topic Re: Create device group to use it on panorama target field in General Topics

Create device group to use it on panorama target field

FassaSRL — Thu, 07 Sep 2017 08:17:18 GMT

Hello,

I use Panorama to deploy some policy rules to my 40 firewalls.

Obviously some rules are the same for all firewalls, others are specific to a some of them.

Is it possible to create different groups of firewalls and deploy the rules to the groups. So if I have to add/change a FW to a panorama rule, will be sufficient to modify the group and not all rules.

Yesterday I changed a broken firewall, and I had to remove the old one from more of 50 rules and the add the new one. 😞

For example I'd like to be able to:

Rule A --> deployed to FW1, FW2

Rule B --> deployed to FW1, FW2

Rule C --> deployed to FW1, FW3

Rule D --> deployed to FW1, FW3

If I have to add the FW4, and add it to all rules, it would be faster to have:

Device Group X: FW1, FW2

Device Group Y: FW1, FW3

Rule A --> deployed to Group X

Rule B --> deployed to Group X

Rule C --> deployed to Group Y

Rule D --> deployed to Group Y

and add FW to the groups.

Thanks

Massimiliano

Re: Create device group to use it on panorama target field

Kaje — Thu, 07 Sep 2017 11:47:00 GMT

You can in Panorama you have a shared device group section that will apply to all firewall groups. In this you can specify "Pre rules" and "Post Rules"

you also can select the individual groups and set up pre and post rules.

I dont believe you can have a single firewall as a memeber of more then one group.

Any rules you want assigned to only one firewall (or HA pair) the rules would fall between the Pre and Post rules.

Re: Create device group to use it on panorama target field

Wald — Thu, 07 Sep 2017 16:14:17 GMT

We create a device group for each FW. Why do we do this... Well so we don't have to worry about specifying a "target" FW each rule goes to. Once the rule is created in Panorama you can "Clone" it to another FW. You will not however be able to "Clone" to another FW if you originally wrote the rule specifying a "target" fw.

Re: Create device group to use it on panorama target field

FassaSRL — Fri, 08 Sep 2017 07:51:52 GMT

I don't know if I explain my problem:

For example I have these 2 pre-rules in panorama and deployed to about 40 firewalls (last column on the screenshot).

I created only a shared device group with all my firewalls, but however when I want to target a pre-rule to all the firewalls I have to check all:

And if I add a new Firewall to the shared device group, I have to go to all pre-rules and check the new FW on the target windows.

At the end I can't create different device groups with shared firewalls:

For example:

In the share device group XX, I have FW1 and FW2.

If I create the shared device group YY, the FW1 and FW2 are hidden.

I hope to be clearer.