That release note from PANOS 5.0 sounds really odd to me...
When you connect a PA device to Panorma you will not be able to configure it from its own web-gui, only from the Panorama (regarding security rules set by the Panorama).
This can also be seen in the CLI where "show config running" wont display any security rules or address objects. You must run "show config pushed" to see those.
Then how come Panorama will push any unused objects to the device when the device can only be configured from Panorama itself?
Im not saying that what the release note says would be wrong, but rather why wasnt this the default behaviour from the beginning?
To me shared objects are just objects that should be available for all device groups (like global objects, compared to private objects which are only available for a specific device or device group), handy when you have administrators that are only allowed to see/manage a particular device/device group or for that matter so you as admin wont need to setup the same address object multiple times when using Panorama.
But when Panorama will compile the ruleset and push it to a particular device I would expect that the default behaviour would be to only include the shared objects needed for this particular ruleset (and by that by design handle the case that different hardware models can only hold different amount of address objects and security rules).
Panorama has always pushed all Shared and any Device Group objects to managed devices.
This functionality in 5.0 adds the capability to do what you expected as the default behavior above.
With 5.0 , there is now an option to push only used objects.
I had troubles with the 2000 limits in the past on my PA-200 , my Panorama shared object base was 2200 objects large. I had to hunt unused objects to allow commits to happen.
5.0 now fixes that problem but you are scaring me with that news about local devices not being administrable from their GUI anymore .... Panorama is sooooo sloooooow at switching contexts.
Nothing change with 5.0 with respect to the object administration on the device. We are confused by your concern with the following statement.
5.0 now fixes that problem but you are scaring me with that news about local devices not being administrable from their GUI anymore ....
Can you be more specific about the concern so we can address the issue?
I was refering to Mikand statement:
"When you connect a PA device to Panorama you will not be able to configure it from its own web-gui, only from the Panorama (regarding security rules set by the Panorama).'
I understood it this way : since 5.0 you can't manage a device that is Panorama enabled from its own GUI, only from Panorama. It surprised me as I didn't read that anywhere yet.
I believe he was referring to the fact the rules/objects that were pushed from Panorama are not editable on the device. This is the same model that was present prior to 5.0 and is not likely to change.
All local config can still be managed on a device.
Ah I'was looking for the same. Hope this fixes our issue. However, I can't jump on 5.0 and upgrade our panorama cluster or the devices. We just moved from 4.0.11 to 4.1.7hfa2. I don't see 5.0 happening to us any time soon. I wish there was other alternative to this resolution other then manually converting shared objects to device group specific.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!