Panorama Device groups and pre and post policies

L4 Transporter

Panorama Device groups and pre and post policies

Hi

 

Okay just to under stand

 

if I have a device group

 

Top

Middle

pa

 

and I place my device in pa group

 

and i have rules security 

in the pre section

top -> Rule 1

middle -> rule 2

pa -> rule 3

 

how does that look on the actual PA.  if I look at my device security

 

will the policies be

 

rule 1

rule 2

rule 3

 

or 

 

rule 3

rule 2

rule 1

 

 

and i presume its

 

<pre rules>

any device rules

<post rules>

 

 

last question on panorama how can i move a rule from pre to post ?

 

 

 

Highlighted
L4 Transporter

Re: Panorama Device groups and pre and post policies

Hi @Alex_Samad

A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls that require similar policy configurations. Using device groups, you can configure policy rules and the objects they reference. 

 

To your first question, according to your example, if you have a device placed in the device group PA, with rules 1, 2, 3 and in the pre-rule section, that's the order they will be showed in the actual device; however, the processing of the rules will depend if you create it as pre-rule or post-rule.

 

Pre Rules: Pre rules are inserted at the top of the rule order and are checked first in the configuration in the pre-rulebase, before the post or locally defined rules. Examples on the use of pre rules are to insert global use rules such as blocking peer-to-peer traffic for all users, or allowing DNS traffic for all users. Additional factors used to decide to use pre only rules are administrative restrictions that do not allow rules to be created locally on the firewalls. In other words, if you have many remote firewalls, and you do not want to allow other administrators to perform changes locally in each firewall, then pre-rule is the way to go. When you configure pre-rules, any policies pushed from Panorama to the device cannot be altered locally on the firewall, instead it has to be always done through Panorama.

 

Post Rules: Post rules are inserted at the bottom of the rule order and are checked in their configuration order in the post-rulebase, after the pre and locally defined rules. Examples of post rule use are global deny rules, either by appID/service/user/IP based or a combination of, or to create default zone to zone deny rules to use for logging of all blocked traffic. Unlike pre-rules, if  you are planning for rule management, it is recommended that Panorama is used to manage a post rule database if admins will be configuring rules locally on the firewall.

 

Best Practices from Palo Alto are:

Local Rules in Panorama:  Unless there is a business requirement, create all policies through Panorama

Use Post-Rules in Panorama: If there is an issue either with the communication to Panorama or Panorama itself, having most of your policy rules in the Post-Rules section allows you to create local policy to override if required.

 

As for your last question, about moving rules from Pre-Rules to Post-Rules, it is not supported. My recommendation in this case is to use the Palo Alto Migration tool in order to do that. With the Migration Tool, you can connect to the firewall via XML API, and pull all rules into the migration tool. From that point forward, you can select the rules you want to transform in post-rules, and generate an API call to the firewall.

https://live.paloaltonetworks.com/t5/Migration-Tool/ct-p/migration_tool

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Migration-Tool-3-Info-and-Guide/ta-p/55...

 

I hope this helps.

 

L0 Member

Re: Panorama Device groups and pre and post policies

Hi

 

Thanks, wish you would have told me these best practise a few weeks ago :)

 

As for device groups not exaclty what i was using for. but did an experiment

 

again if I have 

 

tier1

tier2

tier3

pa

<device>

 

and I have in pre 

tier1

  policy 1

tier2

  policy 2

tier3

  policy 3

pa

  policy 4

 

 

when I look on <device> they show up as 

  policy 1

  policy 2

  policy 3

  policy 4

 

from my read, tier 1 gets processes first and then teir2 etc etc  which i sort of understand.

 

as for the migration tool, Im doing loading it, but would be able to give an example of how to do a partial import of full config use the command line / XML tools, think that would be  better to learn.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!