Change device group tree

Hello,

Now my Panorama is managing 4 clusters, 3 in Emea and 1 in the US.

This is the Device Group organization:

Shared

  1. Cluster 1
  2. Cluster 2
  3. Cluster 3
  4. Cluster 4

Now we want to modify the organization to split the Emea clusters and the US cluster:

Shared

  • Emea:
    1. Cluster1
    2. Cluster2
    3. Cluster3
  • US:
    1. Cluster1

It should be as easy as this:

  1. Create 2 new empty Device Groups, "Emea" and "US" (the parent device group will be Shared).
  2. For each cluster, change the "Parent Device Group" from "Shared" to the dedicated regional DG.
  3. Commit

Is this only a Panorama organization change, or are there consequences on the firewalls that could create an outage that I have to consider?
Any advice?

Hi @ChristianBolelli,

As long as the "Emea" and "US" device groups are completely empty, it shouldn't make any difference to the actual firewall configuration or any traffic interruption.

You may still need to "push" config to devices if Panorama shows the firewall config out of sync. But you could confirm that nothing will change for the firewall by "preview changes" (Push to Devices -> Edit Selections -> Device Groups -> Preview Changes).

Ah yes, now "Emea" and "US" are two DGs where I can put regional rules.
For example, in my scenario I can put under the Emea policy a rule that will be pushed to all 3 clusters, but if Emea and US stay empty the firewall rules will be the same.

Right?

Hi @ChristianBolelli,

That is correct. Each device group will inherit the rules from its parent.

I like to think of device groups as onion layers: the parent device groups are the outer layers and the child device groups are the inner layers.

[Image: Astardzhiev_0-1654613734494.png]

The image above represents the final rule order pushed to the device. Sorry, I couldn't find an image with multiple device groups, but the principle is the same. In your case it should look like this:

  1. Shared Pre-policies
  2. Emea Pre-policies
  3. Cluster1 Pre-policies
  4. Local policies
  5. Cluster1 Post-policies
  6. Emea Post-policies
  7. Shared Post-policies

If your Emea device group is empty, nothing will really change for the firewall policy and rule order.

If you add a pre-rule in the Emea device group, it will be inherited by all Emea clusters, and that rule will be placed above any pre-rules defined in the ClusterX device groups.

Hope this makes sense; not sure if I managed to explain it in a good way.
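The onion-layer rule order described in the reply above, as an added example that is not part of the original thread: a small Python model of a device-group tree that computes the rulebase a firewall ends up evaluating, so a re-parenting like Shared -> Emea -> Cluster1 can be checked for rule-order side effects before committing. The DeviceGroup class, the rule names and the local rules are constructed for illustration, not Panorama's own API or data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DeviceGroup:
    """A Panorama device group: its parent (None for Shared) and its pre/post rules."""
    name: str
    parent: Optional[str]
    pre_rules: List[str] = field(default_factory=list)
    post_rules: List[str] = field(default_factory=list)

def lineage(tree: Dict[str, DeviceGroup], leaf: str) -> List[str]:
    """Device-group names from Shared (outermost layer) down to the firewall's own DG."""
    chain, node = [], leaf
    while node is not None:
        chain.append(node)
        node = tree[node].parent
    return chain[::-1]

def effective_rule_order(tree, leaf, local_rules):
    """Rulebase as the firewall evaluates it: pre-rules from the outermost layer in,
    then the firewall's local rules, then post-rules from the innermost layer out."""
    chain = lineage(tree, leaf)
    order = [r for dg in chain for r in tree[dg].pre_rules]
    order += list(local_rules)
    order += [r for dg in reversed(chain) for r in tree[dg].post_rules]
    return order

def rule_order_changed(before, after, leaf, local_rules):
    """True if re-parenting the leaf DG alters the rule order the firewall would get."""
    return effective_rule_order(before, leaf, local_rules) != effective_rule_order(after, leaf, local_rules)

def build_sample():
    """Constructed sample of the thread's scenario: Cluster1 directly under Shared (before)
    and under a new, empty regional DG 'Emea' (after). Rule names are made up."""
    shared = DeviceGroup("Shared", None, ["shared-pre"], ["shared-post"])
    def cluster1(parent):
        return DeviceGroup("Cluster1", parent, ["c1-pre"], ["c1-post"])
    before = {"Shared": shared, "Cluster1": cluster1("Shared")}
    after = {"Shared": shared, "Emea": DeviceGroup("Emea", "Shared"), "Cluster1": cluster1("Emea")}
    return before, after

LOCAL = ["local-allow-mgmt"]  # rules configured on the firewall itself (constructed)

if __name__ == "__main__":
    before, after = build_sample()
    print("order after re-parenting:", effective_rule_order(after, "Cluster1", LOCAL))
    print("changed:", rule_order_changed(before, after, "Cluster1", LOCAL))
    after["Emea"].pre_rules.append("emea-pre")   # a regional pre-rule lands above c1-pre
    print("order with Emea pre-rule:", effective_rule_order(after, "Cluster1", LOCAL))
```

With the regional layer empty the computed order is identical before and after, which is the same thing the Preview Changes step is meant to confirm; once a pre-rule is added to Emea it sits between the Shared and Cluster1 pre-rules.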
