I use Panorama to deploy some policy rules to my 40 firewalls.
Obviously some rules are the same for all firewalls, others are specific to a some of them.
Is it possible to create different groups of firewalls and deploy the rules to the groups. So if I have to add/change a FW to a panorama rule, will be sufficient to modify the group and not all rules.
Yesterday I changed a broken firewall, and I had to remove the old one from more of 50 rules and the add the new one. 😞
For example I'd like to be able to:
Rule A --> deployed to FW1, FW2
Rule B --> deployed to FW1, FW2
Rule C --> deployed to FW1, FW3
Rule D --> deployed to FW1, FW3
If I have to add the FW4, and add it to all rules, it would be faster to have:
Device Group X: FW1, FW2
Device Group Y: FW1, FW3
Rule A --> deployed to Group X
Rule B --> deployed to Group X
Rule C --> deployed to Group Y
Rule D --> deployed to Group Y
and add FW to the groups.
You can in Panorama you have a shared device group section that will apply to all firewall groups. In this you can specify "Pre rules" and "Post Rules"
you also can select the individual groups and set up pre and post rules.
I dont believe you can have a single firewall as a memeber of more then one group.
Any rules you want assigned to only one firewall (or HA pair) the rules would fall between the Pre and Post rules.
We create a device group for each FW. Why do we do this... Well so we don't have to worry about specifying a "target" FW each rule goes to. Once the rule is created in Panorama you can "Clone" it to another FW. You will not however be able to "Clone" to another FW if you originally wrote the rule specifying a "target" fw.
I don't know if I explain my problem:
For example I have these 2 pre-rules in panorama and deployed to about 40 firewalls (last column on the screenshot).
I created only a shared device group with all my firewalls, but however when I want to target a pre-rule to all the firewalls I have to check all:
And if I add a new Firewall to the shared device group, I have to go to all pre-rules and check the new FW on the target windows.
At the end I can't create different device groups with shared firewalls:
In the share device group XX, I have FW1 and FW2.
If I create the shared device group YY, the FW1 and FW2 are hidden.
I hope to be clearer.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!