FW specific rules from the Panorama shared policy


L3 Networker

Hi All,

We are using Panorama (10.1.x) with a number of managed FWs. We have a shared pre-policy, a parent pre-policy and child policies, with pre-rules configured within each.


Goal: in the event of a security incident at a branch location, we want a pre-defined deny rule in the parent pre-policy that we can just enable and push down to a specific FW, so that the deny rule is invoked on that FW only. Example:

"src zone: any > dst zone: untrust > action deny"


So I want to add a deny rule (disabled by default) to my parent pre-policy that, when enabled, will be targeted to a specific FW and committed, so that it only applies and is enabled on the target FW.


However, all the managed FWs have different naming conventions for zones, i.e. sitea_zone_trust, siteb_zone_trust, etc.


Instead of creating multiple policies in the parent pre-rule defining each zone name, is there a way I can do the following?


When enabling the parent pre-policy deny rule and selecting the target for it, then committing it to the FW, can the FW automatically ingest the source zone as siteb_trust, for instance, when the parent pre-rule has 'any' defined for this rule?


Thanks in advance.

1 REPLY

Cyber Elite

If the zone names are different, then use the source address.

So, assuming the source zone you want to block is siteb_trust and the subnet used is 10.5.5.0/24, push a policy to the firewall with source zone any and source address 10.5.5.0/24.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
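The approach in the reply, as an added worked example that is not part of the thread or of any Palo Alto Networks tooling: a Panorama pre-rulebase deny rule modelled as XML in the element layout PAN-OS uses for security rules (element names assumed from that schema), disabled by default and targeted at a single firewall serial, plus a simplified matcher that shows why "source zone any + source address 10.5.5.0/24" hits only the intended site regardless of how that site names its zones, and why the same rule with "source any" would deny everything bound for untrust on the target. The serial, device-group name, sample flows and the rendered `set` command syntax are constructed or assumed here and should be checked against your own PAN-OS version.

```python
"""Added example (not from the LIVEcommunity thread): model a Panorama
pre-rulebase deny rule that is disabled by default and targeted at one
firewall, and check which sample flows it would hit once enabled."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data: a placeholder serial and the subnet from the reply.
SITEB_SERIAL = "PLACEHOLDER-SERIAL-SITEB"
SITEB_SUBNET = "10.5.5.0/24"


def build_deny_rule(name, subnet, serial, to_zone="untrust", disabled=True):
    """Return the <entry> element for a security rule in the layout used by
    PAN-OS security rules (assumed element names). The rule matches 'any'
    source zone, so it is independent of per-site zone naming, and narrows
    the match by source address instead."""
    entry = ET.Element("entry", name=name)

    def members(tag, values):
        node = ET.SubElement(entry, tag)
        for value in values:
            ET.SubElement(node, "member").text = value

    members("from", ["any"])
    members("to", [to_zone])
    members("source", [subnet])
    members("destination", ["any"])
    members("source-user", ["any"])
    members("category", ["any"])
    members("application", ["any"])
    members("service", ["any"])
    members("hip-profiles", ["any"])
    ET.SubElement(entry, "action").text = "deny"
    ET.SubElement(entry, "disabled").text = "yes" if disabled else "no"
    devices = ET.SubElement(ET.SubElement(entry, "target"), "devices")
    ET.SubElement(devices, "entry", name=serial)
    return entry


def _members(entry, tag):
    return [m.text for m in entry.find(tag).findall("member")]


def rule_matches(entry, serial, src_zone, dst_zone, src_ip):
    """Simplified evaluation of the rule against one flow on one firewall:
    the rule is skipped when disabled or when this firewall is not a target;
    'any' in a zone or address field matches everything."""
    if entry.findtext("disabled") == "yes":
        return False
    targets = [d.get("name") for d in entry.find("target/devices").findall("entry")]
    if serial not in targets:
        return False
    if _members(entry, "from") != ["any"] and src_zone not in _members(entry, "from"):
        return False
    if _members(entry, "to") != ["any"] and dst_zone not in _members(entry, "to"):
        return False
    sources = _members(entry, "source")
    if sources == ["any"]:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in sources)


def denied_flows(entry, serial, flows):
    """Return the subset of (src_zone, dst_zone, src_ip) flows the rule denies."""
    return [f for f in flows if rule_matches(entry, serial, *f)]


def to_set_command(entry, device_group):
    """Render the rule as a Panorama 'set' CLI line (syntax assumed; verify
    against your PAN-OS version before use)."""
    name = entry.get("name")
    serial = entry.find("target/devices/entry").get("name")
    return (
        f"set device-group {device_group} pre-rulebase security rules {name} "
        f"from {' '.join(_members(entry, 'from'))} to {' '.join(_members(entry, 'to'))} "
        f"source {' '.join(_members(entry, 'source'))} destination any "
        f"application any service any action {entry.findtext('action')} "
        f"disabled {entry.findtext('disabled')} target devices {serial}"
    )


# Constructed sample flows as seen on the site B firewall once the rule is enabled.
SAMPLE_FLOWS = [
    ("siteb_zone_trust", "untrust", "10.5.5.10"),   # host in the incident subnet
    ("siteb_zone_guest", "untrust", "10.5.5.200"),  # same subnet, different zone name
    ("siteb_zone_trust", "untrust", "10.9.9.10"),   # other subnet at site B, untouched
]

if __name__ == "__main__":
    rule = build_deny_rule("incident-deny-siteb", SITEB_SUBNET, SITEB_SERIAL, disabled=False)
    print(to_set_command(rule, "Parent-DG"))
    print(denied_flows(rule, SITEB_SERIAL, SAMPLE_FLOWS))
```

The matcher is deliberately minimal (no application, service or user matching) because the point is the interaction of the target, the disabled flag, the zone wildcard and the address narrowing: with the rule disabled or pushed to a different serial nothing is denied, with the subnet as source only that site's hosts are denied whatever their zone is called, and with source `any` every flow to untrust on the targeted firewall is denied.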