How do you duplicate a device group
cancel
Showing results for 
Search instead for 
Did you mean: 

How do you duplicate a device group

Not applicable

Mite seem like a simple question, but it seems you can only clone/duplicate the security rules within the same policy you cloned/copied it from.  Im trying to create a new device group and use existing security rules from an existing device group without having to rewrite the same security rules in the new device group.  Thank You.

5 REPLIES 5

L5 Sessionator

Hi,

Go to the security rules in panorama, open the security rule that you want pushed to a new device group. Select the appropriate available target devices as per your requirements.

target.JPG

Hopefully this helps.

Thank you

Numan

Not applicable

Thanks, but I was hoping I could move my rules to a different device group.  Using the target tab only lets me move the rules to devices within the same device group.  I am building a new device group and want to use some of the same rules in my existing device group.

Hi,

I believe currently you can not clone or move the rules to a different device group from the GUI or CLI.

Work around would be to manually download the configuration and copy paste the desired rules and then load the config again.

Thank you

Numan

L1 Bithead

There are a few ways you might do this.

You can use the panxapi command line program from the PAN-perl package on DevCenter and get/show (-g/-s) the source device group xpath then set (-S) the XML into the new device group.  Also clone (--clone) might be able to do this in one step.

You could also use the load config partial CLI configuration mode command.  The challenging part may be figuring out the xpaths.  However, assuming you want to copy post-rulebase security rule1 from test-dg to dg2, the following should work.  Hopefully that will get you started and you can adjust the xpaths to do what you need to do.

admin@Panorama# load config partial from running-config.xml from-xpath /config/devices/entry/device-group/entry[@name='test-dg']/post-rulebase/security/rules/entry[@name='rule1'] to-xpath  /config/devices/entry/device-group/entry[@name='dg2']/post-rulebase/security/rules mode append

Config loaded from running-config.xml

L3 Networker

This had been a known limit which is addressed in 5.0 to an extent.

5.0 offers option to setup shared policies

– This new feature adds the ability for Panorama admins to add an additional layer of pre and post rules that will be applied to all Device Groups managed by the Panorama instance. You can also set up admin access control options, so the rules are only editable by privileged admins and cannot be changed by Device Group admins. Another new feature for Shared Policy is the Shared Objects Take Precedence option, which is located in Panorama > Setup > Management > General Settings. When this option is unchecked, device groups override corresponding objects of the same name from a shared location. If the option is checked, device group objects cannot override corresponding objects of the same name from a shared location and any device group object with the same name as a shared object will be discarded. To access this feature, select the Policies tab and then select Shared from the Device Group drop-down.

With XML editor it may be possible to copy existing ruleset.

Please mark it as 'Correct answer or helpful' if you

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!