02-16-2012 06:51 PM
I have 8 5060s that I manage with Panorama, and I share objects between all of these devices. I want to add a new pair of devices to Panorama that are completely separate from the other 8, and I don't want the shared objects to be on the new pair. I also want to prevent admins of the new pair from creating shared objects that will become part of the original 8. Is this possible?
Thanks
Rob
11-16-2012 12:04 AM
Hello,
We upgraded to Panorama 5.0 and that fixed our problem.
We are still running 4.1 on all the firewalls.
Jo Christian
02-17-2012 10:02 AM
Create a device group for the new devices and, when creating an object, do not check the "Shared" checkbox. This will keep the objects in the DG and not send them to the other devices. If you create a DG Admin Role and give access to only the new DG where the new boxes reside, then the admin will not be able to create shared objects.
02-17-2012 10:23 AM
Thank you so much, Mike, for your quick response. The problem is that I already have the 8 devices (4 device groups) in Panorama, which already have shared objects. I don't want those existing shared objects to be pushed to the new devices I want to add to and manage via Panorama.
The second part of your answer makes sense, admins who only have access to a single DG can't create shared objects so objects created on the new device will not be made available to the existing systems... Thanks for clearing that up for me.
I just wish there was a way to prevent a device from accessing shared objects.
Thanks again
Rob
02-17-2012 11:37 AM
I think I found the answer to my own question: there is a disable shared config option when you add the Panorama IP to the new device. DOH!
Thanks
Rob
02-17-2012 02:53 PM
I was wrong. I am logged in to Panorama as a user with access to only the new devices, and shared objects are still available to be used for the devices on which I had disabled shared config.
02-22-2012 06:38 PM
@rob.moore:
The 'disable shared config' option disables the shared configuration that was pushed from Panorama to the target device.
-Benjamin
11-07-2012 05:03 AM
Hello,
We are having a similar issue. We have lots of address objects (over 3000) that are shared on a Panorama installation.
We have 4 different device groups, with 3 of them containing PA-5050s.
Our problem now is that we also need to manage some PA-200s for some small installations, and the PA-200 only supports a maximum of 2500 address objects.
Is there any workaround for this problem? The PA-200s are not in the same device groups as the PA-5050s.
Why are all the address objects pushed to the PA-200 even if they are NOT in use in any security rules?
Jo Christian
11-07-2012 05:46 AM
Hi Christian,
I think what you (and I) need is introduced in PAN-OS 5.0:
Release Notes:
Share Unused Address and Service Objects with Devices – This feature allows Panorama to share all shared objects and device group specific objects with managed devices. When unchecked, Panorama policies are checked for references to address, address group, service, and service group objects and any objects that are not referenced will not be shared. This option will ensure that only necessary objects are being sent to managed devices in order to reduce the total object count on the device. The option is checked by default to remain backward compatible with the current functionality of pushing all Panorama objects to managed devices.
-Alex
11-07-2012 05:56 AM
Yes you are correct. This is exactly what we need 🙂
The big question now is: is version 5.0 fully backwards compatible with PAN-OS 4.1?
Upgrading to PAN-OS 5.0 is not an option for this installation.
Jo Christian
11-07-2012 08:39 AM
Yes. Panorama is backward compatible with all supported PAN-OS versions running on FWs.
This means that 5.0 Panorama can manage 3.1, 4.0, 4.1, and 5.0 devices.
https://support.paloaltonetworks.com/index.php?option=com_content&task=view&id=14&Itemid=147
11-07-2012 08:04 PM
That release note from PAN-OS 5.0 sounds really odd to me...
When you connect a PA device to Panorama you will not be able to configure it from its own web GUI, only from the Panorama (regarding security rules set by the Panorama).
This can also be seen in the CLI, where "show config running" won't display any security rules or address objects. You must run "show config pushed" to see those.
Then how come Panorama will push any unused objects to the device when the device can only be configured from Panorama itself?
I'm not saying that what the release note says would be wrong, but rather why wasn't this the default behaviour from the beginning?
To me shared objects are just objects that should be available for all device groups (like global objects, compared to private objects which are only available for a specific device or device group), handy when you have administrators that are only allowed to see/manage a particular device/device group, or for that matter so you as admin won't need to set up the same address object multiple times when using Panorama.
But when Panorama compiles the ruleset and pushes it to a particular device, I would expect that the default behaviour would be to only include the shared objects needed for this particular ruleset (and by that, by design, handle the case that different hardware models can only hold different numbers of address objects and security rules).
11-08-2012 09:15 AM
Panorama has always pushed all Shared and any Device Group objects to managed devices.
This functionality in 5.0 adds the capability to do what you expected as the default behavior above.
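To make concrete what the "Share Unused Address and Service Objects" option in the release note above decides, and the "only push what the ruleset needs" behaviour Mikand expected, here is an added example that is not code from this thread or from Palo Alto Networks. It walks a constructed, simplified XML tree (the element layout is an assumption modelled loosely on a Panorama configuration export, not the real schema), resolves which shared and device-group address objects a device group's security rules actually reference (directly or through a static address group), and compares the count that would be pushed against a platform object limit with the option on and off. The limit value used in the demo is a constructed, scaled-down number, not the real PA-200 figure.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration. The layout (shared vs device-group scope,
# address / address-group / pre-rulebase) is an assumption for this example.
SAMPLE_CONFIG = """
<config>
  <shared>
    <address>
      <entry name="dns-primary"><ip-netmask>192.0.2.10/32</ip-netmask></entry>
      <entry name="dns-secondary"><ip-netmask>192.0.2.11/32</ip-netmask></entry>
      <entry name="legacy-proxy"><ip-netmask>192.0.2.50/32</ip-netmask></entry>
      <entry name="mgmt-net"><ip-netmask>198.51.100.0/24</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="dns-servers">
        <static><member>dns-primary</member><member>dns-secondary</member></static>
      </entry>
    </address-group>
    <pre-rulebase><security><rules>
      <entry name="allow-dns">
        <source><member>any</member></source>
        <destination><member>dns-servers</member></destination>
      </entry>
    </rules></security></pre-rulebase>
  </shared>
  <device-group>
    <entry name="branch-pa200">
      <address>
        <entry name="branch-lan"><ip-netmask>203.0.113.0/24</ip-netmask></entry>
        <entry name="branch-printer"><ip-netmask>203.0.113.9/32</ip-netmask></entry>
      </address>
      <pre-rulebase><security><rules>
        <entry name="branch-out">
          <source><member>branch-lan</member></source>
          <destination><member>mgmt-net</member></destination>
        </entry>
      </rules></security></pre-rulebase>
    </entry>
  </device-group>
</config>
"""


def _entries(scope, tag):
    """Map name -> element for <tag><entry name=...> under scope (scope may be None)."""
    node = scope.find(tag) if scope is not None else None
    if node is None:
        return {}
    return {e.get("name"): e for e in node.findall("entry")}


def _rule_members(scope):
    """Names used as source/destination by every security rule in a scope.
    The '*' step matches both pre-rulebase and post-rulebase containers."""
    refs = set()
    if scope is None:
        return refs
    for rule in scope.iterfind("./*/security/rules/entry"):
        for field in ("source", "destination"):
            for m in rule.iterfind(f"./{field}/member"):
                refs.add(m.text.strip())
    return refs


def referenced_objects(config_xml, device_group):
    """Return (used, unused) address object names for one device group.

    An object counts as used when a shared or device-group rule references it
    directly, or through a static address group (groups are expanded transitively).
    """
    root = ET.fromstring(config_xml)
    shared = root.find("shared")
    dg = root.find(f"./device-group/entry[@name='{device_group}']")
    addresses = {**_entries(shared, "address"), **_entries(dg, "address")}
    groups = {**_entries(shared, "address-group"), **_entries(dg, "address-group")}
    refs = _rule_members(shared) | _rule_members(dg)
    pending = list(refs)
    while pending:  # expand group members, including nested groups
        name = pending.pop()
        if name in groups:
            for m in groups[name].iterfind("./static/member"):
                member = m.text.strip()
                if member not in refs:
                    refs.add(member)
                    pending.append(member)
    used = sorted(n for n in addresses if n in refs)
    unused = sorted(n for n in addresses if n not in refs)
    return used, unused


def fits_device(config_xml, device_group, limit, share_unused=True):
    """Objects that would be pushed, and whether that fits the device's limit.
    share_unused=True mirrors the 5.0 default (push everything); False pushes
    only referenced objects. 'limit' is whatever the target platform supports."""
    used, unused = referenced_objects(config_xml, device_group)
    pushed = len(used) + (len(unused) if share_unused else 0)
    return pushed, pushed <= limit


if __name__ == "__main__":
    used, unused = referenced_objects(SAMPLE_CONFIG, "branch-pa200")
    print("used:", used)
    print("unused (would be dropped with the option unchecked):", unused)
    for share in (True, False):  # 5 is a constructed, scaled-down limit
        print("share_unused =", share, "->", fits_device(SAMPLE_CONFIG, "branch-pa200", 5, share))
```

Run as-is, the demo shows the same set of rules fitting the constructed limit only when unreferenced objects are left out, which is the effect the release note describes for a PA-200 that sits in a device group separate from the larger firewalls but still receives every shared object.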
11-08-2012 09:20 AM
With 5.0 , there is now an option to push only used objects.
I had troubles with the 2000 limits in the past on my PA-200 , my Panorama shared object base was 2200 objects large. I had to hunt unused objects to allow commits to happen.
5.0 now fixes that problem but you are scaring me with that news about local devices not being administrable from their GUI anymore .... Panorama is sooooo sloooooow at switching contexts.
11-08-2012 10:00 AM
Nothing changed with 5.0 with respect to the object administration on the device. We are confused by your concern with the following statement.
5.0 now fixes that problem but you are scaring me with that news about local devices not being administrable from their GUI anymore ....
Can you be more specific about the concern so we can address the issue?
11-08-2012 10:26 AM
I was referring to Mikand's statement:
"When you connect a PA device to Panorama you will not be able to configure it from its own web GUI, only from the Panorama (regarding security rules set by the Panorama)."
I understood it this way: since 5.0 you can't manage a device that is Panorama enabled from its own GUI, only from Panorama. It surprised me as I didn't read that anywhere yet.