I have 8 5060s that I manage with Panorama, and I share objects between all of these devices. I want to add a new pair of devices to Panorama that are completely separate from the other 8, and I don't want the shared objects to be on the new pair. I also want to prevent admins of the new pair from creating shared objects that will become part of the original 8. Is this possible?
Create a device group for the new devices and, when creating an object, do not check the "Shared" checkbox. This will keep the objects in the DG and not send them to the other devices. If you create a DG Admin Role and give access to only the new DG where the new boxes reside, then the admin will not be able to create shared objects.
Thank you so much Mike for your quick response. The problem is that I already have the 8 devices (4 device groups) in Panorama, which already have shared objects. I don't want those existing shared objects to be pushed to the new devices I want to add to and manage via Panorama.
The second part of your answer makes sense, admins who only have access to a single DG can't create shared objects so objects created on the new device will not be made available to the existing systems... Thanks for clearing that up for me.
I just wish there was a way to prevent a device from accessing shared objects.
I was wrong. I am logged in to Panorama as a user with access to only the new devices, and shared objects are still available to be used for the devices on which I had disabled shared config.
We are having a similar issue. We have lots of address objects (over 3000) that are shared on a Panorama installation.
We have 4 different device groups, 3 of them containing PA-5050s.
Our problem now is that we also need to manage some PA-200s for some small installations, and the PA-200 only supports a maximum of 2500 address objects.
Is there any workaround for this problem? The PA-200s are not in the same device groups as the PA-5050s.
Why are all the address objects pushed to the PA-200 even if they are NOT in use in any security rules?
I think what you (and I) need is introduced in PAN-OS 5.0:

Share Unused Address and Service Objects with Devices – This feature allows Panorama to share all shared objects and device group specific objects with managed devices. When unchecked, Panorama policies are checked for references to address, address group, service, and service group objects and any objects that are not referenced will not be shared. This option will ensure that only necessary objects are being sent to managed devices in order to reduce the total object count on the device. The option is checked by default to remain backward compatible with the current functionality of pushing all Panorama objects to managed devices.
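To make the release note concrete, here is an added model (not Panorama's own code or configuration format) of the two push behaviours it describes: with the option checked, every shared and device-group object goes to the device; with it unchecked, only objects referenced by that device group's rules, followed transitively through address-group membership, are pushed. The device group, rule and object names are constructed, and the 2500 limit is the PA-200 figure quoted in this thread.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Simplified model of a Panorama device group: objects map a name to the names
# it references (an address group lists its members; a plain address has none),
# and each rule is the set of object names it references.
@dataclass
class DeviceGroup:
    name: str
    objects: dict[str, set[str]] = field(default_factory=dict)
    rules: list[set[str]] = field(default_factory=list)

def resolve_refs(seeds: set[str], *catalogs: dict[str, set[str]]) -> set[str]:
    """Follow group membership transitively so a referenced group pulls in its members."""
    needed, stack = set(), list(seeds)
    while stack:
        name = stack.pop()
        if name in needed:
            continue
        needed.add(name)
        for catalog in catalogs:
            stack.extend(catalog.get(name, ()))
    return needed

def pushed_objects(shared: dict[str, set[str]], dg: DeviceGroup,
                   share_unused: bool = True) -> set[str]:
    """Object names this model would push to dg's devices under either setting."""
    visible = {**shared, **dg.objects}          # shared objects plus the DG's own
    if share_unused:                            # option checked: push everything
        return set(visible)
    referenced = set().union(*dg.rules)         # option unchecked: only rule references
    # Intersect with visible so a dangling reference never counts as an object.
    return resolve_refs(referenced, shared, dg.objects) & set(visible)

def within_limit(object_count: int, limit: int = 2500) -> bool:
    """Does the pushed object count fit the platform's address-object maximum?"""
    return object_count <= limit

# Constructed sample: 3000 shared hosts (the thread's situation), one shared
# group, and a small branch device group whose rules reference only a few of them.
SHARED = {f"host-{i}": set() for i in range(3000)}
SHARED["grp-dc"] = {"host-1", "host-2"}
BRANCH = DeviceGroup("branch-pa200", objects={"lan": set()},
                     rules=[{"lan", "grp-dc"}, {"host-7"}])

if __name__ == "__main__":
    for flag in (True, False):
        count = len(pushed_objects(SHARED, BRANCH, share_unused=flag))
        print(f"share_unused={flag}: {count} objects, fits PA-200: {within_limit(count)}")
```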
Yes, you are correct. This is exactly what we need :-)
The big question now is: is version 5.0 fully backwards compatible with PAN-OS 4.1?
Upgrading to PAN-OS 5.0 is not an option for this installation.
Yes. Panorama is backward compatible with all supported PAN-OS versions running on FWs.
This means that 5.0 Panorama can manage 3.1, 4.0, 4.1, and 5.0 devices.