03-06-2012 04:21 AM
Does anyone know if there are any recommendations on the use of nested groupings within PA policies - specifically the PA objects?
In terms of maintaining 'easy to read' policies I wanted to make use of nesting to keep the policies simple, which will mean using nesting up to around 3 tiers - see the following random example:
Win2k8_Server_DC -- in grp --> Domain Controllers -- in grp --> UK DNS Servers -- in grp --> Global DNS Servers
My question is whether this level of nesting is recommended for Palos; specifically whether it puts any additional strain on the policy compilation/commit process and/or running processes.
03-06-2012 03:32 PM
I don't think there is any limitation on the level of grouping. You can try this using a test address and create a rule. See if you are hitting the right rule when the traffic is coming from the corresponding address (nested address group in this case).
03-06-2012 03:38 PM
I know that the nested groups 'work', it's more a question whether using them has any performance impact. I've found that some functionality within the UI and policy structure can have a detrimental effect - especially during committing - and was wondering whether there are any recommendations.
Will have a hunt round and maybe do some comparative testing to see if I can judge for myself!
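To make the nesting concrete, here is an added example (not from the thread above and not Palo Alto Networks code) that models the three-tier chain the original post describes: static address groups whose members are either addresses or other groups, flattened to the addresses a rule would match against, with the nesting depth measured and circular membership rejected. The object names and IPs are constructed sample data modelled on the thread's example; how PAN-OS itself compiles or evaluates groups on the dataplane is not represented, so it says nothing about commit-time cost.

```python
"""Resolve nested address groups the way a policy lookup has to see them.

Added example, not from the original thread or from Palo Alto Networks.
Models static address groups whose members may be addresses or other
groups, flattens each group to its member networks, reports nesting depth,
and raises on a membership cycle. All names below are constructed.
"""
import ipaddress

# Constructed sample objects (hypothetical names, RFC 1918 addresses).
ADDRESSES = {
    "Win2k8_Server_DC": "10.1.0.10/32",
    "Win2k8_Server_DC2": "10.1.0.11/32",
    "UK_BIND_01": "10.2.0.53/32",
    "US_BIND_01": "10.3.0.53/32",
}

# Each group lists members that are either address names or group names,
# reproducing the chain DC -> Domain Controllers -> UK DNS -> Global DNS.
GROUPS = {
    "Domain Controllers": ["Win2k8_Server_DC", "Win2k8_Server_DC2"],
    "UK DNS Servers": ["Domain Controllers", "UK_BIND_01"],
    "US DNS Servers": ["US_BIND_01"],
    "Global DNS Servers": ["UK DNS Servers", "US DNS Servers"],
}


def resolve(name, addresses=ADDRESSES, groups=GROUPS, _path=()):
    """Return (set of ip_network objects, nesting depth) for an object name.

    Depth 0 is a plain address, 1 a group holding only addresses, and so on.
    Raises ValueError for an unknown object or a circular membership.
    """
    if name in _path:
        raise ValueError("circular group membership: " + " -> ".join(_path + (name,)))
    if name in addresses:
        return {ipaddress.ip_network(addresses[name])}, 0
    if name not in groups:
        raise ValueError("unknown object: " + name)
    nets, depth = set(), 0
    for member in groups[name]:
        member_nets, member_depth = resolve(member, addresses, groups, _path + (name,))
        nets |= member_nets
        depth = max(depth, member_depth + 1)
    return nets, depth


def matches(group, ip, addresses=ADDRESSES, groups=GROUPS):
    """True if the test address falls inside any resolved member of group.

    This is the check the reply above suggests: put a test address in the
    rule and see whether traffic from it hits the rule that uses the group.
    """
    addr = ipaddress.ip_address(ip)
    nets, _ = resolve(group, addresses, groups)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    for group in GROUPS:
        nets, depth = resolve(group)
        print(f"{group}: depth {depth}, {len(nets)} address(es)")
    print("DC in Global DNS Servers:", matches("Global DNS Servers", "10.1.0.10"))
```

Running it shows Global DNS Servers resolving to depth 3 with all four addresses, which is the flattening a rule evaluation ultimately needs regardless of how readable the nested form is.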