Nested Palo Alto Object Groups

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Nested Palo Alto Object Groups

L4 Transporter


Does anyone know if there are any recommendations on the use of nested groupings within PA policies - specifically the PA objects?

In terms of maintaining 'easy to read' policies I wanted to make use of nesting to keep the policies simple, which will mean using nesting up to around 3 tiers - see following random example:-

Win2k8_Server_DC -- in grp --> Domain Controllers -- in grp --> UK DNS Servers -- in grp --> Global DNS Servers

My question is whether this level of nesting is recommended for Palo's; specifically whether it puts any additional strain on the policy compilation/commit process and/or running processes.



L6 Presenter

I dont think there is any limitation on the level of grouping. you can try this using a test address and create a rule. See if your are hitting the right rule when the traffic is coming from the corresponding address (nested address group in this case).

Sandeep T


I know that the nested groups 'work', it's more a question whether using them has any performance impact.  I've found that some functionality within the UI and policy structure can have a detrimental effect - especially during commiting - and was wondering whether there are any recommendations.

Will have a hunt round and maybe do some comparitive testing to see if I can judge for myself!


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!