I have several PAN firewalls that I now manage individually and have recently purchased a Panorama appliance in the hopes of making it easier to manage common policies.
We have two sites that will need identical rules but with different IPs referenced in the rules. I come from a background of using McAfee CommandCenter and in their terminology what I am looking for is an "Adaptive Object", where I can define an object that has a different IP depending on which firewall it is installed on. How can I do this same functionality with Panorama? I was told that if you name the objects/groups the same, the local object will have precedence, but then you still have to manage local objects and Panorama objects; it's not centralized management. Any feedback in figuring this out is greatly appreciated.
You can create one rule (which needs to be identical on all devices) in Panorama for such situations. For example, if you want a rule that says allow traffic from a source named ServerABC which has a different IP at firewallA, firewallB, and firewallC: create 3 different address objects in Panorama like ServerA with IP_Addr_A, ServerB with IP_Addr_B, and so on. Then create an address group in Panorama like ServerABC that has members ServerA, ServerB, and so on. Presuming that the network subnets under each firewall are different and firewallA handles traffic from ServerA only (and so on for firewallB and firewallC), such a workaround would serve the purpose.
Are both PAN firewalls in the same Device group on the Panorama? If so, since you're looking to create identical rules but with different IP/address objects, create separate security policies with the respective address objects/IPs and target them only to the specific device in question. (Target is the last tab while creating a Security policy.) This way, when pushing the config to the Device group, policies will be pushed to the selected device based on the target specified.
You can also add the devices to different device groups, so that you can create address objects and policies specific to each group. In this case, as you said, you define the object with a different IP depending upon the device group.
Hope that helps!
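As an added check, not code from the thread or from Palo Alto Networks: this Python model resolves Panorama-style address objects, static groups and rule targets into the sources each firewall would actually permit after a push. It shows that the address-group workaround in the first reply lets every site's rule match all three server IPs, while the targeted rules from the second reply scope each firewall to its own server. The object names, IPs and device names are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the thread): one IP per site for "ServerABC".
ADDRESS_OBJECTS = {
    "ServerA": "10.1.0.10/32",
    "ServerB": "10.2.0.10/32",
    "ServerC": "10.3.0.10/32",
}
ADDRESS_GROUPS = {"ServerABC": ["ServerA", "ServerB", "ServerC"]}

def resolve(name):
    """Expand an address object or static address group into ip_network values."""
    if name in ADDRESS_GROUPS:
        return [n for member in ADDRESS_GROUPS[name] for n in resolve(member)]
    return [ip_network(ADDRESS_OBJECTS[name])]

def rule(name, source, target=None):
    """A Panorama security rule; target=None means it is pushed to every device."""
    return {"name": name, "source": source, "target": target}

# Approach 1 (first reply): one untargeted rule whose source is the whole group.
GROUP_RULES = [rule("allow-serverabc", ["ServerABC"])]
# Approach 2 (second reply): one rule per site, each targeted at a single firewall.
TARGETED_RULES = [
    rule("allow-serverA", ["ServerA"], target="firewallA"),
    rule("allow-serverB", ["ServerB"], target="firewallB"),
    rule("allow-serverC", ["ServerC"], target="firewallC"),
]

def effective_sources(rules, device):
    """Source networks a given firewall actually permits after the push."""
    nets = []
    for r in rules:
        if r["target"] in (None, device):
            for src in r["source"]:
                nets.extend(resolve(src))
    return nets

def permits(rules, device, src_ip):
    """Would this firewall's pushed rulebase match traffic from src_ip?"""
    ip = ip_address(src_ip)
    return any(ip in net for net in effective_sources(rules, device))

if __name__ == "__main__":
    for rules, label in ((GROUP_RULES, "group"), (TARGETED_RULES, "targeted")):
        # firewallA should only match ServerA; the group approach also matches ServerB.
        print(label, permits(rules, "firewallA", "10.1.0.10"),
              permits(rules, "firewallA", "10.2.0.10"))
```

The extra matches under the group approach are what to audit when reviewing a site's rulebase: they are only harmless while the other sites' subnets never appear as sources at that firewall.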