Panorama Adaptive Objects

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Panorama Adaptive Objects

Not applicable

I have several PAN firewalls that I now manage individually and have recently purchased a Panorama appliance in the hopes of making it easier to manage common policies.

We have two sites that will need identical rules but with different IP's referenced in the rules.  I come from a background of using McAfee CommandCenter and in their terminology what I am looking for is an "Adaptive Object". Where I can define an object that has a different IP depending on which firewall it is installed on.  How can I do this same functionality with Panorama?  I was told that if you name the objects/groups the same that the local object will have precedence, but then you still have to manage local object and Panorama objects, it's not centralized management.  Any feedback in figuring this out is greatly appreciated.


L6 Presenter

you have to create objects on each device seperately with same names different ip addresses,

then you have to create policies at panorama with same object names and push them to these 2 sites.

I don't know any other way but if there is; I also want to learn.

You can create one rule (which needs to be identical on all devices) in Panorama for such situations. For example if you want a rule that says allow traffic from source named ServerABC which has different IP at firewallA, FirewallB, FirewallC. Create 3 different address objects in Panorama like ServerA with IP_Addr_A, ServerB with IP_Addr_B and so on. Then create an address group in Panorama like ServerABC that has members like ServerA, ServerB and so on. Presuming that network subnets under each firewalls are different and firewallA handles traffic from ServerA only (and so on for firewallB and FirewallC), such a workaround would serve the purpose.

L4 Transporter


Are both the PAN firewalls in the same Device group on the Panorama? If so, since you're looking for creating identical rules but with different IP/address objects, create separate security policies with respective address-objects/IP's and target them only to the specific device in question.(Target is the last tab while creating a Security policy). This way when pushing the config to the Device group, policies will be pushed based on the target specified to the selected device.

You can also add the devices in different device groups, so that way you can create address-objects and policies specific to each group. In this case, as you said you define the object with a different IP depending upon the device group.

Hope that helps!


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!