06-22-2017 02:19 PM
Hi
Okay, just to understand:
if I have device groups
Top
Middle
pa
and I place my device in the pa group,
and I have security rules
in the pre section:
top -> Rule 1
middle -> Rule 2
pa -> Rule 3
How does that look on the actual PA? If I look at my device's security policy,
will the policies be
Rule 1
Rule 2
Rule 3
or
Rule 3
Rule 2
Rule 1
and I presume it's
<pre rules>
any device rules
<post rules>
Last question on Panorama: how can I move a rule from pre to post?
06-22-2017 08:45 PM
Hi @Alex_Samad
A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls that require similar policy configurations. Using device groups, you can configure policy rules and the objects they reference.
To your first question, according to your example, if you have a device placed in the device group PA, with rules 1, 2, 3 in the pre-rule section, that's the order they will be shown on the actual device; however, the processing of the rules will depend on whether you create them as pre-rules or post-rules.
Pre Rules: Pre-rules are inserted at the top of the rule order and are checked first, in their configuration order in the pre-rulebase, before the post-rules or locally defined rules. Examples of the use of pre-rules are global rules such as blocking peer-to-peer traffic for all users, or allowing DNS traffic for all users. Additional factors in deciding to use pre-rules only are administrative restrictions that do not allow rules to be created locally on the firewalls. In other words, if you have many remote firewalls, and you do not want to allow other administrators to perform changes locally on each firewall, then pre-rules are the way to go. When you configure pre-rules, any policies pushed from Panorama to the device cannot be altered locally on the firewall; instead it always has to be done through Panorama.
Post Rules: Post-rules are inserted at the bottom of the rule order and are checked in their configuration order in the post-rulebase, after the pre-rules and locally defined rules. Examples of post-rule use are global deny rules, either App-ID/service/user/IP based or a combination of these, or default zone-to-zone deny rules used for logging all blocked traffic. Unlike pre-rules, if you are planning for rule management, it is recommended that Panorama be used to manage a post-rule database if admins will be configuring rules locally on the firewall.
Best Practices from Palo Alto are:
Local Rules in Panorama: Unless there is a business requirement, create all policies through Panorama.
Use Post-Rules in Panorama: If there is an issue either with the communication to Panorama or with Panorama itself, having most of your policy rules in the Post-Rules section allows you to create local policy to override them if required.
As for your last question, about moving rules from Pre-Rules to Post-Rules, it is not supported. My recommendation in this case is to use the Palo Alto Migration Tool in order to do that. With the Migration Tool, you can connect to the firewall via the XML API and pull all rules into the Migration Tool. From that point forward, you can select the rules you want to transform into post-rules, and generate an API call to the firewall.
https://live.paloaltonetworks.com/t5/Migration-Tool/ct-p/migration_tool
I hope this helps.
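The following is an added example (not code from the original thread or from Palo Alto Networks) that models the evaluation order the reply describes on a firewall that sits in the bottom group of a Top > Middle > pa hierarchy: pre-rules first, walking from Shared (the implicit root of every device-group hierarchy) down to the firewall's own group, then the firewall's locally defined rules, then post-rules walking back up from the firewall's group to Shared. The device-group names, rule names and the packet fields matched are constructed for illustration; real rules match on far more than zone and application, and the firewall's own intrazone/interzone default rules come after everything shown here.

```python
"""Effective security-rule order on a Panorama-managed firewall.

Added example, not from the original post. Pre-rules are checked first
(Shared, then each device group from the top of the hierarchy down to the
firewall's own group), then the firewall's locally defined rules, then the
post-rules in reverse order (the firewall's own group first, back up to
Shared). Group names, rules and packet fields are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    app: str = "any"

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        # A field matches when the rule says "any" or names the same value.
        return all(want in ("any", have) for want, have in (
            (self.src_zone, src_zone), (self.dst_zone, dst_zone), (self.app, app)))


@dataclass
class DeviceGroup:
    name: str
    parent: Optional[str]            # None for Shared, the root of the tree
    pre: List[Rule] = field(default_factory=list)
    post: List[Rule] = field(default_factory=list)


def ancestry(groups: Dict[str, DeviceGroup], leaf: str) -> List[str]:
    """Path from Shared down to the device group the firewall is placed in."""
    path, cur = [], leaf
    while cur is not None:
        path.append(cur)
        cur = groups[cur].parent
    return list(reversed(path))


def effective_rulebase(groups: Dict[str, DeviceGroup], leaf: str,
                       local_rules: List[Rule]) -> List[Rule]:
    """Concatenate the rules in the order the firewall evaluates them."""
    chain = ancestry(groups, leaf)
    ordered: List[Rule] = []
    for g in chain:                  # pre-rules: Shared -> ... -> leaf group
        ordered.extend(groups[g].pre)
    ordered.extend(local_rules)      # rules defined on the firewall itself
    for g in reversed(chain):        # post-rules: leaf group -> ... -> Shared
        ordered.extend(groups[g].post)
    return ordered


def first_match(rulebase: List[Rule], src_zone: str, dst_zone: str, app: str):
    """First-match semantics: the first rule whose fields all match wins."""
    for r in rulebase:
        if r.matches(src_zone, dst_zone, app):
            return r
    return None


# Constructed hierarchy: Shared > top > middle > pa; the firewall lives in "pa".
GROUPS = {
    "shared": DeviceGroup("shared", None, post=[Rule("shared-deny-all", "deny")]),
    "top":    DeviceGroup("top", "shared", pre=[Rule("rule-1-block-p2p", "deny", app="bittorrent")]),
    "middle": DeviceGroup("middle", "top", pre=[Rule("rule-2", "allow", "trust", "untrust", "dns")]),
    "pa":     DeviceGroup("pa", "middle",
                          pre=[Rule("rule-3", "allow", "trust", "untrust", "bittorrent")],
                          post=[Rule("pa-deny-log", "deny", "trust", "untrust")]),
}
LOCAL = [Rule("local-web", "allow", "trust", "untrust", "web-browsing")]


def rule_names(groups=GROUPS, leaf="pa", local=LOCAL) -> List[str]:
    return [r.name for r in effective_rulebase(groups, leaf, local)]


if __name__ == "__main__":
    rb = effective_rulebase(GROUPS, "pa", LOCAL)
    print("Effective order on the firewall:", [r.name for r in rb])
    # The top-level pre-rule wins even though the pa group's own pre-rule allows bittorrent.
    print("trust->untrust bittorrent hits:", first_match(rb, "trust", "untrust", "bittorrent").name)
```

The point of the example is the second print: `rule-3` in the pa group allows bittorrent, but it never gets a chance because `rule-1-block-p2p` in the top group is a pre-rule and is evaluated earlier. The same placement logic is why the reply recommends post-rules for anything a local administrator may need to override.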
06-22-2017 09:21 PM
Hi
Thanks, I wish you would have told me these best practices a few weeks ago 🙂
As for device groups, not exactly what I was using them for, but I did an experiment.
Again, if I have
tier1
tier2
tier3
pa
<device>
and I have in pre:
tier1
policy 1
tier2
policy 2
tier3
policy 3
pa
policy 4
when I look on <device> they show up as:
policy 1
policy 2
policy 3
policy 4
From my reading, tier1 gets processed first and then tier2, etc., which I sort of understand.
As for the Migration Tool, I'm downloading it, but would you be able to give an example of how to do a partial import of a full config using the command line / XML tools? I think that would be better to learn.
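As an added example (not from the original thread and not the Migration Tool's own code), here is what the "pull the rule over the XML API and generate an API call" approach from the earlier reply looks like when done by hand with standard tooling, which also answers the request for an XML-based partial import. The script parses a constructed dump of a device group's pre-rulebase, extracts one rule, and builds the two XML API requests needed: a config `set` that appends the rule to the post-rulebase and a config `delete` that removes it from the pre-rulebase. Nothing is sent; the functions return the request parameters so they can be reviewed before use. The Panorama host, API key and rule contents are placeholders; the xpaths are the standard device-group rulebase paths.

```python
"""Build the PAN-OS XML API calls that move one security rule from a device
group's pre-rulebase to its post-rulebase.

Added example, not from the original thread or the Migration Tool. Nothing is
transmitted: move_rule_calls() returns the parameters for two config requests
(set on the post-rulebase, delete on the pre-rulebase) that you would issue
against https://<panorama>/api/ and then commit and push. The rulebase XML is a
constructed sample shaped like a 'show' on the pre-rulebase xpath.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlencode

PRE_RULEBASE_XML = """
<rules>
  <entry name="rule-3">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>bittorrent</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="rule-4">
    <from><member>any</member></from>
    <to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>
"""

DG_BASE = "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{dg}']"


def rulebase_xpath(dg: str, rulebase: str) -> str:
    """xpath of a device group's pre- or post- security rulebase on Panorama."""
    if rulebase not in ("pre-rulebase", "post-rulebase"):
        raise ValueError(f"unknown rulebase {rulebase!r}")
    if "'" in dg:
        raise ValueError("device-group name would break the xpath quoting")
    return DG_BASE.format(dg=dg) + f"/{rulebase}/security/rules"


def _strip_ws(el: ET.Element) -> None:
    """Drop indentation-only text so the serialized element is compact."""
    for e in el.iter():
        if e.text is not None and not e.text.strip():
            e.text = None
        if e.tail is not None and not e.tail.strip():
            e.tail = None


def extract_rule(rules_xml: str, name: str) -> ET.Element:
    """Pull one <entry> out of a rulebase dump, failing loudly if absent."""
    root = ET.fromstring(rules_xml)
    for entry in root.findall("entry"):
        if entry.get("name") == name:
            _strip_ws(entry)
            return entry
    raise KeyError(f"rule {name!r} not found in rulebase")


def move_rule_calls(dg: str, rule_name: str, rules_xml: str, api_key: str) -> List[Dict[str, str]]:
    """Parameters for [set-into-post-rulebase, delete-from-pre-rulebase]."""
    if "'" in rule_name:
        raise ValueError("rule name would break the xpath quoting")
    element = ET.tostring(extract_rule(rules_xml, rule_name), encoding="unicode")
    add_to_post = {
        "type": "config", "action": "set",
        "xpath": rulebase_xpath(dg, "post-rulebase"),
        "element": element, "key": api_key,
    }
    remove_from_pre = {
        "type": "config", "action": "delete",
        "xpath": rulebase_xpath(dg, "pre-rulebase") + f"/entry[@name='{rule_name}']",
        "key": api_key,
    }
    return [add_to_post, remove_from_pre]


def to_url(host: str, params: Dict[str, str]) -> str:
    """Render one request as the URL you would GET (or POST the same params)."""
    return f"https://{host}/api/?" + urlencode(params)


if __name__ == "__main__":
    for p in move_rule_calls("pa", "rule-3", PRE_RULEBASE_XML, "REDACTED-API-KEY"):
        print(to_url("panorama.example.net", p))  # placeholder host
    print("then commit on Panorama and push to the device group")
```

Both requests change only the candidate configuration, so issuing the `set` before the `delete` and committing once afterwards means the rule is never absent from the running config. Note that `set` appends the rule at the end of the post-rulebase; if it needs a particular position relative to existing post-rules, reorder it (in the Panorama UI or with a further API call) before committing. Also remember that after the move the rule is evaluated after the firewall's local rules, so check whether any local rule now shadows it.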