11-29-2021 03:54 AM
Hello,
I have several devices managed from Panorama, all on version 9.1.7.
When I commit from the team, it shows the rule shadow warnings, but when I do the same from Panorama they are not shown.
Does anyone know the reason for this?
Is it possible to see the shading rules from Panorama?
Regards
11-29-2021 04:06 PM
Thank you for posting the question, @Alpalo.
I believe the reason why you are not seeing a shadow rule warning while committing the Panorama configuration is that you are committing rules that are being pushed by Panorama, and within those rules you do not have any shadow rules. However, while committing the local Firewall configuration, you are seeing shadow rules that were locally configured. Since Panorama does not own and manage locally configured rules, you will not see that warning from Panorama.
I can't think of a way to get that view of shadow rules from Panorama other than going to: Device Group > Security > Preview Rules > Rule Base: Security, then selecting the Device Group and Device. You will then get a view of all the rules (pushed by Panorama and local). You can refer to rule usage to see rules that are not getting hit.
An alternative could be a 3rd party tool, for example Firemon, to detect redundant/unnecessary rules, but this is far off the topic.
Kind Regards
Pavel
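
An added example (not part of the reply above and not Palo Alto Networks code) of a shadow check over an ordered rulebase, showing why a view limited to Panorama-pushed rules can miss shadowing that involves a locally configured rule. It assumes the PAN-OS evaluation order of Panorama pre-rules, then local rules, then Panorama post-rules; the rule names, the `Rule` model and exact string matching without address-object or service resolution are simplifications made up for illustration.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})
FIELDS = ("src_zone", "dst_zone", "src", "dst", "app", "service")

@dataclass(frozen=True)
class Rule:                      # hypothetical, simplified rule model
    name: str
    origin: str                  # "panorama-pre", "local" or "panorama-post"
    src_zone: frozenset
    dst_zone: frozenset
    src: frozenset
    dst: frozenset
    app: frozenset
    service: frozenset

def rule(name, origin, **kw):
    """Build a Rule; any match field not given defaults to 'any'."""
    return Rule(name, origin, *(frozenset(kw.get(f, ["any"])) for f in FIELDS))

def covers(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return inner <= outer

def find_shadowed(rules):
    """Return (shadowing, shadowed) name pairs; the first covering rule wins."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in FIELDS):
                pairs.append((earlier.name, later.name))
                break
    return pairs

# Constructed sample rulebase (not taken from any real device).
PRE = [rule("pre-allow-web", "panorama-pre", src_zone=["trust"],
            dst_zone=["untrust"], app=["web-browsing", "ssl"])]
LOCAL = [rule("local-allow-all-out", "local", src_zone=["trust"], dst_zone=["untrust"])]
POST = [rule("post-allow-dns", "panorama-post", src_zone=["trust"],
             dst_zone=["untrust"], app=["dns"])]

if __name__ == "__main__":
    print("Panorama rules only:", find_shadowed(PRE + POST))
    print("Effective on device:", find_shadowed(PRE + LOCAL + POST))
```

The check ignores the rule action on purpose: a later rule that can never match is shadowed whether the earlier rule allows or denies.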
12-02-2021 02:06 PM
Thank you for the reply, @Alpalo.
Do you mean you imported local Firewall configuration into Panorama and pushed it back to Firewall from Device Group?
Kind Regards
Pavel
12-03-2021 12:00 AM
No, the configuration is pushed from Panorama.