Panorama Pre rule reuse with firewall type but different inside zones

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Panorama Pre rule reuse with firewall type but different inside zones

L2 Linker

I want to reuse a pre ruleset because all firewalls of a type get these firewall rules. The issue is the inside interfaces are different zone names. Whats the best way to handle that situation while using the "no any zone" best practice? I am alreadly overriding an object-group to specify these zones networks. We cannot override the zones of a policy rule unfortunately.

1 accepted solution

Accepted Solutions

if you think that's likely to happen often then you may be best to add all the same zones to all the firewalls, you don't have to have them used anywhere, just exist. then you can have one policy for all and sleep most of the day....   

View solution in original post

6 REPLIES 6

L7 Applicator

I'm not sure if i read you correctly but I just clone the policy, change the zone information as required  and only have the intended firewall ticked in the target window.

Hi MickBall, I thought about that too but when a rule changes across the board you now have to update that change across your fleet. That is hard to do if you all your rules sets are technically now separate. 😞

I wish there was a way to override the zones. 😕

There only place that is consistent for the zones are using the outside interface as a reference point. That isn't using Palo Alto best practice of using "no any" for zone.

if you think that's likely to happen often then you may be best to add all the same zones to all the firewalls, you don't have to have them used anywhere, just exist. then you can have one policy for all and sleep most of the day....   

Yea, that was my next guess. I will have to pick out the most common amongst all the firewalls and add them. Thanks!

  • 1 accepted solution
  • 3882 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!