Same object different details

L1 Bithead

We've a number of firewalls managed via Panorama.

A number of those firewalls will have the same policy, except that the source or destination address will change depending on where the firewall is deployed.

For example, a rule to allow the remote sites (on one side of the firewall) access to an intranet within the main site would always have the same destination/port (the Web server on HTTPS), but the source would be the user LAN on each site.

Is there any way to create these rules at the Device Group level, but then have the object which describes the Local LAN overridden on each firewall?

Phil.

Accepted Solution

There does exist a mechanism in 5.0 and greater code that would allow this to work. The feature is called Dynamic Address Objects, and is used with the XML API. Essentially, you create a dynamic object on all the firewalls and update the address using the XML.

Each firewall will have the same object, so you can use the same policy for all firewalls, but the dynamic address is different based on how you populate it with the script.

Here's a doc on how that works:

https://live.paloaltonetworks.com/docs/DOC-4121

If you're not going to be changing the objects at all once created, you can create them on each firewall as a local object. You can refer to that address object in Panorama rules, and you won't have to create a separate rule for each firewall. For that there is nothing special to do other than ensure that each firewall has the exact same object name (including capitalization, spacing, etc.).

Hope this helps,

Greg

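The script-driven approach Greg describes (one shared dynamic object in the Panorama rule, populated differently on each firewall through the XML API) looks roughly like the following. This is an added example, not code from the original thread or from Palo Alto Networks. It assumes the tag-based `uid-message` register/unregister format used by Dynamic Address Groups in later PAN-OS releases; the PAN-OS 5.0 dynamic address object payload documented at DOC-4121 differs, so adapt `build_register_message` to whatever format your version accepts. Whether a prefix such as `10.10.0.0/16` (rather than single host addresses) is accepted by the register call also depends on the PAN-OS version. The hostnames, the `SITE_LANS` mapping and the tag name `Local-LAN` are constructed for the example.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample data (assumption): the user LAN(s) each firewall should
# carry in the shared dynamic object. In practice this comes from your IPAM.
SITE_LANS = {
    "fw-london": ["10.10.0.0/16"],
    "fw-paris": ["10.20.0.0/16", "10.21.0.0/24"],
}

# Tag that the Dynamic Address Group referenced by the Panorama rule matches on
# (hypothetical name; it must be identical on every firewall).
DAG_TAG = "Local-LAN"


def build_register_message(prefixes, tag=DAG_TAG, unregister=()):
    """Build a uid-message that registers `prefixes` under `tag` and unregisters
    any stale entries, so the dynamic object converges to exactly `prefixes`.
    Uses the tag-based format of later PAN-OS releases (assumption, see lead-in)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if unregister:
        unreg = ET.SubElement(payload, "unregister")
        for ip in unregister:
            entry = ET.SubElement(unreg, "entry", ip=ip)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    reg = ET.SubElement(payload, "register")
    for ip in prefixes:
        entry = ET.SubElement(reg, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def registered_ips(xml_text, tag=DAG_TAG):
    """Parse a uid-message back into the set of addresses registered under `tag`.
    Useful as a pre-push check of what a run is about to change."""
    root = ET.fromstring(xml_text)
    return {
        entry.get("ip")
        for entry in root.iterfind("./payload/register/entry")
        if any(m.text == tag for m in entry.iterfind("./tag/member"))
    }


def build_request(host, api_key, uid_xml):
    """Return (url, body) for the XML API 'user-id' call. The key and the XML go
    in a POST body rather than the query string so they stay out of proxy and
    web-server access logs."""
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return f"https://{host}/api/", body.encode()


def plan_updates(site_lans, stale=None):
    """Per-firewall uid-message: same object name everywhere, different members."""
    stale = stale or {}
    return {
        host: build_register_message(prefixes, unregister=stale.get(host, ()))
        for host, prefixes in site_lans.items()
    }


def push(host, api_key, uid_xml):
    """Send one update. Not called in the offline demo; urlopen verifies the
    firewall's certificate, so the management interface needs a trusted cert."""
    url, body = build_request(host, api_key, uid_xml)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for host, xml_text in plan_updates(SITE_LANS).items():
        print(host, sorted(registered_ips(xml_text)))
```

Use an API key generated for a dedicated admin whose role only grants the User-ID / XML API permissions the script needs, not a superuser key, and keep it out of the script itself. The `unregister` branch matters in practice: registrations persist on the firewall until removed, so a site whose LAN is renumbered will otherwise keep matching the old range.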

L4 Transporter

Hello Pcook,

I see from the question that multiple firewalls are being managed by Panorama and they are getting the security rules pushed from Panorama.

The rules are such that the destination IP and port are the same; only the source varies.

There is no option to change the source IP on the firewall once the rule is pushed from Panorama. But we can have source address / address group objects created on Panorama (specific to each firewall) and then push them to the firewalls, such that there is no need to change the source address once pushed.

Thanks

L5 Sessionator

Hi,

You will need to create a separate policy for each address.

One way I can think of is to add all the addresses in the same policy and then push it, but doing this will leave unwanted addresses in the policy on the different devices.


Thank you

Numan

L1 Bithead

Thank you both - I was afraid that was the case.

I'll have to think about how this is going to affect our designs.

It's a shame that you can't override the policy at each firewall, in the same way you can with Templates. Does anyone know if this is on the road map at all? Should I suggest it?

Phil.

I do not believe there is a feature request on it. However, if you would like to see a feature on this, you can contact your local Sales Engineer and he should be able to help you file it.

Regards,

Numan


That might well be the answer, thank you.
