11-25-2013 05:42 AM
We've a number of firewalls managed via Panorama.
A number of those firewalls will have the same policy, except that the source or destination address will change depending on where the firewall is deployed.
For example, a rule to allow the remote sites (onside of the firewall) access to an intranet within the main site would always have the same destination/port (the Web server on HTTPS), but the source would be the user LAN on each site.
Is there any way to create these rules at the Device Group level, but then have the object which describes the Local LAN overridden on each firewall?
Phil.
11-26-2013 09:26 AM
There does exist a mechanism in 5.0 and greater code that would allow this to work. The feature is called Dynamic Address Objects, and is used with the XML API. Essentially, you create a dynamic object on all the firewalls and update the address using the XML.
Each firewall will have the same object, so you can use the same policy for all firewalls, but the dynamic address is different based on how you populate it with the script.
Here's a doc on how that works:
https://live.paloaltonetworks.com/docs/DOC-4121
If you're not going to be changing the objects at all once created, you can create them on each firewall as a local object. You can refer to that address object in Panorama rules, and you won't have to create a separate rule for each firewall. For that there is nothing special to do other than ensure that each firewall has the exact same object name (including capitalization, spacing, etc.).
Hope this helps,
Greg
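As an added illustration of the approach Greg describes (this is example code, not Palo Alto Networks' code and not from the linked document): a small script that builds the XML API `user-id` register message which populates a per-site "local LAN" dynamic object, so that one Panorama rule referencing that object matches a different prefix on each firewall. Assumptions are labelled in the code: the tag name `site-local-lan`, the hostnames and prefixes in `SITES` (constructed sample inventory), and an API key supplied via the `PANOS_API_KEY` environment variable. The message shape is the standard `<uid-message>` register payload; whether a whole subnet (rather than a single host address) can be registered depends on the PAN-OS release, so check the XML API reference for the release in use.

```python
"""Populate a per-site 'local LAN' dynamic address object on each firewall.

Added example for this thread, not vendor or poster code. Assumptions:
  * each firewall exposes the PAN-OS XML API (type=user-id, key=...);
  * the Panorama rule references a dynamic object that matches on
    LOCAL_LAN_TAG, and that tag name is spelled identically on every firewall;
  * SITES is a constructed inventory mapping firewall -> user LAN prefix.
"""
import os
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

LOCAL_LAN_TAG = "site-local-lan"   # assumed tag name; must match on all firewalls

# Constructed sample inventory: firewall hostname -> user LAN prefix at that site.
SITES = {
    "fw-site-a.example.net": "10.10.0.0/24",
    "fw-site-b.example.net": "10.20.0.0/24",
}


def build_register_message(address: str, tag: str, unregister: bool = False) -> str:
    """Return the <uid-message> XML that registers (or unregisters) `address` with `tag`.

    Built with ElementTree so that input values are escaped instead of
    concatenated into the XML by hand.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    action = ET.SubElement(payload, "unregister" if unregister else "register")
    entry = ET.SubElement(action, "entry", ip=address)
    if not unregister:
        entry.set("persistent", "1")   # keep the registration across a reboot
    tags = ET.SubElement(entry, "tag")
    ET.SubElement(tags, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def message_for_site(hostname: str) -> str:
    """Look up the site's LAN prefix and return the register message for it."""
    return build_register_message(SITES[hostname], LOCAL_LAN_TAG)


def send_user_id(hostname: str, api_key: str, uid_xml: str, timeout: int = 10) -> str:
    """POST the message to the firewall's XML API and return the raw reply.

    TLS verification stays on: trust the firewall's certificate CA rather
    than disabling checks, since the API key travels in this request.
    """
    url = f"https://{hostname}/api/"
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_xml}
    ).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode()


def response_ok(body: str) -> bool:
    """True when the API reply is <response status="success">."""
    return ET.fromstring(body).get("status") == "success"


if __name__ == "__main__":
    key = os.environ.get("PANOS_API_KEY")
    if not key:
        sys.exit("set PANOS_API_KEY (generate it with the XML API keygen call)")
    for fw in SITES:
        reply = send_user_id(fw, key, message_for_site(fw))
        print(fw, "ok" if response_ok(reply) else "FAILED: " + reply)
```

The same message with `unregister=True` removes a prefix when a site is re-addressed, and the `persistent="1"` attribute keeps the registration through a reboot so the rule does not silently stop matching after maintenance. Because the rule matches on the tag rather than on a literal address, the tag name carries the same caveat Greg gives for local objects: it must be identical, including case, on every firewall.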
11-25-2013 07:40 AM
Hello Pcook,
I see from the question that multiple firewalls are being managed by Panorama and they are getting the security rules pushed from Panorama.
The rules are such that the destination IP and port are the same; only the source varies.
There is no option to change the source IP on the firewall once the rule is pushed from the panorama. But we can have source address / address group objects created on panorama ( specific to each firewall ) and then push it to the firewalls such that there is no need for changing the source address once pushed.
Thanks
11-25-2013 09:06 AM
Hi,
You will need to create separate policy for different address.
One way I can think of is to add all the addresses to the same policy and then push, but doing this will have unwanted addresses in the policy on different devices.
Thank you
Numan
11-26-2013 12:53 AM
Thank you both - I was afraid that was the case.
I'll have to think about how this is going to affect our designs.
It's a shame that you can't override the policy at each firewall, in the same way you can with Templates. Does anyone know if this is on the road map at all? Should I suggest it?
Phil.
11-26-2013 08:29 AM
I do not believe there is a Feature request on it. However if you would like to see a Feature on this you can contact your Local Sales Engineer and he should be able to help you file it.
Regards,
Numan
11-28-2013 01:41 AM
That might well be the answer, thank you.