Disable inherited policies in a Device Group

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Disable inherited policies in a Device Group

L4 Transporter

I'm guessing this would be a Feature Request, as it's something that's not available in Panorama 7.x, 8.x, or 9.x (haven't checked 10.x).


Is there a way to disable Policies (whether Security, NAT, QoS, etc) that have been inherited via the Device Group hierarchy?


Meaning, if I have 3 Devices Groups (GP, Parent, Child), and I put 10 Security Policies into GP, and 10 different Security Policies into Parent, is there any way to mark those as "disabled" within the Child Device Group?


So far, I have not been able to find a way to do this from within the Child Device Group context.  I can disable the rule in the DG they originate in, but that marks it as disabled for all device groups lower in the hierarchy.


Why do I want to do this, you ask?  Because it would be really nice to be able to write a single set of Security Policies to cover all configurations in the GP, some more specific Security Policies in the Parent, and then just disable the ones that don't apply in specific Child device groups.


Right now, we have 50 firewalls that cover elementary schools, secondary schools, and non-school / admin sites.  They all get the same base set of rules that are defined in a common parent device group.  Then we have a set of rules that are specific to an HVAC panel, to a PA system, to an irrigation controller, to a sign controller, and to a couple other one-off devices.  These are created in the Child DG for each firewall, and we have to clone these to other Child DGs when the devices get installed into other buildings.  It's a pain keeping track of which schools have which rules enabled when cloning needs to happen for a new device.


It would be nice to just have all the rules available to all Child DGs, and we just enable/disable the relevant rules in the Child DG.


Cyber Elite
Cyber Elite

Hi @fjwcash ,


Every policy in a Device Group has a Target tab for which you can enable or disable policies.  There is also a check box "Target to all but these specified devices and tags."  So, it looks like you can do everything that you want with the Target tab.  It looks like you can also use tags to make the process more efficient.  This is the only URL I can find -> https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-device-groups....


This is cool!  I can't find any docs, but under Panorama > Managed Devices > Summary, you can add tags to devices.  These tags show up under the policy rule Target tab under Filters or Tabs.  You can create tags that mirror you child DGs, and you have a working solution today.





Help the community: Like helpful comments and mark solutions.

L4 Transporter

Interesting.  Seems like an overly complicated, round-about way compared to making the "enabled" tag override-able.  🙂  Wonder what the Policies tab --> Security Policies --> Post page would look like?  Would you see all the rules as "enabled" and then have to drill down into specific rules to see what it's targeted to?  Or have to use the "Preview Rules" button to see what will actually get pushed to the firewall?


Still think having the enable/disable toggle work in child device groups is a better/cleaner solution.  🙂


(Could also be that our device group hierarchy isn't ideal and there's better ways to arrange things.  We have 1 firewall per child device group.)

L4 Transporter

Ah, there's a Target column in the Policy view page.  By default, it lists "any" which includes all devices in all child device groups to where the policy is created.


In theory, we could create our one-off rules in the GP Device Group, and target them to only the specific Child Device Groups (aka specific firewalls) where it's needed.  As we add those devices to more sites, we add them to the target list.  Eventually (hopefully), that list grows to include all Child Device Groups and it switches over to "any".


Neat.  I think this will actually work.  Was wondering what the Target tab was for, as I couldn't see a reason for targetting rules to only specific child device groups, but now it (mostly) makes sense!


Thanks for the pointer!  I will have to play with this a bit to see if this will do what I want it to do.


And, I think this will actually help to clean up our one firewall that has completely different Security Policies compared to every other site, so it has an (essentially) duplicated ruleset done in the lowest device group (local to the firewall) with a "Deny all" rule to short-circuit the inherited rules from parent device groups.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!