This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Sharing rulesets between device groups

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Sharing rulesets between device groups

mscioscia
L0 Member

‎11-15-2022 12:11 PM

I currently have a pair of 5250's at my internet edge.  I am adding a pair of 5410's in the datacenter and another 5410 in a DR site.  The 5410 at the DR site needs the rules from both other device groups(internet and datacenter) as well as the multiple vsys from the datacenter.  However the datacenter and internet edge devices will not share configs/rules.  What is the best way to go about this?  I 've only ever managed a single device group in Panorama and It's not clear whether or not what I am describing is possible.

Thanks for any guidance

0 Likes Likes
1 REPLY 1

PavelK
Cyber Elite
Cyber Elite

‎11-15-2022 01:48 PM

Hello @mscioscia

 

thanks for your post in LIVEcommunity!

 

The requirement you mentioned is typically accomplished by Device Group Hierarchy. Any configuration in Device Group will be automatically inherited from top Device Group to all lower level Device Groups: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewal...

 

If you currently have a single Device Group, I would recommend to create a new hierarchy either based on location or function or combination of both, then place each of the Firewall into own Device Group.

 

For example:

Shared

  Data Center

    [DC Name]

    [DC DR Name]

  Offices

    [Office Name]

 

With the above hierarchy, anything that you configure in Device Group "Shared" will be inherited to all Device Groups. Anything you configure in Data Center will be inherited to all your DC Device Groups. You can create multiple Device Group to serve only as a place holders in hierarchy. Keep in mind that under Shared Device Group you can configure depth of up to 4 Device Groups.

 

Since you mentioned you have all your policies in the single Device Group, by building new Device Group Hierarchy, you might have to migrate your existing policies to upper level Device Group. You can select multiple rules and do a bulk clone to upper level Device Group, then delete policies from existing Device Group.

 

I hope this helps.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 1156 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks