This had been a known limit, which is addressed in 5.0 to an extent. 5.0 offers an option to set up shared policies. This new feature adds the ability for Panorama admins to add an additional layer of pre and post rules that will be applied to all Device Groups managed by the Panorama instance. You can also set up admin access control options, so the rules are only editable by privileged admins and cannot be changed by Device Group admins.

Another new feature for Shared Policy is the Shared Objects Take Precedence option, which is located in Panorama > Setup > Management > General Settings. When this option is unchecked, device groups override corresponding objects of the same name from a shared location. If the option is checked, device group objects cannot override corresponding objects of the same name from a shared location, and any device group object with the same name as a shared object will be discarded.

To access this feature, select the Policies tab and then select Shared from the Device Group drop-down. With an XML editor it may be possible to copy an existing ruleset.

Please mark it as 'Correct answer or helpful' if you