I'm guessing this would be a Feature Request, as it's something that's not available in Panorama 7.x, 8.x, or 9.x (haven't checked 10.x).
Is there a way to disable Policies (whether Security, NAT, QoS, etc) that have been inherited via the Device Group hierarchy?
Meaning, if I have 3 Device Groups (GP, Parent, Child), and I put 10 Security Policies into GP, and 10 different Security Policies into Parent, is there any way to mark those as "disabled" within the Child Device Group?
So far, I have not been able to find a way to do this from within the Child Device Group context. I can disable the rule in the DG they originate in, but that marks it as disabled for all device groups lower in the hierarchy.
Why do I want to do this, you ask? Because it would be really nice to be able to write a single set of Security Policies to cover all configurations in the GP, some more specific Security Policies in the Parent, and then just disable the ones that don't apply in specific Child device groups.
Right now, we have 50 firewalls that cover elementary schools, secondary schools, and non-school / admin sites. They all get the same base set of rules that are defined in a common parent device group. Then we have a set of rules that are specific to an HVAC panel, to a PA system, to an irrigation controller, to a sign controller, and to a couple other one-off devices. These are created in the Child DG for each firewall, and we have to clone these to other Child DGs when the devices get installed into other buildings. It's a pain keeping track of which schools have which rules enabled when cloning needs to happen for a new device.
It would be nice to just have all the rules available to all Child DGs, and we just enable/disable the relevant rules in the Child DG.