To echo rmonvon's comment... you can safely commit the shared config. So long as you have not created any conflicting pre-rules in a firewall's device group, it will not break your existing policies. To my knowledge, the only way to get the local device policy and objects into Panorama is by manually creating them.

That said, you might look at using pre and post rules to make things more maintainable in your environment...

We have firewall pairs at each of our remote offices that are managed by Panorama. I used the same zone names at each site (in fact, the firewalls were all configured according to a very specific config standard). My rules for Internet access, MPLS, and local DMZs are all in the 'pre' and 'post' sections of the rulebase. These rules use the same security profiles enterprise-wide; when I need to tune out a false positive, enable a signature, etc., I can change the profile in Panorama and do a global push.

My local rules use global objects whenever possible. When I wanted to enable Wildfire, all I had to do was add the file blocking profile in my global rule. In 5 minutes' time, I had deployed Wildfire enterprise-wide. When we stand up a new domain controller, I can simply add it to our 'domain controller' group object. Syncing to managed devices means that all rules, global and local, pick up the new IP.

In our deployment, the local device policy is used only for site-specific rules. Each site has, at most, 5 or 6 local rules. Everything else comes from shared policy.
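The two caveats in the post above, that a conflicting pre-rule can override a local rule, and that local rules only track Panorama changes when they reference shared objects, can be checked mechanically before a commit. The following is an added example, not code from the post's author or from Palo Alto Networks: it models the evaluation order a managed firewall applies (shared pre-rules, then the device's local rules, then shared post-rules) over a small constructed rulebase, reports any rule that is fully shadowed by an earlier one (with a flag when the actions differ), and lists local rules that reference objects not defined in the shared scope. Rule names, zone names, object names and their scopes are all constructed sample data; the match model (zone, source, destination, application) is a deliberate simplification of a real security rule.

```python
"""Lint a Panorama-style rulebase: shared pre-rules, then device-local rules,
then shared post-rules. Two checks worth running before pushing shared policy:
(1) a pre-rule that already matches all of a local rule's traffic shadows it,
and if the actions differ the local rule is silently overridden;
(2) local rules that reference device-local objects will not pick up edits
made to shared objects in Panorama (e.g. a new member of a shared group).
All names below are constructed sample data, not real policy.
"""
from dataclasses import dataclass

ANY = "any"
SCOPE_RANK = {"pre": 0, "local": 1, "post": 2}   # evaluation order on the device


@dataclass(frozen=True)
class Rule:
    name: str
    scope: str              # "pre" | "local" | "post"
    from_zone: str
    to_zone: str
    source: frozenset       # object names, or {"any"}
    destination: frozenset
    application: frozenset
    action: str             # "allow" | "deny"


def _set_covers(outer: frozenset, inner: frozenset) -> bool:
    """True if every member of `inner` is matched by `outer` ('any' matches all)."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    return inner <= outer


def _zone_covers(outer: str, inner: str) -> bool:
    return outer == ANY or outer == inner


def covers(outer: Rule, inner: Rule) -> bool:
    """True if any traffic matching `inner` would already match `outer`."""
    return (_zone_covers(outer.from_zone, inner.from_zone)
            and _zone_covers(outer.to_zone, inner.to_zone)
            and _set_covers(outer.source, inner.source)
            and _set_covers(outer.destination, inner.destination)
            and _set_covers(outer.application, inner.application))


def effective_order(rules):
    """Order rules as the firewall evaluates them: pre, local, post (stable within a scope)."""
    return sorted(rules, key=lambda r: SCOPE_RANK[r.scope])


def shadowed_rules(rules):
    """Return (shadowed_rule, shadowing_rule, action_conflict) for each rule that can
    never be hit because an earlier rule in the effective order matches all its traffic."""
    findings = []
    ordered = effective_order(rules)
    for i, rule in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, earlier.name, earlier.action != rule.action))
                break
    return findings


def local_rules_using_local_objects(rules, objects):
    """Return {rule_name: [object names]} for local rules whose source or
    destination references an object that is not defined in the shared scope."""
    result = {}
    for rule in rules:
        if rule.scope != "local":
            continue
        non_shared = sorted(o for o in rule.source | rule.destination
                            if o != ANY and objects.get(o) != "shared")
        if non_shared:
            result[rule.name] = non_shared
    return result


# Constructed sample data: object scopes as Panorama would hold them.
OBJECTS = {
    "Domain-Controllers": "shared",
    "Backup-Server": "shared",
    "DMZ-NAS": "shared",
    "Printer-A": "local",        # defined only on the remote-site firewall
}


def members(*names):
    return frozenset(names)


SAMPLE_RULES = [
    Rule("Site-Backup-SMB", "local", "Trust", "DMZ", members("Backup-Server"), members("DMZ-NAS"), members("ms-ds-smb"), "allow"),
    Rule("Site-Print", "local", "Trust", "DMZ", members(ANY), members("Printer-A"), members("lpd"), "allow"),
    Rule("Allow-AD", "pre", "Trust", "DMZ", members(ANY), members("Domain-Controllers"), members("kerberos", "ldap"), "allow"),
    Rule("Deny-SMB-to-DMZ", "pre", "Trust", "DMZ", members(ANY), members(ANY), members("ms-ds-smb"), "deny"),
    Rule("Allow-Internet", "pre", "Trust", "Untrust", members(ANY), members(ANY), members(ANY), "allow"),
    Rule("Deny-All", "post", ANY, ANY, members(ANY), members(ANY), members(ANY), "deny"),
]

if __name__ == "__main__":
    for shadowed, by, conflict in shadowed_rules(SAMPLE_RULES):
        print(f"{shadowed} is shadowed by {by}" + (" (action differs!)" if conflict else ""))
    for name, objs in local_rules_using_local_objects(SAMPLE_RULES, OBJECTS).items():
        print(f"{name} references device-local objects: {objs}")
```

On the sample data, the shared pre-rule Deny-SMB-to-DMZ fully covers the local Site-Backup-SMB rule with the opposite action, which is exactly the "conflicting pre-rule" case the post warns about, while Site-Print is flagged because Printer-A exists only on the local device and would not benefit from a Panorama-side object change.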