If I knew then what I know now.....

1. Use Panorama for (almost) everything. Building all objects, profiles, zones, and policies in Panorama has numerous manageability/scalability benefits. Other than network interfaces, virtual routers, and IPSec tunnels, build everything else in Panorama and push it to the firewalls.

2. Use nested device groups in Panorama to create a hierarchy for shared security policies. This allows a single rule, created once, to be applied to multiple firewalls.

3. Template grouping should be based on device model due to zone limitations. Device grouping should be based on function or purpose.

4. Using tags, and corresponding colors, in your security rules helps with visually grouping the rules, and can also help with searching and filtering.
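To make point 2 concrete, here is an added example (not from the post above, and not Panorama's own code) that models how a firewall in a nested device group ends up evaluating its rulebase: pre-rules from Shared down through each ancestor, then the firewall's locally defined rules, then post-rules from the leaf device group back up to Shared. The device-group names and rule names are constructed.

```python
# Added example: a small model of Panorama policy ordering for nested device
# groups. Assumed evaluation order: Shared pre-rules, ancestor pre-rules down to
# the firewall's own device group, local firewall rules, then post-rules from
# the firewall's device group back up to Shared. All names are constructed.

from dataclasses import dataclass, field


@dataclass
class DeviceGroup:
    name: str
    parent: "DeviceGroup | None" = None
    pre_rules: list[str] = field(default_factory=list)
    post_rules: list[str] = field(default_factory=list)


def lineage(dg: DeviceGroup) -> list[DeviceGroup]:
    """Return the chain [Shared, ..., dg], root first."""
    chain = []
    node = dg
    while node is not None:
        chain.append(node)
        node = node.parent
    return list(reversed(chain))


def effective_rulebase(dg: DeviceGroup, local_rules: list[str]) -> list[str]:
    """Order in which a firewall assigned to `dg` evaluates security rules."""
    chain = lineage(dg)
    pre = [r for node in chain for r in node.pre_rules]              # root -> leaf
    post = [r for node in reversed(chain) for r in node.post_rules]  # leaf -> root
    return pre + local_rules + post


# Constructed hierarchy: Shared -> Branches -> Branch-East.
# A block rule placed once as a Shared pre-rule lands ahead of every
# child-level allow, which is the point of building the hierarchy.
shared = DeviceGroup("Shared", pre_rules=["block-known-bad"], post_rules=["log-deny-all"])
branches = DeviceGroup("Branches", parent=shared,
                       pre_rules=["allow-sdwan-mgmt"], post_rules=["deny-branch-to-branch"])
east = DeviceGroup("Branch-East", parent=branches, pre_rules=["allow-east-printers"])

if __name__ == "__main__":
    for i, rule in enumerate(effective_rulebase(east, ["local-lab-allow"]), 1):
        print(i, rule)
```

Run it to see that a locally added allow on the branch firewall can never get ahead of the Shared pre-rule, while a Shared post-rule only catches traffic nothing else matched.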