So we have our device groups laid out like this (there's more, but you get the idea): Shared > Regional > Site. The devices are members of the Site device group and have a master device, allowing me to push User-ID rules down through Panorama. If I want to do Regional or Shared User-ID rules, I have to collapse the device groups so they're all members of the same group (so I would have to delete all the Site groups, put them all into a Regional one, and assign a master device). When I talked with a colleague, he recommended putting a "Collector" device group above the regional ones, putting a spare box in there as the master, and it should cascade the group mappings down (in Panorama). It didn't. The documentation I've read online either covers how to handle large-network User-ID redistribution, OR device group management for policies – but never together. We want to be able to do this because people move between sites within a region, and we don't want to have to replicate all the rules or manage two sets of rules.