Sharing rulesets between device groups



L0 Member

I currently have a pair of 5250s at my internet edge. I am adding a pair of 5410s in the datacenter and another 5410 in a DR site. The 5410 at the DR site needs the rules from both other device groups (internet and datacenter) as well as the multiple vsys from the datacenter. However, the datacenter and internet edge devices will not share configs/rules. What is the best way to go about this? I've only ever managed a single device group in Panorama and it's not clear whether or not what I am describing is possible.

Thanks for any guidance

1 reply

Cyber Elite

Hello @mscioscia


Thanks for your post in LIVEcommunity!


The requirement you mentioned is typically accomplished by a Device Group Hierarchy. Any configuration in a Device Group is automatically inherited from the top Device Group by all lower-level Device Groups: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewal...


If you currently have a single Device Group, I would recommend creating a new hierarchy based on location, function, or a combination of both, then placing each firewall into its own Device Group.


For example:

Shared
  Data Center
    [DC Name]
    [DC DR Name]
  Offices
    [Office Name]


With the above hierarchy, anything that you configure in the Device Group "Shared" will be inherited by all Device Groups. Anything you configure in Data Center will be inherited by all your DC Device Groups. You can create multiple Device Groups that serve only as placeholders in the hierarchy. Keep in mind that under the Shared Device Group you can configure a depth of up to 4 Device Groups.


Since you mentioned you have all your policies in a single Device Group, when building the new Device Group Hierarchy you might have to migrate your existing policies to an upper-level Device Group. You can select multiple rules and bulk clone them to the upper-level Device Group, then delete the policies from the existing Device Group.


I hope this helps.


Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
  • 875 Views
  • 1 replies
  • 0 Likes
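The inheritance described in the reply above can be checked in a small model before touching Panorama. The following Python is an added example, not Palo Alto Networks code and not anything posted in this thread: it models Shared as the root, lets each Device Group name a parent, computes the rulebase a firewall in a given group receives (pre-rules from Shared downward, post-rules from the leaf upward, which is Panorama's evaluation order), enforces the depth limit of 4 below Shared mentioned in the reply, and mimics the "clone to the upper-level group, then delete from the original" migration step. All group and rule names ("DC-Main", "DC-DR", "allow-app-to-db", and so on) are constructed for illustration.

```python
"""
Toy model of a Panorama Device Group hierarchy (added example, not
Palo Alto Networks code). Shared is the root; every other Device Group
names a parent; a firewall in a group inherits the rules of every
ancestor. Pre-rules are evaluated root-first and post-rules leaf-first,
matching Panorama's rulebase ordering. Names are constructed samples.
"""
from dataclasses import dataclass, field

MAX_DEPTH_BELOW_SHARED = 4  # nesting limit under Shared stated in the reply


@dataclass
class Rule:
    name: str
    position: str  # "pre" or "post"


@dataclass
class DeviceGroup:
    name: str
    parent: "DeviceGroup | None" = None
    rules: list = field(default_factory=list)

    def ancestors(self):
        """Root-first chain: Shared, ..., self."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return list(reversed(chain))

    def depth_below_shared(self):
        return len(self.ancestors()) - 1


def build_hierarchy():
    """Build the location-based tree from the reply with constructed names."""
    shared = DeviceGroup("Shared")
    dc = DeviceGroup("Data Center", shared)
    offices = DeviceGroup("Offices", shared)
    dc_main = DeviceGroup("DC-Main", dc)       # constructed: "[DC Name]"
    dc_dr = DeviceGroup("DC-DR", dc)           # constructed: "[DC DR Name]"
    office1 = DeviceGroup("Office-1", offices) # constructed: "[Office Name]"
    shared.rules += [Rule("block-bad-reputation", "pre"), Rule("log-deny-all", "post")]
    dc.rules += [Rule("allow-app-to-db", "pre")]
    dc_main.rules += [Rule("allow-backup-to-dr", "pre")]
    office1.rules += [Rule("allow-users-to-internet", "pre")]
    return {g.name: g for g in (shared, dc, offices, dc_main, dc_dr, office1)}


def effective_rules(group):
    """Ordered rulebase a firewall in `group` receives from Panorama."""
    chain = group.ancestors()
    pre = [r.name for g in chain for r in g.rules if r.position == "pre"]
    post = [r.name for g in reversed(chain) for r in g.rules if r.position == "post"]
    return pre + post


def check_depth(groups):
    """Names of groups nested deeper below Shared than Panorama permits."""
    return [g.name for g in groups.values()
            if g.depth_below_shared() > MAX_DEPTH_BELOW_SHARED]


def clone_to_parent(group, rule_name):
    """Mimic 'clone to the upper-level group, then delete from the original'.

    After this, every sibling of `group` inherits the rule as well.
    """
    if group.parent is None:
        raise ValueError("Shared has no parent to clone into")
    rule = next(r for r in group.rules if r.name == rule_name)
    group.parent.rules.append(rule)
    group.rules.remove(rule)
    return group.parent.name


if __name__ == "__main__":
    groups = build_hierarchy()
    for name in ("DC-Main", "DC-DR", "Office-1"):
        print(f"{name}: {effective_rules(groups[name])}")
    print("too deep:", check_depth(groups))
```

Running the block shows that DC-DR already receives the Data Center rule and the Shared rules without sharing anything with Office-1, and that a rule moved from DC-Main to Data Center with `clone_to_parent` appears on DC-DR too; that is the mechanism behind the migration step in the reply. The depth check is the kind of guard worth running on a planned hierarchy before committing it in Panorama.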