Panorama > Device Groups
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Panorama > Device Groups
Device groups comprise firewalls and virtual systems
you want to manage as a group, such as the firewalls that manage
a group of branch offices or individual departments in a company.
Panorama treats these groups as single units when applying policies.
Firewalls can belong to only one device group but, because virtual systems
are distinct entities in Panorama, you can assign virtual systems
within a firewall to different device groups.
You can nest device groups in a tree hierarchy of
up to four levels under the Shared location to implement a layered
approach for managing policies across your network of firewalls.
At the bottom level, a device group can have parent, grandparent,
and great-grandparent device groups at successively higher levels—collectively
called ancestors—from which the bottom-level device
group inherits policies and objects. At the top level, a device
group can have child, grandchild, and great-grandchild device groups—collectively
called descendants. When you select PanoramaDevice Groups,
the Name column displays this device group hierarchy.
After adding, editing, or deleting a device group, perform a
Panorama commit and device group commit (see Panorama
Commit Operations). Panorama then pushes the configuration
changes to the firewalls that are assigned to the device group; Panorama
supports up to 1,024 device groups.
To configure a device group, Add one and
configure the settings as described in the following table.
Device Group Settings | Description |
|---|---|
Name | Enter a name to identify the group (up to
31 characters). The name is case-sensitive, must be unique across
the entire device group hierarchy, and can contain only letters,
numbers, spaces, periods, hyphens, and underscores. |
Description | Enter a description for the device group. |
Devices | Select each firewall that you want to add
to the device group. If the list of firewalls is long, you can filter
by Device State, Platforms, Templates,
or Tags. The Filters section displays (in
parentheses) the number of managed firewalls for each of these categories. If
the purpose of a device group is purely organizational (that is,
to contain other device groups), you don’t need to assign firewalls
to it. |
Select All | Selects every firewall and virtual system
in the list. |
Deselect All | Deselects every firewall and virtual system
in the list. |
Group HA Peers | Select to group firewalls that are peers
in a high availability (HA) configuration. The list then displays
the active (or active-primary in an active/active configuration)
firewall first and the passive (or active-secondary in an active/active
configuration) firewall in parentheses. This enables you to easily identify
firewalls that are in HA mode. When pushing shared policies, you
can push to the grouped pair instead of individual peers. For HA peers in an active/passive configuration,
consider adding both firewalls or their virtual systems to the same
device group. This enables you to push the configuration to both
peers simultaneously. |
Filter Selected | If you want the Devices list to display
only specific firewalls, select the firewalls and then Filter
Selected. |
Parent Device Group | Relative to the device group you are defining,
select the device group (or the Shared location) that is just above
it in the hierarchy (default is Shared). |
Master
Device | To configure policy rules and reports based
on usernames and user groups, you must select a Master
Device. This is the firewall from which Panorama receives
usernames, user group names, and username-to-group mapping information. When
you change the Master Device or set it to None,
Panorama loses all the user and group information received from
that firewall. |
Store
users and groups from Master Device | This option displays only if you select
a Master Device. The option enables Panorama
to locally store usernames, user group names, and username-to-group
mapping information that it receives from the Master Device.
To enable local storage, you must also select PanoramaSetupManagement,
edit the Panorama Settings, and Enable
reporting and filtering on groups. |
Dynamically Added Device Properties—When
a new device is added to the device group, Panorama dynamically
applies the specified authorization code and PAN-OS software version
to the new device. This displays only after a device group is associated
with an NSX service definition in Panorama. | |
Authorization Code | Enter the authorization code to be applied
to devices added to this device group. |
SW Version | Select the software version to be applied
to devices added to this device group. |