Use Device Groups to Push Policy Rules
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on Alibaba Cloud
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on Hyper-V
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on Alibaba Cloud
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on Hyper-V
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
-
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Install Updates for Panorama in an HA Configuration
- Install Updates for Panorama with an Internet Connection
- Install Updates for Panorama When Not Internet-Connected
- Install Updates Automatically for Panorama without an Internet Connection
- Migrate Panorama Logs to the New Log Format
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
-
- Add a Firewall as a Managed Device
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Redistribute Data to Managed Firewalls
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
- Upgrade a Cluster Centrally on Panorama with an Internet Connection
- Upgrade a Cluster Centrally on Panorama without an Internet Connection
-
-
- Manage Licenses on Firewalls Using Panorama
-
- Supported Updates
- Schedule a Content Update Using Panorama
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
- Preview, Validate, or Commit Configuration Changes
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- View Log Query Jobs
- Troubleshoot Commit Failures
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- Complete Content Update When Panorama HA Peer is Down
- View Task Success or Failure Status
- Downgrade from Panorama 10.0
End-of-Life (EoL)
Use Device Groups to Push Policy Rules
The third task in Use
Case: Configure Firewalls Using Panorama is to create the
device groups to manage policy rules on the firewalls.
- Create device groups and assign
the appropriate firewalls to each device group: see Add
a Device Group.In this example, create device groups named DG_BranchAndRegional and DG_DataCenter.When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.
- Create a shared pre-rule to allow DNS and SNMP services.
- Create a shared application group for the
DNS and SNMP services.
- Select ObjectsApplication Group and click Add.
- Enter a Name and select the Shared check box to create a shared application group object.
- Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp, snmp-trap.
- Click OK to create the application group.
- Create the shared rule.
- Select the Policies tab and, in the Device Group drop-down, select Shared.
- Select the SecurityPre-Rules rulebase.
- Click Add and enter a Name for the security rule.
- In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic.
- In the Applications tab, click Add, type the name of the applications group object you just created, and select it from the drop-down.
- In the Actions tab, set the Action to Allow, and click OK.
- Create a shared application group for the
DNS and SNMP services.
- Define the corporate acceptable use policy for all offices.
In this example, create a shared rule that restricts access to some
URL categories and denies access to peer-to-peer traffic that is
of risk level 3, 4, or 5.
- Select the Policies tab and, in the Device Group drop-down, select Shared.
- Select SecurityPre-Rules and click Add.
- In the General tab, enter a Name for the security rule.
- In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination Zone.
- In the Application tab, define
the application filter:
- Click Add and click New Application Filter in the footer of the drop-down.
- Enter a Name, and select the Shared check box.
- In the Risk column, select levels 3, 4, and 5.
- In the Technology column, select peer-to-peer.
- Click OK to save the new filter.
- In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage).
- You can also attach the default URL Filtering profile—In the Actions tab, Profile Setting section, select the Profile Type option Profiles, and select the URL Filtering option default.
- Click OK to save the security pre-rule.
- Allow Facebook for all users in the Marketing group in
the regional offices only.Enabling a security rule based on user and group has the following prerequisite tasks:
- Set up User-ID on the firewalls.
- Enable User-ID for each zone that contains the users you want to identify.
- Define a master firewall for the DG_BranchAndRegional device group (see step 1).
- Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
- Select the SecurityPre-Rules rulebase.
- Click Add and enter a Name for the security rule.
- In the Source tab, Add the Source Zone that contains the Marketing group users.
- In the Destination tab, Add the Destination Zone.
- In the User tab, Add the Marketing user group to the Source User list.
- In the Application tab, click Add, type Facebook, and then select it from the drop-down.
- In the Action tab, set the Action to Allow.
- In the Target tab, select the regional office firewalls and click OK.
- Allow access to the Amazon cloud application for the
specified hosts/servers in the data center.
- Create an address object for the servers/hosts
in the data center that need access to the Amazon cloud application.
- Select ObjectsAddresses and, in the Device Group drop-down, select DG_DataCenter.
- Click Add and enter a Name for the address object.
- Select the Type, and specify an IP address and netmask (IP Netmask), range of IP addresses (IP Range), or FQDN.
- Click OK to save the object.
- Create a security rule that allows access to the Amazon
cloud application.
- Select PoliciesSecurityPre-Rules and, in the Device Group drop-down, select DG_DataCenter.
- Click Add and enter a Name for the security rule.
- Select the Source tab, Add the Source Zone for the data center, and Add the address object (Source Address) you just defined.
- Select the Destination tab and Add the Destination Zone.
- Select the Application tab, click Add, type amazon, and select the Amazon applications from the list.
- Select the Action tab and set the Action to Allow.
- Click OK to save the rule.
- Create an address object for the servers/hosts
in the data center that need access to the Amazon cloud application.
- To enable logging for all internet-bound traffic on your
network, create a rule that matches trust zone to untrust zone.
- Select the Policies tab and, in the Device Group drop-down, select Shared.
- Select the SecurityPre-Rules rulebase.
- Click Add and enter a Name for the security rule.
- In the Source and Destination tabs for the rule, Add trust_zone as the Source Zone and untrust_zone as the Destination Zone.
- In the Action tab, set the Action to Deny, set the Log Setting to Log at Session end, and click OK.