: Device Group Hierarchy
Focus
Focus

Device Group Hierarchy

Table of Contents

Device Group Hierarchy

You can Create a Device Group Hierarchy to nest device groups in a tree hierarchy of up to four levels, with lower-level groups inheriting the settings (policy rules and objects) of higher-level groups. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups (ancestors). At the top level, a device group can have child, grandchild, and great-grandchild device groups (descendants). All device groups inheriting settings from the Shared location—a container at the top of the hierarchy for configurations that are common to all device groups.
Creating a device group hierarchy enables you to organize firewalls based on common policy requirements without redundant configuration. For example, you could configure shared settings that are global to all firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at lower levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared.
Device Group Hierarchy
For details on the order in which firewalls evaluate policy rules in a device group hierarchy, see Device Group Policies. For details on overriding the values of objects that device groups inherit from ancestor device groups, see Device Group Objects.
In a multiple Panorama plugin deployment to perform, a device group containing firewalls deployed in a particular hypervisor cannot be the child or parent of a device group containing firewalls deployed in a different hypervisor. For example, if Panorama receives IP address updates from VMware NSX-V and AWS, you cannot create a device group of NSX-V VM-Series firewalls that is a child of an AWS VM-Series firewall device group.