Push a Policy Rule to a Subset of Firewalls

A policy target allows you to specify the firewalls in a device group to which to push policy rules. It allows you to exclude one or more firewalls or virtual systems, or to apply a rule only to specific firewalls or virtual systems in a device group.
As your rulebase evolves and you push new or modified rules to firewalls, change and audit information is lost over time unless it is archived at the time the rule is created or modified. Use the audit comment archive to view the audit comment and configuration log history of a selected rule, as well as to compare two versions of a policy rule to see how the rule changed. The audit comment history for a rule pushed from Panorama is viewable only from the Panorama management server; you can, however, view the audit comments in the configuration logs forwarded to Panorama from managed firewalls. The audit comment archive is not viewable for rules created or modified locally on the firewall. To ensure that audit comments are captured at the time a rule is created or modified, Enforce Policy Rule, Description, Tag and Audit Comment.
The ability to target a rule enables you to keep policies centralized on Panorama. Targeted rules allow you to define the rules (as either shared or device group pre- or post-rules) on Panorama and improve visibility and efficiency when managing the rules (see Device Group Policies). The audit comment archive adds further visibility by allowing you to track how and why your policy rules change over time so you can audit the rule evolution over the course of the rule lifecycle.
  1. (Best Practice) Enforce audit comments for policy rules.
    Although this step is optional, it is a best practice to enforce audit comments for policy rules to ensure that you capture the reason for creating or modifying the rule. This also helps maintain an accurate rule history for auditing purposes.
    1. Select Panorama > Setup > Management and edit the Policy Rulebase Settings.
    2. Enable the option to Require audit comment on policies.
    3. Configure the Audit Comment Regular Expression to specify the audit comment format.
      When creating or modifying a rule, require audit comments to adhere to a specific format based on your business and auditing needs by specifying letter and number expressions. For example, you can use this setting to specify regular expressions to match your ticketing number formats:
      • [0-9]{<Number of digits>}—Requires the audit comment to contain a minimum number of digits ranging from 0 to 9. For example, [0-9]{6} requires a numerical expression of at least 6 digits (0 to 9). Configure the minimum number of digits as needed.
      • <Letter Expression>—Requires the audit comment to contain a letter expression. For example, Reason for Change- requires the administrator to begin the audit comment with this letter expression.
      • <Letter Expression>-[0-9]{<Number of digits>}—Requires the audit comment to contain a set character prefix followed by a minimum number of digits ranging from 0 to 9. For example, SB-[0-9]{6} requires the audit comment to begin with SB-, followed by a numerical expression of at least 6 digits (0 to 9), such as SB-012345.
      • (<Letter Expression>|<Letter Expression>|<Letter Expression>)-[0-9]{<Number of digits>}—Requires the audit comment to contain a prefix drawn from a configured set of letter expressions, followed by a minimum number of digits ranging from 0 to 9. For example, (SB|XY|PN)-[0-9]{6} requires the audit comment to begin with SB-, XY-, or PN-, followed by a numerical expression of at least 6 digits (0 to 9), such as SB-012345, XY-654321, or PN-012543.
    4. Click OK to apply the new policy rulebase settings.
    5. Select Commit and Commit to Panorama.
  2. Create a rule.
    In this example, we define a pre-rule in the Security rulebase that permits users on the internal network to access the servers in the DMZ.
    1. On the Policies tab, select the Device Group for which you want to define a rule.
    2. Select the rulebase. For this example, select Policies > Security > Pre-Rules and Add a rule.
    3. In the General tab, enter a descriptive rule Name and enter an Audit Comment.
    4. In the Source tab, set the Source Zone to Trust.
    5. In the Destination tab, set the Destination Zone to DMZ.
    6. In the Service/URL Category tab, set the Service to application-default.
    7. In the Actions tab, set the Action to Allow.
    8. Leave all the other options set to their default values.
  3. Target the rule to include or exclude a subset of firewalls.
    To apply the rule to a selected set of firewalls:
    1. Select the Target tab in the Policy Rule dialog.
    2. Select the firewalls to which you want to apply the rule.
      Ensure that you select either the target tags or target devices. If you select both target tags and target devices, the configuration push might fail.
      If you do not select firewalls to target, the rule is added to all of the (unchecked) firewalls in the device group.
      By default, the check boxes for the virtual systems in the device group are cleared; even so, all virtual systems inherit the rule on commit unless you select one or more virtual systems to which you want the rule to apply.
    3. (Optional) To exclude a subset of firewalls from inheriting the rule, select Install on all but specified devices and then select the firewalls you want to exclude.
      If you Install on all but specified devices and do not select any firewalls, the rule is not added to any of the firewalls in the device group.
    4. Click OK to add the rule.
  4. Commit and push the configuration changes.
    1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
    2. Select Device Groups, select the device group where you added the rule, and click OK.
    3. (Optional) Disable Merge with Device Candidate Config if you manage local firewall configuration changes independently of configuration changes from Panorama.
      This setting is enabled by default and merges any pending local firewall configurations with the configuration push from Panorama. The local firewall configuration is merged and committed regardless of whether the admin pushing the changes from Panorama is the same admin who made the local firewall configuration changes.
    4. Commit and Push your changes to the Panorama configuration and to device groups.
  5. Troubleshoot Policy Rule Traffic Match to verify that the rules allow and deny traffic as intended.
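The Audit Comment Regular Expression formats listed in step 1 can be checked before a commit is attempted, for example in a change pipeline that proposes audit comments. The following is an added example, not code from Panorama or from this page; the four patterns are the page's own examples, while the function names, the sample comments, and the assumption that Panorama anchors the expression at the start of the comment but not at its end (re.match semantics, inferred from the page's "begin with" and "minimum of 6 digits" wording) are mine.

```python
import re

# Audit comment formats taken from the page's Policy Rulebase Settings examples.
AUDIT_COMMENT_PATTERNS = {
    "digits_only": r"[0-9]{6}",
    "letter_prefix": r"Reason for Change-",
    "ticket_prefix": r"SB-[0-9]{6}",
    "multi_prefix": r"(SB|XY|PN)-[0-9]{6}",
}


def audit_comment_is_valid(comment: str, pattern: str) -> bool:
    """Return True when the comment satisfies the configured expression.

    Assumption (not confirmed by the page): the expression is anchored at
    the start of the comment but not at the end, so extra free text after
    the ticket reference is allowed. That is exactly re.match semantics;
    re.search would also accept a ticket reference buried mid-comment.
    """
    return re.match(pattern, comment) is not None


def check_change_comments(comments, pattern):
    """Validate a batch of proposed comments against one pattern.

    Returns {comment: bool} so a reviewer can see which entries Panorama
    would reject under this assumption before the commit is attempted.
    """
    return {c: audit_comment_is_valid(c, pattern) for c in comments}


# Constructed sample comments such as a change pipeline might propose.
SAMPLE_COMMENTS = [
    "SB-012345 allow trust to dmz",          # valid for ticket_prefix, multi_prefix
    "PN-012543 open 443 for app team",       # valid for multi_prefix only
    "SB-0123 typo in ticket number",         # only four digits: rejected
    "allow trust to dmz SB-012345",          # ticket reference not at start: rejected
    "Reason for Change- quarterly review",   # valid for letter_prefix
]

if __name__ == "__main__":
    for name, pattern in AUDIT_COMMENT_PATTERNS.items():
        print(name, check_change_comments(SAMPLE_COMMENTS, pattern))
```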