How Do Device Groups Help Me Manage Policy Rules?
Device groups make configuring firewalls easy by enabling you to group firewalls that require similar policy rules based on location and function. You can make your configuration workflow even easier by nesting device groups in a hierarchy with the predefined Shared location in the top layer and then parent and child device groups in descending layers. In a device group hierarchy, all firewalls inherit rules and objects that are common across your organization from Shared and the firewalls in child device groups inherit rules and objects from parent device groups. Inheritance enables you to avoid configuring duplicate settings in each device group.
How Do I Configure a Panorama Device Group Hierarchy?
Say you have data center firewalls in Chicago and Cairo and branch office firewalls in London and Shanghai. To avoid redundant configuration, you can create six device groups, each containing only the settings that are specific to the firewalls used for each function (data centers or branch offices) or each location (Chicago, Cairo, London, or Shanghai). Configuring the Chicago and Cairo device groups as children of the Data Center device group ensures that the firewalls in those locations inherit the Data Center settings. Similarly, configuring the London and Shanghai device groups as children of the Branch Office device group ensures that the firewalls in those locations inherit the Branch Office settings. All the firewalls in every location inherit shared settings.
For detailed instructions, refer to Create a Device Group Hierarchy in the PAN-OS 7.1 Administrator’s Guide.
[Palo Alto Networks Research Center]