Device Group Policies

The Panorama Administrator's Guide outlines the management of device group policies for firewalls, emphasizing a layered approach to policy evaluation. It details the evaluation order of rules, including shared, device group, and local rules, and how they are applied based on hierarchy. Additionally, it explains the default rules for traffic handling and the ability to override these settings at various levels.



Updated on Mar 13, 2025


Panorama Administrator's Guide


(/content/techdocs/en_US/panorama/10-
1/panorama-admin.html)
Device Group Policies


Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. A firewall evaluates policy rules by layer (shared, device group, and local) and by type (pre-rules, post-rules, and default rules) in the following order from top to bottom. When the firewall receives traffic, it performs the action defined in the first evaluated rule that matches the traffic and disregards all subsequent rules. To change the evaluation order for rules within a particular layer, type, and rulebase (for example, shared Security pre-rules), see Manage the Rule Hierarchy (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls/manage-device-groups/manage-the-rule-hierarchy.html#idfb9e2593-a7f1-4e0d-aab5-a2903d654c99).

Whether you view rules on a firewall (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/enumeration-of-rules-within-a-rulebase) or in Panorama, the web interface displays them in evaluation order. All the shared, device group, and default rules that the firewall inherits from Panorama are shaded orange. Local firewall rules display between the pre-rules and post-rules.

The following table lists the rule types in evaluation order (top to bottom), with the scope of each type and where you administer it.

Evaluation order: Shared pre-rules, then Device group pre-rules

Rule scope and description: Panorama pushes shared pre-rules to all the firewalls in all device groups. Panorama pushes device group-specific pre-rules to all the firewalls in a particular device group and its descendant device groups.

If a firewall inherits rules from device groups at multiple levels in the device group hierarchy, it evaluates pre-rules in the order of highest to lowest level. This means the firewall first evaluates shared rules and last evaluates the rules of device groups with no descendants.

You can use pre-rules to enforce the acceptable use policy of an organization. For example, a pre-rule might block access to specific URL categories or allow Domain Name System (DNS) traffic for all users.

Device administration: These rules are visible on firewalls but you can only manage them in Panorama.

Evaluation order: Local firewall rules

Rule scope and description: Local rules are specific to a single firewall or virtual system (vsys).

Device administration: A local firewall administrator, or a Panorama administrator who switches to a local firewall context, can edit local firewall rules.

Evaluation order: Device group post-rules, then Shared post-rules

Rule scope and description: Panorama pushes shared post-rules to all the firewalls in all device groups. Panorama pushes device group-specific post-rules to all the firewalls in a particular device group and its descendant device groups.

If a firewall inherits rules from device groups at multiple levels in the device group hierarchy, it evaluates post-rules in the order of lowest to highest level. This means the firewall first evaluates the rules of device groups with no descendants and last evaluates shared rules.

Post-rules typically include rules to deny access to traffic based on the App-ID™ signatures, User-ID™ information (users or user groups), or service.

Device administration: These rules are visible on firewalls but you can only manage them in Panorama.

Evaluation order: intrazone-default, then interzone-default

Rule scope and description: The default rules apply only to the Security rulebase, and are predefined on Panorama (at the Shared level) and the firewall (in each vsys). These rules specify how PAN-OS handles traffic that doesn’t match any other rule.

The intrazone-default rule allows all traffic within a zone. The interzone-default rule denies all traffic between zones.

If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.

Device administration: Default rules are initially read-only, either because they are part of the predefined configuration or because Panorama pushed them to firewalls. However, you can override the rule settings for tags, action, logging, and security profiles. The context determines the level at which you can override the rules:

Panorama—At the Shared or device group level, you can override default rules that are part of the predefined configuration.

Firewall—You can override default rules that are part of the predefined configuration on the firewall or vsys, or that Panorama pushed from the Shared location or a device group.
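As an added illustration (not code from the guide or from Panorama), the following Python simulation flattens the rulebases of a constructed three-level hierarchy (hypothetical groups corp and branch under Shared) into the evaluation order described above, applies first-match semantics, and models the firewall > device group > Shared override precedence for default-rule settings; all group names, rule names and traffic fields are constructed.

```python
from collections import namedtuple

# Constructed device-group hierarchy (hypothetical names): Shared > corp > branch.
# The simulated firewall belongs to "branch", so it inherits rules from all three.
PARENT = {"corp": "shared", "branch": "corp"}

Rule = namedtuple("Rule", "name match action")  # match: predicate over a traffic dict

def ancestry(dg):
    """Device groups from the highest level (shared) down to dg itself."""
    chain = [dg]
    while chain[-1] != "shared":
        chain.append(PARENT[chain[-1]])
    return chain[::-1]

def evaluation_order(dg, pre, post, local, defaults):
    """Pre-rules highest->lowest level, local rules, post-rules lowest->highest, defaults."""
    levels = ancestry(dg)
    order = [r for lvl in levels for r in pre.get(lvl, [])]
    order += local
    order += [r for lvl in reversed(levels) for r in post.get(lvl, [])]
    return order + defaults

def evaluate(order, traffic):
    """First matching rule wins; all subsequent rules are disregarded."""
    for rule in order:
        if rule.match(traffic):
            return rule.name, rule.action
    raise ValueError("no rule matched; the default rules should be catch-all")

def effective_default(shared, group, firewall):
    """Override precedence for default-rule settings: firewall > device group > Shared.
    A layer that leaves a setting as None does not override the layer below it."""
    result = {}
    for layer in (shared, group, firewall):
        result.update({k: v for k, v in layer.items() if v is not None})
    return result

# Constructed rulebases; rules match on app, URL category or zones only.
PRE = {"shared": [Rule("shared-allow-dns", lambda t: t["app"] == "dns", "allow")],
       "corp": [Rule("corp-block-gambling", lambda t: t["category"] == "gambling", "deny")]}
LOCAL = [Rule("local-allow-web", lambda t: t["app"] == "web-browsing", "allow")]
POST = {"branch": [Rule("branch-deny-ssh", lambda t: t["app"] == "ssh", "deny")],
        "shared": [Rule("shared-deny-unknown", lambda t: t["app"] == "unknown", "deny")]}
DEFAULTS = [Rule("intrazone-default", lambda t: t["from"] == t["to"], "allow"),
            Rule("interzone-default", lambda t: t["from"] != t["to"], "deny")]

def decide(traffic):
    return evaluate(evaluation_order("branch", PRE, POST, LOCAL, DEFAULTS), traffic)
```

Note that the corp pre-rule blocks gambling before the local allow-web rule is ever reached, which is exactly why the guide places acceptable-use enforcement in pre-rules.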
