Scribd
Upload
44 views4 pages

Create A Device Group Hierarchy

The document provides a comprehensive guide on creating a device group hierarchy within Panorama, outlining steps for planning, adding, and managing device groups. It includes instructions for configuring objects and policy rules, overriding inherited values, and committing changes. The guide emphasizes the importance of maintaining proper hierarchy and access domains for effective management of firewalls and virtual systems.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
44 views4 pages

Create A Device Group Hierarchy

The document provides a comprehensive guide on creating a device group hierarchy within Panorama, outlining steps for planning, adding, and managing device groups. It includes instructions for configuring objects and policy rules, overriding inherited values, and committing changes. The guide emphasizes the importance of maintaining proper hierarchy and access domains for effective management of firewalls and virtual systems.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

(/content/techdocs/en_US.

html)

Updated on Thu Mar 13 20:26:10 UTC 2025

Home (/) | Panorama (/content/techdocs/en_US/panorama.html)


| Panorama Administrator's Guide (/content/techdocs/en_US/panorama/10-1/panorama-admin.html)
| Manage Firewalls (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls.html)
| Manage Device Groups (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls/manage-device-groups.html)
| Create a Device Group Hierarchy (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls/manage-device-
groups/create-a-device-group-hierarchy.html)

DOWNLOAD PDF (/CONTENT/DAM/TECHDOCS/EN_US/PDF/PANORAMA/10-1/PANORAMA-ADMIN/PANORAMA-


ADMIN.PDF)

Panorama Administrator's Guide


(/content/techdocs/en_US/panorama/10-
1/panorama-admin.html)
Create a Device Group Hierarchy

Table of Contents

STEP 1 -
Plan the Device Group Hierarchy (/content/techdocs/en_US/panorama/10-1/panorama-admin/panorama-
overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-
hierarchy.html#id014f3417-fe14-4fdd-8fd7-c03ac8cb2e0b).

A Decide the device group levels, and which firewalls and virtual systems you will assign to each device group
and the Shared location. You can assign any one firewall or virtual system (vsys) to only one device group. If
a device group will be just an organizational container for lower level device groups, you don’t need to

assign firewalls to it.

B Remove firewall or vsys assignments from existing device groups if those assignments don’t fit your
planned hierarchy.

1. Select Panorama > Device Groups and select the device group.

2. In the Devices section, clear the check boxes of firewalls and virtual systems you want to remove, and
click OK.

C If necessary, add more firewalls that you will assign to device groups: see Add a Firewall as a Managed
Device (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-

a-managed-device.html#id361a70b2-5c7b-44db-83a5-377b069569ae).
This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯ Cookie Settings
(https://www.paloaltonetworks.com/legal-notices/privacy)
D If you are using multiple Panorama plugins to perform endpoint monitoring, a device group containing
firewalls deployed in a particular hypervisor cannot be the child or parent of a device group containing
firewalls deployed in a different hypervisor. See Device Group Hierarchy

(/content/techdocs/en_US/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-
configuration-and-update-management/device-groups/device-group-hierarchy.html#id014f3417-fe14-

4fdd-8fd7-c03ac8cb2e0b) for more information.

STEP 2 -
For each top-level device group, Add a Device Group (/content/techdocs/en_US/panorama/10-1/panorama-
admin/manage-firewalls/manage-device-groups/add-a-device-group.html#idc954be13-9886-4347-808e-
775b1c5266e4).

A In the Panorama > Device Groups page, click Add and enter a Name to identify the device group.

B In the Devices section, select check boxes to assign firewalls and virtual systems to the device group.

C Leave the Parent Device Group option at Shared (the default) and click OK.

STEP 3 -
For each lower-level device group, Add a Device Group (/content/techdocs/en_US/panorama/10-1/panorama-
admin/manage-firewalls/manage-device-groups/add-a-device-group.html#idc954be13-9886-4347-808e-
775b1c5266e4).

For new device groups at each lower level, repeat the previous step, but set the Parent Device Group to a
device group at the next level above.

For each existing device group, in the Device Groups page, select the device group to edit it, select a Parent
Device Group, and click OK.

If you move a device group to a different parent, all its descendant device groups move with
it, along with all firewalls, policy rules, and objects associated with the device group and its
descendants. If the new parent is in another access domain, the moved device group will no
longer have membership in the original access domain. If the new access domain has read-
write access for the parent device group, it will also have read-write access for the moved
device group. If the new access domain has read-only access for the parent, it will have no
access for the moved device group. To reconfigure access for device groups, see Configure
an Access Domain (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-
panorama/set-up-administrative-access-to-panorama/configure-an-access-
domain.html#id0aead9af-4502-43e4-b260-8cdb3026c6d4).

STEP 4 -
Configure, move, and clone objects and policy rules as needed to account for inheritance in the device group
hierarchy.

Create Objects for Use in Shared or Device Group Policy (/content/techdocs/en_US/panorama/10-


1/panorama-admin/manage-firewalls/manage-device-groups/create-objects-for-use-in-shared-or-device-
group-policy.html#id8a81daf5-4363-4971-b9ec-411c41b510ba), or edit existing objects.

You can edit objects only at their location: the device group to which they are assigned. Descendant device

This site usesgroups


cookiesinherit read-only
essential instances
to its operation, of the objects
for analytics, and forfrom that location.
personalized contentHowever, you can optionally see Step
and ads. By
continuing toOverride inherited
browse this site, youobject values.
acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
Create or edit policies (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy).
Move or Clone a Policy Rule or Object to a Different Device Group
(/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls/manage-device-
groups/move-or-clone-a-policy-rule-or-object-to-a-different-device-group.html#id5c17d125-d5af-4636-
8930-6c17f9617cb2).

STEP 5 -
Override inherited object values.

Applicable only if object values in a particular device group must differ from the values inherited from an
ancestor device group.

After overriding an object, you can override it again in descendant device groups. However, you can never
override shared or predefined (default) objects.

In the Objects tab, inherited objects have a green icon in the Name column, and the Location column displays
the ancestor device group.

A In the Objects tab, select the object type (for example, Objects > Addresses).

B Select the Device Group that will have the override instance.

C Select the object and click Override.

D Edit the values. You can’t edit the Name or Shared settings.

E Click OK. The Name column displays a yellow-overlapping-green icon for the object to indicate it is
overridden.

If necessary, you can later Revert to Inherited Object Values


(/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls/manage-

 device-groups/revert-to-inherited-object-values.html#idb6e923d1-c97d-4ac3-8a3a-
ec6a19e03082).

STEP 6 -
Save and commit your changes.

Commit to Panorama and push to device groups after any change to the hierarchy.

You must also push changes to templates if a template references objects in a device group (such as interfaces
referencing addresses), and a firewall assigned to the template is no longer assigned to that device group
because of a hierarchy change.

Select Commit > Commit and Push and then Commit and Push your changes to the Panorama configuration
and to the device groups you added or changed.

Was this information helpful?


This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing
Yes to browse
No this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
Next

Create (/content/techdocs/en_US/panorama/10-
Previous
(/content/techdocs/en_US/panorama/10- Objects for 1/panorama-admin/manage-
Add a 1/panorama-admin/manage-firewalls/manage- firewalls/manage-device-groups/create-
Use in
Device
device-groups/add-a-device-group.html) Shared or objects-for-use-in-shared-or-device-
Group
Device group-policy.html)
Group Policy

Technical Documentation Co

Release Notes (/content/techdocs/en_US/release-notes.html) Abo


Search (/content/techdocs/en_US/search.html) Care
Blog (https://www.paloaltonetworks.com/blog/category/technical- Cus
documentation/) LIVE
Compatibility Matrix (/content/techdocs/en_US/compatibility- Kno
matrix.html)
OSS Listings (/content/techdocs/en_US/oss-listings.html)
Sitemap (/content/techdocs/en_US/sitemap.html)

(https://www.facebook.com/PaloAltoNetworks) (https://w
(https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA)

(/content/techdocs/en_US.html) © 2025 Palo Alto Ne

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)

You might also like