Scribd
Upload
53 views3 pages

Move or Clone A Policy Rule or Object To A Different Device Group

The document provides a guide for moving or cloning policy rules or objects between device groups in Panorama. It outlines the necessary steps to ensure that all referenced objects are also moved or cloned and discusses error handling during the process. Additionally, it emphasizes the importance of committing changes to the Panorama configuration after the operation.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
53 views3 pages

Move or Clone A Policy Rule or Object To A Different Device Group

The document provides a guide for moving or cloning policy rules or objects between device groups in Panorama. It outlines the necessary steps to ensure that all referenced objects are also moved or cloned and discusses error handling during the process. Additionally, it emphasizes the importance of committing changes to the Panorama configuration after the operation.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

(/content/techdocs/en_US.

html)

Updated on Mar 13, 2025

Home (/) | Panorama (/content/techdocs/en_US/panorama.html)


| Panorama Administrator's Guide (/content/techdocs/en_US/panorama/10-1/panorama-admin.html)
| Manage Firewalls (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls.html)
| Manage Device Groups (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-firewalls/manage-device-groups.html)
| Move or Clone a Policy Rule or Object to a Different Device Group (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-
firewalls/manage-device-groups/move-or-clone-a-policy-rule-or-object-to-a-different-device-group.html)

DOWNLOAD PDF (/CONTENT/DAM/TECHDOCS/EN_US/PDF/PANORAMA/10-1/PANORAMA-ADMIN/PANORAMA-


ADMIN.PDF)

Panorama Administrator's Guide


(/content/techdocs/en_US/panorama/10-
1/panorama-admin.html)
Move or Clone a Policy Rule or Object to a Different Device Group

Table of Contents

On Panorama, if a policy rule or object that you will move or clone from a device group has references to objects that are not
available in the target device group (Destination), you must move or clone the referenced objects and the referencing rule or
object in the same operation. In a Device Group Hierarchy (/content/techdocs/en_US/panorama/10-1/panorama-
admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-
hierarchy.html#id014f3417-fe14-4fdd-8fd7-c03ac8cb2e0b), remember that referenced objects might be available through
inheritance. For example, shared objects are available in all device groups. You can perform a global find
(https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/use-the-web-interface/use-global-
find-to-search-the-firewall-or-panorama-management-server) to check for references. If you move or clone an overridden
object, be sure that overrides are enabled for that object in the parent device group of the Destination (see Create Objects for
Use in Shared or Device Group Policy (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-
firewalls/manage-device-groups/create-objects-for-use-in-shared-or-device-group-policy.html#id8a81daf5-4363-4971-
b9ec-411c41b510ba)).

When cloning multiple policy rules, the order by which you select the rules will determine the order they are


copied to the device group. For example, if you have rules 1-4 and your selection order is 2-1-4-3, the device
group where these rules will be cloned will display the rules in the same order you selected. However, you
can reorganize the rules as you see fit once they have been successfully copied.

STEP 1 -
Log in to Panorama and select the rulebase (for example, Policy > Security > Pre Rules) or object type (for
example, Objects > Addresses).

STEP 2 -
Select the Device Group and select one or more rules or objects.
This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement
STEP 3 - ❯ Cookie Settings
(https://www.paloaltonetworks.com/legal-notices/privacy)
Perform one of the following steps:
( Rules only ) Move > Move to other device group

( Objects only ) Move

( Rules or objects ) Clone

STEP 4 -
In the Destination drop-down, select the new device group or Shared. The default is previously selected Device
Group.

STEP 5 -
( Rules only ) Select the Rule order:

Move top (default)—The rule will come before all other rules.

Move bottom—The rule will come after all other rules.

Before rule—In the adjacent drop-down, select the rule that comes after the Selected Rules.

After rule—In the adjacent drop-down, select the rule that comes before the Selected Rules.

STEP 6 -
The Error out on first detected error in validation check box is selected by default, which means Panorama will
display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination
device group doesn't have an object that is referenced in the rule you are moving. When you move or clone
many items at once, selecting this check box can simplify troubleshooting. If you clear the check box,
Panorama will find all the errors before displaying them. Regardless of this setting, Panorama won’t move or
clone anything until you fix all the errors for all the selected items.

STEP 7 -
Click OK to start the error validation. If Panorama finds errors, fix them and retry the move or clone operation. If
Panorama doesn't find errors, it performs the operation.

STEP 8 -
Select Commit > Commit and Push, Edit Selections in the Push Scope, select Device Groups, select the
original and destination device groups, click OK, and then Commit and Push your changes to the Panorama
configuration and to the device groups.

Ensure that you push all the changes when the original or the destination device groups do
not have any devices. Selective push is not supported for device groups that do not have
any devices.

Was this information helpful?

Yes No

Next
Previous
(/content/techdocs/en_US/panorama/10- Push a (/content/techdocs/en_US/panorama/10-
Manage
1/panorama-admin/manage- Policy Rule 1/panorama-admin/manage-
Precedence
firewalls/manage-device-groups/manage- to a Subset firewalls/manage-device-groups/push-a-
of Inherited
precedence-of-inherited-objects.html) of policy-rule-to-a-subset-of-firewalls.html)
Objects
Firewalls

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
Technical Documentation Co

Release Notes (/content/techdocs/en_US/release-notes.html) Abo


Search (/content/techdocs/en_US/search.html) Care
Blog (https://www.paloaltonetworks.com/blog/category/technical- Cus
documentation/) LIVE
Compatibility Matrix (/content/techdocs/en_US/compatibility- Kno
matrix.html)
OSS Listings (/content/techdocs/en_US/oss-listings.html)
Sitemap (/content/techdocs/en_US/sitemap.html)

(https://www.facebook.com/PaloAltoNetworks) (https://w
(https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA)

(/content/techdocs/en_US.html) © 2025 Palo Alto Ne

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)

You might also like