Mukesh Chanderia

PANORAMA

Hook Firewall & Panorama


Step 1: Go to Firewall and add the IP address of Primary and secondary Panorama.


Step 2: Go to Panorama and, in the "Managed Devices" section, add the IP address and serial number (S/N) of the firewall.


Note: Panorama and the firewall will not connect if their clocks differ by more than 5 mins. Also, traffic on TCP port 3978 must be allowed between them.


Template


When you create a Template in Panorama, the "Device & Network" section will appear.


"Template Stack": A template stack is configurable and allows you to combine multiple templates to push full configurations to your managed firewalls.


Select Panorama > Templates and Add Stack.


Add each of the templates the stack will combine (up to 8). The values in the higher templates override those that are lower in the list. To change the order, select a template and Move Up or Move Down.


In the Devices section, select firewalls to assign them to the stack. For firewalls with multiple virtual systems, you can’t assign individual virtual systems (vSYS), only an entire firewall. You can assign a firewall to only one template stack.


Device Group


To configure policies for virtual systems (vSYS), you need to create a "Device Group".


"Device-Groups" can be created with a "Parent-child" relationship. Here, the child inherits the properties of the parent.


When you create a Device Group in Panorama, the "Policies & Objects" section will appear.


Device Groups on Panorama™ allow you to centrally manage firewall policies. You create policies on Panorama either as Pre Rules or Post Rules.


You can define Pre rules and Post rules in a shared context, as shared policies for all managed firewalls, or in a device group context, to make the rules specific to a device group.


Pre Rules


Rules that are added to the top and are evaluated first. You can use pre-rules to enforce the Acceptable Use Policy for an organization. For example, you can block access to specific URL categories or allow DNS traffic for all users.


Post Rules


Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and rules that are locally defined on the firewall. Post-rules typically include rules to deny access to traffic based on the App-ID™, User-ID™, or Service.


Default Rules—Rules that specify how the firewall handles traffic that does not match any Pre Rules, Post Rules, or local firewall rules.


When you add or edit a rule in Panorama, a Target tab displays. You can use this tab to apply the rule to specific firewalls or descendant device groups of the Device Group (or Shared location) where the rule is defined. In the Target tab, you can select Any (default), which means the rule applies to all the firewalls and descendant device groups. To target specific firewalls or device groups, deselect Any and select specific firewalls or device groups by name.
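
The evaluation order and Target behaviour described above, as an added Python example that is not from the original post. It goes beyond the text by stacking Shared rules outside device-group rules (Shared pre, parent pre, child pre, local, child post, parent post, Shared post); all rule names, device groups and serials are constructed, Target is modelled per firewall only, and a single catch-all stands in for the default rules.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "location rulebase name targets app action")
SHARED = "shared"
PARENT = {"branch-east": "branches", "branches": SHARED}  # child -> parent (constructed)

# Constructed Panorama rules; targets=None models Target "Any".
PANORAMA_RULES = [
    Rule(SHARED, "pre", "block-telnet", None, "telnet", "deny"),
    Rule("branches", "pre", "allow-dns", None, "dns", "allow"),
    Rule("branch-east", "pre", "allow-ssh-fw-a", {"SN-A"}, "ssh", "allow"),
    Rule("branch-east", "post", "deny-ssh", None, "ssh", "deny"),
    Rule(SHARED, "post", "deny-ftp", None, "ftp", "deny"),
]
# Simplification: one catch-all stands in for the firewall's default rules.
DEFAULT = Rule("firewall", "default", "default-deny", None, "any", "deny")
# Constructed rule defined locally on one firewall, not pushed from Panorama.
LOCAL_B = [Rule("firewall", "local", "local-allow-ftp", None, "ftp", "allow")]


def ancestry(device_group):
    """Locations from Shared down to the device group: shared, parent, child."""
    chain = [device_group]
    while chain[-1] != SHARED:
        chain.append(PARENT[chain[-1]])
    return chain[::-1]


def effective_rulebase(serial, device_group, local_rules):
    """Ordered rules one firewall evaluates: pre, local, post, default."""
    chain = ancestry(device_group)

    def pushed(location, rulebase):
        # Keep a rule only if its Target is Any or names this firewall.
        return [r for r in PANORAMA_RULES
                if r.location == location and r.rulebase == rulebase
                and (r.targets is None or serial in r.targets)]

    pre = [r for loc in chain for r in pushed(loc, "pre")]
    post = [r for loc in reversed(chain) for r in pushed(loc, "post")]
    return pre + list(local_rules) + post + [DEFAULT]


def first_match(serial, device_group, local_rules, app):
    """Name and action of the first rule that matches the application."""
    for rule in effective_rulebase(serial, device_group, local_rules):
        if rule.app in (app, "any"):
            return rule.name, rule.action
```

Calling `first_match("SN-B", "branch-east", LOCAL_B, "ftp")` shows why post-rules need review alongside local rulebases: the local allow is evaluated before the Shared post-rule that denies FTP.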


