PAN-OS: Assigning Firewalls to Panorama Device Groups

Purpose of Assignment

Once you have established your Panorama management server and created your Device Group hierarchy (for managing Policies and Objects) and potentially Template Stacks (for managing Network and Device settings), the next crucial step is to assign your managed firewalls to the appropriate Device Group and Template Stack.

This assignment determines:

• Which set of Policies (Security, NAT, QoS, Decryption, etc.) and Objects will be pushed to the firewall (from the assigned Device Group and its ancestors).
• Which set of Network and Device configurations will be pushed to the firewall (from the Template Stack assigned to the Device Group).

Proper assignment ensures firewalls receive the correct, consistent configurations based on their role, location, or function within the organization.

A firewall can belong to only one Device Group and be assigned only one Template Stack at any given time.

When initially adding a firewall to be managed by Panorama:

1. Establish Connectivity: Ensure the firewall can reach Panorama on its management interface (or via a Service Route) and that Panorama can reach the firewall. Basic device certificates should be valid.
2. Add Firewall Serial Number to Panorama: Navigate to Panorama > Managed Devices > Summary and click Add . Enter the serial number of the firewall you want to manage.
3. Assign Device Group and Template Stack (Initial):
   • Once the firewall connects and appears in the Managed Devices list (it might initially show up under 'Unassigned Devices' or a default group), you need to assign it.
   • Select the checkbox next to the firewall's serial number.
   • Click the Assign Device Group and Template button (or similar wording depending on version).
   • In the dialog box, select the target Device Group from the dropdown list that this firewall should belong to.
   • Select the target Template Stack from the dropdown list that should apply to this firewall. (Often, the stack is implicitly linked to the chosen Device Group, but you might need to select it explicitly).
   • Click OK.
4. Commit to Panorama: Commit the changes on Panorama to save the assignment.
5. Commit and Push: Perform a Commit and Push operation from Panorama, selecting the target Device Group (or the specific device). This action:
   • Merges configurations from Shared, Device Group hierarchy, and the assigned Template Stack.
   • Pushes the resulting configuration down to the assigned firewall(s).
   • Overrides most local configurations on the firewall with the Panorama-defined settings.

It's common practice to assign newly managed firewalls to a dedicated "staging" or "onboarding" Device Group and Template Stack initially, push a basic configuration, verify connectivity, and then move them to their final production Device Group/Stack.

You may need to move a firewall from one Device Group to another if its role or location changes.

1. Select Firewall: Go to Panorama > Managed Devices > Summary . Select the checkbox next to the firewall you want to move.
2. Assign/Move: Click the Assign Device Group and Template button.
3. Choose New Group/Stack: Select the *new* target Device Group and the corresponding Template Stack from the dropdown lists.
4. Click OK.
5. Commit to Panorama: Commit the changes on Panorama to save the new assignment.
6. Commit and Push: Perform a Commit and Push , ensuring you select the *new* Device Group (or the specific device) as the target. This will push the potentially different policy set and template configuration from the new group/stack to the firewall.

Caveat: Moving a firewall between Device Groups can result in a significant configuration change being pushed, as the firewall will inherit a different set of policies, objects, and potentially template settings. This should be done during a planned maintenance window and thoroughly tested afterward.

While you can assign a stack when adding/moving a device, the primary association between a Device Group and its configuration baseline (Templates) is made by assigning a Template Stack directly to the Device Group.

1. Navigate to Device Group: Go to Panorama > Device Groups and click on the name of the Device Group you want to configure.
2. Assign Stack: Within the Device Group properties/settings window, find the option to assign a Template Stack (the exact location might vary slightly by PAN-OS/Panorama version, often on a General or Settings tab).
3. Select the desired Template Stack from the dropdown list. This stack will now apply to *all* firewalls currently in, or subsequently added to, this Device Group (unless overridden at the device level).
4. Click OK.
5. Commit to Panorama.
6. Commit and Push to the relevant Device Group to apply the stack's settings to the member firewalls.

This method ensures all firewalls within a given Device Group receive the same baseline Network and Device configuration defined by the assigned Template Stack.

Caveats and Gotchas

For the PCNSE exam, understand:

• That firewalls must be assigned to a Device Group to receive policies/objects from Panorama.
• That firewalls typically receive Network/Device settings via a Template Stack assigned to their Device Group .
• The process of assigning a device to a group/stack (via Managed Devices).
• The impact of assigning/moving a device (inheritance changes, configuration push overwrites).
• That a firewall belongs to only one Device Group and uses only one Template Stack at a time.
• The purpose of assigning stacks directly to Device Groups for baseline configuration.

References

• Panorama Admin Guide: Add a Firewall as a Managed Device
• Panorama Admin Guide: Manage Device Groups (Includes Assigning Devices/Stacks)
• Panorama Admin Guide: Templates and Template Stacks (Assigning Stacks)
• Palo Alto Networks Certified Network Security Engineer (PCNSE) Exam Blueprint (Domain 4)