© Palo Alto Networks, Inc.
Panorama 7.0 Administrator’s Guide • 17
Centralized Configuration and Deployment Management
Whether you view rules on a firewall or in Panorama, the web interface displays them in evaluation order. All the shared, device group, and default rules that the firewall inherits from Panorama appear in green, while local firewall rules appear in blue between the pre-rules and post-rules.
Figure: Rule Hierarchy
Device Group Objects
Objects are configuration elements that policy rules reference, for example: IP addresses, URL categories, security profiles, users, services, and applications. Rules of any type (pre-rules, post-rules, default rules, and rules locally defined on a firewall) and any rulebase (Security, NAT, QoS, Policy Based Forwarding, Decryption, Application Override, Captive Portal, and DoS Protection) can reference objects. You can reuse an object in any number of rules that have the same scope as that object in the Device Group Hierarchy. For example, if you add an object to the Shared location, all rules in the hierarchy can reference that shared object because all device groups inherit objects from Shared. If you add an object to a particular device group, only the rules in that device group and its descendant device groups can reference that device group object. If object values in a device group must differ from those inherited from an ancestor device group, you can
The default rules apply only to the Security rulebase, and are predefined on Panorama (at the Shared level) and the firewall (in each vsys). These rules specify how PAN-OS handles traffic that doesn't match any other

The intrazone-default rule allows all traffic within a zone. The interzone-default rule denies all traffic between zones.

If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.

Default rules are initially read-only, either because they are part of the predefined configuration or because Panorama pushed them to firewalls. However, you can override the rule settings for tags, action, logging, and security profiles. The device context determines the level at which you can override the rules:
• Panorama—At the Shared or device group level, you can override default rules that are part of the predefined configuration.
• Firewall—You can override default rules that are part of the predefined configuration on the firewall or vsys, or that Panorama pushed from the Shared location or a device group.
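As an added illustration (not code from the Panorama guide), the following Python model captures the evaluation order from the Rule Hierarchy section, the object-scope rule from Device Group Objects, and the default-rule override precedence described here; the context names, zones and rules are constructed samples, not values from the guide.

```python
# Added example, not from the Panorama guide; names, zones and rules are constructed.
from collections import namedtuple
from dataclasses import dataclass, field

Rule = namedtuple("Rule", "name src_zone dst_zone action")  # zone "any" matches all

@dataclass
class Context:  # one level of the hierarchy: Shared, a device group, or a firewall/vsys
    name: str
    parent: "Context" = None
    pre_rules: list = field(default_factory=list)
    post_rules: list = field(default_factory=list)
    local_rules: list = field(default_factory=list)        # firewall only
    default_overrides: dict = field(default_factory=dict)  # default rule -> action

def chain(ctx):  # contexts from Shared down to ctx, ctx included
    return [] if ctx is None else chain(ctx.parent) + [ctx]

def can_reference(rule_ctx, object_ctx):  # object visible to its own context and descendants
    return object_ctx in chain(rule_ctx)

def effective_rulebase(fw):
    """Shared pre, device-group pre (top-down), local, device-group post (bottom-up), Shared post."""
    return ([r for c in chain(fw) for r in c.pre_rules] + list(fw.local_rules)
            + [r for c in reversed(chain(fw)) for r in c.post_rules])

def default_action(fw, rule_name):
    """Override precedence runs from the lowest context (firewall) up to Shared."""
    for c in reversed(chain(fw)):
        if rule_name in c.default_overrides:
            return c.default_overrides[rule_name]
    return {"intrazone-default": "allow", "interzone-default": "deny"}[rule_name]

def evaluate(fw, src_zone, dst_zone):
    """First matching rule wins; otherwise the applicable default rule decides."""
    for r in effective_rulebase(fw):
        if r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone):
            return r.name, r.action
    name = "intrazone-default" if src_zone == dst_zone else "interzone-default"
    return name, default_action(fw, name)

def build_sample():
    """Constructed hierarchy: Shared -> device group 'branch' -> firewall 'fw1'."""
    shared = Context("Shared", pre_rules=[Rule("block-quarantine", "quarantine", "any", "deny")])
    branch = Context("branch", shared, post_rules=[Rule("trust-deny", "trust", "any", "deny")],
                     default_overrides={"interzone-default": "allow"})
    fw1 = Context("fw1", branch, local_rules=[Rule("to-dmz", "trust", "dmz", "allow")],
                  default_overrides={"interzone-default": "deny"})
    return shared, branch, fw1
```

Running `evaluate(fw1, "untrust", "dmz")` on the sample returns the interzone-default rule with the firewall's "deny" override, even though the device group overrode the same rule to "allow".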
Rule Scope and Description