
PCNSE Exam - Question 549


Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

Correct Answer: C,D

The correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group is as follows: shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, and finally DATACENTER_DG default rules. The shared default rules are typically applied last, but since the question involves the DATACENTER_DG device group having overrides, the specific ordering for that context should be considered.

Discussion

14 comments
news088 Option: D
Sep 7, 2023

Would choose D. Based on the doc from dgonz, the order is: Shared pre rules, DG pre rules, local rules, DG post rules, Shared post rules, default rules. Then be aware of the order in a DG when 2 configs match: in a DG the config maintained is the child. On a template it is the opposite, the config maintained is the father. From the same doc: If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.

dgonz Option: A
Sep 5, 2023

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies

homersimpson
Dec 11, 2023

Why do you keep voting different answers?

lmla89 Option: D
Sep 18, 2023

As per News088

dgonz Option: D
Sep 22, 2023

yup.. sorry it is D

tune_in Option: A
Nov 6, 2023

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies DG post-rules before Shared post rules

wallaka Option: A
Nov 24, 2023

A. This one isn't as tricky as it looks--device groups don't have default rules.

Eiffelsturm
Dec 6, 2023

Sure they have. Take a look into your Panorama.

hifumi_daisuki Option: A
Dec 11, 2023

Shared Pre-Rules, Device Group Pre-Rules, Local Firewall Rules, Device Group Post Rule, Shared Post-Rules, Default Rules. The default rules apply only to the Security rulebase, and are predefined on Panorama (at the Shared level) and the firewall (in each vsys). https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies

TeachTrooper Option: D
Jan 26, 2024

I would choose D based on https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies: If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level. As we have overridden the default ruleset in the device group it will be applied instead of the shared one.

Jared28
Mar 3, 2024

TeachTrooper is correct. However, the answer should also include shared default rule at the very bottom as the interzone rule does not have an override. Due to so many people stating A, I labbed it, re-confirming it, to make sure I wasn't thinking of this incorrectly.

Marshpillowz Option: A
Feb 4, 2024

I think A

Pacheco Option: A
Feb 7, 2024

Default rules belong to the Shared level and not any particular device group, which leaves us with only option A and C. The following doc states this and also explicitly gives us the order :) Shared pre, Group pre, Locals, Group post, Shared post, Shared defaults. https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies

Mtro Option: D
May 9, 2024

Shared Pre-Policies, Device group hierarchy Pre-Policies, Local Firewall Policies, Device group hierarchy Post-Policies, Shared Post-Policies, Default Rules. There is no shared default even though it exists and it can be used as well. This is a document from Palo training ... we have to use the same wording as they provide it (it is an exam, so go with whatever they want the answer to be, even if it's not 100% correct).

scanossa
Dec 30, 2023

I got this question in the exam

moobe Option: A
Jan 30, 2024

Based on that A
1. Shared pre-rules
2. Device group pre-rules
3. Local firewall rules
4. Device group post-rules
5. Shared post-rules
6. intrazone-default interzone-default
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies

apiloran Option: D
Jul 16, 2024

Screenshots indicate that the default rules have been overridden. The accurate answer is D. If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.
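
The evaluation order and the default-rule override precedence quoted from the Palo Alto documentation in the comments above, modelled as an added Python example (not part of the original page and not Palo Alto tooling). It generalises to nested device groups; the rule names, the override set and the "predefined" label are constructed assumptions, since the question's screenshots are not reproduced here.

```python
# Added illustration: rule names and override data below are constructed.
DEFAULT_RULES = ("intrazone-default", "interzone-default")


def effective_rulebase(dg_path, rules, local_rules, overrides):
    """Return (context, rulebase, rule) tuples in evaluation order.

    dg_path   -- device groups from the top ancestor down to the firewall's group
    rules     -- {context: {"pre": [...], "post": [...]}}, context "shared" or a group
    overrides -- {context: set of default-rule names overridden in that context}
    """
    order = []
    # Pre-rules: Shared first, then each device group from ancestor to child.
    for ctx in ["shared", *dg_path]:
        order += [(ctx, "pre", r) for r in rules.get(ctx, {}).get("pre", [])]
    # Rules configured locally on the firewall sit in the middle.
    order += [("firewall", "local", r) for r in local_rules]
    # Post-rules: the firewall's own group first, Shared last.
    for ctx in [*reversed(dg_path), "shared"]:
        order += [(ctx, "post", r) for r in rules.get(ctx, {}).get("post", [])]
    # Default rules: resolved one rule at a time; the lowest context that
    # overrides a rule supplies its settings (firewall > device group > Shared).
    for name in DEFAULT_RULES:
        for ctx in ["firewall", *reversed(dg_path), "shared"]:
            if name in overrides.get(ctx, set()):
                order.append((ctx, "default", name))
                break
        else:
            # No override anywhere: "predefined" is this example's own label.
            order.append(("predefined", "default", name))
    return order


def demo():
    # Constructed sample: one group under Shared, one default rule overridden.
    rules = {
        "shared": {"pre": ["block-known-bad"], "post": ["log-all-denied"]},
        "DATACENTER_DG": {"pre": ["dc-admin-access"], "post": ["dc-cleanup"]},
    }
    return effective_rulebase(
        dg_path=["DATACENTER_DG"],
        rules=rules,
        local_rules=["local-mgmt"],
        overrides={"DATACENTER_DG": {"intrazone-default"}},
    )


if __name__ == "__main__":
    for ctx, base, rule in demo():
        print(f"{ctx:14} {base:8} {rule}")
```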