How to Limit the Number of Shared Objects Panorama Pushes to the Managed Device
A number of shared objects have been created on a Panorama that manages Palo Alto Networks firewalls in 2 separate Device Groups (DG). All the shared objects in use on DG-A are pushed by Panorama to DG-B, even though they are not in use on DG-B.
When creating an object in a particular Device Group, do not check the "Shared" checkbox. This will keep the objects only in that Device Group and not send them to devices outside the group.
Alternatively, PAN-OS 5.0 introduced a Panorama option that controls whether unused addresses and objects are shared. Follow the steps below to prevent unreferenced addresses, address groups, service objects, and service group objects from being shared with all managed devices:
On the Web UI
- Go to the following tab on the UI: Panorama > Setup > Management
- Uncheck 'Share Unused Address and Service Objects with Devices' under Panorama Settings.
This option is checked by default, so all Panorama shared objects are pushed to the managed devices. Unchecking it ensures that only the objects a device group actually references are shared with its devices, which in turn reduces the total object count on each managed device.
Note: Unchecking this option forces Panorama to check all of its policies for references to the objects and may increase commit times depending upon the configuration. See Panorama Commits Take a Long Time
On the CLI
# set deviceconfig setting management share-unused-objects-with-devices no
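As an added illustration of the reference check described above (this is not code from the article or from Palo Alto Networks), the script below reads a Panorama configuration export and reports, per device group, which shared address objects its security rules actually reference and which would be pushed unnecessarily. It assumes the element layout of the PAN-OS config tree (shared/address, shared/address-group, and each device group's pre-rulebase and post-rulebase), covers only security rules and static address groups, and uses constructed sample XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama config export, trimmed to the parts the audit reads:
# shared address objects/groups and each device group's pre-/post-rulebase security rules.
SAMPLE_CONFIG = """<config>
  <shared>
    <address>
      <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="db-srv"><ip-netmask>10.2.2.20/32</ip-netmask></entry>
      <entry name="jump-host"><ip-netmask>10.3.3.30/32</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="db-tier"><static><member>db-srv</member></static></entry>
    </address-group>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-A"><pre-rulebase><security><rules>
      <entry name="allow-web"><source><member>any</member></source>
        <destination><member>web-srv</member></destination></entry>
    </rules></security></pre-rulebase></entry>
    <entry name="DG-B"><post-rulebase><security><rules>
      <entry name="allow-db"><source><member>jump-host</member></source>
        <destination><member>db-tier</member></destination></entry>
    </rules></security></post-rulebase></entry>
  </device-group></entry></devices>
</config>"""

def shared_object_usage(config_xml):
    """Map each device group to the shared address objects it uses and does not use."""
    root = ET.fromstring(config_xml)
    shared = {e.get("name") for e in root.findall("./shared/address/entry")}
    # Static shared address-groups: a rule that uses the group uses its members too.
    groups = {g.get("name"): {m.text for m in g.findall("./static/member")}
              for g in root.findall("./shared/address-group/entry")}
    report = {}
    for dg in root.findall("./devices/entry/device-group/entry"):
        referenced = set()
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for field in ("source", "destination"):
                path = f"./{rulebase}/security/rules/entry/{field}/member"
                for member in dg.findall(path):
                    referenced.add(member.text)
                    referenced |= groups.get(member.text, set())
        used = shared & referenced
        report[dg.get("name")] = {"used": used, "unused": shared - used}
    return report

if __name__ == "__main__":
    for name, usage in shared_object_usage(SAMPLE_CONFIG).items():
        print(f"{name}: used={sorted(usage['used'])} unused={sorted(usage['unused'])}")
```

With the sample config, DG-A references only web-srv, while DG-B reaches db-srv through the db-tier group and jump-host directly; the remaining shared objects are the ones the setting above keeps from being pushed.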