Address object limit exceeded on Panorama Managed Low End platforms even if "Share Unused Address and Service Objects with Device" is unchecked

25590
Created On 04/13/19 03:38 AM - Last Modified 07/02/20 16:45 PM


Symptom


When you push configuration changes to Device Groups, by default Panorama pushes all shared objects to the firewalls whether or not any shared or device group policy rules reference those objects. However, you can configure Panorama to push only the shared objects that rules in the device groups reference. The "Share Unused Address and Service Objects with Devices" option lets you limit the objects that Panorama pushes to the managed firewalls.

If "Share Unused Address and Service Objects with Device" is disabled/unchecked, Panorama evaluates which objects are unused while pushing the configuration to the device. However, this evaluation ignores the "Target" device setting of security rules: a rule that is targeted at a different firewall still counts as a use of the objects it references.
 


Environment


This article applies to all Panorama PAN-OS versions that support the "Share Unused Address and Service Objects with Device" option.

Cause


We will discuss the above-mentioned behavior in detail. For example, consider the following Panorama policy structure.

Assume a simple Device Group hierarchy and Panorama configuration as below:

Shared
    DeviceGroup1
        Firewall-1
    DeviceGroup2
        Firewall-2

Shared:
    Address Objects
        Address1
        Address2
    Policies
        SharedPolicy1
            Source : Address1
            Target Device : Firewall-2

DeviceGroup1:
    Address Objects
        Address3
    Policies
        DG1-Policy1
            Source : Address3
            Target Device : All

DeviceGroup2:
    Address Objects
        Address4
    Policies
        DG2-Policy1
            Source : Address2
            Target Device : All
        DG2-Policy2
            Source : Address4
            Target Device : All


So the configuration pushed to Firewall-1 will be:

Policies:
    DG1-Policy1
        Source : Address3
Address Objects:
    Address1
    Address3

The configuration pushed to Firewall-2 will be:

Policies:
    SharedPolicy1
        Source : Address1
    DG2-Policy1
        Source : Address2
    DG2-Policy2
        Source : Address4
Address Objects:
    Address1
    Address2
    Address4


Notice the address object "Address1". It is defined under the Shared hierarchy and used only in a Shared policy that is targeted at a firewall in DeviceGroup2. It is still pushed to Firewall-1, because the Target device setting is ignored during the unused-object evaluation. On a low-end platform, objects that accumulate this way count against the address object limit even though no installed rule on that firewall references them.

 


Resolution


As a resolution, design the device group hierarchy so that policies which are not targeted at certain devices are not placed under a parent device group or the Shared hierarchy. Firewalls with similar policy requirements can be grouped into separate Device Group hierarchies.

In the above example, SharedPolicy1 should have been placed directly under DeviceGroup2.
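The following Python model reproduces the Cause and Resolution sections above. It is an added example, not code from the article or from Palo Alto Networks, and the names (Rule, DeviceGroup, pushed_config, build_example) are this example's own rather than Panorama API names. It assumes the unused-object evaluation considers every rule in the firewall's own device group chain (Shared down to its device group), which is the behavior the article's pushed configurations imply, and it contrasts that with a hypothetical target-aware evaluation so the extra object on Firewall-1 is visible.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    source: str            # address object referenced in the rule's Source field
    target: str = "All"    # the rule's Target tab: "All" or a specific firewall name


@dataclass
class DeviceGroup:
    name: str
    objects: Set[str] = field(default_factory=set)
    rules: List[Rule] = field(default_factory=list)
    parent: Optional["DeviceGroup"] = None


def ancestry(dg: DeviceGroup) -> List[DeviceGroup]:
    """Device groups from Shared down to dg (the firewall's hierarchy chain)."""
    chain = []
    while dg is not None:
        chain.append(dg)
        dg = dg.parent
    return chain[::-1]


def pushed_config(firewall: str, dg: DeviceGroup, share_unused: bool = False,
                  honor_target: bool = False) -> Tuple[List[str], List[str]]:
    """Return (rule names, address objects) pushed to `firewall`, a member of `dg`.

    share_unused=False models the option unchecked: only objects referenced by
    some rule in the firewall's chain are pushed. honor_target=False is the
    behaviour the article describes (Target is ignored when deciding whether an
    object is used); honor_target=True is a hypothetical target-aware evaluation.
    """
    chain = ancestry(dg)
    all_rules = [r for g in chain for r in g.rules]
    # Rules actually installed on the firewall do respect Target.
    rules = [r for r in all_rules if r.target in ("All", firewall)]
    all_objects = set().union(*(g.objects for g in chain))
    if share_unused:
        objects = all_objects
    else:
        considered = rules if honor_target else all_rules
        objects = all_objects & {r.source for r in considered}
    return [r.name for r in rules], sorted(objects)


def build_example(resolution: bool = False) -> Dict[str, DeviceGroup]:
    """The article's hierarchy; resolution=True moves SharedPolicy1 into DeviceGroup2."""
    shared = DeviceGroup("Shared", objects={"Address1", "Address2"})
    dg1 = DeviceGroup("DeviceGroup1", objects={"Address3"}, parent=shared)
    dg2 = DeviceGroup("DeviceGroup2", objects={"Address4"}, parent=shared)
    shared_policy = Rule("SharedPolicy1", source="Address1", target="Firewall-2")
    (dg2 if resolution else shared).rules.append(shared_policy)
    dg1.rules.append(Rule("DG1-Policy1", source="Address3"))
    dg2.rules.append(Rule("DG2-Policy1", source="Address2"))
    dg2.rules.append(Rule("DG2-Policy2", source="Address4"))
    return {"Firewall-1": dg1, "Firewall-2": dg2}


def objects_per_firewall(resolution: bool = False, **kwargs) -> Dict[str, List[str]]:
    """Address objects each firewall receives under the given evaluation options."""
    return {fw: pushed_config(fw, dg, **kwargs)[1]
            for fw, dg in build_example(resolution).items()}


def over_capacity(pushed: Dict[str, List[str]], limits: Dict[str, int]) -> List[str]:
    """Firewalls whose pushed object count exceeds their (placeholder) platform limit."""
    return [fw for fw, objs in pushed.items()
            if len(objs) > limits.get(fw, float("inf"))]


if __name__ == "__main__":
    print("as described :", objects_per_firewall())
    print("target-aware :", objects_per_firewall(honor_target=True))
    print("resolution   :", objects_per_firewall(resolution=True))
    # Capacity figures here are constructed placeholders, not real platform limits.
    print("over limit   :", over_capacity(objects_per_firewall(), {"Firewall-1": 1}))
```

Running it shows Firewall-1 receiving Address1 and Address3 as described, only Address3 under a target-aware evaluation, and only Address3 once SharedPolicy1 is moved into DeviceGroup2; the over_capacity helper is the kind of pre-push check worth running against the real object limits of the lowest-capacity platform in the hierarchy.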

 


Additional Information


NOTE: Plan the Panorama configuration with the lowest-capacity managed platforms in mind. The behavior described in this article should be taken into account during Panorama configuration planning to avoid problems later, when the configuration size scales.

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLZU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail