©
Palo
Alto
Networks,
Inc.
Panorama
6.1
Administrator’s
Guide
•
91
Manage
Firewalls
Manage
Device
Groups
When
you
display
rules
in
preview
mode
on
Panorama
in
the
following
procedure),
all
the
shared,
device
group,
and
default
rules
that
the
firewall
inherits
from
Panorama
appear
in
green,
while
the
local
firewall
rules
appear
in
blue
between
the
pre
‐
rules
and
post
‐
rules.
Figure:
Rule
Hierarchy
Use
the
following
procedure
to
verify
the
ordering
of
rules
and
make
changes
as
appropriate:
Manage
the
Rule
Hierarchy
Step
1
View
the
rule
hierarchy
for
each
rulebase.
1.
Select
the
Policies
tab,
and
click
Preview Rules
.
2.
Use
the
following
filters
for
previewing
rules
in
the
Combined
Rules
Preview
window
(see
):
•
Rulebase
—Select
a
rulebase
and
view
the
rules
defined
for
that
rulebase:
Security,
NAT,
QoS,
Policy
Based
Forwarding,
Decryption,
Captive
Portal,
Application
Override,
or
DoS
Protection.
•
Device Group
—For
the
selected
rulebase,
you
can
view
all
Shared
policies
or
select
a
specific
Device Group
for
which
you
want
to
view
the
combined
list
of
policies
inherited
from
Panorama
and
those
defined
locally.
•
Device
—For
the
selected
Rulebase
and
Device Group
,
you
can
view
the
list
of
policies
that
will
be
evaluated
on
a
specific
firewall
in
the
device
group.
3.
Close
the
Combined
Rules
Preview
window
to
exit
preview
mode.
Step
2
(Optional)
Delete
or
disable
rules.
You
must
access
the
context
of
individual
firewalls
to
determine
which
rules
they
do
not
use.
To
do
this
from
Panorama,
select
a
firewall
in
the
Context
drop
‐
down,
select
the
Policies
tab,
and
click
Highlight Unused
Rules
.
A
dotted
orange
background
indicates
the
rules
that
the
firewall
does
not
currently
use.
Select
the
Policies
tab
to
perform
either
of
the
following
actions:
•
To
delete
an
unused
rule,
select
the
rule
and
click
Delete
.
•
To
disable
a
rule,
select
the
rule
and
click
Disable
.
The
disabled
rule
appears
in
an
italicized
font.