US-20260129025-A1 - ALTERNATE MEANS TO SHARING CONFIGURATION ACROSS MULTIPLE FIREWALLS OR GROUPS OF FIREWALLS
Abstract
The present application discloses a method, system, and computer system for providing policy configurations. The method includes (i) receiving a set of shared policy configurations, (ii) sharing the set of shared policy configurations across a plurality of entities, and (iii) deploying the set of shared policy configurations across the plurality of entities.
Inventors
- Saurabh Pradhan
- Miaomiao SHEN
- Michael Soren Jacobsen
- Srinath Gutti
- Sandeep Panuganti
Assignees
- PALO ALTO NETWORKS, INC.
Dates
- Publication Date
- 20260507
- Application Date
- 20251028
Claims (20)
- 1 . A system for managing policy configurations, comprising: one or more processors configured to: select a policy snippet, wherein the policy snippet comprises a set of shared policy configurations; associate the policy snippet with a selected entity hierarchy, wherein the entity hierarchy defines a hierarchy structure of network devices; share the set of shared policy configurations across a plurality of entities, including pushing the policy snippet to a plurality of entities comprised in the entity hierarchy; and deploy the set of shared policy configurations across the entity hierarchy, including causing the plurality of entities to enforce the set of shared policy configurations comprised in the policy snippet, and resolving conflicts among policy configurations in the set of shared policy configurations based at least in part on one or more predefined priorities; and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions.
- 2 . The system of claim 1 , wherein the one or more processors are further configured to: determine a compatibility of a particular policy configuration and a particular entity selected to enforce the particular policy configuration; in response to determining that the particular policy configuration and the particular entity are not compatible, translate the particular policy configuration to a policy configuration version that is compatible with the particular entity.
- 3 . The system of claim 1 , wherein sharing the set of shared policy configurations across a plurality of entities comprises providing to the particular entity a version of the policy snippet comprising the policy configuration that is compatible with the particular entity.
- 4 . The system of claim 1 , wherein deploying the set of shared policy configurations comprises causing all entities within the entity hierarchy to enforce the set of shared policy configurations.
- 5 . The system of claim 4 , wherein causing all entities within the entity hierarchy to enforce the set of shared policy configurations comprises causing each entity within the entity hierarchy to enforce compatible versions of the policy configurations comprised in the set of shared policy configurations.
- 6 . The system of claim 1 , wherein the policy snippet comprises an entirety of a configuration schema.
- 7 . The system of claim 1 , wherein the set of shared policy configurations comprises a set of security policy configurations.
- 8 . The system of claim 1 , wherein sharing the set of policy configurations across the plurality of entities comprises: sharing the set of policy configurations across a plurality of tenants.
- 9 . The system of claim 8 , wherein the plurality of tenants is associated with different organizations.
- 10 . The system of claim 1 , wherein sharing the set of policy configurations across the plurality of entities comprises: sharing the set of policy configurations across a plurality of cloud management customers.
- 11 . The system of claim 1 , wherein the plurality of entities comprises one or more of a tenant, a customer, a managed device, and an endpoint.
- 12 . The system of claim 1 , wherein: the one or more processors are further configured to: generate a policy configuration; and share the policy configuration with a set of cloud management customers.
- 13 . The system of claim 1 , wherein the one or more processors are further configured to: associate a first policy configuration with a folder comprising one or more other policy configurations.
- 14 . The system of claim 13 , wherein the first policy configuration is associated with the folder based on a user input to a user interface.
- 15 . The system of claim 1 , wherein the one or more processors are further configured to: resolve a conflict between a plurality of shared policy configurations within the set of shared policy configurations based at least in part on an entity hierarchy.
- 16 . The system of claim 15 , wherein the conflict is resolved based on a determination of an ordering associated with the plurality of shared policy configurations.
- 17 . The system of claim 1 , wherein the one or more processors are further configured to: determine that a policy configuration within the set of shared policy configurations is updated; and in response to determining that the policy configuration is updated, automatically deploy an updated policy configuration.
- 18 . The system of claim 1 , wherein one or more policy configurations of the set of shared policy configurations comprises a version identifier.
- 19 . The system of claim 1 , wherein: the plurality of entities are comprised in a predefined group of entities; the set of shared policy configurations are associated with the predefined group of entities; and in response to determining that a particular entity is newly added to the predefined group, the set of shared policy configurations are pushed to the particular entity.
- 20 . A method for managing policy configurations, comprising: selecting a policy snippet, wherein the policy snippet comprises a set of shared policy configurations; associating the policy snippet with a selected entity hierarchy, wherein the entity hierarchy defines a hierarchy structure of network devices; sharing the set of shared policy configurations across a plurality of entities, including pushing the policy snippet to a plurality of entities comprised in the entity hierarchy; and deploying the set of shared policy configurations across the entity hierarchy, including causing the plurality of entities to enforce the set of shared policy configurations comprised in the policy snippet, and resolving conflicts among policy configurations in the set of shared policy configurations based at least in part on one or more predefined priorities.
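The mechanism claims 1, 2 and 15 through 19 describe (a snippet bound to an entity hierarchy and pushed to every entity beneath it, same-named rules settled by predefined priority and hierarchy position, rules translated for entities that cannot enforce them as written, and a push triggered when a snippet's version changes or an entity joins the group) can be modelled directly. The Python below is an added example written for this page, not code from the patent or from Palo Alto Networks; the snippet and entity names, the rule bodies, the schema-version translation and the tie-break order (higher priority wins, then the snippet attached nearest the leaf) are all assumptions made for the illustration.

```python
"""Model of hierarchy-scoped policy snippets.  Added example, not the patent's
implementation; names, rules, the schema translation and the tie-break order
are constructed assumptions chosen to exercise the claimed behaviours."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Snippet:
    name: str
    version: int
    priority: int            # predefined priority; higher wins a conflict (assumed)
    rules: Dict[str, dict]   # rule name -> rule body


@dataclass
class Entity:
    name: str
    schema_version: int      # highest policy schema this entity can enforce
    parent: Optional["Entity"] = None
    snippets: List[Snippet] = field(default_factory=list)

    def lineage(self) -> List["Entity"]:
        """Entities from the hierarchy root down to this one, root first."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def translate(rule: dict, schema_version: int) -> dict:
    """Hypothetical compatibility translation: schema-1 devices match on ports
    only, so an application match becomes the port fallback the rule declares."""
    if rule.get("min_schema", 1) <= schema_version:
        return dict(rule)
    legacy = {k: v for k, v in rule.items()
              if k not in ("application", "min_schema", "port_fallback")}
    legacy["port"] = rule.get("port_fallback", "any")
    legacy["translated_from_schema"] = rule["min_schema"]
    return legacy


def effective_policy(entity: Entity) -> Dict[str, dict]:
    """Merge every snippet on the lineage; a same-named rule goes to the highest
    priority, and a tie goes to the snippet attached closest to the leaf."""
    winners = {}  # rule name -> ((priority, depth), rule body)
    for depth, node in enumerate(entity.lineage()):
        for snip in node.snippets:
            for rule_name, body in snip.rules.items():
                rank = (snip.priority, depth)
                if rule_name not in winners or rank > winners[rule_name][0]:
                    winners[rule_name] = (rank, body)
    return {name: translate(body, entity.schema_version)
            for name, (_, body) in winners.items()}


class Deployer:
    """Remembers the snippet versions each entity last received, so an updated
    snippet or a newly added entity triggers a push on the next sync."""

    def __init__(self) -> None:
        self.pushed: Dict[str, Dict[str, int]] = {}    # entity -> snippet -> version
        self.enforced: Dict[str, Dict[str, dict]] = {}  # entity -> effective rules

    @staticmethod
    def versions(entity: Entity) -> Dict[str, int]:
        return {s.name: s.version for n in entity.lineage() for s in n.snippets}

    def is_stale(self, entity: Entity) -> bool:
        return self.pushed.get(entity.name) != self.versions(entity)

    def sync(self, entities: List[Entity]) -> List[str]:
        """Push to every stale entity and return the names that were pushed."""
        pushed = []
        for entity in entities:
            if self.is_stale(entity):
                self.enforced[entity.name] = effective_policy(entity)
                self.pushed[entity.name] = self.versions(entity)
                pushed.append(entity.name)
        return pushed


def build_example():
    """Constructed hierarchy: global folder -> branch folder -> two firewalls."""
    baseline = Snippet("baseline", 1, 10, {
        "block-tor": {"action": "deny", "application": "tor",
                      "min_schema": 2, "port_fallback": "9001"},
        "allow-dns": {"action": "allow", "port": "53"},
    })
    branch_rules = Snippet("branch-overrides", 1, 5, {
        "allow-dns": {"action": "deny", "port": "53"},  # loses: lower priority
        "allow-web": {"action": "allow", "port": "443"},
    })
    local = Snippet("local", 1, 10, {
        "allow-dns": {"action": "deny", "port": "53"},  # wins: equal priority, nearer the leaf
    })
    root = Entity("global", 2, snippets=[baseline])
    branch = Entity("branch", 2, root, [branch_rules])
    return baseline, [Entity("fw-legacy", 1, branch), Entity("fw-new", 2, branch, [local])]
```

The check worth running against any such system is the one `branch-overrides` exercises: a snippet attached lower in the hierarchy but carrying a lower predefined priority does not displace the global rule, so a folder administrator cannot silently weaken a mandated rule by attaching a nearer snippet. The `fw-legacy` entity shows the other side of claim 2: the translated `block-tor` rule is marked with the schema it was derived from, so an audit can tell an enforced-as-written rule from a downgraded one.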
Description
CROSS REFERENCE TO OTHER APPLICATIONS
This application is a continuation of U.S. patent application Ser. No. 18/115,454, entitled ALTERNATE MEANS TO SHARING CONFIGURATION ACROSS MULTIPLE FIREWALLS OR GROUPS OF FIREWALLS, filed Feb. 28, 2023, which is incorporated herein by reference for all purposes.
BACKGROUND OF THE INVENTION
Large scale deployments have large numbers of systems, devices, or other endpoints. The systems, devices, or endpoints may be arranged in a hierarchical structure. Because of the scale of such deployments, targeting the configuration of multiple specific leaf nodes (e.g., systems, devices, or other endpoints in the hierarchy) is difficult to manage and maintain. Traditionally, administrators of such deployments configure each leaf node individually. The administrators are tasked with ensuring that the various leaf nodes in the hierarchical structure are configured with the appropriate policy configurations, including updating the configurations in connection with new or updated policy configurations.
BRIEF DESCRIPTION OF THE DRAWINGS
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
FIG. 1 is a block diagram of an environment for managing policy configurations according to various embodiments.
FIG. 2 is a block diagram of a system for managing policy configurations according to various embodiments.
FIG. 3 is an example of a user interface for managing snippets according to various embodiments.
FIG. 4 is an example of a user interface for creating snippets according to various embodiments.
FIG. 5 is an example of a user interface for associating snippets according to various embodiments.
FIG. 6 is an example of a user interface for managing snippets associated with a particular entity hierarchy according to various embodiments.
FIG. 7 is an example of a user interface for managing snippets associated with a particular entity hierarchy according to various embodiments.
FIG. 8 is a flow diagram of a method for deploying a set of shared policy configurations according to various embodiments.
FIG. 9 is a flow diagram of a method for configuring a snippet according to various embodiments.
FIG. 10 is a flow diagram of a method for associating snippets with entity hierarchies according to various embodiments.
FIG. 11 is a flow diagram of a method for managing snippets associated with an entity hierarchy according to various embodiments.
FIG. 12 is a flow diagram of a method for resolving conflicts between snippets associated with an entity hierarchy according to various embodiments.
FIG. 13 is a flow diagram of a method for deploying a set of policy configurations according to various embodiments.
FIG. 14 is a flow diagram of a method for deploying a set of policy configurations according to various embodiments.
FIG. 15 is a flow diagram of a method for managing snippets according to various embodiments.
DETAILED DESCRIPTION
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term 'processor' refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims, and the invention encompasses numerous alternatives, modifications, and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example, and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
As used herein, a snippet may be a collection of one or more configurations for a system. For example,