Documentation forHybrid Cloud Observability Advancedand Network Configuration Manager

View Palo Alto policies

Use NCM to view information about the policies defined for Palo Alto devices that run OS 7.1 and later.

What policies can I view in NCM?

NCM displays information about the policies defined in the default virtual system (vsys) of the Palo Alto device. If you have defined policies in a non-default vsys, they are not available to NCM.

NCM displays information about Security Policies on Palo Alto devices. NCM does not display information about the following types of policies:

  • NAT
  • QoS
  • Policy Based Forwarding
  • Decryption
  • Tunnel Inspection
  • Application Override
  • Authentication
  • DoS Protection

View policies

  1. Click My Dashboards > Network Configuration > Config Summary.
  2. In the NCM node list, click a Palo Alto device.

    The Node Details page displays information about the selected device.

  3. In the menu on the left, choose Policies .

    The Policies view displays a summary of each policy, including the name, source zones, destination zones, and origin.

    • Policies pushed from a Panorama management server have an origin of either 'Pre Policy (Panorama)' or 'Post Policy (Panorama)'.
    • Policies that are not pushed from a Panorama management server have an origin of 'Local'.

    Information is available on the Policies view only after you have downloaded configurations from the Palo Alto device.

  4. Use filters or search to locate the policy that you're interested in, and click the policy name.

    The Policy Details page displays information about the policy definition, as well as other information to help you evaluate and manage your policies. For example:

    • The Policy Changes widget displays the time and date of that affect this policy. This includes changes that were made directly to the policy, and changes to tags, applications, services, and other objects that are referenced by the policy.

      For changes made directly to the policy, click the View diff link to open the Compare Configs window and see what changed.

    • The Other Firewalls Using this Policy widget lists the devices that would be directly affected by changes to this policy.

      Other firewalls are listed only if their configurations have been downloaded to NCM. NCM uses the policy name to determine if other firewalls are using the policy.

    • If you have SolarWinds NTA with netflow enabled, the Top XX Conversations on Policy widget shows application traffic conversations that are affected by the selected policy. When a policy changes, use this widget to see how the change affects network traffic.