Ability to merge similar rules in parent DG

[necebeci]

Is your feature request related to a problem?

We are trying to create alternatives for reducing overall config size. Currently using a 4 level DG hierarchy with a planned final configuration of 250 virtual systems onboard. Moving similar rules in these virtual systems to a common parent would help reduce config size.

Describe the solution you'd like

Analyse the security policies in the same level of a DG tree, if a security rule matching a criteria exists in all DGs, move that rule to the parent DG and remove it from child DGs.

It would also be good to have the visibility and option to show if, like 4 out of 7 DGs in same level have this rule, either display or create it in higher DG. This could maybe be done by using a prevelance parameter ranging 1-100, if it's present above %70 of DGs in same level, add this rule to upper DG.

Additional context

This would be a 'nice to have' option when doing policy optimization tasks in relatively large environments.

[welcome-to-palo-alto-networks]

🎉 Thanks for opening your first issue here! Welcome to the community!

[swaschkut]

thanks for bringing this in.

some notes for later implementation

• create rule hash for all DG
• based on DG hierarchy compare rule hash
• objects used in rule must be available at the parentDG
• objects must be identical in all childDG (no overwrites)
• adding rule at end of parentDG [check needed about upper rules in childDG, starting from rule to be merged position]

[swaschkut]

• request from multiple customers;

another chat done with necebeci; this feature is a possibility to reduce configuration size