A company uses Panorama to manage multiple firewalls. They want to push a security policy that applies to all firewalls but with a specific exception for one firewall in a different region. Which Panorama method should be used?
Panorama allows overriding rules at the device group level for exceptions.
Why this answer
Option A is correct because Panorama allows a shared policy to be pushed to all firewalls, and you can override a specific rule for a particular device group. By placing the exception rule in the device group that contains the firewall in the different region, you can override the shared policy for that firewall while the rest continue to use the shared policy. This maintains centralized management while accommodating regional exceptions.
Exam trap
The trap here is that candidates often confuse rule override with rule addition. They assume that adding a pre-rule or post-rule can override a shared policy, when in fact only an explicit override within the same rule type (shared or device group) can replace a rule.
How to eliminate wrong answers
Option B is wrong because a post-rule in the device group applies after the shared policy rules, but it cannot override a shared policy rule; it only adds rules that are evaluated after the shared policy.
Option C is wrong because a device-specific pre-rule applies only to a single firewall, but it cannot override a shared policy rule; it only adds rules that are evaluated before the shared policy.
Option D is wrong because template variables are used to customize template settings (e.g., IP addresses, interfaces) across firewalls, not to override security policy rules.