https://live.paloaltonetworks.com/t5/panorama-discussions/configure-existing-production-panorama-template-used-for/m-p/538268#M1470 <P>When we started using the Panorama many years ago, we did so using the templates as an after thought of manually configuring each firewall. We are a small company so it wasn't difficult, but now we want to entertain SD WAN and my understanding is it is best to do this from the Panorama and not individually from each firewall.&nbsp;</P> <P>&nbsp;</P> <P>Since the Interfaces/Zones are set up individually, but identically (other than IP address differences) what would happen if I introduced the Interface/Zone configurations to the Panorama and then pushed this down to the firewall(s)? Scared to do so and cause issues. What is the best way forward? Maybe set up a new template with this configured and then move each firewall to the new template.&nbsp;</P> <P>&nbsp;</P> <P>I should add I have 11 firewalls. The majority of these are in one template (9 firewalls) with 1 other in its own template and the last firewall is manually maintained and is different from all the rest.&nbsp;</P> Tue, 11 Apr 2023 16:40:37 GMT ronan 2023-04-11T16:40:37Z https://live.paloaltonetworks.com/t5/panorama-discussions/configure-existing-production-panorama-template-used-for/m-p/538268#M1470 <P>When we started using the Panorama many years ago, we did so using the templates as an after thought of manually configuring each firewall. We are a small company so it wasn't difficult, but now we want to entertain SD WAN and my understanding is it is best to do this from the Panorama and not individually from each firewall.&nbsp;</P> <P>&nbsp;</P> <P>Since the Interfaces/Zones are set up individually, but identically (other than IP address differences) what would happen if I introduced the Interface/Zone configurations to the Panorama and then pushed this down to the firewall(s)? Scared to do so and cause issues. What is the best way forward? Maybe set up a new template with this configured and then move each firewall to the new template.&nbsp;</P> <P>&nbsp;</P> <P>I should add I have 11 firewalls. The majority of these are in one template (9 firewalls) with 1 other in its own template and the last firewall is manually maintained and is different from all the rest.&nbsp;</P> Tue, 11 Apr 2023 16:40:37 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/configure-existing-production-panorama-template-used-for/m-p/538268#M1470 ronan 2023-04-11T16:40:37Z https://live.paloaltonetworks.com/t5/panorama-discussions/configure-existing-production-panorama-template-used-for/m-p/538284#M1471 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/52408">@ronan</a>&nbsp;, from the brief description of your network, panos native SDWAN in Panorama will work well without knowing your full checklist of needs. To handle the device-group parent-child relationships for pre and post rules, I recommend this document -&nbsp;<A href="https://docs.paloaltonetworks.com/best-practices/10-1/best-practices-for-managing-firewalls-with-panorama/configuration-management/device-group-management" target="_blank">Manage Your Device Group Configurations on Panorama (paloaltonetworks.com)</A>&nbsp;and make sure you configure a Master Device, &amp; Reference Template.&nbsp; You can store objects in a Parent DG instead of <EM>shared</EM>&nbsp;to keep from overloading smaller firewalls but there is a checkbox in Panorama to only download objects used by the firewall.&nbsp; Since your zone name characters/case are identical, you should be able to share much of your policy via parent DG.&nbsp;</P> <P>&nbsp;</P> <P>For Templates/Template-Stacks, you will use <EM>variables</EM>&nbsp;to identify different IP addresses &amp; FQDNs for different firewalls using the same Template-Stacks.&nbsp; &nbsp;</P> Tue, 11 Apr 2023 18:49:24 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/configure-existing-production-panorama-template-used-for/m-p/538284#M1471 delliott_6784 2023-04-11T18:49:24Z