topic Re: Panorama Template conflicts with base device config in General Topics

Panorama Template conflicts with base device config

Poe — Fri, 23 Aug 2013 14:38:14 GMT

I am in the process of building out my Device Groups and Templates to standardize configurations across all sites. Our sites are standardized in a way that we can actually apply device configurations across multiple sites. After the base templates are applied all I need to do is apply the site specific data such as their local subnets and up addresses. My goal is to standardize configurations and reduce configuration time for rapid deployment.

However, when trying to achieve this goal I ran into an issue with the base configurations of the PAN devices. Out of the box the device is setup for a vwire with trust and untrust zones setup. This causes a conflict with Panorama. When I go to deploy my template configurations, it errors because the vwire and the trust/untrust zones are being referenced and the Template cannot overwrite those settings, even with a force.

My current solution to the issue was to go into the device and remove the conflicting configurations. Effectively removing all existing configurations from the device to allow the template a fresh start. Originally I was doing this from the GUI, but got lazy and now have a notepad with all the commands I just run from CLI.

Attached are the commands that need to be run:

delete rulebase security rules rule1

delete network virtual-wire default-vwire

delete zone trust

delete zone untrust

delete network interface ethernet ethernet1/1 virtual-wire

delete network interface ethernet ethernet1/2 virtual-wire

delete network interface ethernet ethernet1/1

delete network interface ethernet ethernet1/2

delete network virtual-router default

delete network ike crypto-profiles ike-crypto-profiles default

delete network ike crypto-profiles ipsec-crypto-profiles default

Is there a better way to get around this? Forcing the template won't work because unless the device settings directly conflict with the Panorama settings they will coincide. IE: Panorama will only overwrite on force, not delete.

Re: Panorama Template conflicts with base device config

kprakash — Fri, 23 Aug 2013 19:49:44 GMT

Hi,

It does work for the devices in question ( over writing the network parameters, with the new parameters that are pushed from the template ), if you select "Include Device and Network Templates" and "force template values" under the "device group" and "Templates" commits,

Below thread also talks about the same:

https://live.paloaltonetworks.com/message/24073#24073

BR,

karthik

Re: Panorama Template conflicts with base device config

Poe — Sat, 24 Aug 2013 16:06:17 GMT

Thanks for the reply. Last time I tried this, force template values overwrites existing configurations, but this only works for overridden configuration. For instance if I have a new device the default admin account will be present and if I have 3 administrator accounts in my template, if I override one of the template admin accounts and change his role on the local device. When I force the value it will overwrite the role change on the template admin account but it would not remove the Default admin account. I want to be able to delete the default admin account without having to prep the device before applying the template.

In the switch world I would delete the startup-config and reboot the device and start with a clean slate. I wonder if I can do the same for PAN-OS or if it will brick something or revert back to the default config.