topic How to use Panorama to deploy standardized remote sites? in General Topics

How to use Panorama to deploy standardized remote sites?

justinbrown — Tue, 04 Aug 2015 00:05:04 GMT

I'm looking for a way to use Panorama to deploy about 100 remote sites.

Let's say that we have the following scenario:

Site 01 has local subnet 192.168.101.0/24

Site 02 has local subnet 192.168.102.0/24

Etc through site 99 has local subnet 192.168.199.0/24

On each site, .1 is the firewall, .3 through .5 are onsite resources, .6-10 are switches, .11-19 are printers, and .20 through .200 are for DHCP Clients.

The security policies are different, of course, for allowing network access to switches than to printers and endusers.

Is there a way (other than scripting, which is where I'm at now) to use Panorama to set up each of these remote sites, including DHCP scopes for each site?

Or is there a more "Palo Alto Networks" way of doing this than my scenario?

My current scenario looks like this:

Script to set up a template specific to the site, with settings for DHCP Scope, Management interface, ethernet interfaces, etc.

Script to set up a device group specific to the site, with settings for local address objects, address groups, etc.

Use the parent device group to have the common security and nat policies that refer to the addresses defined in the site specific device group

Use the Template stack to set common network / device settings, though that doesn't seem relevant to the question.

Thanks,

Justin

Re: How to use Panorama to deploy standardized remote sites?

pulukas — Tue, 04 Aug 2015 10:26:00 GMT

Seems like you have the concepts down. Panorama is primarily about setting up the common settings that can be pushed to multiple devices via the groups. The general assumption is that specific site only settings are on the device.

With version 7 and the template stack you could use a specific template as you suggest for each site. But I think that is going to make your Panorama interface very busy with a very long pull menu on 100 sites. Personally, I would stick with keeping the specific settings local and just changing the context to local in Panorama for maintenance.

You are also correct that scripting will be your best bet to pre-load the configuration itself either on the device or via your Panorama specific device template.

Re: How to use Panorama to deploy standardized remote sites?

justinbrown — Tue, 04 Aug 2015 19:55:25 GMT

Thank you for helping me validate my plan.

Is there any way to run the script through Panorama (I couldn't find the command-line equivalent of switching to a local context)?

Assuming there isn't, and that I don't go with device specific Templates (I'll probably populate 30-40 to see how well filters mitigate the interface issues of having lots of templates), my updated plan ends with:

Bring up the new device, Import a config with the relevant bits, and use the load partial config from that file.

The load partial is to avoid problems with Putty buffer overruns in the scripting.

Assuming no one jumps in with a better plan, I'll give you the kudos for an answer in a couple days.

Re: How to use Panorama to deploy standardized remote sites?

pulukas — Tue, 04 Aug 2015 22:14:47 GMT

You are correct that you cannot run CLI for the devices from Panorama.

For the load partial scripting, I've generally imported the xml config file into the device or panorama as a file on the setup > operations menu. then you can reference the file name in your load partial commands so you don't have the buffer issue. The technique is outlined in the Panorama import documentation.

Panorama Device Migration