topic Re: Template and Devcie Group Design in General Topics

Template and Devcie Group Design

ghostrider — Mon, 14 Nov 2016 06:56:20 GMT

Hello Experts

I have two firewalls cluster, managed by panorama. One cluster is for perimeter firewall and other is core/DC firewalls. I have three customers and I created three vsys (CUST1, CUST2 and CUST3) on both clusters.

Now what is the recommendations for creating how many templates and device groups on panorama. Should I create three device groups - one for each customer on perimter cluster and DC cluster - means total six device groups?

Also what about templates? Should I create two tempaltes - one template per cluster or we can create templates for customer on same cluster?

Appreciated your input

Re: Template and Devcie Group Design

ghostrider — Wed, 16 Nov 2016 10:53:00 GMT

Any one there?

Re: Template and Devcie Group Design

BenjAudy.MTL — Wed, 16 Nov 2016 15:11:24 GMT

Hi,

We have active/passive firewalls at the perimeter and datacenter. I went a bit overboard with the templates. I created a template for each firewall, then a template for the perimeter and datacenter, and a global template. I then created a stack for each firewall. The reasons why I did that is because I didn't want to put any configuration directly on the firewalls (beside the HA configuration), in case I mistakenly override a local configuration from Panorama, and also because I didn't want to have the same configuration in two places. For example, our NTP server configuration is only in the global template, and the firewall hostname is in each individual template.

Benjamin

Re: Template and Devcie Group Design

ghostrider — Thu, 17 Nov 2016 07:50:06 GMT

Thank you make sense. But how about if your DC firewall have multiple virtual system (each for one customer). In this case would you go for individual template for each customer? What I see, If i stick to only one template for all virtual system then I cannot reuse the same zone name and also can not use different ssl forward decryption certificate etc.

So I can go with global template (contains HA config, hostname etc) then I can make one template per each customer and stack with global template. Is this make sense and we can do?

Re: Template and Devcie Group Design

BenjAudy.MTL — Mon, 21 Nov 2016 18:26:50 GMT

Hi,

I don't think it would make sense to have a template per customer. It makes sense for device groups, though. I don't understand why you cannot reuse the same zone name for different vsys. You tried it and you got an error message?

Benjamin