https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257100#M72936 <P>1.&nbsp; Create a Template.&nbsp; Add some network interfaces and zones and related stuff to it.</P><P>&nbsp;</P><P>2.&nbsp; Create a Device Group.&nbsp; Add some Address Objects to it, that you'll be referenceing in your Security/NAT Policies later.</P><P>&nbsp;</P><P>3.&nbsp; Try to create a Security/NAT Policy ... and notice how none of your Zones are available!</P><P>&nbsp;</P><P>There's nothing in Panorama that links Templates with Devices Groups (except for the physical firewall / managed device), which makes it pretty much useless for pre-planning and pre-configuring things before your actual firewalls arrive.</P><P>&nbsp;</P><P>What's even worse, is that if you have actual firewalls assigned to your Devices Groups and Templates, and you remove the last firewall from a Device Group (or Template), you will never be able to commit any changes from that point onward if you have used anything from the Network tab in the Policy tab.&nbsp; You get nothing but "invalid references".&nbsp; You basically have to clear out the Policy tab completely whenever you remove the last device from a Device Group.&nbsp; You can't keep an empty group around for future use!</P><P>&nbsp;</P><P>There *really* needs to be a way to link Device Groups and Templates without requiring an actual, in production physical firewall.&nbsp; One should not need to wait until the hardware is there to start preparing the config for it.&nbsp; This means I can't use the next 3 months to pre-configure things before we get the firewall for a new school in July, and will instead have to rush through everything in August.&nbsp; Here I thought Panorama was supposed to make my life easier.&nbsp; <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>&nbsp;</P><P>So, how is one supposed to write Security Policies (part of Device Group) without having access to Zones (required entry) from a Template?&nbsp; I just spent the day configuring everything under Device tab, Network tab, and Objects tab, only to discover it was wasted time as I can't use any of that stuff under the Policies tab as I don't have any managed devices yet to link them together!</P><P>&nbsp;</P><P>Tested with Panorama 7.1, 8.1, and 9.0.</P> Wed, 10 Apr 2019 22:41:52 GMT fjwcash 2019-04-10T22:41:52Z https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257100#M72936 <P>1.&nbsp; Create a Template.&nbsp; Add some network interfaces and zones and related stuff to it.</P><P>&nbsp;</P><P>2.&nbsp; Create a Device Group.&nbsp; Add some Address Objects to it, that you'll be referenceing in your Security/NAT Policies later.</P><P>&nbsp;</P><P>3.&nbsp; Try to create a Security/NAT Policy ... and notice how none of your Zones are available!</P><P>&nbsp;</P><P>There's nothing in Panorama that links Templates with Devices Groups (except for the physical firewall / managed device), which makes it pretty much useless for pre-planning and pre-configuring things before your actual firewalls arrive.</P><P>&nbsp;</P><P>What's even worse, is that if you have actual firewalls assigned to your Devices Groups and Templates, and you remove the last firewall from a Device Group (or Template), you will never be able to commit any changes from that point onward if you have used anything from the Network tab in the Policy tab.&nbsp; You get nothing but "invalid references".&nbsp; You basically have to clear out the Policy tab completely whenever you remove the last device from a Device Group.&nbsp; You can't keep an empty group around for future use!</P><P>&nbsp;</P><P>There *really* needs to be a way to link Device Groups and Templates without requiring an actual, in production physical firewall.&nbsp; One should not need to wait until the hardware is there to start preparing the config for it.&nbsp; This means I can't use the next 3 months to pre-configure things before we get the firewall for a new school in July, and will instead have to rush through everything in August.&nbsp; Here I thought Panorama was supposed to make my life easier.&nbsp; <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>&nbsp;</P><P>So, how is one supposed to write Security Policies (part of Device Group) without having access to Zones (required entry) from a Template?&nbsp; I just spent the day configuring everything under Device tab, Network tab, and Objects tab, only to discover it was wasted time as I can't use any of that stuff under the Policies tab as I don't have any managed devices yet to link them together!</P><P>&nbsp;</P><P>Tested with Panorama 7.1, 8.1, and 9.0.</P> Wed, 10 Apr 2019 22:41:52 GMT https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257100#M72936 fjwcash 2019-04-10T22:41:52Z https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257407#M73016 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42838">@fjwcash</a>&nbsp;</P><P>&nbsp;</P><P>I was able to reproduce the same behaviour as you, and find a fix!</P><P>&nbsp;</P><P>1. Go to Panorama -&gt; Managed Devices -&gt; Summary</P><P>2. Add a new serial number (it doesn't even have to be a valid one just spam some numbers)</P><P>3. Associate your fake FW to the device group and template</P><P>4. Commit to Panorama</P><P>&nbsp;</P><P>You can now reference your zones in the policy.</P><P>&nbsp;</P><P>Cheers,</P><P>Luke.</P> Fri, 12 Apr 2019 12:43:18 GMT https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257407#M73016 LukeBullimore 2019-04-12T12:43:18Z https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257438#M73025 <P>Huh, didn't even think to try faking a serial number.&nbsp; It's not pretty, but it does "work".</P><P>&nbsp;</P><P>I'll have to play around with that to see how to match things up between the two groups (Templates/Devices Groups) to get inheritance working properly.</P><P>&nbsp;</P><P>Thanks for the hint!</P> Fri, 12 Apr 2019 15:21:42 GMT https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257438#M73025 fjwcash 2019-04-12T15:21:42Z https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257487#M73037 <P>Even if you cannot choose the zones, you can still enter the names manually. The names will only be choosable when - as you noticed - a device is added to the devicegroup/template. The same "problem" occurs when you create policies in a parent device group where the devices are attached to child devicegroups. There you have to enter the names manually but it works as it should and the policies of the parent device groups arw also applied to the devices in the child device groups.</P> Fri, 12 Apr 2019 18:45:07 GMT https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/257487#M73037 Remo 2019-04-12T18:45:07Z https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/348416#M86729 <P data-unlink="true">To update this thread, in 8.1/9.0 and later code versions, there are now mechanisms called <A href="https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-firewalls/manage-device-groups/add-a-device-group" target="_blank" rel="noopener">Reference Templates</A> (See step 4)&nbsp;in each Device Group (DG) where you can specify templates to be used in the DG config. This ensures Zones, server profiles, etc, are usable in DG config.</P> Fri, 11 Sep 2020 00:09:48 GMT https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/348416#M86729 chmotley 2020-09-11T00:09:48Z https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/348671#M86758 <P>There is no Reference Template section in Panorama 8.1.15-h3. whether creating a new Device Group, or editing an existing one.</P> Fri, 11 Sep 2020 18:38:33 GMT https://live.paloaltonetworks.com/t5/general-topics/major-flaw-in-panorama-can-t-configure-anything-without-a-real/m-p/348671#M86758 fjwcash 2020-09-11T18:38:33Z