topic Re: Panorama Templates best practice? in General Topics

Panorama Templates best practice?

LCMember17002 — Tue, 01 Apr 2014 08:56:09 GMT

Currently we are moving our stand alone firewalls to Panorama. We build device groups to manage policies and objects.

Now we try to create Templates but we don't know exactly how to use them. We read the following article but it didn't really help: Panorama Templates

The main problem is that one device can only be assigned to one Template. So we consider two possibilities.

Every device gets it's own template. We manage all settings via Template and only few things are left to configure directly in the device.
We create a general template and assign it to all devices. Unfortunately we can only manage a few things which are equal on all devices (authentication, Zones).

But we can't really see the benefit. Alternative 2 is not very reasonable because the main part of settings must be configured still locally. Alternative 1 shifts the configuration part from the device to Panorama. But that's all.

Re: Panorama Templates best practice?

HULK — Tue, 01 Apr 2014 13:40:39 GMT

Hello Peri,

I would prefer the option 1, even though all devices are having independent configuration. The benefit is, if at any point of time you replace a firewall in your network ( one FW went down and replacing with a new one), then you can easily push all config from Panorama.

FYI: a helpful doc How to Import Palo Alto Networks Firewall Configurations into Panorama

Thanks

Subhankar

Re: Panorama Templates best practice?

LCMember17002 — Tue, 01 Apr 2014 21:17:57 GMT

That's true. But I can do this even without Panorama. Just load my config Backup into my cold standby firewall

Re: Panorama Templates best practice?

rhagen — Thu, 01 May 2014 14:06:23 GMT

I'm a big proponent of the second approach you mentioned. You should be able to use one common template for every Palo Alto Networks firewall in your environment. The biggest benefit of templates in Panorama is their ability to manage configuration elements that are common across many firewalls. By taking this broad approach, you can make changes such as adding a new User-ID agent or changing an SNMP community string and have it apply to every firewall throughout the network just my modifying one template.

I recommend using templates for configuration elements such as:

Server Profiles (LDAP, RADIUS, Syslog, etc)
SNMP Setup
Custom Response Pages
Logon banners
Authentication Profiles
Dynamic Update schedules
User Identification
Certificates and Certificate Profiles
Log Settings
Network Profiles

There are some configuration elements that really do not belong in templates. For instance, you can create security zones and interfaces within a template. This may work fine if all your firewalls have identical network topologies. However, if you need to vary from the template on any of the firewalls, you'll need to create a local override. I've seen more than one instance when an admin puts security zones or interfaces into a template and then caused a self-inflicted outage when someone clicked on "Force Template Values" when performing a commit.

I do not recommend using templates for device-specific configuration elements such as:

Interfaces
Security zones
Virtual routers
VLANS
Virtual Wires
IPsec Tunnels
GlobalProtect

Anyways, this is how I typically utilize templates and what I recommend to my customers. Hopefully this helps you figure out your centralized management strategy.

Re: Panorama Templates best practice?

CHammock — Thu, 05 Mar 2015 16:17:40 GMT

Interesting to see you have come to the same conclusion as myself regards what to and not to use templates for. Can I ask how you manage a mix of vsys and non vsys firewalls. Obviously I wouldn't want to manage any of the vsys via a template however the only solution I have found is to create two templates, one for vsys firewalls and one for non vsys firewalls. The templates themselves are identical accept for the fact that one has virtual systems checked and the other doesn't. This approach makes it tough to maintain the same settings in both templates but I can't really find an alternative solution. Hopefully future releases of Panorama will support hierarchical templates which may solve this problem.

Re: Panorama Templates best practice?

rhagen — Thu, 05 Mar 2015 17:14:14 GMT

You're correct. Today you need separate templates for vsys vs non-vsys platforms. Fortunately, this issue will be resolved in 7.0 along with delivering much greater flexibility in terms of how templates are used. Beta testing starts soon. Talk to your SE if you're interested in participating.