1. Create a Template. Add some network interfaces and zones and related stuff to it.
2. Create a Device Group. Add some Address Objects to it, that you'll be referencing in your Security/NAT Policies later.
3. Try to create a Security/NAT Policy ... and notice how none of your Zones are available!
There's nothing in Panorama that links Templates with Device Groups (except for the physical firewall / managed device), which makes it pretty much useless for pre-planning and pre-configuring things before your actual firewalls arrive.
What's even worse is that if you have actual firewalls assigned to your Device Groups and Templates, and you remove the last firewall from a Device Group (or Template), you will never be able to commit any changes from that point onward if you have used anything from the Network tab in the Policy tab. You get nothing but "invalid references". You basically have to clear out the Policy tab completely whenever you remove the last device from a Device Group. You can't keep an empty group around for future use!
There *really* needs to be a way to link Device Groups and Templates without requiring an actual, in production physical firewall. One should not need to wait until the hardware is there to start preparing the config for it. This means I can't use the next 3 months to pre-configure things before we get the firewall for a new school in July, and will instead have to rush through everything in August. Here I thought Panorama was supposed to make my life easier. :(
So, how is one supposed to write Security Policies (part of Device Group) without having access to Zones (required entry) from a Template? I just spent the day configuring everything under Device tab, Network tab, and Objects tab, only to discover it was wasted time as I can't use any of that stuff under the Policies tab as I don't have any managed devices yet to link them together!
Tested with Panorama 7.1, 8.1, and 9.0.
I was able to reproduce the same behaviour as you, and found a fix!
1. Go to Panorama -> Managed Devices -> Summary
2. Add a new serial number (it doesn't even have to be a valid one, just spam some numbers)
3. Associate your fake FW to the device group and template
4. Commit to Panorama
You can now reference your zones in the policy.
Huh, didn't even think to try faking a serial number. It's not pretty, but it does "work".
I'll have to play around with that to see how to match things up between the two groups (Templates/Device Groups) to get inheritance working properly.
Thanks for the hint!
Even if you cannot choose the zones, you can still enter the names manually. The names will only be choosable when - as you noticed - a device is added to the device group/template. The same "problem" occurs when you create policies in a parent device group where the devices are attached to child device groups. There you have to enter the names manually, but it works as it should and the policies of the parent device groups are also applied to the devices in the child device groups.
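Typing zone names by hand, as suggested above, means a typo only surfaces as an "invalid references" error at commit time. The following added example (not from the thread or from Palo Alto Networks) cross-checks the zones named in a Device Group's security rules against the zones defined in a Template, using the Panorama config XML layout; the config text, the Device Group name "School-DG" and the Template name "School-Template" are constructed for the example, and the caller supplies the DG-to-Template pairing because Panorama itself records no such link.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama config export (not from the thread).
# Template "School-Template" defines three zones; device group "School-DG"
# has one rule referencing them correctly and one with a typo ("dmz-servrs").
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain">
  <template><entry name="School-Template"><config><devices><entry name="localhost.localdomain">
   <vsys><entry name="vsys1"><zone>
    <entry name="trust"/><entry name="untrust"/><entry name="dmz-servers"/>
   </zone></entry></vsys>
  </entry></devices></config></entry></template>
  <device-group><entry name="School-DG"><pre-rulebase><security><rules>
   <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to></entry>
   <entry name="to-dmz"><from><member>trust</member></from><to><member>dmz-servrs</member></to></entry>
  </rules></security></pre-rulebase></entry></device-group>
 </entry></devices>
</config>"""


def template_zones(root, template):
    """Zone names defined in a template (across all vsys entries)."""
    path = (f"./devices/entry/template/entry[@name='{template}']"
            "/config/devices/entry/vsys/entry/zone/entry")
    return {e.get("name") for e in root.findall(path)}


def unresolved_zone_refs(xml_text, device_group, template):
    """Return {rule_name: [zone, ...]} for every zone a device-group security
    rule names (pre- or post-rulebase) that the given template does not define.
    'any' is a built-in keyword, not a zone, so it is never reported."""
    root = ET.fromstring(xml_text)
    zones = template_zones(root, template)
    bad = {}
    for base in ("pre-rulebase", "post-rulebase"):
        path = (f"./devices/entry/device-group/entry[@name='{device_group}']"
                f"/{base}/security/rules/entry")
        for rule in root.findall(path):
            refs = [m.text for m in rule.findall("./from/member") + rule.findall("./to/member")]
            missing = sorted({z for z in refs if z != "any" and z not in zones})
            if missing:
                bad[rule.get("name")] = missing
    return bad


if __name__ == "__main__":
    # Running this against the constructed sample reports the typo in rule "to-dmz".
    print(unresolved_zone_refs(SAMPLE_CONFIG, "School-DG", "School-Template"))
```

Run it against a real export (`show config candidate` via the XML API, or a saved named configuration) before committing to Panorama, and fix whatever it lists rather than discovering it in the commit error.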