Panorama IP Variable set to none/null possible?


L4 Transporter

I'm pretty sure this isn't supported and I haven't been able to get this to work.  I am attempting to use a single network interface template for multiple sites.  Some use 30 sub-interfaces and some may only use 3.  I want to push every sub-interface to all locations but only set IP variables on the ones that I need.  Does anyone know how to set a Layer 3 sub-interface and assign no value to the variable for ipv4?  Currently if it is set to "none" the commit will fail with message: Device xxxxxxxxxx variable table has undefined values, please use get value from device or define it first.  Unfortunately I want it to be defined as "none".

 

PS - I have also tried overriding at the stack level and removing the variable.  The GUI initially removes it but then it just comes back after a refresh.  This could be a bug.

Accepted Solutions

I felt like updating this thread based on how I solved this. (Requires PAN-OS 9 as some of these features are broken in 8.1 last time I checked)

 

I gave up on the variable with NULL value since it is not supported at this time. Instead I re-engineered my design. Instead of assigning IPs to interfaces in my Network Interface template, I shifted these assignments to overrides at the stack level. I created one stack per site. When you do this, a stack will inherit all interfaces from the Template but they will not be assigned an IP, Zone or vRouter. This way they all have NULL values by default. Then, for the interfaces you actually want to use, you can just use an override at the stack to give it an IP/Zone/vRouter. I also assigned variable names at the template level so they don't have to be manually created at every stack. Since unused variables are just placeholders at this point and not assigned to an interface, I just used addresses from the APIPA range. Working great so far.

 

So in the end I have:

1. Standard Template (for universal settings to all sites)
2. HA Template (one per PA-xxxx series)
3. Network Interface Template (only contains base interfaces with tag and MTU)
4. Zone Template (placeholder for Zone definitions)
5. Stack (inherits the above and overrides define which interfaces are active at that site and their values, i.e. IP/Zone/vRouter/etc.)

 

If this isn't a clear explanation I can include some screenshots in the future.
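
The layering described in the post above, modelled as an added example (not the poster's or Palo Alto's code) that also audits a site stack for placeholder APIPA addresses reaching an active interface. The dictionary layout, the variable names and the `resolve`/`audit` helpers are assumptions for illustration, not Panorama's schema or API.

```python
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")  # placeholder range used in the post

# Constructed model: base sub-interfaces (tag/MTU only) plus placeholder variables.
TEMPLATE = {
    "interfaces": {"ethernet1/1.10": {"tag": 10, "mtu": 1500},
                   "ethernet1/1.20": {"tag": 20, "mtu": 1500},
                   "ethernet1/1.30": {"tag": 30, "mtu": 1500}},
    "variables": {"$vlan10_ip": "169.254.0.10/32",
                  "$vlan20_ip": "169.254.0.20/32",
                  "$vlan30_ip": "169.254.0.30/32"},
}

def resolve(template, stack):
    """Merge stack overrides onto the template; return the effective interfaces."""
    variables = {**template["variables"], **stack.get("variables", {})}
    effective = {}
    for name, base in template["interfaces"].items():
        cfg = {**base, "ip": None, "zone": None, "vrouter": None}
        cfg.update(stack.get("overrides", {}).get(name, {}))
        if cfg["ip"] in variables:  # expand a $variable reference
            cfg["ip"] = variables[cfg["ip"]]
        effective[name] = cfg
    return effective

def audit(effective):
    """Return findings for half-configured or placeholder-addressed interfaces."""
    findings = []
    for name, cfg in sorted(effective.items()):
        if cfg["ip"] is None:
            if cfg["zone"] or cfg["vrouter"]:
                findings.append((name, "zone/vRouter set but no IP"))
            continue
        if ipaddress.ip_interface(cfg["ip"]).ip in APIPA:
            findings.append((name, "placeholder APIPA address on active interface"))
        if not cfg["zone"] or not cfg["vrouter"]:
            findings.append((name, "IP set without zone or vRouter"))
    return findings

# Constructed site stack: .10 overridden fully, .20 uses an unredefined variable.
SITE_A = {
    "variables": {"$vlan10_ip": "10.1.10.1/24"},
    "overrides": {
        "ethernet1/1.10": {"ip": "$vlan10_ip", "zone": "users", "vrouter": "default"},
        "ethernet1/1.20": {"ip": "$vlan20_ip", "zone": "voice", "vrouter": None},
    },
}
```

Running `audit(resolve(TEMPLATE, SITE_A))` reports only `ethernet1/1.20`; the untouched `.30` sub-interface stays unassigned and produces no finding.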

Cyber Elite

As you stated, I do not think it is possible.

 

Why not populate all interfaces with a bogus address 99.99.99.99/32 in the template variable?

May be ugly, but gets the job done.  😛

 

 

You are correct... it works... it's ugly... and we want to avoid it.  Hopefully PAN will have a fix for this soon.  If I can do this directly on a firewall I should be able to template it out.
