Currently we are moving our standalone firewalls to Panorama. We built device groups to manage policies and objects.
Now we try to create Templates but we don't know exactly how to use them. We read the following article but it didn't really help: Panorama Templates
The main problem is that one device can only be assigned to one Template. So we consider two possibilities.
But we can't really see the benefit. Alternative 2 is not very reasonable because the main part of the settings must still be configured locally. Alternative 1 shifts the configuration part from the device to Panorama. But that's all.
I would prefer option 1, even though all devices have independent configurations. The benefit is that if at any point in time you replace a firewall in your network (one FW went down and you are replacing it with a new one), you can easily push all config from Panorama.
FYI, a helpful doc: How to Import Palo Alto Networks Firewall Configurations into Panorama
I'm a big proponent of the second approach you mentioned. You should be able to use one common template for every Palo Alto Networks firewall in your environment. The biggest benefit of templates in Panorama is their ability to manage configuration elements that are common across many firewalls. By taking this broad approach, you can make changes such as adding a new User-ID agent or changing an SNMP community string and have it apply to every firewall throughout the network just by modifying one template.
I recommend using templates for configuration elements such as:
There are some configuration elements that really do not belong in templates. For instance, you can create security zones and interfaces within a template. This may work fine if all your firewalls have identical network topologies. However, if you need to vary from the template on any of the firewalls, you'll need to create a local override. I've seen more than one instance when an admin puts security zones or interfaces into a template and then caused a self-inflicted outage when someone clicked on "Force Template Values" when performing a commit.
I do not recommend using templates for device-specific configuration elements such as:
Anyways, this is how I typically utilize templates and what I recommend to my customers. Hopefully this helps you figure out your centralized management strategy.
Interesting to see you have come to the same conclusion as myself regarding what to and not to use templates for. Can I ask how you manage a mix of vsys and non-vsys firewalls? Obviously I wouldn't want to manage any of the vsys via a template; however, the only solution I have found is to create two templates, one for vsys firewalls and one for non-vsys firewalls. The templates themselves are identical except for the fact that one has virtual systems checked and the other doesn't. This approach makes it tough to maintain the same settings in both templates, but I can't really find an alternative solution. Hopefully future releases of Panorama will support hierarchical templates, which may solve this problem.
You're correct. Today you need separate templates for vsys vs non-vsys platforms. Fortunately, this issue will be resolved in 7.0 along with delivering much greater flexibility in terms of how templates are used. Beta testing starts soon. Talk to your SE if you're interested in participating.