I'm trying to figure out what the best practice and recommended method is for templates inside of Panorama? I've heard some conflicting info. Some advice says if I'm managing say 20 firewalls in Panorama, I should have a template for each firewall. I've also heard the opposite, that you only need 1 template for all firewalls. I've also heard you can create a template for each firewall but only up to a certain amount.
I guess the question also applies to device groups, when is there a need to create multiple device groups?
This fully depends on how you want to manage things, and there really isn't any set guidance here. Some administrators will utilize Panorama as a single pane of glass but still choose to manage each firewall individually, some will break things out into functions, some will simply utilize one template and one device group for all firewalls.
So for instance I may only require the use of one template for all firewalls, but then separate them into device groups based on 'internal', 'perimeter', and 'datacenter'. That being said I may also require a new template for all three of those, and require further device groups depending on what I'm actually trying to accomplish.
In essence, don't let anyone tell you that you are using templates or device groups wrong. If they are working for how you are administering your firewalls then that's all that actually matters.
Thanks! Sadly the info I have been receiving has been from Palo Alto partners and technical support engineers.
I've worked in two environments that used Palo. The first one had a template for each firewall, so on the template, the interface IP addresses were set in the template. If a device had to be replaced, you just booted the new one up, put the basic config on it to get connectivity and then pushed the template from Panorama.
Second environment used 1 template for all firewalls, but in many cases some things don't make sense. For instance, in Chicago, there are two dmz zones, so since the template uses two dmz zones, each firewall gets the two zones, even if they don't require a single dmz zone.
The first environment had the benefit that you never have to worry about local settings that may be missed.
Template stacks help even further.
That is somehow difficult because there really isn't the one way to do this, as @BPry already wrote, and there isn't really a wrong way - but there definitely are ways that make more sense and ways that don't really help you and make it more complex to administer your firewalls.
I only have a personal recommendation. For me there are some similarities to database design where you have to normalize the data (templates), reduce/eliminate redundant data (template variables) and create relationships between the data (template stacks). After that there are 2 ways to me: somehow group the firewalls only by their functions/locations or add another hierarchy for different customers. For me this is a way that makes it almost totally possible to configure every feature only at one place.