Template Stacks for HA (Active\Passive)

L1 Bithead

Looking to deploy template stacks to all of our managed firewalls from our Panorama 8.1.x. I am wondering how to deploy STACKs with values unique to each individual in an HA (active\passive) pair. Some settings would include:

 

Hostname,

HA configurations

Other device unique settings

 

When we create separate stacks for each firewall we get an error (albeit still commits) about the device A not being in STACK B. I am not comfortable keeping it like that with errors since I don't know the caveats.

 

Anyone out there deploy templates to HA Active\Passive without using the same stack?

L1 Bithead

Re: Template Stacks for HA (Active\Passive)

Hello

 

We have a stack per node:

Node-A

1) node-a -- covering things which are unique to the machine

2) system -- covering everything common on both nodes

3) basic -- covering settings which are common on all firewall (clusters)

Node-B

1) node-b -- covering things which are unique to the machine

2) system -- covering everything common on both nodes

3) basic -- covering settings which are common on all firewall (clusters)

 

Configs done on a "higher" stack level overwrite the one from a "lower" level (in most cases). We ran into errors when we had a virtual router in "system" and "basic".

 

Best Regards

  Joerg

L7 Applicator

Re: Template Stacks for HA (Active\Passive)

Hello,

Panorama treats each firewall as a separate entity, even in an HA pair. You can do as previously posted, or you can use template variables.

 

Cheers!

Re: Template Stacks for HA (Active\Passive)

Hi @DShofkom33x ,

 

I am still searching for the best approach, but meanwhile our setup is:

- Created one "Default Device Setting" template defining only: DNS, NTP, SNMP, Banner, Dynamic Updates, ContentID and session settings, logging setting, etc. (any other setting that is considered standard for us and applied on all devices)

- Created one "Site Specific Network settings" template defining anything needed in the Network tab (interfaces, routing, IPsec, GP etc). In the same template defining the HA setting. For this template we have defined some template variables:

$peer-ip - used in HA config general tab for peer ip address

$ha1-ip - used in HA config, HA1 local IP address

$ha2-ip - used in HA config, HA2 local IP address

$gw-ip - used in HA config, for path monitoring.

 

- Created one template stack per site - the stack includes default device settings and the site specific network and HA config.

- Each member in the cluster is overwriting and uses a specific value for all three variables

 

At the beginning I liked this approach as it is using fewer templates = fewer templates to support.

The disadvantage is that template variables support only IP addresses and network. Which means that you cannot set different priority for the two members using the same template (so we define it locally).

 

So I am starting to prefer the approach to use separate stacks for each member. Depending on the standardization between your sites (firewalls) you can try to create two templates for HA peer one and HA peer two. So the two stacks will use the same network template and the "standard HA" templates.
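
A consistency check for the per-device variable overrides described in the post above, as an added example that is not part of the thread and not Palo Alto code. The device names and addresses are constructed, and it assumes the overrides have already been collected into a plain dictionary; it does not talk to Panorama.

```python
import ipaddress

# Variable names as listed in the post above.
REQUIRED = ("$peer-ip", "$ha1-ip", "$ha2-ip", "$gw-ip")

def _addr(value):
    """Parse 'a.b.c.d' or 'a.b.c.d/len'; return the address, or None if invalid."""
    try:
        return ipaddress.ip_interface(value).ip
    except ValueError:
        return None

def check_ha_pair(overrides):
    """overrides: {device: {variable: value}} for the two HA peers.
    Returns a list of findings; an empty list means the pair is consistent."""
    if len(overrides) != 2:
        return [f"expected 2 HA peers, got {len(overrides)}"]
    findings = []
    for dev, variables in overrides.items():
        for name in REQUIRED:
            if name not in variables:
                findings.append(f"{dev}: {name} not overridden")
            elif _addr(variables[name]) is None:
                # The post notes variables hold only IP addresses/networks.
                findings.append(f"{dev}: {name}={variables[name]!r} is not an IP address")
    if findings:
        return findings
    (a, va), (b, vb) = overrides.items()
    # Assumption: each peer's $peer-ip must be the other peer's local HA1 address.
    for local, lv, remote, rv in ((a, va, b, vb), (b, vb, a, va)):
        if _addr(lv["$peer-ip"]) != _addr(rv["$ha1-ip"]):
            findings.append(f"{local}: $peer-ip does not match {remote} $ha1-ip")
    # Local HA addresses copied unchanged to both members are a typical mistake.
    for name in ("$ha1-ip", "$ha2-ip"):
        if _addr(va[name]) == _addr(vb[name]):
            findings.append(f"{name} is identical on both peers")
    return findings

# Constructed sample values (documentation address ranges).
GOOD = {
    "fw-a": {"$peer-ip": "192.0.2.2", "$ha1-ip": "192.0.2.1/30",
             "$ha2-ip": "198.51.100.1/30", "$gw-ip": "203.0.113.1"},
    "fw-b": {"$peer-ip": "192.0.2.1", "$ha1-ip": "192.0.2.2/30",
             "$ha2-ip": "198.51.100.2/30", "$gw-ip": "203.0.113.1"},
}

if __name__ == "__main__":
    for finding in check_ha_pair(GOOD) or ["HA pair overrides are consistent"]:
        print(finding)
```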

 
