At Ignite someone was talking about using template variables and making sure that their values are set to "none" as default as a best practice, and then overriding on the Panorama-managed firewall (by local I mean under Panorama > Managed Devices > Summary).
If you have a setting of "none" and you place a firewall in that template stack, you have to either define those variables on the firewall in Panorama (under Panorama > Managed Devices > Summary) or use "get local device settings" before you can push those settings to the firewall, or the commit appears to fail.
I guess what I'm asking is: why is setting the value to "none" a best practice? I assumed that when you added a firewall to a template stack, it was going to have the same interfaces/routing (or really close to it), and all you had to do was override whatever settings you had originally defined for a "patient zero" firewall on the new firewall added to that stack, and you should be good to go. Any advice or thoughts?
@Sec101 I always set interface addresses to "none" because otherwise there is a risk of forgetting about the variables and pushing config to a firewall with incorrect values. Yes, if you forget to update them you will get an error, but it is better to have an error when pushing the config than to push wrong IPs by mistake and get duplicate IPs on the network.
OK. Thank you for the reply!
I've noticed you can't push without setting them to at least something, even if they aren't in use somewhere on the box. So you think it was just a matter of having them set to "none" before a push as a reminder to set them to something... interesting.
Why not have multiple firewalls in one stack, and just override those specific settings on that device, if they are in fact "cookie cutter" networks? I can only make sense of setting variables to "none" if you are literally using one firewall per template... and with variables, doesn't that kind of defeat the purpose?
I set all of my variables to "none" at the template level. You want to make your templates/stacks as dynamic as possible. As soon as you hard-set something in a template, it trickles all the way down (not the preferred method). You always need to be aware of the order of precedence. Variables can be set at the template level, the stack level or the device level (stack overrides template, device overrides both). The closer you get to setting at the individual device, the more dynamic your template/stack design gets. So in theory, you could do what you are suggesting if your sites are similar enough. You could put a bunch of firewalls in the same stack and set all your variables at the device level. I usually stick to one stack per site because it's easier to keep track of, but I have considered putting similar sites into the same stack. Also, don't forget that in 9.x you can create your zones in a different template from your interfaces. This is where you can start to get even more dynamic and have more template reusability. This is confusing and it took me a while to really "get it". Let me know if this helps or needs more explanation.
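To make the precedence rule and the "none" safeguard from the answers above concrete, here is an added illustration (not Panorama's own code or API, and not written by anyone in this thread). It models variables resolved in the order device > stack > template, and runs a pre-push check that refuses to proceed while any value is still the "none" placeholder or while two devices resolve the same address variable to the same IP, which is exactly the duplicate-IP mistake the first answer warns about. The device serials, variable names and the convention that variables ending in "-ip" hold addresses are all constructed for the example.

```python
"""Toy model of Panorama template-variable precedence and a pre-push check.

Constructed illustration only: it is not Panorama's data model or API.
Precedence follows the thread: device override > stack override > template default.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NONE = "none"  # placeholder meaning "not set at this level"


@dataclass
class Template:
    name: str
    variables: Dict[str, str]  # variable name -> default value


@dataclass
class Stack:
    name: str
    templates: List[Template]  # listed highest-priority first, as Panorama orders them
    overrides: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    serial: str
    stack: Stack
    overrides: Dict[str, str] = field(default_factory=dict)


def resolve(device: Device) -> Dict[str, str]:
    """Return the effective value of every variable for one managed firewall."""
    values: Dict[str, str] = {}
    # Apply the lowest-priority template first so higher-priority ones win.
    for tmpl in reversed(device.stack.templates):
        values.update(tmpl.variables)
    values.update(device.stack.overrides)   # stack overrides template
    values.update(device.overrides)         # device overrides both
    return values


def precheck(devices: List[Device]) -> List[str]:
    """Return the problems that should block a push; an empty list means go ahead."""
    problems: List[str] = []
    owner: Dict[Tuple[str, str], str] = {}  # (variable, value) -> serial already using it
    for dev in devices:
        for var, val in resolve(dev).items():
            if val == NONE:
                # Unset placeholder: fail here rather than on the firewall.
                problems.append(f"{dev.serial}: ${var} is still 'none'")
                continue
            if var.endswith("-ip"):  # model convention: these variables hold addresses
                key = (var, val)
                if key in owner:
                    problems.append(f"{dev.serial}: ${var}={val} duplicates {owner[key]}")
                else:
                    owner[key] = dev.serial
    return problems


def demo() -> List[str]:
    """Two branch firewalls in one stack; the second one was copied carelessly."""
    base = Template("branch-base",
                    {"eth1-ip": NONE, "eth2-ip": NONE, "dns-server": "10.0.0.53"})
    stack = Stack("branch-stack", [base])
    devices = [
        Device("0001", stack, {"eth1-ip": "10.1.1.1/24", "eth2-ip": "10.1.2.1/24"}),
        # Constructed mistake: eth1-ip copied from 0001, eth2-ip never set.
        Device("0002", stack, {"eth1-ip": "10.1.1.1/24"}),
    ]
    return precheck(devices)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the block lists two problems for serial 0002: its eth1-ip duplicates 0001, and its eth2-ip is still "none". Leaving the template defaults at "none" is what makes the second one visible before anything reaches the firewall; a hard-coded template default would have pushed silently.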