- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-22-2022 07:57 AM
Hello,
We are configuring all our Firewalls (PA-52xx) via Ansible playbooks with extensive usage of Ansible modules. It works totally fine for us. Configurations are consistent and reinstalling a firewall from scratch works like a charm.
We are wondering:
- Why bother using templates in panorama when all setups/configs can be automated ?
- Is there something that will not work correctly by not using those templates ?
We'd love to have your comments or opinions on that subject.
Thanks 🙂
06-26-2022 10:08 PM
Templates are just an alternative method of configuration. Years ago it was the only feasible option for consistent application of configurations. Now you also have automated tools to do the same. Main drawback with Templates is folk overriding them which can be tedious to undo.
09-12-2022 09:54 AM
It also depends how your configuration is generated. If you have a very solid and dependable source of truth, with operations that do not touch the firewalls manually or by hand, and the Ansible playbooks are written such that common "snippets" of configuration are written to the specific multiple firewalls which require them, then you are creating your own version of what Templates can do.
Some folks choose to use both Ansible and Templates, because they can target a piece of configuration for just the Data Centre template, or target just the Europe template, or just the Production template, or however the grouping into templates has been configured.
Another consideration is VM-Series firewalls, which are very commonly configured with boostrapping from Panorama. Again, templates work very well there, but bootstrapping is far less commonly used for hardware, such as the scenario in the original post where it is PA-5200 series devices.
If you have a SoT and Ansible playbooks setup such that Ansible execution does the same things as Templates (or as much of Template functionality as you actually want or need), then that's great. Any of the approaches discussed here (and probably other approaches we have not mentioned) are valid, it is just that some approaches fit some organisations better than others because of the circumstances.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!