How to use Panorama to deploy standardized remote sites?


L0 Member

I'm looking for a way to use Panorama to deploy about 100 remote sites.

Let's say that we have the following scenario:

Site 01 has local subnet 192.168.101.0/24

Site 02 has local subnet 192.168.102.0/24

Etc., through Site 99, which has local subnet 192.168.199.0/24

On each site, .1 is the firewall, .3 through .5 are onsite resources, .6 through .10 are switches, .11 through .19 are printers, and .20 through .200 are for DHCP clients.

The security policies are different, of course, for allowing network access to switches than to printers and end users.

Is there a way (other than scripting, which is where I'm at now) to use Panorama to set up each of these remote sites, including DHCP scopes for each site?

Or is there a more "Palo Alto Networks" way of doing this than my scenario?

My current scenario looks like this:

Script to set up a template specific to the site, with settings for DHCP Scope, Management interface, ethernet interfaces, etc.

Script to set up a device group specific to the site, with settings for local address objects, address groups, etc.

Use the parent device group to hold the common security and NAT policies that refer to the addresses defined in the site-specific device group.

Use the Template stack to set common network / device settings, though that doesn't seem relevant to the question.

Thanks,

Justin

3 REPLIES

L7 Applicator

Seems like you have the concepts down. Panorama is primarily about setting up the common settings that can be pushed to multiple devices via the groups. The general assumption is that specific site-only settings are on the device.

With version 7 and the template stack you could use a specific template as you suggest for each site. But I think that is going to make your Panorama interface very busy with a very long pull-down menu on 100 sites. Personally, I would stick with keeping the specific settings local and just changing the context to local in Panorama for maintenance.

You are also correct that scripting will be your best bet to pre-load the configuration itself either on the device or via your Panorama specific device template.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thank you for helping me validate my plan.

Is there any way to run the script through Panorama (I couldn't find the command-line equivalent of switching to a local context)?

Assuming there isn't, and that I don't go with device specific Templates (I'll probably populate 30-40 to see how well filters mitigate the interface issues of having lots of templates), my updated plan ends with:

Bring up the new device, import a config with the relevant bits, and use load partial config from that file.

The load partial is to avoid problems with PuTTY buffer overruns in the scripting.

Assuming no one jumps in with a better plan, I'll give you the kudos for an answer in a couple days.

You are correct that you cannot run CLI for the devices from Panorama.

For the load partial scripting, I've generally imported the XML config file into the device or Panorama as a file on the Setup > Operations menu. Then you can reference the file name in your load partial commands so you don't have the buffer issue. The technique is outlined in the Panorama import documentation.

Panorama Device Migration

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
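The per-site generator the question describes, as an added example that is not from this thread or from Palo Alto Networks: it derives each site's address objects from the site number, validates the role ranges before anything is loaded, and renders the site-specific device group as set commands for a file you can import and load partially. The `set device-group ... address` syntax is an assumption to verify against the CLI reference for your PAN-OS version; the DHCP pool for the site template is left as the returned `dhcp-clients` range.

```python
import ipaddress

# Host layout from the thread: .1 firewall, .3-.5 onsite resources,
# .6-.10 switches, .11-.19 printers, .20-.200 DHCP clients.
FIREWALL_HOST = 1
ROLE_RANGES = {"resources": (3, 5), "switches": (6, 10),
               "printers": (11, 19), "dhcp-clients": (20, 200)}

def site_subnet(site):
    """Site NN -> 192.168.(100+NN).0/24, valid for sites 1..99."""
    if not 1 <= site <= 99:
        raise ValueError("site number must be between 1 and 99")
    return ipaddress.IPv4Network(f"192.168.{100 + site}.0/24")

def site_plan(site):
    """Return the per-site addressing as plain strings, validated."""
    net = site_subnet(site)
    base = int(net.network_address)
    addr = lambda host: str(ipaddress.IPv4Address(base + host))
    plan = {"name": f"site-{site:02d}", "subnet": str(net),
            "firewall": addr(FIREWALL_HOST),
            "ranges": {r: (addr(lo), addr(hi)) for r, (lo, hi) in ROLE_RANGES.items()}}
    validate_plan(plan)
    return plan

def validate_plan(plan):
    """Reject ranges that leave the subnet, overlap another role, or swallow the
    firewall/network/broadcast address: each would silently widen role policy."""
    net = ipaddress.IPv4Network(plan["subnet"])
    reserved = {int(net.network_address), int(net.broadcast_address),
                int(ipaddress.IPv4Address(plan["firewall"]))}
    used = set()
    for role, (lo, hi) in plan["ranges"].items():
        lo_i, hi_i = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
        if lo_i > hi_i or lo_i < int(net.network_address) or hi_i > int(net.broadcast_address):
            raise ValueError(f"{plan['name']}: {role} range is outside {net}")
        hosts = set(range(lo_i, hi_i + 1))
        if hosts & (used | reserved):
            raise ValueError(f"{plan['name']}: {role} overlaps another role or a reserved host")
        used |= hosts

def render_set_commands(plan):
    """Emit 'set device-group ... address' lines for the site device group (syntax assumed)."""
    dg = plan["name"]
    lines = [f"set device-group {dg} address {dg}-subnet ip-netmask {plan['subnet']}",
             f"set device-group {dg} address {dg}-firewall ip-netmask {plan['firewall']}/32"]
    for role, (lo, hi) in plan["ranges"].items():
        lines.append(f"set device-group {dg} address {dg}-{role} ip-range {lo}-{hi}")
    return lines
```

Looping `render_set_commands(site_plan(n))` for n in 1..99 into one file gives the per-site device-group objects that the parent group's common policies reference by name.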