One template in Panorama for HA pair of firewalls

Transition/migrate HA pair to firewall

 

I followed those instructions https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/migr..., steps from 1 to 7 and successfully migrated 3 HA pairs to Panorama management.

 

After migration I've got 3 device groups and 6 device templates in Panorama.

 

In this document https://live.paloaltonetworks.com/t5/Management-Articles/Any-special-considerations-when-importing-H... it is written that each firewall has to use its own template (below special note). This limitation is annoying and can lead to mistakes. After checking template values I think there is no need for this limitation and I think I could put both firewalls into the same template because relevant values for HA aren't part of the template (e.g. High Availability - General - Preemptive - Device Priority).

 

Is this correct, or does anyone have experience with such a deployment (two firewalls and one template) in production (https://live.paloaltonetworks.com/t5/Management-Articles/How-to-add-a-locally-managed-firewall-to-pa...)?

 

Regards Milan

Accepted Solutions

Hi @Milan_Lesnik

 

We already have a lot of such deployments. The dedicated template is only in the migration. After that you're free to change everything you want. You only need dedicated templates when you use them for settings which aren't the same on both firewalls.

In your case it is no problem to use one template for both cluster members. In my case we use template stacks which contain multiple templates (global settings template, cluster settings template and device-specific templates for each firewall with settings like mgmt ip, hostname ...)

 

Just keep in mind that you need to delete the device-specific values from the import templates and then you could apply this one template to both firewalls of your HA pair.

 

Hope this helps.

 

Regards,

Remo
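
An added example, not part of the original post and not Palo Alto Networks code: one way to find the device-specific values that have to be removed before one template can serve both HA members is to diff the two imported templates leaf by leaf. The XML below is constructed and simplified (element names, hostnames and addresses are assumptions), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-ins for the two imported per-firewall templates
# (not real Panorama exports; element names and values are assumptions).
FW_A = """<config><deviceconfig><system>
  <hostname>fw-a</hostname><ip-address>192.0.2.11</ip-address>
  <domain>example.internal</domain><timezone>UTC</timezone>
  <dns-setting><servers><primary>192.0.2.53</primary></servers></dns-setting>
</system></deviceconfig><network><interface><ethernet>
  <entry name="ethernet1/1"><comment>uplink</comment></entry>
</ethernet></interface></network></config>"""

FW_B = """<config><deviceconfig><system>
  <hostname>fw-b</hostname><ip-address>192.0.2.12</ip-address>
  <timezone>UTC</timezone>
  <dns-setting><servers><primary>192.0.2.53</primary></servers></dns-setting>
</system></deviceconfig><network><interface><ethernet>
  <entry name="ethernet1/1"><comment>uplink</comment></entry>
</ethernet></interface></network></config>"""


def leaf_values(xml_text):
    """Map each leaf path (entry names included) to the list of its values."""
    leaves = {}

    def walk(node, path):
        name = node.get("name")
        here = f"{path}/{node.tag}" + (f"[@name='{name}']" if name else "")
        children = list(node)
        if not children:
            leaves.setdefault(here, []).append((node.text or "").strip())
        for child in children:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return leaves


def device_specific(xml_a, xml_b):
    """Return {path: (values_a, values_b)} for leaves that differ or exist in only one."""
    a, b = leaf_values(xml_a), leaf_values(xml_b)
    diffs = {}
    for path in sorted(a.keys() | b.keys()):
        va, vb = sorted(a.get(path, [])), sorted(b.get(path, []))
        if va != vb:
            diffs[path] = (va, vb)
    return diffs


if __name__ == "__main__":
    for path, (va, vb) in device_specific(FW_A, FW_B).items():
        print(f"{path}: A={va} B={vb}")
```

Every path it reports is a candidate for a per-device template in a stack or for local configuration; an empty result means the two templates are interchangeable.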


All Replies
Hi

 

It helps, thank you for the answer.

 

During migration dedicated template, after migration one template for both firewalls.

 

Regards Milan
