I am in the process of building out my Device Groups and Templates to standardize configurations across all sites. Our sites are standardized in a way that we can actually apply device configurations across multiple sites. After the base templates are applied, all I need to do is apply the site-specific data such as their local subnets and IP addresses. My goal is to standardize configurations and reduce configuration time for rapid deployment.
However, when trying to achieve this goal I ran into an issue with the base configurations of the PAN devices. Out of the box the device is set up for a vwire with trust and untrust zones set up. This causes a conflict with Panorama. When I go to deploy my template configurations, it errors because the vwire and the trust/untrust zones are being referenced and the Template cannot overwrite those settings, even with a force.
My current solution to the issue was to go into the device and remove the conflicting configurations, effectively removing all existing configuration from the device to allow the template a fresh start. Originally I was doing this from the GUI, but got lazy and now have a notepad with all the commands I just run from the CLI.
Attached are the commands that need to be run:
delete rulebase security rules rule1
delete network virtual-wire default-vwire
delete zone trust
delete zone untrust
delete network interface ethernet ethernet1/1 virtual-wire
delete network interface ethernet ethernet1/2 virtual-wire
delete network interface ethernet ethernet1/1
delete network interface ethernet ethernet1/2
delete network virtual-router default
delete network ike crypto-profiles ike-crypto-profiles default
delete network ike crypto-profiles ipsec-crypto-profiles default
Is there a better way to get around this? Forcing the template won't work because, unless the device settings directly conflict with the Panorama settings, they will coincide, i.e. Panorama will only overwrite on force, not delete.
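As an added example (not code from this thread or from Palo Alto Networks), here is a small Python pre-flight check that scans a device's running config in set format for the factory-default objects listed above and emits only the delete commands that are still needed, in the same order as the list, so the template push can be gated on a clean device. The sample config lines are constructed to resemble a factory-default PAN-OS config and are not captured from a real device; the line patterns assume set-format output with one command per line.

```python
"""Pre-flight check for PAN-OS factory-default objects that collide with a
Panorama template push.

Added example, not code from the thread or from Palo Alto Networks.
Assumption: the input is the device's running config in "set" format, one
command per line; the sample below is constructed, not captured from a device.
"""
import re

# (label, regex for the set-format line, matching delete command).
# Order is the deletion order used in the thread: the security rule goes
# before the zones it references, the zones and vwire before the interface
# bindings, and the virtual router and crypto profiles last.
DEFAULTS = [
    ("security rule rule1",
     r"^set rulebase security rules rule1\b",
     "delete rulebase security rules rule1"),
    ("virtual-wire default-vwire",
     r"^set network virtual-wire default-vwire\b",
     "delete network virtual-wire default-vwire"),
    ("zone trust",
     r"^set zone trust\b",
     "delete zone trust"),
    ("zone untrust",
     r"^set zone untrust\b",
     "delete zone untrust"),
    ("ethernet1/1 vwire binding",
     r"^set network interface ethernet ethernet1/1 virtual-wire\b",
     "delete network interface ethernet ethernet1/1 virtual-wire"),
    ("ethernet1/2 vwire binding",
     r"^set network interface ethernet ethernet1/2 virtual-wire\b",
     "delete network interface ethernet ethernet1/2 virtual-wire"),
    ("interface ethernet1/1",
     r"^set network interface ethernet ethernet1/1\b",
     "delete network interface ethernet ethernet1/1"),
    ("interface ethernet1/2",
     r"^set network interface ethernet ethernet1/2\b",
     "delete network interface ethernet ethernet1/2"),
    ("virtual-router default",
     r"^set network virtual-router default\b",
     "delete network virtual-router default"),
    ("ike-crypto-profile default",
     r"^set network ike crypto-profiles ike-crypto-profiles default\b",
     "delete network ike crypto-profiles ike-crypto-profiles default"),
    ("ipsec-crypto-profile default",
     r"^set network ike crypto-profiles ipsec-crypto-profiles default\b",
     "delete network ike crypto-profiles ipsec-crypto-profiles default"),
]

# Constructed sample: what a factory-default box plus one site-specific
# line might look like in set format. Not real device output.
SAMPLE_CONFIG = """\
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire default-vwire interface1 ethernet1/1
set network virtual-wire default-vwire interface2 ethernet1/2
set network virtual-router default
set network ike crypto-profiles ike-crypto-profiles default hash sha1
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption aes-128-cbc
set zone trust network virtual-wire ethernet1/2
set zone untrust network virtual-wire ethernet1/1
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 action allow
set deviceconfig system hostname PA-site-lab
""".splitlines()


def find_factory_defaults(config_lines):
    """Return the labels of factory-default objects still present, in DEFAULTS order."""
    found = []
    for label, pattern, _cmd in DEFAULTS:
        rx = re.compile(pattern)
        if any(rx.match(line.strip()) for line in config_lines):
            found.append(label)
    return found


def cleanup_commands(config_lines):
    """Return only the delete commands still needed before the template push."""
    present = set(find_factory_defaults(config_lines))
    return [cmd for label, _pattern, cmd in DEFAULTS if label in present]


def ready_for_template(config_lines):
    """True when none of the conflicting factory defaults remain."""
    return not find_factory_defaults(config_lines)


if __name__ == "__main__":
    for label in find_factory_defaults(SAMPLE_CONFIG):
        print("conflict:", label)
    print("ready:", ready_for_template(SAMPLE_CONFIG))
    for cmd in cleanup_commands(SAMPLE_CONFIG):
        print(cmd)
```

Running it against a half-cleaned device prints only the deletes that are still outstanding, which is handy when a previous prep run was interrupted; the word-boundary anchors keep `ethernet1/1` from matching `ethernet1/10` on larger chassis.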
It does work for the devices in question (overwriting the network parameters with the new parameters that are pushed from the template) if you select "Include Device and Network Templates" and "force template values" under the "device group" and "Templates" commits.
The thread below also talks about the same:
Thanks for the reply. Last time I tried this, force template values overwrote existing configurations, but this only works for overridden configuration. For instance, if I have a new device the default admin account will be present. If I have 3 administrator accounts in my template and I override one of the template admin accounts and change his role on the local device, then when I force the value it will overwrite the role change on the template admin account, but it would not remove the default admin account. I want to be able to delete the default admin account without having to prep the device before applying the template.
In the switch world I would delete the startup-config, reboot the device and start with a clean slate. I wonder if I can do the same for PAN-OS, or if it will brick something or revert to the default config.