08-27-2013 10:00 AM
I have an environment where Palo Alto firewalls are already deployed and in production (a mix of PA-200s and PA-500s). I am building the templates, but I want to make sure that when I push them out, the templates won't wipe out the management interface settings or settings that are left blank in the template on Panorama. I have looked through documentation and forum searches, but it all points to new devices, where on the first template push the device can be overwritten. I also know of the option "force template values", and I suspect that if this is checked off the management IP address won't get wiped and the existing security zones will stay there, but I am hesitant to push this out before being 100% sure, as if it wipes the zones I will lose remote access.
I am assuming someone has run into this before.
08-27-2013 10:17 AM
Hello Eric,
You are right. If you push a network template without checking 'Forced Template Values', Panorama will merge its configuration with the firewall's candidate/running configuration.
If the 'Forced Template Values' option is checked along with 'Merge with Device Candidate Configuration', Panorama will try to override all the configuration on the firewall with the template's configuration, which would be catastrophic. If your firewall contains some local configuration, it is always a good practice to NOT check that 'Forced Template Values' option while committing.
Hope that helps!
Regards,
Kunal Adak
08-27-2013 10:47 AM
Thanks for the quick response. To confirm: any setting which is not configured in the template will not override what is on the Palo Alto firewall as long as the "force template value" check box is unchecked.
08-27-2013 10:58 AM
Eric,
If a setting is not configured in a template, then the template is not going to affect local device config regardless of checking/unchecking "Force Template Values". The force will only remove local device configuration for settings which are configured in a template and overlap.
Mike
07-27-2014 08:43 AM
Try it first on one member if you have HA.
I have also seen on version 6 that if the interface is configured on the local device and not the MGMT profile, and on the template in Panorama you have configured the MGMT profile, then when committing with the merge configuration option the local device will show a green + yellow icon, meaning the local device values override the template values and the MGMT profile from Panorama won't take effect. That makes me think about what the "scope" of the merge configuration is and how the template can really be a template for managing many devices.