Panorama Templates best practice?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Panorama Templates best practice?

L2 Linker

Currently we are moving our stand alone firewalls to Panorama. We build device groups to manage policies and objects.

Now we try to create Templates but we don't know exactly how to use them. We read the following article but it didn't really help: Panorama Templates

The main problem is that one device can only be assigned to one Template. So we consider two possibilities.

  1. Every device gets it's own template. We manage all settings via Template and only few things are left to configure directly in the device.
  2. We create a general template and assign it to all devices. Unfortunately we can only manage a few things which are equal on all devices (authentication, Zones).

But we can't really see the benefit. Alternative 2 is not very reasonable because the main part of settings must be configured still locally. Alternative 1 shifts the configuration part from the device to Panorama. But that's all.

5 REPLIES 5

L7 Applicator

Hello Peri,

I would prefer the option 1, even though all devices are having independent configuration. The benefit is, if at any point of time you replace a firewall in your network ( one FW went down and replacing with a new one), then you can easily push all config from Panorama.

FYI: a helpful doc How to Import Palo Alto Networks Firewall Configurations into Panorama

Thanks

Subhankar

That's true. But I can do this even without Panorama. Just load my config Backup into my cold standby firewall Smiley Wink

L3 Networker

I'm a big proponent of the second approach you mentioned.  You should be able to use one common template for every Palo Alto Networks firewall in your environment.  The biggest benefit of templates in Panorama is their ability to manage configuration elements that are common across many firewalls.  By taking this broad approach, you can make changes such as adding a new User-ID agent or changing an SNMP community string and have it apply to every firewall throughout the network just my modifying one template


I recommend using templates for configuration elements such as:

  • Server Profiles (LDAP, RADIUS, Syslog, etc)
  • SNMP Setup
  • Custom Response Pages
  • Logon banners
  • Authentication Profiles
  • Dynamic Update schedules
  • User Identification
  • Certificates and Certificate Profiles
  • Log Settings
  • Network Profiles

There are some configuration elements that really do not belong in templates.  For instance, you can create security zones and interfaces within a template.  This may work fine if all your firewalls have identical network topologies.  However, if you need to vary from the template on any of the firewalls, you'll need to create a local override.  I've seen more than one instance when an admin puts security zones or interfaces into a template and then caused a self-inflicted outage when someone clicked on "Force Template Values" when performing a commit.

I do not recommend using templates for device-specific configuration elements such as:

  • Interfaces
  • Security zones
  • Virtual routers
  • VLANS
  • Virtual Wires
  • IPsec Tunnels
  • GlobalProtect

Anyways, this is how I typically utilize templates and what I recommend to my customers.  Hopefully this helps you figure out your centralized management strategy.

Interesting to see you have come to the same conclusion as myself regards what to and not to use templates for.  Can I ask how you manage a mix of vsys and non vsys firewalls.  Obviously I wouldn't want to manage any of the vsys via a template however the only solution I have found is to create two templates, one for vsys firewalls and one for non vsys firewalls.  The templates themselves are identical accept for the fact that one has virtual systems checked and the other doesn't.  This approach makes it tough to maintain the same settings in both templates but I can't really find an alternative solution.  Hopefully future releases of Panorama will support hierarchical templates which may solve this problem.

You're correct. Today you need separate templates for vsys vs non-vsys platforms. Fortunately, this issue will be resolved in 7.0 along with delivering much greater flexibility in terms of how templates are used. Beta testing starts soon. Talk to your SE if you're interested in participating.

  • 8345 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!