11-13-2016 10:56 PM
I have two firewalls cluster, managed by panorama. One cluster is for perimeter firewall and other is core/DC firewalls. I have three customers and I created three vsys (CUST1, CUST2 and CUST3) on both clusters.
Now what is the recommendations for creating how many templates and device groups on panorama. Should I create three device groups - one for each customer on perimter cluster and DC cluster - means total six device groups?
Also what about templates? Should I create two tempaltes - one template per cluster or we can create templates for customer on same cluster?
Appreciated your input
11-16-2016 02:53 AM
Any one there?
11-16-2016 07:11 AM
We have active/passive firewalls at the perimeter and datacenter. I went a bit overboard with the templates. I created a template for each firewall, then a template for the perimeter and datacenter, and a global template. I then created a stack for each firewall. The reasons why I did that is because I didn't want to put any configuration directly on the firewalls (beside the HA configuration), in case I mistakenly override a local configuration from Panorama, and also because I didn't want to have the same configuration in two places. For example, our NTP server configuration is only in the global template, and the firewall hostname is in each individual template.
11-16-2016 11:50 PM
Thank you make sense. But how about if your DC firewall have multiple virtual system (each for one customer). In this case would you go for individual template for each customer? What I see, If i stick to only one template for all virtual system then I cannot reuse the same zone name and also can not use different ssl forward decryption certificate etc.
So I can go with global template (contains HA config, hostname etc) then I can make one template per each customer and stack with global template. Is this make sense and we can do?
11-21-2016 10:26 AM
I don't think it would make sense to have a template per customer. It makes sense for device groups, though. I don't understand why you cannot reuse the same zone name for different vsys. You tried it and you got an error message?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!