Template and Devcie Group Design

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Template and Devcie Group Design

L4 Transporter

Hello Experts

 

I have two firewalls cluster, managed by panorama. One cluster is for perimeter firewall and other is core/DC firewalls. I have three customers and I created three vsys (CUST1, CUST2 and CUST3) on both clusters.

 

Now what is the recommendations for creating how many templates and device groups on panorama. Should I create three device groups - one for each customer on perimter cluster and DC cluster - means total six device groups?

Also what about templates? Should I create two tempaltes - one template per cluster or we can create templates for customer on same cluster?

 

Appreciated your input

4 REPLIES 4

L4 Transporter

Any one there?

Hi,

 

We have active/passive firewalls at the perimeter and datacenter. I went a bit overboard with the templates. I created a template for each firewall, then a template for the perimeter and datacenter, and a global template. I then created a stack for each firewall. The reasons why I did that is because I didn't want to put any configuration directly on the firewalls (beside the HA configuration), in case I mistakenly override a local configuration from Panorama, and also because I didn't want to have the same configuration in two places. For example, our NTP server configuration is only in the global template, and the firewall hostname is in each individual template.

 

Benjamin

Thank you make sense. But how about if your DC firewall have multiple virtual system (each for one customer). In this case would you go for individual template for each customer? What I see, If i stick to only one template for all virtual system then I cannot reuse the same zone name and also can not use different ssl forward decryption certificate etc.

 

So I can go with global template (contains HA config, hostname etc) then I can make one template per each customer and stack with global template. Is this make sense and we can do?

Hi,

 

I don't think it would make sense to have a template per customer. It makes sense for device groups, though. I don't understand why you cannot reuse the same zone name for different vsys. You tried it and you got an error message?

 

Benjamin

  • 3415 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!