08-22-2019 05:05 AM
Looking to deploy template stacks to all of our managed firewalls from our Panorama 8.1.x. I am wondering how to deploy STACKs with values unique to each individual in a HA (active\passive) pair. Some settings would include:
Hostname,
HA configurations
Other device unique settings
When we create separate stacks for each firewall we get an error (albeit it still commits) about the device A not being in STACK B. I am not comfortable keeping it like that with errors since I don't know the caveats.
Anyone out there deploy templates to HA Active\Passive without using the same stack?
08-22-2019 06:58 AM
Hello
We have a stack per node:
Node-A
1) node-a -- covering things which are unique to the machine
2) system -- covering everything common on both nodes
3) basic -- covering settings which are common on all firewall (clusters)
Node-B
1) node-b -- covering things which are unique to the machine
2) system -- covering everything common on both nodes
3) basic -- covering settings which are common on all firewall (clusters)
Configs done on a "higher" stack level overwrite the one from a "lower" level (in most cases). We ran into errors when we had a virtual router in "system" and "basic".
Best Regards
Joerg
08-22-2019 08:03 AM
Hello,
Panorama treats each firewall as a separate entity, even in an HA pair. You can do as previously posted, or you can use template variables.
Cheers!
08-23-2019 06:57 AM
Hi @DShofkom33x ,
I am still searching for the best approach, but meanwhile our setup is:
- Created one "Default Device Setting" template defining only: DNS, NTP, SNMP, Banner, Dynamic Updates, ContentID and session settings, logging settings, etc. (any other setting that is considered standard for us and applied on all devices)
- Created one "Site Specific Network settings" template defining anything needed in the Network tab (interfaces, routing, IPsec, GP etc). The same template defines the HA settings. For this template we have defined some template variables:
$peer-ip - used in HA config general tab for peer ip address
$ha1-ip - used in HA config, HA1 local IP address
$ha2-ip - used in HA config, HA2 local IP address
$gw-ip - used in HA config, for path monitoring.
- Created one template stack per site - the stack includes the default device settings and the site specific network and HA config.
- Each member in the cluster is overwriting and uses a specific value for all three variables
At the beginning I liked this approach as it is using fewer templates = fewer templates to support.
The disadvantage is that template variables support only IP addresses and networks, which means that you cannot set a different priority for the two members using the same template (so we define it locally).
So I am starting to prefer the approach of using separate stacks for each member. Depending on the standardization between your sites (firewalls) you can try to create two templates, for HA peer one and HA peer two. So the two stacks will use the same network template and the "standard HA" templates
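A sanity check for the per-member variable overrides described in the post above, as an added example that is not part of the thread or of any Palo Alto tooling. It assumes the variable values have been copied into plain dictionaries by hand (the `DEFAULTS`, `NODE_A` and `NODE_B` names and all addresses are constructed) and that each member's `$peer-ip` should be the other member's HA1 address.

```python
import ipaddress

# Variable names are the ones listed in the post; all values are constructed.
REQUIRED = ("$peer-ip", "$ha1-ip", "$ha2-ip", "$gw-ip")

def resolve(template_defaults, device_overrides):
    """A per-device override wins over the template's default value."""
    return {**template_defaults, **device_overrides}

def _ip(dev, var):
    """Host address of a variable, or None if it is missing or malformed."""
    try:
        return ipaddress.ip_interface(dev[var]).ip
    except (KeyError, ValueError):
        return None

def check_ha_pair(defaults, overrides_a, overrides_b):
    """Return a list of problems in one active/passive pair's variables."""
    a, b = resolve(defaults, overrides_a), resolve(defaults, overrides_b)
    problems = []
    for name, dev in (("A", a), ("B", b)):
        for var in REQUIRED:
            if _ip(dev, var) is None:
                problems.append(f"{name}: {var} is missing or not an IP address")
    # Local HA addresses must differ, otherwise an override was not applied.
    for var in ("$ha1-ip", "$ha2-ip"):
        if _ip(a, var) is not None and _ip(a, var) == _ip(b, var):
            problems.append(f"{var} is identical on both members")
    # Assumption: each member's $peer-ip is the other member's HA1 address.
    for name, dev, peer in (("A", a, b), ("B", b, a)):
        mine, theirs = _ip(dev, "$peer-ip"), _ip(peer, "$ha1-ip")
        if mine is not None and theirs is not None and mine != theirs:
            problems.append(f"{name}: $peer-ip is not the peer's $ha1-ip")
    return problems

DEFAULTS = {"$gw-ip": "192.0.2.1"}
NODE_A = {"$peer-ip": "198.51.100.2", "$ha1-ip": "198.51.100.1/30",
          "$ha2-ip": "198.51.100.5/30"}
NODE_B = {"$peer-ip": "198.51.100.1", "$ha1-ip": "198.51.100.2/30",
          "$ha2-ip": "198.51.100.6/30"}

if __name__ == "__main__":
    print(check_ha_pair(DEFAULTS, NODE_A, NODE_B))  # correctly overridden pair
    print(check_ha_pair(DEFAULTS, NODE_A, NODE_A))  # member B reuses A's values
```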