Understanding Panorama & Firewall Configurations

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Understanding Panorama & Firewall Configurations

L3 Networker

Our Panorama server has 3 firewalls connected to it, all 3 are the same model.  All 3 firewalls are linked to there own seperate template, template stack & device group.  Each template, template stack & device group is linked to only one firewall.  None of the 3 firewalls share the same template, template stack or device group.  I am wondering if I should make configurations in the template or the template stack? Does it even matter? If I am configuring security or nat policies on one firewall will it affect or break something on one of the other firewalls?  Likewise if I am configuring a new subinterface on one firewall, will it get configured on one of the other firewalls? Is this setup an effective one?  I would like to avoid adding more firewalls until I have the best practice set up on Panorama also, that way I dont have to re design panorama later on.


L3 Networker

Hello @MarioMarquez


For templates,


If all the network and device config on all 3 firewalls are different, then there is no point of using template stack. You can simply create one template for each firewall and start configuring on them.


If you have common config for all the 3 firewalls, then usage of template stack is efficient and preferred way. Create a template, say 'global' on which you will have all the common configuration. Create another individual template, say 'firewall1' for configuring device specific settings. Grouping of these two templates into a stack will ensure that you have all the configuration from both templates committed to firewall. Similarly you can group same global template along with other device sepcific template in different stacks.


Note that order of template in template stack matters. You can find more info on how they work at here



For device group,


If you have individual device group for each firewall, configuration changes on one device group will not effect the other firewall.


Device groups follow tree like hierarchy. You can have parent device group (shared) which can have child device groups. Aany common rules on all firewalls can be configured on parent device group where as the device specific rules can be configured under child device groups. You can find more info here.


In short, templates and device groups provides greater felxibility for efficient management of your firewalls and usage of them will completely depends upon your network architecture and your requirements. 

  • 1 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!