07-26-2014 09:36 AM
Hey,
I am missing a good use case for configuring a Panorama Template for a large site with around 60 PAs (all single).
I don't think it would be smart to configure all of them from Panorama using the "Template per device" method,
because, for example, some configuration, like changing the Interface MGMT profile, would have to be done 60 times...
I think Palo Alto should add things like a "shared feature object". For example, the MGMT profile should be a Panorama object or some global object that I will be able to put in the template; this thing can really make Panorama much more flexible. (For example, maybe a lot here in the integration businesses, and for SSL connection and resource publishing, Juniper SA is the best choice, and that is because they designed it so almost every feature is broken apart from the other features in the configuration, leaving you to build your own most common configuration.)
Some things I have found irritating in using one Template for a bunch of PAs are:
1) You must really be careful not to push configuration with Force Config if you configured an interface (and you certainly cannot configure an interface with an IP on a shared device template); that might cause your 60 PAs to lose their WAN interface IP. A nice solution is to be able to choose fields not to be forced on a device.
2) Also, I really believe Panorama should be "device aware", meaning in this use the administrator will have to log in to the device directly for source NAT configuration, and that is because Panorama doesn't know the source IP from the device itself. One solution is that Palo Alto will make it possible to insert an object there in the configuration and let the device commit procedure validate whether the source NAT IP is good or not and alert us. No one who has bought Panorama really wants to go to the device's configuration directly.
3) This is a really annoying option, because if you choose a template for multiple devices you are actually skipping almost all of the Network tab configuration.
I think a good design for the "template per group of devices" is this:
1) Devices should be organized in groups (like now).
2) Each device group should be allowed to get multiple templates in some configurable order.
3) On commit, Panorama will put them in some layered structure and merge the configuration in the way that the device group configuration's order
4) The configuration will be sent to the device and be committed (force or merge); on merge, the device's configuration will take place.... but per field that was configured locally, for example not all the interface configuration but only the IP of the interface.
Other safe commit features:
1) Per each device group / device, disable the force template check box option.
If someone here has more good stuff to add here or would love to see more features, then please add to this discussion; maybe Palo Alto will get this list and do something with it.
If someone has a good use case for effectively controlling 60 devices with one template, then I would love to hear about it.