My question would be, is it possible to use template variables to set primary end secondary dns for DNS proxy rules in Panorama?
I can set a static entrys' IP address value to a variable defined in the template, but can't find the way to do the same for proxy rules.
Context: Our branch offices each have their on subnet, doman controllers and Palo Alto FWs. Subnets and IP addresses are standarized, Office 1 DC1 has IP of 192.168.1.1, Office2 DC1 has 192.168.2.1, etc. The DCs have their own template variable, let's say $DC01
The clients use the firewalls DNS proxy for DNS queries, however I want some queries for specific domains to be forwarded to the local DC, instead of the primary DNS server of the DNS proxy.
Of course I can override the configuration of the DNS Proxy object on the local firewall, but I would like to avoid that, it would make the template variables and the whole central management concept unusable.
Thanks in advance
Thank you for posting question @PozsonyiAttila
I was looking into this on my side, but I can't see this option in Panorama either. As an alternative solution, I would suggest to create a new Template for every site and configure the DNS proxy object in it, then place it on the top in each site's Template Stack. In this case, the DNS proxy object would take precedence and rest of the configuration will be pushed from rest of your Templates in Template Stack. This will have a slight administrative advantage over overriding Template values locally on Firewall side and you can manage everything from Panorama side.
Thanks for your answer Pavel,
If I'd have a tempIate stack for every branch office it could have been a solution, but our infrastructure and IP addressing is highly standartized so I could do all my 60+ sites with a single template stack and variables. So far...
In think it's a pretty basic need to handle DNS servers with variables or it's only me?
Anyway, I think I file a feature request and see what PAN thinks about it.
Running into this as well. Our template sets all the interfaces in vsys1. If you create the DNS Proxy Object on the template in Vsys1 it let's you define variables. However, when you go to commit to the firewalls it fails and says the interfaces are an invalid reference which doesn't make sense as they live in the default vsys1.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!