PANCast Episode 23: Panorama Templates and Template Stacks

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

 

Episode Transcript:

 

John:

Hi PANCasters and welcome back. Today we have Amine who will be talking about Panorama templates and template stacks. Thanks for joining us today Amine, can you tell us a bit about yourself before we start?

 

Amine:

Hello John. Thanks a lot for inviting me today. My name is Amine and I am part of the support team here in Singapore. I joined Palo Alto Networks almost 3 years ago, and I specialized in Panorama management and commit issues.

 

What are the Templates and Template Stacks?

 

John:
Thanks, Amine. Onto the topic of today, so what are Panorama templates and template stacks.

 

Amine:

A template is similar to a block of configuration. It’s a set of predefined settings on Panorama that then can be applied or "pushed" to the firewalls.

Templates can cover all the settings that are found under the "Network" and the "Device" tabs on your firewall.

For example, you could have a template that includes your internal CA root certificate.

And you could have another template that includes a local Radius server.

 

On the other hand, a template stack is the combination of several templates. The template stack puts together the several bricks of configuration from the templates into the final configuration that will be pushed to the firewalls.

For example, you could have a template stack that combines the two templates I just mentioned before: the root certificate and the RADIUS server configuration combined and together, they make the content of the template stack.

 

Benefits of the Templates and Template Stacks

 

John:
Now that we have an overview of the templates and template stacks, how do they help in daily administrative tasks?

 

Amine:

The templates and template stacks are centralized on Panorama. Their goal is to configure the things only once and to push them across the firewalls as per the business requirement.

 

Within an organization, it is most likely to have settings that will replicate across all the devices, for example the admin users or the NTP servers, and then there are some settings that are more specific to a region or a functionality or a model of a firewall.

 

The templates allow you to prepare the configuration on a granular approach. The template stacks make the framework that allows a unique combination of templates that will be pushed to the firewalls.

 

For example, in the event of having an expired certificate, renewing that certificate would require a single change in the template, on Panorama, and it would automatically be reflected on all the firewalls associated with that template.

 

A Few Things Worth Mentioning

 

John:
OK, so they allow a centralized, yet flexible way to configure all the firewalls. Anything worth noting about how they are used?

 

Amine:

Thanks John, that’s a good question. There are a couple things to remember when using them:

 

  • A firewall can be associated with only one template stack. It’s important to create the template stack with as much flexibility as possible by adding as many templates as necessary.
  • Another thing to mention, the order of the templates within the template stack matters. On Panorama, you can see the templates are orderly listed in the template stack. More priority is given to the higher template, and less priority is given to the lower template. Essentially, if there is some configuration overlapping between two templates, inside the same template stack, the template stack will use the configuration from the template listed higher and will ignore that same piece of configuration from the template listed below.

 

Scenario Based Example

 

John:
Great pointers. Could you give us an example of how they would work?

 

Amine:

Let's imagine a company. Let's name it: Example Corporation. 

So, it has its headquarters in Singapore, in Asia.

Example Corp is established on 2 continents: Asia and Africa.

The company has offices in 3 countries per continent and each site has one firewall.

 

John:
So, Example Corporation has a total of 6 firewalls in 6 countries across 2 continents, right?

 

Amine:

That’s correct, John.

Now, let's assume the following requirements:

First, we have the IT team, with 2 administrators, one per continent. Both of them must be able to connect to all the firewalls.

Second, the company has an Active Directory server on each continent. The AD servers act as the LDAP and DNS servers for the firewalls in their corresponding continent.

Finally, each site has a local syslog server for the log forwarding.

 

According to this information, we can organize our configuration based on layers. We will create the following templates:

  • One Global template that will be applied to all the firewalls and that includes all the admin users
  • Two Continent-specific templates, one for Asia and the other for Africa. Each one will contain its own Active Directory server.
  • And finally there will be six site-specific templates, one per country, applied to each firewall accordingly. They will have their own local syslog server configuration.

 

John:

Got it, so you prepared the templates as basic blocks of configuration with a granular approach. How do you combine them and link them to every firewall?

 

Amine:

So next, we create the template stacks.

We need as many Template Stacks as there are firewalls.

Each firewall will be linked to its corresponding template stack.

Then, inside each template stack, we will add all the necessary templates.

The order matters. So first, sitting at the top of the list, will be the most specific template and at the bottom of the list, will be the least specific template.

So the order of the templates will be: the country specific at the top, the continent-specific template below, and at the bottom will be the global worldwide template.

That’s it. The configuration is now complete. We have 6 firewalls and 6 template stacks. Each template stack uses the necessary settings from the templates.

 

John:

Great. That was easy! So what would happen if Example Corporation had to implement a new DNS server but only to be used by the firewall in the HQ in Singapore?

 

Amine:

So a change of DNS settings is required and it must be applied - only - to the firewall in Singapore?

As you know, the DNS settings come from the continent template, with the AD server. Changing that template would affect all the firewalls in Asia.

So well, in order to achieve that new requirement, we will simply add the new DNS server in the template dedicated to Singapore.

 

John:

But the template stack will have 2 DNS servers right, which one will be applied?

 

Amine:

You are correct, there will be 2 different DNS settings: the new DNS server in the Singapore's template and the old DNS server, the Active Directory server in the continent's template.

The template stack will combine all this configuration and will give the priority to the template sitting at the top of the list.

Since we have listed the country-specific template on top, the new DNS server in the Singapore’s template will be pushed to the firewall in Singapore, and only that.

 

Templates, Template Stacks and More

 

John:
What else can you add to this scenario?

 

Amine:

As you can imagine, we can add much more complexity to this scenario. We could add more templates:

  • for example, based on the models of the firewalls because of specific network interfaces configuration
  • or based on the needed functionalities such as VPN tunnels or QoS profiles… 

 

In addition to that, there are Template variables that can be defined at either the template or template stack level and can be used to replace IP addresses, IP ranges, FQDNs, IKE interfaces…The template variables allow even more flexibility in designing the templates and template stacks. That allows you to build your own way of configuring your firewalls thanks to Panorama.

 

John:
Thanks Amine, some great info on panorama templates and template stacks. Great to have you on PANCast.

 

Amine:

Thank you for having me... and I hope to join you again for another episode.

 

John:
I’ll look forward to it Amine. PANCasters, you can check out the episode’s transcript and in-depth articles on live.paloaltonetworks.com under PANCast. Until next time. Bye!

 

Related Content:

 

 

NGFW Panorama

Rate this article:
(1)
Comments
L2 Linker

I liked the example of how it can be applied to an environment. Great takeaways!