05-04-2022 03:12 AM
Hello, good morning, thank you very much for your collaboration. Here again waiting for your collaboration to solve some doubts about Panorama.
In this case, in relation to the Template/Template stack.
For example, if I have locally configured the interfaces of a Palo Alto firewall and decide to use a template, a template that includes "the same settings" as the local interface configurations plus some additional settings, such as AE, subinterfaces.
1.- When pushing the configuration, will there be a problem that the local configurations, in part, are equal to the template (in part, since I add the AE and the subinterfaces) and that they are in a template? What is the operation that occurs in this case, the template and the injected configuration overlaps the local configurations and overwrites them and always defines them as from the template, or will I get some kind of error when doing the push from Panorama and which are partly the same settings and parameters?
2.- It is only enough to move the firewalls from one Template Stack to another so that Panorama injects the configurations? Or in this matter of the template/template stack there are other details and considerations? It is enough to move the Firewalls, from a template stack and the configurations injected by the old template stack, they will disappear and only the Network and Device configurations will be present, from the new Template Stack, that is, they will receive the configurations only from where they were moved and added, of the template of destination? There will be no trace of the configuration of the old template stack? Only of the configurations from the new template of destination of the firewalls?
I remain attentive, thank you very much for the support, collaboration, for your time and support.
05-04-2022 05:42 AM
Hello,
1) Local config has higher priority than pushed from Panorama templatestack. When you have settings that don't overlap, commit should be successful. When configs overlap, local config will be used, as long as it won't destroy integrity of machine config file - for example, when eth1/2 is used in other ae interfaces locally and in template - then whole commit will fail, so no changes will be applied. Remember you have always "Validate template push" option in commit tab. You should export local config to Panorama, change it as you like and then push back. Second option is to manually rebuild local config on Panorama template, modify it and push. After successful commit, check if there are any overridden settings locally on firewall and revert them - you will use then template settings.
2) Of course after changing template stack for firewall you need to push and commit new configuration. Mark "Force Template Values" in Push and Commit -> Push scope selection tab. It overrides all local configuration settings and removes all objects on the selected firewall that don't exist in templatestack or that are overridden in local configuration. But be careful before this operation.
05-04-2022 05:58 AM
Hello @Metgatz
I would like to add to @W_Rafalski's excellent answer that Panorama pushed Template configuration that is overlapping with Firewall's local configuration is readily available, but not applied until you override it. Details are described in this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMj1CAG
Kind Regards
Pavel
05-04-2022 08:33 AM
05-05-2022 01:07 AM
So, specially for you I've made a test with "Force Template Values" option on PAN-OS 10.1 and, what is interesting, it didn't work like it is said in "help" built into device:
1) object configured only locally - hasn't been changed at all, it didn't disappear.
2) object configured locally and on template - changed for template value.
3) object configured only on template - appeared on firewall.
It works as in https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/panorama-web-interface/panor...
Force Template Values:
Overrides all local settings with objects defined in the templates or template stacks. This includes locally configured objects as well as objects pushed from Panorama that were locally overwritten. If an object is locally configured on the firewall, but is not configured in a template or template stack, then it remains unchanged on the firewall and is not deleted. The setting is disabled by default and must be enabled (checked) on each push from Panorama to managed firewalls.
If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.
I would recommend for you:
1) export firewall config to Panorama, modify it there and then push back
or
2) push templatestack values to firewall without "force template values" and then manually "revert" all locally configured values for those from Panorama
These are safe options.
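The three cases tested above, as an added example that is not part of the original posts: a small model of which value ends up on the firewall with and without "Force Template Values", usable as a pre-push check for overrides that would be replaced. The configuration is simplified to a flat path-to-value mapping with constructed values; `plan_push` and `replaced_by_force` are hypothetical names, not PAN-OS or Panorama APIs.

```python
# Constructed sample data: not exported from a real firewall or Panorama.
LOCAL = {
    "interface ethernet1/1 ip": "10.0.1.1/24",   # also in template, different value
    "interface ethernet1/2 ip": "10.0.2.1/24",   # also in template, same value
    "interface ethernet1/3 ip": "10.0.3.1/24",   # configured only locally
}
TEMPLATE = {
    "interface ethernet1/1 ip": "10.0.1.254/24",
    "interface ethernet1/2 ip": "10.0.2.1/24",
    "interface ae1 members": "ethernet1/5,ethernet1/6",  # configured only in template
}


def plan_push(local, template, force):
    """Model a template push; return (effective_config, report).

    report maps every path to what happens to it on the firewall.
    Assumption: each setting is an independent path/value pair, so commit
    failures caused by conflicting objects are out of scope here.
    """
    effective, report = {}, {}
    for path in sorted(set(local) | set(template)):
        if path not in template:
            # Case 1 in the post: local-only objects stay, even with force.
            effective[path], report[path] = local[path], "local-only kept"
        elif path not in local:
            # Case 3: template-only objects appear on the firewall.
            effective[path], report[path] = template[path], "template-only added"
        elif local[path] == template[path]:
            effective[path], report[path] = template[path], "same value"
        elif force:
            # Case 2: the local override is replaced by the template value.
            effective[path], report[path] = template[path], "local override replaced"
        else:
            # Without force the local value keeps priority until it is reverted.
            effective[path], report[path] = local[path], "local override kept"
    return effective, report


def replaced_by_force(local, template):
    """Paths whose local value a forced push would replace (review before pushing)."""
    _, report = plan_push(local, template, force=True)
    return [path for path, action in report.items() if action == "local override replaced"]


if __name__ == "__main__":
    for path in replaced_by_force(LOCAL, TEMPLATE):
        print(f"{path}: {LOCAL[path]} -> {TEMPLATE[path]}")
```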
05-05-2022 01:30 AM
@W_Rafalski Hello W_Rafalski,
Thank you very much for the support and for the tests you have carried out to validate what has been proposed, thanks for taking the time to carry out the test, with that I will support myself.
With recommendation 2) that you generate, to revert, let's say, local settings and/or local overrides, I can revert these settings directly in the firewalls, that is, manually reverting the overrides and only some local configurations, directly from the GUI of the local firewall (or from switch context Panorama) and so in the case of some reverted local configurations, the configuration that comes from Panorama is already injected.
Thank you best regards