Doubt about Panorama Template Stack and if the template is superimposed on the same local configuration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Doubt about Panorama Template Stack and if the template is superimposed on the same local configuration

L4 Transporter
 

Hello, good morning, thank you very much for your collaboration. Here again waiting for your collaboration to solve some doubts about Panorama.

 

In this case, in relation to the Template/Tempkate stack.

 

For example, if I have locally configured the interfaces of a Palo Alto firewall and decide to use a template, a template that includes "the same settings" as the local interface configurations plus some additional settings, such as AE, subinterfaces.

 

1.- When pushing the configuration, will there be a problem that the local configurations, in part, are equal to the template (in part, since I add the AE and the subinterfaces) and that they are in a template? What is the operation that occurs in this case, the template and the injected configuration overlaps the local configurations and overwrites them and always defines them as from the template, or will I get some kind of error when doing the push from Panorama and which are partly the same settings and parameters?

 

2.- It is only enough to move the firewalls from one Tempalte Stack to another so that Panorama injects the configurations ? or in this matter of the template/template sktack there are other details and considerations? It is enough to move the Firewalls, from a template stack and the configurations injected by the old template stack, they will disappear and only the Network and Device configurations will be present, from the new Template Stack, that is, they will receive the configurations only from where they were moved and added, of the temple of destiny? There will be no trace of the configuration of the old tempalte stack? only of the configurations from the new template of destination of the firewalls?.

 

I remain attentive, thank you very much for the support, collaboration, for your time and support.

High Sticker
1 accepted solution

Accepted Solutions

So, special for you I've made a test with "Force Template Values" option on PAN-OS 10.1 and , what is interesting, it didn't work like it is said in "help" build into device:

1) object configured only locally - hasn't been changed at all, it didn't disappear.

2) object configured locally and on template - changed for template value.

3) object configured only on template - appeared on firewall.

 

It works as in https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/panorama-web-interface/panor...

 

Force Template Values
Overrides all local settings with objects defined in the templates or template stacks. This includes locally configured objects as well as objects pushed from Panorama that were locally overwritten. If an object is locally configured on the firewall, but is not configured in a template or template stack, then it remains unchanged on the firewall and is not deleted. The setting is disabled by default and must be enabled (checked) on each push from Panorama to managed firewalls.
If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.

 

I would recommend for you:

1) export firewall config to Panorama, modify it there and then push back

or

2) push templatestack values to firewall without "force template values" and then manually "revert" all locally configured values for those from Panorama

These are safe options.

 

PCNSE, PCCSE, CCNP Security, AWS SAA

View solution in original post

5 REPLIES 5

L2 Linker

Hello,
1) Local config has higher priority than pushed from Panorama templatestack. When you have settings that don't overlap, commit should be successful. When configs overlap, local config will be used, as long as it won't destroy integrity of machine config file - for example, when eth1/2 is used in other ae interfaces locally and in template - then whole commit will fail, so no changes will be applied. Remeber you have always "Validate template push" option in commit tab. You should export local config to Panorama, change it as you like and then push back. Second option is to manually rebuild local config on Panorama template, modify it and push. After successful commit, check if there any overriden settings locally on firewall and revert them - you will use then template settings.

2)Of course after changing tempalte stack for firewall you need to push and commit new configuration. Mark "Force Template Values" in Push and Commit -> Push scope selection tab. It overrides all local configuration settings and removes all objects on the selected firewall that don't exist in templatestack or that are overriden in local configuration. But be carefull before this operation.  

PCNSE, PCCSE, CCNP Security, AWS SAA

Cyber Elite
Cyber Elite

Hello @Metgatz

 

I would like to add to @W_Rafalski excellent answer that Panorama pushed Template configuration that is overlapping with Firewall's local configuration is readily available, but not applied until you override it. Details are described in this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMj1CAG 

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

@W_Rafalski  

 
 
Hello, good morning and thank you for your response. OK, thanks for the clarified details, but I still have a doubt, for example if in this template with the same configurations as the local interfaces, let's say they overlap and to avoid errors at the time of commit and push, I use the "Force Template Values" option " will force use the template for the "Network" configurations but let's say other parameters, such as the local configuration of HA, although "I am not configuring in any setting, nor any parameter or value of HA via template", but at using "Force Template Values" will also be stepped on and overwrite the settings say None configured, say these local HA settings will be lost? (I am interested not, that we only say, that the configuration parameters of the interfaces at the "Network" level are stepped on and overlapped, but those of the "Device", with local settings, for example the HA, remain intact). Thank you very much for your collaboration.
High Sticker

So, special for you I've made a test with "Force Template Values" option on PAN-OS 10.1 and , what is interesting, it didn't work like it is said in "help" build into device:

1) object configured only locally - hasn't been changed at all, it didn't disappear.

2) object configured locally and on template - changed for template value.

3) object configured only on template - appeared on firewall.

 

It works as in https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/panorama-web-interface/panor...

 

Force Template Values
Overrides all local settings with objects defined in the templates or template stacks. This includes locally configured objects as well as objects pushed from Panorama that were locally overwritten. If an object is locally configured on the firewall, but is not configured in a template or template stack, then it remains unchanged on the firewall and is not deleted. The setting is disabled by default and must be enabled (checked) on each push from Panorama to managed firewalls.
If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.

 

I would recommend for you:

1) export firewall config to Panorama, modify it there and then push back

or

2) push templatestack values to firewall without "force template values" and then manually "revert" all locally configured values for those from Panorama

These are safe options.

 

PCNSE, PCCSE, CCNP Security, AWS SAA

@W_Rafalski  Hello W_Rafalski,
Thank you very much for the support and for the tests you have carried out to validate what has been proposed, thanks for giving you the time to carry out the test, with that I will support myself.

With recommendation 2) that you generate, to revert, let's say, local settings and/or local overrides, I can revert these settings directly in the firewalls, that is, manually reverting the overrides and only some local configurations, directly from the GUI of the firewalls. local firewall (or from switch context Panorama) and so in the case of some reverted local configurations, the configuration that comes from Panorama is already injected.

Thank you best regards

High Sticker
  • 1 accepted solution
  • 5611 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!