06-22-2021 02:16 PM
I'm trying to see if there is a good way to use templates to create 2 different GlobalProtect portals using Panorama. This would be used as a failover scenario, and ease changes, allowing us to use 1 template to configure both firewalls. Name and FQDN would be the same, just failover to the other IP.
Problem is that I can't seem to find out how to capitalize on using a template when it comes down to using the same setup, but on different firewalls on a specific vsys (not vsys1). I know variables solve the problem of IPs, but I think certificates may be a problem too. Multiple vsys and one template config across 2 different firewalls. Solution?
06-22-2021 03:09 PM
Hi @Sec101
As long as the name (in Panorama) for the vsys is the same, this shouldn't be a problem. Also, the certificate can then be imported in this template and is then applied to both firewalls.
06-23-2021 06:34 AM
If you open a new template, are you able to specify anything other than vsys1 in the vsys designation? I may be doing something wrong, but it looks like I can only select vsys1? Do you just type the name in manually?
06-23-2021 07:41 AM
Hello there
Here is a point to consider.... every FW (from the vm firewalls to the highest 7000 series) all have a vsys called vsys1.
So, Panorama technically manages vsys, not firewalls.
My point here, how are you adding into the Panorama that you want to have vsys/2 or vsys/3, etc?
I think you need to add in your serial (00700032423434 with a / and the vsys you want to manage)
So my example: 0070003242649/2, then 0070003242649/3
Now each "firewall" can be put into its own template.
06-23-2021 01:10 PM - edited 06-23-2021 01:22 PM
Is this even in an existing template stack when adding a completely new template that you would want to add into an existing stack? The option to change to a different vsys in a new template that you would want to add to a template stack is either vsys1 or none, it seems. I also see the firewall/vsys on the device groups side, but that doesn't appear to exist on the template side, I think, other than the already existing template, where I am able to select which is the default vsys (names included). It's like Panorama doesn't know about the multi-vsys in a brand new template. I tried adding it to the stack even, but it still won't allow me to choose the vsys to force that configuration to (would like to do this across firewall with a few variables, but this would be a newly added template into an existing multi-vsys stack, so the new template would have to designate an already existing vsys that only exists in that stack).
06-23-2021 01:12 PM
Hi @Sec101
Panorama actually doesn't care about the internal firewall vsys names (vsys1, vsys2, vsys3, ...). In Panorama you create a template with a name like "VPN". If you then apply this template to a firewall, the configuration will be applied to the vsys with the name "VPN". There it does not matter if this vsys "VPN" is vsys2 on firewall 1 and vsys4, for example, on firewall 2. So with this, theoretically, your requirement should be configurable, but there probably still are some stones in the way, aka dependent configurations. So if there are other configurations in the same vsys on the two firewalls, you might need to change some of these into the template for the vsys "VPN".
06-23-2021 01:15 PM
@SCantwell_IM are you talking about the device groups? As these are applied to 0070003242649/VSYSNAME. The templates need to be added to template stacks to which actual firewalls (without vsys) are attached.
06-23-2021 01:42 PM
Maybe I don't understand what you mean, but in a new template by default vsys1 is created. But then you can add the vsys with the name you like:
After that you could even delete vsys1 from this template so that it only contains the configuration for this one specific vsys you need. When you then add this template to a template stack the configuration from the VPN vsys is applied there where you need it.
06-24-2021 07:02 AM
That is exactly what I meant. Thank you @Remo! So now, my only question is, I'm guessing I can have two templates managing the same vsys, as long as there are no overlaps in the configuration, correct? I know the top-down precedence order in stacking, but when it comes to multiple templates managing the same vsys, does it work the same way?
06-24-2021 08:30 AM
@Sec101 yes, it works the same way. As long as you have no overlaps, all the configurations will be applied.
(If there are overlaps, then the configuration from the template with the higher priority (higher in the list of templates in the template stack) will be used.)
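
The precedence rule described in the answer above, modelled as an added example (not part of the original thread, and not Panorama code): it lists which settings from two templates targeting the same vsys overlap and which template wins each one. The template names, setting paths and values are constructed for illustration and do not follow Panorama's real configuration schema.

```python
# Constructed sample data: two templates in one stack, both targeting the vsys
# named "VPN". Keys and values are illustrative, not Panorama's real schema.
STACK = [  # index 0 = highest priority (top of the stack's template list)
    ("GP-Portal", {"VPN": {"portal": {"fqdn": "vpn.example.com",
                                      "certificate": "gp-portal-cert"},
                           "dns": {"primary": "10.0.0.53"}}}),
    ("Base-VPN", {"VPN": {"dns": {"primary": "10.0.0.10",
                                  "secondary": "10.0.0.11"},
                          "zones": {"untrust": "ethernet1/1"}}}),
]


def flatten(tree, prefix=()):
    """Yield (path, value) for every leaf setting in a nested dict."""
    for key, value in tree.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield "/".join(path), value


def resolve(stack):
    """Return (effective, overlaps) for a priority-ordered list of templates.

    effective: path -> (winning template, value)
    overlaps:  path -> list of (template, value) overridden by the winner
    """
    effective, overlaps = {}, {}
    for name, tree in stack:          # walk from highest to lowest priority
        for path, value in flatten(tree):
            if path in effective:     # already set by a higher template
                overlaps.setdefault(path, []).append((name, value))
            else:
                effective[path] = (name, value)
    return effective, overlaps


if __name__ == "__main__":
    effective, overlaps = resolve(STACK)
    for path, (name, value) in sorted(effective.items()):
        print(f"{path} = {value}  [from {name}]")
    for path, losers in overlaps.items():
        print(f"OVERLAP {path}: overridden {losers}")
```

Running an overlap check like this before adding a template to an existing stack shows which settings, such as a certificate or DNS server, would be silently overridden on the shared vsys.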