This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Multiple Portals Same Template Panorama Multiple Vsys
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Network Security
- Panorama Discussions
- Multiple Portals Same Template Panorama Multiple Vsys
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-22-2021 02:16 PM
I'm trying to see if there is a good way to use templates to create 2 different global protect portals using panorama. This would be used as a failover scenario, and ease changes, allowing us to use 1 template to configure both firewalls. Name and fqdn would be the same, just failover to the other IP.
Problem is that I can't seem to find out how to capitalize on using a template when it comes down to using the same setup, but on different firewalls on a specific vsys (not vsys1). I know variables solve the problem of ip's, but I think certificates may be a problem too. Multiple vsys and one template config across 2 different firewalls. Solution?
9 REPLIES 9
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-23-2021 01:12 PM
Hi @Sec101
Panorama actually doesn't care about the internal firewall-vsys-names (vsys1, vsys2, vsys3, ...). In panorama you create a template with a name like "VPN". If you then apply this template to a firewall, the configuration will be applied to the vsys with the name "VPN". There it does not matter if this vsys "VPN" is vsys2 on firewall 1 ond vsys4 for example on firewall 2. So with this theoretically your requirement should be configurable but there probably stilm are some stones in the way aka dependent configurations. So if there are other configurations in the same vsys on the two firewalls you might need to change some of these into the template for the vsys "VPN".
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-23-2021 01:15 PM
@SteveCantwell are you talking about the device groups? As these are applied to 0070003242649/VSYSNAME. The templates need to be added to template stacks to which actual firewalls (without vsys) are attached.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-23-2021 01:42 PM
Maybe I don't understand what you mean, but in a new template by default vsys1 is created. But then you can add the vsys with the name you like:
After that you could even delete vsys1 from this template so that it only contains the configuration for this one specific vsys you need. When you then add this template to a template stack the configuration from the VPN vsys is applied there where you need it.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-24-2021 07:02 AM
That is exactly what I meant. Thank you @vsys_remo ! So now, my only question is, I'm guessing I can have two templates managing the same vsys, as long as there are no overlaps in the configuration correct? I know the top down precedence order in stacking, but when it comes to multiple templates managing the same vsys, does it work the same way?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-24-2021 08:30 AM
@Sec101 yes, it works the same way. As long as you have no overlaps all the configurations will be applied.
(If there are overlaps then, the configuration from the template with the higher priority (higher in the list of templates in the template stack) will be used)
Related Content
- failed to generate selective push in Panorama Discussions
- firewall telemetry disabled in AIOps for NGFW Discussions
- Panorama in Panorama Discussions
- Asking for best practice regarding editing multiple interfaces of a FW HA pair which is managed by Panorama in Panorama Discussions
- Bootstrap VM-series AWS firewalls not showing in Panorama in VM-Series in the Public Cloud
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks