05-31-2022 10:42 PM
Hello good evening:
As always, thank you very much for the support, collaboration, support and help.
I have the following important question regarding a PANORAMA function, in relation to the "Forced Template Values" option.
According to the documentation, this option performs the following function:
Merge with Cadidate Config = Option to merge the template configuration on panorama with the Candidate Configuration in the device.
Force Template Values = Forces the Panorama template values to be applied on the device
The official help documentation on Panorama says the following:
IP/hostnamePANORAMA/PAN_help/en/wwhelp/wwhimpl/js/html/wwhelp.htm#href=panorama-commit-operations.html
Force Template Values:
(Disabled by default) Overrides all local configuration settings and removes all objects on the selected firewalls that don't exist in the template or template stack or that are overridden in the local configuration. The push operation reverts all existing configuration on the firewall and ensures that the firewall inherits only the settings defined in the template or template stack.
If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.
My important doubt since executing a bad action could apply changes that could affect the correct functioning of the Firewall, the doubt is with the "Force Template Values" option.
**- This example option if I configure the DNS in Panorama to be able to override the LOCAL configuration of the firewall, which has other DNS and I want to configure both the DNS and the proxy from PANORAMA, with this option it would allow me to execute said change and override local settings ?
**- In addition to this and the special care with this option is what happens in the example case if at the local level I have configurations of HA, of the IP of the MGT and at the Template/Template Stack level I do not have any configuration associated with these configurations, that is, configurations that are turned on that remain local, if I do not have any option in the template, no associated configuration and I only want to example adjust and replace the local configuration of the DNS, the Proxy and the NTP when using "Force Template Values" anyway, even if you don't have anything set in them, it will step on all the locales ? that is, I would leave them blank, thinking that I have nothing associated with HA, the MGT interface, when using "Force Template Values" in order to only step on and apply the DNS, proxy and NTP from the Panorama template, this option will not affect the local values of HA and MGT ?
I remain attentive, in advance thank you very much for the support and collaboration
Best regards
07-07-2022 06:19 AM
Hi @Metgatz
I see this post is about month old, but if you still interested in the anwser:
- Force Template Value will as the name suggest remove any local configuratio and apply the value define the panorama template. But this is valid only for overlapping configuration. This means that if you define DNS and NTP servers in the template and at the same time you have local config for DNS and NTP if you push config from panorama, by default firewall will receive the template value, but it will still use the local. If you enable "Force Template Value", during Panorama push this will remove the local config and apply the DNS and NTP values defined in the template.
It is important to remeber that this is valid only for overlapping configuration. Which also means that if your template is only defining DNS and NTP (and nothing else), but locally on your firewall you have HA and logging configuration, enabling "Force Template Value" will not remove local HA and Logging setting, because they don't overlapp with template definition.
You need to be careful, what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with template and just disable it again (remove the check from the "Enable HA" checkbox). This still will be part of the template, because now your template is explicitely defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with template, you need to revert the config by clicking the green bar next to the changed value
Or edit the template under CLI and use "delete" command to delete relevant config from the template.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
