pn do not use template, only use device group


The customer manages multiple sets of firewalls through Panorama. Considering that the configuration of the template will not change much in the future, the customer is considering porting the configuration of the template to the local firewall. If the parameters are changed, they will not be pushed through Panorama.

Panorama is only responsible for pushing policies and objects. Does this bring new problems to the later operation and maintenance, or are there any special precautions?

Please put forward more suggestions or discuss, thank you.


Accepted Solutions

Cyber Elite

Hello @Felixcao

Thanks for the post!

I can think of a few issues and limitations.

Some of the Device Group configuration has a dependency on Templates. For example, the Log Forwarding profile is pushed by the Device Group, but Syslog, SNMP and Email come from the Template. If you do not use a Template, you will not be able to push this configuration. The same applies to security policy, QoS, Policy Based Forwarding and Decryption. Each of these configurations leverages Zones, and moving this from the Template to the local firewall configuration will result in not being able to reference it in the Device Group.

There is still some configuration under Device Group that has no dependency on the Template; however, not being able to use configuration from the Template because it has moved from Panorama to local configuration will limit the customer to only several configuration sections.

Personally, I think that with this move there are more limitations than benefits.

Kind Regards

Pavel
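The dependency described in the answer above can be inventoried before any migration. The following is an added example, not part of the original post and not Palo Alto Networks tooling: it walks a Panorama-style XML export and reports every zone and Syslog/SNMP/Email server profile that a Device Group references, and whether a template currently defines it. The element paths and the sample config are assumptions (a constructed, simplified model of the export format).

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample. Element paths are assumptions modelled on a
# Panorama XML config export, not copied from a real device.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
 <template><entry name="T1"><config>
  <shared><log-settings><syslog><entry name="syslog-dc1"/></syslog></log-settings></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
   <zone><entry name="trust"/><entry name="untrust"/></zone>
  </entry></vsys></entry></devices>
 </config></entry></template>
 <device-group><entry name="DG1">
  <log-settings><profiles><entry name="lfp"><match-list><entry name="all">
   <send-syslog><member>syslog-dc1</member></send-syslog>
   <send-email><member>soc-mail</member></send-email>
  </entry></match-list></entry></profiles></log-settings>
  <pre-rulebase><security><rules><entry name="out">
   <from><member>trust</member></from><to><member>dmz</member></to>
  </entry></rules></security></pre-rulebase>
 </entry></device-group>
</entry></devices></config>"""

KINDS = ("syslog", "snmptrap", "email")  # server profile types pushed by templates

def template_dependencies(xml_text):
    """Return (device_group, where, kind, name, defined_in_template) tuples."""
    root = ET.fromstring(xml_text)
    # Names that exist only because a Panorama template defines them.
    defined = {"zone": {e.get("name") for e in root.findall(".//template//zone/entry")}}
    for kind in KINDS:
        path = f".//template//log-settings/{kind}/entry"
        defined[kind] = {e.get("name") for e in root.findall(path)}
    findings = []
    for dg in root.findall(".//device-group/entry"):
        name = dg.get("name")
        # Zone references in any rulebase (security, QoS, PBF, decryption, ...).
        for rule in dg.findall(".//rules/entry"):
            for z in rule.findall("from/member") + rule.findall("to/member"):
                if z.text != "any":
                    findings.append((name, "rule " + rule.get("name"), "zone",
                                     z.text, z.text in defined["zone"]))
        # Server profiles referenced by Log Forwarding profiles.
        for prof in dg.findall("log-settings/profiles/entry"):
            for kind in KINDS:
                for srv in prof.findall(f".//send-{kind}/member"):
                    findings.append((name, "log-forwarding " + prof.get("name"),
                                     kind, srv.text, srv.text in defined[kind]))
    return findings

if __name__ == "__main__":
    for dg, where, kind, ref, ok in template_dependencies(SAMPLE):
        print(f"{dg}: {where} -> {kind} '{ref}':", "in template" if ok else "NOT in any template")
```

Entries reported as defined in a template are the ones that would lose their Panorama-side definition if the template configuration were moved to the local firewalls.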
