12-13-2022 08:31 PM
The customer manages multiple sets of firewalls through Panorama. Considering that the configuration of the template will not change much in the future, the customer is considering porting the configuration of the template to the local firewall. If the parameters are changed, they will not be pushed through Panorama.
Panorama is only responsible for pushing policies and objects. Does this bring new problems to the later operation and maintenance, or are there any special precautions?
Please put forward more suggestions or discuss, thank you.
12-14-2022 02:07 AM
Hello @Felixcao
Thanks for the post!
I can think of a few issues and limitations.
Some of the Device Group configuration has a dependency on Templates. For example, the Log Forwarding profile is pushed by the Device Group, but Syslog, SNMP, and Email come from the Template. If you do not use a Template, you will not be able to push this configuration. The same applies to security policy, QoS, Policy Based Forwarding, and Decryption. Each of these configurations leverages Zones, and moving them from the Template to the local firewall configuration will result in not being able to reference them in the Device Group.
There is still some configuration under Device Group that has no dependency on Template; however, not being able to use configuration from the Template because it has moved from Panorama to local configuration will limit the customer to only several configuration sections.
Personally, I think by this move there are more limitations than benefits.
Kind Regards
Pavel
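The dependency described in the reply above can be audited before a Template is retired. This is an added example, not part of the original posts and not Palo Alto Networks code: the XML is a constructed, simplified layout (not the real Panorama schema), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for a Panorama export (not the real schema).
SAMPLE = """
<panorama>
  <template name="branch-tpl">
    <zone name="trust"/>
    <zone name="untrust"/>
    <syslog-profile name="siem-syslog"/>
  </template>
  <device-group name="branch-dg">
    <security-rule name="allow-web">
      <from>trust</from><to>untrust</to>
      <log-forwarding>fwd-default</log-forwarding>
    </security-rule>
    <log-forwarding-profile name="fwd-default">
      <send-syslog>siem-syslog</send-syslog>
    </log-forwarding-profile>
    <address name="web-srv"/>
  </device-group>
</panorama>
"""

def template_dependencies(xml_text):
    """Map each Device Group item to the Template-defined names it references."""
    root = ET.fromstring(xml_text)
    # Names that exist in Panorama only because a Template defines them.
    zones = {z.get("name") for z in root.iterfind("template/zone")}
    syslog = {s.get("name") for s in root.iterfind("template/syslog-profile")}
    deps = {}
    for dg in root.iter("device-group"):
        for item in dg:
            refs = set()
            for child in item:
                if child.tag in ("from", "to") and child.text in zones:
                    refs.add("zone:" + child.text)
                elif child.tag == "send-syslog" and child.text in syslog:
                    refs.add("syslog-profile:" + child.text)
            deps[f"{dg.get('name')}/{item.tag}/{item.get('name')}"] = sorted(refs)
    return deps

def breaks_if_template_removed(xml_text):
    """Device Group items that could no longer resolve a name once the
    Template's configuration lives only on the local firewall."""
    return {k: v for k, v in template_dependencies(xml_text).items() if v}

if __name__ == "__main__":
    for item, refs in breaks_if_template_removed(SAMPLE).items():
        print(item, "->", ", ".join(refs))
```

Items that come back with an empty list, such as the address object here, are the Device Group sections with no Template dependency.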