Template stacks limitations


Hey all,


I think I am hitting a limitation of template stacks, but maybe there is a nice workaround that you guys can help me with...

 

Unlike device groups, which have "shared" objects, templates use stacks, which is a little different.
The limitation of this seems to be that you cannot reference a template value between different templates...

Simple example to explain what I mean:

  • create a "shared-template" and add a local admin user
  • create an "FW1-template" and add some specific network interfaces
  • create an "FW2-template" and add some specific network interfaces
  • create an "FW1-template-stack" which includes the FW1 and shared templates => assign this to your FW-1
  • create an "FW2-template-stack" which includes the FW2 and shared templates => assign this to your FW-2

=> if you commit, the device will receive its unique network interfaces + the shared admin user = this works and looks like template stacking is the solution to all the "duplicate" objects between FW templates

 

BUT


If we want to do something a bit more advanced (the following is just an example)

  • add an LDAP profile to the "shared-template"
  • add an auth profile to the "shared-template" referencing the LDAP profile above
  • add an admin user which is only allowed to log in to FW1 (not FW2) => This means you would create the admin user in the "FW1-template" and not in the "shared-template".

=> HERE IS THE ISSUE: you cannot select the LDAP auth profile, because the auth profile was created in another template (the "shared-template")

 

So you have to be sure that all the components that will ever use a template object are configured within the same template. This limitation becomes difficult fast, because a lot of the template objects are linked, e.g. LDAP profile -> auth profile -> admin users, but also group mapping, GlobalProtect config, etc., and a lot of these things will have different config on the devices.

 

Anybody had similar experiences? How did you work around them?
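The layout described in the post, written out as Panorama CLI set commands so the cross-template reference is visible. This is an added example and not part of the original post: the command paths (`set template <name> config ...`, `set template-stack <name> templates ...`), the profile and user names, the RFC 5737 addresses and the placeholder serial number are all my assumptions, so verify them against the Panorama version you run before using them.

```text
# --- shared-template: objects every firewall should get ---
# LDAP server profile (addresses are constructed placeholders)
set template shared-template config shared server-profile ldap corp-ldap ldap-type active-directory
set template shared-template config shared server-profile ldap corp-ldap server dc1 address 192.0.2.10
set template shared-template config shared server-profile ldap corp-ldap base "DC=example,DC=com"

# Authentication profile that references the LDAP profile above (same template, so this resolves)
set template shared-template config shared authentication-profile ldap-auth method ldap server-profile corp-ldap

# --- FW1-template: objects unique to FW1 ---
set template FW1-template config network interface ethernet ethernet1/1 layer3 ip 198.51.100.1/24

# The admin that must exist only on FW1. This is the line the post says cannot be configured:
# "ldap-auth" lives in shared-template, and a template cannot reference another template's object,
# so the authentication-profile value is not selectable here.
set template FW1-template config mgt-config users fw1-admin authentication-profile ldap-auth

# --- FW2-template: objects unique to FW2 ---
set template FW2-template config network interface ethernet ethernet1/1 layer3 ip 203.0.113.1/24

# --- stacks: device-specific template first, shared template underneath ---
set template-stack FW1-template-stack templates [ FW1-template shared-template ]
set template-stack FW1-template-stack devices 001234567890   # constructed serial
set template-stack FW2-template-stack templates [ FW2-template shared-template ]
set template-stack FW2-template-stack devices 001234567891   # constructed serial
```

The point of the listing is the one dependency arrow that crosses a template boundary (`fw1-admin` in FW1-template -> `ldap-auth` in shared-template). Stacks merge the resulting config top-down, but reference validation happens per template, which is why the two workable layouts are either to move `ldap-auth` and `corp-ldap` into FW1-template (and duplicate them for FW2) or to keep the admin in shared-template and restrict where they can log in by other means.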
