Thanks for your input. I had been leaning towards moving the rules but wanted to justify the effort, which you helped to do. Took a few hours, but at least now I know any new remote sites will be simple to bring up in this respect. That's very interesting about Jinja2. I'm reluctant to suggest Panorama anyway since it seems so frequently riddled with CVEs and bugs, and individual management isn't too cumbersome yet. I'll look into Jinja if management ever starts to balloon out of control. We also have SolarWinds NCM which is pulling configs off the firewalls, so I could probably leverage that to push too. I have some experience working with the XML since I used it to copy the policy configs from an existing remote site to a new one.
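The XML-based copy of a remote site's policies described in the reply above, written out as an added example (this is not code from the forum post, and it is not a Palo Alto Networks tool). It assumes the rulebase fragment shape PAN-OS exports (rulebase/security/rules/entry with from, to, source, destination, application, service and action children); the site names, zones, subnets and rule names are constructed for the example. It uses only the standard library so it runs offline; the same substitution could equally be done with a Jinja2 template as the reply suggests.

```python
"""Clone an existing remote site's PAN-OS security rules for a new remote site.

Added example, not from the forum thread. The input is a <rulebase> fragment
as found in an exported PAN-OS XML config; every site-specific value (zone,
subnet, address object) must be listed in the substitution map, and any value
that still carries the old site's token after substitution is rejected, so a
cloned rule never silently keeps the old site's zone or subnet.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed rulebase as exported from a hypothetical
# existing remote-site firewall ("siteA"). Names and addresses are made up.
SITE_A_RULEBASE = """
<rulebase>
  <security>
    <rules>
      <entry name="siteA-to-hq-dns">
        <from><member>siteA-lan</member></from>
        <to><member>vpn</member></to>
        <source><member>10.10.0.0/24</member></source>
        <destination><member>hq-dns-servers</member></destination>
        <application><member>dns</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="siteA-to-hq-deny">
        <from><member>siteA-lan</member></from>
        <to><member>vpn</member></to>
        <source><member>10.10.0.0/24</member></source>
        <destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>deny</action>
      </entry>
    </rules>
  </security>
</rulebase>
"""


def clone_rulebase(xml_text, old_site, new_site, substitutions):
    """Return (new <rulebase> element, list of new rule names).

    old_site/new_site are the site tokens used in rule and zone names
    (e.g. "siteA" -> "siteB"). substitutions maps site-specific member
    values to their new-site equivalents. Note that a subnet such as
    10.10.0.0/24 does not contain the site token, so it is only replaced
    if it is listed explicitly; the token check below only catches
    named objects (zones, address objects) that were forgotten.
    """
    root = ET.fromstring(xml_text.strip())
    source_rules = root.find("./security/rules")
    if source_rules is None:
        raise ValueError("input has no /rulebase/security/rules")

    new_root = ET.Element("rulebase")
    new_rules = ET.SubElement(ET.SubElement(new_root, "security"), "rules")
    names = []
    for entry in source_rules.findall("entry"):
        clone = copy.deepcopy(entry)
        new_name = entry.get("name").replace(old_site, new_site)
        clone.set("name", new_name)
        for member in clone.iter("member"):
            member.text = substitutions.get(member.text, member.text)
            if old_site in member.text:
                raise ValueError(
                    f"rule {new_name!r}: unmapped old-site value {member.text!r}")
        new_rules.append(clone)
        names.append(new_name)
    return new_root, names


# Hypothetical mapping for the new site ("siteB"): zone and LAN subnet.
SITE_B_SUBSTITUTIONS = {
    "siteA-lan": "siteB-lan",
    "10.10.0.0/24": "10.20.0.0/24",
}


def render_site_b():
    """Serialise the cloned rulebase for siteB; returns (xml_text, names)."""
    rulebase, names = clone_rulebase(
        SITE_A_RULEBASE, "siteA", "siteB", SITE_B_SUBSTITUTIONS)
    return ET.tostring(rulebase, encoding="unicode"), names


if __name__ == "__main__":
    xml_out, rule_names = render_site_b()
    print(rule_names)
    print(xml_out)
```

The output fragment is what you would load into the new site's candidate config (or diff against it) before committing; the ValueError on an unmapped old-site object is the check that matters, since a rule that still references the old site's zone or subnet would never match the new site's traffic and could leave the site without its intended deny.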
Hello, we have a pair of 3200s on our main site, and have added an 820 at a remote site to bring up an IPsec tunnel between the two. When I initially set the remote site up, I decided to have all the security policies controlling what access the remote site would have to the main site on the 820 side. I could see arguments for doing it on either end, but I decided on doing this since it's closer to the source and will block denied traffic before it traverses our tunnel (with limited bandwidth), and because I thought it'd make management easier to have a remote site with the few rules it needs and not clutter up the main site with them. The obvious downside being that now I had a separate set of rules to maintain (and it looks like we won't be maintaining our Threat Prevention license on the 820...). Now we're adding two more remote sites which will also be set up the same way, with a site-to-site tunnel back to my 3200s, which would mean having four sets of security policies to keep up with, so I'm starting to really question this choice. What's best practice (and common practice) in managing the access of remote sites over a tunnel? Should I move the policies to my 3200s and just add the new remote site IPs to these policies as the sites are brought up? Do I keep setting the policies on each remote PAN and push to get Panorama to make maintaining these extra rulesets easier? Thanks