05-05-2022 01:07 AM
So, special for you I've made a test with "Force Template Values" option on PAN-OS 10.1 and , what is interesting, it didn't work like it is said in "help" build into device:
1) object configured only locally - hasn't been changed at all, it didn't disappear.
2) object configured locally and on template - changed for template value.
3) object configured only on template - appeared on firewall.
It works as in https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/panorama-web-interface/panor...
|
Force Template Values
|
Overrides all local settings with objects defined in the templates or template stacks. This includes locally configured objects as well as objects pushed from Panorama that were locally overwritten. If an object is locally configured on the firewall, but is not configured in a template or template stack, then it remains unchanged on the firewall and is not deleted. The setting is disabled by default and must be enabled (checked) on each push from Panorama to managed firewalls.
If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.
|
I would recommend for you:
1) export firewall config to Panorama, modify it there and then push back
or
2) push templatestack values to firewall without "force template values" and then manually "revert" all locally configured values for those from Panorama
These are safe options.
