>
    Manage: Variables
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. Manage: NGFW and Prisma Access
    4. Manage: Configuration Scope
    5. Manage: Variables
    Download PDF
    Strata Cloud Manager

    Manage: Variables

    Table of Contents

    Manage: Variables

    Use variables your configurations to accommodate device or deployment-specific configuration objects.
    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • NGFW (Managed by Strata Cloud Manager)
    • NGFW (Managed by PAN-OS or Panorama)
    • VM-Series, funded with Software NGFW Credits
    • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
    • Prisma Access
       license
    Use variables your configurations to accommodate device or deployment-specific configuration objects.
    Variables are an advanced tool that allows you to standardize your configurations while giving you the flexibility to accommodate unique configuration values that are device or deployment specific. Variables allow you to reduce the number of snippets you need to manage while allow you to keep any firewall or deployment-specific configuration values as needed.
    For example, you have a snippet for the configuration you want to associate with multiple nested folders where each nested folder contains a set of firewalls specific to a geographic location. In the snippet, you have configured policy rules to restrict access to business critical systems for specific IP ranges only. In this scenario, you can create a variable for each IP range specific to each nested folder and use that variable in the inherited snippet configuration. This allows you to manage and push configuration changes while using fewer snippets to accommodate device or deployment-specific configuration values.
    Variables can be created at the folder, deployment, or firewall level. When you create a variable for a folder, the variable is inherited by all folders nested under the folder. In the event of conflicting variables in a folder Configuration Scope, the firewall or deployment inherits the variable value from the folder containing the nested folders. However, you can override an inherited variable at the nested folder, deployment, or firewall level.
    The following types of variables are supported:
    Variable Type
    Description
    AS Number
    Autonomous system number to use in your BGP configuration.
    Count
    Number of events that must occur to trigger an action.
    Device ID
    Device-ID to use to assign a device priority valuer in an active/active high availability (HA) configuration.
    Device Priority
    Device priority to indicate a preference for which firewall should assume the active role in an active/passive high availability (HA) configuration.
    Egress Max
    Egress max value to use in Quality of Service (QoS) Profile configuration.
    FQDN
    Fully qualified domain name.
    Group ID
    High availability Group ID.
    IP Netmask
    Static IP or network address.
    IP Range
    An IP range. For example,
    192.168.1.10-192.168.1.20
    .
    IP Wildcard
    IP wildcard mask to allow or deny similar IP addresses. For example,
    10.0.0.5/255.255.0.255
    .
    Link Tag
    Link tag to use in your SD-WAN configuration.
    Percent
    Percentage between
    0
     and
    99
    .
    Port
    Source or destination port.
    QoS Profile
    QoS Profile for use in QoS configurations.
    Rate
    Rate to specify a threshold that triggers an action. For example, the
    Alarm rate
     for a DoS Protection profile.
    Router ID
    Router ID when you configure Border Gateway Protocol (BGP) for a logical router.
    Timer
    Timer in seconds to configure a threshold that triggers an action.
    Zone
    A security zone.

    Create a Variable

    You can also create a variable inline where a variable is supported.
    1. Log in to
      Strata Cloud Manager
      .
    2. Select
      Manage
      Configuration
      NGFW and Prisma Access
      Overview
       and select the Configuration Scope where you want to create the variable.
      In the
      Folders
      , select the folder or device for which you want to create a variable.
      In the
      Snippets
      , select the specific snippet for which you want to create a variable.
    3. In the Variables section, click the Variable count displayed.
    4. Add Variable
      .
    5. Create the variable.
      In this example, an
      IP Netmask
       variable is created for use as an address object for a critical internal resource.
      1. Select the variable
        Type
        .
      2. Give the variable a descriptive
        Name
        .
        All variable names must begin with
        $
        .
      3. (
        Optional
        ) Enter a
        Description
         for the variable.
      4. Enter the variable
        Value
        .
      5. Save
        .
    6. Add the variable to your configuration.
      In this example, the
      $internal-lab-storage
       variable created in the previous step is added to the address object configuration.

    Import a Variable

    Where Can I Use This?
    What Do I Need?
    • Strata Cloud Manager
    • AIOps for NGFW Premium
       license
    • Prisma Access
       license
    Import variables to
    Strata Cloud Manager
     using a CSV file. Variable imports are designed to overwrite multiple variables inherited from the folder hierarchy by the firewall, or already configured in the firewall Configuration Scope, with new firewall-specific values.
    The variable must already be inherited from the folder hierarchy or configured in the firewall Configuration Scope to overwrite using variable imports. Importing variables to create entirely new variables isn’t supported.
    1. Log in to
      Strata Cloud Manager
      .
    2. Select
      Manage
      Configuration
      NGFW and Prisma Access
      Overview
      .
    3. In the Variables section, click the Variable count displayed.
    4. Select
      CSV Export/Import
      Export
       to export the variables you want to overwrite.
      Palo Alto Networks recommends you first export the variables you want to overwrite. This guarantees the CSV file you upload to
      Strata Cloud Manager
       is properly formatted. This also expedites the import process by ensuring the target folder and firewall variables are properly attributed.
    5. Modify the variables in the exported CSV file.
      Consider the following when modifying your CSV file for import.
      • Only Simple text editors, such as Notepad, are supported for modifying an exported CSV file.
      • #
         signifies that the variable is created in the folder hierarchy and inherited by the firewall.
        Remove the
        #
         to override the inherited variable value with a firewall-specific value.
        A variable value appended with
        #
         is ignored by
        Strata Cloud Manager
         on import as only overriding variable values at the firewall Configuration Scope is supported.
      • -NA-
         signifies that the variable doesn’t exist in the firewall configuration. This means that the variable was created outside of the folder hierarchy the firewall belongs to.
        Changing a variable value to
        -NA-
         isn’t supported.
        Strata Cloud Manager
         ignores any variable value modified to
        -NA-
        .
        Assigning a firewall-specific value to a variable with a value of
        -NA-
         isn’t supported because the variable doesn’t exist in the firewall Configuration Scope. The variable must be inherited by the firewall from the folder hierarchy, or configured in the firewall Configuration Scope, in order to be overridden using variable import.
      • A variable value of
        None#
         or
        None
         means that the variable was created with the variable
        Value
         as
        None
        .
        You can modify any variable value as
        None
         to remove the value but not delete the variable.
      • For a variable created in the firewall Configuration scope, deleting a variable value and leaving it blank deletes the variable.
        For a variable created in the folder hierarchy and inherited by the firewall, deleting a variable value and leaving it blank reverts the variable value to that inherited from the folder hierarchy.
      1. Locate and open the CSV file you exported. The format of the exported CSV file the name is:
        <cloud-management-tenant-name> - Prisma Access_<export-date>_variables
      2. Modify the variables as needed.
        Palo Alto Networks does not recommend modifying the folder names, device names, or device serial numbers. This might result in import failures.
        In the example below, the following changes were made to the variable values in the
        Firewall-A
         Configuration Scope to illustrate how variable imports can be used to modify multiple variables with one operation.
        • $example1
          —Overwrite the inherited
          None#
           value with a firewall-specific value.
        • $example2
          —Overwrite the firewall-specific
          None
           value with a firewall-specific value.
        • $example3
          —If the variable was created in the firewall Configuration Scope, an empty value deletes the variable.
          If the variable was inherited from the folder hierarchy, and was overridden in the firewall Configuration Scope, an empty value restores the variable value inherited from the folder hierarchy.
        • $example4
          —Overwrite the inherited
          192.168.1.101
           value with a firewall-specific value.
        • $example5
          —Example of a variable change
          Strata Cloud Manager
           ignores because
          #
           is still appended.
    6. Save your changes.
      Select
      File
      Save
       to save the changes you made to the CSV file.
      Alternatively, select
      File
      Save As
       to save your changes in a new CSV file. To create a new CSV file, you must include
      .csv
       as the file extension.
    7. Import the CSV file to
      Strata Cloud Manager
      .
      1. Select
        Manage
        Configuration
        Overview
        .
      2. In the Variables section, click the Variable count displayed.
      3. Select
        CSV Export/Import
        Import
        .
      4. Choose File
         and select the CSV file containing the variables you modified.
      5. Import
        .

    Export Variables

    Export your folder and firewall configuration variables in CSV format to your local device. Exporting your variables is useful when overwriting a large number of variables across multiple firewalls.
    Exporting interface variables created when you configure an interface at the folder-level isn’t supported.
    1. Log in to
      Strata Cloud Manager
      .
    2. Select
      Manage
      NGFW and Prisma Access
      Configuration
      Overview
      .
    3. In the Variables section, click the Variable count displayed.
    4. Select
      CSV Export/Import
      Export
      .
    5. Select the folder and firewalls with the variables you want to export and click
      Next
      .
      If you want to export all variables created on
      Strata Cloud Manager
      , select
      All Firewalls
      .
    6. Select one or more variables to export.
    7. (
      Optional
      )
      Preview
       the selected variables to view additional details.
      From the variables preview, you can view information such as the variable name, the Configuration Scope where the variable was created, and the variable value.
      Click
      Cancel
       and continue to the next step or
      Download CSV
       to your local device.
    8. Export
       the selected variables in CSV format.
      The CSV is exported and downloaded locally to your device. The format of the exported CSV file the name is:
      <cloud-management-tenant-name> - Prisma Access_<export-date>_variables

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.