Strata Cloud Manager
Manage: Variables
Use variables in your configurations to accommodate device or deployment-specific
configuration objects.
Variables are an advanced tool that allows you to standardize your configurations while giving you
the flexibility to accommodate unique configuration values that are device or deployment
specific. Variables allow you to reduce the number of snippets you need to manage while
still keeping any firewall or deployment-specific configuration values as needed.
For example, suppose you have a snippet for the configuration you want to associate
with multiple nested folders where each nested folder contains a set
of firewalls specific to a geographic location. In the snippet, you have configured
policy rules to restrict access to business-critical systems for specific IP ranges
only. In this scenario, you can create a variable for each IP range specific to each
nested folder and use that variable in the inherited snippet configuration. This allows
you to manage and push configuration changes while using fewer snippets to accommodate
device or deployment-specific configuration values.
Variables can be created at the folder, deployment, or firewall level. When
you create a variable for a folder, the variable is inherited by all folders nested
under the folder. In the event of conflicting variables in a folder Configuration Scope,
the firewall or deployment inherits the variable value from the folder containing the
nested folders. However, you can override an inherited variable at the nested folder,
deployment, or firewall level.
The following types of variables are supported:
Variable Type | Description |
---|---|
AS Number | Autonomous system number to use in your BGP configuration. |
Count | Number of events that must occur to trigger an action. |
Device ID | Device-ID to use to assign a device priority value in an active/active high availability (HA) configuration. |
Device Priority | Device priority to indicate a preference for which firewall should assume the active role in an active/passive high availability (HA) configuration. |
Egress Max | Egress max value to use in Quality of Service (QoS) Profile configuration. |
FQDN | Fully qualified domain name. |
Group ID | High availability Group ID. |
IP Netmask | Static IP or network address. |
IP Range | An IP range. For example, 192.168.1.10-192.168.1.20. |
IP Wildcard | IP wildcard mask to allow or deny similar IP addresses. For example, 10.0.0.5/255.255.0.255. |
Link Tag | Link tag to use in your SD-WAN configuration. |
Percent | Percentage between 0 and 99. |
Port | Source or destination port. |
QoS Profile | QoS Profile for use in QoS configurations. |
Rate | Rate to specify a threshold that triggers an action. For example, the Alarm rate for a DoS Protection profile. |
Router ID | Router ID when you configure Border Gateway Protocol (BGP) for a logical router. |
Timer | Timer in seconds to configure a threshold that triggers an action. |
Zone | A security zone. |
Create a Variable
You can also create a variable inline where a variable is supported.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Overview and select the Configuration Scope where you want to create the variable.
  - In the Folders, select the folder or device for which you want to create a variable.
  - In the Snippets, select the specific snippet for which you want to create a variable.
- In the Variables section, click the Variable count displayed.
- Add Variable.
- Create the variable. In this example, an IP Netmask variable is created for use as an address object for a critical internal resource.
  - Select the variable Type.
  - Give the variable a descriptive Name. All variable names must begin with $.
  - (Optional) Enter a Description for the variable.
  - Enter the variable Value.
  - Save.
- Add the variable to your configuration. In this example, the $internal-lab-storage variable created in the previous step is added to the address object configuration.
Import a Variable
Import variables to Strata Cloud Manager using a CSV file. Variable imports are
designed to overwrite multiple variables inherited from the folder hierarchy by
the firewall, or already configured in the firewall Configuration Scope, with
new firewall-specific values. The variable must already be inherited from the
folder hierarchy or configured in the firewall Configuration Scope to overwrite
using variable imports. Importing variables to create entirely new variables
isn’t supported.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Overview.
- In the Variables section, click the Variable count displayed.
- Select CSV Export/Import > Export to export the variables you want to overwrite. Palo Alto Networks recommends you first export the variables you want to overwrite. This guarantees the CSV file you upload to Strata Cloud Manager is properly formatted. This also expedites the import process by ensuring the target folder and firewall variables are properly attributed.
- Modify the variables in the exported CSV file. Consider the following when modifying your CSV file for import.
  - Only simple text editors, such as Notepad, are supported for modifying an exported CSV file.
  - # signifies that the variable is created in the folder hierarchy and inherited by the firewall. Remove the # to override the inherited variable value with a firewall-specific value. A variable value appended with # is ignored by Strata Cloud Manager on import as only overriding variable values at the firewall Configuration Scope is supported.
  - -NA- signifies that the variable doesn’t exist in the firewall configuration. This means that the variable was created outside of the folder hierarchy the firewall belongs to. Changing a variable value to -NA- isn’t supported. Strata Cloud Manager ignores any variable value modified to -NA-. Assigning a firewall-specific value to a variable with a value of -NA- isn’t supported because the variable doesn’t exist in the firewall Configuration Scope. The variable must be inherited by the firewall from the folder hierarchy, or configured in the firewall Configuration Scope, in order to be overridden using variable import.
  - A variable value of None# or None means that the variable was created with the variable Value as None. You can modify any variable value as None to remove the value but not delete the variable.
  - For a variable created in the firewall Configuration Scope, deleting a variable value and leaving it blank deletes the variable. For a variable created in the folder hierarchy and inherited by the firewall, deleting a variable value and leaving it blank reverts the variable value to that inherited from the folder hierarchy.
  - Locate and open the CSV file you exported. The format of the exported CSV file name is: <cloud-management-tenant-name> - Prisma Access_<export-date>_variables
  - Modify the variables as needed. Palo Alto Networks does not recommend modifying the folder names, device names, or device serial numbers. This might result in import failures. In the example below, the following changes were made to the variable values in the Firewall-A Configuration Scope to illustrate how variable imports can be used to modify multiple variables with one operation.
    - $example1—Overwrite the inherited None# value with a firewall-specific value.
    - $example2—Overwrite the firewall-specific None value with a firewall-specific value.
    - $example3—If the variable was created in the firewall Configuration Scope, an empty value deletes the variable. If the variable was inherited from the folder hierarchy, and was overridden in the firewall Configuration Scope, an empty value restores the variable value inherited from the folder hierarchy.
    - $example4—Overwrite the inherited 192.168.1.101 value with a firewall-specific value.
    - $example5—Example of a variable change Strata Cloud Manager ignores because # is still appended.
  - Save your changes. Select File > Save to save the changes you made to the CSV file. Alternatively, select File > Save As to save your changes in a new CSV file. To create a new CSV file, you must include .csv as the file extension.
- Import the CSV file to Strata Cloud Manager.
  - Select Manage > Configuration > Overview.
  - In the Variables section, click the Variable count displayed.
  - Select CSV Export/Import > Import.
  - Choose File and select the CSV file containing the variables you modified.
  - Import.
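The import rules above can be checked before upload by comparing the exported file with the edited one and predicting what each changed cell will do. The following Python is an added example, not Palo Alto Networks code; the column layout (a `device` column followed by one column per variable) and the sample values are assumptions constructed for illustration, since this page does not show the layout of the exported file.

```python
import csv
import io

def classify(old, new):
    """Predict the import outcome for one variable cell (rules from the list above)."""
    old, new = (old or "").strip(), (new or "").strip()
    if new == old:
        return "UNCHANGED"
    if old == "-NA-" or new == "-NA-":
        return "IGNORED"            # variable absent from this scope, or -NA- written
    if new.endswith("#"):
        return "IGNORED"            # '#' still appended: not a firewall-level override
    if new == "":
        # Blank reverts an inherited variable; it deletes one created on the firewall.
        return "REVERT" if old.endswith("#") else "DELETE_OR_REVERT"
    if new == "None":
        return "CLEAR_VALUE"        # value removed, variable kept
    return "OVERRIDE"               # firewall-specific value replaces the old one

def review(exported_csv, edited_csv, key="device"):
    """Return (device, variable, outcome) for every variable cell in the edited file."""
    before = {r[key]: r for r in csv.DictReader(io.StringIO(exported_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(edited_csv)):
        if row[key] not in before:  # renamed device: may fail on import
            findings.append((row[key], key, "IDENTIFIER_CHANGED"))
            continue
        for name, new in row.items():
            if name.startswith("$"):  # variable names always begin with $
                old = before[row[key]].get(name, "-NA-")
                findings.append((row[key], name, classify(old, new)))
    return findings

# Constructed sample data (assumed column layout), modelled on $example1-$example5.
EXPORTED = """device,$example1,$example2,$example3,$example4,$example5
Firewall-A,None#,None,10.1.1.1,192.168.1.101#,10.2.2.2#
"""
EDITED = """device,$example1,$example2,$example3,$example4,$example5
Firewall-A,10.0.0.10,10.0.0.20,,192.168.1.150,10.9.9.9#
"""

if __name__ == "__main__":
    for device, variable, outcome in review(EXPORTED, EDITED):
        print(f"{device:12} {variable:10} {outcome}")
```

`DELETE_OR_REVERT` is reported for a blanked firewall-level value because the CSV value alone does not show whether the variable was created on the firewall or is an override of an inherited one.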
Export Variables
Export your folder and firewall configuration variables in CSV format to your
local device. Exporting your variables is useful when overwriting a large number
of variables across multiple firewalls.
Exporting interface variables created when you configure an interface at the
folder-level isn’t supported.
- Log in to Strata Cloud Manager.
- Select Manage > NGFW and Prisma Access > Configuration > Overview.
- In the Variables section, click the Variable count displayed.
- Select CSV Export/Import > Export.
- Select the folder and firewalls with the variables you want to export and click Next. If you want to export all variables created on Strata Cloud Manager, select All Firewalls.
- Select one or more variables to export.
- (Optional) Preview the selected variables to view additional details. From the variables preview, you can view information such as the variable name, the Configuration Scope where the variable was created, and the variable value. Click Cancel and continue to the next step or Download CSV to your local device.
- Export the selected variables in CSV format. The CSV is exported and downloaded locally to your device. The format of the exported CSV file name is: <cloud-management-tenant-name> - Prisma Access_<export-date>_variables