1. Home
    2. Panorama
    3. Panorama™ Administrator’s Guide
    4. Manage Firewalls
    5. Configure a Template Stack
    Previous
    Next
    A template stack is a combination of templates: Panorama pushes the settings from every template in the stack to the firewalls you assign to that stack. Panorama supports up to 128 template stacks and each stack can have up to 16 templates. For details and planning, see Templates and Template Stacks.
    Configure a Template Stack
    Plan the templates and their order in the stack. For each template you will assign to the stack, Add a Template. When planning the priority order of templates within the stack (for overlapping settings), remember that Panorama doesn’t check the order for invalid relationships. For example, consider a stack in which the ethernet1/1 interface is of type Layer 3 in Template_A but of type Layer 2 with a VLAN in Template_B. If Template_A has a higher priority, Panorama will push ethernet1/1 as type Layer 3 but assigned to a VLAN. Also note that a template configuration can’t reference a configuration in another template, even if both templates are in the same stack. For example, a zone configuration in Template_A can’t reference a zone protection profile in Template_B.
    Create a template stack. Select Panorama > Templates and click Add Stack. Enter a unique Name to identify the stack. For each of the Templates the stack will combine (up to 16), click Add and select the template. The dialog lists the added templates in order of priority with respect to duplicate settings, where values in the higher templates override those that are lower in the list. To change the order, select a template and click Move Up or Move Down. In the Devices section, select check boxes to assign firewalls. You can’t assign individual virtual systems, only an entire firewall. You can assign any firewall to only one template or stack. After you finish selecting, click OK.
    Edit the Network and Device settings, if necessary. While Panorama pushes mode-specific settings only to firewalls that support those modes, this selective push doesn’t adjust mode-specific values. For example, if a template has firewalls in Federal Information Processing Standards (FIPS) mode and an IKE Crypto profile that uses non-FIPS algorithms, the template commit will fail. To avoid such errors, use the Mode drop-down in the Network and Device tabs to filter mode-specific features and value options. In an individual firewall context, you can override settings that Panorama pushes from a stack in the same way you override settings pushed from a template: see Override a Template Setting. Renaming a vsys is allowed only on the local firewall. If you rename a vsys on Panorama, you will create an entirely new vsys, or the new vsys name may get mapped to the wrong vsys on the firewall. Depending on the settings you will configure, select the Network or Device tab and select the stack in the Template drop-down. The tab settings are read-only when you select a stack. Filter the tabs to display only the mode-specific settings you want to edit: In the Mode drop-down, select or clear the Multi VSYS, Operational Mode, and VPN Mode filter options. Set all the Mode options to reflect the mode configuration of a particular firewall by selecting it in the Device drop-down. You can edit settings only at the template level, not at the stack level. To identify and access the template that contains the setting you want to edit: If the page displays a table, select Columns > Template in the drop-down of any column header. The Template column displays the source template for each setting. If multiple templates have the same setting, the Template column displays the higher priority template. Click the template name in this column: the Template drop-down changes to that template, at which point you can edit the setting. If the page doesn’t display a table, hover over the template icon (green cog) for a setting: a tooltip displays the source template. If multiple templates have the same setting, the tooltip displays the higher priority template. In the Template drop-down, select the template that the tooltip displays to edit the setting. Edit the settings as needed. Click Commit, for the Commit Type select Panorama, and click Commit again. Click Commit, for the Commit Type select Template, select the firewalls assigned to the template stack, and click Commit again.
    Verify that the template stack works as expected. Perform the same verification steps as when you Add a Template but select the template stack from the Template drop-down: Use the template to push a configuration change to firewalls. Verify that the firewall is configured with the template settings that you pushed from Panorama.
    Previous
    Next

    Related Documentation

    Panorama > Templates

    Panorama > Templates Through the Device and Network tabs, templates enable you to deploy a common base configuration to multiple firewalls that require similar settings. ...

    Templates and Template Stacks

    Templates and Template Stacks You use templates to configure the settings that enable firewalls to operate on the network. Templates enable you to define a ...

    Add a Template

    Add a Template You must add at least one template before Panorama will display the Device and Network tabs required to define the network set ...

    Override a Template Setting

    Override a Template Setting While Templates and Template Stacks enable you to apply a base configuration to multiple firewalls, you might want to configure firewall-specific ...

    Disable/Remove Template Settings

    Disable/Remove Template Settings If you want to stop using a template or template stack for managing the configuration on a managed firewall, you can disable ...

    Commit Your Changes in Panorama

    Commit Your Changes in Panorama Click Commit at the top right of the web interface to commit, validate, or preview your changes to the Panorama ...

    Create Template(s), and Device Group(s) on Panorama

    Create Template(s), and Device Group(s) on Panorama To manage the VM-Series NSX edition firewalls using Panorama, the firewalls must belong to a device group and ...

    Manage Templates and Template Stacks

    Manage Templates and Template Stacks Use templates and template stacks to define the common base configurations that enable firewalls to operate in your network. See ...

    Transition a Firewall to Panorama Management

    Transition a Firewall to Panorama Management If you have already deployed Palo Alto Networks firewalls and configured them locally, but now want to use Panorama ...

    Support for Device Group Hierarchy in the VM-Series NSX edition firewall

    Support for Device Group Hierarchy in the VM-Series NSX edition firewall When deploying the VM-Series NSX edition firewall, you can now use a template stack ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo