Plan the templates and their order in the stack.
|
For each template you will assign to the stack, Add a Template.
When planning the priority order of templates within the stack (for overlapping settings), remember that Panorama doesn’t check the order for invalid relationships. For example, consider a stack in which the ethernet1/1 interface is of type Layer 3 in Template_A but of type Layer 2 with a VLAN in Template_B. If Template_A has a higher priority, Panorama will push ethernet1/1 as type Layer 3 but assigned to a VLAN.
Also note that a template configuration can’t reference a configuration in another template, even if both templates are in the same stack. For example, a zone configuration in Template_A can’t reference a zone protection profile in Template_B.
|
Create a template stack.
|
Select Panorama > Templates and click Add Stack.
Enter a unique Name to identify the stack.
For each of the Templates the stack will combine (up to 16), click Add and select the template. The dialog lists the added templates in order of priority with respect to duplicate settings, where values in the higher templates override those that are lower in the list. To change the order, select a template and click Move Up or Move Down.
In the Devices section, select check boxes to assign firewalls. You can’t assign individual virtual systems, only an entire firewall. You can assign any firewall to only one template or stack. After you finish selecting, click OK.
|
Edit the Network and Device settings, if necessary.
While Panorama pushes mode-specific settings only to firewalls that support those modes, this selective push doesn’t adjust mode-specific values. For example, if a template has firewalls in Federal Information Processing Standards (FIPS) mode and an IKE Crypto profile that uses non-FIPS algorithms, the template commit will fail. To avoid such errors, use the Mode drop-down in the Network and Device tabs to filter mode-specific features and value options.
In an individual firewall context, you can override settings that Panorama pushes from a stack in the same way you override settings pushed from a template: see Override a Template Setting.
Renaming a vsys is allowed only on the local firewall. If you rename a vsys on Panorama, you will create an entirely new vsys, or the new vsys name may get mapped to the wrong vsys on the firewall.
|
Depending on the settings you will configure, select the Network or Device tab and select the stack in the Template drop-down. The tab settings are read-only when you select a stack.
Filter the tabs to display only the mode-specific settings you want to edit:
In the Mode drop-down, select or clear the Multi VSYS, Operational Mode, and VPN Mode filter options.
Set all the Mode options to reflect the mode configuration of a particular firewall by selecting it in the Device drop-down.
You can edit settings only at the template level, not at the stack level. To identify and access the template that contains the setting you want to edit:
If the page displays a table, select Columns > Template in the drop-down of any column header. The Template column displays the source template for each setting. If multiple templates have the same setting, the Template column displays the higher priority template. Click the template name in this column: the Template drop-down changes to that template, at which point you can edit the setting.
If the page doesn’t display a table, hover over the template icon (green cog) for a setting: a tooltip displays the source template. If multiple templates have the same setting, the tooltip displays the higher priority template. In the Template drop-down, select the template that the tooltip displays to edit the setting.
Edit the settings as needed.
Click Commit, for the Commit Type select Panorama, and click Commit again.
Click Commit, for the Commit Type select Template, select the firewalls assigned to the template stack, and click Commit again.
|
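Because Panorama doesn’t check the template order for invalid relationships, the two planning pitfalls described in the first step (a Layer 3 interface that inherits a VLAN from a lower-priority template, and a zone that references a zone protection profile in another template) are worth checking before a commit. The following Python sketch is an added example, not Palo Alto Networks code and not the Panorama API. It assumes a simplified model in which each template is a dictionary; the key names, the zone name, the profile name and the VLAN value are constructed for illustration.

```python
# Simplified model of a template stack; key names and values are constructed,
# not the Panorama API or its configuration schema.
STACK = [  # highest priority first, as listed in the Add Stack dialog
    ("Template_A", {
        ("interface", "ethernet1/1", "type"): "layer3",
        ("zone", "trust", "zone-protection-profile"): "zpp-strict",
    }),
    ("Template_B", {
        ("interface", "ethernet1/1", "type"): "layer2",
        ("interface", "ethernet1/1", "vlan"): "vlan10",
        ("zone-protection-profile", "zpp-strict", "defined"): True,
    }),
]

def merge_stack(stack):
    """Return {setting: (value, source_template)}; the higher template wins."""
    effective = {}
    for name, settings in stack:
        for key, value in settings.items():
            effective.setdefault(key, (value, name))
    return effective

def find_mixed_interfaces(effective):
    """Layer 3 interfaces that still carry a VLAN after the merge."""
    findings = []
    for (kind, obj, attr), (_, vlan_src) in effective.items():
        if kind == "interface" and attr == "vlan":
            itype, type_src = effective.get(("interface", obj, "type"), (None, None))
            if itype == "layer3":
                findings.append((obj, type_src, vlan_src))
    return findings

def find_cross_template_refs(stack):
    """Zone references to a profile that is not defined in the same template."""
    findings = []
    for name, settings in stack:
        for (kind, obj, attr), value in settings.items():
            if kind == "zone" and attr == "zone-protection-profile":
                if ("zone-protection-profile", value, "defined") not in settings:
                    findings.append((name, obj, value))
    return findings

if __name__ == "__main__":
    for iface, t_src, v_src in find_mixed_interfaces(merge_stack(STACK)):
        print(f"{iface}: Layer 3 from {t_src}, VLAN from {v_src}")
    for tmpl, zone, profile in find_cross_template_refs(STACK):
        print(f"{tmpl}: zone {zone} references {profile}, not defined in the same template")
```

With Template_B moved above Template_A, the interface check returns nothing because the effective type becomes Layer 2, which shows how the finding depends on stack order.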