Add a Template

You must add at least one template before Panorama will display the Device and Network tabs required to define the network set up and device configuration elements for firewalls. Panorama supports up to 1,024 templates.
You can avoid duplicating many configurations among templates by combining them into a template stack: see Templates and Template Stacks and Configure a Template Stack.
  1. Add a template.
    1. Select PanoramaTemplates.
    2. Click Add and enter a unique Name to identify the template.
    3. If the template has a virtual system (vsys) with configurations (for example, interfaces) that you want Panorama to push to firewalls that don’t have virtual systems, select it in the Default VSYS drop-down.
    4. In the Devices section, select check boxes to assign firewalls to the template.
      Whenever you add a new managed firewall to Panorama, you must assign it to the appropriate template; Panorama does not automatically assign new firewalls. When you push configuration changes to a template, Panorama pushes the configuration to every firewall assigned to the template.
    5. (Optional) Select Group HA Peers to display a single check box for firewalls that are in a high availability (HA) configuration. Icons indicate the HA state: green for active and yellow for passive. The firewall name of the secondary peer is in parentheses.
      For active/passive HA, add both peers to the same template so that both will receive the configurations. For active/active HA, whether you add both peers to the same template depends on whether each peer requires the same configurations. For a list of the configurations that PAN-OS synchronizes between HA peers, see High Availability Synchronization.
    6. Click OK to save the template.
    7. Select CommitCommit and Push and then Commit and Push your changes to the Panorama configuration and to the template.
  2. Verify that the template is available.
    After you add the first template, Panorama displays the Device and Network tabs. These tabs display a Template drop-down. Check that the drop-down displays the template you just added.
  3. Use the template to push a configuration change to firewalls.
    Renaming a vsys is allowed only on the local firewall. Renaming a vsys on Panorama is not supported. If you rename a vsys on Panorama, you will create an entirely new vsys, or the new vsys name may get mapped to the wrong vsys on the firewall.
    Let’s define a primary Domain Name System (DNS) server for the firewalls in the template.
    1. In the Device tab, select the Template from the drop-down.
    2. Select DeviceSetupServicesGlobal, and edit the Services section.
    3. Enter an IP address for the Primary DNS Server.
    4. Select CommitCommit and Push and then Commit and Push your changes to the Panorama configuration and to the template.
  4. Verify that the firewall is configured with the template settings that you pushed from Panorama.
    1. In the Context drop-down, select one of the firewalls to which you pushed the template setting.
    2. Select DeviceSetupServicesGlobal. The IP address that you pushed from the template appears. The Services section header displays a template icon (green cog) to indicate that settings in the section have values pushed from a template.

Related Documentation