Configure a Template Stack
A template stack is a combination of templates: Panorama pushes the settings from every template in the stack to the firewalls you assign to that stack. Panorama supports up to 1,024 template stacks. For details and planning, see Templates and Template Stacks.
- Plan the templates and their order in the stack.For each template you will assign to the stack, Add a Template.When planning the priority order of templates within the stack (for overlapping settings), remember that Panorama doesn’t check the order for invalid relationships. For example, consider a stack in which the ethernet1/1 interface is of type Layer 3 in Template_A but of type Layer 2 with a VLAN in Template_B. If Template_A has a higher priority, Panorama will push ethernet1/1 as type Layer 3 but assigned to a VLAN.Also note that a template configuration can’t reference a configuration in another template, even if both templates are in the same stack. For example, a zone configuration in Template_A can’t reference a zone protection profile in Template_B.
- Create a template stack.
- Selectand clickPanoramaTemplatesAdd Stack.
- Enter a uniqueNameto identify the stack.
- For each of the Templates the stack will combine (up to 16), clickAddand select the template. The dialog lists the added templates in order of priority with respect to duplicate settings, where values in the higher templates override those that are lower in the list. To change the order, select a template and clickMove UporMove Down.
- In the Devices section, select check boxes to assign firewalls. You can’t assign individual virtual systems, only an entire firewall. You can assign any firewall to only one template or stack. After you finish selecting, clickOK.
- Edit theNetworkandDevicesettings, if necessary.While Panorama pushes mode-specific settings only to firewalls that support those modes, this selective push doesn’t adjust mode-specific values. For example, if a template has firewalls in Federal Information Processing Standards (FIPS) mode and an IKE Crypto profile that uses non-FIPS algorithms, the template push will fail. To avoid such errors, use theModedrop-down in theNetworkandDevicetabs to filter mode-specific features and value options.Renaming a vsys is allowed only on the local firewall. Renaming a vsys on Panorama is not supported. If you rename a vsys on Panorama, you will create an entirely new vsys, or the new vsys name may get mapped to the wrong vsys on the firewall.In an individual firewall context, you can override settings that Panorama pushes from a stack in the same way you override settings pushed from a template: see Override a Template Setting.
- Depending on the settings you will configure, select theNetworkorDevicetab and select the stack in theTemplatedrop-down. The tab settings are read-only when you select a stack.
- Filter the tabs to display only the mode-specific settings you want to edit:
- In theModedrop-down, select or clear theMulti VSYS,Operational Mode, andVPN Modefilter options.
- Set all theModeoptions to reflect the mode configuration of a particular firewall by selecting it in theDevicedrop-down.
- You can edit settings only at the template level, not at the stack level. To identify and access the template that contains the setting you want to edit:
- If the page displays a table, selectin the drop-down of any column header. The Template column displays the source template for each setting. If multiple templates have the same setting, the Template column displays the higher priority template. Click the template name in this column: theColumnsTemplateTemplatedrop-down changes to that template, at which point you can edit the setting.
- If the page doesn’t display a table, hover over the template icon (green cog) for a setting: a tooltip displays the source template. If multiple templates have the same setting, the tooltip displays the higher priority template. In theTemplatedrop-down, select the template that the tooltip displays to edit the setting.
- Edit the settings as needed.
- Select,CommitCommit and PushEdit Selectionsin the Push Scope, selectTemplates, select the firewalls assigned to the template stack, and thenCommit and Pushyour changes to the Panorama configuration and to the template stack.
- Verify that the template stack works as expected.
Recommended For You
Recommended videos not found.