End-of-Life (EoL)

Configure a Template Stack

A template stack is a combination of templates: Panorama pushes the settings from every template in the stack to the firewalls you assign to that stack. Panorama supports up to 1,024 template stacks. For details and planning, see Templates and Template Stacks.
  1. Plan the templates and their order in the stack.
    For each template you will assign to the stack, Add a Template.
    When planning the priority order of templates within the stack (for overlapping settings), remember that Panorama doesn’t check the order for invalid relationships. For example, consider a stack in which the ethernet1/1 interface is of type Layer 3 in Template_A but of type Layer 2 with a VLAN in Template_B. If Template_A has a higher priority, Panorama will push ethernet1/1 as type Layer 3 but assigned to a VLAN.
    Also note that a template configuration can’t reference a configuration in another template, even if both templates are in the same stack. For example, a zone configuration in Template_A can’t reference a zone protection profile in Template_B.
  2. Create a template stack.
    1. Select
      Panorama
      Templates
      and click
      Add Stack
      .
    2. Enter a unique
      Name
      to identify the stack.
    3. For each of the Templates the stack will combine (up to 16), click
      Add
      and select the template. The dialog lists the added templates in order of priority with respect to duplicate settings, where values in the higher templates override those that are lower in the list. To change the order, select a template and click
      Move Up
      or
      Move Down
      .
    4. In the Devices section, select check boxes to assign firewalls. You can’t assign individual virtual systems, only an entire firewall. You can assign any firewall to only one template or stack. After you finish selecting, click
      OK
      .
  3. Edit the
    Network
    and
    Device
    settings, if necessary.
    While Panorama pushes mode-specific settings only to firewalls that support those modes, this selective push doesn’t adjust mode-specific values. For example, if a template has firewalls in Federal Information Processing Standards (FIPS) mode and an IKE Crypto profile that uses non-FIPS algorithms, the template push will fail. To avoid such errors, use the
    Mode
    drop-down in the
    Network
    and
    Device
    tabs to filter mode-specific features and value options.
    Renaming a vsys is allowed only on the local firewall. Renaming a vsys on Panorama is not supported. If you rename a vsys on Panorama, you will create an entirely new vsys, or the new vsys name may get mapped to the wrong vsys on the firewall.
    In an individual firewall context, you can override settings that Panorama pushes from a stack in the same way you override settings pushed from a template: see Override a Template Setting.
    1. Depending on the settings you will configure, select the
      Network
      or
      Device
      tab and select the stack in the
      Template
      drop-down. The tab settings are read-only when you select a stack.
    2. Filter the tabs to display only the mode-specific settings you want to edit:
      • In the
        Mode
        drop-down, select or clear the
        Multi VSYS
        ,
        Operational Mode
        , and
        VPN Mode
        filter options.
      • Set all the
        Mode
        options to reflect the mode configuration of a particular firewall by selecting it in the
        Device
        drop-down.
    3. You can edit settings only at the template level, not at the stack level. To identify and access the template that contains the setting you want to edit:
      • If the page displays a table, select
        Columns
        Template
        in the drop-down of any column header. The Template column displays the source template for each setting. If multiple templates have the same setting, the Template column displays the higher priority template. Click the template name in this column: the
        Template
        drop-down changes to that template, at which point you can edit the setting.
      • If the page doesn’t display a table, hover over the template icon (green cog) for a setting: a tooltip displays the source template. If multiple templates have the same setting, the tooltip displays the higher priority template. In the
        Template
        drop-down, select the template that the tooltip displays to edit the setting.
    4. Edit the settings as needed.
    5. Select
      Commit
      Commit and Push
      ,
      Edit Selections
      in the Push Scope, select
      Templates
      , select the firewalls assigned to the template stack, and then
      Commit and Push
      your changes to the Panorama configuration and to the template stack.
  4. Verify that the template stack works as expected.
    Perform the same verification steps as when you Add a Template but select the template stack from the
    Template
    drop-down:

Recommended For You