Configure a Template Stack
A template stack is a combination of templates: Panorama pushes the settings from every template in the stack to the firewalls you assign to that stack. Panorama supports up to 1,024 template stacks. For details and planning, see Templates and Template Stacks.
- Plan the templates and their order in the stack.For each template you will assign to the stack, Add a Template.When planning the priority order of templates within the stack (for overlapping settings), remember that Panorama doesn’t check the order for invalid relationships. For example, consider a stack in which the ethernet1/1 interface is of type Layer 3 in Template_A but of type Layer 2 with a VLAN in Template_B. If Template_A has a higher priority, Panorama will push ethernet1/1 as type Layer 3 but assigned to a VLAN.Also note that a template configuration can’t reference a configuration in another template, even if both templates are in the same stack. For example, a zone configuration in Template_A can’t reference a zone protection profile in Template_B.
- Create a template stack.
- Select PanoramaTemplates and click Add Stack.
- Enter a unique Name to identify the stack.
- For each of the Templates the stack will combine (up to 16), click Add and select the template. The dialog lists the added templates in order of priority with respect to duplicate settings, where values in the higher templates override those that are lower in the list. To change the order, select a template and click Move Up or Move Down.
- In the Devices section, select check boxes to assign firewalls. You can’t assign individual virtual systems, only an entire firewall. You can assign any firewall to only one template or stack. After you finish selecting, click OK.
- Edit the Network and Device settings,
if necessary.While Panorama pushes mode-specific settings only to firewalls that support those modes, this selective push doesn’t adjust mode-specific values. For example, if a template has firewalls in Federal Information Processing Standards (FIPS) mode and an IKE Crypto profile that uses non-FIPS algorithms, the template push will fail. To avoid such errors, use the Mode drop-down in the Network and Device tabs to filter mode-specific features and value options.Renaming a vsys is allowed only on the local firewall. Renaming a vsys on Panorama is not supported. If you rename a vsys on Panorama, you will create an entirely new vsys, or the new vsys name may get mapped to the wrong vsys on the firewall.In an individual firewall context, you can override settings that Panorama pushes from a stack in the same way you override settings pushed from a template: see Override a Template Setting.
- Depending on the settings you will configure, select the Network or Device tab and select the stack in the Template drop-down. The tab settings are read-only when you select a stack.
- Filter the tabs to display only the mode-specific
settings you want to edit:
- In the Mode drop-down, select or clear the Multi VSYS, Operational Mode, and VPN Mode filter options.
- Set all the Mode options to reflect the mode configuration of a particular firewall by selecting it in the Device drop-down.
- You can edit settings only at the template level,
not at the stack level. To identify and access the template that
contains the setting you want to edit:
- If the page displays a table, select ColumnsTemplate in the drop-down of any column header. The Template column displays the source template for each setting. If multiple templates have the same setting, the Template column displays the higher priority template. Click the template name in this column: the Template drop-down changes to that template, at which point you can edit the setting.
- If the page doesn’t display a table, hover over the template icon (green cog) for a setting: a tooltip displays the source template. If multiple templates have the same setting, the tooltip displays the higher priority template. In the Template drop-down, select the template that the tooltip displays to edit the setting.
- Edit the settings as needed.
- Select CommitCommit and Push, Edit Selections in the Push Scope, select Templates, select the firewalls assigned to the template stack, and then Commit and Push your changes to the Panorama configuration and to the template stack.
- Verify that the template stack works as expected.Perform the same verification steps as when you Add a Template but select the template stack from the Template drop-down:
Template Stacks A template stack is a combination of templates. By assigning firewalls to a stack, you can push all the necessary settings to them ...
Templates and Template Stacks
Templates and Template Stacks You use templates to configure the settings that enable firewalls to operate on the network. Templates enable you to define a ...
Templates Panorama supports up to 1,024 templates. To configure a template, Add one and configure the settings as described in the following table. After configuring ...
Add a Template
Add a Template You must add at least one template before Panorama will display the Device and Network tabs required to define the network set ...
Panorama > Templates
Panorama > Templates Through the Device and Network tabs, you can deploy a common base configuration to multiple firewalls that require similar settings using a ...
Override a Template Setting
Override a Template Setting While Templates and Template Stacks enable you to apply a base configuration to multiple firewalls, you might want to configure firewall-specific ...
Plan Your Multi-NSX Deployment
Plan Your Multi-NSX Deployment You must carefully plan your device group hierarchy and template stacks and consider how they interact with the other components needed ...
Migrate a Firewall to Panorama Management
Migrate a Firewall to Panorama Management When you import a firewall configuration, Panorama automatically creates a template to contain the imported network and device settings. ...
Manage Templates and Template Stacks
Manage Templates and Template Stacks Use templates and template stacks to define the common base configurations that enable firewalls to operate in your network. See ...