Use Templates to Administer a Base Configuration

The second task in Use Case: Configure Firewalls Using Panorama is to create the templates you will need to push the base configuration to the firewalls.
  1. For each template you will use, Add a Template and assign the appropriate firewalls to each.
    In this example, create templates named T_Branch, T_Regional, and T_DataCenter.
  2. Define a DNS server, NTP server, syslog server, and login banner. Repeat this step for each template.
    1. In the Device tab, select the Template from the drop-down.
    2. Define the DNS and NTP servers:
      1. Select Device > Setup > Services > Global and edit the Services.
      2. In the Services tab, enter an IP address for the Primary DNS Server.
        For any firewall that has more than one virtual system (vsys), for each vsys, add a DNS server profile to the template (Device > Server Profiles > DNS).
      3. In the NTP tab, enter an IP address for the Primary NTP Server.
      4. Click OK to save your changes.
    3. Add a login banner: select Device > Setup > Management, edit the General Settings, enter text for the Login Banner, and click OK.
    4. Configure a Syslog server profile (Device > Server Profiles > Syslog).
  3. Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this step for each template.
    1. In the Device tab, select the Template from the drop-down.
    2. Select Setup > Management, and edit the Management Interface Settings.
    3. Under Services, select the HTTPS, SSH, and SNMP check boxes, and click OK.
  4. Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
    1. Select the Network tab and, in the Template drop-down, select T_DataCenter.
    2. Select Network Profiles > Zone Protection and click Add.
    3. For this example, enable protection against a SYN flood: in the Flood Protection tab, select the SYN check box, set the Action to SYN Cookies, set the Alert packets/second to 100, set the Activate packets/second to 1000, and set the Maximum packets/second to 10000.
    4. For this example, enable alerts: in the Reconnaissance Protection tab, select the Enable check boxes for TCP Port Scan, Host Sweep, and UDP Port Scan. Ensure the Action values are set to alert (the default value).
    5. Click OK to save the Zone Protection profile.
  5. Configure the interface and zone settings in the data center template (T_DataCenter), and then attach the Zone Protection profile you just created.
    Before performing this step, you must have configured the interfaces locally on the firewalls. As a minimum, for each interface, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.
    1. Select the Network tab and, in the Template drop-down, select T_DataCenter.
    2. Select Network > Interface and, in the Interface column, click the interface name.
    3. Select the Interface Type from the drop-down.
    4. In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name matches what is defined on the firewall.
    5. In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches what is defined on the firewall.
    6. Click OK to save your changes to the interface.
    7. Select Network > Zones, and select the zone you just created. Verify that the correct interface is attached to the zone.
    8. In the Zone Protection Profile drop-down, select the profile you created, and click OK.
  6. Push your template changes.
    1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
    2. Select Templates and select the firewalls assigned to the templates where you made changes.
    3. Commit and Push your changes to the Panorama configuration and to the template.
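
After the push, the T_DataCenter settings from steps 2 through 4 can be checked against an exported configuration. The following is an added example, not Palo Alto Networks code: the XML element names, the profile name ZP_DC, the sample values, and the audit_template function are assumptions modelled on PAN-OS XML and must be verified against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are assumptions modelled on PAN-OS XML,
# not taken from a real export; check the paths against your own config.
SAMPLE = """
<template name="T_DataCenter">
  <deviceconfig><system>
    <dns-setting><servers><primary>192.0.2.53</primary></servers></dns-setting>
    <ntp-servers><primary-ntp-server>
      <ntp-server-address>192.0.2.123</ntp-server-address>
    </primary-ntp-server></ntp-servers>
    <login-banner>Authorized use only</login-banner>
    <service><disable-https>no</disable-https><disable-ssh>no</disable-ssh>
      <disable-snmp>yes</disable-snmp></service>
  </system></deviceconfig>
  <zone-protection-profile name="ZP_DC"><flood><tcp-syn><enable>yes</enable>
    <syn-cookies><alarm-rate>100</alarm-rate>
      <activate-rate>10000</activate-rate><maximal-rate>1000</maximal-rate>
    </syn-cookies></tcp-syn></flood></zone-protection-profile>
</template>
"""
REQUIRED = {  # base settings from step 2
    "Primary DNS Server": ".//dns-setting/servers/primary",
    "Primary NTP Server": ".//primary-ntp-server/ntp-server-address",
    "Login Banner": ".//login-banner",
}
SERVICES = ("https", "ssh", "snmp")  # step 3
EXPECTED_SYN = {"alarm-rate": 100, "activate-rate": 1000, "maximal-rate": 10000}

def audit_template(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    for label, path in REQUIRED.items():
        if not (root.findtext(path) or "").strip():
            findings.append(f"{label} is not set")
    for svc in SERVICES:  # an absent element is reported so it gets reviewed
        if root.findtext(f".//service/disable-{svc}", "yes") != "no":
            findings.append(f"{svc.upper()} management access is not enabled")
    syn = root.find(".//zone-protection-profile/flood/tcp-syn")
    if syn is None or syn.findtext("enable") != "yes":
        findings.append("SYN flood protection is not enabled")
    elif syn.find("syn-cookies") is None:
        findings.append("SYN flood Action is not SYN Cookies")
    else:
        for key, want in EXPECTED_SYN.items():
            got = syn.findtext(f"syn-cookies/{key}")
            if got != str(want):
                findings.append(f"SYN {key} is {got}, expected {want}")
    return findings
```

The constructed sample deliberately leaves SNMP disabled and swaps the Activate and Maximum rates, so the audit returns three findings for it.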
