Use Templates to Administer a Base Configuration

The second task in Use Case: Configure Firewalls Using Panorama is to create the templates you will need to push the base configuration to the firewalls.
  1. For each template you will use, Add a Template and assign the appropriate firewalls to each.
    In this example, create templates named T_Branch, T_Regional, and T_DataCenter.
  2. Define a DNS server, NTP server, syslog server, and login banner. Repeat this step for each template.
    1. In the Device tab, select the Template from the drop-down.
    2. Define the DNS and NTP servers:
      1. Select Device > Setup > Services > Global and edit the Services.
      2. In the Services tab, enter an IP address for the Primary DNS Server.
        For any firewall that has more than one virtual system (vsys), for each vsys, add a DNS server profile to the template (Device > Server Profiles > DNS).
      3. In the NTP tab, enter an IP address for the Primary NTP Server.
      4. Click OK to save your changes.
    3. Add a login banner: select Device > Setup > Management, edit the General Settings, enter text for the Login Banner, and click OK.
    4. Configure a Syslog server profile (Device > Server Profiles > Syslog).
  3. Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this step for each template.
    1. In the Device tab, select the Template from the drop-down.
    2. Select Setup > Management, and edit the Management Interface Settings.
    3. Under Services, select the HTTPS, SSH, and SNMP check boxes, and click OK.
  4. Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
    1. Select the Network tab and, in the Template drop-down, select T_DataCenter.
    2. Select Network Profiles > Zone Protection and click Add.
    3. For this example, enable protection against a SYN flood: in the Flood Protection tab, select the SYN check box, set the Action to SYN Cookies, set the Alert packets/second to 100, set the Activate packets/second to 1000, and set the Maximum packets/second to 10000.
    4. For this example, enable alerts: in the Reconnaissance Protection tab, select the Enable check boxes for TCP Port Scan, Host Sweep, and UDP Port Scan. Ensure the Action values are set to alert (the default value).
    5. Click OK to save the Zone Protection profile.
  5. Configure the interface and zone settings in the data center template (T_DataCenter), and then attach the Zone Protection profile you just created.
    Before performing this step, you must have configured the interfaces locally on the firewalls. As a minimum, for each interface, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.
    1. Select the Network tab and, in the Template drop-down, select T_DataCenter.
    2. Select Network > Interface and, in the Interface column, click the interface name.
    3. Select the Interface Type from the drop-down.
    4. In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name matches what is defined on the firewall.
    5. In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches what is defined on the firewall.
    6. Click OK to save your changes to the interface.
    7. Select Network > Zones, and select the zone you just created. Verify that the correct interface is attached to the zone.
    8. In the Zone Protection Profile drop-down, select the profile you created, and click OK.
  6. Push your template changes.
    1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
    2. Select Templates and select the firewalls assigned to the templates where you made changes.
    3. Commit and Push your changes to the Panorama configuration and to the template.
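
The following check is an added example, not part of the original Panorama documentation: it audits a template's Zone Protection settings against the values used in steps 4 and 5 (SYN Cookies with increasing thresholds, the three reconnaissance alerts, and a profile attached to every zone). The simplified XML layout, the profile name ZP_DC, and the zone and interface names are constructed for illustration and are assumptions, not the PAN-OS export schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a simplified, hypothetical layout (not real PAN-OS output).
SAMPLE = """<template name="T_DataCenter">
  <zone-protection-profile name="ZP_DC">
    <flood><tcp-syn enable="yes" action="syn-cookies"
                    alert="100" activate="1000" maximum="10000"/></flood>
    <scan type="tcp-port-scan" enable="yes" action="alert"/>
    <scan type="host-sweep" enable="yes" action="alert"/>
    <scan type="udp-port-scan" enable="no" action="alert"/>
  </zone-protection-profile>
  <zone name="dc-trust" zone-protection-profile="ZP_DC"><interface>ethernet1/1</interface></zone>
  <zone name="dc-dmz"><interface>ethernet1/2</interface></zone>
</template>"""

REQUIRED_SCANS = {"tcp-port-scan", "host-sweep", "udp-port-scan"}

def audit_template(xml_text):
    """Return a list of findings; an empty list means the walkthrough values are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    profiles = {p.get("name"): p for p in root.iter("zone-protection-profile")}
    for name, prof in profiles.items():
        syn = prof.find("flood/tcp-syn")
        if syn is None or syn.get("enable") != "yes":
            findings.append(f"{name}: SYN flood protection not enabled")
        else:
            if syn.get("action") != "syn-cookies":
                findings.append(f"{name}: SYN action is {syn.get('action')}, expected syn-cookies")
            # Alert < Activate < Maximum, otherwise the stages cannot trigger in order.
            rates = [int(syn.get(k, "0")) for k in ("alert", "activate", "maximum")]
            if not rates[0] < rates[1] < rates[2]:
                findings.append(f"{name}: thresholds not increasing: {rates}")
        enabled = {s.get("type") for s in prof.findall("scan")
                   if s.get("enable") == "yes" and s.get("action") == "alert"}
        for missing in sorted(REQUIRED_SCANS - enabled):
            findings.append(f"{name}: {missing} not enabled with action alert")
    for zone in root.iter("zone"):
        if zone.find("interface") is None:
            findings.append(f"zone {zone.get('name')}: no interface attached")
        # Step 5.8 is easy to miss: a profile that exists but is not attached protects nothing.
        if zone.get("zone-protection-profile") not in profiles:
            findings.append(f"zone {zone.get('name')}: no valid Zone Protection profile attached")
    return findings

if __name__ == "__main__":
    for finding in audit_template(SAMPLE):
        print(finding)
```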