End-of-Life (EoL)
Templates and Template Stacks
You use templates to configure the settings that enable
firewalls to operate on the network. Templates enable you to define
a common base configuration using the Network and Device tabs
on Panorama. For example, you can use templates to manage interface
and zone configurations, server profiles for logging and syslog
access, and network profiles for controlling access to zones and
IKE gateways. When defining a template, consider assigning firewalls
that are the same hardware model and require access to similar network
resources, such as gateways and syslog servers.
If your network has groups of firewalls with some group-specific
settings and some settings that are common across groups, you can
simplify management by assigning the firewalls to a template stack
for each group. A template stack is a combination of templates:
the assigned firewalls inherit the settings from every template
in the stack. This enables you to avoid the redundancy of adding
every setting to every template. The following figure illustrates
an example deployment in which you assign data center firewalls
in the Asia-Pacific (APAC) region to a stack that has one template
with global settings, one template with APAC-specific settings,
and one template with data center-specific settings. To manage firewalls
in an APAC branch office, you can then re-use the global and APAC-specific templates
by adding them to another stack that includes a template with branch-specific settings.
Templates in a stack have a configurable priority order that ensures
Panorama pushes only one value for any duplicate setting. Panorama
evaluates the templates listed in a stack configuration from top
to bottom, with higher templates having priority. The following
figure illustrates a data center stack in which the data center
template has a higher priority than the global template: Panorama
pushes the idle timeout value from the data center template and
ignores the value from the global template.
Template Stacks

To accommodate firewalls that have unique settings, you can use
templates (single or stacked) to push a limited common base configuration
to all firewalls, and in individual firewalls configure firewall-specific
settings. Alternatively, you can push a broader common base configuration
and in the individual firewalls override certain pushed settings
with firewall-specific values. When you override a setting, the
firewall saves that setting to its local configuration; Panorama
no longer manages the setting. To restore template values after overriding
them, you can use Panorama to force the template configuration onto
a firewall. For example, after defining a common NTP server in a
template and overriding the NTP server configuration on a firewall
to accommodate its local time zone, you can later revert to the
NTP server defined in the template.
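
The priority order and the local-override behavior described above can be modeled in a few lines, which is useful when auditing where a firewall's effective value comes from. This is an added example, not Panorama code or a product API; the template names, setting keys, values, and the position of the APAC template in the stack are constructed assumptions.

```python
# Added illustration: a simplified model of template-stack resolution.
# Template names, setting keys, and values are constructed, not Panorama data.

DC_STACK = [  # listed top to bottom; higher entries have priority
    ("datacenter", {"idle-timeout": 10, "syslog-server": "syslog.dc.example"}),
    ("apac", {"syslog-server": "syslog.apac.example"}),  # position is an assumption
    ("global", {"idle-timeout": 60, "ntp-server": "ntp.global.example"}),
]

def resolve_stack(stack):
    """Return {setting: (value, source_template)}; the highest template wins."""
    effective = {}
    for template, settings in stack:
        for key, value in settings.items():
            effective.setdefault(key, (value, template))  # keep first (highest) value
    return effective

def firewall_view(stack, local_overrides, force_template=False):
    """Effective config on one firewall.

    Overridden settings live in the firewall's local config and are no longer
    managed centrally; force_template=True models forcing template values back.
    """
    view = resolve_stack(stack)
    if not force_template:
        for key, value in local_overrides.items():
            view[key] = (value, "local-override")
    return view

def drift_report(stack, local_overrides):
    """Settings whose local value differs from what the stack would push."""
    pushed = resolve_stack(stack)
    return sorted(
        (key, pushed[key][0], value, pushed[key][1])
        for key, value in local_overrides.items()
        if key in pushed and pushed[key][0] != value
    )

if __name__ == "__main__":
    overrides = {"ntp-server": "ntp.local.example"}  # constructed local override
    for key, (value, source) in sorted(firewall_view(DC_STACK, overrides).items()):
        print(f"{key:14} {value!s:22} from {source}")
    print("drift:", drift_report(DC_STACK, overrides))
```

The drift report lists each overridden setting with the template value it replaced and the template that value came from, which is the information needed before deciding whether to force the template configuration back onto a firewall.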
You cannot use templates to set firewall modes: virtual private
network (VPN) mode, multiple virtual systems mode (multi-vsys mode),
and operational mode (normal, Federal Information Processing Standards
[FIPS], or Common Criteria [CC]). For details, see Template
Capabilities and Exceptions. However, you can assign firewalls
that have non-matching modes to the same template or stack. In such
cases, Panorama pushes mode-specific settings only to firewalls
that support those modes. As an exception, you can configure Panorama
to push the settings of the default vsys in a template to firewalls
that don’t support virtual systems or have none configured.
For the relevant procedures, see Manage
Templates and Template Stacks.