Use Templates to Administer a Base Configuration
The second task in Use Case: Configure Firewalls Using Panorama is to create the templates you will need to push the base configuration to the firewalls.
- For each template you will use, Add a Template and assign the appropriate firewalls to each. In this example, create templates named T_Branch, T_Regional, and T_DataCenter.
- Define a DNS server, NTP server, syslog server, and login banner. Repeat this step for each template.
  - In the Device tab, select the Template from the drop-down.
  - Define the DNS and NTP servers:
    - Select Device > Setup > Services > Global and edit the Services.
    - In the Services tab, enter an IP address for the Primary DNS Server. For any firewall that has more than one virtual system (vsys), for each vsys, add a DNS server profile to the template (Device > Server Profiles > DNS).
    - In the NTP tab, enter an IP address for the Primary NTP Server.
    - Click OK to save your changes.
  - Add a login banner: select Device > Setup > Management, edit the General Settings, enter text for the Login Banner and click OK.
  - Configure a Syslog server profile (Device > Server Profiles > Syslog).
- Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this step for each template.
  - In the Device tab, select the Template from the drop-down.
  - Select Setup > Management, and edit the Management Interface Settings.
  - Under Services, select the HTTPS, SSH, and SNMP check boxes, and click OK.
- Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
  - Select the Network tab and, in the Template drop-down, select T_DataCenter.
  - Select Network Profiles > Zone Protection and click Add.
  - For this example, enable protection against a SYN flood: in the Flood Protection tab, select the SYN check box, set the Action to SYN Cookies, set the Alert packets/second to 100, set the Activate packets/second to 1000, and set the Maximum packets/second to 10000.
  - For this example, enable alerts: in the Reconnaissance Protection tab, select the Enable check boxes for TCP Port Scan, Host Sweep, and UDP Port Scan. Ensure the Action values are set to alert (the default value).
  - Click OK to save the Zone Protection profile.
- Configure the interface and zone settings in the data center template (T_DataCenter), and then attach the Zone Protection profile you just created. Before performing this step, you must have configured the interfaces locally on the firewalls. As a minimum, for each interface, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.
  - Select the Network tab and, in the Template drop-down, select T_DataCenter.
  - Select Network > Interface and, in the Interface column, click the interface name.
  - Select the Interface Type from the drop-down.
  - In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name matches what is defined on the firewall.
  - In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches what is defined on the firewall.
  - Click OK to save your changes to the interface.
  - Select Network > Zones, and select the zone you just created. Verify that the correct interface is attached to the zone.
  - In the Zone Protection Profile drop-down, select the profile you created, and click OK.
- Push your template changes.
  - Select Commit > Commit and Push and Edit Selections in the Push Scope.
  - Select Templates and select the firewalls assigned to the templates where you made changes.
  - Commit and Push your changes to the Panorama configuration and to the template.
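
A pre-push sanity check for the T_DataCenter steps above, as an added example that is not part of the vendor documentation. It works on a simplified, constructed data model (not a Panorama export format) with hypothetical names (ZP_DataCenter, vr-dc, dc-trust), and flags virtual router or zone names that do not match the firewall, SYN flood thresholds that are out of order, and zones with no Zone Protection profile attached.

```python
# Constructed sample data in a simplified, hypothetical model; this is not a
# Panorama export format. ZP_DataCenter, vr-dc and the zone names are made up.
TEMPLATE = {
    "name": "T_DataCenter",
    "syn_flood": {"action": "SYN Cookies", "alert": 100,
                  "activate": 1000, "maximum": 10000},
    "recon": {"TCP Port Scan": "alert", "Host Sweep": "alert",
              "UDP Port Scan": "alert"},
    "interfaces": {
        "ethernet1/1": {"virtual_router": "vr-dc", "zone": "dc-trust"},
        "ethernet1/2": {"virtual_router": "vr-dc", "zone": "DC-Untrust"},
    },
    "zone_protection": {"dc-trust": "ZP_DataCenter"},
}
# What is configured locally on one firewall assigned to the template.
FIREWALL_LOCAL = {
    "ethernet1/1": {"virtual_router": "vr-dc", "zone": "dc-trust"},
    "ethernet1/2": {"virtual_router": "vr-dc", "zone": "dc-untrust"},
}

def check_template(template, local):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    syn = template["syn_flood"]
    # Assumed sanity rule: thresholds ascend, as in the page's 100/1000/10000.
    if not 0 < syn["alert"] <= syn["activate"] <= syn["maximum"]:
        findings.append("SYN flood: alert/activate/maximum are not ascending")
    for scan in ("TCP Port Scan", "Host Sweep", "UDP Port Scan"):
        if scan not in template["recon"]:
            findings.append(f"reconnaissance protection not enabled: {scan}")
    for ifname, cfg in sorted(template["interfaces"].items()):
        fw = local.get(ifname)
        if fw is None:
            findings.append(f"{ifname}: not configured locally on the firewall")
            continue
        # Names in the template must match the firewall exactly.
        for key in ("virtual_router", "zone"):
            if cfg[key] != fw[key]:
                findings.append(
                    f"{ifname}: {key} {cfg[key]!r} does not match {fw[key]!r}")
        if cfg["zone"] not in template["zone_protection"]:
            findings.append(f"{ifname}: zone {cfg['zone']!r} has no profile")
    return findings

if __name__ == "__main__":
    for finding in check_template(TEMPLATE, FIREWALL_LOCAL):
        print(finding)
```

With the sample data, the zone name on ethernet1/2 differs from the firewall only in letter case, so it is reported both as a mismatch and as a zone without a profile.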