Use Templates to Administer a Base Configuration

For each template you will use, Add a Template and assign the appropriate firewalls to each.
In this example, create templates named T_Branch, T_Regional, and T_DataCenter.
Define a DNS server, NTP server, syslog server, and login banner. Repeat this step for each template.
In the
Device
tab, select the
Template
from the drop-down.
Define the DNS and NTP servers:
Select
Device
Setup
Services
Global
and edit the Services.
In the
Services
tab, enter an IP address for the
Primary DNS Server
.
For any firewall that has more than one virtual system (vsys), for each vsys, add a DNS server profile to the template (
Device
Server Profiles
DNS
).
In the
NTP
tab, enter an IP address for the
Primary NTP Server
.
Click
OK
to save your changes.
Add a login banner: select
Device
Setup
Management
, edit the General Settings, enter text for the
Login Banner
and click
OK
.
Configure a Syslog server profile (
Device
Server Profiles
Syslog
).
Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this step for each template.
In the
Device
tab, select the
Template
from the drop-down.
Select
Setup
Management
, and edit the Management Interface Settings.
Under Services, select the
HTTPS
,
SSH
, and
SNMP
check boxes, and click
OK
.
Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
Select the
Network
tab and, in the
Template
drop-down, select T_DataCenter.
Select
Network Profiles
Zone Protection
and click
Add
.
For this example, enable protection against a SYN flood—In the
Flood Protection
tab, select the
SYN
check box, set the
Action
to
SYN Cookies
as, set the
Alert
packets/second to
100
, set the
Activate
packets/second to
1000
, and set the
Maximum
packets/second to
10000
.
For this example, enable alerts—In the
Reconnaissance Protection
tab, select the
Enable
check boxes for
TCP Port Scan
,
Host Sweep
, and
UDP Port Scan
. Ensure the Action values are set to
alert
(the default value).
Click
OK
to save the Zone Protection profile.
Configure the interface and zone settings in the data center template (T_DataCenter), and then attach the Zone Protection profile you just created.
Before performing this step, you must have configured the interfaces locally on the firewalls. As a minimum, for each interface, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.
Select the
Network
tab and, in the
Template
drop-down, select T_DataCenter.
Select
Network
Interface
and, in the Interface column, click the interface name.
Select the
Interface Type
from the drop-down.
In the
Virtual Router
drop-down, click
New Virtual Router
. When defining the router, ensure the
Name
matches what is defined on the firewall.
In the
Security Zone
drop-down, click
New Zone
. When defining the zone, ensure that the
Name
matches what is defined on the firewall.
Click
OK
to save your changes to the interface.
Select
Network
Zones
, and select the zone you just created. Verify that the correct interface is attached to the zone.
In the
Zone Protection Profile
drop-down, select the profile you created, and click
OK
.
Push your template changes.
Select
Commit
Commit and Push
and
Edit Selections
in the Push Scope.
Select
Templates
and select the firewalls assigned to the templates where you made changes.
Commit and Push
your changes to the Panorama configuration and to the template.