Manage: Variables
Focus
Focus
Strata Cloud Manager

Manage: Variables

Table of Contents

Manage: Variables

Use variables your configurations to accommodate device or deployment-specific configuration objects.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series, funded with Software NGFW Credits
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
  • Prisma Access
    license
Use variables your configurations to accommodate device or deployment-specific configuration objects.
Variables are an advanced tool that allows you to standardize your configurations while giving you the flexibility to accommodate unique configuration values that are device or deployment specific. Variables allow you to reduce the number of snippets you need to manage while allow you to keep any firewall or deployment-specific configuration values as needed.
For example, you have a snippet for the configuration you want to associate with multiple nested folders where each nested folder contains a set of firewalls specific to a geographic location. In the snippet, you have configured policy rules to restrict access to business critical systems for specific IP ranges only. In this scenario, you can create a variable for each IP range specific to each nested folder and use that variable in the inherited snippet configuration. This allows you to manage and push configuration changes while using fewer snippets to accommodate device or deployment-specific configuration values.
Variables can be created at the folder, deployment, or firewall level. When you create a variable for a folder, the variable is inherited by all folders nested under the folder. In the event of conflicting variables in a folder Configuration Scope, the firewall or deployment inherits the variable value from the folder containing the nested folders. However, you can override an inherited variable at the nested folder, deployment, or firewall level.
The following types of variables are supported:
Variable Type
Description
AS Number
Autonomous system number to use in your BGP configuration.
Count
Number of events that must occur to trigger an action.
Device ID
Device-ID to use to assign a device priority valuer in an active/active high availability (HA) configuration.
Device Priority
Device priority to indicate a preference for which firewall should assume the active role in an active/passive high availability (HA) configuration.
Egress Max
Egress max value to use in Quality of Service (QoS) Profile configuration.
FQDN
Fully qualified domain name.
Group ID
High availability Group ID.
IP Netmask
Static IP or network address.
IP Range
An IP range. For example,
192.168.1.10-192.168.1.20
.
IP Wildcard
IP wildcard mask to allow or deny similar IP addresses. For example,
10.0.0.5/255.255.0.255
.
Link Tag
Link tag to use in your SD-WAN configuration.
Percent
Percentage between
0
and
99
.
Port
Source or destination port.
QoS Profile
QoS Profile for use in QoS configurations.
Rate
Rate to specify a threshold that triggers an action. For example, the
Alarm rate
for a DoS Protection profile.
Router ID
Router ID when you configure Border Gateway Protocol (BGP) for a logical router.
Timer
Timer in seconds to configure a threshold that triggers an action.
Zone
A security zone.

Create a Variable

You can also create a variable inline where a variable is supported.
  1. Log in to
    Strata Cloud Manager
    .
  2. Select
    Manage
    Configuration
    NGFW and Prisma Access
    Overview
    and select the Configuration Scope where you want to create the variable.
    In the
    Folders
    , select the folder or device for which you want to create a variable.
    In the
    Snippets
    , select the specific snippet for which you want to create a variable.
  3. In the Variables section, click the Variable count displayed.
  4. Add Variable
    .
  5. Create the variable.
    In this example, an
    IP Netmask
    variable is created for use as an address object for a critical internal resource.
    1. Select the variable
      Type
      .
    2. Give the variable a descriptive
      Name
      .
      All variable names must begin with
      $
      .
    3. (
      Optional
      ) Enter a
      Description
      for the variable.
    4. Enter the variable
      Value
      .
    5. Save
      .
  6. Add the variable to your configuration.
    In this example, the
    $internal-lab-storage
    variable created in the previous step is added to the address object configuration.

Import a Variable

Where Can I Use This?
What Do I Need?
  • Strata Cloud Manager
  • AIOps for NGFW Premium
    license
  • Prisma Access
    license
Import variables to
Strata Cloud Manager
using a CSV file. Variable imports are designed to overwrite multiple variables inherited from the folder hierarchy by the firewall, or already configured in the firewall Configuration Scope, with new firewall-specific values.
The variable must already be inherited from the folder hierarchy or configured in the firewall Configuration Scope to overwrite using variable imports. Importing variables to create entirely new variables isn’t supported.
  1. Log in to
    Strata Cloud Manager
    .
  2. Select
    Manage
    Configuration
    NGFW and Prisma Access
    Overview
    .
  3. In the Variables section, click the Variable count displayed.
  4. Select
    CSV Export/Import
    Export
    to export the variables you want to overwrite.
    Palo Alto Networks recommends you first export the variables you want to overwrite. This guarantees the CSV file you upload to
    Strata Cloud Manager
    is properly formatted. This also expedites the import process by ensuring the target folder and firewall variables are properly attributed.
  5. Modify the variables in the exported CSV file.
    Consider the following when modifying your CSV file for import.
    • Only Simple text editors, such as Notepad, are supported for modifying an exported CSV file.
    • #
      signifies that the variable is created in the folder hierarchy and inherited by the firewall.
      Remove the
      #
      to override the inherited variable value with a firewall-specific value.
      A variable value appended with
      #
      is ignored by
      Strata Cloud Manager
      on import as only overriding variable values at the firewall Configuration Scope is supported.
    • -NA-
      signifies that the variable doesn’t exist in the firewall configuration. This means that the variable was created outside of the folder hierarchy the firewall belongs to.
      Changing a variable value to
      -NA-
      isn’t supported.
      Strata Cloud Manager
      ignores any variable value modified to
      -NA-
      .
      Assigning a firewall-specific value to a variable with a value of
      -NA-
      isn’t supported because the variable doesn’t exist in the firewall Configuration Scope. The variable must be inherited by the firewall from the folder hierarchy, or configured in the firewall Configuration Scope, in order to be overridden using variable import.
    • A variable value of
      None#
      or
      None
      means that the variable was created with the variable
      Value
      as
      None
      .
      You can modify any variable value as
      None
      to remove the value but not delete the variable.
    • For a variable created in the firewall Configuration scope, deleting a variable value and leaving it blank deletes the variable.
      For a variable created in the folder hierarchy and inherited by the firewall, deleting a variable value and leaving it blank reverts the variable value to that inherited from the folder hierarchy.
    1. Locate and open the CSV file you exported. The format of the exported CSV file the name is:
      <cloud-management-tenant-name> - Prisma Access_<export-date>_variables
    2. Modify the variables as needed.
      Palo Alto Networks does not recommend modifying the folder names, device names, or device serial numbers. This might result in import failures.
      In the example below, the following changes were made to the variable values in the
      Firewall-A
      Configuration Scope to illustrate how variable imports can be used to modify multiple variables with one operation.
      • $example1
        —Overwrite the inherited
        None#
        value with a firewall-specific value.
      • $example2
        —Overwrite the firewall-specific
        None
        value with a firewall-specific value.
      • $example3
        —If the variable was created in the firewall Configuration Scope, an empty value deletes the variable.
        If the variable was inherited from the folder hierarchy, and was overridden in the firewall Configuration Scope, an empty value restores the variable value inherited from the folder hierarchy.
      • $example4
        —Overwrite the inherited
        192.168.1.101
        value with a firewall-specific value.
      • $example5
        —Example of a variable change
        Strata Cloud Manager
        ignores because
        #
        is still appended.
  6. Save your changes.
    Select
    File
    Save
    to save the changes you made to the CSV file.
    Alternatively, select
    File
    Save As
    to save your changes in a new CSV file. To create a new CSV file, you must include
    .csv
    as the file extension.
  7. Import the CSV file to
    Strata Cloud Manager
    .
    1. Select
      Manage
      Configuration
      Overview
      .
    2. In the Variables section, click the Variable count displayed.
    3. Select
      CSV Export/Import
      Import
      .
    4. Choose File
      and select the CSV file containing the variables you modified.
    5. Import
      .

Export Variables

Export your folder and firewall configuration variables in CSV format to your local device. Exporting your variables is useful when overwriting a large number of variables across multiple firewalls.
Exporting interface variables created when you configure an interface at the folder-level isn’t supported.
  1. Log in to
    Strata Cloud Manager
    .
  2. Select
    Manage
    NGFW and Prisma Access
    Configuration
    Overview
    .
  3. In the Variables section, click the Variable count displayed.
  4. Select
    CSV Export/Import
    Export
    .
  5. Select the folder and firewalls with the variables you want to export and click
    Next
    .
    If you want to export all variables created on
    Strata Cloud Manager
    , select
    All Firewalls
    .
  6. Select one or more variables to export.
  7. (
    Optional
    )
    Preview
    the selected variables to view additional details.
    From the variables preview, you can view information such as the variable name, the Configuration Scope where the variable was created, and the variable value.
    Click
    Cancel
    and continue to the next step or
    Download CSV
    to your local device.
  8. Export
    the selected variables in CSV format.
    The CSV is exported and downloaded locally to your device. The format of the exported CSV file the name is:
    <cloud-management-tenant-name> - Prisma Access_<export-date>_variables

Recommended For You