>
    Strata Copilot
    Configuration: Variables
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. Strata Cloud Manager Getting Started
    4. Configuration: Strata Cloud Manager
    5. Configuration: NGFW and Prisma Access
    6. Configuration: Overview
    7. Configuration: Variables
    Download PDF
    Strata Cloud Manager

    Configuration: Variables

    Table of Contents

    Configuration: Variables

    Use variables your configurations to accommodate device or deployment-specific configuration objects.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • NGFW, including those funded by Software NGFW Credits
    Each of these licenses include access to Strata Cloud Manager:
    → The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
    Use variables in your configurations to accommodate device or deployment-specific configuration objects.
    Variables are an advanced tool that allows you to standardize your configurations while giving you the flexibility to accommodate unique configuration values that are device or deployment specific. Variables allow you to reduce the number of snippets you need to manage while allow you to keep any firewall or deployment-specific configuration values as needed.
    For example, you have a snippet for the configuration you want to associate with multiple nested where each nested folder contains a set of firewalls specific to a geographic location. In the snippet, you have configured policy rules to restrict access to business critical systems for specific IP ranges only. In this scenario, you can create a variable for each IP range specific to each nested folder and use that variable in the inherited snippet configuration. This allows you to manage and push configuration changes while using fewer snippets to accommodate device or deployment-specific configuration values.
    Variables can be created at the folder, deployment, or firewall level. When you create a variable for a folder, the variable is inherited by all folders nested under the folder. In the event of conflicting variables in a folder Configuration Scope, the firewall or deployment inherits the variable value from the folder containing the nested folders. However, you can override an inherited variable at the nested folder, deployment, or firewall level.
    The following types of variables are supported:
    Variable Type
    Description
    AS Number
    Autonomous system number to use in your BGP configuration.
    Bandwidth
    Bandwidth in Mbps to use for Egress Max or Egress Guaranteed in a Quality of Service (QoS) profile.
    Count
    Number of events that must occur to trigger an action.
    Device ID
    Device-ID to use to assign a device priority valuer in an active/active high availability (HA) configuration.
    Device Priority
    Device priority to indicate a preference for which firewall should assume the active role in an active/passive high availability (HA) configuration.
    Egress Max
    Egress max value to use in Quality of Service (QoS) Profile configuration.
    FQDN
    Fully qualified domain name.
    Group ID
    High availability Group ID.
    IP Netmask
    Static IP or network address.
    IP Range
    An IP range. For example, 192.168.1.10-192.168.1.20.
    IP Wildcard
    IP wildcard mask to allow or deny similar IP addresses. For example, 10.0.0.5/255.255.0.255.
    IP Subnet
    IP subnet address.
    Link Tag
    Link tag to use in your SD-WAN configuration.
    Percent
    Percentage between 0 and 99. Use this variable for Egress Max or Egress Guaranteed in a Quality of Service (QoS) profile.
    Port
    Source or destination port.
    QoS Profile
    QoS Profile for use in QoS configurations.
    Rate
    Rate to specify a threshold that triggers an action. For example, the Alarm rate for a DoS Protection profile.
    Router ID
    		Router ID when you configure Border Gateway Protocol (BGP) for a logical router.
    Sub-Interface Identifier
    The numeric ID of the sub-interface portion of a logical interface. Supports values from 1 to 999. Use this variable when referencing sub-interfaces in your configuration and when defining sub-interfaces under a parent interface. This variable applies only to the sub-interface ID; the parent interface and sub-interface type are configured separately.
    Timer
    		Timer in seconds to configure a threshold that triggers an action.
    VLAN Tag
    VLAN identifier used for interface tagging. Supports values from 0 to 4095.
    Zone
    A security zone.

    Create a Variable

    You can also create a variable inline where a variable is supported.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationNGFW and Prisma AccessOverview and select the Configuration Scope where you want to create the variable.
      In the Folders, select the folder or device for which you want to create a variable.
      In the Snippets, select the specific snippet for which you want to create a variable.
    3. In the Variables section, click the Variables count displayed.
    4. Add Variable.
    5. Create the variable.
      In this example, an IP Netmask variable is created for use as an address object for a critical internal resource.
      1. Select the variable Type.
      2. Give the variable a descriptive Name.
        All variable names must begin with $.
      3. (Optional) Enter a Description for the variable.
      4. Enter the variable Value.
      5. Save.
    6. Add the variable to your configuration.
      In this example, the $internal-lab-storage variable created in the previous step is added to the address object configuration.
    7. Push Config.

    Import a Variable

    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • AIOps for NGFW Premium license
    • Prisma Access license
    Import variables to Strata Cloud Manager using a CSV file. Variable imports are designed to overwrite multiple variables inherited from the folder hierarchy by the firewall, or already configured in the firewall Configuration Scope, with new firewall-specific values.
    The variable must already be inherited from the folder hierarchy or configured in the firewall Configuration Scope to overwrite using variable imports. Importing variables to create entirely new variables isn’t supported.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationNGFW and Prisma AccessOverview.
    3. In the Variables section, click the Variables count displayed.
    4. Select CSV Export/ImportExport to export the variables you want to overwrite.
      Palo Alto Networks recommends you first export the variables you want to overwrite. This guarantees the CSV file you upload to Strata Cloud Manager is properly formatted. This also expedites the import process by ensuring the target folder and firewall variables are properly attributed.
    5. Modify the variables in the exported CSV file.
      Consider the following when modifying your CSV file for import.
      • Only Simple text editors, such as Notepad, are supported for modifying an exported CSV file.
      • # signifies that the variable is created in the folder hierarchy and inherited by the firewall.
        Remove the # to override the inherited variable value with a firewall-specific value.
        A variable value appended with # is ignored by Strata Cloud Manager on import as only overriding variable values at the firewall Configuration Scope is supported.
      • -NA- signifies that the variable doesn’t exist in the firewall configuration. This means that the variable was created outside of the folder hierarchy the firewall belongs to.
        Changing a variable value to -NA- isn’t supported. Strata Cloud Manager ignores any variable value modified to -NA-.
        Assigning a firewall-specific value to a variable with a value of -NA- isn’t supported because the variable doesn’t exist in the firewall Configuration Scope. The variable must be inherited by the firewall from the folder hierarchy, or configured in the firewall Configuration Scope, in order to be overridden using variable import.
      • A variable value of None# or None means that the variable was created with the variable Value as None.
        You can modify any variable value as None to remove the value but not delete the variable.
      • For a variable created in the firewall Configuration scope, deleting a variable value and leaving it blank deletes the variable.
        For a variable created in the folder hierarchy and inherited by the firewall, deleting a variable value and leaving it blank reverts the variable value to that inherited from the folder hierarchy.
      1. Locate and open the CSV file you exported. The format of the exported CSV file the name is:
        <cloud-management-tenant-name> - Prisma Access_<export-date>_variables
      2. Modify the variables as needed.
        Palo Alto Networks does not recommend modifying the folder names, device names, or device serial numbers. This might result in import failures.
        In the example below, the following changes were made to the variable values in the Firewall-A Configuration Scope to illustrate how variable imports can be used to modify multiple variables with one operation.
        • $example1—Overwrite the inherited None# value with a firewall-specific value.
        • $example2—Overwrite the firewall-specific None value with a firewall-specific value.
        • $example3—If the variable was created in the firewall Configuration Scope, an empty value deletes the variable.
          If the variable was inherited from the folder hierarchy, and was overridden in the firewall Configuration Scope, an empty value restores the variable value inherited from the folder hierarchy.
        • $example4—Overwrite the inherited 192.168.1.101 value with a firewall-specific value.
        • $example5—Example of a variable change Strata Cloud Manager ignores because # is still appended.
    6. Save your changes.
      Select FileSave to save the changes you made to the CSV file.
      Alternatively, select FileSave As to save your changes in a new CSV file. To create a new CSV file, you must include .csv as the file extension.
    7. Import the CSV file to Strata Cloud Manager.
      1. Select ConfigurationOverview.
      2. In the Variables section, click the Variable count displayed.
      3. Select CSV Export/ImportImport.
      4. Choose File and select the CSV file containing the variables you modified.
      5. Import.

    Export Variables

    Export your folder and firewall configuration variables in CSV format to your local device. Exporting your variables is useful when overwriting a large number of variables across multiple firewalls.
    Exporting interface variables created when you configure an interface at the folder-level isn’t supported.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationNGFW and Prisma AccessOverview.
    3. In the Variables section, click the Variable count displayed.
    4. Select CSV Export/ImportExport.
    5. Select the folder and firewalls with the variables you want to export and click Next.
      If you want to export all variables created on Strata Cloud Manager, select All Firewalls.
    6. Select one or more variables to export.
    7. (Optional) Preview the selected variables to view additional details.
      From the variables preview, you can view information such as the variable name, the Configuration Scope where the variable was created, and the variable value.
      Click Cancel and continue to the next step or Download CSV to your local device.
    8. Export the selected variables in CSV format.
      The CSV is exported and downloaded locally to your device. The format of the exported CSV file the name is:
      <cloud-management-tenant-name> - Prisma Access_<export-date>_variables

    © 2026 Palo Alto Networks, Inc. All rights reserved.