Create Template Stacks and Device Groups on Panorama

To manage the VM-Series firewalls on NSX-T using Panorama, the firewalls must belong to a device group and a template stack. Device groups allow you to assemble firewalls that need similar policies and objects as a logical unit; the configuration is defined using the
Objects
and
Policies
tabs on Panorama. Use template stacks to configure the settings that are required for the VM-Series firewalls to operate on the network; the configuration is defined using the
Device
and
Network
tabs on Panorama. Each template stack used in your NSX-T configuration must be associated with a service definition.
Firewalls deployed in NSX-T have two default zones and two interfaces configured in virtual-wire mode. Ethernet1/1 is part of zone
south
and ethernet1/2 is part of zone
north
. To push policy rules from Panorama to managed firewalls, you must configure zones and interfaces matching those on the firewall in the corresponding template stack on Panorama.
  1. Add a device group or a device group hierarchy.
    1. Select
      Panorama
      Device Groups
      , and click
      Add
      . You can also create a device group hierarchy.
    2. Enter a unique
      Name
      and a
      Description
      to identify the device group.
    3. Click
      OK
      .
    4. Click
      Commit
      and select
      Panorama
      as the
      Commit Type
      to save the changes to the running configuration on Panorama.
  2. Add a template.
    1. Select
      Panorama
      Templates
      , and click
      Add
      .
    2. Enter a unique
      Name
      and a
      Description
      to identify the template.
    3. Click
      OK
      .
    4. Click
      Commit
      , and select
      Panorama
      as the
      Commit Type
      to save the changes to the running configuration on Panorama.
  3. Create a template stack.
    1. Select
      Panorama
      Templates
      , and click
      Add Stack
      .
    2. Enter a unique
      Name
      and a
      Description
      to identify the template.
    3. Click
      Add
      to add the template you created previously.
    4. Click
      OK
      .
    5. Click
      Commit
      , and select
      Commit to Panorama
      to save the changes to the running configuration on Panorama.
  4. Configure the virtual wire, interfaces, and zones. Ensure that you select the correct template from the drop-down shown below. The objects you create must meet the following criteria:
    If you change the default virtual wire or zone names, the virtual wire and zones on Panorama must match the names used on the firewall.
    • Use
      ethernet1/1
      and
      ethernet1/2
      .
    • The virtual wire object named
      vw1
      .
    • The first zone named
      south
      , type
      virtual-wire
      , and contain
      ethernet1/1
      .
    • The second zone named
      north
      , type
      virtual-wire
      , and contain
      ethernet1/2
      .
    Repeat this process for each template in your deployment.
    nsxt-interface-configs.png
  5. Click
    Commit
    , and select
    Panorama
    as the
    Commit Type
    to save the changes to the running configuration on Panorama.

Recommended For You