Palo Alto Networks Panorama is a great tool that enables organizations to manage and analyze many firewalls at scale. Our customers often ask for improvements that make deploying or maintaining firewalls a more repeatable, consistent process. Templates can certainly help with this. However, if they are not properly planned and executed, they can have the opposite effect by introducing unnecessary complexity, additional deployment tasks, and the potential for issues down the road.
The best time to plan a template strategy is at the time of a new deployment. It’s much easier to build out with the right approach than have to rebuild it once already in production.
There are a few template strategies that we encounter in the field:
- A template per firewall to manage all device and network settings - Many times this is the end result when Panorama was introduced after existing firewalls were deployed. The firewalls are imported into Panorama using the config bundle import process, and every firewall ends up with its own template. This defeats the purpose of using templates, because it is just as much work (if not more) to manage as configuring each firewall locally. It almost always leads to manageability and scale issues due to the sheer number of templates being maintained.
- Template variables - Although not as common, it’s definitely an improvement over the first strategy above when properly executed. The idea is that you can take a baseline template, clone it, make it part of a template stack, then define the unique variables at the stack level for a particular installation. The variables are primarily for network related config elements such as IP addresses, routing, VPN configuration, etc. However, there are limitations and not all parts of a template can use variables. This strategy might work well for a retail environment, where the firewall at each location is very cookie-cutter and the variable options meet all of the requirements.
- A template only used for managing common system settings - Generally we feel that this strategy works the best for most deployments. A firewall fleet usually has common settings for things like SNMP, NTP, logon banner, and administrator accounts, just to name a few. It always makes sense to templatize these types of settings for the sake of consistency. Of course there may be a different baseline template for data center firewalls versus branch office firewalls, and that's ok. Additionally, template stack hierarchies can be used if there are different baseline settings for different regions or firewall use types. In this strategy, we recommend configuring the network settings locally on each firewall. This includes interface and routing configuration, as well as High-Availability (HA) configuration. Also, it's important to note that Panorama backs up the firewall's local configuration every time a commit operation is performed, so locally managed settings are still recoverable from Panorama.
- Not using templates at all - For small environments that have Panorama and perhaps 2-3 firewalls, it isn’t uncommon to see templates unused. Obviously Device Groups can and should be leveraged in these cases for the purpose of centrally managing policies and objects. However, we’d still suggest using templates for common system settings.
Beware of Template Overrides
A common issue that comes up is template overrides. Once a setting is managed and controlled by a Panorama template, an administrator can locally override that setting on the firewall if needed. Sometimes this is necessary during an emergency, when the firewall cannot communicate with Panorama and a change on the firewall is required immediately. The problem is that the override persists: if it is left in place, a later template change pushed from Panorama will not take effect for that setting on that firewall, which causes confusion when the desired result does not appear. Always be on the lookout for overrides and only use them when needed. Revert them as soon as possible so that Panorama can resume managing the setting through the template, and make reviewing for overrides part of any post-incident cleanup.
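The two mechanisms discussed above, stack-level variables substituted into a baseline template and local overrides that shadow a template setting, can both be audited with the same drift check: render the stack for a site, then compare the rendered values with what the firewall actually reports. The following is an added illustration, not PAN-OS or Panorama code and not a WAN Dynamics tool. It assumes the operator has already exported two flat dictionaries per firewall (the stack's merged settings and the firewall's effective values); the XPath-like key names and all values are constructed for the example. Only the `$variable` prefix mirrors Panorama's template-variable convention.

```python
"""Model of template-stack rendering and local-override detection.

Added example, not PAN-OS code. Assumes two flat maps per firewall have been
exported: the template stack's settings (values may contain $variables) and
the firewall's effective running values. Key names below are made up.
"""
import re
from typing import Dict, List, Tuple

# Template variables are written as $name, as in Panorama.
VARIABLE = re.compile(r"\$[A-Za-z0-9_-]+")

# Constructed baseline template shared by all branch firewalls.
BRANCH_TEMPLATE: Dict[str, str] = {
    "deviceconfig/system/ntp-servers/primary": "10.0.0.10",
    "deviceconfig/system/login-banner": "Authorized use only",
    "deviceconfig/system/snmp-setting/community": "$snmp-community",
    "network/interface/ethernet1/1/ip": "$eth1-ip",
    "network/virtual-router/default/routing/default-gw": "$default-gw",
}

# Constructed stack-level variable definitions for one site.
SITE_A_VARIABLES: Dict[str, str] = {
    "$eth1-ip": "192.0.2.1/24",
    "$default-gw": "192.0.2.254",
    "$snmp-community": "branch-ro",
}

# Constructed effective values exported from the site A firewall. The NTP
# server was changed locally during an outage and never reverted.
SITE_A_DEVICE: Dict[str, str] = {
    "deviceconfig/system/ntp-servers/primary": "192.0.2.5",
    "deviceconfig/system/login-banner": "Authorized use only",
    "deviceconfig/system/snmp-setting/community": "branch-ro",
    "network/interface/ethernet1/1/ip": "192.0.2.1/24",
    "network/virtual-router/default/routing/default-gw": "192.0.2.254",
}


def render_stack(template: Dict[str, str], variables: Dict[str, str]) -> Dict[str, str]:
    """Substitute stack variables into the template.

    Every $variable must be defined at the stack level; an undefined variable
    is a configuration error, so it is reported rather than silently left in
    place (which is what would otherwise reach the firewall as a literal).
    """
    rendered: Dict[str, str] = {}
    missing: List[str] = []
    for key, value in template.items():
        def substitute(match: "re.Match[str]") -> str:
            name = match.group(0)
            if name not in variables:
                missing.append(f"{key}: {name}")
                return name
            return variables[name]
        rendered[key] = VARIABLE.sub(substitute, value)
    if missing:
        raise ValueError("undefined template variables: " + "; ".join(missing))
    return rendered


def find_overrides(expected: Dict[str, str],
                   effective: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (setting, template value, device value) for every mismatch.

    A mismatch means the firewall is not running what the stack says it
    should, which is exactly the symptom of a forgotten local override.
    """
    return [(key, want, effective.get(key, "<absent>"))
            for key, want in expected.items()
            if effective.get(key) != want]


if __name__ == "__main__":
    intended = render_stack(BRANCH_TEMPLATE, SITE_A_VARIABLES)
    for setting, want, have in find_overrides(intended, SITE_A_DEVICE):
        print(f"OVERRIDE {setting}: template={want} device={have}")
```

Run against a real fleet, the two inputs would come from a config export of the template stack and of each firewall's running configuration; the comparison itself does not change. Any setting the check reports should either be reverted on the firewall or deliberately moved out of the template, so that Panorama and the device agree on who owns it.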
If your organization is considering a new firewall deployment using Panorama templates, or if you have an existing deployment, consider how the template settings can help when it comes to repeating tasks and ensuring consistency. If it doesn’t improve deployment efficiency, and reduce or eliminate configuration errors, then often a different approach is necessary.
Panorama is a powerful tool from Palo Alto to manage many firewalls in one place. However, with different industries requiring varying applications and configurations, it's helpful to leverage an expert to take full advantage of Panorama's power. As one of Palo Alto Network's partners, WAN Dynamics is the go-to source for Panorama integrations. Get in touch with our team today to discuss how we can deliver the performance and security your organization deserves.