How to duplicate settings among multiple templates

How to duplicate settings among multiple templates

41438
Created On 09/25/18 17:19 PM - Last Modified 07/27/22 16:28 PM


Resolution


At times you may want to duplicate/reconfigure Network or Device tab settings for multiple templates. For example, if you have N number of templates but want to share the same Administrator accounts, LDAP servers, etc among all of them you can duplicate or reconfigure settings. 

 

There are two options to do so, besides the GUI option of configuring everything manually. 

  1. Duplicate configuration between templates on the CLI using set commands or load configuration partial.
  2. Use template stacks to combine common elements. This option is only available if you are running PAN-OS 7.0+.

Method 1: Duplicate configuration between templates using set commands from the CLI: 

  1. Go to configuration mode on the Panorama CLI, and set the configuration output mode to set:

    admin@Panorama# run set cli config-output-format set

  2. Find the configuration that you want to copy. For example:

    admin@Panorama# show | match Template1

    set template Template1 settings operational-mode normal

    set template Template1 config devices localhost.localdomain vsys vsys1

    set template Template1 config mgt-config users Admin1 permissions role-based superuser yes

    set template Template1 config mgt-config users Admin1 phash $1$jhtkhsba$D6q7Bu38KMpOBd.V.FlhX1

    set template Template1 config mgt-config users Admin2 permissions role-based superuser yes

    set template Template1 config mgt-config users Admin2 phash $1$cpqxckno$FhbxH9tTxwgeIaeKc.pOa1

    set template Template1 config mgt-config users Admin3 permissions role-based superuser yes

    set template Template1 config mgt-config users Admin3 phash $1$sykssmec$kst3ufkcj9.Htg9zAXvDy0

  3. Copy the required configuration on a notepad, in this all configuration under mgt-config and edit the template name to target template. Then copy and paste the same back on the CLI after enabling scripting-mode:

    admin@Panorama# run set cli scripting-mode on                                       

    admin@Panorama#(Paste the commands now)  

    set template Template2 config mgt-config users Admin1 permissions role-based superuser yes

    set template Template2 config mgt-config users Admin1 phash $1$jhtkhsba$D6q7Bu38KMpOBd.V.FlhX1

    set template Template2 config mgt-config users Admin2 permissions role-based superuser yes

    set template Template2 config mgt-config users Admin2 phash $1$cpqxckno$FhbxH9tTxwgeIaeKc.pOa1

    set template Template2 config mgt-config users Admin3 permissions role-based superuser yes

    set template Template2 config mgt-config users Admin3 phash $1$sykssmec$kst3ufkcj9.Htg9zAXvDy0

    admin@Panorama# run set cli scripting-mode off        

 

Method 2: Duplicate configuration between templates using the load command on the CLI: 

  1. Take backup of current configuration: Panorama > Operations > Save named Panorama configuration snapshot, for example, ConfigBackup.

  2. Open a new browser tab to view the XML browser: https://<panorama-ip>/api, and simultaneously open a CLI session.

  3. Navigate to the required configuration:

    Screen Shot 2016-03-24 at 11.34.20 am.png

     Note the highlighted XML Path.
     

  4. On the CLI session go into the configuration mode and execute the following command:

     

    # load config partial mode merge from-xpath devices/entry[@name='localhost.localdomain']/template/entry[@name='Template1']/config/mgt-config to-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='Template2']/config/mgt-config from ConfigBackup

     

    Notice the path used in from-xpath, which doesn't include /config/ in the beginning since /config/ indicates the current device configuration. Also, notice the changed template name (target template) in the to-xpath.

 

Method 3: Use template stacks (When running PAN-OS 7.0.X only)

 

  1. Create a Common Template, TemplateCommon for example. Do not assign any devices to this template. Configure admin accounts to be shared on this template.

    Screen Shot 2016-03-24 at 12.47.10 pm.png
     

  2. Create a Template Stack called TemplateStack1, and add two templates to it: TemplateCommon and Template1, in that order. 

    Screen Shot 2016-03-24 at 12.50.18 pm.png
     

  3. Unassign Firewall1 from Template1 and assign it to TemplateStack1.

  4. Similarly, create a Template Stack called as TemplateStack2, and add two templates to it: TemplateCommon and Template2, in that order.

  5. Unassign Firewall2 from Template2 and assign it to TemplateStack2.

  6. Commit the changes locally to Panorama, and perform a Template commit to Firewall1 and Firewall2.

  7. Check the GUI of both firewalls to make sure admin accounts are pushed properly.

  8. In the future, any common changes can be just made in TemplateCommon, and then pushed to all devices by doing a commit on the corresponding Template Stack.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF3CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language