A Panorama template push cannot be used to add single/individual routes within a VR to a managed Palo Alto Networks firewall.
For example, a VR with the same name exists on both Panorama and a managed firewall. Panorama's VR has two static routes, R1 and R3. The managed firewall's VR has two static routes, R1 and R2. There are three options when pushing a network template to a managed firewall:
1. Merge with Candidate Config box checked. This results in the VR on the managed firewall having routes R1 and R2.
2. Force Template Values box checked. This results in the VR on the managed firewall having routes R1 and R3.
3. Both options checked. This again results in the VR on the managed firewall having routes R1 and R3.
From the options above, we can see that the VR on the managed firewall never ends up with all three routes R1, R2, and R3. When a VR is pushed from Panorama onto its managed firewall, either everything gets pushed or nothing.
Therefore, it is very important to check Panorama's VR configuration to make sure that it has all the routes in its VR before pushing a network template. Otherwise, the push can flush routes from the managed firewall's VR. In the example above, the R2 route would be flushed.
Note: Option-1 from the above example is used to merge Panorama's network template configuration (Interfaces, Zones, VLANs, IPSec Tunnels, DHCP, DNS Proxy, GP, QoS, and Network Profiles) with the managed firewall's candidate configuration. This option is not meant to merge Panorama's routes with the managed firewall's routes within a VR.
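
The pre-push check described above can be scripted. The following is an added example, not Palo Alto Networks code: it compares the static routes of same-named VRs in two exported configuration fragments and lists the firewall-only routes a forced push would flush. The XML samples, the VR name VR1, the destinations, and the function names are constructed for illustration; only IPv4 static routes are compared, and routes are matched by name as in the article's R1/R2/R3 example.

```python
import xml.etree.ElementTree as ET

# Constructed <virtual-router> fragments mirroring the article's example.
PANORAMA_TEMPLATE_XML = """
<virtual-router>
  <entry name="VR1"><routing-table><ip><static-route>
    <entry name="R1"><destination>10.1.0.0/16</destination></entry>
    <entry name="R3"><destination>10.3.0.0/16</destination></entry>
  </static-route></ip></routing-table></entry>
</virtual-router>
"""
FIREWALL_XML = """
<virtual-router>
  <entry name="VR1"><routing-table><ip><static-route>
    <entry name="R1"><destination>10.1.0.0/16</destination></entry>
    <entry name="R2"><destination>10.2.0.0/16</destination></entry>
  </static-route></ip></routing-table></entry>
  <entry name="VR-local"><routing-table><ip><static-route>
    <entry name="L1"><destination>10.9.0.0/16</destination></entry>
  </static-route></ip></routing-table></entry>
</virtual-router>
"""

def static_routes(xml_text):
    """Return {vr_name: {route_name: destination}} for IPv4 static routes."""
    result = {}
    for vr in ET.fromstring(xml_text).findall("entry"):
        routes = {}
        for route in vr.findall("routing-table/ip/static-route/entry"):
            routes[route.get("name")] = route.findtext("destination", default="")
        result[vr.get("name")] = routes
    return result

def routes_at_risk(panorama_xml, firewall_xml):
    """List firewall-only routes in VRs whose name exists on both sides."""
    pano, fw = static_routes(panorama_xml), static_routes(firewall_xml)
    report = {}
    for vr in sorted(pano.keys() & fw.keys()):
        lost = sorted(set(fw[vr]) - set(pano[vr]))
        if lost:
            report[vr] = [(name, fw[vr][name]) for name in lost]
    return report

if __name__ == "__main__":
    for vr, lost in routes_at_risk(PANORAMA_TEMPLATE_XML, FIREWALL_XML).items():
        for name, dest in lost:
            print(f"{vr}: route {name} ({dest}) is missing from Panorama's VR")
```

Any route this reports should be added to Panorama's VR before the template is pushed.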