What is the behavioral change in Panorama in PAN-OS 8.1 regarding templates?

Created On 02/05/19 23:01 PM - Last Modified 08/08/19 23:07 PM


Question


Mysterious Templates appear after upgrade to 8.1.5 (from 8.0.x)

Environment


  • PAN-OS 8.1
  • Panorama templates and template stacks


Answer


There has been an enhancement in Panorama behavior in PAN-OS 8.1.x in which template re-usability is possible within template stacks. 

This feature provides the ability to reference and reuse objects across various templates (as long as the templates belong to the same stack). Also, individual templates are enhanced such that they will use variables instead of literal IPs in their configuration.

Other related changes in PAN-OS 8.1:
  • In 8.1, only template stacks, not templates, are associated with firewalls and can be pushed to the firewalls.
  • Templates act as building blocks for the template stacks.
  • All templates are merged at the template stack level to produce the resultant config that is pushed to the firewall.
  • Template stacks are now editable.
  • The maximum number of templates in a template stack is now 8, from 16.
  • Variables can be added from the template or template stack dialogs.
  • Variables must be one of the following types: IP Netmask, IP Range, FQDN, Interface or Group Id.
  • Variable values can be changed at the Template Level, Template Stack Level, or Device Level.


Additional Information


PAN-OS New Features Guide 8.1:
Templates and template stacks are improved to make it easier to manage firewalls and appliances from Panorama™ using a single template or template stack. To more easily reuse templates and template stacks, you can now create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. You can define template variables at either the template level or the template stack level and you can use them to replace IP addresses, IP ranges, FQDNs, group IDs, and interfaces in IKE, VPN and HA configurations. You can override variables associated with and managed by the template or template stack on a per-firewall or appliance basis. Overriding a template or template stack variable allows you to minimize the number of templates and template stacks you need to manage while still allowing you to keep any device-specific configurations as needed. To reduce the number of template and template stack configurations you need to manage, you now add firewalls and appliances to a template stack rather than to a template; the firewall or appliance prioritizes the template stack configuration. Additionally, template stacks can now reference any named object in a template that belongs to the template stack, which means you use template stacks to manage the base firewall and appliance configurations while template configurations enable you to create specific configurations.

