User-ID Settings on Template Stack in Panorama Not Pushed to the Firewall
10234
Created On 04/24/19 22:52 PM - Last Modified 04/26/19 17:50 PM
Symptom
The "User Identification" settings configured on Template Stack in Panorama "Multi-vsys" mode are not pushed to the managed firewall in "Single-vsys" mode.
Environment
Panorama
Cause
Template stack is set to "Multi-vsys" mode. "User Identification" settings are configured directly in the template stack. There are no templates added to the template stack. By default, if there are no templates added to the template stack, the "Default vsys" will be set to "None" as shown below
Managed firewall added to the template stack is operating in "Single vsys" mode. Since the managed firewall does not have "Multi Virtual System Capability" enabled, the "User Identification" settings are not pushed.
Resolution
Add a template to the template stack. The "Default vsys" field in the template stack changes from "None" to "vsys1."
"vsys1" is inherited from the template "Lab-Template" as shown below.
This will allow the "User Identification" settings to be pushed to the firewall operating in "Single vsys" mode.
NOTE: If the Template Stack is in "Single vsys" mode, this will cause the User-ID settings to be grayed out as shown below. This is a limitation for certain nodes in the template stack.
A template needs to be added to the template stack in "Single vsys" mode and the "User Identification" settings need to be configured in the template for the config to get pushed to the firewall operating in "Single vsys" mode,
Additional Information
To check if the managed firewall is operating in single-vsys or multi-vsys mode, please go to Device > Setup > Management > General Settings.
If the option "Multi Virtual System Capability" is unchecked, the device is operating in single-vsys mode. If you do not see this option "Multi Virtual System Capability," then the device does not support multi-vsys capability.
For more information on "Templates and Template Stacks," please check the Panorama Administrator's Guide: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks.html#