User-ID Settings on Template Stack in Panorama Not Pushed to the Firewall

Created On 04/24/19 22:52 PM - Last Modified 04/26/19 17:50 PM


Symptom


The "User Identification" settings configured on a template stack in "Multi-vsys" mode in Panorama are not pushed to a managed firewall operating in "Single-vsys" mode.

Environment


Panorama

Cause


The template stack is set to "Multi-vsys" mode. The "User Identification" settings are configured directly in the template stack, and no templates have been added to it. By default, when a template stack contains no templates, its "Default vsys" is set to "None", as shown below.
[Screenshot: Lab-Temp-Stack-Default_VSYS]

The managed firewall added to the template stack is operating in "Single vsys" mode. Since the managed firewall does not have "Multi Virtual System Capability" enabled, the "User Identification" settings are not pushed.


Resolution


Add a template to the template stack. The "Default vsys" field in the template stack changes from "None" to "vsys1."

"vsys1" is inherited from the template "Lab-Template", as shown below.
[Screenshot: Lab-Temp-Stack-Default_VSYS_vsys1]

This will allow the "User Identification" settings to be pushed to the firewall operating in "Single vsys" mode.

NOTE: If the template stack is in "Single vsys" mode, the User-ID settings are grayed out, as shown below. This is a limitation for certain nodes in the template stack.
[Screenshot: Lab-Temp-Stack-Single-VSYS-Mode-UserID-Grayed-Out]

For the configuration to be pushed to a firewall operating in "Single vsys" mode, a template must be added to the template stack in "Single vsys" mode, and the "User Identification" settings must be configured in that template.


Additional Information


To check if the managed firewall is operating in single-vsys or multi-vsys mode, please go to Device > Setup > Management > General Settings.

If the option "Multi Virtual System Capability" is unchecked, the device is operating in single-vsys mode. If you do not see this option "Multi Virtual System Capability," then the device does not support multi-vsys capability.

For more information on "Templates and Template Stacks," please check the Panorama Administrator's Guide: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks.html#

