PAN-OS: Panorama Templates and Template Stacks

PCNSE Objective Focus (Domain 4 - 18%)

4.1 Configure Firewall Management

• 4.1.1 Components configured in a template

Introduction: Centralized Configuration Management

Panorama™ provides centralized management for multiple Palo Alto Networks firewalls. Two core components enabling efficient and consistent configuration across managed devices are Templates and Template Stacks .

• Templates: Reusable building blocks containing specific configuration settings primarily related to the Network and Device tabs of a firewall's configuration (e.g., interfaces, zones, server profiles, management settings).
• Template Stacks: Ordered collections of one or more Templates. Stacks are assigned to Device Groups, applying the combined configuration of their constituent templates to all firewalls within that group.

Using Templates and Stacks dramatically simplifies administration, ensures consistency, reduces errors, and allows for scalable deployment and modification of firewall settings across an organization.

This guide focuses specifically on identifying the types of configurations managed within Templates, aligning with PCNSE objective 4.1.1.

Understanding where Templates fit into the overall Panorama configuration hierarchy is crucial:

graph TD
    A["Shared Settings (Global Objects/Policies - Optional)"] --> B["Device Group - Pre Rules Policies & Objects"];
    B --> C{"Template Stack Applied to Device Group"};
    C --> T1["Template 1 (Network/Device Settings)"];
    T1 --> T2["Template 2 (Network/Device Settings)"];
    T2 --> D["Device Group - Post Rules Policies & Objects"];
    D --> E["Local Firewall Config Overrides where allowed"];

    subgraph Legend
        direction LR
        L1["Panorama Config"] --> L2["Firewall Specific Config"]
    end

    style C fill:#eaf2f8,stroke:#aed6f1,stroke-width:2px
    style T1 fill:#fdebd0,stroke:#f5b041,stroke-width:1px
    style T2 fill:#fdebd0,stroke:#f5b041,stroke-width:1px

     

• Shared: Global settings applicable to all managed devices (optional).
• Device Groups: Contain Policies (Security, NAT, QoS, etc.) and Objects (Addresses, Services, Applications, Profiles) pushed to groups of firewalls. Rules can be Pre (evaluated first) or Post (evaluated last).
• Templates/Template Stacks: Assigned to Device Groups, they contain Network and Device configurations. Settings within a Stack are applied in the order of the Templates listed.
• Local Firewall: Configuration made directly on the firewall itself.

Settings pushed from Panorama (Device Groups, Templates/Stacks) generally override local firewall configurations unless specifically configured otherwise (rare). Within a Template Stack, settings in later templates override settings for the same item in earlier templates.

Components Configured in a Template (PCNSE 4.1.1 Focus)

Templates in Panorama are specifically designed to manage configurations found under the Network and Device tabs of a firewall's local configuration. They do *not* manage policies or most objects.

Network Tab Components (Examples):

Templates allow you to configure settings related to network connectivity and infrastructure:

• Interfaces:
  • Physical Interfaces (Ethernet): Type (L3, L2, VWire, Tap), IP addresses, Management Profiles, Link Speed/Duplex, MTU.
  • Tunnel Interfaces: Configuration, IP assignment.
  • Aggregate Ethernet (AE) Interfaces: Configuration, member interfaces, LACP settings.
  • VLAN Interfaces: Configuration, IP assignment.
  • Loopback Interfaces: Configuration, IP assignment.
• Zones: Define Security Zones (Type: L3, L2, VWire, Tap, Tunnel) and assign interfaces to them. (Zone Protection Profiles are Objects, usually managed in Device Groups).
• VLANs: Create VLAN objects and assign interfaces.
• Virtual Routers: Define Virtual Routers, add interfaces, configure basic routing options (like ECMP), but Static Routes and Dynamic Routing Protocols (OSPF, BGP) are typically configured within the Virtual Router settings *inside* the template, not as separate policy objects .
• IPSec Tunnels: Configure IKE Gateways, IPSec Crypto Profiles, IKE Crypto Profiles, and IPSec Tunnel configurations.
• GlobalProtect: Configure GlobalProtect Portal and Gateway settings (Interfaces, Authentication, Agent Configs, Client Settings).
• Network Profiles:
  • Interface Management Profiles
  • LLDP Profiles
  • Zone Protection Profiles (Linkage, definition often in Objects)
  • QoS Profiles (Network Profiles): Configure profiles defining Interface Egress Max and per-class bandwidth (Guaranteed/Max). Note: QoS Profile *Objects* (mapping traffic to classes) are configured under Objects.
  • Monitor Profiles (for Tunnel Monitoring)
  • SD-WAN Profiles (Link/Path Quality, Traffic Distribution)
• Virtual Wires: Configure Virtual Wire objects and assign interfaces.
• DHCP: Configure DHCP Server, Relay, Client settings.
• DNS Proxy: Configure DNS Proxy objects and rules.
• NetFlow / IPFIX: Configure Server Profiles for exporting flow data.

Device Tab Components (Examples):

Templates manage device-specific operational settings:

• Setup:
  • Management Interface Settings (IP, DNS, Services).
  • Services: DNS Servers, NTP Servers, Service Route Configuration.
  • Session Settings: Timeouts, session limits.
  • Content-ID Settings: Various options for the Content-ID engine.
  • WildFire General Settings (File size limits, cloud region).
• High Availability (HA): Configure HA settings (Group ID, mode, link monitoring, path monitoring).
• Log Settings: Configure log settings for different types and system log forwarding.
• Server Profiles: Configure profiles for external services:
  • Syslog
  • Email
  • SNMP Trap
  • HTTP (for EDLs, updates)
  • User-ID Syslog Listeners
  • RADIUS
  • TACACS+
  • LDAP
  • Kerberos
  • SAML Identity Provider
  • etc.
• Certificate Management:
  • Certificate Profiles (defining validation criteria).
  • SSL/TLS Service Profiles (defining server certificates for specific services like GP Portal/Gateway, Management).
  • OCSP Responder profiles.
  • SCEP profiles.
  • (Note: Actual Certificate *files* and Keys are often managed globally or imported directly, but profiles referencing them are configurable here).
• Schedules: Define schedule objects for use in policies or updates.
• Dynamic Updates: Configure schedules for downloading/installing content updates.
• VM-Series / CN-Series specific settings: Plugin configurations, etc.
• SNMP Setup: Configure SNMP agent settings, trap destinations.
• Administrators / Admin Roles: Configure local admin accounts and roles (though often managed via directory services).

What is NOT Configured in Templates

It's equally important to know what is NOT managed by Templates. These configurations belong primarily in Panorama Device Groups (or potentially Shared):

• Policies:
  • Security
  • NAT
  • QoS (Policy Rules, not Interface bandwidth settings)
  • Policy Based Forwarding (PBF)
  • Decryption
  • Authentication
  • Application Override
  • Tunnel Inspection
  • DoS Protection
• Objects: (Most objects used *within* policies)
  • Addresses & Address Groups
  • Services & Service Groups
  • Applications, Application Groups, Application Filters
  • External Dynamic Lists (EDLs)
  • Custom Objects (URL Categories, Data Patterns, Custom Apps/Threats)
  • Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Data Filtering, WildFire Analysis, DoS Protection Profiles, SD-WAN Profiles used in policy)
  • QoS Profile Objects (mapping traffic to classes)
  • Log Forwarding Profiles

Think of Templates for the firewall's underlying network and device setup, and Device Groups for the security policies and the objects those policies reference.