PAN-OS: Template Stack Order and Configuration Precedence

Introduction: Combining Configurations

In Panorama, Templates hold reusable Network and Device settings, while Template Stacks allow you to combine multiple Templates and apply them collectively to a Device Group. This provides modularity and flexibility in configuration management.

However, it's common for different Templates within the same Stack to configure the *same* setting (e.g., both Template A and Template B define DNS servers). Understanding how Panorama resolves these conflicts and determines the final configuration pushed to the firewall is critical.

The key principle is that the order of Templates within the Stack dictates precedence .

Top-Down Evaluation, Last Setting Wins

• When Panorama prepares the configuration push for a firewall belonging to a Device Group associated with a Template Stack, it processes the Templates within that Stack sequentially, from top to bottom as listed in the Stack configuration.
• If multiple templates within the stack configure the exact same configuration item (e.g., the Primary DNS server IP address under Device > Setup > Services ), the value defined in the LAST template in the stack that configures that item will OVERRIDE values from any preceding templates in the stack.
• Settings defined in templates that are *not* overridden by later templates are simply aggregated.

Think of it as applying layers of configuration. Each template adds its settings, potentially overwriting settings applied by the layers (templates) beneath it in the stack.

Example Scenario:

Consider a Template Stack named `Branch-Stack` applied to the `Branch-Firewalls` Device Group, with the following templates listed in this order:

1. `Global-Network-Settings` Template:
   • DNS Server Primary: 8.8.8.8
   • NTP Server 1: pool.ntp.org
   • Zone: Trust (contains eth1/1)
2. `Branch-Specific-Settings` Template:
   • DNS Server Primary: 10.1.1.1 (Local DNS)
   • Zone: Guest (contains eth1/3)
   • Syslog Server Profile: Branch-Syslog

Resulting Configuration on a Firewall in `Branch-Firewalls` DG:

• DNS Server Primary: 10.1.1.1 (The value from `Branch-Specific-Settings` (last) overrides the value from `Global-Network-Settings`).
• NTP Server 1: pool.ntp.org (Defined only in the first template, so it is included).
• Zones: Both Trust (from first template) and Guest (from second template) will be created/configured.
• Syslog Server Profile: Branch-Syslog (Defined only in the second template, so it is included).

graph TD
    subgraph Panorama
        Stack[Template Stack: Branch-Stack] --> T1(Template: Global-Network-Settings);
        Stack --> T2(Template: Branch-Specific-Settings);

        subgraph T1_Config [Config in Global-Network-Settings]
            direction LR
            DNS1_T1[DNS Primary: 8.8.8.8]
            NTP_T1[NTP: pool.ntp.org]
            Zone_T1[Zone: Trust]
        end

        subgraph T2_Config [Config in Branch-Specific-Settings]
            direction LR
            DNS1_T2[DNS Primary: 10.1.1.1]
            Zone_T2[Zone: Guest]
            Syslog_T2[Syslog Profile: Branch-Syslog]
        end

        T1 --> T1_Config;
        T2 --> T2_Config;

        Stack -- Applied To --> DG[Device Group: Branch-Firewalls];
    end

    subgraph ManagedFirewall [Result on Firewall]
        direction LR
        DNS_FW[DNS Primary: 10.1.1.1 - From T2: Overrides T1]
        NTP_FW[NTP: pool.ntp.org - From T1]
        Zones_FW[Zones: Trust, Guest - Merged]
        Syslog_FW[Syslog Profile: Branch-Syslog - From T2]
    end

    DG --> ManagedFirewall;

    style Stack fill:#eaf2f8,stroke:#aed6f1,stroke-width:2px
    style T1 fill:#fdebd0,stroke:#f5b041,stroke-width:1px
    style T2 fill:#fdebd0,stroke:#f5b041,stroke-width:1px
    style DNS1_T2 fill:#f8d7da,stroke:#dc3545    ; Indicates override
    style DNS_FW fill:#d5f5e3,stroke:#58d68d


     

Diagram illustrating Template Stack precedence.

• Precedence Control: Allows administrators to define base configurations in early templates and override specific settings for particular groups of devices using later templates in the stack.
• Modularity: Enables creating smaller, focused templates (e.g., one for NTP, one for DNS, one for specific interface types) and combining them as needed in different stacks.
• Potential for Confusion: If the same setting is configured in multiple templates within a stack, administrators must be aware of the order to understand which value will ultimately be applied.
• Troubleshooting: When diagnosing a configuration issue on a firewall managed by a template stack, it's essential to examine all templates in the stack, paying attention to the order, to determine the effective setting. Panorama's configuration preview tools can help.

For the PCNSE exam, concerning Template Stack order:

• Know the purpose of Template Stacks: To apply multiple Templates in a defined order to a Device Group.
• Understand the fundamental rule of precedence: Settings in templates listed later (higher up) in the stack override identical settings from templates listed earlier (lower down).
• Be able to predict the resulting configuration on a firewall when given a scenario with conflicting settings in different templates within a stack.
• Recognize that non-conflicting settings from different templates are aggregated.
• Differentiate Template Stack precedence from the overall Panorama hierarchy (Shared > Device Group Pre-Rules > Template Stack > Device Group Post-Rules > Local).