PAN-OS: Overriding Template Values in a Template Stack

Introduction: Handling Configuration Conflicts

Panorama Template Stacks provide a powerful way to apply layered configurations to groups of firewalls. However, this layering often leads to situations where the same configuration setting (e.g., a specific DNS server, an interface MTU, an NTP server address) is defined in multiple Templates within the same Stack .

PAN-OS uses a clear precedence rule to resolve these conflicts: the value defined in the template placed later (higher up) in the stack order takes precedence and effectively overrides the value(s) defined in template(s) placed earlier (lower down) in the stack.

Understanding and utilizing this override mechanism is key to building modular and maintainable configurations.

You can have a maximum of 8 templates in a stack

How Precedence Works:

• Panorama processes the templates in a stack sequentially, from the first template listed (often considered the "bottom" or base layer) to the last template listed (the "top" or final layer).
• When configuring a specific device setting (like `Device > Setup > Services > Primary DNS`), Panorama checks each template in the stack in order.
• If Template 1 sets Primary DNS to `8.8.8.8`.
• If Template 2 (listed after Template 1) sets Primary DNS to `10.1.1.1`.
• If Template 3 (listed after Template 2) does *not* define a Primary DNS server.
• The final value pushed to the firewall for Primary DNS will be `10.1.1.1` , because Template 2 was the *last* template in the stack order to define that specific setting, overriding the value from Template 1.
• Settings defined in only one template within the stack are simply included in the final configuration.

    graph TD
        subgraph Panorama
            Stack[Template Stack]
            T1[Template 1 - Base DNS: 8.8.8.8 NTP: pool.ntp.org]
            T2[Template 2 - Override DNS: 10.1.1.1 Syslog: log.internal]
            T3[Template 3 - Specific NTP: ntp.internal Interface: eth1/3 Config]

            Stack -- Contains (Order: 1st) --> T1
            Stack -- Contains (Order: 2nd) --> T2
            Stack -- Contains (Order: 3rd) --> T3

            Stack -- Applied To --> DG[Device Group]
        end

        subgraph ResultingFirewallConfig [Effective Configuration on Firewall]
            DNS_FW[DNS Primary: 10.1.1.1 T2 overrides T1]
            NTP_FW[NTP Server: ntp.internal T3 overrides T1]
            Syslog_FW[Syslog Profile: log.internal From T2]
            Intf_FW[Interface eth1/3 Config From T3]
        end

         DG --> ResultingFirewallConfig

        style Stack fill:#eaf2f8,stroke:#aed6f1,stroke-width:2px
        style T1 fill:#fdebd0,stroke:#f5b041,stroke-width:1px
        style T2 fill:#fdebd0,stroke:#f5b041,stroke-width:1px
        style T3 fill:#fdebd0,stroke:#f5b041,stroke-width:1px
        style DNS_FW fill:#d5f5e3,stroke:#58d68d
        style NTP_FW fill:#d5f5e3,stroke:#58d68d
        style Syslog_FW fill:#d5f5e3,stroke:#58d68d
        style Intf_FW fill:#d5f5e3,stroke:#58d68d

     

Diagram illustrating how later templates (T2, T3) override settings from earlier templates (T1).

Purpose of Overrides:

• Standardization with Exceptions: Define common baseline settings in base templates (lower in the stack) and use specific templates (higher in the stack) to override settings for particular device types, regions, or functions.
• Modularity: Create templates for specific features (e.g., a "GlobalProtect-Settings" template). If a specific device group needs a slightly different GP setting, you can create a small overriding template placed later in its stack.
• Hardware Differences: Have a base template for general settings, then specific templates higher in the stack for different firewall models that might require unique interface configurations or resource settings.

Managing Overrides

• Visibility: Determining the final "effective" configuration requires understanding the stack order. Panorama provides tools to help:
  • Configuration Preview: Before committing, Panorama often allows previewing the configuration that will be pushed to a specific device, showing the merged result of the stack.
  • Effective Configuration View (Firewall GUI): On the managed firewall itself, you can often see which settings are inherited from Panorama (Templates/Device Groups) versus configured locally.
• Template Variables vs. Overrides: For settings that vary per device but follow a pattern (like IP addresses or hostnames), using Template Variables is often preferable to creating many overriding templates. Variables allow you to define placeholders in a base template and provide specific values per firewall or device group. Overrides are best used when the *type* of configuration itself needs to change, not just a specific value.
• Complexity: While powerful, heavily relying on overrides across many layers of templates can make the configuration difficult to understand and troubleshoot. Aim for a balance between modularity and clarity.

For the PCNSE exam, regarding template overrides:

• Understand the rule of precedence: Last template in the stack wins for identical configuration items.
• Be able to determine the effective value of a setting when given multiple templates in a stack with conflicting configurations.
• Recognize that non-conflicting settings are aggregated.
• Understand the purpose of overriding values (providing exceptions or specific configurations on top of a base).
• Know that Template Variables are an alternative mechanism for handling device-specific *values* without necessarily needing overrides.
• Differentiate template override precedence from the overall Panorama hierarchy (Shared > DG Pre > Stack > DG Post > Local).