What is it? Panorama is a centralized management system from Palo Alto Networks. Which of course manages Palo Alto Firewalls. It uses templates to push configuration to each or multiple firewalls. Which you probably already know if you got one. But the question is how it is being used.
Templates contains the configuration for everything in the Network Tab and Device Tab.
Template Stacks are multiple templates combine.
There are multiple ways in designing your templates.
Planning for templates and template stacks.
How should you plan?
I recommend starting with a base template, which palo alto calls a global template, which should have all the same configurations for all your firewalls. Examples are Administrators, Log Settings, Server Profiles (SNMP Traps, Syslog, TACACS+, Radius) but not limited to those. It all depends on your configuration. Spend some time looking into it, and you can also make changes afterwards.
The next templates require some planning. Because this varies depending on how many different Network topologies that you have and how you want to design it. You can create a device template specifically for each firewall and add it to the stack template. You just created some standardization. But what if you have multiple different network topologies? For example, some firewalls are HA and some are not; Some firewalls have a single ISP and some have multiple ISPs, the list goes on. If you only have a couple firewalls in a small network topology, then it’s not much of a pain. But what if you have 20 firewalls in that type of topology and you have more sites coming up? This is where you must decide. Deal with the pain now or deal with it later. Either way, you’ll still need to configure it.
Creating more standard templates makes life easier in this scenario. I’ve created some standard templates below.
Now I mentioned Variables on the templates above. Template Variables are configuration components for the template. Every firewall usually has different IP addresses. So, this makes it easier when implementing a new firewall. Examples are IP addresses for interfaces and HA settings. Variables names must start with $ sign. Example below.
You’ll need to export the variable from the stack template, which is a CSV file. Input the data for your variable, save it and import it back into Panorama. Commit to Panorama before pushing it to the device.
How you stack these templates are also important. The template on top has highest priority, and it will override any templates below if there are any matching configurations.
Example: Top template has an interface with Ip address 1.1.1.1 and a template below it has the same interface with Ip address 2.2.2.2. That interface will get an ip address of 1.1.1.1.
With my templates, it will be stacked in the order below.
With these standard templates in place, my integration steps for a new firewall are below.
Keep in mind that these template designs all vary in so many ways. It all depends on your plans and desire output. It’s probably best to plan something now before you add too many firewalls to your plate.
I ran into some commit errors on the template stack that I spent some time on, looking for the configuration. Best way to locate these configurations is start with the template stack instead of the individual template. Once you find it on the stack template, move your mouse over the green setting icon. It’ll tell you which template it is on. If you can’t find it there, then look at the device configuration.
I also had some issues with the variables. Some ip-netmask variable types require a CIDR input and some just require IP address. Importing and committing to Panorama doesn’t give an error, but when you push to the device, that’s when you’ll see the error.
I hope this had some good insight for you. Thank you for reading.
As always if you have any questions on Palo Alto Networks Panorama for you and your business and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!