Hello good evening:
As always, thank you very much for the support, collaboration and help.
I have the following important question regarding a PANORAMA function, in relation to the "Forced Template Values" option.
According to the documentation, this option performs the following function:
Merge with Candidate Config = Option to merge the template configuration on Panorama with the Candidate Configuration on the device.
Force Template Values = Forces the Panorama template values to be applied on the device.
The official help documentation on Panorama says the following:
Force Template Values:
(Disabled by default) Overrides all local configuration settings and removes all objects on the selected firewalls that don't exist in the template or template stack or that are overridden in the local configuration. The push operation reverts all existing configuration on the firewall and ensures that the firewall inherits only the settings defined in the template or template stack.
If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.
My important doubt, since executing a bad action could apply changes that affect the correct functioning of the Firewall, is with the "Force Template Values" option.
- Example: if I configure the DNS in Panorama in order to override the LOCAL configuration of the firewall, which has other DNS servers, and I want to configure both the DNS and the proxy from PANORAMA, would this option allow me to execute that change and override the local settings?
- In addition, and this is where special care with this option is needed: what happens in the example case where, at the local level, I have HA and MGT interface IP configurations, and at the Template/Template Stack level I have no configuration associated with them, that is, configurations that are active and remain local only? If I have nothing set for them in the template, no associated configuration, and I only want, for example, to adjust and replace the local DNS, Proxy and NTP configuration using "Force Template Values", will it overwrite all the local settings anyway, even though nothing is set for them in the template? That is, I would leave them blank, thinking that I have nothing associated with HA or the MGT interface, and use "Force Template Values" only to overwrite and apply the DNS, proxy and NTP from the Panorama template. Would this option not affect the local HA and MGT values?
I remain attentive; in advance, thank you very much for the support and collaboration.
Best regards
It only applies to a few things. HA config does not exist in the XML before you create config, so the 'high-availability' bit remains in config after you've removed all the parameters. MGT config already exists, so removing parameters from it does not leave such a blank setting (but it's always good to double check).
@Reaper Hello Reaper, thank you very much for the support, the answer and the clarification.
So, in case 2 that you tell me:
"if you started creating HA config and then remove it all later on, you will have an empty HA config in the template. If you force that template, it will wipe the local config"
This means that although I apply a "remove all" to the HA config of the Template at the GUI and template level, it is considered an empty template and it is possible that residues may remain. If these residues continue to exist and I apply a "force template values", it will eliminate the local HA configuration and apply an empty one, in the case of not deleting the residuals of the template. To avoid this, that is, problems with the configuration residuals, it is best to review them and eliminate them via CLI, as you showed in your last comment. If I already make sure that there are no residues, applying "force template values" will not eliminate the local config and I will not have problems, right?
Another thing: does this apply to all Template parameter settings? For example, for the configuration of the MGT, or for the DNS and/or NTP: if it is deleted and a "remove all" is applied to the template and there is some configuration residue, will applying "force template values" also erase the local MGT/DNS and/or NTP settings and leave a blank setting?
This is very critical and I must understand the use, risks and benefits of the correct use of the "force template values" option.
Thank you very much Reaper for the support and help. I look forward to your comments.
"force template values" only forces the parameters that have been set in templates. There is one important thing to keep in mind: if you once created something in a template and then removed it, there may be residual config that indicates something should be 'empty', i.e. HA config.
So: if you never touched HA in the template and push with 'force template', the local HA config will be maintained.
If you started creating HA config and then removed it all later on, you will have an empty HA config in the template. If you force that template, it will wipe the local config.
It's very easy to check if such residual stuff exists by checking the appropriate template from the CLI for residual HA config:
admin@PANORAMA> set cli config-output-format set
admin@PANORAMA>
admin@PANORAMA> configure
Entering configuration mode
[edit]
admin@PANORAMA# show | match high-availability
set template DC1-FW1-local config deviceconfig high-availability interface ha1 port aux-1
set template DC1-FW1-local config deviceconfig high-availability interface ha1 encryption enabled yes
set template DC1-FW1-local config deviceconfig high-availability interface ha2 port ethernet1/9
set template DC1-FW1-local config deviceconfig high-availability interface ha2-backup port ethernet1/10
set template DC1-FW1-local config deviceconfig high-availability interface ha3
set template DC1-FW1-local config deviceconfig high-availability interface ha1-backup port aux-2
Removing it is also easy:
admin@PANORAMA# delete template DC1-FW1-local config deviceconfig high-availability
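The CLI check above covers one template and one subtree (HA). As an added example that is not part of this thread or of any Palo Alto Networks tool, the script below performs the same pre-push check offline over an exported Panorama configuration: it walks every template's deviceconfig and reports elements that exist but carry no settings, which is exactly the "empty config in the template" state that wipes the corresponding local section when pushed with Force Template Values. The XML layout (config/devices/entry/template/entry/config/devices/entry/deviceconfig) is an assumption based on a typical Panorama running-config export; compare it against your own export before relying on the paths. The sample config is constructed and does not describe any real device.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Panorama running-config export (layout assumed).
# Template DC1-FW1-local once had HA and NTP settings that were later removed in the GUI,
# leaving empty <high-availability/> and <ntp-servers/> nodes behind.
# Template DC1-FW2-local never touched HA or NTP, so it has no residual nodes.
SAMPLE_CONFIG = """<config version="example">
  <devices>
    <entry name="localhost.localdomain">
      <template>
        <entry name="DC1-FW1-local">
          <config><devices><entry name="localhost.localdomain">
            <deviceconfig>
              <system>
                <dns-setting><servers><primary>10.0.0.53</primary></servers></dns-setting>
                <ntp-servers/>
              </system>
              <high-availability/>
            </deviceconfig>
          </entry></devices></config>
        </entry>
        <entry name="DC1-FW2-local">
          <config><devices><entry name="localhost.localdomain">
            <deviceconfig>
              <system>
                <dns-setting><servers><primary>10.0.0.53</primary></servers></dns-setting>
              </system>
            </deviceconfig>
          </entry></devices></config>
        </entry>
      </template>
    </entry>
  </devices>
</config>"""


def _collect_empty(elem, path, out):
    """Depth-first walk; record elements with no children, no text and no attributes."""
    for child in elem:
        child_path = f"{path}/{child.tag}"
        if child.get("name"):
            child_path += f"[@name='{child.get('name')}']"
        is_empty = len(child) == 0 and not (child.text or "").strip() and not child.attrib
        if is_empty:
            out.append(child_path)
        else:
            _collect_empty(child, child_path, out)


def find_residual_nodes(xml_text):
    """Return {template_name: [paths]} of settings-less elements under each
    template's deviceconfig. A non-empty list means a Force Template Values push
    would replace that local section with an empty one."""
    root = ET.fromstring(xml_text)
    report = {}
    for tmpl in root.iterfind("./devices/entry/template/entry"):
        residual = []
        for devcfg in tmpl.iterfind("./config/devices/entry/deviceconfig"):
            _collect_empty(devcfg, "deviceconfig", residual)
        report[tmpl.get("name")] = residual
    return report


def templates_unsafe_to_force(xml_text):
    """Names of templates that carry at least one residual node."""
    return [name for name, nodes in find_residual_nodes(xml_text).items() if nodes]


if __name__ == "__main__":
    for name, nodes in find_residual_nodes(SAMPLE_CONFIG).items():
        status = "REVIEW before Force Template Values" if nodes else "no residual config"
        print(f"{name}: {status}")
        for node in nodes:
            print(f"    residual: {node}")
```

Feed it the output of a config export (the `show config running` XML saved to a file) and review every reported path; each one corresponds to a `delete template <name> config ...` that should be considered before the push, or to a section that you deliberately want forced to empty.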