I am embarrassed to say, I have worked with PA fw's for years, but every time I have to work with templates, I end up ruining my day because they make my life difficult. I just don't get them.
Let's say I have 2 templates in a stack, "Network" layer 1 on the bottom, and "VPN" layer 2 on the top.
In Network template, I defined eth1/1 as a public interface.
Then in VPN template, I created a vpn tunnel. But, it has to be tied to an interface, so I had to redefine eth1/1 again here, since it doesn’t see the eth1/1 from the Network template.
But then I try to commit, and get this error, because it says "ethernet1/1 is already in use", which makes sense because I defined it in both layers. This messes me up because the VR can only reside in one layer, which I had in Network. Once I remove eth1/1 from the Network template so the commit works, then the VR and eth1/1 may as well be on different planets; they'll never talk to each other.
So does all the networking have to be defined within the same layer? I guess it would because otherwise you’d have a different VR on each template and they would not mesh together?
Device groups are so much easier to manage because everything flows through, but templates are very constricting.
Take a look at this great video on templates (which is great but probably out of date, as it's v8.x). If you FF to 6:00 it shows he has a Network template and an LSVPN template in a stack. How does this even work? If they both contain networking info, don't they conflict?
Thanks for listening to my ranting, happy to hear what I am missing here.
So just so I'm understanding correctly, this means that at my customer with 3 GlobalProtect gateways, every year when I have to help them replace the wildcard cert in Panorama, I need to do it in 3 different places, since it has a copy of the cert in each firewall's template. And also for the IPsec tunnels on each firewall, even though the IKE and IPsec settings for the tunnels are all the same between the firewalls, I have to define them in each template. Regarding the IPsec tunnels, each tunnel PSK is different between my 3 sites, and you can't use variables for PSKs, so this would not support using a centralized template with variables in this case.
Lol nono :) templates are great but they test your sanity
Thank you, this means I'm not crazy :)
Networking is one of those things that doesn't work well with templates :) I try to put everything related to networking into a single template, as there are other dependencies that cause weird behavior if you don't put them in the same template. I then use variables to make the template "transportable" to different firewalls.
I imagine networking kinda looks like a fungus with tentacles to everything that relates to the virtual router (interfaces and any objects that directly reference an interface like ipsec tunnels)
Once you give up fighting that blob life gets a little better ;)
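As an added illustration of the "single networking template plus variables" approach described above (this is not from the original thread or from Palo Alto; the template name, object names, addresses and variable names are assumed sample values, and the set-command syntax is written from memory, so check it against your PAN-OS version), here is what one such Panorama template looks like when the interface, the virtual router and the tunnel that references the interface all live in the same layer:

```text
# Template "Network": everything the virtual router touches lives here,
# so nothing in a higher template has to redefine ethernet1/1.
# Per-site values are template variables; the PSK cannot be a variable,
# so it stays a literal per site (placeholder shown, not a real key).
set template Network variable $untrust-ip type ip-netmask 203.0.113.10/24
set template Network variable $peer-ip type ip-address 198.51.100.1

# Physical interface, tunnel interface and the VR that binds them
set template Network config network interface ethernet ethernet1/1 layer3 ip $untrust-ip
set template Network config network interface tunnel units tunnel.1
set template Network config network virtual-router default interface [ ethernet1/1 tunnel.1 ]

# IKE gateway references ethernet1/1, so it must sit in the same template
set template Network config network ike gateway gw-hq local-address interface ethernet1/1
set template Network config network ike gateway gw-hq peer-address ip $peer-ip
set template Network config network ike gateway gw-hq authentication pre-shared-key key <site-specific-psk>

# IPsec tunnel references the IKE gateway and the tunnel interface
set template Network config network tunnel ipsec vpn-hq auto-key ike-gateway gw-hq
set template Network config network tunnel ipsec vpn-hq tunnel-interface tunnel.1
```

The values of $untrust-ip and $peer-ip are then overridden per firewall (in the Panorama managed-device variable settings), so the same template is pushed to each site without duplicating the interface or VR in a second layer. Keep the IKE gateway and IPsec tunnel in this template rather than a separate "VPN" template, because their local-address and tunnel-interface references are exactly the dependencies that break when split across layers.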