First introduced in Panorama version 8.1, variables allow administrators to consolidate the configuration needed to manage multiple firewalls, simplifying the configuration elements. Firewalls can usually be grouped by common characteristics, such as location or use case. However, grouping firewalls presents a challenge because, even in high-availability configurations, some configuration elements need to remain individualized. Before variables, the configuration had to be split into multiple templates so that each firewall would get these unique configuration elements, such as IP addresses on interfaces or routes. Now, variables allow an administrator to simplify the configuration, significantly reducing the chance of errors.

What is a template?

More than likely, if you're reading this, you already know what a Palo Alto template is.  In short, templates allow Panorama to manage firewalls' device and network configurations, centralizing the configuration to reduce the administrative burden of managing multiple firewalls. Many configurations can be repeated among firewall groups, such as Panorama's IP address for log forwarding.  However, some configuration elements, such as high-availability IP addresses, need to stay unique. If the same IPs are used on multiple firewalls, there will be an IP conflict, preventing the firewalls from communicating with each other to form an HA pair.

How do variables help?

This is where variables come in. Let's continue using the HA1 example to see how variables can simplify the configuration.  Without variables, you must either configure the HA settings locally on each firewall or create device-specific templates and template stacks so that each firewall can receive unique configuration elements, as seen in the example below.

 

Example template structure without variables

Below is an example of the variables that can be configured. In the high-availability configuration example, we would use some of the variables listed below, allowing the consolidation of the templates and template stacks into a single template stack per high-availability pair.

Example variables

As mentioned earlier, consolidating the configuration using variables reduces the chance of errors. Below is an example of the reduced template structure. 

Example of streamlined template structure

This example removes the unique template stacks for each firewall in each location. Although this example is relatively simple, imagine having hundreds or maybe thousands of firewalls and how complex that can get if every firewall needs its own template stack.

How to create variables

Variables can be created wherever you would normally enter a value for specific objects, such as management IP addresses, DNS servers, routes, and default gateways. When you import a firewall into Panorama that has already been configured, you can even use the template variable management option to pull the values for the variables from the local configuration. To make it easier to manage variables on a larger scale, Palo Alto also provides a mechanism to upload variable values using a CSV-formatted spreadsheet, as seen below.

 

Variable CSV options
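Because a bulk CSV upload can reintroduce the HA IP conflict described earlier, it helps to check the sheet before it goes to Panorama. The following is an added example, not code from Palo Alto or the original article; the column layout (`variable`, `type`, then one column per firewall), the variable names and the firewall names are assumptions made for illustration and do not reproduce Panorama's own CSV format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample sheet (layout and names are assumptions, see lead-in).
SAMPLE_CSV = """variable,type,fw-nyc-a,fw-nyc-b,fw-chi-a,fw-chi-b
$ha1_local_ip,ip-netmask,10.0.1.1/30,10.0.1.2/30,10.0.2.1/30,10.0.2.1/30
$ha1_peer_ip,ip-netmask,10.0.1.2,10.0.1.1,10.0.2.2,10.0.2.1
$mgmt_gateway,ip-netmask,192.0.2.1,192.0.2.1,198.51.100.1,198.51.100.300
"""

# Hypothetical set of variables whose value must differ on every firewall.
MUST_BE_UNIQUE = {"$ha1_local_ip"}


def check_variables(text, unique_vars=MUST_BE_UNIQUE):
    """Return (variable, device(s), problem) tuples found in the sheet."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        name, vtype = row.pop("variable"), row.pop("type")
        seen = defaultdict(list)  # address -> firewalls that use it
        for device, value in row.items():
            value = (value or "").strip()
            if not value:
                findings.append((name, device, "missing value"))
                continue
            if vtype == "ip-netmask":
                try:
                    # Accepts both "10.0.1.1/30" and a bare "10.0.1.1".
                    addr = ipaddress.ip_interface(value).ip
                except ValueError:
                    findings.append((name, device, f"invalid address {value!r}"))
                    continue
                seen[addr].append(device)
        if name in unique_vars:
            for addr, devices in seen.items():
                if len(devices) > 1:
                    findings.append((name, ",".join(devices), f"duplicate {addr}"))
    return findings


if __name__ == "__main__":
    for finding in check_variables(SAMPLE_CSV):
        print(*finding, sep=" | ")
```

Variables such as a shared gateway are deliberately left out of `MUST_BE_UNIQUE`, since repeating them across firewalls is expected.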

 

A final thought on variables

Variables have saved a great deal of time and effort for admins who have embraced their use. I know from experience that switching to variables can seem daunting, but once you give them a chance and learn how to work with them, they will save time and reduce complexity. In large infrastructures with multiple template branches, they can eliminate much of that complexity and make troubleshooting far more straightforward.

If you have any questions about how to leverage variables in your environment, please feel free to contact your local WWT account team. We will be more than happy to discuss variables with you and help you find other ways to simplify your configuration.
