Note: NetWall nodes are not supported
This feature is only supported by NetShield nodes. NetWall nodes are not supported.
A ConfigurationTemplate is an InCenter object that contains a set of configuration objects. The template can be applied to a particular node so the configuration additions and changes introduced in the template are transferred to the node.
A common use case for templates is to simplify a recurring configuration task, such as setting the same initial configuration for a newly added node.
When the template is applied to a node, there is no lasting relationship created between the configuration changes made and the template. The template can be reused with other nodes and also edited.
Creating a Template
Below is an example of template creation:
admin@InCenter:/> add ConfigurationTemplate Name=my-tp1 Version=3.30.00.25
The show command can list all currently defined templates:
admin@InCenter:/> show ConfigurationTemplate
Name Version Comments
- ---------- ---------- --------
my-tp1 3.30.00.25
Specifying the Template Version
The Version property must be specified when a template is created. The following should be noted about this property:
The version property must be set to any firewall software version that is supported by InCenter. Tab completion can be used to list all valid versions to help enter the number. The InCenter command show StandaloneNode will display a node's version number.
The template can be applied to a node running the same or a higher version.
The template cannot be applied to a node running a lower version number.
The template version property can be changed to a higher version number, in which case the template will be automatically upgraded to the new version when the change is activated.
The template version property cannot be changed to a lower version number.
Adding Template Objects
To add new configuration objects to a ConfigurationTemplate, the CLI context must be changed to be the template. In general, the configuration commands that apply for a node context are also valid for a template context. For example: add, set, delete, cc and show.
Add an IP address object to the template called my-ip1 with the IP 192.168.0.10:
admin@InCenter:/> cc ConfigurationTemplate my-tp1
admin@InCenter:/my-tp1> add IPAddress Name=my-ip1 Address=192.168.0.10
Add an empty interface object to point out the interface on the target:
admin@InCenter:/my-tp1> add EthernetInterface Name=if1
Add an IPRule that makes use of these objects:
admin@InCenter:/my-tp1> cc IPRuleSet main
admin@InCenter:/my-tp1/IPRuleSet/main> add IPRule Action=Deny DestinationInterface=if1 DestinationNetwork=my-ip1 SourceInterface=any SourceNetwork=all-nets Service=all_services Name=my-rule1
A change to the TCP settings could then be made:
admin@InCenter:/my-tp1/IPRuleSet/main> cc ..
admin@InCenter:/my-tp1> set TCPSettings TCPAllowReopen=HigherSeq
Now, the activate and commit commands should be entered to save the template.
Applying Templates
A template apply operation will only transfer configuration changes that have been made to the template. Applying a template without changes will not introduce any changes on the target node(s).
The template my-tp1 can now be applied to the node my-node1 using the template command:
admin@InCenter:/> template -apply my-tp1 my-node1
Alternatively, the template could be applied to a list of nodes and groups:
admin@InCenter:/> template -apply my-tp1 my-node2,my-group1
Using the keyword <all> will apply the template to all nodes:
admin@InCenter:/> template -apply my-tp1 <all>
Applying the template my-tp1 will result in the following changes being made to the configuration of the target node(s):
Address object my-ip1 is added to the node's address book.
No change is made to the EthernetInterface if1.
IPRule object my-rule1 is added to the node's main rule set.
The TCPSettings property TCPAllowReopen has been set to HigherSeq.
After a template is applied, the changes introduced can be viewed using the command show -changes within the node's CLI context. The normal activate and commit sequence must also be entered to save the changes to any affected nodes.
Reapplying the same template will update changes made to settings and named objects such as IPAddress objects, but it will duplicate index objects such as IPRule objects. So if the exact same template (in the example) is reapplied, the only change to the target node(s) will be that a new IPRule is added.
Listing Template Contents with -show
A convenient way to view the effect that a template will have when it is applied is to list its contents using the template -show command. The following example shows this command being used with the template example that was created earlier in this section:
admin@InCenter:/> template -show my-tp1
Identifier Value
-------------------------------- ------------
|- ConfigurationTemplate my-tp1
|- EthernetInterface if1
| |- Name if1
|- IPAddress my-ip1
| |- Name my-ip1
| |- Address 192.168.0.10
|- TCPSettings
| |- TCPAllowReopen HigherSeq
|- IPRuleSet main
|- IPRule 1(my-rule1)
|- Action Deny
|- Name my-rule1
|- SourceInterface any
|- DestinationInterface if1
|- DestinationNetwork my-ip1
|- Service all_services
|- SourceNetwork all-nets
A Summary of Template Usage
The following points should be noted about template usage:
A template can only add or change node configuration objects. It cannot delete objects.
A template should be self-contained, meaning that an object must be added in a template before it is used later in that template. For example, if a line in a template refers to interface if1 then if1 must have been added by an earlier line in that template. This can be seen in the previous example.
If a template is run more than once on the same node then an add operation will not be performed twice where an object is only identified by name and not by index. However, list objects that have a list index for reference (for example, IPRule objects) will be added again each time the template is run.
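The version rule from "Specifying the Template Version" and the re-apply behavior summarized above can be modeled together. The following Python model is an added example, not InCenter code: the dictionary layout, the function names and the node version are assumptions made for illustration. It shows that a second apply leaves named objects and settings unchanged but duplicates the indexed IPRule, which a simple comparison of rule properties can flag.

```python
# Added illustration: a simplified model of the apply semantics described on
# this page. Not InCenter code; the data layout and names are assumptions.

def parse_version(text):
    """Turn a dotted version such as '3.30.00.25' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

def apply_template(template, node):
    """Apply `template` to `node` in place, following the documented rules."""
    # A template cannot be applied to a node running a lower version.
    if parse_version(node["version"]) < parse_version(template["version"]):
        raise ValueError("node version is lower than template version")
    # Named objects (e.g. IPAddress) are identified by name: add or update.
    for name, props in template["named"].items():
        node["named"].setdefault(name, {}).update(props)
    # Settings (e.g. TCPSettings) are changed in place.
    node["settings"].update(template["settings"])
    # Indexed objects (e.g. IPRule) are appended again on every apply.
    for rule in template["rules"]:
        node["rules"].append(dict(rule))

def duplicate_rules(node):
    """Return 1-based (first, duplicate) index pairs of identical rules."""
    seen, dupes = {}, []
    for index, rule in enumerate(node["rules"], start=1):
        key = tuple(sorted(rule.items()))
        if key in seen:
            dupes.append((seen[key], index))
        else:
            seen[key] = index
    return dupes

# Constructed sample data mirroring the my-tp1 example on this page.
TEMPLATE = {
    "version": "3.30.00.25",
    "named": {"my-ip1": {"Address": "192.168.0.10"}},
    "settings": {"TCPAllowReopen": "HigherSeq"},
    "rules": [{"Name": "my-rule1", "Action": "Deny", "Service": "all_services",
               "SourceInterface": "any", "SourceNetwork": "all-nets",
               "DestinationInterface": "if1", "DestinationNetwork": "my-ip1"}],
}

def new_node(version):
    """Create an empty node model running the given (constructed) version."""
    return {"version": version, "named": {}, "settings": {}, "rules": []}

if __name__ == "__main__":
    node = new_node("3.30.01.10")  # constructed version, higher than template
    for _ in range(2):             # apply the same template twice
        apply_template(TEMPLATE, node)
    print(len(node["rules"]), duplicate_rules(node))
```

Running the same comparison over a node's real rule list after a repeated apply, and before activate and commit, identifies the rule entries that the second apply added.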
Template Version Mismatch
The following is a list of the possible version mismatch scenarios and a description of how to deal with them:
If the software version on the firewall is not supported by InCenter.
The solution is to change the firewall version.
The firewall has a higher software version than the node in InCenter.
The template can still be applied to the node. When the changes are activated, the node will be upgraded to the software version automatically but the template version will remain the same.
The template version must be changed manually. A reason to change the template version is to be able to include features in the template that are only available in a higher version.
The firewall has a lower software version than the node in InCenter.
The solution to this is to upgrade the firewall software version.