Guidelines and Limitations for Device Management using Device Templates

General Guidelines for Device Templates

  • All device configurations other than VNI and VTEP are supported.

  • You can attach shared policies and S2S VPN policies to a template. These policies are assigned during template application.

  • Templates can be applied on HA devices. However, application of device templates during HA device pair registration is not supported. You also cannot manage HA-related configurations such as failover links, standby IP addresses, and so on. For more information, see Device Template Operations on Threat Defense HA Devices.

  • Device template operations are supported only on the active management center. The standby peer does not support device template operations.

  • Ensure that the template names and device display names are not the same.

  • Ensure that you do not create or delete a template during device backup or restore operations.

  • After application of the template on the device, if the manager access is changed from management to data interface or vice-versa, you must re-establish the management connection with the device. Note that you cannot change the manager access interface during template application.

  • You can add a maximum of 250 device templates to the management center.

  • Templates that are created and configured for devices that are managed through the data interface cannot be used to register and apply to devices that are managed through the management interface.

  • Device registration and template application do not come under the Change Management workflow. Only approved data, such as access policies, templates, template variables, network overrides declared in the template, and template configurations used in the template application operation, is used.

  • Device registration with serial number and access control policy is supported for only one device at a time.

  • When you apply a template to a device that is already registered, the configuration in the template is only copied to the target device. You can then choose to manually deploy the configuration on the device or let the copied configuration stay on the device and deploy later. However, if you apply the template during device onboarding, the configuration in the template is copied to the target device and, as per existing behavior, automatically deployed on the device after device registration.

  • Any change in model mapping causes the device to be marked as ‘Out of Sync’. Consider reapplying the template to the devices if you have made changes to the interface mapping in the corresponding model mapping or if you have made any configuration changes after the previous application of the template.

  • Device templates are only supported on merged management and diagnostic interfaces. For more information, see Merge the Management and Diagnostic Interfaces.

  • Template configuration updates are supported by change management. Creation and application of device templates are not supported by change management.

  • You cannot sync configuration changes from a device to the template. A few sample scenarios during which you may want to make changes to the device configuration using a template along with recommended solutions are given below:

    • If you want to test the new configuration changes on one device before propagating the changes to multiple devices, we recommend that you make the changes in the template and apply the template to one device. Validate the changes on that device and then apply the template to the other devices.

    • If you want to make a large number of changes resulting in a significant deviation from the current configuration on a device, and then propagate those changes to other devices, you may choose one of the following options:

      • Export the current template to get a copy of the template. You can then make the required changes in the template and apply to a single device. Validate the changes on that device and then apply the template to the other devices.

      • You can also make the required changes on the device and create a template from that device. You can then apply and validate the changes on the other devices. However, we do not recommend this as template parameters such as variables and network object overrides will not be present in the created template.

    • If the configuration on a particular device starts to differ significantly from the configuration in the template, you may also choose to not use the template for this device and delete the device-template association from the Associated Devices window.

Guidelines for VPN Connections in Device Templates

  • Supported interfaces for VPN topologies are:

    Topology Type              Interface Type
    -------------------------  ------------------------------------------------------------
    Policy-Based and SD-WAN    • Physical interfaces
                                 • Non-management
                                 • Interface Mode must be either Routed or None
                               • Subinterfaces
                               • Redundant interfaces
                               • Etherchannel interfaces
                               • VLAN interfaces
    Route-Based                • Static Virtual Tunnel Interfaces

  • When you apply a template on a device that is part of a VPN topology, you must ensure that the template includes interface configurations for all interfaces used in the topology.

  • When you apply a template with VPN connections to multiple devices, note the following:

    A template is applied to multiple devices in the order in which you have selected the devices. If the template has VPN connections, the corresponding VPN topology is locked.

  • For SD-WAN topology VPN connections: Ensure that the IP address subnet of the interface does not conflict with the subnet of the IP address pool of the SD-WAN hub.

  • Domain:

    • You can define a template in a global or leaf domain. However, you can define a VPN topology only in a leaf domain.

    • You can configure VPN connections in a template for all domains. During template application, VPN connections are applied to the device only if the device is in the same domain as the VPN topology.

    For more information, see Device Templates in Domains.

  • Change management: Before you apply a device template to a device, ensure that the VPN topology is not locked by a Change management ticket.

Limitations for Device Templates

  • The following features and configurations are not supported using device templates:

    • Multi-instance mode

    • Clustering

    • Non-converged management interface

    • Transparent mode

    • HA failover configurations

    • Chassis configurations

    • Logical devices

    • Variables for nested objects

    • Override support for network groups and other object types

Limitations for VPN Connections

  • When you create a template from a device that is part of a VPN topology (Devices > Device Management > More (more icon) > Generate Template from Device), VPN configurations are not part of the template. You must reconfigure the VPN configurations on the template.

  • When you export a device template with one or more VPN connections (Template Settings > General > General pane > Export), the VPN connections are not exported. You must reconfigure the VPN connections on the imported template.

  • Certificate-based authentication:

    • Device templates do not support automatic certificate enrollment of a device.

    • When you onboard a device using a template with VPN configurations, if the VPN topology uses certificate-based authentication, the first deployment to the device will fail. Ensure that you manually enroll the device certificate after the device registration and deploy the configurations on the device again.