Exam PCNSE
Question 120

Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two.)

    Correct Answer: A, B

    There are specific settings that can only be configured locally on a firewall and not pushed from a Panorama template or template stack. The HA1 IP Address and the Master Key are two of these settings. The HA1 IP Address involves configuring the IP addresses of firewalls in a high-availability (HA) pair, which needs to be done directly on the individual devices to ensure they communicate correctly. Similarly, the Master Key, which is used for encrypting certain sensitive information, must be configured locally for security reasons and cannot be pushed via Panorama templates or stacks.

Discussion
ChiaPet75 Options: AB

Correct: A, B. You can use Templates and Template Stacks to define a wide array of settings, but you can perform the following tasks only locally on each managed firewall: Configure a device block list. Clear logs. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode. Configure the IP addresses of firewalls in an HA pair. Configure a master key and diagnostics. Compare configuration files (Config Audit). Rename a vsys on a multi-vsys firewall.

Raikin

It is possible to set up in Panorama, also for a secondary box via variables, but for some reason firewalls just don't take those values. I have had a PAN TAC case open for it for 4 months already; PA engineering is working on it as of 04/2021. Just FYI.

secdaddy

reference URL https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/template-capabilities-and-exceptions

Frightened_Acrobat

'Allow Forwarding of Decrypted Content' under Device->Setup->Content-ID->Content-ID Settings also cannot be configured on a Panorama Template. Has to be configured locally on the firewall.

eeez27

I am pretty sure the HA IP address can be pushed from HA variables settings.

Gngogh

I have configured a pair of PAs where all HA config is pushed from Pano.

TAKUM1y Options: AB

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/template-capabilities-and-exceptions

dcamps

https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/template-capabilities-and-exceptions.html#idf414a976-3abc-42c3-a21e-63bc5b94c638

yogininangpal Options: AB

Badly worded question, as you can push the master key from Panorama to firewalls, but not via a template or template stack; it is via Panorama > Managed Devices > Summary: select the firewall and pick Deploy Master Key from the task bar at the bottom. So technically the answer AB is correct, as you cannot push the Master Key via Template or Template stack. You cannot create HA IP and push from Panorama.

lildevil

I don't see how you can't push HA1 IPs. I have a template stack that has a template called active that does just this, and a second template stack called passive that does the same thing (all my HA1s are 192.168.1.1/30 and 192.168.1.2/30 respectively for active and passive).

Gngogh

You can also use the same template stack on both firewalls and change HA IPs with variables.

Marshpillowz Options: AB

Correct answer is A and B

yogininangpal Options: AB

Badly worded question, as you can push the master key from Panorama to firewalls, but not via a template or template stack; it is via Panorama > Managed Devices > Summary: select the firewall and pick Deploy Master Key from the task bar at the bottom. However, you are not pushing this change via Template or Template stack, so technically the answer is AB.