I just tested in my panorama by making the same thing and when you have a permitted IP in both templates it only pushes config from the top one. Making A the only possible answer.
I tested this in lab, A is correct. In the 3rd screenshot you can see that DEVICE_TEMP has higher priority. This is why the $permitted-subnet-1 takes precedence and also the configured SNMP checkbox in REGIONAL_TEMP won't take effect because of this.
The info text in Panorama GUI for Template Stacks is:
The Template at the top of the Stack has the highest priority in the presence of overlapping config
OK, here is old Frankie's take:
The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and since Permitted IP Addresses is a duplicate, it will preference the higher template.
Now it will also allow SNMP as it's in the lower template but, for this example, SNMP is still only applied to $permitted-subnet-1 rendering the other answers useless, so it's A.
Bottom line is Permitted IP Addresses is duplicate, as are most of the others (http, https, ssh, ping) but Telnet and SNMP are unique in each template but will still only apply to $permitted-subnet-1.
https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620
"- Force Template Value will as the name suggests remove any local configuration and apply the value defined in the panorama template. But this is valid only for overlapping configuration"
"You need to be careful, what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with template and just disable it again (remove the check from the "Enable HA" checkbox). This still will be part of the template, because now your template is explicitly defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with template, you need to revert the config by clicking the green bar next to the changed value"
Green bar next to value means value is explicitly specified. As higher template takes priority, the SNMP setting will be taken from device-template which has SNMP explicitly disabled.
Device_Temp is higher in priority so SNMP will be disabled and permitted IP address will be combined.
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/configure-a-template-stack
Just did a lab and found that services pushed from both templates, while the permitted subnets only pushed from the top template.
So, if my lab is valid/correct, the answer should be:
1. If based on the services, C should be correct (if subnet2 is removed)
2. If based on the permitted subnets, A is correct (if snmp is added)