I just tested in my Panorama by making the same thing, and when you have a permitted IP in both templates it only pushes config from the top one, making A the only possible answer.
All four answers are not correct. The http field stays in conflict between both templates. Therefore the value from the top template takes place. And here is the box not ticked!
I tested this in lab, A is correct. In the 3rd screenshot you can see that DEVICE_TEMP has higher priority. This is why the $permitted-subnet-1 takes precedence and also the configured SNMP checkbox in REGIONAL_TEMP won't take effect because of this.
The info text in Panorama GUI for Template Stacks is:
The Template at the top of the Stack has the highest priority in the presence of overlapping config
OK, here is old Frankie's take:
The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and since Permitted IP Addresses is a duplicate, it will prefer the higher template.
Now it will also allow SNMP as it's in the lower template but, for this example, SNMP is still only applied to $permitted-subnet-1, rendering the other answers useless, so it's A.
Bottom line is Permitted IP Addresses is duplicate, as are most of the others (http, https, ssh, ping), but Telnet and SNMP are unique in each template but will still only apply to $permitted-subnet-1.
https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620
"- Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration"
"You need to be careful what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with template and just disable it again (remove the check from the "Enable HA" checkbox). This still will be part of the template, because now your template is explicitly defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with template, you need to revert the config by clicking the green bar next to the changed value"
Green bar next to value means value is explicitly specified. As higher template takes priority, the SNMP setting will be taken from device-template, which has SNMP explicitly disabled.
Device_Temp is higher in priority so SNMP will be disabled and permitted IP address will be combined.
Reference:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/configure-a-template-stack