NSM – Template Dos and Don'ts

Templates allows to effectively deploy and manage common configurations across firewalls within NSM Tenant. Templates in NSM have following behaviors:

Things to note:

1.    Template records every activity for each change included and performs those steps in order when applied onto Firewalls. It’s recommended to check ‘View Template Details’ of Template and verify the steps before applying to the Firewall/s or Group. 
For Ex: Adding an address object named ‘Google DNS’ and then renaming that to ‘Public DNS’ and finally deleting it from template. 
This address object is no more visible in the template UI and should’t be applied but when template is applied to a firewall/s, above steps will be performed in the same sequence: creating the address object, renaming it, deleting it. Which at times leads to failed commits or setting mismatch.
2.    Currently there are no validation checks in Template and it may lead to error/ issues when applying specific changes to firewalls.
For Ex: An address object called ‘Google DNS’ is created and is used in an Access Rule. Later changed the name to ‘Public DNS’. The Access Rule loses its association with the ‘Google DNS’ and replaced it default ‘any’.
3.    Template can be deleted from NSM but once a template is applied to a NSM group, changes stay on the group, even if the template is deleted and no more exists in NSM. Previous changes through that Template still applied to the group and underneath firewalls.
4.   Interface Configurations in the SonicWall firewall are stored as an array. Let’s say X0 has been configured with the following:
Example 1:  192.168.1.254/255.255.0.0, default gateway 192.168.7.1, with HTTPS disable, SNMP enabled
To change the interface IP from 192.168.1.254 to 192.168.1.1 using a template, it will push the IP address along with the default settings of the X0 interface, like below:
192.168.1.1/255.255.255.0, default gateway 0.0.0.0, HTTPS enabled, SNMP disabled, etc.

Example 2: If only HTTPS Management is disabled on the WAN interface using a Template, the Template will push other default settings like below.

Will change the WAN IP Mode / IP Assignment to DHCP as DHCP is the default value
Currently, partial updates of configuration settings are not supported.

Note: The JSON actions of Template can be viewed by clicking on ‘View Template Details’.

5.    It’s recommended to create a new Template instead of using existing Template with pre-existing configuration. That will help avoid any unwanted changes pushed to firewalls. 
6.    Instead of using a large template, its recommended to create multiple templates with small set of changes with a specific setting as needed. 

Refer to below technical document for more information:
https://www.sonicwall.com/support/technical-documentation/docs/nsm-administration/Content/topics/Templates/new-features-templates.htm/