Configure Main Templates

Add Main Templates

You create a new main template using a configuration workflow. When you create a main template, it is marked as Version 1 of the template.

Each main template must contain the following minimum configuration:

• Deployment tier
• One WAN networking interface configuration
• One LAN Network interface configuration
• Template name

All other items in the Add Main Template workflow are optional.

To configure a main template:

1. In Tenant view, select Configure > Secure SD-WAN > Main Templates. The Main Templates table displays.
   
   
    
2. Click + Add. The screen displays the workflow to create a template, beginning with step 1, Deployment Tier and High Availability.
   
   
    
3. Select the Deployment Tier tab, and then enter information for the following fields.
    

   Field	Description
   Scope	Select the scope for the deployment: Single Tenant Multi Tenant Sub Tenant
   Solution Tier	Select the deployment type, SD-WAN or NGFW, and then the solution tier. When you select the deployment type, the corresponding solution tiers display. Select the solution tier based on the license you plan to apply to the device.
   SD-WAN	For SD-WAN solutions, choose from the following options: Prime SD-WAN Prime Secure SD-WAN Premier Secure SD-WAN Premier Elite Secure SD-WAN
   NGFW	For NGFW solutions, choose from the following options: Pro-Net Next-Generation Firewall (NGFW) Unified Threat Management (UTM)

4. For high-availability (HA) deployments, select the High Availability tab.
   
   
    
   1. Click the toggle to switch between enabled and disabled HA mode.
   2. If you enable HA mode, select either Active-Active or Active-Standby mode.
       
5. Select workflow step 2, Network Interfaces. 
6. In the Device Model field, select a device model. If your model is not listed, select Other. If the NIC Port field displays, select the NIC port configuration for the device. 
   
   

   The screen refreshes to display some or all of the following tabs, based on your device selection:

   • All Interfaces
   • WAN
   • LAN
   • Site-to-Site Tunnel
   • Loopback
   • Cross Connect (Displays for HA deployments.)
   • Paired Virtual Tunnels
   • WiFi Radios
      
7. To configure an interface, select the tab for the interface type you want to configure. You can add a new interface configuration or select from existing configurations. 
    
   • To add a new interface configuration, click the Add drop-down list, and select Add New. 
     
     For example, to add a new WAN interface, select the WAN tab, and then select Add New WAN Interface from the Add drop-down menu.
     
     
     
     For information about adding interface configurations, see the following documentation:
      

     Interface Type	Documentation
     WAN	Configure WAN Interfaces in Concerto
     LAN	Configure LAN Interfaces in Concerto
     Site-to-Site Tunnels	Configure Site-to-Site Tunnel Interfaces in Concerto
     Loopback	Configure Loopback Interfaces in Concerto
     Cross Connect	Configure Cross-Connect Interfaces in Concerto
     Paired Virtual Tunnels	Configure Paired Virtual Tunnels in Concerto
     WiFi Radios	Configure WiFI Radio Interfaces in Concerto

      
   • To select from existing interface configurations, click the Add drop-down list, and select Add Existing.
     
     For example, to add an existing WAN configuration select the WAN tab and then select the Add Existing WAN Interface from the Add drop-down menu. 
     
     
     
     The Add Existing window for the interface type displays.
     
     
     
     To select an interface configuration, select its version from the drop-down list in the Version field. Then, click the box to the left of the interface configuration name. Details for the interface configuration display in the Selected Interfaces pane.
      
   • Click Submit to add the interface configuration to the main template.
   • If HA is enabled, select the Secondary Device tab, and then repeat procedure Steps 7a and 7b, above.
   • To view a list of all interface configurations included in the main template, select the All Interfaces tab.
     
     
      
8. To configure policies for the main template, click the workflow step for the type of policy you want to configure. Note that some of these steps might not appear in your main template, depending on your deployment:
   • Topologies & Routing Protocols
   • Network Services
   • QoS, Traffic Steering and Traffic Monitoring
   • Authentication
   • Security
     
     
9. For the selected workflow step, configure a list of policies to include in the template. For each step, you can select from existing policies, or you can create new policies.
   • To create a new policy, select the Add New icon. For example, to add a new topology and LAN routing protocol policy, select the Add New Topology & LAN Routing Protocol icon. For more information, see the documentation that corresponds to the policy type in the table below. 
      

     Workflow Step	Policy Types	Documentation for Policy Type
     Topologies and Routing Protocols	LAN	Configure SD-WAN Topology and LAN Routing Protocols
     	WAN	Configure SD-WAN WAN-Facing Routing Protocols
     Network Services	CGNAT	Configure CGNAT Policies
     	DNS Proxy	Configure DNS Proxy for Concerto
     QoS, Traffic Steering & Traffic Monitoring	QoS Application	Configure Application QoS Policies in Configure QoS
     	QoS Stateless	Configure QoS Stateless Policies in Configure QoS
     	Traffic Steering	Configure SD-WAN Traffic Steering
     	Traffic Monitoring	Configure SD-WAN Traffic Monitoring
     Authentication	User and Device Authentication	Configure User and Device Authentication
     Security	Access Control	Configure SD-WAN Access Control Policies
     	DoS	Configure SD-WAN DoS Protection Policies
     	TLS	Configure SD-WAN TLS Decryption
     	Security Setting	Configure SD-WAN Security Settings

   • To select from existing policies, select the Add Existing icon. For example, for topology and LAN routing protocols, select the Add Existing Topology & LAN Routing Protocols icon to display the following screen.
     
     
     
     Click the box to the left of a policy to add it to the table, and then click Submit.
     
     The screen displays the list of policies to be included in the template.
     
     
      
   • To reorder the policies, click the box to the left of each policy, and then click +Reorder.
      
10. Select the workflow step for Servers & Settings. The screen displays the following tabs: 
    • Management Servers—Configurations for syslog, NTP, DNS, TACACS+, RADIUS, and SNMP servers.
    • VOS User Policies—Configuration for shell accounts on VOS devices to which you publish the main template.
    • ALG Policies—Application layer gateway (ALG) policies.
    • System Settings—System settings for VOS devices to which you publish the main template.
      
      
      
      For information about configuring the servers and settings for each tab, see the following documentation:
       

      Interface Type	Documentation
      Management Servers	Configure Management Servers
      VOS User Policies	Configure VOS User Accounts
      ALG Policies	Configure Application Layer Gateway
      System Settings	Configure System Settings

11. Select the workflow step for Director Service Templates.
12. To add a Director service template:
    
    
     
    1. Click + Add. The Add Director Service Templates window displays. The screen lists the service templates configured on the underlying Director instance. For information about Director service templates, see Overview of Configuration Templates.
       
       
        
    2. Click the box to the left of one or more templates to add it to the list of Director service templates. 
    3. Click Submit. The service template is added to the table of service templates for the main template.
       
       
        
    4. To reorder the templates, click the box to the left of each template, and then click +Reorder.
        
13. Select the workflow step for Variables. The screen displays variables included in the template. You assign values to variables from this screen. Note that there are two types of variables:
    • Variables defined within the policies and interface configurations from workflow steps 2 through 8. These are configured in Concerto.
    • Variables defined in the Director service templates you selected in workflow step 9, Director Service Templates. These are configured in Director.
      
      In the example below, all variables are from the Director service templates since in this case no policy or interface configuration variables were defined. For information about configuring variables in Concerto, see Object Variables in Versa Concerto for SD-WAN.
      
      
      
      You can assign values to variables for primary and secondary devices:
      • To assign a value for a variable for a primary device, enter the value in the box beneath the variable, and then press the tab key.
        
        
      • To assign a value for a variable for a secondary device variable, click the + Plus icon to expand the display, enter a value in the box beneath the second instance of the variable name, and then press the tab key.
        
        
14. Select the workflow step for Permissions.
15. The permissions for each role is selected by default, and you can update it. To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role. The displayed permissions apply to this main template only.
    
    
16. Select the workflow step for Review & Submit.
    
    
17. In the General section, enter values for the following fields.
     

    Field	Description
    Name (Required)	Enter a name for the main template.
    Description	Enter a description for the main template.
    Tags	Enter one or more tags to to associate with the main template. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching objects.

18. The remaining sections display the previously configured values for the template. Click the Edit icon to edit any of these values. 
19. Click Submit to add the main template. 

Manage Main Templates

You can perform the following actions on main templates:

• Edit
• Clone
• Delete
• View references
• Propagate
• Compare versions
• View the audit log
• Enable and disable auto delete

For descriptions of references, propagation, and auto delete, see SD-WAN Configuration Hierarchy in Versa Concerto for SD-WAN.

To manage main templates:

1. Select Configure > Secure SD-WAN > Main Templates. A table of currently configured main templates displays.
   
   
    

   Column	Description
   Name	Name of the template.
   Version	The number of versions of the template.
   Variables	Number of variables in the template. To view a list of variable names and their assigned values, click the Eye icon.
   Last Modified	Most recent modification date of the template.

2. To edit a template:
   • If exactly one version of the template exists, click the template name in the Name column of the Main Templates table. The Edit Main Template window displays. Continue to Step 3.
     
     
   • If multiple versions of the template exist:
     1. Click the link in the Version field of the Main Templates table.
        
        
        
        A table listing the versions of the template displays.
        
        
     2.  Click the template name in the Name column. The Edit Main Template window displays. Continue to Step 3.
3. In the Edit Template window, make changes to the template.
4. Select workflow step 12, Review and Submit.
   
   
5. To save your changes:
   1. Click Submit. The following window displays.
      
      
   2. Click No to save your changes without searching for VOS devices that reference the template. Continue to procedure Step 6.
   3. Click Yes to search for devices that reference the template. The following window displays.
      
      
   4. Select devices to which to propagate the template, and then click Submit. The propagation status displays.
      
      
   5. Continue to procedure Step 6.
6. To perform actions on a template:
   • If exactly one version of the template exists, click the box to the left of the template name. The menu bar in the upper-right portion of the screen activates. Continue to procedure Step 7. 
     
     
      
   • If multiple versions of the template exist:
     ​​​​
     1. Click the link in the Version field.
        
        
        
        A table listing the versions of the template displays.
        
        
     2. Click the template name in the Name column. The menu bar in the upper-right portion of the screen activates. Continue to procedure Step 7.
7. Select one of the following actions.
    

   Action	Description
   Clone	Click to make a copy of the selected template.
   Delete	Click to delete the selected template.
   Refresh	Click to refresh the template table.
   Propagate	Click to propagate and publish the template. The Propagate popup window displays.  When you propagate the template you can choose to perform the following operations: Propagate—Updates the version of the template that is associated with VOS devices. When you associate a device with a main template, the association is with a specific version of the main template. The device only references that version. If you update a main template that is referenced by a device, you must indicate whether the device should continue to reference the original version or if it should reference the updated version. If you choose to have the device reference the updated version of the main template, Concerto must adjust its internal data to point to the new version. This is referred to as propagating the updated main template.  Publish—Publishing a template updates VOS device configurations in the underlying Director node's database. The devices must be associated with the main template before you can publish the template. For more information, see Associate a Main Template with a VOS Device, below. During publication, Concerto passes the template's specifications and variables to Director, which converts the information into VOS device configurations and stores them in the Director database. Commit—Copies the VOS device configurations from Director to the corresponding devices. If the device is ZTP completed and connected to the Director, then the committed configuration becomes the running configuration on the device. Reboot—This option is sometimes required for configuration changes to be committed successfully. Certain changes are not allowed by VOS without selecting this option. If you commit such configurations without selecting this option, publishing will fail.    To propagate and publish the template: Select the devices to which you want to propagate the main template.   Click Submit. The Propagation Status screen displays.   To view details of the propagation, click View Task Details. Click Publish. For appliances requiring variable assignments, click +Add Values to display the View Variables popup window, and then assign values to variables as described in procedure Step 13 in section Add Main Templates, above.  Select and/or deselect appliances in the list. Click Submit. The Publish Options popup window displays.   Enter information for the following fields   Field Description Director Device Template (Group of Fields)   Merge (Default) Select to merge the configuration. To publish a configuration, Concerto contacts the underlying Director node which converts the main template specifications and variables into a VOS device configuration. The device configuration is stored in the Director database. The merge option merges the information from the template you are propagating with any existing configuration for the device in the Director database. For example, you cannot currently configure SNMP using Concerto. If you configure SNMP on Versa Director and then publish a configuration from Concerto to Versa Director, the SNMP configuration is retained on Versa Director. Overwrite Select to overwrite the configuration for the device in the Director database. Commit Template to Appliance Commit the device configuration from Director to the appliance or appliances you selected in Step 4. The new configuration becomes the running configuration on the device. Deploy Device Workflow Redeploy the device workflow on the Versa Director node. Reboot Appliance Reboot the appliance after committing the configuration. This option not typically required, but is sometimes needed to successfully apply the configuration. Click Publish.
   View References	Click to display the devices that reference the template.
   Copy to Subtenant	Click to copy the policy to one or more subtenants. The following popup window displays.   To copy the policy: Click the box to the left of one or more subtenant names. To select all subtenants, click the box to the left of the Name column. If a subtenant has an existing policy with the same name and version number, the Override Existing column displays Yes and No radio buttons. In this case, click Yes to overwrite the existing policy, or click No to block copying the policy in the next step.   Click Submit to copy the policy to the selected tenants.
   Compare	Click to compare versions of a template.
   View Audit Log	Click to view an audit log for the main template. The screen lists actions taken on the template by users.     Click the arrow in the second column to expand the information in a row.
   Enable/Disable Auto Delete	Enable or disable auto delete for the main template. Auto delete automatically deletes main template versions that are no longer associated with any appliances and are not the latest version. See Auto Delete in Versa Concerto for SD-WAN.

Associate a Main Template with a VOS Device

You can associate a main template with a VOS device when you initially add the device in Concerto, or you can make the association after the device is configured. This section describes how to add or modify the association after the device has been configured. For information on associating a main template when you initially configure the device, see Configure Appliances, Hubs, and Hub–Controllers.

To associate a main template with a VOS device:

1. In Tenant view, select Deploy in the left menu bar.
   
   
    
2. Double-click the site containing the VOS device. The Site Summary screen displays.
   
   
    
3. Hover over the appliance hexagon, and then click Set Template. The Set Template list displays.
   
   
    
4. Select a main template. If the main template has multiple versions, you can select a specific version in the drop-down list for the template.
5. Click Apply to associate the main template with the device.
    

Supported Software Information

Releases 13.1.1 and later support all content described in this article.

Additional Information 

Configure Appliances, Hubs, and Hub-Controllers
Configure Application Layer Gateway
Configure CGNAT Policies
Configure Cross-Connect Interfaces in Concerto
Configure LAN Interfaces in Concerto
Configure Loopback Interfaces in Concerto
Configure Management Servers
Configure QoS
Configure SD-WAN Access Control Policies
Configure SD-WAN DoS Protection Policies
Configure SD-WAN TLS Decryption
Configure SD-WAN Topology and LAN Routing Policies 
Configure SD-WAN Traffic Monitoring Policies
Configure SD-WAN Traffic Steering
Configure SD-WAN User and Device Authentication Policies
Configure Site-to-Site Tunnel Interfaces in Concerto
Configure System Settings
Configure WAN-Facing Routing Protocols
Configure WAN Interfaces in Concerto
Configure WiFi Radio Interfaces in Concerto
Configure VOS User Accounts