Strata Cloud Manager
Manage: Snippets
Table of Contents
Manage: Snippets
Use snippets to group configurations that you can quickly push to your firewalls or
deployments.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Use snippets to group configurations that you can quickly push to
your firewalls or deployments.
A snippet is a configuration object which cannot fit into
a hierarchy, or grouping of configuration objects, that you can associate with a folder,
deployment, or device. Snippets are used to standardize a common base configuration for
a set of firewalls or deployments allowing you to quickly onboard new devices with a
known good configuration and reducing the time required to onboard a new device. For
example, you onboard a new firewall in a remote branch office. You can associate a set
of snippets that contain all of the required network and policy rule configurations with
the folder the new firewall belongs to. This reduces the time required to set up the
firewall to protect the remote branch office.
Snippet associations have a top-down priority in the
event of conflicting object values. Rules with duplicate names are not allowed, and
validation fails during the creation of a snippet with the same name in any folder or
while associating a snippet to a folder if the snippet with the same name is already
associated.
This means that if the first and the last associated snippets have different
values for the same object, the value from the first snippet is inherited by the device
or deployment. Additionally, all configurations inherited from a snippet can be
overridden at the child folder, deployment, or device level.
Within a folder hierarchy, a snippet might
only be associated one time within any folder hierarchy. This means that a snippet can’t
be associated with both a folder and the folder nested under it. However, you can
associate the same snippet with different folders or folders nested under different
folders. Snippets that are already associated with a folder in the folder hierarchy are
grayed out so they can’t be used more than once where
applicable.
Create a Snippet
Create and associate a snippet with a folder, deployment, or device to apply a
common base configuration to a group of devices. You can associate as many
snippets with a folder, deployment, or device as needed.
Snippets can be modified and reassociated with any folder, deployment, or device
at any time after creation.
Custom snippets that are no longer in use can be deleted.
- Log in toStrata Cloud Manager.
- Selectand expand the Configuration Scope to view theManageConfigurationNGFW and Prisma AccessOverviewSnippets.
- Add Snippet.
- Create the snippet.
- Give the snippet a descriptiveName.
- (Optional) Enter aDescriptionfor the snippet.
- (Optional) Assign one or moreLabels.You can select an existing label or create a new label by typing the label you wanted to create.
- Create.Newly created snippets are listed categorised underLocalsnippets. After the snippets are published, they are moved under Published snippets.
- Create your snippet configuration.You’re now in the Configuration Scope for the snippet. All configurations you create while in the snippet scope occurs only for the snippet.While in the snippet scope, you can review the snippetOverviewto see detailed information about the snippet. This includes information such as the number of variables, information about the snippet was created and last updated, and the list of all folders, deployments, and devices the snippet is associated with.
- Associate a snippet.
- Selectand expand the Configuration Scope to view theManageConfigurationNGFW and Prisma AccessOverviewConfig Tree.
- Select the folder, deployment, or device you want to associate the snippet with.
- Edit theConfig Snippet.
- Add the snippets that you want to associate and order them as needed.
- Close.
- Push Configto push your configuration changes to your network.
Modify a Snippet
Modify your snippet configurations, details, and associations.
Custom snippets no longer associated with a folder,
deployment, or device can be deleted.
- Log in toStrata Cloud Manager.
- Selectand expand the Configuration Scope to view theManageConfigurationNGFW and Prisma AccessOverviewSnippets.
- Select the snippet you want to modify.After you select a snippet, you’re redirected to the snippetOverview.
- (Optional) Edit the snippet to modify theName,Description, or to change or assign additionalLabels. Enable or disablePause Updateto see the config diffs and decide to accept the change.
- Edit theSnippet Associationsto reassociate the snippet with a different folder, deployment, or device or to associate the snippet with additional folders, deployments, or devices.Exit the snippet reassociation screen to apply the changes.
- Make any changes to the snippet configuration as needed.
- Push Config.
Delete a Snippet
Delete your custom snippets to keep your configurations organized. Snippets must
be unassociated with any firewalls, folders, or deployments before they are able
to be deleted. Deleting predefined snippets is not supported.
- Log in toStrata Cloud Manager.
- Selectand expand theManageConfigurationNGFW and Prisma AccessOverviewConfiguration Scopeto view the Snippets.
- Click the three vertical dots of the custom snippet you want to delete.
- Deletethe snippet.Snippets currently associated with folders, deployments, or devices can't be deleted. You must first edit theSnippet Associationsto remove all existing associations before it can be deleted.
Clone a Snippet
If you want to use an existing snippet as a template for a new snippet, you can
easily clone it so you do not have to configure a completely new object.
Cloned snippets are not associated with any devices, folders, or deployments,
allowing you to customize them freely without having to disassociate them before
you begin your configurations.
- Log in toStrata Cloud Manager.
- Selectand expand theManageConfigurationNGFW and Prisma AccessOverviewConfiguration Scopeto view the Snippets.
- Click the three vertical dots of the custom snippet you want to clone.
- Clonethe snippet.
- (Optional) Give the cloned snippet a new name.
Share Snippet Configuration Between Tenants
This feature provides a unique and flexible way to share common configuration
across any tenants including multitenant environment. You can save and
manage any combination of configuration as a snippet, seamlessly sharing
them across tenants under a customer account. This offers tremendous
flexibility and control in managing shared configuration across tenants.
This feature offers a variety of use cases such as updating configurations
from lab to production environments, migrating configurations between
tenants, centralizing configuration management for common use cases across
tenants, and managing global configurations in a multibusiness unit
setup.
- Publisher tenant is the tenant who is sharing snippets with the subscriber tenant.
- Subscriber tenant is the tenant receiving snippets from the publisher tenant
- Log in toStrata Cloud Manager.
- On the publisher tenant, select, select theManageConfigurationNGFW and Prisma AccessOverviewGlobalconfiguration scope.
- Establish Trust Between the Tenants: Set up a connection between the subscriber and publisher tenants to enable snippet sharing.
- ClickSubscriber TenantunderTrusted Tenants for Snippet Sharing.
- Add Subscriber Tenant.
- Enter theTSG IDto add as a subscriber tenant, andCheck TSG IDto validate. This validation ensures no usage of randomly generated TSG or Serialized TSG based attacks.The success message indicates that the TSD ID has been validated.
- Next: Generate Pre Shared Key.Copy the generated PSK; you enter this PSK when you validate the publisher tenant in step 4.
- Go to subscriber tenant, selectand set the configuration scope toManageConfigurationNGFW and Prisma AccessOverviewGlobal.
- ThePublisher Tenantsstatus underTrusted Tenants for Snippet Sharingshows asPending.
- ClickPublisher TenantsandEnter Pre Shared Keygenerated in the previous step, andValidatethe subscriber tenant.After successful validation, a message appears that tenant has been identified as a trusted tenant, which means that the trust has been established between the subscriber and publisher tenant.
- Publish Snippet to a subscriber tenant.
- Create and associate snippet to a folder.Newly created snippets are available underLocalsnippets. The following tabs appear for local sharable snippets.
- Overviewshows the snippet name, description, created time, which is the time when snippet was loaded on the subscriber side, and last updated time, and labels details.
- Subscriber Tenantsshows the tenant name, published version on the tenant, last published date, and publish status.
- ClickPublished Versionto view configuration difference.
- Before publishing snippet to a tenant,Add SubscriberandSaveit.
- Version Snapshotsgives you a view into your snippet configuration history. Version Snapshot screen is the place to compare config snapshots with your configuration candidate, andSave Version SnapshotorLoadan earlier configuration snapshot to use as your candidate configuration. Click theVersionnumber to view configuration difference.
- Audit Historyprovides an audit trail of all actions initiated by the administrator. It provides logs on published version number, changes made, the owner of the change, the date and time of the change, and the detail of the change.
- On theSubscriber Tenanttab, select the tenant name andPublish.The publish request is sent to the subscriber tenant. TheStatuscolumn says Snippet Successfully published to subscriber and the snippet will be available under Published snippets.
- Verify on the subscriber tenant.
- Go to, and select the snippet underOverviewConfiguration ScopeSnippetsSubscribedsnippets.You're redirected to the snippetOverviewwhich shows the name of the publisher tenant, description, TSG ID, time when the snippet was created, last updated time, labels, and pause update details.
- Delete the trustSubscribed snippets associated with folders or Firewalls can only be cloned and can't be deleted.
- Go to subscriber or publisher tenant.
- ClickSubscriber TenantunderTrusted Tenants for Snippet Sharing.
- Select theTenant Name, andDelete Trust.
After deletion of trust, the snippet loses association with the Firewall or folder and becomes a local snippet.
Snippet Classification
- Predefined: Predefined snippets are available to all Strata Cloud Manager users and can be used to quickly get your new firewalls and deployments up and running with best practice configurations.
- Local: Local snippets are created locally on the tenant but not shared with any subscriber tenant, which you can close and edit.
- Published: Published snippets are shared with trusted subscriber tenants, which you can clone and edit.
- Subscribed: Subscriber tenants are shared by the publisher tenant, which you can only clone and cannot edit.