Question:
What is a service template? How to create and associate Service templates?
Usage of Service Templates
The Versa Director provides a centralized mechanism for making configuration changes to the Versa FlexVNF. You can implement these changes using the CLI, the northbound interfaces or the GUI.
In the context of the Versa Director, these configuration changes are made using the Versa Director GUI, REST API and the Versa Director CLI.
The Versa FlexVNF has a very rich set of functionality, and a typical SD-WAN or NextGen Firewall use case consists of large configuration sets.
The management of these CLI chunks is a mammoth task for an operator. To ease the management problem, Versa Director (NMS) provides features such as profiles or templates. A template looks for patterns or repetitive CLI commands and applies some variables depending upon the actual configuration in question. Thus a template is an abstraction of a huge set of repetitive CLI where most of the configuration is the same and only a few parameters vary.
An operator has to create a template once and then with customizable parameters use it across multiple Versa FlexVNFs. This reduces the administration effort drastically as the template creation is a one-time effort and can be shared across operators.
The current Versa Director release supports a rich set of templates for the majority of the SD-WAN use cases and this functionality is accessible from both UI and the REST API layer.
Problems with Monolithic Templates
Though templates have made the life of the operator much simpler, a few pain points remain because the templates are monolithic. The impact is as follows:
- The entire configuration set is present in a single template. This means that the configuration for all the service sets such as SD-WAN, Stateful or NextGen Firewall, or QoS are present in a single template.
- Since everything is in a single template, minor changes to the template require the whole template to be edited.
- If the configuration is slightly different then you have to create and maintain two huge templates.
- You must maintain a template for every tenant even if the configuration is largely the same.
Service templates address these problems.
Service Templates
You can treat service templates as smaller sections of a template. Let's consider an example of a Master template that has some configuration for SD-WAN, NGFW, QoS etc. Service templates break down this problem into smaller fragments. The idea is to have separate templates for NGFW, QoS, etc. and to have a placeholder in the master template where you can refer to these. Thus, you can associate the main template with multiple service templates, wherein each service template is maintained by the respective domain owner.
The security operator who is concerned only with the NGFW or the Stateful Firewall policies will have to maintain only the security template. He need not bother to read the contents of the whole template. This allows various domain experts to manage their respective areas independently and to concentrate only on their area of interest.
Logically a service template is a template with some specific service related configuration. You can also treat it as a sub template. It's very much like a normal template except that it consists of a smaller set of service related configuration. Just like the main template the service templates too have their own bind data.
The main template refers to this. The main template can actually refer to multiple such 'sub templates'. Sub templates are created independently and then associated with the main template.
If there is a change in the security related configuration, the main template need not be touched; the security operator can make the modifications in the security related service template. If the security considerations are completely different, the main operator can associate the main template with a different security related template.
Reuse of Service Templates
A service template is reusable across templates, and independent main templates can refer to the same service template. So two main templates can refer to the same security template. After the security admin has defined a security template, multiple users can refer to it independently.
The service template is org agnostic, and you can also use the service template across organizations. For example, a QoS or a security policy may be the same for many organizations. Instead of creating separate templates by cloning or by other means, it is possible to create a single template and use it across organizations. This makes their management much simpler.
Overriding Policy or Configuration Sets Using Sub Templates
Consider a scenario in which the provider has a set of policy rules. These could be captured in the main template. This main template might be associated with a sub template, and there is a possibility of an overlap or a contradiction of the policy rules. The Versa Director provides the flexibility to select which template, the main or the partial, is given precedence over the other. It is possible for the main template to override the service template and vice versa.
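The precedence choice described above, sketched as an added example that is not Versa Director code and does not use its REST API. The Rule fields, the resolve function and the sample rules are all assumptions made for illustration; the sketch reports every overlap or contradiction so an operator can review which definition was discarded.

```python
from dataclasses import dataclass

MAIN = "<main>"  # label for rules that come from the main template

@dataclass(frozen=True)
class Rule:
    name: str    # rule name; two rules with the same name overlap
    match: str   # constructed match expression
    action: str  # "allow" or "deny"

def resolve(main_rules, service_templates, precedence):
    """Return (effective, overlaps) for one main template and its
    associated service templates. precedence is "main" or "service"."""
    if precedence not in ("main", "service"):
        raise ValueError("precedence must be 'main' or 'service'")
    effective = {r.name: (MAIN, r) for r in main_rules}
    overlaps = []
    for tmpl, rules in service_templates.items():
        for rule in rules:
            owner, current = effective.get(rule.name, (None, None))
            if owner is None:
                effective[rule.name] = (tmpl, rule)
                continue
            if owner != MAIN:
                # Assumption: the page defines no order between two service
                # templates, so this model refuses to guess.
                raise ValueError(f"{rule.name!r} is in both {owner} and {tmpl}")
            kind = "contradiction" if current.action != rule.action else "overlap"
            winner = MAIN if precedence == "main" else tmpl
            if winner == tmpl:
                effective[rule.name] = (tmpl, rule)
            overlaps.append((rule.name, tmpl, kind, winner))
    return effective, overlaps

# Constructed sample data, not taken from a real deployment.
MAIN_RULES = [Rule("block-telnet", "tcp/23", "deny"),
              Rule("allow-dns", "udp/53", "allow")]
SERVICE_TEMPLATES = {
    "ngfw-security": [Rule("block-telnet", "tcp/23", "allow"),
                      Rule("allow-https", "tcp/443", "allow")],
    "qos-default": [Rule("allow-dns", "udp/53", "allow")],
}

if __name__ == "__main__":
    for mode in ("main", "service"):
        effective, overlaps = resolve(MAIN_RULES, SERVICE_TEMPLATES, mode)
        print(f"precedence={mode}")
        for name, tmpl, kind, winner in overlaps:
            print(f"  {kind}: {name} also in {tmpl}; {winner} wins")
```

A "contradiction" entry is the case worth reviewing before a commit: with service precedence, the constructed block-telnet rule changes from deny to allow.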
Categories of Service Templates
Versa Director, Rel 16.1R1 supports these categories of service templates:
- NextGen Firewall
- Stateful Firewall
- QoS
While creating the service template using the Versa Director GUI with these categories, only the relevant and required Firewall and QoS configuration objects are allowed. You can then associate the service template using SD-WAN workflows in the GUI or from the Administration.
Versa Director will extend support to more categories in its next release. All enhancements shall be taken up but they are beyond the scope of this writeup.
Creating a Service Template
Follow these steps to create a service template and associate it to the required post-staging template:
- Select Director Context > Workflows > Template > Create Template and click on any post staging template (existing setup) to edit the post staging template. This opens the Create Template <Template Name> window.
- Select Services tab in the Create Template <Template Name> window.
- Click + Service Template link in the Service Template section. This opens the Create Service Template window.
- Enter these details in the Create Service Template window.

  | Field | Description |
  | --- | --- |
  | Name | Specify the name of the service template. |
  | Organization | Select the organization from the drop down. |
  | Type | Select the category or the type of service for this template. These are the options: Next Gen Firewall, Stateful Firewall, QoS, General. |

- Click OK to create a new service template.
- The new service template now appears in the table inside the Service Template section.
Based on the type of service template created in Step 3, you must associate the respective service template to the staging template in the Service Template section.
Alternatively, you can also follow these steps to create a service template:
- Select Director Context > Administration > Service Template and click + on the dashboard. This opens the Add Service Template window.
- Enter these details in the Add Service Template window.

  | Field | Description |
  | --- | --- |
  | Name | Specify the name of the service template. |
  | Organization | Select the organization from the drop down. |
  | Type | Select the category or the type of service for this template. These are the options: Next Gen Firewall, Stateful Firewall, QoS, General. |

- Click OK to create and add a new service template.
Modifying a Service Template
Follow these steps to modify an existing service template:
- Select Director Context > Config Templates and select the required service template from the drop down box that is just below the Director Context drop down field.
- Select Director Context > Config Templates > Services to view the list of services configured.
- As an example, select the NGFW service and make the required configuration for this service.
- Click Commit on the dashboard to push the final configuration to the appropriate appliance. This opens the Commit window.
- Make these configuration changes in the Commit window:
  - Select Template: Select the post staging template.
  - Device Group: This section is populated based on the previous selection (Step 1).
- Click OK.
NOTE: Service templates are meant to be reused along with different post-staging templates. For example, Service Template S1 is tagged with Post-Staging templates P1, P2 and P3, and each of these templates has different zones, networks and logging profiles with different definitions in their own context. In this case the service template creates a smaller context independent of any post-staging templates. Service templates are currently used for the limited purpose of creating rules and other available configuration options.