Doubts about Device-Group / Template Stack and Shared Objects

Doubts about Device-Group / Template Stack and Shared Objects:

Good afternoon, again thank you very much for the great support and collaboration that exists in this forum.

1.- To remove a Device from the Panorama administration, I imagine that references must be removed from that firewall first, before removing it, for example Remove from Device-Group and Template stack where it is configured and then proceed to Remove.

2.- Now, let's say the Template Stacks and the Device Groups that were left free and without any association with any Firewall, the procedure is to eliminate let's say from the side of the tamplate stack, remove the associated templates and then eliminate the template Stack and the tempplate and already for the Device Group it is just delete. I ask about debugging tasks, these Template and template stack and also the Device Groups, which have no reference to any firewall, can be eliminated and that's it, without problems? Or should something be checked beforehand? any additional reference? Is there any other issue in particular that needs to be checked before deleting them?

3.- I understand that when Shared type objects can be created, for example an object, these can even be referenced from the GUI example, directly from the local configuration, by locally creating a security policy and referencing that Shared object and applying it. This I clearly understand is not the best practice, but it asks, what happens if someone renames the object in Panorama , it is updated in the policies sent from Panorama, I imagine, but not from a local policy, which references the SHARED Object.

I'm a bit confused with Point 3 because of this I found:

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-device-groups/create-objects-for-use-in-shared-or-device-group-policy :

***"Shared device group objects can be viewed and referenced in a specific device group. Changing the name of a Shared device group object in one device group changes the name of the Shared object in all device groups. This includes any configuration the Shared object is referenced, such as in Policy rules.Changing the name of a Shared device group object may cause the configuration push to managed firewalls to fail.

For example, you create a Shared object named ObjectA and create a Security policy rule in the DG1 device group where ObjectA is referenced. This configuration is pushed to your managed firewalls. Later in the DG1 device group, you change the name of ObjectA to ObjectB and try to push the configuration to your managed firewalls. This push fails because your managed firewalls have the Shared object with the name ObjectA as part of their configuration, and are expecting that configuration object to have the same name."

-Here they talk about a case similar to what was raised but I don't quite understand resolution 3 that you have to USE "Merge with Device Candidate Config":

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcICAS

- The documentation for the Merge with Device Candidate Config says the following: Merges the configuration changes pushed from Panorama with any pending configuration changes that administrators implemented locally on the target firewall. The push operation triggers PAN-OS® to commit the merged changes. If you clear this selection, the commit excludes the candidate configuration on the firewall.

I thought that the Merged With Candidate Configs only referenced the pending changes without a commit made in Palo Alto locally, but reviewing Resolution 3 of LINK: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcICAS I already have even more doubts.

Thank you very much for the support, the help and the collaboration to review these 3 points, I remain very attentive, cordial greetings.