Templates

A template groups snippets into a reusable policy set. Instead of assigning individual snippets to devices, you compose snippets into templates, then assign templates to organizational units. This creates a clean hierarchy: Snippets → Templates → OUs → Devices.

Template Position

Each template has a position that determines where its snippets are placed relative to the device’s own local configuration:

Position	Meaning
PREPEND	Snippets are inserted before any device-local rules. Use this for organization-wide security policies that must be enforced regardless of what the device admin configures locally (e.g., drop invalid packets, block bogon ranges).
APPEND	Snippets are inserted after all device-local rules. Use this for catch-all policies like logging or default-deny rules that should only apply to traffic not already handled by earlier rules.

This separation ensures centrally managed security baselines (PREPEND) cannot be bypassed by local device configuration, while logging and fallback policies (APPEND) run last.

Note

PREPEND templates enforce security baselines that device administrators cannot override or bypass with locally configured rules — they always appear before any device-local configuration.

See Policy Chain for a detailed explanation of how PREPEND and APPEND templates combine with snippet priorities to produce the final device configuration.

List Templates

View in NDWeb

ndcli template list

╭────────────────────────┬──────────┬──────────────────────────────────────────┬──────────┬──────────────────╮
│ Name                   │ Position │ Description                              │ Snippets │ Created          │
├────────────────────────┼──────────┼──────────────────────────────────────────┼──────────┼──────────────────┤
│ base-hardening         │ PREPEND  │ Drop invalid, rate-limit ICMP, anti-s... │ 5        │ 2026-02-20 19:18 │
│ corporate-services     │ PREPEND  │ Core corporate services: DNS, NTP, LD... │ 4        │ 2026-02-20 19:18 │
│ guest-isolation        │ PREPEND  │ Guest network isolation: internet-onl... │ 3        │ 2026-02-20 19:18 │
│ intrusion-prevention   │ PREPEND  │ GeoIP filtering, port scan detection,... │ 3        │ 2026-02-20 19:18 │
│ logging-and-monitoring │ APPEND   │ Traffic logging for accepted and drop... │ 2        │ 2026-02-20 19:18 │
╰────────────────────────┴──────────┴──────────────────────────────────────────┴──────────┴──────────────────╯

Describe a Template

View in NDWeb

ndcli template describe base-hardening

Name:        base-hardening
Description: Drop invalid, rate-limit ICMP, anti-spoofing, block bogons
Position:    PREPEND
Created:     2026-02-20 19:18:43
Updated:     2026-02-20 19:18:52

Snippets (5):
╭──────────────────────┬──────────┬───────┬──────────────────╮
│ Name                 │ Priority │ Type  │ Updated          │
├──────────────────────┼──────────┼───────┼──────────────────┤
│ drop-invalid-state   │ 10       │ RULE  │ 2026-02-20 19:18 │
│ rate-limit-icmp      │ 20       │ RULE  │ 2026-02-20 19:18 │
│ anti-spoofing        │ 30       │ RULE  │ 2026-02-20 19:18 │
│ log-and-drop-default │ 50       │ RULE  │ 2026-02-20 19:18 │
│ bogon-ranges         │ 1000     │ ALIAS │ 2026-02-20 19:18 │
╰──────────────────────┴──────────┴───────┴──────────────────╯