Understanding Panorama Commit Types

PCNSE Objective Focus

This topic aligns with PCNSE objectives related to managing device configurations using Panorama, specifically understanding the different commit operations and their implications for Panorama and managed devices.
- Identify the methods for managing configurations using Panorama.
- Identify the functions of the Panorama commit types.
- Understand the process of pushing configuration updates from Panorama to managed firewalls.
Introduction: The Role of Commits in Panorama

Panorama™ serves as the central management platform for Palo Alto Networks firewalls and Log Collectors. Making configuration changes in Panorama doesn't automatically apply them to the managed devices. The commit process is what validates, saves, and distributes these changes.
Understanding the different commit options available in Panorama is essential for effective network management. Each option has a specific scope and purpose, affecting Panorama itself, the managed devices, or both.
Key concepts to grasp are:
- **Candidate Configuration:** The set of changes you are currently working on within the Panorama GUI or CLI. These changes are not active until committed.
- **Running Configuration:** The active configuration currently enforced by Panorama or a managed device.
- **Commit Scope:** Determines whether the commit operation affects only Panorama's local configuration or also pushes changes to managed devices.
Commit (Local Panorama Commit)

The simplest commit option is the `Commit` button, usually found in the upper-right corner of the Panorama web interface.
Purpose:
- Validates the syntax and dependencies of the candidate configuration currently staged on Panorama.
- Saves the validated candidate configuration as the new running configuration on Panorama itself.
- Creates a new configuration version locally on Panorama, allowing for later rollback using "Load Configuration Version".
Scope:
- Only affects Panorama itself.
- Does NOT push any configuration changes to managed firewalls or Log Collectors.
When to Use:
- To save work in progress and ensure the configuration is syntactically valid before pushing to devices.
- To make changes solely to Panorama's local settings (e.g., Panorama management settings, or Collector Group configurations before associating them with Log Collectors).
- As the first step in a two-step process: `Commit` locally, then use `Push to Devices` later.
Think of a simple `Commit` as saving your document locally on your computer. It doesn't send the document anywhere else, but it preserves your changes and ensures the file isn't corrupted.
Commit All (Commit and Push)

The `Commit All` operation is accessed via the same commit button dropdown in the upper-right corner.
Purpose:
- Performs a local `Commit` on Panorama first (validates and saves the candidate config to Panorama's running config).
- Immediately initiates a push of the relevant configuration changes (Device Group and Template configurations) from Panorama to the managed firewalls.
Scope:
- Affects both Panorama and the managed devices included in the scope of the pushed changes.
Commit All Dialog Options:
When initiating a `Commit All`, you are presented with options to refine the scope of the push:
- **Commit and Push (Default):** Performs a local commit on Panorama and pushes *all applicable changes* (relevant Device Group and Template configurations) to all managed firewalls. This is the most common option.
- **Push Device Group Config:** Allows you to select specific Device Groups whose configurations should be pushed. This performs a local commit first, then pushes only the selected Device Group policies and objects. Templates associated with devices in these groups are *not* pushed unless they are also selected (explicitly or implicitly).
- **Push Template Config:** Allows you to select specific Templates (or Template Stacks) whose configurations should be pushed. This performs a local commit first, then pushes only the selected Template network/device settings. Device Group policies associated with devices using these templates are *not* pushed unless also selected.
- **Push Collector Group Config:** Pushes configuration changes to managed Log Collectors within selected Collector Groups. This option appears only if Log Collectors are managed by Panorama.
Validation during Commit All:
- Panorama validates its local candidate configuration.
- Panorama then validates the configuration bundle intended for each managed device *before* pushing it. This helps catch device-specific issues (e.g., referencing an interface that doesn't exist on a particular firewall model) before the push occurs.
When to Use:
- This is the standard workflow for deploying configuration changes from Panorama to managed devices.
- When you have completed configuration changes and want to make them active on the firewalls simultaneously.
`Commit All` is the most direct way to get changes from Panorama's staging area onto the managed firewalls in a single operation.
Push to Devices

The `Push to Devices` operation is typically accessed via the same commit button dropdown, or sometimes contextually (e.g., after a commit failure).
Purpose:
- Pushes the already committed running configuration from Panorama to selected managed devices (or Device Groups / Templates).
- Does NOT perform a local commit on Panorama first; it assumes the configuration you want to push is already part of Panorama's current running configuration.
Scope:
- Affects only the selected managed devices.
- Does NOT change Panorama's local running configuration (it assumes the configuration is already committed).
When to Use:
- When a previous `Commit All` push operation failed for some devices, and you want to retry pushing to just those devices after resolving the issue.
- If you prefer a two-step deployment: perform a local `Commit` first, verify Panorama's state, and then use `Push to Devices` to deploy to firewalls later or selectively.
- To synchronize configuration to a newly added firewall after it has connected to Panorama.
- To selectively push only Device Group or Template configurations after a simple `Commit`.
Think of `Push to Devices` as sending a specific, already saved document version to selected recipients. You're not changing the master document, just distributing copies.
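The two-step workflow described in the `Commit All` and `Push to Devices` sections (a local commit, then a scoped push of the already committed running config) can also be driven through the PAN-OS XML API. The following Python is an added example, not Palo Alto Networks code: it builds the local `<commit>` request and the scoped `<commit-all>` push request, refuses an empty push scope, and parses the job id and job outcome Panorama returns so the result can be checked the way the Task Manager would show it. The host, API key, and sample responses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# Added example (not Palo Alto Networks code). PANORAMA and API_KEY are placeholders;
# the element names follow the PAN-OS XML API commit / commit-all requests.
PANORAMA = "https://panorama.example.invalid/api/"
API_KEY = "REPLACE_WITH_API_KEY"

def local_commit_query(api_key, description="local commit"):
    """Local Panorama commit: candidate -> running on Panorama only, nothing is pushed."""
    cmd = f"<commit><description>{escape(description)}</description></commit>"
    return urlencode({"type": "commit", "cmd": cmd, "key": api_key})

def push_query(api_key, device_groups=(), templates=()):
    """Push Panorama's already committed config to an explicit scope (commit-all)."""
    parts = []
    if device_groups:
        entries = "".join(f'<entry name="{escape(dg)}"/>' for dg in device_groups)
        parts.append(f"<shared-policy><device-group>{entries}</device-group></shared-policy>")
    if templates:
        names = "".join(f"<name>{escape(t)}</name>" for t in templates)
        parts.append(f"<template>{names}</template>")
    if not parts:
        # Refuse an empty scope rather than silently pushing to every managed device.
        raise ValueError("push scope is empty: name at least one device group or template")
    cmd = "<commit-all>" + "".join(parts) + "</commit-all>"
    return urlencode({"type": "commit", "action": "all", "cmd": cmd, "key": api_key})

def parse_job_id(xml_text):
    """Return the job id Panorama enqueued, or raise with the validation error it reported."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("commit rejected: " + " ".join(root.itertext()).strip())
    return int(root.findtext("./result/job"))

def job_outcome(xml_text):
    """Parse a 'show jobs id N' response into (status, result), e.g. ('FIN', 'OK')."""
    job = ET.fromstring(xml_text).find("./result/job")
    return job.findtext("status"), job.findtext("result")

# Constructed sample responses shaped like the XML API's replies; not captured from a device.
ENQUEUED = ('<response status="success" code="19"><result>'
            '<msg><line>Commit job enqueued with jobid 42</line></msg><job>42</job>'
            '</result></response>')
REJECTED = ('<response status="error" code="3"><msg>'
            '<line>Validation Error: rule references a zone that does not exist</line>'
            '</msg></response>')
FINISHED = ('<response status="success"><result><job><id>42</id><type>CommitAll</type>'
            '<status>FIN</status><result>OK</result></job></result></response>')
```

Sending `local_commit_query` and then `push_query` as the `?`-query of `PANORAMA` reproduces the page's two-step flow; a `show jobs id N` op request for the returned job id yields the XML that `job_outcome` parses.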
Load Configuration Version

This option, found under Panorama > Setup > Operations > Load Configuration Version, deals with Panorama's local configuration history.
Purpose:
- Allows you to revert Panorama's candidate configuration back to a previously committed version.
- It loads a selected historical configuration snapshot into Panorama's candidate config space.
Scope:
- Only affects Panorama's candidate configuration.
- Does NOT change Panorama's running configuration directly.
- Does NOT push any changes to managed devices.
Process:
- Select a previous configuration version to load.
- Panorama loads this version into its candidate configuration area.
- You must then perform a `Commit` (local) or `Commit All` (local + push) to make the loaded configuration active on Panorama and/or push it to devices.
When to Use:
- To roll back Panorama's configuration to a known good state after problematic changes were committed locally.
- To review historical configurations without immediately impacting the current running state.
`Load Configuration Version` only prepares the rollback by loading the old config into the candidate state. You still need a subsequent `Commit` or `Commit All` to activate it.
This operation is distinct from reverting configuration changes directly on a managed firewall.
Best Practices

- **Validate Often:** Use the "Validate Commit" option (available in the commit dropdown) frequently during complex changes to catch errors early without performing a full commit.
- **Use Descriptive Commit Comments:** Always add clear, concise comments describing the changes made. This is invaluable for auditing and troubleshooting (e.g., "Added rule to allow web access for Marketing VLAN").
- **Commit Regularly, Push Strategically:** Perform local `Commit` operations to save your work and ensure validity. Plan your `Commit All` or `Push to Devices` operations, considering their potential impact and scheduling them during maintenance windows if necessary.
- **Utilize Commit Locks:** If multiple administrators manage Panorama, use Commit Locks (Panorama > Commit > Commit Lock) to prevent concurrent conflicting changes.
- **Understand Scope:** Before clicking `Commit All`, be certain you understand which Device Groups and Templates will be affected by the push. Review the preview if unsure.
- **Schedule Commits:** For large or potentially disruptive changes, use the scheduling option within the commit dialog to perform the push during off-peak hours.
- **Monitor Push Status:** After a `Commit All` or `Push to Devices`, monitor the push status in Panorama > Managed Devices > Summary or the Task Manager to ensure successful completion on all intended devices.
Caveats / Gotchas / Considerations

- **Commit Failures:** Commits (local or push) can fail due to syntax errors, dependency issues, licensing problems, device connectivity issues, or device-specific hardware/software limitations. Review the error messages carefully in the Task Manager (Panorama > Task Manager).
- **Out-of-Sync Devices:** Firewalls might become "out-of-sync" if a push fails or if local changes were made directly on the firewall (overriding Panorama). Resolve sync issues before attempting further pushes.
- **Push Duration:** Pushing large configurations, or pushing to many devices simultaneously, can take significant time. Plan accordingly.
- **Template Stack vs. Device Group Precedence:** Be aware of configuration precedence. Settings in Templates/Template Stacks are generally applied first, followed by Device Group settings. Conflicts are usually flagged during validation.
- **Local vs. Pushed Config State:** Remember that Panorama's running config might be ahead of the config on managed devices if you only performed a local `Commit`. The device status (sync state) reflects this.
- **`Load Configuration Version` Impact:** Loading an old configuration version wipes out any uncommitted changes in the current candidate config.
- **Permissions:** Administrators need appropriate permissions (Admin Role profile) to perform commit and push operations.
PCNSE Exam Focus

- Clearly differentiate between `Commit` (local to Panorama; saves candidate to running on Panorama only) and `Commit All` (local commit + push to managed devices).
- Know the purpose of `Push to Devices` (pushes Panorama's *current running config* to devices; used for retries or selective pushes after a local commit).
- Understand that `Load Configuration Version` affects Panorama's *candidate* config, requiring a subsequent commit to become active.
- Recognize that `Commit All` offers options to push specific Device Groups or Templates.
- Know where to check the status and logs of commit/push operations (Task Manager).
- Understand the concept of candidate vs. running configuration on Panorama.