PAN-OS: Panorama Commit Types and Scheduling

PCNSE Objective Focus (Domain 4 - 18%)

4.3 Manage firewall configurations within Panorama

(Related Concept) Understanding Commit Types, Scopes, and Scheduling

Introduction: Activating Panorama Configurations

Making configuration changes in Panorama (whether to Templates, Device Groups, Policies, or Objects) modifies the candidate configuration . These changes do not take effect on Panorama itself or on managed firewalls until a Commit operation is performed.

Panorama provides different types of commit operations to control whether changes are saved only on Panorama or pushed down to managed firewalls. Additionally, certain operations, particularly dynamic content updates, can be scheduled for automatic execution.

Understanding the different commit types, scope options, and scheduling mechanisms is fundamental to managing firewalls effectively with Panorama.

It's helpful to remember the configuration states on Panorama:

Candidate Config: The configuration currently being edited by administrators. Changes here are not active.
Running Config: The active configuration currently used by the Panorama management server itself.

The Commit process makes the candidate config the new running config *on Panorama*.

When you click the "Commit" button in Panorama, you are presented with options that determine the scope and target of the operation.

Commit Type	Action	Purpose	Impact on Firewalls?
Commit (or Commit to Panorama)	Saves the current candidate configuration as the new running configuration ONLY on the Panorama server itself .	Save work in progress. Validate configuration syntax correctness on Panorama before attempting a push. Make changes effective on Panorama (e.g., adding new admin accounts, changing Panorama's own settings). Prepare configuration to be pushed later (manually or via schedule).	No immediate impact. Does not send any configuration changes to managed firewalls.
Commit and Push	Performs a "Commit to Panorama" first (saves candidate to running on Panorama). If the Panorama commit succeeds, it then merges the relevant configurations (Shared, Device Group hierarchy, Template Stack). Pushes the resulting merged configuration to the selected managed firewalls or Device Groups.	Deploy configuration changes (Policies, Objects, Network/Device settings) to managed firewalls to make them active. Ensure firewalls have the latest intended configuration from Panorama.	Yes. This is the operation that sends configuration changes to managed firewalls, potentially overwriting local settings and impacting traffic flow based on the changes.

When performing a Commit or Commit and Push, Panorama offers scope options to control *what* configuration changes are included and *where* they are sent:

Commit Scope (What changes on Panorama are saved?):

Commit All Changes: Commits all modifications made across all Device Groups, Templates, Stacks, Shared scope, and Panorama's own settings since the last commit.
Commit Changes Made By Selected Administrators: Commits only changes made by specific administrators (useful in multi-admin environments).
Commit Changes in Selected Device Groups and Templates: Allows selecting specific Device Groups and Templates/Stacks whose changes should be included in the commit to Panorama. This is useful for committing only related changes without impacting unrelated work in progress elsewhere.

Push Scope (Which firewalls receive the config?):

When performing a Commit and Push , after the initial commit to Panorama succeeds, a "Push Scope Selection" dialog appears.
Here you select the specific Device Groups and/or individual Firewalls that should receive the configuration push.
Best Practice: Only push to the Device Groups or firewalls that are actually affected by the changes being committed, unless a full sync is intended. This minimizes unnecessary pushes and potential disruption.

Before committing or pushing, Panorama offers critical validation tools:

Validate Commit: Checks the candidate configuration for syntactical errors, unresolved references (e.g., using an object that doesn't exist), and potential conflicts *before* attempting the actual commit. This helps catch errors early.
Preview Changes: (Available during Commit/Push workflow) Shows a summary or detailed view of the specific configuration lines that will be added, modified, or deleted on Panorama and potentially pushed to devices. Essential for verifying the intended changes.

Always use Validate Commit and carefully review Preview Changes before initiating a Commit and Push operation, especially in production environments.

Purpose

While most configuration changes are pushed manually via "Commit and Push", Panorama allows scheduling certain operations:

Dynamic Content Updates (Primary Use): The most common use of scheduling is for automatically checking for, downloading, and installing Content Updates (Applications and Threats, Antivirus, WildFire, etc.). This ensures firewalls have the latest protections without manual intervention.
- Configuration: Schedules for Content Updates are configured under Device > Dynamic Updates within a Template and pushed to firewalls. Panorama itself can also be scheduled to download updates ( Panorama > Device Deployment > Dynamic Updates ).
Scheduled Configuration Push: Allows scheduling a "Commit and Push" of specific configuration changes (e.g., changes within a particular Device Group/Template) to occur automatically at a predetermined time (e.g., during off-peak hours).
- Configuration: Panorama > Scheduled Config Push .
- Use Case: Deploying non-urgent configuration changes during maintenance windows without requiring an administrator to be present at that exact time.
- Requires careful planning and prior validation, as the push happens automatically.
Scheduled Log Exports/Reports: While not commits, Panorama also allows scheduling the generation and export of logs and reports.

Scheduling is primarily used for routine Content Updates rather than frequent configuration changes, which usually warrant manual validation and push.

Best Practices for Commits

Commit Often (to Panorama): Use "Commit" frequently to save your work on Panorama and perform validation, even if not immediately pushing.
Validate Before Commit/Push: Always run "Validate Commit" before committing or pushing.
Preview Changes Carefully: Thoroughly review the changes listed in the "Preview Changes" window before pushing to devices.
Use Specific Commit/Push Scope: When possible, commit and push only the relevant changes/targets rather than using "Commit/Push All" to minimize impact and commit time.
Use Commit Comments: Add descriptive comments to each commit explaining the changes made for audit trail purposes.
Schedule Content Updates: Automate the download and installation of Content Updates for timely threat protection.
Use Scheduled Config Push Cautiously: Only schedule configuration pushes for well-tested, non-critical changes intended for off-hours deployment.
Understand Panorama RBAC: Use Role-Based Access Control on Panorama to limit which administrators can commit/push changes to specific Device Groups or Templates.
Backup Panorama Config: Regularly back up the Panorama configuration itself.

Caveats and Gotchas

Commit vs. Push Confusion: Administrators new to Panorama sometimes confuse "Commit" (saving on Panorama only) with "Commit and Push" (sending to firewalls), leading to changes not being deployed.
Accidental Push Scope: Selecting the wrong Device Group or accidentally pushing to "All" devices during a "Commit and Push" can deploy unintended configurations widely.
Overwriting Local Changes: A Panorama push overwrites most configurations made locally on the firewall. Ensure any necessary local settings are incorporated into Panorama Templates/Stacks or understand they will be lost.
Commit Failures: Commits can fail due to validation errors (syntax, unresolved references), connectivity issues to firewalls (during push), or insufficient resources on Panorama/firewall. Review error messages carefully.
Push Duration: Pushing large configuration changes or pushing to many devices simultaneously can take significant time.
Commit Lock: Only one administrator can hold the commit lock on Panorama at a time. Coordinate changes in multi-admin environments.
Commit Recovery Limitations: Remember Commit Recovery only helps if the push breaks *Panorama connectivity*, not if it breaks other functionality.

For the PCNSE exam, understand:

The difference between Candidate Config and Running Config on Panorama.
The distinction between `Commit` (to Panorama) and `Commit and Push` (to Firewalls) actions.
The purpose and use of Commit Scope (All vs. Selected DG/Template).
The purpose and use of Push Scope (Selecting target DGs/Firewalls).
The importance and function of Validate Commit and Preview Changes .
The primary use case for scheduling in Panorama (Content Updates).
Where Content Update schedules are typically configured (via Templates).
Where Scheduled Configuration Pushes are configured ( Panorama > Scheduled Config Push ).
That Panorama pushes overwrite local firewall configurations.

PAN-OS: Panorama Commit Types and Scheduling

PCNSE Objective Focus (Domain 4 - 18%)

4.3 Manage firewall configurations within Panorama

Introduction: Activating Panorama Configurations

Panorama Configuration Layers

Commit Types in Panorama

Commit and Push Scope Options

Commit Scope (What changes on Panorama are saved?):

Push Scope (Which firewalls receive the config?):

Validation and Preview

Commit Scheduling

Purpose

Best Practices for Commits

Caveats and Gotchas

PCNSE Exam Focus

Panorama Commits & Scheduling Quiz

References