Device group configuration changes pushed manually or from a scheduled configuration push of a device groups from the Panorama™ management server to a multi-vsys firewall are automatically bundled into a single job. When a push is executed from Panorama to managed firewalls, Panorama inspects the managed firewalls associated with the device group push. If Panorama detects that multiple vsys belonging to the same multi-vsys firewall are associated with a device group push, it bundles the commit job for each vsys into a single commit job on the managed firewall to reduce the overall commit job completion time.

If one of the bundled commit jobs fails, then the entire push fails and you need to push entire the device group configuration changes from Panorama again. Additionally, if multiple multi-vsys firewalls are included in a push from Panorama and one push fails, then the entire push fails to all firewalls included in the push from Panorama. When you monitor the device group push locally on the firewall, a single job is displayed rather than multiple individual jobs. If any warnings are failures occur, an error description indicating the impacted vsys is displayed.

This functionality is supported for multi-vsys firewalls managed by Panorama running PAN-OS 10.1 and later releases by default.