Administrator-Level Push

Push just the configuration changes made by the Panorama administrator to managed firewalls.
PAN-OS 10.2 enables Panorama administrators to push just their own configuration changes to managed firewalls. Additionally, a Panorama administrator can specify one or more Panorama administrators with committed configuration changes to include in the push. Leveraging an administrator-level push to managed firewalls reduces the risk of pushing incomplete device group and template configurations to managed firewalls by allowing you to explicitly exclude incomplete configuration changes when you push to managed firewalls. This helps mitigate and avoid potential outages and configuration related issues that could cause network disruptions.
For multi-vsys managed firewalls running PAN-OS 10.2, configurations in the Shared device group are now pushed to a Shared configuration context for all virtual systems rather than duplicating the shared configuration to each virtual system. This reduces the operational burden of scaling configurations for multi-vsys firewalls.
  1. After you upgrade to PAN-OS 10.2,
    Commit
    and
    Push to Devices
    the entire Panorama managed configuration to your managed firewalls.
    This is required to utilize the administrator-level push and leverage the improved shared configuration object management for multi-vsys firewalls managed by Panorama.
  2. (
    Optional
    ) Create a custom Panorama admin role to allow the Panorama administrator to push configuration changes for other admins.
    The default Superuser or Panorama admin role privileges support full object level configuration privileges.
    1. Select
      Panorama
      Admin Roles
      and
      Add
      a new admin role.
    2. Enter a descriptive
      Name
      for the admin role.
    3. Select the
      Panorama
      admin role.
    4. Select
      Web UI
      and navigate to the Commit privileges.
    5. Configure the object level configuration privileges as needed.
      All object level configuration privileges are enabled by default.
      • Push All Changes—
        Allow the administrator to push all changes made by all admins.
      • Push For Other Admins—
        Allows the administrator select and push configuration changes made by other administrators.
      • Object Level Changes—
        Allows the administrator to view individual configuration objects to push. If disabled, the list of configuration objects is not displayed in the Push Scope.
    6. Click
      OK
      .
    7. Configure a Panorama administrator and select the
      Admin Role
      you created.
    8. Commit
      and
      Commit to Panorama
      .
  3. Perform device group and template stack configuration changes and
    Commit
    Commit to Panorama
    .
    See Selective Commit of Configuration Changes to make object-level selections to commit.
  4. Perform an administrator-level push to managed firewalls.
    1. Select
      Commit
      Push to Devices
      and select
      Commit Changes Made By
      to only push your own configuration changes.
    2. (
      Optional
      ) Click the admin name displayed next to the
      Commit Changes Made By
      field to modify the Admin Scope and include configuration changes made by other admins in the commit.
    3. Expand the list of device groups and template stacks to review configuration changes.
    4. Push
      .

Recommended For You