Click Commit at the top right of the web interface to commit, validate, or preview your changes to the Panorama configuration or to the template, device group, and Collector Group configurations that Panorama pushes to firewalls and Log Collectors. Committing applies the candidate configuration to the running configuration, which activates all configuration changes since the last commit. Panorama queues commit operations so that you can initiate new commits while a previous commit is in progress. You can use the Task Manager ( ) to clear the commit queue or see details about commits. For more information on configuration changes, commit processes, commit validations, and the commit queue, refer to Panorama Commit and Validation Operations . To save, revert, import, export, or load configurations, see Device > Setup > Operations.
As a best practice, commit changes to Panorama before committing changes to firewalls or Log Collectors.
Commit Setting Description
Commit Type Select one of the following: Panorama —Commits the changes in the current candidate configuration to the running configuration on Panorama. Template —Commits network and device configurations from Panorama templates or template stacks to firewalls. Device Group —Commits policies and objects from Panorama device groups to firewalls or virtual systems. Collector Group —Commits changes to the Log Collectors in Collector Groups.
Filters ( Template and device group commits only ) Filter the list of templates, template stacks, or device groups and the associated firewalls and virtual systems.
Name ( Template and device group commits only ) Select the templates, template stacks, device groups, firewalls, or virtual systems to which the commit applies.
Last Commit State ( Template and device group commits only ) Indicates whether the firewall and virtual system configurations are currently synchronized with the template or device group configurations in Panorama.
HA Status ( Template and device group commits only ) Indicates the high availability (HA) state of the listed firewalls: Active —Normal traffic-handling operational state. Passive —Normal backup state. Initiating —The firewall is in this state for up to 60 seconds after bootup. Non-functional —Error state. Suspended —An administrator disabled the firewall. Tentative —For a link or path monitoring event in an active/active configuration.
Preview Changes column ( Template and device group commits only ) Compares the candidate configuration to the running configuration with the results filtered to show only the settings for a specific template, template stack, device group, firewall, or virtual system. Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
Select All ( Template and device group commits only ) Selects every entry in the list.
Deselect All ( Template and device group commits only ) Deselects every entry in the list.
Expand All ( Template and device group commits only ) Displays only the templates, template stacks, or device groups, not the firewalls or virtual systems assigned to them.
Collapse All ( Template and device group commits only ) Displays the firewalls or virtual systems assigned to templates, template stacks, or device groups.
Group HA Peers ( Template and device group commits only ) Select this option to group firewalls that are peers in a high availability (HA) configuration. The resulting list displays the active firewall (or active-primary firewall in an active/active configuration) first and displays the passive firewall (or active-secondary firewall in an active/active configuration) in parentheses. This enables you to easily identify firewalls that are in HA mode. When pushing shared policies, you can push to the grouped pair instead of individual peers. For HA peers in an active/passive configuration, consider adding both firewalls or their virtual systems to the same device group, template, or template stack so that you can push the configuration to both peers simultaneously.
Filter Selected ( Template and device group commits only ) If you want the list to display only specific firewalls or virtual systems, select the firewalls and then select Filter Selected.
Merge with Candidate Config ( Template and device group commits only ) Select this option (selected by default) to merge and commit the Panorama configuration changes with any pending configuration changes that were implemented locally on the target firewall. If you clear this selection, the commit operation excludes the candidate configuration on the firewall. Clear this selection if you allow firewall administrators to commit changes locally on a firewall and you don’t want to include those local changes when committing changes from Panorama. Another best practice is to perform a configuration audit on the firewall to review any local changes before committing from Panorama.
Include Device and Network Templates ( Template and device group commits only ) Select this option (selected by default) to commit both device group and template changes to the selected firewalls and virtual systems in a single commit operation. To commit these changes as separate operations, clear this selection.
Force Template Values ( Template and device group commits only ) Select this option (disabled by default) to override all local configuration and remove objects on the selected firewalls that don’t exist in the template or template stack, or are overridden in the local configuration. The commit reverts all existing configuration on the firewall, and ensures that the firewall inherits only the settings defined in the template or template stack. If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.
Description Enter a description (up to 512 characters) for the commit. A brief summary of what changed in the configuration is useful for informing other administrators who might want to know about the changes without performing a configuration audit. The System log for a commit event will truncate the description value if it exceeds the character limit for that log type.
Preview Changes ( Panorama commits only ) Click Preview Changes to compare the candidate configuration to the running configuration. Use the Lines of Context drop-down to specify the number of lines—from the compared configuration files—to display before and after the highlighted differences. If you select All, the results include the entire configuration files. Changes are color-coded based on settings that you and other administrators added (green), modified (yellow), or deleted (red) since the last commit. The Panorama > Config Audit feature performs the same function (see Device > Config Audit). Because the preview results display in a new window, your browser must allow pop-ups. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
Validate Changes ( Panorama, template, and device group commits only ) Select Validate Changes to perform a syntactic validation (whether configuration syntax is correct) and semantic validation (whether the configuration is complete and makes sense) of the Panorama or firewall configuration before committing the changes. The results display all the same errors and warnings displayed for a full commit, including rule shadowing and application dependency warnings, but the running configuration does not change. The validations help determine whether you can successfully commit your changes before attempting to commit, which reduces failures at commit time.
Commit Click Commit to activate your changes. If another commit is in process, clicking Commit adds your request to the commit queue.

Related Documentation