Commit Configuration Changes

Any change in the Palo Alto Networks device configuration is first written to the candidate configuration. The change only takes effect on the device when you commit it. Committing a configuration applies the change to the running configuration, which is the configuration that the device actively uses. Upon commit, the device performs both a syntactic validation (of configuration syntax) and a semantic validation (whether the configuration is complete and makes sense). As a best practice, validate configuration changes prior to committing so that you can fix any errors that will cause a commit failure, thereby ensuring that the commit will succeed. This is particularly useful in environments with a strict change window.
The firewall and Panorama queue commit operations so that you can initiate a new commit while a previous commit is in progress. The firewall and Panorama perform commits in the order you and other administrators initiate them but prioritize automatic commits such as content database installations and FQDN refreshes. If the queue already has the maximum number of administrator-initiated commits (this varies by appliance model), the firewall or Panorama must begin processing a commit (remove it from the queue) before you can initiate a new commit.
To see details (such as queue positions or Job-IDs) about commits that are pending, in progress, completed, or failed, run the operational command show jobs all. To see the messages and description for a particular commit, run show jobs id <job-id>.
  1. (Optional but recommended) Validate the configuration:
    1. Enter the validate command:
      admin@PA-3060> configure 
      admin@PA-3060# validate full 
      Validate job enqueued with jobid 3041 
      3041 
    2. View the validation results using the job ID that was displayed when you entered the validate command. Verify that the job finished (FIN) and that the configuration is valid as shown in the following example:
      [edit] 
      admin@PA-3060# exit 
      Exiting configuration mode 
      admin@PA-3060> show jobs id 3041 
       
      Enqueued              Dequeued       ID             Type    Status Result Completed 
      -------------------------------------------------------------------------------------- 
      2015/05/18 14:00:40   14:00:40     3041         Validate       FIN     OK  14:01:11 
      Warnings:EBL(vsys1/Palo Alto Networks Malicious IP List) Unable to fetch external list. Using old copy for refresh. 
      vsys1 (vsys1) 
          vsys1: Rule 'rule1' application dependency warning: 
              Application 'propalms' requires 'web-browsing' be allowed 
              Application 'open-vpn' requires 'ssl' be allowed 
              Application 'open-vpn' requires 'web-browsing' be allowed 
              Application 'files.to' requires 'web-browsing' be allowed 
              Application 'gigaup' requires 'ftp' be allowed 
              Application 'dazhihui' requires 'web-browsing' be allowed 
              Application 'fasp' requires 'ssh' be allowed 
              Application 'vidsoft' requires 'web-browsing' be allowed 
              Application 'ipp' requires 'web-browsing' be allowed 
              Application 'flexnet-installanywhere' requires 'web-browsing' be allowed 
      (Module: device) 
      Details:Configuration is valid 
    3. If the validation fails, fix any errors and then repeat steps 1 and 2.
  2. After successfully validating the configuration, save it to the running configuration by performing a commit of all or a portion of the configuration:
    • Commit the entire configuration:
      admin@PA-3060> configure 
      admin@PA-3060# commit
    • Commit part of the configuration on a firewall with multiple virtual systems:
      admin@PA-3060# commit partial ? 
      + description          Enter commit description 
      + device-and-network   device-and-network 
      + shared-object        shared-object 
      > admin                admin 
      > no-vsys              no-vsys 
      > vsys                 vsys 
        <Enter>              Finish input 
      When doing a partial commit from the CLI, you must specify what part of the configuration to exclude from the commit. You can also filter the configuration changes by administrator. For example, the following command commits only the changes that an administrator with the username jsmith made to the vsys1 configuration and to shared objects:
      admin@PA-3060# commit partial admin jsmith vsys vsys1 device-and-network excluded
    • Commit part of the configuration on a firewall that does not have multiple virtual systems mode enabled:
      admin@PA-200# commit partial ? 
      + description          Enter commit description 
      + device-and-network   device-and-network 
      + policy-and-objects   policy-and-objects 
      + shared-object        shared-object 
      > admin                admin 
      <Enter>              Finish input 
      For example, if you made a change in the Security policy only, you might want to commit just the policy and objects portion of the configuration as follows:
      admin@PA-200# commit partial device-and-network excluded
      If the commit takes a long time, you can press Ctrl+C to access the command line while the commit continues as a background process.

Related Documentation