Commit Configuration Changes
Any change in the Palo Alto Networks device configuration is first written to the candidate configuration. The change only takes effect on the device when you commit it. Committing a configuration applies the change to the running configuration, which is the configuration that the device actively uses. Upon commit, the device performs both a syntactic validation (of configuration syntax) and a semantic validation (whether the configuration is complete and makes sense). As a best practice, validate configuration changes prior to committing so that you can fix any errors that will cause a commit failure, thereby ensuring that the commit will succeed. This is particularly useful in environments with a strict change window.
The firewall and Panorama queue commit operations so that you can initiate a new commit while a previous commit is in progress. The firewall and Panorama perform commits in the order you and other administrators initiate them but prioritize automatic commits such as content database installations and FQDN refreshes. If the queue already has the maximum number of administrator-initiated commits (this varies by appliance model), the firewall or Panorama must begin processing a commit (remove it from the queue) before you can initiate a new commit.
To see details (such as queue positions or Job-IDs) about commits that are pending, in progress, completed, or failed, run the operational command show jobs all. To see the messages and description for a particular commit, run show jobs id <job-id>.
- (Optional but recommended) Validate the
the validate command:
admin@PA-3060> configure admin@PA-3060# validate full Validate job enqueued with jobid 3041 3041
- View the validation results using the job ID that
was displayed when you entered the validate command. Verify that
the job finished (FIN) and that the
configuration is valid as shown in the following example:
 admin@PA-3060# exit Exiting configuration mode admin@PA-3060> show jobs id 3041 Enqueued Dequeued ID Type Status Result Completed -------------------------------------------------------------------------------------- 2015/05/18 14:00:40 14:00:40 3041 Validate FIN OK 14:01:11 Warnings:EBL(vsys1/Palo Alto Networks Malicious IP List) Unable to fetch external list. Using old copy for refresh. vsys1 (vsys1) vsys1: Rule 'rule1' application dependency warning: Application 'propalms' requires 'web-browsing' be allowed Application 'open-vpn' requires 'ssl' be allowed Application 'open-vpn' requires 'web-browsing' be allowed Application 'files.to' requires 'web-browsing' be allowed Application 'gigaup' requires 'ftp' be allowed Application 'dazhihui' requires 'web-browsing' be allowed Application 'fasp' requires 'ssh' be allowed Application 'vidsoft' requires 'web-browsing' be allowed Application 'ipp' requires 'web-browsing' be allowed Application 'flexnet-installanywhere' requires 'web-browsing' be allowed (Module: device) Details:Configuration is valid
- If the validation fails, fix any errors and then repeat steps 1 and 2.
- Enter the validate command:
- After successfully validating the configuration, save
it to the running configuration by performing a commit of all or
a portion of the configuration:
- Commit the entire configuration:
admin@PA-3060> configure admin@PA-3060# commit
- Commit part of the configuration on a firewall with multiple virtual systems:
admin@PA-3060# commit partial ? + description Enter commit description + device-and-network device-and-network + shared-object shared-object > admin admin > no-vsys no-vsys > vsys vsys <Enter> Finish inputWhen doing a partial commit from the CLI, you must specify what part of the configuration to exclude from the commit. You can also filter the configuration changes by administrator. For example, the following command commits only the changes that an administrator with the username jsmith made to the vsys1 configuration and to shared objects:
admin@PA-3060# commit partial admin jsmith vsys vsys1 device-and-network excluded
- Commit part of the configuration on a firewall that does not have multiple virtual systems mode enabled:
admin@PA-200# commit partial ? + description Enter commit description + device-and-network device-and-network + policy-and-objects policy-and-objects + shared-object shared-object > admin admin <Enter> Finish inputFor example, if you made a change in the Security policy only, you might want to commit just the policy and objects portion of the configuration as follows:
admin@PA-200# commit partial device-and-network excludedIf the commit takes a long time, you can press Ctrl+C to access the command line while the commit continues as a background process.
Refresh SSH Keys and Configure Key Options for Management Interface Connection
Regenerate SSH keys and configure other key options for the connection to the management interface on the firewall. ...
Refresh HA1 SSH Keys and Configure Key Options
If you enable encryption over the HA1 control link, you can refresh the SSH host keys and change various key options. ...
Commit Changes Click Commit at the top right of the web interface and specify an operation for pending changes to the firewall configuration: commit (activate), ...
Commit, Validate, and Preview Firewall Configuration Change...
Commit, Validate, and Preview Firewall Configuration Changes A commit is the process of activating pending changes to the firewall configuration. You can filter pending changes ...
Panorama Commit Operations
Panorama Commit Operations Click Commit at the top right of the web interface and select an operation for pending changes to the Panorama configuration and ...
Modify the Configuration
Modify the Configuration You can also modify the device configuration from the CLI using the set , delete , and edit commands (if your administrative ...
Preview, Validate, or Commit Configuration Changes
Preview, Validate, or Commit Configuration Changes You can perform Panorama Commit, Validation, and Preview Operations on pending changes to the Panorama configuration and then push ...
Panorama Commit, Validation, and Preview Operations
Panorama Commit, Validation, and Preview Operations When you are ready to activate changes that you made to the candidate configuration on Panorama or to push ...
Interpret the Command Help
Interpret the Command Help Use the following table to help interpret the command options you see when you use the ? to get help. Symbol ...