Commit Configuration Changes
Any change in the Palo Alto Networks device configuration is first written to the candidate configuration. The change only takes effect on the device when you commit it. Committing a configuration applies the change to the running configuration, which is the configuration that the device actively uses. Upon commit, the device performs both a syntactic validation (of configuration syntax) and a semantic validation (whether the configuration is complete and makes sense). As a best practice,
validateconfiguration changes prior to committing so that you can fix any errors that will cause a commit failure, thereby ensuring that the commit will succeed. This is particularly useful in environments with a strict change window.
The firewall and Panorama queue commit operations so that you can initiate a new commit while a previous commit is in progress. The firewall and Panorama perform commits in the order you and other administrators initiate them but prioritize automatic commits such as content database installations and FQDN refreshes. If the queue already has the maximum number of administrator-initiated commits (this varies by appliance model), the firewall or Panorama must begin processing a commit (remove it from the queue) before you can initiate a new commit.
To see details (such as queue positions or Job-IDs) about commits that are pending, in progress, completed, or failed, run the operational command
show jobs all. To see the messages and description for a particular commit, run
show jobs id.
- (Optional but recommended) Validate the configuration:
- Enter the validate command:admin@PA-3060>configureadmin@PA-3060#validate fullValidate job enqueued with jobid 3041 3041
- View the validation results using the job ID that was displayed when you entered the validate command. Verify that the job finished (FIN) and that the configuration is valid as shown in the following example: admin@PA-3060#exitExiting configuration mode admin@PA-3060>show jobs id 3041Enqueued Dequeued ID Type Status Result Completed -------------------------------------------------------------------------------------- 2015/05/18 14:00:40 14:00:40 3041 Validate FIN OK 14:01:11 Warnings:EBL(vsys1/Palo Alto Networks Malicious IP List) Unable to fetch external list. Using old copy for refresh. vsys1 (vsys1) vsys1: Rule 'rule1' application dependency warning: Application 'propalms' requires 'web-browsing' be allowed Application 'open-vpn' requires 'ssl' be allowed Application 'open-vpn' requires 'web-browsing' be allowed Application 'files.to' requires 'web-browsing' be allowed Application 'gigaup' requires 'ftp' be allowed Application 'dazhihui' requires 'web-browsing' be allowed Application 'fasp' requires 'ssh' be allowed Application 'vidsoft' requires 'web-browsing' be allowed Application 'ipp' requires 'web-browsing' be allowed Application 'flexnet-installanywhere' requires 'web-browsing' be allowed (Module: device) Details:Configuration is valid
- If the validation fails, fix any errors and then repeat steps 1 and 2.
- After successfully validating the configuration, save it to the running configuration by performing a commit of all or a portion of the configuration:
- Commit the entire configuration:admin@PA-3060>configureadmin@PA-3060#commit
- Commit part of the configuration on a firewall with multiple virtual systems:admin@PA-3060#commit partial ?+ description Enter commit description + device-and-network device-and-network + shared-object shared-object > admin admin > no-vsys no-vsys > vsys vsys <Enter> Finish inputWhen doing a partial commit from the CLI, you must specify what part of the configuration to exclude from the commit. You can also filter the configuration changes by administrator. For example, the following command commits only the changes that an administrator with the username jsmith made to the vsys1 configuration and to shared objects:admin@PA-3060#commit partial admin jsmith vsys vsys1 device-and-network excluded
- Commit part of the configuration on a firewall that does not have multiple virtual systems mode enabled:admin@PA-200#commit partial ?+ description Enter commit description + device-and-network device-and-network + policy-and-objects policy-and-objects + shared-object shared-object > admin admin <Enter> Finish inputFor example, if you made a change in the Security policy only, you might want to commit just the policy and objects portion of the configuration as follows:admin@PA-200#commit partial device-and-network excludedIf the commit takes a long time, you can press Ctrl+C to access the command line while the commit continues as a background process.
Recommended For You
Recommended videos not found.