Automatically revert the firewall and Panorama™ management
server to the last running configuration when
the firewall loses connection to Panorama.
Recovering isolated firewalls can be painful
as it can result in unintended downtime and a loss in productivity.
PAN-OS 9.1.0 introduces the ability for managed firewalls to check
for connectivity to the Panorama™ management server and automatically
revert to the last running configuration when the firewall is unable
to communicate with Panorama. This helps you quickly resolve any
configuration or connectivity issues without the need for manual
intervention.
Automatic commit recovery allows you to configure
the firewall to attempt a specified number of connectivity tests
after you push a configuration from Panorama or commit a configuration
change locally on the firewall. Additionally, the firewall checks
connectivity to Panorama every hour to ensure consistent communication
in the event that unrelated network configuration changes have disrupted
connectivity between the firewall and Panorama, or if implications
of a pushed, committed configuration may have affected connectivity.
If an hourly connectivity check fails, the firewall generates a
system log to alert admins of potential configuration or network
connectivity issues. Additionally, a system log is generated when
you disable the setting, when a connectivity test fails, or when a firewall
configuration reverts to the last running configuration.
In high availability (HA) firewall configurations, each HA peer performs
connectivity tests independently of each other, and HA config syncs
may only occur after each HA peer successfully tests connectivity to
Panorama and verifies its connection.