Enable Automated Commit Recovery

Enable Automated Commit Recovery to enable firewalls to locally test the connection to Panorama and revert if the connection is broken.
To guard against broken configurations caused by configuration changes pushed from the Panorama™ management server to managed firewalls, or committed locally on the firewall, enable Automated Commit Recovery so that managed firewalls test configuration changes for each commit and verify that the changes did not break the connection between Panorama and the managed firewall. You can configure the number of tests that each managed firewall performs and the interval at which each test occurs before the managed firewall automatically reverts its configuration to the previous running configuration. When you enable automated commit recovery, it is the managed firewall configuration that reverts, not the Panorama configuration. Additionally, the managed firewall tests its connection to Panorama every 60 minutes to ensure continued communication in the event that unrelated network configuration changes disrupted connectivity between the firewall and Panorama, or that impacts from a past committed configuration affected connectivity. For high availability (HA) configurations, HA synchronization between the HA peers after a push from Panorama occurs only after a connectivity test.
Automated commit recovery is enabled by default. However, if you disabled automated commit recovery and then want to re-enable this feature in an existing production environment, first verify that there are no policy rules that will break the connection between Panorama and the managed firewall. For example, in the event where management traffic traverses the dataplane, it is possible there is a policy rule that restricts traffic from the firewall to Panorama.
The firewall generates a config log after the firewall configuration successfully reverts to the last running configuration. Additionally, the firewall generates a system log when an administrator disables this feature, when a configuration revert event begins due to a connectivity test that fails after a configuration push, and when the Panorama connectivity test that is performed every 60 minutes fails and causes the firewall configuration to revert.
Enable Automated Commit Recovery independent of any other configuration change. If enabled alongside any other configuration changes that result in a connection break between Panorama and managed firewalls, the firewall configuration cannot automatically revert.
  1. Select Device > Setup > Management and select the desired Template or Template Stack from the Template context drop-down.
  2. Enable automated commit recovery.
    1. Edit the Panorama Settings.
    2. Enable automated commit recovery.
    3. Configure the Number of attempts to check for Panorama connectivity (default is 1 attempt).
    4. Configure the Interval between retries (default is 10 seconds).
    5. Click OK to save your changes.
  3. Select Commit > Commit and Push and Commit and Push your changes.
  4. Verify that the automated commit recovery feature is enabled on your managed firewalls.
    1. Select Device > Setup > Management and, in the Panorama Settings, verify that Enable automated commit recovery is enabled (checked).
