Manage Locks for Restricting Configuration Changes
Locking the candidate or running configuration
prevents other administrators from changing the configuration until
you manually remove the lock or Panorama removes it automatically
(after a commit). Locks ensure that administrators don’t make conflicting
changes to the same settings or interdependent settings during concurrent
If you are changing settings that are
unrelated to the settings other administrators are changing in concurrent
sessions, you don’t need configuration locks to prevent commit conflicts.
Panorama queues commit operations and performs them in the order
that administrators initiate the commits. For details, see Panorama Commit, Validation, and Preview Operations.
template or device group configuration push will fail if a firewall
assigned to the template or device group has a commit or config
lock that an administrator set locally on that firewall.
View details about current locks.
For example, you can check whether other administrators
have set locks and read comments they entered to explain the locks.
the locked padlock (
at the top of the web interface. The adjacent number indicates the
number of current locks.
Lock a configuration.
Read-only administrators who cannot modify firewall or
Panorama configurations cannot set locks.
Click the padlock icon at the top of the
The icon varies based on whether existing locks are (
or are not (
Take a Lock
and select the
—Blocks other administrators
from changing the candidate configuration.
custom role administrator who cannot commit changes can set a
and save the changes to the candidate configuration. However, because
that administrator cannot commit the changes, Panorama does not
automatically release the lock after a commit; the administrator
must manually remove the
making the required changes.
other administrators from changing the running configuration.
the scope of the lock:
to the entire Panorama configuration, including all device groups
—Restricts changes to the
firewalls included in the selected template. (You can’t take a lock for
a template stack, only for individual templates within the stack.)
—Restricts changes to
the selected device group but not its descendant device groups.
) As a best practice, enter a
describe your reason for setting the lock.
Unlock a configuration.
Only a superuser or the administrator who locked the configuration
can manually unlock it. However, Panorama automatically removes
a lock after completing the commit operation that the administrator
who set the lock initiated.
Click the locked padlock (
at the top of the web interface.
Select the lock entry in the list.
Configure Panorama to automatically lock the running
configuration when you change the candidate configuration. This
setting applies to all Panorama administrators.