: Manage Locks for Restricting Configuration Changes
Focus
Focus

Manage Locks for Restricting Configuration Changes

Table of Contents

Manage Locks for Restricting Configuration Changes

Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock or Panorama removes it automatically (after a commit). Locks ensure that administrators don’t make conflicting changes to the same settings or interdependent settings during concurrent login sessions.
If you are changing settings that are unrelated to the settings other administrators are changing in concurrent sessions, you don’t need configuration locks to prevent commit conflicts. Panorama queues commit operations and performs them in the order that administrators initiate the commits. For details, see Panorama Commit, Validation, and Preview Operations.
A template or device group configuration push will fail if a firewall assigned to the template or device group has a commit or config lock that an administrator set locally on that firewall.
  • View details about current locks.
    For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.
    Click the locked padlock (   ) at the top of the web interface. The adjacent number indicates the number of current locks.
  • Lock a configuration.
    Read-only administrators who cannot modify firewall or Panorama configurations cannot set locks.
    1. Click the padlock icon at the top of the web interface.
      The icon varies based on whether existing locks are (   ) or are not (   ) set.
    2. Take a Lock
      and select the lock
      Type
      :
      • Config
        —Blocks other administrators from changing the candidate configuration.
      A custom role administrator who cannot commit changes can set a
      Config
      lock and save the changes to the candidate configuration. However, because that administrator cannot commit the changes, Panorama does not automatically release the lock after a commit; the administrator must manually remove the
      Config
      lock after making the required changes.
      • Commit
        —Blocks other administrators from changing the running configuration.
    3. Select the
      Location
      to determine the scope of the lock:
      • Shared
        —Restricts changes to the entire Panorama configuration, including all device groups and templates.
      • Template
        —Restricts changes to the firewalls included in the selected template. (You can’t take a lock for a template stack, only for individual templates within the stack.)
      • Device group
        —Restricts changes to the selected device group but not its descendant device groups.
    4. (
      Optional
      ) As a best practice, enter a
      Comment
      to describe your reason for setting the lock.
    5. Click
      OK
      and
      Close
      .
  • Unlock a configuration.
    Only a superuser or the administrator who locked the configuration can manually unlock it. However, Panorama automatically removes a lock after completing the commit operation that the administrator who set the lock initiated.
    1. Click the locked padlock (   ) at the top of the web interface.
    2. Select the lock entry in the list.
    3. Click
      Remove Lock
      ,
      OK
      , and
      Close
      .
  • Configure Panorama to automatically lock the running configuration when you change the candidate configuration. This setting applies to all Panorama administrators.
    1. Select
      Panorama
      Setup
      Management
      and edit the General Settings.
    2. Select
      Automatically Acquire Commit Lock
      and click
      OK
      .
    3. Select
      Commit
      Commit to Panorama
      and
      Commit
      your changes.

Recommended For You