Push Selective Configuration Changes to Managed Devices
Table of Contents
11.0 (EoL)
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on Alibaba Cloud
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Hyper-V
- Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on Alibaba Cloud
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Hyper-V
- Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
- Install the Device Certificate for a Dedicated Log Collector
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-500 Appliance to an M-700 Appliance
- Migrate from an M-600 Appliance to an M-700 Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Admin Role Profile for Selective Push to Managed Firewalls
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
- Configure Tracking of Administrator Activity
-
- Add a Firewall as a Managed Device
- Change Between Panorama Management and Cloud Management
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Device Group Push to a Multi-VSYS Firewall
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Schedule a Configuration Push to Managed Firewalls
- Redistribute Data to Managed Firewalls
-
- Plan the Transition to Panorama Management
- Migrate a Firewall to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall to Panorama Management and Push a New Configuration
- Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
- Load a Partial Firewall Configuration into Panorama
- Localize a Panorama Pushed Configuration on a Managed Firewall
-
- Configure a Managed Collector
- Monitor Managed Collector Health Status
- Configure Log Forwarding to Panorama
- Configure Syslog Forwarding to External Destinations
- Forward Logs to Strata Logging Service
- Verify Log Forwarding to Panorama
- Modify Log Forwarding and Buffering Defaults
- Configure Log Forwarding from Panorama to External Destinations
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
-
-
- Preview, Validate, or Commit Configuration Changes
- Commit Selective Configuration Changes for Managed Devices
- Push Selective Configuration Changes to Managed Devices
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- View Log Query Jobs
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- View Task Success or Failure Status
- Generate a Stats Dump File for a Managed Firewall
- Recover Managed Device Connectivity to Panorama
- Restore an Expired Device Certificate
End-of-Life (EoL)
Push Selective Configuration Changes to Managed Devices
Selectively push configuration objects from the Panorama™
management server to your managed firewalls.
You can include the configuration changes
committed by one or more Panorama administrators to push to your
managed firewalls. This allows for a greater degree of control when
making configuration changes and reduces the risk of pushing an incomplete
configuration to your managed firewalls. To allow a Panorama administrator
to selectively push configuration changes, you must configure an
admin role profile that allows selective push and assign the admin
role profile to the Panorama administrator. A system log is generated
for a successful selective push to managed firewalls.
You can also
leverage selective commit of
configuration changes for further selectivity when pushing
configuration changes to your managed firewalls. Selective commit
allows you to select and commit specific configuration objects.
After you commit, you can leverage selective push to review and
push all committed configuration changes made by other Panorama
administrators.
The ability specify which Panorama
administrator configuration changes to include in a push to managed
firewalls allows multiple administrators to effectively manage firewall
configurations without disrupting other administrators and reduces
the risk of pushing an incomplete configuration to your managed
firewalls that could result in an outage. Leveraging the ability
to selectively push configuration changes allows you to maintain
your defined operational procedure while still being able to successfully
make independent configuration changes that are not defined within
your operational scope.
Selective push is supported for managed
firewalls only and is supported for managed firewalls running any supported PAN-OS release.
Selective push is not supported for Log Collectors, collector groups,
WildFire appliances, and WildFire clusters. For Panorama in an active/passive
high availability (HA) configuration, selective push is supported
from the active HA peer only.
- Log in to the Panorama Web Interface.The Panorama administrator must be configured with an admin role profile that allows the push of configuration changes made by other admins to managed firewalls. The default Superuser or Panorama admin role privileges support full object level configuration privileges.Select Commit and Push to Devices.You can also select Commit and Push to commit selective configuration changes to Panorama and push already committed changes in one operation.You cannot selectively push a configuration change that has not been committed.Change the push scope to Push Changes Made By and filter the push scope by Panorama admin to select specific device group and template stack configuration changes to push to your managed firewalls.The push scope displays the name of the admin currently logged in. Click the admin name to view a list of admins with committed configuration changes that have not been pushed to managed firewalls. The push scope automatically refreshes to display an updated list of device groups and template stacks based on the admins selected.In the Include in Push column, check (enable) the configuration objects you want to include in the commit.The push scope displays only device groups and template stacks that are out of sync.You must select and push the entire device group or template stack configuration that was committed. Object level changes displayed in the push scope are informational and cannot be excluded from the push for the device group or template stack you select.(Optional) Edit Selections and select the managed firewalls associated with the impacted device groups and template stacks.Skip this step to push to all managed firewalls associated with the impacted device groups and template stacks.Disable the Merge with Device Candidate Config setting if you manage and commit local firewall configuration changes independently of the Panorama managed configuration.This setting is enabled by default and merges any pending local firewall configurations with the configuration push from Panorama. The local firewall configuration is merged and committed regardless of the admin pushing the changes from Panorama or the admin who made the local firewall configuration changes.Push the configuration changes.If your admin role allows you to push configuration changes for other Panorama administrators, review the Confirm Push to Devices prompt and Push.This warning is displayed when the administrators included in the Admin Scope make conflicting configuration changes to the same object. For example, Admin1 is allowed to push configuration changes to managed firewalls while Admin2 is not allowed. Admin1 creates SecurityRule, adds ZoneA as the source zone and commits the change. Admin2 then modifies SecurityRule, deletes ZoneA, adds ZoneB, and as well as making additional configuration changes. Admin2 commits the changes to Panorama. Admin1 wants to include the configuration changes made by Admin1 in the push to managed firewalls. In this scenario, Admin1 is prompted to confirm the push because the configuration changes made to SecurityRule conflict.If you are not confident in the configuration changes made by other Panorama administrators, Continue push with my selected changes only to only push your own configuration changes and overwrite any configuration object conflict with the changes you made.Select PanoramaManaged DevicesSummary and click the Template Last Commit State for the impacted firewalls to review the Last Push State Details.