: Push Selective Configuration Changes to Managed Devices
Focus
Focus

Push Selective Configuration Changes to Managed Devices

Table of Contents
End-of-Life (EoL)

Push Selective Configuration Changes to Managed Devices

Selectively push configuration objects from the Panorama™ management server to your managed firewalls.
You can include the configuration changes committed by one or more Panorama administrators to push to your managed firewalls. This allows for a greater degree of control when making configuration changes and reduces the risk of pushing an incomplete configuration to your managed firewalls. To allow a Panorama administrator to selectively push configuration changes, you must configure an admin role profile that allows selective push and assign the admin role profile to the Panorama administrator. A system log is generated for a successful selective push to managed firewalls.
You can also leverage selective commit of configuration changes for further selectivity when pushing configuration changes to your managed firewalls. Selective commit allows you to select and commit specific configuration objects. After you commit, you can leverage selective push to review and push all committed configuration changes made by other Panorama administrators.
The ability specify which Panorama administrator configuration changes to include in a push to managed firewalls allows multiple administrators to effectively manage firewall configurations without disrupting other administrators and reduces the risk of pushing an incomplete configuration to your managed firewalls that could result in an outage. Leveraging the ability to selectively push configuration changes allows you to maintain your defined operational procedure while still being able to successfully make independent configuration changes that are not defined within your operational scope.
Selective push is supported for managed firewalls only and is supported for managed firewalls running any supported PAN-OS release. Selective push is not supported for Log Collectors, collector groups, WildFire appliances, and WildFire clusters. For Panorama in an active/passive high availability (HA) configuration, selective push is supported from the active HA peer only.
  1. Log in to the Panorama Web Interface.
    The Panorama administrator must be configured with an admin role profile that allows the push of configuration changes made by other admins to managed firewalls. The default Superuser or Panorama admin role privileges support full object level configuration privileges.
  2. Select Commit and Push to Devices.
    You can also select Commit and Push to commit selective configuration changes to Panorama and push already committed changes in one operation.
    You cannot selectively push a configuration change that has not been committed.
  3. Change the push scope to Push Changes Made By and filter the push scope by Panorama admin to select specific device group and template stack configuration changes to push to your managed firewalls.
    The push scope displays the name of the admin currently logged in. Click the admin name to view a list of admins with committed configuration changes that have not been pushed to managed firewalls. The push scope automatically refreshes to display an updated list of device groups and template stacks based on the admins selected.
  4. In the Include in Push column, check (enable) the configuration objects you want to include in the commit.
    The push scope displays only device groups and template stacks that are out of sync.
    You must select and push the entire device group or template stack configuration that was committed. Object level changes displayed in the push scope are informational and cannot be excluded from the push for the device group or template stack you select.
  5. (Optional) Edit Selections and select the managed firewalls associated with the impacted device groups and template stacks.
    Skip this step to push to all managed firewalls associated with the impacted device groups and template stacks.
    Disable the Merge with Device Candidate Config setting if you manage and commit local firewall configuration changes independently of the Panorama managed configuration.
    This setting is enabled by default and merges any pending local firewall configurations with the configuration push from Panorama. The local firewall configuration is merged and committed regardless of the admin pushing the changes from Panorama or the admin who made the local firewall configuration changes.
  6. Push the configuration changes.
  7. If your admin role allows you to push configuration changes for other Panorama administrators, review the Confirm Push to Devices prompt and Push.
    This warning is displayed when the administrators included in the Admin Scope make conflicting configuration changes to the same object. For example, Admin1 is allowed to push configuration changes to managed firewalls while Admin2 is not allowed. Admin1 creates SecurityRule, adds ZoneA as the source zone and commits the change. Admin2 then modifies SecurityRule, deletes ZoneA, adds ZoneB, and as well as making additional configuration changes. Admin2 commits the changes to Panorama. Admin1 wants to include the configuration changes made by Admin1 in the push to managed firewalls. In this scenario, Admin1 is prompted to confirm the push because the configuration changes made to SecurityRule conflict.
    If you are not confident in the configuration changes made by other Panorama administrators, Continue push with my selected changes only to only push your own configuration changes and overwrite any configuration object conflict with the changes you made.
  8. Select PanoramaManaged DevicesSummary and click the Template Last Commit State for the impacted firewalls to review the Last Push State Details.