Manage Locks for Restricting Configuration Changes
Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock or Panorama removes it automatically (after a commit). Locks ensure that administrators don’t make conflicting changes to the same settings or interdependent settings during concurrent login sessions.
If you are changing settings that are unrelated to the settings other administrators are changing in concurrent sessions, you don’t need configuration locks to prevent commit conflicts. Panorama queues commit operations and performs them in the order that administrators initiate the commits. For details, see Panorama Commit, Validation, and Preview Operations.
A template or device group configuration push will fail if a firewall assigned to the template or device group has a commit or config lock that an administrator set locally on that firewall.
- View details about current locks.For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.Click the locked padlock ( ) at the top of the web interface. The adjacent number indicates the number of current locks.
- Lock a configuration.Read-only administrators who cannot modify firewall or Panorama configurations cannot set locks.
- Click the padlock icon at the top of the
web interface.The icon varies based on whether existing locks are ( ) or are not ( ) set.
- Take a Lock and select the
A custom role administrator who cannot commit changes can set a Config lock and save the changes to the candidate configuration. However, because that administrator cannot commit the changes, Panorama does not automatically release the lock after a commit; the administrator must manually remove the Config lock after making the required changes.
- Config—Blocks other administrators from changing the candidate configuration.
- Commit—Blocks other administrators from changing the running configuration.
- Select the Location to determine
the scope of the lock:
- Shared—Restricts changes to the entire Panorama configuration, including all device groups and templates.
- Template—Restricts changes to the firewalls included in the selected template. (You can’t take a lock for a template stack, only for individual templates within the stack.)
- Device group—Restricts changes to the selected device group but not its descendant device groups.
- (Optional) As a best practice, enter a Comment to describe your reason for setting the lock.
- Click OK and Close.
- Click the padlock icon at the top of the web interface.
- Unlock a configuration.Only a superuser or the administrator who locked the configuration can manually unlock it. However, Panorama automatically removes a lock after completing the commit operation that the administrator who set the lock initiated.
- Click the locked padlock ( ) at the top of the web interface.
- Select the lock entry in the list.
- Click Remove Lock, OK, and Close.
- Configure Panorama to automatically lock the running
configuration when you change the candidate configuration. This
setting applies to all Panorama administrators.
- Select PanoramaSetupManagement and edit the General Settings.
- Select Automatically Acquire Commit Lock and click OK.
- Select CommitCommit to Panorama and Commit your changes.
Manage Locks for Restricting Configuration Changes
Manage Locks for Restricting Configuration Changes You can use configuration locks to prevent other administrators from changing the candidate configuration or from committing configuration changes ...
Lock Configurations To help you coordinate configuration tasks with other firewall administrators during concurrent login sessions, the web interface enables you to apply a configuration ...
Panorama Commit, Validation, and Preview Operations
Panorama Commit, Validation, and Preview Operations When you are ready to activate changes that you made to the candidate configuration on Panorama or to push ...
Revert Changes Select Config Revert Changes at the top right of the firewall or Panorama web interface to undo changes made to the candidate configuration ...
Administer Panorama This section describes how to administer and maintain the Panorama™ management server. It includes the following topics: Preview, Validate, or Commit Configuration Changes ...
Panorama > Administrators
Panorama > Administrators Select Panorama Administrators to create and manage accounts for Panorama administrators. If you log in to Panorama as an administrator with a ...
Use the Web Interface
Use the Web Interface The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the ...
Device > Setup > Management
Device > Setup > Management Device > Setup > Management Panorama > Setup > Management On a firewall, select Device Setup Management to configure management ...
Log Collector CLI Authentication Settings
Log Collector CLI Authentication Settings Panorama > Managed Collectors > Authentication An M-Series appliance in Log Collector mode (Dedicated Log Collector) has no web interface, ...