Manage Locks for Restricting Configuration Changes

Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock or Panorama removes it automatically (after a commit). Locks ensure that administrators don’t make conflicting changes to the same settings or interdependent settings during concurrent login sessions.
If you are changing settings that are unrelated to the settings other administrators are changing in concurrent sessions, you don’t need configuration locks to prevent commit conflicts. Panorama queues commit operations and performs them in the order that administrators initiate the commits. For details, see Panorama Commit, Validation, and Preview Operations.
A template or device group configuration push will fail if a firewall assigned to the template or device group has a commit or config lock that an administrator set locally on that firewall.
  • View details about current locks.
    For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.
    Click the locked padlock (  icon_locked.png  ) at the top of the web interface. The adjacent number indicates the number of current locks.
  • Lock a configuration.
    Read-only administrators who cannot modify firewall or Panorama configurations cannot set locks.
    1. Click the padlock icon at the top of the web interface.
      The icon varies based on whether existing locks are (  icon_locked.png  ) or are not (  icon_unlocked.png  ) set.
    2. Take a Lock and select the lock Type:
      • Config—Blocks other administrators from changing the candidate configuration.
      A custom role administrator who cannot commit changes can set a Config lock and save the changes to the candidate configuration. However, because that administrator cannot commit the changes, Panorama does not automatically release the lock after a commit; the administrator must manually remove the Config lock after making the required changes.
      • Commit—Blocks other administrators from changing the running configuration.
    3. Select the Location to determine the scope of the lock:
      • Shared—Restricts changes to the entire Panorama configuration, including all device groups and templates.
      • Template—Restricts changes to the firewalls included in the selected template. (You can’t take a lock for a template stack, only for individual templates within the stack.)
      • Device group—Restricts changes to the selected device group but not its descendant device groups.
    4. (Optional) As a best practice, enter a Comment to describe your reason for setting the lock.
    5. Click OK and Close.
  • Unlock a configuration.
    Only a superuser or the administrator who locked the configuration can manually unlock it. However, Panorama automatically removes a lock after completing the commit operation that the administrator who set the lock initiated.
    1. Click the locked padlock (  icon_locked.png  ) at the top of the web interface.
    2. Select the lock entry in the list.
    3. Click Remove Lock, OK, and Close.
  • Configure Panorama to automatically lock the running configuration when you change the candidate configuration. This setting applies to all Panorama administrators.
    1. Select PanoramaSetupManagement and edit the General Settings.
    2. Select Automatically Acquire Commit Lock and click OK.
    3. Select CommitCommit to Panorama and Commit your changes.

Related Documentation