Manage Locks for Restricting Configuration Changes
Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock or Panorama removes it automatically (after a commit). Locks ensure that administrators don’t make conflicting changes to the same settings or interdependent settings during concurrent login sessions.
If you are changing settings that are unrelated to the settings other administrators are changing in concurrent sessions, you don’t need configuration locks to prevent commit conflicts. Panorama queues commit operations and performs them in the order that administrators initiate the commits. For details, see Panorama Commit, Validation, and Preview Operations.
A template or device group configuration push will fail if a firewall assigned to the template or device group has a commit or config lock that an administrator set locally on that firewall.
- View details about current locks.For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.Click the locked padlock ( ) at the top of the web interface. The adjacent number indicates the number of current locks.
- Lock a configuration.Read-only administrators who cannot modify firewall or Panorama configurations cannot set locks.
- Click the padlock icon at the top of the web interface.The icon varies based on whether existing locks are ( ) or are not ( ) set.
- Take a Lockand select the lockType:
A custom role administrator who cannot commit changes can set aConfiglock and save the changes to the candidate configuration. However, because that administrator cannot commit the changes, Panorama does not automatically release the lock after a commit; the administrator must manually remove theConfiglock after making the required changes.
- Config—Blocks other administrators from changing the candidate configuration.
- Commit—Blocks other administrators from changing the running configuration.
- Select theLocationto determine the scope of the lock:
- Shared—Restricts changes to the entire Panorama configuration, including all device groups and templates.
- Template—Restricts changes to the firewalls included in the selected template. (You can’t take a lock for a template stack, only for individual templates within the stack.)
- Device group—Restricts changes to the selected device group but not its descendant device groups.
- (Optional) As a best practice, enter aCommentto describe your reason for setting the lock.
- Unlock a configuration.Only a superuser or the administrator who locked the configuration can manually unlock it. However, Panorama automatically removes a lock after completing the commit operation that the administrator who set the lock initiated.
- Click the locked padlock ( ) at the top of the web interface.
- Select the lock entry in the list.
- ClickRemove Lock,OK, andClose.
- Configure Panorama to automatically lock the running configuration when you change the candidate configuration. This setting applies to all Panorama administrators.
- Selectand edit the General Settings.PanoramaSetupManagement
- SelectAutomatically Acquire Commit Lockand clickOK.
- SelectandCommitCommit to PanoramaCommityour changes.