https://live.paloaltonetworks.com/t5/panorama-discussions/fastest-way-to-commit-panorama-changes/m-p/428202#M162 <P>Hey All, I have a customer who has about 50 PA FW's and Panorama. They will be using Cyberark to rotate passwords on service accounts, the account that the FW's are using for LAPD will be changing.&nbsp;Cyberark will make and replicate its change very fast but the FW commits will take way longer and USER ID will break as soon as the change is made. It's a 24/7 operation so I need to be as noninvasive as possible, will scripting or API call's speed up the commit process?&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Fri, 20 Aug 2021 20:47:49 GMT Pasquale01 2021-08-20T20:47:49Z https://live.paloaltonetworks.com/t5/panorama-discussions/fastest-way-to-commit-panorama-changes/m-p/428202#M162 <P>Hey All, I have a customer who has about 50 PA FW's and Panorama. They will be using Cyberark to rotate passwords on service accounts, the account that the FW's are using for LAPD will be changing.&nbsp;Cyberark will make and replicate its change very fast but the FW commits will take way longer and USER ID will break as soon as the change is made. It's a 24/7 operation so I need to be as noninvasive as possible, will scripting or API call's speed up the commit process?&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Fri, 20 Aug 2021 20:47:49 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/fastest-way-to-commit-panorama-changes/m-p/428202#M162 Pasquale01 2021-08-20T20:47:49Z https://live.paloaltonetworks.com/t5/panorama-discussions/fastest-way-to-commit-panorama-changes/m-p/428278#M163 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138583">@Pasquale01</a>,</P><P>So just to be clear, User-ID shouldn't be clearing its cache when the password starts failing once the service account is changed. The cached user-id entries will still be present until their age-out limit is reached, you simply won't be able to get any updates until the commit with the updated password is actually applied. So yes that's a disruption, but not a "everything stopped working because we dropped the entire user-id database" disruption.&nbsp;</P><P>&nbsp;</P><P>On to your other question, it would technically be quicker to push the change directly at the device instead of pushing it through Panorama. You aren't talking about a huge amount of time difference however. Whenever you're automating anything on the firewall I&nbsp;<STRONG>don't&nbsp;</STRONG>recommend doing it through a CLI script. The API is the easier option, is actually built for these sort of situations, and will allow you to easily build out a pretty robust script with built in job status and failure detection.</P><P>Once you have the script operational just be mindful that you'll want to run the commit on all devices in parallel if you actually want to see a performance improvements over Panorama. This means that you'll either need to spawn 50 instances of the script targeting your firewalls or set the script up with proper threading to actually handle a parallel run.&nbsp;</P> Sun, 22 Aug 2021 04:38:40 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/fastest-way-to-commit-panorama-changes/m-p/428278#M163 BPry 2021-08-22T04:38:40Z