cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

DotW: Autolock

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
reaper
L7 Applicator
‎12-06-2017 05:15 AM

DotW: Autolock

‎12-06-2017 05:15 AM

In a team where multiple admins are responsible for the same systems, one always needs to coordinate config changes to prevent someone from pushing out or committing a change while someone else is still making changes, potentially committing an invalid or horribly wrong configuration.

 

To help prevent these kinds of conflicts, two kinds of locks are available to administrators: Commit Locks and Config Locks

 

As the name implies, a Commit Lock will prevent other admins from committing anything to the firewall until the lock has been released. This lock can be configured to be automatically acquired as soon as one administrator makes a change:

 

Automatically Acquire Commit Lock when something is changedAutomatically Acquire Commit Lock when something is changedIf one administrator makes a change and a second admin logs on and changes something, then tries to commit, they will see this error message:

Commit LockCommit Lock

The lock will now first need to be cleared by the first administrator committing his configuration or relinquishing his lock to the second admin.

 

A lock can also be set manually, by clicking the little lock icon in the upper right-hand corner and selecting the type of lock:

 

Manually taking a Commit LockManually taking a Commit Lock

While the Commit Lock prevents other administrators from committing their changes, but still allows them to edit the configuration, a Config Lock prevents  all other administrators from making changes to the Candidate Config. You can also add a short description of what you are doing to notify other administrators of your activities:

Taking a Config Lock and adding a descriptionTaking a Config Lock and adding a description

Anyone trying to change the configuration will be greeted by this error message:

Operation Failed: Configuration is LockedOperation Failed: Configuration is Locked

When needed, a lock can be removed by the administrator who acquired the lock, or a superuser.

 

Removing the Config and Commit LocksRemoving the Config and Commit Locks

 

This blurb is based on a discussiojn I had with @jdprovine the other day where the recommendation had been made to enable automatic Commit Lock, but the functionality had not been explained. I hope this blog post helps other admins make their life a little easier and safe from stepping on each others' toes :) 

 

The original discussion can be followed here: autolock

 

Reaper out!

17,538 Views
Comments
jdprovine
L4 Transporter
‎12-13-2017 06:26 AM

Re: DotW: Autolock

‎12-13-2017 06:26 AM

Thanks reaper very helpfull

16,961 Views
freshcalendar
L0 Member
‎12-15-2017 08:27 PM

Re: DotW: Autolock

‎12-15-2017 08:27 PM

thanks man ! It's so helpful. 55531-200.png

16,813 Views
bhudgens
L1 Bithead
‎12-20-2017 07:12 PM

Re: DotW: Autolock

‎12-20-2017 07:12 PM

Nice touch with the animated GIFs. Keep up the great work!!

15,884 Views
Ask Questions Get Answers Join the Live Community
Labels
Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks