In a team where multiple admins are responsible for the same systems, one always needs to coordinate config changes to prevent someone from pushing out or committing a change while someone else is still making changes, potentially committing an invalid or horribly wrong configuration.
To help prevent these kinds of conflicts, two kinds of locks are available to administrators: Commit Locks and Config Locks
As the name implies, a Commit Lock will prevent other admins from committing anything to the firewall until the lock has been released. This lock can be configured to be automatically acquired as soon as one administrator makes a change:
Automatically Acquire Commit Lock when something is changedIf one administrator makes a change and a second admin logs on and changes something, then tries to commit, they will see this error message:
Commit Lock
The lock will now first need to be cleared by the first administrator committing his configuration or relinquishing his lock to the second admin.
A lock can also be set manually, by clicking the little lock icon in the upper right-hand corner and selecting the type of lock:
Manually taking a Commit Lock
While the Commit Lock prevents other administrators from committing their changes, but still allows them to edit the configuration, a Config Lock prevents all other administrators from making changes to the Candidate Config. You can also add a short description of what you are doing to notify other administrators of your activities:
Taking a Config Lock and adding a description
Anyone trying to change the configuration will be greeted by this error message:
Operation Failed: Configuration is Locked
When needed, a lock can be removed by the administrator who acquired the lock, or a superuser.
Removing the Config and Commit Locks
This blurb is based on a discussiojn I had with @jdprovine the other day where the recommendation had been made to enable automatic Commit Lock, but the functionality had not been explained. I hope this blog post helps other admins make their life a little easier and safe from stepping on each others' toes 🙂
The original discussion can be followed here: autolock
Reaper out!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
3 Likes | |
2 Likes | |
2 Likes | |
1 Like | |
1 Like |