DotW: Autolock

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cyber Elite
Cyber Elite

In a team where multiple admins are responsible for the same systems, one always needs to coordinate config changes to prevent someone from pushing out or committing a change while someone else is still making changes, potentially committing an invalid or horribly wrong configuration.


To help prevent these kinds of conflicts, two kinds of locks are available to administrators: Commit Locks and Config Locks


As the name implies, a Commit Lock will prevent other admins from committing anything to the firewall until the lock has been released. This lock can be configured to be automatically acquired as soon as one administrator makes a change:


Automatically Acquire Commit Lock when something is changedAutomatically Acquire Commit Lock when something is changedIf one administrator makes a change and a second admin logs on and changes something, then tries to commit, they will see this error message:

Commit LockCommit Lock

The lock will now first need to be cleared by the first administrator committing his configuration or relinquishing his lock to the second admin.


A lock can also be set manually, by clicking the little lock icon in the upper right-hand corner and selecting the type of lock:


Manually taking a Commit LockManually taking a Commit Lock

While the Commit Lock prevents other administrators from committing their changes, but still allows them to edit the configuration, a Config Lock prevents  all other administrators from making changes to the Candidate Config. You can also add a short description of what you are doing to notify other administrators of your activities:

Taking a Config Lock and adding a descriptionTaking a Config Lock and adding a description

Anyone trying to change the configuration will be greeted by this error message:

Operation Failed: Configuration is LockedOperation Failed: Configuration is Locked

When needed, a lock can be removed by the administrator who acquired the lock, or a superuser.


Removing the Config and Commit LocksRemoving the Config and Commit Locks


This blurb is based on a discussiojn I had with @jdprovine the other day where the recommendation had been made to enable automatic Commit Lock, but the functionality had not been explained. I hope this blog post helps other admins make their life a little easier and safe from stepping on each others' toes 🙂 


The original discussion can be followed here: autolock


Reaper out!

Register or Sign-in
About the Author
I drink and I know things
Top Liked Authors