LIVEcommunity discussion of the function of Auto-commit in PAN-OS
So, let's talk about auto-commit—what it is, how to check on its status, and why it's beneficial to your NGFW.
What Is Auto-Commit? And Why Is It Needed?
In PAN-OS, the device has a Management Plane (used to manage the device) and a Data Plane (which controls the hardware and interfaces and is where the policy is stored). When you power on any Palo Alto Networks NGFW (Next-Generation Firewall), whether VM-Series or hardware, the device does not yet have any policy rules running on the Data Plane (DP). This also means that the interfaces are not enabled.
Auto-commit is a function of PAN-OS that enables the interfaces and the ability to load a policy onto the device's DP, allowing traffic to pass through and thus enabling the firewall. It's a background process that takes about five to 15 minutes, depending on the complexity of the configuration. The firewall can be accessed from the management interface (Panorama) during that time, but the DP and physical interfaces will be down.
How do you check on auto-commit?
If you are unsure what the status of the auto-commit is, you can check it via the command line or via the WebGUI.
Via the CLI, you can check the status of the auto-commit job with the following command and look for the AutoCom job. When the output shows Type AutoCom with a status of FIN, the process is complete.
In the WebGUI, clicking "Tasks" at the bottom of the window opens a "Task Manager" pop-up that shows the status of all tasks. The Auto Commit task appears there, along with its status and whether it is complete.
Task Manager inside of the PAN-OS WebGUI showing the Auto Commit status.
Important Note: During the auto-commit process, it is important not to restart the appliance and not to commit changes. If changes need to be applied, wait for the auto-commit to complete first. Applying changes while the auto-commit job is running might cause problems.
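The CLI check and the Important Note above can be combined into a gate that an automation script runs before pushing changes. This is an added example, not code from the original post or from Palo Alto Networks; it assumes the job table comes from the PAN-OS `show jobs all` operational command, and the column layout, the ACT/PEND status values, the OK/FAIL result values and the sample tables are constructed assumptions.

```python
"""Gate configuration pushes on the PAN-OS auto-commit job (added example)."""
import re

# A job row starts with the enqueue date; the job type is the word just before
# the status column. Column layout and the ACT/PEND/OK values are assumptions;
# the page itself only names Type "AutoCom" and Status "FIN".
ROW = re.compile(
    r"^\d{4}/\d{2}/\d{2}\s.*?\s(?P<id>\d+)\s+(?:\d+\s+)?"
    r"(?P<type>[A-Za-z][\w-]*)\s+(?P<status>ACT|FIN|PEND)\s+(?P<result>\S+)"
)

def parse_jobs(table: str) -> list:
    """Return one dict per job row; headers, rulers and blank lines are skipped."""
    jobs = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            jobs.append({**m.groupdict(), "id": int(m["id"])})
    return jobs

def autocommit_state(table: str) -> str:
    """Classify the most recent AutoCom job: missing, running, failed or done."""
    auto = [j for j in parse_jobs(table) if j["type"] == "AutoCom"]
    if not auto:
        return "missing"          # job not queued yet: treat as not ready
    job = max(auto, key=lambda j: j["id"])
    if job["status"] != "FIN":
        return "running"          # do not commit or reboot in this state
    return "done" if job["result"] == "OK" else "failed"

def safe_to_commit(table: str) -> bool:
    """Only allow a commit once auto-commit has finished successfully."""
    return autocommit_state(table) == "done"

# Constructed sample tables (not captured from a real firewall).
HEADER = "Enqueued              Dequeued     ID   Type      Status Result Completed\n" + "-" * 74 + "\n"
BOOTING = HEADER + "2024/01/10 09:00:12   09:00:12      1   AutoCom   ACT    PEND   45%\n"
READY = HEADER + (
    "2024/01/10 09:20:03   09:20:03      2   Commit    FIN    OK     09:21:40\n"
    "2024/01/10 09:00:12   09:00:12      1   AutoCom   FIN    OK     09:11:57\n"
)
FAILED = HEADER + "2024/01/10 09:00:12   09:00:12      1   AutoCom   FIN    FAIL   09:03:10\n"

if __name__ == "__main__":
    for name, table in [("booting", BOOTING), ("ready", READY), ("failed", FAILED), ("empty", HEADER)]:
        print(f"{name:8} state={autocommit_state(table):8} safe_to_commit={safe_to_commit(table)}")
```

A table with no AutoCom row is treated as not ready, so a check that runs before the job is queued does not let a commit through.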