In this week's Discussion of the Week (DOTW), I want to call attention to a discussion that user @sngwpark posted about the function of auto-commit in PAN-OS.
So, let's talk about auto-commit—what it is, how to check on its status, and why it's beneficial to your NGFW.
In PAN-OS, the hardware has a Management Plane (used to manage the device) and a Data Plane (which controls the hardware and interfaces and is where the policy is stored). When you power on any Palo Alto Networks NGFW (Next-Generation Firewall), whether VM-Series or hardware, the device does not have any policy rules running on the Data Plane (DP). This also means that interfaces are not enabled.
Auto-commit is a function of PAN-OS that enables interfaces and the ability to load a policy onto the device DP, allowing traffic to pass through and thus enabling the firewall. It's a background feature that lasts about five to 15 minutes, depending on the complexity of the configuration. The firewall can be accessed from the management interface (Panorama) during that time, but the DP and physical interfaces will be down.
If you are unsure of the status of the auto-commit, you can check it via the command line or via the WebGUI.
Via the CLI, you can check the status of the auto-commit job with the following command; look for the AutoCom job in the output. When the output shows Type AutoCom with a status of FIN, the process is complete.
```
> show jobs processed
Enqueued   ID   Type      Status   Result   Completed
-----------------------------------------------------
02:52:14   1    AutoCom   ACT      PEND     50%

> show jobs processed
Enqueued   ID   Type      Status   Result   Completed
-----------------------------------------------------
02:52:14   1    AutoCom   FIN      OK       02:53:20
```
In the WebGUI, click "Tasks" at the bottom of the window. A "Task Manager" window pops up showing the status of all tasks, including the Auto Commit job, so you can see whether it is complete.
Important Note: During the auto-commit process, it is important not to restart the appliance and not to commit changes. If changes need to be applied, wait for the auto-commit to complete first. Applying changes while the auto-commit job is running might cause problems.
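To enforce that note in a change script, here is an added example (not code from the original post or from Palo Alto Networks) that parses captured `show jobs processed` text and blocks a commit unless the AutoCom job is finished. It assumes the six-column layout shown above; the function names are hypothetical, the sample text is constructed, and requiring Result OK in addition to Status FIN is this example's own stricter choice.

```python
import re

# Constructed sample captures, using the column layout shown in the post.
HEADER = "Enqueued ID Type Status Result Completed\n" + "-" * 53 + "\n"
SAMPLE_RUNNING = "> show jobs processed\n" + HEADER + "02:52:14 1 AutoCom ACT PEND 50%\n"
SAMPLE_DONE = "> show jobs processed\n" + HEADER + "02:52:14 1 AutoCom FIN OK 02:53:20\n"

# One job row: six whitespace-separated fields, with a numeric ID second.
# Prompt, header and separator lines do not match and are skipped.
ROW = re.compile(
    r"^\s*(?P<enqueued>\S+)\s+(?P<id>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<result>\S+)\s+(?P<completed>\S+)\s*$"
)

def parse_jobs(text):
    """Return one dict per job row found in the captured CLI text."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def autocommit_state(text):
    """Classify the AutoCom job as 'ready', 'running', 'not-ok' or 'unknown'."""
    rows = [j for j in parse_jobs(text) if j["type"] == "AutoCom"]
    if not rows:
        # No AutoCom row parsed (empty capture or a different layout).
        return "unknown"
    job = max(rows, key=lambda j: int(j["id"]))  # newest AutoCom job
    if job["status"] != "FIN":
        return "running"
    # Assumption of this example: only Result OK counts as ready.
    return "ready" if job["result"] == "OK" else "not-ok"

def safe_to_commit(text):
    """Fail closed: anything other than FIN/OK blocks the change."""
    return autocommit_state(text) == "ready"

if __name__ == "__main__":
    for name, capture in (("running", SAMPLE_RUNNING), ("done", SAMPLE_DONE)):
        print(name, autocommit_state(capture), safe_to_commit(capture))
```

Because an unparsed or missing AutoCom row returns "unknown", a layout the pattern does not recognize holds the change back instead of letting it through.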
You can read the full discussion here: "What Is the Function of Autocommit in PAN-OS?"
I hope you learned something from this! Keep visiting us at LIVEcommunity for new weekly DOTWs and Tips & Tricks. Got a suggestion or idea? Let us know in the comments below!
Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumb up) button, and don't forget to subscribe to the LIVEcommunity Blog area.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Joe Delio
End of line