Demystifying Selective Push on Panorama


What is Selective Push?

Selective Push on Panorama lets you deploy specific configuration to your firewalls instead of pushing everything all at once.

 

Terminology

  • Push Scope: The final admin view of committed changes with an option to select the changes that will be pushed to the selected target firewalls.
  • Config Audit Window: This window is the number of config versions saved for audit on Panorama. This is configurable and the default value is 100.
  • Full Push: This refers to the pushing of all currently committed changes on Panorama to the selected target firewalls.

 

Why Selective Push is Needed: Key Use Cases

  1. Granular Control Over Multi-User Changes
    Multiple admins often work on Panorama simultaneously. In such cases, admins may need to selectively push only their own changes rather than all the currently committed changes.
  2. Handling Urgent, Time-Sensitive Changes
    With Full Push, urgent and time-sensitive changes cannot be pushed on their own to the targets when other committed changes are pending in Panorama.
  3. Traceability of pushed changes at an admin level
    For audit purposes, there is a need to keep track of the admins as well as the changes that they are pushing from Panorama to the managed firewalls.

 

Feature Highlights: What Selective Push Enables

Admins can now choose the changes that they would like to push to the target devices. The Push scope is updated automatically based on the option the user selects:

  1. Push All Changes: Available only if the user is a Superadmin, this option pushes all currently committed changes to the target firewalls. It is the equivalent of the legacy Full Push feature.

  2. Push Changes Made by: This option is the Selective Push feature. Available to any admin, it lets the admin choose, for push, the changes made by selected admins.
    • Which admins’ changes you are allowed to push depends on your admin access role and domain.
    • Based on the admins selected, the Push scope is updated automatically.
    • You can also choose the specific changes to be pushed.


 

How it works

Once the admin selects the changes to be pushed (using the “Push Changes made by” option) and the target firewalls to which the changes will be pushed, and clicks “Push”, Panorama performs the following operations:

  1. Checks the selected targets for the Push operation and registers their last in-sync config version. If there are multiple firewalls in the Targets, it will take the lowest in-sync version from the list.
  2. Checks the Config Audit Window for the config version matching the lowest in-sync version from the target firewalls. If a matching config version is not found within the window, the Selective Push operation fails with the error “Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push.”
    1. If the operation fails at this point, identify the managed firewalls whose config versions are outside the Config Audit Window and perform a Full Push to those firewalls.
    2. If you need to push the changes urgently, remove the firewalls with config versions outside the Config Audit Window from the Targets and try the Selective Push once again.
  3. Once the matching config version is fetched, Panorama collects all applicable changes from that version up to the latest running config version on Panorama and prepares the configuration to be pushed to the target firewalls.
  4. Once the config set to be pushed is prepared, the regular Push cycle commences: config transformations based on the target PAN-OS versions, Push to the firewalls and Commit on the firewalls.
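As an added illustration (not code from this article or from Palo Alto Networks), here is a small Python model of the eligibility check in steps 1 and 2: given Panorama's running config version, the Config Audit Window size and each target's last in-sync version, it reports which targets would make the Selective Push fail and therefore need a Full Push, flags targets that are close to dropping out of the window, and returns the lowest in-sync version the diff would start from. It assumes config versions are consecutive integers and that the window retains the most recent N versions; the target names and versions are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the Selective Push eligibility check; version numbering
# is assumed to be a simple increasing integer per Panorama commit.

@dataclass
class Target:
    name: str
    in_sync_version: Optional[int]  # last in-sync config version; None = never pushed

@dataclass
class PushPlan:
    base_version: Optional[int] = None   # lowest in-sync version among eligible targets
    eligible: List[str] = field(default_factory=list)
    needs_full_push: List[str] = field(default_factory=list)
    near_window_edge: List[str] = field(default_factory=list)

class SelectivePushError(Exception):
    pass

def oldest_retained_version(running_version: int, audit_window: int) -> int:
    # Assumption: the window keeps the last `audit_window` versions, so the
    # oldest version still available for comparison is running - window + 1.
    return max(1, running_version - audit_window + 1)

def plan_selective_push(running_version: int, audit_window: int,
                        targets: List[Target], margin: int = 10) -> PushPlan:
    floor = oldest_retained_version(running_version, audit_window)
    plan = PushPlan()
    for t in targets:
        if t.in_sync_version is None or t.in_sync_version < floor:
            plan.needs_full_push.append(t.name)   # step 2 failure case
            continue
        plan.eligible.append(t.name)
        if t.in_sync_version - floor < margin:     # drifting toward the edge
            plan.near_window_edge.append(t.name)
    versions = [t.in_sync_version for t in targets if t.name in plan.eligible]
    plan.base_version = min(versions) if versions else None   # step 1
    return plan

def selective_push_base(running_version: int, audit_window: int,
                        targets: List[Target]) -> int:
    """Version to diff from, or an error as Panorama raises when any target's
    in-sync version cannot be retrieved from the Config Audit Window."""
    plan = plan_selective_push(running_version, audit_window, targets)
    if plan.needs_full_push:
        raise SelectivePushError(
            f"no in-sync version within the window for {plan.needs_full_push}; "
            "remove them from Targets or run a Full Push to them")
    return plan.base_version
```

Run `plan_selective_push` before pushing to see which targets to drop from the Targets list, and `selective_push_base` to reproduce the fail-fast behaviour described in step 2.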

 

Technical Considerations

  1. There are scenarios where Selective Push is not supported and a Full Push must be performed instead:
    1. A managed firewall is newly onboarded to Panorama
    2. Template variables are imported via CSV.
    3. Security policies are moved across Device Groups.
    4. Templates, Template Stacks or Device Groups are renamed or moved in the hierarchy.
    5. Panorama HA failover is performed.
    6. The config versions on the managed firewalls are outside of the Config Audit Window.
    7. A configuration is loaded partially or fully into Panorama.
    8. The Master Key has been changed for managed firewalls.
    9. Before a managed firewall is upgraded or downgraded to a version that supports Selective Push.
    10. A Device configuration is imported into Panorama.
    11. In some cases, when a config change and push must be performed from the Passive peer of a Panorama HA pair, a Full Push is required as well.
  2. Config Audit Window or Number of Allowed Versions for Config Audit is the number of configuration versions to save before discarding the oldest ones (default is 100). This setting can be found under Panorama > Setup > Management > Logging and Reporting Setting.
    1. The Selective Push feature leverages this setting to compare committed changes and prepare the final config set to be pushed.
    2. If any of the selected target firewalls have a config version that is outside of this window, the feature is unable to fetch the config version for comparison and hence, the Selective Push operation fails.
  3. Devices out-of-sync even after successful push
    1. When only specific changes from the Push scope are pushed to managed firewalls, the Shared Policy status and Template status can still be Out-of-sync.
    2. This is because there are still committed changes in the Device Group and/or Template managing the firewall that have not yet been pushed.
    3. The Last Commit Status will be Successful because the Selective Push operation was successful.
  4. Selective Push fails even though firewalls are In Sync with Shared Policy and Templates.
    1. Sometimes, we might be committing and pushing changes only to some of the Device Groups and/or Templates.
    2. This widens the gap between the config version on the firewalls and the Panorama config version for Device Groups and/or Templates that have not seen any changes, even though these firewalls are In Sync with their respective Device Groups and Templates.
    3. A Full Push in such cases simply synchronizes the config versions on the firewalls with the Panorama config version.
  5. Performance implications
    1. When multiple users are performing Selective Push, it may lead to an increase in the number of committed but unpushed changes. For example:
      1. Admins making changes at a Device Group level and pushing to only a subset of the devices associated with the Device Group.
      2. Admins making changes at the Shared level impacting all the devices, but pushing to only a subset of the devices or Device Groups.
    2. This affects performance because populating the Push scope in the Panorama GUI takes more effort.
  6. Using the “Commit + Push” operation instead of Separate Commit and Push operations
    1. A “Commit + Push” operation creates two separate jobs on Panorama, respectively for Commit and Push. Both jobs should be tracked on the Task Manager for Success.
    2. A “Commit + Push” operation always performs a Selective Push.
    3. When “Commit + Push” is used from the WebUI, the Push scope is not updated automatically for shared objects.
    4. Frequent “Commit + Push” operations can lead to longer commit and push times for subsequent operations because of post-commit validations.

 

Best Practices

  1. Avoid Excessive Micro-Pushes
    A micro-push is a push operation whose targets consist of a single firewall or a small subset of the total number of firewalls managed by Panorama. While Selective Push is powerful, overusing it can lead to config versions dropping out of the Config Audit Window. Balance selective pushes with periodic full pushes.
  2. Remove or “Relocate” Disconnected Firewalls
    Disconnected firewalls are likely to have a config version outside the Config Audit Window. Considering that they can also be selected as Targets automatically with Device Group or Template level pushes, it is good practice to remove firewalls that are disconnected from under Panorama > Managed Devices. This helps to clean up as well as avoid unnecessary failures. If you do not want to remove the disconnected firewalls from Panorama, move them to a dummy Device Group and Template with no configuration and ensure that they are not selected as targets for Push operations.
  3. Design your Device Group and Template Hierarchy wisely
    Leverage the Device Group and Template Hierarchy to distribute the managed firewalls according to configuration and usage. Sharing configuration hierarchically, as well as pushing configuration to larger sets of firewalls, will help keep the config versions within the Config Audit Window and improve performance as well.
  4. Monitor Configuration version drift with the Config Audit Window
    Keep track of the Panorama running config version as compared to the In Sync version on the managed firewalls. Run a Full Push on firewalls whose config versions are near the edge of the Config Audit Window before they cross the threshold. This can be automated using APIs.
  5. Commit and Push Strategically
    Especially in environments with many concurrent users, adopt a Commit and Push strategy that keeps all managed firewalls mostly, if not always, In Sync with Panorama.
  6. Always Preview Before Push
    Always review the Push scope to check exactly what will be pushed; this helps catch unintended changes early.

 

Conclusion

Selective Push in Panorama enables precise control over who pushes the changes and to where, and empowers teams to deploy changes more safely, flexibly, and in alignment with operational priorities. Whether it’s separating policy and infrastructure updates, handling urgent fixes, or supporting multi-admin environments, Selective Push minimizes risk while maximizing control. To make the most of this feature, incorporate it into your change management workflows, enforce clear commit and push practices, and ensure all stakeholders understand its limitations and its benefits.


Last Updated: 07-11-2025 03:52 AM