Tips & Tricks: Commit & Config Locks

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Last Reviewed: 08-09-2023 10:18 AM
Audited By: emgarcia
Community Team Member
100% helpful (1/1)

Palo Alto Networks' Commit and Config Locks are important features that help ensure the integrity of network configurations and prevent unauthorized changes.


The Commit operation, in Palo Alto Networks devices, is the process of applying configuration changes made to the device to the running configuration. It is an essential step in the configuration process, as it allows the changes to take effect and be enforced. Before committing configuration changes, administrators can preview the changes and validate them to ensure that they are accurate and won't cause any disruption to the network.


Once the Commit operation is executed, the changes are written to the device's configuration and are applied to the running configuration. The configuration changes are then saved to the device's non-volatile memory, making them permanent.


In a team where multiple admins are responsible for the same systems, one always needs to coordinate config changes to prevent someone from pushing out or committing a change while someone else is still making changes, potentially committing an invalid or horribly wrong configuration.


To help prevent these kinds of conflicts, two kinds of locks are available to administrators: Commit Locks and Config Locks


As the name implies, a Commit Lock will prevent other admins from committing anything to the firewall until the lock has been released. This lock can be configured to be automatically acquired as soon as one administrator makes a change:




If one administrator makes a change and a second admin logs on and changes something, then tries to commit, they will be presented with a message saying that other administrators are holding a commit lock.


The lock needs to be cleared by the first administrator committing his configuration or relinquishing his lock to the second admin.


A lock can also be set manually, by clicking the little lock icon in the upper right-hand corner and selecting the type of lock:




Config Locks are a feature in Palo Alto Networks devices that prevent multiple administrators from making changes to the device's configuration at the same time. This feature is important in environments where multiple administrators may be working on the same device simultaneously, as it prevents conflicting changes that could cause disruptions or security vulnerabilities.


When a Config Lock is applied, only the administrator who holds the lock can make configuration changes to the device. This prevents other administrators from making changes that could conflict with the changes being made by the locked administrator.


You can also add a short description of what you are doing to notify other administrators of your activities.





Config Locks are also helpful in preventing unauthorized changes to the device's configuration. If an unauthorized user attempts to make changes to a device that is currently locked, the device will reject the changes, and an alert can be generated to notify administrators of the attempted change.  Anyone trying to change the configuration will be greeted with an error message saying the "Configuration is locked".


If required, a lock can be removed by the administrator who acquired the lock, or a superuser.




By combining the Commit and Config Lock features, Palo Alto Networks devices can ensure that configuration changes are made securely and with minimal disruption to the network. Before committing any changes, administrators can preview the changes and validate them to ensure they are correct.


This combination of features helps ensure the integrity of network configurations and prevents unauthorized changes.


Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎05-09-2023 11:14 PM
Updated by: