Commit only a specific set of config changes?


L1 Bithead

Hi,

Is there any way to commit just a specific set of commands to the Palo without committing all changes that are pending? I have an in-house written piece of software that is going to make content filtering changes to my Palos via the XML API. My concern is that if the software runs a commit and someone else has been working on the Palo config, it will commit both sets of changes. I am wondering if it's possible to just commit specific changes without having to overwrite the whole config. Could a Panorama template or something be used?

Thanks,

Gareth

4 REPLIES 4

L7 Applicator

While not exactly what you may be looking for, taking a config/commit lock will help prevent such situations where one admin may accidentally commit/overwrite another admin's changes.

More information on this is available under the "Locking Transactions" section on page 26 of the PAN-OS 5.0 Admin Guide.

Also, your software can request a lock as well. E.g., to take a commit lock using the API:

/api/?type=op&cmd=<request><commit-lock></commit-lock></request>

Hope this helps.
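
The lock-then-commit sequence suggested in the reply above, as an added example that is not part of the original post or Palo Alto Networks code. The `<add>`, `<comment>` and `<remove>` child elements, the `send` transport and the `apply_changes` callback are assumptions; the thread shows only the outer `<request><commit-lock>` elements.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Assumption: the <add>/<comment> and <remove> children mirror the CLI
# "request commit-lock add|remove"; the thread shows only the outer elements.
LOCK_ADD = "<request><commit-lock><add><comment>{}</comment></add></commit-lock></request>"
LOCK_REMOVE = "<request><commit-lock><remove></remove></commit-lock></request>"
COMMIT = "<commit></commit>"


def api_query(req_type, cmd, key):
    """Build the /api/ path; urlencode keeps '<' and '>' out of the raw URL."""
    return "/api/?" + urlencode({"type": req_type, "cmd": cmd, "key": key})


def succeeded(response_xml):
    """PAN-OS XML API replies carry status="success" or "error" on the root."""
    return ET.fromstring(response_xml).get("status") == "success"


def locked_commit(send, key, apply_changes, comment="content-filter-sync"):
    """Take the commit lock, apply changes, commit, and always release the lock.

    send: hypothetical transport callable (path+query -> response XML string).
    apply_changes: hypothetical callable that makes the script's config edits.
    """
    if not succeeded(send(api_query("op", LOCK_ADD.format(comment), key))):
        return "lock-unavailable"  # someone else holds a lock: change nothing
    try:
        apply_changes(send)
        reply = send(api_query("commit", COMMIT, key))
        return "commit-queued" if succeeded(reply) else "commit-failed"
    finally:
        # Release on every path so a failed run never leaves the lock in place.
        send(api_query("op", LOCK_REMOVE, key))


if __name__ == "__main__":
    # Constructed stand-in for the firewall: prints each request, reports success.
    def fake_send(path):
        print(path)
        return '<response status="success"></response>'

    print(locked_commit(fake_send, "EXAMPLE-KEY", lambda send: None))
```

A successful commit reply only means the commit job was queued, so a real caller would still check the job's outcome before treating the change as live.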

L5 Sessionator

Hi Gareth,

You could try out the partial commit feature, but all it does is commit the specified parts of the candidate config to the running config:

Syntax

commit {force}
{
  partial device-and-network excluded |
  partial shared-object excluded |
  partial vsys <value> |
  partial no-vsys
}

Options

> force — Forces the commit command in the event of a conflict

> partial — Commits the specified part of the configuration

+ device-and-network — Excludes device and network configurations from the commit (configurations under config/mgt-config, config/devices/platform, config/devices/deviceconfig, and config/devices/network)

+ shared-object — Excludes shared object configurations from the commit (configurations under config/shared; also excludes config/devices/vsys if in single vsys mode)

+ vsys — Commits only the specified virtual system configurations



Or, if you want to selectively push some part of the configuration, you can save the candidate configuration, and then copy the set commands of the candidate config:

> set cli config-output-format set

> show config diff


Copy all these set commands to a notepad. Revert the config to the running config, and go into configuration mode:

> configure

#

And now paste the selected configuration on the CLI, and commit the changes.




The last option is to use commit locks, so that other users may not commit the changes, unless the lock is taken away.



Best regards,

Karthik

L4 Transporter

You could use Panorama and the script to alter the associated Security Profiles (e.g. Vuln protection, URL filtering). When doing the DG commit you could uncheck the "Merge with Device Candidate Config" option to avoid including any changes on the local device during the config push.

This will have the same issue though if changes are being made in a Panorama DG since all config in the device group will be pushed.

L1 Bithead

Thanks to everyone for their suggestions. I'll see if I can get a trial version of the Panorama software and have a look at the suggestions.
