How to monitor pending commits

mcain@Shamrock · ‎02-03-2015

I'm looking for a way to externally check that there are no policy commits pending.

Is there an SNMP OID signalling a commit is pending?

Or, is there a SSH CLI command that shows a commit is pending?

I'm running a PA-3020 with PANOS 5.0.15.

mcain@Shamrock · ‎02-03-2015

This 'show config diff' method may get me what I want to know. I'm not interested in the specific details of the candidate changes. I just want to know if there exist candidate changes waiting to be applied. I'll have my network monitoring system check every couple hours and raise a warning if changes are waiting that haven't been committed.

'show config diff | match @@' may be what I need.

After a change but before commit:

admin@PN3020> show config diff | match @@
@@ -4156,7 +4156,7 @@
@@ -4174,6 +4174,14 @@
@@ -4253,7 +4261,7 @@
@@ -4271,6 +4279,14 @@
@@ -4424,33 +4440,6 @@
admin@PN3020>

After the commit:

admin@PN3020> show config diff | match @@
admin@PN3020>

View solution in original post

mcain@Shamrock · ‎02-03-2015

This works and solved my problem!

My network monitoring system (Ipswitch WhatsUp Gold) is running an EXPECT script that logs in via SSH and runs the show config diff | match @@ command.

If there is no output, there are no pending changes.

If there is any output, there are changes waiting to be committed, and I need to be notified.

This is going to help me and my staff make sure we're following through.

Thanks for the advice everyone! :smileygrin:

View solution in original post

kattaullah · ‎02-03-2015

Hello Mcain

From the CLI you can use the below command to see the pending commits

> show jobs pending

Enqueued ID Type Status Result Completed

--------------------------------------------------------------------------

To check the commit jobs that were processed use the below command. The output is from one of my local device

> show jobs processed

Enqueued ID Type Status Result Completed

--------------------------------------------------------------------------

2015/02/03 10:19:33 9904 WildFire FIN OK 10:19:40

2015/02/03 10:19:26 9903 Install FIN OK 10:19:33

2015/02/03 10:18:24 9902 Downld FIN OK 10:19:26

2015/02/03 10:04:20 9900 WildFire FIN OK 10:04:25

2015/02/03 10:04:13 9899 Install FIN OK 10:04:20

2015/02/03 10:03:35 9898 Downld FIN OK 10:04:10

2015/02/03 09:49:35 9896 WildFire FIN OK 09:49:41

2015/02/03 09:49:28 9895 Install FIN OK 09:49:35

2015/02/03 09:48:24 9894 Downld FIN OK 09:49:28

2015/02/03 09:34:27 9892 WildFire FIN OK 09:34:33

2015/02/03 09:34:21 9891 Install FIN OK 09:34:27

Hope that helps!

Note: Please mark any helpful or correct answers.

Regards

Khan

HULK · ‎02-03-2015

Add to it:

In case of a commit pending or failure, you may also see detail information about the failure reason.

> show jobs all

Enqueued ID Type Status Result Completed

--------------------------------------------------------------------------

2015/02/03 10:34:24 1900 WildFire FIN OK 10:34:28

2015/02/03 10:34:20 1899 Install FIN OK 10:34:24

admin@34-PA-3020> show jobs id 1900

Enqueued ID Type Status Result Completed

--------------------------------------------------------------------------

2015/02/03 10:34:24 1900 WildFire FIN OK 10:34:28

Warnings:

Details:Configuration committed successfully

Successfully committed last configuration

Thanks

HULK

ssharma · ‎02-03-2015

Hi,

Command you are looking for is "> show config diff" ; this will show you all the configs that are modified but are not committed yet.

admin@PA> show config diff

Then added a address group called test_3 along with other changes.

admin@PA> show config diff

@@ -3447,6 +3447,9 @@

v6-WINSRVR {

ip-netmask fc00:2:6::242;

}

+ test_3 {

+ ip-netmask 3.3.3.3;

+ }

}

application-filter {

file-sharing {

Hope this helps. Thank you.

mcain@Shamrock · ‎02-03-2015

Thanks for the 'show jobs' suggestion, however, that didn't seem to work. I made a small policy configuration change, and the "Commit" button enabled in the top right of the web UI, but the 'show jobs pending' is empty.

HULK · ‎02-03-2015

When you have applied the commit button, it was successfully commitedthe changes..?

Thanks

ssharma · ‎02-03-2015

You will have to run following command to view changes :

admin@PA> show config diff

HULK · ‎02-03-2015

Follow these steps to see theuncommited changes from GUI:

Thanks

mcain@Shamrock · ‎02-03-2015

This 'show config diff' method may get me what I want to know. I'm not interested in the specific details of the candidate changes. I just want to know if there exist candidate changes waiting to be applied. I'll have my network monitoring system check every couple hours and raise a warning if changes are waiting that haven't been committed.

'show config diff | match @@' may be what I need.

After a change but before commit:

admin@PN3020> show config diff | match @@
@@ -4156,7 +4156,7 @@
@@ -4174,6 +4174,14 @@
@@ -4253,7 +4261,7 @@
@@ -4271,6 +4279,14 @@
@@ -4424,33 +4440,6 @@
admin@PN3020>

After the commit:

admin@PN3020> show config diff | match @@
admin@PN3020>

mcain@Shamrock · ‎02-03-2015

This works and solved my problem!

My network monitoring system (Ipswitch WhatsUp Gold) is running an EXPECT script that logs in via SSH and runs the show config diff | match @@ command.

If there is no output, there are no pending changes.

If there is any output, there are changes waiting to be committed, and I need to be notified.

This is going to help me and my staff make sure we're following through.

Thanks for the advice everyone! :smileygrin:

Unlock your full community experience!

How to monitor pending commits

How to monitor pending commits

Show your appreciation!