How to monitor pending commits

mcain@Shamrock
L1 Bithead

I'm looking for a way to externally check that there are no policy commits pending.

Is there an SNMP OID signalling a commit is pending?

Or, is there an SSH CLI command that shows a commit is pending?

I'm running a PA-3020 with PANOS 5.0.15.


Accepted Solutions
mcain@Shamrock
L1 Bithead

This 'show config diff' method may get me what I want to know.  I'm not interested in the specific details of the candidate changes.  I just want to know if there exist candidate changes waiting to be applied.  I'll have my network monitoring system check every couple hours and raise a warning if changes are waiting that haven't been committed.

'show config diff | match @@' may be what I need.

After a change but before commit:

admin@PN3020> show config diff | match @@

@@ -4156,7 +4156,7 @@

@@ -4174,6 +4174,14 @@

@@ -4253,7 +4261,7 @@

@@ -4271,6 +4279,14 @@

@@ -4424,33 +4440,6 @@

admin@PN3020>


After the commit:

admin@PN3020> show config diff | match @@

admin@PN3020>

mcain@Shamrock
L1 Bithead

This works and solved my problem!

My network monitoring system (Ipswitch WhatsUp Gold) is running an EXPECT script that logs in via SSH and runs the show config diff | match @@ command.

If there is no output, there are no pending changes.

If there is any output, there are changes waiting to be committed, and I need to be notified.

This is going to help me and my staff make sure we're following through.

Thanks for the advice everyone!
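
The check described in the post above, as an added example that is not part of the original thread or the poster's EXPECT script: it parses the text captured from the SSH session and reports "clean" only when the command was echoed and the prompt came back, so a failed login or dropped session is never mistaken for "no pending changes". The function name, the Nagios-style state numbers and the FAILED sample are assumptions made for this example.

```python
import re

# Hunk header printed by `show config diff`, e.g. "@@ -4156,7 +4156,7 @@"
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")
# Operational-mode prompt as shown in the thread, e.g. "admin@PN3020>"
PROMPT = re.compile(r"^\S+@\S+>\s*(.*)$")
COMMAND = "show config diff | match @@"
OK, WARNING, UNKNOWN = 0, 1, 3  # Nagios-style states (assumed convention)

def check_pending(transcript):
    """Return (state, hunk_count) for one captured CLI session."""
    hunks = unexpected = 0
    in_output = completed = False
    for line in (raw.strip() for raw in transcript.splitlines()):
        if not line:
            continue
        prompt = PROMPT.match(line)
        if prompt:
            if prompt.group(1).strip() == COMMAND:
                in_output, completed = True, False   # command was echoed
                hunks = unexpected = 0
            elif in_output:
                in_output, completed = False, True   # prompt came back
        elif in_output:
            if HUNK.match(line):
                hunks += 1
            else:
                unexpected += 1                      # error text, not a diff
    if not completed:
        return UNKNOWN, 0    # login failed or session died: not "clean"
    if hunks:
        return WARNING, hunks
    return (UNKNOWN, 0) if unexpected else (OK, 0)

# Transcripts copied from the thread; FAILED is constructed for this example.
BEFORE_COMMIT = """admin@PN3020> show config diff | match @@
@@ -4156,7 +4156,7 @@
@@ -4174,6 +4174,14 @@
@@ -4253,7 +4261,7 @@
@@ -4271,6 +4279,14 @@
@@ -4424,33 +4440,6 @@
admin@PN3020>"""
AFTER_COMMIT = "admin@PN3020> show config diff | match @@\n\nadmin@PN3020>"
FAILED = "ssh: connect to host 192.0.2.10 port 22: Connection timed out"

if __name__ == "__main__":
    for name, text in [("before", BEFORE_COMMIT), ("after", AFTER_COMMIT), ("failed", FAILED)]:
        print(name, check_pending(text))
```

Feed it the full session text your monitoring system captures and map the returned state to that system's own alert levels.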



All Replies
kattaullah
L3 Networker

Hello Mcain

From the CLI you can use the below command to see the pending commits

> show jobs pending

Enqueued ID Type Status Result Completed

--------------------------------------------------------------------------

To check the commit jobs that were processed, use the below command. The output is from one of my local devices.

> show jobs processed

Enqueued                     ID             Type    Status Result Completed

--------------------------------------------------------------------------

2015/02/03 10:19:33        9904         WildFire       FIN     OK 10:19:40

2015/02/03 10:19:26        9903          Install       FIN     OK 10:19:33

2015/02/03 10:18:24        9902           Downld       FIN     OK 10:19:26

2015/02/03 10:04:20        9900         WildFire       FIN     OK 10:04:25

2015/02/03 10:04:13        9899          Install       FIN     OK 10:04:20

2015/02/03 10:03:35        9898           Downld       FIN     OK 10:04:10

2015/02/03 09:49:35        9896         WildFire       FIN     OK 09:49:41

2015/02/03 09:49:28        9895          Install       FIN     OK 09:49:35

2015/02/03 09:48:24        9894           Downld       FIN     OK 09:49:28

2015/02/03 09:34:27        9892         WildFire       FIN     OK 09:34:33

2015/02/03 09:34:21        9891          Install       FIN     OK 09:34:27

Hope that helps!

Note: Please mark any helpful or correct answers.

Regards

Khan

HULK
L7 Applicator

Add to it:

In case of a commit pending or failure, you may also see detailed information about the failure reason.

> show jobs all

Enqueued                     ID             Type    Status Result Completed

--------------------------------------------------------------------------

2015/02/03 10:34:24        1900         WildFire       FIN     OK 10:34:28

2015/02/03 10:34:20        1899          Install       FIN     OK 10:34:24

admin@34-PA-3020> show jobs id 1900

Enqueued                     ID             Type    Status Result Completed

--------------------------------------------------------------------------

2015/02/03 10:34:24        1900         WildFire       FIN     OK 10:34:28

Warnings:

Details:Configuration committed successfully

Successfully committed last configuration

Thanks

HULK

ssharma
L5 Sessionator

Hi,

The command you are looking for is "> show config diff"; this will show you all the configs that are modified but are not committed yet.

admin@PA> show config diff

<no changes made, so blank output>

Then added an address group called test_3 along with other changes.

admin@PA> show config diff

@@ -3447,6 +3447,9 @@

             v6-WINSRVR {

               ip-netmask fc00:2:6::242;

             }

+            test_3 {

+              ip-netmask 3.3.3.3;

+            }

           }

           application-filter {

             file-sharing {

Hope this helps. Thank you.

mcain@Shamrock
L1 Bithead

Thanks for the 'show jobs' suggestion, however, that didn't seem to work.  I made a small policy configuration change, and the "Commit" button enabled in the top right of the web UI, but the 'show jobs pending' is empty.

HULK
L7 Applicator

When you applied the commit button, did it successfully commit the changes?

Thanks

ssharma
L5 Sessionator

You will have to run the following command to view changes:

admin@PA> show config diff

HULK
L7 Applicator

Follow these steps to see the uncommitted changes from the GUI:

Config-diff.JPG

Config-diff-1.JPG

Thanks
