Panorama Commits--what actually happens when I commit to a device-group?

L2 Linker

What happens when I push a policy from Panorama to a device-group firewall?  Does Panorama always push the entire configuration file, or does it first perform a 'diff,' and only push the changes?  If it performs a diff, what is the underlying mechanism it uses to track the changes?  Is it some sort of table of rule hashes, etc?  It seems pretty silly to push an entire config if only a single line changes.

Accepted Solutions
L4 Transporter

The entire config is pushed during the commit and not just the changes.


All Replies
L7 Applicator

Hi Mgentile,

As per my understanding, upon commit, PAN-OS will always verify the difference between the running config and the candidate config and then push only the difference or changes to the firewall.

Hope this helps.

Thanks

L7 Applicator

See the full description of the commit process and all the options in the Panorama Admin Guide, page 79.

Panorama Administrator's Guide 5.1

Commit Changes on Panorama

When you edit the configuration on Panorama, you are making changes to the candidate configuration file. The candidate configuration is a copy of the running configuration along with the modifications that you have saved using the Save option. The Panorama web interface displays all the configuration changes immediately, however the changes are not implemented until you commit the changes. The commit process validates the changes in the candidate configuration file and saves it as the running configuration on Panorama.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Is a FULL commit performed on the actual firewall(s) or a PARTIAL commit?

Community Team Member

Jwolach,

When a commit is made from Panorama to a device group, it is a Full commit. But you do have some options at the bottom of the screen that you can choose:

Include Device and Network Templates—

This option is available when committing a Device Group from Panorama and is a combo operation that will include both the device and network template changes. The template that will be applied to the device is the template that the device belongs to as defined in Panorama > Templates. You can also select Commit Type Template to commit templates to devices.

Stay Secure,
Joe
End of line
L4 Transporter

Hello Jdelio,

I'm familiar with the Include Device and Network Templates checkbox when performing a Device Group commit. What I wanted to know is what type of commit actually takes place on the managed firewall(s) when just a Device Group or Device and Network Templates commit is performed. Is it a Granular Commit or a Full Commit?

Thanks,

Jeff

Community Team Member

It is a Full commit.

Stay Secure,
Joe
End of line