Panorama Commits--what actually happens when I commit to a device-group?


L2 Linker

What happens when I push a policy from Panorama to a device-group firewall?  Does Panorama always push the entire configuration file, or does it first perform a 'diff,' and only push the changes?  If it performs a diff, what is the underlying mechanism it uses to track the changes?  Is it some sort of table of rule hashes, etc?  It seems pretty silly to push an entire config if only a single line changes.


Accepted Solutions

L4 Transporter

The entire config is pushed during the commit and not just the changes.


7 Replies

L7 Applicator

Hi Mgentile,

As per my understanding, upon commit the PAN-OS will always verify the difference between running config and the candidate config and then push only the difference or changes to the firewall.

Hope this helps.

Thanks

L7 Applicator

See the full description of the commit process and all the options in the Panorama Admin guide page 79

Panorama Administrator's Guide 5.1

Commit Changes on Panorama

When you edit the configuration on Panorama, you are making changes to the candidate configuration file. The candidate configuration is a copy of the running configuration along with the modifications that you have saved using the Save option. The Panorama web interface displays all the configuration changes immediately, however the changes are not implemented until you commit the changes. The commit process validates the changes in the candidate configuration file and saves it as the running configuration on Panorama.


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

The entire config is pushed during the commit and not just the changes.

Is a FULL commit performed on the actual firewall(s) or a PARTIAL commit?

Jwolach,

When a commit is made from Panorama to a device group, it is a Full commit. But you do have some options at the bottom of the screen that you can choose:

Include Device and Network Templates—

This option is available when committing a Device Group from Panorama and is a combo operation that will include both the device and network template changes. The template that will be applied to the device is the template that the device belongs to as defined in Panorama > Templates. You can also select Commit Type Template to commit templates to devices.


LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hello Jdelio,

I'm familiar with the Include Device and Network Templates checkbox when performing a Device Group commit. What I wanted to know is what type of commit actually takes place on the managed firewall(s) when just a Device Group or Device and Network Templates commit is performed. Is it a Granular Commit or a Full Commit?

Thanks,

Jeff

It is a Full commit.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!