Schedule a rollback to last known good configuration

nawaza
L2 Linker

Hi all,

Is it possible to roll back to 'last known good' configuration, or even previously running config?

Say, for example, I make some changes and issue a commit, then subsequently lose connectivity. Is there a mechanism to schedule a rollback to previously running config after, say, 5 minutes?

Many thanks

Ajaz Nawaz

JNCIE-SEC No. 254

CCIE-RS No. 15721

Accepted Solutions
pulukas
L7 Applicator

The feature is called "commit confirmed" in the Juniper world. There is a feature request pending for a while now.

FR ID 204

Contact your sales engineer and have your company also vote for this feature.

Previous discussion

https://live.paloaltonetworks.com/t5/General-Topics/commit-confirmed-X-on-PaloAlto-firewall/m-p/4575...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

All Replies
BPry
Cyber Elite

@nawaza,

From a straight feature standpoint; not that I know of. I'm assuming that this is on a remote Palo (otherwise it wouldn't really matter) so in that case you could use a local computer within that firewall's network to script this function via the API.

OtakarKlier
Cyber Elite

Hello,

Not sure what changes you are making, however if they are policies, then you add a new policy above the one you want to modify and check the logs to see if the new one gets hit. With routing, not much to do there but to have hands on the device :(.

Regards,

nawaza
L2 Linker

Thanks for the replies.

It's a valuable feature so am somewhat surprised it isn't already there...

Juniper seemed to have it nailed.

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/junos-cli-configuration-...

Will probably make its way into the code I imagine at some point.

nawaza
L2 Linker

Hi Steve - thanks for the info.

I could be accused of being over-paranoid here but it's understandable why any vendor would be reluctant to introduce such a feature as it facilitates migrating to a different vendor.

Kind regards

Ajaz

pulukas
L7 Applicator

Commit confirmed has nothing to do with migration.

Have you ever applied a new configuration to a network device and found yourself suddenly disconnected and cut off from the remote device because there was an error you failed to notice in your configuration?

This is the problem that commit confirmed solves. You commit the new configuration.

If you don't confirm that all is well in the allotted time, the configuration automatically rolls back to the previous settings, restoring access.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
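
A sketch of the scripted workaround BPry suggests, giving the commit-confirmed behaviour pulukas describes; it is an added example, not code from any poster or from Palo Alto Networks. It assumes the script runs on a host inside the firewall's network, that a known-good configuration was saved on the firewall beforehand under the hypothetical name known-good.xml, and that the operator confirms by creating a hypothetical marker file; the host name is a placeholder.

```python
import time
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape

COMMIT = {"type": "commit", "cmd": "<commit></commit>"}

def panos_call(host, key, params):
    """POST one request to the PAN-OS XML API (TLS verified) and return the body."""
    data = urllib.parse.urlencode({**params, "key": key}).encode()
    with urllib.request.urlopen(f"https://{host}/api/", data=data, timeout=30) as r:
        return r.read().decode()

def commit_confirmed(call, confirmed, snapshot, window=300, poll=5,
                     sleep=time.sleep, clock=time.monotonic):
    """Commit, then roll back to `snapshot` unless confirmed() is true in time.

    call(params) sends one API request. confirmed() is the operator's signal,
    which should only be reachable over the path the change might break.
    Returns "confirmed" or "rolled-back".
    """
    # PAN-OS queues commits as jobs, so the window starts when the commit
    # is submitted, not when it finishes; size `window` accordingly.
    call(COMMIT)
    deadline = clock() + window
    while clock() < deadline:
        if confirmed():
            return "confirmed"
        sleep(poll)
    # No confirmation arrived: load the saved snapshot as candidate, commit it.
    name = escape(snapshot)
    call({"type": "op",
          "cmd": f"<load><config><from>{name}</from></config></load>"})
    call(COMMIT)
    return "rolled-back"

if __name__ == "__main__":
    import functools
    import os
    # Placeholder host; the API key comes from the environment, not the script.
    call = functools.partial(panos_call, "fw.example.net", os.environ["PANOS_KEY"])
    marker = "/tmp/confirm-commit"          # hypothetical confirmation file
    print(commit_confirmed(call, lambda: os.path.exists(marker), "known-good.xml"))
```

The API key used here can commit configuration, so scope its admin role to what the script needs and keep it out of shell history and version control.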