A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time.
How can they achieve this?
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time.
How can they achieve this?
To ensure that all Panorama configuration is committed and pushed to devices at the end of the day at a specific time, the correct approach would be to use the Scheduled Config Push to schedule the push to devices and separately schedule an API call to commit all Panorama changes. The commit to Panorama cannot be scheduled directly through Scheduled Config Push; it needs to be done via an API call or manually. Therefore, combining the two actions—Scheduled Config Push for pushing to devices and an API call for committing changes to Panorama—achieves the desired result.
Here's how this approach works: Schedule Config Push to Devices: Use the Scheduled Config Push feature to schedule the push of Panorama configurations to the managed devices. This will ensure that the configurations are pushed to the devices at the specified time. Schedule an API Call to Commit Changes: Separately schedule an API call (such as a REST API call) to commit all the changes made in Panorama. This API call should trigger the commit process in Panorama to save all configuration changes. This step should be scheduled to occur before or after the scheduled Config Push, depending on your specific workflow. This combination of scheduled Config Push and a separate API call to commit changes allows you to control and automate the process of ensuring that all configurations are committed and pushed to the devices at the desired time. It provides flexibility and control over the commit and push operations.
In Panorama version 10.1.0, we can schedule commit and push. Tested in a virtual LAB.
Not sure what he tested... Changes that were not committed were not pushed towards the FW...and this is on 11.1 A manual commit or an API commit needs to be done period to the schedule
The function will not "schedule commit to Panorama". It firstly need to commit PN , like using API or other utilities , then is "Schedule config push"
Answer is B : https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/scheduled-configuration-push-to-managed-firewalls
B according to this link https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/schedule-a-configuration-push-to-managed-firewalls Log in to the Panorama Web Interface. Create a scheduled configuration push. Select PanoramaScheduled Config Push and Add a new scheduled configuration push. You can also schedule a configuration push to managed firewalls when you push to devices (CommitPush to Devices).
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/scheduled-configuration-push-to-managed-firewalls. Pano commit is not an option in this feature
B https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/scheduled-configuration-push-to-managed-firewalls
B is reasonable. The below discusses impact and config rollback which would only happen if the pushed configs are also being committed on the firewalls. "After a successful scheduled configuration push occurs, you can view the scheduled configuration push execution history to understand when the last push for a specific schedule occurred, and how many managed firewalls were impacted. From the total number of impacted managed firewalls, you can view how many configuration pushes to managed firewalls were successful and how many failed. Of the failed pushes, you can view the total number of managed firewalls with automatically reverted configurations due to a configuration change that interrupted the connection between the managed firewall and Panorama."
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/schedule-a-configuration-push-to-managed-firewalls
Actually ignore my comment. The push to Panorama is what isn't part of 'Scheduled Config Push' so I guess it has to be C indeed. The ansible for the API call to commit Pano is here : https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_commit_panorama_module.html
The Question is about Commit to Panorama and Push to managed devices, the Schedule configuration push is only for pushing to devices: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/scheduled-configuration-push-to-managed-firewalls so to make an auto Commit we have to do it using API calls.
https://live.paloaltonetworks.com/t5/automation-api-discussions/commit-and-push-in-panorama-8-0-3/td-p/162448
if you are too lazy that you need an API to commit your config changes in Panorama, you should not be a firewall admin in the 1st place... the only thing that makes sense is scheduled push to managed firewalls
First Commit to Panorama, then Scheduled Push to Devices. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/scheduled-configuration-push-to-managed-firewalls
This is only half the answer since the question asks to commit to Panorama as well. The link provided only mentions pushing already committed configuration to the firewalls.
B is the answer
The answer should be B. You commit your changes to Panorama first, then you push to the devices.
B: PANOS 10.1.0 allows you to create a scheduled configuration push to automatically push changes to your managed firewalls on a specified date and time. You can configure a scheduled configuration push to either occur once or to push on a regularly occurring schedule. This allows you to effectively push configurations made by multiple administrators to multiple firewalls without the need for involvement of any administrator.
B.makes the most sense.
There is no commit option on the push scheduler
Then what is the point?
You make changes the day before for a firewall on the other side of the world. Commit, schedule the push for 3am and enjoy a good night sleep. Did it many times.