Palo Alto Networks Knowledgebase: PAN-OS 7.1 Commit workflow and queueing

PAN-OS 7.1 Commit workflow and queueing

Created On 07/29/19 17:24 PM - Last Updated 07/29/19 17:51 PM
Resolution

Prior to PAN-OS 7.1, only one commit could be issued at any given time. Subsequent commits returned an error prompting the user to try again later. PAN-OS 7.1 adds the ability to queue commit operations from Panorama as well as local commits on PAN-OS devices.

 

Commit queueing feature:

 

  • These commits will no longer fail:
    • Commits from multiple device groups (in Panorama) containing VSYS on the same device.
    • When multiple VSYS or device commits are issued to the device locally or when Panorama commits are issued while another commit is ongoing.
  • Administrators are allowed to commit to the same device even when a commit (or validation) is ongoing
  • Newly requested commits are added to a "commit queue" and executed after the prior commit(s) are complete
  • Failed commits are popped out of the queue and appropriate error messages are sent to the administrators issuing the commit
  • The commit queue can be viewed from the Tasks panel
  • From Panorama Tasks panel the following information is shown:
    • The number of pending requests before this request is indicated by the depth in the queue counter
    • The depth in the commit queue for the selected commit is updated as each previous commit is updated
    • The ability to remove all queued commit jobs from the commit queue is available for the commit that is at the top of the queue
  • Content pushes from Panorama, FQDN refresh, and External Dynamic List (EDL) refresh jobs that arrive during an ongoing commit are executed after the commit is finished, but before starting the next commit in the queue
  • No change to User-ID refresh behavior is expected
  • The show jobs command has been extended to show commits in the commit queue from the CLI
  • The clear job id command has been extended to include the ability to remove queued jobs from the commit queue
  • Note: FQDN and EDL refresh jobs cannot be removed from the commit queue
  • Commits from the CLI can be escaped while they are still being processed:
    # commit force

    Commit job 53525 is in progress. Use Ctrl+C to return to command prompt
    .^C
    Commit is in process
    You can run the following command to monitor its status:
    # run show jobs id 53525
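The ordering rules in the list above, as a small model added here for illustration (it is not Palo Alto Networks code and does not talk to a device). The class and job names are hypothetical, and two points the page does not state are assumptions: the capacity counts queued commits only, not the running one, and a commit submitted to a full queue is rejected.

```python
from collections import deque

# Capacities copied from the page's per-platform list (subset).
CAPACITY = {"PA-200": 2, "PA-3000": 5, "PA-5000": 10}

class CommitQueue:
    """Toy model of the 7.1 commit queue; hypothetical, not PAN-OS code."""
    def __init__(self, platform):
        self.capacity = CAPACITY[platform]
        self.running = None      # job currently executing
        self.commits = deque()   # queued commits, FIFO
        self.refresh = deque()   # FQDN/EDL/content jobs that arrived mid-job
        self.ran, self.errors = [], []

    def submit(self, job_id, kind="commit", fails=False):
        job = {"id": job_id, "kind": kind, "fails": fails}
        if self.running is None:
            self.running = job
            return "running"
        if kind != "commit":
            self.refresh.append(job)
            return "deferred"
        if len(self.commits) >= self.capacity:  # ASSUMPTION: full queue rejects
            return "rejected"
        self.commits.append(job)
        return "queued"

    def clear(self, job_id):
        """Model of 'clear job id': only queued commits can be removed."""
        for job in self.commits:
            if job["id"] == job_id:
                self.commits.remove(job)
                return True
        return False             # refresh jobs and the running job stay

    def finish(self):
        job, self.running = self.running, None
        self.ran.append(job["id"])
        if job["fails"]:
            self.errors.append(job["id"])   # failure is reported, queue moves on
        nxt = self.refresh or self.commits  # refresh jobs go before the next commit
        if nxt:
            self.running = nxt.popleft()

def demo():
    q = CommitQueue("PA-200")    # constructed sample arrival sequence
    results = [q.submit("commit-A"), q.submit("commit-B", fails=True),
               q.submit("edl-refresh", kind="refresh"),
               q.submit("commit-C"), q.submit("commit-D")]
    while q.running:
        q.finish()
    return results, q.ran, q.errors
```

In `demo()`, the EDL refresh that arrives while commit-A is running executes before the queued commit-B, and the failure of commit-B does not block commit-C.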

 

Performance:

 

  • Individual commit times across various platforms and Panorama should not increase
  • Even with multiple commits queued, the time taken to perform other jobs (EBL refreshes, FQDN refreshes, WildFire updates etc.) should not increase from the current baseline when they start executing

Commit queue capacity per platform:

 

  • PA-VM: 3
  • PA-200: 2
  • PA-500: 2
  • PA-2000: 3
  • PA-3000: 5
  • PA-4000: 3
  • PA-5000: 10
  • PA-7000: 10
  • Panorama: 10
  • Panorama VM: 10

Commit descriptions

 

  • The length of the description field is 512 characters
  • The commit description is shown in the commit dialog and the task job panel


 

  • The description field is stored across reboots and shown as a tooltip in the configuration audit window when configurations are chosen for audit.
    • Inline filtering is also supported; simply type description in the selection box


 

  • Commit description has been added to the system log


 

Role Based Access Control:

 

  • Administrator Roles have been updated to control (allow or disallow) Panorama, Device Group, Template and Collector Group (Panorama admin only) commits independently of each other.
  • An additional option is available for the administrator to control access to the "Force Template Value" option during the template commit


 

  • If a custom admin role is defined with no commit rights, the commit option for all the commit types is disabled
  • If any commit type is disabled, then on downgrade the admin role will have the commit option completely disabled
  • This is a UI-only feature and does not apply to CLI roles; CLI roles continue to behave as before.

 


