How Configuration Change is Being Applied Depending on “Merge with Candidate Config” Commit Option

How Configuration Change is Being Applied Depending on “Merge with Candidate Config” Commit Option

39529
Created On 09/25/18 18:47 PM - Last Modified 02/07/19 23:52 PM


Resolution


PAN-OS 6.0 and later

 

Details

When pushing "Device Group" configuration change from Panorama down to the managed Palo Alto Networks firewall, the user can select "Merge with Device Candidate Config" option, as shown below:

User-added image

 

This option causes the Palo Alto Networks firewall to include its local candidate configuration when the commit is invoked from Panorama. So the commit process of "Device Group" configuration on the firewall (sent by Panorama) depends on "Merge with Device Candidate Config" in the following way:

  • If the "Merge with Candidate Config" option is disabled, the configuration sent from Panorama is merged directly with the local running-config on the firewall, and then applied (committed), so candidate-config is left untouched.
  • If the "Merge with Candidate Config" option is enabled, the configuration sent from Panorama is first merged with candidate-config and then intermediate commit is done on candidate-config. Then running-config is replaced with a new candidate-config and the final commit is done on running-config.

 

owner: djoksimovic
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQqCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language