Policies are Pushed from Panorama, but Local Commit on Panorama was Never Performed

Created On 09/26/18 13:52 PM - Last Modified 06/08/23 06:21 AM



Issue

Policies created on Panorama are pushed to the managed Palo Alto Networks device. However, the policies were not saved or committed on Panorama. Panorama is then restarted/rebooted and those shared policies are no longer found. How can the shared policies that were pushed to the managed devices, but not locally committed, be recovered on Panorama?

Note: This document applies to Panorama running 5.0.x.

Details

When configuration changes on Panorama are pushed to devices without performing a commit on Panorama, the candidate configuration from Panorama is pushed to the devices. The new changes from Panorama that were pushed will appear on the running configuration of the managed devices. However, the changes are not saved on Panorama. When a restart/reboot of Panorama occurs, the changes on the candidate configuration will be lost since they were never committed to Panorama's running configuration.

Resolution

First, check to make sure the missing policies are not located on Panorama. If they are not found, then try one of the following to recover the pushed policies:

  • Manually add the policies back to Panorama.
  • Use TFTP or SCP to export the .merged-running-config.xml file.
  • Export the Panorama running-config.xml.
  • Edit the running-config.xml and add the missing policies.
  • Import and load the running-config.xml.
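
To find which pushed rules need to be added back before editing running-config.xml, the two exported files can be compared offline. The script below is an added example, not part of the original article or a Palo Alto Networks tool. It assumes pushed rules appear under `pre-rulebase`/`post-rulebase` elements as `rules/entry` nodes with a `name` attribute; the function names and the inline sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: pushed rules sit under <pre-rulebase>/<post-rulebase> as
# <type>/<rules>/<entry name="...">; device-local rules use <rulebase> and are skipped.
RULEBASES = ("pre-rulebase", "post-rulebase")

def pushed_rules(xml_text):
    """Map (rulebase, rule type, rule name) -> <entry> element."""
    found = {}
    root = ET.fromstring(xml_text)
    for rb_tag in RULEBASES:
        for rulebase in root.iter(rb_tag):
            for rule_type in rulebase:  # e.g. security, nat
                for entry in rule_type.findall("rules/entry"):
                    found[(rb_tag, rule_type.tag, entry.get("name"))] = entry
    return found

def missing_on_panorama(device_xml, panorama_xml):
    """Rules present in the device's merged config but absent from Panorama."""
    on_device = pushed_rules(device_xml)
    on_panorama = pushed_rules(panorama_xml)
    return {key: ET.tostring(on_device[key], encoding="unicode").strip()
            for key in sorted(on_device) if key not in on_panorama}

# Constructed sample: export taken from a managed device (merged config).
DEVICE_MERGED = """<config><panorama><pre-rulebase><security><rules>
  <entry name="allow-dns"><action>allow</action></entry>
  <entry name="block-telnet"><action>deny</action></entry>
</rules></security></pre-rulebase></panorama>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
    <entry name="local-only"><action>allow</action></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Constructed sample: Panorama running-config.xml after the reboot.
PANORAMA_RUNNING = """<config><shared><pre-rulebase><security><rules>
  <entry name="allow-dns"><action>allow</action></entry>
</rules></security></pre-rulebase></shared></config>"""

if __name__ == "__main__":
    for key, fragment in missing_on_panorama(DEVICE_MERGED, PANORAMA_RUNNING).items():
        print("/".join(key))
        print(fragment)
```

Each reported fragment is the rule as the device holds it; review it and confirm that the objects it references still exist on Panorama before adding it to the file to be imported.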

owner: acamacho


