Firewall configuration being reverted when pushing config from Panorama

Created On 10/02/20 23:04 PM - Last Modified 03/14/25 23:24 PM


Symptom




Environment


  • Panorama managed Firewalls
  • PAN-OS 9.1.0 or later
     


Cause


  • During a config push from Panorama to the firewall, one of the conditions below is encountered:
  • The firewall temporarily loses connectivity to Panorama for more than 10 seconds.
  • A security policy denies the existing connectivity between the firewall and Panorama (tcp/3978).
  • The firewall system log will show the following relevant events:

    Time                Severity Subtype Object EventID ID Description
    ===============================================================================
    YYYY/MM/DD 16:29:59 info     general    general 0  Config installed
    YYYY/MM/DD 16:30:02 info     panoram    panoram 0  JobId=xx: Performing panorama connectivity check (attempt 1 of 1)
    YYYY/MM/DD 16:30:12 critical panoram    panoram 0  JobId=xx: Panorama connectivity check failed for xx.xx.xx.xx. Reason: TCP channel setup failed, reverting configuration
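As an added example (not part of this article), a small Python parser that pulls the commit-recovery events above out of a system-log export, so the revert can be alerted on instead of being discovered later as a missing policy. The embedded log lines are constructed in the format shown above; the JobId, Panorama address and timestamps are placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the system-log format shown above; JobId, address and
# timestamps are placeholders, not values from a real firewall.
SAMPLE_LOG = """\
2024/05/01 16:29:59 info     general general 0  Config installed
2024/05/01 16:30:02 info     panoram panoram 0  JobId=42: Performing panorama connectivity check (attempt 1 of 1)
2024/05/01 16:30:12 critical panoram panoram 0  JobId=42: Panorama connectivity check failed for 10.0.0.5. Reason: TCP channel setup failed, reverting configuration
2024/05/01 16:45:00 info     general general 0  Config installed
2024/05/01 16:45:03 info     panoram panoram 0  JobId=43: Performing panorama connectivity check (attempt 1 of 3)
2024/05/01 16:45:13 info     panoram panoram 0  JobId=43: Performing panorama connectivity check (attempt 2 of 3)
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<sev>\S+)\s+"
                     r"(?P<subtype>\S+)\s+(?P<obj>\S+)\s+\d+\s+(?P<desc>.*)$")
ATTEMPT_RE = re.compile(r"JobId=(?P<job>\d+): Performing panorama connectivity check "
                        r"\(attempt (?P<n>\d+) of (?P<total>\d+)\)")
REVERT_RE = re.compile(r"JobId=(?P<job>\d+): Panorama connectivity check failed for "
                       r"(?P<pan>\S+)\. Reason: (?P<reason>.*?), reverting configuration")

@dataclass
class Revert:
    job_id: str
    panorama: str             # Panorama address the firewall could not reach
    reason: str
    attempts_allowed: int     # "Number of attempts to check for Panorama connectivity"
    seconds_unreachable: int  # first check attempt -> revert decision

def find_reverts(log_text: str) -> list[Revert]:
    """Return one Revert per 'reverting configuration' event in a system-log export."""
    first_attempt = {}  # job id -> (timestamp of first check, attempts configured)
    reverts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header rows, separators and unrelated formats are skipped
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        if a := ATTEMPT_RE.search(m["desc"]):
            first_attempt.setdefault(a["job"], (ts, int(a["total"])))
        elif r := REVERT_RE.search(m["desc"]):
            start, total = first_attempt.get(r["job"], (ts, 1))
            reverts.append(Revert(r["job"], r["pan"], r["reason"], total,
                                  int((ts - start).total_seconds())))
    return reverts

if __name__ == "__main__":
    for rv in find_reverts(SAMPLE_LOG):
        print(f"commit job {rv.job_id} reverted after {rv.seconds_unreachable}s "
              f"({rv.attempts_allowed} attempt(s) allowed) - {rv.reason} to {rv.panorama}")
```

A revert reported with `attempts_allowed == 1` after a short outage is the case Option 2 below addresses; a revert whose reason persists across a higher attempt count points at a blocked tcp/3978 path instead.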


Resolution


Option 1:

  1. Disable "Enable automated commit recovery"
  2. Select Device > Setup > Management > Panorama Settings > Uncheck "Enable automated commit recovery"

Option 2:

  1. Increase "Number of attempts to check for Panorama connectivity" so that commit recovery (reverting the configuration) is not triggered too quickly when only a temporary loss of connectivity between the firewall and Panorama is expected
  2. Select Device > Setup > Management > Panorama Settings > Number of attempts to check for Panorama connectivity > Replace "1" (default) with a higher number



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB3CCAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
