What is the difference between config lock and commit lock?

• Palo Alto Firewall or Panorama
• Supported PANOS

Config and commit locks are used to prevent collisions that can occur when two administrators are making changes at the same time.

Config lock:

1. Prevents other admins from changing the configuration.
2. Blocks other administrators from making changes to the candidate configuration.
3. It's used when the admin takes a backup of the configuration. So that no one can change the candidate configuration while taking a backup. A custom role administrator who cannot commit changes can set a Config lock and save the changes to the candidate configuration.
4. This lock will not be get removed after performing a commit. Only a superuser or the administrator who set the lock can remove it.

Commit lock:

1. Prevents other admins from committing the configuration.
2. Blocks other administrators from making changes to the running configuration.
3. It's used when you want only one admin to perform changes to the firewall/panorama.
4. This lock automatically gets removed after performing a commit.
    

• Candidate configuration - Configuration which needs to the committed (Changes made to the firewall before performing commit)
• Running configuration -  Actual configuration controlling the operation of the firewall.