How to disable Selective Push feature on Panorama

• This document provides information on how to disable selective push feature on Panorama.
• This includes the necessary prerequisites and a list of important caveats.

• Panorama, M Series.
• PAN-OS 10.2.11, 11.1.5, 11.2.5 and above.
• Selective Push

To Disable:

> debug selective-push disable

To Re-enable:

> debug selective-push enable

To view if selective push is enabled or disabled:

> debug selective-push show

• To disable Selective Push Panorama should be running 11.1.5, 10.2.11, 11.2.5 version and above.
• The command to disable selective push has to be run on both HA panorama devices.
• Similarly if any Panorama is RMA'd, the command needs to be dun on the RMA'd Panorama device.
• There is no commit or reboot required after the commands.
• A logout/relogin or browser refresh is required for the selective push not show up.

Caveats or Unsupported Functionalities:

• Commit and Push is not supported if performing partial commit (selecting one user changes).
  • The Local Commit will go through but Push to firewalls will fail since selective push is disabled.
  • Perform a full Push to the firewalls.
• Selective Config Validate via XML API is not supported when selective push is disabled.
  • This validation is successful. However, an XML API user attempting a selective push will encounter a failure because selective push is disabled.
  • Schedule Push is not supported when selective push is disabled.
• If Selective Push is disabled, it is recommended that an administrator perform a two-step process.
  • First commit changes to Panorama.
  • Then perform full push to the firewalls.
  • Avoid using the "Commit and Push" option simultaneously.
• Disabling Selective Push does not impact partial commits to Panorama.