Palo Alto: Instant Commit

Finally! With PAN-OS 11.0 Palo Alto Networks introduced an “instant commit”. That is: You no longer have to commit (and wait and wait and wait) until your changes are live, but everything you do is IMMEDIATELY active. Just as on any other firewall, e.g., the Fortis.

Here is how you can enable it along with some use cases and drawbacks:

Enabling this new feature is quite simple: It’s under Device -> Setup -> General Settings:

After that, you must make one more final commit; from then on, everything happens instantly.

To my mind, the biggest advantage of this is when testing new security policies and profiles. You no longer have to wait for the next commit until you see that it’s still not working. ;) Other changes that benefit from this are:

  • NAT stuff
  • routing protocol options to become neighbours
  • user identification agents
  • server profile settings such as RADIUS or syslog

However, there are situations where this is not advantageous. That is: where the normal commit (which activates several changes at once) still has its charm:

  • setting a new IP address of the untrust interface along with its default route
  • changing IPsec tunnel parameters along with PSK and routes
  • changing routes along with exit interfaces and appropriate security zones in policies

Of course, you can always disable this option again for some time.

Note that PAN-OS 11.0 is not available on all current hardware platforms. In particular, it is not available on the PA-220. :( I tested it on a PA-820 cluster.

Happy configuring. ;)


3 thoughts on “Palo Alto: Instant Commit”

  1. As I sit here, testing options to get DHCPv6 DP working on my PA-440 with PAN-OS 11.0.1, how I wish it was true :-)

  2. Okay, I have to admit, you got me! I was like, damn, my PA-850 might become usable again!

    LOL … I still love my 850, but the GUI commit speed wants to make me pull my hair out!
