Enable Automated Commit Recovery

Enable Automated Commit Recovery so that firewalls locally test the connection to Panorama and revert if the connection is broken.
To guard against broken configurations caused by configuration changes pushed from the Panorama™ management server to managed firewalls, or committed locally on the firewall, enable Automated Commit Recovery so that managed firewalls test configuration changes for each commit and verify that the changes did not break the connection between Panorama and the managed firewall. You can configure the number of tests that each managed firewall performs and the interval at which each test occurs before the managed firewall automatically reverts its configuration back to the previous running configuration. When you enable automated commit recovery, the managed firewall configuration reverts and not the Panorama configuration. Additionally, the managed firewall tests its connection to Panorama every 60 minutes to ensure continued communication in the event that unrelated network configuration changes disrupted connectivity between the firewall and Panorama or that impacts from a past committed configuration affected connectivity. For high availability (HA) configurations, HA synchronization between the HA peers after a push from Panorama occurs only after a connectivity test.
Automated commit recovery is enabled by default. However, if you disabled automated commit recovery and then want to re-enable this feature in an existing production environment, first verify that there are no policy rules that will break the connection between Panorama and the managed firewall. For example, where management traffic traverses the dataplane, it is possible that a policy rule restricts traffic from the firewall to Panorama.
The firewall generates a config log after the firewall configuration successfully reverts to the last running configuration. Additionally, the firewall generates a system log when the administrator disables this feature, when a configuration revert event begins due to a connectivity test that fails after a configuration push, and when the Panorama connectivity test that is performed every 60 minutes fails and causes the firewall configuration to revert.
Enable Automated Commit Recovery independent of any other configuration change. If enabled alongside any other configuration changes that result in a connection break between Panorama and managed firewalls, the firewall configuration cannot automatically revert.
  1. Select Device > Setup > Management and select the desired Template or Template Stack from the Template context drop-down.
  2. Enable automated commit recovery.
    (ZTP Firewalls) Enabling automated commit recovery may cause the initial configuration push after you add ZTP firewalls to Panorama to be automatically reverted. To enable automated commit recovery for your managed ZTP firewalls, configure the Number of attempts to check for Panorama connectivity as 5.
    1. Edit the Panorama Settings.
    2. Enable automated commit recovery.
    3. Configure the Number of attempts to check for Panorama connectivity (default is 1 attempt).
      (ZTP Firewalls) Configure the number of attempts as 5 to avoid unintended configuration reverts after the first push from Panorama.
    4. Configure the Interval between retries (default is 10 seconds).
    5. Click OK to save your changes.
  3. Select Commit > Commit and Push and Commit and Push your changes.
  4. Verify that the automated commit recovery feature is enabled on your managed firewalls.
    1. Select Device > Setup > Management and, in the Panorama Settings, verify that Enable automated commit recovery is enabled (checked).
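The following added example is a simplified model of how the attempts and interval settings interact. It is not PAN-OS code and not part of the original documentation; it shows why a single attempt reverts a push whose connection is merely slow to come back, while 5 attempts tolerate it. It assumes the first test runs immediately after the commit and that the firewall reverts only when every attempt fails; the probe functions, sample configurations and event strings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class RecoverySettings:
    attempts: int = 1      # page default: 1 attempt
    interval_s: int = 10   # page default: 10 seconds between retries

# Hypothetical probe signature: (active config, seconds since commit) -> reachable?
Probe = Callable[[Dict, int], bool]

def commit_with_recovery(running: Dict, candidate: Dict, probe: Probe,
                         s: RecoverySettings) -> Tuple[Dict, List[str]]:
    """Activate candidate, test Panorama connectivity, revert if every test fails."""
    events: List[str] = []  # illustrative messages, not real PAN-OS log text
    for n in range(s.attempts):
        t = n * s.interval_s  # assumption: first test runs right after the commit
        if probe(candidate, t):
            events.append(f"t={t}s test {n + 1}/{s.attempts}: connected, commit kept")
            return candidate, events
        events.append(f"t={t}s test {n + 1}/{s.attempts}: Panorama unreachable")
    events.append("system log: connectivity test failed, revert begins")
    events.append("config log: reverted to last running configuration")
    return running, events

# Constructed sample configurations and failure modes.
RUNNING = {"version": 41, "deny_mgmt_to_panorama": False}
BAD_PUSH = {"version": 42, "deny_mgmt_to_panorama": True}
ZTP_PUSH = {"version": 1, "deny_mgmt_to_panorama": False}

def rule_blocks_mgmt(config: Dict, t: int) -> bool:
    # Management traffic crosses the dataplane and a pushed rule drops it.
    return not config["deny_mgmt_to_panorama"]

def slow_to_settle(config: Dict, t: int) -> bool:
    # Constructed: the link to Panorama only comes back 35 s after the push.
    return t >= 35

if __name__ == "__main__":
    cases = [("bad rule, 5 attempts", BAD_PUSH, rule_blocks_mgmt, RecoverySettings(5)),
             ("slow link, default", ZTP_PUSH, slow_to_settle, RecoverySettings()),
             ("slow link, 5 attempts", ZTP_PUSH, slow_to_settle, RecoverySettings(5))]
    for name, cand, probe, s in cases:
        active, events = commit_with_recovery(RUNNING, cand, probe, s)
        print(f"{name}: active version {active['version']}")
        for e in events:
            print("   ", e)
```

Under these assumptions, the longest outage a push can survive is (attempts - 1) × interval seconds, which is 0 seconds with the defaults and 40 seconds with 5 attempts at 10 seconds.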