Network technologies and trends

Oct 12 2015   7:03PM GMT

What is transaction lock feature in Palo Alto Networks Firewalls?

Yasir Irfan

Tags: Administrator, Firewalls, lock, Network, Network Technology, Palo Alto Networks

Palo Alto Networks firewalls can be administered by multiple administrators through the WebUI, which makes it quite challenging to see who is controlling the firewall, whether by making config changes or by committing the changes made.

To provide more flexibility and accounting, Palo Alto Networks offers two types of locks:

  1. Config Lock
  2. Commit Lock

Using these two features, a Palo Alto Networks firewall administrator can prevent configuration changes or commit operations by another administrator. Until the lock is removed, another administrator cannot make any changes.

Config Lock – Blocks other administrators from making changes to the configuration of the Palo Alto firewall. One should set the Config Lock at the global level. Only the administrator who set this lock or a superadmin can remove the Config Lock.

Commit Lock – Blocks other administrators from committing any changes until all the locks have been released. This lock prevents the collisions that can occur when two administrators try to make changes to the Palo Alto firewall at the same time. The lock is released automatically the moment the commit operation is completed by the administrator who started the commit activity first, or it can be released manually.

Anyone can see from the WebUI who is holding the Commit Lock and can ask the concerned administrator to release it. Only the administrator who set this lock or a superadmin can remove the Commit Lock.

In the example below, the commit lock is held by the user admin, and yasir is the user who has logged in to the Palo Alto firewall. Yasir cannot make any changes until admin completes his task. The only way to overcome this is for the commit lock to be released, either by admin or by the superadmin.

[Screenshot: Screen Shot 2015-10-12 at 9.47.43 PM]

This little feature is quite handy for making clear who has control over the Palo Alto firewall, and I recommend enabling it to ensure that no changes are made accidentally by another administrator.
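
The lock rules described above, including the admin/yasir case, written out as a small Python model. This is an added illustration, not PAN-OS code or anything from Palo Alto Networks; the class and method names, the `superadmin` account name, and the one-config-lock-at-a-time rule are assumptions.

```python
class FirewallLocks:
    """Simplified model of the lock rules in the post; not PAN-OS code."""
    def __init__(self, superadmins):
        self.superadmins = set(superadmins)
        self.config_lock = None    # holder or None (assumption: one at a time)
        self.commit_locks = set()  # admins currently holding a commit lock

    def _check_remover(self, actor, holder):
        # Only the admin who set the lock or a superadmin may remove it.
        if actor != holder and actor not in self.superadmins:
            raise PermissionError(f"{actor} cannot remove a lock set by {holder}")

    def take_config_lock(self, admin):
        if self.config_lock not in (None, admin):
            raise PermissionError(f"config lock already held by {self.config_lock}")
        self.config_lock = admin

    def remove_config_lock(self, actor):
        if self.config_lock is not None:
            self._check_remover(actor, self.config_lock)
            self.config_lock = None

    def take_commit_lock(self, admin):
        self.commit_locks.add(admin)

    def remove_commit_lock(self, actor, holder):
        if holder in self.commit_locks:
            self._check_remover(actor, holder)
            self.commit_locks.discard(holder)

    def edit_config(self, admin):
        if self.config_lock not in (None, admin):
            raise PermissionError(f"config is locked by {self.config_lock}")

    def commit(self, admin):
        blockers = sorted(self.commit_locks - {admin})
        if blockers:
            raise PermissionError(f"commit blocked by commit lock held by {blockers}")
        self.commit_locks.discard(admin)  # auto-release after the holder's commit

def post_scenario():
    """The post's example: admin holds the commit lock, yasir tries to commit."""
    fw = FirewallLocks(superadmins={"superadmin"})  # hypothetical superadmin name
    fw.take_commit_lock("admin")
    try:
        fw.commit("yasir")
        return "committed"
    except PermissionError as err:
        return f"refused: {err}"
```

In this model the config lock stays in place until it is removed, since the post describes automatic release only for the commit lock.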
