Finally! With PAN-OS 11.0 Palo Alto Networks introduced an “instant commit”. That is: You no longer have to commit (and wait and wait and wait) until your changes are live, but everything you do is IMMEDIATELY active. Just as on any other firewall, e.g., the Fortis.
Here is how you can enable it along with some use cases and drawbacks:
Enabling this new feature is quite simple: It’s under Device -> Setup -> General Settings:
After that, you must make one more final commit until everything happens instantly.
To my mind, the biggest advantage of this is when testing new security policies and profiles. You no longer have to wait for the next commit until you see that it’s still not working. ;) Other changes that benefit from this are:
- NAT stuff
- routing protocol options to become neighbours
- user identification agents
- server profile settings such as RADIUS or syslog
However, there are situations where this is not advantageous though. That is: where the normal commit (that activates several changes at once) still has its charm:
- setting a new IP address of the untrust interface along with its default route
- changing IPsec tunnel parameters along with PSK and routes
- changing routes along with exit interfaces and appropriate security zones in policies
Of course, you can always disable this option again for some time.
Happy configuring. ;)