Generally, making configuration changes to the standby member of a cluster is not recommended. Indeni will alert if this happens.

Remediation Steps

Make the configuration changes to the active member of the cluster.

How does this work?

This alert logs in to the Palo Alto Networks firewall through SSH and retrieves the difference between the committed configuration and the saved configuration. If a change is found, an alert is issued.
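As an added illustration (not Indeni's own script), the Python below applies the same comparison to two configuration texts that have already been retrieved from a member. The set-style sample configurations, the `role` labels and the function names are constructed for this example.

```python
import difflib

# Constructed sample configurations in a simplified set-style format.
COMMITTED = """\
set deviceconfig system hostname fw-b
set rulebase security rules allow-dns action allow
set rulebase security rules allow-dns application dns
"""
SAVED = """\
set deviceconfig system hostname fw-b
set rulebase security rules allow-dns action allow
set rulebase security rules allow-dns application any
set rulebase security rules temp-rule action allow
"""


def uncommitted_changes(committed, saved):
    """Return the lines that differ, prefixed '-' (committed only) or '+' (saved only)."""
    diff = list(difflib.unified_diff(
        committed.splitlines(), saved.splitlines(),
        fromfile="committed", tofile="saved", lineterm="", n=0))
    # Skip the two file-header lines, then drop the '@@' hunk headers.
    return [line for line in diff[2:] if not line.startswith("@@")]


def check_member(role, committed, saved):
    """Evaluate one cluster member; role is 'active' or 'standby' (assumed labels)."""
    changes = uncommitted_changes(committed, saved)
    return {
        "role": role,
        "changes": changes,
        # The alert condition from the page: a difference found on the standby member.
        "alert": role == "standby" and bool(changes),
    }


if __name__ == "__main__":
    result = check_member("standby", COMMITTED, SAVED)
    for line in result["changes"]:
        print(line)
    if result["alert"]:
        print("ALERT: configuration changed on the standby member; "
              "make the change on the active member instead")
```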

Why is this important?

After changing the configuration of a device, it is always important to remember to commit the changes. On Palo Alto Networks firewalls, changes do not take effect until they are committed. A common issue arises when an administrator makes certain changes, does not commit them, and walks away. Another administrator logs on later, makes their own changes and commits them. In the process, they also commit the first administrator's changes, potentially causing issues.

Without Indeni how would you find this?

The web interface on a Palo Alto Networks firewall indicates whether there is a change that requires committing. A user who fails to notice that indication would run into the problem described above.

