Concurrent editing and merging changes

When you allow multiple users to edit an access control policy, you have two choices:

  • Have users lock the policy when editing it. This ensures that only one user at a time can make changes. With locking, you never have to worry about lost or conflicting changes. However, it limits your ability to respond quickly to unexpected events, especially if a user leaves the policy locked while out of the office. For more information about locking policies, see Locking an access control policy.

  • Allow users to simultaneously edit the policy. If more than one user has made unsaved edits at a given time, the first user who saves the policy gets all of their changes saved. Other users are immediately notified of the save, and must then merge their changes. The rest of this topic explains this approach.

Note

If you are using change management, where edits are done within the scope of a ticket, the ticket locks the policy and concurrent editing is not possible.

Before you begin

To limit the amount of merging you have to do, save the policy early and often.

Procedure


Step 1

Determine if other users are also editing the policy.

When you edit an access control policy, look for the following message banner at the top of the page:


User name is currently editing this policy.

This message indicates that the named user (there might be more than one) currently has the policy open for editing.

Step 2

Watch for notifications that another user saved changes and take action.

The following banner message indicates another user saved changes and you need to take immediate action:


User name modified this policy and saved changes. Merge Discard.

Click one of the following links:

  • Merge—Open a merge window where you can make decisions about which of your changes to keep or to discard, and to identify changes that cannot be merged. See the next step when taking this option.

  • Discard—Discard all of your changes immediately and start over. If you select this option, the page is refreshed with the latest changes from the other user.

Step 3

Merge changes.

When you click the Merge option, a merge window opens with a summary of the total number of observed differences between your edits and the last user’s saved edits. No other user’s unsaved edits are included. Observations include direct conflicts and informational notifications.

Note

You must complete all merge decisions before you close the window. Once you click the Merge option, you cannot postpone these decisions until later.

  1. Evaluate each conflict and make a decision for each.

    When evaluating the change list, consider the following:

    • Initially, all observations are shown, but you can select/deselect the filtering options for Conflict and Info to limit the displayed information. Conflicts arise when users edit the same rule or setting. Informational items are for edits to different rules or settings.

    • If there are no conflicts, your cache is immediately updated with the last saved changes and you can proceed. For example, if you are editing rule 1, and the other user saved changes to rule 2, it is unlikely that there are any conflicts.

    • For each conflict (other than rule name), the window shows the version of the element saved by the other user (Version on Firewall Management Center), and your changes (Modified Version). Changes are color-coded for new (e.g. an option that was not previously defined), edited, or deleted policy elements. You must select either Discard, to drop your change, or Accept Mine, to overwrite the other user’s change. When you discard a change, the rule is refreshed with the other user’s saved change and yours is removed.

    • Rule conflicts are considered at the rule level, not per element within the rule. For example, if you edit destination networks, and the saved changes are for source networks, either your changes or the other user’s changes are retained, not both.

    • If the conflict involves the name of a rule, the system tries to create a unique name by adding an underscore and number to the name, such as Rule_1. You can alternatively enter a new name in the edit box provided and click Save. If you click Discard, the generated rule name is used.

    • You cannot skip any conflict. For each conflict, you must make a decision to discard or keep your change.

    • If the user who saved changes deleted a rule that you edited, the rule is deleted and you do not have the option to keep the rule.

    • If the user who saved changes updated a rule, and your change is to delete the rule, the rule is retained: you cannot merge your deletion.

    • For the following options, if your change conflicts with the saved changes, your change is discarded and merging the change is not an option:

      • Other policy assignments: prefilter, Security Intelligence, identity, decryption

      • Changes to advanced settings, policy logging, EVE, HTTP response pages.

      • Policy default action.

      • Inheritance settings.

  2. Click Close.
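
The following is an added illustration, not product code: a simplified Python model of the rule-level merge outcomes listed in this step, run over constructed sample rules. The function names (classify, merge), the observation labels, and the dictionary representation of a policy are assumptions made for the example.

```python
# Simplified model of the rule-level merge behaviour described in this topic.
# Added illustration, not Firewall Management Center code; rule-name conflicts
# and the non-mergeable policy-level settings are not modelled.

def classify(base, saved, mine):
    """Map each changed rule to 'info', 'conflict', 'deleted_by_other' or 'delete_rejected'."""
    observations = {}
    for name in sorted(set(base) | set(saved) | set(mine)):
        b, s, m = base.get(name), saved.get(name), mine.get(name)
        if s == b and m == b:
            continue                                  # nobody touched this rule
        if s == b or m == b or s == m:                # s == m as info is an assumption
            observations[name] = "info"               # edits to different rules
        elif s is None:
            observations[name] = "deleted_by_other"   # rule is deleted, no choice offered
        elif m is None:
            observations[name] = "delete_rejected"    # rule is retained, no choice offered
        else:
            observations[name] = "conflict"           # both users edited the same rule
    return observations

def merge(base, saved, mine, decisions):
    """Apply 'discard' / 'accept_mine' per conflict; whole rules win, never single fields."""
    merged = {k: dict(v) for k, v in saved.items()}
    for name, kind in classify(base, saved, mine).items():
        if kind == "info" and saved.get(name) == base.get(name):
            take_mine = True                          # only I changed this rule
        elif kind == "conflict":
            if decisions.get(name) not in ("discard", "accept_mine"):
                raise ValueError(f"no decision for conflict on {name!r}")
            take_mine = decisions[name] == "accept_mine"
        else:
            take_mine = False                         # the other user's saved state stands
        if take_mine and name in mine:
            merged[name] = dict(mine[name])
        elif take_mine:
            merged.pop(name, None)
    return merged

# Constructed sample: common starting point, the other user's save, my unsaved edits.
BASE = {f"rule{i}": {"src": "any", "dst": "any"} for i in (1, 2, 3, 4)}
SAVED = {**BASE, "rule1": {"src": "10.0.0.0/8", "dst": "any"},
         "rule4": {"src": "192.0.2.0/24", "dst": "any"}}
del SAVED["rule3"]
MINE = {**BASE, "rule1": {"src": "any", "dst": "10.1.0.0/16"},
        "rule2": {"src": "any", "dst": "198.51.100.7"},
        "rule3": {"src": "any", "dst": "203.0.113.0/24"}}
del MINE["rule4"]
```

In this sample, choosing accept_mine for rule1 keeps the destination edit and drops the other user's source edit, because the decision applies to the whole rule; security-relevant changes lost this way must be re-applied by hand after the merge.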

Step 4

Once the merge is complete, you can either save the policy immediately or continue editing it. Saving the policy might reduce the impact of future merges.