topic Re: Errors and commit warnings after 11.1.2-h3 upgrade in Next-Generation Firewall Discussions

Errors and commit warnings after 11.1.2-h3 upgrade

GregorJus — Sun, 23 Jun 2024 11:26:39 GMT

Hi,

If anyone could shed some light on the issue below, it would be greatly appreciated. Since upgrading my PA-440 to 11.1.2-h3 (preferred version), I am seeing the following two issues:

1. Every 5 minutes, there is a system log error:
Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com

2. After committing changes to the firewall, the following is observed:
Configuration committed successfully
Local configuration size: 174 KB
Predefined configuration size: 17 MB
Merged configuration size(local, panorama pushed, predefined): 18 MB
Maximum recommended merged configuration size: 35 MB (51% configured)

Anyone else experiencing these issues or have some kind of idea what has happened or how to fix it?

Thanks,

Re: Errors and commit warnings after 11.1.2-h3 upgrade

MeCJay12 — Fri, 28 Jun 2024 19:15:48 GMT

Same issue here. Upgraded from 10.2.8-h3 to 11.1.2-h3 on a VM series KVM firewall.

If ospf router ID changed,it require restart ospf processor(Module: routed) client routed phase 1 failure Commit failed Local configuration size: 7 KB Predefined configuration size: 17 MB Merged configuration size(local, panorama pushed, predefined): 18 MB Maximum recommended merged configuration size: 17 MB (105% configured) Failed to commit policy to device

Re: Errors and commit warnings after 11.1.2-h3 upgrade

P.Piro — Thu, 04 Jul 2024 04:03:20 GMT

Same issue here with the 17MB limit. Need a fix for this asap.

Re: Errors and commit warnings after 11.1.2-h3 upgrade

GregorJus — Thu, 04 Jul 2024 06:05:04 GMT

Apart from the limit "issue", can anyone shed some light on the the matter of:

Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com

I am loosing my mind 🙂

Re: Errors and commit warnings after 11.1.2-h3 upgrade

Jpergolizzi — Thu, 10 Oct 2024 21:43:08 GMT

I am also seeing this on multiple PA-850's since moving to 11.1.4-h1:

Local configuration size: 429 KB
Predefined configuration size: 18 MB
Merged configuration size(local, panorama pushed, predefined): 20 MB
Maximum recommended merged configuration size: 23 MB (86% configured)

Re: Errors and commit warnings after 11.1.2-h3 upgrade

suzannomer258 — Fri, 11 Oct 2024 06:39:47 GMT

It sounds like you're running into configuration size issues after upgrading to 11.1.4-h1 on the PA-850s. The merged config size being at 86% of the max recommended could definitely be a cause for concern, especially as you continue to push updates or add new policies. Have you tried reaching out to Palo Alto support to see if there's a way to optimize the config? Sometimes there are unused objects or old rules that can be cleaned up to reduce the overall size. Alternatively, it might be worth monitoring it closely and planning for a more efficient setup if you anticipate growth.

Re: Errors and commit warnings after 11.1.2-h3 upgrade

Jpergolizzi — Thu, 31 Oct 2024 17:48:44 GMT

Hi there, thanks for responding! yes, I believe that's exactly whats going on. I've cleaned up my config but in looking at whats taking the space, the majority of it is the pre-defined data sent from Palo Alto. I'm hoping they have a way to trim that down, it will be a hard-sell to my client to purchase new firewalls. 😞

Re: Errors and commit warnings after 11.1.2-h3 upgrade

DZamudio — Thu, 05 Dec 2024 16:25:29 GMT

Have you heard anything back from Palo Alto in regard to trim the predefined config? We just got his with a full 1MB change overnight for their predefined config and it is annoying that Palo Alto is doing this. I guess it's their way of forcing people to upgrade, yet their newer firewalls aren't that high in max config size & they can't be straight forward how much will this increase over the years. I seriously feel like Palo Alto has gone south on their products. We are actively considering moving to another vendor due to this. Our config is very small and we even removed any unused items. Support has gone nowhere for a solution, just stated we should upgrade and yet our firewalls aren't EOL until 2029.

Re: Errors and commit warnings after 11.1.2-h3 upgrade

Jpergolizzi — Thu, 05 Dec 2024 16:58:59 GMT

Hi there. Unfortunately, I haven't had a chance to speak with them yet about it but planning to. I've got 2 clients with PA-850's and PA-220s and all devices are reporting the issue. My suspicion is that it's pre-defined config and dynamically downloaded content like threat signatures, etc, etc. Not sure if anything can be done about that. I will open a case and let you know if I get any good answers.

Re: Errors and commit warnings after 11.1.2-h3 upgrade

Adi-Benbrima — Fri, 21 Feb 2025 15:56:36 GMT

any feedback about this topic ?

Re: Errors and commit warnings after 11.1.2-h3 upgrade

DZamudio — Mon, 24 Feb 2025 14:36:42 GMT

@Adi-Benbrima - I assume in regard to the 'limit' issue? If so, there are a few commands we have been told by Palo Alto TAC to run to expand the max size.

You can find more information in this other post: Solved: LIVEcommunity - New periodic alert: Configuration size 19MB is above 80% of the maximum recommended configuration size 23MB for the platform. - LIVEcommunity - 592593

Summary:

Check first if the commands are available, Not sure in which version they were added:

find command keyword max-config-size
debug management-server max-config-size set size <1-500>
debug management-server max-config-size show