article Memory Management Best Practices for ION1000, ION2000, ION1200 Platforms in Prisma SD-WAN Articles

article Memory Management Best Practices for ION1000, ION2000, ION1200 Platforms in Prisma SD-WAN Articles https://live.paloaltonetworks.com/t5/prisma-sd-wan-articles/memory-management-best-practices-for-ion1000-ion2000-ion1200/ta-p/1240163 <DIV class="lia-message-template-content-zone"> <P><FONT face="helvetica" size="3">This article provides guidance to customers with lower end ION Platform (ION1000, ION2000, ION1200) for memory management considerations prior to upgrading ION software.  </FONT></P> <P> </P> <P><U><FONT face="helvetica" size="3"><STRONG>1.  Introduction: Understanding Memory Considerations for ION Platforms</STRONG></FONT></U></P> <P class="lia-indent-padding-left-30px"><FONT face="helvetica" size="3"><SPAN>Lower end ION Platforms (ION1000, ION2000, ION1200) which are running ION Element SW series 5.x and currently using >80% of memory are at risk of experiencing unexpected reboots due to </SPAN>out-of-memory (OOM) errors<SPAN>.  The risk increases after upgrading from 5.6.x to 6.x due to overall software architecture difference between the release series. Prior to making any upgrade, it is important to ensure that an <A href="https://docs.paloaltonetworks.com/prisma-sd-wan/administration/get-started-with-prisma-sd-wan/device-activity-dashboard" target="_self">assessment of available system memory</A> is considered.  </SPAN></FONT><FONT face="helvetica" size="3"><SPAN>Memory exhaustion can occur in environments where customers have custom application definitions with a large prefix list, and or security policy rules with similarly large prefixes.   The compilation process is memory-intensive and can lead to out of memory issues with large or complex policies.  An Upgrade advisory has been added to our <A href="https://docs.paloaltonetworks.com/prisma-sd-wan/release-notes/5-6/prisma-sd-wan-ion-device-release-5-6/upgrade-or-downgrade-considerations-in-release-5-6" target="_self">release notes in the upgrade considerations</A> page.</SPAN></FONT></P> <P class="lia-indent-padding-left-30px"> </P> <P><U><FONT face="helvetica" size="3"><STRONG>2.  Proactive Configuration Best Practices for Memory Optimization</STRONG></FONT></U></P> <P class="lia-indent-padding-left-30px"><FONT face="helvetica" size="3"><SPAN>Implementing the below practices can help reduce memory exhaustion conditions and improve device stability on lower end ION Platforms</SPAN></FONT></P> <P class="lia-indent-padding-left-30px"> </P> <P class="lia-indent-padding-left-30px"><U><FONT face="helvetica" size="3"><STRONG>a.  General Guidelines</STRONG></FONT></U></P> <UL> <LI><FONT face="helvetica" size="3">Removing <A href="https://docs.paloaltonetworks.com/prisma-sd-wan/administration/prisma-sd-wan-stacked-policies/prisma-sd-wan-applications/configure-custom-applications" target="_self">Custom Applications</A>: Sanitize and trim the custom applications which are not in use, this can increase system available memory. </FONT> <UL> <LI><FONT face="helvetica" size="3">Regrouping the prefix which can accommodate in the larger subnet</FONT></LI> <LI><FONT face="helvetica" size="3">Remove unused prefix sets</FONT></LI> <LI><FONT face="helvetica" size="3">Review any custom apps that are configured as scan apps and ensure affinity is set to "None"</FONT></LI> <LI><FONT face="helvetica" size="3">Prior to making changes to prefix filters or custom applications assess the current memory utilization to determine risk.   </FONT></LI> </UL> </LI> <LI><FONT face="helvetica" size="3">Make changes during a maintenance window / off hours when usage should be lower.  There is the possibility of a reboot while implementing some of the changes below</FONT></LI> <LI><FONT face="helvetica" size="3">Consider moving a high number of <A href="https://docs.paloaltonetworks.com/prisma-sd-wan/administration/prisma-sd-wan-stacked-policies/prisma-sd-wan-applications/configure-custom-applications" target="_self">global prefixes to local prefixes</A></FONT></LI> </UL> <P class="lia-indent-padding-left-30px"><U><STRONG style="font-family: helvetica; font-size: medium; color: inherit;">b.  Specific considerations for managing Prefix lists and Custom Application Design</STRONG></U></P> <P class="lia-indent-padding-left-30px"> </P> <P class="lia-indent-padding-left-30px"><FONT face="helvetica" size="3"><STRONG>Prefix List Management:</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><FONT face="helvetica" size="3"><STRONG>Avoid full port ranges:</STRONG><SPAN> Do not add a full port range (1 to 65535) for custom applications which are not scan apps</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="helvetica" size="3"><STRONG>Minimize /32 prefixes:</STRONG><SPAN> Avoid adding too many /32 prefixes to existing custom applications, especially those that already use a full port range.</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="helvetica" size="3"><STRONG>Group local prefixes:</STRONG><SPAN> It is better to group local prefixes within an associated security policy and update them in a single operation.</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="helvetica" size="3"><STRONG>Optimize prefix list updates:</STRONG><SPAN> Design prefix list updates to be optimized for either their size or frequency to better handle scenarios where available memory is low.</SPAN></FONT></LI> </UL> <P class="lia-indent-padding-left-30px"><FONT face="helvetica" size="3"><A href="https://docs.paloaltonetworks.com/prisma-sd-wan/administration/prisma-sd-wan-stacked-policies/prisma-sd-wan-applications/configure-custom-applications" target="_blank" rel="noopener"><STRONG>Custom Application Design</STRONG></A></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><FONT face="helvetica" size="3"><STRONG>Set </STRONG><STRONG>path_affinity</STRONG><STRONG>:</STRONG><SPAN> If strict affinity is not required, set </SPAN><SPAN>path_affinity=none</SPAN><SPAN> as the default value.</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="helvetica" size="3"><STRONG>Set </STRONG><STRONG>app_unreachability</STRONG><STRONG>:</STRONG><SPAN> If application unreachability is not required, set </SPAN><SPAN>app_unreachability=false</SPAN><SPAN> as the default value.</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><FONT face="helvetica" size="3"><STRONG>Use only needed ports for custom apps:</STRONG><SPAN> When defining custom applications, specify only the necessary ports rather than using full port ranges (1 to 65535). This approach can reduce the memory footprint and maintain application visibility. However, identifying the exact ports used can be challenging, requiring an understanding of the application's purpose and usage, and may necessitate freezing port ranges to current configurations.</SPAN></FONT></LI> </UL> <P class="lia-indent-padding-left-30px"><U><FONT face="helvetica" size="3"><STRONG>c.  Important Considerations and Potential Impacts</STRONG></FONT></U></P> <UL> <LI style="font-weight: 400;" aria-level="1"><FONT face="helvetica" size="3"><STRONG>Application Visibility:</STRONG><SPAN> Moving to a security policy with a local prefix (without AppDef) will result in </SPAN><STRONG>limited application-specific visibility</STRONG><SPAN>. For example, in "flow browser," you will only be able to view flows by source IP rather than by AppDef. Application health visibility will be lost until the AppDef is recreated and added back into the policy.</SPAN></FONT></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG style="font-family: helvetica; font-size: medium;">Traffic Steering and Dropping:</STRONG><SPAN> Without AppDef, you will not be able to steer custom application traffic. If someone unintentionally adds a security rule above this with DENY for these prefixes but with other applications, the custom application traffic would be dropped.</SPAN></LI> </UL> </DIV> Thu, 23 Oct 2025 15:27:08 GMT rronco 2025-10-23T15:27:08Z Memory Management Best Practices for ION1000, ION2000, ION1200 Platforms https://live.paloaltonetworks.com/t5/prisma-sd-wan-articles/memory-management-best-practices-for-ion1000-ion2000-ion1200/ta-p/1240163 <P>Learn about Memory Management Considerations for the ION1000, ION2000, ION1200 Platforms</P> Thu, 23 Oct 2025 15:27:08 GMT https://live.paloaltonetworks.com/t5/prisma-sd-wan-articles/memory-management-best-practices-for-ion1000-ion2000-ion1200/ta-p/1240163 rronco 2025-10-23T15:27:08Z