topic Pa-2020 and number of rules in General Topics

Pa-2020 and number of rules

UMWL — Wed, 12 Feb 2014 22:11:49 GMT

Hi,

I have PA-2020 and 160 rules. Management plane is slow in responding. Management CPU is often 98%. Commiting changes takes 10 minutes. From time to time first commit fails with error "Management server failed to send phase 1 to client websrvr". What is going wrong? Too many rules affect performance?

Thanks,

Radoslaw

Re: Pa-2020 and number of rules

HULK — Thu, 13 Feb 2014 00:06:45 GMT

Hello Radoslaw,

I dont think you have too many policy on this firewall. The Max numbers are given below:

admin@21-PA-2020> show system state | match policy

cfg.general.max-cp-policy-rule: 1000

cfg.general.max-di-nat-policy-rule: 6000

cfg.general.max-dip-nat-policy-rule: 200

cfg.general.max-dos-policy-rule: 1000

cfg.general.max-nat-policy-rule: 1000

cfg.general.max-oride-policy-rule: 1000

cfg.general.max-pbf-policy-rule: 500

cfg.general.max-policy-rule: 10000

cfg.general.max-qos-policy-rule: 1000

cfg.general.max-si-nat-policy-rule: 1000

cfg.general.max-ssl-policy-rule: 1000

Do you have custom signature/custom URL filtering configured on this firewall, It could take longer commit time than expected.

I would request you to verify the management plane resources of this PA-2020 firewall with below mentioned command:

> show system resources follow ------- Please verify if management server or any other daemon taking much CPU cycle or memory.

For the time being you can apply CLI command:

> debug software restart management-server ----- It will reset the management-server process and it would not impact to your production traffic ( you will lost the SSH connection to the management-plane for few minute). I hope it will improve the commit time or response time.

Thanks

Re: Pa-2020 and number of rules

pulukas — Thu, 13 Feb 2014 00:06:46 GMT

You will need to run show system resources and try to determine which process is responsible for the high cpu in the management plane.

Refer to this document for an overview.

https://live.paloaltonetworks.com/docs/DOC-4649

Re: Pa-2020 and number of rules

${userLoginName} — Fri, 14 Mar 2014 11:54:31 GMT

This is related to a lack of resources for the mgmt plane. There is an upgrade kit available if needed.

This can be caused by a lot of things, a lot of User-ID that needs to be done, or even a lot of logging. If you have a few k of logs every minute then you'll notice slowness in the gui and high cpu, since it is the mgmt plane that handles all the logging.

Kind regards

Re: Pa-2020 and number of rules

dieter_b — Wed, 19 Mar 2014 08:37:51 GMT

As far as I've been told, PA does not offer an upgrade kit for the 2000 series...

This issue is also being discussed in https://live.paloaltonetworks.com/thread/10099

Re: Pa-2020 and number of rules

${userLoginName} — Wed, 19 Mar 2014 08:53:40 GMT

My bad, there is indeed only an upgrade kit for the PA-500 available

Re: Pa-2020 and number of rules

ericgearhart — Wed, 19 Mar 2014 15:08:45 GMT

The PA2000 series is a joke and everyone that bought PA2000s should have their gear automatically replaced with either PA500s or PA3000s. In my humble opinion. The performance numbers on our PA2050 never hit published specs, ever, with extensive testing I did with breaking Point. With a Breaking Point engineer present.