topic Re: Determine configuration size on Palo Devices in General Topics

Determine configuration size on Palo Devices

dwmaas — Thu, 26 Jul 2018 15:53:55 GMT

Hi,

How can we determine the configuraiton file size on Palo Alto PA devices.

We wish to determine were our configuraiton size is compared to the recommened size for each PA type 5K 7k etc.

Thank you

Re: Determine configuration size on Palo Devices

Remo — Thu, 26 Jul 2018 16:22:05 GMT

@dwmaas

Where did you read something about a "recommended configuration file size"?

I don't think there is such a value. There are maximum values for objects and rules where if you reach such a max you should keep an eye on the cpu. If you have 65000 security policy rules on a PA-7050 your configuration file probably is pretty big, but the platform is theoretically made for that and (for whatever reason) 55000 rules could be disabled then the configuration is still big but this shouldn't have any impact on anything as the firewall only has to check 10000 rules for new connections. The same with objects. If you have configured 160000 objects on a 7050 but you use only a small part this does not mean a lot.

Re: Determine configuration size on Palo Devices

dwmaas — Thu, 26 Jul 2018 16:28:27 GMT

We were told my our Palo Alto Team that there are recommended config file size, and we have proven that going over that to much has performance impacts. We were told 35m for 5060, and 40m for 7050.

We had one that was almost 100m, and we experience management performance issues, with the mgmt service would crash anytime a push was done, and even on its own. Were were forced to move vsys off and increase our footprint of devices.

We are back to needed to know were we stand now, to make any further recommendations to leadership, or to move to another solution. I prefer we stick with Palo I am an advocate and love them myself.

Re: Determine configuration size on Palo Devices

Remo — Thu, 26 Jul 2018 16:36:15 GMT

Ok, yes from a management process/cpu perspective, this could have impacts. But if the process crashes this sounds more like a bug to me.

Anyway, do you have a lot of unused objects or disaabled firewallrules that you no longer need?

Re: Determine configuration size on Palo Devices

BPry — Thu, 26 Jul 2018 16:57:42 GMT

@dwmaas,

As @Remo mentioned the size of the configuration only effects the performance of the management process, as there is more information for it to process when doing certain actions such as the validate process. If the device is crashing when you do a commit, it sounds like the validate process is simply failing to process that large of a configuration.

As @Remo mentioned this would be a really good time to go through and look for unused objects, object groups, firewall rules, old admin accounts, and all the like to attempt to actually give the validation process a chance to breath.

When you say 100m what exactly are you referencing here? I'm assuming megabytes and not millions of lines? Either way I have to assume that you have large amounts of rules or objects that aren't being utilized. I mean, we're talking about an XML file, it's not like those take up a lot of space. Regardless if your talking about megabytes or millions of lines of configuration you'd still have millions of lines of configuration to get a file that large, which to avoid crossing platform limitations I would have to imagine you have a large part of that disabled or unused.

Re: Determine configuration size on Palo Devices

dwmaas — Thu, 02 Aug 2018 12:28:21 GMT

yes, megabytes, and found the way to get the apprx size

download and expand techsupport file and go to opt\pancfg\mgmt\saved-configs and look for the merged file.

Re: Determine configuration size on Palo Devices

begilmore — Mon, 04 Sep 2023 06:55:05 GMT

You can check the current size by following this KB:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlF4CAI&lang=en_US%E2%80%A9