Reducing Management Plane Load (pt. 1)

CPU load on the management plane (MP) can get quite high and can in turn lead to other issues. With this in mind, it might be necessary to reduce the load on the MP. We'll cover some ways to reduce MP CPU usage.

A common cause of a high MP CPU load is logging and reporting.

By default, every session is logged at the end. Additionally, you can opt to enable logging from the start for better visibility on the morphology of applications traversing the firewall or to simply have more data available for forensic analysis. You may also be required to log the drop-all rule at the end of the policy. These options and more logging actions cause the logrcvr process to consume more resources.

Security Policy Log Setting

To enable the system to produce reports easier, there are several helper processes that come into play to process and prepare the log files for later report generation. These helper processes consume even more resources as more logs must be processed.

 top - 12:05:07 up 511 days, 23:31,  0 users,  load average: 5.59, 5.76, 5.86
Tasks:  96 total,   2 running,  93 sleeping,   1 stopped,   0 zombie
Cpu(s): 28.5%us, 54.4%sy,  3.7%ni, 11.7%id,  0.1%wa,  0.1%hi,  1.5%si,  0.0%st
Mem:    995888k total,   937788k used,    58100k free,    47356k buffers
Swap:  2008084k total,   981484k used,  1026600k free,    91776k cached
  
PID   USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
2336  root      20   0  287m  77m 2100 S  112  8.0   1:16:58 logrcvr            
2307  root      20   0 1014m 132m 2656 S   73 13.6   1:41:41 mgmtsrvr           
26958 root      30  10  3996 1128  920 R    8  0.1   1:24.12 genindex.sh        
8811  root      30  10  4468 1020  800 R    1  0.1   0:00.18 top                
1     root      20   0  1836  552  528 S    0  0.1   0:08.07 init               
2     root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd           

When the management plane is experiencing a continuous high load and you need to reduce the load, then you might want to consider reducing logging. Below are a few options for reducing logging.

• Some applications may not be critical enough to be logged all the time. For example, DNS tends to be extremely chatty, causing a lot of log files to be generated, which may not be vital to the organization: 

NOTE: That threat logs are generated by threat protection, so disabling logging in the security policy only stops generating traffic logs.

• Some URL categories may be benign and permissible within the organization, so setting the URL filtering action to allow prevents a URL log from being created each time an allowed category is accessed:

• Report generation can also consume  considerable resources, while some pre-defined reports may not be useful to the organization, or they've been replaced by a custom report. These pre-defined reports can be disabled from
  Device > Setup > Logging and Reporting Settings

Logging and Reporting Settings Pre-Defined Reports

There are more ways to reduce the MP load and not all of these will be considered best practice but they might be necessary if the load on your device is too high.

Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

As always, we welcome all comments and feedback in the comments section below.

Stay Secure,
Kiwi out!