High Loads on Management CPU

by 3 weeks ago - last edited 2 weeks ago (878 Views)

Seeing a high management CPU load is a recurring topic that gives many administrators headaches. I'm not saying you can safely ignore all these events, but a high load on the management CPU is not uncommon when performing certain tasks on the firewall.

Last week community member jprovine posted an interesting question regarding high management plane CPU load:

[Image: Discussion forum]

So, before getting all worked up like Vegeta in the illustration below, try figuring out what's causing the high load.

[Image: It's over 9000!]

Is the high load always present, or only when doing specific tasks?

Some examples that can cause spikes:

  • Watching the ACC can cause high spikes in the management CPU because it queries the log database and recompiles the output on screen.
  • Commits are known to cause high CPU spikes. A lot depends on your configuration versus your hardware, of course. The more objects, rules, etc. your firewall needs to compile during a commit, the more likely it is that you will get a spike in CPU. This mostly happens in phase1 of your commit. The load should go down after phase1 is complete.

It gets a little more challenging when the load is always there. There are a couple of tips and tricks you can use to reduce the management CPU load in general.

Some of these tips involve changing your logging behaviour or disabling some of the pre-defined reports. These are explained in more detail here:

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Reducing-Management-Plane-Loa...

Tuning down specific processes or using filters in your LDAP queries are other great ways to help reduce the management CPU load.  More details can be found in this article:

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Reducing-Management-Plane-Loa...

As usual, I hope this was helpful! Feel free to leave any comments or questions below.

Thanks to @jprovine, @Brandon_Wertz and @BPry for contributing to the discussion!

That's it for me ... Kiwi out!

Comments
by jprovine
3 weeks ago

@kiwi

Thanks for the comment kiwi, so are you saying this is normal for certain activities and can not be fixed? It also happens during the commit preview as well. It seems to have gotten worse over time and we only have 409 rules which I don't think is a lot compared to other organizations. 

by
3 weeks ago

Hi @jprovine,

If the spikes are short-lived and happening during commits or preview commits then it's likely related to the number of objects on your device.  409 rules is actually quite a lot ... I'm just comparing to the thousands of cases I worked with several hundreds of customers.

That said, I don't know the environment you are in and you might actually need all those ^_^

by jprovine
3 weeks ago

@kiwi

Believe it or not kiwi we used to have over 1000 rules but I have been able to remove over 600 in the last year.  The rules were migrated from an ASA 5510. But one thing I don't understand is that the commits were not as slow when we had over 1000 rules as they are now. So why is the typical number of rules used?

Yes, there are spikes in the CPU; it is not consistently high. In fact, outside of the commit previews, commits, using the ACC and also logging into the box, the management CPU runs about 2-10%.

So all that being said, should I be concerned about the high CPU? Is there anything I can do to pinpoint the cause and/or do something about it and reduce it?
