Rule merge all results

Reply
L2 Linker

Re: Rule merge all results

I just thought I would respond with an update on this thread. While the 10 case merge is working there are some anomalies while using it. The one that shows up most is that sometimes instead of merging the 10 cases it will only do some of the cases. It seems to only show up after doing a bunch in a row so I am guessing maybe the system is not keeping up. In any case, I just wanted to throw that out there. Would still be nice to do more than 10 at a time as I am currently working on a firewall with 3700 cases.

 

Thanks.

L4 Transporter

Re: Rule merge all results

Would it be possible to share the project with us a fwmigrate at paloaltonetworks dot com?

 

Next week I will work on transfering this process into a background process, so it can run to merge as many cases as you may want to select.

 

Best,

L2 Linker

Re: Rule merge all results

We used the newest version of Expedition for our most recent migration.  We had an insane amount of problems.  Ultimately the problems corrupted the project(s) and we had to start over multiple times.  Some of this is due to lack of memory or system resources.   So after that project we increased the VMs memory and the up'd the php.ini memory to 512M.  We are going to be running tests with the same files this week to see if the memory increases help performance and stop corrupting the projects.  Corruption usually happened after a timeout/error...once that happened, 9 time out of 10 the project was useless.

 

Regarding the 10 cases at a time, if you click on all 10 cases it will populate the corresponding rules in the background, if you click 'merge' before they are fully populated then it will merge only the ones that made it into the view before you clicked merge.  We found that that if we highlighted 10 at a time, we had to wait a few seconds before doing the actual merge - if we clicked to soon, it would merge only a few of them.

L2 Linker

Re: Rule merge all results

Do you mean the project after it is in Expedition? Or just the ASA config file? Never had much luck with the export feature for projects that are this big from Expedition. I will need to check with the client to see if they are ok to send the file first but is there a way to send it encrypted?

 

Thanks.

L2 Linker

Re: Rule merge all results

For large projects like these is there a recommendation for the resources (processor, memory hdd space) the VM needs?

 

Thanks.

L4 Transporter

Re: Rule merge all results

recommended resources:

 

CPU or cores: 4

RAM: 16 GB

Storage for ML usage: 100 GB (minimum), recommended 1 TB (10 or more firewalls)

 

L2 Linker

Re: Rule merge all results

yeah, my clients Expedition deployment was bare minimum.  1.5Gb memory and 1 cpu.  We were able to process about 10,000 objects and about 2000 rules - it was slow and occassionally would time out on specific filter/queries but ultimately we got through it.  We tried a project with 14,000 objects and over 5000 rules (from 33 merged FW configs) and Expedition lost its mind every time - we had to break it down into smaller projects.  As well, the php.ini was still set to max memory of 128M

 

We just upped the VM memory to 4Gb and upped the php.ini to 512M....unfortunately not able to give it anymore CPUs at the moment.  Will be doing a new project friday to see how all the memory improvements will help Expedition not puke.

Trying to get my client ti up the VM to 8GB and at least 2 CPUs....not an easy task though.

L2 Linker

Re: Rule merge all results

Any updates this issue? It seems that it has kind of gotten worse in the last release. I have almost no luck selecting 10 cases where all of the cases get merged using the method of selecting the first one, holding down the shift key and selecting the 10th one. On the other hand, if I hold down the control key and select 10 cases that seems to always work but of course it is slower. And with 1000's of cases it is already slow.

L4 Transporter

Re: Rule merge all results

Could you share the project to replicate it on our side?

fwmigrate at paloaltonetworks dot com

L2 Linker

Re: Rule merge all results

@aporue  - have you tried upgrading the assinged Expedition resources?  The default resources Expedtion uses is quite low.  Once I upgraded the VM memory and increase the php memory buffer many annoying problems, timeouts and errors went away.

 

My configuration still has 1 cpu assigned, but it now has 4Gb of memory assigned and the php memory setting was changed from the default 128mb to 512mb and it makes a world of difference in performance.  if you assign more memory to the VM you will need to delete a certain file (you will need to look it up) that then recalculates assigned vm memory when expedition boots up.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!