PA-500 - Insane Commit Times

L4 Transporter

PA-500 - Insane Commit Times

We have a PA-500 running 4.1.11.

I wouldn't say we do anything special, it has some certs installed for forward and reverse SSL decryption, we do dynamic URL filtering and probably have something like 30 security policies in place on it and at any given time in terms of admin nobody is doing anything.

Commit times seem insane.  I don't think I've ever had a commit happen in less than 5 minutes and on Friday I did a commit having added a URL to a URL Category and it took 20 minutes to do the commit.

Is there any way of checking just why it would take so long?  It's always been my biggest issue with Palo Alto.

Our supplier said some of their customers had found the memory upgrade made a difference but it isn't a cheap option and I'd like to understand exactly what increasing the memory improves in terms of performance.

I am planning on upgrading to the latest 5.x release in the next week or so if that is likely to improve things.

Thanks

L4 Transporter

Re: PA-500 - Insane Commit Times

nrice had said in another post you can help determine where the delay is by watching the commit process with the CLI command:

> tail follow yes mp-log ms.log

I have not tried it.

L6 Presenter

Re: PA-500 - Insane Commit Times

PA-500 Management Memory Upgrade Procedure

I can say that there will be about 20% improvement in commit time. But 20 minutes is completely an issue....

It will be better to open a case after the 5.0.x upgrade (if it still happens).

L7 Applicator

Re: PA-500 - Insane Commit Times

Hello Sir,

Could you please check the status of the mgmtsrvr process on the management plane? The mgmtsrvr daemon is responsible for handling commits on the PAN firewall.

Use the CLI command

> show system resources

to verify the mgmtsrvr CPU/memory utilization. If you see any abnormalities, you can restart the mgmtsrvr process and verify the commit time.

The command to reset the management-server process from the CLI:

> debug software restart management-server

Although it should not impact your production traffic, I would recommend running this command after business hours.

As per the previous recommendation, please verify the ms-log also.

Thanks
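The check described in the post above, as an added example that is not part of the original thread: a small parser for saved `show system resources` output (which is top-style) that flags the mgmtsrvr process. The sample output, the thresholds and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of `show system resources` output (top-style); not from a real device.
SAMPLE = """\
top - 10:15:01 up 41 days,  3:02,  1 user,  load average: 1.20, 0.98, 0.75
Mem:    995872k total,   960124k used,    35748k free,    10412k buffers
Swap:  2212876k total,   612340k used,  1600536k free,   180224k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2301 root      20   0  720m 310m  12m S 92.0 31.9 310:12.44 mgmtsrvr
 2288 root      20   0  150m  40m 8000 S  3.0  4.1  12:01.10 devsrvr
"""

# Assumed thresholds for "abnormal"; tune them to your own baseline.
CPU_LIMIT, MEM_LIMIT, SWAP_LIMIT = 80.0, 30.0, 25.0


def parse_resources(text):
    """Return (swap_used_percent, {command: (cpu_percent, mem_percent)})."""
    swap_pct = 0.0
    m = re.search(r"Swap:\s*(\d+)k total,\s*(\d+)k used", text)
    if m and int(m.group(1)) > 0:
        swap_pct = 100.0 * int(m.group(2)) / int(m.group(1))
    procs, cpu_i, mem_i = {}, None, None
    for line in text.splitlines():
        cols = line.split()
        if cols[:2] == ["PID", "USER"]:
            # Locate the columns from the header instead of hard-coding positions.
            cpu_i, mem_i = cols.index("%CPU"), cols.index("%MEM")
        elif cpu_i is not None and len(cols) > mem_i and cols[0].isdigit():
            procs[cols[-1]] = (float(cols[cpu_i]), float(cols[mem_i]))
    return swap_pct, procs


def check_mgmtsrvr(text):
    """List reasons mgmtsrvr looks unhealthy (empty list means nothing flagged)."""
    swap_pct, procs = parse_resources(text)
    if "mgmtsrvr" not in procs:
        return ["mgmtsrvr not found in process list"]
    cpu, mem = procs["mgmtsrvr"]
    findings = []
    if cpu > CPU_LIMIT:
        findings.append(f"mgmtsrvr CPU {cpu:.1f}% exceeds {CPU_LIMIT:.0f}%")
    if mem > MEM_LIMIT:
        findings.append(f"mgmtsrvr memory {mem:.1f}% exceeds {MEM_LIMIT:.0f}%")
    if swap_pct > SWAP_LIMIT:
        findings.append(f"swap {swap_pct:.1f}% used: management plane short of RAM")
    return findings


if __name__ == "__main__":
    print("\n".join(check_mgmtsrvr(SAMPLE)) or "nothing flagged")
```

Running it against captures taken before and during a commit shows whether mgmtsrvr itself or management-plane memory is the constraint.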

L5 Sessionator

Re: PA-500 - Insane Commit Times

Before tailing the ms.log

> tail follow yes mp-log ms.log

please enable the following debugs:

> debug management-server on debug

> debug management-server set commit all

> debug management-server set cfg all

The following doc will help as well:

https://live.paloaltonetworks.com/docs/DOC-4649

L4 Transporter

Re: PA-500 - Insane Commit Times

I saw a significant improvement in commit times by purchasing the memory upgrade for the PA500. Highly recommend it.

Hope that helps,

Bob


Re: PA-500 - Insane Commit Times

And check if you have custom Applications.

Custom Apps will increase the commit time by about a factor of 5.

Marco

L7 Applicator

Re: PA-500 - Insane Commit Times

This is a good point.  If your candidate configuration contains a new or modified custom App-ID or custom Vulnerability signature, then those signatures must be re-compiled (along with Palo Alto Networks' signatures) upon commit.  That compilation process will add quite a bit of time to a standard commit process (on PA-200/500/2000 platforms).  The additional compilation time is negligible on the higher-end platforms (3000/4000/5000). 

L4 Transporter

Re: PA-500 - Insane Commit Times

We have a 5050 so I don't know about the other platforms except through training. I think in training we were using the 200 and it was very slow with commits. On the 5050, the first commit after you create a custom sig, it takes a longer time, but succeeding commits are the same. Are you saying that the commit times become increasingly slower on the other platforms with the creation of custom apps?

In networkadmin's original post he said "Commit times seem insane.  I don't think I've ever had a commit happen in less than 5 minutes and on Friday I did a commit having added a URL to a URL Category and it took 20 minutes to do the commit." - On the 5050 it also takes considerably longer after adding a URL to the URL category, but only on the initial commit, but it goes back to normal after that.

L7 Applicator

Re: PA-500 - Insane Commit Times

Commit times will be extended if you add or edit a custom signature.  However, subsequent commits will return to "normal" because you're not adding/editing more custom signatures.  This is true for all platforms.

I haven't noticed extended commit times when adding a URL to a custom URL category.
