Reducing Management Plane Load (pt. 2)

Community Team Member

Reducing Management Plane Load

Palo Alto Networks knows very well how additional remote users can slow down your web interface. The LIVEcommunity shows you how to reduce the management plane load with good tips and tricks. Find answers on LIVEcommunity.



Last week, I outlined how to reduce the management plane (MP) load with some tips and tricks. Let's continue with a few more tips that you can add to your bag of tricks to reduce the load on the management plane.


A common cause of high load on the management plane is automated processes running in the background. Some of these can be tuned to run less frequently if they are causing issues. One such process is the periodic refresh of FQDN objects used in the policy, which triggers DNS lookups to refresh the associated IP addresses. If the management plane is already taxed, these refreshes could cause spikes. The frequency can be decreased by setting the refresh time to a longer timeframe, up to four hours for regular refreshes and 24 hours for a full refresh.


> configure 
Entering configuration mode
# set deviceconfig system fqdn-refresh-time <600-14399>
# set deviceconfig system fqdn-forcerefresh-time <14400-86400>


Last week, I also discussed disabling logging for certain applications that are very chatty but do not necessarily require extensive logging. This can also be applied to more generic rules like intrazone policies where traffic logging may not be essential.


Policies that require detailed logging should have only log at session end enabled, as log at session start could cause several logs to be generated for a single session. The application identified for a WebEx session, for example, may change several times over the course of the session: from TLS/SSL to web-browsing, to WebEx, to WebEx Desktop, and so on. This will create several log-at-start entries, one for every time the session shifts into a different application.
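To find which rules would benefit most from end-only logging, the sketch below counts start and end entries per rule in a traffic log sample. It is an added example, not code from the original post or from Palo Alto Networks; the CSV column names, rule names and log rows are constructed for illustration and do not follow the firewall's export layout.

```python
import csv
from collections import Counter, defaultdict

# Constructed sample: a simplified CSV with made-up column names and rules,
# NOT the PAN-OS export layout. Map your own export's columns onto these four.
SAMPLE_LOG = """\
session_id,subtype,app,rule
1001,start,ssl,allow-conferencing
1001,start,web-browsing,allow-conferencing
1001,start,webex,allow-conferencing
1001,start,webex-desktop,allow-conferencing
1001,end,webex-desktop,allow-conferencing
1002,start,dns,allow-dns
1002,end,dns,allow-dns
1003,end,ssl,allow-web
"""


def start_log_overhead(log_text):
    """Return {rule: (sessions, start_logs, end_logs)} from traffic log rows."""
    sessions = defaultdict(set)   # rule -> distinct session ids
    starts = Counter()            # rule -> log-at-start entries
    ends = Counter()              # rule -> log-at-end entries
    for row in csv.DictReader(log_text.splitlines()):
        rule = row["rule"]
        sessions[rule].add(row["session_id"])
        if row["subtype"] == "start":
            starts[rule] += 1
        elif row["subtype"] == "end":
            ends[rule] += 1
    return {r: (len(s), starts[r], ends[r]) for r, s in sessions.items()}


def report(log_text):
    """Rank rules by start-log volume; show what end-only logging removes."""
    stats = start_log_overhead(log_text)
    ranked = sorted(stats.items(), key=lambda kv: kv[1][1], reverse=True)
    lines = []
    for rule, (n_sessions, n_start, n_end) in ranked:
        total = n_start + n_end
        saved = 100 * n_start // total if total else 0
        lines.append(f"{rule}: {n_sessions} sessions, {n_start} start + "
                     f"{n_end} end logs, end-only removes {saved}%")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Rules at the top of the report are the ones where a single session produces many start entries, which is the pattern described for WebEx above.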


In larger or more complex LDAP environments, User Identification and, more specifically, group mapping can put a significant strain on the system when large numbers of group objects are loaded onto the firewall. Reducing the number of group objects by filtering the LDAP query results down to only the groups used in policy can also decrease the load on the management plane.


To accomplish this, after creating an LDAP profile to retrieve LDAP information from a server, a User Identification Group Mapping filter can be created.


User Identification > Devices > Group Mapping Settings


Additional filters can be added, so only users and groups containing the appropriate entries are stored. In the example below, users need to have the string 'WebUser' in their description field to get added.


Group Mapping where Search Filter is Description=webuser


Specific groups can also be selected as a sole source of user information.


Group Include List


Here is another trick to reduce the MP load, as a best practice during times of high load.

It may be beneficial for administrators to not have the ACC or log monitoring open and set to auto refresh, as this queries the log database and recompiles the output on screen every few seconds.


I hope these tips will come in handy and help you keep the load down on your firewall's management plane.


Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog.


As always, we welcome all comments and feedback in the comments section below.


Stay Secure,
Kiwi out!
