Determine configuration size on Palo Devices

L2 Linker

Hi,

How can we determine the configuration file size on Palo Alto PA devices?

We wish to determine where our configuration size is compared to the recommended size for each PA type, 5K, 7K, etc.

Thank you

Cyber Elite

@dwmaas

Where did you read something about a "recommended configuration file size"?

I don't think there is such a value. There are maximum values for objects and rules, where if you reach such a max you should keep an eye on the CPU. If you have 65000 security policy rules on a PA-7050, your configuration file probably is pretty big, but the platform is theoretically made for that, and (for whatever reason) 55000 rules could be disabled; then the configuration is still big, but this shouldn't have any impact on anything, as the firewall only has to check 10000 rules for new connections. The same with objects. If you have configured 160000 objects on a 7050 but you use only a small part, this does not mean a lot.

L2 Linker

We were told by our Palo Alto team that there are recommended config file sizes, and we have proven that going over that too much has performance impacts. We were told 35m for 5060, and 40m for 7050.

We had one that was almost 100m, and we experienced management performance issues; the mgmt service would crash anytime a push was done, and even on its own. We were forced to move vsys off and increase our footprint of devices.

We are back to needing to know where we stand now, to make any further recommendations to leadership, or to move to another solution. I prefer we stick with Palo; I am an advocate and love them myself.

Cyber Elite

Ok, yes from a management process/cpu perspective, this could have impacts. But if the process crashes this sounds more like a bug to me.

Anyway, do you have a lot of unused objects or disabled firewall rules that you no longer need?

Cyber Elite

@dwmaas,

As @vsys_remo mentioned, the size of the configuration only affects the performance of the management process, as there is more information for it to process when doing certain actions such as the validate process. If the device is crashing when you do a commit, it sounds like the validate process is simply failing to process that large of a configuration.

As @vsys_remo mentioned, this would be a really good time to go through and look for unused objects, object groups, firewall rules, old admin accounts, and all the like to attempt to actually give the validation process a chance to breathe.

When you say 100m, what exactly are you referencing here? I'm assuming megabytes and not millions of lines? Either way, I have to assume that you have large amounts of rules or objects that aren't being utilized. I mean, we're talking about an XML file; it's not like those take up a lot of space. Regardless of whether you're talking about megabytes or millions of lines of configuration, you'd still have millions of lines of configuration to get a file that large, which, to avoid crossing platform limitations, I would have to imagine you have a large part of that disabled or unused.

L2 Linker

Yes, megabytes, and found the way to get the approx. size:

Download and expand the techsupport file, go to opt\pancfg\mgmt\saved-configs, and look for the merged file.
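
The procedure from the last post, as an added example that is not part of the original thread or any Palo Alto tooling: it reads the tech-support bundle without unpacking it, reports the size of each merged config, and counts the disabled rules the earlier replies suggest reviewing. Assumptions: the bundle is a tar archive (optionally compressed), the merged file has "merged" in its name, disabled rules carry `<disabled>yes</disabled>`, and the function names and sample file name are hypothetical; the 35/40 MB figures are the ones the poster says they were told.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

SAVED_CONFIGS = "opt/pancfg/mgmt/saved-configs"  # directory named in the thread
QUOTED_MB = {"5060": 35, "7050": 40}  # sizes the poster was told, not documented limits


def merged_config_report(bundle, model=None):
    """Size and rule counts for each merged config in a tech-support tarball.

    bundle is a binary file object; model is an optional key of QUOTED_MB.
    """
    report = []
    with tarfile.open(fileobj=bundle, mode="r:*") as tar:
        for member in tar:
            name = member.name.replace("\\", "/")
            base = name.rsplit("/", 1)[-1]
            # Assumption: the merged file is identified by "merged" in its name
            if not (member.isfile() and SAVED_CONFIGS in name and "merged" in base):
                continue
            root = ET.parse(tar.extractfile(member)).getroot()
            # Each <entry> directly under a <rules> element is one policy rule
            rules = [e for r in root.iter("rules") for e in r.findall("entry")]
            disabled = sum(1 for e in rules if e.findtext("disabled") == "yes")
            size_mb = member.size / 1_000_000  # decimal megabytes
            limit = QUOTED_MB.get(model)
            report.append({"file": name, "size_mb": size_mb, "rules": len(rules),
                           "disabled_rules": disabled,
                           "over_quoted_size": limit is not None and size_mb > limit})
    return report


def constructed_bundle():
    """Tiny in-memory tarball holding a constructed config, for demonstration only."""
    xml = (b"<config><rulebase><security><rules>"
           b"<entry name='allow-web'><action>allow</action></entry>"
           b"<entry name='old-ftp'><disabled>yes</disabled></entry>"
           b"</rules></security></rulebase></config>")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./" + SAVED_CONFIGS + "/constructed-merged-config.xml")
        info.size = len(xml)
        tar.addfile(info, io.BytesIO(xml))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for row in merged_config_report(constructed_bundle(), model="7050"):
        print(row)
```

For a real bundle, pass `open(path, "rb")` instead of `constructed_bundle()`; the whole XML is parsed in memory, so run it on a workstation rather than anything resource-constrained.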
