How can we determine the configuration file size on Palo Alto PA devices?
We wish to determine where our configuration size is compared to the recommended size for each PA type (5K, 7K, etc.).
Where did you read something about a "recommended configuration file size"?
I don't think there is such a value. There are maximum values for objects and rules, where if you reach such a max you should keep an eye on the CPU. If you have 65000 security policy rules on a PA-7050, your configuration file probably is pretty big, but the platform is theoretically made for that, and (for whatever reason) 55000 rules could be disabled; then the configuration is still big, but this shouldn't have any impact on anything, as the firewall only has to check 10000 rules for new connections. The same with objects. If you have configured 160000 objects on a 7050 but you use only a small part, this does not mean a lot.
We were told by our Palo Alto team that there is a recommended config file size, and we have proven that going over that too much has performance impacts. We were told 35m for 5060, and 40m for 7050.
We had one that was almost 100m, and we experienced management performance issues, where the mgmt service would crash anytime a push was done, and even on its own. We were forced to move vsys off and increase our footprint of devices.
We are back to needing to know where we stand now, to make any further recommendations to leadership, or to move to another solution. I prefer we stick with Palo; I am an advocate and love them myself.
Ok, yes from a management process/cpu perspective, this could have impacts. But if the process crashes this sounds more like a bug to me.
Anyway, do you have a lot of unused objects or disabled firewall rules that you no longer need?
As @vsys_remo mentioned, the size of the configuration only affects the performance of the management process, as there is more information for it to process when doing certain actions such as the validate process. If the device is crashing when you do a commit, it sounds like the validate process is simply failing to process that large of a configuration.
As @vsys_remo mentioned, this would be a really good time to go through and look for unused objects, object groups, firewall rules, old admin accounts, and all the like to attempt to actually give the validation process a chance to breathe.
When you say 100m, what exactly are you referencing here? I'm assuming megabytes and not millions of lines? Either way, I have to assume that you have large amounts of rules or objects that aren't being utilized. I mean, we're talking about an XML file; it's not like those take up a lot of space. Regardless of whether you're talking about megabytes or millions of lines of configuration, you'd still have millions of lines of configuration to get a file that large, which, to avoid crossing platform limitations, I would have to imagine you have a large part of that disabled or unused.
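The cleanup review suggested in the replies above can be run offline against an exported configuration file. The script below is an added example, not posted by any participant in this thread and not Palo Alto code. It assumes the export follows the usual PAN-OS XML layout (`address/entry` objects, `rulebase/security/rules/entry` rules with `<disabled>yes</disabled>`); the `summarize` function and the sample data are constructed for illustration, and Panorama pre/post rulebases, NAT rules and shared objects are not covered.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed, simplified sample in the layout of a PAN-OS XML config export.
SAMPLE = b"""<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1">
  <address>
    <entry name="web1"><ip-netmask>10.0.0.10/32</ip-netmask></entry>
    <entry name="old-db"><ip-netmask>10.0.9.5/32</ip-netmask></entry>
    <entry name="lab-host"><ip-netmask>10.0.7.7/32</ip-netmask></entry>
  </address>
  <rulebase><security><rules>
    <entry name="allow-web"><source><member>any</member></source>
      <destination><member>web1</member></destination></entry>
    <entry name="legacy-db"><source><member>any</member></source>
      <destination><member>old-db</member></destination>
      <disabled>yes</disabled></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

def summarize(xml_bytes):
    """Return the export size and cleanup candidates for one configuration."""
    root = ET.fromstring(xml_bytes)
    rules = root.findall(".//rulebase/security/rules/entry")
    disabled = [r for r in rules if r.findtext("disabled") == "yes"]
    objects = {e.get("name") for e in root.findall(".//address/entry")}
    # <member> elements that sit inside disabled rules, tracked by identity.
    dead = {id(m) for r in disabled for m in r.iter("member")}
    refs_all = {m.text for m in root.iter("member")}
    # References from enabled rules, address groups and everything else.
    refs_live = {m.text for m in root.iter("member") if id(m) not in dead}
    return {
        "bytes": len(xml_bytes),
        "rules": len(rules),
        "disabled_rules": sorted(r.get("name") for r in disabled),
        "unreferenced_objects": sorted(objects - refs_all),
        "only_in_disabled_rules": sorted((objects & refs_all) - refs_live),
    }

if __name__ == "__main__":
    # Pass the path of an exported config; without one, the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in summarize(data).items():
        print(f"{key}: {value}")
```

The byte count is the size of the exported file only, and every listed object or rule is a candidate for manual review, not confirmation that it is safe to delete.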