Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

New periodic alert: Configuration size 19MB is above 80% of the maximum recommended configuration size 23MB for the platform.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

New periodic alert: Configuration size 19MB is above 80% of the maximum recommended configuration size 23MB for the platform.

L3 Networker

Dear all,

 

since a couple of days I'm getting alerts like:

Configuration size 19MB is above 80% of the maximum recommended configuration size 23MB for the platform. Please consider removing unused configuration

 

I removed all old auto saved configs after upgrades, and the config size looks ok:
> show management-server last-committed config-size
392261 bytes

 

What seems to be strange is the size of the candidate configs;

> show management-server candidate config-size
20213190 bytes

 

Apparently there is no way to delete these, except may be TAC getting root access.

 

Did anyone else see this and found a solution?

 

Regards

   Andreas

11 REPLIES 11

Cyber Elite
Cyber Elite

@idelconsulting,

This isn't saved configurations that you may have on the device, it's regarding the actual size of the configuration file being utilized on the device. Assuming that you utilize Panorama, make sure you aren't pushing unused objects since that's a very quick way to run into this issue. You have to have a relatively large configuration to be at 19MB, and the quickest way to get there is having Panorama pushing unused objects.

L3 Networker

I'm not sing Panorama.

The firewall is locally managed.

And according to the CLI these are all candidate contigs, but no pending commit.

 

Regards,

  Andreas

L0 Member

Hi Andreas,

we're having the same issue with a vm platform (not panorama managed).

Disk space especially root partition is around 30% space left. 

 

I just opened a case with pan. 

 

The Supporter mentioned that a fix will be provided in 11.1.3.

 

For a workaround you could exclude the alert. From the logs setting > system, you can try to negate keywords. For example, "(severity eq critical) and not (description contains 'Configuration size')".

KR

Max

L3 Networker

Hi Max,

 

I'm running 11.1.3-h2 and the issue is not fixed yet.

 

Regards,

  Andreas

L3 Networker

Hello @M-WBERB , hope you are doing well. Did TAC provide a PAN-ID for the issue?

Hi @EdmarFrancis unfortunately not.

 

TAC only mentioned that this is known internally but sadly was not published as a known Issue with an Issue ID.

 

KR

L1 Bithead

Anyone found an Issue ID for this or seeing this problem in 11.1.4?

L0 Member

I was on 11.1.2-h3 and was seeing this alert.  I updated to 11.1.4.-h1 last night but still see a giant config file.

Same. I upgraded to 11.1.4h1 and opened a tac case, they just replied w/ same which is you must delete policies, nats, url lists or unused items to get below threshold. he said the max is 23MB and said its bigger on newer models. i check data specs and no mention of configuration size and when you google configuration size limit on palo, the response is 23MB for ALL NGFWs. You would think with all these new OS upgrades, they would have increased the size of the configuration space. 23MB ? smh.

L0 Member

Yeah, it’s pretty frustrating. You’d expect with all the advancements in the OS, they'd allow for larger config sizes, especially considering how complex setups can get these days. 23MB feels super limiting, and it's not like the hardware can't handle it, especially with newer models. I mean, deleting policies or NATs just to stay under a cap seems like an outdated solution. Hopefully, they address this soon in future updates.

L1 Bithead

just found out from SE, they advise against upgrading to 11.1.4h1 for PA850 due to the size of 11.x OS , it causes a performance hit when it approaches the config size limit since 11.x is bigger. they recommend staying at 10.2 /10.1 series

  • 3981 Views
  • 11 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!