PA-2020 and number of rules

L0 Member

Hi,

I have a PA-2020 and 160 rules. The management plane is slow in responding. Management CPU is often 98%. Committing changes takes 10 minutes. From time to time the first commit fails with the error "Management server failed to send phase 1 to client websrvr". What is going wrong? Do too many rules affect performance?

Thanks,

Radoslaw

L7 Applicator

Hello Radoslaw,

I don't think you have too many policies on this firewall. The max numbers are given below:

admin@21-PA-2020> show system state | match policy
cfg.general.max-cp-policy-rule: 1000
cfg.general.max-di-nat-policy-rule: 6000
cfg.general.max-dip-nat-policy-rule: 200
cfg.general.max-dos-policy-rule: 1000
cfg.general.max-nat-policy-rule: 1000
cfg.general.max-oride-policy-rule: 1000
cfg.general.max-pbf-policy-rule: 500
cfg.general.max-policy-rule: 10000
cfg.general.max-qos-policy-rule: 1000
cfg.general.max-si-nat-policy-rule: 1000
cfg.general.max-ssl-policy-rule: 1000

Do you have custom signatures or custom URL filtering configured on this firewall? They could make the commit take longer than expected.

I would request you to verify the management plane resources of this PA-2020 firewall with the command mentioned below:

> show system resources follow

Please verify whether the management server or any other daemon is taking too many CPU cycles or too much memory.

For the time being you can apply this CLI command:

> debug software restart management-server

It will restart the management-server process and will not impact your production traffic (you will lose the SSH connection to the management plane for a few minutes). I hope it will improve the commit time or response time.

Thanks
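The two checks in this reply (compare the configured rule count against the platform limits from "show system state | match policy", then find which daemon is consuming the management-plane CPU in "show system resources") can be scripted against saved CLI output. The following is an added example written for this thread, not code from Palo Alto Networks or from the poster. The policy-limit text is the output quoted above verbatim; the "show system resources" sample is constructed for the example (PAN-OS prints it in a top-like layout, but every PID and percentage here is invented), and the 10% idle floor and 80% rule-utilization threshold are assumptions, not vendor guidance.

```python
import re
from typing import Dict, List, Optional, Tuple

# Output of "show system state | match policy" exactly as quoted in the reply
# above (platform policy limits of the PA-2020 in the thread).
SYSTEM_STATE_POLICY = """\
cfg.general.max-cp-policy-rule: 1000
cfg.general.max-di-nat-policy-rule: 6000
cfg.general.max-dip-nat-policy-rule: 200
cfg.general.max-dos-policy-rule: 1000
cfg.general.max-nat-policy-rule: 1000
cfg.general.max-oride-policy-rule: 1000
cfg.general.max-pbf-policy-rule: 500
cfg.general.max-policy-rule: 10000
cfg.general.max-qos-policy-rule: 1000
cfg.general.max-si-nat-policy-rule: 1000
cfg.general.max-ssl-policy-rule: 1000
"""

# CONSTRUCTED sample of "show system resources" output, which is top-like on
# PAN-OS. PIDs, percentages and memory figures are invented for this example;
# only the shape of the output is what the parser relies on.
SYSTEM_RESOURCES = """\
top - 10:15:32 up 12 days,  3:04,  1 user,  load average: 2.10, 1.98, 1.95
Tasks: 161 total,   2 running, 159 sleeping,   0 stopped,   0 zombie
Cpu(s): 95.3%us,  2.1%sy,  0.0%ni,  2.0%id,  0.6%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1024000k total,   980000k used,    44000k free,    12000k buffers
Swap:  2048000k total,   100000k used,  1948000k free,   300000k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2345 root      20   0  600m 380m  20m R 71.0 37.1 123:45.67 mgmtsrvr
 2410 root      20   0  250m 120m  10m S 18.5 11.7  45:10.02 logrcvr
 2500 root      20   0  180m  60m   8m S  4.0  5.9  10:00.00 useridd
 1010 root      20   0   80m  20m   4m S  0.7  2.0   1:02.33 sshd
"""

POLICY_LINE = re.compile(r"^\s*cfg\.general\.(max-[\w-]+):\s*(\d+)\s*$")
IDLE_FIELD = re.compile(r"(\d+(?:\.\d+)?)%id")


def parse_policy_limits(text: str) -> Dict[str, int]:
    """Map each cfg.general.max-*-policy-rule key to its integer limit."""
    limits: Dict[str, int] = {}
    for line in text.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def rule_utilization(limits: Dict[str, int], counts: Dict[str, int]) -> Dict[str, float]:
    """Percent of each platform limit consumed by the configured rule count."""
    return {
        key: round(100.0 * count / limits[key], 1)
        for key, count in counts.items()
        if key in limits and limits[key] > 0
    }


def cpu_idle_percent(text: str) -> Optional[float]:
    """Idle CPU percentage from the Cpu(s) summary line, or None if absent."""
    for line in text.splitlines():
        if line.startswith("Cpu(s):"):
            m = IDLE_FIELD.search(line)
            if m:
                return float(m.group(1))
    return None


def top_cpu_processes(text: str, n: int = 3) -> List[Tuple[str, float]]:
    """Processes from the top-style table sorted by %CPU, highest first."""
    rows: List[Tuple[str, float]] = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["PID"]:
            in_table = True  # header row: PID USER ... %CPU %MEM TIME+ COMMAND
            continue
        if in_table and len(fields) >= 12:
            rows.append((fields[11], float(fields[8])))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:n]


def diagnose(state_text: str, resources_text: str,
             rule_counts: Dict[str, int], idle_floor: float = 10.0) -> dict:
    """Combine both checks: rule count vs. limits, and who is eating mgmt CPU."""
    util = rule_utilization(parse_policy_limits(state_text), rule_counts)
    idle = cpu_idle_percent(resources_text)
    procs = top_cpu_processes(resources_text)
    findings: List[str] = []
    for key, pct in util.items():
        if pct >= 80.0:  # assumed threshold for "close to the platform limit"
            findings.append(f"{key}: {pct}% of platform limit used")
    if idle is not None and idle < idle_floor and procs:
        name, cpu = procs[0]
        findings.append(f"management CPU idle {idle}%: top consumer {name} at {cpu}% CPU")
    return {"policy_utilization": util, "cpu_idle": idle,
            "top_processes": procs, "findings": findings}


if __name__ == "__main__":
    # The original poster's situation: 160 security rules on this PA-2020.
    report = diagnose(SYSTEM_STATE_POLICY, SYSTEM_RESOURCES, {"max-policy-rule": 160})
    for line in report["findings"] or ["no findings"]:
        print(line)
```

With the thread's numbers, 160 security rules sit at 1.6% of the 10000-rule limit, so the rule count is not the finding; the script instead points at whichever daemon tops the process table when idle CPU is low, which is the question the "show system resources" step is meant to answer. Paste real CLI output into the two constants to run it against your own box.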

L7 Applicator

You will need to run show system resources and try to determine which process is responsible for the high CPU in the management plane.

Refer to this document for an overview.

https://live.paloaltonetworks.com/docs/DOC-4649

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

This is related to a lack of resources for the mgmt plane. There is an upgrade kit available if needed.

This can be caused by a lot of things: a lot of User-ID work that needs to be done, or even a lot of logging. If you have a few k of logs every minute then you'll notice slowness in the GUI and high CPU, since it is the mgmt plane that handles all the logging.

Kind regards

L4 Transporter

As far as I've been told, PA does not offer an upgrade kit for the 2000 series...

This issue is also being discussed in https://live.paloaltonetworks.com/thread/10099

L4 Transporter

My bad, there is indeed only an upgrade kit for the PA-500 available.

L4 Transporter

The PA2000 series is a joke and everyone that bought PA2000s should have their gear automatically replaced with either PA500s or PA3000s. In my humble opinion. The performance numbers on our PA2050 never hit published specs, ever, in extensive testing I did with Breaking Point, with a Breaking Point engineer present.
