Pa-2020 and number of rules

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Pa-2020 and number of rules

L0 Member

Hi,

I have PA-2020 and 160 rules. Management plane is slow in responding. Management CPU is often 98%. Commiting changes takes 10 minutes. From time to time first commit fails with error "Management server failed to send phase 1 to client websrvr". What is going wrong? Too many rules affect performance?

Thanks,

Radoslaw

6 REPLIES 6

L7 Applicator

Hello Radoslaw,

I dont think you have too many policy on this firewall. The Max numbers are given below:

admin@21-PA-2020> show system state | match policy

cfg.general.max-cp-policy-rule: 1000

cfg.general.max-di-nat-policy-rule: 6000

cfg.general.max-dip-nat-policy-rule: 200

cfg.general.max-dos-policy-rule: 1000

cfg.general.max-nat-policy-rule: 1000

cfg.general.max-oride-policy-rule: 1000

cfg.general.max-pbf-policy-rule: 500

cfg.general.max-policy-rule: 10000

cfg.general.max-qos-policy-rule: 1000

cfg.general.max-si-nat-policy-rule: 1000

cfg.general.max-ssl-policy-rule: 1000

Do you have custom signature/custom URL filtering configured on this firewall, It could take longer commit time than expected.

I would request you to verify the management plane resources of this PA-2020 firewall with below mentioned command:

> show system resources follow    ------- Please verify if management server or any other daemon taking much CPU cycle or memory.

For the time being you can apply CLI command:

  > debug software restart management-server  ----- It will reset the management-server process and it would not impact to your production traffic ( you will lost the SSH connection to the management-plane for few minute). I hope it will improve the commit time or response time.

Thanks

L7 Applicator

You will need to run show system resources and try to determine which process is responsible for the high cpu in the management plane.

Refer to this document for an overview.

https://live.paloaltonetworks.com/docs/DOC-4649

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

This is related to a lack of resources for the mgmt plane. There is an upgrade kit available if needed.

This can be caused by a lot of things, a lot of User-ID that needs to be done, or even a lot of logging. If you have a few k of logs every minute then you'll notice slowness in the gui and high cpu, since it is the mgmt plane that handles all the logging.

Kind regards

As far as I've been told, PA does not offer an upgrade kit for the 2000 series...

This issue is also being discussed in https://live.paloaltonetworks.com/thread/10099

My bad, there is indeed only an upgrade kit for the PA-500 available

The PA2000 series is a joke and everyone that bought PA2000s should have their gear automatically replaced with either PA500s or PA3000s. In my humble opinion. The performance numbers on our PA2050 never hit published specs, ever, with extensive testing I did with breaking Point. With a Breaking Point engineer present.

  • 3876 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!