01-13-2014 09:42 AM
We have a PA-500 running 4.1.11.
I wouldn't say we do anything special. It has some certs installed for forward and reverse SSL decryption, we do dynamic URL filtering, and we probably have something like 30 security policies in place on it. At any given time, in terms of admin, nobody is doing anything.
Commit times seem insane. I don't think I've ever had a commit happen in less than 5 minutes and on Friday I did a commit having added a URL to a URL Category and it took 20 minutes to do the commit.
Is there any way of checking just why it would take so long? It's always been my biggest issue with Palo Alto.
Our supplier said some of their customers had found the memory upgrade made a difference but it isn't a cheap option and I'd like to understand exactly what increasing the memory improves in terms of performance.
I am planning on upgrading to the latest 5.x release in the next week or so if that is likely to improve things.
Thanks
01-13-2014 01:01 PM
nrice had said in another post you can help determine where the delay is by watching the commit process with the CLI command:
> tail follow yes mp-log ms.log
I have not tried it.
01-13-2014 01:34 PM
PA-500 Management Memory Upgrade Procedure
I can say that there will be about 20% improvement in commit time. But 20 minutes is completely an issue....
It will be better to open a case after the 5.0.x upgrade (if it still happens).
01-13-2014 01:34 PM
Hello Sir,
Could you please check the status of the mgmtsrvr process on the management plane? The mgmtsrvr daemon is responsible for handling commits on the PAN firewall.
Use the CLI command below to verify the mgmtsrvr CPU/memory utilization. If you see any abnormalities, you can restart the mgmtsrvr process and verify the commit time.
> show system resources
Command to reset the management-server process from the CLI:
> debug software restart management-server
Although it should not impact your production traffic, I would recommend that you run this command after business hours.
As per the previous recommendation, please verify the ms.log also.
Thanks
01-13-2014 02:29 PM
Before tailing the ms.log
> tail follow yes mp-log ms.log
please enable the following debugs:
> debug management-server on debug
> debug management-server set commit all
> debug management-server set cfg all
The following doc will help as well
01-14-2014 10:20 AM
I saw a significant improvement in commit times by purchasing the memory upgrade for the PA500. Highly recommend it.
Hope that helps,
Bob
01-15-2014 01:30 AM
And check if you have custom Applications.
Custom Apps will increase the commit time by about a factor of 5.
Marco
01-15-2014 06:11 AM
This is a good point. If your candidate configuration contains a new or modified custom App-ID or custom Vulnerability signature, then those signatures must be re-compiled (along with Palo Alto Networks' signatures) upon commit. That compilation process will add quite a bit of time to a standard commit process (on PA-200/500/2000 platforms). The additional compilation time is negligible on the higher-end platforms (3000/4000/5000).
01-15-2014 06:28 AM
We have a 5050 so I don't know about the other platforms except through training. I think in training we were using the 200 and it was very slow with commits. On the 5050, the first commit after you create a custom sig, it takes a longer time, but succeeding commits are the same. Are you saying that the commit times become increasingly slower on the other platforms with the creation of custom apps?
In networkadmins original post he said "Commit times seem insane. I don't think I've ever had a commit happen in less than 5 minutes and on Friday I did a commit having added a URL to a URL Category and it took 20 minutes to do the commit." - On the 5050 it also takes considerably longer after adding a URL to the URL category, but only on the initial commit, but it goes back to normal after that.
01-15-2014 06:32 AM
Commit times will be extended if you add or edit a custom signature. However, subsequent commits will return to "normal" because you're not adding/editing more custom signatures. This is true for all platforms.
I haven't noticed extended commit times when adding a URL to a custom URL category.
01-15-2014 09:19 AM
We don't tend to add things like signatures or do anything at all complex. I don't think (obviously I don't time every one) that I've ever seen a commit take less than five minutes.
How much difference is the "additional memory" module likely to make here please?
I ask because it isn't cheap for a 2GB memory module.
01-15-2014 11:14 AM
There are some users who have upgraded their PA-500s and posted their observations here: