We have a PA-500 running 4.1.11.
I wouldn't say we do anything special, it has some certs installed for forward and reverse SSL decryption, we do dynamic URL filtering and probably have something like 30 security policies in place on it and at any given time in terms of admin nobody is doing anything.
Commit times seem insane. I don't think I've ever had a commit happen in less than 5 minutes and on Friday I did a commit having added a URL to a URL Category and it took 20 minutes to do the commit.
Is there any way of checking just why it would take so long? It's always been my biggest issue with Palo Alto.
Our supplier said some of their customers had found the memory upgrade made a difference but it isn't a cheap option and I'd like to understand exactly what increasing the memory improves in terms of performance.
I am planning on upgrading to the latest 5.x release in the next week or so if that is likely to improve things.
nrice had said in another post you can help determine where the delay is by watching the commit process with the CLI command:
>tail follow yes mp-log ms-log
I have not tried it.
Could you please check the status of the mgmtsrvr process on management-plane. The mgmtsrvr daemon is responsible to handle commit on the PAN firewall.
Use CLI command > show system resources -------> to verify the mgmtsrvr CPU/memory utilization. If you see any abnormalities, you can restart the mgmtsrvr process and verify the commit time.
Command to reset management-server process from CLI >debug software restart management-server. ---- Although It should not impact on your production traffic, i would recommend you to run this command after the business Hrs.
As per the previous recommandation, please verify the ms-log also.
Before tailing the ms.log
>tail follow yes mp-log ms-log
, please enable the following debugs :-
> debug management-server on debug
>debug management-server set commit all
> debug management-server set cfg all
the following do will help as well
This is a good point. If your candidate configuration contains a new or modified custom App-ID or custom Vulnerability signature, then those signatures must be re-compiled (along with Palo Alto Networks' signatures) upon commit. That compilation process will add quite a bit of time to a standard commit process (on PA-200/500/2000 platforms). The additional compilation time is negligible on the higher-end platforms (3000/4000/5000).
We have a 5050 so I don't know about the other platforms except through training. I think in training we were using the 200 and it was very slow with commits. On the 5050, the first commit after you create a custom sig, it takes a longer time, but succeeding commits are the same. Are you saying that the commit times become increasingly slower on the other platforms with the creation of custom apps?
In networkadmins original post he said "Commit times seem insane. I don't think I've ever had a commit happen in less than 5 minutes and on Friday I did a commit having added a URL to a URL Category and it took 20 minutes to do the commit." - On the 5050 it also takes considerably longer after adding a URL to the URL category, but only on the initial commit, but it goes back to normal after that.
Commit times will be extended if you add or edit a custom signature. However, subsequent commits will return to "normal" because you're not adding/editing more custom signatures. This is true for all platforms.
I haven't noticed extended commit times when adding a URL to a custom URL category.
We don't tend to add things like signatures or do anything at all complex. I don't think (obviously I don't time every one) that I've ever seen a commit take less than five minutes.
How much difference is the "additional memory" module likely to make here please?
I ask because it isn't cheap for a 2GB memory module.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!