Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PA-500 - Insane Commit Times

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA-500 - Insane Commit Times

L4 Transporter

We have a PA-500 running 4.1.11.

I wouldn't say we do anything special, it has some certs installed for forward and reverse SSL decryption, we do dynamic URL filtering and probably have something like 30 security policies in place on it and at any given time in terms of admin nobody is doing anything.

Commit times seem insane.  I don't think I've ever had a commit happen in less than 5 minutes and on Friday I did a commit having added a URL to a URL Category and it took 20 minutes to do the commit.

Is there any way of checking just why it would take so long?  It's always been my biggest issue with Palo Alto.

Our supplier said some of their customers had found the memory upgrade made a difference but it isn't a cheap option and I'd like to understand exactly what increasing the memory improves in terms of performance.

I am planning on upgrading to the latest 5.x release in the next week or so if that is likely to improve things.

Thanks

11 REPLIES 11

L4 Transporter

nrice had said in another post you can help  determine where the delay is by watching the commit process with the CLI command:

>tail follow yes mp-log ms-log

I have not tried it.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

L6 Presenter

PA-500 Management Memory Upgrade Procedure

I can say that there will be about %20 improvement for commit time.But 20 minutes is completely an issue....

it will be better to open a case after 5.0.x upgrade (if it still happens)

L7 Applicator

Hello Sir,

Could you please check the status of the mgmtsrvr process on management-plane. The mgmtsrvr daemon is responsible to handle commit on the PAN firewall.

Use CLI command > show system resources -------> to verify the mgmtsrvr CPU/memory utilization. If you see any abnormalities, you can restart the mgmtsrvr process and verify the commit time.

Command to reset management-server process from CLI >debug software restart management-server. ---- Although It should not impact on your production traffic, i would recommend you to run this command after the business Hrs.

As per the previous recommandation, please verify the ms-log also.

Thanks

L5 Sessionator

Before tailing the ms.log

>tail follow yes mp-log ms-log

, please enable the following debugs :-

> debug management-server on debug

>debug management-server set commit all

> debug management-server set cfg all

the following do will help as well

https://live.paloaltonetworks.com/docs/DOC-4649

L4 Transporter

I saw a significant improvement in commit times by purchasing the memory upgrade for the PA500. Highly recommend it.

Hope that helps,

Bob

And check if you have custom Applications.

Custom Apps will increase the commit time about factor 5

Marco

This is a good point.  If your candidate configuration contains a new or modified custom App-ID or custom Vulnerability signature, then those signatures must be re-compiled (along with Palo Alto Networks' signatures) upon commit.  That compilation process will add quite a bit of time to a standard commit process (on PA-200/500/2000 platforms).  The additional compilation time is negligible on the higher-end platforms (3000/4000/5000). 

We have a 5050 so I don't know about the other platforms except through training. I think in training we were using the 200 and it was very slow with commits. On the 5050, the first commit after you create a custom sig, it takes a longer time, but succeeding commits are the same. Are you saying that the commit times become increasingly slower on the other platforms with the creation of custom apps?

In networkadmins original post he said "Commit times seem insane.  I don't think I've ever had a commit happen in less than 5 minutes and on Friday I did a commit having added a URL to a URL Category and it took 20 minutes to do the commit." - On the 5050 it also takes considerably longer after adding a URL to the URL category, but only on the initial commit, but it goes back to normal after that.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

Commit times will be extended if you add or edit a custom signature.  However, subsequent commits will return to "normal" because you're not adding/editing more custom signatures.  This is true for all platforms.

I haven't noticed extended commit times when adding a URL to a custom URL category.

L4 Transporter

We don't tend to add things like signatures or do anything at all complex.  I don't think (obviously I don't time every one) that I've ever seen a commit take less than five minutes.

How much difference is the "additional memory" module likely to make here please?

I ask because it isn't cheap for a 2GB memory module.

There are some users who have upgraded their PA-500s and posted their observations here:

- Re: PA-500 and memory upgrade

  • 5848 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!