5.x seems to require more management CPU utilization altogether than 4.x did. That shouldn't be surprising to anyone, given all the new features. We can hope that efficiency will improve as the 5.x code matures.
However, 5.0.2 (and 4.1.11) seem to have a very clear bug related to the User ID process consuming excessive resources.
Honestly I wish PA would slow down on the new features and beef up the stability/QA. It seems like we upgrade on support's advice to fix bugs and then after we upgrade we find other bugs... it's bug whack-a-mole.
Yes, it doesn't get easier to recommend software versions for our customers.
Very disappointed that 4.1.11 seems to have the same bug, especially since they released that version some time after this bug was known in 5.0.2.
It's time and time again for us with PA... I like the "disruptive startup" nature of the company and all the features packed into the boxes they sell (and the complete lack of dealing with the insane licensing scheme of Check Point), but these QA issues are making it hard for me to make a case with my management to move forward with handing off more load to the PA boxes we have, especially since the Check Point firewalls we have in production seem to just hum along and "just work."
We're "dipping our toe" into Palo Alto slowly, and honestly these "bug whack-a-mole" issues are causing us to reconsider our firewall strategy.
Don't even get me started on the GlobalProtect client...
It is surely harder to get extremely high stability when dealing with so many things simultaneously than it is just checking simple ACLs. That PAN has been able to do what it does so effectively is impressive no matter how you look at it. I continue to be very very impressed with the product (of course as a partner I am biased I suppose), and wouldn't recommend anything else given the current threat landscape, but I will be taking a less aggressive approach to updating firmware for a while. I tend to try and keep on the current release under the idea that I _should_ be keeping my bug exposure down. I pushed our various boxes up through all the 4.1.x releases with no ill effects and was lulled into overconfidence I suppose. I suspect most people in these forums would say "what do you expect running the very latest release"...
We're sticking with 4.1 on a pair of our PA devices and we're still running into bugs. Not trivial stuff either... things like PA's implementation of DHCP doesn't work correctly (ticket open for a month and a half), GlobalProtect doesn't work correctly/crashes/throws errors (client and gateway).
We've got a ticket that's been open for two months for User-ID mapping not working correctly (on 4.1 code), where we basically can't use the 'user' column in our rulebase. That's a major feature that we can't take advantage of.
It's not "oh another customer is complaining and whining"... it's features that are advertised as working that weren't tested or that get broken by bugfixes.
I suppose your mileage may vary though.
Same issue here with 5.0.2 and PA 2050.
top - 07:57:29 up 25 days, 11:10, 1 user, load average: 12.15, 11.85, 11.66
Tasks: 105 total, 2 running, 102 sleeping, 1 stopped, 0 zombie
Cpu(s): 32.3%us, 47.5%sy, 5.0%ni, 13.8%id, 0.8%wa, 0.1%hi, 0.4%si, 0.0%st
Mem: 995872k total, 964828k used, 31044k free, 20132k buffers
Swap: 2008084k total, 545768k used, 1462316k free, 535468k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1796 20 0 212m 73m 64m S 174 7.5 8106:37 useridd