Possible solution to slow commit

L2 Linker

Possible solution to slow commit

Hi, regarding the desperately slow commits in PA, especially with a large number of rules and objects: from our experience in other systems, the rule shadow check is a very CPU-intensive feature. It's certain that PA does a rule shadow check, and this is consistent with the fact that the more rules and objects you have, the slower the commit is (more combinations to check).

So, could it be possible to have a check before commit giving the option not to use the rule shadow check? Imagine that you are changing only the name of an object: you probably do not need to check the shadows, and I suppose the commit will be faster.

Could anyone from PA have the answer?

Thank you in advance.

Samuel
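
A simplified model of a rule shadow check, showing how the number of pairwise comparisons grows with the rule count, as the post above supposes. This is an added example, not part of the original post and not PAN-OS's implementation; the `Rule` fields, the first-match evaluation model, the sample rules and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:              # hypothetical, simplified rule model
    name: str
    src: tuple           # source CIDRs
    dst: tuple           # destination CIDRs
    ports: frozenset     # destination ports; empty set means "any"
    action: str          # "allow" or "deny"

def nets_cover(outer, inner):
    """True when every network in `inner` lies inside one network of `outer`."""
    outer_nets = [ip_network(o) for o in outer]
    return all(any(ip_network(i).subnet_of(o) for o in outer_nets) for i in inner)

def ports_cover(outer, inner):
    """Empty `outer` matches any port; empty `inner` is covered only by that."""
    return not outer or (bool(inner) and inner <= outer)

def covers(earlier, later):
    return (nets_cover(earlier.src, later.src)
            and nets_cover(earlier.dst, later.dst)
            and ports_cover(earlier.ports, later.ports))

def find_shadows(rules):
    """Return ([(shadowed, shadowed_by, kind)], number of pairwise comparisons)."""
    findings, comparisons = [], 0
    for j, later in enumerate(rules):
        for earlier in rules[:j]:   # assumed first-match model: only earlier rules matter
            comparisons += 1
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break
    return findings, comparisons

ANY = ("0.0.0.0/0",)
SAMPLE_RULES = [  # constructed sample rule base
    Rule("allow-web", ("10.0.0.0/8",), ("192.0.2.0/24",), frozenset({80, 443}), "allow"),
    Rule("allow-dns", ("10.0.0.0/8",), ("198.51.100.53/32",), frozenset({53}), "allow"),
    Rule("deny-web-lab", ("10.20.0.0/16",), ("192.0.2.10/32",), frozenset({443}), "deny"),
    Rule("deny-all", ANY, ANY, frozenset(), "deny"),
]

if __name__ == "__main__":
    print(find_shadows(SAMPLE_RULES))
```

In this model a rule base with no shadowed rules needs n(n-1)/2 comparisons, so the work grows with the square of the rule count.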

L4 Transporter

Re: Possible solution to slow commit

I don't think it comes from there. With the same rules and during idle times I have the following:

  • PA-500, 52 rules, 12 minutes commit
  • PA-200, 68 rules, 1 minute commit
  • PA-5050, 285 rules, 45 seconds commit
L3 Networker

Re: Possible solution to slow commit

Funny how a PA-500 is so much slower than a PA-200 on commit.

I have exactly the same experience. As far as I can tell the PA-200 does have an SSD aka CompactFlash with very limited (16GB) capacity, but it's way faster than the PA-500 on commits (due to this?)

(edit) Also noticed that a PA-200 has much larger "management" memory available (2,6 GB instead of 1 GB for PA-500), could be another reason for the better performance.

L4 Transporter

Re: Possible solution to slow commit

I am investigating this too: my PA-500 swaps by 400MB, up to 800MB. A Linux admin would be scared by this.

Try "show system resources" to have a look at your swap.

Note: PA-2020 has 1GB of RAM too, I am going to install one next week and see if/how it's different.

L3 Networker

Re: Possible solution to slow commit

One additional piece of info: if I'm interpreting it right, what you see with 'show system resource' is the amount of memory assigned to the control-plane. The actual firewall has more memory, but what you see is the amount left after assigning some to the data-plane. Might be wrong about this, strictly reverse-engineering from my side.

L4 Transporter

Re: Possible solution to slow commit

Yes, I think you are assuming right. Note that the Dataplane doesn't suffer any slowness, only the Controlplane.

L6 Presenter

Re: Possible solution to slow commit

What are the odds that PAN would support an upgrade of the RAM available in the units (thinking mainly of the PA-500 and 2000 series, which struggle with huge commit times)?

Especially when RAM is really cheap nowadays...

L4 Transporter

Re: Possible solution to slow commit

Do you have data about PA-20XX commit times? I am wondering if it's slow like the 500 or not.

PA-5050 has 3GB of RAM, I just checked on mine.

Palo Alto Networks Guru

Re: Possible solution to slow commit

PA-20XX commit times are often on par with the other older platforms with less RAM and slower processors than the newer platforms (50XX and 200). All of our newer platforms have followed all of the statements mentioned about the cost of memory and faster hardware and therefore, you will often see improvement in commit times. With all of that said, commit times are very much determined by what changes are being made, by the amount of configuration you are committing, the amount of logging, and the features running on the FW.

Palo Alto Networks Guru

Re: Possible solution to slow commit

As a note to essnet, PAN-OS will not recognize added RAM to the underlying OS. 
