For details on cookie usage on our site, read our Privacy Policy
Possible solution to slow commit
- LIVEcommunity
- Discussions
- General Topics
- Possible solution to slow commit
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Possible solution to slow commit
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-10-2012 09:01 AM
Hi, regarding of the desperately slow commits in PA specially with a large number of rules and object. From our experiencie in other systems the rule shadow check is a very high CPU feature. It's sure that PA do a rule shadow and this it's in concordance with the fact that as much rules and objects you have more slow is the commit (more combinations to check)
So, could it be possible to have a check before commit to have the option of no use rule shadow?. Imagine that you are change only the name of object, probably you do not need check the shadows and I suppose the commit will be faster.
Anyone from PA could have the answer??
Thank you in advance.
Samuel
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-10-2012 09:07 AM
I don't think it comes from there, with same rules and during idle times I have the following:
- PA-500 52 rules , 12 minutes commit
- PA-200 68 rules , 1 minute commit
- PA-5050 285 rules, 45 seconds commit
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-10-2012 11:58 AM
Funny how a PA-500 is so much slower than a PA-200 on commit.
I have exactly the same experience. As far as I can tell the PA-200 does have an SSD aka compactflash with very limited (16GB) capacity, but it's way faster than the PA-500 on commits (due to this ?)
(edit) Also noticed that a PA-200 has much larger "management" memory available (2,6 GB instead of 1 GB for PA-500), could be another reason for the better performance.
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-10-2012 12:35 PM
I am investigating this too : my PA-500 swaps by 400MB, up to 800MB. A linux admin would be scared by this.
Try "show system resources" to have a look at your swap.
Note : PA-2020 has 1GB of RAM too, I am going to install one next week and see if/how it's different.
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-10-2012 12:55 PM
One additional info : If I'm interpreting right, what you see with 'show system resource' is that amount of memory assigned to the control-plane. The actual firewall has more memory, but what you see is the amount left after assigning some to the data-plane. Might be wrong about this, strictly reverse-engineering from my side.
- Looking for some advice on Licenses in General Topics
- Copy Paste Task between playbooks in Cortex XSOAR Discussions
- Commit Errors on 1st Push in General Topics
- Validation errors in Palo Alto software version 10.1.6-h3 in Next-Generation Firewall Discussions
- Change forward decrypt trust cert to a new one. in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
