Hi, regarding of the desperately slow commits in PA specially with a large number of rules and object. From our experiencie in other systems the rule shadow check is a very high CPU feature. It's sure that PA do a rule shadow and this it's in concordance with the fact that as much rules and objects you have more slow is the commit (more combinations to check)
So, could it be possible to have a check before commit to have the option of no use rule shadow?. Imagine that you are change only the name of object, probably you do not need check the shadows and I suppose the commit will be faster.
Anyone from PA could have the answer??
Thank you in advance.
Funny how a PA-500 is so much slower than a PA-200 on commit.
I have exactly the same experience. As far as I can tell the PA-200 does have an SSD aka compactflash with very limited (16GB) capacity, but it's way faster than the PA-500 on commits (due to this ?)
(edit) Also noticed that a PA-200 has much larger "management" memory available (2,6 GB instead of 1 GB for PA-500), could be another reason for the better performance.
One additional info : If I'm interpreting right, what you see with 'show system resource' is that amount of memory assigned to the control-plane. The actual firewall has more memory, but what you see is the amount left after assigning some to the data-plane. Might be wrong about this, strictly reverse-engineering from my side.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!