Tips to improve mgnt tasks in a PA-2020

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Tips to improve mgnt tasks in a PA-2020

L3 Networker

Hello Everyone,

Does anybody knows any tips to improve mgnt tasks (policy changes, monitors checks, commits... etc etc) in a slow box PA2020?

I am working w/ this model since november 2013 and I am facing so many problems w/ slow response during management....

My box do:

- User identification from external agent

- URL filtering by bright cloud

- Around 200 security policies

- Around 5 Nats (all of them outbound)

- Usually 2 users do changes at same tima during our normal business hours.... (1 deals w/ URL filtering e another one w/ FW rules, monitors, etc etc....)

- Usually we see mgnt plane working at 98% all the time....

thanks in advance for any help on that!

16 REPLIES 16

L4 Transporter

Honestly PA needs to throw in the towel on the PA 2000 platform, and replace everyone's PA2020 with a PA3000 series box for free. I could never get published bandwidth specs out of our PA2050, I can't imagine how painful it must be using a PA2020 for real workloads outside of a lab 😞

L6 Presenter

Hi,

using service route rather than management interface ( for management)

Cleaning All logs(if they are not important already sent to Panorama,syslog etc..) ( for commit time)

Retired Member
Not applicable

You don't mention anything about what PAN-OS version you are running or your management resource utilization. I would suggest following below article for some commands to view overall system utilization.

Troubleshooting Slowness with Traffic, Management, or Intermittent SSL Decryption

If you still have issue, I would recommend contact TAC to see if there is anything perhaps consuming inordinately large amount of resources or not.

-Richard

Sadly, this seems to be the default answer to all 2000 series performance issues threads in this forum...

dieterb they should just issue a mass recall and replace everyone's PA2000 with either a PA500 (which in my personal experience can outperform a PA2000) or better yet replace them with the lowest end PA3000!

I totally agree with you. We've had these issues for quite some time now. We currently even have a support case open with our local support reseller right now.

Basically, PaloAlto wants "proof" that there is an issue, before they do anything. We've been collecting commit issues, commit times, memory utilization for some time now.

But still, I fear PA will not act. By the time our issue-report is complete, I expect PA support to say "please upgrade to version X first" (what we just did because they told us to) ... to start all over again.

Absolutely, the main negative feedback we get from customers is due to the slowness of the MP of the 2000 Series boxes. People tend to generalise this slowness to all the PAN Firewalls which leads to a bad reputation in the market. PAN should really do something about it.

dieterb wrote:

Sadly, this seems to be the default answer to all 2000 series performance issues threads in this forum...

Yeah, and the default reply is "We can't find anything wrong, this is expected behaviour".

I got told last time I logged a job that I should select "manual" updates when I'm sitting in the console instead of the periodic 1 minute I have it set at to take load off the management plane. Ridiculous.

ericgearhart wrote:

dieterb they should just issue a mass recall and replace everyone's PA2000 with either a PA500 (which in my personal experience can outperform a PA2000) or better yet replace them with the lowest end PA3000!

Or at least put out an upgrade kit to put more RAM into the management plane. I understand why they won't make it customer upgradable like the PA500 (because you have to expose the power supply on the 2000 series), but for f*** sake, I'd *pay* to have someone come out and upgrade the RAM on my 2020's.

dieterb wrote:


But still, I fear PA will not act. By the time our issue-report is complete, I expect PA support to say "please upgrade to version X first" (what we just did because they told us to) ... to start all over again.

Been there, done that. At least twice.

I've got a 3020 in service at another location, and the difference in commit times is staggering - I can commit the config through *10* changes on the remote site before I get *one* change done on my central site's 2020's.

Software version doesn't make one bit of difference. If anything, it gets slower with software upgrades as they push more "features" into the base OS install/

darren.g I've seen cases where the performance is increased (a lot) by upgrading the PANOS version. Except introducing new features, Palo Alto is also improving their code and making it more efficient

bdeschut - I saw an improvement exactly *once* - when I upgraded from, I think, 4.1.6 to 4.1.8-h3 - management CPU went from 70% constantly with spikes to 100% to only having spikes to 70% every five minutes - and it's been that way *ever* since. That's not an improvement - that's simply a change in priority/frequency of the process which is causing the issue.

darren.g wrote:

.... I understand why they won't make it customer upgradable like the PA500 (because you have to expose the power supply on the 2000 series)...

This, I sadly have to say, is typical American "no liability" nonsense.

Come on, we're all professionals here. Or we can find someone really easy who has the right certification to open te box. As if anyone would attempt a RAM upgrade on a box like that while it's running...

Unfortunately the reality of it is Palo Alto Networks is headquartered in America, and the sue happy society we have makes corporate lawyers gun shy about letting customers open up the boxes they sell (rightfully so.. all it would take would be one person getting shocked and PA could have a huge lawsuit on their hands).

  • 8678 Views
  • 16 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!