Tips to improve mgmt tasks in a PA-2020

L3 Networker

Hello Everyone,

Does anybody know any tips to improve mgmt tasks (policy changes, monitor checks, commits... etc etc) in a slow box PA2020?

I have been working w/ this model since November 2013 and I am facing so many problems w/ slow response during management....

My box does:

- User identification from external agent

- URL filtering by BrightCloud

- Around 200 security policies

- Around 5 NATs (all of them outbound)

- Usually 2 users make changes at the same time during our normal business hours.... (1 deals w/ URL filtering and another one w/ FW rules, monitors, etc etc....)

- Usually we see the mgmt plane working at 98% all the time....

Thanks in advance for any help on that!

L4 Transporter

Honestly PA needs to throw in the towel on the PA 2000 platform, and replace everyone's PA2020 with a PA3000 series box for free. I could never get published bandwidth specs out of our PA2050, I can't imagine how painful it must be using a PA2020 for real workloads outside of a lab :-(

L6 Presenter

Hi,

Using a service route rather than the management interface (for management)

Cleaning all logs (if they are not important, already sent to Panorama, syslog, etc.) (for commit time)

L5 Sessionator

You don't mention anything about what PAN-OS version you are running or your management resource utilization. I would suggest following the article below for some commands to view overall system utilization.

Troubleshooting Slowness with Traffic, Management, or Intermittent SSL Decryption

If you still have issues, I would recommend contacting TAC to see whether anything is perhaps consuming an inordinately large amount of resources.

-Richard

L4 Transporter

Sadly, this seems to be the default answer to all 2000 series performance issues threads in this forum...

L4 Transporter

dieterb they should just issue a mass recall and replace everyone's PA2000 with either a PA500 (which in my personal experience can outperform a PA2000) or better yet replace them with the lowest end PA3000!

L4 Transporter

I totally agree with you. We've had these issues for quite some time now. We currently even have a support case open with our local support reseller right now.

Basically, Palo Alto wants "proof" that there is an issue before they do anything. We've been collecting commit issues, commit times, and memory utilization for some time now.

But still, I fear PA will not act. By the time our issue-report is complete, I expect PA support to say "please upgrade to version X first" (what we just did because they told us to) ... to start all over again.

L4 Transporter

Absolutely, the main negative feedback we get from customers is due to the slowness of the MP of the 2000 Series boxes. People tend to generalise this slowness to all the PAN Firewalls which leads to a bad reputation in the market. PAN should really do something about it.

L4 Transporter

dieterb wrote:

Sadly, this seems to be the default answer to all 2000 series performance issues threads in this forum...

Yeah, and the default reply is "We can't find anything wrong, this is expected behaviour".

I got told last time I logged a job that I should select "manual" updates when I'm sitting in the console instead of the periodic 1 minute I have it set at to take load off the management plane. Ridiculous.

L4 Transporter

ericgearhart wrote:

dieterb they should just issue a mass recall and replace everyone's PA2000 with either a PA500 (which in my personal experience can outperform a PA2000) or better yet replace them with the lowest end PA3000!

Or at least put out an upgrade kit to put more RAM into the management plane. I understand why they won't make it customer upgradable like the PA500 (because you have to expose the power supply on the 2000 series), but for f*** sake, I'd *pay* to have someone come out and upgrade the RAM on my 2020's.
