Tips to improve mgnt tasks in a PA-2020


L3 Networker

Hello Everyone,

Does anybody know any tips to improve mgnt tasks (policy changes, monitor checks, commits... etc etc) in a slow box PA2020?

I have been working w/ this model since November 2013 and I am facing so many problems w/ slow response during management....

My box does:

- User identification from external agent

- URL filtering by BrightCloud

- Around 200 security policies

- Around 5 NATs (all of them outbound)

- Usually 2 users make changes at the same time during our normal business hours.... (1 deals w/ URL filtering and another one w/ FW rules, monitors, etc etc....)

- Usually we see the mgnt plane working at 98% all the time....

Thanks in advance for any help on that!


dieterb wrote:

But still, I fear PA will not act. By the time our issue-report is complete, I expect PA support to say "please upgrade to version X first" (what we just did because they told us to) ... to start all over again.

Been there, done that. At least twice.

I've got a 3020 in service at another location, and the difference in commit times is staggering - I can commit the config through *10* changes on the remote site before I get *one* change done on my central site's 2020's.

Software version doesn't make one bit of difference. If anything, it gets slower with software upgrades as they push more "features" into the base OS install.

darren.g, I've seen cases where the performance is increased (a lot) by upgrading the PAN-OS version. Besides introducing new features, Palo Alto is also improving their code and making it more efficient.

bdeschut - I saw an improvement exactly *once* - when I upgraded from, I think, 4.1.6 to 4.1.8-h3 - management CPU went from 70% constantly with spikes to 100% to only having spikes to 70% every five minutes - and it's been that way *ever* since. That's not an improvement - that's simply a change in priority/frequency of the process which is causing the issue.

darren.g wrote:

.... I understand why they won't make it customer upgradable like the PA500 (because you have to expose the power supply on the 2000 series)...

This, I sadly have to say, is typical American "no liability" nonsense.

Come on, we're all professionals here. Or we can find someone really easily who has the right certification to open the box. As if anyone would attempt a RAM upgrade on a box like that while it's running...

Unfortunately the reality of it is Palo Alto Networks is headquartered in America, and the sue-happy society we have makes corporate lawyers gun-shy about letting customers open up the boxes they sell (rightfully so.. all it would take would be one person getting shocked and PA could have a huge lawsuit on their hands).

L4 Transporter

Did anyone have any luck with this?

So far, our support case is still open ... and has been quiet for some time.

L0 Member

I am sad that this is still an issue. We are a small university and are having this data-plane issue. We are biting the bullet and moving to the 3020, but it's horribly painful; the last week we have had to reset the data-plane every couple of hours...
