06-23-2024 04:15 AM - edited 06-23-2024 04:26 AM
Hi,
If anyone could shed some light on the issue below, it would be greatly appreciated. Since upgrading my PA-440 to 11.1.2-h3 (preferred version), I am seeing the following two issues:
1. Every 5 minutes, there is a system log error:
Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com
2. After committing changes to the firewall, the following is observed:
Configuration committed successfully
Local configuration size: 174 KB
Predefined configuration size: 17 MB
Merged configuration size(local, panorama pushed, predefined): 18 MB
Maximum recommended merged configuration size: 35 MB (51% configured)
Anyone else experiencing these issues or have some kind of idea what has happened or how to fix it?
Thanks,
G
06-28-2024 12:15 PM
Same issue here. Upgraded from 10.2.8-h3 to 11.1.2-h3 on a VM series KVM firewall.
If ospf router ID changed,it require restart ospf processor(Module: routed)
client routed phase 1 failure
Commit failed
Local configuration size: 7 KB
Predefined configuration size: 17 MB
Merged configuration size(local, panorama pushed, predefined): 18 MB
Maximum recommended merged configuration size: 17 MB (105% configured)
Failed to commit policy to device
07-03-2024 11:05 PM
Apart from the limit "issue", can anyone shed some light on the matter of:
Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com
I am losing my mind 🙂
10-10-2024 02:43 PM
I am also seeing this on multiple PA-850's since moving to 11.1.4-h1:
Local configuration size: 429 KB
Predefined configuration size: 18 MB
Merged configuration size(local, panorama pushed, predefined): 20 MB
Maximum recommended merged configuration size: 23 MB (86% configured)
10-10-2024 11:39 PM
It sounds like you're running into configuration size issues after upgrading to 11.1.4-h1 on the PA-850s. The merged config size being at 86% of the max recommended could definitely be a cause for concern, especially as you continue to push updates or add new policies. Have you tried reaching out to Palo Alto support to see if there's a way to optimize the config? Sometimes there are unused objects or old rules that can be cleaned up to reduce the overall size. Alternatively, it might be worth monitoring it closely and planning for a more efficient setup if you anticipate growth.
10-31-2024 10:48 AM
Hi there, thanks for responding! Yes, I believe that's exactly what's going on. I've cleaned up my config, but in looking at what's taking the space, the majority of it is the pre-defined data sent from Palo Alto. I'm hoping they have a way to trim that down; it will be a hard sell to my client to purchase new firewalls. 😞
12-05-2024 08:25 AM
Have you heard anything back from Palo Alto in regard to trimming the predefined config? We just got hit with a full 1MB change overnight for their predefined config and it is annoying that Palo Alto is doing this. I guess it's their way of forcing people to upgrade, yet their newer firewalls aren't that high in max config size and they can't be straightforward about how much this will increase over the years. I seriously feel like Palo Alto has gone south on their products. We are actively considering moving to another vendor due to this. Our config is very small and we even removed any unused items. Support has gone nowhere for a solution, just stated we should upgrade and yet our firewalls aren't EOL until 2029.
12-05-2024 08:58 AM
Hi there. Unfortunately, I haven't had a chance to speak with them yet about it but planning to. I've got 2 clients with PA-850's and PA-220s and all devices are reporting the issue. My suspicion is that it's pre-defined config and dynamically downloaded content like threat signatures, etc, etc. Not sure if anything can be done about that. I will open a case and let you know if I get any good answers.