
Data Plane (DP) CPU usage on Palo Alto Networks firewalls can be high for many reasons, so addressing it can be tricky. It’s best to take a comprehensive and methodical approach to troubleshooting high DP CPU.

 

The DP handles a wide range of functions to ensure that traffic passing through the firewall is safe and follows the security rules set by the admin. It handles things like threat inspection, traffic processing, policy lookups, URL filtering, SSL decryption, session management and sending traffic logs to the management plane (MP). Because it handles so many functions, identifying the root cause can be quite challenging.

 

The load on the DP varies based on the specific features and services enabled, the amount of traffic passing through, and the complexity of the rules. Therefore, two identical firewalls can have significantly different DP CPU usage depending on their configuration and the environments they operate in.

 

We’ll cover how to avoid high DP CPU later in this article, but if you’re experiencing high CPU usage right now, the first step is to identify the root cause.

 

Using the CLI command ‘show running resource-monitor’, you can get an overview of CPU usage. Additionally, reviewing traffic logs for unusual patterns or spikes, and inspecting active sessions with ‘show session all’, can provide insights into sessions that might be consuming excessive resources (packet rates).

 

How to Troubleshoot High Dataplane CPU

How to determine if high dataplane is an issue

100% DP CPU Utilization

How to Interpret: show running resource-monitor

High on-chip descriptor and packet buffer usage due to policy deny resulting in traffic latency and ...

 

Another way to start your investigation is by using the Application Command Center (ACC) in the web UI of the firewall. The ACC provides comprehensive details about the traffic passing through the firewall. By examining the information presented here, you can determine if there has been any deviation from the normal traffic load that the firewall typically handles. This can help identify unusual patterns or spikes in traffic that may be contributing to the high CPU utilization, giving you a clearer picture of what might be causing the issue.

 

Application Command Center (ACC)

Tips & Tricks: How to Use the ACC

 

Additionally, note that not all traffic is equal. Some types of traffic require more processing than others.  

 

For example, encrypted traffic needs SSL decryption before it can be inspected, which takes a lot of resources. Certain applications, like SMB, also need more processing power to identify and manage. Traffic that requires threat inspection needs more intensive scanning and analysis. Large volumes of traffic or traffic with many concurrent sessions can put a significant load on the firewall since it has to keep track of and process each session. Additionally, traffic that generates detailed logs or requires extensive monitoring increases the processing load because the firewall has to manage and forward these logs to the management plane.

 

How to mitigate High DP CPU issue due to High Application Usage

Why is SMB traffic slow?



So rather than fixing the issue after the fact, what steps can you take to keep high DP CPU from happening in the first place?

 

Optimizing security policies is a crucial step. Consolidating security rules reduces the number of policy lookups the firewall needs to perform, thereby lowering CPU utilization. It's also beneficial to place the most frequently matched rules at the top of the rulebase. This prioritization ensures that the firewall processes these rules first, minimizing processing time. Application and threat inspection settings also play a significant role. Utilizing application groups and filters can simplify and optimize how applications are identified.
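
The rule-ordering advice above has a catch: security rules are evaluated top-down and the first match wins, so moving a busy rule upward is only safe if it does not jump over a rule that would decide the same traffic differently. The following Python sketch is an added example, not Palo Alto Networks code; the simplified rule model (source zone, destination zone, application, action, hit count), the rule names and the hit counts are all constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source zone or "any"
    dst: str     # destination zone or "any"
    app: str     # application or "any"
    action: str  # "allow" or "deny"
    hits: int    # hit count over the review period

def overlaps(a, b):
    """True if some session could match both rules."""
    return all(x == ANY or y == ANY or x == y
               for x, y in ((a.src, b.src), (a.dst, b.dst), (a.app, b.app)))

def can_swap(upper, lower):
    """Adjacent rules may trade places only if no session matches both,
    or both take the same action (profiles and logging are not modelled)."""
    return not overlaps(upper, lower) or upper.action == lower.action

def reorder_by_hits(rules):
    """Bubble busier rules upward, never past a rule they conflict with."""
    out, changed = list(rules), True
    while changed:
        changed = False
        for i in range(len(out) - 1):
            if out[i + 1].hits > out[i].hits and can_swap(out[i], out[i + 1]):
                out[i], out[i + 1] = out[i + 1], out[i]
                changed = True
    return out

def first_match(rules, src, dst, app):
    """Action of the first rule matching the session; implicit deny otherwise."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.app in (ANY, app):
            return r.action
    return "deny"

# Constructed sample rulebase, listed in its current top-down order.
RULEBASE = [
    Rule("block-smb-to-dmz", "trust", "dmz", "smb", "deny", 40),
    Rule("allow-admin-ssh", "mgmt", "dmz", "ssh", "allow", 15),
    Rule("allow-trust-to-dmz", "trust", "dmz", ANY, "allow", 9000),
    Rule("allow-web-out", "trust", "untrust", "web-browsing", "allow", 50000),
    Rule("deny-all", ANY, ANY, ANY, "deny", 300),
]
```

On the sample rulebase, `reorder_by_hits(RULEBASE)` moves allow-web-out to the top but keeps allow-trust-to-dmz below block-smb-to-dmz; a plain sort by hit count would place it first and start allowing SMB from trust to dmz.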

 

TechDocs: Policy Optimizer Best Practices

 

Moreover, disabling unused threat signatures can significantly reduce the inspection load on the firewall. Ensuring that your firewall is running the latest content and threat updates can also improve the efficiency and effectiveness of threat inspections.

 

Session management is another area to consider. Adjusting session timeouts for specific applications can help reduce the number of active sessions, thus decreasing the CPU load. Implementing session limits for critical applications can prevent a single application from monopolizing firewall resources.

 

KB: Tips & Tricks: Session Timeouts

 

Network design can have a substantial impact on CPU utilization. Properly segmenting your network using zones limits the scope of traffic that each firewall has to handle, thereby reducing the processing burden. If possible, employing multiple firewalls and load balancing the traffic across them can distribute the load more evenly.

 

TechDocs: Segment Your Network Using Interfaces and Zones

 

Quality of Service (QoS) profiles can be implemented to prioritize critical traffic and limit non-critical traffic, thus managing the processing load more effectively. Additionally, managing log settings can help; using log filters to limit the amount of logging for less critical traffic can prevent excessive logging from contributing to high CPU utilization. Forwarding logs to an external syslog server can further offload logging processing from the firewall.

 

TechDocs: Quality of Service

TechDocs: Configure Log Forwarding

 

Ensuring that your hardware is adequately sized for your network's traffic load is fundamental. If necessary, upgrading hardware can provide the additional capacity needed to handle high traffic volumes. It's also important to have the appropriate licenses and subscriptions, as some advanced features can be particularly resource-intensive.  

 

If you’re unsure about the differences between the different types of hardware, you can check the comparison tool: Compare Hardware

 

Regular audits and maintenance are essential for optimal performance. Performing regular audits of firewall policies, configurations, and resource utilization can identify potential issues before they become critical. Keeping the firewall's firmware up to date is also crucial, as updates often include performance improvements and bug fixes.

 

If, after implementing these strategies, high DP CPU issues persist, consulting Palo Alto Networks Support is a prudent step. They can offer in-depth analysis and tailored recommendations based on your specific environment, ensuring that your firewall operates efficiently and effectively.

 

Additional Information:

 

PANCast Episode 4: Why Is My Dataplane CPU So High?
