Historically, for a LONG time, we have created an object for every IP address and every port (for port based rules). Over the years, this has lead to our config being HUGE. Last tech support file from Panorama is 85MB. With thousands and thousands of objects, my opinion is that's contributing to the performance issues we see; the fact that all these objects get sent to the firewalls, and has to be updated everytime we do a push. So question is this; do others agee with this? Has anyone actually backed down the object list (like removing unused, and removing objects for single IP policies, and just put the IP in the rule itself only) and then seen a performance gain? It would be a substantial task, but possibly a useful one. Thoughts?
... View more