01-15-2019 10:05 AM
Historically, for a LONG time, we have created an object for every IP address and every port (for port based rules). Over the years, this has led to our config being HUGE. Last tech support file from Panorama is 85MB. With thousands and thousands of objects, my opinion is that's contributing to the performance issues we see; the fact that all these objects get sent to the firewalls, and have to be updated every time we do a push.
So question is this; do others agree with this? Has anyone actually backed down the object list (like removing unused, and removing objects for single IP policies, and just put the IP in the rule itself only) and then seen a performance gain? It would be a substantial task, but possibly a useful one. Thoughts?
01-16-2019 07:45 AM
I am talking about the option that @Astardzhiev also described:
@Astardzhiev wrote: Over the GUI go to Panorama -> Setup -> Management -> Panorama Settings -> Disable/uncheck "Share unused addresses and service objects with devices"
01-16-2019 08:28 AM
Ya, the performance impact we see is things like changing context from one FW to another within Panorama, commits, etc. Not processing performance. The other "indirect" impact is that we currently can't pull the config into Expedition because of the size limit of the XML that Expedition can process. And yup, I've been at this company for about 2.5 years, and they are, overall, a shop converted from ASA side of the world 🙂
01-18-2019 02:42 AM
Hey @Tony_Kiser
Try running your configuration through the Expedition tool, it'll highlight all the unused objects and can easily delete them. It'll also show duplicate objects that you can merge etc.
https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool
When exporting the configuration in Expedition it'll also try to compress the XML into one line as much as possible which really saves on configuration file size.
Cheers,
Luke.
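An added example, not part of the original posts and not Expedition or Palo Alto Networks code: one way to list unused address and service objects straight from an exported XML config, following group membership so that objects referenced only by an unused group are reported too. The sample config is constructed and simplified, and the code assumes object names are unique across the whole config and that groups are static (dynamic, tag-based groups are not resolved).

```python
import xml.etree.ElementTree as ET

# Constructed, simplified Panorama-style config (illustration only, not from the thread).
SAMPLE_CONFIG = """<config><shared>
  <address>
    <entry name="web-01"><ip-netmask>10.0.0.10/32</ip-netmask></entry>
    <entry name="db-01"><ip-netmask>10.0.0.20/32</ip-netmask></entry>
    <entry name="old-host"><ip-netmask>10.0.9.9/32</ip-netmask></entry>
    <entry name="old-lab"><ip-netmask>10.0.9.10/32</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="web-servers"><static><member>web-01</member></static></entry>
    <entry name="retired"><static><member>old-lab</member></static></entry>
  </address-group>
  <service>
    <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
    <entry name="tcp-9999"><protocol><tcp><port>9999</port></tcp></protocol></entry>
  </service>
  <pre-rulebase><security><rules>
    <entry name="allow-web">
      <source><member>any</member></source><action>allow</action>
      <destination><member>web-servers</member><member>db-01</member></destination>
      <service><member>tcp-8443</member></service>
    </entry>
  </rules></security></pre-rulebase>
</shared></config>"""

KINDS = ("address", "address-group", "service", "service-group")

def find_unused_objects(xml_text):
    """Return sorted (kind, name) pairs for objects no rule reaches (assumes unique names)."""
    root = ET.fromstring(xml_text)
    defined, members = {}, {}
    for kind in KINDS:
        for container in root.iter(kind):          # rule-level <service> has no <entry>
            for entry in container.findall("entry"):
                name = entry.get("name")
                defined[name] = kind
                if kind.endswith("-group"):
                    members[name] = [m.text.strip() for m in entry.iter("member") if m.text]
    # Conservative: any text found under a <rules> element counts as a reference.
    todo = [el.text.strip() for rules in root.iter("rules")
            for el in rules.iter() if el.text and el.text.strip()]
    used = set()
    while todo:                                     # follow group membership transitively
        name = todo.pop()
        if name in defined and name not in used:
            used.add(name)
            todo.extend(members.get(name, []))
    return sorted((kind, name) for name, kind in defined.items() if name not in used)
```

On the sample, `find_unused_objects(SAMPLE_CONFIG)` reports `old-host`, `old-lab` (used only by the unused group `retired`), `retired` and `tcp-9999`.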
01-18-2019 07:58 AM
That's actually part of the issue @LukeBullimore; our xml is so big, Expedition can't digest it. 🙂
01-18-2019 08:08 AM
Hey @Tony_Kiser
You can actually increase the max file size upload limit 🙂
1. Edit the file "php.ini" found in the folder:
/etc/php/7.0/apache
You can use vi or nano, e.g.
sudo nano /etc/php/7.0/apache/php.ini
2. Find the line "upload_max_filesize = 2MB"
3. Modify the value to something of your choosing, e.g. 100MB
4. Restart the apache2 service
sudo systemctl restart apache2