Panorama/Firewall performance

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Panorama/Firewall performance

L2 Linker

Historically, for a LONG time, we have created an object for every IP address and every port (for port based rules).  Over the years, this has lead to our config being HUGE.  Last tech support file from Panorama is 85MB.  With thousands and thousands of objects, my opinion is that's contributing to the performance issues we see; the fact that all these objects get sent to the firewalls, and has to be updated everytime we do a push.


So question is this; do others agee with this?  Has anyone actually backed down the object list (like removing unused, and removing objects for single IP policies, and just put the IP in the rule itself only) and then seen a performance gain?  It would be a substantial task, but possibly a useful one.  Thoughts?



I am talking about the option that @Astardzhiev also described:

@Astardzhiev wrote:

Over the GUI go to Panorama -> Setup -> Management -> Panorama Settings -> Disable/uncheck "Share unsused addresses and service objects with devices"


Ya, the performance impact we see is things like changing context from one FW to another within Panorama, commits, etc.  Not processing performance.  The other "indirect" impact is that we currenlty can't pull the config into Expedition because of the size limite of the XML that Expedition can process.  And yup, i've been at this company for about 2.5 years, and they are, overall, a shop converted from ASA side of the world  🙂

Hey @Tony_Kiser


Try running your configuration through the Expedition tool, it'll highlight all the unused objects and can easily delete them. It'll also show duplicate objects that you can merge etc.


When exporting the configuration in Expedition it'll also try to compress the XML into one line as much as possible which really saves on configuration file size.




That's actually part of the issue @LukeBullimore; our xml is so big, Expedition can't digest it.  🙂

Hey @Tony_Kiser


You can actually increase the max file size upload limit 🙂


1. Edit the file "php.ini" found in the folder:




You can use vi, or nano e.g.


sudo nano /etc/php/7.0/apache/php.ini


Find the line "upload_max_filesize = 2MB"


Modify the value to something of your choosing, e.g. 100MB



Restart the apache2 service


sudo systemctl restart apache2

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!