Panorama/Firewall performance


Historically, for a LONG time, we have created an object for every IP address and every port (for port-based rules).  Over the years, this has led to our config being HUGE.  Last tech support file from Panorama is 85MB.  With thousands and thousands of objects, my opinion is that's contributing to the performance issues we see; the fact that all these objects get sent to the firewalls, and have to be updated every time we do a push.

So question is this; do others agree with this?  Has anyone actually backed down the object list (like removing unused, and removing objects for single IP policies, and just put the IP in the rule itself only) and then seen a performance gain?  It would be a substantial task, but possibly a useful one.  Thoughts?

10 REPLIES

@MP18

I am talking about the option that @Astardzhiev also described:


@Astardzhiev wrote:

Over the GUI go to Panorama -> Setup -> Management -> Panorama Settings -> Disable/uncheck "Share unused addresses and service objects with devices"

Ya, the performance impact we see is things like changing context from one FW to another within Panorama, commits, etc.  Not processing performance.  The other "indirect" impact is that we currently can't pull the config into Expedition because of the size limit of the XML that Expedition can process.  And yup, I've been at this company for about 2.5 years, and they are, overall, a shop converted from ASA side of the world  🙂

Hey @Tony_Kiser

Try running your configuration through the Expedition tool, it'll highlight all the unused objects and can easily delete them. It'll also show duplicate objects that you can merge etc.

https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool

When exporting the configuration in Expedition it'll also try to compress the XML into one line as much as possible which really saves on configuration file size.

Cheers,

Luke.

That's actually part of the issue @LukeBullimore; our xml is so big, Expedition can't digest it.  🙂
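When the export is too large for Expedition, candidates for cleanup can be listed straight from the XML. The following is an added example, not part of any reply in this thread and not Expedition or Palo Alto Networks code; the function names and the sample config are constructed. It assumes object names are unique across shared and device-group scopes, and it ignores dynamic address groups and references outside rulebases, so treat its output as a review list rather than a delete list.

```python
import xml.etree.ElementTree as ET

RULEBASES = {"pre-rulebase", "post-rulebase", "rulebase"}
# Constructed sample in the PAN-OS XML layout; names and IPs are invented.
SAMPLE = """<config><shared>
 <address>
  <entry name="web-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="web-02"><ip-netmask>10.1.1.11/32</ip-netmask></entry>
  <entry name="db-01"><ip-netmask>10.1.2.10/32</ip-netmask></entry>
  <entry name="old-asa-host"><ip-netmask>192.0.2.50/32</ip-netmask></entry>
 </address>
 <address-group>
  <entry name="web-servers"><static>
   <member>web-01</member><member>web-02</member></static></entry>
  <entry name="legacy-grp"><static><member>old-asa-host</member></static></entry>
 </address-group>
 <pre-rulebase><security><rules>
  <entry name="allow-web"><source><member>any</member></source>
   <destination><member>web-servers</member></destination></entry>
  <entry name="web-to-db"><source><member>web-servers</member></source>
   <destination><member>db-01</member></destination></entry>
 </rules></security></pre-rulebase>
</shared></config>"""

def entries(root, tag):
    """Map name -> element for every <tag>/<entry> in any scope (shared, device group)."""
    return {e.get("name"): e for p in root.iter(tag) for e in p.findall("entry")}

def unused_objects(root):
    """Return (unused address names, unused address-group names), both sorted."""
    addresses, groups = entries(root, "address"), entries(root, "address-group")
    # Conservative: any text value inside a rulebase counts as a reference (covers NAT fields).
    referenced = set()
    for rb in (el for el in root.iter() if el.tag in RULEBASES):
        referenced.update(t.text.strip() for t in rb.iter() if t.text and t.text.strip())
    # Members of a referenced static group are in use too, including nested groups.
    queue = [name for name in referenced if name in groups]
    while queue:
        for member in groups[queue.pop()].findall("static/member"):
            name = (member.text or "").strip()
            if name not in referenced:
                referenced.add(name)
                if name in groups:
                    queue.append(name)
    return sorted(set(addresses) - referenced), sorted(set(groups) - referenced)

def unused_from_xml(text):
    """Convenience wrapper: parse an exported config string and report unused objects."""
    return unused_objects(ET.fromstring(text))
```

For a real export, pass `ET.parse(path).getroot()` to `unused_objects`; on the constructed sample it reports `old-asa-host` and `legacy-grp`.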

Hey @Tony_Kiser

You can actually increase the max file size upload limit 🙂

1. Edit the file "php.ini" found in the folder:

/etc/php/7.0/apache

You can use vi, or nano e.g.

sudo nano /etc/php/7.0/apache/php.ini

Find the line "upload_max_filesize = 2MB"

Modify the value to something of your choosing, e.g. 100MB

Restart the apache2 service

sudo systemctl restart apache2
