Created On 09/25/18 19:02 PM - Last Updated 02/07/19 23:50 PM
Reporting and Logging
CPU usage on the management plane (MP) can sometimes be quite high and lead to other issues. We'll show you how to reduce MP usage in a series of Tips & Tricks.
A common cause of a high MP CPU load is logging and reporting.
By default, every session is logged at end. Additionally, you can opt to enable logging at start for better visibility on the morphology of applications traversing the firewall, or to simply have more data available for forensic analysis. You may also be required to log the drop-all rule at the end of the policy. These options and more logging actions cause the logrcvr process to consume more resources.
To enable the system to produce reports more easily, several helper processes come into play to process and prepare the log files for later report generation. These helper processes consume even more resources as more logs must then be processed.
When the management plane is experiencing a continuous high load, consider reducing logging to reduce the load. Here are a few options for reducing logging:
Some applications may not need to be logged at all, for example, DNS tends to be extremely chatty, causing a lot of log files to be generated, which may not be vital to the organization:
Note that threat logs are generated by threat protection, so disabling logging in the security policy only stops generating traffic logs.
Some URL categories may be benign and permissible within the organization, so setting the URL filtering action to allow prevents a URL log from being created each time an allowed category is accessed:
Report generation can also consume considerable resources, while some pre-defined reports may not be useful to the organization, or they've been replaced by a custom report. These pre-defined reports can be disabled from Device > Setup > Logging and Reporting Settings:
I welcome comments and suggestions in the section below.