Tips & Tricks: Reducing Management Plane Load

Tips & Tricks: Reducing Management Plane Load

184346
Created On 09/25/18 19:02 PM - Last Modified 06/09/23 02:10 AM


Resolution


fy16-tipstricks-lato.png

 

CPU usage on the management plane (MP) can sometimes be quite high and lead to other issues. We'll show you how to reduce MP usage in a series of Tips & Tricks.

 

A common cause of a high MP CPU load is logging and reporting.

 

By default, every session is logged at end. Additionally, you can opt to enable logging at start for better visibility on the morphology of applications traversing the firewall, or to simply have more data available for forensic analysis. You may also be required to log the drop-all rule at the end of the policy. These options and more logging actions cause the logrcvr process to consume more resources.

 

To enable the system to produce reports more easily, several helper processes come into play to process and prepare the log files for later report generation. These helper processes consume even more resources as more logs must then be processed.

 

 top - 12:05:07 up 511 days, 23:31,  0 users,  load average: 5.59, 5.76, 5.86
Tasks:  96 total,   2 running,  93 sleeping,   1 stopped,   0 zombie
Cpu(s): 28.5%us, 54.4%sy,  3.7%ni, 11.7%id,  0.1%wa,  0.1%hi,  1.5%si,  0.0%st
Mem:    995888k total,   937788k used,    58100k free,    47356k buffers
Swap:  2008084k total,   981484k used,  1026600k free,    91776k cached
  
PID   USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
2336  root      20   0  287m  77m 2100 S  112  8.0   1:16:58 logrcvr            
2307  root      20   0 1014m 132m 2656 S   73 13.6   1:41:41 mgmtsrvr           
26958 root      30  10  3996 1128  920 R    8  0.1   1:24.12 genindex.sh        
8811  root      30  10  4468 1020  800 R    1  0.1   0:00.18 top                
1     root      20   0  1836  552  528 S    0  0.1   0:08.07 init               
2     root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd

 

When the management plane is experiencing a continuous high load, consider reducing logging to reduce the load. Here are a few options for reducing logging:

 

  • Some applications may not need to be logged at all, for example, DNS tends to be extremely chatty, causing a lot of log files to be generated, which may not be vital to the organization: 

2015-09-16_11-11-58.png

 

Note that threat logs are generated by threat protection, so disabling logging in the security policy only stops generating traffic logs.

 

  • Some URL categories may be benign and permissible within the organization, so setting the URL filtering action to allow prevents a URL log from being created each time an allowed category is accessed:

2015-09-17_08-59-21.png

 

  • Report generation can also consume  considerable resources, while some pre-defined reports may not be useful to the organization, or they've been replaced by a custom report. These pre-defined reports can be disabled from Device > Setup > Logging and Reporting Settings:

2015-09-16_11-41-12.png

 

I welcome comments and suggestions in the section below.

 

Thanks for reading!

 

See also Reducing Management Plane Load Part 2 at https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Reducing-Management-Plane-Load-Part-2/ta-p/66874

 

Tom Piens
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language