Palo Alto Networks Knowledgebase: Tips & Tricks: Reducing Management Plane Load—Part 2

Tips & Tricks: Reducing Management Plane Load—Part 2

12768
Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:50 PM
Resolution

Let's continue with the second in a series and add a few more tips in your bag of tricks to reduce the load on the management plane. A few weeks ago we started a Tips & Tricks series on this topic, so this week we'll continue with Part 2.

 

 

A common cause for a heightened load on the management plane during production hours are automated processes running in the background, some of which can be tuned to occur less frequently if they are causing issues. One of these processes is the periodic refresh of FQDN objects used in the policy. These will trigger DNS lookups to refresh the associated IP addresses, and if the management plane is already taxed, could cause spikes. The frequency can be decreased by setting the refresh time to a longer timeframe, up to 4 hours for regular refreshes and 24 hours for a full refresh.

 

> configure 
Entering configuration mode
[edit]                                                                          
# set deviceconfig system fqdn-refresh-time <600-14399>
# set deviceconfig system fqdn-forcerefresh-time <14400-86400>

 

In the previous article, we also discussed disabling logging for certain applications that are very chatty but do not necessarily require extensive logging. This can also be applied to more generic rules like intrazone policies where traffic logging may not be essential.

 

Policies that require detailed logging should have only logging at end enabled, as log at session start could cause several logs to be generated for a single session: WebEx, for example, could change several times over the course of a session, from TLS/SSL to web-browsing, to WebEx, to WebEx Desktop, and so on. This would create several log at start log entries, one for every time the session shifts into a different application.

 

In larger or more complex LDAP environments, User Identification and more specifically, group mapping, can put a significant strain on the system when large amounts of group objects are loaded onto the firewall. Decreasing the amount of group objects by filtering out the LDAP query results to only the groups used in policy can also decrease the load on the management plane.

 

To accomplish this, after creating an LDAP profile to retrieve LDAP information from a server,  a User Identification Group Mapping filter can be created:

2015-10-20_11-35-02.png

 

Additional filters can be added so only users and groups containing the appropriate entries are stored. In the example below, users need to have the string "WebUser" in their description field to get added.

 

2015-10-20_11-47-46.png

 

Specific groups can also be selected as a sole source of user information:

 

2015-10-20_11-43-51.png

 

Finally, as a best practice during times of high load, it may be beneficial for administrators to not have the ACC or log monitoring open and set to auto refresh, as this queries the log database and recompiles the output on screen every few seconds.

 

I hope these tips will come in handy and help you keep the load down on your firewall's management plane.

 

Thanks for reading!

Tom Piens



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language