Steps to Reduce MP CPU on PA-2000 Series and PA-4000 Series
Created On 08/05/19 20:22 PM - Last Updated 08/05/19 20:36 PM
The management plane (MP) CPU on PA-2000 Series and PA-4000 Series firewalls remains consistently high, causing sluggish behavior when accessing the devices. The following steps reduce MP load.
- Remove logging of non-user-significant traffic such as DNS, NetBIOS, dynamic routing protocols, SNMP and ICMP.
- Forward logs to Panorama and run reports from Panorama, not on the firewall itself.
- Delete all logs except the most recent ones so that log indexing can run faster.
- Make sure all policies log at session end only (not at session start).
- Set up security policies for internal-to-internal trusted traffic with no logging at all.
- Use an internal DNS server to reduce outbound DNS traffic through the firewall.
- Make sure backup processes that traverse the firewall are completing before peak business hours.
- Minimize admin logins during business hours (log refreshes and ACC views consume resources).
- Upgrade where possible: PAN-OS 6.0 and 6.1 introduced commit process optimization code.
Note: Another feature that is helpful in the PAN-OS 6.0 versions is to disable predefined reports on the firewall, refer to the following document for more information: How to Disable Predefined Reports on a Palo Alto Networks Device
- Reduce the frequency of FQDN refreshes, WildFire, content and threat updates. Set the antivirus update schedule to every 12 or 24 hours instead of every 15 minutes or every hour.
To change the FQDN refresh interval, use the following command:
# set deviceconfig system fqdn-forcerefresh-time
- Change the GUI refresh to manual.
- Reduce the number of custom reports, both device-local reports and reports pushed from Panorama.
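The logging-related steps above (log at session end only, no logging for non-user-significant applications, no logging on trusted internal-to-internal rules) can be checked against an exported rulebase before committing. The script below is an added example, not part of the original article or of Palo Alto Networks' own tooling. It parses a constructed XML snippet modelled on the security rulebase layout of a PAN-OS configuration export (`rulebase/security/rules/entry` with `from`, `to`, `application`, `log-start`, `log-end` elements); the element names, the list of "noisy" App-IDs and the trusted zone names are assumptions to verify against your own `show config running` output.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulebase (not from the article). Element names are
# modelled on a PAN-OS security rulebase export; confirm against your export.
SAMPLE_RULEBASE = """
<rules>
  <entry name="allow-dns-out">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <application><member>dns</member></application>
    <action>allow</action>
    <log-start>no</log-start>
    <log-end>yes</log-end>
  </entry>
  <entry name="trust-to-trust">
    <from><member>trust</member></from>
    <to><member>trust</member></to>
    <application><member>any</member></application>
    <action>allow</action>
    <log-start>yes</log-start>
    <log-end>yes</log-end>
  </entry>
  <entry name="web-out">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <application><member>web-browsing</member><member>ssl</member></application>
    <action>allow</action>
    <log-start>no</log-start>
    <log-end>yes</log-end>
  </entry>
  <entry name="snmp-mgmt">
    <from><member>mgmt</member></from>
    <to><member>dmz</member></to>
    <application><member>snmp</member><member>ping</member></application>
    <action>allow</action>
    <log-start>no</log-start>
    <log-end>yes</log-end>
  </entry>
</rules>
"""

# App-IDs treated as "non-user-significant" per the article's list
# (DNS, NetBIOS, dynamic routing, SNMP, ICMP). Assumed App-ID names; adjust.
NOISY_APPS = {"dns", "snmp", "snmp-trap", "ping", "icmp", "netbios-ns",
              "netbios-dg", "netbios-ss", "ospf", "bgp", "rip"}

# Zones the operator considers internal/trusted (assumption for this sample).
TRUSTED_ZONES = {"trust"}


def _members(entry, tag):
    """Return the <member> values under a child element such as from/to/application."""
    return [m.text for m in entry.findall(f"{tag}/member")]


def _flag(entry, tag):
    """True when a yes/no element (log-start, log-end) is set to yes."""
    node = entry.find(tag)
    return node is not None and node.text == "yes"


def audit_rulebase(xml_text, noisy_apps=NOISY_APPS, trusted_zones=TRUSTED_ZONES):
    """Return {rule_name: [findings]} for rules whose logging settings
    contradict the article's recommendations. Rules with no findings are omitted."""
    findings = {}
    root = ET.fromstring(xml_text)
    for entry in root.findall("entry"):
        name = entry.get("name")
        issues = []
        log_start = _flag(entry, "log-start")
        log_end = _flag(entry, "log-end")
        apps = set(_members(entry, "application"))
        src = set(_members(entry, "from"))
        dst = set(_members(entry, "to"))
        # Recommendation: log at session end only.
        if log_start:
            issues.append("log-start enabled; log at session end only")
        # Recommendation: do not log non-user-significant traffic.
        if apps and apps <= noisy_apps and (log_start or log_end):
            issues.append("logs only non-user-significant apps: " + ", ".join(sorted(apps)))
        # Recommendation: trusted internal-to-internal rules with no logging.
        if src and dst and src <= trusted_zones and dst <= trusted_zones and (log_start or log_end):
            issues.append("trusted-to-trusted rule still logs")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for rule, issues in audit_rulebase(SAMPLE_RULEBASE).items():
        print(rule)
        for issue in issues:
            print("  -", issue)
```

Run it against the `rulebase/security/rules` subtree of your own export instead of the embedded sample; the rule names it reports are the candidates for the logging changes listed above, and the web-browsing rule in the sample shows that ordinary user traffic logged at session end is left alone.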