Panorama Commits Take a Long Time when "share unused Address and service object" is unchecked
30790
Created On 09/26/18 13:55 PM - Last Modified 11/10/22 21:29 PM
Symptom
- Commit times on Panorama is taking up to 12 minutes for each change when "share unused Address and service object" is unchecked
- Commits will not fail and will eventually complete
- Example below comparing commit time when "share unused Address and service object" checked vs. unchecked
Share unused Address and service object - Checked
Enqueued ID Type Status Result Completed -------------------------------------------------------------------------- 2013/02/12 19:54:00 16 Commit FIN OK 19:56:25 Time to complete: 2 min 25 sec
Share unused Address and service object - Unchecked
Enqueued ID Type Status Result Completed -------------------------------------------------------------------------- 2013/02/12 19:36:40 14 Commit FIN OK 19:48:50 Time to complete: 12 min 10 sec
Environment
- Panoram configured with "Share Unused Address and Service Objects with Devices" unchecked
- Over 500 Address/Service Objects in Panorama
- Panorama pushing changes to multiple firewalls
Cause
Disabling Share Unused Address and Service Objects with Devices might increase the commit time on Panorama because Panorama has to dynamically check whether policy rules reference all the particular objects.
Resolution
Normal behavior. See Manage Unused Shared Objects
Additional Information
Option to reduce commit time
*Disable Panorama from checking for unused objects.
-
Go to Panorama > Setup > Management
-
In the Panorama Settings section, Check "Share Unused Address and Service Objects with Devices"
*NOTE: Consider only enabling this option if you do not have lower end models such as PA-220 as they can not store as many Address/Services Objects.