How to mitigate High Configuration Memory usage due to the configuration size reaching device capacity limit

Created On 04/19/24 05:32 AM - Last Modified 09/25/25 04:01 AM


Objective


To mitigate high Configuration Memory usage caused by the configuration size reaching the device capacity limit. The root cause is identified by an increase in VSYS Config Allocator Usage, reported by the command 'debug dataplane show cfg-memstat statistics', that coincides with an increase in the firewall's configuration size.


Environment


  • Palo Alto Firewall
  • Configuration memory usage
  • Configuration size


Procedure


  1. Check the Firewall's Configuration Memory usage using CLI command:
admin@Lab> debug dataplane show cfg-memstat statistics
Policy cache usage threshold = 100%
VSYS Config Allocator Usage  : 274432KB (91% of 299904KB)
Current config memory usage
Misc                         : 5248  KB (Actual 5056  KB)
Custom URL                   : 122880 KB (Actual 122752 KB)
Global                       : 8704  KB (Actual 8626  KB)
vsys1                        : 16768 KB (Actual 15756 KB)

Last config memory usage
Misc                         : 512   KB (Actual 323   KB)
Custom URL                   : 119296 KB (Actual 0     KB)
Global                       : 8704  KB (Actual 8626  KB)

If the "Current config memory usage" is at or above 50% of the total config memory (299904KB in this example), the next commit is likely to fail.
  2. Reduce the number of Address, Address Group, Service, Service Group, FQDN and EDL objects.
  3. Delete unused policies like:
  • Security
  • NAT  
  • QoS 
  • Policy Based Forwarding 
  • Decryption 
  • Tunnel Inspection 
  • Application Override 
  • Authentication 
  • DoS Protection 
  • SD-WAN.
NOTE: Use Tips & Tricks: How to Identify Unused Policies on a Palo Alto Networks Device to determine which unused policies can be deleted. Although the article focuses on Security Policy, the same principle can be applied to other policies.
 
  4. For Panorama managed Firewall:
    1.  Consider unchecking "Share Unused Address and Service Object with Devices"
    2.  Revisit your device-group hierarchy: consider placing the firewall(s) with a lower capacity limit under a different device-group than the firewall(s) with a higher capacity limit.
  5. If, even after following the recommendations listed above, you are unable to reduce the configuration below the capacity limit of the firewall, consider upgrading to a higher capacity platform.

Note: Current config memory usage = Misc + Custom URL + Global + vsys1 usage
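The check in step 1 and the formula in the note above can be automated. The following script is an added example, not part of the article or a Palo Alto Networks tool: it parses the text of 'debug dataplane show cfg-memstat statistics' (the article's own sample output is embedded as constructed input so it runs offline), sums the "Current config memory usage" entries, compares the result with 50% of the total config memory, and reports the largest contributor so you know which object type to reduce first. The 50% threshold and the line layout it expects are taken from this article; the function and variable names are the example's own.

```python
import re

# Constructed sample input: the CLI output reproduced in this article.
# In practice, paste the output of
#   debug dataplane show cfg-memstat statistics
# into this string or read it from a file.
SAMPLE_OUTPUT = """\
Policy cache usage threshold = 100%
VSYS Config Allocator Usage  : 274432KB (91% of 299904KB)
Current config memory usage
Misc                         : 5248  KB (Actual 5056  KB)
Custom URL                   : 122880 KB (Actual 122752 KB)
Global                       : 8704  KB (Actual 8626  KB)
vsys1                        : 16768 KB (Actual 15756 KB)

Last config memory usage
Misc                         : 512   KB (Actual 323   KB)
Custom URL                   : 119296 KB (Actual 0     KB)
Global                       : 8704  KB (Actual 8626  KB)
"""

# Header line carrying allocator usage and the total config memory.
ALLOCATOR_RE = re.compile(
    r"VSYS Config Allocator Usage\s*:\s*(\d+)KB\s*\((\d+)% of (\d+)KB\)")
# Per-area line: "<name> : <allocated> KB (Actual <actual> KB)".
ENTRY_RE = re.compile(r"^(\S.*?)\s*:\s*(\d+)\s*KB\s*\(Actual\s+(\d+)\s*KB\)")

CURRENT_SECTION = "Current config memory usage"
COMMIT_RISK_THRESHOLD = 0.5  # article: >= 50% means the next commit is likely to fail


def parse_cfg_memstat(text):
    """Parse cfg-memstat output into total/allocator sizes and per-section entries."""
    stats = {"total_kb": None, "allocator_kb": None, "sections": {}}
    section = None
    for line in text.splitlines():
        m = ALLOCATOR_RE.search(line)
        if m:
            stats["allocator_kb"] = int(m.group(1))
            stats["total_kb"] = int(m.group(3))
            continue
        if line.strip().endswith("config memory usage"):
            section = line.strip()
            stats["sections"][section] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            stats["sections"][section][m.group(1).strip()] = {
                "allocated_kb": int(m.group(2)),
                "actual_kb": int(m.group(3)),
            }
    return stats


def current_usage_kb(stats):
    """Current config memory usage = Misc + Custom URL + Global + vsys usage."""
    entries = stats["sections"].get(CURRENT_SECTION, {})
    return sum(e["allocated_kb"] for e in entries.values())


def largest_contributor(stats):
    """Return (name, allocated_kb) of the biggest area in the current config."""
    entries = stats["sections"].get(CURRENT_SECTION, {})
    name = max(entries, key=lambda k: entries[k]["allocated_kb"])
    return name, entries[name]["allocated_kb"]


def assess(stats, threshold=COMMIT_RISK_THRESHOLD):
    """Apply the article's rule: at or above 50% of total, the next commit is at risk."""
    used = current_usage_kb(stats)
    ratio = used / stats["total_kb"]
    return {
        "current_kb": used,
        "total_kb": stats["total_kb"],
        "ratio": ratio,
        "commit_at_risk": ratio >= threshold,
        "headroom_kb": int(threshold * stats["total_kb"]) - used,
    }


if __name__ == "__main__":
    s = parse_cfg_memstat(SAMPLE_OUTPUT)
    a = assess(s)
    print(f"current usage: {a['current_kb']} KB of {a['total_kb']} KB "
          f"({a['ratio']:.1%}), commit at risk: {a['commit_at_risk']}")
    print("largest contributor: %s (%d KB)" % largest_contributor(s))
```

With the article's sample, the current usage sums to 153600 KB, which is about 51% of 299904 KB, so the script flags the next commit as at risk and names Custom URL (122880 KB) as the area to trim first. A negative headroom value tells you how many KB must be freed before the configuration falls back under the 50% line.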



Additional Information


During commits, the firewall's total config memory must accommodate two copies: the current 'in-use' configuration and the new 'to-be-used' configuration. If the memory allocated to one configuration exceeds 50% of the total, the firewall is at capacity, which can lead to commit failures and system instability.

Key impacts include:

  1. Configuration Commit Failures: New changes to firewall rules or objects may not be saved or applied.
  2. Policy Enforcement Degradation: The inability to update or push new policies could leave security gaps.
  3. Increased Latency in Management Operations: UI/CLI responsiveness may slow down.
  4. Reduced Operational Flexibility: This limits the ability to make urgent changes in response to dynamic threats or network conditions.
  5. Risk of Service Disruption: In extreme cases, heartbeat failure could potentially cause DP or MP crashes and trigger an HA failover.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrN8CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail