Understanding Free Memory vs. Available Memory on Firewalls: Best Practices for Monitoring

admin@Lab35-166-PA-3420> show system resources

top - 01:38:06 up 42 days, 22:53,  2 users,  load average: 13.37, 13.38, 13.54
Tasks: 340 total,  14 running, 325 sleeping,   0 stopped,   1 zombie
%Cpu(s): 87.5 us,  1.1 sy,  0.0 ni, 10.9 id,  0.0 wa,  0.4 hi,  0.0 si,  0.0 st
MiB Mem :  31402.7 total,    497.4 free,  23383.7 used,   7521.7 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.   4926.0 avail Mem 

1. What is the difference between Free mem and Avail Mem?
2. Why Free Mem have a lower value than Avail Mem?
3. Which is of the two is the recommended Metrics to use in production?
4. Is avail Mem part of the Swap Memory?
5. What SNMP MIB used to track Avail Mem?
6. Where can I download PAN-COMMON-MIB?
7. In which version is avail Mem supported in SNMP?
8. What are the supported Platform?
9. Why is the value I obtain from the output of 'show system resource' different from the SNMP output?
10. I have implemented monitoring of avail Mem via SNMP. Now, how do I use it?

• Palo Alto Firewalls
• PAN-OS 11.x
• Memory

1. Free Memory (497.4 MiB)

•  This refers to the memory that is completely unused by any applications or the operating system. It is not currently in use for anything.
• A legacy method of monitoring unused memory.

• Available memory includes both the free memory and memory that is currently used by the operating system for caching and buffering. This memory can be quickly reclaimed by applications if needed, making it "available" even though it's currently in use.
• The latest method of monitoring unused memory

2. The Operating System use as much memory as possible for things like disk caching to improve performance. This memory is technically in use, but it's not dedicated to any specific application, so it can be made available quickly if needed. Hence, the free memory is low, but the available memory is higher because it includes these buffers and caches
3. Available memory gives a better picture of how much memory is actually available for new tasks, Hence it is recommended to use the metric in tracking the available memory resource of the firewall.

4. No, although the output of the command shows 'avail Mem' in line with 'Swap,' note that the value 4926.0 is preceded by a period, indicating the separation between 'Swap' and 'avail Mem.'

5. [root@Lab35-166-PA-3420 mibs]# snmpwalk -v2c -c public localhost PAN-COMMON-MIB::panhrStorage          
   
   ----Snipped for Brevity-----
   
   PAN-COMMON-MIB::panhrStorageAvailable.1010 = INTEGER: 0
   PAN-COMMON-MIB::panhrStorageAvailable.1011 = INTEGER: 0
   PAN-COMMON-MIB::panhrStorageAvailable.1012 = INTEGER: 0
   PAN-COMMON-MIB::panhrStorageAvailable.1020 = INTEGER: 5043688
   PAN-COMMON-MIB::panhrStorageAvailable.1030 = INTEGER: 0
   PAN-COMMON-MIB::panhrStorageAvailable.1040 = INTEGER: 0
   PAN-COMMON-MIB::panhrStorageAvailable.1041 = INTEGER: 0
   PAN-COMMON-MIB::panhrStorageAvailable.1042 = INTEGER: 0
   

6. Enterprise SNMP MIB File
7. PAN-OS version 11.1 and above
8. PA-400, PA-1400, PA-3400, PA-5400f and PA-5400
9. This is expected, SNMP obtain its value from the SDB resource, as seen below, and not from the output of 'show system resource'

admin@Lab35-166-PA-3420> show system state filter resource.s1.mp.memory

resource.s1.mp.memory: { 'avail': 0x4cf5e8, 'size': 0x1eaaad0, 'units': 1024, 'used': 0x170d0f0, }

         Although their respective value aren't identical, they are close.

10. The historical data you collect should provide firsthand information about whether a memory leak is occurring in the firewall. If the trend of the graph shows a consistent decline, and your traffic volume remains stable over time, this may indicate a memory leak.