How to reduce the number of Service Group Objects configured on the Firewall

Created On 03/21/23 16:50 PM - Last Modified 11/29/23 17:31 PM


Objective


  • Check the maximum capacity of the Firewall in the number of Service Group Objects.
  • Check the current number of configured Service Group Objects on the Firewall.
  • Reduce the Service Group Objects of a locally managed Firewall.
  • Reduce the Service Group Objects of a Panorama managed Firewall.


Environment


  • NGFW
  • Service Group Objects


Procedure


  1. Check the maximum capacity of Service Group Objects for your Firewall.
    1. Use the Firewall CLI:
      show system state | match cfg.general.max-service-group
      Note: If the value is listed in hexadecimal format (0x...), it needs to be converted to decimal. Most recent platforms and PAN-OS versions list the value in decimal.
    2. Use the Product Selection web page: click Show More under your platform name to find the maximum number of Service Groups.
    3. For a VM-Flex Firewall running a version lower than 10.2.x, refer to Maximum Limits Based on Tier and Memory. For versions 10.2.x and higher, refer to Maximum Limits Based on Tier and Memory. Note that the memory size (memory profile) determines the capacity of the firewall. Check the memory profile "vm-cap-tier:" in the output of the FW CLI command:
      > show system info
  2. Check the current number of Service Group Objects from OBJECTS > Service Groups.
    (Screenshot: how to check the number of currently configured Service Group Objects.)
    Note: If your FW is multi-vsys, add the number of items listed under each vsys to get the total number of Service Group Objects configured on the FW.
  3. For a locally managed Firewall:
    1. Delete the unused Service Group Objects configured under OBJECTS > Service Groups.
      To check whether a Service Group Object is used in a security rule or anywhere else in the Firewall's configuration, click the drop-down arrow next to its name, then click Global Find.
    2. Consider, when applicable, merging Service Groups while accounting for the maximum number of members per Service Group supported by the Firewall.
  4. For a Panorama managed Firewall:
    1. Consider unchecking "Share Unused Address and Service Objects with Devices".
    2. Revisit your device-group hierarchy: consider placing the FW(s) with a lower capacity limit under a different device group than the FW(s) with a higher capacity limit.
    3. Reduce the number of Service Group Objects configured under Device Groups > OBJECTS > Service Groups.
  5. If, even after following the recommendations listed above, you are unable to reduce the number of Service Group Objects below the capacity limit of the FW, then:
    1. For a hardware FW, consider upgrading your FW to a higher capacity platform.
    2. For a VM-Flex FW, if it is running a version lower than 10.2.0, consider upgrading to a version greater than 10.2.0 to take advantage of the increased configuration capacity offered by the Memory Scaling of the VM-Series Firewall feature. Also consider increasing the FW memory/RAM to increase the capacity of your VM-Flex FW.
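The capacity check in steps 1 and 2 above, as an added example that is not part of this article or of any Palo Alto Networks tool: it parses the `cfg.general.max-service-group` line (handling both the decimal and the 0x hexadecimal forms the note mentions), sums the per-vsys counts read from OBJECTS > Service Groups, and reports the headroom. The sample CLI lines and vsys counts are constructed, and the exact "key: value" layout of the state output is an assumption.

```python
import re

# Constructed sample lines of `show system state | match cfg.general.max-service-group`.
# The "key: value" layout is assumed; older platforms print the value as 0x-prefixed hex,
# newer ones in decimal. Both samples encode the same limit (0x1f40 == 8000).
SAMPLE_STATE_HEX = "cfg.general.max-service-group: 0x1f40"
SAMPLE_STATE_DEC = "cfg.general.max-service-group: 8000"

# Constructed per-vsys counts as read from OBJECTS > Service Groups on a multi-vsys firewall.
SAMPLE_VSYS_COUNTS = {"vsys1": 5200, "vsys2": 2100, "vsys3": 950}

_LIMIT_RE = re.compile(r"cfg\.general\.max-service-group:\s*(0x[0-9a-fA-F]+|\d+)")


def parse_max_service_groups(state_output: str) -> int:
    """Return the Service Group capacity as a decimal int, converting 0x hex when present."""
    match = _LIMIT_RE.search(state_output)
    if match is None:
        raise ValueError("cfg.general.max-service-group not found in CLI output")
    # int(..., 0) honours a 0x prefix and otherwise parses plain decimal
    return int(match.group(1), 0)


def total_service_groups(vsys_counts: dict) -> int:
    """Sum the counts of every vsys: the limit applies to the whole firewall, not per vsys."""
    return sum(vsys_counts.values())


def capacity_report(state_output: str, vsys_counts: dict) -> dict:
    """Compare configured Service Group Objects against the platform limit."""
    limit = parse_max_service_groups(state_output)
    used = total_service_groups(vsys_counts)
    return {
        "limit": limit,
        "used": used,
        "headroom": limit - used,      # negative means the configuration exceeds capacity
        "over_limit": used > limit,
    }


if __name__ == "__main__":
    print(capacity_report(SAMPLE_STATE_HEX, SAMPLE_VSYS_COUNTS))
```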