How to reduce the number of Service Objects configured on the Firewall
9453
Created On 03/22/23 16:51 PM - Last Modified 11/29/23 17:30 PM
Objective
- Check the maximum number of Service Objects supported by the Firewall.
- Check the current number of configured Service Objects on the Firewall.
- Reduce the Service Objects of a locally managed Firewall.
- Reduce the Service Objects of a Panorama managed Firewall.
Environment
- NGFW
- Service Objects
Procedure
- Check the maximum capacity of Service Objects for your Firewall.
- Use the Firewall CLI:
show system state | match cfg.general.max-service:
- Note: If the value is listed in hexadecimal format (prefixed with 0x), convert it to decimal before comparing it with the configured count. Most recent platforms and PAN-OS versions list the value in decimal.
- Use the Product Selection web page: click Show More under your platform name to find the maximum number of Service Objects.
- For a VM-Flex Firewall running a version lower than 10.2.x, refer to the Maximum Limits Based on Tier and Memory document for that release; for versions 10.2.x and higher, refer to the Maximum Limits Based on Tier and Memory document for 10.2 and later. Note that the memory size (memory profile) determines the capacity of the firewall. Check the memory profile "vm-cap-tier:" in the output of the FW CLI command:
> show system info
- Check the current number of configured Service Objects from OBJECTS > Services.
- For a locally managed Firewall:
- Delete the unused Service Objects configured under OBJECTS > Services.
- To check whether a Service Object is used in a security rule or anywhere else in the Firewall's configuration, click the drop-down arrow next to its name, then click Global Find. Only delete an object once Global Find shows no references to it.
- Consider, when applicable, replacing a group of single-port Service Objects with one Service Object that carries a port range or a comma-separated list of ports.
- For a Panorama managed Firewall:
- Consider unchecking "Share Unused Address and Service Objects with Devices" in the Panorama settings, so that only objects referenced by the pushed policies are sent to the firewalls.
- Revisit your device-group hierarchy: consider placing the firewall(s) with a lower capacity limit in a different device group than the firewall(s) with a higher capacity limit, so that the larger object set is not pushed to the smaller platforms.
- Reduce the number of Service Objects configured under Device Groups > OBJECTS > Services.
- If, even after following the recommendations listed above, you are unable to reduce the number of Service Objects below the capacity limit of the FW, then:
- For a hardware FW, consider upgrading to a higher capacity platform.
- For a VM-Flex FW running a version lower than 10.2.0, consider upgrading to 10.2.0 or later to take advantage of the increased configuration capacity offered by the Memory Scaling feature of the VM-Series Firewall. Also consider increasing the FW memory/RAM to increase the capacity of your VM-Flex FW.
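The capacity check and the hunt for unused objects described in the procedure above, carried out offline against an exported configuration, as an added Python example. This is not code from this article or from Palo Alto Networks. It assumes the CLI line format `cfg.general.max-service: <value>` shown above and the element layout of a running-config export (devices/entry/vsys/entry with service, service-group and rulebase children); both the CLI output and the XML below are constructed samples, trimmed to the elements the script reads.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample of the firewall's reply to
#   show system state | match cfg.general.max-service:
# Older platforms print the value in hexadecimal; 0x2710 is 10000 decimal.
STATE_SAMPLE = "cfg.general.max-service: 0x2710\n"

# Constructed, heavily trimmed sample of an exported running-config.xml.
# The layout devices/entry/vsys/entry/{service,service-group,rulebase} is an
# assumption about the export format; check it against your own export.
CONFIG_SAMPLE = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <service>
      <entry name="tcp-8080"><protocol><tcp><port>8080</port></tcp></protocol></entry>
      <entry name="tcp-8081"><protocol><tcp><port>8081</port></tcp></protocol></entry>
      <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
      <entry name="udp-514"><protocol><udp><port>514</port></udp></protocol></entry>
      <entry name="tcp-old-app"><protocol><tcp><port>9000</port></tcp></protocol></entry>
    </service>
    <service-group>
      <entry name="web-alt"><members><member>tcp-8080</member><member>tcp-8081</member></members></entry>
    </service-group>
    <rulebase><security><rules>
      <entry name="allow-web-alt"><service><member>web-alt</member></service></entry>
      <entry name="allow-syslog"><service><member>udp-514</member></service></entry>
      <entry name="allow-https-alt"><service><member>tcp-8443</member></service></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

VSYS_PATH = "./devices/entry/vsys/entry"


def parse_max_service(state_output: str) -> int:
    """Return cfg.general.max-service as an int, whether printed as 0x... or decimal."""
    m = re.search(r"cfg\.general\.max-service:\s*(\S+)", state_output)
    if not m:
        raise ValueError("cfg.general.max-service not found in output")
    return int(m.group(1), 0)  # base 0 accepts both "0x2710" and "10000"


def load_services(config_xml: str) -> dict:
    """Map each locally defined service object name to (protocol, port string)."""
    services = {}
    for vsys in ET.fromstring(config_xml).findall(VSYS_PATH):
        for entry in vsys.findall("./service/entry"):
            proto = entry.find("protocol")[0]  # the <tcp> or <udp> child
            services[entry.get("name")] = (proto.tag, proto.findtext("port"))
    return services


def find_unused_services(config_xml: str) -> set:
    """Service objects referenced by no security rule and no service group.

    This looks only at the security rulebase and service groups; on the
    firewall, Global Find also covers NAT, QoS, Decryption and other policies,
    so treat the result as candidates to confirm, not as a deletion list."""
    root = ET.fromstring(config_xml)
    referenced = set()
    for vsys in root.findall(VSYS_PATH):
        for m in vsys.findall("./service-group/entry/members/member"):
            referenced.add(m.text)
        for m in vsys.findall("./rulebase/security/rules/entry/service/member"):
            referenced.add(m.text)
    return set(load_services(config_xml)) - referenced


def suggest_port_lists(services: dict, exclude=frozenset()) -> dict:
    """For each protocol with two or more single-port objects, the port list
    that one replacement object could carry (e.g. '8080,8081,8443')."""
    by_proto = {}
    for name, (proto, port) in services.items():
        if name in exclude or not port.isdigit():  # skip objects that are already ranges/lists
            continue
        by_proto.setdefault(proto, []).append(int(port))
    return {p: ",".join(str(x) for x in sorted(ports))
            for p, ports in by_proto.items() if len(ports) > 1}


def capacity_report(state_output: str, config_xml: str) -> dict:
    """Compare configured service objects with the platform limit and show the savings available."""
    services = load_services(config_xml)
    unused = find_unused_services(config_xml)
    maximum = parse_max_service(state_output)
    return {
        "max": maximum,
        "configured": len(services),
        "unused": sorted(unused),
        "after_cleanup": len(services) - len(unused),
        "headroom": maximum - len(services),
        "port_list_candidates": suggest_port_lists(services, exclude=unused),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(capacity_report(STATE_SAMPLE, CONFIG_SAMPLE))
```

Run it with the real CLI output and the real export in place of the two constructed samples. The port-list suggestion only merges objects of the same protocol whose port field is a single number; objects that already carry a range or list are left alone, and a merged object should only replace the originals in rules that actually need all of those ports together.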