How to reduce the number of FQDN Address Objects configured on the Firewall
Created On 03/22/23 17:51 PM - Last Modified 11/29/23 17:30 PM
Objective
- Check the maximum number of FQDN Address Objects supported by the Firewall.
- Check the current number of configured FQDN Address Objects on the Firewall.
- Reduce the FQDN Address Objects of a locally managed Firewall.
- Reduce the FQDN Address Objects of a Panorama managed Firewall.
Environment
- NGFW
- FQDN Address Objects
Procedure
- Check the maximum capacity of FQDN Address Objects for your Firewall.
- On the Product Selection web page, click Show More under your platform name to find the maximum number of FQDN address objects.
- For a VM-Flex Firewall running a version lower than 10.2.x, refer to Maximum Limits Based on Tier and Memory. For versions 10.2.x and higher, refer to Maximum Limits Based on Tier and Memory. Note that the memory size (memory profile) determines the capacity of the firewall. Check the memory profile "vm-cap-tier:" in the output of the FW CLI command:
> show system info
- Check the current number of FQDN Address Objects from CLI:
- For FW with one vsys:
> configure
# show address | match fqdn
Note: Copy the output of that command into Notepad++, then Find (Ctrl+F) the keyword "fqdn" and click the Count button.
- For FW with multi-vsys:
> configure
# show vsys vsys1 address | match fqdn
Note: Copy the output of that command into Notepad++, then Find (Ctrl+F) the keyword "fqdn" and click the Count button. Repeat for each vsys, then add the number of FQDN Address Objects found under each vsys to get the total number of FQDN Address Objects configured on the FW.
- Reduce the number of FQDN Address Objects:
- For locally managed Firewall:
- To check whether an FQDN Address Object is used in a security rule or any other Firewall configuration, click the drop-down arrow next to its name, then click Global Find.
- Delete the unused FQDN Address Objects configured under OBJECTS > Addresses.
- For Panorama managed Firewall:
- Consider unchecking "Share Unused Address and Service Objects with Devices".
- Revisit your device-group hierarchy: consider placing the FW(s) with lesser capacity limit under a different device-group than the FW(s) with a higher capacity limit.
- Reduce the number of FQDN Address Objects configured under Device Groups > OBJECTS > Addresses.
- If, even after following the recommendations listed above, you are unable to reduce the number of FQDN Address Objects below the capacity limit of the FW, then:
- For a hardware FW, consider upgrading your FW to a higher-capacity platform.
- For a VM-Flex FW, if it is running a version lower than 10.2.0, consider upgrading to a version of 10.2.0 or higher to take advantage of the increased configuration capacity offered by the Memory Scaling feature of the VM-Series Firewall. Also consider increasing the FW memory/RAM to increase the capacity of your VM-Flex FW.
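The counting step above relies on "| match fqdn" plus a manual Notepad++ count, which also matches objects whose name or description merely contains "fqdn". The script below is an added example, not part of this article or of PAN-OS: it counts only lines whose first token is the fqdn key in a captured show address output (brace-style format assumed), sums the per-vsys captures, and shows how far the naive count drifts. The sample captures and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper: count FQDN address objects in a saved "show address" capture.
# Assumes the default brace-style config output, where each FQDN object has a
# line whose first token is "fqdn", e.g.:    fqdn www.example.com;
count_fqdn_objects() {
    # $1: file holding the captured output for one vsys
    awk '$1 == "fqdn" { n++ } END { print n + 0 }' "$1"
}

# Naive count mirroring "| match fqdn": any line containing "fqdn" anywhere.
count_fqdn_naive() {
    grep -c 'fqdn' "$1"
}

# Sum the per-vsys counts to get the firewall-wide total.
total_fqdn_objects() {
    total=0
    for f in "$@"; do
        n=$(count_fqdn_objects "$f")
        total=$((total + n))
    done
    echo "$total"
}

# Constructed sample captures resembling the output; not from a real firewall.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/vsys1.txt" <<'EOF'
address {
  update-server {
    fqdn updates.example.com;
  }
  fqdn-decoy {
    ip-netmask 10.0.0.5/32;
    description "named like an fqdn object but is not one";
  }
  mail-relay {
    fqdn smtp.example.com;
  }
}
EOF
cat > "$SAMPLE_DIR/vsys2.txt" <<'EOF'
address {
  portal {
    fqdn portal.example.com;
  }
}
EOF

echo "vsys1 exact: $(count_fqdn_objects "$SAMPLE_DIR/vsys1.txt")"   # 2
echo "vsys1 naive: $(count_fqdn_naive "$SAMPLE_DIR/vsys1.txt")"     # 4 (overcounts)
echo "total:       $(total_fqdn_objects "$SAMPLE_DIR"/vsys*.txt)"    # 3
```

Run it once per saved capture (one file per vsys on a multi-vsys FW) and compare the total against the platform limit found in step 1.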