How to reduce the number of IKE Gateway configured on the Firewall
Created On 03/22/23 22:32 PM - Last Modified 11/29/23 17:28 PM
Objective
- Check the maximum number of IKE Gateways supported by the Firewall.
- Check the current number of configured IKE Gateways on the Firewall.
- Reduce the number of IKE Gateways on a locally managed Firewall.
- Reduce the number of IKE Gateways on a Panorama-managed Firewall.
Environment
- NGFW
- IKE Gateways
Procedure
- Check the maximum capacity of IKE Gateways for your Firewall.
- Use Firewall CLI:
show system state filter cfg.general.max* | match ike
- Note: If the value is listed in hexadecimal format (0x prefix), it needs to be converted to decimal. Most recent platforms and PAN-OS versions list the value in decimal.
- Use the Product Selection web page: click Show More under your platform name to find the Max IKE Peers value.
- For a VM-Flex Firewall running a version lower than 10.2.x, refer to Maximum Limits Based on Tier and Memory. For versions 10.2.x and higher, refer to Maximum Limits Based on Tier and Memory. Note that the memory size (memory profile) determines the capacity of the firewall. Check the memory profile "vm-cap-tier:" in the output of the FW CLI command:
> show system info
- Check the current number of IKE Gateways from NETWORK > Network Profiles > IKE Gateways.
- For locally managed Firewall:
- Delete the unused IKE Gateways configured under NETWORK > Network Profiles > IKE Gateways.
- To check if an IKE Gateway object is used in an IPsec tunnel configuration, click the drop-down arrow next to its name; then click Global Find.
- For a Panorama-managed Firewall:
- Revisit your device-group hierarchy: consider placing the FW(s) with a lower capacity limit under a different device group than the FW(s) with a higher capacity limit.
- Delete the unused IKE Gateways configured under Device Groups > NETWORK > Network Profiles > IKE Gateways.
- If, even after following the recommendations listed above, you are unable to reduce the number of IKE Gateways below the capacity limit of the FW, then:
- For a hardware FW, consider upgrading to a higher-capacity platform.
- For a VM-Flex FW running a version lower than 10.2.0, consider upgrading to a version greater than 10.2.0 to take advantage of the increased configuration capacity offered by the Memory Scaling of the VM-Series Firewall feature. Also consider increasing the FW memory/RAM to increase the capacity of your VM-Flex FW.
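The capacity check described in the Procedure (read the maximum from the `show system state` output, convert a hexadecimal value if needed, and compare it with the number of configured IKE Gateways) as a small helper. This is an added example, not part of the original article or of PAN-OS; the state-key names and the sample output are constructed assumptions and will differ on a real firewall.

```python
import re

# Constructed sample output of
#   show system state filter cfg.general.max* | match ike
# Key names and values are assumptions for illustration only.
SAMPLE_HEX = """cfg.general.max-ike-gateway: 0x3e8
cfg.general.max-ike-sa: 0x7d0
"""
SAMPLE_DEC = """cfg.general.max-ike-gateway: 1000
cfg.general.max-ike-sa: 2000
"""

# One "key: value" line; the value may be decimal or 0x-prefixed hex.
LINE_RE = re.compile(r"^\s*(?P<key>cfg\.general\.max[\w.-]*):\s*(?P<val>\S+)\s*$")


def parse_limits(output: str) -> dict:
    """Parse the filtered state output into {key: integer limit}."""
    limits = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts, banners, blank lines
        # int(x, 0) honours a 0x prefix and otherwise parses decimal,
        # so both output formats described in the article are handled.
        limits[m.group("key")] = int(m.group("val"), 0)
    return limits


def ike_gateway_headroom(output: str, configured: int,
                         key: str = "cfg.general.max-ike-gateway") -> dict:
    """Compare the platform maximum with the configured gateway count."""
    limits = parse_limits(output)
    if key not in limits:
        raise KeyError(f"{key} not present in state output")
    maximum = limits[key]
    return {
        "max": maximum,
        "configured": configured,
        "headroom": maximum - configured,
        "over_limit": configured > maximum,
    }


if __name__ == "__main__":
    # Hypothetical count taken from NETWORK > Network Profiles > IKE Gateways
    print(ike_gateway_headroom(SAMPLE_HEX, configured=1200))
```

A negative headroom tells you how many gateways must be removed (or how much capacity the platform must gain) before the configuration fits the limit.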