CPU usage on the management plane (MP) can sometimes be quite high and lead to other issues. We'll show you how to reduce MP usage in a series of Tips & Tricks.
A common cause of a high MP CPU load is logging and reporting.
By default, every session is logged at end. Additionally, you can opt to enable logging at start for better visibility on the morphology of applications traversing the firewall, or to simply have more data available for forensic analysis. You may also be required to log the drop-all rule at the end of the policy. These options and more logging actions cause the logrcvr process to consume more resources.
To let the system produce reports more easily, several helper processes parse and prepare the log files ahead of report generation. These helpers consume even more resources as the number of logs to process grows. The `top` output below, taken on a management plane under sustained load, shows logrcvr and mgmtsrvr taking most of the CPU, with the report indexer (genindex.sh) running as well:

```
top - 12:05:07 up 511 days, 23:31,  0 users,  load average: 5.59, 5.76, 5.86
Tasks:  96 total,   2 running,  93 sleeping,   1 stopped,   0 zombie
Cpu(s): 28.5%us, 54.4%sy,  3.7%ni, 11.7%id,  0.1%wa,  0.1%hi,  1.5%si,  0.0%st
Mem:    995888k total,   937788k used,    58100k free,    47356k buffers
Swap:  2008084k total,   981484k used,  1026600k free,    91776k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2336 root      20   0  287m  77m 2100 S  112  8.0   1:16:58 logrcvr
 2307 root      20   0 1014m 132m 2656 S   73 13.6   1:41:41 mgmtsrvr
26958 root      30  10  3996 1128  920 R    8  0.1   1:24.12 genindex.sh
 8811 root      30  10  4468 1020  800 R    1  0.1   0:00.18 top
    1 root      20   0  1836  552  528 S    0  0.1   0:08.07 init
    2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd
```
When the management plane is under continuous high load, consider reducing the amount of logging. Here are a few options:
- Some applications may not need to be logged at all. DNS, for example, tends to be extremely chatty and generates a large number of log entries that may not be vital to the organization; disabling logging on the rule that allows it removes those entries.
Note that threat logs are generated by threat protection, so disabling logging in the security policy only stops traffic logs from being generated.
- Some URL categories may be benign and permissible within the organization. Setting the URL filtering action for such a category to allow (rather than alert) prevents a URL log from being written each time the category is accessed.
- Report generation can also consume considerable resources, and some pre-defined reports may not be useful to the organization or may have been replaced by a custom report. These pre-defined reports can be disabled from Device > Setup > Logging and Reporting Settings.
I welcome comments and suggestions in the section below.
Thanks for reading!
See also Reducing Management Plane Load Part 2 at https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Reducing-Management-Plane-Load-Part-2/ta-p/66874
Tom Piens