A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
To reduce commit times for the PA-220s, the correct approach is to disable “Share Unused Address and Service Objects with Devices” in Panorama Settings. This will decrease the amount of configuration data pushed to each PA-220, as the number of objects that can be stored on these lower-end models is considerably lower than that of mid- to high-end models. Consequently, the configuration pushed to each firewall becomes smaller, thus significantly reducing the commit times on the firewalls.
I think A is correct. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
Your own link says this increases the commit time: Disabling Share Unused Address and Service Objects with Devices might increase the commit time on Panorama because Panorama has to dynamically check whether policy rules reference all the particular objects.
On lower-end models, such as the PA-220, consider pushing only the relevant shared objects to the managed firewalls. This is because the number of objects that can be stored on the lower-end models is considerably lower than that of the mid- to high-end models. Also, if you have many address and service objects that are unused, clearing Share Unused Address and Service Objects with Devices REDUCES the commit times significantly ON THE FIREWALLS because the configuration pushed to each firewall is smaller. However, disabling this option might INCREASE the commit time ON PANORAMA because Panorama has to dynamically check whether policy rules reference a particular object. Since the question is based around the 220's being too slow, the Answer is A.
A: because the question is for the firewall commit response time, not Pano For Panorama Disabling Share Unused Address and Service Objects with Devices might increase the commit time on Panorama because Panorama has to dynamically check whether policy rules reference all the particular objects. For PA-220 On lower-end models, such as the PA-220, consider pushing only the relevant shared objects to the managed firewalls. This is because the number of objects that can be stored on the lower-end models is considerably lower than that of the mid- to high-end models. >https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
Perfect! Right on!
I see other's saying it may make the Panorama commit take longer. Remember, on a Commit and Push, the candidate config is being pushed to both the Panorama and the Firewall(s). The question indicates the PA220 commit is taking longer. On the Panorama Administrator's guide, it says the Panorama commit can take longer when clearing "Share Unused Address and Service Objects with Devices." However, right before that it says, "if you have many address and service objects that are unused, clearing Share Unused Address and Service Objects with Devices reduces the commit times significantly on the firewalls because the configuration pushed to each firewall is smaller."
A is correct
A is valid.
THATS the correct answer for me
I don't see a correct answer at all. A would be correct if you said to enable that option, so I'm going with this question was input incorrectly.
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
I think A is correct. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
Your own link says this increases the commit time: Disabling Share Unused Address and Service Objects with Devices might increase the commit time on Panorama because Panorama has to dynamically check whether policy rules reference all the particular objects.