DX NetOps

  • 1.  Memory measurement for Palo Alto Firewall

    Posted Feb 20, 2020 10:56 AM
    Edited by Tao Yang Feb 20, 2020 03:34 PM
    We have Palo Alto devices that are always showing higher percentage utilization compared to CA-PM.

    We sent a case to CA Support but the reply was that everything from CA is correct.

    I dug a bit and found out the reason might be the Linux-based system, since Palo Alto units are Linux based.

    For example, on PA, total memory is 10000, used 8000, with cached 2000 and 2000 buffered. So on Palo Alto side, it showed Memory is 8000/10000 = 80%;

    However, for SNMP, it takes that cache/buffer into account, so the dashboard only shows (8000 - 2000 - 2000) / 10000 = 40%.

    So we have two different results on Memory Usage: 80% and 40%;

    I know one option is we don't have to do anything, just keep as it is. Because we don't have to consider cache/swap/buffer as real memory. Any comment?

    Many thanks!


    Tao Yang


  • 2.  RE: Memory measurement for Palo Alto Firewall

    Broadcom Employee
    Posted Feb 21, 2020 10:41 AM
    Tao,

    Some memory OIDs take Cached Memory into account and some do not and only look at the overall memory used.

    1. What case number did you have prior? (can private message the number to me if you want)
    2. What Vendor Cert/OIDs are being used?

    Ultimately the data we collect is only as correct as the OIDs we gather it from.  If the OIDs count cached memory as real memory and there are no other memory utilization OIDs, there is little we can do on our side and you would need to address it with the vendor, Palo Alto, at that point.

    Regards,
    Troy


  • 3.  RE: Memory measurement for Palo Alto Firewall

    Broadcom Employee
    Posted Feb 21, 2020 11:12 AM
    Tao,

    Thank you for the message and information.  I took a look at the case and it is what I had thought: it is using the Host Resources Vendor Certification, and these OIDs do not separate cached and non-cached memory.  I believe a similar cert, UC Davis Memory, does separate them but given the default Vendor Cert Priority listing the UC Davis over the Host Resources, your device likely does not support it.

    As for the deficiency in the current Palo Alto environment, you are not the only one it seems:

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsTCAS

    At this point, I would take the route I mentioned before, reach out to Palo Alto and see if they have other valid OIDs in their devices for Memory Utilization metrics, ones that do not consider Cached Memory and Memory Used.

    Regards,
    Troy


  • 4.  RE: Memory measurement for Palo Alto Firewall

    Posted Feb 21, 2020 11:21 AM
    Thanks a lot Troy! Learned a lot from you :)
    At this point, the percentage from Palo Alto is only from their CLI. So if we follow the way without cache taken into account, then we are ok. We just take whatever CA NetOps provided as real Memory Usage.

    Thanks again!

    Regards,
    Tao Yang


  • 5.  RE: Memory measurement for Palo Alto Firewall
    Best Answer

    Broadcom Employee
    Posted Feb 21, 2020 12:17 PM
    Tao,

    Anytime, I am glad to help.

    The OIDs that NetOps is using are combining memory utilization and cached memory so that is what we are displaying in the Dashboard and why it is different if you view only non-cached memory utilization.  If you want to see the utilization from an SNMP source that does not count cached as used memory, you would need to find out from Palo Alto just what OIDs they provide that can do this.

    Kind Regards
    Troy


  • 6.  RE: Memory measurement for Palo Alto Firewall

    Posted Feb 21, 2020 12:34 PM
    I guess you had a typo there?
    The one NetOps used is not taking cache as memory, that is why it's always a lower percentage compared to Palo Alto command line usage.

    Tao
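
The two percentages discussed in this thread can both be derived from a single Host Resources walk, which helps when checking which one a dashboard is showing. This is an added example, not code from any poster, from DX NetOps or from Palo Alto. The walk text is constructed from the numbers in the first post, and the `hrStorageDescr` labels are the ones a net-snmp agent on Linux uses, assumed here rather than confirmed for Palo Alto devices.

```python
import re

# Constructed sample of `snmpwalk` output for hrStorageTable (not captured from a device).
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
HOST-RESOURCES-MIB::hrStorageDescr.6 = STRING: Memory buffers
HOST-RESOURCES-MIB::hrStorageDescr.7 = STRING: Cached memory
HOST-RESOURCES-MIB::hrStorageAllocationUnits.1 = INTEGER: 1024 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.6 = INTEGER: 1024 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.7 = INTEGER: 1024 Bytes
HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 10000
HOST-RESOURCES-MIB::hrStorageSize.6 = INTEGER: 10000
HOST-RESOURCES-MIB::hrStorageSize.7 = INTEGER: 2000
HOST-RESOURCES-MIB::hrStorageUsed.1 = INTEGER: 8000
HOST-RESOURCES-MIB::hrStorageUsed.6 = INTEGER: 2000
HOST-RESOURCES-MIB::hrStorageUsed.7 = INTEGER: 2000
"""

LINE = re.compile(r"hrStorage(Descr|AllocationUnits|Size|Used)\.(\d+) = \w+: (.+)")

def parse_walk(text):
    """Group walk lines by table index, then key the rows by hrStorageDescr."""
    rows = {}
    for m in LINE.finditer(text):
        col, idx, val = m.groups()
        # Descr is a string; the other columns start with an integer ("1024 Bytes").
        rows.setdefault(idx, {})[col] = val.strip() if col == "Descr" else int(val.split()[0])
    return {r["Descr"]: r for r in rows.values() if "Descr" in r}

def memory_utilization(text):
    """Return (percent counting cache/buffers as used, percent excluding them)."""
    table = parse_walk(text)
    phys = table.get("Physical memory")
    if not phys or not phys.get("Size"):
        raise ValueError("no usable 'Physical memory' row in walk")

    def used_bytes(name):
        row = table.get(name)  # a missing row contributes nothing
        return row["Used"] * row["AllocationUnits"] if row else 0

    total = phys["Size"] * phys["AllocationUnits"]
    used = used_bytes("Physical memory")
    reclaimable = used_bytes("Memory buffers") + used_bytes("Cached memory")
    return round(100 * used / total, 1), round(100 * (used - reclaimable) / total, 1)

if __name__ == "__main__":
    print(memory_utilization(SAMPLE_WALK))
```

If the agent exposes no buffer or cache rows, both returned values are equal, which indicates the walk alone cannot separate cached from non-cached memory.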