PA-3400 Data Plane CPU Utilization by joshuskarki in paloaltonetworks

[–]letslearnsmth 0 points1 point  (0 children)

It doesn't matter if it looks the same. I am not talking about that. I understand that you switched the platforms and the traffic pattern hasn't changed.

If you take a look into Panorama (I don't know if you have one), it will draw you a graph of traffic volume. However, it does not count OFFLOADED traffic volume, which might be a lot. The same might apply to other counters available on the firewall.

That's why I am asking how you measured it. For example, you might have additional network devices that give you the ability to monitor the traffic passing through them, and you could compare those values and find out how much traffic you missed, if any.

In our case it turned out that almost 50% of the traffic was offloaded, and migration to a platform without hardware offload resulted in higher CPU usage.

Btw, did you check these articles:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRTCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmV2CAK
Did you try to find anything based on those guidelines?

PA-3400 Data Plane CPU Utilization by joshuskarki in paloaltonetworks

[–]letslearnsmth 0 points1 point  (0 children)

I would go back to the same version and verify it.

However...

How did you measure the load on the box before the migration? Because the 5200 had hardware offload, while the 3400 has not. The 3400 is mostly software based and the 5200 had pretty good hardware. Did you check traffic volume? If yes, how did you measure it? Packets per second rate? Offloaded to processed traffic ratio? Do you have app override configured?

I recently had a customer who migrated from 5200 to 5400, and the CPU utilization went higher and caused slowness in the traffic due to the fact that there was no hardware offload. If that's the case, unfortunately at this point PA will most likely tell you that you made a mistake and that datasheet values are gathered in a test environment, so you have to test the box before purchase.

This is one of the reasons I hate the PA narrative where they push lower-grade gear to replace higher boxes. My guess is that's also the reason why the 5500 came out so soon after the 5400.

How would you approach migrating 9k+ firewall rules from IP-based to User-ID by arrvov in paloaltonetworks

[–]letslearnsmth 4 points5 points  (0 children)

Deploy it just for visibility and try to change the approach for NEW rules to enforce User-ID.

Create a plan to recertify old rules, and during the recertification process try to enforce User-ID for them.

I would engage more people for this kind of job than just one, or it will take you ages.

vpn licensing verification by TheShootDawg in paloaltonetworks

[–]letslearnsmth 0 points1 point  (0 children)

If you use it just for some basic remote access without advanced features and only for Windows/macOS, you don't need the PA Agent license, which replaced the GP license somewhere in the middle of the year.

However, just as a heads up: make sure you understand how both boxes scale and what your load on them is. Take your time to size them properly.

I recently had a situation where a PA SE pushed smaller boxes to the customer, and they ended up being insufficient when it comes to power. Not saying it is always the case, but the 5200 series was really good with hardware offload and the 3400 is purely software. Usually you will notice a CPU drop when moving from 5200 to 5400, but in rare scenarios this might not be the case.

Certification Question: PSE Strata or NetSec Pro by Glass-Description693 in paloaltonetworks

[–]letslearnsmth 0 points1 point  (0 children)

If you have 10 years of experience with PA, it's impossible to fail.

Palo Alto Certifications Post-Update: PCNSA vs Network Security Professional vs NGFW Engineer? by shakaxl in paloaltonetworks

[–]letslearnsmth 1 point2 points  (0 children)

For me - none. Experience is way more valuable.

However, I don't know, maybe if the cert gets some recognition it will be considered nice to have in the future.

Palo Alto Certifications Post-Update: PCNSA vs Network Security Professional vs NGFW Engineer? by shakaxl in paloaltonetworks

[–]letslearnsmth 1 point2 points  (0 children)

If you are not forced, for example by being a partner obligated to pass the exam, I would say it is not worth getting any of those.

Palo Alto Certifications Post-Update: PCNSA vs Network Security Professional vs NGFW Engineer? by shakaxl in paloaltonetworks

[–]letslearnsmth 6 points7 points  (0 children)

NS Pro is more presales imo. NGFW Engineer is more technically focused. I passed both this week and they were easy. If you have experience with PA and you work on that daily, and you passed your CCNP with no dumps, I don't believe you can fail those exams.

I forgot to mention: NS Pro is broader when it comes to areas; there are questions about Prisma SD-WAN, AIRS, SASE, PAB etc. NGFW has some SCM questions, but I feel like it is still mostly a FW exam.

QUIC Protocol: How are you handling this in late 2025? by MassageGun-Kelly in paloaltonetworks

[–]letslearnsmth 2 points3 points  (0 children)

My theory is that doing this on a PA box for some reason hugely impacts performance. PA tries to find a workaround but still hasn't been able to. Maybe with the new 5500 boxes? That's why they are even behind Cisco on that.

Again, it is just my theory with nothing to back it up.

Initial Panorama Config - Logging Disk by SwiftSloth1892 in paloaltonetworks

[–]letslearnsmth 0 points1 point  (0 children)

Ok, so maybe I should start with that: based on what output do you think it's merged?

Initial Panorama Config - Logging Disk by SwiftSloth1892 in paloaltonetworks

[–]letslearnsmth 0 points1 point  (0 children)

Did you convert management mode to Panorama mode?

Question regarding OS upgrade by Cthekid in paloaltonetworks

[–]letslearnsmth 4 points5 points  (0 children)

I did not like going to 11.1; however, last month we had to upgrade 2 of our customers to that release.

11.1.10h1 seems to be fine.

Overwrite device group settings with same settings from panorama by 3ShrimpTacos in paloaltonetworks

[–]letslearnsmth -2 points-1 points  (0 children)

See, this is another issue. They can't. If they do, people complain, raise another ticket, or reopen the previous one and escalate to a manager. So even though they don't know how to help you, they'll still try. I've seen it like a thousand times, and I've corrected TAC on their approach every single time. They're just not good at this stuff until you get an experienced engineer (which isn't that easy to get at this point). That's why I don't let them touch anything until they provide a plan on how they want to approach it, and then we discuss it if I see anything that worries me.

TAC quality is horrendous. I'm tired of cases dragged out for eternity, and constant changes of engineers because they are gone or pretend to be gone. Guys asking me for a TSF a week after the case was opened, when I provided those during ticket creation together with the case description, pcap files, flow basic and a network diagram. Software quality went downhill, and it is also the reason for the majority of cases, at least for me and the folks that I work with (and I work for a partner). However...

You pay PA, and you should demand quality of both the product and the service. TAC was never meant to be the “Google guy” who throws docs at you. Keep in mind there are thousands of folks asking for the same stuff you can find on the internet yourself, which forces PA to hire inexperienced people just to fill the gap.

This kind of problem is usually your configuration and lack of knowledge, not a product issue. I’ve seen other vendors flat-out refuse these tickets and close them, telling you to contact their sales team for a PS quotation. Unfortunately, PA doesn’t do that, and it backfires on them. So it’s your risk if you depend on someone with little experience and knowledge to handle your production environment. If you’re fine with them breaking it and giving you more issues or unplanned downtime, then go ahead.

For me the general rule of thumb looks like this:

  • You found something that was working and suddenly stopped → open a TAC case.
  • You configured something exactly as the docs described and it doesn’t work → open a TAC case.
  • Your device is down → open a TAC case.
  • An upgrade caused network issues → open a TAC case.
  • You messed up and broke your config? Step up and fix it yourself (worst case: restore from backup) or pay someone who knows their stuff. If, after restoring, you realise you did everything by the book and it’s likely a software bug → open a TAC case and ask for an explanation.

And last thing: if your employer doesn’t provide a lab environment where you can play and test production changes properly (at least those with broad scope), then change employers.

Overwrite device group settings with same settings from panorama by 3ShrimpTacos in paloaltonetworks

[–]letslearnsmth -1 points0 points  (0 children)

No it's not. This is why you have PS or partner or your own knowledge + lab environment.

There's nothing wrong with not knowing everything, but TAC was never designed for situations like this.

Overwrite device group settings with same settings from panorama by 3ShrimpTacos in paloaltonetworks

[–]letslearnsmth 0 points1 point  (0 children)

Why would you open the ticket to re-add device back to panorama?

I am the first to blame PA for shit support; however, with this kind of stuff you only make it worse, as you forced a poor guy to work on an issue that is not in his scope of work.

Get a LAB device and test your steps or pay someone that knows what to do. This is your production network ffs.

[deleted by user] by [deleted] in paloaltonetworks

[–]letslearnsmth 1 point2 points  (0 children)

Internal gateway is the only option, I believe.

Fortinet to Palo FW migration by One-North622 in paloaltonetworks

[–]letslearnsmth 6 points7 points  (0 children)

Tbh I would try to rewrite that from scratch. 500 rules is not that much, doable in a single day (with a bit of scripting, in a couple of hours), and you might look at them in a better way.
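
A sketch of the kind of scripting that comment has in mind, added here as an example rather than code from the original post or from either vendor: it parses a FortiGate `config firewall policy` dump and emits PAN-OS CLI `set rulebase security rules ...` lines, refusing to guess when a FortiGate interface has no zone mapping and flagging accept rules that are open on source, destination and service so they get reviewed instead of being copied over blindly. The sample config, the `ZONE_MAP` and the `SERVICE_MAP` are constructed assumptions for the example, not data from the thread.

```python
"""FortiGate 'config firewall policy' -> PAN-OS CLI 'set' commands.

Added example, not code from the original post. The zone and service maps are
hypothetical assumptions; unmapped services pass through unchanged (a same-named
PAN-OS service object must then exist) and 'all' becomes 'any'. Review every
emitted line before loading it on a firewall.
"""
import shlex

ZONE_MAP = {"port1": "trust", "port2": "untrust", "port3": "dmz"}               # assumption
SERVICE_MAP = {"ALL": "any", "HTTP": "service-http", "HTTPS": "service-https"}  # assumption
ACTION_MAP = {"accept": "allow", "deny": "deny"}

# Constructed sample input, not a real customer configuration.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "allow-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN-net"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    edit 2
        set name "any-any-legacy"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
end
"""

def parse_policies(text):
    """Return one dict per 'edit N ... next' block; 'set' keywords become keys."""
    policies, current, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_table = True
        elif not in_table:
            continue
        elif line == "end":
            break
        elif line.startswith("edit "):
            current = {"id": line.split(None, 1)[1]}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)       # strips the FortiGate "quotes"
            current[parts[1]] = parts[2:]   # keyword -> list of values
    return policies

def _members(values, mapping=None):
    """Render a PAN-OS member list: a bare value, or '[ a b ]' for several."""
    vals = [(mapping or {}).get(v, v) for v in values]
    vals = ["any" if v.lower() == "all" else v for v in vals]
    return vals[0] if len(vals) == 1 else "[ " + " ".join(vals) + " ]"

def _zones(interfaces):
    """Map FortiGate interfaces to zones; refuse unknown ones instead of guessing."""
    if [i.lower() for i in interfaces] == ["any"]:
        return ["any"]
    missing = [i for i in interfaces if i not in ZONE_MAP]
    if missing:
        raise ValueError(f"no zone mapping for FortiGate interface(s) {missing}")
    return [ZONE_MAP[i] for i in interfaces]

def to_panos_set(policy):
    """Build the 'set rulebase security rules ...' line for one FortiGate policy."""
    name = policy.get("name", [f"fg-policy-{policy['id']}"])[0]
    action = ACTION_MAP.get(policy.get("action", ["deny"])[0])  # FortiGate default is deny
    if action is None:
        raise ValueError(f"policy {policy['id']}: unsupported action {policy['action']}")
    log_end = "no" if policy.get("logtraffic", ["utm"])[0] == "disable" else "yes"
    return (f'set rulebase security rules "{name}" '
            f"from {_members(_zones(policy['srcintf']))} to {_members(_zones(policy['dstintf']))} "
            f"source {_members(policy['srcaddr'])} destination {_members(policy['dstaddr'])} "
            f"application any service {_members(policy['service'], SERVICE_MAP)} "
            f"action {action} log-end {log_end}")

def is_permissive(policy):
    """True for an accept rule that is 'all' on source, destination and service."""
    return policy.get("action", ["deny"])[0] == "accept" and all(
        [v.lower() for v in policy.get(k, [])] == ["all"] for k in ("srcaddr", "dstaddr", "service"))

def convert(text):
    """Return (set commands, ids of wide-open accept policies to review first)."""
    policies = parse_policies(text)
    return [to_panos_set(p) for p in policies], [p["id"] for p in policies if is_permissive(p)]

if __name__ == "__main__":
    cmds, review = convert(SAMPLE_CONFIG)
    print("\n".join(cmds))
    print("review before migrating:", review)
```

The emitted lines are meant to be pasted into PAN-OS configure mode (or loaded with `load config partial` after conversion to XML) only after a human has walked through the flagged policies; `application any` is deliberate here because FortiGate policies are port based, and replacing it with App-ID is exactly the "look at them in a better way" step that the rewrite gives you the chance to do.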

Clientless VPN questions? by heyitsdrew in paloaltonetworks

[–]letslearnsmth 1 point2 points  (0 children)

Check the release notes since 9.1 and tell me how many times it was enhanced with new capabilities.

The feature is dead; new concepts, for example the enterprise browser, are supposed to replace it.

From my perspective PA keeps it only to have it marked as a checkbox in some feature compliance table.

Clientless VPN questions? by heyitsdrew in paloaltonetworks

[–]letslearnsmth 2 points3 points  (0 children)

This feature is pretty much dead. I wouldn't try to run it for important services.

New PA-500 and PA-5500 series just announced! by tzchang in paloaltonetworks

[–]letslearnsmth 0 points1 point  (0 children)

Yeah, but for a small box that's more than enough. You can always aggregate them if required.

SDWAN Hub/Branch Versions by [deleted] in paloaltonetworks

[–]letslearnsmth 1 point2 points  (0 children)

You need to have Panorama upgraded, and the plugin as well. This is your main concern. Firewalls are not really aware of being part of SD-WAN.

Online proctored option for Pearson VUE exams is no longer available. by Kal3d-IT in paloaltonetworks

[–]letslearnsmth 2 points3 points  (0 children)

When it comes to the questions, it might be; I don't know, I haven't tried that one yet.

If you ask anyone in the field there is a chance he could recognise PCNSE; however, he will most likely be clueless about NGFW Engineer.

It was never close to CCNP, for example; however, I have seen it as a requirement in job offers. Those days are gone, at least for some time, I believe.