A company has recently migrated their branch office’s PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama
They notice that commit times have drastically increased for the PA-220S after the migration
What can they do to reduce commit times?
A. Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.
B. Update the apps and threat version using device-deployment
C. Perform a device group push using the "merge with device candidate config" option
D. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.
Answer: A
Explanation:
According to the Palo Alto Networks documentation1, disabling “Share Unused Address and Service Objects with Devices” in Panorama Settings is a possible solution to reduce commit times for firewalls managed by Panorama. This option prevents Panorama from pushing address and service objects that are not used in any policy rules to the firewalls, which can reduce the size of the configuration and improve the commit performance. Therefore, the correct answer is A.
The other options are not relevant or effective for reducing commit times:
✑ Update the apps and threat version using device-deployment: This option would not help because it is not related to the commit process. Updating the apps and threat version using device-deployment is a feature that allows Panorama to distribute content updates to firewalls without requiring a commit2.
✑ Perform a device group push using the “merge with device candidate config” option: This option would not help because it is not related to the commit performance. Performing a device group push using the “merge with device candidate config” option is a feature that allows Panorama to merge the local changes on a firewall with the Panorama configuration without overwriting them3.
✑ Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config: This option would not help because it is not related to the commit performance. Using “export or push device config bundle” is a feature that allows Panorama to export or push a complete configuration bundle to a firewall, which can be useful for troubleshooting or migrating configurations4.
References:
1: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleLCAS
2: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewalls/manage-content-updates-on-managed-firewalls/update-the-apps-and-threats-version-using-device-deployment
3: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewalls/manage-firewall-configurations/perform-a-device-group-push-using-the-merge-with-device-candidate-config-option
4: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewalls/manage-firewall-configurations/use-export-or-push-device-config-bundle-to-ensure-that-the-firewall-is-integrated-with-the-panorama-config
Latest PCNSE Dumps Valid Version with 280 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund