A large enterprise has deployed two Palo Alto Networks PA-5250 firewalls in active/passive HA mode with Panorama for centralized management. The network contains over 10,000 users across multiple sites. Recently, the security team deployed a new security policy rule to block a set of high-risk applications. After the commit, the firewall's CPU utilization spiked to 95% and sessions started to drop intermittently. The firewall logs show a high number of session setup failures and timeouts. The existing security policy contains over 5,000 rules. The new rule uses application-based filtering and is placed near the top of the rulebase. What is the most effective course of action to reduce CPU load while maintaining security?
Threat Prevention profiles are more efficient for blocking known applications and offload processing from the policy engine.
Why this answer
The CPU spike is likely due to the heavy application identification processing required for the new rule. Option A is the most effective because using a Threat Prevention profile to block the applications offloads the processing to the threat engine, which is more efficient than application-based security rules. Option B is incorrect because moving the rule to the bottom does not reduce the number of sessions that must be matched; it may actually increase processing as rules above it are evaluated.
Option C is incorrect because service-based filtering would not effectively block the targeted applications. Option D is incorrect because increasing session table size does not reduce CPU load; it might exacerbate the issue.