On the Firewall:
show management-server last-committed config-size
Shows the size of the locally committed configuration on the firewall itself.
show management-server candidate config-size
Includes both the local configuration and any configuration pushed from the Panorama management server.
It is usually larger than the last-committed config because it includes Panorama-pushed objects, templates, and device group configurations.
admin@PA-11.0> show management-server last-committed config-size
17955 bytes
admin@PA-11.0>
admin@PA-11.0>
admin@PA-11.0> show management-server candidate config-size
25126769 bytes
admin@PA-11.0>
If your candidate config is significantly larger than your last-committed config (as seen in the community example with ~20 MB candidate vs ~0.4 MB committed), this usually indicates accumulated Panorama-pushed objects that may need cleanup.
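Added example (not part of the original post, and not Palo Alto Networks code): a Python parser for a saved CLI session in the format shown above, which extracts both sizes and flags a large gap between them. The function names and the 10x threshold are assumptions; the page only says "significantly larger".

```python
import re

# Constructed sample: a captured CLI session in the format shown on this page.
SAMPLE_SESSION = """\
admin@PA-11.0> show management-server last-committed config-size
17955 bytes
admin@PA-11.0>
admin@PA-11.0> show management-server candidate config-size
25126769 bytes
admin@PA-11.0>
"""

CMD_RE = re.compile(r">\s*show management-server (last-committed|candidate) config-size\s*$")
SIZE_RE = re.compile(r"^\s*(\d+) bytes\s*$")
# Assumption: illustrative cut-off for "significantly larger"; not a vendor value.
RATIO_THRESHOLD = 10.0


def parse_config_sizes(session: str) -> dict:
    """Map each command variant to the byte count printed right after it."""
    sizes, pending = {}, None
    for line in session.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            pending = cmd.group(1)
            continue
        size = SIZE_RE.match(line)
        if size and pending:
            sizes[pending] = int(size.group(1))  # a later run of the same command wins
        if line.strip():
            pending = None  # any non-empty line ends the wait for this command's output
    return sizes


def assess(session: str, threshold: float = RATIO_THRESHOLD) -> dict:
    """Compare candidate vs last-committed size; fail loudly if either is missing."""
    sizes = parse_config_sizes(session)
    missing = {"last-committed", "candidate"} - sizes.keys()
    if missing:
        raise ValueError(f"no size found for: {', '.join(sorted(missing))}")
    committed, candidate = sizes["last-committed"], sizes["candidate"]
    ratio = candidate / committed if committed else float("inf")
    return {"committed_bytes": committed, "candidate_bytes": candidate,
            "ratio": round(ratio, 1), "review_for_cleanup": ratio >= threshold}


if __name__ == "__main__":
    print(assess(SAMPLE_SESSION))
```

A size line that does not directly follow one of the two commands is ignored, so pasted or duplicated output does not skew the result.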
What is the recommended maximum configuration file size for GEN 3 devices (PA-800, PA-3200, PA-5200, PA-7000)?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HEUuCAO&lang=en_US
debug management-server max-config-size set size <1-500>
Set it to the recommended value.
debug management-server max-config-size show
This command displays the config size.
What is the recommended maximum configuration file size for Gen4 and Gen5 Platforms?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000TpH4CAK&lang=en_US
Merged configuration size (local, Panorama-pushed, predefined)
The Predefined configuration in PAN-OS consists of built-in, read-only objects that come with the firewall out-of-the-box. These are maintained by Palo Alto Networks and updated through content updates.
1. Predefined Applications
2. Predefined Services
3. Predefined Tags
4. Predefined Security Profiles
5. Predefined Data Patterns
6. Predefined Threat Signatures
Predefined objects referenced by your local config are pulled in, but not all predefined data is necessarily loaded; only what is actively used is.