Best Practices for Memory Efficient Security Policies on ION Devices
Learn about the best practices for memory efficient security policies on ION devices.
Where Can I Use This?
  • Prisma SD-WAN (Managed by Strata Cloud Manager)
  • Prisma SD-WAN
What Do I Need?

Overview

Prisma® SD-WAN software versions 6.3.6, 6.4.3, 6.5.3, and later introduce enhanced features and capabilities. While these innovations provide significant value, they can also increase memory utilization, particularly on ION models with limited memory capacity such as ION 1000, ION 1200, and ION 2000.
In environments with extensive custom application definitions or large prefix lists within security policies, memory-intensive compilation processes may lead to resource exhaustion. This can result in instability or unexpected device behavior, including device reboots or loss of connectivity to Strata Cloud Manager, potentially requiring on-site recovery.
The following sections outline best practices to help optimize memory usage and maintain platform stability.

Understanding Memory Risk

Deployments that include the following configurations experience the most memory pressure:
  • Large custom application definitions with extensive prefix lists
  • Security policies containing numerous or highly granular prefixes (for example, many /32 entries)
  • Frequent updates to prefix lists or policies
  • Devices with limited physical memory (for example, ION 1000, ION 2000, and ION 1200)

Pre-Change Assessment

Before you implement security-policy-related configuration changes, complete the following steps:
  1. Assess current memory utilization to determine risk exposure.
  2. Validate changes in a lab or sandbox environment prior to production deployment.
  3. Apply changes incrementally to minimize impact and isolate issues.
  4. Schedule updates during maintenance windows to reduce service disruption when possible.

Checking Current Memory Utilization

You can verify device memory status using Strata Copilot.
Use natural language queries to identify at-risk devices. For example: "Provide a table of all connected Prisma SD-WAN ION devices, including average and maximum memory utilization, sorted by average memory utilization (high to low). Ensure the table includes the ION model for each device."
Apply model filters (ION 1000, ION 2000, ION 1200) to focus on devices with limited memory constraints.
In Strata Cloud Manager, navigate to Insights > ION Devices > Device Activity to review historical memory utilization graphs. Look for sustained high utilization or an increasing trend over time.

Custom Application and Prefix Management

Efficient management of custom applications and prefix filters is critical for memory optimization.
  • Removing Unused Custom Applications
    Stale or unused custom application definitions consume memory during policy compilation even when no traffic matches them.
  • Prefix Aggregation
    Replace multiple smaller prefixes with larger subnets where appropriate. For example, consolidating 256 individual /32 addresses into a single /24 subnet reduces policy table entries by approximately 99% while maintaining equivalent coverage for homogeneous subnets.
  • Managing /32 Prefix Usage
    Excessive use of /32 prefixes, especially in applications using broad port ranges, creates large policy tables during compilation. Each unique /32 entry multiplies the number of policy table entries when you combine it with source zones, destination zones, and port ranges.
  • Port Range Optimization
    Using full port ranges (1-65535) in application definitions or security policies creates 65,535 individual port entries in the policy table. This multiplies memory requirements by several orders of magnitude compared to specifying discrete ports.

Security Policy Design Considerations

Security policy structure plays a significant role in memory consumption. The most critical factor is the combination of broad zone assignments with large prefix lists.
Avoid combining 'Any source zone' with 'Any destination zone', especially with large prefix lists. This combination creates a large number of policy objects that significantly increase memory usage, which can be catastrophic on a system with limited memory.

Important Considerations and Trade-offs

While you optimize for memory, be aware of the following impacts on operational capabilities.
  • Application Visibility Without Policy References
    When you remove custom application definitions (AppDefs) entirely, you eliminate both policy control and visibility. However, you can maintain visibility while reducing memory pressure by decoupling AppDefs from security policy references.
  • Prefix Aggregation Impact on Policy Matching
    Converting granular prefixes (for example, /32 to /24) may cause unintended policy matches if the aggregated subnet contains IPs with different policy requirements. Before you aggregate, validate that all IPs within the target subnet legitimately require the same policy treatment.
  • Traffic Steering and Policy Enforcement Without AppDefs
    Without custom application definitions referenced in policies, the system cannot steer application-specific traffic based on application characteristics. Path selection decisions are then based on IP prefixes, destination zones, and general traffic types rather than application-aware intelligence.
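As an added illustration (not Palo Alto Networks or Prisma SD-WAN code), the following Python script models the prefix x zone pair x port multiplication described under Custom Application and Prefix Management and performs the homogeneity check the trade-offs above call for before aggregating /32s. The entry formula, the sample prefix lists and the port lists are constructed assumptions for the demonstration, not ION internals.

```python
# Added example, not Palo Alto Networks or Prisma SD-WAN code: a simple model of
# the policy-table multiplication this page describes (prefixes x zone pairs x
# port entries) plus the homogeneity check the trade-off section asks for
# before aggregating /32s. The entry formula is an illustrative assumption,
# not the ION compiler's actual data structure.
import ipaddress

def port_entries(port_ranges):
    """Individual port entries produced by a list of (start, end) ranges."""
    return sum(end - start + 1 for start, end in port_ranges)

def estimate_entries(prefixes, zone_pairs, port_ranges):
    """Assumed model: every prefix is combined with every zone pair and port."""
    return len(prefixes) * zone_pairs * port_entries(port_ranges)

def aggregate(prefixes, target_prefixlen):
    """Aggregate prefixes up to target_prefixlen (for example /32 -> /24).

    Returns (aggregated_networks, extra_addresses). extra_addresses are hosts
    the aggregate would newly cover: a non-empty list means the subnet is not
    homogeneous and aggregation risks the unintended policy matches above.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    widened = {n.supernet(new_prefix=target_prefixlen)
               if n.prefixlen > target_prefixlen else n for n in nets}
    aggregated = list(ipaddress.collapse_addresses(widened))
    before = {addr for n in nets for addr in n}
    after = {addr for n in aggregated for addr in n}
    return aggregated, sorted(after - before)

# Constructed sample data: a fully populated /24 listed as 256 /32 entries,
# and a sparse block where only three hosts were meant to match the policy.
HOMOGENEOUS = [f"10.1.2.{i}/32" for i in range(256)]
SPARSE = ["10.1.3.10/32", "10.1.3.20/32", "10.1.3.30/32"]
FULL_RANGE = [(1, 65535)]
DISCRETE = [(443, 443), (8443, 8443)]

if __name__ == "__main__":
    # One zone pair (e.g. any-to-any); additional zone pairs multiply the total.
    print("256 x /32, full port range:", estimate_entries(HOMOGENEOUS, 1, FULL_RANGE))
    agg, extra = aggregate(HOMOGENEOUS, 24)  # 256 entries -> 1, no extra hosts
    print("after /24 aggregation:", estimate_entries(agg, 1, FULL_RANGE), "extra:", len(extra))
    print("discrete ports only:", estimate_entries(agg, 1, DISCRETE))
    agg, extra = aggregate(SPARSE, 24)  # aggregate silently covers 253 more hosts
    print("sparse block aggregated to", agg, "newly covers", len(extra), "hosts")
```

Run the script before changing a prefix list: a non-empty extra-host list for a candidate aggregate is the signal to keep those entries granular or split the subnet.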