Best Practices for Memory Efficient Security Policies on ION Devices

Learn about the best practices for memory efficient security policies on ION devices.
Where Can I Use This? What Do I Need?
  • Prisma SD-WAN (Managed by Strata Cloud Manager)
  • Prisma SD-WAN

Overview

Prisma® SD-WAN software versions 6.3.6, 6.4.3, 6.5.3, and later introduce enhanced features and capabilities. While these innovations provide significant value, they can also increase memory utilization, particularly on ION models with limited memory capacity such as ION 1000, ION 1200, and ION 2000.
In environments with extensive custom application definitions, large prefix lists, or a large number of security zones referenced within security policies, the memory-intensive policy compilation process may exhaust available memory. This can result in instability or unexpected device behavior, including device reboots or loss of connectivity to Strata Cloud Manager, potentially requiring on-site recovery.
The following sections outline best practices to help optimize memory usage and maintain platform stability.

Understanding Memory Risk

Deployments that include the following configurations experience the most memory pressure:
  • Large custom application definitions with extensive prefix lists
  • Large number of security zones
  • Security policies containing numerous or highly granular prefixes (for example, many /32 entries)
  • Frequent updates to prefix lists or policies
  • Devices with limited physical memory (for example, ION 1000, ION 2000, and ION 1200)

Pre-Change Assessment

Before you implement security policy related configuration changes, complete the following steps:
  1. Assess current memory utilization to determine risk exposure.
  2. Validate changes in a lab or sandbox environment prior to production deployment.
  3. Apply changes incrementally to minimize impact and isolate issues.
  4. Schedule updates during maintenance windows to reduce service disruption when possible.

Checking Current Memory Utilization

You can verify device memory status using Strata Copilot.
Use natural language queries to identify at-risk devices. For example: "Provide a table of all connected Prisma SD-WAN ION devices, including average and maximum memory utilization, sorted by average memory utilization (high to low). Ensure the table includes the ION model for each device."
Apply model filters (ION 1000, ION 2000, ION 1200) to focus on devices with limited memory constraints.
In Strata Cloud Manager, navigate to Insights > ION Devices > Device Activity to review historical memory utilization graphs. Look for sustained high utilization or an increasing trend over time.

Custom Application and Prefix Management

Efficient management of custom applications and prefix filters is critical for memory optimization.
  • Removing Unused Custom Applications
    Stale or unused custom application definitions consume memory during policy compilation even when no traffic matches them.
  • Prefix Aggregation
    Replace multiple smaller prefixes with larger subnets where appropriate. For example, consolidating 256 individual /32 addresses into a single /24 subnet reduces policy table entries by approximately 99% while maintaining equivalent coverage for homogeneous subnets.
  • Managing /32 Prefix Usage
    Excessive use of /32 prefixes, especially in applications using broad port ranges, creates large policy tables during compilation. Each unique /32 entry multiplies the number of policy table entries when you combine it with source zones, destination zones, and port ranges.
  • Port Range Optimization
    Using full port ranges (1-65535) in application definitions or security policies creates 65,535 individual port entries in the policy table. This multiplies memory requirements by several orders of magnitude compared to specifying discrete ports.

Security Policy Design Considerations

Security policy structure plays a significant role in memory consumption. The most critical factor is the combination of broad zone assignments with large prefix lists.
Avoid combining 'Any source zone' with 'Any destination zone', especially with large prefix lists. Because every prefix is expanded against every source zone and every destination zone, this combination creates a very large number of policy objects and significantly increases memory usage, which can be catastrophic on a device with limited system memory.

Important Considerations and Trade-offs

While you optimize for memory, be aware of the following impacts on operational capabilities.
  • Application Visibility Without Policy References
    When you remove custom application definitions (AppDefs) entirely, you eliminate both policy control and visibility. However, you can maintain visibility while reducing memory pressure by decoupling AppDefs from security policy references.
  • Prefix Aggregation Impact on Policy Matching
    Converting granular prefixes (for example, /32 to /24) may cause unintended policy matches if the aggregated subnet contains IPs with different policy requirements. Before you aggregate, validate that all IPs within the target subnet legitimately require the same policy treatment.
  • Traffic Steering and Policy Enforcement Without AppDefs
Without custom application definitions referenced in policies, the system cannot steer application-specific traffic based on application characteristics. Path selection decisions are then based on IP prefixes, destination zones, and general traffic types rather than application-aware intelligence.
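The following added example (not Prisma SD-WAN code; the entry-count formula is an assumed model of the prefix x zone x port multiplication described in the prefix and port guidance above, not the ION compiler itself) estimates how quickly a rule's policy-table footprint grows, aggregates contiguous /32 entries into supernets, and applies the aggregation caveat from the trade-offs list: a target subnet is only safe to aggregate when it is fully covered by the existing prefixes and overlaps no prefix with a different policy treatment.

```python
from ipaddress import ip_network, collapse_addresses


def port_count(spec: str) -> int:
    """Number of ports in a spec such as "443" or "1-65535"."""
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def estimate_entries(prefixes, src_zones, dst_zones, ports, zone_count):
    """Rough policy-table entries for one rule: prefixes x src zones x dst zones x ports.
    Assumed model: "any" expands to every configured zone (zone_count)."""
    src = zone_count if src_zones == "any" else len(src_zones)
    dst = zone_count if dst_zones == "any" else len(dst_zones)
    return len(prefixes) * src * dst * sum(port_count(p) for p in ports)


def aggregate(prefixes):
    """Merge only contiguous, fully covered prefixes (256 /32s -> one /24).
    Coverage never widens, so this step alone cannot create unintended matches."""
    return [str(n) for n in collapse_addresses([ip_network(p) for p in prefixes])]


def safe_to_aggregate(target, prefixes, other_policy_prefixes):
    """True only if every address of target is already in prefixes and none of
    target overlaps a prefix that requires a different policy treatment."""
    tgt = ip_network(target)
    covered = list(collapse_addresses([ip_network(p) for p in prefixes]))
    fully_covered = any(tgt.subnet_of(c) for c in covered)
    conflict = any(tgt.overlaps(ip_network(o)) for o in other_policy_prefixes)
    return fully_covered and not conflict


if __name__ == "__main__":
    # Constructed sample: 256 /32 hosts in 10.1.1.0/24 on a device with 4 zones.
    hosts = [f"10.1.1.{i}/32" for i in range(256)]
    # Worst case: any/any zones and the full port range.
    print(estimate_entries(hosts, "any", "any", ["1-65535"], 4))
    # Optimized: one aggregated /24, explicit zones, a single port.
    print(estimate_entries(aggregate(hosts), ["lan"], ["internet"], ["443"], 4))
    # One host in the /24 needs different treatment, so aggregation is unsafe.
    print(safe_to_aggregate("10.1.1.0/24", hosts, ["10.1.1.200/32"]))
```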

Recovery Process

When the ION is unable to compile and install a large security policy update due to memory constraints, the result may be service instability, including crashes, unexpected reboots, and in some cases loss of connectivity to the SD-WAN Controller. Perform the following recovery steps in order, stopping as soon as the device is stable:
  1. Reapply Security Policy
    In Strata Cloud Manager, unbind the Security Policy associated with the site. Wait approximately 30 seconds, then reapply the Security Policy to the site. Verify whether the ION returns to an online and stable state.
  2. Reboot the Device
    If the issue persists and the ION remains offline, perform a reboot of the device and check the status again.
  3. Recover via Console Access
    If the reboot does not resolve the issue, the ION may be stuck in a continuous reboot cycle. In this case, console access is required to recover the device:
    1. Unbind the newly applied Security Policy from the site in Strata Cloud Manager.
    2. Connect a console cable to the ION and open a terminal application to access the device CLI. Configure the terminal settings to 115200/8/N/1.
    3. Execute the following command to stop the process:
      debug process stop name=fc
      This step may take approximately 5 minutes.
    4. Verify if the ION has re-established connectivity with the SD-WAN Controller.
    5. Restart the process using the command:
      debug process start name=fc
    6. Reapply the last known working Security Policy to the site after the device is stable.