
Central policy groups firewall changes inefficient

Central seems to initiate processing of every individual object in a firewall rule each time a rule modification is made from policy. Given an example where one new IP or FQDN object is created and added to the destinations in an existing firewall allow rule with 32 existing destination host/IP/FQDN objects, an XG 115 generates 100 lines of "changes" in its admin log spread over a period of 12 minutes. Upon completion the single change made is finally reflected in the local XG rule. Is there hashing of some form of every rule component on every modification? Would it make sense for the XGs and Central to both hash and timestamp each rule and object only upon creation and edits, store the results, and assume those to be valid for comparisons during future changes rather than seemingly approaching every piece as a brand new unknown every time? Comparing a page of hashes and timestamps via diff or other means should take a second vs. whatever might be happening now. The concern is that processing volume will only increase over time as more objects get added to rules until this config method becomes unusable for changes that need to happen quickly.

Additionally, for both SFOS 18.0.5 and 18.5.1, client DNS lookup requests to XG 115(w) LAN interface IPs being used as office DNS servers fail intermittently during the Central policy change processing, such as adding wildcard FQDNs to an existing allow rule; this results in unreachable destinations and user complaints. Central also indicates "Last seen __ minutes ago" at the same time DNS lookups are failing. Is anyone else encountering this, and is there a solution?

Edit: a support case has now been opened. This post will be updated if there is a solution.
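The hash-and-compare approach proposed in the post, worked through as an added example. This is illustrative code written for this thread, not Sophos code and not how Central or SFOS actually synchronise policy; the object/rule layout, the names (`host01`…`host32`, `allow-office-out`, `crm`) and the 32-destination rule are constructed to mirror the scenario described above. Each object gets a SHA-256 over its canonical content, each rule gets a hash over its own fields plus the hashes of the objects it references, and a change is detected by diffing two tables of stored hashes instead of re-examining every member:

```python
import copy
import hashlib
import json
from typing import Dict, List

# Constructed sample data (hypothetical names and layout, not Sophos Central's
# or SFOS's real rule/object model): 32 destination objects and one allow rule.
OBJECTS: Dict[str, dict] = {
    f"host{i:02d}": {"type": "ip", "value": f"10.0.0.{i}"} for i in range(1, 33)
}
RULES: Dict[str, dict] = {
    "allow-office-out": {
        "action": "allow",
        "source": "LAN",
        "destinations": sorted(OBJECTS),
    }
}


def object_hash(obj: dict) -> str:
    """SHA-256 over canonical JSON so identical content always hashes identically."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def rule_hash(rule: dict, obj_hashes: Dict[str, str]) -> str:
    """Hash a rule over its own fields plus the stored hashes of its member objects.

    Using member hashes (not member contents) means an edit to any member still
    changes the rule hash, while an unchanged member costs one dictionary lookup.
    """
    payload = {
        "action": rule["action"],
        "source": rule["source"],
        "destinations": sorted(obj_hashes[name] for name in rule["destinations"]),
    }
    return object_hash(payload)


def snapshot(objects: Dict[str, dict], rules: Dict[str, dict]) -> dict:
    """The hash tables that would be computed and stored at create/edit time."""
    obj_hashes = {name: object_hash(o) for name, o in objects.items()}
    rule_hashes = {name: rule_hash(r, obj_hashes) for name, r in rules.items()}
    return {"objects": obj_hashes, "rules": rule_hashes}


def diff_tables(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two name->hash tables; only the differing entries need processing."""
    return {
        "added": sorted(n for n in new if n not in old),
        "removed": sorted(n for n in old if n not in new),
        "modified": sorted(n for n in new if n in old and new[n] != old[n]),
    }


def diff_snapshots(old: dict, new: dict) -> dict:
    return {
        "objects": diff_tables(old["objects"], new["objects"]),
        "rules": diff_tables(old["rules"], new["rules"]),
    }


def add_destination(objects: dict, rules: dict, rule_name: str, obj_name: str, obj: dict):
    """The scenario from the post: create one object and append it to an existing
    rule. Returns new copies; the originals are left untouched."""
    objects2 = copy.deepcopy(objects)
    rules2 = copy.deepcopy(rules)
    objects2[obj_name] = obj
    rules2[rule_name]["destinations"] = sorted(rules2[rule_name]["destinations"] + [obj_name])
    return objects2, rules2


def work_items(old: dict, new: dict) -> int:
    """Number of entries a consumer of the diff would actually have to touch."""
    d = diff_snapshots(old, new)
    return sum(len(names) for table in d.values() for names in table.values())


if __name__ == "__main__":
    before = snapshot(OBJECTS, RULES)
    objs2, rules2 = add_destination(
        OBJECTS, RULES, "allow-office-out", "crm",
        {"type": "fqdn", "value": "*.crm.example.com"},  # constructed wildcard FQDN
    )
    after = snapshot(objs2, rules2)
    print(json.dumps(diff_snapshots(before, after), indent=2))
    print("entries to process:", work_items(before, after))  # 2: one object, one rule
```

Adding the 33rd destination yields exactly two work items (the new object and the one rule that references it); the 32 untouched objects are never re-read because their stored hashes already match. A last-modified timestamp can be stored beside each hash for auditing, but the hash is what decides whether anything changed. Which of Central or the firewall would hold the table, and how it survives a restore or a firmware upgrade, are open questions this sketch does not answer.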


