1 | ©2014, Palo Alto Networks, Inc.
Next-generation Firewall Hits 120+Gbps!
Brad Turner, Product Manager - Hardware Platforms, Palo Alto Networks
Prasoon Shukla, Technical Marketing Engineer - Networking and High Availability, Palo Alto Networks
April 1, 2014
PA-7050: The Fastest Next-generation Firewall
• Safely enable all applications; full next-generation firewall capabilities
• Groundbreaking application layer performance
• Simple, yet flexible, chassis architecture
Simple and Flexible Chassis Architecture
Scalable
• Linear performance and interface density with each added card
• High-speed backplane supports future network processing cards
Flexible
• Flexible and dynamic load distribution across multiple network processing modules allows seamless scalability
Simple
• Single system view for administration – all PAN-OS features supported
• System-wide subscriptions and support provide predictable cost model
PA-7050 Hardware Overview
• 9U Chassis, 8 slots
  • Hot swap cards
  • 2+2 redundant power and cooling
• 1 x Switch / Management Card
  • High-performance management
  • High-speed switch fabric
  • First Packet Processor (FPP)
• 6 x Network Processing Cards
  • 2 Data Plane CPUs, 32 cores each
  • 4 x 10Gig SFP+, 8 x SFP, 12 x 10/100/1000
• 1 x Log Processing Card
  • Quad core i7 & MIPS processors
  • 4 x 1TB HDD for 2TB RAID1
PA-7050: Scaling NGFW Performance to 120 Gbps
• 400+ processors
• 1.2 TB backplane
• Dedicated first packet processing and logging

• 120 Gbps firewall throughput
• 100/60 Gbps threat prevention throughput
• 24 Million concurrent sessions
• 720,000 connections per second
PA-7050: Performance and Capacities Summary
                              PA-7050 System   PA-7000 NPC
Firewall Gbps (App-ID™)       120              20
Threat Gbps (DSRI)            100              16+
Threat Gbps (Full)            60               10
Firewall PPS (Millions)       72               12
IPSec VPN Gbps                24               4
New sessions per second       720,000          120,000
Max sessions (Millions)       24               4
Virtual systems (base/max)    25/225           n/a

• PA-7050 requires PAN-OS 6.0
• All PAN-OS features are supported except Netflow
x6
PA-7050 Single NPC vs PA-5060 Performance
• NPC similar to PA-5060 with updated components
  • NPC: 2 CPUs with 32 cores each at 1 GHz
  • 3rd generation security processor with enhanced features
  • PA-5060: 3 CPUs with 12 cores each at 700 MHz
• NPC significantly faster for CPU-bound activities
  • Approximately 2 ~ 2.2 times faster
  • Threat, URL, SSL, etc.
  • Provides either:
    • Higher throughput at same CPU utilization or
    • Lower CPU utilization at similar traffic load
PA-7050 Single NPC vs. PA-5060: App-ID
[Chart not recovered; x-axis: File Size]
PA-7050 Single NPC vs PA-5060: Threat
[Chart not recovered; x-axis: File Size]
PA-7050 Single NPC vs PA-5060: Threat/DSRI
[Chart not recovered; x-axis: File Size]
PA-7050 Single NPC vs PA-5060: SSL Forward
[Chart not recovered; x-axis: File Size]
PA-7050 Single vs PA-5060: SSL Inbound
[Chart: Throughput vs. File Size (4K, 16K, 64K, 1MB); legend: NPC, PA-5060; data labels: 0.748, 2.01, 2.91, 7.3 and 0.182, 0.51, 1.234, 3.477]
PA-7050 Latency
Packet Size                      64   128   256   512   1024   1280   1518
Intra Slot Packet Latency (µs)   9    9     9     11    13     15     15
Inter Slot Packet Latency (µs)   13   13    13    15    18     18     21
High-performance Done Correctly
• First packet processor
  • Dedicated HW & SW provides flexible load distribution
  • Configurable session distribution for tuning to environment
• Management
  • System-wide management plane reduces administrative efforts
  • System-wide subscription licensing and support contract means predictable costs over time
• Integrated I/O and security processing
  • Single line card type for all security processing functions
  • Any-to-any connectivity delivers easy capacity upgrades
• Dedicated logging
  • Delivers log performance at scale and enables log management consistency – via Panorama or other mechanism