
Palo Alto Networks - performance FAQ


Generated by Jive on 2014-07-03-07:00

PA firewall performance FAQ

• What is the test method used for publishing the datasheet performance numbers?

Please refer to the datasheet performance test method at Data Sheet Performance Test Method

• I am testing firewall throughput with App-MIX and not seeing the 20Gbps performance for 5060 stated on the datasheet. How can I achieve the datasheet numbers?

The data sheet performance numbers are tested with only HTTP traffic generated by Spirent Avalanche/Reflector. This traffic type gets identified as application "Spirent". 20Gbps firewall throughput can be achieved with transaction sizes 64K and larger.

• I am using Spirent Avalanche/Reflector to measure throughput using 64K HTTP transactions. But I am only getting about 10Gbps of firewall throughput.

Spirent version 3.90 and later has a change incorporated into the traffic type that is generated by default. This traffic gets identified as "Web-browsing" and not "Spirent", resulting in layer 7 processing of all sessions. This will result in lower throughput. In such cases, the datasheet numbers can be achieved with higher transaction sizes, 512K.

• I am using Breaking Point as traffic generator. Can I get datasheet rated throughput using BPS?

The traffic generated by BPS is identified as "Web-browsing". The datasheet numbers can be achieved with higher transaction sizes, 512K.

• What is the UDP throughput for PA firewalls? Can we achieve datasheet rated performance using UDP traffic?

The UDP performance data is available at performance. You can achieve data sheet rated performance using UDP packet sizes of 256 bytes and higher.

• I am using Spirent Test Center (STC) to measure UDP throughput using RFC 2544. But firewall throughput remains 50% lower than the datasheet performance even for larger packet sizes.

If you are using the STC wizard to configure an RFC 2544 test, the traffic type generated by default is IP packets and not UDP. You will have to modify the test to generate UDP packets on destination port 7 to replicate the data sheet numbers.

• I am using DNS traffic to measure UDP throughput. Firewall fails to achieve the datasheet rated throughput.

Even though DNS is UDP, it cannot be used to measure data sheet performance. The DNS App-ID engine handles DNS packets differently from other UDP traffic. The DNS throughput will be less than UDP traffic on destination port 7 (traffic type echo).

• I am using Spirent Test Center (STC) to measure UDP throughput. All traffic shows as unknown-udp and I am not able to achieve the datasheet performance numbers. I get the same result using BPS.

This is because the traffic generated by STC and BP cannot be identified by the App-ID engine. Unknown traffic handling requires more processing, resulting in lower throughput. To replicate the datasheet performance, change the UDP port to a known application, for example port 7 (echo).

• How can I verify the Connection Per Second numbers published in the datasheet? CPS test using Breaking Point or Spirent results in only 40K TCP connections per second for 5060 with App-ID.

The CPS numbers published in the datasheet are UDP connections and not TCP or HTTP.

• Our competitors claim very high TCP CPS on their datasheet. For example Fortinet 1000C claims 190K CPS, and 5060 is 120 UDP or 40K TCP. How do I handle this objection from our customers?


Does a high number of connections per second mean high throughput? Definitely not. The connections per second is measured with just TCP traffic: TCP 3-way handshake and close. This is not a reflection of any layer 7 data the firewall can process. The true indication is how many connections per second they can handle when processing layer 7 traffic, like web-browsing. This is where the rubber meets the road. For example, looking at Fortinet's datasheet, the IPS throughput is 6Gbps tested using a 1MB file. This is not accomplished with 190,000 connections per second. The realistic CPS for IPS throughput of 6Gbps with a 1MB file is about 700 CPS. Now you see the point: 700 CPS is much more realistic (because of Layer 7 processing) compared to 190K CPS with just a TCP 3-way handshake and no Layer 7 data. You can extrapolate the same data for their AV number: the flow-based AV throughput for FTNT is 3.1 Gbps, which is using 44K HTTP, approximately 9K CPS. This is still lower than the 190K CPS they claim.
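To make the CPS-versus-throughput arithmetic above, and the transaction-size answers earlier in the FAQ (64K and 512K transactions to reach 20Gbps), checkable, here is an added Python example that is not part of the original FAQ. It assumes a simple model, not stated on the page, in which each connection carries one transaction and a device is capped by both a Layer 7 CPS limit and a throughput limit, whichever is reached first.

```python
"""Connection rate vs. throughput model for datasheet figures (added example).

Assumed model (not from the FAQ): one transaction per connection, and the
device is bounded by BOTH a maximum Layer-7 connection rate and a maximum
forwarding throughput; the lower of the two ceilings wins.
"""

BITS_PER_BYTE = 8


def implied_cps(throughput_bps: float, transaction_bytes: int) -> float:
    """Connections per second needed to sustain a throughput when every
    connection carries exactly one transaction of the given size."""
    return throughput_bps / (transaction_bytes * BITS_PER_BYTE)


def implied_transaction_bytes(throughput_bps: float, cps: float) -> float:
    """Payload each connection must carry for a claimed CPS figure to also
    deliver the claimed throughput (small values mean the CPS figure is a
    handshake-only number, not a Layer-7 number)."""
    return throughput_bps / (cps * BITS_PER_BYTE)


def achievable_throughput_bps(max_cps: float, max_throughput_bps: float,
                              transaction_bytes: int) -> float:
    """Throughput reachable at a given transaction size: small transactions
    are CPS-bound, large ones are bandwidth-bound."""
    cps_bound = max_cps * transaction_bytes * BITS_PER_BYTE
    return min(cps_bound, max_throughput_bps)


def min_transaction_bytes(max_cps: float, target_bps: float) -> float:
    """Smallest transaction size at which the CPS ceiling stops preventing
    the target throughput."""
    return target_bps / (max_cps * BITS_PER_BYTE)


if __name__ == "__main__":
    # Competitor figures exactly as quoted in the FAQ text.
    print(f"6 Gbps IPS with 1MB file  -> {implied_cps(6e9, 1 << 20):.0f} CPS")
    print(f"3.1 Gbps AV with 44K HTTP -> {implied_cps(3.1e9, 44 * 1024):.0f} CPS")
    # What 190K CPS would have to carry per connection to also move 6 Gbps.
    print(f"190K CPS at 6 Gbps -> {implied_transaction_bytes(6e9, 190e3):.0f} bytes/conn")
    # 40K TCP CPS with App-ID (FAQ figure for 5060): size needed to reach 20 Gbps.
    print(f"20 Gbps at 40K CPS needs >= {min_transaction_bytes(40e3, 20e9):.0f} bytes/txn")
```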

• I have configured a single tunnel between sites but I am only getting a fraction of the 4Gbps datasheet IPSEC VPN throughput for PA5060. How can I scale up?

The numbers mentioned in the data sheet have been obtained with multiple site-to-site tunnels. A UDP traffic stream with 1400 byte packet size would give you the maximum possible bandwidth for a single tunnel. You would need to configure multiple tunnels to achieve the data sheet performance.

• Okay, I have set up multiple tunnels to get a fat pipe between sites. However all my traffic is going via just one tunnel and other tunnels have sub-optimal utilization. How can I fix this?

Currently we do not support ECMP in PAN-OS, which would be the best way to load balance IP traffic based on different subnets. However we can configure PBF policies to spray traffic destined to different subnets across different tunnels. A cleaner but cumbersome way to do this is via static routes. By configuring static routes for different subnets via different tunnels in your VR, you could address your load-balancing requirements.

• I have configured App-Override for my tunnel traffic but I do not see any improvement in throughput.

App-override will improve your IPSEC performance only when the firewall is configured as an IPSEC pass-through device. The performance hit while decrypting IPSEC traffic is much greater than the performance gain achieved by doing app-override.

• Do you support hardware acceleration for encryption algorithms on Palo Alto firewalls?

Yes, we support HW acceleration for all the encryption algorithms: 3DES, AES128 and AES256. This is achieved via the crypto instructions in the Cavium processor.


• What factors affect IPSEC performance of my Palo Alto firewall?

The IPSEC performance depends on three factors: traffic type (UDP vs HTTP vs App-Mix), packet size or transaction size (4kB vs 64kB), and the number of tunnels.