Questions about the decryption performance of pa-5200 series

Felixcao — Mon, 25 Mar 2024 16:34:30 GMT

The customer configures inbound decryption on the firewall. 
When the decrypted traffic exceeds the processing performance of the firewall, 
the firewall will not decrypt the traffic that needs to be decrypted. Will it be processed as normal traffic?

Can anyone explain this, thanks

Re: Questions about the decryption performance of pa-5200 series

rdumoulin — Tue, 26 Mar 2024 07:27:47 GMT

Hi @Felixcao,

this is documented under the decryption profile settings in the GUI. Alternatively, you can have a look at Techdoc

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-decryption-profile/settings-to-control-decrypted-ssl-traffic

You have the option to terminate the sessions when resources are not available on the firewall. By default, this option is not checked.

Block sessions if resources not available	Terminate sessions if system resources are not available to process decryption. Whether to block sessions when resources aren’t available is a tradeoff between tighter security and a better user experience. If you don’t block sessions when resources aren’t available, the firewall won’t be able to decrypt traffic that you want to decrypt when resources are impacted. However, blocking sessions when resources aren’t available may affect the user experience because sites that are normally reachable may become temporarily unreachable.

If you do not block the sessions when resources are not available, the traffic will go through encrypted provided that there is a security rule allowing it, but uninspected.

Regards

--Richard

topic Questions about the decryption performance of pa-5200 series in Next-Generation Firewall Discussions

Questions about the decryption performance of pa-5200 series

Re: Questions about the decryption performance of pa-5200 series