PA-NGFW Sizing

JeanPaul222 — Wed, 08 Oct 2025 07:28:11 GMT

Hello,

I’m new to firewall sizing and would appreciate some expert guidance. Could someone help me understand the process to follow, the key questions to ask, and the important factors to consider when sizing a data center or edge firewall?

Re: PA-NGFW Sizing

kiwi — Wed, 08 Oct 2025 15:19:43 GMT

Hi @JeanPaul222 ,

Sizing a firewall is a critical process that begins with a fundamental understanding of your network's behavior. It's a critical process that ensures your security device becomes a force multiplier, not a bottleneck.

First you need to gather data and ask the right questions. What's the current and projected throughput, not just for the raw firewall but with all security bells and whistles enabled? This distinction is vital, as features like Threat Prevention, URL Filtering, and especially SSL Decryption can significantly reduce performance on any firewall. Beyond simple bandwidth, you must also understand your network's pulse: its session count and new session rate. A firewall can be brought to its knees by a high number of rapid, short-lived connections, even if the total bandwidth is low.

As you gather this data, consider the nature of your traffic. Is it predominantly large file transfers, which are less CPU-intensive, or a flurry of small packets from a diverse range of applications? Knowing your application mix is also crucial, especially which applications are using SSL encryption, as inspecting that traffic is a heavy lift for any firewall.

This is also where you must make a fundamental decision: will you deploy a physical appliance or a virtual firewall?

If your environment is heavily virtualized or lives in the cloud, a virtual firewall (VM-Series) might be the perfect fit. The sizing process here is a bit different; instead of just looking at hardware models, you'll need to determine the required CPU cores, RAM, and disk space. The performance of a virtual firewall is directly tied to the underlying hypervisor, host hardware, and resource allocation. You'll need to factor in hypervisor overhead and whether the virtual machine will have dedicated resources or share them with other VMs. This offers incredible flexibility, allowing you to scale up resources as your network grows without a hardware refresh.

Once you have this detailed picture, you can begin the sizing calculation. A simple rule of thumb is to always size for the Threat Prevention throughput, as this represents the real-world performance you will experience. Threat prevention throughput is the maximum speed a firewall can process traffic when all security and inspection features are enabled. Normal throughput, on the other hand, is the maximum speed when those same security features are disabled and the device is only performing basic packet forwarding. The reason for the difference is that threat prevention services require significantly more processing power. When a firewall has to inspect every packet for threats, analyze URLs, and decrypt SSL traffic, it uses a lot of resources. Normal throughput is a raw, often theoretical number for a device acting as a basic router. Therefore, when sizing a firewall, you should always use the threat prevention throughput metric to get a realistic idea of its performance in an operational environment.

You must also think ahead and consider your business's growth projections, anticipated increases in traffic, and new applications.

Finally, your sizing process should always involve a collaborative effort. Work with a trusted partner or the vendor's engineers to validate your findings. Also, don't forget the practicalities: ensure you plan for high availability with an Active/Passive or Active/Active pair to ensure uninterrupted operation.

Kind regards,

-Kim.

Re: PA-NGFW Sizing

BPry — Thu, 09 Oct 2025 00:53:34 GMT

@JeanPaul222,

I would highly recommend doing as @kiwi mentioned and making sure that the first couple of times you size an environment that you have someone who actually knows everything you need to consider guide you in this process. There's a lot of traffic analysis that should be part of this when you're starting from ground zero, and someone gathering that data will also need to consider what your business cycle actually looks like (IE: You don't want to look at traffic patterns from a slow business period and use them for sizing if your busy period will be 2X that data or drastically change traffic patterns).

This is something that you really won't want to get wrong, but you also won't want to needlessly oversize things just because proper analysis wasn't performed.

Re: PA-NGFW Sizing

OtakarKlier — Wed, 22 Oct 2025 19:34:53 GMT

Hello,

In simple terms I first look at the throughput of Gbps. Then I choose the device that meets the minimum.

Example: I need to push through 10Gbps. I would look at which device has that as its slowest and start there and then maybe go higher.

So in this case I would start with the 3430.

Depending on other aspects etc, might go to a higher model, i.e. the 5410.

Regards,

topic Re: PA-NGFW Sizing in General Topics

PA-NGFW Sizing

Re: PA-NGFW Sizing

Re: PA-NGFW Sizing

Re: PA-NGFW Sizing