https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19673#M14362 <HTML><HEAD></HEAD><BODY><P>Hi Bob...You are correct in that throughput will vary depending on the type of traffic (SMTP, SSL, SMB, HTTP, etc) and the average packet size on your network.&nbsp; If your network carries alot of zip compressed files, this will require more resource to unzip &amp; scan.&nbsp; So every network will be different.</P><P></P><P>From your description, we would need to handle 45Mbps (you also need to consider the traffic from internal to DMZ if you have a DMZ and factor it in).&nbsp; Accounting for full duplex, we need to support 45Mbps in + 45Mbps out = 90Mbps total.&nbsp; The PA500 offers 100Mbps&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;threat prevention throughput under the best condition so the PA500 is not the right fit.&nbsp; The PA2020 offers 200Mbps threat prevention throughput which put us at 40-50% CPU usage from the start.&nbsp; Then as you turn on policies &amp; features, the CPU usage will increase as we would expect. </P><P></P><P>I would suggest looking at the PA2050 and contact your Palo Alto account team/partner for further discussion.&nbsp; Thanks. </P></BODY></HTML> Fri, 16 Mar 2012 03:50:47 GMT rmonvon 2012-03-16T03:50:47Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19672#M14361 <HTML><HEAD></HEAD><BODY><P>I realize that is a difficult question to answer.&nbsp; What kind of maximum throughputs are people seeing with their PA-500s?</P><P>For example: I monitor our firewall (not a PA) using PRTG via SNMP and see a fairly constant 20 Mbps with some 30-45 minute spikes up to 35 Mbps.&nbsp; Nights I see 30+ constantly (we are a boarding school and their is a lot of streaming).&nbsp; Well under the PA-500 stats, but I want to have some room for growth.</P><P>Thanks,<BR />Bob</P></BODY></HTML> Fri, 16 Mar 2012 00:26:52 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19672#M14361 migration 2012-03-16T00:26:52Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19673#M14362 <HTML><HEAD></HEAD><BODY><P>Hi Bob...You are correct in that throughput will vary depending on the type of traffic (SMTP, SSL, SMB, HTTP, etc) and the average packet size on your network.&nbsp; If your network carries alot of zip compressed files, this will require more resource to unzip &amp; scan.&nbsp; So every network will be different.</P><P></P><P>From your description, we would need to handle 45Mbps (you also need to consider the traffic from internal to DMZ if you have a DMZ and factor it in).&nbsp; Accounting for full duplex, we need to support 45Mbps in + 45Mbps out = 90Mbps total.&nbsp; The PA500 offers 100Mbps&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;threat prevention throughput under the best condition so the PA500 is not the right fit.&nbsp; The PA2020 offers 200Mbps threat prevention throughput which put us at 40-50% CPU usage from the start.&nbsp; Then as you turn on policies &amp; features, the CPU usage will increase as we would expect. </P><P></P><P>I would suggest looking at the PA2050 and contact your Palo Alto account team/partner for further discussion.&nbsp; Thanks. </P></BODY></HTML> Fri, 16 Mar 2012 03:50:47 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19673#M14362 rmonvon 2012-03-16T03:50:47Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19674#M14363 <HTML><HEAD></HEAD><BODY><P>Thank your for your reply.&nbsp; A couple thoughts:</P><P></P><P>Our internet connection is limited to 40Mbps up and 40Mbps down at the ISP level Until Dec. when we will be changing our ISP.&nbsp; So no matter what we will be limited to 40 Mbps up and down through Dec. 2012.&nbsp; Probably a 50x10 or 100x10 after that.</P><P></P><P>The high traffic is almost exclusively streaming in.&nbsp; Our outbound traffic is very low (2-5 Mpbs).</P><P></P><P>As there are only a few high usage streaming sites/apps (Netflix, Youtube, etc), If I created a separate rule to NOT scan these high usage sites/apps from all of the scanning would this help?</P><P></P><P>On a non technical note:&nbsp; The yearly renewal costs between the 500 and the 2020 are significant enough that it is going to make it VERY difficult to push through our budget.&nbsp; Especially for an academic environment.</P><P></P><P>I will be speaking with my our presales engineer and sales people soon at which time I will place it in vwire mode, but any thoughts on the above would be appreciated.</P><P>Thanks,<BR />Bob</P></BODY></HTML> Fri, 16 Mar 2012 04:48:11 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19674#M14363 migration 2012-03-16T04:48:11Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19675#M14364 <HTML><HEAD></HEAD><BODY><P>According to tests made by NSS Labs the PA boxes performed 115% of stated performance mentioned in the datasheets.</P><P></P><P>I dont know if this is valid for the PA-500 since the test was performed on a 4xxx/5xxx box.</P><P></P><P>Another observation in these tests was that it basically didnt matter if you enabled/disabled scanning features such as the IDP, AV etc. As a sidenote higher throughput was observered when ALL features was enabled compared to when only one feature at a time was enabled.</P></BODY></HTML> Fri, 16 Mar 2012 05:47:34 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19675#M14364 mikand 2012-03-16T05:47:34Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19676#M14365 <HTML><HEAD></HEAD><BODY><P>If you're planning to increase your Internet bandwidth after Dec 2012, you would want to select the unit to support traffic for 2013 and beyond. </P><P></P><P>Yes, you can define rule(s) not to scan certain traffic like NetFlix and that will help, but you run the security risk.&nbsp; Well-known sites like Sony, Gmail, RSA have been compromised so it's best practice to guard against everything.&nbsp; You may have heard of the Zero-Trust security model from Forrester.</P><P></P><P>You should also review our features (VPN, QoS, URL filtering, SSL decryption) and decide which features you plan to implement as they will require CPU &amp; memory.</P><P></P><P>Yes, budget is always a consideration.&nbsp; Maybe you're paying for URL subscription now that you can run on the PA device.&nbsp; Typically, I find that we can save our customers quite a bit by doing so.</P></BODY></HTML> Fri, 16 Mar 2012 13:49:41 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19676#M14365 rmonvon 2012-03-16T13:49:41Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19677#M14366 <HTML><HEAD></HEAD><BODY><P>Thanks to everyone in this thread.&nbsp; Couple last, non technical, points:</P><P></P><UL><LI>I am trying my best to get away from a Watchguard I inherited.&nbsp; The management is simply terrible, reporting is pretty much non existent etc.</LI><LI>I looked at Sonicwall, but who knows what it's future holds, and it seems it is a bit behind the times as for detecting apps.&nbsp; Which, in&nbsp; boarding school, with teenagers is a necessity!</LI><LI>It is probably not appropriate to go into the pricing on this board.</LI></UL><P></P><P>Next step is to take it out of TAP mode!</P><P></P><P>Thanks again for all of your help,</P><P>Bob</P></BODY></HTML> Fri, 16 Mar 2012 15:18:29 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-throughputs/m-p/19677#M14366 migration 2012-03-16T15:18:29Z