https://live.paloaltonetworks.com/t5/general-topics/url-filtering-traffic-throughput/m-p/139770#M48175 <P>there is no 'slowdown' when only URL filtering is applied as the traffic does not need to be scanned as it does with threats. there is simply a category lookup and then an allow or deny action with no further actions on that session</P> <P>&nbsp;</P> <P>also</P> <P>Traffic will never ever ever be throttled</P> <P>these throughput numbers are _measured_ througputs (not limited) when only AppID was enabled and when all bells and whistles were enabled, so there is some throughput impact when all traffic is being scanned, but this is related to how the traffic is flowing through the system and is being inspected for threats, there is no throttle preventing traffic to surpass the 5Gbps mark</P> <P>&nbsp;</P> <P>in some cases, if your traffic is 'scan friendly' you may even have close to the 10gbps traffic even with threat prevention enabled, it depends on how much work your chassis needs to put in to get all the traffic scanned</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Jan 2017 14:21:17 GMT reaper 2017-01-27T14:21:17Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-traffic-throughput/m-p/139748#M48173 <P>Does anyone know for certain what the maximum throughput of a Palo firewall is if the only security profile applied is URL Filtering?</P><P><BR />The PA-5050 can do 10Gbps of App-ID firewall throughput and 5 Gbps of Threat Prevention throughput.</P><P>&nbsp;</P><P>If you pushed 6 Gbps of traffic through a PA-5050 with only URL filtering applied, would the PA-5050 throttle&nbsp;the traffic to 5 Gbps because of the limit to Threat Prevention throughput or would it let the traffic through at full speed given the 10 Gbps App-ID throughput?</P><P>&nbsp;</P><P>You need to decode the HTTP header to determine the URL correctly and this means Content Inspection (which implies the traffic is limited to Threat Prevention throughput).</P><P>&nbsp;</P><P>However, according to the link below, the URL match happens on the same processors that do the App-ID (Security processor) and not the same as IPS, spyware, etc (Signature matching processors) so possibly URL filtering can happen at App-ID throughput speeds.<BR /><BR /><A href="https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/pa-5000-series" target="_blank">https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/pa-5000-series</A></P><P>&nbsp;</P><P>Thanks</P> Fri, 27 Jan 2017 12:51:18 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-traffic-throughput/m-p/139748#M48173 catalan 2017-01-27T12:51:18Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-traffic-throughput/m-p/139770#M48175 <P>there is no 'slowdown' when only URL filtering is applied as the traffic does not need to be scanned as it does with threats. there is simply a category lookup and then an allow or deny action with no further actions on that session</P> <P>&nbsp;</P> <P>also</P> <P>Traffic will never ever ever be throttled</P> <P>these throughput numbers are _measured_ througputs (not limited) when only AppID was enabled and when all bells and whistles were enabled, so there is some throughput impact when all traffic is being scanned, but this is related to how the traffic is flowing through the system and is being inspected for threats, there is no throttle preventing traffic to surpass the 5Gbps mark</P> <P>&nbsp;</P> <P>in some cases, if your traffic is 'scan friendly' you may even have close to the 10gbps traffic even with threat prevention enabled, it depends on how much work your chassis needs to put in to get all the traffic scanned</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Jan 2017 14:21:17 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-traffic-throughput/m-p/139770#M48175 reaper 2017-01-27T14:21:17Z https://live.paloaltonetworks.com/t5/general-topics/url-filtering-traffic-throughput/m-p/140008#M48212 <P>Thank you for the clarification on how the traffic is processed.</P> Mon, 30 Jan 2017 10:10:28 GMT https://live.paloaltonetworks.com/t5/general-topics/url-filtering-traffic-throughput/m-p/140008#M48212 catalan 2017-01-30T10:10:28Z