topic Re: using rules on application base and cpu overhead? in General Topics

using rules on application base and cpu overhead?

MP18 — Fri, 08 Mar 2019 16:56:51 GMT

If I use application in the rule instead of port will that increase any cpu load on PA

Re: using rules on application base and cpu overhead?

BetterGriffin — Fri, 08 Mar 2019 17:51:38 GMT

i have not notice a performance hit on the CPU when using app-id. the only hit I've notice is when i enabled decryption and/or inbound inspection

hope this helps

Re: using rules on application base and cpu overhead?

OtakarKlier — Fri, 08 Mar 2019 19:01:17 GMT

Hello,

I also try to use application rather than specific port to get layer 7 insepction. havent noticed much if any, but then I never really did a comparison. I try to make my policies as specific as possible so I use applicaitons in 99% of my policies.

Regards,

Re: using rules on application base and cpu overhead?

BPry — Sun, 10 Mar 2019 04:28:12 GMT

@MP18,

Unless you are using application-override policies for all of your traffic, which you absolutely should not be, the firewall goes through the same process for identifying the traffic regardless of the security policy. Even when you allow application 'any' on tcp/8443 for example, the firewall itself still identifies the application and does the same process it would if you had identified application ssl on tcp/8443 or otherwise made a custom application signature for the traffic in question.

The only way you would see a performance increase would be if you stop layer-7 processing through something like an application-override security policy. This would be ill-advised and honestly wouldn't provide any major performance increases outside of a few outlier applications.