topic PA-5220 Decryption Performance Degradation in General Topics

PA-5220 Decryption Performance Degradation

an.schall — Mon, 06 May 2019 13:49:14 GMT

We have a cluster of PA-5220 firewalls with SSL decryption activated. When initiating a communication across the firewall using a decrypted protocol (scp, HTTPs, etc.) we get 5x slower connections compared to the unencrypted versions of the procotol.

In Certificate Revocation Checking, CRL and OCSP are unchecked.

Is this behaviour expected? If not, what can be done about it?

Thanks in advance!

Re: PA-5220 Decryption Performance Degradation

BPry — Mon, 06 May 2019 21:22:39 GMT

@an.schall,

That wouldn't be expected as long as the device is sized appropriately and you aren't close to maxing resources.

To start troubleshooting I would simply look at the resources on the box when you have decryption enabled and see if you notice any high rates. Also with SCP are you decrypting SSH, or are you just decrypting HTTPS traffic for the time being?

Re: PA-5220 Decryption Performance Degradation

an.schall — Tue, 07 May 2019 07:21:07 GMT

Dear BPry,

is there a built-in command or dashboard to extract resource usage?

In fact, we tested it with secure copy (scp), hence we are decrypting SSH. The details are the following:

OpenSSH_6.6.1, OpenSSL 1.0.1i-fips 6 Aug 2014

...

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2

debug1: no match: PaloAltoNetworks_0.2

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

...

Sending file modes: C0600 923309458 foobar.zip
Sink: C0600 923309458 foobar.zip
foobar.zip 100% 881MB 17.6MB/s 00:50
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 924876344, received 251440 bytes, in 51.3 seconds
Bytes per second: sent 18016068.0, received 4897.9
debug1: Exit status 0

Re: PA-5220 Decryption Performance Degradation

an.schall — Tue, 14 May 2019 13:55:48 GMT

Do you have any updates on the issue?

Re: PA-5220 Decryption Performance Degradation

an.schall — Fri, 24 May 2019 14:24:29 GMT

Unfortunately not.