topic Communication performance issues between zones in General Topics

Communication performance issues between zones

CARRIERJerome — Thu, 03 Oct 2019 13:36:16 GMT

I have a firewall configured with different zones (users, servers-prod, servers-dev). At network configuration level, 4 network interfaces are linked to 1 aggregate group and under this aggreate group, I have on subinterface linked with each secuirty zone (ae1.1 for users, ae1.2 for servers-prod, ae1.3 for servers-dev). The 4 interfaces of the Palo Alto are connected on a Cisco stack with aggregate configuration on the Cisco.

My problem is : when I start a copy between 2 servers hosted in servers-prod zone, 1 have a good speed for the copy but when I try to copy the same file between users to servers-prod, the speed of the copy is bad. Do you have an idea about this performance issue ?

Re: Communication performance issues between zones

reaper — Thu, 03 Oct 2019 16:57:42 GMT

Have you tried setting an app override to see if that speeds up the transfer?

Re: Communication performance issues between zones

BPry — Thu, 03 Oct 2019 18:39:58 GMT

@CARRIERJerome,

There's a few things you can do:

1) You can do what @reaper suggested and utilize an application-override policy, although this will disable content inspection.

2) You can disable server response inspection, which will still allow content inspection and proper application inspection to take place while still giving you increased speeds.

Which method you go with really depends on your needs and how secure you actually want to make the traffic.

Re: Communication performance issues between zones

CARRIERJerome — Fri, 04 Oct 2019 06:47:41 GMT

Hello

I desactivated the server response on the Policy Rule (policy rule to allow SMB access) but without any change about the performance. When I copy a file between 2 servers under the same zone (prod-servers), there is no bad performance but when I copy the same file between to differents zones (users to servers-prod), the speed for the copy is very poor.

Re: Communication performance issues between zones

BPry — Fri, 04 Oct 2019 13:18:04 GMT

@CARRIERJerome,

Okay, so next step would be to create an application-override policy for the traffic. By default, the traffic entering and leaving from the same zone would hit your intrazone-default policy. That policy doesn't actually perform any content inspection and simply does application identification. The application-override policy will prevent content inspection from taking place, but the trade-off is much faster SMB transfers.