Application Delivery Controller

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Application Delivery Controller

L2 Linker

Hi All,

I know this may not be the correct place to discuss this however where I am I don't get the best response to feature requests.

What I was wondering is there any chance PAN is looking to create a load balancer (ADC), as it is the one area of our networks that is missed by the PAN devices as any traffic they see is SSL passed through to our existing ADC's that then have to terminate it and inspect it. If PAN had an ADC appliance we could do the same but get all the inspection and reporting that we get from our PAN firewalls. Yes F5 does this but if I go that way then I might as well invest fully in the F5 options and use their firewalls as well.

Anyone else have an opinion?

6 REPLIES 6

L6 Presenter

Hi, There is no option for ADC, ADC does application level load balancing. I dont think this is anywhere close to firewall functionalists.

ADC task needs lots of processing power, its always recommended to use dedicated device for it.

L3 Networker

@bcsgroup; you're not the only one - basic load balancing would be a very useful addition to PANOS.

@hshah; compared to the the processing that a PANOS box can do on a session - SSL decrypt, AV, Threat Detection etc - I don't see how basic load balancing based upon IP/Port information to farm of servers is much more load.  The firewall is already maintaining full state info - quite possibly including NAT bindings - for each session, all it needs is the ability to have the destination NAT be to one of N addresses (and include some mechanism to ensure each of N are available) instead of a single destination.

Sure, the dedicated devices will provide greater control, better back end service monitoring etc, but at least this would allow us to get rid of the horror of the few Microsoft Network Load Balancer instances we have...

While I agree this area of the network has started to cross over and now ADC products are marketed as security solutions. I know that the processing power can be high however we use HAPROXY and it does this with minimal effort so don't think modern CPU's have an issue. The PAN devices already do SSL decryption, NAT, and threat scanning so don't see this as much extra load not hat I would have any issue with it being a different device/VM-series. My biggest issue is that most of our applications are going web based and use SSL so now I am left with > 50% of my traffic not being visible or scan-able to my PAN devices as all they see is SSL/secure-web-browsing how am I supposed to know if any one of those sessions are malicious unless the session is terminated on a PAN device.

While I realize it is not a firewall function per-say it is a security function and a very important one that leaves a hole in the PA product line that we have to fill with a competitor's product then the competitor offers me firewalls at a discount to go with my ADC and suddenly PAN is gone from my datacenters. Not that this is happening but if we are faced with moving to loadbalancers that can do threat scanning why can I not turn to my network security company?

L7 Applicator

There is a blurring of roles with ADC now.  Certainly F5 is making the move to become both an ADC and a full firewall.  They are looking to use ADC as the wedge to take over all functions on the edge.

I don't think that PA or any Firewall company can easily compete in a high volume DC as an ADC.  But getting some basic low volume ADC options into the firewall environment will be needed at some point in the future.  I do think the ADC vendors will all go the F5 route ultimately and hope to displace existing firewall vendors in the DC environment.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I do agree if the PAN devices could take on some basic ADC options would be great. As for the big ADC market I don't see that as a problem as they generally don't look to run these roles on the firewall. However starting the development for the smaller/everyday use cases would begin the process and ensure PA remained prominent in those datacenters as they grow. I would think that >80% of needs would be met with basic loadbalancing capabilities that applications like HAPROXY provide so any implementation would only need the basics.

It looks like there is a feature request pending for basic round robin load balancing on inbound nat.  This would be the one to vote for with your PA Sales team if this functionality is of interest.

FR 344

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 4704 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!