Communication performance issues between zones

Reply
Highlighted
L1 Bithead

Communication performance issues between zones

Hi

I have a firewall configured with different zones (users, servers-prod, servers-dev). At network configuration level, 4 network interfaces are linked to 1 aggregate  group and under this aggreate group, I have on subinterface linked with each secuirty zone (ae1.1 for users, ae1.2 for servers-prod, ae1.3 for servers-dev). The 4 interfaces of the Palo Alto are connected on a Cisco stack with aggregate configuration on the Cisco.

 

My problem is : when I start a copy between 2 servers hosted in servers-prod zone, 1 have a good speed for the copy but when I try to copy the same file between users to servers-prod, the speed of the copy is bad. Do you have an idea about this performance issue ?

 

BR  

Community Manager

Re: Communication performance issues between zones

Have you tried setting an app override to see if that speeds up the transfer?


Help the community: Like helpful comments and mark solutions
Reaper out
L7 Applicator

Re: Communication performance issues between zones

@CARRIERJerome,

There's a few things you can do:

1) You can do what @reaper suggested and utilize an application-override policy, although this will disable content inspection. 

2) You can disable server response inspection, which will still allow content inspection and proper application inspection to take place while still giving you increased speeds. 

 

Which method you go with really depends on your needs and how secure you actually want to make the traffic. 

L1 Bithead

Re: Communication performance issues between zones

Hello

 

I desactivated the server response on the Policy Rule (policy rule to allow SMB access) but without any change about the performance. When I copy a file between 2 servers under the same zone (prod-servers), there is no bad performance but when I copy the same file between to differents zones (users to servers-prod), the speed for the copy is very poor.

L7 Applicator

Re: Communication performance issues between zones

@CARRIERJerome,

Okay, so next step would be to create an application-override policy for the traffic. By default, the traffic entering and leaving from the same zone would hit your intrazone-default policy. That policy doesn't actually perform any content inspection and simply does application identification. The application-override policy will prevent content inspection from taking place, but the trade-off is much faster SMB transfers. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!