PA-220 Throughput Explanation

L3 Networker

PA-220 Throughput Explanation

Can someone please tell me the maximum upload/download speed in megabits per second for a PA-220 with App-ID and all threat prevention/IPS features enabled along with an IPsec tunnel? The data sheet is a little confusing, and I understand that it bases the specs on 64k packets, but I don't know if this had 150 up 150 down or 50 up 50 down. Can someone tell me the throughput I should expect in my use case mentioned above and explain yourself?
L4 Transporter

Re: PA-220 Throughput Explanation

Hi @MarioMarquez,

It means that the firewall can process 150 Mbps in total, with all of the IPS/App-ID features enabled.

If you got this setup, A -> Palo -> B, and you configured the policy set with App-ID/Content-ID and you fire as many 64KB sessions through that setup, you will achieve at least 150 Mbps of throughput.

In real life, you will have a higher throughput, because your policy set is more differentiated, and the fewer "any" statements you have there, the better the firewall will perform. E.g. opening a normal website results in lots of sessions to download pictures, CSS files and so on.

You can calculate with those values but can expect better performance in real life.

Best Regards

Chacko

L3 Networker

Re: PA-220 Throughput Explanation

Thanks for the details.  I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220.  If 150 Mbps is the least I will achieve, that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle.  Is that correct?  Do you think a 100 down 100 up circuit is too much for this PA-220?

L4 Transporter

Re: PA-220 Throughput Explanation

Hi @MarioMarquez,

Yes, that's right.

Typically the existing capacities are never used to 100%.

Even a whole building with a few hundred people may be connected with 10G fibres, but the real consumption will be around, I guess, 20-50 Mbit.

So having a PA-220 for a small site with 200 Mbit is fine; we have PA-220s installed with complete network segmentation between servers and clients and so on (with smaller sites of course) - never had a problem with throughput.

Best Regards

Chacko

L4 Transporter

Re: PA-220 Throughput Explanation


@MarioMarquez wrote:

Thanks for the details.  I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220.  If 150 Mbps is the least I will achieve, that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle.  Is that correct?  Do you think a 100 down 100 up circuit is too much for this PA-220?


No, that is not correct.

The 150 Mbps is per direction.  Meaning it can handle 150 Mbps of downloads along with 150 Mbps of uploads simultaneously.  So a 100/100 connection will be fine for a PA-220.  Even a lowly PA-200 could handle a 100/100 connection.

L3 Networker

Re: PA-220 Throughput Explanation

If that were true, wouldn't that be 300 Mbps of throughput?  The data sheet does not say 150 both ways.  Can you please explain how you're interpreting that?  Thank you.


@fjwcash wrote:

@MarioMarquez wrote:

Thanks for the details.  I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220.  If 150 Mbps is the least I will achieve, that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle.  Is that correct?  Do you think a 100 down 100 up circuit is too much for this PA-220?


No, that is not correct.

The 150 Mbps is per direction.  Meaning it can handle 150 Mbps of downloads along with 150 Mbps of uploads simultaneously.  So a 100/100 connection will be fine for a PA-220.  Even a lowly PA-200 could handle a 100/100 connection.

L4 Transporter

Re: PA-220 Throughput Explanation

You apply the restrictions (App-ID, Threat Prevention, etc.) on a Security Policy.

Security Policies apply to traffic going in one direction (a single session).  For example, web traffic from clients.

You can apply it to policies covering sessions in each direction.  For example, connections from external clients to local servers.

You don't have to set it on every policy.

It only limits traffic that matches the policy.

For example, on our PA-500s, we have all the restrictions enabled for our wired desktops, which limits that traffic to 250 Mbps.  But we don't enable it on our Chromebooks subnet.  And our traffic graphs routinely go over 400 Mbps for downloads.  With 100+ Mbps for uploads.

The restriction is per policy and only affects traffic that matches the policy.  It's not a max for the device if you enable it on a single policy.
