PA-5220 Decryption Performance Degradation

L1 Bithead

We have a cluster of PA-5220 firewalls with SSL decryption activated. When initiating a communication across the firewall using a decrypted protocol (scp, HTTPS, etc.) we get 5x slower connections compared to the unencrypted versions of the protocol.

In Certificate Revocation Checking, CRL and OCSP are unchecked.

Is this behaviour expected? If not, what can be done about it?


Thanks in advance!

L7 Applicator

Re: PA-5220 Decryption Performance Degradation

@an.schall,

That wouldn't be expected as long as the device is sized appropriately and you aren't close to maxing resources. 

To start troubleshooting I would simply look at the resources on the box when you have decryption enabled and see if you notice any high rates. Also with SCP are you decrypting SSH, or are you just decrypting HTTPS traffic for the time being? 

L1 Bithead

Re: PA-5220 Decryption Performance Degradation

Dear BPry,

Is there a built-in command or dashboard to extract resource usage?

In fact, we tested it with secure copy (scp), hence we are decrypting SSH. The details are the following:

 

OpenSSH_6.6.1, OpenSSL 1.0.1i-fips 6 Aug 2014

...

debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2
debug1: no match: PaloAltoNetworks_0.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

...

Sending file modes: C0600 923309458 foobar.zip
Sink: C0600 923309458 foobar.zip
foobar.zip 100% 881MB 17.6MB/s 00:50
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 924876344, received 251440 bytes, in 51.3 seconds
Bytes per second: sent 18016068.0, received 4897.9
debug1: Exit status 0
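As an added example (not from this thread and not Palo Alto Networks code), a small Python parser for ssh -v output like the one above: it flags that the remote banner belongs to the firewall's SSH proxy rather than the real sshd, pulls the negotiated server->client cipher and MAC, and computes the achieved throughput so a decrypted run can be compared against an undecrypted baseline. The sample log and the PaloAltoNetworks_0.2 banner are taken from the post; treating that banner prefix as a proxy indicator is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ssh -v excerpt from the post, trimmed to the lines the parser uses.
SAMPLE_LOG = """\
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2
debug1: no match: PaloAltoNetworks_0.2
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
Transferred: sent 924876344, received 251440 bytes, in 51.3 seconds
"""

# Assumption: a remote software banner with this prefix means the client is
# talking to the firewall's SSH proxy, not to the destination server's sshd.
PROXY_BANNER_PREFIXES = ("PaloAltoNetworks",)

_BANNER = re.compile(r"remote software version (\S+)")
_KEX = re.compile(r"kex: server->client (\S+) (\S+) (\S+)")
_XFER = re.compile(r"Transferred: sent (\d+), received (\d+) bytes, in ([\d.]+) seconds")

@dataclass
class SshSessionSummary:
    remote_software: Optional[str]
    proxied: bool                 # banner matched a known proxy prefix
    cipher_s2c: Optional[str]     # negotiated server->client cipher
    mac_s2c: Optional[str]        # negotiated server->client MAC
    sent_bytes: int
    seconds: float

    @property
    def sent_mbps(self) -> float:
        # Client-to-server throughput in MB/s (decimal); 0.0 when no transfer line was seen.
        return self.sent_bytes / self.seconds / 1e6 if self.seconds else 0.0

def summarize_ssh_log(text: str) -> SshSessionSummary:
    """Extract proxy indicator, negotiated algorithms and throughput from ssh -v output."""
    banner = cipher = mac = None
    sent, secs = 0, 0.0
    for line in text.splitlines():
        if m := _BANNER.search(line):
            banner = m.group(1)
        elif m := _KEX.search(line):
            cipher, mac = m.group(1), m.group(2)
        elif m := _XFER.search(line):
            sent, secs = int(m.group(1)), float(m.group(3))
    proxied = banner is not None and banner.startswith(PROXY_BANNER_PREFIXES)
    return SshSessionSummary(banner, proxied, cipher, mac, sent, secs)
```

Dividing the throughput of an undecrypted run by `sent_mbps` of a decrypted run gives the slowdown factor the original post quotes as 5x.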

L1 Bithead

Re: PA-5220 Decryption Performance Degradation

Do you have any updates on the issue?

L1 Bithead

Re: PA-5220 Decryption Performance Degradation

Unfortunately not.
