We're currently deploying a PA-2050 firewall in HA mode in our headquarters. We plan to protect all data lines entering or leaving the HQ through the new firewall - including our MPLS WAN infrastructure where we run a lot of time-sensitive Citrix applications (actually our world-wide users turned out to have an advanced sensitivity for the responsiveness of our Citrix applications...).
Question: Do we have to expect any negative impact on such real-time connections during the following activities or won't users notice anything?
- Committing a new config (takes about 3 min to complete)
- Installing new content (applications and threats - takes 20 - 30 min to complete!)
- Installing new AV signatures
If there is any negative impact, what would it look like for the users? Just a 1 sec lag, or a 1 min general slowness, etc.?
Important to note that on all platforms the management plane and data plane are separate entities with separate processing. You can expect no impact for user traffic crossing the data plane for any of these activities; however, the management plane will be busier during all three. The management plane is what handles the WebUI management, logging, downloads, configuration, etc. All three activities require a commit, and in the case of new content and AV signatures, it requires a re-compile of the App and Threat databases. On the 2000 series, since the processors are smaller than on the 5000 series, it can take longer, as you've noticed with the content installs. So again, no impact to the user traffic, but you may notice some slower response on the WebUI during these events, as the management plane CPUs will be busier.
Not entirely true.
On 2000-series the SSL MITM cert is being issued by the mgmtplane.
Also userid stuff goes through the mgmtplane, which means that if the mgmtplane is busy or offline (reboot mgmtplane) and the ip isn't already cached in the dataplane regarding userid, then userid based security policies will never trigger until the mgmtplane returns.
Thanks for the add-on. Am I correct that the recompile process runs with a slightly lower priority than issuing MITM certs or user ID?
It's just out of curiosity, I think it's not much of an issue for us.
Sorry, I don't know that, perhaps someone from PA can inform us? :-)
I just wanted to highlight that mgmtplane and dataplane aren't as "separate" as one might think and that there are dependencies that in some situations (and models) would stop new sessions from being set up until the mgmtplane returns (besides the loss of logging during downtime of the mgmtplane). However, already set up sessions shouldn't be affected as far as I know (unless you put in some bad security policy and must revert).
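Rather than guessing whether users will notice a commit or content install, the practical answer is to measure it: probe a Citrix endpoint through the firewall, pull the job windows from the box, and compare RTT and loss inside each window against the pre-maintenance baseline. The script below is an added example and is not code from this thread or from Palo Alto Networks. It assumes job windows come from a `show jobs all` XML response (the element names `job`, `type`, `status`, `tdeq`, `tfin` and the type labels `Commit`, `Content`, `AntiVirus` are modelled on that output and are assumptions here), and that probe results were logged in a constructed `YYYY/MM/DD HH:MM:SS rtt=<ms>` / `timeout` format. Both inputs are embedded as constructed samples so it runs offline.

```python
"""Added example: correlate firewall management-plane jobs with data-plane
latency probes to decide whether a maintenance action was user-visible.

Not from the thread or from Palo Alto Networks. Assumptions:
  * job windows come from a `show jobs all` XML response; element names and
    job type labels below are modelled on that output (assumption);
  * RTT probes are logged as "YYYY/MM/DD HH:MM:SS rtt=<ms>" or "... timeout"
    (constructed format).
"""
import math
import xml.etree.ElementTree as ET
from datetime import datetime

TS_FMT = "%Y/%m/%d %H:%M:%S"
MAINT_JOB_TYPES = ("Commit", "Content", "AntiVirus")  # assumed type labels

# Constructed sample shaped like a `show jobs all` response (assumption).
SAMPLE_JOBS_XML = """<response status="success"><result>
<job><id>101</id><type>Commit</type><status>FIN</status><result>OK</result>
     <tdeq>2024/03/12 10:10:00</tdeq><tfin>2024/03/12 10:13:00</tfin></job>
<job><id>102</id><type>Downld</type><status>FIN</status><result>OK</result>
     <tdeq>2024/03/12 10:15:00</tdeq><tfin>2024/03/12 10:18:00</tfin></job>
<job><id>103</id><type>Content</type><status>FIN</status><result>OK</result>
     <tdeq>2024/03/12 10:20:00</tdeq><tfin>2024/03/12 10:45:00</tfin></job>
<job><id>104</id><type>Commit</type><status>ACT</status><result>PEND</result>
     <tdeq>2024/03/12 11:00:00</tdeq><tfin></tfin></job>
</result></response>"""

# Constructed probe log: one RTT probe per minute from HQ to a Citrix server.
SAMPLE_PROBE_LOG = """\
2024/03/12 10:05:00 rtt=22.1
2024/03/12 10:06:00 rtt=23.4
2024/03/12 10:07:00 rtt=21.9
2024/03/12 10:08:00 rtt=22.7
2024/03/12 10:09:00 rtt=23.0
2024/03/12 10:10:30 rtt=22.5
2024/03/12 10:11:30 rtt=23.8
2024/03/12 10:12:30 rtt=22.2
2024/03/12 10:20:30 rtt=22.9
2024/03/12 10:21:30 timeout
2024/03/12 10:22:30 rtt=180.0
2024/03/12 10:23:30 rtt=23.1
"""


def parse_job_windows(xml_text, job_types=MAINT_JOB_TYPES):
    """Return [(job_id, type, start, end)] for finished jobs of the given types."""
    windows = []
    for job in ET.fromstring(xml_text).iter("job"):
        # Skip running/queued jobs (no tfin yet) and jobs we don't care about.
        if job.findtext("status") != "FIN" or job.findtext("type") not in job_types:
            continue
        start = datetime.strptime(job.findtext("tdeq"), TS_FMT)
        end = datetime.strptime(job.findtext("tfin"), TS_FMT)
        windows.append((job.findtext("id"), job.findtext("type"), start, end))
    return windows


def parse_probe_log(text):
    """Return [(timestamp, rtt_ms or None)]; None marks a lost probe."""
    samples = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, value = line.split()
        ts = datetime.strptime(f"{date} {clock}", TS_FMT)
        rtt = None if value == "timeout" else float(value.split("=", 1)[1])
        samples.append((ts, rtt))
    return samples


def percentile(values, p):
    """Nearest-rank percentile (p in 0..1) of a non-empty list."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p * len(ordered)) - 1)]


def summarize(samples):
    """Probe count, loss count and p50/p95 RTT for a list of samples."""
    rtts = [r for _, r in samples if r is not None]
    return {
        "probes": len(samples),
        "lost": sum(1 for _, r in samples if r is None),
        "p50_ms": percentile(rtts, 0.50) if rtts else None,
        "p95_ms": percentile(rtts, 0.95) if rtts else None,
    }


def assess(jobs_xml, probe_log, max_p95_rise_ms=50.0, max_lost=0):
    """Compare probes inside each job window with the pre-maintenance baseline.

    Baseline = every probe before the earliest job window. A window is flagged
    as user-visible when its p95 RTT rises by more than max_p95_rise_ms over
    baseline or when more than max_lost probes were lost inside it.
    """
    windows = parse_job_windows(jobs_xml)
    probes = parse_probe_log(probe_log)
    if not windows:
        return summarize(probes), []
    first_start = min(w[2] for w in windows)
    baseline = summarize([s for s in probes if s[0] < first_start])
    report = []
    for job_id, jtype, start, end in windows:
        inside = summarize([s for s in probes if start <= s[0] <= end])
        rise = None
        if inside["p95_ms"] is not None and baseline["p95_ms"] is not None:
            rise = inside["p95_ms"] - baseline["p95_ms"]
        flagged = inside["lost"] > max_lost or (rise is not None and rise > max_p95_rise_ms)
        report.append({"job": job_id, "type": jtype, "window": inside,
                       "p95_rise_ms": rise, "user_visible": flagged})
    return baseline, report


if __name__ == "__main__":
    base, rep = assess(SAMPLE_JOBS_XML, SAMPLE_PROBE_LOG)
    print("baseline:", base)
    for r in rep:
        verdict = "IMPACT" if r["user_visible"] else "no impact"
        print(f"job {r['job']} ({r['type']}): p95 rise {r['p95_rise_ms']} ms, "
              f"lost {r['window']['lost']} -> {verdict}")
```

With the constructed data the 3-minute commit window shows no change from baseline, while the content-install window contains one lost probe and a 180 ms outlier and is flagged. The thresholds (50 ms p95 rise, zero tolerated losses) are deliberately tight for interactive Citrix sessions; widen them for bulk traffic. The same comparison also catches the User-ID dependency mentioned above: new sessions that never get a policy match while the management plane is busy show up as probe timeouts, not as latency.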