Performance Testing Palo Alto Networks Firewalls: Real-World Traffic, Real Results

At the heart of enterprise security, performance matters just as much as protection. We recently conducted rigorous performance testing on Palo Alto Networks next-generation firewalls to validate throughput, connections per second (CPS), and real-world application handling under realistic traffic loads.

 

This blog post walks through our test methodology, equipment setup, and key findings—ensuring you get transparency behind the numbers in the Palo Alto Networks datasheet.

 

Test Equipment & Setup

 

Our testing leveraged BreakingPoint, a powerful traffic generation platform designed to emulate realistic client and server interactions at high scale. To accurately measure the capabilities of the Devices Under Test (DUTs), we adapted our setup as follows:

 

  • Connections: DUTs were connected via either 1G or 10G interfaces, depending on hardware support.
  • Port Pairing: For higher throughput models, multiple 1G or 10G pairs were used to feed BreakingPoint traffic to the DUT.
  • Client/Server Simulation: Each test used 1,000 clients and 25 servers, configured within BreakingPoint.
  • IP Configuration: All tests used IPv4 addressing unless noted otherwise.

HTTP Flow Setup:

  • BreakingPoint’s File Generator feature was used with the ‘Exact Length’ setting to precisely control transaction sizes.
  • Traffic was based on HTTP/1.1, using 10 GET requests per connection.
  • The Maximum Segment Size (MSS) was set to 1460 bytes, resulting in server response packets of approximately 1500 bytes.

 

Firewall Configuration

 

The Palo Alto Networks firewalls were configured to reflect standard enterprise deployment best practices:

 

  • Interface Mode: All firewall interfaces were set to Layer 3 (L3) mode.
  • Security Policy: A universal allow policy was applied from source zone ‘Any’ to destination zone ‘Any’.
  • Application Identification:
    • AppOverride was enabled using protocol TCP, ports 0-65535, and application ‘100bao’.
    • When Threat Prevention was enabled, it included default profiles for:
      • Antivirus
      • Anti-Spyware
      • Vulnerability Protection
      • WildFire Analysis
      • Basic File Blocking
  • Logging: Traffic logs were enabled at session end for all tests, except CPS.

HTTP Throughput Testing

 

To measure raw throughput under varying load conditions, we configured the following HTTP transaction sizes:

 

  • 4K, 16K, 64K, and 1MB
  • IPv6 tests were run exclusively at 64K
  • MSS: 1460 bytes
  • Resulting server packet size: ~1500 bytes

Note: All throughput numbers published in the product datasheets are based on 64K transaction size, representing an optimal balance of packet and session overhead.

 

Connections Per Second (CPS)

 

For testing the maximum connection-handling rate, we used HTTP with 1-byte transactions, simulating extremely short-lived sessions—ideal for stress testing firewall connection tables and session setup.

  • Packet Size: ~320 bytes (due to MSS 1460)
  • Logging: Disabled to eliminate performance impact
  • CPS Tests Included:
    • AppID
    • AppOverride
    • Threat Prevention
  • Datasheet Baseline: Results reflect performance with AppOverride enabled

Application Mix Testing

 

To simulate real enterprise traffic, we created a diverse application mix using 20+ widely used apps and protocols. This scenario reflects typical corporate network usage, including web browsing, multimedia, cloud services, and collaboration tools.

 

Applications included, but were not limited to:

  • Web Traffic: HTTP web-browsing, HTTP audio, HTTP video
  • Cloud & SaaS: Amazon, Gmail, Slack, Yahoo, LinkedIn
  • Enterprise Apps: Oracle, SMB, Twitter (X), YouTube

 

Each application varied in transaction size and packet composition, providing a more realistic look at firewall behavior under mixed traffic types.

 

RFC 2544 Metrics: Throughput, Latency & More

 

In addition to the above real-world tests, we also evaluate firewall performance using RFC 2544, an industry-standard benchmarking methodology. These internal tests help provide consistency and repeatability when measuring core network performance metrics:

 

Throughput

  • Measures the maximum rate (in bits per second) at which the firewall can forward packets without any loss.
  • This provides a baseline of raw capacity under ideal conditions.

Latency

  • Captures the delay (in microseconds or milliseconds) between the time a packet enters and exits the firewall.
  • Measured under varying loads and packet sizes to identify jitter and delay characteristics.

Packet Loss & Error Rate

  • Determines if the firewall drops or corrupts packets under sustained high throughput or bursty traffic conditions.
  • Essential for assessing stability under pressure.

Internal Packet Size Testing & IMIX

To ensure performance is optimized across different traffic types, we internally test with various fixed packet sizes (e.g., 64B, 128B, 512B, 1500B, 9000B) as well as IMIX (Internet Mix) patterns. IMIX testing simulates real-world internet traffic by blending packet sizes (small control packets + medium and large data packets), helping us observe:

 

  • How performance scales under mixed workloads
  • Potential bottlenecks caused by small or jumbo frames
  • True "user experience" capacity vs. synthetic max speeds

These results complement the application and HTTP testing shown in product datasheets, providing a comprehensive view of the firewall's behavior under diverse traffic profiles.
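The RFC 2544 throughput definition and the fixed packet size sweep described above can be sketched as a zero-loss rate search. This is an added example, not code from the original post or from Palo Alto Networks: the `SimulatedDUT` model, its packets-per-second and bits-per-second limits, and the 10G link speed are constructed assumptions standing in for a real traffic generator and firewall.

```python
# Added example: RFC 2544-style zero-loss throughput search against a
# simulated DUT. The DUT model and all its limits are constructed values.
ETH_WIRE_OVERHEAD = 20  # preamble (8 bytes) + inter-frame gap (12 bytes)

def line_rate_pps(link_bps, frame_bytes):
    """Frames per second that fill the link at a given frame size."""
    return link_bps / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)

class SimulatedDUT:
    """Hypothetical device capped by packets/s and by bits/s."""
    def __init__(self, max_pps, max_bps):
        self.max_pps, self.max_bps = max_pps, max_bps

    def forwarded_pps(self, offered_pps, frame_bytes):
        bps_limit_as_pps = self.max_bps / (frame_bytes * 8)
        return min(offered_pps, self.max_pps, bps_limit_as_pps)

def zero_loss_throughput_bps(dut, link_bps, frame_bytes, resolution=0.001):
    """Highest offered load (in frame bits/s) the DUT forwards without loss."""
    full = line_rate_pps(link_bps, frame_bytes)
    def lossless(fraction):
        offered = fraction * full
        return dut.forwarded_pps(offered, frame_bytes) >= offered
    if lossless(1.0):             # RFC 2544 starts at the maximum rate
        return full * frame_bytes * 8
    lo, hi = 0.0, 1.0             # lo is always lossless, hi always lossy
    while hi - lo > resolution:
        mid = (lo + hi) / 2
        if lossless(mid):
            lo = mid
        else:
            hi = mid
    return lo * full * frame_bytes * 8

def sweep(dut, link_bps, sizes=(64, 128, 512, 1500, 9000)):
    """Zero-loss throughput per frame size (sizes taken from the text above)."""
    return {s: zero_loss_throughput_bps(dut, link_bps, s) for s in sizes}

if __name__ == "__main__":
    dut = SimulatedDUT(max_pps=2_000_000, max_bps=8e9)  # constructed limits
    for size, bps in sweep(dut, link_bps=10e9).items():
        print(f"{size:>5} B frames: {bps / 1e9:6.2f} Gbit/s without loss")
```

With these constructed limits the device is packet-rate bound at 64B and 128B and bit-rate bound from 512B upward, which is why a single large-packet throughput figure says little about small-packet behavior.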

 

Final Thoughts

 

By combining BreakingPoint traffic generation, RFC 2544 benchmarking, and real-world application scenarios, our performance testing goes far beyond theoretical numbers. It reflects how Palo Alto Networks firewalls perform in environments just like yours—handling legitimate traffic, real applications, and sophisticated threats.

 

Whether you're scaling up a secure branch, deploying in a data center, or protecting remote users, these results validate that Palo Alto Networks solutions deliver both security and performance at scale.

 
