5260 Experience

L6 Presenter

Looking for some real-world deployment experience. Anyone that's deployed a 5260, how much data have you guys pushed through it? Anyone pushing 20-30Gbps+? How does it perform?

I'm thinking about getting one and putting it off our tapping infrastructure for IPS/IDS functionality.


L7 Applicator

So far we are still in a migration project, so right now our 5260s are still totally bored with peaks of about 5 Gbit 😛

L6 Presenter

I ended up requesting a 5260 for a PoC, which I'll hopefully get deployed this week. Soon after I'll put at least 30GB of traffic through it, so I'll update here after it gets up and running.

@Brandon_Wertz,

The pair I support have pushed just past 15Gb/s with a mix of non-decrypted and decrypted traffic utilizing full Threat Prevention without issue. If you're looking to push more than 30Gb/s you'll be maxing threat prevention capabilities on the box.

Oh, I'm attempting to "melt" the box. I know the spec sheet says 28-33G of "threat" throughput. I've got a unique use case though and really only need these boxes to do threat. (No SSL or IPsec.)

L6 Presenter

So far this box is a beast... Sending about 20Gb/s with around 280k sessions/s and it's only at 12% dataplane.

We're up to 720k sessions/s and DP CPU is still at 14%. I'm really impressed with the capacity of the box.

[Attachment: Traffic.PNG]

So here's what I was trying to do and what I eventually deployed. I've got a fairly extensive tapping infrastructure at my company, which is aggregated into 8 x 40G links into a Gigamon HD4. These links are essentially the summation of "core / UCS" traffic.

I then took 6 x 10G ports from the HD4 and connected them to the 5260 and configured these in "tap mode" on the 5260. I know there's going to be some discrepancy in jumping down from 40G to 10G, but unfortunately I didn't have any 40G available on the HD4, so I had to compromise. Even so, the 5260 seems to be taking the traffic just fine. I'm not sure how it would perform in an inline deployment, but this box definitely has the legs to take considerable amounts of throughput.

[Attachment: App_3Day.PNG]

Hi,

Never tested a PA 5260 but tested a PA5250.

Be careful if you enabled VSYS!

Inter-VSYS traffic was limited to 3.5 Gbps on PA 5250...

Regards,

HA


@licenselu wrote:

Hi,

Never tested a PA 5260 but tested a PA5250.

Be careful if you enabled VSYS!

Inter-VSYS traffic was limited to 3.5 Gbps on PA 5250...

Regards,

HA

That's something great to point out. I will say though that a 5260 has substantially more capacity than a 5250. It's possible the 5260 has a greater capacity.

And for clarification, you're referring to enabling "multi-vsys," right? Because "VSYS" is already enabled by default (VSYS1).

Hi @licenselu

This is a known limitation of Palo Alto firewalls. If you do inter-vsys routing then everything is done in software. The only way to get the full performance of the box is if you "think outside of the box": the traffic needs to go out of the firewall and come back over a switch/router to another interface of the next vsys.
