04-12-2019 10:33 AM
Looking for some real-world deployment experience. Anyone that's deployed a 5260, how much data have you guys pushed through it? Anyone pushing 20-30Gbps+? How does it perform?
I'm thinking about getting one and putting it off our tapping infrastructure for IPS/IDS functionality.
04-12-2019 11:39 AM
So far we are still in a migration project, so right now our 5260s are still totally bored with peaks of about 5 Gbit 😛
04-22-2019 11:28 AM
I ended up requesting a 5260 for a PoC which I'll hopefully get deployed this week. Soon after I'll put at least 30GB of traffic so I'll update here after it gets up and running.
04-22-2019 07:47 PM
The pair I support have pushed just past 15Gb/s without issue with a mix of non-decrypted and decrypted traffic utilizing full Threat Prevention. If you're looking to push more than 30Gb/s you'll be maxing threat prevention capabilities on the box.
04-22-2019 08:06 PM
04-26-2019 07:57 AM
So far this box is a beast... Sending about 20Gb/s with around 280k sessions/s and it's only at 12% dataplane.
04-26-2019 11:48 AM
We're up to 720k sessions/s and DP CPU is still at 14%. I'm really impressed with the capacity of the box
04-29-2019 05:55 AM
So here's what I was trying to do and what I eventually deployed. I've got a fairly extensive tapping infrastructure at my company, which is aggregated into 8 x 40G links into a Gigamon HD4. These links are essentially the summation of "core / UCS" traffic.
I then took 6 x 10G ports from the HD4 and connected them to the 5260 and configured these in "tap mode" on the 5260. I know there's going to be some discrepancy in jumping down from 40G to 10G, but unfortunately I didn't have any 40G available on the HD4 so I had to compromise. Even so, the 5260 seems to be taking the traffic just fine. I'm not sure how it would perform in an inline deployment, but this box definitely has the legs to take considerable amounts of throughput.
04-29-2019 10:44 AM
Hi,
Never tested a PA 5260 but tested a PA 5250.
Be careful if you enabled VSYS!
Inter VSYS traffic was limited to 3,5 Gbps on PA 5250...
Regards,
HA
04-29-2019 11:57 AM
@licenselu wrote:
Hi,
Never tested a PA 5260 but tested a PA 5250.
Be careful if you enabled VSYS!
Inter VSYS traffic was limited to 3,5 Gbps on PA 5250...
Regards,
HA
That's something great to point out. I will say though that a 5260 has substantially more capacity than a 5250. It's possible the 5260 has a greater capacity.
And for clarification you're referring to enabling "multi-vsys," right? Because "VSYS" is already enabled by default (VSYS1).
04-29-2019 12:27 PM
Hi @licenselu
This is a known limitation of Palo Alto firewalls. If you do inter-vsys routing then everything is done in software. The only way to get the full performance of the box is if you "think outside of the box": the traffic needs to go out of the firewall and come back over a switch/router to another interface of the next vsys.