About throughput performance with only url filtering

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

About throughput performance with only url filtering

L4 Transporter

Hello,

 

I have questions.

I know throuhput performance is half when using Threat Prevention.

 

If we would use only url filtering, how is PA's throughput performance? Is it same when using TP or only using application?

And If we would use only file blocking, how about?

 

I think if url-filtering and file-blocking use signature-match-chip, it would be same when using TP.

if they do not use signature-match-chip, it would be same when using only application.

 

Please let me know it.

 

Thanks,

KC Lee 

 

 

 

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi KC

 

The throughput reduction as indicated by the generic spec sheet per chassis gives a guesstimate of a fully loaded device with all bells and whistles enabled with a good mixture of traffic. Each environment has it's unique qualities and may see better or worse performance

 

URL filtering is not part of threat prevention and has a completely different impact on throughput than threat prevention as URL filtering does not need to inspect packets but rather needs to determine the url category by intercepting the host header/certificate common name/SNI and then doing a category lookup in the database, cache or cloud repository to verify if the connection can be allowed or needs to be blocked.

 

As such, URL filtering has no real impact on throughput directly but if for some reason cloud lookups are hindered, this could introduce latency in the individual connections that require a lookup

 

 

hope this helps

Reaper

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

Thanks for your answer.

 

It helps me. I make sure it.

 

How about File-Blocking?

And If I would use only custom url category, The latency would reduce?

Because It have to query to cloud.

 

Thanks,

KC Lee

Hi KC

 

it will depend too much on how fileblocking is implemented (only a to b, all traffic, only filesharing apps, ...) to give a solid answer to your question. It is best to assume the worst (50% overall decrease) and then be happily surprised you get far better performance 😉

 

Or set up some rigorous testing with a realistic network design to gauge what the behavior would be like in your specific setup

 

 

using custom-categories-only would cause even less potential "latency" (as any latency would depend mostly on outside factors)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 4158 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!