This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Best Practises from a Performance perspective.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Best Practises from a Performance perspective.

sunilsadanandan
L3 Networker

‎01-27-2013 06:37 AM

Hello Everyone,

Could someone shed some light on configuration best practises that can optimise performance from GUI , Security rule processing etc ?

For example , I was told that using a App Group with a large number of Apps to whitelist might have an adverse performance impact , instead it is better to use App filters as much as possible. And when using user ID , make sure you filter out the Groups and users that you will not use in Policy.

Kind Regards,

Sunil

0 Likes Likes
2 REPLIES 2

SCoupland
L3 Networker

‎02-07-2013 03:38 PM

I can't answer regarding the App Group vs App Filters performance impact however from a management perspective App Filters are a lot easier for an admin to maintain as new applications are automatically added to the filters whenever a dynamic update occurs.

With regards to User ID, it's best practice to only include groups that you will use on the PAN device to control traffic. If you are on 4.1 or higher you can additionally reduce the amount of data that the LDAP server returns to the PAN device for the group mappings by applying search filters to your Group Mappings. This can be made easier by creating some specific groups on your LDAP server with an appended label to the group (ie. PAN-Marketing, PAN-Sales, PAN-Technical, PAN-Directors), and make your LDAP groups a member of those groups and then apply a group filter of "PAN" to your Group Mappings. This will only pull across the groups with the PAN label and the members of those groups.

vkelley
L1 Bithead

‎02-11-2013 02:28 AM

Concur on the User-ID Comment.  For the app-group vs filter;

Application Group: List of applications grouped together so only the group needs to be put into a Security Rule, (much like address groups). During commit process applications inside the group will be applied to the

security policy they are attached to.

Application Filter: List of application categories, to group matching applications together for use inside a Security Rule.  During a commit application filter parses the app-db to determine the matching signatures to apply

to the security rules. 

The primary difference between the two has far has performance is concerned is during the commit process.  Application group because it is not dynamic , white list, would not require an app-db parse for applications

matching the filter criteria.  So application group would be less resource intense, but again the difference between the two is during the commit process not normal operation.

  • 2106 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks