Best Practices from a Performance perspective.


L3 Networker

Hello Everyone,

Could someone shed some light on configuration best practices that can optimise performance from GUI, Security rule processing, etc.?

For example, I was told that using an App Group with a large number of Apps to whitelist might have an adverse performance impact; instead it is better to use App filters as much as possible. And when using user ID, make sure you filter out the Groups and users that you will not use in Policy.

Kind Regards,



L3 Networker

I can't answer regarding the App Group vs App Filters performance impact; however, from a management perspective, App Filters are a lot easier for an admin to maintain, as new applications are automatically added to the filters whenever a dynamic update occurs.

With regards to User ID, it's best practice to only include groups that you will use on the PAN device to control traffic. If you are on 4.1 or higher you can additionally reduce the amount of data that the LDAP server returns to the PAN device for the group mappings by applying search filters to your Group Mappings. This can be made easier by creating some specific groups on your LDAP server with an appended label to the group (i.e. PAN-Marketing, PAN-Sales, PAN-Technical, PAN-Directors), making your LDAP groups members of those groups, and then applying a group filter of "PAN" to your Group Mappings. This will only pull across the groups with the PAN label and the members of those groups.
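As an added illustration of the labelled-group approach in the reply above (not code from the poster or from Palo Alto Networks), this Python sketch compares the group-mapping data pulled with and without a label filter. The directory contents are constructed, and the filter is modelled as a name-prefix match on "PAN-", which is an assumption; it does not reproduce the device's actual LDAP queries.

```python
# Constructed sample directory: group name -> direct members (users or nested groups).
DIRECTORY = {
    "PAN-Marketing": ["Marketing-EU", "Marketing-US"],
    "PAN-Technical": ["Engineering"],
    "Marketing-EU": ["alice", "bob"],
    "Marketing-US": ["carol", "Marketing-EU"],      # overlapping nesting
    "Engineering": ["dave", "Eng-Contractors"],
    "Eng-Contractors": ["erin", "Engineering"],     # circular nesting
    "Finance": ["frank", "grace"],                  # never referenced in policy
    "All-Staff": ["Marketing-EU", "Marketing-US", "Engineering", "Finance"],
}


def resolve_members(group, directory, _seen=None):
    """Return the users in `group`, following nested groups; each group is visited once."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()          # already expanded (overlap or cycle)
    seen.add(group)
    users = set()
    for member in directory.get(group, []):
        if member in directory:                     # member is itself a group
            users |= resolve_members(member, directory, seen)
        else:
            users.add(member)
    return users


def group_mapping(directory, label=None):
    """Mapping held for policy: all groups, or only those whose name starts with `label`."""
    selected = [g for g in directory if label is None or g.startswith(label)]
    return {g: resolve_members(g, directory) for g in sorted(selected)}


def mapping_size(mapping):
    """Total number of group-to-user entries in the mapping."""
    return sum(len(users) for users in mapping.values())


if __name__ == "__main__":
    full = group_mapping(DIRECTORY)
    filtered = group_mapping(DIRECTORY, label="PAN-")   # assumed prefix form of the "PAN" filter
    print("unfiltered:", len(full), "groups,", mapping_size(full), "entries")
    print("filtered:  ", len(filtered), "groups,", mapping_size(filtered), "entries")
    for name, users in filtered.items():
        print(" ", name, sorted(users))
```

Users who belong only to unlabelled groups (here the Finance members) never reach the mapping, so they cannot be matched by a user-based rule.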

L1 Bithead

Concur on the User-ID comment.  For the app-group vs filter:

Application Group: List of applications grouped together so only the group needs to be put into a Security Rule (much like address groups). During the commit process, applications inside the group will be applied to the security policy they are attached to.

Application Filter: List of application categories, to group matching applications together for use inside a Security Rule.  During a commit, the application filter parses the app-db to determine the matching signatures to apply to the security rules.

The primary difference between the two as far as performance is concerned is during the commit process.  Application group, because it is not dynamic (white list), would not require an app-db parse for applications matching the filter criteria.  So application group would be less resource intense, but again the difference between the two is during the commit process, not normal operation.
