Communication performance issues between zones

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Communication performance issues between zones

L2 Linker

Hi

I have a firewall configured with different zones (users, servers-prod, servers-dev). At network configuration level, 4 network interfaces are linked to 1 aggregate  group and under this aggreate group, I have on subinterface linked with each secuirty zone (ae1.1 for users, ae1.2 for servers-prod, ae1.3 for servers-dev). The 4 interfaces of the Palo Alto are connected on a Cisco stack with aggregate configuration on the Cisco.

 

My problem is : when I start a copy between 2 servers hosted in servers-prod zone, 1 have a good speed for the copy but when I try to copy the same file between users to servers-prod, the speed of the copy is bad. Do you have an idea about this performance issue ?

 

BR  

4 REPLIES 4

Cyber Elite
Cyber Elite

Have you tried setting an app override to see if that speeds up the transfer?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

@CARRIERJerome,

There's a few things you can do:

1) You can do what @reaper suggested and utilize an application-override policy, although this will disable content inspection. 

2) You can disable server response inspection, which will still allow content inspection and proper application inspection to take place while still giving you increased speeds. 

 

Which method you go with really depends on your needs and how secure you actually want to make the traffic. 

Hello

 

I desactivated the server response on the Policy Rule (policy rule to allow SMB access) but without any change about the performance. When I copy a file between 2 servers under the same zone (prod-servers), there is no bad performance but when I copy the same file between to differents zones (users to servers-prod), the speed for the copy is very poor.

@CARRIERJerome,

Okay, so next step would be to create an application-override policy for the traffic. By default, the traffic entering and leaving from the same zone would hit your intrazone-default policy. That policy doesn't actually perform any content inspection and simply does application identification. The application-override policy will prevent content inspection from taking place, but the trade-off is much faster SMB transfers. 

  • 3625 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!