04-12-2018 10:54 AM
I am planning to bring in a new ssl decryption appliance to my current network. How can I guage the ssl throughput on my curent PA-5020 to make decision on right size of appliance?
TIA
04-12-2018 11:32 AM
Well the public specs are around 2Gb of capacity through the appliance when doing features other than App-ID.
Are you going to be putting this appliance before or after the FW? You're wanting it to have the same SSL performance capabilities as your 5020?
04-12-2018 11:45 AM
This appliance will be in-line(Probably layer-2) with firewall. Yes, we want same ssl performance as on firewall. Before making any decisions on product, I want to guage our ssl throughput because we hardly touch 150Mbps(Total) throughput at any point.
04-12-2018 11:53 AM
Can I ask why you're wanting to get a separate SSL appliance? The firewall can SSL decrypt redirect (mirror) native on the appliance.
I admit I don't know how to get you exactly what you're looking for. Are you wanting decrypted SSL or just general SSL throughput? You should easily be able to use ACC to get general SSL throughput but getting a "bps" decrypted throughput will probably be challenging.
It might be safer getting an appliance that can do 1Gbps of decrypted SSL. That way you had plenty of headway and don't need to revisit this topic in the future.
04-12-2018 12:15 PM
I am very comfortable doing decryption on firewall but I learnt there would be a significant performance loss if done.
https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/
So, we want to deploy a dedicated appliance. Not sure about sizing. So, I am struggling to get the numbers right.
04-12-2018 12:30 PM
I would attempt to get a current report if you are making your purchasing decisions off of this report. Palo Alto has made a number of performance enhancements since 2013 that make anything your looking at in this report outdated.
04-13-2018 11:28 AM
@SThatipelly wrote:I am very comfortable doing decryption on firewall but I learnt there would be a significant performance loss if done.
https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/
So, we want to deploy a dedicated appliance. Not sure about sizing. So, I am struggling to get the numbers right.
To add on to what @BPry said if you're going to off-load SSL interception you're going to lose some pretty critical capabilities to protect your network on the firewall. Proper URL filtering enforcement as well as application controls need SSL decryption.
04-13-2018 11:31 AM
SSL offloading will be done before firewall and plain traffic is fed to firewall. I donot anticipate any lose of visibility. Please correct me if I am wrong.
04-13-2018 11:47 AM
If you're going to give the firewall a decrypted view of the traffic then it shouldn't be a problem; but like @BPry said the SSL performance specs of the firewalls / PAN-OS 8.X code has been greatly improved.
I wouldn't base the assumption that you're going to have a performance hit solely based on a 5 year old report.
04-13-2018 12:33 PM
May I add something here: The connections will not be "slower" with decryption enabled, but the maximum throughput decreases dramatically on PA-5000 series hardware. It is true that there are major improvements with PAN-OS 8.X but only in software ... the hardware remains the same. I don't know exactly about PA-5020 but with a PA-5050 the hardware reaches its limits at a max of 300 Mbit/s of decrypted traffic.
The major problem is that the hardware is already "old" and since then there where major improvements about the used encryption algorithms in the internet and for all these new algorithms the chips aren't really made specifically. So with this hardware (PA-5020) this report could still be true or even worse because of the mentionned algorithms.
But back to topic. @SThatipelly how are you going to configure everything like you proposed and still maintain the visibility on your PA firewall? Only in TAP mode? Because without that I don't get how the PA would see and actively process the unencrypted traffic. I mean this new appliance cannot simply terminate all encrypted connections and forward them decrypted. This will break almost everything in my eyes. Or are you talking about inbound decryption?
04-13-2018 12:34 PM
If you are stuck on going with an additional appliance, which I'll reiterate that I personally believe is a waste of resources at this point (esspecailly given your stated max bandwidth); make sure that the appliance that you purchase is actually capable of handing the firewall unencrypted traffic.
The vast majority of decryption appliances are not going to pass unencrypted traffic. It will decrypt the traffic and re-encrypt it with its own certificate as it keeps track of what that traffic actually looks like in it's unencrypted format. This means that the Palo Alto will once again still be looking at encrypted traffic.
What I highly recommend doing is setting up a test with what you already have (the 5020) and seeing if you actually see any noticable performance hits. If you are only processing max 150Mbps total throughput you aren't going to notice anything with SSL-Decryption enabled directly on the firewall.
If after this test you still feel the need to install an additional appliance then do so, just make sure that it actually can pass unencrypted traffic to the firewall.
04-13-2018 12:39 PM - edited 04-13-2018 12:40 PM
SSL appliance would be in-line layer 2 with firewall. It just decrypts outbound and feeds plain traffic to firewall. Firewall processes it and sends it back out through same switch which inturn connects to a router to internet. It's little complicated network architecture. I actually donot like to bring in an extra appliance for decryption sake but the performance loss and future scalability are the only issues that are holding me back from doing it on firewall itself.
04-13-2018 12:43 PM
Bluecoat for eg decrypts the traffic and feeds plain traffic to inline active devices like firewall. The problem here is the firewall is already in production and cannot risk any performance drops since this is the critical node. I may have to talk to palo to see what performance loss can be anticipated with my peak traffic rate decryption.
04-13-2018 12:51 PM
I'm not seeing anywhere in this plan where the appliance would take the traffic again to actually re-encrypt the session, so the plan is to simply send it out the router in an unencrypted format? That might need some additional design thought unless I'm simply just misunderstanding what is planned.
If you are looking at a Bluecoat appliance wouldn't it be cheaper to simply upgrade to a newer firewall that wouldn't have any issue at all doing the decryption? Bluecoat gets expensive really quickly. I would likely look into Zscaler if an upgrade to a 5220 isn't available. At least with Zscaler you don't really have an appliance to worry about and the costs are relatively resonable; then you can cancel when you actually get the approval to right-size your firewall with an upgrade.
04-13-2018 01:03 PM - edited 04-13-2018 01:03 PM
Bluecoat acts like a switch,so as soon as it receives traffic from firewall,if it matches exisiting session it gets reencrytped.
My concern with using up good amount of CPU on firewall is it may make firewall less resistant to some attacks like DDOS where packet handling capacity would be drastically be reduced.
I am simply planning these with future scalability in mind. Thank you all for your responses. These will definitely help me in decision making.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
