Is A/P Throughput synchronized?


Dear Team,

I know that sessions are synchronized except for the conditions below in the A/P configuration.

- In Active/Passive mode, ICMP and host sessions are not synchronized between peers.
(Note: A host session is a session terminated on one of the firewall interfaces, such as an ICMP session pinging one of the firewall interfaces or a GP tunnel.)

What I'm curious about is whether the throughput between the A/P peers is also synchronized.

I configured an A/P lab, and if I check the 'show system statistics session' output, I can see that the throughput of the passive device also increases, as shown below.

[Screenshot: 'show system statistics session' output from the A/P lab; the image is not included in this copy.]

If anyone has any information or related documents about this, I would appreciate it if they could share them with me.

Thanks in advance,
Kyungjun

Accepted Solution

Hi @CHOE-KyungJun,

This is a little bit of a strange question..

As defined here, Network throughput - Wikipedia, throughput is the rate (speed) at which traffic is forwarded/delivered over the firewall. Now, in an Active/Passive HA deployment the passive member does not process any traffic over its dataplane interfaces. It actually disables its routing engine, which ensures that any packet forwarded to the passive FW's dataplane interfaces will be ignored by the firewall.

Which means only the active member is forwarding traffic, therefore throughput is relevant only for the current active device. Each network device (including any PA FW) is sized for a particular maximum throughput - this is the maximum data the firewall can process in one second before it starts dropping or queuing the traffic. A Palo Alto firewall can form an HA cluster only if the two members are the same hardware model (or VM-Series capacity). Which means both HA members must have the same maximum throughput.

Your question is like asking: if you and I are holding hands and you are given a glass of water and start drinking fast, will I start drinking at the same speed as you, because we are holding hands? The answer is no, because only you have a glass and I am sitting idle. You could pass out and I could take the glass and keep drinking.

Now back to the output in your screenshot.

You could think it makes sense for the passive member to show 0 Kbps - because it shouldn't process any traffic. Yes, that is correct, BUT this value will show all the traffic that is processed by the firewall - this will include HA traffic between the two members as well as traffic to its management interface.

To be honest, I haven't looked at throughput for the passive member, but to me it makes sense to see current throughput on the passive increase when current throughput on the active increases. This is because more sessions are passing over the active firewall and this data needs to be synced with the passive member, which means sync (HA) traffic between the two members will increase - increasing the current throughput.

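The two claims in the thread (session table is synced except ICMP and host sessions; throughput on the passive peer is only HA sync plus management traffic, not forwarded traffic) can be turned into a quick sanity check over the output of 'show system statistics session' from both peers. The script below is an added example written for this page, not code from the original poster or from Palo Alto Networks. The two output samples are constructed to resemble that command's layout, the numbers are made up, and the 2% session tolerance and 10% throughput ratio are assumed thresholds, not documented values.

```python
import re

# Constructed samples shaped like `show system statistics session` from each
# HA peer. Values are invented for this example; field names follow the
# command's usual layout but are not taken from a real capture.
ACTIVE_PEER = """\
Device is up          :  3 days 4 hours 12 mins 9 sec
Packet rate           :  1840/s
Throughput            :  14 Mbps
Total active sessions :  2310
Active TCP sessions   :  1890
Active UDP sessions   :  402
Active ICMP sessions  :  18
"""

PASSIVE_PEER = """\
Device is up          :  3 days 4 hours 10 mins 51 sec
Packet rate           :  62/s
Throughput            :  210 Kbps
Total active sessions :  2292
Active TCP sessions   :  1890
Active UDP sessions   :  402
Active ICMP sessions  :  0
"""

# Normalise every throughput reading to kbps so peers can be compared.
UNIT_TO_KBPS = {"bps": 0.001, "kbps": 1.0, "mbps": 1000.0, "gbps": 1_000_000.0}


def parse_session_stats(text):
    """Parse 'Key : value' lines into a dict with numeric fields converted."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        value = value.strip()
        if key == "throughput":
            m = re.fullmatch(r"([\d.]+)\s*([KMG]?bps)", value, re.IGNORECASE)
            if not m:
                raise ValueError(f"unrecognised throughput value: {value!r}")
            stats["throughput_kbps"] = float(m.group(1)) * UNIT_TO_KBPS[m.group(2).lower()]
        elif key == "packet rate":
            stats["packet_rate_pps"] = int(value.split("/")[0])
        elif key.endswith("sessions"):
            stats[key.replace(" ", "_")] = int(value)
        else:
            stats[key.replace(" ", "_")] = value
    return stats


def compare_ha_peers(active_text, passive_text,
                     session_tolerance=0.02, throughput_ratio_max=0.10):
    """Check that sessions are synced but throughput is not.

    session_tolerance and throughput_ratio_max are assumed thresholds chosen
    for this example; tune them to your own environment.
    """
    active = parse_session_stats(active_text)
    passive = parse_session_stats(passive_text)

    # ICMP sessions are not synced, so the passive total should track the
    # active total minus ICMP. Host sessions are also excluded from sync but
    # this output does not break them out, hence the tolerance.
    expected_passive = active["total_active_sessions"] - active["active_icmp_sessions"]
    session_gap = abs(passive["total_active_sessions"] - expected_passive)
    sessions_in_sync = session_gap <= max(1, int(expected_passive * session_tolerance))

    # The passive dataplane forwards nothing; its counter should only reflect
    # HA sync and management traffic, a small fraction of the active peer's.
    if active["throughput_kbps"] > 0:
        ratio = passive["throughput_kbps"] / active["throughput_kbps"]
    else:
        ratio = 0.0
    passive_not_forwarding = ratio <= throughput_ratio_max

    return {
        "expected_passive_sessions": expected_passive,
        "session_gap": session_gap,
        "sessions_in_sync": sessions_in_sync,
        "throughput_ratio": ratio,
        "passive_not_forwarding": passive_not_forwarding,
    }


if __name__ == "__main__":
    for name, value in compare_ha_peers(ACTIVE_PEER, PASSIVE_PEER).items():
        print(f"{name:28} {value}")
```

Paste each peer's real output in place of the constructed strings. A passive session count far below the expected value points at a sync problem; a passive throughput that tracks the active peer's instead of staying a small fraction of it is worth checking against 'show high-availability state' on both members before assuming it is just HA sync traffic.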