PA-200 CPS vs Actual users

L3 Networker

PA-200 CPS vs Actual users

The specifications for the PA-200 show a CPS ( connections per second ) of 1000.

What number is generally agreed upon to calculate how many connections are actually used per user?

I've previously been told 50, which means all of 20 users being active at any one time?

Would this calculation be correct, or has real world use come up with a different figure?

Tags (2)
L5 Sessionator


It would be difficult for someone to gauge the amount of connections a network's users consume without knowing the behavior of the users or the activities they perform while on the network. Also, connections per second is a lot different than total connections per user. Your calculations for having 20 active users bog down the PA-200 assume that the 20 users are making 50 connections per second which is unlikely.

I don't know of any way to get an average as this all depends on the users. However the difference in total connections and connections per second is important here. If you'd like any further information perhaps a Palo Alto sales representitive would have some numbers for you.

Hope that helps,


L3 Networker

So the question was:

"What number is generally agreed upon to calculate how many connections are actually used per user?"

Is there therefore a generally agreed figure for the average connection per second, to establish the actual number of users

that would be acceptable to have behind a PA-200?

L4 Transporter

My rule of thumb would be <10 users on a PA-200 and <30 users on a PA-500.

CPS is important, but also remember there is a trade-off between CPS and throughput.  This is true with most any firewall.  Plus you don't really want to oversubscribe a stateful device very much to allow for peak usage, future growth, and attack scenarios (floods, etc.).



L3 Networker

Those numbers are extremely low, especially considering the PA-200 is supposed to be a 100MB throughput appliance.

I do know that partners here are positioning the PA-500 into environments that have over 100 users, and the PA-200 would be

considered for a number of schools that would have no more than 10-20MB Internet connections.

Are there any actual internal performance figures, or even site using this with real world numbers?

L4 Transporter

I do not believe partners should be positioning the PA-500 in environments with >100 students.  That is more suited for a PA-2000 device.

Throughput is only one metric in sizing a firewall.  The combination of multiple variables will determine the appropriate box:

  • CPS
  • Total concurrent sessions
  • Throughput
  • Type of traffic (HTTP, P2P, SMTP, etc.)
  • ARP/Routing table sizes
  • # of concurrent VPN users
  • # of captive portal users
  • Amount of SSL decryption
  • DOS protection in hardware vs. software
  • etc.

Like I said before, my number is a rule of thumb - but please do yourself a favor and don't underprovision a security device.  The boxes were designed for particular environments - not pure throughput numbers.  The PA-200 is a small office/home office device.  The PA-500 is a small office device.  The PA-2000 is a Branch office/Small Headquarters device.  The PA-4000 and above are Central office/Data Center devices.

Also, keep in mind that education/university traffic tends to be more demanding than normal enterprise traffic due to the amount of P2P, malware, and floods/scans that happen on those typically open networks.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!