04-10-2019 07:05 PM
04-11-2019 07:26 AM
Hi @MarioMarquez,
yes that's right.
Typically the existing capacities are never used to 100%.
Even a whole building with a few hundred people may be connected with 10G fibres, but the real consumption will be around I guess 20-50 mbit.
So having a PA-220 for a small site with 200mbit is fine, we have PA-220s installed with complete network segmentation between servers and clients and so on (with smaller sites of course) - never had a problem with throughput.
Best Regards
Chacko
04-11-2019 01:14 AM - edited 04-11-2019 01:14 AM
Hi @MarioMarquez,
it means, that the firewall can process 150 Mbps in total, with all of the ips/app-id features enabled.
If you got this setup, A -> Palo -> B and you configured the policy set with App-ID/Content-ID and you fire as many 64KB sessions through that setup, you will achieve at lease 150 Mbps of throughput,
In real life, you will have a higher troughput, because youre policy set is more differentiated and the less "any" statements you have there, the better the firewall will perform. E.G. opening a normal website results in lots of sessions to donwload pictures, css files and so on.
You can calculate with that values but can expect better performance in real life.
Best Regards
Chacko
04-11-2019 05:36 AM - edited 04-11-2019 05:37 AM
thanks for the details. I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220. if 150 Mbps is the least i will achive that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle. Is that correct? Do you think a 100 down 100 up circuit is too much for this PA-220?
04-11-2019 07:26 AM
Hi @MarioMarquez,
yes that's right.
Typically the existing capacities are never used to 100%.
Even a whole building with a few hundred people may be connected with 10G fibres, but the real consumption will be around I guess 20-50 mbit.
So having a PA-220 for a small site with 200mbit is fine, we have PA-220s installed with complete network segmentation between servers and clients and so on (with smaller sites of course) - never had a problem with throughput.
Best Regards
Chacko
04-11-2019 08:58 AM
@MarioMarquez wrote:thanks for the details. I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220. if 150 Mbps is the least i will achive that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle. Is that correct? Do you think a 100 down 100 up circuit is too much for this PA-220?
No, that is not correct.
The 150 Mbps is per direction. Meaning it can handle 150 Mbps of downloads along with 150 Mbps of uploads simultaneously. So a 100/100 connection will be fine for a PA-220. Even a lowly PA-200 could handle a 100/100 connection.
04-11-2019 09:26 AM
if that were true wouldnt that be 300 Mbps of throughput? The data sheet dows not say 150 both ways. Can you please explain how your interpreting that? Thank you.
@fjwcash wrote:
@MarioMarquez wrote:thanks for the details. I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220. if 150 Mbps is the least i will achive that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle. Is that correct? Do you think a 100 down 100 up circuit is too much for this PA-220?
No, that is not correct.
The 150 Mbps is per direction. Meaning it can handle 150 Mbps of downloads along with 150 Mbps of uploads simultaneously. So a 100/100 connection will be fine for a PA-220. Even a lowly PA-200 could handle a 100/100 connection.
04-11-2019 10:04 AM - edited 04-11-2019 10:30 AM
You apply the restrictions (App-ID, Threat Prevention, etc) on a Security Policy.
Security Policies apply to traffic going in one direction (a single session). For example, web traffic from clients.
You can apply it to policies covering sessions in each direction. For example, connections from external clients to local servers.
You don't have to set it on every policy.
It only limits traffic that matches the policy.
For example, on our PA-500s, we have all the restrictions enabled for our wired desktops, which limits that traffic to 250 Mbps. But we don't enable it on our Chromebooks subnet. And our traffic graphs routinely go over 400 Mbps for downloads. With 100+ Mbps for uploads.
The restriction is per policy and only affects traffic that matches the policy. It's not a max for the device if you enable it on a single policy.
03-15-2020 07:49 AM
Hello Chacko,
Would you please confirm how many users do you have behind PA-220? I'd like to buy this product for 1 office with less than 100 peoples but all recommendations says I need to buy PA-850, mainly because of the Connections per second. Everybody says modern browsers triggers like 710 connections with 5/10 tabs opened so PA-220 wouldn't be able to handle 100 users.
Any advice will be highly appreciated...
Ariel
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
