PA-220 Throughput Explanation

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L3 Networker

PA-220 Throughput Explanation

Can someone please tell me the maximum Upload/Download speed in megabits per second for a PA-220 with app-id and all threat prevention/ips features enabled along with an ipsec tunnel? The data sheet is a little confusing and I understand that it bases the specs from 64k packets but I don't know if this had 150 up 150 down or 50 up 50 down. Can someone tell me the the throughput I should expect in my use case mentioned above and explain yourself?
Tags (3)

Accepted Solutions
Highlighted
L4 Transporter

Hi @MarioMarquez,

 

yes that's right.

Typically the existing capacities are never used to 100%.

Even a whole building with a few hundred people may be connected with 10G fibres, but the real consumption will be around I guess 20-50 mbit.

So having a PA-220 for a small site with 200mbit is fine, we have PA-220s installed with complete network segmentation between servers and clients and so on (with smaller sites of course) - never had a problem with throughput.

 

Best Regards

Chacko

Best Regards
Chacko

View solution in original post


All Replies
Highlighted
L4 Transporter

Hi @MarioMarquez,

 

it means, that the firewall can process 150 Mbps in total, with all of the ips/app-id features enabled.

If you got this setup, A -> Palo -> B and you configured the policy set with App-ID/Content-ID and you fire as many 64KB sessions through that setup, you will achieve at lease 150 Mbps of throughput,

 

In real life, you will have a higher troughput, because youre policy set is more differentiated and the less "any" statements you have there, the better the firewall will perform. E.G. opening a normal website results in lots of sessions to donwload pictures, css files and so on.

 

You can calculate with that values but can expect better performance in real life.

 

Best Regards

Chacko

Best Regards
Chacko
Highlighted
L3 Networker

thanks for the details.  I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220.  if 150 Mbps is the least i will achive that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle.  Is that correct?  Do you think a 100 down 100 up circuit is too much for this PA-220?

Highlighted
L4 Transporter

Hi @MarioMarquez,

 

yes that's right.

Typically the existing capacities are never used to 100%.

Even a whole building with a few hundred people may be connected with 10G fibres, but the real consumption will be around I guess 20-50 mbit.

So having a PA-220 for a small site with 200mbit is fine, we have PA-220s installed with complete network segmentation between servers and clients and so on (with smaller sites of course) - never had a problem with throughput.

 

Best Regards

Chacko

Best Regards
Chacko

View solution in original post

Highlighted
L4 Transporter


@MarioMarquez wrote:

thanks for the details.  I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220.  if 150 Mbps is the least i will achive that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle.  Is that correct?  Do you think a 100 down 100 up circuit is too much for this PA-220?


No, that is not correct.

 

The 150 Mbps is per direction.  Meaning it can handle 150 Mbps of downloads along with 150 Mbps of uploads simultaneously.  So a 100/100 connection will be fine for a PA-220.  Even a lowly PA-200 could handle a 100/100 connection.

Highlighted
L3 Networker

if that were true wouldnt that be 300 Mbps of throughput?  The data sheet dows not say 150 both ways.  Can you please explain how your interpreting that?  Thank you.


@fjwcash wrote:

@MarioMarquez wrote:

thanks for the details.  I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220.  if 150 Mbps is the least i will achive that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle.  Is that correct?  Do you think a 100 down 100 up circuit is too much for this PA-220?


No, that is not correct.

 

The 150 Mbps is per direction.  Meaning it can handle 150 Mbps of downloads along with 150 Mbps of uploads simultaneously.  So a 100/100 connection will be fine for a PA-220.  Even a lowly PA-200 could handle a 100/100 connection.


 

Highlighted
L4 Transporter

You apply the restrictions (App-ID, Threat Prevention, etc) on a Security Policy.

 

Security Policies apply to traffic going in one direction (a single session).  For example, web traffic from clients.

 

You can apply it to policies covering sessions in each direction.  For example, connections from external clients to local servers.

 

You don't have to set it on every policy.

 

It only limits traffic that matches the policy.

 

For example, on our PA-500s, we have all the restrictions enabled for our wired desktops, which limits that traffic to 250 Mbps.  But we don't enable it on our Chromebooks subnet.  And our traffic graphs routinely go over 400 Mbps for downloads.  With 100+ Mbps for uploads.

 

The restriction is per policy and only affects traffic that matches the policy.  It's not a max for the device if you enable it on a single policy.

Highlighted
L1 Bithead

Hello Chacko,

 

Would you please confirm how many users do you have behind PA-220? I'd like to buy this product for 1 office with less than 100 peoples but all recommendations says I need to buy PA-850, mainly because of the Connections per second. Everybody says modern browsers triggers like 710 connections with 5/10 tabs opened so PA-220 wouldn't be able to handle 100 users. 

 

Any advice will be highly appreciated...

 

Ariel

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!