I realize that is a difficult question to answer. What kind of maximum throughputs are people seeing with their PA-500s?
For example: I monitor our firewall (not a PA) using PRTG via SNMP and see a fairly constant 20 Mbps with some 30-45 minute spikes up to 35 Mbps. Nights I see 30+ constantly (we are a boarding school and there is a lot of streaming). Well under the PA-500 stats, but I want to have some room for growth.
Hi Bob... You are correct in that throughput will vary depending on the type of traffic (SMTP, SSL, SMB, HTTP, etc.) and the average packet size on your network. If your network carries a lot of zip-compressed files, this will require more resources to unzip & scan. So every network will be different.
From your description, we would need to handle 45 Mbps (you also need to consider the traffic from internal to DMZ if you have a DMZ and factor it in). Accounting for full duplex, we need to support 45 Mbps in + 45 Mbps out = 90 Mbps total. The PA-500 offers 100 Mbps threat prevention throughput under the best conditions, so the PA-500 is not the right fit. The PA-2020 offers 200 Mbps threat prevention throughput, which puts us at 40-50% CPU usage from the start. Then as you turn on policies & features, the CPU usage will increase, as we would expect.
I would suggest looking at the PA2050 and contact your Palo Alto account team/partner for further discussion. Thanks.
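The sizing approach in the reply above (peak in + peak out for full duplex, compared against a datasheet threat-prevention figure with headroom), as an added example that is not part of the original thread. It works from raw SNMP ifInOctets/ifOutOctets readings of the kind PRTG polls, handles 32-bit counter wrap, and uses constructed sample counters plus assumed growth and utilisation factors.

```python
"""Size a firewall from SNMP interface counters (constructed sample data)."""
from dataclasses import dataclass
from typing import List, Tuple

COUNTER32_WRAP = 2 ** 32  # ifInOctets/ifOutOctets are Counter32 and wrap at 2^32


@dataclass
class Sample:
    t: int          # poll time in seconds
    in_octets: int  # ifInOctets reading
    out_octets: int # ifOutOctets reading


def rate_mbps(prev: int, cur: int, seconds: int) -> float:
    """Megabits per second between two Counter32 readings, wrap-safe."""
    delta = (cur - prev) % COUNTER32_WRAP   # modulo handles a single wrap
    return delta * 8 / seconds / 1e6


def peak_rates(samples: List[Sample]) -> Tuple[float, float]:
    """Peak inbound and outbound Mbps across consecutive polls."""
    peak_in = peak_out = 0.0
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        peak_in = max(peak_in, rate_mbps(a.in_octets, b.in_octets, dt))
        peak_out = max(peak_out, rate_mbps(a.out_octets, b.out_octets, dt))
    return peak_in, peak_out


def required_capacity(peak_in: float, peak_out: float, growth: float = 0.25) -> float:
    """Full-duplex requirement: in + out, with an assumed growth headroom."""
    return (peak_in + peak_out) * (1 + growth)


def fits(required: float, datasheet_mbps: float, max_util: float = 0.7) -> bool:
    """True if the load stays under an assumed fraction of the datasheet figure.

    Datasheet throughput is a best-case number; max_util leaves room for the
    CPU cost of enabling more policies and features later.
    """
    return required <= datasheet_mbps * max_util


# Constructed 60-second polls: 35 Mbps in / 2 Mbps out, then a counter wrap
# on the inbound side followed by 20 Mbps in / 5 Mbps out.
SAMPLES = [
    Sample(0, 4_000_000_000, 100_000_000),
    Sample(60, 4_262_500_000, 115_000_000),
    Sample(120, 117_532_704, 152_500_000),
]

if __name__ == "__main__":
    pin, pout = peak_rates(SAMPLES)
    need = required_capacity(pin, pout)
    print(f"peak in {pin:.1f} Mbps, peak out {pout:.1f} Mbps, need {need:.1f} Mbps")
    for model, tp in (("100 Mbps box", 100.0), ("200 Mbps box", 200.0)):
        print(model, "fits" if fits(need, tp) else "too small")
```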
Thank you for your reply. A couple of thoughts:
Our internet connection is limited to 40 Mbps up and 40 Mbps down at the ISP level until Dec., when we will be changing our ISP. So no matter what, we will be limited to 40 Mbps up and down through Dec. 2012. Probably a 50x10 or 100x10 after that.
The high traffic is almost exclusively streaming in. Our outbound traffic is very low (2-5 Mbps).
As there are only a few high-usage streaming sites/apps (Netflix, YouTube, etc.), if I created a separate rule to NOT scan these high-usage sites/apps with all of the scanning, would this help?
On a non-technical note: the yearly renewal costs between the 500 and the 2020 are significant enough that it is going to make it VERY difficult to push through our budget. Especially for an academic environment.
I will be speaking with our presales engineer and sales people soon, at which time I will place it in vwire mode, but any thoughts on the above would be appreciated.
According to tests made by NSS Labs, the PA boxes performed at 115% of the stated performance mentioned in the datasheets.
I don't know if this is valid for the PA-500, since the test was performed on a 4xxx/5xxx box.
Another observation in these tests was that it basically didn't matter if you enabled/disabled scanning features such as the IDP, AV, etc. As a side note, higher throughput was observed when ALL features were enabled compared to when only one feature at a time was enabled.
If you're planning to increase your Internet bandwidth after Dec 2012, you would want to select the unit to support traffic for 2013 and beyond.
Yes, you can define rule(s) not to scan certain traffic like Netflix, and that will help, but you run a security risk. Well-known sites like Sony, Gmail, RSA have been compromised, so it's best practice to guard against everything. You may have heard of the Zero-Trust security model from Forrester.
You should also review our features (VPN, QoS, URL filtering, SSL decryption) and decide which features you plan to implement as they will require CPU & memory.
Yes, budget is always a consideration. Maybe you're paying for URL subscription now that you can run on the PA device. Typically, I find that we can save our customers quite a bit by doing so.