PA-5220 Decryption Performance Degradation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-5220 Decryption Performance Degradation

L1 Bithead

We have a cluster of PA-5220 firewalls with SSL decryption activated. When initiating a communication across the firewall using a decrypted protocol (scp, HTTPs, etc.) we get 5x slower connections compared to the unencrypted versions of the procotol.

 

In Certificate Revocation Checking, CRL and OCSP are unchecked.

 

Is this behaviour expected? If not, what can be done about it?


Thanks in advance!

4 REPLIES 4

Cyber Elite
Cyber Elite

@an.schall,

That wouldn't be expected as long as the device is sized appropriately and you aren't close to maxing resources. 

To start troubleshooting I would simply look at the resources on the box when you have decryption enabled and see if you notice any high rates. Also with SCP are you decrypting SSH, or are you just decrypting HTTPS traffic for the time being? 

Dear BPry,

 

is there a built-in command or dashboard to extract resource usage?

 

In fact, we tested it with secure copy (scp), hence we are decrypting SSH. The details are the following:

 

OpenSSH_6.6.1, OpenSSL 1.0.1i-fips 6 Aug 2014

...

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2

debug1: no match: PaloAltoNetworks_0.2

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

...

Sending file modes: C0600 923309458 foobar.zip
Sink: C0600 923309458 foobar.zip
foobar.zip 100% 881MB 17.6MB/s 00:50
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 924876344, received 251440 bytes, in 51.3 seconds
Bytes per second: sent 18016068.0, received 4897.9
debug1: Exit status 0

Do you have any updates on the issue?

Unfortunately not.

  • 3639 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!