PA-NGFW Sizing


Hello,

I’m new to firewall sizing and would appreciate some expert guidance. Could someone help me understand the process to follow, the key questions to ask, and the important factors to consider when sizing a data center or edge firewall?


Community Team Member

Hi @PaloAltorrr ,

Sizing a firewall is a critical process that begins with a fundamental understanding of your network's behavior. It's a critical process that ensures your security device becomes a force multiplier, not a bottleneck.

First you need to gather data and ask the right questions. What's the current and projected throughput, not just for the raw firewall but with all security bells and whistles enabled? This distinction is vital, as features like Threat Prevention, URL Filtering, and especially SSL Decryption can significantly reduce performance on any firewall. Beyond simple bandwidth, you must also understand your network's pulse: its session count and new session rate. A firewall can be brought to its knees by a high number of rapid, short-lived connections, even if the total bandwidth is low.

As you gather this data, consider the nature of your traffic. Is it predominantly large file transfers, which are less CPU-intensive, or a flurry of small packets from a diverse range of applications? Knowing your application mix is also crucial, especially which applications are using SSL encryption, as inspecting that traffic is a heavy lift for any firewall.

This is also where you must make a fundamental decision: will you deploy a physical appliance or a virtual firewall?

If your environment is heavily virtualized or lives in the cloud, a virtual firewall (VM-Series) might be the perfect fit. The sizing process here is a bit different; instead of just looking at hardware models, you'll need to determine the required CPU cores, RAM, and disk space. The performance of a virtual firewall is directly tied to the underlying hypervisor, host hardware, and resource allocation. You'll need to factor in hypervisor overhead and whether the virtual machine will have dedicated resources or share them with other VMs. This offers incredible flexibility, allowing you to scale up resources as your network grows without a hardware refresh.

Once you have this detailed picture, you can begin the sizing calculation. A simple rule of thumb is to always size for the Threat Prevention throughput, as this represents the real-world performance you will experience. Threat prevention throughput is the maximum speed a firewall can process traffic when all security and inspection features are enabled. Normal throughput, on the other hand, is the maximum speed when those same security features are disabled and the device is only performing basic packet forwarding. The reason for the difference is that threat prevention services require significantly more processing power. When a firewall has to inspect every packet for threats, analyze URLs, and decrypt SSL traffic, it uses a lot of resources. Normal throughput is a raw, often theoretical number for a device acting as a basic router. Therefore, when sizing a firewall, you should always use the threat prevention throughput metric to get a realistic idea of its performance in an operational environment.


You must also think ahead and consider your business's growth projections, anticipated increases in traffic, and new applications.

Finally, your sizing process should always involve a collaborative effort. Work with a trusted partner or the vendor's engineers to validate your findings. Also, don't forget the practicalities: ensure you plan for high availability with an Active/Passive or Active/Active pair to ensure uninterrupted operation.

Kind regards,

-Kim.
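The reply above describes the sizing inputs (Threat Prevention throughput rather than raw throughput, concurrent sessions, new-session rate, the decrypted share of traffic, growth over the planning horizon, and an HA pair) in prose only. The following worksheet is an added example, not code from the original thread, from Palo Alto Networks, or from the reply's author: it turns a measured traffic profile into minimum figures in those three dimensions and checks them against candidate datasheets. The model names and datasheet numbers are constructed placeholders, the 30 % headroom is a planning assumption, and the 2x weight applied to decrypted traffic is an assumption standing in for whatever decryption penalty your own measurements show, not a vendor figure.

```python
"""Firewall sizing worksheet (added example, not from the original post).

Projects a measured traffic profile over the planning horizon, converts it
into minimum Threat Prevention throughput, concurrent sessions and new
sessions per second, and picks the smallest candidate datasheet that meets
all three.  Model names, datasheet numbers, headroom and the decryption
weight are constructed/assumed values, not vendor figures.
"""
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrafficProfile:
    peak_gbps: float       # measured peak throughput, all traffic
    peak_sessions: int     # concurrent sessions at peak
    peak_cps: int          # new sessions (connections) per second at peak
    tls_share: float       # fraction (0..1) of traffic that will be decrypted
    annual_growth: float   # expected growth per year, 0.25 = 25 %
    years: int             # planning horizon in years


@dataclass(frozen=True)
class Datasheet:
    model: str
    threat_prevention_gbps: float  # throughput with all inspection enabled
    max_sessions: int
    max_cps: int


@dataclass(frozen=True)
class Requirement:
    threat_prevention_gbps: float
    sessions: int
    cps: int


def grow(value: float, rate: float, years: int) -> float:
    """Compound growth over the planning horizon."""
    return value * (1.0 + rate) ** years


def required_capacity(p: TrafficProfile, *, headroom: float = 0.30,
                      decrypt_weight: float = 2.0) -> Requirement:
    """Minimum figures a candidate must meet.

    headroom: fraction of capacity kept free so peaks never run the box flat out.
    decrypt_weight: ASSUMPTION that a decrypted byte costs about twice an
    inspected cleartext byte.  The weighted figure is compared against the
    datasheet's Threat Prevention number, never the raw forwarding throughput.
    """
    f = 1.0 + headroom
    gbps = grow(p.peak_gbps, p.annual_growth, p.years)
    weighted_gbps = gbps * ((1.0 - p.tls_share) + p.tls_share * decrypt_weight)
    return Requirement(
        threat_prevention_gbps=weighted_gbps * f,
        sessions=math.ceil(grow(p.peak_sessions, p.annual_growth, p.years) * f),
        cps=math.ceil(grow(p.peak_cps, p.annual_growth, p.years) * f),
    )


def shortfalls(req: Requirement, ds: Datasheet) -> List[str]:
    """Dimensions in which the datasheet falls short of the requirement."""
    out = []
    if ds.threat_prevention_gbps < req.threat_prevention_gbps:
        out.append(f"threat prevention {ds.threat_prevention_gbps} < "
                   f"{req.threat_prevention_gbps:.2f} Gbps")
    if ds.max_sessions < req.sessions:
        out.append(f"sessions {ds.max_sessions} < {req.sessions}")
    if ds.max_cps < req.cps:
        out.append(f"new sessions/s {ds.max_cps} < {req.cps}")
    return out


def smallest_fit(req: Requirement, candidates: List[Datasheet]) -> Optional[Datasheet]:
    """Smallest candidate (by Threat Prevention throughput) meeting every dimension.

    Each node of an Active/Passive or Active/Active pair must meet the full
    requirement on its own: after a failover one node carries all the traffic.
    """
    for ds in sorted(candidates, key=lambda d: d.threat_prevention_gbps):
        if not shortfalls(req, ds):
            return ds
    return None


# Constructed sample input: a small data-centre edge measured over a busy week.
PROFILE = TrafficProfile(peak_gbps=2.0, peak_sessions=300_000, peak_cps=25_000,
                         tls_share=0.6, annual_growth=0.25, years=3)

# Constructed placeholder datasheets (hypothetical models, not real products).
CANDIDATES = [
    Datasheet("MODEL-A", threat_prevention_gbps=2.0, max_sessions=200_000, max_cps=20_000),
    Datasheet("MODEL-B", threat_prevention_gbps=6.0, max_sessions=1_000_000, max_cps=60_000),
    Datasheet("MODEL-C", threat_prevention_gbps=15.0, max_sessions=3_000_000, max_cps=150_000),
]

if __name__ == "__main__":
    req = required_capacity(PROFILE)
    print(f"need: {req.threat_prevention_gbps:.2f} Gbps TP, "
          f"{req.sessions} sessions, {req.cps} new sessions/s")
    for ds in CANDIDATES:
        gaps = shortfalls(req, ds)
        print(f"{ds.model}: {'fits' if not gaps else '; '.join(gaps)}")
    pick = smallest_fit(req, CANDIDATES)
    print("smallest fit:", pick.model if pick else "none")
```

With the constructed profile, 2 Gbps today becomes roughly 3.9 Gbps after three years of 25 % growth, about 6.25 Gbps once 60 % of it is weighted as decrypted, and 8.1 Gbps of Threat Prevention throughput with headroom; the same profile needs about 762k sessions and 63.5k new sessions per second. Re-running it with `tls_share=0.0` drops the throughput requirement to about 5.1 Gbps, yet the placeholder MODEL-B still fails on new sessions per second, which is the point the reply makes about connection rate mattering even when bandwidth is modest.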