11-20-2014 01:49 AM
Hi,
Where can I find the packet rate limit for the 5050 and 5060? (not new sessions per second)
11-20-2014 04:48 AM
Hello Panlst,
You may check the current packet rate through the below-mentioned CLI command:
admin@55-PA-5060> show session info
--------------------------------------------------------------------------------
Number of sessions supported: 4194302
Number of active sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Session table utilization: 0%
Number of sessions created since bootup: 190597
Packet rate: 5525/s >>>>>>>>>>>>>>>>>>>>>>>>
Throughput: 2 kbps
New connection establish rate: 0 cps
--------------------------------------------------------------------------------
Thanks
11-20-2014 04:56 AM
so what is the limit for the device ?
11-20-2014 05:20 AM
Hello Panlst,
We may not be able to define the max limit for "packet rate" on a FW, since it depends on the size of those individual packets. Hence, a firewall can be defined by its throughput limit.
PA-5060 --max throughput 20 Gbps
PA-5050 --max throughput 10 Gbps
You may use the below-mentioned CLI command for runtime statistics:
admin@DADA> show system statistics session
Device is up : 62 days 17 hours 14 mins 7 sec
Packet rate : 8/s >>>>>>>>>>>>>>>>>>>>> runtime packet rate
Throughput : 3 Kbps >>>>>>>>>>>>>>>>>> Throughput through the firewall
Total active sessions : 4
Active TCP sessions : 4
Active UDP sessions : 0
Active ICMP sessions : 0
Thanks
11-21-2014 03:03 PM
Hulk,
I was just told by support that the show system statistics session throughput number does not include traffic using fast path. Is that true?
E
01-08-2015 08:21 AM
debug dataplane pool statistics will show you all kinds of hw and sw pools.
Look for use / available. When your dataplane CPU spikes because of large packets you'll see the pools getting depleted.
Match that with a show running resource-monitor to see if it was related to CPU, session or packets.
01-13-2017 06:06 PM
Sorry to necro an old thread but this one seems to be the most relevant I've come across so far to my related question in that:
For sizing zone protection / flood protection, the values are all set in packets/second. If I'm trying to accurately size my zone protection to enable for my own in-house load runner servers which generates traffic on thousands of IPs I'm sure I could say I will easily be able to push the firewall to its max if we don't restrict them down.
'show system statistics session' only relays the current packet rate, which I do thank you all for pointing out if I can get my load runner guys to generate the traffic at a reasonable hour rather than 2 in the morning I can now at least watch from the console what is happening before my network shuts itself down (anyone else who comes upon this thread and has the same situation where ZP is killing your network, avoid "random early packet drop" go with SYN cookies)
If I go with simple MTU 1500, and PA-5060 full theoretical max of 10Gb/s throughput, and my math is correct that would be a potential maximum of 833,333 pps?
10Gb/s = 1,250,000,000B/s
1,250,000,000 / 1500 = 833,333.33~
This of course can't take into account for any overhead the firewall is doing on L4+ deeper inspection, AppID, if decrypting SSL, etc. etc. right? So would a safe rule of thumb be 800k pps max that the unit is capable of in terms of pure L3 firewall inspection?
I've already tripped ZP and had to disable at 400k pps so I want to be sure I know what I'm up against.
Thanks for any help anyone can provide. If there is a white doc somewhere with the actual pps I truly appreciate your search skills as I haven't found it and of course talking with Palo Alto Engineers specializing in ZP they've told me it's all subjective to the environment so they can't make recommendations.
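Added example, not part of any post in this thread and not Palo Alto code: a small Python helper that reads the "Packet rate" and "Throughput" lines from the CLI output quoted above and shows how the packets-per-second ceiling for a given bit rate moves with packet size, which is the figure flood-protection thresholds are expressed in. It assumes untagged Ethernet framing and treats the bit rate as wire line rate; the function names are hypothetical.

```python
import re

WIRE_OVERHEAD = 20  # bytes per frame on the wire: preamble+SFD (8) + inter-frame gap (12)
L2_OVERHEAD = 18    # bytes: Ethernet header (14) + FCS (4), no VLAN tag (assumption)
MIN_FRAME = 64      # minimum Ethernet frame size in bytes
UNITS = {"bps": 1, "kbps": 1e3, "mbps": 1e6, "gbps": 1e9}

# Lines copied from the "show system statistics session" output quoted in the thread.
SAMPLE = """Device is up : 62 days 17 hours 14 mins 7 sec
Packet rate : 8/s >>>>>>>>>>>>>>>>>>>>> runtime packet rate
Throughput : 3 Kbps >>>>>>>>>>>>>>>>>> Throughput through the firewall
Total active sessions : 4"""

def parse_stats(text):
    """Return (packets_per_second, bits_per_second) from the CLI output."""
    pps = re.search(r"Packet rate\s*:\s*(\d+)/s", text)
    thr = re.search(r"Throughput\s*:\s*([\d.]+)\s*([KMG]?bps)", text, re.I)
    if not pps or not thr:
        raise ValueError("packet rate / throughput lines not found")
    return int(pps.group(1)), float(thr.group(1)) * UNITS[thr.group(2).lower()]

def avg_packet_bytes(pps, bps):
    """Average packet size implied by the two counters (0 when idle)."""
    return bps / 8 / pps if pps else 0.0

def max_pps(link_bps, ip_packet_bytes):
    """Packets per second that fit in link_bps at one IP packet size."""
    frame = max(ip_packet_bytes + L2_OVERHEAD, MIN_FRAME)
    return link_bps / ((frame + WIRE_OVERHEAD) * 8)

def pps_table(link_bps, sizes=(46, 256, 512, 1500)):
    """Ceiling per packet size; 46 bytes is the smallest payload of a 64-byte frame."""
    return {size: int(max_pps(link_bps, size)) for size in sizes}

if __name__ == "__main__":
    pps, bps = parse_stats(SAMPLE)
    print(f"observed: {pps} pps, {bps:.0f} bit/s, "
          f"~{avg_packet_bytes(pps, bps):.1f} bytes/packet")
    for size, ceiling in pps_table(10e9).items():
        print(f"10 Gb/s at {size:>4}-byte IP packets: {ceiling:>10,} pps")
```

At the same bit rate the ceiling differs by more than an order of magnitude between minimum-size and 1500-byte packets, so a pps threshold sized only from the large-packet case says little about small-packet traffic.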