packet rate limit

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

packet rate limit

L3 Networker

Hi,

Where can ı find packet rate limit for 5050 and 5060 ? (not new session per second)

1 accepted solution

Accepted Solutions

Hello Panlst,

We may not be able to define the max limit for "packet rate" on a FW, since it depends, what is the size of those individual packets.  Hence, a firewall can be defined with it's throughput limit.

PA-5060 --max throughput 20 Gbps

PA-5050 --max throughput 10 Gbp

You may apply below mentioned CLI command for a runtime statistics:

admin@DADA> show system statistics session

Device is up          : 62 days 17 hours 14 mins 7 sec

Packet rate           : 8/s   >>>>>>>>>>>>>>>>>>>>> runtime packet rate

Throughput            : 3 Kbps >>>>>>>>>>>>>>>>>> Throughput through the firewall

Total active sessions : 4

Active TCP sessions   : 4

Active UDP sessions   : 0

Active ICMP sessions  : 0


Thanks

View solution in original post

6 REPLIES 6

L7 Applicator

Hello Panlst,

You may check the the current packet rate through below mentioned CLI command:

admin@55-PA-5060> show session info

--------------------------------------------------------------------------------

Number of sessions supported:                    4194302

Number of active sessions:                       0

Number of active TCP sessions:                   0

Number of active UDP sessions:                   0

Number of active ICMP sessions:                  0

Number of active BCAST sessions:                 0

Number of active MCAST sessions:                 0

Number of active predict sessions:               0

Session table utilization:                       0%

Number of sessions created since bootup:         190597

Packet rate:                                    5525/s >>>>>>>>>>>>>>>>>>>>>>>>

Throughput:                                      2 kbps

New connection establish rate:                   0 cps

--------------------------------------------------------------------------------

Thanks

so what is the limit for the device ?

Hello Panlst,

We may not be able to define the max limit for "packet rate" on a FW, since it depends, what is the size of those individual packets.  Hence, a firewall can be defined with it's throughput limit.

PA-5060 --max throughput 20 Gbps

PA-5050 --max throughput 10 Gbp

You may apply below mentioned CLI command for a runtime statistics:

admin@DADA> show system statistics session

Device is up          : 62 days 17 hours 14 mins 7 sec

Packet rate           : 8/s   >>>>>>>>>>>>>>>>>>>>> runtime packet rate

Throughput            : 3 Kbps >>>>>>>>>>>>>>>>>> Throughput through the firewall

Total active sessions : 4

Active TCP sessions   : 4

Active UDP sessions   : 0

Active ICMP sessions  : 0


Thanks

Hulk,

I just told by support the show system statistics session throughput number does not include traffics using fast path.  Is that true? 

E

L3 Networker

debug dataplane pool statistics will show you all kinds of hw and sw pools . Smiley Wink

Look for use / available . When your dataplane cpu spikes because of large packets you'll see the pools getting depleted.

match that with a show running resource-monitor to see if it was related to cpu, session or packets

L2 Linker

Sorry to necro an old thread but this one seems to be the most relevent I've come across so far to my related question in that:

 

For sizing zone protection / flood protection, the values are all set in packets/second. If I'm trying to accurately size my zone protection to enable for my own in-house load runner servers which generates traffic on thousands of IPs I'm sure I could say I will easily be able to push the firewall to its max if we don't restrict them down.

 

'show system statistics session' only relays the current packet rate, which I do thank you all for pointing out if I can get my load runner guys to generate the traffic at a reasonable hour rather than 2 in the morning I can now at least watch from the console what is happening before my network shuts itself down (anyone else who comes upon this thread and has the same situation where ZP is killing your network, avoid "random early packet drop" go with SYN cookies)

 

If I go with simple MTU 1500, and PA-5060 full theoretical max of 10Gb/s througput, and my math is correct that would be a potential maximum of 833,333 pps?

 

10Gb/s =  1,250,000,000B/s

1,250,000,000 / 1500 = 833,333.33~

 

This of course can't take into account for any overhead the firewall is doing on L4+ deeper inspection, AppID, if decrypting SSL, etc. etc. right? So would a safe rule of thumb be 800k pps max that the unit is capable of in terms of pure L3 firewall inspection?

 

I've already tripped ZP and had to disable at 400k pps so I want to be sure I know what I'm up against.

 

Thanks for any help anyone can provide. If there is a white doc somewhere with the actual pps I truely appreciate your search skills as I haven't found it and of course talking with Palo Alto Engineers specializing in ZP they've told me it's all subjective to the environment so they can't make recommendations.


--Why so many drops! Firewall stop telling me I made the rule wrong and tell me how to fix it 😛
  • 1 accepted solution
  • 11139 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!