Port/Bandwidth Usage and Overhead

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Port/Bandwidth Usage and Overhead

L1 Bithead

We have a few firewalls and we are using Wildfire, Threat protection, routing and other features on the firewall. Our question is with all these features turned on will this affect the port traffic flow. We are looking for a scale or formula that we can refer to regarding these features and best practices for the configuration on our devices.

 

 

 

1 accepted solution

Accepted Solutions


@derekgriffin2019 wrote:

Thank you Brandon,

 

That is exactly what i am talking about. I undeestand the Threat  protection and Wildfire but when it comes to routing and other features to the firewall how can I tell other than third party tools which will tell me such notes. I would assume palo alto would have some sort of documentation for this. 


 

"Routing" won't necessarily impact throughput.  "Interzone" routing of particular traffic types can impact throughput.  You won't get the real numbers without a NDA from Palo, which your account team can get setup with your company.

View solution in original post

6 REPLIES 6

L4 Transporter

Have you looked at the product-selection page where you can compare firewalls?

 

https://www.paloaltonetworks.com/products/product-selection

 

This will show you expected throughput for each enabled feature.  ie - 

 

PA-5220

App-ID firewall throughput20 Gbps
Threat prevention throughput9 Gbps
Connections per second150,000
Max sessions (IPv4 or IPv6)4,000,000

I see what the throughput is but if it is a 10G port and I have routing, Wildfire, Threat Protection etc with that oiverhead, i assume the port will not be pushing 10G through the port. 

 

What is the throughput after these feature being turned on. 

It's listed on the right hand side of the model.  In my example, you will only get an average throughput of 9Gbs on the 5220 with Threat Protection turned on.  Basically, look for the lowest number (Threat Protection) and this will be a pretty good gauge of expected throughput.

The true answer to your question is, "it depends."

 

 

Realworld numbers will vary by all the various features and traffic scenarios.  IPSec / SSL decrypt are big things which will significantly impact expected throughput as well as over all sessions per second with associated packet size.  Each hardware type will have it's own variances.

 

In general though start off with the published numbers.  Then you can hone in on exactly which hardware type is right for your environment.

Thank you Brandon,

 

That is exactly what i am talking about. I undeestand the Threat  protection and Wildfire but when it comes to routing and other features to the firewall how can I tell other than third party tools which will tell me such notes. I would assume palo alto would have some sort of documentation for this. 


@derekgriffin2019 wrote:

Thank you Brandon,

 

That is exactly what i am talking about. I undeestand the Threat  protection and Wildfire but when it comes to routing and other features to the firewall how can I tell other than third party tools which will tell me such notes. I would assume palo alto would have some sort of documentation for this. 


 

"Routing" won't necessarily impact throughput.  "Interzone" routing of particular traffic types can impact throughput.  You won't get the real numbers without a NDA from Palo, which your account team can get setup with your company.

  • 1 accepted solution
  • 5385 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!