04-11-2011 06:49 AM
Hello guys,
My question is about a Palo Alto PA-500.
The firewall througput is around 250Mbps, and 100Mbps with inspection of packets.
I have 1 Firewall PA-500, with 5 interfaces (L3):
Eth1/1: Untrust zone
Eth1/2: DMZ Zone
Eth1/3 to Eth1/5: Trust zone
What about the throughput between 2 interfaces (L3) in the same zone ?
As far as I understand, this trafic is allowed with a implicit rule (unless we configure a "deny all" rule at the end of our rules).
Does the firewall inspect (APP-ID) the packets between a same zone or not? What will be the throuhput in this case? 250Mbps? More?
I read the document about the packet flows, but it's not clear for me about these questions I have...
Thanks you for your answers,
Regards
Khay
04-12-2011 02:37 PM
Khay
The throughout will not change, for inter or intra zone traffic. APPID will still be applied for all traffic . Unless you create an intra zone policy to permit traffic you will not be able to see the detected apps.
Thank you
Jerish
04-12-2011 02:37 PM
Khay
The throughout will not change, for inter or intra zone traffic. APPID will still be applied for all traffic . Unless you create an intra zone policy to permit traffic you will not be able to see the detected apps.
Thank you
Jerish
04-12-2011 03:17 PM
Can I ask a stupid question - is there a simple way to report on the throughput on a given interface?
04-13-2011 03:33 AM
Thanks you Jerish for your answer.
Just a last question about that:
Is there any way or trick to desactive the APP-ID for particulars flows which go through the firewall ?
Ksemenov > A simple way will be to use SNMP (SNMP Traffic Grapher / CACTI / etc.) and graphe the real-time throughput on the interfaces. With Palo Alto, maybe there is another way with the WEBUI or CLI...
Khay
04-13-2011 06:59 AM
alliance ha scritto:
Thanks you Jerish for your answer.
Just a last question about that:
Is there any way or trick to desactive the APP-ID for particulars flows which go through the firewall ?
Ksemenov > A simple way will be to use SNMP (SNMP Traffic Grapher / CACTI / etc.) and graphe the real-time throughput on the interfaces. With Palo Alto, maybe there is another way with the WEBUI or CLI...
Khay
Hi alliance.
The only way to deactivate App-ID is through an Application Override policy that match the app you want to exclude from App-ID identification.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
