Slow Performance Based on Order of ACL Rules


We have several PAN 3020s at a client site with similar issues but for this, I’ll focus on a specific case. One pair in Active/Passive HA has 124 rules. We started noticing really slow RDP connect performance (it would take 45 seconds to establish an RDP session to a target where the traffic was passed through the firewall). Out of the 124 rules, the rule which this RDP traffic matched on was around rule 100. If we moved that rule up earlier in the ACL to, say, rule 5, the RDP session would only take 10 seconds or less to establish.

So initially, it is looking like the further down the ACL the rule is, the longer it takes the PAN to process that traffic. However, seeing that the 3020 supports up to 2500 policies and we only have 124, I wanted to check with you as it doesn’t seem right.

We are not doing any PBF here. Or App-ID override. Jumbo frames are enabled.


Note that even on rule 5, establishing the RDP session takes 18 seconds (while going through PAN) which still seems like a long time compared to other environments.

There is no reason to see such a delay. You should check that no rule is denying connections from client to server and server to anywhere else (a bit like SSH when DNS is filtered on server side).

If you still experience that problem, you should open a TAC case.
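One way to run the check suggested in the reply above offline, as an added example that is not part of this thread or of any Palo Alto tool: a small Python script that models top-down, first-match evaluation of a security policy over a constructed 100-rule rulebook and reports which rule each flow of an RDP session hits, including the server's own outbound DNS lookup. All subnets, rule names and application names below are constructed for the example; the firewall vendor's real policy format is not parsed here.

```python
"""Audit a first-match security policy for the flows of one RDP session.

Constructed example: rules, subnets and applications are invented.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    app: str      # application name, or "any"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    app: str      # application the firewall would identify


def first_match(rules, flow):
    """Top-down, first-match evaluation.

    Returns (position, rule) with a 1-based position, or (None, None)
    when no rule matches, which corresponds to the implicit deny.
    """
    s = ipaddress.ip_address(flow.src)
    d = ipaddress.ip_address(flow.dst)
    for pos, rule in enumerate(rules, start=1):
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and rule.app in ("any", flow.app)):
            return pos, rule
    return None, None


def audit(rules, flows):
    """Map each labelled flow to (action, position, rule name)."""
    report = {}
    for label, flow in flows.items():
        pos, rule = first_match(rules, flow)
        if rule is None:
            report[label] = ("deny", None, "implicit-deny")
        else:
            report[label] = (rule.action, pos, rule.name)
    return report


def blocked_flows(report, required):
    """Labels among `required` that the policy does not allow."""
    return [label for label in required if report[label][0] != "allow"]


# --- constructed policy: 100 rules, with the RDP rule at position 100 ---
CLIENT_NET = "10.1.0.0/24"   # hypothetical client subnet
SERVER_NET = "10.2.0.0/24"   # hypothetical server subnet
RDP_SERVER = "10.2.0.10/32"
DNS_SERVER = "10.3.0.53/32"

RULES = [
    Rule("clients-web", CLIENT_NET, "0.0.0.0/0", "web-browsing", "allow"),
    Rule("clients-dns", CLIENT_NET, DNS_SERVER, "dns", "allow"),
    Rule("servers-no-egress", SERVER_NET, "0.0.0.0/0", "any", "deny"),
]
# filler rules 4..99 that none of the audited flows match
RULES += [Rule(f"filler-{i}", f"10.9.{i}.0/24", "10.8.0.0/16", "any", "allow")
          for i in range(4, 100)]
RULES.append(Rule("clients-rdp", CLIENT_NET, RDP_SERVER, "ms-rdp", "allow"))

# flows involved in one RDP session (constructed)
FLOWS = {
    "client->server rdp": Flow("10.1.0.25", "10.2.0.10", "ms-rdp"),
    "client->dns": Flow("10.1.0.25", "10.3.0.53", "dns"),
    "server->dns (reverse lookup of client)": Flow("10.2.0.10", "10.3.0.53", "dns"),
    "unknown-net->server rdp": Flow("10.5.0.1", "10.2.0.10", "ms-rdp"),
}
# flows the session needs; the second is the kind of side flow the reply warns about
REQUIRED = ["client->server rdp", "server->dns (reverse lookup of client)"]

REPORT = audit(RULES, FLOWS)

if __name__ == "__main__":
    for label, (action, pos, name) in REPORT.items():
        print(f"{label:42s} -> {action:5s} rule {pos} ({name})")
    print("required flows blocked:", blocked_flows(REPORT, REQUIRED))
```

In this constructed rulebook the RDP flow is allowed at rule 100, but the server's own DNS lookup of the client lands on a deny rule at position 3, which is the pattern the reply describes: the position of the matching rule is not what costs seconds, a side flow that is dropped and has to time out is. Running the same kind of audit against an export of the real rulebook, with every flow the session generates, is a quicker way to find such a rule than moving rules around.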
