The maximum throughput of 3260 firewall is 8.8 Gbps. How does the firewall handle the traffic entering through the QSFP+ ports with 40gig throughput?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

The maximum throughput of 3260 firewall is 8.8 Gbps. How does the firewall handle the traffic entering through the QSFP+ ports with 40gig throughput?

L1 Bithead

Hello,

We have a Palo Alto 3260 firewall with two 40 Gbps QSFP+ ports, but its maximum firewall throughput is 8.8 Gbps. How does the firewall handle the traffic entering through the QSFP+ ports, considering the potential incoming traffic exceeds the firewall's throughput capacity? How does the device manage this traffic, and what happens to the packets when the traffic exceeds the firewall's 8.8 Gbps throughput limit? And the percentage of packet dropping is 3%.

Thanks.

4 REPLIES 4

Cyber Elite
Cyber Elite

The 40gb is just link speed so there's no issue there

Once you reach the firewall's maximum capacity, several things can happen depending on the kind of traffic and how much 'over' it's limit you go

the firewall will always try to forward packets accordingly, but may not be able to buffer everything flooding in (if buffering is needed) so packetloss may occur. 

you can see buffering via the CLI command > show running resource-monitor

 

packet buffer:
  7   7   7   7   7   7   7   7   7   7   7   7   7   7   7
  7   7   7   7   7   7   7   7   7   7   7   7   7   7   7
  7   7   7   7   7   7   7   7   7   7   7   7   7   7   7
  7   7   7   7   7   7   7   7   7   7   7   7   7   7   7

packet descriptor:
  0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
  0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
  0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
  0   0   0   0   0   0   0   0   0   0   0   0   0   0   0

 

buffer is software, descriptor is hardware

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you for your answer but I checked the device and observed that 40 Gbps of traffic is entering the firewall. I want to understand how it manages to handle 40 Gbps of traffic, especially considering that the packet drop rate is very low.
Thanks again.

Cyber Elite
Cyber Elite

how are you observing 40gbps? 

can you run > show session info

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I would agree with @reaper and where he is likely going.  You mention the advertised throughput capacity of the 3260 being substantially lower than the 40Gb transceiver speed, but just because you have network connectivity of 40Gbps doesn't mean there's actually traffic coming to the FW of that or even close to it.

 

While Palo Alto advertises a certain throughput limit for it's hardware that number is a factor of probably 100+ different variables.  In some situations the hardware might be able to do double the advertised throughput or in some cases you might only get 1/4th.  The max throughput number is simply a guide customers can use to help gauge the relative performance they could expect from a certain hardware model.

 

 

--edit-- shared the hardware specs of the 3200/3400  

 

As an FYI the 3200 hardware platform is being EOLd and replaced with the 3400s.  You can see from the specs the 3400s performance is substantially greater than the older 3200 generation.

 

 

Brandon_Wertz_2-1721744209430.png

 

Brandon_Wertz_1-1721744169288.png

 

  • 1028 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!