Currently we have a 1 gig pipe to the internet, we will be upgrading our internet pipe to 10 gig capability in the next month. We will be aggregating several interfaces to accommodate the additional bandwidth requirements. Basically going from a 1 gig interface to port-channelling to a 2-gig interface. If we turn on Threat Prevention on this port-channel will the throughput be lowered to 1-gig for the aggregate? We have been instructed that enabling Threat Prevention lowers throughput on the interface by half and are curious how enabling Threat Prevention will affect a port-channeled interface.
Allow me to address the statement referring to an automatic loss of ½ bandwidth when “threat protection” is enabled.
The degree that any additional features will impact throughput is subjective to the type of traffic and sheer volume of sessions. Enabling “threat protection” will come with a performance cost but the impact is not a fixed variable. For instance if you had 10 sessions moving a few massive files across the firewall totaling 100 gig the performance impact would be less that 100 sessions moving 10 gig. The impact is shaped by the type and quantity of session vs. the byte count over the same window of time.
Additionally the type of hardware your running will also shape the overall performance hit that threat protection will carry. A PA-500 with 300 users and all features enabled will be stressed harder than a PA-5020 with the same users and traffic. Of course this is an extreme example but the point is valid.
To address your situation specifically, your site is running a pair of 4020’s in HA mode. This device is capable of handling your current 1 gig pipe with inspection, it is unlikely you would see a performance hit however before making any changes you should look at your average CPU usage, if you’re sitting around 20-30% moving to the 2 gig aggregate shouldn’t present any issues but if you’re running around 80% then you will are running at your limit.
One other note is that if you’re already using AV protection then the addition of Threat Protection will not carry any additional cost since they use the same mechanism.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!