Threat Protection


I hope you may be able to answer a couple of quick questions for me as I am planning on switching Threat Protection on in the next few weeks.

1. When we turn on Threat Protection I remember you saying that the throughput for the dataplane is cut in half. Is there any way of monitoring the throughput of the dataplane?

2. When Threat Protection is enabled will it limit the throughput for every Network/Port on the Firewall? From what I have read you have to configure Threat Protection on every policy; does that mean it only limits the throughput on the zones?

If you could help me with this it would be great.

Cheers


Accepted Solutions
L6 Presenter

1) You can see the various performance numbers (which depend on model) for throughput with threat prevention enabled in the datasheets:

PA-5060

    20 Gbps firewall throughput

    10 Gbps threat prevention throughput

PA-5050

    10 Gbps firewall throughput

    5 Gbps threat prevention throughput

PA-5020

    5 Gbps firewall throughput

    2 Gbps threat prevention throughput

PA-4060

    10 Gbps firewall throughput

    5 Gbps threat prevention throughput

PA-4050

    10 Gbps firewall throughput

    5 Gbps threat prevention throughput

PA-4020

    2 Gbps firewall throughput

    2 Gbps threat prevention throughput

PA-2050

    1 Gbps firewall throughput

    500 Mbps threat prevention throughput

PA-2020

    500 Mbps firewall throughput

    200 Mbps threat prevention throughput

PA-500

    250 Mbps firewall throughput

    100 Mbps threat prevention throughput

PA-200

    100 Mbps firewall throughput

    50 Mbps threat prevention throughput

In order to monitor the throughput you can use SNMP; here is some info on how to do this with Cacti:

2) As I understand it the single-pass engine in PA will work no matter if you have a specific rule using threat protection or not. Some benchmarks published on the Internet even show that throughput went down when you disabled threat prevention compared to a rule with everything enabled. Also the figures mentioned in PA's datasheets aren't max values (like most competitors) but rather low values (NSS Labs found that actual performance was 115% of that stated in the datasheet - of course this might vary depending on what kind of traffic, packet sizes, segment sizes etc).

Edit: I guess these two docs might be of interest:

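To illustrate the SNMP monitoring suggested in the answer above, the following is an added example (not part of the original posts and not vendor code) that turns two polls of interface octet counters into a throughput figure and compares it with the threat prevention rating from the datasheet list. It assumes the counters are the standard IF-MIB `ifHCInOctets` values collected by whatever poller is in use, that summed inbound traffic on the data interfaces is an acceptable approximation of dataplane load, and that the function names and the sample polls are constructed for illustration.

```python
# Added example: dataplane load from two SNMP polls of IF-MIB ifHCInOctets.
# Threat prevention throughput (bits/s) per model, from the datasheet list above.
THREAT_PREVENTION_BPS = {
    "PA-5060": 10e9, "PA-5050": 5e9, "PA-5020": 2e9, "PA-4060": 5e9,
    "PA-4050": 5e9, "PA-4020": 2e9, "PA-2050": 500e6, "PA-2020": 200e6,
    "PA-500": 100e6, "PA-200": 50e6,
}
MAX_PLAUSIBLE_BPS = 20e9  # assumption: highest firewall throughput listed (PA-5060)


def octet_delta(prev, curr, bits=64):
    """Octets counted between two polls, allowing for one counter wrap."""
    return (curr - prev) % (2 ** bits)


def inbound_bps(prev_poll, curr_poll, bits=64, max_bps=MAX_PLAUSIBLE_BPS):
    """Sum inbound bits/s over interfaces seen in both polls.

    A poll is {"time": epoch_seconds, "octets": {ifName: counter}}. A per-interface
    rate above max_bps is treated as a counter reset (reboot) and skipped.
    """
    elapsed = curr_poll["time"] - prev_poll["time"]
    if elapsed <= 0:
        raise ValueError("polls must be in increasing time order")
    total = 0.0
    for name, curr in curr_poll["octets"].items():
        if name not in prev_poll["octets"]:
            continue  # interface appeared between polls
        rate = octet_delta(prev_poll["octets"][name], curr, bits) * 8 / elapsed
        if rate <= max_bps:
            total += rate
    return total


def utilisation(model, bps):
    """Fraction of the model's datasheet threat prevention throughput in use."""
    return bps / THREAT_PREVENTION_BPS[model]


# Constructed sample polls, 60 s apart (not real device output).
PREV = {"time": 0, "octets": {"ethernet1/1": 1_000_000_000,
                              "ethernet1/2": 2**64 - 750_000_000,  # about to wrap
                              "ethernet1/3": 5_000_000}}
CURR = {"time": 60, "octets": {"ethernet1/1": 2_500_000_000,
                               "ethernet1/2": 750_000_000,          # wrapped
                               "ethernet1/3": 1_000}}               # reset to near zero

if __name__ == "__main__":
    bps = inbound_bps(PREV, CURR)
    print(f"{bps / 1e6:.0f} Mbps inbound, {utilisation('PA-2050', bps):.0%} of PA-2050 rating")
```

Passing `bits=32` handles the 32-bit `ifInOctets` counter instead, which wraps within about half a minute at 1 Gbps and therefore needs a short polling interval.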


