07-26-2012 04:50 AM
I hope you may be able to answer a couple of quick questions for me as I am planning on switching Threat Protection on in the next few weeks.
1. When we turn on Threat Protection I remember you saying that the throughput for the dataplane is cut in half. Is there any way of monitoring the throughput of the dataplane?
2. When Threat Protection is enabled, will it limit the throughput for every Network/Port on the Firewall? From what I have read you have to configure Threat Protection on every policy; does that mean it only limits the throughput on the zones?
If you could help me with this it would be great.
Cheers
07-26-2012 05:36 AM
1) You can see the various performance numbers (which depend on model) for throughput with threat prevention enabled in the datasheets:
PA-5060
20 Gbps firewall throughput
10 Gbps threat prevention throughput
PA-5050
10 Gbps firewall throughput
5 Gbps threat prevention throughput
PA-5020
5 Gbps firewall throughput
2 Gbps threat prevention throughput
PA-4060
10 Gbps firewall throughput
5 Gbps threat prevention throughput
PA-4050
10 Gbps firewall throughput
5 Gbps threat prevention throughput
PA-4020
2 Gbps firewall throughput
2 Gbps threat prevention throughput
PA-2050
1 Gbps firewall throughput
500 Mbps threat prevention throughput
PA-2020
500 Mbps firewall throughput
200 Mbps threat prevention throughput
PA-500
250 Mbps firewall throughput
100 Mbps threat prevention throughput
PA-200
100 Mbps firewall throughput
50 Mbps threat prevention throughput
In order to monitor the throughput you can use SNMP; here is some info on how to do this with Cacti:
2) As I understand it, the single-pass engine in PA will work no matter if you have a specific rule using threat protection or not. Some benchmarks published on the Internet even show that throughput went down when you disabled threat prevention compared to a rule with everything enabled. Also, the figures mentioned in PA's datasheets aren't max values (like most competitors) but rather low values (NSS Labs found that actual performance was 115% of that stated in the datasheet - of course this might vary depending on what kind of traffic, packet sizes, segment sizes etc).
Edit: I guess these two docs might be of interest:
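An added example (not part of the original posts and not Palo Alto Networks code): turning two SNMP polls of the IF-MIB `ifHCInOctets` counters into a throughput figure and comparing it with the threat prevention numbers listed in the answer above. The interface readings, the 300-second poll interval, the 0.75 warning threshold and the use of summed ingress octets as a stand-in for dataplane load are assumptions.

```python
# Threat prevention throughput per model, in bits per second, as quoted from
# the datasheets in the answer above.
THREAT_PREVENTION_BPS = {
    "PA-5060": 10_000_000_000, "PA-5050": 5_000_000_000,
    "PA-5020": 2_000_000_000, "PA-4060": 5_000_000_000,
    "PA-4050": 5_000_000_000, "PA-4020": 2_000_000_000,
    "PA-2050": 500_000_000, "PA-2020": 200_000_000,
    "PA-500": 100_000_000, "PA-200": 50_000_000,
}
COUNTER64 = 2 ** 64  # ifHCInOctets is a Counter64 and wraps at this value


def rate_bps(octets_t0, octets_t1, interval_s, modulus=COUNTER64):
    """Bits per second between two polls, tolerating one counter wrap."""
    if interval_s <= 0:
        raise ValueError("poll interval must be positive")
    delta = (octets_t1 - octets_t0) % modulus
    return delta * 8 / interval_s


def utilization(model, readings, interval_s):
    """Return (total_bps, fraction of the model's threat prevention figure).

    readings: one (octets_t0, octets_t1) pair per data interface.
    Assumption: summed ingress octets approximate the load on the dataplane.
    """
    total = sum(rate_bps(t0, t1, interval_s) for t0, t1 in readings)
    return total, total / THREAT_PREVENTION_BPS[model]


def status(fraction, warn_at=0.75):  # warn_at is a hypothetical threshold
    return "warn" if fraction >= warn_at else "ok"


# Constructed sample: two interfaces on a PA-2020 polled 300 s apart.
SAMPLE = [
    (1_000_000_000, 4_000_000_000),              # no wrap
    (COUNTER64 - 1_000_000_000, 2_000_000_000),  # counter wrapped between polls
]

if __name__ == "__main__":
    bps, frac = utilization("PA-2020", SAMPLE, 300)
    print(f"{bps / 1e6:.0f} Mbps, {frac:.0%} of datasheet figure: {status(frac)}")
```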