Traffic flow



L4 Transporter

Is there a good way to determine if the traffic flow through you firewall is optimal and the most efficient?


L7 Applicator

What do you mean by efficient? So far only this comes to mind for something like this:

  • Inefficient: inter-vsys routing internally in the firewall, as all is done in software
  • "Efficient": allowing traffic with application override rule as it reduces everything to l4 firewalling

 

Another inefficiency from a network perspective is MTU mismatches. So could you explain a little more what exactly you want to find out?

Cyber Elite

There are several different ways to approach 'optimizing', but you'll want to figure out what does and does not benefit from/require optimizing.

 

If you have no starting point, a good way is to try to determine a few 'major' avenues:

 

- Can logging be optimized? Some things are chatty and may not need to be logged (like DNS). Reporting can also be tuned (some default reports turned off if they're not useful).

- Is traffic being discarded because of errors? Take a look at switch error counters for low-level issues; for higher-level errors the firewall global counters show them: show counter global filter severity error (look for 'obvious' high numbers).

- Do you have a very large number of policies that can be combined/pruned/cropped? Look for 'unused' rules (PAN-OS 8.1 has a really GREAT new feature that shows rule usage).

- If you draw out your network, can it be done in a pretty straightforward design, or is there "excessive" complexity you could simplify?

- Could some features be leveraged to 'increase' throughput for a specific flow (app override, DSRI) or to 'decrease' throughput to preserve bandwidth for more important applications (QoS)?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@Remo

@reaper

I was under the impression that the order in which you put your security policies can affect the efficiency of the flow of traffic through your firewall. So you want to put the rules that pass the most traffic at the top so it doesn't have to traverse the whole firewall, thus making it more inefficient. We are working on reordering our rules for the best performance and to align with the PA best practices guidelines, and I wondered if it is possible to get a good overall idea of how we are currently doing.

@reaper

Very awesome points as usual reaper.

Over the three years (:O) I have been working on this PA firewall we have pruned the number of policies down from 1300 to 400. Recently we removed DNS rules from being logged, changed policies to drop instead of deny, and now we have decided to try to reorder the security rules to see if we can make the overall traffic flow more efficient, by getting the high amount of traffic through the firewall at a higher level rather than making it traverse the whole firewall. We also just got a copy of the best practices and are seeing how we can use it to make our PA work better for us :).

 

I ran the command show counter global filter severity error and this was an obvious high number? 15032727

 

session_dup_pkt_drop                15032727        5 drop      session   resource  Duplicate packet: Applies only for multi-DP platform with hardware (Tiger) broadcasting

 


@jdprovine wrote:

 

I was under the impression that the order in which you put your security policies can affect the efficiency of the flow of traffic through your firewall.


I don't think this is the case. I've participated in proof-of-concept testing where performance was identical whether traffic was passing through the 1st rule or the 5000th rule.

 

The best practices documentation mentions rule order only so far as it matters in the evaluation of the security policy:

 - https://www.paloaltonetworks.com/documentation/80/best-practices/best-practices-data-center/data-cen...

@jvalentine

 

Interesting, so if it is something like DNS traffic, of which there is a lot, and the only rule you have is at the bottom of all your other rules, like 399 of 400 rules, is it better to move it to the top so the traffic doesn't have to go through all the other rules first?

@jvalentine

I just reread the article you sent, so if you are segmented into zones, which we are, the order within that zone segment makes a difference, but not the order of all the rules. I think our focus is the reordering of the zone segments.

The order of rules (with or without zones) affects which rule is matched and what action is enforced. Grouping the rules together based on zone can help "keep things straight" and reduces the possibility that traffic flows inadvertently match an unintended rule.

 

To get a feel for why order isn't as significant from a performance standpoint, read up on the use of trie structures for policy evaluation. (The first link is in reference to Palo Alto Networks firewalls, while the other two are more generalized trie + security policy articles.) These should give you an idea of how a "line-by-line" policy can be compiled into a more efficient structure:

 - https://medium.com/@IrekRomaniuk/the-right-way-to-manage-a-firewall-security-policy-e5c499bfd22f 

 - https://pdfs.semanticscholar.org/bca2/0ba743daf0b9a786fe3d5faa90d53a9a7344.pdf

 - https://www.osti.gov/servlets/purl/924750

 - https://en.wikipedia.org/wiki/Trie
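The point above, that rule order decides which rule matches but not how much work a lookup costs, is easier to see with a small model. The following is an added example, not code from the thread or from Palo Alto Networks: a constructed four-rule rulebase evaluated two ways, line by line and via per-zone-pair binary tries over the destination prefix. Both return the same first-match rule for every flow; only the compiled form stops depending on how many rules sit above the match.

```python
from ipaddress import ip_network, ip_address

# Constructed sample rulebase (hypothetical; not taken from the thread).
# Fields: name, from_zone, to_zone, destination CIDR, application, action.
RULES = [
    ("allow-web",    "trust", "untrust", "0.0.0.0/0",      "web-browsing", "allow"),
    ("block-badnet", "trust", "untrust", "203.0.113.0/24", "any",          "deny"),
    ("dmz-ssh",      "trust", "dmz",     "10.1.0.0/16",    "ssh",          "allow"),
    ("allow-dns",    "trust", "untrust", "0.0.0.0/0",      "dns",          "allow"),
]
DEFAULT = ("interzone-default", "deny")


def linear_match(rules, from_zone, to_zone, dst, app):
    """Line-by-line first-match evaluation, the way the rulebase reads."""
    for name, fz, tz, net, rapp, action in rules:
        if ((fz, tz) == (from_zone, to_zone) and ip_address(dst) in ip_network(net)
                and rapp in ("any", app)):
            return name, action
    return DEFAULT


class CompiledPolicy:
    """The same rulebase compiled into one binary trie per zone pair, keyed on
    the destination prefix. A lookup walks at most 32 trie edges and keeps the
    lowest rule position seen along that path, so the cost depends on prefix
    depth, not on how many rules sit above the matching one."""

    def __init__(self, rules):
        self.tries = {}
        for pos, (name, fz, tz, net, rapp, action) in enumerate(rules):
            node = self.tries.setdefault((fz, tz), {})
            n = ip_network(net)
            # Descend one trie level per prefix bit; a /0 rule stays at the root.
            for bit in format(int(n.network_address), "032b")[: n.prefixlen]:
                node = node.setdefault(bit, {})
            node.setdefault("rules", []).append((pos, rapp, name, action))

    def match(self, from_zone, to_zone, dst, app):
        node, best = self.tries.get((from_zone, to_zone)), None
        bits = format(int(ip_address(dst)), "032b")
        depth = 0
        while node is not None:
            for pos, rapp, name, action in node.get("rules", []):
                if rapp in ("any", app) and (best is None or pos < best[0]):
                    best = (pos, name, action)  # first match = lowest position
            node = node.get(bits[depth]) if depth < 32 else None
            depth += 1
        return (best[1], best[2]) if best else DEFAULT
```

Note that web-browsing to 203.0.113.5 is allowed by both evaluators because allow-web sits above block-badnet; that is the shadowing that rule order does control, and the kind of thing the rule-usage feature mentioned earlier helps surface.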
