08-15-2013 07:27 PM
08-15-2013 07:53 PM
I don't believe there is a global setting to turn off App-ID, but you can configure two application override policies ( https://live.paloaltonetworks.com/docs/DOC-1071 ) and include all ports (1-65535) for both tcp and udp.
08-15-2013 08:44 PM
So basically, create two custom applications, one for tcp (tcp/1-65535) and the other for udp (udp/1-65535), and create two policies, one for all tcp ports and the other for all udp ports.
08-16-2013 07:28 AM
Haha wow, I never thought about trying to benchmark App-ID versus non-App-ID in this way... yes, this in theory should work, if you built app overrides for any-to-any traffic and bound them to the App-IDs that define every TCP port and every UDP port.
You'd have to build more specific app overrides for specific ports if you wanted to actually firewall, I suppose... or I guess your rules could be defined as App 'any' and define specific services in the service column... this would in essence give you a traditional layer 4 firewall.
Interesting stuff... I have a BreakingPoint appliance, and it's tempting to go build this in the lab and see what kind of performance I get out of it compared to App-ID being on.
08-16-2013 08:49 AM
Keep in mind a rule with a custom application override does not pass through any of the URL, threat or anti-virus scanning engines. The scanning engines will be used with an app override if you use an existing built-in application such as web-browsing.
The above information can also be found at the following link:
Application Override and Scanning Engines
Hope this helps.
Thanks
Numan
08-19-2013 12:42 AM
Would be nice if those numbers could be posted online 🙂
Especially the case between an App-ID override, which disables everything, vs "appid: any", which should be equal (at least security-wise).
I think Network World got slightly lower throughput when they tried to "disable everything", and one of the theories back then was that a disable added one (or more) CPU cycles within the PA, which would end up with 1%-ish lower throughput. That is, the PA will do App-ID no matter what; when you disable/ignore the result from App-ID it will take one (or more) additional CPU/FPGA/ASIC cycles to ignore the result.
08-12-2014 11:31 AM
I'm trying to get more throughput through my 2020. I got the gig interfaces, but the FW App-ID performance is 500Mb. I want to terminate a Gig Eth circuit to the FW but don't want to impede performance. The circuit carries our VM replication, TSM backup, file sharing, and management. I was expecting that application override would be the best choice to implement, but the Network World comment had me guessing. Any further thoughts or comments on this one?
Thank you