URL Filtering Traffic Throughput


L1 Bithead

Does anyone know for certain what the maximum throughput of a Palo firewall is if the only security profile applied is URL Filtering?


The PA-5050 can do 10Gbps of App-ID firewall throughput and 5 Gbps of Threat Prevention throughput.

 

If you pushed 6 Gbps of traffic through a PA-5050 with only URL filtering applied, would the PA-5050 throttle the traffic to 5 Gbps because of the limit to Threat Prevention throughput or would it let the traffic through at full speed given the 10 Gbps App-ID throughput?

 

You need to decode the HTTP header to determine the URL correctly and this means Content Inspection (which implies the traffic is limited to Threat Prevention throughput).

 

However, according to the link below, the URL match happens on the same processors that do the App-ID (Security processor) and not the same as IPS, spyware, etc (Signature matching processors) so possibly URL filtering can happen at App-ID throughput speeds.

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/pa-5000-series

 

Thanks


Accepted Solutions

Cyber Elite

there is no 'slowdown' when only URL filtering is applied as the traffic does not need to be scanned as it does with threats. there is simply a category lookup and then an allow or deny action with no further actions on that session

 

also

Traffic will never ever ever be throttled

these throughput numbers are _measured_ throughputs (not limited) when only AppID was enabled and when all bells and whistles were enabled, so there is some throughput impact when all traffic is being scanned, but this is related to how the traffic is flowing through the system and is being inspected for threats, there is no throttle preventing traffic to surpass the 5Gbps mark

 

in some cases, if your traffic is 'scan friendly' you may even have close to the 10gbps traffic even with threat prevention enabled, it depends on how much work your chassis needs to put in to get all the traffic scanned

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


Thank you for the clarification on how the traffic is processed.
