01-27-2017 04:51 AM
Does anyone know for certain what the maximum throughput of a Palo firewall is if the only security profile applied is URL Filtering?
The PA-5050 can do 10Gbps of App-ID firewall throughput and 5 Gbps of Threat Prevention throughput.
If you pushed 6 Gbps of traffic through a PA-5050 with only URL filtering applied, would the PA-5050 throttle the traffic to 5 Gbps because of the limit to Threat Prevention throughput or would it let the traffic through at full speed given the 10 Gbps App-ID throughput?
You need to decode the HTTP header to determine the URL correctly and this means Content Inspection (which implies the traffic is limited to Threat Prevention throughput).
However, according to the link below, the URL match happens on the same processors that do the App-ID (Security processor) and not the same as IPS, spyware, etc (Signature matching processors) so possibly URL filtering can happen at App-ID throughput speeds.
https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/pa-5000-series
Thanks
01-27-2017 06:21 AM
there is no 'slowdown' when only URL filtering is applied as the traffic does not need to be scanned as it does with threats. there is simply a category lookup and then an allow or deny action with no further actions on that session
also
Traffic will never ever ever be throttled
these throughput numbers are _measured_ througputs (not limited) when only AppID was enabled and when all bells and whistles were enabled, so there is some throughput impact when all traffic is being scanned, but this is related to how the traffic is flowing through the system and is being inspected for threats, there is no throttle preventing traffic to surpass the 5Gbps mark
in some cases, if your traffic is 'scan friendly' you may even have close to the 10gbps traffic even with threat prevention enabled, it depends on how much work your chassis needs to put in to get all the traffic scanned
01-27-2017 06:21 AM
there is no 'slowdown' when only URL filtering is applied as the traffic does not need to be scanned as it does with threats. there is simply a category lookup and then an allow or deny action with no further actions on that session
also
Traffic will never ever ever be throttled
these throughput numbers are _measured_ througputs (not limited) when only AppID was enabled and when all bells and whistles were enabled, so there is some throughput impact when all traffic is being scanned, but this is related to how the traffic is flowing through the system and is being inspected for threats, there is no throttle preventing traffic to surpass the 5Gbps mark
in some cases, if your traffic is 'scan friendly' you may even have close to the 10gbps traffic even with threat prevention enabled, it depends on how much work your chassis needs to put in to get all the traffic scanned
01-30-2017 02:10 AM
Thank you for the clarification on how the traffic is processed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
