08-08-2025 05:56 AM
Specific situation we're dealing with, looking to see if anybody else has and has any input.
Over the past few years we have worked a GlobalProtect build and deployment in our org. We opted to use PA-5250s solely on the basis that their documentation claims that model supports 30k GlobalProtect connections (IPsec AND SSL specifically).
In our configuration we prefer IPsec, but have SSL Fallback enabled at the smallest possible configurable interval (1 hour). In production today we have about 10,000 users on one GP GW. About 9,200 are IPsec and about 200 are on SSL. We have a use case for users who may be connecting from customer networks or home networks where IPsec is disabled.
Well, turns out the documentation regarding the specs is inaccurate, specifically due to some sort of inefficiency in the PA-5250 architecture in which SSL sessions use CONSIDERABLY more resources than expected. We've had situations where single SSL sessions can use upwards of 20% of the entire packet buffers. We're seeing packet buffers and related protections constantly triggering, and DPU is solidly at about 75% during normal production, sometimes spiking into the 90s. Confirmed this issue with Palo TAC.
Palo's only real recommendations so far have been to:
1. upgrade the hardware to a newer and beefier x86 architecture
2. separate IPsec and SSL Gateways into separate hardware to spread the load out better
Curious if anyone has dealt with this situation before?