Sorry to necro an old thread, but this one seems to be the most relevant I've come across so far to my related question, in that: for sizing zone protection / flood protection, the values are all set in packets/second. If I'm trying to accurately size my zone protection to enable for my own in-house load runner servers, which generate traffic on thousands of IPs, I'm sure I could say I will easily be able to push the firewall to its max if we don't restrict them down.

'show system statistics session' only relays the current packet rate, which I do thank you all for pointing out. If I can get my load runner guys to generate the traffic at a reasonable hour rather than 2 in the morning, I can now at least watch from the console what is happening before my network shuts itself down. (Anyone else who comes upon this thread and has the same situation where ZP is killing your network: avoid "random early packet drop", go with SYN cookies.)

If I go with a simple MTU of 1500 and the PA-5060's full theoretical max of 10Gb/s throughput, and my math is correct, that would be a potential maximum of 833,333 pps?

10Gb/s = 1,250,000,000B/s
1,250,000,000 / 1500 = 833,333.33~

This of course can't take into account any overhead the firewall is doing on L4+ deeper inspection, AppID, if decrypting SSL, etc. etc., right? So would a safe rule of thumb be 800k pps max that the unit is capable of in terms of pure L3 firewall inspection? I've already tripped ZP and had to disable at 400k pps, so I want to be sure I know what I'm up against.

Thanks for any help anyone can provide. If there is a white doc somewhere with the actual pps, I truly appreciate your search skills, as I haven't found it, and of course talking with Palo Alto Engineers specializing in ZP, they've told me it's all subjective to the environment so they can't make recommendations.