Appropriately Sizing Firewalls for Your Potential Customer

TechConnect Webinar on Appropriately Sizing Firewalls for Your Potential Customer

How to size a PA?

Application Decoders (all performed in software)
• HTTP (web-browsing): medium-weight, depends on transaction size
  • PA-5060: ~8 – 10 Gbps real-world HTTP traffic (no profiles, or DSRI with profiles)
• SMB and SMTP: heavy-weight
  • PA-5060: likely ~2 – 4 Gbps real-world traffic with profiles
  • Consider using DSRI if needed (protecting servers)
  • App-override to get out of the decoder if needed
• QoS
  • PA-200/500/2000: performed in software
  • PA-5000: performed in hardware
• Zone Protection Profiles
  • Performed in software on all platforms today
• Policy Based Forwarding
  • PA-200/500/2000: performed in software
  • PA-5000: performed in hardware
• DoS Protection Profiles
  • Performed in software on all platforms today
• IPv6
  • Route lookup/forwarding performed in software on all platforms today


Numbers are aggregate
• A T3 can forward up to 90 Mbps (full duplex)
• Don’t just think throughput
  • Total concurrent sessions
  • New Sessions Per Second (CPS)
    • High Availability can add load here
  • ARP and Forwarding Table Size
  • Server Response Inspection?
  • Number of security and NAT rules
  • Traffic Pattern: packet size, transaction size, applications
• Features in hardware vs. software (latency)
  • IPv6, QoS, PBF can be different by platform
• Consider SSL Decrypt performance and IPsec/SSL VPN tunnel limits
• Vsys?
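The "don't just think throughput" checklist above can be turned into a per-dimension sizing check. The following is an added example written for these notes, not Palo Alto Networks tooling: the decoder throughput figures are the conservative end of the PA-5060 ranges quoted above, while the session-table, CPS, rule-count limits and the HA load factor are constructed placeholders to be replaced with the datasheet values for the platform being sized.

```python
"""Multi-dimension firewall sizing check (added example, not from the webinar)."""
from dataclasses import dataclass


@dataclass
class Platform:
    name: str
    mbps_by_decoder: dict   # conservative real-world Mbps per decoder class
    max_sessions: int       # concurrent session table size (placeholder)
    max_cps: int            # new sessions per second (placeholder)
    max_rules: int          # security + NAT rule budget (placeholder)


@dataclass
class TrafficProfile:
    mbps_by_app: dict           # aggregate Mbps per decoder class, both directions
    cps: int                    # new sessions per second
    avg_session_seconds: float  # mean session lifetime
    rules: int                  # security + NAT rules in the policy
    ha_active_active: bool = False


def concurrent_sessions(profile: TrafficProfile) -> int:
    # Little's law: sessions held in the table ~= arrival rate * mean lifetime
    return int(profile.cps * profile.avg_session_seconds)


def utilization(platform: Platform, profile: TrafficProfile) -> dict:
    """Per-dimension load as a fraction of capacity (1.0 == at the limit)."""
    # Heavy decoders (SMB/SMTP) burn capacity faster than HTTP, so sum the
    # fractional load per decoder class instead of comparing raw Mbps totals.
    thr = sum(mbps / platform.mbps_by_decoder[app]
              for app, mbps in profile.mbps_by_app.items())
    ha_factor = 1.5 if profile.ha_active_active else 1.0  # constructed HA overhead
    return {
        "throughput": thr,
        "sessions": concurrent_sessions(profile) / platform.max_sessions,
        "cps": profile.cps * ha_factor / platform.max_cps,
        "rules": profile.rules / platform.max_rules,
    }


def bottleneck(platform: Platform, profile: TrafficProfile) -> tuple:
    """Return (dimension, utilization) for the most loaded dimension."""
    u = utilization(platform, profile)
    worst = max(u, key=u.get)
    return worst, round(u[worst], 2)


# Constructed platform: PA-5060 decoder figures from the notes, other limits are placeholders.
EXAMPLE_PLATFORM = Platform("PA-5060-like", {"http": 8000, "smb_smtp": 2000},
                            max_sessions=4_000_000, max_cps=120_000, max_rules=20_000)
# Constructed customer profile: mostly web, some SMB/SMTP, short-lived sessions.
EXAMPLE_PROFILE = TrafficProfile({"http": 2000, "smb_smtp": 1000}, cps=20_000,
                                 avg_session_seconds=60, rules=5_000)
```

A second profile with the same throughput but long-lived sessions shows why the session table, not Gbps, is often the first limit hit.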


The document and its figures are from 2012 and do not cover V6 or newer hardware/VM platforms.

Why is app override faster than full scanning?
• App override is essentially “stateful inspection”: the device scans the first SYN packet, does a policy lookup, sets up the session, and ignores the remaining packets as long as they match the session
• App override is useful for apples-to-apples testing VS traditional firewalls
