Sunday, March 10, 2019

Suspected Palo Alto throughput issues

Hello Palo Alto Experts,

We have a PAN 5050 firewall that is rated at 5Gb/s of threat. We have a 5Gb/s Internet circuit. To date, I've only ever seen us pull about 2.7Gb/s. We have more demand than that and we're seeing performance issues out at sites that are indicative of us running out of Internet. I suspect the bottleneck is the firewall, but PAN support (the tier 1 guy, at least) is telling me otherwise.

We've had the firewall for a few years now and are putting in a bigger one this summer (along with upgrading our Internet circuit to 30Gb/s), but I need to make it until about August or September on what we have.

Those of you that run PAN stuff, what would you look at? We hit about 50-60% CPU day to day on the data plane. We're never close to the max sessions (we hit around 600-700k per day out of the 2M max). We're not running out of NAT addresses or ports. I've tried turning off the threat profiles, and that helps the CPU a little, but it doesn't help the throughput.

Any ideas anyone has are appreciated. Also, if any of you have some good ways to do some sort of accurate Internet speed testing at 5Gb/s, I'd appreciate ideas on that too. Even our 10G servers don't get much more than 1Gb/s on the regular speedtest sites. I've been thinking of downloading Linux distributions or something from the torrent or Usenet where I can download from multiple connections, but if anyone has better ideas, let me know.

Thanks!


