Palo Alto Networks - Data sheet performance test method


Revision A ©2013, Palo Alto Networks, Inc. www.paloaltonetworks.com

Understanding Datasheet Specification


Contents

• Overview
• Topology
• Firewall Configuration
• Throughput Measurement
    • Traffic Type
    • Firewall Throughput
    • Threat Prevention Throughput
• Maximum Concurrent Connections
• Connections Per Second
• IPSec throughput
• Revision History


Overview

This document describes the test setup, the configuration and the test method used for deriving the datasheet performance numbers.

Topology

A Spirent 3100B appliance is used to simulate servers (6 servers) and clients (65,000 clients) for measuring performance. For the firewalls that support 10G interfaces (PA 5060 and PA 5050), the traffic generator is connected directly to the firewall interfaces. Performance testing of all other platforms uses a switch to convert 10G to 1G.

The number of interfaces used to achieve the datasheet published throughput is listed below:

• PA 5060 – 4 x 10G interfaces
• PA 5050 – 2 x 10G interfaces
• PA 5020 – 10 x 1G interfaces
• PA 3050 – 8 x 1G interfaces
• PA-3020 – 8 x 1G interfaces

Firewall Configuration

This section summarizes the firewall configuration used for testing.

1. Traffic forwarding interfaces are configured in VWIRE mode.
2. A single security policy allows all applications, with “logging on session end”, for all throughput tests.
3. Threat prevention tests are configured with default profiles for AntiVirus, Anti Spyware, and Vulnerability Protection.

Throughput Measurement

Traffic Type

Spirent Avalanche and Reflector are used to simulate Web Servers and Clients. The traffic pattern generated by Spirent is as shown below.

It is important to note that this traffic type is identified as “Spirent” by the App-ID engine.

Firewall Throughput

The firewall datasheet performance numbers are measured at zero drops during the steady state of the test. The datasheet throughput numbers can be achieved using transaction sizes of 64K and higher.

Threat Prevention Throughput

Threat prevention throughput is measured with default profiles for AntiVirus, Anti Spyware, and Vulnerability Protection enabled on the security policy. The datasheet throughput numbers can be achieved using transaction sizes of 64K and higher. Threat prevention throughput is measured both with DSRI enabled and with DSRI disabled. The datasheet number is the best-case performance of the two.

Maximum Concurrent Connections

The maximum concurrent sessions are measured using TCP. This is the maximum number of active TCP connections that the firewall can process. The test tool is configured to generate TCP connections and keep them open for the entire duration of the test.

Connections Per Second

This is the maximum number of UDP sessions per second the firewall can process. The firewall is configured with a single policy with no logging enabled for this test.

IPSec throughput

The following parameters are used for measuring IPSec throughput:

1. IKE – Main Mode, Preshared Key, DH2-AES128-SHA1
2. IPSec – ESP, DH2-AES128-SHA1
3. UDP 1400 byte packets

Note: Since the firewalls use multi-core processors, each VPN tunnel is assigned to a specific core. Multiple IPSec tunnels are required to achieve the rated IPSec throughput.
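The per-packet cost of the IPSec parameters listed above, worked through as an added example (not part of the original Palo Alto Networks document). It assumes IPv4, ESP tunnel mode, AES128 in CBC mode, SHA1 as HMAC-SHA1-96 and minimal padding, none of which the page states; the function names are illustrative.

```python
# Added example: ESP encapsulation overhead for the IPSec test parameters.
# Assumptions (not stated on the page): IPv4, tunnel mode, minimal padding,
# AES128 in CBC mode (RFC 3602), SHA1 as HMAC-SHA1-96 (RFC 2404).

OUTER_IPV4 = 20    # outer IPv4 header without options
ESP_HEADER = 8     # SPI (4) + sequence number (4), RFC 4303
AES_BLOCK = 16     # AES block size; also the length of the CBC IV
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_SHA1_96 = 12   # HMAC-SHA1 truncated to 96 bits
NAT_T_UDP = 8      # UDP encapsulation header (RFC 3948), optional
INNER_IPV4_UDP = 28  # inner IPv4 (20) + UDP (8) headers


def esp_padding(inner_len: int) -> int:
    """Pad bytes needed so inner packet + trailer fills whole AES blocks."""
    return -(inner_len + ESP_TRAILER) % AES_BLOCK


def esp_packet_len(inner_len: int, nat_t: bool = False) -> int:
    """IP-layer size of one tunnel-mode ESP packet carrying inner_len bytes."""
    if inner_len <= 0:
        raise ValueError("inner packet length must be positive")
    encrypted = inner_len + esp_padding(inner_len) + ESP_TRAILER
    total = OUTER_IPV4 + ESP_HEADER + AES_BLOCK + encrypted + ICV_SHA1_96
    return total + (NAT_T_UDP if nat_t else 0)


def cleartext_share(inner_len: int, nat_t: bool = False) -> float:
    """Fraction of the encrypted bytes on the wire that is inner packet."""
    return inner_len / esp_packet_len(inner_len, nat_t)


if __name__ == "__main__":
    # "UDP 1400 byte packets" can be read two ways; a small packet is
    # included to show how the share changes with packet size.
    cases = (("1400-byte IP packet", 1400),
             ("1400-byte UDP payload", 1400 + INNER_IPV4_UDP),
             ("64-byte IP packet", 64))
    for label, inner in cases:
        print(f"{label}: {inner} -> {esp_packet_len(inner)} bytes on the wire, "
              f"pad {esp_padding(inner)}, "
              f"cleartext share {cleartext_share(inner):.1%}")
```

Under these assumptions both readings of the 1400-byte test packet stay below a 1500-byte MTU after encapsulation, while a 64-byte packet more than doubles in size, so a throughput figure measured at 1400 bytes does not carry over to small-packet traffic.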


Revision History

Date              Revision    Comment
July 25th 2013    A           First Draft