How We Tested the Palo Alto PA-5060 firewall

We assessed the performance of the Palo Alto PA-5060 firewall using three sets of tests, covering rates with mixed content, rates with static content, and TCP connection behavior. Two pairs of Spirent Avalanche 3100 GT traffic generator/analyzers, each equipped with two 10G Ethernet interfaces, served as the primary test tool.

For tests that measured forwarding rates, we configured each of the PA-5060's four 10G Ethernet interfaces to act as a gateway for a different IP subnet. We also configured static NAT on the device's unprotected interfaces for all tests, and installed more than 200 access rules. We configured Spirent Avalanche to emulate 200 clients and 40 servers, distributed across the four subnets.

In the mixed-content tests, we offered the same combination of HTTP object types and sizes as in a previous Network World test of the Palo Alto PA-4020 firewall. Object types included text, images, and other binary content such as PDF files. Object sizes ranged from 1 kbyte to 1,536 kbytes, all requested over HTTP. We also reran the same tests using SSL with an RC4-MD5 cipher.

The static-content tests also used HTTP and SSL, but in this case involved separate tests with 10- and 512-kbyte text objects. We chose 10-kbyte objects because they are close to the average object size seen in multiple studies of Web object size distribution, and 512-kbyte objects to represent a large object that should produce a high forwarding rate.

To determine concurrent TCP connection count, we configured clients emulated by Spirent Avalanche to request one object every 60 seconds, building up progressively larger numbers of connections. The maximum concurrent connection count was determined to be the largest count at which the firewall serviced all requests with no failed requests (measured to the nearest 100,000 requests).

To determine connection setup rate, we configured clients and servers emulated by Spirent Avalanche to use HTTP version 1.0, forcing the use of a new TCP connection for each HTTP request. Using a binary search, we determined the maximum rate at which the firewall could service requests for 60 seconds with no failed transactions.
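The binary search described above can be sketched as follows. This is an added example, not the test lab's own tooling: `simulated_trial`, its `capacity` value, the search bounds and the resolution are all assumptions constructed for illustration, standing in for a real 60-second run on the traffic generator.

```python
"""Binary search for the highest connection setup rate with zero failures."""
from typing import Callable, Optional

TRIAL_SECONDS = 60  # trial duration given in the methodology


def simulated_trial(rate: int, capacity: int = 87_300) -> int:
    """Stand-in for one 60-second run; returns the failed-transaction count.

    `capacity` is a constructed value for this example, not a measured
    result for any firewall.
    """
    offered = rate * TRIAL_SECONDS
    served = min(rate, capacity) * TRIAL_SECONDS
    return offered - served


def max_zero_failure_rate(
    trial: Callable[[int], int], low: int, high: int, resolution: int = 100
) -> Optional[int]:
    """Highest rate in [low, high] with zero failures, within `resolution`.

    Assumes pass/fail is monotonic in rate. Returns None if `low` fails.
    """
    if trial(low) != 0:
        return None       # the floor already overloads the device
    if trial(high) == 0:
        return high       # no failure seen: raise `high` and rerun
    passed, failed = low, high
    while failed - passed > resolution:
        mid = (passed + failed) // 2
        if trial(mid) == 0:
            passed = mid  # device kept up: search higher
        else:
            failed = mid  # at least one failed transaction: search lower
    return passed


if __name__ == "__main__":
    best = max_zero_failure_rate(simulated_trial, low=1_000, high=500_000)
    print(f"highest zero-failure rate: {best} connections/s")
```

Checking both bounds before searching matters in practice: a result equal to the upper bound means the search range, not the device, set the limit.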

Calling All Next-Generation Firewall Vendors

Network World invites all vendors of next-generation firewalls to have their products undergo the same rigorous tests used with Palo Alto's PA-5060. By "next generation," we mean firewalls with UTM capabilities; multiple 10-gigabit Ethernet interfaces; and the ability to inspect and act upon traffic at the application layer (for example, by distinguishing between Google Talk file-transfer and voice traffic, even though both use the same 5-tuple). Please send inquiries to Neal Weinberg.
