In August, we tested Palo Alto Networks' PA-4020, the first fully application-aware firewall to be commercially marketed. When we attempted to test performance on the PA-4020 we ran into a hitch: Palo Alto's application identification logic discovered that we were using Spirent test tools.
While this was an interesting validation of their application identification logic, it came with a downside. Palo Alto uses the same tools, and as part of its internal test procedures, company engineers had disabled security inspection for the "Spirent" application — with no way to turn it back on.
Palo Alto has since updated its firmware to allow for security inspection of traffic generated by the test gear. We tested the PA-4020 using a heavy load of HTTP traffic to see how it would behave.
The PA-4020 has a specified performance of 2Gbps of threat protection throughput. Our results show performance about 20% lower than Palo Alto's specifications for the intensive all-HTTP testing we conducted on the PA-4020.
We also found that no matter which security features we enabled or disabled, the PA-4020 turned in the same performance: approximately 1.627Gbps of throughput. This included intrusion prevention (IPS), antivirus and content filtering, each tested both enabled and disabled, all on top of basic firewall and network address translation. This behavior is quite different from what we saw in all other UTM tests we've conducted recently, where performance varied based on which services were enabled. For example, when we tested SonicWall's e7500 last April, it was faster (1.9Gbps) with only IPS enabled, about the same (1.6Gbps) with A/V enabled, and slower (1.3Gbps) with all security services enabled.
We contacted Palo Alto to ask why performance was the same whether security features are enabled or not and were told that this was a side effect of how their application identification code works. According to a Palo Alto representative, because an HTTP application can "change types" in the middle of a single TCP connection, all security features on the PA-4020 are running at all times on HTTP applications. For example, a TCP connection that starts out as standard HTTP on a non-standard port might need to be re-classified as webmail once the server responds and the PA-4020 can see more of the traffic. Because the policies for each application can be different, the security inspection logic for the PA-4020 is engaged at all times on HTTP traffic.
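To illustrate the mechanism described above, here is an added example (not Palo Alto's code; the classification rules, the `X-Webmail-Session` marker and the policy table are constructed for the illustration). It models a flow whose application label changes after the server responds and compares a firewall that fixes its security profile at first classification with one that re-evaluates policy on every segment:

```python
# Added illustration (not Palo Alto code): a flow's application label can change
# mid-connection, so a policy fixed at first classification can be wrong later.
# All heuristics and policy values below are constructed for the example.
from dataclasses import dataclass

# Policy table: application label -> security profile to apply (constructed).
POLICY = {
    "unknown-tcp": "firewall-only",
    "web-browsing": "ips+av+url-filter",
    "webmail": "ips+av+url-filter+dlp",
}

@dataclass
class Flow:
    app: str = "unknown-tcp"

    def observe(self, direction: str, payload: bytes) -> str:
        """Refine the application label with the newest segment and return it."""
        if direction == "c2s" and payload.startswith((b"GET ", b"POST ")):
            if self.app == "unknown-tcp":
                self.app = "web-browsing"  # plain HTTP, even on a non-standard port
        elif direction == "s2c" and b"X-Webmail-Session" in payload:
            self.app = "webmail"           # the server's reply reveals the real app
        return self.app

def run_flow(segments, decide_once: bool):
    """Return the security profile applied to each segment of the flow.
    decide_once=True models a firewall that fixes the profile at the first
    non-unknown classification; False re-evaluates policy on every segment."""
    flow = Flow()
    fixed = None
    profiles = []
    for direction, payload in segments:
        app = flow.observe(direction, payload)
        if decide_once:
            if fixed is None and app != "unknown-tcp":
                fixed = POLICY[app]
            profiles.append(fixed or POLICY["unknown-tcp"])
        else:
            profiles.append(POLICY[app])
    return profiles

# Constructed sample flow on a non-standard port: an HTTP request, a response
# that identifies a webmail application, then a further client request.
SAMPLE = [
    ("c2s", b"GET /mail/inbox HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nX-Webmail-Session: demo\r\n\r\n<html>"),
    ("c2s", b"POST /mail/send HTTP/1.1\r\n\r\nto=a&body=b"),
]
```

With `decide_once=True` the second and third segments are still handled under the web-browsing profile even though the flow has been re-classified as webmail; re-evaluating per segment applies the webmail profile from the moment the response is seen, which is why inspection cannot be switched off after the first classification.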
Comments (4)
Aladdin eSafe versus Palo Alto Network Firewall
By Anonymous on May 11, 2009, 8:39 pm
Both claim application inspection (mostly web). I wonder who will win.
UTM Content Filtering
By Anonymous on December 10, 2008, 7:35 pm
One of the main problems with most UTM devices is the customization of the IPS/URL Filtering/AV. They can all do the Firewall/NAT/VPN based on IP Subnet and User...
Policies for different protocols might be different
By Joel Snyder on October 7, 2008, 12:19 am
There are a lot of UTM firewalls out there (in fact, most of the firewalls on the market out there are UTM firewalls) that don't have the A/V, IPS, or content filtering...
So I am stumped.
By Anonymous on October 6, 2008, 3:51 pm
Who buys a security product only to turn off the security?