Security software

Palo Alto Performance Holds Steady

In August, we tested Palo Alto Networks' PA-4020, the first fully application-aware firewall to be commercially marketed. When we attempted to test performance on the PA-4020, we ran into a hitch: Palo Alto's application identification logic discovered that we were using Spirent test tools.

While this was an interesting validation of their application identification logic, it came with a downside. Palo Alto uses the same tools, and as part of its internal test procedures, company engineers had disabled security inspection for the "Spirent" application -- with no way to turn it back on.

Palo Alto has since updated its firmware to allow for security inspection of traffic generated by the test gear. We tested the PA-4020 using a heavy load of HTTP traffic to see how it would behave.

The PA-4020 has a specified performance of 2Gbps of threat protection throughput. Our results show performance about 20% lower than Palo Alto's specifications for the intensive all-HTTP testing we conducted on the PA-4020.

We also found that no matter which security features we enabled or disabled, the PA-4020 turned in the same performance: approximately 1.627Gbps of throughput. This included intrusion-prevention systems (IPS) (both enabled and disabled), antivirus (both enabled and disabled), and content filtering (both enabled and disabled), all on top of basic firewall and network address translation. This behavior is quite different from what we saw in all other UTM tests we've conducted recently, where performance varied based on which services were enabled. For example, when we tested SonicWall's e7500 last April, it was faster (1.9 Gbit/sec) with only IPS enabled, about the same (1.6 Gbit/sec) with A/V enabled, and slower (1.3Gbps) with all security services enabled.

We contacted Palo Alto to ask why performance was the same whether security features are enabled or not and were told that this was a side effect of how their application identification code works. According to a Palo Alto representative, because an HTTP application can "change types" in the middle of a single TCP connection, all security features on the PA-4020 are running at all times on HTTP applications. For example, a TCP connection that starts out as standard HTTP on a non-standard port might need to be re-classified as webmail once the server responds and the PA-4020 can see more of the traffic. Because the policies for each application can be different, the security inspection logic for the PA-4020 is engaged at all times on HTTP traffic.

In our UTM test published in November 2007, we looked at similar UTM firewall products aiming at the 1Gbps performance level. No product in that test broke the 1Gbps performance barrier with security features enabled. However, some of the products we tested -- including Crossbeam C25 and IBM x3650 hardware running Check Point software, and Secure Computing's Sidewinder 2150D -- all outperformed the PA-4020 when security features were disabled and did so at a much lower price.

With its $49,000 price tag for hardware and software, the PA-4020 is more expensive than most of the UTM firewalls we tested last November. These results suggest that the PA-4020 is a good performance competitor when security features are enabled, but if you don't need the UTM features, you'll have to consider whether the application inspection feature is worth the higher price tag. (See full Palo Alto review.) 
