PA-VM Firewall in AWS achieves Predictable Throughput of 1.5 Gbps Over IPsec Tunnel

Created On 03/18/20 16:26 PM - Last Modified 05/01/24 08:43 AM


Symptom


  • The bidirectional throughput of traffic across the IPsec tunnel is approximately 1.5 gigabits.

Log in to the firewall CLI and execute the CLI command below:

> show session info

Number of sessions supported: 4194290
Number of active sessions: 135
Number of active TCP sessions: 103
Number of active UDP sessions: 20
Number of active ICMP sessions: 5
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 2
Session table utilization: 3%
Number of sessions created since bootup: 34
Packet rate: 170388/s
Throughput: 1823660 kbps <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New connection establish rate: 3 cps
  • The highlighted line in the CLI output above shows the overall firewall throughput, not just that of the IPsec tunnel.
  • To determine the throughput of a specific IPsec tunnel, either the firewall should handle only IPsec traffic or a client/server can be used for testing.
  • In this case, the predicted throughput on the PA-VM firewall is about 1.5 gigabits, depending on the amount of traffic.


Environment


  • Platform: PA-VM
  • PAN-OS: 10.2.x versions and above
  • Deployment: AWS


Cause


  • This limitation is due to the PAN-OS architecture, where each IPsec tunnel session is processed by only one core. Each core encapsulates and decapsulates the traffic, resulting in a bidirectional throughput of approximately 1.5 gigabits.


Resolution


  • Create multiple tunnels between the two sites, where each tunnel can provide a bidirectional throughput of 1.5 gigabits, and load balance the interesting traffic across them.
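
A sizing sketch for the resolution above, added here as an example and not taken from Palo Alto Networks: it packs expected site-to-site flows onto tunnels so that no tunnel is planned above the 1.5 gigabit ceiling. The flow names and rates are constructed, and the 80% planning headroom and the rule that a flow stays on one tunnel are assumptions.

```python
# Added example: first-fit-decreasing placement of flows onto IPsec tunnels.
PER_TUNNEL_MBPS = 1500  # bidirectional per-tunnel ceiling stated in the article

# Constructed sample: expected bidirectional rate per flow, in Mbps.
SAMPLE_FLOWS = {
    "backup-replication": 1000,
    "db-sync": 700,
    "file-share": 500,
    "monitoring": 200,
    "voip": 100,
    "bulk-transfer": 2000,
}


def plan_tunnels(flows, cap_mbps=PER_TUNNEL_MBPS, headroom_pct=80):
    """Return (tunnels, oversize).

    tunnels  -- list of {flow: mbps} dicts, one per tunnel to build.
    oversize -- flows larger than the per-tunnel budget on their own; adding
                tunnels does not help these while a flow stays on one tunnel
                (assumption), so they must be split at the application level.
    headroom_pct is a planning assumption, not a figure from the article.
    """
    budget = cap_mbps * headroom_pct // 100
    tunnels, oversize = [], []
    # Largest flows first; ties broken by name so the plan is deterministic.
    for name, rate in sorted(flows.items(), key=lambda kv: (-kv[1], kv[0])):
        if rate > budget:
            oversize.append(name)
            continue
        for tunnel in tunnels:
            if sum(tunnel.values()) + rate <= budget:
                tunnel[name] = rate
                break
        else:
            tunnels.append({name: rate})
    return tunnels, oversize


if __name__ == "__main__":
    planned, too_big = plan_tunnels(SAMPLE_FLOWS)
    for i, tunnel in enumerate(planned, 1):
        print(f"tunnel-{i}: {sum(tunnel.values())} Mbps {sorted(tunnel)}")
    print("cannot fit on a single tunnel:", too_big)
```
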

