PA-VM Firewall in AWS achieves throughput of 2Gbps Over IPsec Tunnel

• The Bi-directional throughput of the traffic across the IPsec tunnel is 2Gbps across the tunnel.

Log in to the firewall CLI and execute the CLI command below:

> show session info

Number of sessions supported: 4194290
Number of active sessions: 135
Number of active TCP sessions: 103
Number of active UDP sessions: 20
Number of active ICMP sessions: 5
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 2
Session table utilization: 3%
Number of sessions created since bootup: 34
Packet rate: 170388/s
Throughput: 1823660 kbps <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New connection establish rate: 3 cps

• The CLI highlighted above will show the overall Firewall throughput, not just for the IPsec tunnel.
• To determine the specific IPsec tunnel throughput, either the FW should only handle IPsec traffic or a client/server can be used for testing.
• In this case, we have the throughput on the PA-VM FW of about 2Gbps.

• Platform: PA-VM
• PAN-OS: 10.2.x versions and above
• Deployment: AWS

• This limitation is due to the PAN-OS architecture, where each IPsec tunnel session is processed by only one core. Each core encapsulates and decapsulates the traffic, resulting in a bidirectional throughput of approximately 2Gbps.

• To test the data transfer capacity of the IPsec tunnel, you can initiate data flow through the tunnel using both a client and a server. Currently, we are using AWS with 4 CPUs, capable of supporting a throughput of 2 Gigabits.