The PA-220 Firewall is here!

May 21, 2017 at 11:20 am 7 comments

The PA-220 has 8 ports of Gigabit goodness on the front, aside from the management port.

The PA-220 supports some pretty high-end features, making it suitable for use in a small business office.  First, there is High Availability (HA) mode, which you can use if you have a pair of PA-220s and duplicate your connectivity (even to your WAN, so you’d need a switch between a cable/DSL modem and the pair of firewalls).  Another big feature is LACP (Link Aggregation Control Protocol) support, so you could have multiple connections between your firewall and an Ethernet switch.  This redundancy is something that small offices would likely want, as when the WAN connection is down, there is probably work that can’t be done.

The PA-220 comes with a template and hardware to mount it sideways on a wall, something that I plan to do at some point but haven’t gotten around to yet.

Since the PA-220’s throughput is limited to about 500 Mbps firewalled, and drops to about 150 Mbps with Threat enabled, I recommend putting only relatively low-speed or low-volume devices directly on the ports of the firewall itself if the primary thing they communicate with is also on the local LAN.  You could always add a rule that allows intrazone traffic and not place any Threat profiles on that rule, giving you the maximum 500 Mbps speed to the internal network (that traffic then goes uninspected by Threat).

I’ve got it in place, doing SSL decryption, Threat, URL filtering, WildFire, and GlobalProtect VPN.  It seems to perform pretty well so far.


7 Comments

  • 1. Koen Peetermans  |  June 7, 2017 at 8:12 am

    Hi, could you do a “show running resource-monitor minute” in the CLI? I’m wondering if it still has only one dataplane core … THANK YOU

    • 2. ptaylor  |  June 7, 2017 at 4:19 pm

      Doesn’t look great in this font, but here it is:

      show running resource-monitor minute

      Resource monitoring sampling data (per minute):

      CPU load (%) during last 60 minutes:
      core 0 1 2 3
      avg max avg max avg max avg max
      * * 2 11 3 18 * *
      * * 1 7 2 9 * *
      * * 1 5 2 8 * *
      * * 1 5 3 7 * *
      * * 6 27 6 24 * *
      * * 3 27 4 30 * *
      * * 2 6 3 10 * *
      * * 1 11 2 11 * *
      * * 2 18 3 20 * *
      * * 1 12 3 9 * *
      * * 2 26 3 27 * *
      * * 5 63 5 59 * *
      * * 2 21 3 20 * *
      * * 1 10 2 12 * *
      * * 1 8 3 17 * *
      * * 1 8 3 8 * *
      * * 3 20 4 15 * *
      * * 2 17 3 16 * *
      * * 3 32 4 19 * *
      * * 1 7 2 9 * *
      * * 1 18 3 20 * *
      * * 2 25 3 23 * *
      * * 3 14 3 17 * *
      * * 2 9 3 9 * *
      * * 3 15 4 17 * *
      * * 3 7 3 10 * *
      * * 3 7 3 9 * *
      * * 3 8 4 11 * *
      * * 3 9 4 11 * *
      * * 3 13 4 11 * *
      * * 3 11 4 11 * *
      * * 2 11 3 11 * *
      * * 3 9 3 8 * *
      * * 2 5 3 8 * *
      * * 2 5 3 8 * *
      * * 2 12 4 15 * *
      * * 3 8 4 14 * *
      * * 3 8 4 11 * *
      * * 3 11 3 11 * *
      * * 2 10 3 9 * *
      * * 4 27 5 28 * *
      * * 4 16 5 15 * *
      * * 3 11 3 12 * *
      * * 2 5 3 9 * *
      * * 2 11 3 9 * *
      * * 2 7 3 9 * *
      * * 2 7 4 9 * *
      * * 3 28 4 28 * *
      * * 2 6 3 9 * *
      * * 2 6 3 8 * *
      * * 2 7 3 7 * *
      * * 2 6 3 8 * *
      * * 2 9 3 10 * *
      * * 2 7 3 9 * *
      * * 2 12 4 13 * *
      * * 3 40 4 37 * *
      * * 2 8 2 7 * *
      * * 2 10 3 14 * *
      * * 1 7 3 9 * *
      * * 5 55 6 55 * *

      Resource utilization (%) during last 60 minutes:
      session (average):
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

      session (maximum):
      0 0 0 0 0 0 0 0 1 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

      packet buffer (average):
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

      packet buffer (maximum):
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

      packet descriptor (average):
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

      packet descriptor (maximum):
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
      0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

      packet descriptor (on-chip) (average):
      51 51 51 51 51 51 51 51 51 51 51 52 51 51 51
      51 51 51 51 51 51 51 51 51 51 51 51 51 51 51
      51 51 51 51 51 51 51 51 51 51 51 51 51 51 51
      51 51 51 51 51 51 51 51 51 51 51 51 51 51 51

      packet descriptor (on-chip) (maximum):
      51 51 51 51 52 51 51 51 51 51 51 72 51 51 51
      51 52 51 63 52 51 51 51 52 51 51 53 52 52 51
      51 51 52 52 51 51 52 51 51 52 51 54 51 51 52
      51 51 51 52 51 51 51 51 51 51 58 51 51 51 56

  • 3. Koen Peetermans  |  June 7, 2017 at 8:16 am

    Or a “show system state | match cpuinfo” which has even more info 🙂 Thanks again.

    • 4. ptaylor  |  June 7, 2017 at 4:15 pm

      show system state | match cpuinfo
      hw.s1.mp.cpuinfo: { 'bogomips': 2000.00, 'cores': 4, 'model': Cavium Octeon III V0.2 FPU V0.0, }

  • 5. Koen Peetermans  |  June 7, 2017 at 8:22 am

    show system state | match clock

    additionally gives you the clock (Hz)

    BTW, congrats on your PA-220, I’m sure it’s as much or more fun than my PA-200

    • 6. ptaylor  |  June 7, 2017 at 4:15 pm

      show system state | match clock
      local.cpu_clock: 1000000000
      local.info: { 'cpu_clock': 1000000000, 'family': 220, 'model': PA-220, 'name': mp, 'ppid': 0, 'role': mp, 'slot': 1, }

  • 7. Koen Peetermans  |  June 8, 2017 at 2:18 am

    Hey, looks fine to me for a box which costs half and doesn’t consume more power! It has a 4 core processor instead of the 2 core processor on the PA-200, 1 GHz instead of 800 MHz. 2 cores are used for the dataplane (1 on PA-200), and 2 cores for the management plane it seems. So at least double speed on both planes which is very welcome 😛 Thanks for the info, I’m going to get one when my support contract for the PA-200 runs out ….

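
Added example, not part of the original post or its comments: a small Python parser for the CPU table in the `show running resource-monitor minute` output posted above, reporting which cores carry numeric load and how many minutes peaked above a threshold. The function names, the 50% threshold, and the reading of `*` as "no dataplane sample for this core" are assumptions; the sample rows are copied from the output in comment 2.

```python
"""Summarise the CPU table from `show running resource-monitor minute`."""

# Rows copied from the output posted in comment 2 (three early minutes plus the
# busiest one). Assumption: '*' means the core reports no dataplane sample.
SAMPLE = """\
CPU load (%) during last 60 minutes:
core 0 1 2 3
avg max avg max avg max avg max
* * 2 11 3 18 * *
* * 1 7 2 9 * *
* * 6 27 6 24 * *
* * 5 63 5 59 * *
"""

def parse_cpu_table(text):
    """Return {core: [(avg, max), ...]} for cores that report numeric load."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    start = next(i for i, f in enumerate(lines) if f[0] == "core")
    cores = [int(c) for c in lines[start][1:]]
    samples = {c: [] for c in cores}
    for fields in lines[start + 2:]:  # skip the "avg max ..." header row
        is_row = len(fields) == 2 * len(cores) and all(
            f == "*" or f.isdigit() for f in fields)
        if not is_row:
            break  # reached the next section of the output
        for idx, core in enumerate(cores):
            avg, peak = fields[2 * idx], fields[2 * idx + 1]
            if avg != "*" and peak != "*":
                samples[core].append((int(avg), int(peak)))
    return {c: rows for c, rows in samples.items() if rows}

def summarise(samples, peak_threshold=50):
    """Per core: mean of minute averages, highest peak, minutes at/over threshold."""
    report = {}
    for core, rows in samples.items():
        report[core] = {
            "mean_avg": round(sum(a for a, _ in rows) / len(rows), 1),
            "max_peak": max(p for _, p in rows),
            "hot_minutes": sum(1 for _, p in rows if p >= peak_threshold),
        }
    return report

if __name__ == "__main__":
    for core, stats in summarise(parse_cpu_table(SAMPLE)).items():
        print(f"core {core}: {stats}")
```

Run against a full capture, the same summary shows whether enabling Threat or SSL decryption is pushing the reporting cores toward sustained high peaks.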
