Application Override functionality on Palo Alto devices under test with the T-Rex traffic generator
Hi friends,
A few weeks ago, many people started a new journey around the sun; of course, for many others, they didn’t. But what is a fact for everyone (including flat-earthers —how many idiots are there in the world!—) is that the Perihelion occurred on January 4th... a random fact that might not matter, or maybe it does. Anyway, as it couldn’t be otherwise, here’s a musical recommendation: "A Sky Full of Stars" (Coldplay, 2014). In this post, I’ll discuss some load tests I’ve conducted using the T-Rex traffic generator. In this particular case, I’ve tried to highlight the effectiveness of the “application override” functionality in Palo Alto firewalls. Let’s start with a brief description of the main players...
For some time now, I’ve been working with T-Rex. Honestly, it has some impressive features.
TRex is an open source, low cost, stateful and stateless traffic generator fuelled by DPDK. It generates L3-7 traffic and provides in one tool capabilities provided by commercial tools. TRex Stateless functionality includes support for multiple streams, the ability to change any packet field and provides per stream/group statistics, latency and jitter. Advanced Stateful functionality includes support for emulating L7 traffic with fully-featured scalable TCP/UDP support. TRex Emulation functionality includes client side protocols, i.e. ARP, IPv6, ND, MLD, IGMP, ICMP, DOT1X, DHCPv4, DHCPv6, DNS, in order to simulate a scale of clients and servers. TRex can scale up to 200Gb/sec with one server.
T-Rex is a very interesting project. In this post, we’ll just scratch the surface; you’ll only get a whiff of it... The folks at Cisco have done a great job, and it deserves recognition. The work presented in this post is based on the Advanced Stateful Mode – ASTF functionality, which, among other things, allows:
As shown in the image above, we will use the ASTF profile sfr_full_2k.py (https://github.com/cisco-system-traffic-generator/trex-core/blob/master/scripts/astf/sfr_full_2k.py), which generates a mix of sessions: HTTP, Exchange, mail, RTP, SMTP, SIP, RTSP, video calls...
Palo Alto firewall: What is Application Override?
Application Override policies bypass layer 7 processing and threat inspection and instead use less secure stateful layer 4 inspection. This functionality allows bypassing the “deep” traffic analysis that the firewall normally performs. Instead of identifying and classifying traffic based on specific applications, this configuration enables traffic to be handled “generically,” according to rules based on ports and protocols.
This option can be useful in scenarios where the traffic is well-known, and performance is critical, but it has security implications that should not be overlooked.
Application Override policies prevent the firewall from performing layer 7 application identification and layer 7 threat inspection and prevention; do not use Application Override unless you must.
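To make the difference between the two modes concrete, here is an added example (not configuration taken from this post or from Palo Alto's documentation) of what an Application Override rule looks like in PAN-OS `set`-command form, next to a conventional App-ID security rule that keeps Layer 7 inspection. The source and destination ranges are the lab networks used later in the post; the zone names `vwire-trust` and `vwire-untrust`, the rule names, the custom application object `lab-http-override` and the profile group `lab-threat-profiles` are assumed names for the example.

```text
configure

# --- Performance path: tcp/80 between the lab networks is classified by port only ---
# Assumes a custom application object "lab-http-override" has already been created.
set rulebase application-override rules lab-http-override-rule from vwire-trust to vwire-untrust source 16.0.0.0/8 destination 48.0.0.0/8 protocol tcp port 80 application lab-http-override
set rulebase security rules allow-lab-override from vwire-trust to vwire-untrust source 16.0.0.0/8 destination 48.0.0.0/8 application lab-http-override service application-default action allow

# --- Security path: no override; App-ID classifies the flow and threat profiles apply ---
delete rulebase application-override rules lab-http-override-rule
set rulebase security rules allow-web from vwire-trust to vwire-untrust source 16.0.0.0/8 destination 48.0.0.0/8 application web-browsing service application-default action allow profile-setting group lab-threat-profiles

commit
```

After the commit, `show session all filter application lab-http-override` lists the flows that matched the override; while the override rule is in place those sessions carry the override application name rather than an App-ID-derived one, which is the quickest way to confirm which traffic has left the Layer 7 path.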
Performance Testing: With and Without Application Override
Methodology
We used the T-Rex traffic generator to emulate high-speed data flows, setting up tests in two scenarios: without Application Override and with Application Override.
Lab
In this lab, we’ll use a T-Rex virtual machine as the traffic generator, mapping 2 network interfaces from the KVM host. The interfaces are 1G Ethernet. The DUT (Device Under Test) we’ll analyze under load is a Palo Alto NGFW configured with a Virtual Wire (nothing more) and several policies.
It’s important to note that this is a lab whose main objective is to highlight the effectiveness of the Application Override functionality.
With T-Rex, we will generate random traffic from the client network, 16.0.0.0/8, to the server network, 48.0.0.0/8.
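For readers who have not written a TRex ASTF profile before, the following is an added example of a minimal one that mirrors this lab: TCP clients in 16.0.0.0/8 open HTTP sessions to servers in 48.0.0.0/8 through the DUT. It is not the sfr_full_2k.py profile the post actually runs, and the request and response bytes, the number of hosts per side and the connection rate are constructed values for the example. The TRex API is imported lazily inside `get_profile()`, so the file can be read and unit-tested on a machine without TRex installed.

```python
"""Minimal TRex ASTF profile modelled on the lab in this post (added example).
Clients in 16.0.0.0/8 fetch one small page from servers in 48.0.0.0/8."""
import ipaddress

# Lab networks named in the post.  HOSTS_PER_SIDE is an assumption: TRex takes
# an explicit first/last address, and a whole /8 is far more than needed.
CLIENT_NET = "16.0.0.0/8"
SERVER_NET = "48.0.0.0/8"
HOSTS_PER_SIDE = 65536

# Constructed sample exchange: one small HTTP request and response per session.
HTTP_REQ = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: 48.0.0.1\r\n"
            b"User-Agent: trex-astf-lab\r\n"
            b"Connection: close\r\n\r\n")
HTTP_BODY = b"<html><body>ok</body></html>"
HTTP_RESP = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html\r\n"
             b"Content-Length: %d\r\n"
             b"Connection: close\r\n\r\n" % len(HTTP_BODY)) + HTTP_BODY


def ip_range(network: str, hosts: int):
    """First and last address of a block of `hosts` addresses at the start of
    `network`, as the two strings ASTFIPGenDist expects (network address skipped)."""
    net = ipaddress.ip_network(network)
    if hosts < 1 or hosts > net.num_addresses - 1:
        raise ValueError("hosts must fit inside the network")
    first = net.network_address + 1
    last = first + (hosts - 1)
    return str(first), str(last)


class LabHttpProfile:
    """TRex imports the profile file, calls register() and then get_profile()."""

    def get_profile(self, tunables=None, **kwargs):
        # Imported here so the module loads without the TRex package present.
        from trex.astf.api import (ASTFIPGenDist, ASTFIPGen, ASTFIPGenGlobal,
                                   ASTFProgram, ASTFTCPClientTemplate,
                                   ASTFTCPServerTemplate, ASTFAssociationRule,
                                   ASTFTemplate, ASTFProfile)
        c_first, c_last = ip_range(CLIENT_NET, HOSTS_PER_SIDE)
        s_first, s_last = ip_range(SERVER_NET, HOSTS_PER_SIDE)
        ip_gen = ASTFIPGen(
            glob=ASTFIPGenGlobal(ip_offset="1.0.0.0"),
            dist_client=ASTFIPGenDist(ip_range=[c_first, c_last], distribution="seq"),
            dist_server=ASTFIPGenDist(ip_range=[s_first, s_last], distribution="seq"))

        # Client side: send the request, then wait for the whole response.
        prog_c = ASTFProgram()
        prog_c.send(HTTP_REQ)
        prog_c.recv(len(HTTP_RESP))

        # Server side: wait for the whole request, then send the response.
        prog_s = ASTFProgram()
        prog_s.recv(len(HTTP_REQ))
        prog_s.send(HTTP_RESP)

        # cps=100 is an arbitrary base rate; the -m multiplier scales it at run time.
        client = ASTFTCPClientTemplate(program=prog_c, ip_gen=ip_gen, port=80, cps=100)
        server = ASTFTCPServerTemplate(program=prog_s, assoc=ASTFAssociationRule(port=80))
        return ASTFProfile(default_ip_gen=ip_gen,
                           templates=ASTFTemplate(client_template=client,
                                                  server_template=server))


def register():
    return LabHttpProfile()
```

Saved under `scripts/astf/` in the TRex tree, the profile runs in batch mode with the usual ASTF invocation, for example `./t-rex-64 -f astf/lab_http.py -m 1 -d 60 --astf` (the file name is the example's; `-m` multiplies the connection rate, `-d` is the duration in seconds). Swapping the request and response bytes for other protocols is how profiles such as sfr_full_2k.py build up their application mix.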
Results - Routing only: L3 Switch
Without Application Override:
With Application Override:
The results confirm that throughput improves significantly with Application Override enabled. This is because the firewall dedicates fewer resources to processing traffic, prioritizing performance over security.
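What "fewer resources" buys and what it gives up can be shown in a few lines. The added example below (not code from the post or from Palo Alto) applies two views to a handful of constructed session records: the port-and-protocol view an Application Override rule uses, and a deliberately small stand-in for App-ID-style first-packet matching. The flows where the two disagree are exactly the ones an override would label "web-browsing" without ever looking at them; the override table, the session records and the banners in them are all constructed for the example.

```python
"""Added example: audit which flows an Application Override would misclassify.
The override view uses protocol and port only; the content view inspects the
client's first payload bytes, as a simplified stand-in for App-ID."""
from dataclasses import dataclass

# Hypothetical override table in the spirit of the lab: tcp/80 -> web-browsing.
OVERRIDE_RULES = {("tcp", 80): "web-browsing"}


@dataclass
class Session:
    src: str
    dst: str
    proto: str
    dport: int
    first_bytes: bytes   # first payload bytes sent by the client


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_by_port(s: Session) -> str:
    """What an Application Override rule sees: protocol and destination port only."""
    return OVERRIDE_RULES.get((s.proto, s.dport), "unknown-tcp")


def classify_by_content(s: Session) -> str:
    """Toy first-packet classifier: a few well-known openings, nothing more."""
    b = s.first_bytes
    if b.startswith(b"SSH-"):
        return "ssh"
    if len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03:   # TLS handshake record
        return "ssl"
    if b.startswith(b"RTSP/") or b" rtsp://" in b[:64]:  # RTSP before HTTP: same verbs
        return "rtsp"
    if b.startswith(HTTP_METHODS):
        return "web-browsing"
    return "unknown-tcp"


def audit(sessions):
    """Return (override_label, content_label, session) for every disagreement."""
    findings = []
    for s in sessions:
        by_port = classify_by_port(s)
        by_content = classify_by_content(s)
        if by_port != by_content:
            findings.append((by_port, by_content, s))
    return findings


# Constructed sessions: all tcp/80 from the lab client range to the server range.
SAMPLE = [
    Session("16.0.0.1", "48.0.0.1", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: 48.0.0.1\r\n"),
    Session("16.0.0.2", "48.0.0.1", "tcp", 80, b"SSH-2.0-OpenSSH_lab\r\n"),
    Session("16.0.0.3", "48.0.0.1", "tcp", 80, bytes([0x16, 0x03, 0x01, 0x00, 0xF5, 0x01])),
    Session("16.0.0.4", "48.0.0.1", "tcp", 80, b"OPTIONS rtsp://48.0.0.1/cam RTSP/1.0\r\n"),
]

if __name__ == "__main__":
    for by_port, by_content, s in audit(SAMPLE):
        print(f"{s.src}->{s.dst}:{s.dport}/{s.proto}  override={by_port:12s} content={by_content}")
```

On the sample above only the first session is genuinely HTTP; the other three are carried as "web-browsing" under the override and would be classified as ssh, ssl and rtsp by content inspection. On a real firewall the equivalent check is to compare the application names the override assigns against what App-ID reports for the same flows before the override rule is enabled, and to keep the override scoped to the narrowest source, destination and port that the known traffic actually needs.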
Balance: Performance vs Security
Application Override is a useful tool in specific scenarios, such as labs or environments where the generated traffic is known and trusted. However, its use comes with a significant security trade-off. By disabling deep analysis, the firewall's ability to:
Conclusion
When evaluating the performance of a Palo Alto device using the T-Rex generator, Application Override demonstrates its potential to enhance throughput. However, this functionality must be used with extreme caution, as it sacrifices security in exchange for speed. In critical environments, it is vital to balance performance and security, maintaining strict controls and using Application Override only when absolutely necessary.
Have you tested this functionality on your devices?
DOCUMENTATION