So the new appliance sizing chart is out and it is supposed to reflect a better enterprise traffic mix than those used in the past, and HTTPS inspection is not mentioned there.
I really would like to think that it is accounted for and simply omitted, but am really skeptical about it.
Please vote for or against inclusion of the HTTPS inspection in the spec sheet and comment on the subject.
| Yes | 32 |
| No | 1 |
Just wanted to note that with the Sizing tool, Check Point is already ahead of the competition in terms of transparency of the real world performance figures.
Adding HTTPS to the picture is a bit tricky, because quantifying metrics should be based on some common practices, and there are just a few at this time.
I would prefer to see both: the common practice, to compare with the competition, and the real sizing, with HTTPS, CIFS, SMB, etc.
Right now, we are left to guess what the performance will be once these inspections are enabled and may either over or under size the appliances.
Having Check Point's figures would be a lot better.
I recently went through the sales process and I agree that having the HTTPS inspection numbers published would have been very helpful. However, their other performance statistics were essential to making an informed decision especially when comparing to other vendors.
That being said, to get those extra answers about sizing I heavily utilized their sales team which helped tighten up on the model I needed.
In my book I gave a very general recommendation to basically double the sizing of an appliance if HTTPS Inspection will be deployed, and this has been spot-on in the real world. However, keep in mind that suggestion was based on R80.10 and R77.30 gateways, and there have been some optimizations regarding HTTPS Inspection in the R80.20 gateway; I'm still working out just how much of an improvement. Buying a firewall appliance possessing a processor architecture that supports AES-NI (5600+) and SMT/Hyperthreading (5800+) will certainly help if you plan to use HTTPS Inspection extensively, as will making sure Gaia is running in 64-bit mode.
The upcoming Falcon cards will of course be a major game changer in this area and are expected to be supported all the way down to the 5100 appliance.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Tim, can you elaborate if the x2 you are referring to is applicable to the 5600+ appliances or the smaller units?
I would imagine that this number would differ significantly between smaller units and those capable of AES-NI.
Additionally, I recall having a conversation while in CP HQ, in which I have stated that nothing with less than 4 cores should really be recommended in post R80.20 world.
Do you, perchance, recall in what context I could've come up with it?
Hi Vladimir,
AES-NI will certainly help, at least with websites utilizing that in their active cipher suite. The x2 is a rough recommendation; frankly I wouldn't be comfortable doing HTTPS Inspection on a 5400 or smaller box at all unless Internet bandwidth was less than 50Mbps and ended up being the primary performance constraint. Unless the <5400 box has a Falcon accelerator card in it, of course. 🙂 I doubt the HTTPS Inspection optimizations in R80.20 will help much on a 2-core firewall.
The context of that "less than 4 cores" conversation concerned the fact that if CoreXL is enabled and a firewall has 2 cores, both of them will try to serve "double duty" by acting both as a SND/IRQ core and a Firewall Worker core. This is much less efficient than having each core dedicated to only one function and defeats many of the gains provided by CPU fast caching, as the CPU caches thrash back and forth between the two functions. In some cases disabling CoreXL completely on a 2-core firewall can actually improve the situation, as one core is dedicated to SND/IRQ functions and the other one is the solitary Firewall Worker. No easy way to know for sure ahead of time if disabling CoreXL on a 2-core firewall will help or hurt, just have to try it...
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
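The CPU traits raised in the two replies above (AES-NI, SMT/Hyperthreading, and the core count behind the CoreXL "double duty" concern) can be read from standard Linux `/proc/cpuinfo` text. The script below is an added example, not part of the thread or of any Check Point tooling; the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input is text in /proc/cpuinfo layout.

# cpu_traits FILE -> prints "aes=<yes|no> smt=<yes|no> cores=<n>"
#   aes   : the "aes" CPU flag is present (AES-NI)
#   smt   : more logical siblings than physical cores per package
#   cores : physical cores per package
cpu_traits() {
    awk -F': *' '
        # Match "aes" as a whole word so that flags such as "vaes" do not count.
        /^flags/     { if ($2 ~ /(^| )aes( |$)/) aes = 1 }
        /^siblings/  { sib = $2 + 0 }
        /^cpu cores/ { cores = $2 + 0 }
        END {
            printf "aes=%s smt=%s cores=%d\n",
                   (aes ? "yes" : "no"), (sib > cores ? "yes" : "no"), cores
        }' "$1"
}

# corexl_note FILE -> prints which core-count range from the thread applies
corexl_note() {
    cores=$(cpu_traits "$1" | sed 's/.*cores=//')
    if [ "$cores" -le 2 ]; then
        echo "2 cores or fewer: with CoreXL on, cores share SND/IRQ and Firewall Worker duty"
    elif [ "$cores" -lt 4 ]; then
        echo "fewer than 4 cores"
    else
        echo "4 or more cores"
    fi
}

# Constructed sample inputs (hypothetical CPUs, trimmed to the relevant fields).
SAMPLE_SMALL=$(mktemp)
SAMPLE_BIG=$(mktemp)
cat > "$SAMPLE_SMALL" <<'EOF'
processor : 0
siblings : 2
cpu cores : 2
flags : fpu sse2 ssse3 lm
EOF
cat > "$SAMPLE_BIG" <<'EOF'
processor : 0
siblings : 8
cpu cores : 4
flags : fpu sse2 ssse3 lm aes avx
EOF

cpu_traits "$SAMPLE_SMALL"; corexl_note "$SAMPLE_SMALL"
cpu_traits "$SAMPLE_BIG";   corexl_note "$SAMPLE_BIG"
```

On a live Linux-based system the same function can be pointed at `/proc/cpuinfo`; the reported core count is per physical package, so multi-socket hardware needs the packages summed.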
Thank you!
I was going nuts trying to pin-down the reasoning for that conviction but could not recall the particulars.
Going to CC Valeri Loukine as I've mentioned it to him but he could not recall this discussion.
Your reply is extremely timely: I am in the process of recommending appliances for a potential client and this was the sticking point.
Cheers,
Vladimir
Tim,
Did you ever get to test disabling CoreXL on a 2-core firewall to determine if it helps with performance improvements or doesn't?
As mentioned in my book disabling CoreXL on a 2-core firewall might help and it might not, depends mainly on the distribution of traffic in the various paths.
--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
I am still reading it, but jumping from chapter to chapter as I go.