Create a Post
Showing results for 
Search instead for 
Did you mean: 

General question about firewalls

Hi Guys,
I am extreme beginner on firewalls and network. I have a question, which will sound very naive. My brother company has around 500 employees in the same branch where he works. They have two firewalls in HA and then switches and then their servers. They run many web applications in their servers and a large amount of data is uploaded to the internal storages from internal endpoints.

They have multiple 16G and 25G network cards in their server, storage, switches and firewalls and they have 3 ILL line 2x500 Mbps and 1x350 Mbps.

My question is why do they need 25G interfaces in the firewalls? For servers, storage and swithes I can understand, since a lot of data is moved internally. But internal data can be routed through switches and their fastest ILL is 500Mbps. Since internal data dosen't need firewall to move around, so whats the use for 25G interfaces? Even most companies I have seen with fast ILL is 1Gbps, so shouldn't 1Gbps interface on firewall is enough, since data that come and goes through internet cannot be more than their ILL spped ? In general whats the use of firewall interfaces with higher gigabit speed than the ILL ?

0 Kudos
2 Replies

Is the firewall an appliance or open server?

Often depends on the role of the FW i.e. DMZ or Internal east-west segmentation etc

Perhaps also the switches predominant port type is favoured for standardization vs others needing different equipment/models?


Chris already mentioned a few points. We (1500 employees in the HQ) use two separate Firewall Clusters. One is for DMZ/Internet use so every subnet/vlan is routed on the Firewalls and not the Switches because we only want to allow minimum access between those subnets and DMZ servers are reachable from the Internet most of the time. In this case we are using 10G interfaces because we need more speed than just the Internet connection.

A valid point is also that most Core Switches where the Firewalls are connected are Fiber only and you really don't want 1G Transceivers in there. So you choose 10G or even 25G depending on the Switch or available Ports.

The second Cluster is for separating internal networks between each other. This is fairly new for us but also forces us to use the Firewalls as the routing instance and not the Switches. In that case we have 25G Interfaces on that Firewall as there can be very high traffic for Backups etc. It also allows us to use the IPS feature between internal networks.