fjulianom
Contributor

How to size a firewall according to the different throughputs

Hi checkmates,

For sizing a firewall I know I have to consider many things such as the max. number of concurrent connections, types of interfaces, throughputs and so on. Regarding the different kinds of throughput I have some doubts. Let's take the 5600 SG appliance as an example, which has a firewall throughput of 20.4 Gbps, an NGFW throughput of 5.1 Gbps, and a threat prevention throughput of 2.78 Gbps. As far as I know, briefly, that means that if you don't use any UTM features you will have a total throughput of 20.4 Gbps, but if you activate application control and IPS, you will have a throughput of 5.1 Gbps because the gateway has to scan the traffic, and if you also want to use the URL filtering and antivirus features, you will have a throughput of 2.78 Gbps, because the gateway has to do even more scanning.
Then, my doubts are:
  1. If you don't activate any UTM features, I will have 20.4 Gbps of throughput. This considers the sum of the transmitted and received traffic of all the interfaces of the firewall, right?
  2. If I have a users VLAN interface which uses 500 Mbps and where I want to activate URL filtering and antivirus, will I have to consider a throughput of 2.78 Gbps?
  3. If I have a mix of interfaces, some of which use antivirus, others which use application control and IPS, and others which only use firewall rules, will I have to add the bandwidth of all the interfaces and consider the threat prevention throughput, which is the most restrictive?
  4. What about the VPN throughput, which is 6.5 Gbps for the 5600 SG appliance? Is this SSL VPN throughput or IPSec VPN throughput? Is this the VPN throughput if I don't activate any other UTM features, or will it be decreased if I activate antivirus, IPS or another UTM feature?
Thanks in advance.
Regards,
Julián


14 Replies
Chris_Atkinson
Employee

To understand the basis of the test numbers you can review the white paper available here:

https://pages.checkpoint.com/enterprise-security-performance.html

Additional consideration should be given to the volume of SSL/TLS traffic to be inspected if enabled.

fjulianom
Contributor

Hi Chris,

Interesting article; it explains the basis of the test numbers as you said, but it doesn't address my doubts. However, if we take the appliance sizing tool and manual sizing, the tool has two key inputs: gateway total throughput and number of users. I am surprised that the utility asks for the number of users instead of the number of concurrent connections. On the other hand, what number do we have to type for the gateway total throughput? The sum of all the gateway interfaces' bandwidth? The Internet bandwidth?


Regards,

Julian

Chris_Atkinson
Employee

The tool is intended to be simple to use; from the number of users provided we can derive the other data for a typical use case based on some assumptions.

If you have advanced requirements please discuss those with your local SE who can if necessary liaise with Solution Center for a detailed sizing analysis based on a current appliance model. For concurrent connections memory population is typically the concern.

Chris_Atkinson
Employee

1. Up to the stated datasheet figure depending upon your installed version, configuration and traffic profile/mix.

2. Possibly higher and approaching the NGFW firewall figure in some cases, again depending on your unique deployment scenario and if things like deep archive scanning or SSL inspection are enabled (impacts performance).

3. Reference the threat prevention performance metrics in such a case. Technologies such as "fast accel" can assist with extracting the most performance for specific trusted flows.

4. IPSec VPN throughput with AES-128 (AES-NI compatible algorithms are used for optimal results.)

Kaspars_Zibarts
Authority

There's one more thing you need to consider: all those numbers are MAX, when CPUs have been pushed to the limit. In your daily life you don't want your appliance running at 99% CPU with no headroom for any "bumps". Halve the numbers for a realistic approach.

To give you a real-life example from the same series, the 5900: we run all blades but threat extraction, and the box at 100% CPU would probably meet the datasheet numbers, roughly 7 Gbps. But I would never allow it to go that far. Normally we start planning upgrades at 50% CPU as it gives us sufficient time to plan and implement.

Pure FW throughput: I have actually never seen any appliance getting anywhere near the advertised numbers in real life, I'm afraid. We have a bunch of mid and high end appliances and at best I would say we could squeeze out about half of the advertised FW throughput.

With Check Point it is a big "guesstimation" when it comes to sizing. It all depends on the traffic mix you have and your own experience / gut feeling. 🙂
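To make the sizing logic from the replies above concrete, here is an added example (not from the thread or from Check Point): it maps each network segment to the datasheet tier its enabled blades force (the 5600 figures quoted in the question), compares the "charge everything against the most restrictive tier" reading of question 3 with a per-segment weighted model, and applies the 50% headroom rule of thumb. The blade-to-tier mapping, the weighted model and the sample segments are assumptions for illustration.

```python
from dataclasses import dataclass

# Datasheet figures for the 5600 quoted in the question, in Gbps.
TIERS_5600 = {"firewall": 20.4, "ngfw": 5.1, "threat_prevention": 2.78}

# Blade -> inspection tier it forces, following the thread's grouping
# (App Control/IPS = NGFW figure; URLF/AV = Threat Prevention figure). Assumed.
TIER_OF_BLADE = {
    "appctl": "ngfw", "ips": "ngfw",
    "urlf": "threat_prevention", "av": "threat_prevention",
}

@dataclass
class Segment:
    name: str
    gbps: float            # peak tx+rx load crossing the gateway, Gbps
    blades: tuple = ()     # blades enabled for this segment's traffic

def tier_for(blades, tiers=TIERS_5600):
    """Most restrictive (lowest-throughput) tier any enabled blade triggers."""
    names = ["firewall"] + [TIER_OF_BLADE[b] for b in blades if b in TIER_OF_BLADE]
    return min(names, key=lambda t: tiers[t])

def conservative_load(segments, tiers=TIERS_5600):
    """All traffic charged against the single most restrictive tier in use
    (the 'add everything up, use the TP figure' reading of question 3)."""
    total = sum(s.gbps for s in segments)
    worst = min((tier_for(s.blades, tiers) for s in segments), key=lambda t: tiers[t])
    return total / tiers[worst]

def weighted_load(segments, tiers=TIERS_5600):
    """Each segment charged only against its own tier, fractions summed.
    Assumed simplification for illustration, not a Check Point formula."""
    return sum(s.gbps / tiers[tier_for(s.blades, tiers)] for s in segments)

def fits(load_fraction, headroom=0.5):
    """Rule of thumb from the thread: plan against half the datasheet figure."""
    return load_fraction <= headroom

# Constructed sample mirroring the question's mixed deployment.
SAMPLE = [
    Segment("users-vlan", 0.5, ("urlf", "av")),   # question 2's 500 Mbps VLAN
    Segment("servers", 1.0, ("appctl", "ips")),
    Segment("dmz", 2.0),                           # firewall rules only
]

if __name__ == "__main__":
    for label, f in (("conservative", conservative_load), ("weighted", weighted_load)):
        load = f(SAMPLE)
        print(f"{label:12s} load = {load:.2f} of datasheet, fits at 50%: {fits(load)}")
```

With the sample, the conservative model says the 5600 is oversubscribed while the weighted model leaves it just inside the 50% headroom, which is exactly the gap the reply above attributes to traffic mix.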

fjulianom
Contributor

Thank you guys for your answers! Much more clear 😊

fjulianom
Contributor

Hi,


This is an excerpt of the 5900 series datasheet:

[Image: 5900.PNG, excerpt of the 5900 series datasheet]

Why does Check Point give the values under Ideal Testing Conditions if they are not very useful? And why are the connections per second and concurrent connections values only given under Ideal Testing Conditions and not under the more realistic Enterprise Testing Conditions like the others?

Regards,

Julián

Chris_Atkinson
Employee

The values are often used for paper-based comparisons with other vendors' products, where similar logic is used.

If a detailed sizing is required please consult with your SE as the data will likely also have changed with optimizations in more recent software versions.

fjulianom
Contributor

Then that's a good point, but I still think it would be nice if they gave the max concurrent connections and max connections per second under Enterprise Testing Conditions.

On the other hand, generally in real enterprise networks, what limits firewall performance more, concurrent connections or throughput?

Regards,

Julian

Marcel_Gramalla
Advisor

From what I know, the max concurrent connections is just limited by the RAM of the machine. The connections per second are such a theoretical thing and depend on so many factors that you can't really give a number. I bet you will never ever be anywhere near the 200k connections for that appliance in a real environment. With many enabled blades, a 6-core VM (GCP in my case) is nearly at max utilization with around 3000-5000 connections per second and just 200 MBit/s of traffic. With low connections it can also handle 3 GBit/s of throughput.

Your last question really depends on where your firewall is located. If it is handling internet access for many users with Anti-Virus, HTTPS Inspection etc., you will clearly hit the limit with the connections per second first rather than throughput. In other cases you can easily be limited by throughput.

fjulianom
Contributor

Thanks for the answer. I thought the number of concurrent sessions was given by the traffic the users are generating, and not by the security features the firewall is using for that traffic (AV, App Control, etc.). Am I wrong?

Marcel_Gramalla
Advisor

Concurrent sessions means (if I'm not wrong) the number of connections in the firewall table, so it's just limited by RAM and does not depend on activated features. On our external firewall (internet access for users) we have the following stats to give you an idea:

80000 concurrent connections
1500 connections per second
1.5 GBit/s throughput
Nearly all blades are enabled, https inspection only for about 10% of the connections (but no Threat Emulation)

Our 16 Core Open Server (HPE DL360 Gen10) has an average load of about 25-30% with that setup. 

fjulianom
Contributor

That's ok, I only misunderstood when you said "If it is handling internet access for many users with Anti-Virus, HTTPS Inspection etc., you will clearly hit the limit with the connections per second first rather than throughput." Thanks for the clarification.

Regards,

Julián

the_rock
Champion

I'm no sales person, but I can tell you from my experience that the 6200 and 6400 are fantastic even for bigger companies; they perform really well.
