Firewall Wizards mailing list archives
Re: Firewall scaling
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 22 Feb 2004 15:23:09 +0100
Tim Chettle wrote:
What view do you all have on firewall scaling / performance? I have a requirement for a Gig capable firewall capable of handling approx 100k sessions concurrently, with varying packet sizes, and I am unsure of the session setup rate. I would appreciate the list's views on factors to look for in terms of performance indicators and experiences.
I'm unsure what you're asking for here, but given your actual requirements, I thought I'd give you my view of what you should be shopping for in terms of raw numbers.

If by "gig capable" you mean "capable of forwarding 1 gigabit/s in each direction", you need to double your numbers and aim for something that claims to handle 4 gbps/s. The reason is that nearly all throughput figures list throughput for full packet sizes.

So: rule of thumb: double your throughput figures, unless you know for a fact that the numbers presented are mixed packet size figures.

For state table size: if your 100k connections is your expected normal usage, you need to guard against temporary floods to some extent, i.e. worm outbreaks such as SQL slammer. Or, heck, forget about worms, a room full of Unreal Tournament players can flood your state table by just refreshing their server lists at the same time.

I'd recommend that you over-dimension your state table by at least a factor of three, so you should be shopping for something with a state table size of at least 300k connections. This way, the firewall has a better chance of dropping unwanted connections when the state table does fill up.

Actually, all this is just sensible engineering that has been applied to all forms of construction for oodles of years -- it's just something that we sometimes forget in network engineering.

[disclaimer: I work for a company that manufactures firewalls, so for all you know, I could be flat out lying about firewall sizing just to get you to buy a bigger box :) ]

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com