Firewall Wizards mailing list archives

Re: Real World PIX 535 Performance


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sun, 05 Oct 2003 09:17:12 -0400

Kevin Miller wrote:
Does the PIX 535 actually support 500,000 simultaneous sessions in a real
world situation?  
Does the PIX 535 really live up to the 1.7Gbps of firewall throughput claim?


The answer to both of those is a combination of:
        - Probably
        - It depends
        - How could you tell if it didn't?
        - It almost certainly could be made to NOT live up to it if you tried

In other words, there are most likely combinations of circumstances
that would make it either easily handle those loads or be unable to
handle those loads, depending on traffic content, IP-level characteristics
of the traffic, number of hosts on either side, protocols in use, etc.
The other bummer is that building a lab that can test gigabit products
to something approaching their performance edges is a very hard and
expensive proposition. Very few of the tests that I've seen run are
even meaningful (having been consciously or unconsciously "cooked"
in one direction or another).

If you've got a network such that your existing performance measures
indicate there's a likelihood the device may not be able to handle
your load, your best bet is to test the actual device in your actual
network. The reason I say this is because when sites get up to
those performance levels, their traffic is often quite unique; i.e., one
site might be doing a ton of streaming video, while another might
be doing a ton of file-sharing, another incoming HTTP and another
outgoing SSL. Each of those protocols has very different properties
that might cause one product to be happy, or another to fall over
bleeding on the floor.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

