Firewall Wizards mailing list archives
Re: Question on Cisco ASA's... do all the features slow it down?
From: "John G." <isaac737 () gmail com>
Date: Tue, 11 Dec 2007 10:56:22 -0800
greetings and salutations. peace to the nations.

well, i don't understand really what you mean by the packet sizes and first match vs. last match. i am more a firewall apprentice than firewall wizard.

what i can definitely agree with is the performance data that a certain company from the Bay Area says their firewalls can do around 200 Megabits/second. we are seeing 80% CPU load on the firewall (watched via Nagios and Cacti) when we push around 10 Megabits/second.

how is this even a useful metric is my question? 200 Megabits/second with a default ALLOW ANY to ANY ruleset on both in and out?? :P

-jg

On Dec 10, 2007 9:42 PM, Carson Gaspar <carson () taltos org> wrote:

> jacob c wrote:
>> 1) Firewall performance figures from all vendors are highly overrated on the datasheets.
>
> If you want to get a certain firewall company to complain to your senior management that you're being "mean" and try and get you fired, demand 64 byte packet last-match performance numbers (as opposed to the 1500+ byte first match numbers they'll try and give you). Also be very careful to ask about behaviour when this limit is exceeded. It was very informative to see which vendors were packet rate limited and which were bit rate limited. The performance scaling with ruleset size was also interesting.
>
> Sadly I don't know of any vendors that publish this data openly. I do know that you can tell a good one by their reaction when you ask for it.
>
> (And, no, I'm not making this up. But I'll refrain from naming names since they can afford to sue me out of existence.)
>
> --
> Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
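An added illustration of the packet-size and first-match vs. last-match point raised in this thread (not code from any poster or vendor): it converts the 200 Megabits/second figure into packets per second for 64-byte and 1518-byte Ethernet frames and counts rule comparisons when traffic hits the first or the last rule. Assumptions: "first match" and "last match" are read as traffic matching the top or the bottom rule of a ruleset scanned linearly from the top, and the 500-rule ruleset, addresses and ports are constructed; real devices may compile rules or cache flows.

```python
from ipaddress import ip_address, ip_network

WIRE_OVERHEAD = 20  # bytes per Ethernet frame: preamble + SFD (8) and inter-frame gap (12)

def packets_per_second(bits_per_second, frame_bytes):
    """Frames per second needed to fill the given bit rate with frames of one size."""
    return bits_per_second / ((frame_bytes + WIRE_OVERHEAD) * 8)

def build_ruleset(n):
    """Constructed ruleset: n-1 host rules, then one network rule at the bottom."""
    rules = [(ip_network(f"10.0.{i // 256}.{i % 256}/32"), 443, "permit")
             for i in range(n - 1)]
    rules.append((ip_network("192.0.2.0/24"), 80, "permit"))
    return rules

def evaluate(rules, dst, port):
    """Top-down linear scan that stops at the first matching rule.
    Returns (action, number of rules compared)."""
    addr = ip_address(dst)
    for compared, (net, rule_port, action) in enumerate(rules, start=1):
        if port == rule_port and addr in net:
            return action, compared
    return "deny", len(rules)  # implicit default deny after a full scan

def rule_checks_per_second(bits_per_second, frame_bytes, compared):
    """Rule comparisons per second the device must sustain at this rate."""
    return packets_per_second(bits_per_second, frame_bytes) * compared

if __name__ == "__main__":
    rate = 200e6  # the 200 Megabits/second datasheet figure quoted in the thread
    rules = build_ruleset(500)
    cases = {
        "1518-byte frames, hit on first rule": (1518, evaluate(rules, "10.0.0.0", 443)),
        "64-byte frames, hit on last rule": (64, evaluate(rules, "192.0.2.10", 80)),
    }
    for label, (size, (action, compared)) in cases.items():
        pps = packets_per_second(rate, size)
        checks = rule_checks_per_second(rate, size, compared)
        print(f"{label}: {pps:,.0f} pps, {compared} rules/packet, "
              f"{checks:,.0f} rule checks/s")
```

At the same bit rate the small-frame, bottom-rule case demands roughly 18 times the packet rate and, in this linear model, several thousand times the rule comparisons per second.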