Firewall Datasheets – Behind the scene

Posted on April 16, 2013


I have just analysed some small office firewalls (UTM devices, to use the newer term) from the market leaders and checked their datasheets.
The vendors still have too much freedom to express the advantages of their products and to publish performance values without giving a complete description of how they were obtained.
The published performance values do not say much and cannot be compared to each other. (If we could compare them, there would be only one vendor on the market.)

I went through the following datasheets:
Fortigate 60D
Checkpoint 1100
Cisco ASA
Juniper SRX210
Juniper SSG20

I tried to compare them and summarize some values here:

Checkpoint 1100 Appliance

Users: Up to 10 (largest 50)
Firewall (Gbps): 0,75 (largest 1,5)
VPN (Mbps): 140 (largest 220)
IPS or Antivirus (Mbps): 100
Price: from 599 USD

Cisco ASA 5505 Appliance

Users: Up to 10 (largest )
Firewall (Gbps): 0,15
VPN (Mbps): 100
IPS or Antivirus (Mbps): 75
Price: ~300 USD

Cisco ASA 5510 Appliance

Users: ?
Firewall (Gbps): 0,30
VPN (Mbps): 170
IPS or Antivirus (Mbps): 150 (largest 300)
Price: ~2000 USD

Juniper SSG20

Users: Unrestricted
Firewall (Gbps): 0,16
VPN (Mbps): 90
IPS or Antivirus (Mbps): ?
Price: ~450 USD

Juniper SRX210

Users: Unrestricted
Firewall (Gbps): 0,85
VPN (Mbps): 85
IPS or Antivirus (Mbps): 65
Price: ~700 USD

Fortigate 60D

Users: ?
Firewall (Gbps): 1,5
VPN (Mbps): 1000
IPS or Antivirus (Mbps): 200 (Antivirus 35/50)
Price: ~650 USD

From this list, the best choice seems to be the Fortigate 60D. But it is not that easy: we have many points to keep in mind before we accept those values and make a decision. I have tried to summarize here the variables and options that can change or influence the maximum values of the firewall performance.

Firewall throughput’s variables and options:

  • Multicast or unicast traffic: Most sessions are simple unicast.
  • Protocol: The transport protocol on layer 4 of the OSI model, generally TCP or UDP (or ICMP). It can be stateful or stateless (TCP is stateful, UDP is stateless).
  • MTU Size: Maximum Transmission Unit (generally it is smaller than 128 bytes or between 1000 and 1500 bytes). See the picture below.
  • Connection lifetime: The time the session exists in the firewall (generally it is less than a minute)
  • Transaction size: Bytes transferred within one session (generally it is less than 2 Kbytes)
  • IP Fragmentation: Should the firewall rebuild the fragmented packets? Can the DF bit be set or not?
  • TCP Window size:
  • TCP MSS size:
  • Routing table: The number of route entries
  • Firewall and NAT Policies: The number of access-lists and NAT rules. (The complexity counts; an optimized rulebase gives better values.)
  • Firewall Features: Normally no other feature, such as IPS or Antivirus, is activated during the firewall throughput test.
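
An added example (not from the original post or from any vendor) showing why the packet-size variable alone makes the quoted figures hard to compare: it turns a datasheet throughput into a packets-per-second ceiling and re-derives throughput at other frame sizes. Only the Gbps figures come from the list above; the 1518-byte test frame, the pps-bound model and the traffic mix are assumptions.

```python
# Added example. Assumption: the firewall is bound by packets per second, so the
# pps it reaches in the vendor's large-frame test is its ceiling at every frame size.

# Firewall throughput in Gbps as quoted in the list above.
DATASHEET_GBPS = {
    "Checkpoint 1100": 0.75,
    "Cisco ASA 5505": 0.15,
    "Juniper SRX210": 0.85,
    "Fortigate 60D": 1.5,
}

ASSUMED_TEST_FRAME = 1518  # bytes; assumed, the post gives no test conditions

# Constructed traffic mix (frame bytes, share of packets), following the post's
# remark that packets are mostly under 128 bytes or between 1000 and 1500 bytes.
CONSTRUCTED_MIX = [(64, 0.6), (1400, 0.4)]


def pps_ceiling(datasheet_bps, test_frame_bytes):
    """Packets per second implied by a throughput figure at the tested frame size."""
    return datasheet_bps / (test_frame_bytes * 8)


def throughput_bps(pps, mix):
    """Bits per second carried at a fixed pps when frames follow the given mix."""
    shares = sum(share for _, share in mix)
    if abs(shares - 1.0) > 1e-9:
        raise ValueError("packet shares must sum to 1")
    return pps * 8 * sum(size * share for size, share in mix)


def normalise(datasheet_gbps, test_frame_bytes=ASSUMED_TEST_FRAME, mix=CONSTRUCTED_MIX):
    """Return (pps ceiling, Mbps at 64-byte frames, Mbps for the mix)."""
    pps = pps_ceiling(datasheet_gbps * 1e9, test_frame_bytes)
    small = throughput_bps(pps, [(64, 1.0)]) / 1e6
    mixed = throughput_bps(pps, mix) / 1e6
    return pps, small, mixed


if __name__ == "__main__":
    for device, gbps in DATASHEET_GBPS.items():
        pps, small, mixed = normalise(gbps)
        print(f"{device:16} {gbps:5.2f} Gbps -> {pps:9.0f} pps, "
              f"{small:6.1f} Mbps @64B, {mixed:6.1f} Mbps mixed")
```

Changing `test_frame_bytes` for a single device shows how far the same datasheet number can move once the undisclosed test frame size is taken into account.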


Firewall latency’s variables and options:

  • Same as firewall throughput’s variables
  • When measuring latency, there are 3 places to “lose time” (we are talking about microseconds!):
    • Server (Interface Performance, Server Application Performance, etc)
    • Network (Layer 2 and 3 devices between the server and destination have latency too)
    • Client (Interface Performance, Client Application Performance, etc)

I would measure the latency of a firewall the following way:
1.) Measure without the firewall.
If possible, use the networks directly connected to the firewall.
If that is not possible, measure in the network directly connected to the server.
2.) Measure with the firewall.
If possible, use the networks directly connected to the firewall.

The latency is the value from 2. minus the value from 1. That way the server latency is not included.
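
The two-step subtraction above, as an added example that is not part of the original post: it parses ping output from both measurements and reports the difference in microseconds. The ping lines are constructed sample data, and using ICMP echo as the probe is an assumption.

```python
import re
import statistics

# Constructed ping output (not real measurements). Step 1: path without the
# firewall. Step 2: same endpoints with the firewall in the path.
WITHOUT_FW = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.212 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=0.198 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=0.205 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=0.231 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=64 time=0.201 ms
"""
WITH_FW = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=0.341 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=63 time=0.329 ms
Request timeout for icmp_seq 3
64 bytes from 192.0.2.10: icmp_seq=4 ttl=63 time=0.352 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=63 time=0.338 ms
64 bytes from 192.0.2.10: icmp_seq=6 ttl=63 time=0.612 ms
"""

RTT_RE = re.compile(r"time=([\d.]+) ms")


def rtts_us(ping_output):
    """Round-trip times in whole microseconds; lost probes have no time= and are skipped."""
    return [round(float(ms) * 1000) for ms in RTT_RE.findall(ping_output)]


def firewall_latency_us(without_fw, with_fw):
    """Value from step 2 minus value from step 1, per statistic, in microseconds.

    A ping round trip crosses the firewall twice (request and reply), so these
    deltas cover both traversals.
    """
    base, fw = rtts_us(without_fw), rtts_us(with_fw)
    if not base or not fw:
        raise ValueError("need at least one reply in each measurement")
    return {
        "median": statistics.median(fw) - statistics.median(base),
        "worst": max(fw) - max(base),
        "replies": (len(base), len(fw)),
    }
```

Comparing medians rather than single probes keeps one slow reply from dominating the result, while the worst-case delta shows how large such outliers are.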

Variables and options of concurrent sessions:

  • Same as firewall throughput’s variables
  • We need to consider whether a session exists with no activity through it, or whether a high-volume or low-volume payload is transferred through it continuously. Or not? What do you think?

IPSec VPN throughput’s variables:

  • Authentication method: pre-shared or certificate
  • Encryption method for Phase I and II.
  • Including the firewall throughput’s variables and options (if required. But there is no VPN Gateway without a firewall…)

Variables and options of Antivirus:

  • Operational mode: It can be Flow based or Proxy based
  • Including the firewall throughput’s variables and options (if required. But there is no AV Gateway without a firewall…)
  • Including the IPSec VPN throughput’s variables and options (if required)

IPS throughput’s variables:

  • activated protocol inspections
  • activated IPS signatures
  • activated IPS engines
  • Including the firewall throughput’s variables and options (if required. But I guess no one uses a UTM device only for IPS…)
  • Including the IPSec VPN throughput’s variables and options (if required)

The IPS values in the vendors’ datasheets are absolutely not clear. It should be defined exactly what the vendors mean by IPS and what they configured to reach the values in the datasheets.


There is one vendor that gives us more and more details about the values, and that is Fortigate.

The best way to buy a new firewall is to test it on your own network (or with traffic generators and tools, like those mentioned here) for a couple of weeks. Before the test, however, you should know your network, and it should be clear what you want to do with the firewall and what kind of traffic you have (what kind of services you use or offer that use your network and cross your firewall).

What do you think?

Posted in: Security