Need 100 gb/sec firewall... suggestions?

lordsegan

I need a firewall that can handle 100 gigabits per second to the internet.

Budget is essentially unlimited. Does anyone know which manufacturers (if any) offer such a product? I think I saw one from Fortinet that claims 480 gb/sec which would be overkill...
 
Fortinet 3950-B

Can handle 120gbit/s

Should be sufficient for your requirements....

Fortinet 5140-B is the world's fastest firewall according to several reviews. It will cost about $50-70K when all is said and done. The 3950 should be significantly less expensive.

Must be nice to have an unlimited budget. I would have that same budget pay to train and certify you in whatever tech you decide to go live with.
 
Palo Alto might be one to look at as well. A friend of mine has been recommending them pretty strongly, and I found a pretty nice tech brief showing a 100Gbps implementation using some Arista switches in front of a few PA-5060s running in parallel:
http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf

I have absolutely zero idea what that would cost. Probably a lot, but it sure looks cool.

And also, those Fortinet prices in the post above mine seem way too low, but that's just off my random googling and not any real experience with them.
 
That Fortinet price seems low. If it is under 100K I would be extremely excited...
 
Also, perhaps you should investigate being able to scale outwards... a design of 10 firewalls that each do 10Gb/sec is much easier to scale than 1 that does 100.
 
> Palo Alto might be one to look at as well. A friend of mine has been recommending them pretty strongly, and I found a pretty nice tech brief showing a 100Gbps implementation using some Arista switches in front of a few PA-5060s running in parallel:
> http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf
>
> I have absolutely zero idea what that would cost. Probably a lot, but it sure looks cool.
>
> And also, those Fortinet prices in the post above mine seem way too low, but that's just off my random googling and not any real experience with them.


I have mixed feelings on the Palos so far. Hoping new firmware changes my opinions of that though. They seem to creep at times.
 
The Check Point 61000 is faster than a Fortinet 5140. It is anything but inexpensive. I had one in the lab a few weeks back. The load gen gear I've got in our eval lab was unable to come anywhere close to maxing it. I was able to get it to just above 100Gb. CP claims it will do 200Gb. However, it is not that simple. Are you looking for just firewall or firewall+ips or firewall+ips+av or firewall+ips+url or some other combination? How many and what types of interfaces? All of this matters a great deal. Both the CP 61K and the Fortinet 5K are chassis and are built using blades, and your throughput will vary greatly depending on how the chassis are populated. Also both are incredibly loud (the 61K is louder) and generate tremendous heat. If you have specific questions I can likely answer them. I still have a 5K in the lab but the 61K has been sent to another group for eval.

I notice you are using Fortinet marketing numbers. Please note almost all firewall marketing numbers are based on stateless UDP packet sizes. Fortinet, to their credit, generally do provide different numbers for different packet sizes. In general the larger the packet the higher the throughput. You can read RFC 2544 for a quick primer on the published testing methodology; they all use it to some degree. IMHO this is a worthless benchmark for firewalls. It is a router test. You must understand what your traffic mix is and focus on that. I can tell you for certain: if your shop is VoIP or streaming video centric and you're looking for more than basic firewall, good luck.
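
An added example, not part of any post in this thread: it works through the point above about packet size and traffic mix by converting a datasheet figure into a packet rate and re-applying that rate to smaller frames. It assumes the device is limited by packets per second; the 100 Gbps rating, the 1518-byte measurement size and the 7:4:1 mix are constructed inputs, not figures for any product named here.

```python
import math

# Ethernet frame sizes (bytes) that RFC 2544 specifies for throughput sweeps.
RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)

def implied_pps(datasheet_bps, frame_bytes):
    """Packet rate a datasheet figure implies at the frame size it was measured with."""
    return datasheet_bps / (frame_bytes * 8)

def throughput_bps(max_pps, frame_bytes):
    """Throughput of a packet-rate-bound device when every frame has one size."""
    return max_pps * frame_bytes * 8

def sweep(max_pps):
    """Throughput at each RFC 2544 frame size for the same packet-rate ceiling."""
    return {size: throughput_bps(max_pps, size) for size in RFC2544_FRAME_SIZES}

def mix_throughput_bps(max_pps, mix):
    """Throughput for a traffic mix given as {frame_bytes: relative packet count}."""
    packets = sum(mix.values())
    if packets <= 0:
        raise ValueError("mix must contain at least one packet")
    avg_frame = sum(size * count for size, count in mix.items()) / packets
    return max_pps * avg_frame * 8

def units_needed(target_bps, per_unit_bps):
    """Parallel units required, assuming traffic is spread evenly across them."""
    return math.ceil(target_bps / per_unit_bps)

# Constructed inputs (assumptions for illustration only).
DATASHEET_BPS = 100e9                   # hypothetical rating: 100 Gbps
DATASHEET_FRAME = 1518                  # assumed frame size behind that rating
SAMPLE_MIX = {64: 7, 594: 4, 1518: 1}   # constructed small-packet-heavy mix

if __name__ == "__main__":
    pps = implied_pps(DATASHEET_BPS, DATASHEET_FRAME)
    for size, bps in sweep(pps).items():
        print(f"{size:>5} B frames: {bps / 1e9:6.2f} Gbps")
    mixed = mix_throughput_bps(pps, SAMPLE_MIX)
    print(f"sample mix   : {mixed / 1e9:6.2f} Gbps")
    print(f"units for 100 Gbps of this mix: {units_needed(100e9, mixed)}")
```

Enabling inspection features lowers the packet-rate ceiling itself, so the mix has to be measured with the intended feature set turned on.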
 
> I have mixed feelings on the Palos so far. Hoping new firmware changes my opinions of that though. They seem to creep at times.

Ditto, the GUI is pokey as hell. Sweet feature base, but the GUI leaves much to be desired.
 
> I need a firewall that can handle 100 gigabits per second to the internet.
>
> Budget is essentially unlimited. Does anyone know which manufacturers (if any) offer such a product? I think I saw one from Fortinet that claims 480 gb/sec which would be overkill...

100gb/sec doing what? AV? IPS? IDP? Deep packet inspection for L7? App firewall?

Firewall is a lot more than just raw throughput...
 
> 100gb/sec doing what? AV? IPS? IDP? Deep packet inspection for L7? App firewall?
>
> Firewall is a lot more than just raw throughput...

Also when you come to compare different vendors with each other.

I have seen load tests where new Check Point gear was tested and it could only push 37% of stated performance compared to the datasheets (a huge disappointment to say the least) - and this was with everything disabled (would be fun to see how many, if any, Mbit/s will be able to pass when you enable everything like AV, IPS, Application identification, User identification, SSL termination, URL-categorization etc).
 