How we tested Juniper's SRX 5800

We assessed the Juniper SRX 5800 in terms of performance, features and usability. Because the product is marketed as a security appliance, our tests focused on security performance. We did not look at router metrics, such as BGP performance, although the SRX-5800 does have the full multiprotocol and multilayer JunOS 9.3 routing engine inside. Our security performance tests included separate sets of measurements using stateful TCP and stateless UDP traffic. For both sets of tests, we offered test traffic to 16 10-gigabit Ethernet interfaces.

In the stateful TCP performance tests, we used 16 Spirent Avalanche 2900 traffic generator/analyzers to emulate HTTP clients and servers. We divided the test bed in half, with Avalanches on eight SRX ports emulating 2,400 Web users, and Avalanches on the remaining eight SRX ports emulating 560 Web servers.

Forwarding rate was the primary metric in these tests. We configured each of the 2,400 Web "users" to request 512-kbyte objects from the servers for a steady-state period of three minutes, and measured forwarding rates at 4-second intervals during this period. We also measured transaction rates and response times at this level.

We repeated these tests with the SRX configured three ways: as a firewall; as a firewall running network address translation; and as a firewall running NAT and intrusion prevention with 252 attack signatures loaded. These signatures, as recommended by Juniper, represented critical and major events, mostly in the client-to-server direction. We also ran additional tests that increased the number of attack signatures and, more importantly, added server-to-client-direction attack detection.

In the stateless tests, we used a Spirent TestCenter traffic generator/analyzer attached to all 16 ports of the SRX. Here, we offered UDP/IP traffic in three sizes – 64-, 256- and 1,518-byte Ethernet frames – to represent minimum-, average- and maximum-sized packets. For all tests, we used a binary search algorithm to determine the throughput rate, that is, the highest offered load the device forwards without frame loss. We also measured average and maximum latency at the throughput rate. Test duration in all cases was 180 seconds.
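The binary search described above, as an added illustration that is not part of the article and does not use Spirent or Juniper tooling: the device under test is a constructed stand-in with a fixed per-port capacity, the frame sizes and 180-second trials match the article, and `max_fps` gives the line-rate ceiling of one 10-gigabit Ethernet port for each frame size.

```python
"""RFC 2544-style binary search for the zero-loss throughput rate.

Added example: the appliance is simulated, not measured. `SimulatedDut`
forwards every frame up to a constructed capacity and drops the rest.
"""

LINE_RATE_BPS = 10_000_000_000  # one 10-gigabit Ethernet interface
PREAMBLE_SFD = 8                 # bytes on the wire per frame, beyond the frame itself
IFG = 12                         # minimum inter-frame gap, in byte times


def max_fps(frame_bytes: int, link_bps: int = LINE_RATE_BPS) -> int:
    """Theoretical frames per second at line rate for one Ethernet frame size."""
    return link_bps // ((frame_bytes + PREAMBLE_SFD + IFG) * 8)


class SimulatedDut:
    """Constructed stand-in for the device under test (assumption, not the SRX)."""

    def __init__(self, capacity_fps: int):
        self.capacity_fps = capacity_fps  # frames per second it can forward

    def forward(self, offered_fps: int, duration_s: int) -> tuple[int, int]:
        """Return (frames offered, frames forwarded) for one trial."""
        offered = offered_fps * duration_s
        forwarded = min(offered, self.capacity_fps * duration_s)
        return offered, forwarded


def find_throughput(dut, frame_bytes, duration_s=180, resolution=0.001):
    """Binary search between zero and line rate for the highest offered load
    that is forwarded with zero loss; stop once the window is within
    `resolution` of line rate."""
    low, high = 0, max_fps(frame_bytes)
    best = 0
    step = max(1, int(high * resolution))
    while high - low > step:
        mid = (low + high) // 2
        offered, forwarded = dut.forward(mid, duration_s)
        if forwarded == offered:  # no loss: try a higher rate
            best, low = mid, mid
        else:                     # loss: back off
            high = mid
    return best


def run_all(dut, sizes=(64, 256, 1518)):
    """Throughput in frames per second for each frame size in the article."""
    return {size: find_throughput(dut, size) for size in sizes}
```

With a 10-million-frame-per-second stand-in, the search converges just under 10 million fps for 64-byte frames (where line rate is higher) and to line rate for 1,518-byte frames (where the port, not the device, is the limit).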

As part of our testing, we used an NSM Express appliance provided by Juniper to manage the SRX-5800 base, firewall, NAT and IPS configuration. NSM Express is a preconfigured server with Juniper's Network and Security Manager management tool, Version 2008.2, pre-installed and ready to use. We used Juniper's tool to configure the SRX-5800, to generate security and NAT policies for the SRX-5800 and to build and deploy IPS configurations. We also used NSM, where we could, as a log analysis tool, gathering alerts from the SRX-5800 for debugging purposes.
