Network World

Clear Choice Test: Unified Threat Management Firewalls. All-in-one firewalls show spotty performance: Juniper, Cisco, Check Point lead the way in test of 13 unified threat management devices.

Tracking UTM high availability

By Joel Snyder , Network World , 11/12/2007

The high-availability (HA) and scalability features in the enterprise UTM firewalls we tested range from very fancy to dead simple.

We believe that most network managers will go for the “dead simple” end of the spectrum on the theory that the more complicated it is, the more likely it is to fail.

We gave the highest scores to products that recovered within four seconds and took points off when products took more than a minute to restart traffic flows.

Tracking UTM firewall high availability

Juniper, Check Point and Nokia all excelled in our failover tests, taking virtually no time to migrate data to the standby machine when the primary machine lost power.

Vendor              Product                             Active/passive failover  Active/active failover  Clustering  Time to recovery / mode tested
Astaro              ASG 425a                            Y                        Y                       Y           72 seconds / A/P
Check Point         UTM-1 2050                          Y                        Y                       N           0 seconds / A/A
Cisco               ASA5540 with SSM-20 IPS module      Y                        Y                       N           72 seconds / A/P
Crossbeam           C25                                 Y                        Y                       N           0 seconds / A/P
Fortinet            FortiGate 3600A                     Y                        Y                       N           64 seconds / A/P
IBM                 System x3650                        Y                        Y                       N           Not tested*
IBM/ISS             Proventia MX5010                    Y                        N                       N           60 seconds / A/P
Juniper Networks    ISG-1000                            Y                        Y                       N           0 seconds / A/P
Juniper Networks    SSG-520M                            Y                        Y                       N           0 seconds / A/P
Nokia               IP290                               Y                        Y                       Y           0 seconds / A/A
Secure Computing    Sidewinder 2150D with IPS accel.    Y                        Y                       N           68 seconds / A/P
SonicWALL           PRO 5060                            Y                        N                       N           8 seconds / A/P
WatchGuard          Firebox Peak X8500e                 Y                        N                       N           16 seconds / A/P

* Vendor submitted a single box for testing.

While most vendors -- SonicWALL and WatchGuard were the exceptions -- also offer active/active HA, in which two firewalls load-balance automatically between themselves, we tested active/passive HA, in which a hot standby system takes over when the active node goes down.

The argument here is that any performance benefit achieved from an active/active configuration would pale in comparison to the guarantee that when an HA event occurs in an active/passive configuration, you'll still have just as good performance as before the event. Because a typical HA event might be a hardware failure that could take a box out for 24 to 72 hours, having the same performance before and after would be pretty important.

We made an exception to this rule for Check Point firewalls, because we had four platforms running the same software, and we wanted to see whether there were differences among the different HA approaches. On Check Point’s own hardware, we tested using Check Point’s active/active, and on Nokia hardware, we tested using Nokia’s IPSO clustering.

Our tests showed that the HA features in Check Point’s software running on all hardware platforms and on Juniper products fail over with no traffic blocked (by our four-second definition). We turned off a system and sessions kept flowing through both vendors’ failover UTM firewalls. This was true for the Check Point UTM-1 2050, Crossbeam C25, Nokia IP290, and both the Juniper ISG-1000 and SSG-520M firewalls.
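As an added example (not part of the review, and not any vendor's tooling), a small Python script that measures time to recovery the way the test defines it: probe sessions once a second, cut the primary at a known moment, time the gap until sessions flow again, and map that gap onto the review's four-second and one-minute scoring bands. The Probe class, the make_log helper and the probe logs are constructed here for illustration.

```python
import math
from dataclasses import dataclass

# Scoring bands from the review: recovery within four seconds counted as
# "no traffic blocked"; taking more than a minute to restart flows lost points.
RECOVERED_WITHIN = 4.0
PENALTY_ABOVE = 60.0

@dataclass(frozen=True)
class Probe:
    t: float   # seconds since the test run began
    ok: bool   # True if this probe's session traversed the firewall pair

def time_to_recovery(probes, failure_at):
    """Seconds of blocked traffic after the primary node was cut at failure_at.

    Measured from the last successful probe (or the cut itself, if none was
    seen) to the first successful probe after a run of failures. Returns 0.0
    if nothing failed after the event and math.inf if the log ends while
    traffic is still blocked, i.e. the standby never took over."""
    last_ok = None
    in_outage = False
    worst = 0.0
    for p in sorted(probes, key=lambda pr: pr.t):
        if p.t < failure_at:          # pre-failure probes only seed last_ok
            if p.ok:
                last_ok = p.t
            continue
        if p.ok:
            if in_outage:
                start = last_ok if last_ok is not None else failure_at
                worst = max(worst, p.t - start)
            in_outage = False
            last_ok = p.t
        else:
            in_outage = True
    return math.inf if in_outage else worst

def score(ttr):
    """Map a recovery time onto the review's outcomes."""
    if ttr <= RECOVERED_WITHIN:
        return "no traffic blocked"
    if ttr > PENALTY_ABOVE:
        return "points off"
    return "recovered"

def make_log(outage_from, outage_to, end=90):
    """Constructed one-probe-per-second log; probes fail in [outage_from, outage_to]."""
    return [Probe(float(t), not (outage_from <= t <= outage_to)) for t in range(end + 1)]
```

Running `time_to_recovery(make_log(11, 81), failure_at=10.0)` gives 72.0 seconds, the same figure as the slowest boxes in the table, and `score` flags it as losing points.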
