When we tested firewall performance as part of in our UTM firewall test we focused on how well the products would push inspected packets along with other UTM features, specifically intrusion-prevention systems and antivirus, turned on. However, many enterprise managers will use these devices primarily just as firewalls, and might be curious how fast they’d operate without UTM slowing them down.

Our initial test bed had been tuned for 1Gbps throughput, and eight of the 13 firewalls we tested blew right past the 1Gbps mark without UTM turned on. So, with the help of David Newman from Network Test, we outfitted the test bed with a 2.8Gbps capacity, and re-ran our firewalls through at that higher speed.

This second round of testing employed the same product configurations used for the 1Gbps UTM test with two exceptions. WatchGuard and Secure Computing have long offered proxy-based firewalls, claiming higher security than simple packet filters although with a cost in performance. WatchGuard’s Firebox and Secure Computing’s Sidewinder have the flexibility to use either simple packet filters, a generic proxy or an HTTP-specific proxy for HTTP traffic. Since our tests were made using HTTP traffic, we tested all three scenarios and reported all three numbers for each product.

Overall, we found that if you don’t want to turn on any of the UTM features, you can get outstanding performance with almost half of the boxes we tested running at more than gigabit speeds. Even better news is that some of those high-performance boxes (namely Juniper SSG-520M and WatchGuard’s Firebox Peak X8500e) are offered (we say almost) at a great price. (You can compare pricing for dozens of UTM products in our UTM Buyer's Guide.)

The interesting twist is that the top performers in this test are not a one-to-one match with the higher performers on our slower testbed. For example, the top-scoring device in our UTM test was the Juniper ISG-1000. However, on the price-per-megabit-of-throughput basis we can point to from this second round of testing, the ISG-1000 only falls into the middle of the pack. Instead, IT outfits looking for raw bandwidth to handle a gigabit link with power to spare will want to look at either the WatchGuard Firebox Peak X8500e (which costs just more than $20,000 and yields 1340Mbps throughput) and Juniper SSG-520M (which costs $24,600 and yields 1420Mbps throughput), either of which is one-fourth as expensive as the ISG-1000 on a price-for-bandwidth basis.

We still found that two of the firewalls, from IBM and Crossbeam, were faster than our test bed could go (that is 2800Mbps). But those are among some of the more expensive offerings we tested as well, coming in at just less than $70,000 and $100,000 respectively.

In some cases, our numbers came out below the advertised specifications for the firewalls we tested. This can happen for a number of reasons. For example, we discussed the FortiGate 3600A performance (which costs $121,790 and yielded 1240Mbps throughput) with the company’s engineers because it was much lower than the advertised specifications. They helped us to tune the firewall, and explained their specifications are based on streams of UDP packets running over a single connection at maximum packet size -- a test that will definitely give the highest performance number for a firewall.