How we tested the next-generation firewalls

We assessed performance using three sets of tests: forwarding rates with mixed HTTP content, forwarding rates with static HTTP content, and TCP connection behavior (maximum concurrent connections and connection setup rate). Two pairs of Spirent Avalanche 3100 GT traffic generator/analyzers, each equipped with two 10G Ethernet interfaces, served as the primary test tool. We connected all devices through an Arista Networks 7124S 10-gigabit Ethernet top-of-rack switch.

For the forwarding rate tests, we configured each of the firewall's four 10G Ethernet interfaces to act as the gateway for a different IP subnet, so all test traffic was routed, not bridged, through the device. We also installed more than 250 access rules on each firewall, so that policy lookups ran against a realistically sized rule base rather than a single permit-all rule. We configured Spirent Avalanche to emulate 200 clients and 40 servers, distributed across the four subnets.

In the mixed-content tests, we offered the same combination of HTTP object types and sizes as in a previous Network World test of the Palo Alto PA-5060 firewall. Object types included text, images, and other binary content such as PDF files. Object sizes ranged from 1 kbyte to 1,536 kbytes, all requested over HTTP. We also reran the same tests using SSL with the RC4-MD5 cipher suite. Note that RC4-MD5 is a computationally cheap (and cryptographically weak) suite that has since been prohibited for TLS use; SSL-decryption results measured with it will not carry over directly to deployments negotiating AES-based suites with ephemeral key exchange, which cost the firewall considerably more CPU per connection.

The static-content tests also used HTTP and SSL, but in this case involved separate tests with 100- and 512-kbyte text objects. These too were the same object sizes used in previous next-generation firewall tests.

We repeated the forwarding rate tests using five different configurations: as a firewall only; as a firewall with SSL decryption enabled; as a firewall and IPS; as a firewall, IPS, and antivirus/antispyware engine; and with all functions plus SSL decryption enabled. In all five configurations, application inspection remained enabled on the NGFWs.

To determine the concurrent TCP connection count, we configured the clients emulated by Spirent Avalanche to hold their connections open and request one object every 60 seconds, building up progressively larger numbers of established connections. We took the maximum concurrent connection count to be the largest count at which the firewall serviced every request with no failures, measured to the nearest 100,000 connections.

To determine the connection setup rate, we configured the clients and servers emulated by Spirent Avalanche to use HTTP version 1.0 without keep-alive, forcing a new TCP connection for each HTTP request. Using a binary search on the offered rate, we determined the maximum rate at which the firewall could service requests for 60 seconds with no failed transactions.
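The two search procedures described above (stepping the held-open connection count up in 100,000 increments, and binary-searching the connection setup rate for a 60-second pass with zero failed transactions) are shown below as an added example. This is not code from the original test or from Spirent; the device under test is a constructed stand-in (`SimulatedFirewall`, with hypothetical limits) that a real harness would replace with calls into the traffic generator and a read of its failed-transaction counter.

```python
"""Search procedures behind the two TCP tests, with a constructed DUT model.

Added illustration, not the tooling used in the review. SimulatedFirewall and
its limits are hypothetical; a real run would replace run_concurrent() and
run_setup_rate() with calls to the traffic generator.
"""
from dataclasses import dataclass


@dataclass
class SimulatedFirewall:
    """Constructed stand-in for the device under test.

    Requests beyond the device's (hypothetical) limits are counted as failed,
    which is the only signal the search procedures rely on.
    """
    max_concurrent: int   # hypothetical concurrent-connection limit
    max_setup_rate: int   # hypothetical connection setups per second

    def run_concurrent(self, connections: int) -> int:
        """Failed requests when `connections` are held open simultaneously."""
        return max(0, connections - self.max_concurrent)

    def run_setup_rate(self, rate: int, duration_s: int = 60) -> int:
        """Failed transactions over `duration_s` seconds at `rate` new conn/s."""
        return max(0, rate - self.max_setup_rate) * duration_s


def max_concurrent_connections(dut, step: int = 100_000,
                               ceiling: int = 20_000_000) -> int:
    """Raise the number of held-open connections in `step` increments until
    any request fails, and report the last count that passed cleanly.

    This mirrors "progressively larger numbers of connections, measured to
    the nearest 100,000"; `ceiling` just bounds the ramp.
    """
    best = 0
    count = step
    while count <= ceiling:
        if dut.run_concurrent(count) > 0:
            break
        best = count
        count += step
    return best


def max_setup_rate(dut, ceiling: int = 1_000_000, resolution: int = 1_000,
                   duration_s: int = 60) -> int:
    """Binary-search the offered setup rate (conn/s) for the largest rate the
    DUT sustains for `duration_s` seconds with zero failed transactions.

    Invariant: `lo` always passed, `hi` always failed. The search stops when
    the bracket is narrower than `resolution`, so the answer is within
    `resolution` conn/s below the true limit. Each probe is a full 60 s trial.
    """
    lo, hi = 0, ceiling
    if dut.run_setup_rate(hi, duration_s) == 0:
        # Ceiling never failed: the DUT limit lies above the search range.
        return hi
    while hi - lo > resolution:
        mid = (lo + hi) // 2
        if dut.run_setup_rate(mid, duration_s) == 0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Hypothetical limits for the constructed DUT.
    dut = SimulatedFirewall(max_concurrent=2_350_000, max_setup_rate=123_456)
    print("concurrent connections:", max_concurrent_connections(dut))
    print("setup rate (conn/s):   ", max_setup_rate(dut))
```

A pass at rate R on a real device only proves R is sustainable for one 60-second window; repeating the final passing probe a few times before publishing the number guards against a lucky run, and the bracket width (`resolution`) should be stated alongside the result.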


Copyright © 2012 IDG Communications, Inc.