UTM firewall review: SonicWall smashes speed records

New appliance offers enterprise-level UTM performance

Last month, SonicWall rolled out its next-generation unified threat management firewall appliance geared for the enterprise. In our exclusive test of the Network Security Appliance E7500, results show that SonicWall has, indeed, crashed through the speed barrier.

This box offers 1.3Gbps of UTM performance, roughly two and a half times the speed of the fastest product in our comparative UTM test last November (see comparative UTM test).

While SonicWall has not changed much on the surface of its firewall, there are dramatic differences in the internal architecture that yield performance gains that leapfrog the throughput numbers of the SonicWall Pro product line. This makes UTM features including intrusion-prevention system (IPS), antivirus, antispyware, and content filtering cost-effective because they can run at gigabit speeds. (Compare UTM products in UTM Buyer’s Guide.)

Fifth-generation multicore performance

SonicWall's NSA firewall line, based on a family of multi-core security processors from Cavium, is called the company's "generation 5 product." The new hardware (six models have been announced already) is slated to entirely replace the company's old Pro series.

SonicWall NSA E7500 Version 5.0

Pros: Very high-performance UTM features; small size; low power consumption; high interface density; redundant power supplies and fans; SonicPoint wireless LAN management system and wireless IDS
Cons: Manageability of UTM features limited, especially in IPS; Web-based management system had difficulty handling complex policies in firewall or NAT; firewall configuration flexibility held back by built-in configuration limits

Scorecard (weight, score):
Performance (25%): 4.75
Intrusion prevention (15%): 2.50
Antivirus (15%): not given
VPN (15%): 4.00
Management (15%): 3.50
Hardware architecture (10%): 4.50

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available

The high-end E7500 that we tested has a 16-core Cavium CPU, with each core operating at 600MHz. One core is dedicated to system management, while the other 15 are used for security processing, including firewall, VPN and other UTM features such as antivirus, IPS and content filtering. Also built into the CPU is hardware acceleration for cryptography (useful in VPNs), compression, and regular expressions, which compare a pattern against a string, and are heavily used in most IPS rule sets. SonicWall claims it took 18 months to port its existing operating system to effectively make use of the multicore capabilities of the new hardware.

The E7500 is a 1U, short (16-inch) rack-mountable device with eight firewall ports: four are copper gigabit Ethernet, and four are SFP gigabit interfaces. An additional port is marked for high availability connectivity to another firewall. The E7500 also has redundant, hot-swappable fans and power supplies. Drawing 0.9 amps when unloaded (and 1.1 amps when fully loaded), the E7500 is middle-of-the-road in terms of power consumption for an appliance of its size.

We tested the E7500 by putting it through performance tests very similar to those we used in our November UTM test. However, to drive the E7500 to its UTM limits, we used a faster set of Spirent Avalanche/Reflector test devices.

Full UTM performance (including client and server-side IPS signatures, antivirus, antispyware, and content filtering) was 1,288Mbps using recommended settings. For comparison, the fastest fully loaded UTM performance registered in our November test was by the FortiGate 3600A, which came in at 520Mbps, but also carries with it a list price nearly double that of the E7500.

Although firewall vendors are constantly upgrading their wares, SonicWall is the first with a major leap past the gear in our November test.

We had similar results when testing IPS performance on the E7500 (1,914Mbps using recommended settings) and antivirus performance (1,615Mbps using recommended settings), all significantly faster than the best numbers from high-end gigabit products in our November test. Compared with SonicWall's own previous top-of-the-line Pro 5060, the results are even more dramatic, with the E7500 coming in six to eight times faster on all UTM tests.

Overall, the E7500 provides a dramatic boost in speed that makes UTM possible in enterprises needing gigabit speeds.

User interface remains the same

While the hardware changes are hugely evident in the performance numbers, the Web-based user interface (which most enterprise network managers will find to be easy to learn) and the underlying firewall feature set are little changed from what we saw in our November UTM test.

The strong extra features the SonicWall family is known for, such as the wireless LAN management system, the wireless intrusion-detection system, VoIP support using Session Initiation Protocol, and high-end diagnostic tools, are all still there and haven't changed significantly from prior versions.

One new feature is that IT can change the scanning parameters for UTM features between "Recommended" and "Performance Optimized" settings. A third setting called "Maximum Security" was also included in the firmware we tested, but it will be removed from the next version. SonicWall engineers say they are making the change because the level of security in the "Recommended" and "Maximum" settings was actually the same. SonicWall told us (the feature is so new it isn’t in the documentation yet) that this doesn’t turn on and off signatures in the IPS or antivirus parts of the product, but rather optimizes how it scans to look for the most common threats. In our performance testing, we saw some fairly dramatic speed differences when we employed the various security settings.

Tracking SonicWall UTM performance

The NSA E7500’s UTM results set a new bar for UTM-firewall price and performance. With full UTM scanning at 1.3Gbps, SonicWall has an enterprise-speed product in a pint-size box.
Setting                          AV only*   IPS only*   AV, IPS, antispyware and content filtering*
Recommended                      1,615      1,914       1,288
Maximum security**               1,609      1,221       848
Performance-optimized            1,937      1,921       1,867

* Throughput in Mbps. ** This setting option will be eliminated in future firmware versions of this product.

The higher performance of the E7500 on UTM tasks also led us to upgrade its overall IPS score. The management and coverage of the IPS in the E7500 is largely unchanged from Version 4 of the SonicWall software.

The E7500 does still show signs of SonicWall's SMB heritage. So while some features, such as IPS, are now extremely fast, SonicWall hasn't done much to improve the manageability or control of the firewall or the UTM feature set. For example, tuning the IPS to suppress an alert for a particular system is still very difficult and produces a nearly unmaintainable configuration. Similarly, you still cannot have different UTM configuration sets for different zones or different flows through your network. The result is that while this firewall is capable of handling an immense amount of traffic, it fits best into networks where all the traffic should be handled the same way.
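Two mechanics this review touches on, the regular-expression signature matching that the Cavium hardware accelerates and the per-host alert suppression that this version makes awkward to manage, look like this in an added Python sketch. It is not SonicWall's code: the rule set, sample flows and the Snort-style suppress entries are constructed for illustration, and the direction tags stand in for the product's "client-side" and "server-side" signature categories.

```python
"""Toy signature IPS: direction-aware regex rules plus per-host alert suppression.

Added illustration, not SonicWall's code. Signatures, flows and the
Snort-style suppression entries below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    direction: str        # "to_server" = client-side attack, "to_client" = server-side
    pattern: re.Pattern   # compiled once at load; the per-packet search is what hardware offloads


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    direction: str        # which way this payload is travelling
    payload: bytes


@dataclass(frozen=True)
class Suppression:
    sid: int              # 0 suppresses every signature for the tracked host
    track: str            # "by_src" or "by_dst", as in a Snort suppress line
    network: str          # CIDR; a single host is a /32


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    src: str
    dst: str


# Constructed rule set in the shape of pcre-based IPS rules.
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", "to_server",
              re.compile(rb"(?:\.\./){2,}")),
    Signature(1002, "SQL injection tautology", "to_server",
              re.compile(rb"(?i)'\s*or\s+'?1'?\s*=\s*'?1")),
    Signature(2001, "Windows executable in HTTP response", "to_client",
              re.compile(rb"\r\n\r\nMZ")),
]

# Constructed traffic. 10.0.0.5 plays an authorised vulnerability scanner.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", "to_server",
         b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.7", "192.0.2.10", "to_server",
         b"GET /login?user=admin' OR '1'='1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("192.0.2.10", "10.0.0.7", "to_client",
         b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
    # Same traversal bytes, but in a response: a client-side rule must not fire here.
    Flow("192.0.2.10", "10.0.0.9", "to_client",
         b"HTTP/1.1 200 OK\r\n\r\n../../../../etc/passwd"),
]

# One suppress entry: silence the traversal rule for the scanner's source address.
SUPPRESSIONS = [Suppression(1001, "by_src", "10.0.0.5/32")]


def is_suppressed(sid: int, flow: Flow, suppressions) -> bool:
    """True if any entry covers this signature and the tracked endpoint."""
    for s in suppressions:
        if s.sid not in (0, sid):
            continue
        host = flow.src if s.track == "by_src" else flow.dst
        if ip_address(host) in ip_network(s.network):
            return True
    return False


def inspect(flow: Flow, signatures=SIGNATURES, suppressions=()) -> list[Alert]:
    """Run only the rules for this flow's direction; drop suppressed hits."""
    alerts = []
    for sig in signatures:
        if sig.direction != flow.direction:
            continue
        if sig.pattern.search(flow.payload) is None:
            continue
        if is_suppressed(sig.sid, flow, suppressions):
            continue
        alerts.append(Alert(sig.sid, sig.name, flow.src, flow.dst))
    return alerts


def run(flows=SAMPLE_FLOWS, suppressions=SUPPRESSIONS) -> list[Alert]:
    """Inspect every constructed flow and return the surviving alerts."""
    alerts = []
    for flow in flows:
        alerts.extend(inspect(flow, SIGNATURES, suppressions))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(f"sid {a.sid} {a.name}: {a.src} -> {a.dst}")
```

Every rule of the matching direction is searched against every payload, which is why regex throughput, not firewall rule count, sets the ceiling on UTM speed. Suppression here is a filter applied after the match, keyed on one tracked endpoint; a configuration kept as a flat list of (signature, host) pairs grows by one entry for every exception, which is the kind of sprawl that makes per-system tuning hard to keep tidy.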

If you already love the SonicWall interface and features, the E7500 will be a great way for you to boost performance. On the other hand, if you were unhappy with SonicWall's feature set or management system before, the E7500 won't give you any reason to change your mind.

Bottom line

SonicWall has garnered tremendous loyalty in its customer base by offering network managers a UTM feature set at a competitive price. One of the Achilles' heels of the product line, though, has always been its UTM performance. With the E7500, SonicWall takes its firewall products up to enterprise speeds.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

NW Lab Alliance

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.

Copyright © 2008 IDG Communications, Inc.