At Corporate Armor, we’re all about taking the pain out of IT security and networking for our customers. And a lot of our customers are from small-to-medium-sized organizations. They don’t always have IT staff in-house to manage their network health and security. So we see it as our job to try to help people understand all the technical jargon that unfortunately populates most of the product literature in this field. Firewall throughput is a phrase that has several meanings, and since it’s important we thought it might be helpful to explain it a little.
There are many kinds of firewalls, of course. Some of our biggest sellers are small firewalls, like the FortiGate 40F, FortiGate 60F, Meraki MX64 and MX68, and Sophos XG115 and XG125. But suppose you’re a non-IT type who’s faced with making a firewall purchase for your 30-employee company. As you seek to learn the basics about firewalls, you’re bound to run into a real word-salad of baffling techno-terms. Many of these terms won’t mean a thing to you. In other words, vendors don’t make it easy for the average person to understand their products. So we want to try to simplify some of the terminology for you.
Now, if you’ve ever looked at firewall datasheets, you might have seen the word ‘throughput.’ And you might have noticed it paired with other words, for example NGFW Throughput, Firewall Throughput, SSL-VPN Throughput, IPsec Throughput, and so on. And keep in mind, vendors don’t all list the same kinds of throughput in their respective literature, and they don’t all measure them the same way, so compare like with like.
What is Firewall Throughput? Also called Total or Maximum Firewall Throughput, it’s the highest throughput figure in the whole datasheet. It’s measured in megabits or gigabits per second. This spec measures a firewall’s raw, unhindered processing speed in its base state, with no security services activated. It’s sort of interesting to know how much raw traffic can fly through your firewall unimpeded. But it doesn’t tell you much about how a firewall will behave on a real network. That’s because nearly every firewall deployment will include some security services: antivirus scanning, intrusion prevention, or data loss prevention. That’s the point of having a firewall, after all. One more caveat: check the footnote on packet size. This figure is normally quoted for large packets, and the same box moves far fewer bits per second on real traffic with a mix of small packets.
Next-Gen Firewall Throughput
NGFW Throughput is generally a measure of throughput when Intrusion Prevention Services (IPS) and Application Control are running. IPS and App Control are very common services, so NGFW Throughput is a great statistic to take note of.
It’s important to remember that there is a performance cost for every next-gen firewall feature that is enabled. Some firewalls lose as much as 82 percent of their raw throughput once IPS and application identification are enabled. And that’s not even including more resource-intensive features such as AV, web filtering and DLP. So NGFW Throughput will give you a good idea of how the appliance will perform in a real-world environment. In other words, it’s a very relevant spec. For example, the NGFW Throughput of the Fortinet FortiGate-60F is 1.0 Gbps, which is huge for a small-business firewall. It’s a substantial step up from its predecessor, the FortiGate-60E, which pushes 250 Mbps NGFW Throughput.
SSL-VPN Throughput
This one measures the traffic that can pass through a firewall for a user who has connected to the network via an SSL-VPN. It stands for ‘Secure Sockets Layer’ virtual private network, a type of remote access connection. (Modern SSL-VPNs actually run over TLS, the successor to SSL, but the name has stuck.) SSL-VPN Throughput is especially crucial for any business that regularly allows users to work remotely.
Remote access connections are exploding in popularity these days, of course. But that calls for additional layers of security for your employees and your data, no matter where they connect. SSL-VPN Throughput numbers will usually be lower than the headline firewall figure. That’s because it takes a lot of processing power to decrypt, scan, and verify encrypted traffic. Again using the FG-60F as an example, the SSL-VPN Throughput is 900 Mbps. It is a great choice for remote branches and outposts. Keep in mind that low SSL-VPN Throughput can create bottlenecks for remote workers, and that this figure is shared by everyone on the VPN at once, so it matters most when many users connect at the same time.
Threat Protection Throughput
Threat Protection Throughput measures speed for a firewall running IPS, Application Control, and Malware Protection with logging enabled. It is the closest thing on the datasheet to a fully loaded configuration. The FG-60F delivers Threat Protection Throughput of 700 Mbps.
IPsec Throughput
This is for organizations that use site-to-site VPN. IPsec Throughput is the amount of traffic that can pass through the firewall and the encrypted tunnel to your remote site. Most good firewalls use hardware encryption, so IPsec numbers should approximate the overall throughput of your firewall; check the datasheet rather than assume it. If your business has many sites and IPsec VPNs are a logical part of the business, then this is an important figure to consider. To stress: your firewall cannot route traffic faster than your internet connection! If your internet is 100 Mbps and your firewall can handle 5 Gbps of IPsec, the link is the bottleneck, not the firewall, and the extra IPsec capacity buys you nothing at that site. Naturally, always build in headroom.
SSL Inspection Throughput
As your firewall scans web traffic, without inspection it’s unable to see inside encrypted SSL/TLS sessions. Think banks, Gmail, and most other encrypted Internet destinations. Since lots of viruses and threats travel down encrypted channels, firewalls such as FortiGates can actively scan encrypted traffic for malware. The firewall needs to decrypt, scan and then re-encrypt traffic on the fly. That’s what SSL Inspection Throughput measures, and it is usually one of the lower numbers on the sheet, for the same reason SSL-VPN Throughput is. Keep in mind that full inspection requires the firewall’s CA certificate to be trusted on every client, and that sites which pin their certificates or carry sensitive data (online banking is a common exemption) are normally excluded from inspection.
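The sizing logic running through the sections above (pick the datasheet figure that matches what you actually enable, remember that the WAN link caps everything, and build in headroom) as a small Python helper. This is an added example written for this article, not vendor code. The NGFW, Threat Protection and SSL-VPN values in the sample run are the FortiGate-60F figures quoted in the text; the total firewall, IPsec and SSL inspection values, the feature names and the 25 percent headroom factor are assumptions chosen for illustration.

```python
"""Which datasheet throughput figure actually limits a traffic path?

Added example for this article, not vendor code. Figures are in Mbps.
The FortiGate-60F numbers in the sample run are the ones quoted in the
text (NGFW 1000, Threat Protection 700, SSL-VPN 900); the total
firewall, IPsec and SSL inspection values are ASSUMED placeholders,
not datasheet figures.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Datasheet:
    """Throughput figures in Mbps, named as in the article's table."""
    firewall: float           # wide open, no security services
    ngfw: float               # IPS + Application Control
    threat_protection: float  # IPS + App Control + malware protection, logging on
    ssl_vpn: float            # remote-access SSL-VPN traffic
    ipsec: float              # site-to-site tunnel traffic
    ssl_inspection: float     # decrypt, scan, re-encrypt


def binding_spec(ds: Datasheet, features: set[str]) -> tuple[str, float]:
    """Name and value of the datasheet figure that applies to a traffic
    path with the given features enabled.

    Feature names (assumed for this example): ips, app_control,
    av (malware protection), ssl_vpn, ipsec, ssl_inspection.
    Every packet has to clear every enabled stage, so the lowest
    applicable figure is the ceiling. Vendors measure each figure
    separately, so a path that combines several (SSL-VPN plus IPS, say)
    may come in lower still: this is an optimistic bound, not a guarantee.
    """
    candidates = [("firewall", ds.firewall)]
    if {"ips", "app_control"} <= features:
        candidates.append(("ngfw", ds.ngfw))
    if {"ips", "app_control", "av"} <= features:
        candidates.append(("threat_protection", ds.threat_protection))
    if "ssl_vpn" in features:
        candidates.append(("ssl_vpn", ds.ssl_vpn))
    if "ipsec" in features:
        candidates.append(("ipsec", ds.ipsec))
    if "ssl_inspection" in features:
        candidates.append(("ssl_inspection", ds.ssl_inspection))
    return min(candidates, key=lambda c: c[1])


def effective_limit(ds: Datasheet, features: set[str], wan_mbps: float,
                    headroom: float = 0.75) -> tuple[float, str]:
    """Usable Mbps on the path and what limits it.

    The binding datasheet figure is derated by `headroom` (0.75 keeps a
    25% margin for mixed packet sizes and bursts; the factor is an
    assumption) and then capped by the WAN link, because the firewall
    can never push more than the circuit carries.
    """
    name, spec = binding_spec(ds, features)
    usable = spec * headroom
    if wan_mbps <= usable:
        return wan_mbps, "wan_link"
    return usable, name


def fits(ds: Datasheet, features: set[str], wan_mbps: float,
         peak_demand_mbps: float, headroom: float = 0.75) -> bool:
    """True when the path can carry the expected peak load with headroom."""
    limit, _ = effective_limit(ds, features, wan_mbps, headroom)
    return peak_demand_mbps <= limit


if __name__ == "__main__":
    # NGFW / Threat Protection / SSL-VPN from the article; the rest ASSUMED.
    fg60f = Datasheet(firewall=10000, ngfw=1000, threat_protection=700,
                      ssl_vpn=900, ipsec=6000, ssl_inspection=750)
    utm = {"ips", "app_control", "av"}
    for wan in (100, 1000):
        limit, limiter = effective_limit(fg60f, utm, wan)
        print(f"WAN {wan} Mbps, IPS+AppCtl+AV: usable {limit:.0f} Mbps, "
              f"limited by {limiter}")
    # -> WAN 100: usable 100 Mbps, limited by wan_link
    # -> WAN 1000: usable 525 Mbps, limited by threat_protection
```

The point the sample run makes is the one from the IPsec section: on a 100 Mbps circuit the box is never the constraint, while on a gigabit circuit the 700 Mbps Threat Protection figure (derated to 525 Mbps) is, and the 1.0 Gbps NGFW number never comes into play once malware protection is on.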
There are lots of other specs besides these throughput numbers that you need to consider when looking at firewalls. Things like Recommended Users, Maximum Concurrent Connections, Latency, and so on. And we’d love to tell you more about these specifications and what they mean. So, why not give us a call at 877-449-0458, or reach out at [email protected]? Thanks for reading!
Different kinds of throughput
| Throughput figure | What it measures |
| --- | --- |
| Total Firewall Throughput | Wide open, no security features |
| NGFW Throughput | Intrusion Prevention Services and Application Control are on |
| SSL-VPN Throughput | Traffic for users connected to the network via an SSL-VPN |
| Threat Protection Throughput | IPS, Application Control, and Malware Protection are on, with logging enabled |
| IPsec Throughput | Traffic that can pass through the firewall and the encrypted tunnel to your remote site |
| SSL Inspection Throughput | Traffic that is decrypted, scanned and then re-encrypted |