Firewall throughput calculation

CyberSafekeeper
Level 1

Hi everybody,

We’re designing the system architecture for a specific project and need to calculate the required throughput to select the appropriate firewall throughput and avoid any potential latency.

Our cybersecurity applications are primarily the standard ones, such as:

1. Domain Controller 

2. Backup server

3. Windows patch management WSUS

4. Trellix ePO Antimalware

Is there any documentation template for such a calculation to get some throughput estimation to ensure the firewall sizing is OK?

Thanks in advance

balaji.bandi
Hall of Fame

Some of the stuff I avoid going through the firewall - like backups (if no other options available or route available).

Check the existing network at the Cisco switch level or interface level - put the data in an Excel sheet, add an additional 30% to all the traffic, and size the firewall.

If no other information is available so far, then it is better to have estimated traffic, or buying a bigger model and monitoring is the only option available here.

If you are not looking for multi-context, FTD 3K models are decent to perform as DC firewalls.

https://www.cisco.com/c/en/us/products/collateral/security/firewalls/secure-firewall-3100-series-ds.html

BB


Thanks for your reply. We are still in the engineering phase and we cannot measure actual throughput. We are still in the engineering phase; we did not purchase anything. However, we approached certain models, but the customer still wants a certain calculation that proves that this firewall will not have any issues due to traffic.

For backup, we are using a centralized backup solution, and it is in a different network and needs to pass through the firewall through policies.

Again, this is an information-gathering exercise (sometimes it is hard to determine the capacity, assumed vs. reality).

BB


Joseph W. Doherty
Hall of Fame

It's quite simple, actually.

Ideally size a FW such that it can support whatever is the bottleneck for bandwidth that can transit the FW, regardless of packet sizes and traffic kinds.  For example if you had two gig links connected to the FW, it should be able to support 2 gig of throughput.  Of course, if you might increase bandwidth, you need to plan for that too.

Although sizing the FW is easy, the underlying issue is sizing for necessary bandwidth (which applies to more than just the FW).

Optimal bandwidth sizing is especially difficult if you don't have an existing network which you can analyze.

To put it another way, your question is much like asking what size truck with what size engine should I obtain, but you don't know what you need to transport.

If you can provide payload requirements, then it's fairly easy to provide the specs for your truck.

Some things to keep in mind include: obtaining useful device performance specs can be difficult (vendor specs might be best case); bandwidth needs can suddenly change; "real" network engineering/management can dramatically change needs (one example mentioned in another reply is having backup traffic bypass the FW [or perhaps time-of-day restrictions]), etc.

Yes, I completely agree; that is why I am trying to estimate the loading on the network during system architecture design, which is somehow hard to confirm, as you said. Yes, I can expect some bandwidth loading in some activities, like backups transferred to the backup server during the backup job or deploying Windows patches; however, this will be scheduled to avoid peak activities during normal working hours and will be in separate time slots which will not intercept
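
The sizing approach discussed in this thread (tabulate the traffic, add 30%, compare with the links attached to the firewall, account for scheduled jobs), as an added Python example that is not part of any poster's reply. Every flow rate and schedule window below is a constructed placeholder to be replaced with design figures, and windows are assumed not to wrap past midnight.

```python
import math

# Constructed placeholder flows that cross the firewall:
# (name, peak Mbps, start hour, end hour). Not measurements or vendor figures.
FLOWS = [
    ("domain controller", 50, 0, 24),
    ("antimalware ePO updates", 100, 0, 24),
    ("WSUS patch deployment", 400, 22, 24),
    ("centralized backup job", 800, 1, 5),
]
HEADROOM_PCT = 30          # the additional 30% suggested in the thread
LINK_MBPS = [1000, 1000]   # the thread's "two gig links" example


def hourly_load(flows):
    """Sum the Mbps of every flow active in each hour of the day."""
    load = [0] * 24
    for _name, mbps, start, end in flows:
        for hour in range(start, end):
            load[hour] += mbps
    return load


def with_headroom(mbps, pct=HEADROOM_PCT):
    """Apply the headroom percentage using integer-safe arithmetic."""
    return math.ceil(mbps * (100 + pct) / 100)


def estimate(flows, links=LINK_MBPS):
    load = hourly_load(flows)
    peak = max(load)
    return {
        "peak_hour": load.index(peak),
        # Requirement if the job schedule holds (separate time slots).
        "scheduled_need_mbps": with_headroom(peak),
        # Requirement if schedules slip and every flow overlaps.
        "overlap_need_mbps": with_headroom(sum(f[1] for f in flows)),
        # Upper bound from the thread: total bandwidth of attached links.
        "link_ceiling_mbps": sum(links),
    }


if __name__ == "__main__":
    for key, value in estimate(FLOWS).items():
        print(f"{key}: {value}")
```

The gap between `scheduled_need_mbps` and `overlap_need_mbps` shows how much of the estimate depends on the backup and patch windows staying separate.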