cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21740
Views
0
Helpful
11
Replies

How to size a firewall ?

singhgaurav
Level 1
Level 1

Hi,

Plz help regarding sizing the firewall.
The senario is:
Customer is having two links of Intenet of 1 Gbps each.
Total number of users are around 10000 who are distributed across the country.
Need to setup a DC with centralized security.

Need urgent help for sizing the firewall. What are the parameters that needs to be taken care while sizing the firewalls.


Thanks & regards,
Gaurav

11 Replies 11

Marvin Rhoads
Hall of Fame
Hall of Fame

Consider the ASA data sheet here. The parameters in Table 1 are relevant.

So you need to consider are you using firewall feature only? Remote access VPN? site to site VPN? IPS functionality? Each of those has an associated performance characteristic. Which features you use and to what extent determines which model you would choose.

Dear Sir,

What is the relationship between firewall thorughput and Internet bandwidth?

How to calculate or can you provide formula and reference link?

Thanks.

Best regards,

WAI

It's usually best to start a new thread when replying to 5 year old posts. But Karsten and I are still around so ...

There's no fixed relationship. Generally speaking your firewall throughput should at least equal your Internet bandwidth. Of course if you have 1 Gbps Internet but never use more thast a fraction of it, that doesn't hold true.

Best is to have a discussion with a trusted advisor - your Cisco SE or partner presales engineer to review your requirements and plans.

You can just look at data sheets and bandwidth for any vendor but that may not lead you to the best conclusion if you're not fully informed of all the variables like feature impact on fireewall throughput, nature of your traffic, trends etc.

Dear Sir,

I cannot post a new discussion thread.

May I ask you how to calculate the current firewall throughput in our network?

Is it sum of all interfaces' traffic passing through our firewall? 

If not, how to calculate it?

Thank you very much.

Best regards,

WAI

Current throughput would best be characterized as the sum of all the interface inputs at their observed maximum values during a representative peak load time.

Dear Sir,

If threat protection is enabled, is the sum of all the interface inputs at peak value still valid to calculate the current throughput?

To my understanding, firewall throughput is greater than the in-out traffic if threat protection is enabled or more feature of firewall is enabled.

Beside, once we get the current throughput, say value "x", we shall buy 2 times "x" throughput firewall in the firewall model specification for 50% buffering? or other calculation?

Any reference material or website for my learning?

Thanks a lot.

Thanks and regards,

WAI

You are mixing terms in a way that is confusing the issue.

What is your use case? I assumed it is that you are trying to decide what new firewall to buy.

If that's right then look at how much traffic your current firewall is handling. the method I mentioned is one good way to measure that. It's independent of what features you are using and just measures raw traffic being presented.

Then look at the candidate replacement firewalls. They will all have data sheets that say their performance is X with certain features, lowers to Y or Z with other features active.

Decide which features you would like to use and then make sure that value is greater than your current traffic load.

If you have the luxury of buying more firewall than the mimimum required (or know of specific plans to increase your upstream bandwidth, number of users etc.) then take that into account. How much extra capacity you purchase is based on knowledge only you have. Your reseller can advise things like "for 20% more cost you can get 2x the performance". You have to decide if that makes sense in the context of your organizational plans and priorities (and budget).

There's not a formula for all of this - it is a subjective decision informed by some objective numbers.

I would choose at least the 5545-X:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

(not sure if that is the same page that Marvin posted; the iPad app doesn't show the link ...)

"On the paper" it has more throughhput then you need. But you should size the firewall for the worst case. That could be that you are hit by a 2Gig/s DDOS from the Internet. And in that case you probably don't want to lose your communicatin from the internal network to the DMZs just because the firewall can't handle the overall load.

Sent from Cisco Technical Support iPad App

Hi karsten,

Actually what I want to ask is how you decide the throughput of the firewall ? Is it just the internet bandwidth or there are other factors also. If yes then how to size the firewall ?

Internet bandwidth is one of several parameters to consider. Others are IPS use (or not), site-site VPNs and remote access VPN peers. How those Internet connections are distributed and accessed is one other factor. Are they active/ standby or active/active (e.g. load balanced using BGP or such on the upstream routers).

I recommend you contact your Cisco reseller / local partner. They have pre-sales engineers who do this sort of thing all the time and can dive into your requirements in more depth than this forum.

Actually what I want to ask is how you decide the throughput of the firewall ? Is it just the internet bandwidth or there are other factors also. If yes then how to size the firewall ?

Not only the Internet-Bandwidth but also the bandwidth needed between the internal network and the DMZs (and between the DMZs).

But as Marvin mentioned, there is more then the bandwidth. But for my installations the bandwidth is most often the relevant parameter. The maximum connections and the connection setup-rate was never a problem. And while planning the firewall they couldn't be concidered as the typical SMB customer (my area of work) has no clue about the amount of connections and also doesn't have a baseline. The other two parameters that are important is the VPN-throughput and the IPS-throughput. For both you just should know how much of these you need or be able to estimate that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Review Cisco Networking for a $25 gift card