IT Support and Network Admin at Escuela Carlos Pereyra
User
Top 20
Mar 22, 2022
The "old" answer: calculate how many concurrent connections you are gonna get from the devices in your network. But, nowadays, you should also define if it's an HW-based or SW-based router.
Also, check how many;
-VPN connections you need
-if you're gonna use QoS (consumes a lot of processor and RAM).
-if you're gonna use traffic analysis (same as above).
If you can get the sales area from any brand they gonna ask you those and more questions!!
I would add the throughput of NGFWs for the internal nets to my list.
Most people only focus on their WAN and forget they may have internal networks they need to protect from one another. Well, those networks operate at 1 GB normally if not higher.
If your firewall cannot handle the traffic odd things can happen. For example, on certain Sophos models if you attempt to pass more traffic than it can handle the firewalls simply reboot themselves. Thus, pay attention to the numbers.
To estimate the capacity of the firewall we need to consider:
1. Connectivity links to be connected, their throughput.
2. Concurrent and sessions.
3. Additional functions to be enabled: application control, SSL traffic inspection, web filtering, IPS, antivirus. 4. if it is going to be used for SSL VPN we need to consider the amount of SSL concurrent VPN connections.
On the physical side:
1. Type and quantity of ports to be used for links and to connect to the LAN: fiber and RJ45.
2. Single or dual power supply.
3. Rack space required.
Nowadays, we have advanced NGFW with SD-WAN and application control functionalities that allow collapsing in one single hardware with specialized processors that integrates border functions, LAN & WLAN management with security facilitating the It management and expanding security policies across all infrastructure.
E.g., Check the Fortinet Mesh concept for more details, great vision and Gartner's new security management concept.
The number of users - increasing # of users both local/remote will increase the size of the firewall needed.
The bandwidth available - Larger ISP pipes imply more user traffic increasing the size of the firewall needed.
SSL decryption - Requires more CPU and memory resources. Look to the SSL decryption throughput and then test this against your actual HTTPS traffic. Faster decryption/re-encryption requires firewalls with more throughput. Larger firewalls tend to have better throughput numbers.
Applications to be traffic shaped, SDWAN connections and the number of remote users supported by the firewall have an impact on the sizing.
Fortinet firewalls can be configured to control switches and APs. The number of devices controlled has a marginal impact but does require some CPU and memory resources.
Finally, the money available for purchase is the final calculation. Note that maintenance agreements are also part of this equation as an NGFW is a brick without maintenance.
Firewalls serve as essential network security devices designed to monitor incoming and outgoing traffic, establishing a barrier between trusted and untrusted networks to protect against cyber threats. Firewalls, critically important in IT infrastructure, offer a range of security features that include packet filtering, stateful inspection, and proxy service. They are used extensively to define policies that allow or block traffic, playing a crucial role in preventing unauthorized access....
The "old" answer: calculate how many concurrent connections you are gonna get from the devices in your network. But, nowadays, you should also define if it's an HW-based or SW-based router.
Also, check how many;
-VPN connections you need
-if you're gonna use QoS (consumes a lot of processor and RAM).
-if you're gonna use traffic analysis (same as above).
If you can get the sales area from any brand they gonna ask you those and more questions!!
Good luck!
These are some excellent comments.
I would add the throughput of NGFWs for the internal nets to my list.
Most people only focus on their WAN and forget they may have internal networks they need to protect from one another. Well, those networks operate at 1 GB normally if not higher.
If your firewall cannot handle the traffic odd things can happen. For example, on certain Sophos models if you attempt to pass more traffic than it can handle the firewalls simply reboot themselves. Thus, pay attention to the numbers.
Hi Niranjan,
In my case, I use this simple template:
Throughput:
- Total WAN Bandwidth (Mbps)
- Average WAN Consumption (Mbps)
- Anticipated WAN growth over 3 years (%)
- Anticipated Peak Growth
- Anticipated Average Growth
WAN Protection:
- SSL/TLS Decryption (Yes/No)
- Intrusion Prevention (Yes/No)
- Application Control (Yes/No)
- Anti-Malware Protection (Yes/No)
- Web Protection (Yes/No)
VPN:
- Concurrent IPSec tunnels
- Concurrent SSL VPN tunnels
-IPSec peak throughput requirements (Mbps)
Authentication:
-Nb users
After filling this template, I compare it with the market firewall's constructors.
At this point, the calculator is my experience to choose the best solution :)
Regards,
A.Rastello
To estimate the capacity of the firewall we need to consider:
1. Connectivity links to be connected, their throughput.
2. Concurrent and sessions.
3. Additional functions to be enabled: application control, SSL traffic inspection, web filtering, IPS, antivirus.
4. if it is going to be used for SSL VPN we need to consider the amount of SSL concurrent VPN connections.
On the physical side:
1. Type and quantity of ports to be used for links and to connect to the LAN: fiber and RJ45.
2. Single or dual power supply.
3. Rack space required.
Nowadays, we have advanced NGFW with SD-WAN and application control functionalities that allow collapsing in one single hardware with specialized processors that integrates border functions, LAN & WLAN management with security facilitating the It management and expanding security policies across all infrastructure.
E.g., Check the Fortinet Mesh concept for more details, great vision and Gartner's new security management concept.
The number of users - increasing # of users both local/remote will increase the size of the firewall needed.
The bandwidth available - Larger ISP pipes imply more user traffic increasing the size of the firewall needed.
SSL decryption - Requires more CPU and memory resources. Look to the SSL decryption throughput and then test this against your actual HTTPS traffic. Faster decryption/re-encryption requires firewalls with more throughput. Larger firewalls tend to have better throughput numbers.
Applications to be traffic shaped, SDWAN connections and the number of remote users supported by the firewall have an impact on the sizing.
Fortinet firewalls can be configured to control switches and APs. The number of devices controlled has a marginal impact but does require some CPU and memory resources.
Finally, the money available for purchase is the final calculation. Note that maintenance agreements are also part of this equation as an NGFW is a brick without maintenance.
Different vendors have different metrics to consider but it all comes down to throughput, user count and processing power requirements.
For instance, if you switch on all the NGFW features, the device may have to be sized up to cope with the extra processing requirements.
There are many factors but it is the number of users and the second is throughput.