Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Firewall limitations

To: [email protected]
Subject: Re: [FW-1] Firewall limitations
From: Jon Vandiveer <[email protected]>
Date: Thu, 15 Nov 2001 09:15:52 -0600
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

You will be hard pressed to find this type of information.
Also it depends on which FW version you are running.
4.1 The only limit I have seen is 25k connection limit back in the Nokia's
IPSO 3.1~, for some reason had a max connection limit of 25k. This was fixed
in the subsequent release of IPSO, as well as a workaround to modify the max
connections and memory for the state table.
I never ran into connection limits with NT, course it probably cannot handle
that much in the first place, and I have never run a multi cpu Solaris box.

NG: Has been tested and was said to be able to handle over 1 million
connections in it connection table, personally I have never seen this, but
with the new introduction of the ASIC fw's that Nortel and other vendors are
producing using the NG kernel, I would probably classify this as a safe bet.

Answering the rest of your question is very hardware specific and there is
no sliding scale or formula that will tell you how memory. cpu's and such
will affect your throughput.

Jon

Date:    Tue, 13 Nov 2001 12:10:49 -0500
From:    "Holland, Stephen" <[email protected]>
Subject: Firewall limitations

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C16C66.24973D80
Content-Type: text/plain;
        charset="iso-8859-1"

I am trying to find out what FW-1 limitations.  Limitations I would be
interested in would be how many socket/flows/connections can the state table
handle before the firewall is slow or dies.  What is the amount of "hits"
per second can FW-1 can handle and make stateful decisions about before it
is slow or fails?  I know there will be some limitation by bandwidth, OS,
and hardware, but lets say you are running on a SUN 4500 with 4 processors,
4 gigs of ram, Solaris 2.7 with a three legged design thus giving you 100mb
to ISP, DMZ, and internal LAN.

Does anyone have a good link or knowledge of this kind of information?



Jon Vandiveer
[email protected]

"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
rm -rf /bin/laden

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

Prev by Date: [FW-1] Messages getting stuck in SMTP security server spool?
Next by Date: [FW-1] Firewall limitations
Previous by thread: Re: [FW-1] Firewall limitations
Next by thread: [FW-1] Firewall limitations
Index(es):
- Date
- Thread