Next-Generation Performance Testing for Next-Generation Firewalls

Posted by Samaresh Nair on Sep 3, 2021 3:52:45 PM

Friday, September 3, 2021

By Samaresh Nair, Palo Alto Networks

Firewalls have evolved over the last 20 years from stateless packet-based processing to stateful firewalls that were still based on ports and protocols. Then came the next evolution of Next Generation Firewall (NGFW). NGFWs are what's known as "application aware."

Some legacy firewall vendors layered NGFW functionalities on top of their legacy architecture, but the additions simply took more resources and dropped the performance of the firewall. Others tried to overcome this by using application-specific integrated circuits (ASICs) that merely do raw-packet processing, claiming to be the “fastest firewall in the industry."

These vendors make claims of superior performance compared with their competitors on the basis of Transmission Control Protocol and User Datagram Protocol (TCP/UDP) throughputs, raw packet latencies and similar metrics, without mentioning that these figures exclude any security processing. The network security industry is also still lagging behind on appropriately representing the performance of firewalls, and customers are often misled into choosing a vendor based on flawed claims published in datasheets.

Palo Alto Networks has taken a different approach to firewalls from its inception. Its products are architected differently from those of legacy vendors, fundamentally changing how data is processed through a single-pass architecture.

In real-world deployments — unlike networking gear such as switches and routers — firewalls are required to perform inspection and processing of various applications. It has been Palo Alto Networks’ long-standing position that raw L3/L4 throughputs measured without threat inspection turned on are not correct parameters for measuring the performance of NGFWs. This is why they have always guided performance of their firewalls with threat prevention enabled.

PA-400 Series ML-Powered NGFWs and the Miercom Report

The recently launched PA-400 series ML-Powered NGFWs are purpose-built for small office locations, both distributed enterprise branch uses as well as for small and medium-sized business customers. Palo Alto Networks worked with Miercom — a network and security testing company that performs and publishes independent analysis, research and reviews — for an independent assessment of their PA-400 series performance in real-world deployments versus Fortinet’s similarly priced Fortigate platforms.

The Miercom report proves that along with significant savings, customers do not have to choose between security and performance with PA-400 series NGFWs.

What’s in the Miercom Report?

Here are the key findings from the Miercom report on Palo Alto Networks' PA-400 Series:

  • PA-400 series devices saw up to 6x higher throughput across the parameters tested.

  • On single application tests, the PA-400 series consistently achieved a low performance degradation while Fortinet failed in Session Initiation Protocol (SIP) and Financial Information eXchange (FIX) tests.

  • PA-400 series devices provide up to 9x lower total cost of operations (TCO) compared to their equivalent Fortigate platforms.

Digging a bit deeper into the report, here are some of the other findings:

  • Fortigate platforms’ session capacity dropped significantly (up to 97%) when services were enabled (section 5.4.1).

  • Fortigate platforms are undeployable if some of the common services like SIP and FIX that are relevant for small and medium-sized business (SMB) deployments are needed (section 5.3).

  • The PA-400 series NGFWs, in contrast, achieved consistent performance with security processing enabled, surpassing Fortigate platforms in most of the tested parameters.

In addition to the Miercom report, in the 2019 NSS NGFW report — the last independent assessment published by NSS before they ceased operations — Palo Alto Networks firewalls achieved the highest security efficacy results compared with all the vendors participating in the test.

Palo Alto Networks is excited to share these findings because they validate that Palo Alto Networks not only provides the industry’s most comprehensive security platform, but also consistent performance for their firewalls at the lowest total cost possible.

Topics: Palo Alto Networks Next-Generation Firewall, Performance Testing
