Part#3: Performance, Performance, Performance...Customers like it!!

Palo Alto Networks, Fortinet, Checkpoint..

Starting off this edition with a modified dialogue of KGF2. Lets start with some fun!!

Every vendor be like “Performance, Performance, Performance,..… I don’t like it!!… I avoid.. But, Customer like Performance… I cant avoid!!”. subtitles. Enjoy the BGM for a moment.

Now lets get back to article!! Every vendor need to strike a balance between features, price and performance to remain competitive. This article is Part#3 of a series to cover the performance numbers of the top three hardware NGFW vendors namely Palo Alto Networks, Fortinet and Checkpoint. If you have missed reading the Part#1 & Part#2 of this series, click on links below.

1. Hardware Configuration (Part #1).

2. Networking/Security Features (Part #2).

3. Performance Numbers (Part #3).

4. Architecture and Comparative analysis (Part#4)

The scope of this article is on the product offerings in Desktop form factor from each vendor in Branch/Retail segment. Note: Ruggedized Desktop model is skipped.

Palo Alto Networks (PAN):

The Palo Alto Networks PA-400 Series Next-Generation Firewalls, spans a range of performance needs for the distributed enterprise with a broad lineup. It delivers predictable performance with security services.

Fortinet:

Fortinet’s range of desktop firewalls provide unparalleled performance with Fortinet’s patented SoC processors. Traditional firewalls cannot protect against today’s content- and connection-based threats because they rely on off-the-shelf hardware and general-purpose CPUs, causing a dangerous performance gap. Fortinet’s custom SPU processors deliver the power you need—up to 520Gbps—to detect emerging threats and block malicious content while ensuring your network security solution does not become a performance bottleneck.

FortiWifi-40F

FortiWifi-60F

FortiGate-70F

FortiWifi-80F

Restrictions:

Checkpoint:

The Check Point Quantum Spark 1500 Pro security gateway family delivers enterprise-grade security in a series of simple and affordable, all-in-one security solutions to protect small business employees, networks, and data from cyber-theft. Models with Wi-Fi, and Wi-Fi with an embedded 5G modem fit seamlessly into your home and branch office networks.

1535, 1555 Pro (Wi-Fi model) performance numbers:

1575, 1595 Pro (Wi-Fi, 5G model) performance numbers:

Restrictions:

1 - Includes Firewall, Application Control, URL Filtering, IPS, Antivirus, Anti-Bot, SandBlast Zero-Day Protection with logging.

2 - Includes Firewall, Application Control, IPS with logging.

* Smart Accel is available on release R81.10 and above. Smart Accel must be enabled on Web UI and is currently supported on devices managed via Web UI or SMP

Summary:

1. The below is range of throughput for popular performance profiles, one important point to note here is that the below are datasheet numbers tested in ideal conditions. The throughput depends on factors like traffic profiles (HTTP/EMIX), features enabled, packet size, the number of connections and connections-per-second.. etc. So it is not an apple-to-apple comparison.

   1. Threat Prevention: PAN (600 Mbps- 2 Gbps), Fortinet (600 Mbps- 900Mbps), Checkpoint (340 Mbps - 660 Mbps).

   2. NGFW : PAN (1.1 Gbps - 4.4 Gbps), Fortinet (800 Mbps - 1 Gbps), Checkpoint(600 Mbps - 1.3 Gbps).

   3. IPSec VPN: PAN(920 Mbps - 3 Gbps), Fortinet(4.4 Gbps - 6.5 Gbps), Checkpoint(970 Mbps - 2.6 Gbps).

2. Fortinet uses specialized ASIC as its core security processing unit and has larger market-share due to it low price-to-performance ratio in the Desktop segment. Although it is reported that the performance drops significantly with more advanced features.

3. PAN has highly advanced threat prevention features across all performance ranges, but at a higher price point.

4. Fortinet is popular for providing lowest latency for traffic through the box and the due to its FortiASIC acceleration.

5. The vendors publish performance numbers across in an ideal test setup, usually it is seen that performance drops with more advanced features enabled. the customers need to consider the following for evaluating a vendor.

   1. Customer’s typical traffic profile (EMIX/HTTP/Data centre) .

   2. Features commonly enabled/required for the customer.

   3. Max connections and Connections per second requirements( # users).

   4. Long term hardware and software support of the vendor.

   5. Roadmap for current/future feature/performance/product upgrades.

   6. Independent lab testing to evaluate true performance and features required by customer.

   7. Ease of management of the device, licensing, logging, compliance and total cost of ownership.

Reference and credits:

1. Official websites of PAN, Fortinet and Checkpoint for datasheets.

2. Youtube videos of KGF2 :) and online editing tools.