NGFW Firewall sizing guide

Aug 7, 2021 | Firewall | 1 comment

Firewall Sizing Guide

The firewall sizing guide below helps you to get a baseline for sizing your Next Generation Firewall. Please read the entire blog before going to purchase a firewall. There are many factors that you should take into consideration that can affect the sizing of your firewall.



The firewall sizing guide above is just that: a guide. There are two common ways to size a firewall:
1. User and Device Count
2. Throughput

The guide above uses the user and device count to estimate the size needed for your firewall. Some manufacturers don’t give a recommended user count for their firewalls, so assumptions need to be made. The guide assumes that a user generates between 3 and 7 sessions per second. Sizing for the upper end of that range, this means that if you have 10 users, you will need a firewall that provides at least 70 sessions per second. Similarly, we averaged non-user device traffic at 1-2 connections per second. The firewall’s peak connections per second is the combined total of the sessions needed for users and devices. The maximum concurrent session figure assumes that each user or device will use up to 100 sessions at any given time. This means that with 10 users the firewall needs to support 1000 concurrent sessions.

A point to note is that the guide above doesn’t take the number of servers on the network into consideration. If they are existing servers, you can look at the available data and find their maximum concurrent sessions and their peak connections per second. If this cannot be done, some people average each server as 10 users. This gives you an approximate number of sessions needed for your servers.

A mistake many persons make is forgetting that there are guest users on the network. Does your firewall service users connected to your guest wireless? Have you included these users in your estimate? If these users will be browsing the Internet using your firewall then they count toward your overall session counts.

Firewall Throughput Sizing Considerations

Before buying a firewall, we need to understand the role that the firewall will play in our network. Where will the firewall be deployed: at the core, in the datacenter or at the network edge? The location of the firewall helps determine the features that may be enabled on it. For instance, your core firewall, depending on the configuration, may not have URL filtering enabled. If your firewall is installed at the edge and controls internet browsing, URL filtering will be needed to restrict malicious or unwanted sites. Enabling URL filtering on your firewall affects overall performance and reduces the resources available for processing traffic.

Throughput is the amount of traffic that can be processed by your firewall every second. Next Generation Firewalls have features such as Firewalling, Anti-Virus, Intrusion Prevention System (IPS), Application Control, Malware Protection and URL Filtering. The more features that are enabled, the more resources are used on the firewall, reducing the available throughput. If we look at the FortiGate 201F, for instance, we can see the difference in available throughput when multiple features are enabled:

1. Firewalling 27 Gbps
2. IPS 5 Gbps
3. NGFW (Firewall, IPS, Application Control) 3.5 Gbps
4. Threat Protection (Firewall, IPS, Application Control, URL filtering, Malware Protection) 3 Gbps

As you saw above, the firewall is capable of 27 Gbps of throughput but when all the features are enabled, only 3 Gbps are supported. A point to note is that we need to look at the traffic type and testing conditions that were used to provide the firewall capabilities. This will help us to get a better understanding of the firewall’s capabilities.
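The session assumptions and the FortiGate 201F throughput figures from this post can be combined into one sizing check. The following is an added example, not the calculator that was embedded in the original page; the names `Inventory`, `size_sessions` and `profiles_meeting` are hypothetical, and the sample inventory and the 4 Gbps requirement are constructed.

```python
from dataclasses import dataclass

# Per-endpoint assumptions taken from this post
USER_CPS = (3, 7)              # sessions per second per user (low, high)
DEVICE_CPS = (1, 2)            # connections per second per non-user device
CONCURRENT_PER_ENDPOINT = 100  # concurrent sessions per user or device
SERVER_AS_USERS = 10           # fallback when no measured server data exists

# FortiGate 201F throughput (Gbps) per feature profile, as quoted in this post
FG201F_GBPS = {"firewall": 27, "ips": 5, "ngfw": 3.5, "threat_protection": 3}

@dataclass
class Inventory:
    users: int
    guests: int = 0    # guest wireless users browsing through the firewall
    devices: int = 0   # non-user devices
    servers: int = 0   # servers without measured session data

def size_sessions(inv: Inventory) -> dict:
    """Return the peak connections/second range and the concurrent session need."""
    # Guests count as users; each unmeasured server is averaged as 10 users.
    effective_users = inv.users + inv.guests + inv.servers * SERVER_AS_USERS
    return {
        "cps_low": effective_users * USER_CPS[0] + inv.devices * DEVICE_CPS[0],
        "cps_high": effective_users * USER_CPS[1] + inv.devices * DEVICE_CPS[1],
        "max_concurrent": (effective_users + inv.devices) * CONCURRENT_PER_ENDPOINT,
    }

def profiles_meeting(required_gbps: float, table: dict = FG201F_GBPS) -> list:
    """List the feature profiles whose rated throughput covers the requirement."""
    return [name for name, gbps in table.items() if gbps >= required_gbps]

if __name__ == "__main__":
    site = Inventory(users=50, guests=20, devices=30, servers=2)  # constructed sample
    print(size_sessions(site))
    # A constructed 4 Gbps requirement fits firewalling or IPS alone,
    # but not the NGFW or Threat Protection profiles.
    print(profiles_meeting(4))
```

Size against `cps_high` and the throughput of the feature profile you actually plan to enable, not the headline firewalling number.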

These are just some of the configurations needed when sizing your Next Generation Firewall. Before purchasing any firewall please ensure that you understand its role on your network. If you need help sizing or configuring your firewall please feel free to fill out this form and we will reach out to you.

I hope you benefited from reading this post.

1 Comment

  1. zoritoler imol

    It’s actually a nice and useful piece of information. I am glad that you simply shared this useful info with us. Please keep us up to date like this. Thanks for sharing.
