650,000 CPS on a Firewall… say what?

On October 26th in Paris, Spirent joined Check Point at the introduction event of their high-end firewall, the 61000 appliance. It’s a blade-based chassis. Adding more blades gives you more performance because you have more cores, memory and so on. This architecture is nothing new. What’s new is the level of performance we measured.

Spirent supported Check Point with their live performance demos in a closed session with their top customers. I did the set-up and presentation on behalf of Spirent. Here are some graphs of what we found:

We reached 650,000 new TCP connections per second (with 1k HTTP payload, this is not raw TCP). We measured a Time to SYN/ACK (and even Time to First Byte) that remained between 0.1 and 1 millisecond. The page response time was below a millisecond. The open connections were a little on the high end, with around 400 open, which is a bit high for such a test; but given the sheer rate at which we were throwing SYNs, for me this is okay (but that’s just a personal opinion).

We then moved on to the Throughput test. Just throughput, with IPS turned on using the Recommended (not Default) profile. We reached 50+ Gbps (backplane, so incoming + outgoing) with some power left. For this test we used a traffic blend of DNS (10%), SMTP (4%) and HTTP (remainder). This required about 110,000 new TCP connections per second. This last value alone would kill most existing medium- to high-end devices.

I was simply too impressed to see that kind of performance level, without any Active/Active set up, to not mention it on this blog. I can’t wait to test some customer requests on this device to run some more tests.


About acastaner

I'm the EMEA Technical Lead for Application & Security at Spirent. I specialize in layer 4-7 technologies, Cloud, Programming and CyberSecurity.

4 Responses to 650,000 CPS on a Firewall… say what?

  1. Cool testing, I have seen the box myself in Paris, awesome.

  2. Engineer says:

    “without any Active/Active set up” – 61000 is Active/Active setup of many firewalls actually.

  3. acastaner says:

    It’s true that the concept of the hardware (as in any blade-based chassis) uses synchronizing and load balancing across the blades, so this is close to an Active/Active setup. What I meant in the article was we used only one chassis, not two. But you were right to comment on it, it’s a sort of A/A setup.

  4. Pingback: Meet Spirent at CPX 2012 | synsynack
