Virtual Firewall with or without SR-IOV - max performance


Stril

Member
Sep 26, 2017
Hi!

I need a new firewall that can do REAL 10 GbE firewalling between internal networks on single-streams. Instead of buying a hardware-firewall, I am thinking about a virtual one...

Sophos and Fortinet are offering quite cheap virtual licenses. Fortinet demands SR-IOV, Sophos doesn't.
I need 10/40 GbE interfaces for backup-copy jobs, but still want a good IPS for the rest of the traffic (about 3 Gbit/s) --> No L3 switches or L4 firewalls.

Do you have any experience with the maximum possible performance with and without SR-IOV? I want to avoid it if possible, as it makes everything more complex...

Thank you for your thoughts
KPS

oddball

Active Member
May 18, 2018
You can easily surpass 10GbE with TNSR, it's relatively cheap. I had a quote of $900/yr for a 5Gbps license. It's honor-based on your average traffic throughput. Maybe call and ask for a 1GbE quote if you are doing bursts.

Juniper advertises 100GbE with xSRX with enough RAM and cores and that's IPS as well. We are using SRX and vSRX and throughput is exactly as advertised. We also have a Palo Alto VM-100 license we need to try out, but I've heard they exceed their rated specs. If you want to do 10GbE with Juniper or Palo Alto you're looking at $15-20k or more.

Where do you see cheap Fortigate VM licenses? The VM-00 with one vCPU is ~$1k and gets about 500Mbps of throughput. On the Fortigate website they claim 12Gbps, but if you dig into the specs it's a very specialized UDP traffic with the highest Xeon Platinum and zero firewall rules or routing configuration. I've heard you get about 90% of stated performance on Juniper, 120% on Palo, and take a 90% performance hit with Fortigate (so 10% of stated performance).

As far as I know ALL of the virtual firewalls rely on SR-IOV and DPDK, that's what makes them possible. The cool thing is if you throw cores and RAM at them there is almost no limit to these things.
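Before committing to the SR-IOV path the thread keeps coming back to, it helps to know what the host's NIC actually exposes. The script below is an added example (not posted by either member and not tied to any vendor's product): it reads the Linux sysfs entries for a physical function, reports how many virtual functions exist and are enabled, and shows whether each VF is bound to a kernel driver or to vfio-pci, which is what a DPDK-based firewall VM needs. The interface name and the sysfs root are assumptions; the root is a parameter so the functions can run against a copied or constructed tree.

```shell
#!/bin/sh
# Added example: inspect a NIC's SR-IOV state via sysfs.
# Assumed layout (standard Linux): ROOT/class/net/IFACE/device/{sriov_totalvfs,
# sriov_numvfs,virtfnN/driver}. ROOT is normally /sys.

# sriov_report ROOT IFACE: print PF capability and each VF's driver binding.
# Returns 1 when the NIC has no SR-IOV support at all.
sriov_report() {
    dev="$1/class/net/$2/device"
    if [ ! -r "$dev/sriov_totalvfs" ]; then
        echo "$2: no SR-IOV support (sriov_totalvfs absent); only paravirtual NICs possible"
        return 1
    fi
    total=$(cat "$dev/sriov_totalvfs")
    if [ -r "$dev/sriov_numvfs" ]; then num=$(cat "$dev/sriov_numvfs"); else num=0; fi
    echo "$2: SR-IOV capable, total VFs=$total, enabled VFs=$num"
    # Each enabled VF shows up as a virtfnN symlink to its PCI device directory;
    # that directory's "driver" link names the driver currently bound to it.
    for vf in "$dev"/virtfn*; do
        [ -e "$vf" ] || continue
        if [ -e "$vf/driver" ]; then
            drv=$(basename "$(readlink -f "$vf/driver")")
        else
            drv=unbound
        fi
        echo "  $(basename "$vf"): driver=$drv"
    done
    return 0
}

# count_vfs_bound ROOT IFACE DRIVER: number of VFs bound to DRIVER
# (e.g. vfio-pci for DPDK passthrough, or the vendor VF driver for kernel use).
count_vfs_bound() {
    dev="$1/class/net/$2/device"
    n=0
    for vf in "$dev"/virtfn*; do
        [ -e "$vf/driver" ] || continue
        if [ "$(basename "$(readlink -f "$vf/driver")")" = "$3" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# On a real host (root, capable NIC, interface name is an assumption):
#   sriov_report /sys enp5s0f0
#   echo 4 > /sys/class/net/enp5s0f0/device/sriov_numvfs   # enable four VFs
#   count_vfs_bound /sys enp5s0f0 vfio-pci
```

A count of zero VFs bound to vfio-pci on a host that is supposed to feed a DPDK firewall is the usual reason the VM falls back to the slow path, so this is the first thing to check when measured throughput is far below the vendor figure.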