40Gb & 60mpps firewall?


xexe (Member, joined Sep 30, 2013):
Hello,
Looking for a firewall to filter by destination or source IP for up to 40Gb/s and ~60Mpps; can someone suggest something without needing tons of money?
Or maybe what to look for?
 

altmind (Active Member, joined Sep 23, 2018):
Fortigate 1100E, ~$20000. Advanced filtering is extra.
A 40Gbps firewall is not a trivial product; there isn't a cheap solution.
 

fohdeesha (Kaini Industries, joined Nov 20, 2016, fohdeesha.com):
If all you need to filter on is L4-and-above stuff like IP/port (e.g. you don't need NAT), then a $200 ICX6610 fits that bill if you don't need a bunch of 40GbE ports, or any of the ~$500 Aristas like the 7050QX-32S if you do, etc. (all used prices, of course). With those requirements you'll have much better luck searching for an L3 switch instead of a firewall.
 

azev (Well-Known Member, joined Jan 18, 2013):
@fohdeesha does any of the hardware you mentioned do stateful filtering? Trying to perform firewall functions using a non-stateful device is very troublesome.
 

Wolfstar (Active Member, joined Nov 28, 2015):
That is very, very dependent on what exactly it is you're firewalling. SPI is higher than Layer 4, which means it ain't happening at 40G cheap. You are well over into the land of RFC 1925 Rule 7a: Good, Fast, Cheap: pick any two. You can do Cheap and Fast (a 40G Layer 3 switch doing access control lists, which will handle IP- and port-level blocking), or Good and Cheap (1G+ SPI, maybe not much more than that), or you can do SPI at 40Gbit/sec, in which case start looking at harvesting organs.
 

fohdeesha (Kaini Industries, joined Nov 20, 2016, fohdeesha.com):
Yeah, if his ultimate goal is simply to drop/block certain source and destination IPs, there's not much reason to require stateful connection tracking.
 

xexe (Member, joined Sep 30, 2013):
> Fortigate 1100E, ~$20000. Advanced filtering is extra.
> A 40Gbps firewall is not a trivial product; there isn't a cheap solution.

I saw that's not cheap, especially the Cisco.

> If all you need to filter on is L4-and-above stuff like IP/port (e.g. you don't need NAT), then a $200 ICX6610 fits that bill if you don't need a bunch of 40GbE ports, or any of the ~$500 Aristas like the 7050QX-32S if you do, etc. (all used prices, of course). With those requirements you'll have much better luck searching for an L3 switch instead of a firewall.

Thank you for the advice. Will try the Arista; currently using a CER 2024C-4X-RT, but hit the IP list limit. As I understood, Arista has larger IP list capabilities, am I right?
 

oddball (Active Member, joined May 18, 2018):
Take a look at the TNSR product. I was told that on a Xeon D with 16GB of RAM they can statefully police 20GbE full duplex. With a faster processor and more RAM they could do 40GbE. If you throw an E5-2699 v4 with 128Gb of RAM at it you could easily do 80GbE full duplex; that's going to be a LOT cheaper than a "real" solution.

There are a few products that can do this pretty easily at the hardware level. Look at the Juniper SRX5400 with the current MPC. They sell dual 40GbE and dual 100GbE cards for it. I believe the standard one comes with 10GbE ports, so you can do 100GbE in a port channel out of the box.

We looked into this some and came away with a few conclusions:

1) Are you saturating 40GbE full time and need to police it at line rate? Is it possible to squish it down to 20GbE and do that at line rate?
2) Does it have to be a single 40GbE stream, or can it be 4x 10GbE? If it's the latter you can get something like the Juniper SRX4100 used on eBay for $10k.
3) If you are actually saturating 40GbE and need to firewall it, then your business probably has the cash to pay for the type of solution that can provide this. Expect six figures at a minimum.
4) Another alternative is to build out a zero trust network and do policing at the host level.
 

fohdeesha (Kaini Industries, joined Nov 20, 2016, fohdeesha.com):
> I saw that's not cheap, especially the Cisco.
>
> Thank you for the advice. Will try the Arista; currently using a CER 2024C-4X-RT, but hit the IP list limit. As I understood, Arista has larger IP list capabilities, am I right?

By IP list limit do you mean you ran out of TCAM? That CER will do full tables if I remember right, so it's going to have way more TCAM than those Aristas. How many ACL entries?
 

scline (Member, joined Apr 7, 2016):
+1 to what fohdeesha mentioned here. An L3 ACL on a switch is likely going to be your best bet here for capacity and cost. Given those numbers, I don't think a firewall exists that can handle your needs (well, outside of a small fortune).

Something that did stand out, however: the CER, being able to support 1.5M routes, should have a sizable TCAM for ACLs. While I am not familiar with the platform, I know that depending on how rules are written you may be inefficiently using the resources on your switch.

On the Juniper platform, for example, an ACL comparing many sources and destinations exponentially increases how much TCAM is used. Depending on the number of subnets you're trying to block, your rules may be written a bit simpler to compensate for this.

Example:

    From Source: {10.0.0.0/8, 10.1.0.0/24, 10.2.0.0/24}
    To Destination: {1.1.1.1/32, 2.2.2.2/32, 3.3.3.3/32}
    On Port: {80, 443}
    Deny

can translate to:

    From Source: {10.0.0.0/8, 10.1.0.0/24, 10.2.0.0/24}
    To Destination: {1.1.1.1/32}
    On Port: {80, 443}
    Deny

    From Source: {10.0.0.0/8, 10.1.0.0/24, 10.2.0.0/24}
    To Destination: {2.2.2.2/32}
    On Port: {80, 443}
    Deny

    From Source: {10.0.0.0/8, 10.1.0.0/24, 10.2.0.0/24}
    To Destination: {3.3.3.3/32}
    On Port: {80, 443}
    Deny

in TCAM space. If possible, just block on source or destination, and only inbound or outbound on the interface. Such a change would save 60% of the space used.

Some good reading about this (likely in a better format than I can explain):
[EX/QFX] How to calculate and to optimize TCAM usage in firewall filters - Juniper Networks


Another way around this could be BGP peering to blackhole traffic locally. Reflect routes from another device (likely a script plus ExaBGP or BIRD on a Linux host) that maintains a list of IPs or subnets you want blocked, and simply forward them to a null route. This isn't as flexible as an ACL but can scale much larger, depending on how granular the rules need to be.
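As an added illustration (not code from scline's post, nor anything from Juniper's documentation), here is a small Python estimator that applies a simple source x destination x port cross-product model to the rule quoted above; the model is an assumption standing in for the platform's real TCAM allocation, and the example also shows that two of the quoted source prefixes are already covered by 10.0.0.0/8 and can be dropped:

```python
from dataclasses import dataclass
from ipaddress import collapse_addresses, ip_network
from itertools import product

@dataclass(frozen=True)
class Term:
    """One ACL term: each field is a tuple of match values; empty means 'any'."""
    sources: tuple = ()
    destinations: tuple = ()
    ports: tuple = ()
    action: str = "deny"

def expand(term):
    """Entries the term occupies under a cross-product TCAM model (assumption:
    every source/destination/port combination needs its own entry)."""
    srcs = term.sources or ("any",)
    dsts = term.destinations or ("any",)
    ports = term.ports or ("any",)
    return list(product(srcs, dsts, ports))

def tcam_entries(terms):
    """Total entries consumed by a list of terms."""
    return sum(len(expand(t)) for t in terms)

def aggregate(prefixes):
    """Drop prefixes covered by a shorter one and merge adjacent ones; in the
    post's rule 10.0.0.0/8 already contains both /24s, so three become one."""
    return tuple(str(n) for n in collapse_addresses(ip_network(p) for p in prefixes))

# The rule quoted in the post.
ORIGINAL = Term(("10.0.0.0/8", "10.1.0.0/24", "10.2.0.0/24"),
                ("1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"),
                (80, 443))

# The post's per-destination split: same total footprint, just spelled out.
SPLIT = [Term(ORIGINAL.sources, (dst,), ORIGINAL.ports)
         for dst in ORIGINAL.destinations]

# Same match, with redundant prefixes removed from both address sets.
AGGREGATED = Term(aggregate(ORIGINAL.sources), aggregate(ORIGINAL.destinations),
                  ORIGINAL.ports)

# The post's recommendation: match on one field only.
SOURCE_ONLY = Term(sources=aggregate(ORIGINAL.sources))

if __name__ == "__main__":
    for label, terms in (("original", [ORIGINAL]), ("split", SPLIT),
                         ("aggregated", [AGGREGATED]), ("source only", [SOURCE_ONLY])):
        print(f"{label:12s} {tcam_entries(terms):3d} entries")
```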
 