The report from the independent lab NSS Labs is making news today. NSS Labs evaluated six network firewalls (from Check Point, Juniper, Cisco, Fortinet, Palo Alto and Sonicwall) and discovered that three of the six failed to stay operational when subjected to stability tests. It also found that the performance claims presented in the vendor datasheets “are generally grossly overstated.”
While the former is quite startling, the latter isn’t likely to surprise anyone. In addition to potential “padding” of performance numbers by firewall vendors, one has to consider the impact of the ruleset on performance. A firewall typically processes the ruleset sequentially until it finds a rule that matches the traffic, so every rule that sits in front of the matching one costs a comparison. An ever-growing ruleset (and firewall rules that never get retired) inevitably results in performance degradation. One can only wonder which of the rulesets used to produce the performance numbers, those chosen by the vendors or those chosen by NSS Labs, resemble real-life scenarios.
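As an added illustration (not code from the original post, from NSS Labs or from any vendor), the following Python script models the first-match processing described above over a constructed ruleset and traffic sample: it counts how many rules each packet walks through, reports rules that never matched during the replay, and flags rules that an earlier, broader rule makes unreachable. All rule names, addresses and traffic are constructed for the example.

```python
import ipaddress
from collections import Counter, namedtuple

# Fields: name, source CIDR, destination CIDR, proto ("tcp"/"udp"/"any"),
# destination port (None = any port), action ("allow"/"deny").
Rule = namedtuple("Rule", "name src dst proto dport action")

def matches(r, pkt):
    src, dst, proto, dport = pkt
    return (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
            and r.proto in ("any", proto) and r.dport in (None, dport))

def evaluate(ruleset, pkt):
    """First-match lookup: returns (matched rule name, action, rules examined)."""
    for examined, r in enumerate(ruleset, 1):
        if matches(r, pkt):
            return r.name, r.action, examined
    return None, "deny", len(ruleset)  # implicit default deny at end of list

def replay(ruleset, packets):
    """Replay traffic; returns total rule evaluations and rules that never matched."""
    hits, total = Counter(), 0
    for p in packets:
        name, _, examined = evaluate(ruleset, p)
        hits[name] += 1
        total += examined
    return total, [r.name for r in ruleset if hits[r.name] == 0]

def covers(a, b):
    """True when rule a matches every packet that rule b could match."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.proto in ("any", b.proto) and a.dport in (None, b.dport))

def shadowed(ruleset):
    """(rule, earlier rule) pairs where the earlier rule makes the later one unreachable."""
    return [(r.name, e.name) for i, r in enumerate(ruleset) for e in ruleset[:i] if covers(e, r)]

# Constructed sample policy: a stale FTP rule and a rule hidden behind a broader one.
RULES = [Rule("legacy-ftp", "10.0.0.0/8", "192.0.2.0/24", "tcp", 21, "allow"),
         Rule("web", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443, "allow"),
         Rule("dns", "10.0.0.0/8", "192.0.2.53/32", "udp", 53, "allow"),
         Rule("web-dup", "10.1.0.0/16", "192.0.2.10/32", "tcp", 443, "allow"),
         Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny")]
# Constructed traffic sample: three HTTPS flows, two DNS queries, one telnet attempt.
TRAFFIC = ([("198.51.100.7", "192.0.2.10", "tcp", 443)] * 3
           + [("10.2.3.4", "192.0.2.53", "udp", 53)] * 2
           + [("10.2.3.4", "192.0.2.9", "tcp", 23)])
```

Removing the two never-hit rules and replaying the same traffic drops the total from 17 rule evaluations to 10; a zero hit count over one replay window is only a prompt to review a rule, not proof that it is dead.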
But here are three simple things any firewall administrator can do today to improve firewall performance:
These three simple steps can be done through manual analysis, or by using automated tools such as AlgoSec Firewall Analyzer. You can take a look at the video below to see how an automated analysis works in this case.