How We Did It
We assessed performance using three sets of tests, covering forwarding rates with mixed HTTP content, forwarding rates with static HTTP content, and TCP connection behavior. Two pairs of Spirent Avalanche C100 traffic generator/analyzers, each equipped with eight 10G Ethernet interfaces, served as the primary test tool.
For the forwarding rate tests, we configured each of the F5 firewall's 16 10G Ethernet interfaces to act as a gateway for a different IP subnet. We also installed more than 500 access rules on each firewall. We configured Spirent Avalanche to emulate 2,048 clients and up to 80 servers, distributed across the 16 subnets.
In the mixed-content tests, we offered the same combination of HTTP object types and sizes as in previous Network World tests of next-generation firewall performance. Object types included text, images, and other binary content such as PDF files. Object sizes ranged from 1 kbyte to 1,536 kbytes, all requested over HTTP. We also reran the same tests using SSL with an RC4-MD5 cipher.
The static-content tests also used HTTP and SSL, but in this case involved separate tests with 10- and 512-kbyte text objects. For both mixed- and static-content tests, we averaged forwarding rates over a 60-second steady-state period with no failed requests.
To determine concurrent TCP connection count, we configured each new client emulated by Spirent Avalanche to request one object and then do nothing, building up progressively larger numbers of connections. The maximum concurrent connection count was determined to be the largest count at which the firewall serviced all requests with no failed requests.
To determine connection setup rate, we configured clients and servers emulated by Spirent Avalanche to use HTTP version 1.0, forcing the use of a new TCP connection for each HTTP request. Using a binary search, we determined the maximum rate at which the firewall could service requests for 60 seconds with no failed transactions.
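The binary search for connection setup rate described above, shown as an added Python example that is not the testers' or Spirent's code. The function names, the simulated device capacity, the search bounds and the 100-connections-per-second resolution are assumptions made for illustration; only the 60-second trial and the zero-failure pass criterion come from the methodology.

```python
from dataclasses import dataclass

TRIAL_SECONDS = 60  # trial duration stated in the methodology


@dataclass
class TrialResult:
    offered_rate: int  # new connections per second offered to the firewall
    attempted: int     # transactions attempted over the whole trial
    failed: int        # transactions that did not complete

    @property
    def passed(self) -> bool:
        # Pass criterion from the methodology: no failed transactions at all.
        return self.failed == 0


def simulated_trial(rate: int, capacity: int = 137_500) -> TrialResult:
    """Constructed stand-in for one traffic-generator run (capacity is made up)."""
    attempted = rate * TRIAL_SECONDS
    failed = max(0, rate - capacity) * TRIAL_SECONDS
    return TrialResult(rate, attempted, failed)


def max_zero_loss_rate(run_trial, low: int, high: int, resolution: int = 100):
    """Return (highest passing rate found, list of trials run)."""
    log = [run_trial(low)]
    if not log[0].passed:
        raise ValueError("lower bound already fails; widen the search range")
    log.append(run_trial(high))
    if log[1].passed:
        # Device never failed: the figure is limited by the tester, not the DUT.
        return high, log
    best = low
    # Invariant: 'low' has passed a full trial, 'high' has failed one.
    while high - low > resolution:
        mid = (low + high) // 2
        result = run_trial(mid)
        log.append(result)
        if result.passed:
            best = low = mid
        else:
            high = mid
    return best, log
```

Each iteration costs a full 60-second trial, so the resolution chosen directly sets how long the search takes on real hardware.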