tarjo
New Member
January 11, 2016
Question

New Session Per Second

  • January 11, 2016
  • 1 reply
  • 17263 views

Hi All,

I have a little question to ask.

I'm using a FortiGate 100D right now. Based on this link https://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-100D.pdf , new sessions/sec is up to 22,000.

If I'm facing a site that handles people arriving together at some point in time, up to 1 million or more, does that mean that all FortiGate products, low-end, high-end and the most high-end, cannot cope with my situation?

Should I remove the firewall?

Or should I change to a server-based firewall (iptables or something else)?

Or is my understanding of new sessions/sec wrong?

I'd really appreciate it if anyone could help me.

Thanks

    1 reply

    emnoc
    New Member
    January 11, 2016

    Is that 1 million sessions per second? Bad news: even most mid-range firewalls can't handle that number. So is this 1 million total sessions, or 1 million new (TCP) sessions per second?

    I think you should work with an SSE on a properly sized appliance, imho.

    ede_pfau
    SuperUser
    January 11, 2016

    According to the Product Matrix (http://www.fortinet.com/sites/default/files/productdatasheets/Fortinet_Product_Matrix.pdf) there is no hardware from Fortinet that can establish 1 million sessions per second. The biggest irons will do 400,000 though.

    First, you could handle all these sessions in 2.5 seconds on a 3100D, or in 45 seconds on your 100D. Some connections will have to wait then.

    Now, we don't know what kind of session or service you are planning for. Assuming HTTP, a session buildup will (just an estimate) take 1 KB (16 64-byte packets). This would mean 1000 million bytes/sec or 10 Gbps of bandwidth on your WAN side. No problem for a FortiGate to handle that, even a mid-range model.

    Without doing any lab tests, I'd estimate that an all-purpose server with an OS like Unix, Linux or Windows will handle several orders of magnitude fewer sessions per second than dedicated (firewall) hardware. Software on your server will never get you into the vicinity of your goal.
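The arithmetic in the reply above (how long a burst takes to drain against a fixed new-session-per-second rating, and the setup bandwidth that rate implies), as an added example that is not part of the original thread. The model is a generic first-order rate-limit model, not a description of FortiOS internals; the 22,000/s and 400,000/s figures are the ones quoted in the thread, the 1 KB-per-setup figure is the reply's own estimate, and the burst profile is constructed. It goes one step beyond the reply by letting you cap how many pending attempts can wait, so you can see how many are lost when the backlog is bounded.

```python
"""Rate-limit model of a connection burst hitting an appliance with a
fixed new-sessions-per-second rating.  Added example for this thread;
figures quoted from the thread, everything else is an assumption."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FG100D_NEW_SESSIONS_PER_SEC = 22_000    # 100D datasheet figure quoted in the thread
TOP_MODEL_NEW_SESSIONS_PER_SEC = 400_000  # "biggest irons" figure quoted in the thread
SETUP_BYTES_PER_SESSION = 1024          # reply's estimate: 16 x 64-byte packets


@dataclass
class BurstResult:
    seconds: int                 # wall-clock seconds until the backlog is empty
    peak_backlog: int            # most attempts waiting at the end of any second
    dropped: int                 # attempts lost because the backlog cap was hit
    # per second: (arrivals, admitted, backlog_after, dropped_this_second)
    per_second: List[Tuple[int, int, int, int]] = field(default_factory=list)


def simulate(arrivals_per_sec: List[int], capacity_per_sec: int,
             max_backlog: Optional[int] = None) -> BurstResult:
    """arrivals_per_sec[t] = new connection attempts arriving in second t.
    capacity_per_sec      = new sessions the device can set up per second.
    max_backlog           = pending attempts that can wait (None = unbounded).
    Each second the device admits up to its capacity from the backlog plus
    the new arrivals; anything above the cap is counted as dropped."""
    backlog = dropped = peak = t = 0
    rows = []
    while t < len(arrivals_per_sec) or backlog > 0:
        incoming = arrivals_per_sec[t] if t < len(arrivals_per_sec) else 0
        pending = backlog + incoming
        admitted = min(pending, capacity_per_sec)
        remaining = pending - admitted
        lost = 0
        if max_backlog is not None and remaining > max_backlog:
            lost = remaining - max_backlog
            remaining = max_backlog
        dropped += lost
        backlog = remaining
        peak = max(peak, backlog)
        rows.append((incoming, admitted, backlog, lost))
        t += 1
    return BurstResult(t, peak, dropped, rows)


def drain_seconds(total_sessions: int, capacity_per_sec: int) -> float:
    """Idealised drain time for a burst of total_sessions, as in the reply."""
    return total_sessions / capacity_per_sec


def setup_bandwidth_gbps(sessions_per_sec: int,
                         bytes_per_setup: int = SETUP_BYTES_PER_SESSION) -> float:
    """Bandwidth consumed by session setup alone at the given arrival rate."""
    return sessions_per_sec * bytes_per_setup * 8 / 1e9


if __name__ == "__main__":
    burst = [1_000_000]  # constructed: one million attempts in a single second
    for name, cap in (("100D", FG100D_NEW_SESSIONS_PER_SEC),
                      ("top model", TOP_MODEL_NEW_SESSIONS_PER_SEC)):
        r = simulate(burst, cap)
        print(f"{name}: {r.seconds}s to drain (ideal {drain_seconds(burst[0], cap):.1f}s), "
              f"peak backlog {r.peak_backlog:,}")
    # Same burst, but only 100,000 attempts may wait (assumed cap, not a FortiOS value)
    capped = simulate(burst, TOP_MODEL_NEW_SESSIONS_PER_SEC, max_backlog=100_000)
    print(f"capped backlog: {capped.dropped:,} dropped, done in {capped.seconds}s")
    print(f"setup bandwidth at 1M/s: {setup_bandwidth_gbps(1_000_000):.3f} Gbps")
```

The unbounded run reproduces the reply's 2.5 s and 45 s figures (rounded up to whole seconds); the capped run shows the other side of the original question: if pending attempts cannot wait, whatever exceeds the device's rate and its backlog is simply lost, so sizing has to be done on the peak arrival rate, not the average.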

    tarjo
    Author
    New Member
    January 12, 2016

    Hello ede_pfau,

    Yes, it is an HTTP session. But isn't it the network/session layer that the FortiGate is handling?

    When one user establishes a TCP connection, isn't it counted as 1 TCP session? CMIIW

    So that's why I'm asking the silly question: if there are 1 million users coming together in the same second, would that mean we will be blocked by the hardware limitation?

    So if the firewall hardware is capable of up to 400,000 new sessions per second, what about the other 600,000?

    Will they be queued/buffered for the next seconds, or will they be dropped?

    Thanks for your help