asvraka
Staff
Article Id 321757
Description

This article explains the relationship between FortiGate, L3 routing, and NGFW throughput displayed in the product datasheets.

Scope

FortiGate.

Solution

When Fortinet tests FortiGate devices to publish values in the datasheet, multiple techniques are used to carry out the tests. The values collected are displayed in the datasheet as the maximum values for specific features (such as maximum throughput, number of connections, VPN tunnels, etc.).

One of the features measured is the throughput of the device. A question that is often asked is whether Firewall throughput is the same as the L3 routing throughput of the device, and how it differs from Next Generation Firewall throughput.

First, consider the difference between Firewall throughput and Next Generation Firewall throughput. Firewall throughput refers to legacy firewall throughput (with no application awareness), measured with only the basic network functionalities configured (like routing, NAT, traffic shaping, QoS, and some basic ACLs).

Firewall throughput can be considered the same as the L3 routing throughput. Next-generation firewall throughput is measured with various advanced inspections (with application awareness) turned on and combined (like IPS, Application Control, Web Filtering, Firewall, etc.).

Firewall throughput is measured and displayed with three different UDP packet sizes, since Firewall performance can vary based on the packet size: smaller packets usually overwhelm device hardware resources like RAM and CPU, so performance measurements are lower when the traffic consists of smaller packets.

An example of the Firewall throughput measurement in the datasheet is displayed in the image below.

[Image: packet size v3.jpg]

When NGFW throughput is measured, various advanced inspections are carried out and the Enterprise Mix of traffic is used. More information about NGFW throughput and the Enterprise Mix of applications used can be found in this related KB article: Technical Tip: FortiGate specifications using Enterprise Mix.
