Fortinet Forum
ede_pfau
Esteemed Contributor III

Right-Sizing: which FortiGate for 300 SSLVPN users?

Hi guys,

I need to size a FGT as an SSLVPN gateway. There will be around 300 concurrent users, albeit on a 400 Mbps line (as of now). No heavy UTM is planned, just some AV, anti-botnet stuff. Remote users will access intranet servers for HTTP, HTTPS, some SAP (ERP), no big file transfers. Web portal and tunneling as well.

I thought of going for a 500D in a cluster of 2. Running v5.2.7.

Any comments, experience with the 500D and opinions on this are very welcome, time is pressing!

Thanks.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

emnoc
Esteemed Contributor III

That might be too small if you're planning on growing or doing anything bigger. I believe the latest datasheets have you peaking at 400 Mbps max SSLVPN. Then again, FTNT are very loose with the numbers that they post (ideal vs. real-world experience could be a big stretch).

IMHO

For the price bump, a 1K has a slightly better performance ratio, but a FGT800/900D could be a great contender since it also has a NP6 and over 2 Gbps SSLVPN performance, with the dual plus of 10GE and dual power supply. The latter is a must if you need 99.999% availability and 100% uptime in a DC environment.

We use FGT600D currently, and they are not too bad, but I would shy away from a 500D unless the $$$$ budget number mandates a FGT500D.

YMMV on FortiOS 5.2.7. We've seen awkward performance in all releases of 5.2.x across everything from a FGT92 to 3240C.

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

Thanks Ken for the helpful hints, really appreciate it.

As I compare 500D to 600D and 800D, the (new) 800D has even slightly less performance than the 600D, at a higher price point. The 600D features 2.2 Gbps SSLVPN and 2.4 Gbps AV (though probably not at the same time) but lacks redundant PSUs internally; RPS is available externally.

If it were my choice, I'd prefer the 600D over the 500D for this task. Price difference is about +15% in EMEA.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Prab
New Contributor

Hi Ede,

Unfortunately I have never got my hands on 500D series FGs yet.

However, I would like to add to the reply from Emnoc: I would suggest not deciding on a model purely based on datasheets.

As per my understanding, the metrics provided in the datasheet for a specific feature are measured when the FGT is only configured and mainly used for that specific feature. Also, please be aware that the performance tests are performed in a lab environment.

For example: let's say a datasheet states that a FGT model has 1 Gbps IPsec throughput and 500 Mbps SSL VPN throughput. This means that this FGT can provide 1 Gbps IPsec throughput when it is only being used as an IPsec VPN server. It shall provide 500 Mbps SSL VPN throughput when it is only serving as an SSL VPN server.

If you use the FGT as IPsec and SSL VPN server simultaneously, then you will never see the performance mentioned in the datasheets. You shall then get a mixed performance.

Hope it helps in some way.

Thanks & regards,

Prab

ede_pfau
Esteemed Contributor III

@Prab:

To some extent you are right. Your example OTOH is a bad one: IPsec throughput is easily guaranteed as it's offloaded onto the NP ASIC, while SSL throughput is limited by CPU. The latter will be much more hurt by other activities (like session setup) than IPsec.

Of course, you can always get a test drive and see for yourself, in your environment.

In my experience, the FTNT datasheet values are close to reality, even in a mix. They even state throughput for a mix of UTM features ('enterprise mix'). I've seen plain bull in other vendors' datasheets where even firewalling throughput is reduced to 10% merely by activating AV.


Ede

"Kernel panic: Aiee, killing interrupt handler!"