Hi Guys, I am an extreme beginner on firewalls and networks. I have a question, which will sound very naive. My brother's company has around 500 employees in the branch where he works. They have two firewalls in HA, then switches, then their servers. They run many web applications on their servers, and a large amount of data is uploaded to internal storage from internal endpoints.
They have multiple 16G and 25G network cards in their servers, storage, switches and firewalls, and they have 3 ILL lines: 2x500 Mbps and 1x350 Mbps.
My question is, why do they need 25G interfaces in the firewalls? For servers, storage and switches I can understand, since a lot of data is moved internally. But internal data can be routed through switches, and their fastest ILL is 500 Mbps. Since internal data doesn't need the firewall to move around, what's the use of 25G interfaces? Even most companies I have seen with a fast ILL have 1 Gbps, so shouldn't a 1 Gbps interface on the firewall be enough, since the data that comes and goes through the internet cannot be more than their ILL speed? In general, what is the use of firewall interfaces with a higher gigabit speed than the ILL?
1st, if traffic is going thru the firewall between server(s) and storage and the NIC was at 1G, that would be a bottleneck.
2nd, the trunks are a shared infrastructure interface; you might have 1-2-3-4+ servers with 10/25 gig NICs sending data to a server, storage or some other device.
BTW, 25 Gbps is nothing impressive; most medium-big outfits are building 100 Gbps cores and/or have had a 40 gig backbone in a LAG bundle for years now.
The price of 25 Gb vs 10 Gb is dropping every year.
YMMV
Ken Felix
PCNSE
NSE
StrongSwan
Hi,
But my question is that if internal data can be routed through switches and doesn't need a firewall for that, then what is the requirement for 25G on a firewall?
Maybe the switch does not support 1 GigE, maybe they want to run everything at 25 GbE, maybe the only transceivers they have are 25 GbE, maybe other traffic is going thru this firewall at speeds higher than 1 GigE, maybe they got a reduced $$ rate and decided to buy 25 GbE dual/single port adapters, maybe they have one of those switches where if you want to run mixed speeds on the controller you take a penalty or increased limitations, etc.....
I mean, you're asking a question that nobody can really answer except the org that has this setup ;)
I personally do not build around 100 meg or 1 GigE interfaces any more, BUT that is my preference. I think 10 GbE will be a minority in the next 4-5 years (just my guess).
YMMV
Ken Felix
PCNSE
NSE
StrongSwan
In the old days, it may have been considered wasteful to route internal traffic through a firewall, since firewalls had an inherent performance penalty. So a dedicated router or routing switch would be used, and it was considered solid practice. However, you miss out on the cool traffic classification and policy-based security that a firewall can provide. I'm generalizing, of course.
One of the benefits of the FortiGate design, particularly on the mid- to high-tier models, is the offloading architecture designed to minimize the kind of latency that's typically associated with packet inspection.
In many of our middle- and high-tier clients, we will have a FortiGate (often in a cluster) handling all internal routing duties. This gives us some excellent visualization into the kind of traffic flowing within the organization while allowing very granular inter-VLAN security policies.
For example: a company has a VLAN for staff computers and another VLAN where the building controls reside. Everything is AD-bound and FSSO is set up. I can create a policy that only allows the "HVAC control operators" group in AD to access resources on the building controls VLAN. We can also have IPS scanning traffic between those two VLANs to find and stop infected computers from attacking internal resources. All without sacrificing performance.
Internal traffic, at almost any org, passes through the firewall due to the existence of VLANs.
When you handle large networks you want to separate your LAN into different VLANs, and traffic between VLANs has to pass through the firewall and match the corresponding policies.
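The inter-VLAN policy described in the two replies above (staff VLAN to building-controls VLAN, restricted to one AD group via FSSO, with IPS on the flow) as a FortiOS CLI fragment. This is an added illustration, not configuration posted by either replier or taken from Fortinet documentation. Interface names, VLAN IDs, subnets, the FSSO collector address and the AD group DN are all constructed for the example; the collector password is a placeholder. Any traffic from the staff VLAN that does not match the policy falls to the implicit deny, which is the point of routing inter-VLAN traffic through the firewall in the first place.

```fortios
# Constructed example: two VLAN sub-interfaces on the same physical trunk port.
config system interface
    edit "staff-vlan"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
    next
    edit "bms-vlan"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 20
    next
end

# Address object for the building-controls subnet (constructed value).
config firewall address
    edit "bms-controllers"
        set subnet 10.20.0.0 255.255.255.0
    next
end

# FSSO collector agent on the domain controller (assumed address, placeholder secret).
config user fsso
    edit "dc-collector"
        set server 10.10.0.5
        set password <collector-agent-password>
    next
end

# FSSO user group mapped to the AD group; the DN is a constructed example.
config user group
    edit "HVAC-control-operators"
        set group-type fsso-service
        set member "CN=HVAC control operators,OU=Groups,DC=example,DC=com"
    next
end

# Only logged-in members of the AD group may reach the BMS subnet,
# and the flow is inspected by IPS. Everything else from staff-vlan
# to bms-vlan hits the implicit deny.
config firewall policy
    edit 0
        set name "hvac-ops-to-bms"
        set srcintf "staff-vlan"
        set dstintf "bms-vlan"
        set srcaddr "all"
        set dstaddr "bms-controllers"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set groups "HVAC-control-operators"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end
```

With this in place, a staff workstation whose logged-in user is not in the group gets no route-through at all, and a compromised HVAC operator's machine attacking the controllers is still subject to IPS signatures and full logging on the inter-VLAN hop.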
Copyright 2024 Fortinet, Inc. All Rights Reserved.