Hi All,
I have a little question to ask.
I'm using a FortiGate 100D right now. Based on this link https://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-100D.pdf , new sessions/sec is up to 22,000.
If I'm facing a site that handles people coming together at some time, up to 1 million or more, does that mean that all FortiGate low-end, high-end, and top-end products cannot comply with my situation?
Should I remove the firewall?
Or should I change to a server-based firewall (iptables or something else)?
Or is my understanding of new sessions/sec wrong?
I'd really appreciate it if anyone could help me.
Thanks
Is that 1 million sessions per second? Bad news: even most mid-range firewalls can't handle that number. So is this 1 million total sessions, or 1 million new (TCP) sessions per second?
I think you should work with an SSE on a properly sized appliance, imho.
PCNSE
NSE
StrongSwan
According to the Product Matrix (http://www.fortinet.com/sites/default/files/productdatasheets/Fortinet_Product_Matrix.pdf) there is no hardware from Fortinet that can establish 1 million sessions per second. The biggest irons will do 400,000, though.
First, you could handle all these sessions in 2.5 seconds on a 3100D, or in 45 seconds on your 100D. Some connections would have to wait then.
Now, we don't know what kind of session or service you are planning for. Assuming HTTP, a session setup will (just an estimate) take 1 KB (16 64-byte packets). This would mean 1000 million bytes/sec, or 10 Gbps of bandwidth on your WAN side. No problem for a FortiGate to handle that, even a mid-range model.
Without doing any lab tests, I'd estimate that an all-purpose server with an OS like Unix, Linux or Windows will handle several orders of magnitude fewer sessions per second than dedicated (firewall) hardware. Software on your server will never get you into the vicinity of your goal.
Hello ede_pfau,
Yes, it is an HTTP session. But isn't it the network/session layer that the FortiGate is handling?
Isn't it the case that when one user establishes a TCP connection, it counts as 1 TCP session? CMIIW
So that's why I'm asking the silly question: if there are 1 million users coming together in the same second, would that mean we will be blocked by the hardware limitation?
So if the firewall hardware is capable of up to 400,000 new sessions per second, what about the other 600,000?
Are they going to be queued/buffered for the next seconds, or will they be dropped?
Thanks for your help
If it's 1 million sessions all at once, some will not be handled and would be dropped or not updated in the session table.
You could look at the diag system session command for statistics, e.g.:
diag sys session stat | grep rate
The setup_rate would be a starting point. Keep in mind what ede posted earlier: each TCP session (SYN) could be up to 40 bytes or more. So 1 million x 40 bytes would be a lot of traffic at one given time. An FGT100D is not the firewall that you need in this case.
Do you have access to a FTNT SSE?
PCNSE
NSE
StrongSwan
I wholly agree with @emnoc. 1 million new sessions per second takes a tremendous effort. The top-notch FG-3700D with 400k sps costs about 150k US$ (with 1 yr service), and you would need 2 for a cluster. Just to help you set the cost frame right, with a 100D at the moment. Quite an academic discussion, if cost doesn't play a role.
One user connecting would not always mean one new session; think of loading a web page with a number of embedded images. A click on an average web page can cost you a lot of new sessions, maybe even 30-40. Just watch the session table on your FGT, sessions for a single source IP address, and count them.
One million new users per second would be much, much harder to handle. I don't think you'd find a hardware firewall for this on the market today.
You can relax your requirements if you only think of handling single events where a lot of users connect, and not for a prolonged period. Session attempts would be dropped if the hardware couldn't handle them, and processed a couple of seconds later on a second try. Whether that is acceptable is up to you.
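A back-of-the-envelope model of the arithmetic in this thread (ede_pfau's drain-time and 1 KB-per-setup estimates, emnoc's diag sys session stat | grep rate check, and the page-load multiplier and retry behaviour discussed just above), written as an added example for this page. It is not code from the thread, from Fortinet, or from any poster. The rated setup rates are the two figures quoted in the thread; the 1000-byte handshake cost, the SYN retransmit schedule (Linux-style 1/2/4/8/16/32 s) and the sample stat line are assumptions made here for illustration.

```python
"""Capacity model for the "1 million new sessions per second" question.

Added example, not code from the thread or from Fortinet. Rated setup rates
are the figures quoted in the thread (22,000 for the FG-100D datasheet,
400,000 for the largest model in the product matrix); the per-setup byte
cost, the SYN retransmit schedule and the sample CLI line are assumptions.
"""
import re

# Rated new-session setup rates (sessions/second), as quoted in the thread.
RATED_SETUP_RATE = {"FG-100D": 22_000, "FG-3700D": 400_000}

# Assumed client behaviour: Linux-style SYN retransmit backoff in seconds
# between attempts (1, 2, 4, ...), six retransmits, so a client gives up
# about 63 s after its first SYN. Other stacks use different timers.
SYN_BACKOFF = (1, 2, 4, 8, 16, 32)

# Constructed sample of a 'diag sys session stat' output line; the key=value
# layout is assumed here, check it against your own box's output.
SAMPLE_STAT_LINE = "misc info:\tsession_count=18342 setup_rate=3150 exp_count=0 clash=0"


def drain_seconds(new_sessions, setup_rate):
    """Seconds needed to admit `new_sessions` that all arrive at once,
    if the firewall sets up exactly `setup_rate` sessions per second."""
    return new_sessions / setup_rate


def setup_traffic_gbps(sessions_per_sec, bytes_per_setup=1000):
    """WAN bandwidth consumed by session establishment alone, assuming
    `bytes_per_setup` bytes of handshake plus first request per session."""
    return sessions_per_sec * bytes_per_setup * 8 / 1e9


def parse_setup_rate(stat_line):
    """Pull setup_rate out of a 'diag sys session stat' line (None if absent)."""
    m = re.search(r"\bsetup_rate=(\d+)", stat_line)
    return int(m.group(1)) if m else None


def simulate_burst(users, sessions_per_user, setup_rate,
                   backoff=SYN_BACKOFF, horizon=120):
    """Crude one-second-tick model of a single burst.

    Every user opens `sessions_per_user` TCP sessions at t=0. Each second the
    firewall admits at most `setup_rate` of the attempts due that second; the
    rest are dropped and the clients retry after the next `backoff` delay,
    giving up once `backoff` is exhausted.

    Returns (second at which every attempt was admitted or abandoned, number
    of sessions abandoned); the first element is None if `horizon` was too short.
    """
    target = users * sessions_per_user
    pending = [(0, 0, target)]          # (due_time, retries_so_far, count)
    admitted = abandoned = 0
    for t in range(horizon + 1):
        due = [b for b in pending if b[0] == t]
        pending = [b for b in pending if b[0] != t]
        capacity = setup_rate
        # Serve the attempts that have already been retried most often first.
        for _, retries, count in sorted(due, key=lambda b: b[1], reverse=True):
            admit = min(count, capacity)
            capacity -= admit
            admitted += admit
            dropped = count - admit
            if dropped == 0:
                continue
            if retries < len(backoff):
                pending.append((t + backoff[retries], retries + 1, dropped))
            else:
                abandoned += dropped
        if admitted + abandoned == target:
            return t, abandoned
    return None, abandoned


if __name__ == "__main__":
    for model, rate in RATED_SETUP_RATE.items():
        print(f"{model}: 1M sessions drain in {drain_seconds(1_000_000, rate):.1f} s")
    print(f"1M setups/s ~ {setup_traffic_gbps(1_000_000):.1f} Gbps of handshake traffic")
    observed = parse_setup_rate(SAMPLE_STAT_LINE)
    print(f"sample box: setup_rate={observed}/s, "
          f"{RATED_SETUP_RATE['FG-100D'] - observed}/s headroom on a 100D")
    for users, per_user, model in [(1_000_000, 1, "FG-3700D"),
                                   (1_000_000, 1, "FG-100D"),
                                   (1_000_000, 30, "FG-3700D")]:
        done, lost = simulate_burst(users, per_user, RATED_SETUP_RATE[model])
        print(f"{model}, {users} users x {per_user} sessions: "
              f"settled at t={done}s, {lost} sessions abandoned")
```

With the thread's numbers the model admits the whole 1 million-session burst on the 400k box by the second retry (t=3 s) with nothing lost, while on the 100D the clients abandon about 85% of their attempts before the retransmit schedule runs out at t=63 s. Multiplying by 30 sessions per page load, as the post above suggests, makes even the big box shed most of the burst, which is the point of counting sessions per source IP on a real box before sizing anything.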
> One user connecting would not always mean one new session; think of loading a web page with a number of embedded images. A click on an average web page can cost you a lot of new sessions, maybe even 30-40. Just watch the session table on your FGT, sessions for a single source IP address, and count them.
A typical web page could spin off 10+ sessions.
100% correct, and so easily missed.
PCNSE
NSE
StrongSwan
Hi emnoc,
It's 1 million new sessions per second.