tarjo
New Contributor

New Session Per Second

Hi All,

I have a little question to ask.

I'm using a FortiGate 100D right now. Based on this link https://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-100D.pdf , new sessions/sec is up to 22.000.

If I'm facing a site that handles people coming together at some time, up to 1 million or more, does it mean that all FortiGate low-end, high-end, and most high-end products can not comply with my situation?

Should I remove the firewall?

Or should I change to a server-based firewall (iptables or something else)?

Or is my understanding about new sessions/sec wrong?

I'd really appreciate it if anyone could help me.

Thanks

emnoc
Esteemed Contributor III

Is that 1 million sessions per second? Bad news: even most mid-range firewalls can't handle that number. So is that 1 million total sessions, or 1 million new sessions (TCP) per second?

 

I think you should work with an SSE on the properly sized appliance, imho.

PCNSE 

NSE 

StrongSwan  
ede_pfau

According to the Product Matrix (http://www.fortinet.com/sites/default/files/productdatasheets/Fortinet_Product_Matrix.pdf) there is no hardware from Fortinet that can establish 1 million sessions per second. The biggest irons will do 400.000 though.

First, you could handle all these sessions in 2.5 seconds on a 3100D, or in 45 seconds on your 100D. Some connections will have to wait then.

 

Now, we don't know what kind of session or service you are planning for. Assuming HTTP, a session buildup will (just an estimate) take 1KB (16 64-byte packets). This would mean 1000 million bytes/sec or 10 Gbps bandwidth on your WAN side. No problem to handle that for a Fortigate, even a mid-range model.

 

Without doing any lab tests I'd estimate that an all-purpose server with an OS like Unix, Linux or Windows will handle several orders of magnitude fewer sessions per second than dedicated (firewall) hardware. Software on your server will never get you into the vicinity of your goal.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
tarjo
New Contributor

Hello ede_pfau,

Yes, it is an HTTP session. But isn't it the network/session layer that the FortiGate handles?

When one user establishes a TCP connection, isn't it counted as 1 TCP session? CMIIW

So that's why I'm asking the silly question: if there are 1 million users coming together in the same second, would that mean we will be blocked by the hardware limitation?

So if the firewall hardware is capable of up to 400.000 new sessions per second, what about the other 600.000?

Are they going to be queued/buffered for the next seconds, or will they be dropped?

Thanks for your help

emnoc
Esteemed Contributor III

If it's 1 million sessions, all at once, some will not be handled and would be dropped or not updated in the session table.

 

You could look at the diag system session command for statistics,

 

e.g

 

diag sys session stat | grep rate

 

The setup_rate would be a starting point. Keep in mind what ede posted earlier: each TCP session (SYN) could be up to 40 bytes or more. So 1 million x 40 bytes would be a lot of traffic at one given time. A FGT100D is not the firewall that you need in this case.

 

Do you have access to a FTNT SSE?

 

PCNSE 

NSE 

StrongSwan  
ede_pfau

I wholly agree with @emnoc. 1 million new sessions per second takes a tremendous effort. The top-notch FG-3700D with 400k sps costs about 150k US-$ (with 1 yr service), and you would need 2 for a cluster. Just to help you set the cost frame right, with a 100D at the moment. Quite an academic discussion if cost doesn't play a role.

 

One user connecting would not always mean one new session - think of loading a web page, with a number of embedded images. A click onto an average webpage can cost you a lot of new sessions, maybe even 30-40. Just watch the session table on your FGT, sessions for a single source IP address, and count them.

 

One million new users per second would be much, much harder to handle. I don't think you'd find a hardware firewall for this on the market today.

You can relax your requirements if you only think of handling single events where a lot of users connect, and not for a prolonged period. Session attempts would be dropped if the hardware couldn't handle it, and processed a couple of seconds later on second try. If that is acceptable is up to you.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
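A small capacity model of the reasoning in the replies above (drain time at a given new-session setup rate, the sessions-per-page multiplier, and attempts that are dropped and retried a couple of seconds later), added here as an example. It is not code from the thread or from Fortinet; the figures it is fed (400k and 22k sessions/sec, 30-40 sessions per page load) come from the replies, and the retry delay is a constructed assumption.

```python
"""Burst model for 'N users connect in the same second' behind a firewall
with a fixed new-sessions-per-second limit (constructed example)."""
from collections import deque


def drain_seconds(users, sessions_per_user, setup_rate):
    """Best case: every excess attempt queues and is set up later.
    Returns the seconds needed to set up the whole burst."""
    return users * sessions_per_user / setup_rate


def required_setup_rate(users, sessions_per_user, target_seconds):
    """New sessions/sec needed to absorb the burst within target_seconds."""
    return users * sessions_per_user / target_seconds


def simulate_burst(users, sessions_per_user, setup_rate,
                   retry_delay=2, max_seconds=3600):
    """Second-by-second model of the 'dropped, then processed on second
    try' behaviour described in the thread. The firewall keeps no queue:
    attempts above setup_rate in a given second are dropped and come back
    retry_delay seconds later (assumed client retry timer).
    Returns (seconds until every attempt succeeded, total dropped attempts)."""
    pending = users * sessions_per_user      # attempts arriving this second
    retries = deque()                         # (second_due, count)
    dropped_total = 0
    for second in range(1, max_seconds + 1):
        while retries and retries[0][0] <= second:   # retries due now
            pending += retries.popleft()[1]
        accepted = min(pending, setup_rate)
        dropped = pending - accepted
        dropped_total += dropped
        if dropped:
            retries.append((second + retry_delay, dropped))
        pending = 0
        if not retries:                       # nothing left to retry
            return second, dropped_total
    raise RuntimeError("burst not drained within max_seconds")


if __name__ == "__main__":
    million = 1_000_000
    for name, rate in (("FG-3100D/3700D class", 400_000), ("FG-100D", 22_000)):
        print(name, "queued drain:", drain_seconds(million, 1, rate), "s")
        print(name, "drop+retry:", simulate_burst(million, 1, rate))
    # one click = 30-40 sessions, so 1M users is really 30M+ new sessions
    print("1M users x 30 sessions at 400k/s:", drain_seconds(million, 30, 400_000), "s")
```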
emnoc
Esteemed Contributor III

One user connecting would not always mean one new session - think of loading a web page, with a number of embedded images. A click onto an average webpage can cost you a lot of new sessions, maybe even 30-40. Just watch the session table on your FGT, sessions for a single source IP address, and count them.

 

A typical web page could spin off 10+ sessions.

 

100% correct, and so easily missed.

 

 

PCNSE 

NSE 

StrongSwan  
tarjo
New Contributor

Hi emnoc,

It's 1 million new sessions per second.
