What Does it Take to Validate Fortinet’s Fastest Next-Generation Firewall?
2022-01-12 | 7 min read
With a rapidly increasing demand for elevated security and terabit speeds, driven by the sheer number of bandwidth-hungry applications and newer speeds like 400G, devices need to keep pace with continuously scaling traffic volumes. On top of that, when adding new technologies like 5G and IoT, along with the threat of encrypted attacks, it becomes obvious that testing platforms need to scale up dramatically to validate production devices and to make sure they will perform according to expectations when placed in production environments.
One proven way of addressing this demand is for the network equipment manufacturers (NEMs) to scale up both in terms of raw power and port speed. However, the steady growth of TLS 1.3 adoption brings a new dimension to handling these challenges. In this context, it is becoming overwhelmingly difficult to estimate how a next-generation firewall (NGFW) will scale when it is required to inspect terabits of traffic and to protect against threats. To stay on top of this, manufacturers have started to design scalable, future-proof architectures that allow their customers to allocate resources when and where the pain points arise. The new FortiGate 7121F Series is one such device, delivering high-performance NGFW capabilities for large enterprises and service providers.
This is where Keysight's new BreakingPoint-powered APS-100/400GE Series testing platform comes into play, helping manufacturers validate their NGFWs by providing hyperscale speeds and unprecedented TLS performance. Its modular architecture, both in terms of hardware and software, allows it to scale linearly as the need increases or to allocate resources to separate test beds as required.
With the performance of its latest NGFW outpacing its traditional test tools, Fortinet reached out to Keysight for early access to the APS-100/400GE Series, the industry's highest-scaling application and security test platform. With BreakingPoint, the testbed is able to replicate hyperscale environments in a modular, grow-as-you-need approach and to validate the performance and security features of the device under test (DUT) at these speeds.
For this test, we used a full stack of ten APS-ONE-100 appliances to push the FortiGate 7121F Series to its maximum performance. Fortinet test engineers were able to use the same BreakingPoint testing they were familiar with, resulting in a straightforward configuration and simplified validation efforts.
Extensive testing was performed covering multiple scenarios, ranging from basic HTTP traffic used to maximize bandwidth and connections per second (CPS) while still preventing threats, all the way to complex scenarios using encrypted traffic, security attacks, and a mix of applications.
In this blog, we will focus on the first two test scenarios validated using the BreakingPoint APS-100/400GE Series:
- Application Control with Web Filtering: This is a use case relevant for customers like educational institutions, where there is a need to prevent students from accessing harmful or unauthorized content. The test reached an astonishing 1.13 Tbps while the device was monitoring traffic and logging all URLs, as the test goals required. It consisted of HTTP traffic with 64 KB objects as the payload and randomized URLs, used to validate the device's capability to handle high CPS while logging every URL for full visibility.
- Threat Protection with Security Attacks: This test is relevant for customers like enterprise data centers and service providers who need to strengthen their security to avoid brand damage caused by ransomware and other attacks. The test was able to reach 639 Gbps of bandwidth with all the high security features enabled on the DUT. In addition, 448 security attacks were simulated using BreakingPoint, and the device was confirmed to detect and block all of them. HTTP traffic with 64 KB objects as the payload was used this time, with threat protection features enabled such as application control, intrusion prevention, and antivirus. All of these had logging enabled for visibility, with the added requirement of preventing all the attacks.
The ultimate goal of these tests was to validate the performance and stability of the Fortinet device while pushing it to its upper resource limits with NGFW security features enabled.
We encourage you to explore the execution of the tests in more detail in the following video: BreakingPoint Ultra-High Performance Test of FortiGate 7121F Enterprise Security NGFW
Please stay tuned for more updates regarding other interesting test scenarios and their results!
APS-100/400GE Series platform highlights:
- Grow-as-you-need model: a single APS-M1010 controller can manage between one and ten APS-ONE-100 appliances, scaling with the users' needs
- Flexible use of APS-ONE-100 appliances either in a stacked system (managed by the APS-M1010 controller), or in standalone mode (1U portable form factor)
- Elevated encrypted traffic performance with an order-of-magnitude improvement: up to 150K TLS CPS and 150 Gbps encrypted throughput per appliance
- Test with hyperscale performance under realistic traffic conditions using Keysight's industry-leading BreakingPoint application and security test software
- Future-proof your investment with an upgrade path to multi-speed 400/100/50/40/25/10GE modes
- Unrivaled elephant flow performance of up to 75 Gbps per single TCP connection
- Unified user interface for the whole system: a single management IP
- Cloud-native underlying software architecture provides resiliency and reliable scalability