Firewall Performance Issues

Stateful firewalls often perform at a slower rate than the link capacity of their network interfaces. This causes a problem when a host with a network interface that is faster than the firewall's internal processor attempts to send data through the firewall (TCP bursts typically occur at or near the maximum data rate of the sending host's interface). Since the firewall must buffer the traffic bursts sent to it by the data transfer host until it can process all the packets in the burst, input buffer size is critical. Unfortunately firewalls often have small input buffers, since they are typically designed to scale to large numbers of low-speed flows, rather than a few high-speed data flows. If the firewall's input buffers are too small to hold the bursts from the data transfer host, packet loss will result -- often causing severe performance problems.
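To make the buffer arithmetic concrete, the following is an added example (not from the original page): it feeds one line-rate burst through a firewall input buffer that drains at the slower processing rate, counts tail drops, and estimates the buffer size needed to absorb the burst without loss. The scenario numbers (a 10 Gb/s host, a firewall engine that processes 1 Gb/s, a 1.5 MB burst, a 256 KiB buffer) are constructed, and draining is modelled as a fluid rather than packet by packet, which is an assumption that keeps the queue model simple.

```python
"""Model a TCP burst hitting a stateful firewall whose engine is slower than its link."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class BurstScenario:
    link_rate_bps: int      # speed of the sending host's NIC and the firewall interface
    process_rate_bps: int   # rate at which the firewall's stateful engine drains its input buffer
    burst_bytes: int        # bytes the host emits back-to-back at line rate (e.g. one TCP window)
    buffer_bytes: int       # capacity of the firewall input buffer
    packet_bytes: int = 1500  # MTU-sized frames


def simulate_burst(s: BurstScenario) -> dict:
    """Arrivals are packet-granular; draining is a fluid approximation (assumption)."""
    n_packets = -(-s.burst_bytes // s.packet_bytes)  # integer ceiling
    # bytes the firewall can process during one packet inter-arrival time
    drain_per_gap = Fraction(s.packet_bytes * s.process_rate_bps, s.link_rate_bps)
    queue = Fraction(0)
    peak = Fraction(0)
    dropped = 0
    for i in range(n_packets):
        if i:  # the first packet arrives into an empty buffer; later ones after one gap
            queue = max(Fraction(0), queue - drain_per_gap)
        if queue + s.packet_bytes > s.buffer_bytes:
            dropped += 1  # tail drop: the whole frame does not fit
        else:
            queue += s.packet_bytes
            peak = max(peak, queue)
    return {"packets": n_packets, "dropped": dropped,
            "peak_backlog_bytes": int(peak)}


def lossless_buffer_estimate(s: BurstScenario) -> int:
    """Fluid estimate: backlog = burst * (1 - process/link), plus one frame of headroom."""
    if s.process_rate_bps >= s.link_rate_bps:
        return s.packet_bytes  # engine keeps up with the link; at most one frame waits
    backlog = s.burst_bytes * (1 - Fraction(s.process_rate_bps, s.link_rate_bps))
    return -(-backlog.numerator // backlog.denominator) + s.packet_bytes


if __name__ == "__main__":
    # Constructed scenario: 10 GE host, 1 Gb/s firewall engine, 1.5 MB burst, 256 KiB buffer.
    scenario = BurstScenario(10_000_000_000, 1_000_000_000, 1_500_000, 262_144)
    print(simulate_burst(scenario))
    print("buffer needed for no loss:", lossless_buffer_estimate(scenario), "bytes")
```

With the constructed numbers the 256 KiB buffer drops 726 of the 1000 frames, while the estimate says roughly 1.35 MB of buffer is needed to absorb the burst.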

Additional information on firewall issues can be found here and here.