TZ 500 versus TZ 570 Network Performance DPI vs SPI vs Tech specs...help
TomGreen
Newbie ✭
Can someone help with this? Trying to calculate what the maximum packet size a TZ500 can handle versus a TZ570 without security features turned ON versus turned OFF. How can I test this scenario?
Also, is there a way to turn off DPI for a single PC or on an IP basis, and how can we TEST the difference between DPI settings ON versus OFF for that particular scenario?
We have looked up tech specs for each unit and nothing matches up to reality and performance. Not sure if the spec sheets are outdated or fit a certain test scenario.
Answers
You can tick "Disable DPI" on an access rule. That should allow you to do a comparative test.
Disabling DPI in the Access Rule did nothing in comparing speed tests etc. Is there another metric one can look into? Any other ways to test?
Also what does DPI cover? AV? App Control?
"DPI" should be anything that isn't the basic properties of the packet, i.e. source/dest IP, source/dest port. So it would include Content Filtering Service, Gateway AV, Intrusion Prevention, Anti-Spyware, etc.
Try disabling the security services one by one [or even just all at once, speed up your iteration] and re-test.
Is there another metric one can look into? Any other ways to test?
Depends what you're trying to achieve? Only you know what it is you actually intend to do with it. Your testing needs to reflect that.
We have looked up tech specs for each unit and nothing matches up to reality and performance
See the comment on here about multiple port pairs:
https://community.sonicwall.com/technology-and-support/discussion/comment/16938/#Comment_16938
Thanks for the responses. So how do we know if multiple port pairs were tested with the TZ500 vs TZ570? Also, how do we know how many Packets Per Second a Firewall can handle before it's maxed out (i.e. I want to know packets are dropping, because sometimes we see High CPU utilization maxed and internet becomes super slow)?
how do we know if multiple port pairs were tested with the TZ500 vs TZ570?
Because that wording I quoted is on the respective datasheets for the two models.
Also, how do we know how many Packets Per Second a Firewall can handle before it's maxed out
As SonicWall don't appear to have published that metric, then you either need to test it yourself or hope a third party has tested it and published it somewhere.
You can collect the interface packet counters with SNMP.
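One way to turn the SNMP interface counters mentioned above into a packets-per-second figure, as an added example that is not part of the original thread. It assumes the firewall exposes the standard IF-MIB ifInUcastPkts and ifInDiscards counters for the interface under test; the poll values are constructed.

```python
from dataclasses import dataclass

# Standard IF-MIB columns; append the interface's ifIndex when polling.
OID_IN_UCAST_PKTS = "1.3.6.1.2.1.2.2.1.11"  # ifInUcastPkts, Counter32
OID_IN_DISCARDS = "1.3.6.1.2.1.2.2.1.13"    # ifInDiscards, Counter32

COUNTER32_MOD = 2 ** 32


@dataclass
class Sample:
    t: float       # poll time in seconds
    pkts: int      # ifInUcastPkts value at that time
    discards: int  # ifInDiscards value at that time


def delta32(old, new):
    """Counter32 difference that survives one wrap between polls."""
    return (new - old) % COUNTER32_MOD


def rates(samples):
    """Return (pps, discards_per_s) for each consecutive pair of polls."""
    out = []
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0:
            continue  # skip duplicate or out-of-order polls
        out.append((delta32(a.pkts, b.pkts) / dt,
                    delta32(a.discards, b.discards) / dt))
    return out


def max_clean_pps(samples):
    """Highest packet rate seen in an interval with zero discards."""
    clean = [pps for pps, drops in rates(samples) if drops == 0]
    return max(clean) if clean else None


# Constructed polls, 10 s apart, taken while a test load is ramped up.
# The packet counter wraps past 2**32 between the second and third poll.
SAMPLES = [
    Sample(0, 4294000000, 120),
    Sample(10, 4294500000, 120),
    Sample(20, 432704, 120),
    Sample(30, 1532704, 4120),
    Sample(40, 2682704, 19120),
]
```

Polling at a short, fixed interval during a ramped load test gives the packet rate at which the discard counter starts moving, which can then be compared between the TZ500 and TZ570 with security services on and off.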
Thanks again - just so it's clear, when they mention "multiple port pairs", is the tech spec suggesting ports were connected to X0, X2 etc on the LAN side and tested at 1GB rate per port?
I am just guessing here as it is not explicitly stated, but I think they pair "clients" and "servers" across ports until all ports are in use, and publish the aggregate figure of maximum throughput attained. Whilst this figure might be interesting to some people, it doesn't reflect how I deploy firewalls. Out of the hundreds I've deployed or look after, I can count on the fingers of Django Reinhardt's left hand the number of times we've used every port on a firewall. So I would like to see a single port/single connection version of all the metrics published as well.