TZ-370 DPI-SSL slow performance
mws92
Hi,
Our customer has a TZ-370 with the newest firmware. He now has a faster internet connection with 300 MBit/s download and 50 MBit/s upload, and we noticed that the throughput with activated DPI-SSL and Gateway-AV has gotten very bad.
With activated DPI-SSL, Gateway-AV and IPS, the TZ-370 only manages about 30 MBit/s download and 24 MBit/s upload in the single-stream speed test. In the multi-stream speed test, it is a bit faster with around 80 Mbit/s download and 35 Mbit/s upload.
Are these really "normal" throughput values or is a stronger firewall required here?
Category: Entry Level Firewalls
Answers
Consider the data sheet says DPISSL throughput is 500 Mbps, but has a note saying "Threat Prevention/GatewayAV/Anti-Spyware/IPS throughput measured using industry standard Keysight HTTP performance test tools. Testing done with multiple flows through multiple port pairs. Threat Prevention throughput measured with Gateway AV, Anti-Spyware, IPS and Application Control enabled with DEFAULT FIREWALL SETTINGS." (Emphasis mine.)
If you start actually USING the features you won't get that throughput. Two recommendations:
Disabling GAV TCP Stream inspections will drastically increase your Speedtests with DPISSL enabled.
Don't implement all the security features on anything less than the TZ570.
To add to the above, review this doc and select Performance Optimized on your device.
Also, if you want to achieve the published figures, then make sure you use 4 interfaces as LANs and 4 as WANs, and split your traffic evenly across them ;-)