DATA$CENTER$FIREWALL$PRODUCT$ANALYSIS$$

Transcription

1 DATA$CENTER$FIREWALL$PRODUCT$ANALYSIS$$ $ $ Fortinet$FortiGate$1500D$v5.0,build0252 $ 2014$ $Ryan$Liles,$Chris$Thomas$ $ $

2 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Overview NSSLabsperformedanindependenttestoftheFortinetFortiGate1500Dv5.0,build0252.Theproductwas subjectedtothoroughtestingatthenssfacilityinaustin,texas,basedonthedatacenterfirewallmethodology v1.0availableonwww.nsslabs.com.thistestwasconductedfreeofchargeandnssdidnotreceiveany compensationinreturnforfortinet sparticipation. WhilethecompanionComparativeAnalysisReports(CAR)onsecurity,performance,andtotalcostofownership (TCO)willprovidecomparativeinformationaboutalltestedproducts,thisindividualProductAnalysisReport(PAR) providesdetailedinformationnotavailableelsewhere. Firewalldevicesdeployedwithinadatacentertypicallywillbesubjectedtosignificantlyhighertrafficlevelsthana firewallornextgenerationfirewall(ngfw)deployedatthecorporatenetworkperimeter.furthermore,data centertrafficmixeswillbecompletelydifferentfromatypicalcorporatenetworkperimeter;whereperimeter deviceswillbeexpectedtoprotectawiderangeofendruserapplications,adatacenterdevicemaybedeployedto protectasingletypeofserversupportingfarfewernetworkprotocolsandapplications.thedatacenterfirewall testingmethodologyfocusesontheseaspects. Product Fortinet$FortiGate$1500D$$ v5.0,build0252 Stability&Reliability PASS NSSITested$Throughput$ 39,667Mbps FirewallPolicyEnforcement PASS Figure$1$ $Overall$Test$Results$ Thedevicepassedallstabilityandreliabilitytests.Thedevicealsopassedallfirewallpolicyenforcementtests. TheFortinetFortiGate1500DisratedbyNSSat39,667Mbps,whichisinlinewiththevendorRclaimed performance(fortinetratesthisdeviceat40gbps).nssrtestedthroughputiscalculatedasanaverageofallthe "RealRWorld ProtocolMixesandthe21KBHTTPresponseRbasedcapacitytests. 2014NSSLabs,Inc.Allrightsreserved. 2

3 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Table$of$Contents$ $ Overview$...$2 Security$Effectiveness$...$5 Performance$...$7 RawPacketProcessingPerformance(UDPThroughput)...7 Latency UDP...8 ConnectionDynamics ConcurrencyandConnectionRates...8 HTTPConnectionsperSecondandCapacity...10 ApplicationAverageResponseTime HTTP...10 HTTPConnectionsperSecondandCapacity(withDelays)...11 RealRWorldTrafficMixes...11 Stability$&$Reliability$...$13 Management$&$Configuration$...$15 Total$Cost$of$Ownership$(TCO)$...$16 Installation(Hours)...16 PurchasePriceandTotalCostofOwnership...17 Value:TotalCostofOwnershipperProtectedRMbps...17 Detailed$Product$Scorecard$...$18 Test$Methodology$...$20 Contact$Information$...$20 $ $ 2014NSSLabs,Inc.Allrightsreserved. 3

4 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Table$of$Figures$ $ Figure1 OverallTestResults...2 Figure2 FirewallPolices...6 Figure3 RawPacketProcessingPerformance(UDPTraffic)...7 Figure4 UDPLatencyinMicroseconds...8 Figure5 ConcurrencyandConnectionRates...9 Figure6 HTTPConnectionsperSecondandCapacity...10 Figure7 AverageApplicationResponseTimeinMilliseconds...10 Figure8 HTTPConnectionsperSecondandCapacity(withDelays)...11 Figure9 RealWorldDataCenterTrafficMixes...12 Figure10 Stability&ReliabilityResults...13 Figure11 HighAvailabilityResults...14 Figure12 SensorInstallationTimeinHours...16 Figure13 3RYearTCO...17 Figure14 TotalCostofOwnershipperProtectedRMbps...17 Figure15 DetailedScorecard NSSLabs,Inc.Allrightsreserved. 4

5 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D SecurityEffectiveness ThissectionverifiesthattheDUTiscapableofenforcingaspecifiedsecuritypolicyeffectively. Firewall$Policy$Enforcement Policiesarerulesthatareconfiguredonafirewalltopermitordenyaccessfromonenetworkresourcetoanother, basedonidentifyingcriteriasuchas:source,destination,andservice.atermtypicallyusedtodefinethe demarcationpointofanetworkwherepolicyisappliedisademilitarizedzone(dmz).policiesaretypicallywritten topermitordenynetworktrafficfromoneormoreofthefollowingzones: Untrusted$ Thisistypicallyanexternalnetworkandisconsideredto beunknownandnonrsecure.anexampleofanuntrustednetwork wouldbetheinternet. DMZ$ Thisisanetworkthatisbeingisolatedbythefirewallrestricting networktraffictoandfromhostscontainedwithintheisolated network. Trusted$ Thisistypicallyaninternalnetwork;anetworkthatis consideredsecureandprotected. TheNSSfirewalltestsverifyperformanceandtheabilitytoenforcepolicy betweenthefollowing: TrustedtoUntrusted UntrustedtoDMZ TrustedtoDMZ Note:FirewallsmustprovideataminimumoneDMZinterfaceinorderto provideadmzor transitionpoint betweenuntrustedandtrusted networks. 2014NSSLabs,Inc.Allrightsreserved. 5

6 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Test$Procedure$ BaselinePolicies SimplePolicies ComplexPolicies StaticNAT(NetworkAddressTranslation) Dynamic/HideNAT SYNFloodProtection AddressSpoofingProtection Results$ PASS PASS PASS PASS PASS PASS PASS Figure$2$ $Firewall$Polices$ $ 2014NSSLabs,Inc.Allrightsreserved. 6

7 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Performance ThereisfrequentlyatradeRoffbetweensecurityeffectivenessandperformance.BecauseofthistradeRoff,itis importanttojudgeaproduct ssecurityeffectivenesswithinthecontextofitsperformance(andviceversa).this ensuresthatnewsecurityprotectionsdonotadverselyimpactperformanceandsecurityshortcutsarenottaken tomaintainorimproveperformance. Raw$Packet$Processing$Performance$(UDP$Throughput)$ ThistestusesUDPpacketsofvaryingsizesgeneratedbytestequipment.Aconstantstreamoftheappropriate packetsize withvariablesourceanddestinationipaddressestransmittingfromafixedsourceporttoafixed destinationport istransmittedbirdirectionallythrougheachportpairofthedut. Eachpacketcontainsdummydata,andistargetedatavalidportonavalidIPaddressonthetargetsubnet.The percentageloadandframespersecond(fps)figuresacrosseachinrlineportpairareverifiedbynetwork monitoringtoolsbeforeeachtestbegins.multipletestsarerunandaveragestakenwherenecessary. Thistrafficdoesnotattempttosimulateanyformof realrworld networkcondition.notcpsessionsarecreated duringthistest,andthereisverylittleforthestateenginetodo.theaimofthistestispurelytodeterminethe rawpacketprocessingcapabilityofeachinrlineportpairofthedut,anditseffectivenessatforwardingpackets quicklyinordertoprovidethehighestlevelofnetworkperformanceandlowestlatency. 90,000 8 Megabits per Second 80,000 70,000 60,000 50,000 40,000 30, ,000 79,000 79,500 80, , , Latency (µs) 20, , Byte Packets 128 Byte Packets 256 Byte Packets 512 Byte Packets 1024 Byte Packets 1514 Byte Packets Mbps 43,000 75,000 78,000 79,000 79,500 80,000 Latency (µs) Figure$3$ $Raw$Packet$Processing$Performance$(UDP$Traffic)$ - $ TheFortiGate1500DshowedexceptionallatencyatallpacketsizesforUDPtraffic. 2014NSSLabs,Inc.Allrightsreserved. 7

8 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Latency$ $UDP$ Datacenterfirewallsthatintroducehighlevelsoflatencyleadtounacceptableresponsetimesforusers,especially wheremultiplesecuritydevicesareplacedinthedatapath.theseresultsshowthelatency(inmicroseconds)as recordedduringtheudpthroughputtestsat90%ofmaximumload. Latency$I$UDP$ Microseconds$ 64BytePackets 4 128BytePackets 4 256BytePackets 4 512BytePackets BytePackets BytePackets 7 Figure$4$ $UDP$Latency$in$Microseconds$ Connection$Dynamics$ $Concurrency$and$Connection$Rates$ TheuseofsophisticatedtestequipmentappliancesallowsNSSengineerstocreatetrue realworld trafficat multirgigabitspeedsasabackgroundloadforthetests. TheaimofthesetestsistostresstheinspectionengineanddeterminehowithandleshighvolumesofTCP connectionspersecond,applicationlayertransactionspersecond,andconcurrentopenconnections.allpackets containvalidpayloadandaddressdata,andthesetestsprovideanexcellentrepresentationofalivenetworkat variousconnection/transactionrates. Notethatinallteststhefollowingcritical breakingpoints wherethefinalmeasurementsaretaken areused: Excessive$concurrent$TCP$connections UnacceptableincreaseinopenconnectionsontheserverRside Excessive$response$time$for$HTTP$transactions Excessivedelaysandincreasedresponsetimetoclient Unsuccessful$HTTP$transactions Normally,thereshouldbezerounsuccessfultransactions.Theiroccurrence indicatesthatexcessivelatencyiscausingconnectionstotimeout. 2014NSSLabs,Inc.Allrightsreserved. 8

9 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D 8,000,000 3,000,000 7,000,000 6,829,697 6,979,895 2,565,000 2,500,000 6,000,000 2,000,000 Concurrent Connections 5,000,000 4,000,000 3,000,000 1,500,000 Connections / Second 1,000,000 2,000, ,000 1,000, , ,150 0 without data with data TCP Connections/Sec 273,600 HTTP Connections/Sec 282,150 HTTP Transactions/Sec 2,565,000 Concurrent TCP Conns 6,829,697 6,979,895 Figure$5$ $Concurrency$and$Connection$Rates$ $ NSSLabs,Inc.Allrightsreserved. 9

10 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D HTTP$Connections$per$Second$and$Capacity$ TheaimofthesetestsistostresstheHTTPdetectionengineanddeterminehowtheDUTcopeswithnetwork loadsofvaryingaveragepacketsizeandvaryingconnectionspersecond.bycreatinggenuinesessionrbasedtraffic withvaryingsessionlengths,thedutisforcedtotrackvalidtcpsessions,thusensuringahigherworkloadthanfor simplepacketrbasedbackgroundtraffic.thisprovidesatestenvironmentthatisascloseto realworld asitis possibletoachieveinalabenvironment,whileensuringabsoluteaccuracyandrepeatability. EachtransactionconsistsofasingleHTTPGETrequestandtherearenotransactiondelays(i.e.thewebserver respondsimmediatelytoallrequests).allpacketscontainvalidpayload(amixofbinaryandasciiobjects)and addressdata.thistestprovidesanexcellentrepresentationofalivenetwork(albeitonebiasedtowardshttp traffic)atvariousnetworkloads. 45,000 40,000 40,000 40, , ,000 35,000 Megabits per Second 30,000 25,000 20,000 15,000 29,000 14, , , , ,000 Connections / Sec 10,000 7,450 5,000 50, KB Response 21 KB Response 10 KB Response 4.5 KB Response 1.7 KB Response CPS 100, , , , ,000 Mbps 40,000 40,000 29,000 14,700 7,450 Figure$6$ $HTTP$Connections$per$Second$and$Capacity$ 0 Application$Average$Response$Time$ $HTTP$ Application$Average$Response$Time$I$HTTP$(at$90%$Maximum$Load)$ Milliseconds$ 2,500ConnectionsPerSecond 44KBResponse 0.4 5,000ConnectionsPerSecond 21KBResponse ,000ConnectionsPerSecond 10KBResponse ,000ConnectionsPerSecond 4.5KBResponse ,000ConnectionsPerSecond 1.7KBResponse 0.3 Figure$7$ $Average$Application$Response$Time$in$Milliseconds$ 2014NSSLabs,Inc.Allrightsreserved. 10

11 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D HTTP$Connections$per$Second$and$Capacity$(with$Delays)$ Typicaluserbehaviorintroducesdelaysbetweenrequestsandresponses,e.g. thinktime, asusersreadweb pagesanddecidewhichlinkstoclicknext.thisgroupoftestsisidenticaltothepreviousgroupexceptthatthese includea5seconddelayintheserverresponseforeachtransaction.thishastheeffectofmaintainingahigh numberofopenconnectionsthroughoutthetest,thusforcingthesensortoutilizeadditionalresourcestotrack thoseconnections. 45,000 40,000 40,000 40, , ,000 35,000 Megabits per Second 30,000 25,000 20,000 15,000 29,000 29, , , , ,000 Connections / Sec 10,000 5,000 50, KB Response 21 KB Response w/ Delay 10 KB Response Figure$8$ $HTTP$Connections$per$Second$and$Capacity$(with$Delays)$ 10 KB Response w/ Delay CPS 200, , , ,000 Mbps 40,000 40,000 29,000 29,000 0 RealIWorld$Traffic$Mixes$ Thistestmeasurestheperformanceofthedeviceundertestina realworld environmentbyintroducing additionalprotocolsandrealcontent,whilestillmaintainingapreciselyrepeatableandconsistentbackground trafficload.differentprotocolmixesareutilizedbasedontheintendedlocationofthedeviceundertest(network coreorperimeter)toreflectrealusecases.fordetailsaboutrealworldtrafficprotocoltypesandpercentages,see thenssnetworkfirewalldatacentertestmethodology,availableatwww.nsslabs.com. 2014NSSLabs,Inc.Allrightsreserved. 11

12 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D 45,000 40,000 35,000 40,000 40,000 38,000 40,000 40,000 30,000 25,000 Mbps 20,000 15,000 10,000 5,000 0 Real World Protocol Mix (Data center - Financial) Real World Protocol Mix (Data center - Virtualization Hub) Real World Protocol Mix (Data center - Mobile Applications) Figure$9$ $Real$World$Data$Center$Traffic$Mixes$ Real World Protocol Mix (Data center - Web Apps) Real World Protocol Mix (Data center - ISP) Mbps 40,000 40,000 38,000 40,000 40,000 TheFortiGate1500DperformedinRlinewiththethroughputclaimedbythevendorwithallmixesexceptformobile applications,whereitperformedslightlybelowitsratedthroughputanditsvendorrclaimedthroughput. 2014NSSLabs,Inc.Allrightsreserved. 12

13 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Stability&Reliability LongRtermstabilityisparticularlyimportantforaninRlinedevice,wherefailurecanproducenetworkoutages. ThesetestsverifythestabilityoftheDUTalongwithitsabilitytomaintainsecurityeffectivenesswhileunder normalloadandwhilepassingmalicioustraffic.productsthatarenotabletosustainlegitimatetraffic(orthat crash)whileunderhostileattackwillnotpass. TheFortiGate1500Disrequiredtoremainoperationalandstablethroughoutthesetests,andtoblock100%of previouslyblockedtraffic,raisinganalertforeach.ifanynonrallowedtrafficpassessuccessfully,causedbyeither thevolumeoftrafficorthedutfailingopenforanyreason,thiswillresultinafail. Test$Procedure$ BlockingUnderExtendedAttack PassingLegitimateTrafficUnderExtendedAttack ProtocolFuzzing&Mutation PowerFail Redundancy PersistenceofData Result$ PASS PASS PASS PASS YES PASS Figure$10$ $Stability$&$Reliability$Results$ 2014NSSLabs,Inc.Allrightsreserved. 13

14 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D HighAvailability(HA)(Optional)$ Highavailability(HA)isimportanttomanyenterprisecustomers,andthistablerepresentsthevendorsHAfeature set.ifnohaofferingwassubmittedfornsstovalidate,allresultsinthissectionwillbemarkedas N/A. Description$ Failover LegitimateTraffic TimetoFailover StatefulOperation Active/ActiveConfiguration Results$ PASS 0.1seconds PASS PASS Figure$11$ $High$Availability$Results$ 2014NSSLabs,Inc.Allrightsreserved. 14

15 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Management&Configuration Securitydevicesarecomplicatedtodeploy;essentialsystemssuchascentralizedmanagementconsoleoptions,log aggregation,andeventcorrelation/managementsystemsfurthercomplicatethepurchasingdecision. Understandingkeycomparisonpointswillallowcustomerstomodeltheoverallimpactonnetworkservicelevel agreements(slas),estimateoperationalresourcerequirementstomaintainandmanagethesystems,andbetter evaluaterequiredskill/competenciesofstaff. Enterprisesshouldincludemanagement&configurationduringtheirevaluationfocusingthefollowingat minimum: General$Management$and$Configuration$ howeasyisittoinstallandconfiguredevices,anddeploymultiple devicesthroughoutalargeenterprisenetwork? Policy$Handling$ howeasyisittocreate,edit,anddeploycomplicatedsecuritypoliciesacrossanenterprise? Alert$Handling$ howaccurateandtimelyisthealerting,andhoweasyisittodrilldowntolocatecritical informationneededtoremediateasecurityproblem? Reporting$ $howeffectiveisthereportingcapability,andhowreadilycanitbecustomized? 2014NSSLabs,Inc.Allrightsreserved. 15

16 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D TotalCostofOwnership(TCO) Implementationofsecuritysolutionscanbecomplex,withseveralfactorsaffectingtheoverallcostofdeployment, maintenanceandupkeep.alloftheseshouldbeconsideredoverthecourseoftheusefullifeofthesolution. Product$Purchase$ Thecostofacquisition. Product$Maintenance$ Thefeespaidtothevendor(includingsoftwareandhardwaresupport,maintenance andotherupdates.) Installation$ Thetimerequiredtotakethedeviceoutofthebox,configureit,putitintothenetwork,apply updatesandpatches,andsetupdesiredloggingandreporting. Upkeep$ Thetimerequiredtoapplyperiodicupdatesandpatchesfromvendors,includinghardware, software,andotherupdates. Management$ DayRtoRdaymanagementtasksincludingdeviceconfiguration,policyupdates,policy deployment,alerthandling,andsoon. Forthepurposesofthisreport,capitalexpenditure(CAPEX)itemsareincludedforasingledeviceonly(thecostof acquisitionandinstallation.) Installation$(Hours)$ Thistabledetailsthenumberofhoursoflaborrequiredtoinstalleachdeviceusinglocaldevicemanagement optionsonly.thiswillreflectaccuratelytheamountoftimetakenfornssengineers,withthehelpofvendor engineers,toinstallandconfiguretheduttothepointwhereitoperatessuccessfullyinthetestharness,passes legitimatetrafficandblocks/detectsprohibited/malicioustraffic.thiscloselymimicsatypicalenterprise deploymentscenarioforasingledevice. Costsarebaseduponthetimerequiredbyanexperiencedsecurityengineer(assumed$75perhourforthe purposesofthesecalculations)allowingnsstoholdconstantthetalentcostandmeasureonlythedifferencein timerequiredforinstallation.readersshouldsubstitutetheirowncoststoobtainaccuratetcofigures. Product$ Fortinet$FortiGate$1500D$$ v5.0,build0252 Installation$(Hours)$ 8 Figure$12$ $Sensor$Installation$Time$in$Hours$ 2014NSSLabs,Inc.Allrightsreserved. 16

17 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D Purchase$Price$and$Total$Cost$of$Ownership$ CalculationsarebasedonvendorRprovidedpricinginformation.Wherepossible,the24/7maintenanceand supportoptionwith24rhourreplacementisutilized,sincethisistheoptiontypicallyselectedbyenterprise customers.pricesareforsingledevicemanagementandmaintenanceonly;costsforcentraldevicemanagement (CDM)solutionsmaybeextra.ForadditionalTCOanalysis,includingCDM,refertotheTCOCAR. Product$ Fortinet$FortiGate$ 1500D$$ v5.0,build0252 Purchase$ Maintenance$ /$year$ Year$1$ Cost$ Year$2$ Cost$ Year$3$ Cost$ 3IYear$$ TCO$ $24,998 $5,649 $31,067 $6,369 $6,369 $43805 Figure$13$ $3IYear$TCO$ Year$1$Costiscalculatedbyaddinginstallationcosts($75USDperhourfullyloadedlaborxinstallationtime)+ purchaseprice+firstryearmaintenance/supportfees. Fortinetmaintenancefeesarecalculatedwiththe3RyearcostofanupRfrontpurchasedividedevenlyoverthe3R yearterm. Year$2$Cost$consistsonlyofmaintenance/supportfees.$ Year$3$Cost$consistsonlyofmaintenance/supportfees.$ ThisprovidesaTCOfigureconsistingofhardware,installationandmaintenancecostsforasingledeviceonly.TCO calculationsformultipledevicesaremodeledextensivelyinthetcocar. Value:$Total$Cost$of$Ownership$per$ProtectedIMbps$ Thereisacleardifferencebetweenpriceandvalue.Theleastexpensiveproductdoesnotnecessarilyofferthe greatestvalueifitofferssignificantlylowerperformancethanonlyslightlymoreexpensivecompetitors.thebest valueisaproductwithalowtcoandhighlevelofthroughput. Figure14depictstherelativecostperunitofworkperformed,describedasTCOperProtectedRMbps. Product$ Fortinet$FortiGate$1500D$$ v5.0,build0252 NSSITested$ Throughput$ 3IYear$TCO$ TCO$Per$ProtectedI Mbps$ 39,667Mbps $43,805 $1.10 Figure$14$ $Total$Cost$of$Ownership$per$ProtectedIMbps$ TCOperProtectedRMbpswascalculatedbytakingthe3RYearTCOanddividingitbytheNSSRTestedThroughput. Therefore3RYearTCO/NSSRTestedThroughput=TCOperProtectedRMbps. TCOisforsingledevicemaintenanceonly;costsforcentraldevicemanagement(CDM)solutionsmaybeextra.For additionaltcoanalysis,refertothetcocar. 2014NSSLabs,Inc.Allrightsreserved. 17

18 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D DetailedProductScorecard Thefollowingchartdepictsthestatusofeachtestwithquantitativeresultswhereapplicable. SecurityEffectiveness FirewallPolicyEnforcement BaselinePolicy PASS SimplePolicy PASS ComplexPolicy PASS StaticNAT PASS Dynamic/HideNAT PASS SynFloodProtection PASS AddressSpoofingProtection PASS Performance UDPThroughput Mbps 64BytePackets BytePackets BytePackets BytePackets BytePackets BytePackets LatencyRUDP Microseconds 64BytePackets BytePackets BytePackets BytePackets BytePackets BytePackets 7.0 ConnectionDynamics ConcurrencyandConnectionRates TheoreticalMax.ConcurrentTCPConnections 6,829,697 TheoreticalMax.ConcurrentTCPConnectionsw/Data 6,979,895 MaximumTCPConnectionsPerSecond 273,600 MaximumHTTPConnectionsPerSecond 282,150 MaximumHTTPTransactionsPerSecond 2,565,000 HTTPCapacityWithNoTransactionDelays 2,500ConnectionsPerSecond 44KBResponse 100,000 5,000ConnectionsPerSecond 21KBResponse 200,000 10,000ConnectionsPerSecond 10KBResponse 290,000 20,000ConnectionsPerSecond 4.5KBResponse 294,000 40,000ConnectionsPerSecond 1.7KBResponse 298,000 ApplicationAverageResponseTimeRHTTP(at90%MaxLoad) Milliseconds 2,500ConnectionsPerSecond 44KBResponse 0.4 5,000ConnectionsPerSecond 21KBResponse ,000ConnectionsPerSecond 10KBResponse ,000ConnectionsPerSecond 4.5KBResponse ,000ConnectionsPerSecond 1.7KBResponse 0.3 HTTPCPS&CapacityWithTransactionDelays 21KBResponseWithDelay 280,000 10KBResponseWithDelay 348, NSSLabs,Inc.Allrightsreserved. 18

19 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D RealWorld Traffic RealWorld ProtocolMix(DatacenterRFinancial) 40,000 RealWorld ProtocolMix(DatacenterRVirtualizationHub) 40,000 RealWorld ProtocolMix(DatacenterRMobileApplications) 38,000 RealWorld ProtocolMix(DatacenterRWebApps) 40,000 RealWorld ProtocolMix(DatacenterRISP) 40,000 Stability&Reliability BlockingUnderExtendedAttack PASS PassingLegitimateTrafficUnderExtendedAttack PASS ProtocolFuzzing&Mutation PASS PowerFail PASS Redundancy PASS PersistenceofData PASS FailoverRLegitimateTraffic PASS FailoverRTimetoFailover.1Seconds StatefulOperation PASS ActiveRActiveConfiguration PASS TotalCostofOwnership EaseofUse InitialSetup(Hours) 8 ExpectedCosts InitialPurchase(hardwareastested) $24,998 InstallationLaborCost(@$75/hr) $600 AnnualCostofMaintenance&Support(hardware/software) $6,369 InitialPurchase(enterprisemanagementsystem) SeeCAR AnnualCostofMaintenance&Support(enterprisemanagementsystem) SeeCAR TotalCostofOwnership Year1 $31,067 Year2 $6,369 Year3 $6,369 3RYearTotalCostofOwnership $43,805 Figure$15$ $Detailed$Scorecard$ Mbps 2014NSSLabs,Inc.Allrightsreserved. 19

20 NSSLabs DataCenterFirewallProductAnalysis FortinetFortiGate1500D TestMethodology Methodology$Version:NetworkFirewall DataCenterv1.0 AllTestIDsinthisreportrefertothemethodologydocument,notnecessarilytosectionsinthisreport. AcopyofthetestmethodologyisavailableontheNSSLabswebsiteatwww.nsslabs.com. ContactInformation NSSLabs,Inc. 206WildBasinRd BuildingA,Suite200 Austin,TX (512)961R Thisandotherrelateddocumentsavailableat: 2014NSSLabs,Inc.Allrightsreserved.Nopartofthispublicationmaybereproduced,photocopied,storedonaretrieval system,ortransmittedwithouttheexpresswrittenconsentoftheauthors. Pleasenotethataccesstooruseofthisreportisconditionedonthefollowing: 1.TheinformationinthisreportissubjecttochangebyNSSLabswithoutnotice. $ 2.TheinformationinthisreportisbelievedbyNSSLabstobeaccurateandreliableatthetimeofpublication,butisnot guaranteed.alluseofandrelianceonthisreportareatthereader ssolerisk.nsslabsisnotliableorresponsibleforany damages,losses,orexpensesarisingfromanyerrororomissioninthisreport. 3.NOWARRANTIES,EXPRESSORIMPLIEDAREGIVENBYNSSLABS.ALLIMPLIEDWARRANTIES,INCLUDINGIMPLIED WARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ANDNONRINFRINGEMENTAREDISCLAIMEDAND EXCLUDEDBYNSSLABS.INNOEVENTSHALLNSSLABSBELIABLEFORANYCONSEQUENTIAL,INCIDENTALORINDIRECT DAMAGES,ORFORANYLOSSOFPROFIT,REVENUE,DATA,COMPUTERPROGRAMS,OROTHERASSETS,EVENIFADVISEDOFTHE POSSIBILITYTHEREOF. 4.Thisreportdoesnotconstituteanendorsement,recommendation,orguaranteeofanyoftheproducts(hardwareor software)testedorthehardwareandsoftwareusedintestingtheproducts.thetestingdoesnotguaranteethatthereareno errorsordefectsintheproductsorthattheproductswillmeetthereader sexpectations,requirements,needs,or specifications,orthattheywilloperatewithoutinterruption. 5.Thisreportdoesnotimplyanyendorsement,sponsorship,affiliation,orverificationbyorwithanyorganizationsmentioned inthisreport. 6.Alltrademarks,servicemarks,andtradenamesusedinthisreportarethetrademarks,servicemarks,andtradenamesof theirrespectiveowners. 2014NSSLabs,Inc.Allrightsreserved. 20