WORKS2020
asked on
SonicWall TZ Series Throughput Using Full DPI Creates Substantial Bandwidth Loss
Working with an ISP that has guaranteed 1Gx1G dedicated fiber for $575/month. I haven't seen anyone else able to touch this, not even close. I wasn't expecting this low a price for another 3-5 years.
Brings up a good question regarding firewalls my clients are using, the SonicWall TZ400. I spoke with my Sonicwall rep and she mentioned the TZ400 will reduce the bandwidth substantially for a 1Gx1G dedicated fiber due to DPI limitations that max out at 300M. We discussed if DPI is needed, I made the case it's not, mentioned I have it disabled on many networks because it's created too many dropped packets. She didn't exactly say this renders the TZ400 useless but she couldn't come to terms with why I would do this or not upgrade to the TZ600. Selling point? The TZ600 is $1000 - $1200 more and only increases the DPI bandwidth 100M to 400M total. Hardly anything to insist on spending the money to upgrade. Further in the conversation she priced me out a firewall that would handle the DPI for a 1Gx1G network and it was over $20k, well over.
This brings up a lot of questions regarding firewalls as bandwidth continues to increase and the limitations they have regarding security and bandwidth limitations.
What are EE's experiences / thoughts regarding the following:
- General use of the SonicWall TZ series firewalls with bandwidth over 400M to full 1G.
- Do you feel DPI is needed? Definitely a great feature but is it needed? In my case we have other measures in place to inspect internet threats. Same with SPAM, we don't use the Spam filter on the SonicWall device, we view it as an extra feature not a necessity.
- Please share other firewalls you're using, why, how do they affect bandwidth.
Thanks in advance.
Also be aware that these quoted throughputs are not set in stone, actual throughput varies depending on the type of traffic, and filtering options chosen. For the quoted specs, it will also be assumed that nothing else is happening on the firewall at the same time. Incoming VPNs can chew up a heap of CPU power as well. In a "real world" situation, you might have a dozen users with VPN connections running a high encryption connection, or a heap of other stuff going on. To make things more complex, some firewalls can cope better with multiple loads than others.
300Mbps, as quoted by the manufacturer, is a "best case scenario", possible, but unlikely in the "real world".
The "rule of thumb" I have tended to use is to specify a firewall with around TWICE the listed throughput that I would require. Unfortunately, to keep up with a 1Gb connection, that would require a device specified as being able to handle 2Gbps; in the Sonicwall range, I would probably suggest an NSA 5600 device, specified as being able to inspect at 1.6Gbps.
On the other hand, 300Gbps is a fair bit of speed, that would allow a lot of heavy users to enjoy a nice fast connection. In most cases, PC hardware, browsers, antivirus software, the local Telco and whatever server is at the other end won't allow anything to run close to 1Gbps. The cap of a firewall that can "only" manage 300Gbps might not even be noticeable, for most users.
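The sizing argument in the answer above (quoted DPI throughput is a best case, real load such as VPN termination eats into it, so specify roughly twice the link rate) is easy to get wrong when comparing models by hand. The following is an added example, not code from the thread or from SonicWall: it takes the throughput figures quoted in this discussion (TZ400 300M, TZ600 400M, NSA 5600 1.6Gbps, a 1G link) and reports, per model, how much of the link full DPI would leave uninspected at line rate and whether the model clears the 2x rule of thumb. The `concurrent_load_share` derate (a fraction of capacity assumed consumed by VPN or other work) is a constructed assumption for illustration, not a vendor figure.

```python
from dataclasses import dataclass

# Constructed inputs, taken from the figures quoted in this thread.
LINK_MBPS = 1000.0        # the 1G x 1G dedicated fiber from the question
SAFETY_FACTOR = 2.0       # "around TWICE the listed throughput" rule of thumb


@dataclass(frozen=True)
class Firewall:
    model: str
    dpi_mbps: float       # vendor-quoted full-DPI throughput, as quoted in the thread


CANDIDATES = [
    Firewall("TZ400", 300.0),
    Firewall("TZ600", 400.0),
    Firewall("NSA 5600", 1600.0),
]


def effective_dpi_mbps(dpi_mbps, concurrent_load_share=0.0):
    """Derate the quoted DPI figure by the share of capacity assumed busy with
    other work (VPN termination, logging, etc.). The share is an assumption
    supplied by the caller, not a measured value."""
    if not 0.0 <= concurrent_load_share < 1.0:
        raise ValueError("concurrent_load_share must be in [0, 1)")
    return dpi_mbps * (1.0 - concurrent_load_share)


def bandwidth_loss_pct(link_mbps, dpi_mbps):
    """Percentage of the link that full DPI cannot inspect at line rate.
    Zero when the inspection engine keeps up with the link."""
    if dpi_mbps >= link_mbps:
        return 0.0
    return round(100.0 * (1.0 - dpi_mbps / link_mbps), 1)


def required_spec_mbps(link_mbps, safety_factor=SAFETY_FACTOR):
    """Quoted throughput a model needs to satisfy the rule of thumb."""
    return link_mbps * safety_factor


def meets_rule_of_thumb(fw, link_mbps, safety_factor=SAFETY_FACTOR,
                        concurrent_load_share=0.0):
    """True when the (derated) quoted DPI throughput clears the safety margin."""
    eff = effective_dpi_mbps(fw.dpi_mbps, concurrent_load_share)
    return eff >= required_spec_mbps(link_mbps, safety_factor)


def size_firewalls(candidates, link_mbps, safety_factor=SAFETY_FACTOR,
                   concurrent_load_share=0.0):
    """Evaluate each candidate against the link and return a list of dicts
    sorted so that the models with the smallest bandwidth loss come first."""
    rows = []
    for fw in candidates:
        eff = effective_dpi_mbps(fw.dpi_mbps, concurrent_load_share)
        rows.append({
            "model": fw.model,
            "quoted_dpi_mbps": fw.dpi_mbps,
            "effective_dpi_mbps": eff,
            "loss_pct": bandwidth_loss_pct(link_mbps, eff),
            "meets_rule": meets_rule_of_thumb(fw, link_mbps, safety_factor,
                                              concurrent_load_share),
        })
    return sorted(rows, key=lambda r: r["loss_pct"])


if __name__ == "__main__":
    # Compare the quoted (best case) figures with a constructed 25% derate.
    for share in (0.0, 0.25):
        print(f"--- concurrent load share {share:.0%} ---")
        for r in size_firewalls(CANDIDATES, LINK_MBPS, concurrent_load_share=share):
            print(f"{r['model']:<9} quoted {r['quoted_dpi_mbps']:>6.0f} Mbps "
                  f"effective {r['effective_dpi_mbps']:>6.0f} Mbps "
                  f"loss {r['loss_pct']:>5.1f}%  meets 2x rule: {r['meets_rule']}")
```

With the figures as quoted, none of the three models clears the strict 2x margin on a 1G link (the NSA 5600 at 1.6Gbps is the closest, which matches the answer's caveat), and the TZ400 leaves 70% of a 1G link uninspectable at line rate even before any derate; lowering `safety_factor` lets you see where a model crosses into "acceptable" for your own risk tolerance.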
With the amount of emerging malware and ransomware out on the web, I would not feel safe without DPI services.
ASKER
If full DPI is required then spec out a SW unit that will meet those needs.
Great question Phillip, I personally don't believe it's justified for the substantial decrease in bandwidth or increase in price. When you say required, are you like me and believe it's not a definite necessity?
Mal, great info, thank you. Back to the main question, do you feel DPI is worth it for the decrease in performance or increase in price?
J Spoor, so you run DPI on all your networks and you would feel comfortable asking your client to continue using DPI even with a $4,000 - $8,000 firewall upgrade to continue using DPI? I've had it turned off for years and it's fine. I should point out that we have other measures in place that prevent malware and far less the price of DPI.
Tricky question.
In 2019, malicious attacks are everywhere, you ARE almost certainly being attacked right now.
I would at very least have DPI enabled for most non-IT users. The extra bit of security it provides is probably worth the performance hit. 300Mb is still quite a bit of bandwidth, and should keep a lot of users happy.
If you're hauling 12K pounds then buy a truck that can haul that and more if heading to the mountains.
ASKER CERTIFIED SOLUTION
We provide the model that suits the connectivity and the security services requirements.
If full DPI is required then spec out a SW unit that will meet those needs.