early version of the next generation firewall from Positive Technologies
Technical characteristics of stand components
As the PT NGFW server we used the demo sample PT-NGFW-GW-HW-3010-X-NIC: a Positive Technologies Next Generation Firewall security gateway GW-3010 in a 2U case, with 1 Gbps RJ-45 and 10 Gbps SFP+ network interfaces and an additional PT-NGFW-NIC-4X hardware card (4 x 10 Gbps SFP+). For demonstration purposes the Lenovo SR650 platform was used.
What else was included in the stand:
Component | Characteristics
--- | ---
PT NGFW control system server | Virtual machine on VMware ESXi 7.0.3 (build 20328353): 8 vCPU, 64 GB RAM, 130 GB storage. OS: Debian 11.4
Traffic generator server (Tgen) | Dell PowerEdge R840: 4 x 24-core Intel Xeon Gold 6252 2.1 GHz, 2 TB RAM, 250 GB storage. Ports: 4 x 10GbE SFP+ (Intel based), 1 x 1GbE RJ45. OS: Debian 11.4
Administrator's workstation (Wstation) | 2-core Intel Xeon Gold 5218R 2.1 GHz, 2 GB RAM. OS: Windows Server 2022 Standard
Test workstation (Ustation1) | Intel Core i7-9700 3.0 GHz, 16 GB RAM, 1 TB storage. OS: Windows 10 Pro
Test workstation (Ustation2) | Intel Core i5-8400 2.8 GHz, 16 GB RAM, 1 TB storage. OS: Windows 10 Pro
Victim host (Victim) | 4 vCPU, 4 GB RAM, 30 GB storage. OS: Debian 11.7
Attacker host | 4 vCPU, 4 GB RAM, 30 GB storage. OS: Debian 11.7
Switch (QTECH) | Qtech QSW-6300-32F, firmware 12.5(4)B0101, release 09152511
Switch (Extreme) | Extreme Networks 3626GTS, firmware 6.1.0.0, software 6.4.2.007
Corporate firewall (Corporate NGFW) | CheckPoint
Stand diagrams
For the functional and load tests we organized the following bench layout:
To carry out load tests:
And for functional testing:
Test results
To begin with, I will give the list of functional and load tests that PT NGFW underwent during testing.
Load checks:
Bandwidth in IPS mode: at least 10 Gbit/s.
Simultaneous sessions: at least 10,000,000.
Support for extended VLAN ID range: no less than 4096.
Maximum number of active VLANs: at least 4096.
Functional tests:
Web interface for equipment management.
Configurable logging of individual access list lines.
Centralized management of device settings and security policies (filtering, IPS).
Create, distribute and store security policies using a hierarchical model.
Support for system management using API.
At least 4 contextual firewall operating modes.
Application detection and banning.
Traffic filtering function with connection state monitoring.
Traffic filtering function based on source and destination IP addresses.
Function of filtering traffic by protocol (encapsulated in IP) and by port.
Function for creating object groups to simplify access lists.
Function for adjusting the system configuration in real time without stopping processing.
Analysis of traffic transmitted over the IPv4 protocol.
Support for HTTPs inspection, TLS decryption, certificate spoofing.
Detection of intrusions in traffic using signatures.
Tested operating modes:
802.1Q VLAN tagging: an open standard that describes a procedure for tagging traffic to convey VLAN membership information. Since 802.1Q does not change the frame headers, network devices that do not support this standard can transmit traffic without regard to its VLAN membership. 802.1Q places a tag inside the frame that conveys information about the traffic's VLAN membership.
Static routing support.
Throughput in firewall mode of at least 30 Gbit/s with 85,000 rules loaded.
IPS throughput of at least 10 Gbit/s with 85,000 rules loaded.
The number of rules does not affect firewall throughput.
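Added example, not code from the article or from Positive Technologies: it builds and parses a constructed Ethernet frame to show what the 802.1Q tag described in the operating modes list above looks like on the wire (a four-byte TPID 0x8100 plus TCI inserted after the source MAC) and where the 4096-value VLAN ID range from the load checks comes from (a 12-bit VID field). MAC addresses and payload bytes are constructed.

```python
"""Build and decode 802.1Q-tagged Ethernet frames (added example, not the
article's or vendor's code)."""
import struct
from typing import Optional

TPID_8021Q = 0x8100       # EtherType value announcing a VLAN tag
ETH_HEADER_LEN = 14       # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4          # TPID (2) + TCI (2)


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Assemble a frame; when vlan_id is given, an 802.1Q tag is inserted
    between the source MAC and the original EtherType."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst_mac + src_mac
    if vlan_id is not None:
        # 12-bit VID: 0..4095 are encodable, which is the 4096-value range;
        # 0 (priority-only tag) and 4095 are reserved, leaving 4094 usable VLANs.
        if not 0 <= vlan_id <= 4095:
            raise ValueError("VLAN ID does not fit in the 12-bit VID field")
        if not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("PCP is 3 bits, DEI is 1 bit")
        tci = (pcp << 13) | (dei << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    offset = ETH_HEADER_LEN
    vlan_id = pcp = dei = None
    if ethertype == TPID_8021Q:
        # The tag occupies bytes 12..15; the real EtherType follows at 16.
        if len(frame) < ETH_HEADER_LEN + VLAN_TAG_LEN:
            raise ValueError("frame too short for an 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        pcp, dei, vlan_id = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = ETH_HEADER_LEN + VLAN_TAG_LEN
    return {
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "tagged": vlan_id is not None,
        "vlan_id": vlan_id,
        "pcp": pcp,
        "dei": dei,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


if __name__ == "__main__":
    # Constructed sample: broadcast destination, locally administered source MAC
    tagged = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800,
                         b"\x45\x00", vlan_id=100, pcp=5)
    print(parse_frame(tagged))
    print(parse_frame(build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800, b"\x45\x00")))
```

A device that does not understand 802.1Q sees EtherType 0x8100 in the frame and otherwise unchanged MAC fields, which is why it can still forward the frame by address without knowing its VLAN.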
Additional checks:
When you create an object, you can bind a port to a protocol at the application level.
Example: when access is opened on TCP port 80 and the port is bound to the http application, only HTTP traffic should pass; if a request that is not HTTP is generated on this port, it should be blocked (protocol inspection on the firewall).
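The check described above, as an added example (not code from the article or the vendor): a port-only rule passes whatever arrives on TCP/80, while a rule bound to the http application passes only traffic that classifies as HTTP and blocks everything else on that port. The classifier is a deliberately minimal HTTP/1.x request-line check, and the sample payloads (an HTTP request, a TLS ClientHello prefix, an SSH banner) are constructed; a real NGFW's application identification is far richer.

```python
"""Port-only versus application-bound rule evaluation (added example, not the
article's or vendor's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version CRLF
_HTTP_REQUEST_LINE = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def classify(payload: bytes) -> str:
    """Minimal L7 classifier: 'http' for an HTTP/1.x request line, else 'unknown'."""
    return "http" if _HTTP_REQUEST_LINE.match(payload) else "unknown"


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    dst_port: int
    app: Optional[str] = None   # None: port-only; "http": port bound to the http application


def evaluate(rules: List[Rule], dst_port: int, payload: bytes) -> str:
    """First-match lookup with an implicit final deny. A rule bound to an
    application matches only when the payload classifies as that application."""
    app = classify(payload)
    for rule in rules:
        if rule.dst_port != dst_port:
            continue
        if rule.app is not None and rule.app != app:
            continue
        return rule.action
    return "deny"


PORT_ONLY_POLICY = [Rule("allow", 80)]
APP_BOUND_POLICY = [Rule("allow", 80, app="http")]

# Constructed sample payloads, all sent to TCP port 80
SAMPLES: Dict[str, bytes] = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tls": bytes.fromhex("160301004a0100004603035a"),   # start of a TLS ClientHello record
    "ssh": b"SSH-2.0-OpenSSH_9.2\r\n",                    # SSH banner on the wrong port
}


def decisions(policy: List[Rule]) -> Dict[str, str]:
    """Decision for each sample payload under the given policy."""
    return {name: evaluate(policy, 80, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    print("port-only:", decisions(PORT_ONLY_POLICY))
    print("app-bound:", decisions(APP_BOUND_POLICY))
```

The difference between the two policies is the whole point of the check: with the port-only rule every sample is allowed, with the app-bound rule only the HTTP request gets through. On a real firewall the classification decision is made once enough of the stream has been seen, so the test traffic must carry a recognizable application payload rather than an empty connection.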
For an early version, the list of supported functions is already significant. In addition, the vendor promises to release the next two versions in 2024: in May and November. For example, in May 2024 there will be:
Create your own IPS signatures, create IPS profiles, and expand the available intrusion prevention system settings.
GeoIP support (we are really looking forward to this feature, tricky tests have already been prepared)
URL filtering.
Failover cluster support.
NAT support.
Also in May 2024, the guys from Positive Technologies promise to present their own hardware platforms for a Russian-made firewall. Our team will definitely retest them.
Results of load testing of the PT NGFW firewall
Now comes the fun part. How true are the throughput figures that the vendor actively publishes in its materials? We share the results of load tests in the table below.
Two rule sets were loaded, 85,000 rules into each of the four firewall contexts in both cases: simple rules (one source and one destination, each a /32 address, and one service) and medium-complexity rules (five sources and five destinations, each a /32 subnet, and a service group of five services with one port/protocol each). No traffic matches the first 84,999 rules; only the last allowing rule sees traffic. Rx/Tx figures are in Gbit/s; CC is the number of concurrent connections and CPS the number of new connections per second.

Function | Parameter | 85,000 simple rules per context | 85,000 medium-complexity rules per context | Comment
--- | --- | --- | --- | ---
FW+APP CONTROL | Throughput on Emix traffic, Gbit/s | Rx 36 / Tx 35.8 / CPU 16.5% | Rx 36.1 / Tx 35.9 / CPU 15.6% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | Throughput on Emix traffic profile, Gbit/s | Rx 29.5 / Tx 29.3 / CPU 86% | Rx 29.5 / Tx 29.3 / CPU 85% | Application Control (L7) was enabled during testing
FW+APP CONTROL | Throughput on UDP traffic with packet size 64 bytes, Gbit/s | Rx 8.47 / Tx 8.47 / CPU 8.6% | Rx 8.71 / Tx 8.71 / CPU 9.4% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | Throughput on UDP traffic with packet size 64 bytes, Gbit/s | Rx 8.45 / Tx 8.45 / CPU 12.4% | Rx 8.64 / Tx 8.64 / CPU 12.3% | Application Control (L7) was enabled during testing
FW+APP CONTROL | Throughput on UDP traffic with packet size 512 bytes, Gbit/s | Rx 37.5 / Tx 37.5 / CPU 5% | Rx 37.4 / Tx 37.4 / CPU 4.6% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | Throughput on UDP traffic with packet size 512 bytes, Gbit/s | Rx 37.4 / Tx 37.4 / CPU 11.8% | Rx 37.4 / Tx 37.4 / CPU 12.6% | Application Control (L7) was enabled during testing
FW+APP CONTROL | Throughput on UDP traffic with packet size 1500 bytes, Gbit/s | Rx 40 / Tx 40 / CPU 1.2% | Rx 39.8 / Tx 39.8 / CPU 1.2% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | Throughput on UDP traffic with packet size 1500 bytes, Gbit/s | Rx 39.9 / Tx 39.9 / CPU 5.1% | Rx 40 / Tx 40 / CPU 5.2% | Application Control (L7) was enabled during testing
FW+APP CONTROL | Maximum number of TCP sessions | Rx 7.49 / Tx 7.79 / CC 12.6M / CPU 11.3% | Rx 7.52 / Tx 7.82 / CC 12.6M / CPU 10.4% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | Maximum number of TCP sessions | Rx 7.51 / Tx 7.81 / CC 12.6M / CPU 44.6% | Rx 7.49 / Tx 7.79 / CC 12.6M / CPU 45% | Application Control (L7) was enabled during testing
FW+APP CONTROL | Maximum number of new sessions per second (CPS) | Rx 11 / Tx 11.4 / CPS 711k / CPU 21% | Rx 11.1 / Tx 11.5 / CPS 711k / CPU 20.2% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | Maximum number of new sessions per second (CPS) | Rx 11.5 / Tx 11.1 / CPS 712k / CPU 70.8% | Rx 11 / Tx 11.4 / CPS 711k / CPU 69.3% | Application Control (L7) was enabled during testing
FW+APP CONTROL | Throughput for HTTP traffic with a 64 KB response size, Gbit/s | Rx 39.4 / Tx 38.5 / CPU 6.4% | Rx 39.4 / Tx 38.5 / CPU 5.6% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | Throughput for HTTP traffic with a 64 KB response size, Gbit/s | Rx 29.2 / Tx 28.6 / CPU 14.3% | Rx 27.2 / Tx 26.6 / CPU 14% | Application Control (L7) was enabled during testing
FW+APP CONTROL | Throughput for HTTP traffic with a 256 KB response size, Gbit/s | Rx 37.8 / Tx 37.8 / CPU 6.4% | Rx 36 / Tx 36 / CPU 5.4% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | Throughput for HTTP traffic with a 256 KB response size, Gbit/s | Rx 32.1 / Tx 31.9 / CPU 19% | Rx 29.5 / Tx 29.3 / CPU 20% | Application Control (L7) was enabled during testing
FW+APP CONTROL+IPS | HTTP connection setup rate per second | Rx 11.5 / Tx 11.1 / CPU 70.8% | Rx 11 / Tx 11.4 / CPU 69.3% | Application Control (L7) was enabled during testing
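Added example, not code from the article or from Positive Technologies: it reproduces the shape of the rule sets used in the load tests above (85,000 rules per context, in the simple and the medium-complexity variant) and feeds them through a naive first-match evaluator, to make visible why "traffic only for the last allowing rule" is the worst case for a linear rule matcher and therefore a fair probe for the claim that the number of rules does not affect throughput. The address ranges and port numbers are constructed; the real tests did this per context on the appliance, not in Python.

```python
"""Generate the load-test rule sets and look up the last-rule flow (added
example, not the article's or vendor's code)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]            # (protocol, port), e.g. ("tcp", 443)
Address = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    sources: FrozenSet[Address]      # /32 hosts, as in the test description
    destinations: FrozenSet[Address]
    services: FrozenSet[Service]     # one service, or a group of five
    action: str = "allow"

    def matches(self, src: Address, dst: Address, svc: Service) -> bool:
        return src in self.sources and dst in self.destinations and svc in self.services


def build_policy(n_rules: int, objects_per_rule: int) -> List[Rule]:
    """objects_per_rule=1 gives the simple rule set (1 source, 1 destination,
    1 service); 5 gives the medium-complexity set (5 sources, 5 destinations,
    a service group of 5). Every address is unique across the policy, so a
    flow that belongs to rule i matches no rule before i."""
    src_base = int(Address("10.0.0.0"))      # constructed address ranges
    dst_base = int(Address("172.16.0.0"))
    rules = []
    for i in range(n_rules):
        first = i * objects_per_rule
        members = range(first, first + objects_per_rule)
        rules.append(Rule(
            sources=frozenset(Address(src_base + k) for k in members),
            destinations=frozenset(Address(dst_base + k) for k in members),
            services=frozenset(("tcp", 1024 + k % 60000) for k in members),
        ))
    return rules


def first_match(rules: List[Rule], src: Address, dst: Address,
                svc: Service) -> Tuple[Optional[int], int]:
    """Linear first-match lookup. Returns (index of the matching rule, or None
    for the implicit deny; number of rules examined)."""
    for i, rule in enumerate(rules):
        if rule.matches(src, dst, svc):
            return i, i + 1
    return None, len(rules)


def flow_for(rule: Rule) -> Tuple[Address, Address, Service]:
    """One flow permitted by the given rule (its lowest source, destination and service)."""
    return min(rule.sources), min(rule.destinations), min(rule.services)


def worst_case(n_rules: int = 85_000, objects_per_rule: int = 1) -> Tuple[Optional[int], int]:
    """Build one context's policy and look up a flow that only its last rule allows."""
    rules = build_policy(n_rules, objects_per_rule)
    return first_match(rules, *flow_for(rules[-1]))


if __name__ == "__main__":
    for complexity in (1, 5):
        idx, examined = worst_case(85_000, complexity)
        print(f"objects per rule {complexity}: matched rule {idx}, examined {examined} rules")
```

A matcher that walks the list has to inspect all 85,000 rules for every packet of the test flow, which is exactly where a per-packet cost proportional to the rule count would show up in the Rx/Tx figures. A firewall whose throughput barely moves between the two rule-set columns is compiling the policy into a lookup structure rather than scanning it.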
Conclusions:
Overall, our technical team was pleased with the test results.
Pros:
hierarchical model of security policy management. This approach should be especially convenient for our clients with extensive divisional structures. You can create groups and subgroups of devices in which rules are inherited;
flexibility in setting up the rules themselves and the results of their work (you can not only drop packets, but also, for example, close a session);
the presence of virtual contexts, which we frankly missed in Russian solutions. You can divide one box into 100-150 logical ones and build complex logical topologies;
the speed of applying policies is practically independent of the load on the firewall. We loaded 85,000 filtering rules under a 30 Gbps load and all the rules were applied in less than two minutes;
open API. As you can imagine, we would be especially sad to load 85,000 rules without it;
really fast IPS (the vendor didn’t deceive us here). We compared performance with IPS on and off and found no more than a 10% difference (for most domestic solutions, our tests showed a difference many times greater);
support for a large number of rules and a weak impact of the number of rules on performance.
Minuses:
lack of NAT and dynamic routing in a modern firewall (Positive Technologies promises to add them in the next version, and we will definitely follow the updates);
lack of product documentation. We, of course, understand that we received the solution before the official release, but we would like to have at least some instructions for setting it up. To be fair, Positive Technologies was ready to advise us on every issue, but the lack of documentation greatly delayed our tests.