
Basics of IronPort S Series evaluation process

Document authors and owners: REAL security d.o.o., Meljska cesta 1, 2000 Maribor, Slovenija

This publication and the information contained herein is furnished “AS IS” and is a property of REAL security. The content is based on the content of the appropriate appliance documentation provided by the vendor. The intended receiver should treat it as such and in the scope of an agreement between REAL security and the receiver. This document may not be shown to a third party without a prior notice and consent of REAL security.

Parts of this document are copied directly from the IronPort Systems documentation.

The IronPort logo, IronPort Systems, SenderBase, and AsyncOS are all trademarks or registered trademarks of IronPort Systems, Inc. All other trademarks, service marks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners.

IronPort Systems is a part of Cisco Systems. Cisco, the Cisco logo, Cisco Systems, IronPort and all IronPort’s trademarks or registered trademarks are therefore registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.

Contents

Part 1 – IronPort S-Series S*** appliance

Chapter 1 – IronPort S-Series Appliance Basics
  Web Proxy
  L4 Traffic Monitor
  Management

Chapter 2 – IronPort S-Series Deployment Basics
  Management
  Web Proxy
  L4 Traffic Monitor

Chapter 3 – IronPort S-Series Network Interfaces
  M interfaces
  P interfaces
  T interfaces
  Example deployment scenario

Chapter 4 – IronPort S-Series Evaluation planning
  Recommendations
  Additional reporting and logging

Chapter 5 – IronPort S-Series S360 Appliance Data
  S360 physical data
  Performance basics
  Performance table

Chapter 1 – IronPort S-Series Appliance Basics

An IronPort S-Series appliance is not merely a web filtering appliance; it is a web security appliance with two separate and independent services, the Web Proxy and the L4 Traffic Monitor. They are enabled and configured separately to provide the highest level of protection against a broad range of web-based malware threats.

The Web Proxy and L4 Traffic Monitor use data that is stored in filtering tables to evaluate and match URL request attributes such as domain names, IP addresses and path segments with locally maintained database records. If a match occurs, Access Policy settings determine an action to block or monitor the traffic. If no match occurs, processing continues.

Understanding these two components is very important for a successful deployment, evaluation and eventual use of an S-Series appliance.

Web Proxy

Web Proxy is a primary function / component of the appliance, which takes care of traditional web proxy/cache functions and advanced web security functions. The Web Security appliance Web Proxy can be configured in all the usual different proxy modes (explicit, transparent) and supports the following security features:

• Policy groups — Policy groups allow administrators to create groups of users and apply different levels of category-based access control to each group.

• IronPort URL Filtering Categories — You can configure how the appliance handles each web transaction based on the URL category of a particular HTTP request.

• Web Reputation Filters — Reputation filters analyze web server behaviour and characteristics to identify suspicious activity and protect against URL-based malware threats.

• Anti-Malware Services — The IronPort DVS™ engine in combination with the Webroot and McAfee scanning engines identify and stop a broad range of web-based malware threats.

The Web Proxy is usually turned on at the initial setup, as it is the ‘primary feature’ of an S-Series appliance, but it can also be turned off if desired. The Web Proxy security features may or may not be turned on immediately: some of them can be configured to work in Monitoring mode only, every feature can be turned on and off, and the action mode can be changed between monitor and block later, after initial setup.

The L4 Traffic Monitor

The L4 Traffic Monitor is an optional, configurable service that listens on and monitors network ports for rogue activity and blocks malware attempts to infect your corporate network. Additionally, the L4 Traffic Monitor detects infected clients and stops malicious activity from leaving the corporate network. The L4 Traffic Monitor listens to all the traffic on all TCP ports or, more precisely, to all the traffic that is visible on the network interfaces it is connected to.

Management

In terms of understanding the appliance and planning a deployment, we can think of Appliance Management as a third major feature / component.

Chapter 2 – IronPort S-Series Deployment Basics

Management

An IronPort S appliance is initially configured using a computer (laptop) and a browser-based management tool (the System Setup Wizard). This is done either before the appliance is deployed in the network, with a laptop connected directly to the appliance management interface, or after the appliance is already fully connected in the network. Additionally, an appliance can be configured by an experienced administrator using the CLI.

An S-Series appliance has a special network interface for management, marked as M1. It can be used only for management, or for other purposes too, depending on the network deployment plan. One possible ‘extreme’ deployment uses only this one interface for all the necessary communications (Management and Web Proxy, with L4 Monitoring disabled). This is a must in case the network is not divided into subnets, because if more interfaces are used, each of them must be in a separate IP subnet.

When you deploy the Web Security appliance, you can enable one or both of the two main features. By default, both the L4 Traffic Monitor and Web Proxy are enabled in the System Setup Wizard. If you need to disable both or one of these features, you can do so after initial setup from the web interface.

Initial setup is done, as mentioned, using the System Setup Wizard, which is usually run just once. It can be run again later, but this will clear all the configuration! Every feature of the appliance can be reconfigured later, which is perfect for an evaluation process – a customer can start with a limited subset of features and clients and evaluate different features at different times, turning them on one by one, the next one only after the previous one is working and approved.

Web Proxy deployment

The IronPort S-Series Web Proxy can be deployed in explicit forward proxy mode or as a transparent proxy.

EXPLICIT FORWARD PROXY

Client applications, such as web browsers, are aware of the Web Proxy and must be configured to point to a single Web Security appliance. This deployment requires a connection to a standard network switch.

When you deploy the Web Proxy in explicit forward mode, you can place it anywhere in the network.

Client applications configuration can be:

• Manual: Configure each client application to point to the appliance Web Proxy by specifying the appliance host name or IP address and the port number, such as 3128, used for listening to data traffic.

• Automatic: Configure each client application to use a PAC file to detect the appliance Web Proxy automatically. Then you can edit the PAC file to specify the appliance Web Proxy information. PAC files work with web browsers only.

TRANSPARENT PROXY

When the appliance is configured as a transparent proxy, client applications are not aware that their traffic gets redirected to the appliance, and they do not need to be configured to point to the appliance.

To deploy the appliance in this mode, you need one of the following types of hardware to transparently redirect web traffic to the appliance:

• WCCP v2 router: When you specify a WCCP router, you need to configure additional settings on the S-Series appliance.

• Layer 4 switch: When you specify an L4 switch, you only need to specify that the appliance is connected to an L4 switch when you configure the appliance. You do not need to configure anything else on the S-Series appliance.

WEB PROXY GENERAL

IronPort S-Series appliances have special network interfaces marked as P1 and P2, which are meant to be used for Web Proxy data traffic. They are optional: interface M1 can be used for both management and web proxy if there are not enough IP subnets in the network, although using the P interface(s) can boost performance, reliability and security. Either one or both of them can be used; if both P1 and P2 are used, then one should be connected to the internal network and the other toward the Internet, and both must be on different IP subnets, which are also different from the subnet used for the M1 interface.

Tip 1: Appliance can always accept explicitly forwarded requests, even if it is used primarily in a transparent mode.

Tip 2: You can change between modes later, after initial configuration. This is perfect for an evaluation process. You can choose the option “L4 or no device” (which means explicit mode or transparent mode with L4 redirection) at the initial configuration and then use explicit forwarding to test the Web Proxy function in the first evaluation phase with a limited set of users. Later, after the initial phase is successful, if you want to test transparent mode with L4 redirection, you just reconfigure your L4 router to send requests to the S-Series appliance, which does not need to be reconfigured. But if in the second phase you want to test WCCP transparent mode, you change the Web Proxy mode to WCCP and you also have to configure at least one WCCP service on the appliance.

Important: Does the network have an existing proxy? If yes, it is recommended you deploy the Web Security appliance downstream from the existing proxy server, meaning closer to the clients. The System Setup Wizard refers to this as an upstream proxy configuration. You may also need to enable IP spoofing (and configure other aspects of the appliance / network accordingly) if the upstream proxy needs client IPs (for identification, logging or other purposes).

The L4 Traffic Monitor deployment

INTERFACES AND ACTION MODES

L4 Traffic Monitor (L4TM) deployment is independent of the Web Proxy deployment. The IronPort S-Series appliance uses special network interfaces marked as T1 and T2 for traffic monitoring; either T1 only, or both T1 and T2, can be used (see below about simplex and duplex modes). L4TM can work in Monitor only or in Monitor and Block mode. When in Monitor and Block mode, the other configured network interface(s) (M1, P1, P2) are used to block clients initiating inappropriate communication. Therefore all the clients whose traffic is seen on the T ports must be accessible through one of the other ports for L4TM to be able to perform blocking. Ports T1 and T2 do not have IP addresses assigned to them; the appliance uses them only for listening, not for sending data, and it is unimportant whether they sit in the same or different IP subnets as any M or P port (as long as the clients can be reached using any of the configured routes).

SIMPLEX OR DUPLEX MODE

When listening to the network traffic, there are two possibilities of what is seen on a single network port:

Simplex: This communication type uses two cables/ports - one cable for all traffic between clients and the appliance, and one cable for all traffic between the appliance and external connections. Connect port T1 to the network tap so it receives all outgoing traffic (from the clients to the Internet), and connect port T2 to the network tap so it receives all incoming traffic (from the Internet to the clients).

Duplex: This mode uses one cable/port only for all incoming and outgoing traffic. You can use half- or full-duplex Ethernet connections. Connect port T1 to the network tap so it receives all incoming and outgoing traffic.

IronPort recommends using simplex when possible because it can increase performance and security. But this is possible only if your incoming and outgoing traffic / ports are separated, which might not be the case in your network.

PHYSICAL CONNECTION

Traffic monitoring can be done using three types of devices / network ports connected to the appliance’s T port(s):

• Network tap device : When you use a network tap device, you can choose both communication types, so you can use either T1 or T1 and T2, depending on your preferences and tap device features.

• Span/mirror port of an L2 switch : Connecting is similar to a simplex or duplex network tap, depending on whether the connection uses two separate devices or one device.

• Hub : Choose duplex L4TM mode when you connect the L4 Traffic Monitor to a hub and connect T1 to appropriate hub port, because hub always mirrors all incoming and outgoing traffic.

Variations

There are almost limitless variations of IronPort S-Series appliance deployment:

• Appliance Management is of course always enabled and is always done using the M1 network interface, thus:

- it is possible to have the appliance connected to the network using the M1 interface only and have every other feature disabled; it is accessible for management, but performs none of the other features and has no impact on the network or traffic;

- the M1 port can be configured to ignore forwarded proxy requests.

• Web Proxy is usually enabled, but can be disabled; it can use M1, P1, P2 interfaces for data traffic, thus:

- in a simplest deployment, an appliance can be managed on M1 interface, Web Proxy is enabled in explicit forward mode using M1 interface too;

- explicit or transparent deployment can be done using either M1 only, P1 only, or both P1 and P2 interfaces;

- transparent mode is the next logical step during the evaluation process and can be done using either WCCP or L4 redirection;

- when in transparent mode the appliance can still accept explicitly forwarded proxy requests;

- almost all of the Web Proxy Security features can be licensed and enabled separately and some of them can also work in Monitor Only or Monitor and Block modes.

• L4 Traffic Monitor is independent of whether the Web Proxy is enabled and of the mode / configuration the Web Proxy and Web Proxy Security Services are in; this gives us a lot of variations on L4TM / Web Proxy combinations. Also, L4TM by itself has deployment variations depending on:

- hardware device it is connected to, can be either hub or L2 switch with span/mirror port or network tap;

- cable / port mode can be simplex or duplex;

- mode of operation can be either only monitoring or monitoring and blocking.

• All of these features and modes can be combined in a lot of different ways, independent of each other, so it is best to think of Web Proxy and L4TM deployment separately.

Chapter 3 – IronPort S-Series Network Interfaces

The IronPort S-Series Web Security appliance usually includes six physical Ethernet ports on the back of the system. Each Ethernet port corresponds to a different network interface. The Ethernet ports are appropriately marked and are grouped into three types of network interfaces. They can be used in different combinations, but it is important to know that if T and P interfaces are used, they must be in different IP subnets, which is not always possible, in that case only a few or even only one of them is used.

M – Management interfaces

The appliance has two management interfaces, marked as M1 and M2; however, only the M1 interface is enabled. Use M1 to administer the appliance. Optionally, you can also configure the M1 interface instead of P1 and / or P2 to handle Web Proxy data traffic. You might want to use the M1 interface for data traffic if your organization does not use a separate management network. When M1 handles Web Proxy data traffic, neither of the data interfaces is enabled.

You can restrict M1 port to appliance management services only, which means it will ignore other traffic.

If Web Proxy is working in transparent mode and port M1 is not restricted to management traffic, it can still receive explicitly forwarded proxy requests and appliance will process them accordingly.

P – Data (or Proxy, for Web Proxy feature) interfaces

The Data interfaces include P1 and P2, use them for Web Proxy data traffic if you want / can separate it from management. You can enable and use just the P1 port or both the P1 and P2 ports for data traffic. If the Management and Data interfaces are all configured, each must be assigned IP addresses on different subnets. When you configure the Web Proxy in transparent mode, you can connect the P1 port or both the P1 and P2 ports to an L4 switch or WCCP router using an Ethernet cable.

P1 only enabled: When only the P1 interface is enabled, connect it to the network for both incoming and outgoing traffic.

P1 and P2 enabled: When both P1 and P2 are enabled, you must connect P1 to the internal network and P2 toward the Internet.

Note — You can only enable and configure the P1 interface for data traffic in the System Setup Wizard; if you want to enable the P2 interface, you must do so after system setup in the web interface or using the ifconfig command. You can use the Data interface for Web Proxy monitoring and optional L4 traffic monitoring. You can also configure this interface to support outbound services, such as DNS, software upgrades, NTP, and traceroute data traffic.

If another proxy is in the network, it should be upstream from the S-Series appliance; that is, the appliance should be connected to the network closer to the clients, between them and the other proxy.

T – L4 Traffic Management interfaces

The L4 Traffic Monitor interfaces include T1 and T2. Use these interfaces for monitoring and blocking L4 Traffic Monitor traffic. The appliance uses the T1 and T2 interfaces for listening to traffic on all TCP ports.

You can connect just T1 or both T1 and T2 using an Ethernet cable, depending on whether you use simplex or duplex communication.

T1 only connected (duplex): When you configure the appliance to use duplex communication, connect T1 to the network so it receives all incoming and outgoing traffic.

T1 and T2 connected (simplex): When you configure the appliance to use simplex communication, connect T1 to the network so it receives all outgoing traffic (from the clients to the Internet), and connect T2 to the network so it receives all incoming traffic (from the Internet to the clients).

For L4TM to function the interface(s) should be connected to the network before any NAT is done, that is closer to the clients than any appliance that performs Network Address Translation.

Example deployment scenario

This is an example of an ‘almost full’ IronPort Web Security appliance deployment with both main features enabled: Web Proxy and L4 Traffic Monitor are enabled and the appliance is appropriately connected to support both features. In this example the Web Proxy is deployed in transparent mode, but only the P1 port is connected to either an L4 switch or a WCCP router; if both P1 and P2 were used, we would call it a ‘full’ deployment instead of ‘almost full’. The Web Proxy ports are closer to the clients, that is, before any other proxy, which should be upstream. The T1 and T2 ports are used for L4TM (this is simplex mode); they are connected to the network tap device, which is between the clients and the Internet but must be before any NAT is performed. Appliance management in this scenario is done using only one directly connected laptop. But this could also be a special management network, separated from the network seen in the upper part of this picture (since M and T interfaces can’t be on the same IP subnet).

Again, lots of variations are possible: we could do all this using only one interface (M1), but that could have an impact on performance, security and reliability. In another case both P1 and P2 could be used, if we could connect the appliance so that P1 is connected to the clients only and P2 points to the Internet only. Maybe L4TM would not be used, in which case ports T1 and T2 would not be connected, or we would use only T1; both these cases are completely independent of the Management and Web Proxy deployments.

The variations could, for instance, be described as follows – first we take care of the Web Proxy feature, and then of L4 Traffic Monitoring. Choose 1 of the 3 possibilities under A if you will start with the Web Proxy immediately (or when you start using the Web Proxy later), and 1 of the 2 possibilities under B if you will start using L4 Traffic Monitoring immediately (or when you start using L4TM later):

A) Management / Proxy interfaces (M1, P1, P2):

- possibility 1 – only interface M1 is used, for both appliance management and proxy functions (in either explicit or transparent mode);

- possibility 2 – interfaces M1 and P1 are used, they MUST be in different subnets, M1 is used for management only, and P1 for all the proxy communication;

- possibility 3 – all three interfaces used, they MUST ALL be in separate subnets, M1 is used for management only, P1 and P2 for all the proxy communication, you must connect P1 to the internal network and P2 toward the Internet.

B) L4 Traffic Monitoring interfaces (T1, T2):

- this is independent of everything in section A;

- but it is dependent on the type and configuration of the device used to ‘provide’ the traffic data (hub, network tap, span/mirror port);

- possibility 1 – Simplex Tap, both interfaces are used, T1 interface receives all outgoing traffic (from the clients to the Internet), and T2 interface receives all incoming traffic (from the Internet to the clients);

- possibility 2 – Duplex Tap, only interface T1 is used, connect port T1 to the network tap so it receives all incoming and outgoing traffic;

- if L4TM performs blocking too, then all the clients that might be blocked must be accessible through at least one of the other configured ports.
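The interface rules from sections A and B above (M1/P1/P2 on separate subnets, P1 internal and P2 toward the Internet, P2 not enabled in the wizard, IP-less T ports, simplex vs. duplex tap cabling, and reachable clients for L4TM blocking) can be checked mechanically before anything is cabled. The script below is an added example, not an IronPort tool; the plan layout, the two constructed plans and the reachability rule (a client subnet counts as reachable when it lies inside a directly connected M/P subnet or a static route) are the author's own assumptions.

```python
import ipaddress

# Constructed sample plan (not from the guide): possibility A3 (M1 + P1 + P2)
# combined with possibility B1 (simplex tap on T1 and T2) and L4TM blocking.
SAMPLE_PLAN = {
    "M1": {"ip": "10.0.10.5/24", "management_only": True},
    "P1": {"ip": "10.0.20.5/24", "side": "internal"},
    "P2": {"ip": "198.51.100.5/24", "side": "internet"},
    "T1": {"connected": True},
    "T2": {"connected": True},
    "web_proxy": {"enabled": True},
    "l4tm": {"enabled": True, "mode": "block", "tap": "simplex"},
    "client_subnets": ["10.0.20.0/24", "10.0.30.0/24"],
    "static_routes": ["10.0.30.0/24"],   # assumed reachable via P1's gateway
    "configured_in_wizard": ["M1", "P1"],
}

# Constructed plan that breaks several rules, to show what the checker reports.
BAD_PLAN = {
    "M1": {"ip": "10.0.10.5/24", "management_only": False},
    "P1": {"ip": "10.0.10.6/24", "side": "internal"},
    "T1": {"connected": True},
    "web_proxy": {"enabled": True},
    "l4tm": {"enabled": True, "mode": "block", "tap": "simplex"},
    "client_subnets": ["10.0.10.0/24", "10.0.40.0/24"],
    "static_routes": [],
    "configured_in_wizard": ["M1", "P1", "P2"],
}


def check_plan(plan):
    """Return a list of rule violations (an empty list means the plan is consistent)."""
    problems = []

    # Rule: every M/P interface that carries an IP address must be on its own subnet.
    nets = {}
    for name in ("M1", "P1", "P2"):
        iface = plan.get(name, {})
        if iface.get("ip"):
            nets[name] = ipaddress.ip_interface(iface["ip"]).network
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} share subnet {nets[a]}")

    # Rule: with both P1 and P2, P1 faces the internal network and P2 the Internet.
    if "P1" in nets and "P2" in nets:
        if plan["P1"].get("side") != "internal" or plan["P2"].get("side") != "internet":
            problems.append("with both P1 and P2 in use, P1 must face the internal network "
                            "and P2 the Internet")

    # Rule: the System Setup Wizard can only enable P1; P2 is enabled afterwards.
    if "P2" in plan.get("configured_in_wizard", []):
        problems.append("P2 cannot be enabled in the System Setup Wizard; enable it after setup")

    # Rule: the Web Proxy needs a data interface (a P port, or M1 not restricted to management).
    if (plan.get("web_proxy", {}).get("enabled") and "P1" not in nets
            and plan.get("M1", {}).get("management_only")):
        problems.append("Web Proxy is enabled but M1 is management-only and no P interface "
                        "is configured")

    # Rule: T ports only listen; they never carry an IP address.
    for t in ("T1", "T2"):
        if plan.get(t, {}).get("ip"):
            problems.append(f"{t} must not have an IP address; it is a listen-only port")

    l4tm = plan.get("l4tm", {})
    if l4tm.get("enabled"):
        t1 = plan.get("T1", {}).get("connected", False)
        t2 = plan.get("T2", {}).get("connected", False)
        # Rule: simplex needs T1 (outgoing) and T2 (incoming); duplex needs T1 only.
        if l4tm.get("tap") == "simplex" and not (t1 and t2):
            problems.append("simplex L4TM needs both T1 and T2 connected to the tap")
        if l4tm.get("tap") == "duplex" and not t1:
            problems.append("duplex L4TM needs T1 connected to the tap")
        # Rule: blocking works only if every monitored client is reachable via M1/P1/P2.
        # Assumption: reachable = inside a connected M/P subnet or a configured static route.
        if l4tm.get("mode") == "block":
            reachable = list(nets.values())
            reachable += [ipaddress.ip_network(r) for r in plan.get("static_routes", [])]
            for client in plan.get("client_subnets", []):
                cnet = ipaddress.ip_network(client)
                if not any(cnet.subnet_of(r) for r in reachable):
                    problems.append(f"L4TM blocking: client subnet {client} is not reachable "
                                    "through M1/P1/P2 or a static route")
    return problems


if __name__ == "__main__":
    for label, plan in (("sample plan", SAMPLE_PLAN), ("bad plan", BAD_PLAN)):
        found = check_plan(plan)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```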

Chapter 4 – IronPort S-Series Evaluation planning

These are some recommendations for the evaluation of IronPort S-Series appliances. This is our opinion only; professionals who have used these appliances before and know them very well might do things differently. We do not take any responsibility for any damage caused through inappropriate evaluation, either following or not following these recommendations.

Evaluation deployment recommendations

1. Prepare and plan for your deployment. Basic points are:

- Decide whether you will deploy the Web Security appliance as a transparent proxy or an explicit forward proxy. For an explicit proxy, plan your manual or automated client application setup.

- Will you use L4 redirection for your transparent proxy? Learn about your L4 router configuration.

- If you need a transparent proxy with WCCP, learn about your WCCP router configuration and WCCP services configuration on the IronPort appliance.

- Does the network have an existing proxy? Learn all the possible impacts of this and plan your deployment.

- Will you enable the L4 Traffic Monitor? Check your traffic monitoring devices and thus possibilities for T1 / T2 interface connections.

- Plan where you will connect all the needed interfaces of your IronPort S appliance: think about where NAT is happening, whether there is another proxy, whether the traffic can get to the device from all your clients, in case of L4TM blocking whether the device can reach all the clients, and in case of L4TM whether you can really see all the traffic on your T1 / T2 interface(s).

- Collect all your needed network data like IPs planned for M1 and other interfaces, gateways, subnets, DNSs, NTPs, static routes etc. Use prepared tables from IronPort S-Series appliance user guide and from Quickstart Guide.

2. Install the device in your communications rack, connect all its needed interfaces where you planned, plug in the power and boot up your appliance.

3. Connect your laptop to the device either directly or through the management network, and use your web browser to perform the initial appliance configuration. The initial configuration consists of the System Setup Wizard and any additional configuration procedures needed for the device to start working as you planned for the first working phase of your evaluation. You can do this either before or after you actually connect your appliance to the network as planned. It should not have any impact on the network before it is configured and before you enable any major functions, but if you need to be sure, you can do the configuration first and connect later.

- If ‘L4 or no device’ is used and your L4 router is not yet configured to redirect to the S360, no proxying is being done even if your appliance has the Web Proxy enabled, so it still has no impact on your network.

4. Start with both major features (Web Proxy, L4TM) disabled, or with the Web Proxy enabled but in ‘L4 or no device’ mode without actual redirection from the L4 router; now, regardless of how and where the appliance is connected, it has no impact on the rest of the network. A tip – in the System Setup Wizard choose ‘L4 or no device’, which means ‘Explicit proxy or L4 redirection’; you can switch to WCCP later if needed. Get to know your appliance, learn about the web user interface, read the manual, experiment, check your licences, and if you want or need to, you can also start learning about the Command Line Interface (CLI).

5. When you are familiar enough with your appliance, you can start experimenting with its Web Proxy feature. First, enable the explicit proxy, use it on a limited set of manually configured clients, and experiment. Learn about manual / PAC file client configuration if you will use explicit mode. Experiment with what happens if you change your proxy port setting, and learn about the Monitor menu of your appliance web management interface.

6. When done with testing the explicit forward proxy, if the next phase is approved and transparent mode is planned for production use, enable transparent proxy mode. Still nothing changes: clients that have an explicitly defined proxy are still using it, others are not.

- If you have the possibility, you can (we recommend it) test the transparent proxy mode on a limited number of users too, that is, if you have the ability to redirect only a small subnet of your network through your proxy appliance.

- If you will use L4 redirection, all you need to do is have the ‘L4 or no device’ Web Proxy mode enabled on the IronPort appliance, and of course have your router reconfigured to forward the appropriate traffic to your IronPort appliance.

- In case of WCCP transparent mode you first need to configure at least one WCCP service on your IronPort appliance and then reconfigure your WCCP router. But before that, know what you are doing – learn about WCCP, check your router manual’s WCCP section, and learn about WCCP from the IronPort manual.

- After either of the two things above is done, the traffic from all your clients (or only those who go through the reconfigured L4 / WCCP devices) should go to the IronPort S appliance. After a while a big difference should be seen in the Monitor menu of your appliance management interface (or not, if the number of transparently redirected clients is still very limited). Now you can learn about all that, maybe even experiment with configuration settings etc. (recommended only on the limited number of users).

7. If you will use it, learn about authentication, configure and test it.

8. Now you have just a basic Web Proxy performing traditional proxy / cache functions, but still no security features. It is recommended that you enable the Web Proxy Security Features (URL filtering and others) one by one, learn about them, experiment, etc. Configure them, if possible, first in monitoring-only mode; then, after you have done some testing and have good results, turn on blocking.

9. Turn on the FTP Proxy and experiment with it, if it will be needed in production. The FTP Proxy is used for native FTP; FTP over HTTP is handled by the Web Proxy.

10. Turn on HTTPS, experiment with it and learn everything about it, if it will be needed in production.

11. In the last phase configure your L4 Traffic Monitoring feature and experiment with it. Use monitoring-only mode first; later you can turn on blocking too.

About additional reporting and logging

If you are interested in advanced reporting possibilities, you will want to use an off-appliance reporting tool, either IronPort’s own – Sawmill – or another third-party reporting tool capable of reading the data provided by the IronPort S-Series appliance.

The IronPort appliance supports a large number of different logs and log formats and, of course, also offloading these logs from the appliance in more than one way for use in third-party log analysis tools.

Chapter 5 – IronPort S-Series Appliance Data

S360 physical data

Chassis
  Form Factor: 2RU
  Dimensions: 3.5” (h) x 17.5” (w) x 29.5” (d)
  Power Supply: 750 watts, 100/240 volts
  Redundant Power Supply: Yes

Processor, Memory and Disk
  CPUs: 1 x 4 (1 Quad Core Xeon)
  Speed: 2.33 GHz
  Memory: 4 GB
  Disk Space: 1.2 TB (4 x 300 GB SAS)
  Hot Swappable Hard Drives: Yes

Interfaces
  RAID: RAID 10, battery-backed 256 MB cache
  Ethernet: 6 x Gigabit NICs, RJ-45
  Serial: 1 x RS-232 (DB-9)
  Fiber: No

Configuration, Logging and Monitoring
  Web Interface: GUI-based (HTTP or HTTPS)
  Command Line Interface: SSH or Telnet (Configuration Wizard or command-based)
  Logging: Squid, Apache, syslog
  Centralized Reporting: Supported
  File Transfer: SCP, FTP
  Configuration Files: XML-based
  Centralized Configuration: Supported
  Monitoring: SNMPv1-3, email alerts

Performance basics

REQUESTS PER SECOND

The usual key question is: how many users can be handled by one S360 appliance? Well, an appliance has its own specifications, which do not change, so it depends on the users. It is estimated that on average about 5% of all users generate a request within a timespan of a second, and we’ve seen a maximum rate of 10%.

An S360 appliance can handle 3500 requests/second in the simplest mode (proxy / caching only) and 750 req/s with all Web Proxy functions turned on (all these rates are in the table on the following page). Turning on the L4 Traffic Monitor decreases performance by 10-15%. So let’s calculate the number of users:

Num.users = (100 / user.activity.rate.percentage) x s360.req.rate

Num.users.with.L4TM = (100 / user.activity.rate.percentage) x s360.req.rate x 9/10

Users per appliance at the 5% average activity rate (in parentheses: at the 10% maximum rate):

Proxy / cache only: 70.000 users (35.000 in an internet-active environment)

Proxy / cache with L4TM: 63.000 users (31.500)

Proxy / cache + URL filt. + web rep. fil.: 54.000 users (27.000)

Proxy / cache + URL filt. + web rep. fil. + L4TM: 48.600 users (24.300)

All Web Proxy features turned on: 15.000 users (7500)

All Web Proxy features turned on with L4TM: 13.500 users (6750)

The most important numbers are: 70.000 users in the most lightweight setup, 54.000 with full web filtering (no security), 24.300 with full filtering and L4TM, and 6750 users in the most demanding environment.

THROUGHPUT

We’ve already said that L4TM has about a 10-15% impact on S360 performance; it has no direct impact on traffic. What remains is HTTP throughput, which doesn’t depend so much on the appliance as on where users are surfing and what they are viewing. Why? Because a web security appliance handles requests, not traffic itself, and each request represents one HTTP object (HTML page, JPEG picture, MPEG file). So we could say the throughput is:

throughput (objects/sec) = s360.req.rate (req/sec)

average.throughput (Mbit/s) = s360.req.rate (req/sec) x average.http.object.size (Mbit)

Some estimates:

- an average object size is 80-90 kbit, which translates roughly (3500 req/s x 90 kbit) into 315 Mbps of sustained throughput in the most lightweight setup, 234 Mbps with full web filtering, 218 Mbps with full filtering and L4TM and 61 Mbps under full load;

- each Mbps of HTTP traffic translates to ~10 requests/second; again we arrive at a similar estimate, that an S360 appliance which can handle 3500 req/s in the most lightweight setup sustains 350 Mbps of throughput, or 270 Mbps with full web filtering, 243 Mbps with full filtering and L4TM and 75 Mbps under full load.

Performance table

The following table shows:

- in the left part of the table, the S360 appliance functions, which might be turned on (dot) or not (no dot),

- how many requests per second one S360 appliance can handle at different load levels (i.e. with different functions turned on),

- the number of users one appliance can handle, estimating that either 5% (average) or 10% (expected maximum) of users are initiating connections at a given time,

- this is without L4TM; if the L4 Traffic Monitor is turned on too, it has a 10-15% impact on performance.
