Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Satyam
New Contributor

General question about firewalls

Hi Guys, I am an extreme beginner on firewalls and networking. I have a question, which will sound very naive. My brother's company has around 500 employees in the same branch where he works. They have two firewalls in HA, then switches and then their servers. They run many web applications on their servers and a large amount of data is uploaded to the internal storage from internal endpoints.

They have multiple 16G and 25G network cards in their servers, storage, switches and firewalls, and they have 3 ILL lines: 2x500 Mbps and 1x350 Mbps.

My question is why do they need 25G interfaces in the firewalls? For servers, storage and switches I can understand, since a lot of data is moved internally. But internal data can be routed through switches, and their fastest ILL is 500 Mbps. Since internal data doesn't need a firewall to move around, what's the use of 25G interfaces? Even most companies I have seen with a fast ILL have 1 Gbps, so shouldn't a 1 Gbps interface on the firewall be enough, since data that comes and goes through the internet cannot be more than their ILL speed? In general, what's the use of firewall interfaces with higher gigabit speed than the ILL?

6 REPLIES
emnoc
Esteemed Contributor III

1st, if the traffic is going through the firewall between server(s) and storage and the NIC was at 1G, that would be a bottleneck.

2nd, the trunks are a shared infrastructure interface; you might have 1-2-3-4+ servers with 10/25 gig NICs sending data to a server, storage or some other device.

BTW, 25 Gbps is nothing impressive; most medium-to-big outfits are building 100 Gbps cores and/or have had a 40 gig backbone in LAG bundles for years now.

The price of 25 Gb vs 10 Gb is dropping every year.

YMMV


Ken Felix
PCNSE NSE StrongSwan
Satyam
New Contributor

Hi,

But my question is: if internal data can be routed through switches and doesn't need a firewall for that, then what is the requirement for 25G on a firewall?

emnoc
Esteemed Contributor III

Maybe the switch does not support 1 GigE, maybe they want to run everything at 25 GbE, maybe the only transceivers they have are 25 GbE, maybe there's other traffic going through this firewall at speeds higher than 1 GigE, maybe they got a reduced $$ rate and decided to buy 25 GbE dual/single port adapters, maybe they have one of those switches where, if you want to run mixed speeds on the controller, you take a penalty or increased limitations, etc.....

I mean, you're asking a question that nobody can really answer except the org that has this setup ;)

I personally do not build around 100 meg or 1 GigE interfaces any more, BUT that is my preference. I think 10 GbE will be a minority in the next 4-5 years (just my guess).

YMMV


Ken Felix
PCNSE NSE StrongSwan
lobstercreed
Valued Contributor

I think you're making a very bad assumption that internal traffic would not go through the firewall. In my organisation (a college), very little traffic *doesn't* pass through the firewall. The edge (connection to the Internet) has not been the primary attack vector for a very long time. Compromising an internal system and bouncing through it to other systems is the goal of most attackers, so keeping systems that don't need to talk to each other from talking to each other is a very good idea.
eti_andrei
New Contributor III

In the old days, it may have been considered wasteful to route internal traffic through a firewall, since firewalls had an inherent performance penalty. So a dedicated router or routing switch would be used, and it was considered solid practice. However, you miss out on the cool traffic classification and policy-based security that a firewall can provide. I'm generalizing, of course.

 

One of the benefits of the FortiGate design, particularly on the mid to high tier models, is the offloading architecture designed to minimize the kind of latency that's typically associated with packet inspection.

 

In many of our middle and high tier clients, we will have a FortiGate (often in a cluster) handling all internal routing duties. This gives us some excellent visualization into the kind of traffic flowing within the organization while allowing very granular inter-vlan security policies.

 

For example: a company has a VLAN for staff computers and another VLAN where the building controls reside. Everything is AD-bound and FSSO is set up. I can create a policy that allows only the "HVAC control operators" group in AD to access resources on the building controls VLAN. We can also have IPS scanning traffic between those two VLANs to find and stop infected computers from attacking internal resources. All without sacrificing performance.
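
As an added illustration (not part of the post above, and not Fortinet's own published configuration), here is roughly what that staff-to-building-controls policy looks like in FortiOS CLI. The interface names, VLAN IDs, subnets, the address object and the AD group DN are all assumptions; the FSSO group member string has to match the group name as your collector agent presents it.

```text
# Added example, not from the thread. Names, VLAN IDs, subnets and the AD DN are assumed.
# Both VLANs hang off the same physical trunk (port1); the FortiGate is the inter-VLAN router,
# so every staff<->BMS packet crosses this port, which is why its speed has to match the trunk.
config system interface
    edit "vlan10-staff"
        set vdom "root"
        set interface "port1"
        set vlanid 10
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "vlan20-bms"
        set vdom "root"
        set interface "port1"
        set vlanid 20
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# FSSO user group mapped to the AD group (member DN is an assumption).
config user group
    edit "HVAC control operators"
        set group-type fsso-service
        set member "CN=HVAC control operators,OU=Groups,DC=example,DC=local"
    next
end

config firewall address
    edit "bms-controllers"
        set subnet 10.20.0.0 255.255.255.0
    next
end

# Policy 10: only FSSO-identified members of the AD group may reach the BMS VLAN, with IPS applied.
# Policy 11: any other staff->BMS traffic is denied and logged. The implicit deny would drop it
# anyway, but an explicit deny policy is what gives you the log entry to investigate.
config firewall policy
    edit 10
        set name "staff-to-bms-hvac-ops"
        set srcintf "vlan10-staff"
        set dstintf "vlan20-bms"
        set srcaddr "all"
        set dstaddr "bms-controllers"
        set groups "HVAC control operators"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
    edit 11
        set name "staff-to-bms-deny"
        set srcintf "vlan10-staff"
        set dstintf "vlan20-bms"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things worth checking after applying something like this: that the FSSO collector actually learns logons for the workstations on vlan10-staff (a user with no FSSO session will hit policy 11, not policy 10), and that policy 10 sits above policy 11 in the sequence, since FortiGate matches top-down on the first policy whose source, destination, service and user criteria all fit.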

spanz
New Contributor III

Internal traffic, at almost any org, passes through the firewall due to the existence of VLANs.

When you handle large networks you want to separate your LAN into different VLANs, and traffic between VLANs has to pass through the firewall and match the corresponding policies.
