
Key Factors for Firewall Sizing

19/02/2026
by Paul Heritage

Throughput Requirements - Firewall vs threat protection

Concurrent Sessions - Max number of simultaneous connections

New Connections Per Second - Speed in establishing new sessions

Number of Users & Devices - Total internal clients, IoT devices, servers and guest devices

Network Architecture & Segmentation - Number of zones, VLANs, DMZs

Security Services Enabled - DPI, IPS, Anti-malware, application control, SSL/TLS Decryption

Redundancy & High Availability - Active/Passive or Active/Active

VPN & Remote Access Needs - Number of concurrent remote VPN users


Understanding Throughput Metrics

Firewall Throughput - Routing/switching vs real-world security

Threat Prevention Throughput - Includes all major security services

IPS Throughput - Only IPS/IDS engine is active

TLS/SSL Inspection (DPI-SSL) - Most CPU and memory-intensive operation

IPSec VPN Throughput - Measures data transfer capability for encrypted site-to-site or client VPNs


Sessions and Connections - Firewall Sizing Considerations

Concurrent Sessions

  • Total number of active sessions at any given time
  • Essential in high user/device density or heavy internal traffic environment
  • Need to account for internal and external connections (e.g., LAN to Internet, LAN to LAN)

New Connections Per Second (CPS)

  • Number of new sessions per second
  • Important for bursty environments like web servers, application gateways, or VoIP
  • Low CPS capacity can create bottlenecks

Session Table Capacity

  • Tracks every connection's state — once full, new connections are dropped or delayed
  • Need to account for peak usage and expected growth

Session Persistence and Cleanup

  • Long-lived sessions (e.g., VPNs, streaming) consume resources longer
  • Proper timeout settings and idle session cleanup help optimize resource use

Impact of Security Services

  • DPI, AV, SSL Inspection, etc. increase session processing load
  • Must handle session state tracking and inspection concurrently

Check the numbers multiple times a day to get an average: 8am, 1pm and 3pm are good times to record concurrent connections and connections per second. Compare the results with SonicWall's datasheet.


User & Application Profiles - Impact on Firewall Sizing


Normal Users

  • Activities: Web browsing, email, SaaS apps like O365
  • Estimated Sessions: 50–100
  • Sizing Impact:
    • Lower memory & CPU demand
    • Most entry/mid-level firewalls can support thousands of such users
    • Prioritize content filtering, AV, and web control

Power Users / Workers

  • Activities: Zoom, Teams, cloud storage, file transfer
  • Estimated Sessions: 200–500+
  • Sizing Impact:
    • Requires higher session capacity and CPS handling
    • Increases DPI load (especially with SSL traffic)
    • Choose a firewall with strong threat prevention throughput and headroom

Guest / BYOD Users

  • Activities: Mixed, often unmanaged
  • Session Load: Unpredictable
  • Sizing Impact:
    • Must isolate from trusted networks (separate VLAN/zones)
    • Can spike CPS unexpectedly, especially in public Wi-Fi zones
    • Recommend traffic shaping, session limits, and dedicated zones


Application Usage Impact

  • Applications using real-time traffic (VoIP, video conferencing) are sensitive to latency and need low-lag inspection
  • SaaS-heavy environments generate frequent SSL sessions, requiring DPI-SSL handling capacity
  • Legacy apps using non-standard ports/protocols require flexible inspection and exception handling
  • Firewalls must accommodate both session quantity and throughput demand per application type
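The two sizing inputs described above, the sampled session counts (8am, 1pm, 3pm readings compared against the datasheet) and the per-profile session estimates from the user table, can be combined in a small script. The following is an added Python example written for this page, not a SonicWall tool or a reproduction of anything the author supplied. It reads the table's 50–100 and 200–500+ figures as per-user concurrent sessions (an assumption), treats guest/BYOD load as capped only by the per-device session limit you choose to enforce on the guest zone (the default of 20 is an assumed value), and the measurement samples and datasheet limits are constructed placeholders, not figures for any real model.

```python
"""Session sizing helper: estimate concurrent sessions from the user-profile mix
and compare spot measurements against datasheet limits (added example)."""
from statistics import mean

# Per-user concurrent-session ranges taken from the profile table on this page.
# Guest/BYOD load is "unpredictable" on the page and is handled separately.
PROFILE_SESSIONS = {
    "normal": (50, 100),
    "power": (200, 500),
}


def estimate_session_range(user_counts, guest_session_limit=20):
    """Return a (low, high) concurrent-session estimate for a user mix.

    user_counts maps "normal" / "power" / "guest" to a head count. Guests add
    nothing to the low estimate and contribute at most guest_session_limit
    sessions each (assumed per-device limit enforced on the guest zone).
    """
    low = high = 0
    for profile, count in user_counts.items():
        if profile == "guest":
            high += count * guest_session_limit
            continue
        per_low, per_high = PROFILE_SESSIONS[profile]
        low += count * per_low
        high += count * per_high
    return low, high


# Constructed spot measurements: (day, time, concurrent_sessions, new_connections_per_second)
SAMPLES = [
    ("Mon", "08:00", 6200, 180),
    ("Mon", "13:00", 8900, 260),
    ("Mon", "15:00", 7400, 210),
    ("Tue", "08:00", 5800, 170),
    ("Tue", "13:00", 9600, 310),
    ("Tue", "15:00", 7100, 200),
]


def summarize(samples):
    """Average and peak of both metrics across all recorded samples."""
    sessions = [s[2] for s in samples]
    cps = [s[3] for s in samples]
    return {
        "sessions_avg": mean(sessions),
        "sessions_peak": max(sessions),
        "cps_avg": mean(cps),
        "cps_peak": max(cps),
    }


def check_capacity(summary, datasheet, max_utilization=0.7):
    """Compare measured peaks against datasheet maxima.

    datasheet maps "max_connections" and "connections_per_second" to the
    vendor's figures. A metric is flagged (ok=False) when the measured peak
    already uses more than max_utilization of the stated capacity, leaving
    too little headroom for growth.
    """
    results = {}
    pairs = (("max_connections", "sessions_peak"),
             ("connections_per_second", "cps_peak"))
    for metric, key in pairs:
        util = summary[key] / datasheet[metric]
        results[metric] = {"utilization": round(util, 3), "ok": util <= max_utilization}
    return results


if __name__ == "__main__":
    # Constructed datasheet figures for illustration only.
    datasheet = {"max_connections": 12000, "connections_per_second": 500}
    print(estimate_session_range({"normal": 40, "power": 10, "guest": 25}))
    s = summarize(SAMPLES)
    print(s)
    print(check_capacity(s, datasheet))
```

Sizing against the peak rather than the average is deliberate: the session table drops or delays new connections the moment it fills, so a comfortable average tells you little about the 1pm burst that actually causes the outage.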

Use Case - Small Business

Deployment Overview

  • 30 users
  • 1 Gbps bi-directional fibre internet
  • Moderate web and VPN usage
  • Full security services enabled (except DPI-SSL)

Key Assumptions

  • "Basic firewall + antivirus" is a misnomer — all best-practice security services are considered enabled.
  • Threat throughput should be used as the base for sizing unless DPI-SSL is implemented.
  • VPN adds overhead, similar to attaching a trailer to a car — this impacts performance.
  • SSL VPN is still in use (though ideally offloaded to CSE).

Current Option: TZ380

  • Threat throughput: 1.5 Gbps
  • May be insufficient once VPN overhead is considered.
  • Limited headroom for future growth.

Recommended Upgrade: TZ480

  • Threat throughput: 2 Gbps
  • More powerful CPU for handling VPN load
  • Headroom for growth and consistent performance under full inspection load

Use Case - Mid-Size Org

Deployment Overview

  • 250 users
  • SSL inspection, IPS, cloud applications in use
  • Dual internet links:
    • 1 Gbps fibre (bi-directional)
    • 2 Gbps broadband (200 Mbps upload)

Traffic Calculation

  • 1G up + 1G down + 2G down + 0.2G up = 4.2 Gbps Internet Traffic
  • Additional intra-zone traffic assumed: 4.0 Gbps
  • Total aggregate throughput requirement: ~8.2 Gbps
  • SSL inspection traffic: 4.2 Gbps

Sizing Recommendation

  • Smallest model meeting requirements: NSA 3800
  • For 5-year growth projection (1.6x load increase):
    • NSA 4800 (100% capacity)
    • NSA 5800 (75% capacity)
  • Either model could support this use case depending on growth profile
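The traffic calculation above (sum of each link's download and upload, plus intra-zone traffic, scaled by the 1.6x growth factor) and the small-business comparison of TZ380 against TZ480 follow the same steps, so they can be expressed as one reusable sizing function. The following is an added Python example written for this page, not a SonicWall sizing tool. The only datasheet figures it uses are the two quoted on the page (TZ380 at 1.5 Gbps and TZ480 at 2 Gbps threat throughput); the NSA 3800/4800/5800 figures are not given on the page, so they are not included and the mid-size case stops at the required throughput. VPN overhead is not quantified on the page either, so it is left as an optional multiplier rather than a fixed number.

```python
"""Throughput sizing: aggregate link capacity, add intra-zone traffic, apply a
growth (or overhead) multiplier, and pick the smallest model whose threat
prevention throughput stays within a chosen utilization ceiling (added example)."""


def internet_traffic_gbps(links):
    """links is a list of (down_gbps, up_gbps); both directions count, as on the page."""
    return sum(down + up for down, up in links)


def required_throughput_gbps(links, intra_zone_gbps=0.0, multiplier=1.0):
    """Aggregate requirement in Gbps.

    multiplier covers the page's 1.6x five-year growth projection or any
    VPN/DPI-SSL overhead factor you choose to apply (default: none).
    """
    return round((internet_traffic_gbps(links) + intra_zone_gbps) * multiplier, 2)


def utilization(required_gbps, threat_gbps):
    """Fraction of a model's threat prevention throughput consumed by the requirement."""
    return round(required_gbps / threat_gbps, 2)


def pick_model(required_gbps, catalogue, max_utilization=1.0):
    """Return (model, utilization) for the smallest model under the ceiling, else None.

    catalogue maps model name to threat prevention throughput in Gbps.
    """
    for model, threat_gbps in sorted(catalogue.items(), key=lambda kv: kv[1]):
        util = utilization(required_gbps, threat_gbps)
        if util <= max_utilization:
            return model, util
    return None


# Threat prevention throughput quoted on this page for the small-business use case.
TZ_CATALOGUE = {"TZ380": 1.5, "TZ480": 2.0}


def small_business():
    """30 users on 1 Gbps bi-directional fibre: 1 Gbps down + 1 Gbps up."""
    req = required_throughput_gbps([(1.0, 1.0)])
    return req, pick_model(req, TZ_CATALOGUE)


def mid_size():
    """Dual links (1G/1G fibre, 2G/0.2G broadband) plus 4 Gbps intra-zone traffic."""
    links = [(1.0, 1.0), (2.0, 0.2)]
    today = required_throughput_gbps(links, intra_zone_gbps=4.0)
    five_year = required_throughput_gbps(links, intra_zone_gbps=4.0, multiplier=1.6)
    return today, five_year


if __name__ == "__main__":
    print("small business:", small_business())
    print("mid-size today / 5-year (Gbps):", mid_size())
```

Running it reproduces the page's arithmetic: 2.0 Gbps for the small business puts the TZ380 at 133% and the TZ480 at exactly 100%, which is why the page calls the TZ380 insufficient once any VPN overhead is added, and the mid-size case comes out at 8.2 Gbps today and 13.12 Gbps after 1.6x growth. Lowering max_utilization (for example to 0.8) is how you express the headroom requirement the summary section asks for.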

Summary

  • Right-sizing of firewalls is critical for:
    • Preventing performance bottlenecks and limitations on threat inspection capacity
    • Aligning threat protection throughput with security requirements
    • Maintaining cost efficiency.
  • Key factors for sizing go beyond throughput requirements
  • Understand the different throughputs and how they apply to sizing
  • The impact of sessions and connections varies with different types of environments
  • The type of users and application usage must be considered for sizing
  • Plan for user/traffic growth and high availability

