Data Center Firewall
DCFW 2017 Comparative Report: Performance


Thomas Skybakmoen, Keith Bormann, Jason Brvenik



NSS Labs defines a firewall as a mechanism used to protect a trusted network from an untrusted network, while allowing authorized communications to pass from one side to the other. Performance metrics, while important in any firewall, become critical in a data center deployment. Data center firewalls (DCFWs) handle multiple application traffic mixes for hundreds of thousands of users, and thus must support higher data rates.  


Implementation of DCFW solutions can be a complex process, with multiple factors affecting the system’s overall performance. This Comparative Report provides data on factors affecting a DCFW’s ability to perform, including:

  • Predominant traffic mix
  • Concurrency and connection rates
  • Connections per second and capacity with different traffic profiles
  • Latency and application response times



The following products were evaluated:

  • Cisco Systems Firepower 9300 v9.6.2.5 (one SM-36 security module)
  • F5 i5600 v12.1.2 Build 0.0.248
  • Fortinet FortiGate 1500D FortiOS v5.4.1 GA Build 7386
  • Fortinet FortiGate 3700D FortiOS v5.4.1 GA Build 7386
  • Huawei Eudemon 8000E X16 v500R001C30
  • Huawei USG9580 v500R001C30
  • Juniper Networks SRX5400 15.1X49-D60


To learn how each vendor performed, download a copy of each individual Test Report. NSS clients can also download the DCFW Comparative Reports on Security and Total Cost of Ownership.


As with all NSS Labs group tests, there was no fee for participation. In addition, the test methodology applied is in the public domain to provide transparency and to help enterprises understand the results.

All testing was conducted independently and was not paid for by any vendor.