Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Control » Real World Performance Numbers? (How does your Control firewall handle high-throughput connections?)
  •  
tbridge

Messages: 51
Karma: 0
Send a private message to this user
Hi everyone,

We've got a client that's currently running a Watchguard XTM firewall for their day to day operations on a pair of 150/50 commodity circuits, and it's doing a fine job, but this winter they're upgrading to a much larger throughput SLA circuit, and we're starting to look around at firewalls that can handle up to a gigabit of traffic.

While I recognize that no one's ever going to get full line speed while proper IDS/IPS is going on, I'd be interested in hearing what peoples' experiences are with Control in high throughout situations.

Is anyone using Control to manage 500mbit or more of traffic? How much of a hit are you seeing with IDS/IPS enabled? Are you willing to share your setup in terms of hardware?

We've got some budget flexibility, as the Watchguard solutions capable of managing high throughput connections are pretty astronomical, but I want to make sure that Control can, at least, handle a 500mbit pipe or better without losing all the circuit speed.

Best,
Tom
  •  
ksnyder

Messages: 557
Karma: 36
Send a private message to this user
Kerio Control 3130 box should get 600Mbps w/ just IDS/IPS enabled. Not sure how close to 1Gbps others have been able to get with IDS/IPS enabled by throwing additional hardware at this.

Anyone with information about real world performance with beefier hardware specs is encouraged to share your experiences (and specs). It will be very useful to Tom, myself, and surely many others!

Ken Snyder
  •  
Kumaresan @ Velirs

Messages: 8

Karma: 1
Send a private message to this user
We were able to pass 400 Mbps with IDS/IPS enabled, on Custom Built Machine on i3 Processor with 4GB RAM.

Kumaresan Pandurangan
Kerio Certified Partner and Cloud Resellerhttps://Velirs.International/partners/kerio
UK: +44(330)822-0322
US: +1(408)75-959-75
India: +91(8882)008-009
Singapore: +65(31)633-255
Canada: +1(438)2280-669
  •  
tbridge

Messages: 51
Karma: 0
Send a private message to this user
Kumaresan - what was the line-speed of the connection? 500mbps?
  •  
silars

Messages: 428
Karma: 59
Send a private message to this user
I'm intrigued to the configurations.

Currently struggling with a VMware appliance that is restricted to about 80Mbps. It would appear to be an issue with the Flexible vNICs included with the appliance.

Are you considering the appliance version or the hardware versions?
  •  
Geek Consult

Messages: 23
Karma: 0
Send a private message to this user
same here there is the following configuration:

VMWare vSphere 6 single VM on

Intel Xeon E3 1230 V2 4x3.30 Ghz
6GB Ram
128 GB Samsung 840 Pro

Internet is down speeded at approx 100Mbit with IPS
any ideas to use 250Mbit without security issues ?

i think it is a appliance issue

[Updated on: Thu, 19 November 2015 21:24]

  •  
blturner

Messages: 26
Karma: 0
Send a private message to this user
I have a gigabit fiber connection on the way for my largest customer. Their current firewall can't keep up with that.(Small Untangle appliance)
I will be installing on a vSphere 5.5 host. I have the demo installed now with our current cable modem. I upgraded the VM hardware version and the virtual nics, gave it 4 cores and 2 GB of ram.
I am not sure how much to give it to keep up with the connection. I wondered if the OP has his 500 Mb connection(s) in yet and how it is going.

Only 20 real users. And a bunch of cell phones. I have done a bunch of speed testing, but I don't want to hijack this thread.
  •  
tbridge

Messages: 51
Karma: 0
Send a private message to this user
I haven't gotten our new circuit in, we're not expecting it in until the Spring, and it looks like we'll be looking elsewhere based on the speeds reported.

This is really disappointing!
  •  
blturner

Messages: 26
Karma: 0
Send a private message to this user
I got my fiber in last week. Kerio is performing better than the speeds reported here. 789/926 with no firewall. 749/825 with Kerio.(Upload is faster on my connection) Speed testing is a rather fickle pursuit so YMMV. I bumped all the specs on the virtual machine before I tested including the Ethernet emulation. I have more testing to do, but so far it appears that enabling Snort (Intrusion Prevention) and the web filter take an additional 10-15% off of my speed. These speeds are also generally true of the other firewall I am testing. I suspect that any firewall that does any real protecting is going to clip 10 to 20% off of my speeds. My page load testing shows that on simple web pages the firewall and the fiber itself have little impact because the latency of the internet and the web server dominate the speed. That means that it will not feel faster to my boss and I may be in some trouble. I need to find something he does that feels much faster to justify the expense. Maybe email attachments.
  •  
blturner

Messages: 26
Karma: 0
Send a private message to this user
BTW I have not found any servers on SpeedTest.net that can keep up with my connection. I have been using DSLreports/speedtest .
  •  
maa1

Messages: 144
Karma: -27
Send a private message to this user
From my experience, Kerio Control is very demanding on the processor frequency:
on VM with one vCPU 2GHz (Intel Xeon) Kerio cause 70% CPU load on 100 Mbit/s traffic (only routing+nat)! It looks like is not very optimized engine.

Mikrotik ROS can do this on 400MHz ARM CPU!

[Updated on: Tue, 16 February 2016 13:51]

Previous Topic: Multi WAN and singe LAN
Next Topic: Kerio VPN client icon on Retina Display
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Mon May 01 04:25:23 CEST 2017

Total time taken to generate the page: 0.01195 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.