  1. #1
    Join Date
    Mar 2007
    Posts
    41

    Juniper SSG-550 performance

    Does anyone have any experience running Juniper SSG-550 firewalls in a high-traffic hosting environment?

    I run network operations for a hosting provider in Australia. We currently have two J4350s running as border routers, and we are looking at putting two Juniper SSG-550s behind the border routers to do stateful firewalling / NAT.

    We'll be using active/active NSRP on the SSGs for load balancing and failover.

    My concern is that these devices may not be able to handle our traffic load. They have a hard-set limit of 256,000 "concurrent sessions" which may not be enough for us in peak times. Almost all of our traffic is HTTP though, so I would imagine sessions would time out quite quickly?

    If anyone has experience using these devices in this environment, I would be most grateful if you could share any guidance.

  2. #2
    Join Date
    Feb 2006
    Location
    Bristol, UK
    Posts
    280
    Hi,

    The SSG 550 definitely does have a lower total number of sessions than competing products (e.g. ASA 5540 and Nokia IP390 / 560), but whether 256,000 sessions is enough for you only you can say really. 256,000 is still quite a lot.

    How many Mbps are you looking to push through them?

    Gavin
    Network EQ
    UK VPS, cPanel Hosting, Dedicated Servers and Hosted Exchange

  3. #3
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,163

  4. #4
    Join Date
    Mar 2007
    Posts
    41
    Quote Originally Posted by gavint
    Hi,

    The SSG 550 definitely does have a lower total number of sessions than competing products (e.g. ASA 5540 and Nokia IP390 / 560), but whether 256,000 sessions is enough for you only you can say really. 256,000 is still quite a lot.

    How many Mbps are you looking to push through them?

    Gavin
    We would like to be able to handle up to about 500mbps at peak times. 99% of the traffic will be HTTP.

    I'd rather have to upgrade to ISGs in a few years than deal with Cisco gear. :-)

  5. #5
    Join Date
    Mar 2007
    Posts
    41
    Quote Originally Posted by dkitchen
    We've got a pair behind a customer cluster which is doing 200mbps average, 400mbps peak, 10 web servers. No problems at all...

    Dan
    Thanks Dan, that's exactly what I was looking for. Are you running active/active or active/passive?

    Does everyone agree that active/passive is a better approach?

  6. #6
    I have a Netscreen NS-50 in front of a web cluster with a broad mix of served content. Active "session" count seems to run about 10% higher than the number of packets per second received from the web cluster. So 256,000 sessions would support about 233kpps of typical served content, which (for me) would be about 2gbps.

    Of course, the real question isn't how it handles good traffic, but rather how it handles connect floods from botnets, or even more mundane attacks.
