Concurrent Connection and Connection Per Second Testing

Firewalls are stateful inline network devices. Unlike a switch/router, a firewall caches TCP session state information in a session table and tracks the session until the session ends.

Different firewalls support different numbers of concurrent TCP connections (TCP CC) because the memory that holds the session table is finite, so this is an important test criterion. Establishing a TCP connection usually costs more than tearing it down, because the firewall must register a new entry in the session table. How fast a firewall can establish TCP connections (TCP CPS) is therefore another important performance index to test. Firewalls are inline devices: they inspect incoming packets and forward them to their intended destinations. If a firewall cannot process all the traffic it receives, it becomes a performance bottleneck or a point of failure on the network. Verifying throughput is therefore also critical in firewall performance testing.

This Application Note describes how to test these three critical performance parameters of a firewall: TCP CC, TCP CPS, and throughput at different packet sizes.