Why Firewall Throughput Numbers Don’t Tell the Whole Story

When choosing a new vehicle, most people consider fuel economy as one of their criteria. Now imagine a new car manufacturer began running ads stating their large SUV achieved 60 mpg (or 25.5 km/l, if you prefer).

That sounds pretty impressive, right? If you found out that that estimate was achieved in a in lab with no simulated wind resistance or road friction, using an engine bolted to a bare chassis — no seats, no upholstery, steering wheels, lights, etc. — you’d probably be much less excited, and rightly so!

Unlike with vehicles and the EPA, however, when it comes to firewalls, there is no one set standard for evaluation. Vendors use a variety of deployments and conditions to collect metrics, with one of the most frequently used in NGFW evaluations being “firewall throughput.”

Firewall Throughput vs. Threat Prevention Throughput

A next-generation firewall (NGFW) is a security device that protects an organization from external as well as internal threats, both known and zero-day. When choosing a firewall for an organization, it is essential to consider the expected network traffic volume and the required security features, ensuring that the selected firewall can handle the network’s current and future demands effectively.

For this reason, a NGFW’s “stats” are often a crucial factor when choosing a NGFW vendor. But some are more useful to the decision-making process than others, as we see when we compare “firewall throughput” and “threat prevention throughput.”

Firewall throughput is the rate at which a stateful packet inspection (SPI) firewall can process and inspect network traffic while maintaining the stateful connection tracking information. SPI is a firewall technology that keeps track of the state of network connections and allows or denies traffic based on the context of those connections.

On the other hand, threat prevention throughput is the packet rate measured with all the security services like Intrusion Prevention (IPS), Anti-Virus, Anti-Spyware and Application Control turned ON.

(For best results, it is essential to actually check the threat inspection throughput, as opposed to just looking at the stated firewall throughput or threat inspection throughput numbers. Load testing and performance evaluations should also be performed to verify that the firewall’s throughput meets your organization’s requirements.)

How SonicWall Measures Up to Other Vendors Under Real-World Conditions

In situations in which other vendors’ threat prevention throughput numbers drop dramatically, SonicWall maintains its threat prevention throughput at a healthy number.

For instance, Vendor A’s threat prevention numbers dropped by 88% on their “Model B,” compared to a drop of 63% on the SonicWall TZ270. Please see below table for more info:

Comparison chart showing SonicWall's superior threat prevention performance.*Based on data publicly published by Vendor A, current as of 9/1/2023

Similarly, Vendor B’s threat prevention numbers dropped by 96% on their “Model A,” compared to a drop of 63% on a TZ270, as outlined in the table below:

Firewall throughput graph illustrating SonicWall's consistent performance.*Based on data publicly published by Vendor B, current as of 9/1/2023

How SonicWall Helps Solve Threat Inspection Requirements

Unlike other proxy-based firewalls, the SonicOS architecture is at the core of every SonicWall physical and virtual firewall, including the TZ, NSa, NSv and NSsp Series.

SonicOS leverages its patented, single-pass, low-latency, Reassembly-Free Deep Packet Inspection (RFDPI) and Real-Time Deep Memory Inspection (RTDMI™) technologies to deliver industry-validated high security effectiveness, SD-WAN, real-time visualization, high-speed virtual private networking (VPN) and other robust security features.

How Does Reassembly-Free Deep Packet Inspection® (RFDPI) Work?

Reassembly-Free Deep Packet Inspection (RFDPI) is a high-performance, proprietary inspection engine that performs stream-based, bi-directional traffic analysis. Best of all, it does so without proxying or buffering, to uncover intrusion attempts and malware and to identify application traffic regardless of port. This architecture includes:

  • Bi-directional inspection
    Scans for threats in both inbound and outbound traffic simultaneously to ensure that the network is not being used to distribute malware. It also ensures that the network does not become a launch platform for attacks in case an infected machine is brought inside.
  • Stream-based inspection:
    Proxy-less and non-buffering inspection technology provides ultra-low latency performance for deep-packet inspection of millions of simultaneous network streams without introducing file and stream size limitations. It can be applied on common protocols as well as raw TCP streams.
  • Highly parallel and scalable single-pass inspection
    The unique design of the RFDPI engine works with the multi-core architecture to provide high DPI throughput and extremely high new session establishment rates to deal with traffic spikes in demanding networks. A single-pass DPI architecture simultaneously scans for malware, intrusions and application identification, drastically reducing DPI latency and ensuring that all threat information is correlated in a single architecture.

How a Packet Passes Through a Competing NGFW with Proxy-Based Architecture vs. a SonicWall NGFW

The file limitations on other NGFWs can create dangers, because in some cases not all files are being scanned (see Fig. 1).

Stream-based inspection diagram explaining SonicWall's RFDPI technology.


SonicWall’s technology is designed to ensure files are scanned regardless of size (See Fig. 2).

Another stream-based inspection diagram explaining SonicWall's RFDPI technology.

Read the tech brief on RFDPI to learn more about this stream-based inspection technology.


When evaluating firewall vendors, keep in mind the importance of evaluating threat performance with all the security services turned ON. Threat prevention for firewalls is essential to maintain continuous network protection and reduce the risks of potential security incidents. With SonicWall’s NGFWs, threat prevention is enabled and threat prevention throughput numbers are maintained without the huge drops seen with other vendors.

A Record-Breaking Year for SonicWall’s Boundless Future

SonicWall experiences a fantastic year of accomplishments and growth – right in the middle of a global cybersecurity crisis!

Crisis often brings about growth in intuition, knowledge and skill. The cybersecurity industry has made tremendous strides over the past year amid record-breaking network breaches worldwide and a dramatic increase in cybercrime. But SonicWall in particular has proven itself more than equal to the challenges at hand, growing its product line, winning media recognition and earning third-party certifications and awards.

30 Years and More Boundless than Ever

2021 marked SonicWall’s 30th year as a major cybersecurity solutions provider. When the company — then called Sonic Systems — entered the firewall market, it had fewer than 40 employees. Today, the company serves more than 500,000 customers in more than 215 countries, including government agencies, organizations and enterprises.

During the year, SonicWall completed the rollout of a number of new solutions, including new NGFWs. These products represented the latest additions in the “Boundless” cybersecurity platform, designed to provide deployment choices to the customer while solving real-world use cases faced by SMBs, enterprises, governments and MSSPs.

SonicWall in the News

The Mid-Year Update to the SonicWall 2021 Cyber Threat Report, released in July, also made waves — and not just within the cybersecurity community. The update was cited in a number of news outlets, such as CNN and PBS News Hour. The Wall Street Journal drew on SonicWall’s threat data for a story about the record rise in ransomware and another about the arrest and extradition of a known criminal hacker. U.S. senators also used SonicWall threat data in their proposal for cybersecurity legislation.

As we noted recently in our weekly Cybersecurity News blog, these reports continue to be cited even months after their release, highlighting SonicWall’s role as an authority in cybersecurity research.

Certification with Flying Colors

During a year of unprecedented threats and attacks, SonicWall’s products have also earned their share of coverage, proving themselves more than capable of handling the increase in cybercriminal activity. Third-party evaluators conducted several tests during the year and found that SonicWall’s newly released NGFWs, combined with SonicWall protection software, are more efficient at keeping networks safe and stopping malware.

For example, in a recent Tolly Report, the SonicWall NSa 2700 showed a three-year total cost of ownership less than two-thirds of our nearest competitor’s model. In addition, the SonicWall NGFW was found to have three times the threat protection throughput and a “dramatically lower” cost per Gbps processed.

During testing by ICSA Labs, SonicWall TZ, NSa, NSsp and NSv firewalls flew through all testing certifications for enterprise firewalls and anti-malware protection. Additionally, SonicWall Capture Advanced Threat Protection (ATP) surpassed the lab’s Advanced Threat Defense testing regimen with a perfect score for the third time in a row.

Third-party testing also highlighted SonicWall’s patented RTDMI (Real-Time Deep Memory Inspection) technology, which can be found in our cloud-based ATP service. As reported in SonicWall threat reports, not only did RTDMI uncover 307,516 never-before-seen malware variants during the first three quarters of 2021, but the data also revealed that, during that time, cybercriminals released an average of 1,126 new malware versions per day. This sharp increase in variants has many security analysts worried about the rate at which cybercriminals have learned to diversify software and deploy new attacks.

An Award-Winning Year

SonicWall also racked up numerous awards during the year. For example, at the Globee 17th Annual 2021 Cybersecurity Global Excellence Awards, SonicWall received top honors from 10 technology categories, including advanced persistent threats, best security hardware, enterprise network firewalls and security management.

CRN recognized several SonicWall executives and managers in 2021, and it ultimately placed the company on its 2021 Edge Computing 100 list. This recognition is reserved for companies that excel in providing channel partners with the technology needed to build next-generation, intelligent edge cybersecurity solutions. Selection criteria include feedback from partner solution providers on the impact of cybersecurity companies, as well as these companies’ influence on the market and the types of technology and services they make available.

And to top off all, Frost & Sullivan recently analyzed the global network firewall market and awarded SonicWall its 2021 Global Competitive Strategy Leadership Award for “Best Practices.”

Meeting the Boundless Future

The challenges from the past are where we accumulate our best understanding of where we must go in the future. However, the middle part between the past and the future is where we face our most significant challenges.

Today, even as the number of distributed workforces grow and hybrid cloud environments become a greater fixture in the network schema, SonicWall is helping businesses build around the blind spots found in conventional office-centric networks. If our year of accomplishment and growth is any indication, we’ve successfully embarked on a path that delivers more efficient and effective solutions.

Learn more about our shared boundless future, and let’s prosper together.

Non-Standard Ports Are Under Cyberattack

If you like watching superhero movies, at some point you’ll hear characters talk about protecting their identities through anonymity. With the exception of Iron Man, hiding their true identities provides superheroes with a form of protection. Network security is similar in this respect.

‘Security through obscurity’ is a phrase that’s received both praise and criticism. If you drive your car on side streets instead of the freeway to avoid potential accidents, does that make you safer? Can you get to where you need to go as efficiently? It’s possible, but it doesn’t mean you can evade bad things forever.

Difference between standard and non-standard ports

Firewall ports are assigned by the Internet Assigned Numbers Authority (IANA) to serve specific purposes or services.

While there are over 40,000 registered ports, only a handful are commonly used. They are the ‘standard’ ports. For example, HTTP (web pages) uses port 80, HTTPS (websites that use encryption) uses port 443 and SMTP (email) uses port 25.

Firewalls configured to listen on these ports are available to receive traffic. Cybercriminals know this too, so most of their attacks target the commonly used ports. Of course, companies typically fortify these ports against threats.

In response to the barrage of attacks aimed at standard ports, some organizations have turned to using ‘non-standard’ ports for their services. A non-standard port is one that is used for a purpose other than its default assignment. Using port 8080 instead of port 80 for web traffic is one example.

This is the ‘security through obscurity’ strategy. While it may keep cybercriminals confused for a while, it’s not a long-term security solution. Also, it can make connecting to your web server more difficult for users because their browser is pre-configured to use port 80.

Attacks on non-standard ports

Data in the 2019 SonicWall Cyber Threat Report indicates that the number of attacks directed at non-standard ports has grown. In 2017, SonicWall found that over 17.7% of malware attacks came over non-standard ports.

In comparison, that number was 19.2% in 2018, an increase of 8.7 percent. December 2018 alone hit an even higher number at 23%.

How do I protect non-standard ports?

The best defense against cyberattacks targeting services across both standard and non-standard ports is to have a layered security strategy.

Using ‘security through obscurity’ is just one layer. Relying on it too heavily, however, won’t provide the level of security you need. It may help against port scans, but it won’t stop cyberattacks that are more focused.

You’ll also want to take some other actions, such as changing passwords frequently, using two-factor authentication, and applying patches and updates. And, you’ll want to use a firewall that can analyze specific artifacts instead of all traffic (i.e., proxy-based approach).

Connecting and Protecting the Remote Islands of Corporate IT – BYOD and Mobility

How Dell and SonicWall’s SMA and Next-Generation Firewall solution builds secure virtual bridges for today’s fragmented environments

As employees are no longer restricted to the physical structures of their company headquarters, what and how they connect to their corporate network presents a multitude of challenges. Corporate IT environments consist of a seemingly uncontrollable combination of devices, operating systems, and geographic locations. Securely connecting all of these is one of the most crucial IT initiatives companies are faced with as Gartner reports that 70% of mobile professionals will conduct their work on personal smart devices by 2018.

As we are all well aware, all endpoints pose significant threats to network security. Specifically, BYOD consumer devices are usually the most difficult to manage and secure. Data loss or leakage and unauthorized access or transmission are a constant concern. Mobile devices can also retain sensitive or proprietary data while wirelessly connected to the corporate network. White-listing apps for distribution on IOS and Android platforms help lock down mobile devices, but unmanaged laptops require greater endpoint control via the VPN.

What can you do to protect it all?

Dell and SonicWall’s VPN and Next-Generation Firewall solution delivers a layered defense strategy to ensure employees have the access they need while providing the security the company requires.

Components of a VPN and Next-Generation Firewall Solution:

  • Secure Mobile Access (SMA) Appliances – Provide mobility and secure access for up to 20,000 concurrent users from a single, powerful, and granular access control engine.
  • Next-Generation Firewalls – Network security, control, and visibility through sandboxing, SSL inspection, intrusion prevention, anti-malware, application identification, and content filtering.
  • Remote Access Management & Reporting – Powerful, web-based remote IT management platform to streamline appliance management and provide extensive reporting.
  • VPN Clients/Mobile Connect – Simple, policy-enforced secure access to mission-critical applications and data for iOS, OS X, Android, Chrome OS, Kindle Fire, and Windows mobile devices.

Deploying a SonicWall VPN and Next-Generation Firewall solution provides multi-layered protection that can authorize, decrypt, and remove threats from SSL VPN traffic before it enters the network environment. The dual protection of a SonicWall SMA and Next-Generation Firewall is critical to ensuring the security of both VPN access and traffic. SonicWall’s remote access management and reporting also allows organizations to view, define, and enforce how application and bandwidth assets are used.

Securely connecting your workforce, partners, and customers has never been more important. Reach out today to your Dell and SonicWall contacts today to learn what implementing a SonicWall VPN and Next-Generation Firewall solution can mean for the future of your company.