Fortinet's latest firewall promises hyperscale security while sipping power

Need more speed? Just stuff it with custom ASICs


Fortinet claims its latest firewall can secure an entire datacenter while consuming about a quarter the power of its competitors.

On Tuesday the security vendor unveiled the FortiGate 7081F, a next-gen firewall (NGFW) targeting hyperscale datacenters that need to inspect large volumes of traffic traveling in and out of, and across, the datacenter network.

At 12RU, the firewall is among Fortinet's largest and, with 1.2Tbps of raw firewall throughput, also one of its highest-performing. We'll note, though, that as with every firewall, the performance figures drop off rather precipitously, to around 310-370Gbps, when additional functionality like SSL inspection, IPsec VPN, or threat protection is toggled on.

But according to Fortinet, what really sets the firewall apart from the competition isn't just performance, but efficiency as well. Fortinet says the firewall can achieve this performance while consuming 73 percent less power than its competitors. This is possible because Fortinet, which is no stranger to severe vulnerabilities in its own kit, is one of the few manufacturers of its kind still spinning its own security and networking ASICs.

The modular chassis can be equipped with up to six of the company's own processor modules, each of which incorporates its NP7 network processing and CP co-processing ASICs to offload a variety of workloads like intrusion detection and antivirus from the host CPU.

"CPUs do some things well and other things not well, so if a vendor were to use off the shelf chips, they will get outstanding performance with some things and poor performance with others (like encryption with security). Some vendors will drop a second CPU in there for offload, or perhaps use a DPU," ZK Research analyst Zeus Kerravala tells The Register.

Using ASICs, security vendors can optimize the silicon to their specific workloads, typically achieving higher performance and greater efficiencies, at the expense of rigidity, he explained.

"To add new features, you need to spin a new chip so the R&D investments tend to be a bit higher but the end result is a better performing product at a lower cost," Kerravala said. "It makes acquisitions harder as the new features need to be ported to silicon. This is why Fortinet tends to build things in house."

According to Fortinet's spec sheet, the 7081F is capable of delivering 312Gbps of Threat Protection at 23.4W/Gbps. Its closest competitor, Fortinet claims, is Palo Alto Networks' PA-5450, which actually edges it out in efficiency, but can't keep up in terms of raw performance, at just 200Gbps of raw firewall throughput or 123Gbps with Threat Protection enabled.

But while the FortiGate 7081F might pack higher performance into a modular chassis, it isn't without caveats, with power consumption, ironically, being one of them. Based on Fortinet's numbers, the 7081F should consume somewhere in the neighborhood of 7.3 kilowatts when fully loaded. That's well within the capabilities of the chassis' six 2500W power supplies, but could prove problematic when it comes to rack power delivery.

As we've previously reported, on average most datacenter racks today are under 6kW of capacity, though 10kW and higher racks are becoming more common. Depending on your existing power infrastructure, a single 7081F could conceivably consume the entire rack power budget, unless modifications are made. ®
