Throughput inspection

To measure large packets and streaming speed, I use two very useful tools: netperf and wget. Let's see the TZ100 results with various features enabled:

Sonicwall tz100 netperf results

TCP_SENDFILE, TCP_STREAM, and UDP_STREAM are upload-bound tests, as the client machine sends data to the server using various methods and underlying protocols (e.g. TCP vs UDP).

We can see that, while using only stateful inspection we get about 90 Mbit/sec, enabling UTM features has an obvious impact on throughput (note: UDP performance remains the same in each test, so I did not repeat them in the graph. Well, after some more thought, I realized that, due to packet buffering, UDP_STREAM scores can be skewed on some UTM-enabled firewalls. So, pay attention to the only UDP_STREAM values pictured above: the "firewall only" ones). An interesting thing to note is that, even in the incoming-UTM-only scenario, TCP throughput values are lower: this means that the UTM engine, while not forcing / detecting anything, is active and packets are passing through it. Enabling incoming and outgoing UTM results in even lower values, with throughput between 30 Mb/s and 10 Mb/s. This is more or less in line with the advertised value (20 Mb/sec, probably based on the 5.6.x firmware branch).
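As an added example (not from the original article): netperf's UDP_STREAM test prints a send-side line and a receive-side line, and only the receive-side figure reflects what actually reached the server behind the firewall. The Python below parses `netperf -P 0` output accordingly; the sample output, the function names and the host argument are constructed for illustration.

```python
import subprocess

# Constructed `netperf -P 0` output (headers suppressed); values are illustrative.
SAMPLE_TCP = " 87380  16384  16384    30.02      90.12\n"
SAMPLE_UDP = (
    "212992    1472   30.00      244012      0      95.80\n"  # local send side
    "212992           30.00      156233             61.34\n"  # remote receive side
)

def run_netperf(host, test, seconds=30):
    """Run one test (TCP_STREAM, TCP_SENDFILE, UDP_STREAM) against a netserver."""
    cmd = ["netperf", "-H", host, "-t", test, "-l", str(seconds), "-P", "0"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_mbit(test, output):
    """Return throughput in 10^6 bits/sec (netperf's last column)."""
    rows = []
    for line in output.splitlines():
        try:
            row = [float(field) for field in line.split()]
        except ValueError:
            continue  # skip banner or warning lines that are not numeric
        if row:
            rows.append(row)
    if not rows:
        raise ValueError("no result line found")
    if test == "UDP_STREAM":
        # First row is what the client sent, second is what the server received.
        if len(rows) < 2:
            raise ValueError("UDP_STREAM output lacks the receive-side line")
        return rows[1][-1]
    return rows[0][-1]

def overhead_pct(baseline, measured):
    """Throughput lost relative to the firewall-only baseline, in percent."""
    return round((1 - measured / baseline) * 100, 1)

if __name__ == "__main__":
    tcp = parse_mbit("TCP_STREAM", SAMPLE_TCP)
    udp = parse_mbit("UDP_STREAM", SAMPLE_UDP)
    print(f"TCP_STREAM {tcp} Mbit/s, UDP_STREAM (received) {udp} Mbit/s")
    print(f"drop vs. a 90 Mbit/s baseline at 27 Mbit/s: {overhead_pct(90.0, 27.0)}%")
```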

When working inside a VPN, maximum (non-UTM) throughput is at ~27 Mb/s. While more than adequate, this is a far cry from the expected 75 Mb/sec. Enabling UTM inside a VPN imposes a bigger load on the small appliance, with throughput that in the worst case (TCP_SENDFILE) is at about ~7.6 Mb/s.

What about the wget (HTTP and FTP) results? Let's see:

Sonicwall tz100 wget results

Wget shows us a picture in line with netperf's: note the very good firewall / VPN speed (~7 MB/sec = 48 Mbit/sec) and the much lower but surely adequate UTM speed (1.5 MB/s = 12 Mbit/s).