We announced the availability of the five Application Firewall appliances on the NetScaler MPX platform today. We tested the appliances for performance of the Application Firewall module for a custom website as well as benchmark tests (to show the maximum achievable results). The full report is available here.

Test results – Basic defaults

 The custom website is an set of pages created for test purposes and hosted on the testing tool. Details of the URLs and page sizes are included in the appendix. The Application Firewall was configured with basic default security settings (roughly request side security checks that do not require session creation).

Analysis of results

•    In Basic mode, NetScaler Application Firewall inspects only the content of HTTP requests. The higher end platforms (10500/12500) are limited by the Request/Sec that NetScaler Application Firewall can process, so there is no difference in the throughput of the 10500 and 12500.
•    The rated throughput limits on the 5500 and 7500 were reached.
•    A 5KB average response size is quite low for web sites today.  As seen below, the higher end platforms are capable of much higher throughputs.

 Note: The results are from two independent tests. For instance, the 5500 cannot simultaneously achieve 24K requests per second while handling 550 Mbps of traffic.

To maximize the request-per-second values, Citrix used a single request URL that generated a valid one byte HTTP response. Citrix used a single request that generated a 100KB HTTP response to maximize the throughput. Citrix reused the same TCP connection to send multiple requests. These benchmark tests are useful in determining the maximum performance achievable through the device and are extensively used in internal performance optimizations. All tests are CPU-bound and do not test the memory usage. These are extreme results and real-world results would be lesser than these numbers.

Analysis of results

•    The 7500 and 9500 have the same hardware platform (same number of CPU cores) as the 10500 and 12500, so the maximum requests-per-second (column 2) is identical for similar platforms.
•    The throughput results match the rated throughput of the NetScaler platforms. The Basic default configuration is set to request side checks only. The throughput numbers are limited by the platform limits and not by Application Firewall processing.

For Advanced protection features and other discussion, check out the full report