Great information, thanks for all the input.

Mike

On Tue, Dec 22, 2015 at 12:10 PM, Payam Chychi <pchy...@gmail.com> wrote:

> Hi Mike,
>
> Here is what I got so far, from the testing I had done in the past using
> the SRX240H, no issues with 800Mbps and 90K pps... also, no issues with 300
> Mbps and 150K pps.
> I am not running it in Packet mode since I have no need to do so.
>
> I am not doing any IDS/Anti-Virus/IPSEC.
>
> As of last year, the 240H was updated with better hardware and more RAM,
> really notice the difference.
>
> Hope this helps.
> -Payam
>
> On 2015-12-22, 8:14 AM, Stepan Kucherenko wrote:
>
>>> Can anyone share real world SRX performance? I am looking at the SRX220
>>> or SRX240 for a small website ~150-200Mbps in a co-location environment.
>>> The performance charts state the SRX220 can do 300Mbps with a mix of
>>> traffic and up to 900Mbps with mostly large packet sizes.
>>
>> SRX240 can give required bandwidth but it has no redundant power. Anyway,
>> I don't think it's a good idea, see below.
>>
>> > If you go down the path of an SRX240 I’d suggest using the
>> > screen features and tuning it for your needs. It can really
>> > save the device from dealing with junk / attack traffic at
>> > higher levels. Can’t help you with a 100Gbps DDoS but can
>> > help deal with SYN floods and other junk.
>>
>> Um. No. It'll die under SYN flood even faster than a server would. I've
>> tested its screen options against SYN floods and it's pathetic, especially
>> compared to what a Linux box with synproxy can do. Not surprising, SRX CPU
>> is very slow compared to Xeons and it can't offload everything.
>>
>> That "other junk" will probably kill it as well.
>>
>> Even 550/650 or "datacenter" models are not robust enough because state
>> exhaustion attacks are easy and cheap. Magic "screen" is far from a
>> panacea. Any stateful firewall in datacenter is just a fragile SPOF that
>> will eventually keel over, taking your whole setup with it.
>>
>> With that said, SRX is a very nice box when it's used correctly. I have
>> lots of them in branch offices and some in datacenter, but I wouldn't put
>> it before servers expecting them to hold their ground under attack. And
>> I'm not bashing SRXes specifically, I'm talking about any stateful firewall
>> from any vendor, they all suck.
>>
>> Don't use stateful firewalls before servers. Ever. Grab an L3 switch and
>> do stateless filtering at ingress and filter everything else on servers.
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
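
The Linux synproxy setup mentioned in Stepan Kucherenko's quoted reply, as an added example that is not part of the thread: a small shell function that prints an iptables-restore ruleset placing the netfilter SYNPROXY target in front of a server's TCP ports. The function name, the interface `eth0`, ports 80/443, and the MSS and window-scale values are assumptions to adapt to the host.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that puts SYNPROXY in
# front of the given TCP ports. Function name, interface, ports, MSS and
# window scale are assumptions; match them to the server's own TCP settings.
# Required sysctls on the host (set separately):
#   net.netfilter.nf_conntrack_tcp_loose=0  (handshake ACK is marked INVALID,
#                                            not picked up as a connection)
#   net.ipv4.tcp_syncookies=1
#   net.ipv4.tcp_timestamps=1

# Usage: synproxy_rules IFACE PORT [PORT...]
synproxy_rules() {
    [ "$#" -ge 2 ] || { echo "usage: synproxy_rules IFACE PORT..." >&2; return 1; }
    iface=$1; shift
    # Reject anything that could smuggle extra text into the ruleset.
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*|??????*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    ports=$(IFS=,; echo "$*")
    match="-i $iface -p tcp -m tcp -m multiport --dports $ports"
    cat <<EOF
*raw
# SYNs to the protected ports skip conntrack, so a flood allocates no state.
-A PREROUTING -i $iface -p tcp -m tcp --syn -m multiport --dports $ports -j CT --notrack
COMMIT
*filter
# Untracked SYNs and handshake ACKs go to SYNPROXY, which answers with a
# SYN cookie and only opens a connection to the server after a valid ACK.
-A INPUT $match -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# Whatever is still INVALID after that (bad cookies, stray ACKs) is dropped.
-A INPUT $match -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Constructed sample invocation: web server on eth0, ports 80 and 443.
synproxy_rules eth0 80 443
```

After review, the printed ruleset can be loaded as root with `iptables-restore --noflush`, which adds these rules without clearing the existing ones.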