
As modern networks grow in size and complexity, performance and network security must scale together. One of the most important, and often misunderstood, measurements in this equation is firewall throughput. At its simplest, firewall throughput describes the volume of traffic, measured in megabits per second (Mbps) or gigabits per second (Gbps), that a firewall can process. But raw numbers from a datasheet rarely tell the full story. Real-world throughput is shaped by traffic types, enabled security features, and even how your router and routing policies are designed.

This guide explores the nuances of firewall throughput, how it differs from bandwidth, and why organizations should look beyond marketing specs when choosing or optimizing a firewall.

Firewall Throughput vs. Bandwidth

A common misconception is that throughput and bandwidth are the same. In reality:

  • Bandwidth is the maximum data transfer rate of a network connection—the size of the pipe.
  • Firewall throughput measures how much of that traffic the firewall can actually inspect and allow through while applying security controls.

For example, a 1 Gbps firewall throughput rating doesn’t mean your network can pass 1 Gbps of usable traffic if your ISP plan only provides 500 Mbps of bandwidth. Conversely, if you do have a full gigabit connection but the firewall’s inspection throughput drops under load, the firewall becomes the bottleneck, hurting both performance and network security.

How Firewall Throughput Is Calculated

Firewall throughput is generally measured in a lab environment by testing how many bytes a firewall can process per unit of time. Vendors may measure with different packet sizes or use unidirectional UDP traffic to show “maximum firewall throughput” under ideal conditions.

In practice, throughput is affected by:

  • Concurrent sessions / concurrent connections – The number of open TCP/UDP connections can stress memory and CPU.
  • Traffic type – IPSec VPN tunnels, VoIP, and streaming traffic have different performance impacts.
  • Security services enabled – Running IPS, antivirus, application control, or SSL/TLS inspection requires additional processing power.
  • Packet size – Large packets (e.g., 1518-byte UDP) are cheaper to process than the same volume of data carried as thousands of small (e.g., 64-byte) or fragmented packets, because the firewall pays a per-packet cost for every frame it inspects; small-packet traffic raises CPU load and latency and makes a bottleneck more likely.

Because of these variables, datasheet numbers rarely reflect actual enterprise performance.

Max Firewall Throughput vs. Threat-Focused Metrics

Datasheets often list several related but very different values:

  • Max firewall throughput: The raw, unhindered processing speed when no advanced services are enabled.
  • Threat protection throughput/threat prevention throughput: The realistic performance when features like IPS, application control, and malware detection are running.
  • NGFW throughput: Performance of a next-generation firewall (often abbreviated next-gen or NGFW) with deep packet inspection and application awareness enabled.
  • SSL VPN throughput: Capacity while running encrypted remote-access VPN services; vendors also publish SSL VPN throughput separately from site-to-site VPN figures.

These figures are typically far lower than the max throughput number but give a better sense of real-world capacity. A device might advertise 10 Gbps max throughput, but only 2 Gbps threat protection throughput once IPS and SSL decryption are enabled. That gap can create major surprises if teams size their firewalls solely on the biggest number.

What Really Impacts NGFW Throughput

Modern NGFW platforms combine stateful inspection with advanced controls like sandboxing, user identity awareness, and automation. Each feature consumes resources and reduces throughput.

  • IPS (intrusion prevention) throughput reflects performance with deep packet inspection enabled.
  • SSL inspection and SSL VPN throughput show how much encrypted traffic a firewall can handle while decrypting/re-encrypting flows.
  • VPN throughput matters when many tunnels are active, which is common for SMB and enterprise remote work.
  • Access point management and integrated WiFi controllers can add overhead on branch devices.

While these numbers are sometimes buried deep in vendor specs, they matter far more than max throughput in day-to-day cybersecurity operations.

Vendor Datasheets: Reading Apples-to-Apples

Different vendors publish metrics in different ways:

  • Fortinet devices such as FortiGate branch models often show separate NGFW throughput, threat protection throughput, and SSL VPN throughput; packet-size notations (e.g., 1518B vs 64B) explain why values differ. Many FortiGate models also list recommended users and access point counts—guidance, not hard limits.
  • Cisco and Palo Alto datasheets may emphasize application-layer controls and encrypted-traffic performance; always verify which services were enabled during testing.
  • SonicWall frequently contrasts raw firewall throughput with threat prevention numbers and highlights how deep packet inspection changes the picture.

Comparing like-for-like (same services on, similar packet sizes) is the only reliable way to evaluate true performance, especially across AWS or hybrid deployments.

Capacity Planning for Branch, SMB, and Campus

When sizing for a branch office or SMB network:

  • Start with your real upstream/downstream bandwidth.
  • Add headroom for growth and peak usage (often 2×).
  • Choose a platform whose threat prevention and SSL VPN throughput meet that target with all required features on.
  • Consider peripherals—number of access points, PoE budgets, and redundant power supply options on campus-class appliances.

For campus or data-center edges, also check connections per second, maximum sessions, and specialized inspection (e.g., DNS security, DLP) that can further constrain throughput.
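As an added worked example (not Tufin's code or any vendor's tool), the following Python restates a datasheet rating measured at 1518-byte frames for 64-byte traffic, then runs the sizing steps above against constructed datasheet figures. The 20-byte per-frame wire overhead and the packet-rate-bound model are assumptions, as are the figures themselves.

```python
from dataclasses import dataclass

# Assumed (not stated on the page): each Ethernet frame carries 20 extra bytes on
# the wire (8-byte preamble + 12-byte inter-frame gap), and the firewall is bound
# by packets per second, so a rating at one frame size can be restated at another.
WIRE_OVERHEAD_BYTES = 20


def frames_per_second(line_rate_gbps: float, frame_bytes: int) -> float:
    """Frames per second a link carries at full rate for one frame size."""
    return line_rate_gbps * 1e9 / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def rate_at_frame_size(rated_gbps: float, rated_frame: int, new_frame: int) -> float:
    """Gbps the same packet rate delivers at new_frame, given a datasheet figure
    measured at rated_frame (e.g. a 1518B rating restated for 64B traffic)."""
    pps = frames_per_second(rated_gbps, rated_frame)
    return pps * (new_frame + WIRE_OVERHEAD_BYTES) * 8 / 1e9


@dataclass
class DatasheetFigures:
    """Constructed figures in the shape the page describes; not a real model."""
    model: str
    max_throughput_gbps: float      # no advanced services enabled
    threat_protection_gbps: float   # IPS, antivirus, application control on
    ssl_vpn_gbps: float             # encrypted remote-access capacity


def required_capacity_gbps(link_gbps: float, headroom: float = 2.0) -> float:
    """Steps 1-2 of the sizing procedure: real link bandwidth times headroom."""
    return link_gbps * headroom


def sizing_verdict(fig, link_gbps, needs_ssl_vpn, headroom=2.0):
    """Step 3: judge the platform only on figures taken with required features on.
    max_throughput_gbps is deliberately ignored, as the page advises."""
    target = required_capacity_gbps(link_gbps, headroom)
    checks = {"threat_protection": fig.threat_protection_gbps >= target}
    if needs_ssl_vpn:
        checks["ssl_vpn"] = fig.ssl_vpn_gbps >= target
    return all(checks.values()), target, checks


if __name__ == "__main__":
    box = DatasheetFigures("example-branch-fw", 10.0, 2.0, 1.5)  # constructed
    print(f"10 Gbps @1518B is {frames_per_second(10.0, 1518):,.0f} pps, "
          f"which is only {rate_at_frame_size(10.0, 1518, 64):.2f} Gbps @64B")
    print(sizing_verdict(box, link_gbps=1.0, needs_ssl_vpn=True))
```

Run as-is: the constructed box passes for a 500 Mbps link with 2× headroom but fails the SSL VPN check for a 1 Gbps link, even though its max throughput figure is 10 Gbps.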

Throughput Isn’t Only About Speed—It’s About Security & Compliance

Compliance frameworks like PCI DSS, HIPAA, and NIST require inspection and logging of flows. If your effective throughput drops too low, packets may bypass inspection, creating blind spots that undermine compliance and overall network security.

Optimizing Firewall Throughput with Tufin

Firewall performance isn’t just about raw horsepower—it’s about how effectively rules and policies are managed. Bloated or conflicting rulebases waste throughput by forcing firewalls to evaluate unnecessary policies.

Tufin Orchestration Suite helps maximize throughput and security by:

  • Firewall configuration analysis – Identifies rule bloat, shadow rules, and redundant policies that slow inspection.
  • Automating firewall changes – Keeps rulesets consistent across vendors (e.g., FortiGate, Cisco, Palo Alto, SonicWall) and clouds such as AWS.
  • Centralized visibility – One place to monitor performance, compliance, and security posture across hybrid environments.

By streamlining rule bases and automating change management, Tufin customers often see improvements in effective throughput without touching hardware.

FAQs

How is firewall throughput calculated?

It’s the number of bytes a firewall can process per unit of time, typically measured under controlled conditions. Real-world throughput is lower when IPS, SSL inspection, or VPN are active, and when packet sizes are small.

What is max firewall throughput?

The vendor’s highest published performance number, measured without advanced services enabled. It’s useful for comparison but not for capacity planning.

What is threat protection / threat prevention throughput?

The throughput when key security services (IPS, antivirus, and application control) are enabled. This number reflects the real-world performance most organizations experience.

What is NGFW throughput?

The capacity of a next-gen firewall with deep packet inspection and application awareness enabled, often the most realistic single metric for everyday use.

What about hardware considerations?

Check CPU class, memory, interface options, and redundant power supply choices. These directly influence stability and high-performance operation under load.

Wrapping Up

Firewall throughput is more than just a number on a datasheet. Between max throughput, threat prevention metrics, NGFW throughput, and live variables like concurrent connections, it’s easy to overestimate what your firewall can truly handle. Pair sound sizing (including SSL VPN throughput) with rigorous policy hygiene to keep performance and cybersecurity strong.

Ready to optimize your environment and reclaim effective throughput? Schedule a Tufin demo to see how smarter policy orchestration boosts performance without sacrificing protection.
