Tataiso ea Theknoloji
Optimize NGFW Performance with
Intel® Xeon® Processors on Public Cloud

Bangodi
Xiang Wang
Jayprakash Patidar
Declan Doherty
Eric Jones
Subhiksha Ravisundar
Heqing Zhu

Selelekela

Li-firewall tsa moloko o latelang (NGFWs) ke tsona tse ka sehloohong tsa tharollo ea ts'ireletso ea marang-rang. Li-firewall tsa setso li etsa tlhahlobo e hlakileng ea sephethephethe, hangata e ipapisitse le boema-kepe le melaoana e ke keng ea itšireletsa khahlanong le sephethephethe se kotsi sa sejoale-joale. NGFWs e fetoha le ho hola holim'a li-firewall tsa setso tse nang le bokhoni bo tsoetseng pele ba ho hlahloba liphutheloana, ho kenyeletsoa lits'ebetso tsa ho lemoha / ho thibela (IDS/IPS), ho lemoha malware, ho tsebahatsa ts'ebeliso le taolo, jj.
NGFWs ke mosebetsi o boima oa komporo, mohlalaample, ts'ebetso ea cryptographic bakeng sa encryption ea sephethephethe sa marang-rang le ho hlakola le ho tsamaisana le melao e boima bakeng sa ho lemoha liketso tse lonya. Intel e fana ka mahlale a mantlha ho ntlafatsa tharollo ea NGFW.
Li-processor tsa Intel li na le li-architecture tse fapaneng tsa litaelo (ISAs), ho kenyelletsa le Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) le Intel® QuickAssist Technology (Intel® QAT) e potlakisang ts'ebetso ea crypto haholo.
Intel e boetse e tsetela ho ntlafatso ea software ho kenyelletsa le tsa Hyperscan. Hyperscan ke mohala o sebetsang hantle haholo le laeborari e tšoanang ea polelo (regex). E sebelisa theknoloji e le 'ngoe ea litaelo tse ngata (SIMD) ho li-processor tsa Intel ho matlafatsa ts'ebetso ea ho bapisa mohlala. Ho kopanngoa ha Hyperscan ho litsamaiso tsa NGFW IPS tse kang Snort li ka ntlafatsa ts'ebetso ka ho fihla ho 3x ho li-processor tsa Intel.
Hangata li-NGFW li fanoa e le sesebelisoa sa ts'ireletso se sebelisoang sebakeng sa demilitarized zone (DMZ) ea litsi tsa data tsa khoebo. Leha ho le joalo, ho na le tlhokahalo e matla ea lisebelisoa tsa sebele tsa NGFW kapa liphutheloana tsa software tse ka fetisetsoang ho leru la sechaba, litsing tsa data tsa khoebo, kapa libakeng tsa marang-rang. Mokhoa ona oa phepelo ea software o lokolla khoebo ea IT ho tsoa lits'ebetsong le tlhokomelong e amanang le lisebelisoa tsa 'mele. E ntlafatsa scalability ea sistimi mme e fana ka likhetho tse feto-fetohang tsa ho reka le ho reka.
Palo e ntseng e eketseha ea likhoebo e amohela ho romelloa ha maru sechabeng sa tharollo ea NGFW. Lebaka le ka sehloohong la sena ke advan ea litšenyehelotage ea ho tsamaisa lisebelisoa tse fumanehang marung.
Leha ho le joalo, kaha li-CSP li fana ka mefuta e mengata ea mehlala e nang le litšobotsi tse fapaneng tsa likhomphutha le litheko, ho khetha mohlala ka TCO e ntle ka ho fetisisa bakeng sa NGFW ho ka ba thata.
Pampiri ena e hlahisa ts'ebetsong ea litšupiso tsa NGFW ho tsoa ho Intel, e ntlafalitsoeng ka mahlale a Intel, ho kenyeletsoa Hyperscan. E fana ka bopaki bo ka tšeptjoang bakeng sa sebopeho sa ts'ebetso ea NGFW ho li-platform tsa Intel. E kenyelelitsoe e le karolo ea sephutheloana sa Intel's NetSec Reference Software. Re boetse re fana ka Multi-Cloud Networking Automation Tool (MCNAT) ka har'a sephutheloana se le seng ho iketsetsa phepelo ea ts'ebetso ea litšupiso tsa NGFW ho bafani ba maru ba sechaba ba khethiloeng. MCNAT e nolofatsa tlhahlobo ea TCO bakeng sa maemo a fapaneng a khomphutha le ho tataisa basebelisi ho ea ho mohlala o nepahetseng oa khomphutha bakeng sa NGFW.
Ka kopo ikopanye le bangoli ho ithuta haholoanyane ka sephutheloana sa NetSec Reference Software.

Nalane ea Phetoho ea Litokomane

Khatiso	Letsatsi	Tlhaloso
001	Hlakubele 2025	Tokollo ea pele.

1.1 Mareo
Lethathamo la 1. Terminology

Kgutsufatso	Tlhaloso
DFA	Deterministic Finite Automaton
DPI	Tekolo ea Pakete e Tebileng
HTTP	Hypertext Transfer Protocol
IDS/IPS	Mokhoa oa ho lemoha le ho thibela ho kenella
ISA	Taelo Set Architecture
MCNAT	Multi-Cloud Networking Automation Tool
NFA	Non-deterministic Finite Automaton
NGFW	Moloko o latelang oa Firewall
PCAP	Pokello ea Pakete
PCRE	Perl Compatible Regular Expressions Library
Regex	Mantsoe a Kamehla
SASE	Secure Access Service Edge
SIMD	Taelo e le 'Ngoe Multiple Data Technology
TCP	Tsamaiso ea Tsamaiso ea Phetiso
URI	Sesupo sa Mohlodi o Uniform
WAF	Web Sesebelisoa sa Firewall

1.2 Litokomane tsa Litšupiso
Lethathamo la 2. Litokomane tsa Litšupiso

Referense	Mohloli
Intel® Xeon® Scalable Platform e Hahiloe Bakeng sa Meroalo e Bohlokoa ka ho Fetisisa ea Mosebetsi	https://www.intc.com/news-events/press-releases/detail/1423/intel-xeon-scalable-platform-built-for-most-sensitive
Ho korotla	https://www.snort.org/
Snort Talos Melao	https://www.snort.org/downloads#rules
Hyperscan	https://www.intel.com/content/www/us/en/developer/articles/technical/introduction-to-hyperscan.html
Ho kopanya ha Hyperscan le Snort	https://www.intel.com/content/www/us/en/developer/articles/technical/hyperscan-and-snort-integration.html
Hyperscan: A Fast Multi-Pattern Regex Matcher bakeng sa li-CPU tsa Kajeno	https://www.usenix.org/conference/nsdi19/presentation/wang-xiang
Teddy: Enjene e sebetsang ea Literal Matching Enjene e sebetsang hantle ea SIMD bakeng sa Tlhahlobo ea Pakete e tebileng ea Scalable	https://dl.acm.org/doi/10.1145/3472456.3473512
Intel® 64 le IA-32 Architectures Software Developer Manuals	https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
Intel® Intrinsics Guide	https://www.intel.com/content/www/us/en/docs/intrinsics-guide/index.html
Ho Potlakisa Ts'ebetso ea Suricata ka ho Sebelisa Software ea Hyperscan Pattern-Matching	https://www.intel.com/content/dam/www/public/us/en/documents/solution-briefs/hyperscan-scalability-solution-brief.pdf
Suricata	https://suricata.io/
Hyperscan ho Suricata: Naha ea Union	https://suricon.net/wp-content/uploads/2016/11/SuriCon2016_GeoffLangdale.pdf
Potlakisa Ts'ebetso ea Snort ka Hyperscan le Intel® Xeon® processors ho Maru a Sechaba	https://networkbuilders.intel.com/solutionslibrary/accelerate-snort-performance-with-hyperscan-and-intel-xeon-processors-on-public-clouds
Next Generation Firewall – Optimizations with 4th Gen Intel® Xeon® Scalable Processor	https://networkbuilders.intel.com/solutionslibrary/next-generation-firewall- optimizations-solution-brief
Ntlafatsa Ts'ebetso le Matla a Matla bakeng sa Li-firewall tsa Moloko o latelang	https://www.intel.com/content/www/us/en/products/docs/processors/xeon-accelerated/network/xeon6-firewall-solution-brief.html
NetSec Software Package	https://www.intel.com/content/www/us/en/secure/design/confidential/software-kits/kit-details.html?kitId=853965

Semelo le Tšusumetso

Kajeno, boholo ba barekisi ba NGFW ba ekelitse mehato ea bona ho tloha lisebelisoa tsa 'mele tsa NGFW ho ea ho tharollo ea NGFW e ka sebelisoang marung a sechaba. Phatlalatso ea leru la NGFW e ntse e eketseha ka lebaka la melemo e latelang:

• Scalability: Ho nyolla habonolo kapa ho theola lisebelisoa tsa khomphutha tsa cross-geo ho fihlela litlhoko tsa ts'ebetso.
• Katleho ea litšenyehelo: peeletso e feto-fetohang ho lumella moputso ka tšebeliso e ngoe le e ngoe. E felisa litšenyehelo tsa lichelete (capex) le ho fokotsa litšenyehelo tsa ts'ebetso tse amanang le lisebelisoa tsa sebele.
• Khokahano ea matsoalloa le lits'ebeletso tsa maru: ho kopanngoa ka mokhoa o se nang moeli le lits'ebeletso tsa maru a sechaba joalo ka marang-rang, taolo ea phihlello le lisebelisoa tsa AI/ML.
• Tšireletso ea mesebetsi e mengata ea maru: ho sefa sephethephethe sa lehae bakeng sa mesebetsi e mengata ea likhoebo e tsamaisoang ke leru la sechaba.

Litsenyehelo tse fokotsehileng tsa ho tsamaisa mosebetsi oa NGFW marung a sechaba ke tlhahiso e khahlang bakeng sa linyeoe tsa ts'ebeliso ea likhoebo.
Leha ho le joalo, ho khetha mohlala ka ts'ebetso e ntle ka ho fetisisa le TCO bakeng sa NGFW ho thata, ha ho fanoe ka mefuta e mengata ea mehlala ea maru e fumanehang ka li-CPU tse sa tšoaneng, boholo ba memori, IO bandwidth, 'me e' ngoe le e 'ngoe e theko e fapaneng. Re thehile NGFW Reference Implementation ho thusa ka ts'ebetso le tlhahlobo ea TCO ea maemo a fapaneng a maru a sechaba a ipapisitseng le li-processor tsa Intel. Re tla bonts'a ts'ebetso le ts'ebetso ka dollar ka 'ngoe e le tataiso ea ho khetha maemo a nepahetseng a thehiloeng ho Intel bakeng sa tharollo ea NGFW litšebeletsong tsa maru a sechaba joalo ka AWS le GCP.

NGFW Reference Kemplementation

Intel e hlahisitse sephutheloana sa NetSec Reference Software (e sa tsoa lokolloa 25.05) e fanang ka litharollo tse ntlafalitsoeng tsa li-ISA le li-accelerator tse fumanehang ho li-Intel CPU tse ncha le li-platform ho bonts'a ts'ebetso e ntlafalitsoeng litsing tsa motheo tsa khoebo le marung. Software ea litšupiso e fumaneha tlas'a Intel Proprietary License (IPL).
Lintlha tse ka sehloohong tsa sephutheloana sena sa software ke:

• E kenyelletsa li-portfolio tse pharalletseng tsa tharollo ea litšupiso bakeng sa marang-rang le ts'ireletso, meralo ea AI bakeng sa litsi tsa data tsa maru le tsa khoebo le libaka tse haufi.
• E lumella nako ea ho rekisa le ho amoheloa ka potlako ha mahlale a Intel.
• Khoutu ea mohloli e teng e lumellang ho pheta-pheta maemo a thomello le maemo a liteko ho li-platform tsa Intel.

Ka kopo ikopanye le bangoli ho ithuta haholoanyane mabapi le ho fumana tokollo ea morao-rao ea NetSec Reference Software.
Joalo ka karolo ea bohlokoa ea sephutheloana sa NetSec Reference Software, ts'ebetsong ea litšupiso tsa NGFW e tsamaisa litšobotsi tsa ts'ebetso ea NGFW le tlhahlobo ea TCO ho li-platform tsa Intel. Re fana ka kopanyo e se nang moeli ea mahlale a Intel joalo ka Hyperscan ts'ebetsong ea litšupiso tsa NGFW. E theha motheo o tiileng oa tlhahlobo ea NGFW ho li-platform tsa Intel. Kaha li-platform tse fapaneng tsa Intel hardware li fana ka bokhoni bo fapaneng ho tloha ho compute ho ea ho IO, ts'ebetsong ea litšupiso tsa NGFW e fana ka tlhaloso e hlakileng haholoanyane. view ea bokhoni ba sethala bakeng sa mesebetsi e mengata ea NGFW mme e thusa ho bonts'a papiso ea ts'ebetso lipakeng tsa meloko ea li-processor tsa Intel. E fana ka leseli le felletseng ka metrics, ho kenyelletsa ts'ebetso ea komporo, bandwidth ea memori, bandwidth ea IO, le ts'ebeliso ea matla. Ho ipapisitsoe le liphetho tsa liteko tsa ts'ebetso, re ka tsoela pele ho etsa tlhahlobo ea TCO (ka ts'ebetso ka dollar) ho li-platform tsa Intel tse sebelisetsoang NGFW.

Phatlalatso ea morao-rao (25.05) ea ts'ebetsong ea litšupiso tsa NGFW e kenyelletsa lintlha tse latelang tsa bohlokoa:

• Li-firewall tsa motheo tsa stateful
• Sistimi ea Thibelo ea ho Thibela (IPS)
• Ts'ehetso ea li-processor tsa morao-rao tsa Intel tse kenyelletsang li-processor tsa Intel® Xeon® 6, Intel Xeon 6 SoC, joalo-joalo.

Litokollo tsa nakong e tlang li reretsoe ho kenya tšebetsong likarolo tse ling tse latelang:

• Tlhahlobo ea VPN: IPsec decryption ea sephethephethe bakeng sa tlhahlobo ea litaba
• Tlhahlobo ea TLS: Moemeli oa TLS ho felisa likhokahano lipakeng tsa moreki le seva ebe o etsa tlhahlobo ea litaba ho sephethephethe sa mongolo o hlakileng.

3.1 Tsamaiso ea Mehaho

Setšoantšo sa 1 se bonts'a meralo ea kakaretso ea sistimi. Re sebelisa software e bulehileng e le motheo oa ho aha sistimi:

• VPP e fana ka tharollo ea sefofane sa data se sebetsang hantle se nang le mesebetsi ea mantlha ea li-firewall, ho kenyeletsoa le li-ACL tse hlakileng. Re hlahisa likhoele tse ngata tsa VPP tse nang le kamano ea mantlha e hlophisitsoeng. Khoele e 'ngoe le e 'ngoe ea basebetsi ba VPP e kentsoe motheong oa CPU o inehetseng kapa khoele ea ts'ebetso.
• Snort 3 e khethiloe e le IPS, e tšehetsang mekhoa e mengata. Likhoele tsa Snort worker li tlanngoe ho li-CPU cores tse inehetseng kapa likhoele tsa ts'ebetso.
• Snort le VPP li kopantsoe ho sebelisoa Snort plugin ho VPP. Sena se sebelisa sehlopha sa lipara tsa mela bakeng sa ho romella lipakete lipakeng tsa VPP le Snort. Lipara tsa mela le lipakete ka botsona li bolokiloe mohopolong o arolelanoeng. Re hlahisitse karolo e ncha ea Data Acquisition (DAQ) bakeng sa Snort, eo re e bitsang VPP Zero Copy (ZC) DAQ. Sena se kenya tshebetsong mesebetsi ya Snort DAQ API ho amohela le ho fetisa dipakete ka ho bala le ho ngolla meleng e amehang. Hobane moputso o le mohopolong o arolelanoeng, re nka sena e le ts'ebetsong ea Zero-Copy.

Kaha Snort 3 ke mosebetsi o boima haholo o hlokang lisebelisoa tse ngata tsa komporo ho feta ts'ebetso ea sefofane sa data, re leka ho hlophisa kabo ea mantlha e ntlafalitsoeng ea processor le ho leka-lekana lipakeng tsa palo ea likhoele tsa VPP le likhoele tsa Snort3 ho fumana ts'ebetso e phahameng ka ho fetisisa ea sistimi ho sethala sa lisebelisoa tse sebetsang.
Setšoantšo sa 2 (leqepheng la 6) se bonts'a node ea kerafo ka har'a VPP, ho kenyelletsa le tseo e leng karolo ea ACL le Snort. plugins. Re thehile li-graph node tse peli tse ncha tsa VPP:

• snort-enq: e etsa qeto ea ho leka-lekanya mojaro mabapi le hore na khoele ea Snort e lokela ho sebetsa pakete efe ebe e kenya pakete moleng o tsamaisanang le eona.
• snort-deq: e kenngoa ts'ebetsong e le mokhoa oa ho kenya likhetho ho tsoa meleng e mengata, e le 'ngoe ka khoele ea basebetsi ba Snort.

3.2 Lintlafatso tsa Intel
Ts'ebetsong ea rona ea litšupiso tsa NGFW e nka nakotage ea tse latelang optimizations:

• Snort e phahamisa laeborari ea tšebetso e phahameng ea regex ea Hyperscan ho fana ka matlafatso e kholo ts'ebetsong ha e bapisoa le enjine ea ho batla ea kamehla ho Snort. Setšoantšo sa 3 se totobatsa ho kopanngoa ha Hyperscan le Snort ho
  potlakisa ts'ebetso ea machng ea 'nete le ea regex. Snort 3 e fana ka kopanyo ea tlhaho le Hyperscan moo basebelisi ba ka bulelang Hyperscan ebang ke ka config file kapa likhetho tsa mela ea taelo.

• VPP e tsoela peletage ea Receive Side Scaling (RSS) ho Intel® Ethernet Network Adapter ho aba sephethephethe ho pholletsa le likhoele tse ngata tsa basebetsi ba VPP.
• Litaelo tsa Intel QAT le Intel AVX-512: Litokollo tsa nako e tlang tse tšehetsang IPsec le TLS li tla nka peletage ea mahlale a ho potlakisa crypto ho tsoa ho Intel. Intel QAT e potlakisa ts'ebetso ea li-crypto, haholo-holo senotlolo sa sechaba se sebelisoang haholo ho theha likhokahano tsa marang-rang. Intel AVX-512 e boetse e matlafatsa ts'ebetso ea li-cryptographic, ho kenyelletsa le VPMADD52 (mesebetsi ea ho ikatisa le ho bokella), vector AES (vector version ea litaelo tsa Intel AES-NI), vPCLMUL (vectorized carry-less multiply, e sebelisetsoang ho ntlafatsa AES-GCM), le Intel® Secure Hash Algorithm - New Intels (Intel®-Intel®).

Cloud Deployment of NGFW Reference Implementation

4.1 Tlhophiso ea Sistimi
Letlapa la 3. Litlhophiso tsa liteko

Metric	Boleng
Sebelisa Taba	Tlhahlobo e hlakileng ea mongolo (FW + IPS)
Sephethephethe Profile	HTTP 64KB GET (1 GET ka Khokahano)
Litsenyehelo tsa ho ba VPP ACLs	Ho joalo (li-ACL tse 2 tse hlakileng)
Snort Melao	Lightspd (~49k melawana)
Leano la Snort	Tshireletso (~21k melao e lumelletsoe)

Re shebana le maemo a tlhahlobo ea mongolo o hlakileng o ipapisitseng le linyeoe tsa ts'ebeliso le li-KPI ho RFC9411. Jenereithara ea sephethephethe e ka etsa litšebelisano tsa 64KB HTTP ka kopo e le 'ngoe ea GET ka khokahanyo. Li-ACL li lokiselitsoe ho lumella li-IP ho li-subnet tse boletsoeng. Re amohetse melao ea Snort Lightspd le leano la ts'ireletso ho tsoa ho Cisco bakeng sa benchmarking. Ho ne ho boetse ho e-na le seva se inehetseng ho fana ka likopo tse tsoang ho lijenereithara tsa sephethephethe.

Joalokaha ho bontšitsoe setšoantšong sa 4 le sa 5, topology ea tsamaiso e kenyelletsa li-node tse tharo tse ka sehloohong: mofani, seva le moemeli bakeng sa ho tsamaisoa ha maru sechabeng. Ho boetse ho na le node ea bastion ho sebeletsa likhokahano ho tsoa ho basebelisi. Ka bobeli moreki (e tsamaisang WRK) le seva (e tsamaisang Nginx) e na le sehokelo se le seng se inehetseng sa marang-rang a sefofane, mme proxy (e tsamaisang NGFW) e na le likhokahano tse peli tsa marang-rang tsa data bakeng sa tlhahlobo. Likhokahano tsa marang-rang tsa data li hokeletsoe ho subnet A (client-proxy) le subnet B (proxy-server) tse bolokang ho itšehla thajana ho mohlala oa sephethephethe sa tsamaiso. Liaterese tsa IP tse inehetseng li hlalosoa ka litsela tse tsamaellanang le melao ea ACL e hlophisitsoeng molemong oa ho lumella sephethephethe.

4.2 Tsamaiso ea Tsamaiso
MCNAT ke sesebelisoa sa software se ntlafalitsoeng ke Intel se fanang ka boiketsetso bakeng sa thomello ea mosebetsi oa marang-rang ka har'a maru a sechaba mme e fana ka litlhahiso mabapi le ho khetha mohlala o motle ka ho fetisisa oa maru o ipapisitseng le ts'ebetso le litšenyehelo.
MCNAT e hlophisitsoe ka letoto la litsebifiles, e 'ngoe le e' ngoe e hlalosa mefuta le litlhophiso tse hlokahalang bakeng sa ketsahalo ka 'ngoe. Mofuta o mong le o mong oa mohlala o na le pro ea oonafile e ka fetisetsoang ho sesebelisoa sa MCNAT CLI ho tsamaisa mofuta oo oa mohlala ho mofani oa litšebeletso tsa maru (CSP). Example tšebeliso ea mola oa taelo e bontšitsoe ka tlase le ho Lethathamo la 4.

Letlapa la 4. Tšebeliso ea Mola oa Taelo oa MCNAT

Khetho	Tlhaloso
- tsamaisa	E laela sesebelisoa ho theha phepelo e ncha
-u	E hlalosa hore na ke lintlha life tsa mosebelisi tse lokelang ho sebelisoa
-c	CSP ho theha thomello ho (AWS, GCP, joalo-joalo)
-s	Scenario ea ho tsamaisa
-p	Profile ho sebelisa

Sesebelisoa sa mola oa taelo oa MCNAT se ka theha le ho tsamaisa maemo ka mohato o le mong. Hang ha mohlala o kentsoe, mehato ea tlhophiso ea poso e theha tlhophiso e hlokahalang ea SSH ho lumella mohlala hore o fihleloe.
4.3 Tsamaiso ea Benchmarking
Hang ha MCNAT e se e sebelisitse maemo, liteko tsohle tsa ts'ebetso li ka sebetsa ho sebelisoa MCNAT sesebelisoa sa lisebelisoa.
Taba ea pele, re hloka ho lokisa linyeoe tsa liteko ho tools/mcn/applications/configurations/ngfw-intel/ngfw-intel.json joalo ka tlase:

Joale re ka sebelisa example laela ka tlase ho qala tlhahlobo. DEPLOYMENT_PATH ke moo ho bolokoang boemo ba phepelo ea tikoloho, mohlala, lisebelisoa/mcn/infrastructure/infrastructure/ex.amples/ngfw-ntel/gcp/terraform.tfstate. d/tfws_default.

E tsamaisa NGFW ka melao e fanoeng ho http sephethephethe se hlahisoang ke WRK ho moreki, ha e ntse e penya mefuta e mengata ea li-CPU, ho bokella palo e feletseng ea linomoro tsa tshebetso bakeng sa mohlala o tlas'a teko. Ha liteko li phethiloe, data eohle e hlophisoa joalo ka csv ebe e khutlisetsoa ho mosebelisi.

Tlhahlobo ea Ts'ebetso le Litšenyehelo

Karolong ena, re bapisa lipehelo tsa NGFW maemong a fapaneng a maru a thehiloeng ho li-processor tsa Intel Xeon ho AWS le GCP.
Sena se fana ka tataiso ea ho fumana mofuta o loketseng oa mohlala oa maru bakeng sa NGFW ho ipapisitse le ts'ebetso le litšenyehelo. Re khetha maemo a nang le li-vCPU tse 4 joalo ka ha li khothaletsoa ke barekisi ba bangata ba NGFW. Liphetho ho AWS le GCP li kenyelletsa:

• Ts'ebetso ea NGFW mefuteng e menyenyane e amohelang li-vCPU tse 4 tse nang le Intel® Hyper-Threading Technology (Intel® HT Technology) le Hyperscan e lumelletsoeng.
• Melemo ea ts'ebetso ea moloko ho isa molokong ho tloha ho 1st Gen Intel Xeon Scalable processors ho isa ho 5th Gen Intel Xeon Scalable processors.
• Ts'ebetso ea moloko ho isa molokong o mong ka dolara e 'ngoe e fumana ho tsoa ho li-processor tsa 1st Gen Inte® Xeon Scalable ho isa ho li-processor tsa 5th Gen Intel Xeon Scalable.

5.1 Tšebeliso ea AWS
5.1.1 Lethathamo la Mofuta oa Boemo
Letlapa la 5. Maemo a AWS le Litefiso tsa Hora tse Batlang

Mofuta oa Mohlala	Mohlala oa CPU	vCPU	Memori (GB)	Tshebetso ya netweke (Gbps)	Ka tlhokeho hourly sekhahla ($)
c5-kholo	Li-processor tsa 2nd Gen Intel® Xeon® Scalable	4	8	10	0.17
c5n-kholo	Li-processor tsa 1st Gen Intel® Xeon® Scalable	4	10.5	25	0.216
c6i-kholo	Li-processor tsa 3rd Gen Intel® Xeon® Scalable	4	8	12.5	0.17
c6in-xlarge	Li-processor tsa 3rd tsa Intel Xeon Scalable	4	8	30	0.2268
c7i-kholo	Li-processor tsa 4th Gen Intel® Xeon® Scalable	4	8	12.5	0.1785

Lethathamo la 5 le bontša ho qetelaview ea maemo a AWS ao re a sebelisang. Ka kopo sheba Platform Configuration bakeng sa lintlha tse ling tsa sethala. E boetse e thathamisa on-demand hourly reiti (https://aws.amazon.com/ec2/pricing/on-demand/) bakeng sa liketsahalo tsohle. E ka holimo e ne e le sekhahla sa litlhoko nakong ea ho hatisa pampiri ena 'me e shebane le lebōpo le ka bophirimela la US.
The on-demand hourly sekhahla se ka fapana ho ea ka sebaka, ho fumaneha, liakhaonto tsa khoebo, le lintlha tse ling.

5.1.2 Liphetho

Setšoantšo sa 6 se bapisa ts'ebetso le ts'ebetso ka sekhahla sa hora ho mefuta eohle ea mehlala e boletsoeng ho tla fihlela joale:

• Ts'ebetso e ntlafalitsoe ka maemo a ipapisitseng le meloko e mecha ea li-processor tsa Intel Xeon. Ntlafatso ho tloha ho c5.xlarge (e thehiloeng ho 2nd Gen Intel Xeon Scalable processor) ho ea ho c7i.xlarge (e thehiloeng ho 4th Gen Intel Xeon Scalable processor)
  e bonts'a ntlafatso ea ts'ebetso ea 1.97x.
• Ts'ebetso ka dolara e 'ngoe e ntlafalitsoe ka maemo a thehiloeng melokong e mecha ea li-processor tsa Intel Xeon. Ho ntlafatsa ho tloha ho c5n.xlarge (e thehiloeng ho 1st Gen Intel Xeon Scalable processor) ho ea ho c7i.xlarge (e thehiloeng ho 4th Gen Intel Xeon Scalable processor) e bontša ntlafatso ea 1.88x ea ts'ebetso/hora.

5.2 Phaliso ea GCP
5.2.1 Lethathamo la Mofuta oa Boemo
Letlapa la 6. Maemo a GCP le Litefiso tsa Lihora tse Batloang

Mofuta oa Mohlala	Mohlala oa CPU	vCPU	Memori (GB)	bandwidth ea kamehla ea egress (Gbps)	Ka tlhokeho hourly sekhahla ($)
n1-std-4	1st Gen Intel® Xeon® Scalable processors	4	15	10	0.189999
n2-std-4	3rd Gen Intel® Xeon® Scalable processors	4	16	10	0.194236
c3-std-4	4th Gen Intel® Xeon® Scalable processors	4	16	23	0.201608
n4-std-4	5th Gen Intel® Xeon® Scalable processors	4	16	10	0.189544
c4-std-4	5th Gen Intel® Xeon® Scalable processors	4	15	23	0.23761913

Lethathamo la 6 le bontša ho qetelaview ea maemo a GCP ao re a sebelisang. Ka kopo sheba Platform Configuration bakeng sa lintlha tse ling tsa sethala. E boetse e thathamisa on-demand hourly reiti (https://cloud.google.com/compute/vm-instance-pricing?hl=en) bakeng sa liketsahalo tsohle. E ka holimo e ne e le sekhahla sa tlhokahalo nakong ea ho hatisa pampiri ena 'me e shebane le lebōpo le ka bophirimela la US. The on-demand hourly sekhahla se ka fapana ho ea ka sebaka, ho fumaneha, liakhaonto tsa khoebo, le lintlha tse ling.

5.2.2 Liphetho

Setšoantšo sa 7 se bapisa ts'ebetso le ts'ebetso ka sekhahla sa hora ho mefuta eohle ea mehlala e boletsoeng ho tla fihlela joale:

• Ts'ebetso e ntlafalitsoe ka maemo a ipapisitseng le meloko e mecha ea li-processor tsa Intel Xeon. Ho ntlafatsa ho tloha ho n1-std-4 (e thehiloeng ho 1st Gen Intel Xeon Scalable processor) ho ea ho c4-std-4 (e thehiloeng ho 5th Gen Intel Xeon Scalable processor) e bonts'a ntlafatso ea ts'ebetso ea 2.68x.
• Ts'ebetso ka dolara e 'ngoe e ntlafalitsoe ka maemo a thehiloeng melokong e mecha ea li-processor tsa Intel Xeon. Ho ntlafatsa ho tloha ho n1-std-4 (e thehiloeng ho 1st Gen Intel Xeon Scalable processor) ho ea ho c4-std-4 (e thehiloeng ho 5th Gen Intel Xeon Scalable processor) e bonts'a ntlafatso ea 2.15x ea ts'ebetso / hora.

Kakaretso

Ka keketseho e ntseng e eketseha ea mekhoa ea phepelo ea maru a mangata le a nyalisitsoeng, ho fana ka litharollo tsa NGFW marung a sechaba ho fana ka ts'ireletso e tsitsitseng ho pholletsa le tikoloho, scalability ho fihlela litlhoko tsa ts'ireletso, le bonolo ka boiteko bo fokolang ba tlhokomelo. Barekisi ba ts'ireletso ea marang-rang ba fana ka litharollo tsa NGFW ka mefuta e fapaneng ea mehlala ea maru holim'a maru a sechaba. Ho bohlokoa ho fokotsa litšenyehelo tsohle tsa botho (TCO) le ho eketsa phaello ho matsete (ROI) ka mohlala o nepahetseng oa maru. Lintlha tsa bohlokoa tse lokelang ho nahanoa li kenyelletsa lisebelisoa tsa compute, marang-rang a marang-rang, le theko. Re sebelisitse ts'ebetso ea litšupiso tsa NGFW joalo ka moemeli oa mosebetsi le ho matlafatsa MCNAT ho tsamaisa thomello le liteko mefuteng e fapaneng ea mehlala ea maru a sechaba. Ho ipapisitsoe le li-benchmarking tsa rona, mehlala e nang le li-processor tsa morao-rao tsa Intel Xeon Scalable ho AWS (e tsamaisoang ke 4th Intel Xeon Scalable processors) le GCP (e tsamaisoang ke 5th Intel Xeon Scalable processors) e fana ka ts'ebetso le ntlafatso ea TCO. Ba ntlafatsa ts'ebetso ka ho fihla ho 2.68x le sekhahla sa ts'ebetso ka hora ho fihla ho 2.15x ho feta meloko e fetileng. Tlhahlobo ena e hlahisa litšupiso tse tiileng mabapi le ho khetha maemo a Intel a thehiloeng marung a sechaba bakeng sa NGFW.

Sehlomathiso A Platform Configuration

Liphetoho tsa sethala
c5-xlarge – “Tlhahlobo ka Intel ho tloha ka 03/17/25. 1-node, 1x Intel(R) Xeon(R) Platinum 8275CL CPU @ 3.00GHz, 2 cores, HT On, Turbo On, Total Memory 8GB (1x8GB DDR4 2933 MT, BIOSs / MT, known 1.0x0, 5003801x Elastic Network Adapter (ENA), 1x 1G Amazon Elastic Block Store, Ubuntu 32 LTS, 22.04.5-6.8.0-aws, gcc 1024, NGFW 11.4, Hyperscan 24.12“
c5n-xlarge – “Teko ka Intel ho tloha 03/17/25. 1-node, 1x Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz, 2 cores, HT On, Turbo On, Kakaretso ea Memori 10.5GB (1×10.5GB 4GB 2933GB 1.0, MT0GB DDR2007006) MT microcode 1x1, 32x Elastic Network Adapter (ENA), 22.04.5x 6.8.0G Amazon Elastic Block Store, Ubuntu 1024 LTS, 11.4-24.12-aws, gcc 5.6.1, NGFW XNUMX, Hyperscan XNUMX”
c6i-xlarge – “Tlhahlobo ka Intel ho tloha ka 03/17/25. 1-node, 1x Intel(R) Xeon(R) Platinum 8375C CPU @ 2.90GHz, 2 cores, HT On, Turbo On, Total Memory 8GB (1x8GB DDR4 3200MT, microcode 1.0GB [BIOS] e tsejoang. 0xd0003f6, 1x Elastic Network Adapter (ENA), 1x 32G Amazon Elastic Block Store, Ubuntu 22.04.5 LTS, 6.8.0-1024-aws, gcc 11.4, NGFW 24.12, Hyperscan 5.6.1“
c6in-xlarge – “Teko ka Intel ho tloha ka 03/17/25. 1-node, 1x Intel(R) Xeon(R) Platinum 8375C CPU @ 2.90GHz, 2 cores, HT On, Turbo On, Total Memory 8GB (1x8GB DDR4 3200MT) e tsebahalang 1.0xd0f0003, 6x Elastic Network Adapter (ENA), 1x 1G Amazon Elastic Block Store, Ubuntu 32 LTS, 22.04.5-6.8.0-aws, gcc 1024, NGFW 11.4, Hyperscan 24.12”
c7i-xlarge – “Teko ka Intel ho tloha ka 03/17/25. 1-node, 1x Intel(R) Xeon(R) Platinum 8488C CPU @ 2.40GHz, 2 cores, HT On, Turbo On, Total Memory 8GB (1x8GB DDR4 4800MT) e tsejoang 1.0x0b2, 000620x Elastic Network Adapter (ENA), 1x 1G Amazon Elastic Block Store, Ubuntu 32 LTS, 22.04.5-6.8.0-aws, gcc 1024, NGFW 11.4, Hyperscan 24.12”
n1-std-4 – “Teko ka Intel ho tloha ka 03/17/25. 1-node, 1x Intel(R) Xeon(R) CPU @ 2.00GHz, 2 cores, HT On, Turbo On, Total Memory 15GB (1x15GB RAM []), BIOS Google, microcode 0xffx Disk 1 sesebediswa sa Ubuntu 1 LTS, 32-22.04.5gcp, gcc 6.8.0, NGFW 1025, Hyperscan 11.4“
n2-std-4 - Teko ea Intel ho tloha ka 03/17/25. 1-node, 1x Intel(R) Xeon(R) CPU @ 2.60GHz, 2 cores, HT On, Turbo On, Total Memory 16GB (1x16GB RAM []), BIOS Google, microcode 0xffffffff, 1x device, 1x 32G PersistentDisk, Ubuntu 22.04.5cg6.8.0 LTS. gcc 1025, NGFW 11.4, Hyperscan 24.12”
c3-std-4 - Teko ea Intel ho tloha ka 03/14/25. 1-node, 1x Intel(R) Xeon(R) Platinum 8481C CPU @ 2.70GHz @ 2.60GHz, 2 cores, HT On, Turbo On, Total Memory 16GB (1x16GB RAM []), BIOS Google, microcode 0xffffffff, 1x Compute Engine 1VIC Ethernet 32GIC 22.04.5 Virtual Engine nvme_card-pd, Ubuntu 6.8.0 LTS, 1025-11.4-gcp, gcc 24.12, NGFW 5.6.1, Hyperscan XNUMX”
n4-std-4 - Teko ea Intel ho tloha ka 03/18/25. 1-node, 1x Intel(R) Xeon(R) PLATINUM 8581C CPU @ 2.10GHz, 2 cores, HT On, Turbo On, Kakaretso ea Memory 16GB (1x16GB RAM []), BIOS Google, microcode 0xffffffff, 1x Compute Engine Virtual Ethernet, 1x Compute Engine Virtual Ethernet] nvd 32GX22.04.5 Ubuntu card Ethernet, nvx 6.8.0GB nv 1025 LTS, 11.4-24.12-gcp, gcc 5.6.1, NGFW XNUMX, Hyperscan XNUMX”
c4-std-4 - Teko ea Intel ho tloha ka 03/18/25. 1-node, 1x Intel(R) Xeon(R) PLATINUM 8581C CPU @ 2.30GHz, 2 cores, HT On, Turbo On, Kakaretso ea Memory 15GB (1x15GB RAM []), BIOS Google, microcode 0xffffffff, 1x Compute Engine Virtual Ethernet, 1x Compute Engine Virtual Ethernet] nvd 32 karete ea Ubuntu Ethernet, nvx 22.04.5, GPIC6.8.0, ​​GPIC_GVN1025 11.4 LTS, 24.12-5.6.1-gcp, gcc XNUMX, NGFW XNUMX, Hyperscan XNUMX”

Sehlomathiso B Intel NGFW Reference Software Configuration

Sebopeho sa Software	Software Software
Host OS	Ubuntu 22.04 LTS
Kernel	6.8.0-1025
Mokopanyi	GCC 11.4.0
LEBOKO	74eb9437
WRK2	44a94c17
VPP	24.02
Ho korotla	3.1.36.0
DAQ	3.0.9
LuaJIT	2.1.0-beta3
Libpcap	1.10.1
PCRE	8.45
ZLIB	1.2.11
Hyperscan	5.6.1
LZMA	5.2.5
NGINX	1.22.1
DPDK	23.11

Ts'ebetso e fapana ho latela ts'ebeliso, tlhophiso le lintlha tse ling. Ithute haholoanyane ho www.Intel.com/PerformanceIndex.
Liphetho tsa ts'ebetso li ipapisitse le liteko ho tloha matsatsing a bontšitsoeng ho litlhophiso 'me li kanna tsa se hlahise lintlafatso tsohle tse fumanehang phatlalatsa. Sheba bekapo bakeng sa lintlha tsa tlhophiso. Ha ho sehlahisoa kapa karolo e ka bolokehang ka botlalo.
Intel e latola litiisetso tsohle tse hlakileng le tse boletsoeng, ho kenyeletsoa ntle le meeli, litiisetso tse boletsoeng tsa thekiso, ho phela hantle bakeng sa morero o itseng, le ho se tlole molao, hammoho le tiisetso efe kapa efe e hlahisoang ke ts'ebetso, khoebo, kapa ts'ebeliso ea khoebo.
Mahlale a Intel a ka hloka lisebelisoa tse thata tsa software, software kapa ts'ebetso.
Intel ha e laole kapa ha e hlahlobe data ea motho oa boraro. U lokela ho sheba mehloli e meng ho hlahloba ho nepahala.
Lihlahisoa tse hlalositsoeng li ka ba le mathata a moralo kapa liphoso tse tsejoang e le errata tse ka etsang hore sehlahisoa se khelohe ho latela litlhaloso tse hatisitsoeng. Liphetoho tsa hajoale tse tsebahalang li fumaneha ka kopo.
© Intel Corporation. Intel, logo ea Intel, le matšoao a mang a Intel ke matšoao a khoebo a Intel Corporation kapa lithuso tsa eona. Mabitso a mang le mabitso a mang a ka nkoa e le thepa ea ba bang.
0425/XW/MK/PDF 365150-001US

Litokomane / Lisebelisoa

Intel Optimize Next Generation Firewalls [pdf] Bukana ea Mosebelisi Ntlafatsa li-firewall tsa Next Generation, Optimize, Next Generation Firewalls, Generation Firewalls, Firewalls

Litšupiso

• Bukana ea Mosebelisi