BIG-IP SSL orchestrator Throughput vs platform Throughput

DevBabu
Cirrus

Going through the datasheet documents for SSL Orchestrator and the platform, I see different throughput values for SSL Orchestrator throughput vs. platform L7-L7 traffic processing throughput.

What is the difference between these throughputs? When using SSL Orchestrator, does the platform throughput decrease and become limited to what the SSL Orchestrator maximum throughput is?

https://www.f5.com/pdf/products/ssl-orchestrator-datasheet.pdf

https://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf 

2 ACCEPTED SOLUTIONS

Kevin_Stewart
F5 Employee

The platform data sheet is giving you raw throughput for the device. And for SSL (TLS handshake and encryption) these numbers reflect a single decrypt operation. 

SSL Orchestrator throughput differs then in the following ways:

  • SSL is almost always decrypt AND re-encrypt, so would theoretically be half of the platform SSL numbers.
  • SSL forward proxy requires the BIG-IP to forge the server certificate to the client, which is a heavier function. That's why forward proxy and reverse numbers in the SSL Orchestrator data sheet are different.
  • SSL Orchestrator uses CPU (compute) to drive traffic through the service chain, and is thus affected by the number of security devices in the chain. This is why the SSL Orchestrator data sheet provides different throughput numbers for 1, 2, and 3 devices.

Kevin_Stewart
F5 Employee

It is definitely worthwhile to start with SSLO 9.x (9.3 on BIG-IP 16.1.3 is the latest 9.x release as of Aug 2022).

6 REPLIES

LiefZimmerman
Community Manager

hey @DevBabu - I'll reach out to some SSLO experts and see if they can answer this for you.

DevBabu
Cirrus

Thanks.

@Kevin_Stewart Thanks. 

Reading the article "Update or upgrade the F5 SSL Orchestrator | BIG-IP update and upgrade guide", it sounds like SSL Orchestrator contains significant stability improvements in 16.1.x - 9.x. Since we haven't provisioned SSL Orchestrator on v15.x devices, would it be wise to upgrade the device to 16.1.x and then provision/configure SSLO? I think this will help us in doing the workaround mentioned in the article.

LiefZimmerman
Community Manager

@DevBabu - If your post was solved it would be helpful to the community if you selected *Accept As Solution* on the relevant reply (or replies). This helps future readers & searchers find answers more quickly and confirms the efforts of those who helped. (Thanks @Kevin_Stewart)

Thank you for being part of our community.
Lief