# TLSStress.Art
NGFW performance test bench — NetSecOPEN-aligned, sustainability-aware, open-source. Place any hardware firewall in the data path and measure its real TLS decryption capacity, throughput, latency and concurrent-session ceiling under HTTP/2 + HTTP/3 load. Produces reports in the exact 16-table cert format published by Cisco, Palo Alto, Fortinet, Check Point and Keysight/Viavi.
Read in your language: English · Português · Español
## ⚠️ Licensing & usage — read before cloning
License: PolyForm Noncommercial 1.0.0 with Appendix A — Additional Use Restrictions.
Audience: Cisco Systems, Inc. employees and pre/post-sales engineers of Cisco's officially certified commercial partners. Use outside that audience requires prior written authorization from the author (agallon@Cisco.com).
Permitted: lab work, internal demonstrations, customer-facing PoV / PoC engagements.
Prohibited (regardless of "noncommercial" status): use in any procurement process — public OR private — including public tenders, "pregões", "editais públicos", private tenders, "editais privados", RFPs / RFQs / RFIs / RFTs that evaluate products competing with Cisco; sale or SaaS-style hosting; any commercialization without prior written authorization.
## Why TLSStress.Art
The commercial NGFW performance market is locked between two vendors (Keysight CyPerf + BreakingPoint, Viavi/Spirent CyberFlood), priced $2.0–2.5M / 100 Gbit/s of test capacity (~$21–25k per Gbit/s). TLSStress.Art delivers the same methodology + report format at ~$5k / Gbit/s — 78% cheaper average, 88% cheaper at the 1 Gbit/s SMB tier.
| Differentiator | Detail |
|---|---|
| NetSecOPEN-aligned | RFC 9411 §7 test sections + 16-table cert report layout, byte-for-byte compatible with Cisco / Palo Alto / Fortinet / Check Point published certs |
| Sustainability-aware | Live SNMP / IPMI / Redfish power polling, kWh + kg CO2 + trees-per-year per test, "if you ran on AWS, you would have paid $X" callout |
| Production realism | PURE — Production URL Replay Engine — replays real customer URL streams (HAR + Syslog + PCAP + SPAN ingest) through the DUT with PIE-PA isolation (3-layer pod-scale-to-0 + BGP withdraw + DNS sanity) |
| 17 patent claims | DOM + OOBI + GATEWAY + RELAY family · PURE + Discovery Hub · Cloud Endpoint Service · SPAN.Art · TREX.Art · OBP proxy — single coherent moat |
| Open-core | License-protected for Cisco + certified partners; full source-code transparency; reproducible builds with Sigstore Cosign keyless signing |
## Architecture at a glance — 37 MÓDULOs in 3 planes
The TLSStress.Art platform is organized as 37 MÓDULO X.Art components distributed across 3 administrative planes (per project_module_planes_classification_2026_05_10):
| Plane | Count | Examples |
|---|---|---|
| DATA | 18 | PW.Art (browser engine) · K6.Art · TREX.Art · HAR.Art · SPAN.Art · PERSONAS.Art (20 Synthetic + 10 Cloned) · DoYour.Art · KALI.Art |
| CONTROL | 5 | BGP-{1..12}.Art · OSPF.Art · SDWAN/CoR-{1..10}.Art · VXLAN-{1..3}.Art · ISP.Art |
| MGMT | 8 + 1 hybrid | VALIDATOR.Art · GATEWAY.Art · RELAY.Art · CLONER.Art · FLOW.Art · SYSLOG.Art · SNMP.Art · API INFRA.Art · CLI.Art |
All MÓDULOs share the immutable OOBI fabric (VXLAN VNI 254254, UDP/4789, ULA fd5a:7c5e:a72:0::/64) — operator entry via GATEWAY.Art (slot .250), customer-MGMT bridging via RELAY.Art (slot .240/.241 HA). DUTs and switches never join the overlay.
📐 Full architecture: ARCHITECTURE.md · ADR index: ADR/README.md
## Test Kinds — 7 categories
| # | Kind | Purpose |
|---|---|---|
| 1 | PW (browser engine) | Real browser navigation — Chromium loads HTML/CSS/JS/images/fonts, measures production-grade latency |
| 2 | synthetic-load engine | High-scale HTTP load test — ~128 MB / agent, percentiles p50/p95/p99, datasheet-grade synthetic |
| 3 | TREX (Cisco TRex) | DPDK kernel-bypass stateful traffic — line-rate TCP/UDP/IPSec, 30 Mpps/core, 40M flows |
| 4 | HAR replay | L7 byte-accurate replay of captured browser sessions — 10k sessions/host vs PW 50/host |
| 5 | Combinatorial | Test plan with modifiers + inspection_profile + 10 NGFW components — 5 presets + custom mode |
| 6 | DoYour (Art Studio) | Operator-built custom tests via Scapy + Go embed + PCAP replay (3 modes, premium tier) |
| 7 | PURE | Production URL Replay — real customer URLs ingested from Syslog/PCAP/HAR/Curated/SPAN/Cloud sources, replayed with PIE-PA isolation |
📐 Combinatorial design: TEST_PLANS.md · Inspection profiles (5 named): INSPECTION_PROFILE.md
## NetSecOPEN compliance
Produces customer-facing cert reports byte-for-byte identical to those published by Cisco / Palo Alto / Fortinet / Check Point with Keysight or Viavi/Spirent tooling. The 22-PR Wave NSO (Phase A — Technical Readiness — complete 2026-05-11) delivers:
| Module | RFC 9411 § / Appendix |
|---|---|
| Schema + Healthcare/Education mixes + 16 object sizes | §3-§7 |
| Cipher enforcer (4 TLS 1.2 + 4 TLS 1.3, session_tickets off) | §4.3.1.4 |
| DUT class XS/S/M/L → 65/120/230/560 ACL rules | §4.2 + Appendix B |
| 16-check preflight (8 RECOMMENDED + 4 OPTIONAL features) | §4.3.2 |
| 11-state orchestrator FSM with phase rule enforcement | §4.3.4 |
| §7.1-§7.9 runners + Appendix A.2/A.3 (Detection Rate + Under Load) | §7 + A |
| 16-table KPI aggregator (cert layout) | §5 + Appendix C |
| Stability graph SVG (sustain-window visualization) | §4.3.4 |
| Pie chart SVG (Figures 2 + 3 — traffic mix) | §7.1 |
| Report renderer (cert + lab × md + html, PDF-ready) | §5 reporting |
| SHA-256 audit chain + Cosign-keyless signature | §5.1 traceability |
📐 Operator primer: NETSECOPEN_PRIMER.md (also .pt-BR.md · .es.md) · Vocabulary mapping: NETSECOPEN_ALIGNMENT.md · Sample cert-format report: sample-reports/cisco-1220cx/
Status: NetSecOPEN-aligned (not yet an "Approved Tool"). 5-phase roadmap (Technical Readiness → Independent Validation via EANTC → Licensing → Membership → Approval Campaign), 24-36 month timeline.
## Sustainability MVP
The 14-PR Wave SUS (2026-05-11) makes every test produce a sustainability report alongside the performance report:
| Component | Output |
|---|---|
| SNMP/IPMI/Redfish power collectors (PDU + server + 10 NGFW vendor MIBs + Cisco Nexus / Catalyst / Arista / Juniper) | Live Watts/device, 5-second sampling |
| Energy aggregator (trapezoidal Wh integration) | kWh + kg CO2 with regional emission factors (15 regions from IEA 2024) |
| Trees-per-year + carbon credit converter | USDA reference (21 kg CO2/tree-year) + Ecosystem Marketplace VCM blended ($15/ton) |
| Plain-language equivalences | km of car driving (EPA) + Netflix HD hours (Netflix ESG 2024) + smartphone full-charges (EPA) |
| AWS IaaS cost calculator | Compute + egress + CloudWatch logs + EBS storage at AWS public list — 7 NGFW VM-Series SKUs supported |
| Competitor TCO comparison | Spirent / Keysight / Ixia 5-year amortized, 78%+ savings vs vendor avg |
📐 Operator primer: SUSTAINABILITY_PRIMER.md (also .pt-BR.md · .es.md) · Sample report: sample-reports/sustainability-cisco-1220cx/ · Real-world calibration: a 5-min Cisco 1220CX test in São Paulo, BR emits ~27 g CO2 (~0.001 tree-years); same workload would have cost ~$5.74 on AWS vs ~$0.03 on-prem = 99.4% savings.
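The energy-aggregator row above (trapezoidal Wh integration, then kWh → kg CO2 → tree-years) as an added Python example; this is not TLSStress.Art's own code, the power traces are constructed, and the single emission factor is an assumed placeholder standing in for the IEA regional table.

```python
# Added example, not TLSStress.Art's own code: the energy-aggregator step from
# the sustainability table, using the constants the README quotes.
KG_CO2_PER_TREE_YEAR = 21.0   # USDA reference quoted in the README
SAMPLE_INTERVAL_S = 5.0       # collector sampling period from the README

# Assumed, constructed emission factor (kg CO2 per kWh). The real tool ships
# 15 IEA-2024 regional factors; this single value is a placeholder.
EMISSION_FACTOR_KG_PER_KWH = {"BR-sao-paulo": 0.1}


def integrate_wh(samples):
    """Trapezoidal integration of time-ordered (t_seconds, watts) samples.

    Returns (watt_hours, gap_count). A gap is an interval longer than two
    sampling periods: a collector dropout the operator should know about,
    because the trapezoid then bridges the missing data linearly.
    """
    wh, gaps = 0.0, 0
    for (t0, p0), (t1, p1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be strictly time-ordered")
        if dt > 2 * SAMPLE_INTERVAL_S:
            gaps += 1
        wh += (p0 + p1) / 2.0 * dt / 3600.0   # W*s -> Wh
    return wh, gaps


def aggregate(devices, region):
    """Sum per-device Wh, then convert to kWh, kg CO2 and tree-years."""
    per_device = {name: integrate_wh(s) for name, s in devices.items()}
    kwh = sum(wh for wh, _ in per_device.values()) / 1000.0
    kg_co2 = kwh * EMISSION_FACTOR_KG_PER_KWH[region]
    return {
        "wh_per_device": {n: wh for n, (wh, _) in per_device.items()},
        "gaps": sum(g for _, g in per_device.values()),
        "kwh": kwh,
        "kg_co2": kg_co2,
        "tree_years": kg_co2 / KG_CO2_PER_TREE_YEAR,
    }


def constructed_run(duration_s=300.0):
    """Constructed 5-minute run sampled every 5 s: a 480 W NGFW, a UCS
    ramping linearly 900 -> 1500 W, a 240 W switch. Illustrative only."""
    ts = [i * SAMPLE_INTERVAL_S for i in range(int(duration_s / SAMPLE_INTERVAL_S) + 1)]
    return {
        "cisco-1220cx": [(t, 480.0) for t in ts],
        "ucs-1": [(t, 900.0 + 600.0 * t / duration_s) for t in ts],
        "nexus-9k": [(t, 240.0) for t in ts],
    }
```

The trapezoid rule is exact for the linear UCS ramp, so the 5-minute constructed run integrates to exactly 40 + 100 + 20 Wh; a real collector dropout shows up in the `gaps` counter rather than silently inflating or deflating the kWh figure.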
## DUT catalog — 10 NGFW vendor families
Locked scope per project_dut_catalog_scope:
| # | Vendor | SKU families | Mgmt plane |
|---|---|---|---|
| 1 | Cisco FTD (Firepower) | 1220, 3105, 1010, 3000, 4200, FTDv | FMC + FDM + SCC |
| 2 | Cisco Secure Router | 8200 / 8300 / 8400 / 8500 (non-MX, non-EoS) | vManage REST |
| 3 | Palo Alto | PA-220 → PA-7080, PA-VM, Prisma Access | Panorama + PAN-OS REST |
| 4 | Fortinet | FortiGate FG-40F → FG-7060F + FortiGate-VM | FortiManager + REST |
| 5 | Check Point | Quantum 3600 → 28000 + CloudGuard | Gaia REST + Multi-Domain |
| 6 | HPE Juniper SRX | SRX300 → SRX5800 + vSRX | Junos Space + RESTCONF |
| 7 | Sophos | XGS series + XG (estimated power) | Sophos Central |
| 8 | Forcepoint | NGFW 1100 → 6205 (estimated power) | SMC |
| 9 | WatchGuard | Firebox M270 → M5800 (estimated power) | Dimension |
| 10 | Huawei | USG-series + AntiDDoS | iMaster (triple-presence: NGFW + server + switch catalogs) |
Exclusion rules (locked): G1 — no TLS decryption → not a DUT. G2 — no EoS-announced models. Meraki MX excluded (no TLS decrypt). IOS-XE autonomous mode excluded (no NGFW). ISR + 8000V + uCPE excluded.
📐 Vendor reference: NGFW_CONFIGURATION_REFERENCE.en.md · DUT API: DUT_API_INTEGRATION.md
## Deployment topologies
Configuration via platform/topology.yaml in 3 independent axes (per ADR 0011):
| Axis | Values | Controls |
|---|---|---|
| deployment_nodes | single · dual · tri · multi | Number of UCS + role distribution |
| l2_fabric | nexus · none (future: arista, catalyst, generic) | External L2 switch (or absence) |
| dut_type | cisco-ftd · cisco-secure-router (future: 8 more) | DUT vendor — gates apply/verify scripts |
| Mode | UCS | Layout |
|---|---|---|
| Single-node | 1 | All on one host. l2_fabric: none recommended for dev/lab (UCS NICs cabled direct into NGFW, multi-NIC 802.1q trunk per NIC). First-class supported. |
| Dual-node | 2 | UCS-1 = agents (PW + synthetic-load engine); UCS-2 = personas + services + observability |
| Tri-node | 3 | UCS-1 = browser engine; UCS-2 = synthetic-load engine; UCS-3 = personas + services + observability |
| Multi-node | 4 | UCS-1 ngfw-dut · UCS-2 playwright · UCS-3 k6 · UCS-4 infra |
OOBI (eth0) is mandatory on every UCS in every mode — k3s flannel + Prometheus scrape run over it.
📐 Quick-start per mode: single · dual · tri · multi · Split-stack dev: SPLIT_STACKS.md
## One-command install
```bash
# Dev mode (Linux/macOS)
curl -fsSL https://raw.githubusercontent.com/nollagluiz/AI_forSE/main/scripts/install.sh | bash
# Production (Ubuntu + k3s)
sudo ./scripts/k8s-install.sh
```
Detects OS, installs Docker if needed, generates host-aware .env, brings the stack up, applies migrations, prints admin credentials. For production multi-UCS, see deployment guides above.
## Container images
Multi-arch (amd64 + arm64), Cosign-signed (keyless OIDC), SBOM-attested:
```bash
docker pull ghcr.io/nollagluiz/web-agent-agent:latest      # PW.Art + K6.Art agents
docker pull ghcr.io/nollagluiz/web-agent-dashboard:latest  # Next.js cockpit
docker pull ghcr.io/nollagluiz/web-agent-k6agent:latest    # K6 load generator
docker pull ghcr.io/nollagluiz/web-agent-cloner:latest     # CLONER.Art (9 functions)
```
📐 Self-upgrade Meraki-style (Recommended / RC / Beta channels + auto-rollback 60s): RELEASE_CHANNELS.md
## Quick links — documentation map
### Architecture & design
- ARCHITECTURE.md · SYSTEM_OVERVIEW.md · TECH_STACK.md
- ADR/README.md — 25+ architecture decision records
### NetSecOPEN compliance (Wave NSO)
- NETSECOPEN_PRIMER.md · pt-BR · es — operator how-to
- NETSECOPEN_ALIGNMENT.md — RFC 9411 §6 coverage matrix + vocabulary
- TEST_PLANS.md · pt-BR · es — 15 catalog-ready load patterns
- INSPECTION_PROFILE.md · pt-BR · es — 5 named profiles
- PREFLIGHT_CHECKS.md · pt-BR · es — 16-check feature audit
- TLS_DECRYPT_MODE_VERIFICATION.en.md · pt-BR · es — ground-truth check
- TLS_INSPECTION_TRAPS.md · pt-BR · es — vocab hygiene (never "SSL Inspection")
### Sustainability (Wave SUS)
- SUSTAINABILITY_PRIMER.md · pt-BR · es — operator how-to + math + sources
- Sample sustainability report: sample-reports/sustainability-cisco-1220cx/
### Test reports
- REPORTS.md · pt-BR · es — HTML + PDF + Cosign-signed
- Sample NetSecOPEN cert-format report: sample-reports/cisco-1220cx/
### Fleet operations
- K6_FLEET.md — synthetic-load fleet (1-1,000 agents)
- CLONER.md · pt-BR · es — Public Website Cloner architecture
- CLONER_OPERATIONS.md · pt-BR · es — jobs + monitoring
### DUT test-bed
- DUT_TESTBED.md — physical NGFW setup
- NGFW_CONFIGURATION_REFERENCE.en.md · pt-BR · es — VLANs + IPs + PKI + vendor examples
- QUICKSTART_DUT_CHECKLIST.en.md · pt-BR · es — cable → install → PKI → test → results
- DUT_API_INTEGRATION.md · pt-BR · es — 3-tier vendor API integration
- DUT_API_OPERATIONS.md — runtime operations
### Network & isolation
- L2_ISOLATION.md · pt-BR · es — BPDU 3-layer defense
- NEXUS9K_TUNING.md — Nexus 9000 trunk tuning
- BRANCH_OFFICE.md · pt-BR · es — asymmetric WAN testing
- NAT_TESTING_MODES.md · pt-BR · es — SDWAN + Cloud On-Ramp scenarios
### Observability & operations
- MONITORING_TEST_VALIDITY.md · pt-BR · es — bench-not-DUT bottleneck alerts
- TRACING.md · pt-BR · es — distributed tracing
- SYSLOG_CORRELATION.md · pt-BR · es — Discovery Hub source
- SYSLOG_OPERATIONS.md · pt-BR · es — operator guide
- TIME_SYNC.md · pt-BR · es — NTP via Cloner Fn 2
- TIME_SYNC_FALLBACKS.md — air-gap fallbacks
### Compliance & DR
- AUDIT_LOG.md — query + handover procedures
- BACKUP_DR_OPERATOR_GUIDE.md — RTO < 30 min / RPO < 5 min
- PRIVACY_POLICY.md · pt-BR · es — licence-acceptance data
- IP_PROTECTION.md · pt-BR · es — intellectual property protection
- ACCESS_REQUEST.md · pt-BR · es — request outside-audience use
### Installation & migration
- AIRGAP_INSTALL.md · pt-BR · es — air-gap deployment
- PRIVATE_REPO_SETUP.md · pt-BR · es — private deployment
- RUNBOOK_FIRST_INSTALL.md · pt-BR — first install
- CLONE_FOR_INSTALL.md · pt-BR · es — clone-for-install workflow
- MIGRATION_v1_to_v2.md — v1 → v2 migration
### Performance
- PERFORMANCE_TUNING.md — sysctls + BBR + QUIC tuning
- PERFORMANCE_TUNING_HOST.md — host-level
- POST_RELEASE_CHECKLIST.md — release engineering
### Plain-language project intros
- What it does · Para que serve · Para qué sirve
- BRAND.md · pt-BR · es — brand tokens + voice
### Roadmap & future
- GNMI_ROADMAP.md · pt-BR · es — gNMI streaming telemetry roadmap
- API_FEATURE_CATALOG.md · pt-BR · es — feature inventory
- RELEASE_CHANNELS.md — Recommended / RC / Beta + Cosign auto-rollback
## Contributing
See CONTRIBUTING.md, the Code of Conduct and the Security policy.
© 2026 André Luiz Gallon — Distributed under PolyForm Noncommercial 1.0.0 with Additional Use Restrictions (Appendix A).