Forum OpenACS Q&A: Professional firewalls
IMHO the best firewall is one that combines load balancing and failover with firewalling. And to me that means Big/IP. You'll need two. See f5.com. It will cost you $10K or so to deploy but if you really are getting a million hits per day, that should be chump change to you.
If you don't see the point of load balancing or failover, then you'll probably be fine with a cheap Linux box (run Debian, please) doing firewalling.
For my tastes, cheap linux boxes are too cheap and have too many moving parts and require too much maintenance and are too tempting to install software onto. I use a Linksys router (they sell them as cable-modem routers but that's not all they're good for). They do packet forwarding from arbitrary ports to arbitrary systems behind the firewall, so if you feel the need to separate web, mail, dns, and login, you can. The little devices can be configured with lynx, or remotely at slightly increased security risk. They have no fans and no hard drives to break down. They're fantastic, I love them.