Technical Specifications for Firewall

The original is a compliance table with the columns Sl. No., Item Description, Technical Specification, Compliance (Yes/No) and Remark. The Compliance and Remark columns are blank for the bidder to fill in; the numbered items below reproduce the Technical Specification column.

1. Make: to be mentioned by the bidder/vendor.
2. Model No.: to be mentioned by the bidder/vendor.
3. Country of Origin: to be mentioned by the bidder/vendor.
4. Product Accreditation and Test Reports
- The proposed vendor should hold ICSA Labs certification for Firewall and Related Technologies.
- The proposed vendor must have more than 94% Security Effectiveness as per the latest NSS Labs Next Generation Firewall report (NSS Labs ceased operations in 2020, so this refers to its final published report).
- Should be present in the latest Gartner Magic Quadrant for Network Firewalls.
- Should be present in the latest Forrester Wave report for Enterprise Firewalls.
- The manufacturer should be ISO 14001 accredited.
Next Generation Firewall Hardware Appliance Specifications for Hub Firewall at Headquarters (HQ Perimeter Appliance)

5. Appliance Accreditation & Reports
- The proposed firewall vendor should be ICSA certified for Next Generation Firewall and Advanced Threat Protection.
- Should have FIPS 140-2 (with Suite B) Level 2 certification for the firewall.
- Must comply with regulatory certifications and standards: CB, CE, CE RoHS, FCC, VCCI, UL, REACH, BSMI, MSIP, ANATEL.
6. Hardware Architecture
- The proposed hardware-based firewall should not consume more than 1RU of rack-mountable space.
- The proposed firewall should not be proprietary-ASIC based and should be built on a multi-core CPU architecture in order to protect against the latest security threats.
- The proposed firewall should not use proprietary ASIC hardware for any kind of performance improvement. If an option to disable the ASIC exists, the OEM must state the resulting performance numbers in the datasheet or related documents.
- The appliance must have one console port, one dedicated GbE management port and two USB 3.0 ports for WWAN USB card support (5G/LTE/4G/3G), and should support dual power supplies.
- Storage should be integrated, with a minimum 64 GB SSD.
- Minimum storage capacity of 64 GB, with an option to upgrade for storage expansion.
- Storage must be integrated (solid state) in order to avoid mechanical failures.
- The proposed firewall must be rack mountable, and all rack mounting accessories should be included.
7. Interface Requirement
- Minimum 15 x 1G copper ports from day one
- Minimum 2 x 10G SFP+ interfaces
- 1 x 1GbE management port
- 1 x console port
- 2 x USB 3.0 ports (front panel)
8. Performance & Scalability
- The appliance shall support 5 Gbps or more firewall throughput and 3.2 Gbps or more IPS throughput.
- The appliance should support Application Inspection throughput of 3.2 Gbps or more.
- The appliance shall support 3 Gbps or more Threat Protection throughput with Gateway AV, Anti-Spyware, IPS and Application Control enabled.
- The device shall support 1.2 million or more concurrent sessions.
- The device shall support 20,000 or more new connections per second.
- The firewall shall support 2.0 Gbps or more IPsec VPN throughput and 1000 IPsec site-to-site VPN tunnels.
- The proposed firewall should support 500 or more concurrent remote access (IPsec VPN) users.
- The proposed firewall solution shall provide remote VPN connectivity for at least 40 IPsec VPN clients.
- The firewall should support 750 Mbps or more SSL/TLS throughput and 120K SSL/TLS connections.
Next Generation Firewall Hardware Appliance Specifications for Branch Firewall at Branch Level (Branch Perimeter Appliance)

9. Appliance Accreditation & Reports
- The proposed firewall vendor should be ICSA certified for Advanced Threat Protection.
- Must comply with regulatory certifications and standards: CB, CE, CE RoHS, FCC, VCCI, UL, REACH, BSMI, ANATEL.
10. Hardware Architecture
- The proposed hardware-based firewall appliance should preferably be in a desktop form factor.
- The proposed firewall should not be proprietary-ASIC based and should be built on a multi-core CPU architecture in order to protect against the latest security threats.
- The proposed firewall should not use proprietary ASIC hardware for any kind of performance improvement. If an option to disable the ASIC exists, the OEM must state the resulting performance numbers in the datasheet or related documents.
- The appliance must have one console port, one dedicated GbE management port and two USB 3.0 ports for WWAN USB card support (5G/LTE/4G/3G), and should support dual power supplies.
11. Interface Requirement
- Minimum 4 x 1G copper ports from day one
- At least 1 x 1G SFP interface
- 1 x micro-USB console port
- 1 x USB Type-A port
- 1 x USB Type-C port
12. Performance & Scalability
- The appliance should support anti-malware inspection throughput of 750 Mbps or more.
- The appliance shall support 750 Mbps or more Threat Protection throughput with Gateway AV, Anti-Spyware, IPS and Application Control enabled.
- The device shall support 280,000 or more concurrent sessions.
- The device shall support 7,400 or more new connections per second.
- The firewall shall support 650 Mbps or more IPsec VPN throughput and 30 IPsec site-to-site VPN tunnels.
- The proposed firewall should support at least 3 concurrent remote access IPsec VPN users.
- The firewall should support 200 Mbps or more SSL/TLS throughput and 9K SSL/TLS connections.
Next Generation Firewall Security, Protection & Feature Specification for Hub & Branch Firewalls (Perimeter Appliances)

13. General Firewall Features
- The solution must support security policy configuration, bandwidth management, policy-based routing and SD-WAN.
- It should support application bandwidth management that granularly allocates and regulates available bandwidth for critical applications (or application categories) while inhibiting non-essential application traffic.
- Should have the capability to define user-based traffic quotas on upload/download, cyclical or non-cyclical.
- Should support the BGP, OSPF and RIP v1/v2 routing protocols and IPv4 and IPv6 functionality.
- Should detect and prevent hidden attacks that leverage encryption: block encrypted malware downloads, stop the spread of infections, and thwart command-and-control (C&C) communications and data exfiltration.
- Should support Layer 2 bridge (transparent) mode, wire mode, and sniffer/tap mode.
- Should support zero-touch provisioning in order to facilitate mass deployment and auto-synchronization.
- The solution should support policy-based routing, application-based routing and multipath routing.
- The firewall should support static routing, dynamic routing and WAN load balancing for redundant or backup Internet connections.
- Should support a redundant VPN gateway, where primary and secondary VPN gateways can be configured to allow seamless, automatic failover and failback.
- Should support route-based VPN that allows dynamic routing over VPN links, ensuring continuous uptime in the event of a temporary VPN tunnel failure by seamlessly re-routing traffic between endpoints through alternate routes.
- The solution should support Dead Peer Detection, DHCP over VPN, IPsec NAT Traversal, and route-based VPN over OSPF, RIP and BGP.
- Should have an SD-WAN feature to choose lower-cost public Internet services while continuing to achieve a high level of application availability and predictable performance. Vendors that do not have SD-WAN integrated in their firewall should provide an additional device to support this feature from day 1.
- The proposed appliance should support SD-WAN features without adding any additional hardware components; necessary licenses, if required, need to be provisioned from day 1.
- Should support guest users signing in with their credentials from social networking services such as Facebook, Twitter or Google+ to access the Internet and other guest services through the host's wireless, LAN or DMZ zones using pass-through authentication. Necessary licenses, if required, need to be provisioned from day 1.
- The proposed solution must have MAC/IP spoof prevention, jumbo frame support, and IP Helper for protocols other than DHCP.
- The firewall should have a pictorial view of a particular access, NAT or routing rule that helps in finding real-time statistics, and should display which rules are actively used or unused, and enabled or disabled.

14. Firewall Security Features
- Should support REST API integration with third-party intelligence feeds to combat advanced threats such as zero-day exploits, malicious insiders, compromised credentials, ransomware and advanced persistent threats.
- The firewall should scan inbound, outbound and intra-zone traffic for malware in files of unlimited length and size, across all ports and TCP streams, using Gateway AV (GAV) and Cloud AV.
- The proposed firewall should support bidirectional raw TCP inspection that scans raw TCP streams on any port.
- The firewall inspection engine should perform proxy-less, non-buffering inspection to scan for threats in inbound and outbound traffic simultaneously.
- Should perform stream-based, bidirectional traffic analysis, without proxying or buffering, to uncover intrusion attempts and malware and to identify application traffic regardless of port.
- Should support proxy-less, non-buffering inspection of network streams without introducing file or stream size limitations, applicable to common protocols as well as raw TCP streams.
- The solution must be able to perform stream-based traffic inspection on all analysis engines (Threat Prevention, Anti-Malware, Anti-Spyware, IPS, Application Control and Content Filtering Service).
- The firewall should have a single-pass, low-latency inspection system that performs stream-based, bidirectional traffic analysis at high speed without proxying or buffering, to effectively uncover intrusion attempts and malware downloads while identifying application traffic regardless of port and protocol.
- The firewall must support proxy-less, non-buffering inspection technology for DPI scanning without introducing file or stream size limitations.
- The firewall must have an integrated IPS able to scan packet payloads for vulnerabilities and exploits, covering a broad spectrum of attacks and vulnerabilities.
- Should protect against DoS/DDoS attacks using both Layer 3 SYN proxy and Layer 2 SYN blacklisting technologies, and through UDP/ICMP flood protection and connection rate limiting.
- Should have the facility to block URLs based on categories, with granular controls such as Allow/Block, bandwidth management, passphrase override and notify.
- Shall be able to configure traffic shaping on a per-policy basis for specific applications or specific networks, and to define guaranteed bandwidth and maximum bandwidth per policy.
- Should have advanced QoS that guarantees critical communications with 802.1p and DSCP tagging and remapping of VoIP traffic on the network.
- Should support deep packet inspection of SSL (DPI-SSL) to transparently decrypt HTTPS traffic for scanning (IPS, Gateway Antivirus, Content Filtering, Application Control), for future requirements, and then re-encrypt it and forward it to the destination if no threat is found.
- The firewall must support cloud- and appliance-based sandbox technology, and the OEM must have its own Advanced Threat Protection solution.
- The cloud or appliance sandbox should have technology that detects and blocks malware that does not exhibit any malicious behavior and hides its weaponry via encryption. It should detect and block mass-market, zero-day threats and unknown malware.
- The firewall should have the capability to block side-channel attacks such as Meltdown, Spectre, Foreshadow, Foreshadow-NG and PortSmash. (These are CPU flaws that are mitigated on the endpoints themselves by microcode and OS updates; what a gateway can do is detect known exploit code for them in files it inspects, which is how this requirement should be read when evaluating compliance.)
- Should support analysis of a broad range of file types, either individually or as a group, including executables (PE), DLLs, PDFs, MS Office documents, archives, JAR and APK files, across multiple operating systems including Windows, Android and Mac OS X, and multi-browser environments.
- Should be able to prevent potentially malicious files from entering the network: files sent to the sandbox for analysis are to be held at the gateway until a verdict is determined.
- Should support a minimum of 20K DPI signatures, 60 million Cloud AV signatures and 3500+ application signatures from day one.
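The DoS requirement above names two mechanisms, a Layer 3 SYN proxy and Layer 2 blacklisting of flooding sources (plus UDP/ICMP flood limits), without saying how they work. The following is an added example written for this page, not code from the tender or from any vendor's appliance. The SYN proxy is modelled with stateless SYN cookies: the gateway answers every SYN with a SYN-ACK whose initial sequence number is a keyed MAC over the 4-tuple, a coarse timestamp and the client's MSS, so it holds no half-open state during a flood and only creates a connection when a valid ACK comes back. Blacklisting is a per-source sliding-window rate limit shared by the SYN, UDP and ICMP paths. The cookie key, thresholds and sample packets are constructed for illustration.

```python
"""Added example (not from the tender or any vendor): a minimal model of the
two DoS controls named in item 14, a Layer 3 SYN proxy using stateless SYN
cookies and a per-source rate limiter that blacklists flooding sources,
exercised on constructed traffic. Thresholds and the key are illustrative."""
import hashlib
import hmac
from collections import defaultdict, deque

COOKIE_KEY = b"per-boot-random-key"   # assumption: a real appliance rotates this
MSS_TABLE = (536, 1220, 1400, 1460)   # MSS values encodable in the cookie


def syn_cookie(src, sport, dst, dport, t_min, mss_idx):
    """Initial sequence number the proxy sends in its SYN-ACK: 5 bits of time
    (minutes), 3 bits of MSS index, 24-bit keyed MAC over the 4-tuple, time
    and MSS. No per-SYN state is stored, so a SYN flood costs only CPU."""
    msg = f"{src}:{sport}>{dst}:{dport}|{t_min & 0x1F}|{mss_idx & 0x7}".encode()
    mac = int.from_bytes(hmac.new(COOKIE_KEY, msg, hashlib.sha256).digest()[:3], "big")
    return ((t_min & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | mac


def verify_cookie(isn, src, sport, dst, dport, now_min, max_age_min=1):
    """Check the ISN echoed back in the client's ACK (its ack number minus 1).
    Returns the negotiated MSS, or None if the cookie is forged, belongs to
    another 4-tuple, or is older than max_age_min minutes."""
    t_bits = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(max_age_min + 1):
        t = now_min - age
        if (t & 0x1F) == t_bits and syn_cookie(src, sport, dst, dport, t, mss_idx) == isn:
            return MSS_TABLE[mss_idx]
    return None


class SourceRateLimiter:
    """Sliding-window per-source packet rate limit, used for SYN, UDP and ICMP
    floods alike. A source exceeding `limit` packets within `window` seconds
    is blacklisted (dropped at Layer 2, before any inspection) for `ban_seconds`."""

    def __init__(self, limit, window=1.0, ban_seconds=60.0):
        self.limit, self.window, self.ban_seconds = limit, window, ban_seconds
        self.hits = defaultdict(deque)
        self.banned_until = {}

    def observe(self, src, ts):
        """Return 'drop' if src is blacklisted or just crossed the limit, else 'allow'."""
        if self.banned_until.get(src, 0.0) > ts:
            return "drop"
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.banned_until[src] = ts + self.ban_seconds
            q.clear()
            return "drop"
        return "allow"


def classify_traffic(packets, syn_limit=50, udp_limit=500, icmp_limit=20):
    """packets: iterable of (timestamp, src_ip, kind), kind in {'tcp-syn',
    'udp', 'icmp'}. Returns allow/drop counts and the blacklisted sources."""
    limiters = {"tcp-syn": SourceRateLimiter(syn_limit),
                "udp": SourceRateLimiter(udp_limit),
                "icmp": SourceRateLimiter(icmp_limit)}
    counts = {"allow": 0, "drop": 0}
    for ts, src, kind in sorted(packets):
        counts[limiters[kind].observe(src, ts)] += 1
    banned = sorted({s for lim in limiters.values() for s in lim.banned_until})
    return counts, banned


def sample_traffic():
    """Constructed traffic: one host sends 200 SYNs in 0.4 s (a flood), a
    legitimate host opens 5 connections, and a third host pings 10 times."""
    flood = [(i * 0.002, "198.51.100.7", "tcp-syn") for i in range(200)]
    legit = [(0.1 * i, "192.0.2.10", "tcp-syn") for i in range(5)]
    pings = [(0.05 * i, "192.0.2.20", "icmp") for i in range(10)]
    return flood + legit + pings


if __name__ == "__main__":
    print(classify_traffic(sample_traffic()))   # ({'allow': 65, 'drop': 150}, ['198.51.100.7'])
    isn = syn_cookie("192.0.2.10", 40000, "203.0.113.1", 443, 1000, 3)
    print(verify_cookie(isn, "192.0.2.10", 40000, "203.0.113.1", 443, 1000))   # 1460
```

The first 50 SYNs of the flooding host are answered with cookies (costing no state), the 51st trips the limiter and the rest are dropped at Layer 2, while the legitimate host and the pinging host are untouched. When evaluating a bid, ask the vendor which of these two layers each of its "SYN proxy" and "SYN blacklist" settings corresponds to and what the default thresholds are.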
15. High Availability
- The proposed solution should support hardware redundancy for high availability when required in the future.
- The proposed solution should support Active/Passive HA with an option for stateful synchronization, for future use.
- The proposed solution should support hardware redundancy using only a single security license shared between the primary and secondary appliances, for both the hub firewall appliances and the branch firewall appliances.
16. Advanced Threat Protection (ATP)
- The appliance or cloud sandbox should proactively detect and block unknown zero-day malware via deep memory inspection in real time.
- The sandbox must detect and block mass-market, zero-day threats and unknown malware by inspecting directly in memory.
- Should identify and mitigate sophisticated attacks in which the weaponry is exposed in memory for less than 100 nanoseconds.
- Should prevent potentially malicious and suspicious files from entering the network; files sent to the cloud for detonation and analysis should not be released from the gateway until a verdict is determined.
- The solution must be able to hold patient-zero malicious and suspicious files at the gateway until the sandbox verdict is determined.
- The firewall should support a multi-engine sandboxing architecture to prevent unknown and zero-day attacks.
- Supports analysis of a broad range of file types, including executables (PE), DLLs, PDFs, MS Office documents, archives, JAR and APK files, across multiple operating systems including Windows, Android and Mac OS, and multi-browser environments.
- The firewall's inspection should decode payloads for malware even if they do not run on standard, well-known ports.
- Must be able to decrypt and inspect TLS/SSL encrypted traffic on the fly, without proxying, for malware, intrusions and data leakage, and apply application, URL and content control policies in order to protect against threats hidden inside encrypted traffic.
17. SSL/SSH Decryption
- Should provide deep packet inspection of SSH (DPI-SSH): decrypt and inspect data traversing SSH tunnels to prevent attacks that leverage SSH.
- The NGFW shall support the ability to have an SSL inspection policy differentiate between personal SSL
- SSL decryption must be supported on any port used for SSL, i.e. on non-standard SSL ports as well.
- Should support TLS 1.3.
18. Virtual Private Networks
- The VPN should be integrated in the firewall and support the following: DES, 3DES, AES 128/192/256, MD5, SHA-1, SHA-256, Diffie-Hellman Groups 1, 2 and 5, IKE v1/v2.
- It should have a redundant VPN gateway, IPsec VPN for site-to-site connectivity, and SSL VPN and IPsec client remote access.
- The system should support IPsec site-to-site VPN and remote user VPN in transparent mode.
- Should support hub-and-spoke VPN topology and route-based VPN (OSPF, RIP, etc.).
- Should support PPTP or L2TP over IPsec VPN protocols.
- Should support NAT within IPsec/SSL VPN tunnels.
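A practitioner reviewing the algorithm list above will notice that most of it is legacy: DES, MD5 and Diffie-Hellman Group 1 are "MUST NOT" in current IETF guidance (RFC 8247 for IKEv2, RFC 8221 for ESP/AH), 3DES, SHA-1 and Groups 2 and 5 are "SHOULD NOT" or slated for downgrade, IKEv1 is deprecated by RFC 9395, and no DH group the tender requires is acceptable for a new tunnel today. The following is an added example written for this page, not tender or vendor code: a small checker that grades an IKE/IPsec proposal against both the tender's list and that guidance, so the evaluation team can see which "supported" algorithms must never actually be configured. The verdict table is the editor's reading of those RFCs and the sample proposals are constructed.

```python
"""Added example (editor's, not from the tender or a vendor): grade an
IKE/IPsec proposal against the algorithm list required in item 18 and
against current IETF guidance (RFC 8247 for IKEv2, RFC 8221 for ESP/AH,
RFC 9395 deprecating IKEv1). The proposals at the bottom are constructed."""
from dataclasses import dataclass

OK, WARN, REJECT = "ok", "warn", "reject"
RANK = {OK: 0, WARN: 1, REJECT: 2}

# Algorithms the tender text asks the VPN to support.
TENDER_ALGS = {
    "ike_version": {1, 2},
    "encryption": {"DES", "3DES", "AES128", "AES192", "AES256"},
    "integrity": {"MD5", "SHA1", "SHA256"},
    "dh_group": {1, 2, 5},
}

# REJECT = "MUST NOT" in the RFCs above; WARN = "SHOULD NOT", "MUST-" (still
# mandatory but expected to be downgraded) or deprecated; OK = acceptable.
GUIDANCE = {
    "ike_version": {1: WARN, 2: OK},
    "encryption": {"DES": REJECT, "3DES": WARN, "AES128": OK, "AES192": OK, "AES256": OK},
    "integrity": {"MD5": REJECT, "SHA1": WARN, "SHA256": OK, "SHA384": OK, "SHA512": OK},
    "dh_group": {1: REJECT, 2: WARN, 5: WARN, 14: OK, 19: OK, 20: OK},
}


@dataclass(frozen=True)
class Proposal:
    ike_version: int
    encryption: str
    integrity: str
    dh_group: int


def grade(p):
    """Return (verdict, findings). The verdict is the worst per-parameter
    verdict; values absent from GUIDANCE are rejected because they cannot be
    vetted. Each finding notes whether the tender list even requires it."""
    findings, worst = [], OK
    for attr in ("ike_version", "encryption", "integrity", "dh_group"):
        value = getattr(p, attr)
        verdict = GUIDANCE[attr].get(value, REJECT)
        if verdict != OK:
            note = "" if value in TENDER_ALGS[attr] else " (not in tender list)"
            findings.append(f"{attr}={value}: {verdict}{note}")
        if RANK[verdict] > RANK[worst]:
            worst = verdict
    return worst, findings


def tender_list_review():
    """Bucket every algorithm the tender requires by its guidance verdict, to
    show what the list is missing (no DH group in it is acceptable today)."""
    review = {}
    for attr, values in TENDER_ALGS.items():
        buckets = {OK: [], WARN: [], REJECT: []}
        for value in sorted(values):
            buckets[GUIDANCE[attr].get(value, REJECT)].append(value)
        review[attr] = buckets
    return review


if __name__ == "__main__":
    for prop in (Proposal(1, "3DES", "MD5", 2), Proposal(2, "AES128", "SHA1", 5),
                 Proposal(2, "AES256", "SHA256", 14)):
        print(prop, *grade(prop))
    print(tender_list_review()["dh_group"])   # {'ok': [], 'warn': [2, 5], 'reject': [1]}
```

A sensible addition to the tender would be to keep the legacy algorithms as "supported for interoperability only" and to require IKEv2 with AES-256, SHA-256 and DH Group 14 or an ECP group (19/20) as the default proposal; the same reasoning applies to PPTP in the following bullet, whose MS-CHAPv2 authentication is breakable and should not be offered to new clients.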
19. SD-WAN
- The proposed solution should include an SD-WAN controller and WAN edge router.
- Traffic handled by the SD-WAN controller and WAN edge router should be scanned by the AV and IPS engines.
- The solution should be able to lower costs by replacing expensive MPLS connections with cost-effective broadband options such as Ethernet, DSL and 3G/4G/LTE.
- The solution should be able to achieve consistent performance and availability for business-critical and SaaS applications.
- The solution should secure traffic from advanced threats across the entire network.
- The solution must simplify deployment and ongoing management through a centralized administration feature.
- The solution should support informed policy decisions with application-level visualization and traffic graphs.
- The solution should support secure connectivity between locations using AES encryption standards, and support dedicated SD-WAN grouping options.
- The solution should support multi-WAN group load balancing of WAN connections.
- The solution must support in-depth application security, intelligence and control, and an SD-WAN traffic monitoring option.
- SD-WAN should support at least the following link monitoring metrics: jitter, packet loss and latency.
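The three monitoring metrics named in the last bullet are what an SD-WAN uses to decide, per application, whether the cheap broadband link is good enough or whether traffic must fall back to MPLS, which is the "lower-cost Internet services with predictable performance" goal of the earlier bullets. The following is an added example written for this page, not code from the tender or any vendor: it derives latency, jitter and loss from probe results and selects the cheapest link that meets an application's SLA. Probe data, SLA thresholds and link costs are constructed, and jitter is taken as the mean absolute difference between consecutive round-trip times, one common definition among several.

```python
"""Added example (editor's, not from the tender or a vendor): compute the
link-health metrics named in item 19 (latency, jitter, packet loss) from
probe results and pick the cheapest WAN link that still meets an
application's SLA, the basic SD-WAN steering decision. Probe data, SLA
values and link costs are constructed."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class LinkStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost: int          # relative cost rank, lower is cheaper


def link_stats(name, rtts, cost):
    """rtts: per-probe round-trip times in ms, None for a lost probe."""
    received = [r for r in rtts if r is not None]
    loss_pct = 100.0 * (len(rtts) - len(received)) / len(rtts)
    if len(received) < 2:                        # not enough data to rate it
        return LinkStats(name, float("inf"), float("inf"), loss_pct, cost)
    jitter = mean(abs(b - a) for a, b in zip(received, received[1:]))
    return LinkStats(name, mean(received), jitter, loss_pct, cost)


# Per-application thresholds (constructed); a link must meet all three.
SLA = {
    "voip": {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
    "saas": {"latency_ms": 250, "jitter_ms": 50, "loss_pct": 2.0},
    "bulk": {"latency_ms": 1000, "jitter_ms": 500, "loss_pct": 10.0},
}


def meets_sla(link, sla):
    return (link.latency_ms <= sla["latency_ms"] and link.jitter_ms <= sla["jitter_ms"]
            and link.loss_pct <= sla["loss_pct"])


def select_link(app, links):
    """Cheapest link meeting the app's SLA; if none does, fall back to the
    link with the least loss, then lowest latency, so traffic still flows."""
    eligible = [l for l in links if meets_sla(l, SLA[app])]
    if eligible:
        return min(eligible, key=lambda l: (l.cost, l.latency_ms)).name
    return min(links, key=lambda l: (l.loss_pct, l.latency_ms)).name


def build_links(probes):
    """probes: {link_name: (rtt_list, cost)} -> list of LinkStats."""
    return [link_stats(name, rtts, cost) for name, (rtts, cost) in probes.items()]


# Constructed probe results, 10 probes per link.
GOOD_PROBES = {
    "mpls": ([20, 21, 20, 22, 21, 20, 21, 20, 21, 20], 3),
    "broadband": ([30, 35, 28, 40, 36, 32, 31, 38, 30, 33], 1),
    "lte": ([60, 120, 70, None, None, 90, 65, 150, 80, 70], 2),
}
# Same, but the broadband link is now dropping 40% of probes.
DEGRADED_PROBES = dict(GOOD_PROBES,
                       broadband=([30, None, None, 40, None, 32, 31, None, 30, 33], 1))

if __name__ == "__main__":
    for label, probes in (("healthy", GOOD_PROBES), ("degraded", DEGRADED_PROBES)):
        links = build_links(probes)
        print(label, {app: select_link(app, links) for app in SLA})
    # healthy -> broadband for every class; degraded -> mpls for every class
```

With healthy probes every class rides the cheap broadband link; once it starts losing 40% of probes, voice, SaaS and bulk all move to MPLS, and the LTE link never qualifies because its 20% loss and 45 ms jitter exceed every SLA. When comparing bids, ask how often probes are sent, over how many samples the metrics are averaged, and whether steering is symmetric at both ends of the tunnel, since those settings decide how quickly a degraded link is abandoned.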
20. Network Address Translation (NAT)
- The proposed firewall must be able to operate with static NAT.
- The proposed firewall must be able to support Network Address Translation (NAT).
- The proposed firewall must be able to support Port Address Translation (PAT).
- The proposed firewall shall support dual-stack IPv4/IPv6 and NAT64.
21. Routing and Multicast Support
- The proposed firewall must support the following routing protocols:
  - Static
  - OSPF
  - BGP
- The proposed solution must support policy-based forwarding based on:
  - Zone
  - Source or destination address
  - Source or destination port
  - Services or ports
- The proposed solution should support the ability to create QoS policies:
  - by source address
  - by destination address
  - by application
  - by port and services
- Should support the multicast protocols PIM and IGMP.
22. Authentication
- Should support the following authentication protocols:
  - Local
  - LDAP
  - RADIUS (vendor-specific attributes)
- The proposed firewall's SSL VPN shall support the following authentication protocols:
  - Local
  - LDAP
  - RADIUS
  - Any combination of the above
- The proposed solution must have a browser-based user identity authentication method for identity awareness of staff members.
23. Web Security
- Should have integrated category-based URL filtering capable of filtering HTTP- and HTTPS-based URLs.
- URL ratings are cached locally on the firewall.
- Should be able to block different categories/sites per user, covering at least 20 million sites in 50 categories.
- Should be able to enforce acceptable use policies and block access to HTTP/HTTPS websites containing information or images that are objectionable or unproductive.
- Should have configurable options to allow or deny access to web sites when the URL rating service is unavailable.
- Block content using the predefined categories or any combination of categories, with the ability to schedule filtering by time of day, such as during school or business hours, and to apply it to individual users or groups.
- Should have configurable policy options to block web sites based on banned words.
- Should have options to customize the block message shown to end users.
- Should have configurable parameters to block or allow unrated sites.
- The firewall should support manual content and URL filtering, and also support user-based policies in addition to IP address-based policies.
24. DNS Security
- Should support split DNS servers.
- DNS security should include protection against DNS rebinding attacks.
- Should be able to quickly detect command-and-control or data theft employing DNS tunnelling.
- Should support a DNS proxy to redirect DNS queries selectively to specific DNS servers.
- Should support the ability to whitelist domains.
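Three of the DNS controls above are easy to state precisely, and a bidder's answers can be tested against the definitions. Split DNS with a selective DNS proxy means queries for internal zones are forwarded to an internal resolver and everything else to an external one. Rebinding protection means an external name is never allowed to resolve to a private, loopback or link-local address (otherwise a script on an attacker's web page can reach hosts behind the firewall through the victim's browser); the whitelist is what exempts internal zones that legitimately return private addresses. Tunnelling detection rests on the observation that encoded data in query names looks unlike host names: many unique, long, high-entropy subdomains under one domain, often with TXT or NULL queries. The following is an added example written for this page, not tender or vendor code; zone names, resolver addresses, thresholds and the query log are constructed, and the registrable domain is approximated as the last two labels (a real implementation would use a public-suffix list).

```python
"""Added example (editor's, not from the tender or a vendor): three of the
DNS controls in item 24 on constructed data: split-DNS forwarding (selective
DNS proxy), DNS rebinding protection and DNS tunnelling detection. Zone
names, resolver addresses and thresholds are assumptions."""
import base64
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict
from statistics import mean

# Split DNS: queries for these zones go to the internal resolver, everything
# else to the external one. Addresses are from documentation ranges.
SPLIT_DNS = {"corp.example": "10.0.0.53"}
EXTERNAL_RESOLVER = "203.0.113.53"
ALLOWLIST = set(SPLIT_DNS)      # internal zones are expected to return private IPs


def in_zone(qname, zone):
    qname = qname.lower().rstrip(".")
    return qname == zone or qname.endswith("." + zone)


def choose_upstream(qname):
    """DNS proxy decision: which resolver a query is forwarded to."""
    for zone, resolver in SPLIT_DNS.items():
        if in_zone(qname, zone):
            return resolver
    return EXTERNAL_RESOLVER


def is_rebinding(qname, answers, allowlist=ALLOWLIST):
    """True if a name outside the allowlisted internal zones resolves to a
    private, loopback, link-local or unspecified address; such an answer
    should be dropped before it reaches the client."""
    if any(in_zone(qname, zone) for zone in allowlist):
        return False
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return True
    return False


def entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def analyse_queries(log):
    """log: iterable of (client_ip, qname, qtype). Aggregates per registrable
    domain, approximated here as the last two labels."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "lengths": [], "entropies": [], "txt_null": 0})
    for _client, qname, qtype in log:
        labels = qname.lower().rstrip(".").split(".")
        base, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        d = stats[base]
        d["queries"] += 1
        if sub:
            d["subdomains"].add(sub)
            d["lengths"].append(len(sub))
            d["entropies"].append(entropy(sub.replace(".", "")))
        if qtype in ("TXT", "NULL"):
            d["txt_null"] += 1
    return stats


def suspected_tunnels(stats, min_queries=20, min_unique=0.8, min_len=30, min_entropy=3.0):
    """Domains whose subdomains look like encoded data rather than host names."""
    flagged = []
    for base, d in stats.items():
        if d["queries"] < min_queries or not d["lengths"]:
            continue
        unique_ratio = len(d["subdomains"]) / d["queries"]
        if (unique_ratio >= min_unique and mean(d["lengths"]) >= min_len
                and mean(d["entropies"]) >= min_entropy):
            flagged.append(base)
    return sorted(flagged)


def sample_log():
    """Constructed query log: ordinary lookups plus 30 TXT queries carrying
    base32-encoded chunks under exfil.example."""
    normal = [("192.0.2.10", name, "A") for name in
              ("www.example.com", "mail.example.com", "intranet.corp.example") * 10]
    chunks = []
    for i in range(30):
        payload = hashlib.sha256(f"chunk{i}".encode()).digest()
        label = base64.b32encode(payload).decode().lower().rstrip("=")[:48]
        chunks.append(("192.0.2.10", f"{label}.exfil.example", "TXT"))
    return normal + chunks


if __name__ == "__main__":
    print(choose_upstream("intranet.corp.example"), choose_upstream("www.example.com"))
    print(is_rebinding("evil.example", ["192.168.1.10"]),
          is_rebinding("intranet.corp.example", ["10.0.0.5"]))
    print(suspected_tunnels(analyse_queries(sample_log())))   # ['exfil.example']
```

The zone match is suffix-based with a leading dot, so `corp.example.com` is not mistaken for the internal zone `corp.example`, a trap that a naive `endswith` check falls into. Thresholds such as the subdomain length and entropy cut-offs are the kind of tunables a vendor should be able to expose or at least document when asked how its "DNS tunnelling detection" works.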
25. Anti-Spam Features and Services
- Should support anti-spam security through advanced IP-reputation-based and cloud-based detection methods.
- The anti-spam feature must include the following detection and prevention methodologies and techniques:
  - Complete inbound anti-spam protection
  - Anti-phishing protection
  - Anti-malware protection
  - IP reputation
  - Advanced content management
- Should use advanced anti-spam techniques that utilize advanced filtering and machine-learning capabilities.
- Should utilize advanced filtering capabilities, image analysis and gibberish detection.
- The anti-spam feature must be able to stop spam, phishing and virus attacks.
- The anti-spam service should use advanced detection and prevention methods such as reputation checks based on IP, content, structure, links, images and attachments.
- Should include real-time threat intelligence and a threat network.
- Should include built-in allow and block lists.
26. Visibility and Monitoring
- Should provide real-time monitoring and visualization with a graphical representation of top applications, top addresses, top users and intrusions by session, for granular insight into traffic across the network.
- The system should provide GUI panels and actionable dashboards with general information, system status, system usage, network interface status and security services status.
- The solution should support granular visibility of the network topology along with host information.
- The solution should have real-time visibility of infected hosts, critical attacks, encrypted traffic information and observed threats.
27. Management & Reporting Features
- The management platform must be accessible via a web-based interface, without any additional client software.
- The firewall should support management via CLI, SSH and GUI, and support SNMP v2/v3.
- The solution should support cloud-based configuration backup.
- Should support out-of-the-box reporting.
- Failure of the proposed firewall's storage must not affect the availability of reporting data.
- The proposed reporting system should be cloud-based.
- The proposed management solution should be a separate solution so as not to impact the performance of the NGFW appliances.
- The proposed reporting solution should be a separate solution so as not to impact the performance of the NGFW appliances.
- The proposed solution should be able to provide a retention period of up to a week for all reporting data.
- The proposed system should support exporting reports to a Microsoft Excel spreadsheet or a PDF file.
- The proposed solution should support cloud and local configuration backup/recovery and firmware upgrades.
28. Warranty and Support
- The proposed solution should include 24x7 telephone, email and web-based technical support.
- The OEM should have TAC and R&D centers.
- A minimum one (01) year manufacturer's warranty should be stated, including all services such as GAV, IPS, Anti-Spyware/Anti-Malware, CFS, Application Control, DNS Security & Filtering, bot protection, Advanced Threat Protection, and patch and firmware upgrades.
- The original equipment manufacturer should maintain all required spare parts in an independent in-country parts depot or distributor warehouse.
- The bidder must carry out on-site installation, testing and commissioning.
29. Authorization
- An Original Manufacturer Authorization Certificate is to be submitted along with the bid. We reserve the right to reject the bid in case of deviation on the basis of technical compliance as submitted in the tender document.
