Gateway Firewalls

• Country: Jordan
• Summary: Gateway Firewalls
• JOT Ref No: 53693976
• Deadline: 09 Jun 2021
• Financier: Self Financed
• Purchaser Ownership: Government
• Tender Value: Refer Document
• Notice Type: Tender
• Document Ref. No.: 2021/02
• Purchaser's Detail:
  Login to see full purchaser details. Login to see full purchaser details. Login to see full purchaser details. Login to see full purchaser details. Login to see full purchaser details. Login to see full purchaser details. Login to see full purchaser details. Login to see full purchaser details. Login to see full purchaser details.

  Login to see details
• Description:
• Tenders are invited for Gateway Firewalls. Performance Specifications: 1. The proposed solution must be recognized as a Leader in the latest Gartner Magic Quadrant for Enterprise Firewalls. 2. The proposed solution must be from a family of products that achieves "Recommended" rating from NSS Labs for NGFW testing 3. Firewall throughput of the device for all packet size (1500 bytes, 512 bytes, 64 bytes) should be above 35/ 35 / 25 Gbps 4. The Maximum Concurrent sessions should be: 8 Million 5. The New sessions per second should be 450,000 6. The latency of the Firewall should be below 1.6 μs for all packet sizes. 7. It should support IPsec VPN throughput of 20 Gbps 8. It should have inbuilt SSL VPN capability to support up to 10,000 concurrent users. If this is a licensed component, the equivalent of 5,000 user licenses should be quoted. 9. The device should support Firewall Throughput with Application control enabled: 15 Gbps 10. The device should support an IPS throughput of 10 Gbps 11. The device should also support a NGFW Throughput (FW + IPS + Application control) of 9 Gbps as minimum. 12. The device should also support Threat Protection Throughput (FW + IPS + Application Control + Antimalware) of 7 Gbps as minimum. Hardware Specifications 13. The device should have RJ45 Console Port, 2x GE RJ45 Management Ports, 8 x 1 Gig copper ports, 8 x 1 Gig SFP slots, and 2 x 10 Gig SFP+ slots for fiber connectivity. 14. The device is to be quoted in High Availability active/active AND active/passive with required licenses and identical features on both units 15. Each device should be equipped with 2x10 Gig SFP+ Transceivers Multi Mode 17. Each device should have 2x240 GB SSD local storage minimum. Technical Specifications 18. Should be provided with licenses for IPS, Antispam Service, Advanced Malware Protection (AMP) (Antivirus, Mobile Malware, Botnet, CDR, Virus Outbreak Protection and Sandbox Cloud Service) and Web and Video Filtering Service, Application Control. 19. Should be supplied with 10 Virtual System, Security context licenses 20. It should have inbuilt feature of Two-Factor Authentication (2FA) for SSL-VPN and for Admin login, without needing a separate software/hardware to deploy the solution. 21. The NGFW proposed should be NSS recommended for Next Generation Firewall 2019 22. The NGFW appliance should be able to scan HTTP traffic and intercept HTTPS/SSL web traffic without requiring additional appliance 23. The NGFW appliance should be able to send logs to the Centralized Logging and Reporting Appliance supplied along with this solution. OS 24. Upgradeable via Web UI or TFTP 25. The configurations on the device shall: 26. Be easily backup or restored via GUI and CLI to/from local PC, remote centralized management or USB disk 27. Provide CLI command configuration file that is readable by Windows Notepad 28. Have option for encrypted backup file 29. Have revisions listed on GUI for ease of use. The display shall allow revert to selected revision and configuration diff between 2 selected revisions. Administrators shall be able to add comments for each revision. 30. The proposed system shall minimally provide management access through: 31. GUI using HTTP or HTTPs access which administration service port can be configured, example via tcp port 8080 32. CLI console using console port, SSHv2, telnet or on GUI-s dashboard 33. The proposed system shall offer option to automatically redirect HTTP management access to HTTPS 34. The proposed system shall have option to implement local administrator password policy enforcement 35. The administrator authentication shall be facilitated by local database, PKI & remote services such as Radius, LDAP and TACACS+ 36. The proposed system shall support profile base login account administration, offering gradual access control such as only to Policy Configuration & Log Data Access 37. From certain trusted network or host with corresponding administrator account 38. The proposed system should be able to facilitate administration audits by logging detailed activities to event log - management access and also configuration changes. Integration 39. Identity Systems - Active Directory service, RADIUS, NAC system, endpoint management system 40. External threat feeds: URL list, IP list, domain name list and malware file hash. Network 41. Administrators shall be able to adjust the maximum transmission unit (MTU) of the packets that the proposed system transmits to improve network performance 42. Administrators shall be able to configure physical interfaces on the proposed system for one-armed sniffer 43. Administrators shall be able to combine two or more physical interfaces to provide link redundancy. This feature allows administrators to connect to two or more switches to ensure connectivity if one physical interface, or the equipment on that interface, fails. In a redundant interface, traffic travels only over one interface at a time. 44. The proposed system shall support multiple virtual wire pairs that logically bind two physical interfaces so that all traffic from one of the interfaces can exit only through the other interface if allowed by firewall policy. 45. The proposed system shall support wildcard VLANs for a virtual wire pair. Doing this allows all VLAN-tagged traffic to pass through a virtual wire pair if a virtual wire pair firewall policy allows the traffic. 46. The proposed system shall support various enterprise DNS settings, including: 47. Support for both IPv4 and IPv6 routes 48. Ability to define static routes with administrative distance and priority. Priority, which will artificially weight the route during route selection. The higher the priority number, the less likely the route is to be selected over other routes. 49. Ability to define destinations in static routes using IP subnet, firewall address (including FQDN type) objects, and Internet service objects. Internet service objects are IP lists mapped to popular Internet services and are residing on a dynamically updated database. 50. The proposed system shall support blackhole routing. Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator won't discover any information from the target network. 51. The proposed system shall support reverse path lookup (anti-spoofing). This feature can be disabled to enable asymmetric routing. 52. The proposed system shall support IPv4 policy routing 53. The proposed system shall support Open Shortest Path First (OSPF), OSPFv2 and OSPFv3 routing protocols. 54. The proposed system shall support BGP4 and BGP4+ routing protocols. HA Thex proposed system shall support high availability with industry-standard VRRP with the following characteristics: 55. Be able to function as a primary (master) or backup Virtual Router Redundancy Protocol (VRRP) device and can be quickly and easily integrated into a network that has already deployed VRRP 56. Be able integrated into a VRRP group with any third-party VRRP devices 57. Supports IPv4 and IPv6 VRRP 58. The proposed system shall support high availability by setting up a cluster with the following characteristics: 59. Supports up to 4 cluster members 60. Supports 2 HA modes; active-passive (failover HA) and active-active (load balancing HA) 61. Cluster units communicate with each other through their heartbeat interfaces. SDWAN SD-WAN 62. The proposed system shall support aggregation of up to 255 interfaces to create a virtual WAN link. 63. The proposed system shall support performance SLA (also known as health checks) settings which are used to monitor WAN interfaces link quality and to detect link failures. They can be used to remove routes, and to reroute traffic when an SD WAN member cannot detect the server. The settings should include: 64. Predefined performance SLA profiles such as Office 365, AWS and Gmail 65. Health check probes using IPv4/IPv6 Ping and HTTP 66. Selection of multiple destinations( or servers) to probe 67. Interfaces relating to the performance SLA profile 68. The proposed system shall allow SLA targets to be created. These are a set of constraints that are used in SD-WAN rules to control the paths that traffic take. These constraints should include: 69. Latency threshold 70. Jitter threshold 71. Packet loss threshold 72.The proposed system shall provide settings to the charactistics of probes, including check interval, link failure and restoration considerations. 73. The proposed system shall provide option to disable the implicated static route when an interface is inactive. 74. The proposed system shall allow organizations to define SD-WAN rules that are used to control how sessions are distributed to SD-WAN interfaces. The definition of these rules shall include: 75. Source: address and/or user group 76. Destination: address, applications and/or dynamic IP database 77. Path control strategies 78. The proposed system shall provide the following path control strategies: 79. The proposed system shall provide implicit an SD-WAN rule for sessions that do not meet the conditions of defined rules. This implicit rule shall offer the following load balancing algorithms with the ability to assign weight on each member interfaces: 80. Source IP: The system divides traffic equally between the interfaces. However, sessions that start at the same source IP address use the same path 81. Sessions: The system distributes the workload based on the number of sessions that are connected through the interfaces. 82. Spillover: If the amount of traffic bandwidth on an interface exceeds the ingress or egress thresholds that organization set for that interface, the system sends additional traffic through one of the other member interfaces. 83. Source-Destination IP: Sessions that start at the same source IP address and go to the same destinatio
• Documents:

 Tender Notice