Datasheet NGF Annexe

Uploaded by

Haitam Souissi

Datasheet

Forcepoint
Next Generation Firewall
FORCEPOINT NEXT GENERATION FIREWALL (NGFW) CONNECTS AND PROTECTS
DISTRIBUTED ENTERPRISE NETWORKS – DATA CENTERS, EDGE, BRANCHES, AND
THE CLOUD – WITH THE HIGHEST EFFICIENCY, AVAILABILITY AND SECURITY.
WITH FORCEPOINT NGFWS, ORGANIZATIONS CAN CUT TCO BURDENS, ELIMINATE
PRACTICALLY ALL NETWORK DOWNTIME, AND SLASH THEFT WITHOUT
COMPROMISING PERFORMANCE.

Forcepoint Next Generation Firewall (NGFW) combines fast, flexible networking with industry-leading security to connect and protect people and the data they use throughout diverse, evolving enterprise networks. Designed from the ground up for high availability and scalability as well as centralized management with full 360° visibility, Forcepoint NGFWs provide consistent capabilities, performance and manageability across physical, virtual and cloud systems.

Forcepoint’s unique Intelligence Inspection Engine tailors access control and deep inspection to each connection to provide high performance as well as high security. It brings together granular application control, intrusion prevention system (IPS) defenses, and built-in virtual private network (VPN) control and mission-critical application proxies all in an efficient, extensible, and highly scalable design. Our powerful anti-evasion technologies decode and normalize network traffic – before inspection and across all protocol layers – to expose and block the most advanced attack methods.

BLOCK SOPHISTICATED DATA BREACH ATTACKS
Large data breaches continue to plague businesses and organizations across industries. Now you can fight back with application-layer exfiltration protection. Forcepoint NGFWs can selectively and automatically block network traffic originating from PCs, laptops, servers, file shares, and other endpoint devices based on highly granular endpoint contextual data. It goes beyond typical firewalls to prevent attempted exfiltration of sensitive data from endpoints via unauthorized programs, web applications, users, and communications channels.

KEEP PACE WITH CHANGING SECURITY NEEDS
A unified software core enables Forcepoint NGFW to easily change security roles, from firewall/VPN to IPS to layer 2 firewall, in dynamic business environments. Forcepoint NGFWs can be deployed in a variety of ways – as physical, virtual, and cloud appliances – all managed together.

HIGH SCALABILITY AND AVAILABILITY SECURES YOUR BUSINESS-CRITICAL APPLICATIONS
Today’s businesses demand fully resilient network security solutions. Forcepoint NGFW builds high scalability and availability in at all levels:

Active-active, mixed clustering: Up to 16 nodes, of different models running different versions, can be clustered together, providing superior performance and resiliency for demanding security applications, such as deep packet inspection and VPNs.

Transparent session failover: Provides industry-leading availability and serviceability of security systems. Policy updates and even software upgrades can be pushed to a cluster seamlessly without interrupting service.

Multi-Link network clustering: Extends high availability coverage to network and VPN connections. Provides the confidence of non-stop security that can take advantage of local broadband connections to complement or replace expensive leased lines like MPLS.

www.forcepoint.com 1
Forcepoint Next Generation Firewall (NGFW)

Forcepoint Management Center

UNMATCHED PROTECTION KEEPS YOUR BUSINESS IN BUSINESS


Every day attackers get better at penetrating enterprise networks, applications, data centers, and endpoints. Once inside, they can steal intellectual property, customer information, and other sensitive data, causing irreparable damage to businesses and reputations.

Increasingly, attackers are using advanced evasion techniques (AETs) that are able to bypass most of today’s security network devices. AETs deliver malware piecemeal across network layers or protocols using techniques such as masking and obfuscation. Once inside networks, threats are reassembled where they can hide, exfiltrating sensitive data for days, months, or even years.

Forcepoint NGFW applies layered threat discovery techniques to network traffic, identifying applications and users at a granular level so that security policies can be applied according to business rules. Then it performs specialized deep packet inspection, including advanced techniques such as full stack normalization and horizontal data stream-based inspection. These techniques fully normalize traffic flows, enabling Forcepoint NGFW to properly inspect all protocols and layers to expose AETs and traffic anomalies that evade other next-generation firewalls.

In addition, Forcepoint NGFW provides high-performance decryption of encrypted traffic such as HTTPS web connections, combined with granular privacy controls that keep your business – and your users – safe in a rapidly changing world.

KEY BENEFITS
• The best protection for your business and digital assets
• Blocks endpoint data exfiltration attempts
• Adapts easily to your security needs
• Scales effortlessly as your business grows
• Optimizes productivity of employees and customers
• Lowers TCO for security and network infrastructure

KEY FEATURES
• High-performance decryption with granular privacy controls
• Application layer exfiltration protection
• Advanced evasion prevention
• Unified software core design
• Many options for security and network infrastructure
• Powerful centralized management
• Built-in IPsec and SSL VPN
• Sidewinder security proxies for mission-critical applications


FORCEPOINT NEXT GENERATION FIREWALL (NGFW) SPECIFICATIONS

SUPPORTED PLATFORMS

Appliances: Multiple hardware appliance options, ranging from branch office to data center installations

Cloud Infrastructure: Amazon Web Services

Virtual Appliance: x86 64-bit based systems; VMware ESXi and KVM virtualized environment

Supported Roles: Firewall/VPN (layer 3), IPS mode (layer 2), and Layer 2 Firewall

Virtual Contexts: Virtualization to separate logical contexts (FW, IPS, or L2FW) with separate interfaces, addressing, routing, and policies

FIREWALL/VPN FUNCTIONAL ROLE

General: Stateful and stateless packet filtering, transparent deep packet inspection, advanced application level proxies for HTTP and SSH, generic application level proxies for TCP and UDP

User Authentication: Internal user database, LDAP, Microsoft Active Directory, RADIUS, TACACS+

High Availability:
• Active-active/active-standby firewall clustering up to 16 nodes
• Stateful failover (including VPN connections)
• Server load balancing
• Link aggregation (802.3ad)
• Link failure detection

ISP Multi-Homing: Multi-Link network clustering: high availability and load balancing between multiple ISPs, including VPN connections, Multi-Link VPN link aggregation, QoS-based link selection

IP Address Assignment:
• FW clusters: static, IPv4, IPv6
• FW single nodes: IPv4 static, DHCP, PPPoA, PPPoE; IPv6 static, SLAAC, DHCPv6
• Services: DHCP Server for IPv4 and DHCP relay for IPv4

Address Translation:
• IPv4, IPv6
• Static NAT, source NAT with port address translation (PAT), destination NAT with PAT

Routing: Static IPv4 and IPv6 routes, policy-based routing, static multicast routing

Dynamic Routing: IGMP proxy, RIPv2, RIPng, OSPFv2, OSPFv3, BGP, PIM-SM, PIM-SSM

IPv6: Dual stack IPv4/IPv6, ICMPv6, DNSv6

SIP: Allows RTP media streams dynamically, NAT traversal, deep inspection, interoperability with RFC3261-compliant SIP devices

CIS Redirection: HTTP, FTP, SMTP protocols redirection to content inspection server (CIS)

Geo-Protection: Control access by source/destination country or continent

IP Address List: Control access by predefined IP categories or using custom IP address list

URL List: Control access by custom URL list

Sidewinder Security Proxies: TCP, UDP, HTTP, SSH

Forcepoint Web Security Redirect: Redirect HTTP/HTTPS traffic to the Forcepoint Cloud Web Security via IPSec tunnel for inbound and outbound web content inspection


IPsec VPN

Protocols: IKEv1, IKEv2, and IPsec with IPv4 and IPv6

Encryption: AES-128, AES-256, AES-GCM-128, AES-GCM-256, Blowfish, DES, 3DES

Message Digest Algorithms: AES-XCBC-MAC, MD5, SHA-1, SHA-2-256, SHA-2-512

Diffie-Hellman: DH group 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21

Authentication: RSA, DSS, ECDSA signatures with X.509 certificates, pre-shared keys, hybrid, XAUTH, EAP

Other:
• IPCOMP deflate compression
• NAT-T
• Dead peer detection
• MOBIKE

Site-to-Site VPN:
• Policy-based VPN, flexible route-based VPN
• Hub and spoke, full mesh, partial mesh topologies
• Forcepoint NGFW Multi-Link fuzzy-logic-based dynamic link selection
• Forcepoint NGFW Multi-Link modes: load sharing, active/standby, link aggregation

Mobile VPN:
• VPN client for Microsoft Windows
• Automatic configuration updates from gateway
• Automatic failover with Multi-Link
• Client security checks
• Secure domain logon

SSL VPN

Client-Based Access: Supported platforms: Android 4.0, Mac OS X 10.7, and Windows Vista SP2 (and newer versions)

Clientless Access (Not available for 110 and 115 models): Web Portal access to HTTP-based services via predefined services and free form URLs


INSPECTION

Anti-Botnet:
• Decryption-based detection
• Message length sequence analysis

Dynamic Context Detection: Protocol, application, file type

Protocol-Specific Normalization/Inspection/Traffic Handling: Ethernet, H.323, GRE, IPv4, IPv6, ICMP, IP-in-IP, IPv6 encapsulation, UDP, TCP, DNS, FTP, HTTP, HTTPS, IMAP, IMAPS, MGCP, MSRPC, NetBIOS Datagram, OPC Classic, OPC UA, Oracle SQL Net, POP3, POP3S, RSH, RSTP, SIP, SMTP, SSH, SunRPC, NBT, SCCP, SMB, SMB2, SIP, TCP Proxy, TFTP

Protocol-Independent Fingerprinting: Any TCP/UDP protocol

Evasion and Anomaly Detection:
• Multilayer traffic normalization
• Vulnerability-based fingerprints
• Fully upgradable software-based inspection engine
• Evasion and anomaly logging

Custom Fingerprinting:
• Protocol-independent fingerprint matching
• Regular expression-based fingerprint language
• Custom application fingerprinting

TLS Inspection:
• HTTPS client and server stream decryption and inspection
• TLS certificate validity checks
• Certificate domain name-based exemption list

Correlation: Local correlation, log server correlation

DoS/DDoS Protection:
• SYN/UDP flood detection
• Concurrent connection limiting, interface-based log compression
• Protection against slow HTTP request methods

Reconnaissance: TCP/UDP/ICMP scan, stealth, and slow scan detection in IPv4 and IPv6

Blocking Methods: Direct blocking, connection reset, blacklisting (local and distributed), HTML response, HTTP redirect

Traffic Recording: Automatic traffic recordings/excerpts from misuse situations

Updates:
• Automatic dynamic updates through Forcepoint Security Management Center (SMC)
• Current coverage of approximately 4,700 protected vulnerabilities


URL FILTERING

URL Categorization: Classify the URL in HTTP and HTTPS with the Forcepoint cloud service

Custom URL Lists: Match locally own URL sets

Protocols: HTTP, HTTPS

Forcepoint URL categorization: Control access using category-based URL filtering updated from the Forcepoint cloud

Database:
• More than 280 million top-level domains and sub-pages (billions of URLs)
• Support for more than 43 languages, 82 categories

Safe Search: Safe search usage enforcing for Google, Bing, Yahoo, DuckDuckGo web searches

ADVANCED MALWARE DETECTION AND FILE CONTROL

Protocols: FTP, HTTP, HTTPS, POP3, IMAP, SMTP

File Filtering: Policy-based file filtering with efficient down selection process. Over 200 supported file types in 19 file categories

File Reputation: High speed cloud based Malware reputation checking and blocking. Optionally reputation checks from McAfee TIE over DxL bus.

Anti-Virus: Local antivirus scan engine*

Zero-Day Sandboxing: Forcepoint Advanced Malware Detection cloud service. Optionally file sandboxing with McAfee ATD appliance

MANAGEMENT & MONITORING

Management Interfaces:
• Enterprise-level centralized management system with log analysis, monitoring and reporting capabilities
• See the Forcepoint Security Management Center datasheet for details.

SNMP Monitoring: SNMPv1, SNMPv2c, and SNMPv3

Traffic Capturing: Console tcpdump, remote capture through Forcepoint Security Management Center

High Security Management Communication: 256-bit security strength in engine-management communication

Security Certifications: Common Criteria Network Devices Protection Profile with Extended Package Stateful Traffic Filter Firewall, FIPS 140-2 crypto certificate, CSPN by ANSSI, (First Level Security Certification USGv6)

*Local anti-malware scan is not available with 110/115 appliances.

CONTACT
www.forcepoint.com/contact

ABOUT FORCEPOINT
© 2017 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.
[DATASHEET_FORCEPOINT_NGFW_EN] 100033.032417
