Types of firewalls

You can rent two types of firewalls:

hardware firewall - a separate device for traffic processing;
virtual firewall - Software that is deployed in a virtualized environment, such as a cloud server. cloud server or in a VMware-based public cloud.

Comparison of hardware and virtual firewalls

	Hardware	Virtual
In what form is it provided	Rack-mounted, public- and LAN-connected firewall	Licensed firewall image. You self-deploy the image in the product of your choice - on a cloud server, public or private cloud based on VMware
FSTEC certification	Type A Certificates (Continent and UserGate models are certified)	Type B certificates
Changing the configuration (number of vCPUs, RAM and disk size)	Order another model and reset the settings	Re-order service again and change the configuration of the server on which the image is deployed. Re-configuration is not required
Connectivity to the protected infrastructure in one private subnetwork	Possible with dedicated servers in the same pool. In other cases it is necessary to use a global router to organize connectivity	Possible with cloud servers in the same pool or virtual machines in the same VMware organization. In other cases, you must use a global router to organize connectivity
What is included in the price	Hardware firewall with a public address	Firewall image with license: on the selected functionality; and additional modules. The infrastructure on which the image is deployed is charged separately

Hardware firewalls

	Selectel	Fortinet FG-100E	Fortinet FG-500E	UserGate C150	UserGate D200	UserGate D500	Cisco 5508	Continent 4 IPC-R550	CheckPoint Quantum Spark 1800
DOE Throughput, Gbps	0,9	7,4	36	3,8	18	20	0,5	6	7,5 17 for 1518 UDP
IPS bandwidth, Gbps	0,9	✗	✗	0,4	1,8	2	0,125	2	5,5
IPSec VPN bandwidth, Gbps	0,9	4	20	3	14	16	0,175	1	4
SSL-VPN throughput, Gbps	0,9	0,25	5	3	14	16	0,125	✗	2
Available interfaces	2×1GE RJ45	16×1GE RJ45	8×1GE RJ45 2×10GE SFP	8×1GE RJ45	5×1GE RJ45 2×1GE SFP	5×1GE RJ45 2×1GE SFP	8×1GE RJ45	4x1GE RJ45 2x10G SFP 2xCombo RJ45 2xCombo SFP	16×1GE RJ45
FSTEC certification	✗	✗	✗	✓	✓	✓	✗	✓	✗

Virtual firewalls

In order for throughput to reach the claimed values, the server on which the image will be deployed must meet the configuration requirements.

	UserGate VE100	UserGate VE250	UserGate VE500	UserGate VE1000	UserGate VE2000	UserGate VE4000	UserGate VE6000
DOE bandwidth, UDP, Gbps	0,8	8	9	10	11	11,5	12
Recommended number of users	Up to 100	Up to 250	Up to 500	Up to 1,000	Up to 2,000	Up to 4,000	Up to 6,000
Simultaneous TCP sessions	2 000 000	2 000 000	5 000 000	8 000 000	16 000 000	20 000 000	24 000 000
New sessions per second	24 000	100 000	120 000	130 000	150 000	155 000	160 000
SSL Inspection, Gbps	0,05	0,3	0,32	0,35	0,6	0,65	0,7
IPS bandwidth, Gbps	0,6	1,3	1,35	1,4	1,8	2,1	2,4
Content filtering (when ordering the optional ATP module ), Gbps	0,15	1,3	1,5	1,8	2,5	2,8	3,1
L7 application control (when the optional ATP module is ordered ), Gbps	0,7	1,5	1,7	1,8	2,5	2,8	3,1
Stream Anivirus (if you order the Stream Anivirus add-on module ), Gbps	0,15	1,3	1,5	1,8	2,5	2,8	3,1
FSTEC certification	✓	✓	✓	✓	✓	✓	✓

Configuration requirements

The required parameters of the server on which the corresponding image will be deployed are specified. The server of the selected configuration is not included in the cost of the virtual firewall and is charged separately.

	UserGate VE100	UserGate VE250	UserGate VE500	UserGate VE1000	UserGate VE2000	UserGate VE4000	UserGate VE6000
10/100/1000Base-T ports	Up to 8	Up to 8	Up to 8	Up to 8	Up to 8	Up to 8	Up to 8
10GBase SFP+ ports	Up to 8 when using VMXNET3 virtual adapters
Number of vCPUs	Up to 2	Up to 4	Up to 6	Up to 8	Up to 16	Up to 24	Up to 32
RAM, GB	8	8	16	16	32	32	64
Disk, GB	100	300	300	300	300	300	500

Additional modules

Additional modules allow you to extend the functionality of UserGate VE firewall to include advanced traffic filtering and protection from external threats.

Optional modules are included in the cost of the firewall image.

If you have already ordered a firewall without additional modules and you want to connect them, cancel the service and reorder the firewall at the new price.

Intrusion Detection and Prevention System (PSB, IPS/IDS)	Detects and blocks malicious activity within the network or from the Internet. The system uses heuristic analysis and pattern analysis of known attack patterns. When malicious activity is detected, the system disconnects the connection, notifies the administrator, and saves a record of the attack
Advanced Threat Protection (ATP)	Content and Internet traffic filtering based on morphological analysis in accordance with the requirements of Russian legislation, blocking advertising and controlling access to social networks
Stream Antivirus (AV)	Checks traffic for malicious code by analyzing the signatures of received files and applications. It allows blocking the bulk of malicious files and has virtually no impact on system performance. Information from various computer incident response centers, including the Bank of Russia's FinCERT and the NCCI's GOV-CERT, is used in developing the rules
Mail Security	Protection of e-mail from spam and viruses. Filtering is performed in several stages - by connections, source address, destination address, and e-mail content. The IP address of the spam sender's SMTP server is blocked at the stage of creating an SMTP connection, which allows to unload other methods of checking e-mail for spam and viruses