Firewall types

Last update: May 30 2026

You can rent two types of firewalls:

• hardware firewall — a dedicated device for traffic processing;
• virtual firewall — software deployed in a virtual environment, for example, on a cloud server or in a public VMware-based cloud.

Comparison of hardware and virtual firewalls

	Hardware	Virtual
In what form it is provided	Firewall mounted in a rack and connected to the public and local network	Licensed firewall image. You deploy the image yourself in the selected product — on a cloud server, or in a public or private VMware-based cloud
FSTEC certification	Type A certificates (Continent and UserGate models are certified)	Type B certificates
Changing the configuration (number of vCPUs, amount of RAM, and disk size)	Order a different model and reconfigure it	Order the service again and change the configuration of the server on which the image is deployed. No reconfiguration required
Connectivity with the protected infrastructure in one private subnet	Possible with dedicated servers in one pool. Otherwise, you must use a Global Router to establish connectivity	Possible with cloud servers in one pool or virtual machines in one VMware organization. Otherwise, you must use a Global Router to establish connectivity
What is included in the price	Hardware firewall with a public address	Firewall image with license: for the selected functionality; and additional modules. The infrastructure where the image is deployed is paid for separately

Hardware firewalls

	Selectel	Fortinet FG-100E	Fortinet FG-500E	UserGate C150	UserGate D200	UserGate D500	Cisco 5508	Continent 4 IPC-R550	CheckPoint Quantum Spark 1800
Firewall throughput, Gbit/s	0.9	7.4	36	3.8	18	20	0.5	6	7.5 17 for 1518 UDP
IPS throughput, Gbit/s	0.9	✗	✗	0.4	1.8	2	0.125	2	5.5
IPSec VPN throughput, Gbit/s	0.9	4	20	3	14	16	0.175	1	4
SSL-VPN throughput, Gbit/s	0.9	0.25	5	3	14	16	0.125	✗	2
Available interfaces	2×1GE RJ45	16×1GE RJ45	8×1GE RJ45 2×10GE SFP	8×1GE RJ45	5×1GE RJ45 2×1GE SFP	5×1GE RJ45 2×1GE SFP	8×1GE RJ45	4×1GE RJ45 2x10GE SFP 2xCombo RJ45 2xCombo SFP	16×1GE RJ45
FSTEC certification	✗	✗	✗	✓	✓	✓	✗	✓	✗

Virtual firewalls

To ensure throughput reaches stated values, the server on which the image is deployed must meet the configuration requirements.

	UserGate VE100	UserGate VE250	UserGate VE500	UserGate VE1000	UserGate VE2000	UserGate VE4000	UserGate VE6000
Firewall throughput, UDP, Gbit/s	0.8	8	9	10	11	11.5	12
Recommended number of users	Up to 100	Up to 250	Up to 500	Up to 1 000	Up to 2 000	Up to 4 000	Up to 6 000
Concurrent TCP sessions	2 000 000	2 000 000	5 000 000	8 000 000	16 000 000	20 000 000	24 000 000
New sessions per second	24 000	100 000	120 000	130 000	150 000	155 000	160 000
SSL inspection, Gbit/s	0.05	0.3	0.32	0.35	0.6	0.65	0.7
IPS throughput, Gbit/s	0.6	1.3	1.35	1.4	1.8	2.1	2.4
Content filtering (when ordering additional module ATP), Gbit/s	0.15	1.3	1.5	1.8	2.5	2.8	3.1
L7 application control (when ordering additional module ATP), Gbit/s	0.7	1.5	1.7	1.8	2.5	2.8	3.1
Stream Antivirus (when ordering additional module Stream Antivirus), Gbit/s	0.15	1.3	1.5	1.8	2.5	2.8	3.1
FSTEC certification	✓	✓	✓	✓	✓	✓	✓

Configuration requirements

Specified are the required parameters for the server on which the corresponding image will be deployed. The server of the selected configuration is not included in the virtual firewall price and is paid for separately.

	UserGate VE100	UserGate VE250	UserGate VE500	UserGate VE1000	UserGate VE2000	UserGate VE4000	UserGate VE6000
10/100/1000Base-T ports	Up to 8	Up to 8	Up to 8	Up to 8	Up to 8	Up to 8	Up to 8
10GBase SFP+ ports	Up to 8 when using VMXNET3 virtual adapters
Number of vCPUs	Up to 2	Up to 4	Up to 6	Up to 8	Up to 16	Up to 24	Up to 32
RAM, GB	8	8	16	16	32	32	64
Disk, GB	100	300	300	300	300	300	500

Additional modules

Additional modules allow you to expand the functionality of the UserGate VE firewall: enable deep packet inspection and protection against external threats.

Additional modules are included in the price of the firewall image.

If you have already ordered a firewall without additional modules and want to connect them, cancel the service and order a firewall again at the new price.

Intrusion Detection and Prevention System (IDS/IPS)	Detects and blocks malicious activity inside the network or from the internet. The system uses heuristic analysis and pattern analysis of known attacks. Upon detecting malicious activity, the system terminates the connection, notifies the administrator, and saves an attack record
Advanced Threat Protection (ATP)	Content and internet traffic filtering based on morphological analysis in accordance with RF legal requirements, ad blocking, and social media access control
Stream Antivirus (AV)	Scans traffic for malicious code by analyzing signatures of received files and applications. This allows you to block the majority of malicious files with practically no impact on system performance. Rules are developed using information from various computer incident response centers, including FinCERT of the Bank of Russia and GOV-CERT of the National Coordination Center for Computer Incidents (NCCCI)
Mail Security	Protects email from spam and viruses. Filtering is performed in several stages — by connection, source address, destination address, and email content. The sender's SMTP server IP address is blocked at the SMTP connection creation stage, which helps offload other spam and virus scanning methods