Types of firewalls

Last update: September 26 2024

Types of firewalls

You can rent two types of firewalls:

• hardware firewall — a separate device for handling traffic;
• virtual firewall — software that is deployed in a virtualized environment, such as on a cloud server or in VMware-based public cloud.

Comparison of hardware and virtual firewalls⁠

	Hardware	Virtual
In what form is it provided	Rack-mounted, public and LAN-connected firewall	Licensed firewall image. You self-deploy the image in the product of your choice — on a cloud server, public or private cloud based on VMware
FSTEC certification	Type A Certificates (Continent and UserGate models are certified)	Type B certificates
Changing the configuration (number of vCPUs, RAM and disk size)	Order another model and reset the setting	Order service again and reconfigure the server on which the image is deployed. Re-configuration is not required
Connectivity to the protected infrastructure in one private subnetwork	Possible with dedicated servers in the same pool. In other cases it is necessary to use the following to organize connectivity global router	Possible with cloud servers in the same pool or virtual machines in the same VMware organization. In other cases, you must use the following to organize connectivity global router
What is included in the price	Hardware firewall with a public address	A firewall image with a license for the selected functionality. The infrastructure on which the image is deployed is charged separately

Hardware firewalls⁠

	Selectel	Fortinet FG-100E	Fortinet FG-500E	UserGate C150	UserGate D200	UserGate D500	Cisco 5508	Continent 4 IPC-R550	CheckPoint Quantum Spark 1800
DOE Throughput, Gbps	4,9	7,4	36	3,8	18	20	0,5	6	7,5 17 for 1518 UDP
IPS bandwidth, Gbps	0,93	✗	✗	0,4	1,8	2	0,125	2	5,5
IPSec VPN bandwidth, Gbps	1,96	4	20	3	14	16	0,175	1	4
SSL-VPN throughput, Gbps	2,26	0,25	5	3	14	16	0,125	✗	2
Available interfaces	2×1GE RJ45	16×1GE RJ45	8×1GE RJ45 2×10GE SFP	8×1GE RJ45	5×1GE RJ45 2×1GE SFP	5×1GE RJ45 2×1GE SFP	8×1GE RJ45	4x1GE RJ45 2x10G SFP 2xCombo RJ45 2xCombo SFP	16×1GE RJ45
FSTEC certification	✗	✗	✗	✓	✓	✓	✗	✓	✗

Virtual firewalls⁠

In order for throughput to reach the claimed values, the server on which the image will be deployed must be compliant with the configuration requirements.

	UserGate VE100	UserGate VE250	UserGate VE500	UserGate VE1000	UserGate VE2000	UserGate VE4000	UserGate VE6000
DOE bandwidth, UDP, Gbps	0,8	8	9	10	11	11,5	12
Recommended number of users	up to 100	up to 250	up to 500	up to 1,000	up to 2,000	up to 4,000	up to 6,000
Simultaneous TCP sessions	2 000 000	2 000 000	5 000 000	8 000 000	16 000 000	20 000 000	24 000 000
New sessions per second	24 000	100 000	120 000	130 000	150 000	155 000	160 000
SSL Inspection, Gbps	0,05	0,3	0,32	0,35	0,6	0,65	0,7
IPS bandwidth, Gbps	0,6	1,3	1,35	1,4	1,8	2,1	2,4
Content filtering (if ordered add-on module ATP), Gbps	0,15	1,3	1,5	1,8	2,5	2,8	3,1
Application control L7 (when ordered add-on module ATP), Gbps	0,7	1,5	1,7	1,8	2,5	2,8	3,1
Streaming antivirus (when ordering add-on module Stream Anivirus), Gbps	0,15	1,3	1,5	1,8	2,5	2,8	3,1
FSTEC certification	✓	✓	✓	✓	✓	✓	✓

Configuration requirements⁠

The required parameters of the server on which the corresponding image will be deployed are specified. The server of the selected configuration is not included in the cost of the virtual firewall and payable Separately.

	UserGate VE100	UserGate VE250	UserGate VE500	UserGate VE1000	UserGate VE2000	UserGate VE4000	UserGate VE6000
10/100/1000Base-T ports	up to 8	up to 8	up to 8	up to 8	up to 8	up to 8	up to 8
10GBase SFP+ ports	Up to 8 when using VMXNET3 virtual adapters
Number of vCPUs	2	4	6	8	16	24	up to 32
RAM, GB	8	8	16	16	32	32	64
Disk, GB	100	300	300	300	300	300	500

UserGate VE add-on modules⁠

Additional modules allow you to extend the functionality of the UserGate VE firewall to include advanced traffic filtering and protection from external threats.

Additional modules are not included in the price of the image and are charged extra. You can add them when ordering a firewall or add to an existing one by file a ticket.

Fault tolerance cluster	Solution for assembling two nodes into a fault-tolerant cluster in Active-Passive mode
Advanced Threat Protection (ATP)	Content and Internet traffic filtering based on morphological analysis in accordance with the requirements of Russian legislation, blocking advertising and controlling access to social networks
Stream Antivirus (AV)	Checks traffic for malicious code by analyzing the signatures of received files and applications. It allows blocking the bulk of malicious files and has virtually no impact on system performance. Information from various computer incident response centers, including the Bank of Russia's FinCERT and the NCCI's GOV-CERT, is used in developing the rules
Mail Security	Protection of e-mail from spam and viruses. Filtering is performed in several stages — by connections, source address, destination address, and e-mail content. The IP address of the spam sender's SMTP server is blocked at the stage of creating an SMTP connection, which allows to unload other methods of checking e-mail for spam and viruses