Types of firewalls

Last update: April 04 2024

Types of firewalls

You can rent two types of firewalls:

• hardware firewall — A separate device to handle traffic;
• A virtual firewall is software that is deployed in a virtual environment, such as on a cloud server or in a VMware-based public cloud.

Comparison of hardware and virtual firewalls⁠

	Hardware	Virtual
In what form is provided	Rack-mounted, publicly and locally networked firewall	Licensed firewall image. You deploy the image yourself in the product of your choice — on a cloud server, public or private cloud based on VMware
FSTEC certification	Type A certificates (Continent and UserGate models are certified)	Type B certificates
Change configuration (number of vCPUs, RAM and disk size)	Order another model and reconfigure	Order service again and reconfigure the server on which the image is deployed. No reconfiguration required
Connectivity with protected infrastructure in one private subnet	Possible with dedicated servers in the same pool. In other cases, you must use global router	Possible with cloud servers in the same pool or virtual machines in the same VMware organization to organize connectivity. In other cases, you must use global router
What is included in the price	Hardware firewall with public address	Firewall image with license for selected functionality. Infrastructure on which the image is deployed is charged separately

Hardware firewalls⁠

	Selectel	Fortinet FG-100E	Fortinet FG-500E	UserGate C150	UserGate D200	UserGate D500	Cisco 5508	Continent 4 IPC-R550	CheckPoint Quantum Spark 1800
DOE Throughput, Gbps	4.9	7,4	36	3.8	18	20	0.5	6	7.5 17 for 1518 UDP
IPS throughput, Gbps	0.93	✗	✗	0.4	1.8	2	0.125	2	5.5
IPSec VPN throughput, Gbps	1,96	4	20	3	14	16	0.175	1	4
SSL-VPN throughput, Gbps	2.26	0.25	5	3	14	16	0,125	✗	2
Available interfaces	2×1GE RJ45	16×1GE RJ45	8×1GE RJ45 2×10GE SFP	8×1GE RJ45	5×1GE RJ45 2×1GE SFP	5×1GE RJ45 2×1GE SFP	8×1GE RJ45	4×1GE RJ45 2x10G SFP 2xCombo RJ45 2xCombo SFP	16×1GE RJ45
FSTEC Certification	✗	✗	✗	✓	✓	✓	✗	✓	✗

Virtual firewalls⁠

In order for throughput to reach the advertised values, the server on which the image will be deployed must meet configuration requirements.

	UserGate VE100	UserGate VE250	UserGate VE500	UserGate VE1000	UserGate VE2000	UserGate VE4000	UserGate VE6000
DOE bandwidth, UDP, Gbps	0.8	8	9	10	11	11,5	12
Recommended number of users	up to 100	up to 250	up to 500	up to 1,000	up to 2,000	up to 4,000	up to 6,000
Simultaneous TCPsessions	2 000 000	2 000 000	5 000 000	8 000 000	16 000 000	20 000 000	24 000 000
New sessions per second	24 000	100 000	120 000	130 000	150 000	155 000	160 000
SSL Inspection, Gbps	0.05	0.3	0.32	0,35	0.6	0.65	0.7
IPS throughput, Gbps	0.6	1.3	1.35	1.4	1.8	2.1	2.4
Content filtering (when ordering optional ATP module), Gbps	0.15	1.3	1.5	1.8	2.5	2.8	3.1
L7 Application Control (when ordering optional ATP module), Gbps	0.7	1.5	1.7	1.8	2.5	2.8	3.1
Stream Anivirus (when ordering optional module Stream Anivirus), Gbps	0.15	1.3	1.5	1.8	2.5	2.8	3.1
FSTEC Certification	✓	✓	✓	✓	✓	✓	✓

Configuration requirements⁠

Specifies the required parameters of the server on which the corresponding image will be deployed. The server of the selected configuration is not included in the price of the virtual firewall and is billed separately.

	UserGate VE100	UserGate VE250	UserGate VE500	UserGate VE1000	UserGate VE2000	UserGate VE4000	UserGate VE6000
Ports 10/100/1000Base-T	up to 8	up to 8	up to 8	up to 8	up to 8	up to 8	up to 8
10GBase SFP+ Ports	Up to 8 when using VMXNET3 virtual adapters
vCPU, cores	2	4	6	8	16	24	up to 32
RAM, GB	8	8	16	16	32	32	64
Disk, GB	100	300	300	300	300	300 300	500

UserGate VE add-on modules⁠

Additional modules allow you to extend the functionality of UserGate VE firewall to include advanced traffic filtering and protection from external threats.

Additional modules are not included in the price of the image and are charged extra. You can add them when ordering a firewall, or add them to an existing one by creating a ticket.

Fault-tolerant cluster	Solution for assembling two nodes into a fault-tolerant cluster in Active-Passive mode
Advanced Threat Protection (ATP)	Content and Internet traffic filtering based on morphological analysis in accordance with the requirements of the Russian legislation, blocking advertising and controlling access to social networks
Stream Antivirus (AV)	Checking traffic for malicious code by analyzing signatures of received files and applications. Allows you to block the bulk of malicious files and has virtually no impact on system performance. Information from various computer incident response centers, including the Bank of Russia's FinCERT and the NCCI's GOV-CERT
Mail Security	Protecting email from spam and viruses. Filtering is performed in several stages — by connections, source address, destination address, and email content. The IP address of the spam sender's SMTP server is blocked at the stage of creating an SMTP connection, thus offloading other methods of checking mail for spam and viruses