Discover the benefits of a next generation firewall. There’s a lot to keep track of, but we’ve captured all of it in this comprehensive list. Read through this must-know material before you invest.

General requirements

• The vendor of the gateway software must have at least 20 years of experience in the security market
• The vendor must exclusively provide Internet security solutions.
• The vendor must provide evidence of year over year leadership positions in enterprise firewall, UTM firewalls and intrusion prevention based on independent security industry data.
• The vendor must be capable of serving the entire scope of security gateway requirements, including throughput, connection rate and next generation security application enablement for all network deployments, from small office to data center in a single hardware appliance.

The vendor must have a virtualized security gateway solution that can support the enablement of all next generation firewall security applications, including intrusion protection, application control, URL filtering, Anti-Bot, Anti-Virus, Sandboxing all managed from a central platform.

The next generation gateway must be capable of supporting these next generation security applications on a unified platform:

• Stateful Inspection Firewall
  Intrusion Prevention System
• User Identity Acquisition
• Application Control and URL filtering
• Anti – Bot and Anti – Virus
• Threat Emulation (Sandboxing)
• Threat Extraction (scrubbing)
• Anti – Spam and Email Security
• IPSec VPN
• Data Loss Prevention
• Mobile Access
• Logging and Status
• Event Correlation and Reporting
• These applications must be exclusively supplied by and managed by the vendor.
• The vendor solution must provide a mechanism to constantly educate end users of the security policy in real time.
• The vendor must supply all industry certifications of the solution.

Vendor must have the capability to mitigate Distributed Denial of Service attacks

Requirements for Next Generation Firewall

• The security gateway must use Stateful Inspection based on granular analysis of communication and application state to track and control the network flow.
• The security gateway must be capable of supporting throughput, connection rate, and concurrent connections requirements of the customer
• Solution must support access control for at least 150 predefined services/protocols
  Must provide security rule hit count statistics to the management application.
• Must allow security rules to be enforced within time intervals to be configured with an expiry date/time.
• The communication between the management servers and the security gateways must be encrypted and authenticated with PKI Certificates.
• The firewall must support user, client and session authentication methods.
• The following user authentication schemes must be supported by the security gateway and VPN module: tokens (ie -SecureID), TACACS, RADIUS and digital certificates
  Solution must include a local user database to allow user authentication and authorization without the need for an external device
• Solution must support DHCP, server and relay
• Solution must support HTTP & HTTPS proxy
• Solution must include the ability to work
• Transparent/Bridge mode

Solution must support gateway high availability and load sharing with state synchronization

IPv6 Support

• Solution must support Configuration of dual stack gateway on a bond interface, OR on a sub-interface of a bond interface
  Solution must support IPv6 traffic handling on IPS and APP module, Firewall, Identity Awareness, URL Filtering, Antivirus and Anti-Bot
• Solution must Support 6 to 4 NAT, or 6 to 4 tunnel
• Solution must support AD integration using ipv6 traffic
• Solution must support Smart view tracker / smart log able to show ipv6 traffic

Platform shall support ability to display IPv6 routing table separated per customer security context in CLI and GUI (EMS/Portal)

Solution shall support the following Ipv6 RFCs:

• RFC 1981 Path Maximum Transmission Unit Discovery for IPv6
• RFC 2460 IPv6 Basic specification
• RFC 2464 Transmission of IPv6 Packets over Ethernet Networks
• RFC 3596 DNS Extensions to support IPv6
• RFC 4007 IPv6 Scoped Address Architecture
• RFC 4193 Unique Local IPv6 Unicast Addresses
• RFC 4213 Basic Transition Mechanisms for IPv6 Hosts and Routers – 6in4 tunnel is supported.
• RFC 4291 IPv6 Addressing Architecture (which replaced RFC1884)
• RFC 4443 ICMPv6
• RFC 4861 Neighbor Discovery
• RFC 4862 IPv6 Stateless Address Auto-configuration

Intrusion Prevention System

• Vendor must provide evidence of year over year leadership position of Gartner Magic Quadrant for Intrusion Prevention solutions and/or Enterprise network Firewall Gartner Magic Quadrant
• IPS must be based on the following detection mechanisms: exploit signatures, protocol anomalies, application controls and behavior-based detection
• IPS and firewall module must be integrated on one platform.
• The administrator must be able to configure the inspection to protect internal hosts only
• IPS must have options to create profiles for either client or server based protections, or a combination of both
• IPS must provide at least two pre-defined profiles/policies that can be used immediately
• IPS must have a software based fail-open mechanism, configurable based on thresholds of security gateways CPU and memory usage
• IPS must provide an automated mechanism to activate or manage new signatures from updates
• IPS must support network exceptions based on source, destination, service or a combination of the three
• IPS must include a troubleshooting mode which sets the in use profile to detect only, with one click without modifying individual protections
• IPS application must have a centralized event correlation and reporting mechanism
• The administrator must be able to automatically activate new protections, based on configurable parameters (performance impact, threat severity, confidence level, client protections, server protections)
• IPS must be able to detect and prevent the following threats: Protocol misuse, malware communications, tunneling attempts and generic attack types without predefined signatures
• For each protection the solution must include protection type (server-related or client related), threat severity, performance impact, confidence level and industry reference
• IPS must be able to collect packet capture for specific protections
• IPS must be able to detect and block network and application layer attacks, protecting at least the following services: email services, DNS, FTP, Windows services (Microsoft Networking)
• Vendor must supply evidence of leadership in protecting Microsoft vulnerabilities
• IPS and/or Application Control must include the ability to detect and block P2P & evasive applications
• The administrator must be able to define network and host exclusions from IPS inspection
  Solution must protect from DNS Cache Poisoning, and prevents users from accessing blocked domain addresses
  Solution must provide VOIP protocols protections
• IPS and/or Application Control must detect and block remote controls applications, including those that are capable tunneling over HTTP traffic
• IPS must have SCADA protections
• IPS must have a mechanism to convert SNORT signatures
• Solution must enforce Citrix protocol enforcement
• Solution must allow the administrator to easily block

Inbound and/or outbound traffic based on countries, without the need to manually manage the IP ranges corresponding to the country

User Identity Acquisition

• Must be able to acquire user identity by querying Microsoft Active Directory based on security events
• Must have a browser based User Identity authentication method for non-domain users or assets
• Must have a dedicated client agent that can be installed by policy on users” computers that can acquire and report identities to the Security Gateway
• The solution should integrate seamlessly with directory services, IF-MAP and Radius
  CPU usage impact on the domain controllers must be less than 3%.
• The identity solution should support terminal and citrix servers
• The Solution should allow identification through a proxy (example: X-forwarded headers)
• Must be able to acquire user identity from Microsoft Active Directory without any type of agent installed on the domain controllers
• Must support Kerberos transparent authentication for single sign on
• Must support the use of LDAP nested groups
• Must be able share or propagate user identities between multiple security gateways
• Must be able to create identity roles to be used across all security applications
• Identity Tags support the use of tags defined by an external source to enforce users, groups or machines in Access Roles matching
• Improved SSO Transparent Kerberos Authentication for Identity Agent, LDAP groups are extracted from the Kerberos ticket
• Two Factor Authentication for Browser-Based Authentication (support for RADIUS challenge/response in Captive Portal and RSA SecurID next Token/Next PIN mode)

Identity Collector

• Support for Syslog Messages – ability to extract identities from syslog notifications
• Support for NetIQ eDirectory LDAP Servers.
• Additional filter options – “Filter per Security Gateway” and “Filter by domain”
• Improvements and stability fixes related to Identity Collector and Web API
• New configuration container for Terminal Servers Identity Agents.
• Active Directory cross-forest trust support for Terminal Servers Agent
• Identity Agent automatic reconnection to prioritized PDP gateways
• Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
• Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
• Enhancements to Terminal Servers Agent for better scaling and compatibility.

Application Control and URL Filtering

• Application control database must contain more than 6000 known applications.
• Solution must have a URL categorization that exceeds 200 million URLs and covers more than 85% of Alexa’s top 1M sites
• Solution must be able to create a filtering rule with multiple categories
• The Solution can inspect HTTPS based URL Filtering without requiring SSL decryption
• Solution must be able to create a filtering for single site being supported by multiple categories.
• Solution must have users and groups granularity with security rules
• The security gateway local cache must give answers to 99% of URL categorization requests within 4 weeks in production
  The solution must have an easy to use, searchable interface for applications and URLs
• The solution must categorize applications and URLs and applications by Risk Factor
• The application control and URLF security policy must be able to be defined by user identities
• The application control and URLF database must be updated by a cloud based service
• The solution must have unified application control and URLF security rules
• The solution must provide a mechanism to inform or ask users in real time to educate them or confirm actions based on the security policy
• The solution must provide a mechanism to limit application usage based on bandwidth consumption
• The solution must allow network exceptions based on defined network objects
• The solution must provide the option to modify the Blocking Notification and to redirect the user to a remediation page
• Solution must include a Black and White lists mechanism to allow the administrator to deny or permit specific URLs regardless of the category
• Solution must provide an override mechanism on the categorization for the URL database
• Improved scalability and resilience.
• Extended troubleshooting capabilities.
• Improved performance, diagnostics and monitoring tools.
• Enhancement to Server Name Indicators (SNI) classifications.

Anti-Bot and Anti-Virus

• Vendor must have an integrated Anti-Bot and Anti-Virus application on the next generation firewall
• Anti-bot application must be able to detect and stop suspicious abnormal network behavior
• Anti-Bot application must use a multi-tiered detection engine, which includes the reputation of IPs, URLs and DNS addresses and detect patterns of bot communications
• Anti-Bot protections must be able to scan for bot actions
  The solution should support detection & prevention of Cryptors & ransomware viruses and variants (e.g. Wannacry, Cryptlocker , CryptoWall…) through use of static and/or dynamic analysis
• The solution should have mechanisms to protect against spear phishing attacks

DNS based attacks – The solution should have detection and prevention capabilities for C&C DNS hideouts:

• Look for C&C traffic patterns, not just at their DNS destination
• Reverse engineer malware in order to uncover their DGA (Domain Name Generation)
• DNS trap feature as part of our threat prevention, assisting in discovering infected hosts generating C&C communication
• The solution should have detection and prevention capabilities for DNS tunneling attacks
• Anti-Bot and Anti-Virus policy must be administered from a central console
• Anti-Bot and Anti-Virus application must have a centralized event correlation and reporting mechanism
• Anti-virus application must be able to prevent access to malicious websites
• Anti-virus application must be able to inspect SSL encrypted traffic
• Anti-Bot and Anti-Virus must be have real time updates from a cloud based reputation services
• Anti-Virus must be able to stop incoming malicious files
• Anti-Virus must be able to scan archive files
• Anti-Virus and Anti-Bot policies must be centrally managed with granular policy configuration and enforcement
• The Anti-Virus should support scanning for links inside emails

The Anti-Virus should Scan files that are passing on CIFS protocol

Threat Emulation (sandboxing)

The solution must provide the ability to Protect against zero-day & unknown malware attacks before static signature protections have been created:

• Real-Time Prevention-unknown malware patient-0 in web browsing
• Real-Time Prevention-unknown malware patient-0 in email

Deployment Topologies:

• The solution should be part of a complete multi-layered threat prevention architecture (with IPS,AV,AB,URLF,APP FW)
• The solution should support Network based Threat emulation
• The solution should support Host based Threat emulation
• The solution should provide both onsite and cloud based implementations
• Pure cloud solution
• The solution should support 3rd party integration (public API)
• The solution should support deployment in inline mode
• The solution should support deployment in MTA (Mail Transfer Agent) mode
• The solution should support deployment in TAP/SPAN port mode
• The solution should not require separate infrastructure for email protection & web protection
  Device must support cluster installation.

Files Supported – The solution should be able to emulate executable, archive files ,documents, JAVA and flash specifically:

7z
cab
csv
doc
docm
docx
dot
dotm
dotx
exe
jar
pdf
potx
pps
ppsm
ppsx
ppt
pptm
pptx
rar
rtf
scr
swf
tar
xla
xls
xlsb
xlsm
xlsx
xlt
xltm
xltx
xlw
zip
pif
com
gz
bz2
tgz
apk (android)
ipa (iphone)
ISO
js
cpl
vbs
jse
vba
vbe
wsf
wsh

Protocols – The solution should be able to emulate executable, archive files, documents, JAVA and flash specifically within various protocols:

HTTP
HTTPS
FTP
SMTP
CIFS (SMB)
SMTP TLS

OS support:

The emulation engine should support multiple OS”s such as XP and Windows7, 8,10 32/64bit including customized images
The solution must support prepopulated LICENSED copies of Microsoft windows and office images through an agreement with Microsoft
The engine should detect API calls, file system changes, system registry, network connections, system processes
The solution should support static analysis for windows, mac OS-X, Linux or any x86 platform

Sandboxing Technology

• The emulation engine should be able to inspect, emulate, prevent and share the results of the sandboxing event into the anti-malware infrastructure
• The solution should be able to perform pre-emulation static filtering the solution would enable emulation of file sizes larger than 10 Mb in all types it supports
• The solutions should support automated machine learning based detection engines
• The solution should detect the attack at the exploitation stage – i.e. before the shell-code is executed and before the malware is downloaded/executed.
• The solution should be able to detect ROP and other exploitation techniques (e.g. privilege escalation) by monitoring the CPU flow
• The solution must be able to support scanning links inside emails for 0-days & unknown malware
• The solution must be able to scan history URLs recorded from emails last X days and check if rating changed (example: from clean to malicious rating)
• Average Emulation time of a suspected malware verdict as benign should be no more than 1 minute
• Average Emulation time of a suspected malware verdict as malware should be no more than 3 minutes
• The threat emulation solution should allow for “Geo Restriction” which enables emulations to be restricted to a specific country
• The solution must provide the ability to Increase security with automatic sharing of new attack information with other gateways in means of signature updates etc.
• The emulation engine should exceed 90% catch rate on Virus Total tests where known malicious pdf”s and exe”s are modified with “unused” headers in order to demonstrate the solutions capability to detect new, unknown malware
• The solution should detect C&C traffic according to dynamic ip/url reputation
• The solution should be able to emulate and extract files embedded in documents
• The solution should be able to scan documents containing URLs

System Activity Detection
The solution should monitor for suspicious activity in:

• API calls
• File system changes
• System registry
• Network connections
• System processes
• File creation and deletion
• File modification
• Kernel code injection
• Detect Privilege escalation attempts
• Kernel modifications (memory changes performed by kernel code, not the fact that a driver is loaded – this is covered by the item above)
• Kernel code behavior (monitor activity of non user-mode code)
• Direct physical CPU interaction
• UAC(user access control) bypass detection
• Anti-Evasion Technology
• The solution should have anti-evasion capabilities detecting sandbox execution
• Solution should be resilient to cases where the shell-code or malware would not execute if they detect the existence of virtual environment. (proprietary hypervisor)
• Solution should be resilient to delays implemented at the shell code or malware stages.
• Solution should be resilient to cases where the shell-code or malware would execute only upon a restart or a shutdown of the end point.
• Solution should be resilient to delays implemented at the shell code or malware stages.

Solution should be resilient to cases where the shell-code or malware would execute only upon a restart or a shutdown of the end point.

User interaction

• Human Emulation: Solution should emulate real user activities such as mouse clicks, key strokes etc.
• Icon similarity: the solution should be able to identify icon that are similar to popular application documents
• Evasion within flash file (swf)

Management & Reporting

• The solution must provide the ability to be centrally managed
• Upon malicious files detection, a detailed report should be generated for each one of the malicious files.The detailed report must include:
  
• Screen shots
• Time lines
• Registry key creation/modifications
• File and processes creation

Network activity detected

Threat Extraction (File Scrubbing/Flattening)

• The solution should Eliminate threats and remove exploitable content, including active content and embedded objects
• The solution should be able to Reconstruct files with known safe elements
• The solution should Provide ability to convert reconstructed files to PDF format

The solution should Maintain flexibility with options to maintain the original file format and specify the type of content to be removed

Anti-Spam & Email Security

• Anti-Spam and Email security application must be content and language agnostic
• Anti-Spam and Email security application must have real-time classification and protections based on detected spam outbreaks which are based on patterns and not content
• The Anti-Spam and Email security application must include IP reputation blocking based on an online service to avoid false positives
• Solution must include a Zero-hour protection mechanism for new viruses spread through email and spam without relying solely in heuristic or content inspection
• Enhanced Support for POP3 and IMAP protocols – Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail over the POP3 protocol and improve inspection of e-mail over the IMAP protocol.
• Improved Threat Emulation inspection for files behind shortened links (requires an enabled Anti-Virus blade).
  Enhanced Protection against BaseStriker – MTA Gateways now protect against maliciouse mails with URLs that use the BaseStriker technique.
• Bounce Messages Behavior Change – modifies the configuration of the MTA so that it tries to send bounce messages only once whether it reaches its destination or not.
• Enhanced Support for Files behind Bitly Links – the body of an email sometimes includes customized Bitly links that point to files.
• [Beta] Click-Time URL Protection – the MTA gateway can now re-write links in incoming emails. When users click on them, the resources (web sites or files) behind the links have inspections again. This prevents delayed attacks where attackers replace the resource behind the link after the email delivery.

[Beta] Anti-Phishing Engine – the MTA gateway introduces a new State of the Art Anti-Phishing engine. This design alerts against and prevents sophisticated phishing, spear phishing, and targeted phishing attacks.

Other Threat Prevention

• Dynamic, Domain and Updatable Objects can be used in Threat Prevention and HTTPS Inspection Policies.

IPsec VPN

• Internal CA and External third party CA must be supported
• Solution must support 3DES and AES-256 cryptographic for IKE Phase I and II IKEv2 plus “Suite-B-GCM-128” and “Suite-B-GCM-256” for phase II
• Solution must support at least the following Diffie-Hellman Groups: Group 1 (768 bit), Group 2 (1024 bit), Group 5 (1536 bit), Group 14 (2048 bit), Group 19 and Group 20
• Solution must support data integrity with md5, sha1 SHA-256, SHA-384 and AES-XCBC
• Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.
• Remote Access VPN – Use machine certificate to distinguish between corporate and non-corporate assets and to set apolicy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
• Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
• Enhancing route refresh for improved handling of BGP routing inconsistencies.
• Solution must support the VPN configuration with a GUI using drag and drop object addition to VPN communities
• Solution must support clientless SSL VPNs for remote access.
• Solution must support L2TP VPNs, including support for iPhone L2TP client
• Solution must allow the administrator to apply security rules to control the traffic inside the VPN
• Solution must support domain based VPNs and route based VPNs using VTI’s and dynamic routing protocols
• Solution must include the ability to establish VPNs with gateways with dynamic public IPs

Solution must include IP compression for client-to-site and site-to-site VPNs

Solution must include support for site-to-site VPN in the following topologies:

• Full Mesh (all to all),
• Star (remote offices to central site)
• Hub and Spoke (remote site through central site to another remote site)

Security Management

• Solution must be able to segment the rule base in a sub-policy structure in which only relevant traffic is being forwarded to relevant policy segment for an autonomous system
• Solution must be able to segment the rule base in favor of delegation of duties in which changes in one segment will not affect other segments on the same autonomous system
• Solution must be able to segment the rule base in a layered structure
• Solution must be able to segment the rule base to allow structure flexibility to align with dynamic networks
• Solution must be able to re-use segment of the rule base (e.g. use same segment of rules on different policy packages)
• Solution must have the granularity of administrators that works on parallel on same policy without interfering each other
• Solution must integrate logs, audit logs in one console to have context while working on the security policy
• Solution must be able to install threat related protections and access related rules separately in order to allow managing it by separate teams
• Security management application must support role based administrator accounts. For instance roles for firewall policy management only or role for log viewing only
• Solution must include a Certificate-based encrypted secure communications channel among all vendor distributed components belonging to a single management domain
• Solution must include an internal x.509 CA (Certificate Authority) that can generate certificates to gateways and users to allow easy authentication on VPNs
• Solution must include the ability to use external CAs, that supports PKCS#12, CAPI or Entrust standards
• All security applications must be managed from the central console
• The management must provide a security rule hit counter in the security policy
• Solution must include a search option to be able to easily query which network object contain a specific IP or part of it
• Solution must include the option to segment the rule base using labels or section titles to better organize the policy
• Solution must provide the option to save the entire policy or specific part of the policy
• Solution must have a security policy verification mechanism prior to policy installation
• Solution must have a security policy revision control mechanism with the option to compare revisions.
• Solution must provide the option to add management high availability, using a standby management server that is automatically synchronized with the active one, without the need for an external storage device
• Solution must include the ability to centrally distribute and apply new gateway software versions
• Solution must include a tool to centrally manage licenses of all gateways controlled by the management station
• Solution must have the capabilities for multi-domain management and support the concept of global security policy across domains
• The management GUI should have the ability to easily exclude IP address from the IPS signature definition
• The Log Viewer should have the ability to easily exclude IP address from the IPS logs when detected as false positive
• The management GUI should have the ability to easily get to IPS signature definition from the IPS logs
• The Log Viewer should have the ability view all of the security logs (fw,IPS ,urlf…) in one view pane (helpful when troubleshooting connectivity problem for one IP address )
• The Log Viewer should have the ability to create filter using the predefined object names (hosts ,network, groups, users…)
• The Log Viewer should have the ability to create custom multiple “saved filter” for use at a later time
• Solution must combine policy configuration and log analysis in a single pane, in order to avoid mistakes and achieve confidence of the change.
• Policy management solution must provide logs of similar rules to the user as he creates or modifies rules
• Solution GUI must provide one-click navigation between policies.
• Solution GUI must provide quick jumps between sub-policies and section titles.
• Solution GUI must provide a comprehensive search across all policies.
• Policy management must provide search of rules by packets, even without having logs of that packet in the system. Search should be integrated in the same pane as the policy configuration and return all results within few seconds.
• Security management solution must provide lookup of all references to any given network object in all of its policies and settings (= where used).
• Solution must provide built-in ticket management. A set of changes on the security policy must be automatically associated to a session in order to achieve proper accountability and documentation.
• Security management server must self-contain all validations, triggers and business processes in order to provide stable and reliable service for any user-defined client that is operating through its API.
• Security management must provide set of built-in security best practices which provide automatic score for various security regulations (= within compliance blade).
• Security management must have option to alert users on possible misconfiguration in a central place, while still provide them a way to add exceptions to these possible misconfigurations (= compliance blade)
• User should provide NAT details for a network object in the scope of the network object. The inferred NAT rules should be added automatically to the NAT policy.
• User should be able to seamlessly treat IPV4, IPV6 and dynamic network objects in the same policy
• Security gateway should inspect network traffic, application context and data & content within 1 rule.
• IPS system should provide automatic actions on IPS Protections based on the user’s definitions of his critical assets
• IPS system should provide several intelligent profiles in the axis of security vs. throughput.
• Security management GUI must have same design language and capabilities in its single-domain as well as its multi-domain deployment.
• Security management must support automatic live synchronizations of its domains in high-availability deployment.
• Built-in SIEM system should have complete customization of overviews and reports generation for every logged event in every security field (access, threat prevention)
• Built-in SIEM system must have drill-down from the high-level security event to the granular logs that composed it.
• Solution must provide a one-click way to replace one object with another in all its database references
• Policy window should contain a detailed history for every rule including who changed it.
• Solution must support copy-pasting between security policies.
• Automatic download of IPS updates by the Security Gateway
• Support for multiple Threat Emulation Private Cloud Appliances
• Support for blocking archives containing prohibited file typesMulti-Domain Server
• Back up and restore an individual Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
• Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server to become a Security Management Server.

Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.

SmartTasks and API

• New Management API authentication method that uses an auto-generated API Key.
• New Management API commands to create cluster objects.
  SmartTasks – Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.

Advanced Threat Prevention

• Advanced forensics details for Threat Prevention logs
• Ability to import Cyber Intelligence Feeds to the Security Gateway using custom CSV and Structured Threat Information Expression (STIX)
• FTP protocol inspection with Anti-Virus and SandBlast Threat Emulation
• Consolidated Threat Prevention dashboard provides full threat visibility across networks, mobile devices and endpoints
• Automatic updates to Threat Extraction Engine.
• Dynamic, Domain and Updatable Objects in Threat Prevention and HTTPS Inspection policies.
• Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
• Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
• Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
• Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.
• Support layer sharing within Threat Prevention policy

Support setting different administrator permissions per Threat Prevention layer

MTA Enforcement

• Replacing malicious links in an email with a configurable template
• Configurable format for textual attachments replacement
• Ability to add a customized text to malicious e-mails’ body or subject
• Tagging malicious-mails using X-header
• Sending a copy of the malicious e-mail to a predefined recipients list

Threat Prevention Updates

• Vendor must provide the details of its threat prevention update mechanism and its ability to handle zero day attacks across all next generation threat prevention applications including IPS, Application Control, URL filtering, Anti-Bot and Anti-Virus
• Vendor must provide details on the re-categorization of URL, under the circumstances that a website has been comprised and possibly distributing malware
• Vendor should have the capability to provide incident handling

Logging & Monitoring

• The central logging must be part of the management system. Alternatively administrators can install dedicated Log Servers
• Solution must provide the option to run on the management server or on a dedicated server
• Solution must be able to run on an X86 based open servers listed on a hardware compatibility list
• Solution must have the ability to log all rules (+100k logs/sec)
• Log viewer must have a free text search capability
• Solution must have the ability to log all integrated security applications on the gateway and including IPS, Application Control, URL Filtering, Anti-Virus, Anti-Bot, Anti – Spam, User Identity, Data Loss Prevention, Mobile Access
• Solution must include an automatic packet capture mechanism for IPS events to provide better forensic analysis
• Solution must provide different logs for regular user activity and management related logs
• Solution must be able to move from security log record to the policy rule with one mouse click.
• For each match rule or type of event Solution must provide at least the following event options: Log, alert, SNMP trap, email and execute a user defined script
• The logs must have a secure channel to transfer logging to prevent eavesdropping, Solution must be authenticated and encrypted
• The logs must be securely transferred between the gateway and the management or the dedicated log server and the log viewer console in the administrator’s PC
• Solution must include the option to dynamically block an active connection from the log graphical interface without the need to modify the rule base
• Solution must support exporting and importing logs in database format
• Solution must support automatic switch of the log file, based on a scheduled time or file size
• Solution must support adding exceptions to IPS enforcement from the log record
• Solution must be able to associate a username and machine name to each log record
• Solution must include a graphical monitoring interface that provides an easy way to monitor gateways status
• Solution must provide graphical system information for each gateway: OS, CPU usage, memory usage, all disk partitions and % of free hard disk space
• Solution must provide the status of each gateway components (i.e. firewall, vpn, cluster, antivirus, etc)
  Solution must include the status of all VPN tunnels, site-to-site and client-to-site
• Solution must include customizable threshold setting to take actions when a certain threshold is reached on a gateway. Actions must include: Log, alert, send an SNMP trap, send an email and execute a user defined alert
• Solution must include preconfigured graphs to monitor the evolution in time of traffic and system counters: top security rules, top P2P users, vpn tunnels, network traffic and other useful information.
• Solution must provide the option to generate new customized graphs with different chart types
• Solution must include the option to record traffic and system views to a file for later viewing at any time
• Solution must be able to recognize malfunctions and connectivity problems, between two points connected through a VPN, and log and alert when the VPN tunnel is down.

Event Correlation and Reporting

• Solution must be fully integrated in the management application
• Solution must include a tool to correlate events from all the gateway features and third party devices
• Solution must allow the creation of log filters based on any characteristic of the event such as security application, source and destination IP, service, event type, event severity attack name, country of origin and destination, etc.
• The application must have a mechanism to assign these filters to different graph lines that are updated in regular intervals showing all events that matches that filter. Allowing the operator to focus on the most important events
• The event correlation application must supply a graphical view events based on time
• Solution must show the distribution of events per country on a map
• Solution must allow the administrator to group events based on any of its characteristics, including many nesting levels and export to PDF
• Solution must include the option to search inside the list of events, drill down into details for research and forensics.
• The event list view Solution must include the option to automatically generate small graphs or tables with the event, source and destination distribution
• Solution must detect Denial of Service attacks correlating events from all sources
• Solution must detect an administrator login at irregular hour
• Solution must detect credential guessing attacks
• Solution must report on all security policy installations
• Solution must include predefined hourly, daily, weekly and monthly reports. Including at least Top events, Top sources, Top destinations, Top services, Top sources and their top events, Top destinations and their top events and Top services and their top events
• The reporting tool must support at least 25 filters that allow to customize a predefined report to be closest to administrator’s needs
• Solution must support automatic reports scheduling for information that is needed on a regular basis (daily, weekly, and monthly). Solution must also allow the administrator to define the date and time that reporting system begins to generate the scheduled report
• Solution must support the following reports formats: HTML, CSV and MHT
• Solution must support automatic report distribution by email, upload to FTP/Web server and an external custom report distribution scriptThe reporting system must provide consolidated information about:
• The volume of connections that were blocked by security rule.
• Top sources of blocked connections, their destinations and services
• Top Rules used by the security policy
• Top security attacks detected by enforcement point (perimeter) determining their the top sources and destinations
• Number of installed and uninstalled policies in the enforcement point
• Top networking services
• Web activity by user detailing the top visited sites and top web users
• Top services that created most load for encrypted traffic

Top VPN users performing the longest duration connections

Management Portal

• Solution must include a browser based access to view in read-only the security policies, manage firewall logs and users providing access to managers and auditors without the need to use the management application
• Solution must include SSL support and configurable port

Data Loss Prevention (DLP)

• Vendor must have an option to add a fully integrated Data Loss Prevention application
• DLP policy must be centrally managed with all other security applications
• DLP application must have a mechanism for end user self-incident handling
• DLP application must have over 500 pre-defined data types
• DLP must have an open scripting language to create customer data types relevant to any organization
• DLP must alert the data owner when an incident occurs
• DLP application must cover transport types SMTP, HTTP/HTTPS, and FTP TCP protocols

Mobility

• The vendor should have an option to provide a fully integrated secure mobility solution on the next generation firewall
• The solution must support both managed and unmanaged access devices, such as BYOD

Best Practice Governance Risk and Compliance (GRC)

• Vendor must have an option to provide a fully integrated Governance Risk and Compliance application
• Vendor must have an option for Real Time Compliance Monitoring across all security services in the product
• Vendor must have an option to Deliver real-time assessment of compliance with major regulations (PCI-DSS,HiPPA,SOX…)
• Vendor must have an option for Instant notification on policy changes impacting compliance
• Vendor must have an option to Provide actionable recommendations to improve compliance
• Vendor must have an option to recommend Security Best Practices
• Vendor must have an option to Translate regulatory requirements into actionable security best practices
• Vendor must have an option to Monitor constantly gateway configuration with the security best practices
• Vendor must have an option to Generate automated assessment reports for compliance rating with top regulations
• Vendor must have an option to Fully Integrate into Software Architecture & Management infrastructure

Vendor must have an option to Check compliance with every policy change for all Network Security Software Blades

SSL Inspection (inbound / outbound)

• The Solution offers support for SSL Inspection/Decryption with leading performance across all threat mitigation technologies
• The solution should support Perfect Forward Secrecy (PFS , ECDHE cipher suites)
• The solution should support AES-NI,AES-GCM for improved throughput
• Threat emulation/sandboxing should be integrated with SSL Inspection
• The Solution should leverage the URL filtering data base to allow administrator to create granular https inspection policy
• Check Point’s Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
• Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS Inspection capabilities.
  HTTPS Inspection layer Provides these new capabilities:
  A new Policy Layer in SmartConsole dedicated to HTTPS Inspection.
• Different HTTPS Inspection layers can be used in different policy packages.
• Sharing of a HTTPS Inspection layer across multiple policy packages.

API for HTTPS Inspection operations

Security Gateway Sizing and Recommendations

• Vendor must have a dedicated hardware solution to meet all next generation requirements of the customer
  Vendor must be able to supply a recommended hardware configuration based on the criteria of real world traffic and next generation security applications provided by the customer.

Vendor must be able to supply the recommended platform for any combination of these next generation firewall application, with supporting evidence that the appliance will perform as expected.

Sizing Internet Bandwidth Requirements should include: 

• Total Throughput requirements
  Security gateway with 100 security rules
• Network Address Translation enabled
• Logging Enabled
• Maximum Users
• IMIX traffic blend of HTTP, SMTP, DNS

Sizing should be measured with the following Next Generation Firewall engines and configurations enabled:

• Firewall
• Intrusion Prevention
• Application Control and URL filtering
• Anti-Bot
• Anti-Virus
• Threat Emulation & Extraction
• IPsec VPN
• Data Loss Prevention
• Anti-Spam
• Local or remote management
• Clustering or high availability

Network Interface requirements

IoT Security

• The solution should be able to collect IoT devices and traffic attributes from certified IoT discovery engines (Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis.
• The solution should be able to configure a new IoT dedicated policy layer in policy management.
• The solution should be able to configure and manage security rules that are based on the IoT devices’ attributes.

Zero Touch

Solution should be Plug & Play – setup process for installing an appliance- eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

Endpoint Security

• The solution should support BitLocker encryption for Full Disk Encryption.
• The solution should support external Certificate Authority certificates for Endpoint Security client
• Policy should control level of notifications to end users
• The solution should support Persistent VDI environments in Endpoint Policy Management
• The solution must provide the ability to protect against zero-day and unknown malware attacks before static signature protections have been created
• The solution should support Real-Time prevention for ransomware
• The solution should support real-time prevention for script and macro-based malware
• Ransomware prevention should include:
  • Ransomware prevention
  • Behavioral analysis on the device
  • Offline protection
  • Integration with forensics
  • Support for pure screen lockers
  • Support for file encryptions
  • Support for disk encryptions (pre-boot, MB. Ex:Petya)
  • Machine learning
  • Evasion proof
• Data restoration should be supported and support:
  • Network share
  • Intelligent backups (low impact on performance)
  • Support for multiple file types via policies
  • Backup size limitation
  • Backup is stored and protected – can’t be encrypted
  • Automatic restoration
  • Dedicated agent backup solution
    • Manual restoration
    • The solution should support Zero Phishing
    • The solution should support credentials reused prevention
    • The solution should have forensics capabilities that include:
      • Automated incident response
      • Integration with SiEM
      • Reveal full attack damage
      • Provide information for C&C type attacks
      • Automated remediation
      • In-depth manual search- Threat Hunting
      • Automated incident analysis
      • Process sensors
      • Registry sensors
      • URL sensors
      • File data sensors
      • Kernel level sensors
      • Show the differences across books
      • Events highlights
      • Suspicious events
      • Integration with 3rd parties
      • Entry points reports
      • The solution should have the ability for additional security components
        • URLF
        • Firewall
        • Application Control
        • Full disk encryption
        • Media encryption