Advanced Application and Infrastructure Security & Availability
Thunder CFW uncovers threats in SSL traffic and blocks access to malicious websites at the enterprise perimeter. It also protects high-value assets in the data center from network and Distributed Denial of Service (DDoS) attacks. A10 Thunder CFW offers the performance and the versatility you need to safeguard your applications, your users and your infrastructure.
The A10 Thunder Convergent Firewall (CFW) is a standalone security product, built on the A10 Networks Advanced Core Operating System (ACOS®) platform. Thunder CFW is the first converged security solution for service providers, cloud providers and large enterprises that includes:
- A powerful Secure Web Gateway that combines URL filtering, A10’s SSL Insight technology, and explicit proxy to increase security efficacy by decrypting SSL traffic at high speed and restricting access to undesirable websites.
- A high-performance Data Center Firewall with an integrated Layer 4 firewall, DDoS protection, and server load balancing. By uniting application delivery control and security on a single platform, Thunder CFW lowers hardware and operating costs.
- A scalable Gi/SGi Firewall with integrated DDoS protection and Carrier Grade Networking (CGN) for mobile carriers. The Gi/SGi Firewall protects mobile infrastructure with advanced policy enforcement.
- High-speed site-to-site IPsec VPN that enables enterprises and service providers to encrypt data at a massive scale and in the cloud.
With its data center efficient design and compact form factor, Thunder CFW provides an integrated security and application networking solution that minimizes rack space, power consumption and cooling costs.
- Stateful L4 network firewall
- Application Layer Gateways (FTP, TFTP, DNS and SIP)
- Web Application Firewall (WAF)
- DNS Application Firewall (DAF)
- Flood attack protection: SYN cookies, TCP/UDP/ICMP flood protection, DNS/HTTP flood protection
- Protocol attack protection: invalid packets, anomalous TCP flag combinations, packet size validation (ping of death)
- Resource attack protection: Slowloris, slow POST, and Sockstress protection, fragmentation
- Rate limiting: IP-based connection, HTTP, DNS request, DNS query, ICMP rate limiting
- Authentication methods: HTTP Basic, NTLM over HTTP, form-based, OCSP, TDS SQL Logon and SAML
- Authentication servers: LDAP, Active Directory, RADIUS, OCSP Responder, NTLM, Kerberos, RSA SecurID, Entrust IdentityGuard and SAML Identity Provider (IdP)
- Authentication relay: Kerberos, form-based, LDAP, WS-Federation, and Microsoft SharePoint and Outlook Web Access
- Extensive logging for audit
- Advanced Layer 4/Layer 7 server load balancing
- Fast HTTP, full HTTP proxy
- High-performance, template-based L7 switching with header/URL/domain manipulation
- Comprehensive L7 application persistence support
- Comprehensive load-balancing methods - round-robin, weighted round-robin (WRR), least connections (LC), fastest response and more
- Comprehensive IPv4/IPv6 support
- A10 Networks aFleX® TCL-based scripting technology - deep packet inspection and transformation for customizable, application-aware switching
- Global Server Load Balancing (GSLB)
- HTTP acceleration: HTTP connection multiplexing (TCP connection reuse), RAM caching, HTTP compression
- SSL acceleration: Hardware SSL offload, TLS 1.2 and 4096-bit SSL key support, Elliptic Curve Diffie-Hellman Exchange (ECDHE) and other ECC ciphers
- Stateful Layer 4 network firewall
- ALG protocol support for protocols with dynamic ports (including SIP, FTP)
- Integrated DDoS protection for NAT pools
- IP anomaly detection
- Carrier Grade NAT (CGN/CGNAT), Large Scale NAT (LSN), NAT444, NAT44
- Dual stack support, full native IPv6 management and features
- SLB-PT (Protocol Translation), SLB-64 (IPv4 to IPv6, IPv6 to IPv4)
- NAT64/DNS64, NAT46, DS-Lite, 6rd, LW4o6
- High-performance SSL decryption and encryption as a forward proxy
- Internet Content Adaptation Protocol (ICAP) support for data loss prevention
- Dynamic port decryption to detect and intercept SSL or TLS traffic regardless of TCP port number
- Forward proxy failsafe to bypass traffic when there is a handshake failure
- SSL Insight bypass based on hostname; bypass list scales up to 1 million Server Name Indication (SNI) values
- Multi-bypass list support
- Decryption of HTTPS, STARTTLS, SMTP, XMPP
- Client certificate detection and optional bypass
- Untrusted certificate handling using the Online Certificate Status Protocol (OCSP)
- TLS alert logging to log flow information from SSL Insight events
- SSL session ID reuse
- Firewall Load Balancing (FWLB)
- URL Classification Service powered by Webroot to selectively bypass trusted websites for SSL decryption**
- Optional monitoring and blocking of malicious or undesirable websites
- Transparent Forward Proxy
- Explicit Forward Proxy
- Proxy chaining
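As an added illustration of two items in the list above, port-independent detection of TLS handshakes and the SNI-based bypass decision, the following Python is example code written for this page; it is not code from the datasheet and does not show how ACOS implements SSL Insight. It parses a TLS ClientHello, extracts the server_name extension and checks the host name against a constructed bypass list. The ClientHello builder, the bypass-list entries, the wildcard convention and the verdict strings are all assumptions for the example; the decision never looks at the TCP port, which is why the same check works for TLS on any port.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Constructed test input for this example; a real ClientHello carries more
    cipher suites and extensions, which the parser below skips over anyway.
    """
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # ExtensionType server_name(0)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (fixed filler)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(ext)) + ext           # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(payload: bytes):
    """Return the lower-cased SNI host name from a TLS ClientHello, or None.

    None means: not a TLS handshake record, not a ClientHello, truncated, or no
    server_name extension. Every length field is bounds-checked before use.
    """
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    rec = payload[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) < hs_len:
        return None  # record is truncated: refuse to guess
    pos = 2 + 32  # skip client_version and random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]  # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]  # compression_methods
    if pos + 2 > len(hs):
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hs):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 5:
            continue
        lpos = 2  # skip server_name_list length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            lpos += 3
            if ntype == 0 and lpos + nlen <= len(edata):
                return edata[lpos:lpos + nlen].decode("ascii", "replace").lower()
            lpos += nlen
    return None


# Constructed bypass list: exact names, or "*." entries matching the name and its subdomains.
BYPASS_LIST = {"bank.example", "*.healthcare.example"}


def should_bypass(hostname: str, bypass_list) -> bool:
    for entry in bypass_list:
        if entry.startswith("*."):
            base = entry[2:]
            if hostname == base or hostname.endswith("." + base):
                return True
        elif hostname == entry:
            return True
    return False


def decide(payload: bytes, bypass_list=BYPASS_LIST) -> str:
    """Classify the first client bytes of a flow: 'bypass', 'decrypt' or 'not-tls'.

    The TCP port is deliberately not an input: the record header, not the port,
    identifies TLS, so a handshake on an unusual port is still classified.
    """
    sni = extract_sni(payload)
    if sni is None:
        return "not-tls"
    return "bypass" if should_bypass(sni, bypass_list) else "decrypt"


if __name__ == "__main__":
    for host in ("www.bank.example", "portal.healthcare.example", "cdn.example.net"):
        print(host, "->", decide(build_client_hello(host)))
```

A bypass entry is matched on the host name the client presents, so the decision is only as trustworthy as SNI itself; flows without SNI, or with a truncated hello, fall through to the non-TLS path here rather than being silently bypassed.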
Detection and mitigation capabilities are highly customizable. With 100% API programmability, SecOps and DevOps teams can use event-triggered scripts for greater operational agility. Thunder TPS also performs application-aware inspection on incoming packets and takes defined actions to protect the application. For example, the system can enforce limits on individual DNS query types, apply security checks to many parts of the HTTP header, and use regular expressions (regex) and Berkeley Packet Filter (BPF) expressions for high-speed pattern matching in policies.
With multiple performance options and flexible deployment models, Thunder TPS can be integrated into a network architecture of any size, including MPLS. With aXAPI, A10’s RESTful API, Thunder TPS integrates easily with third-party detection solutions, and by supporting open standards such as BGP blackholing, Thunder TPS mitigation works with any DDoS detection solution. Open APIs and networking-standards support enable tight integration with other devices, including A10 threat detection partners, SDN controllers, and other security products.
Thunder TPS supports an industry standard CLI, on-box GUI and the aGalaxy management system. The CLI allows sophisticated operators easy troubleshooting and debugging. The intuitive on-box GUI enables ease of use and basic graphical reporting. aGalaxy offers a comprehensive dashboard with advanced reporting, mitigation console, and policy enforcement for multiple TPS devices.
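The per-query-type DNS limits mentioned above, as an added Python example that is not part of the datasheet and does not reflect how ACOS or Thunder TPS implement them: a sliding-window limiter keyed on (source address, query type), run over a constructed set of queries in which one source bursts ANY queries while another performs ordinary A lookups. The limit values, the `*` default key, the addresses and the window length are assumptions for the example.

```python
from collections import defaultdict, deque

# Per-type limits: allowed queries per window per source. "*" is the default
# for types not listed. Values are assumptions chosen for the example.
LIMITS = {"ANY": 5, "TXT": 20, "*": 200}


class QueryTypeLimiter:
    """Sliding-window rate limiter keyed on (source IP, DNS query type)."""

    def __init__(self, limits, window_seconds=1.0):
        self.limits = limits
        self.window = window_seconds
        self.history = defaultdict(deque)  # key -> timestamps of allowed queries

    def check(self, src, qtype, ts):
        """Return "allow" or "drop" for a query from src of type qtype seen at time ts."""
        limit = self.limits.get(qtype, self.limits.get("*"))
        if limit is None:
            return "allow"  # no limit configured for this type and no default
        q = self.history[(src, qtype)]
        cutoff = ts - self.window
        while q and q[0] <= cutoff:  # expire entries that left the window
            q.popleft()
        if len(q) >= limit:
            return "drop"  # dropped queries do not consume budget
        q.append(ts)
        return "allow"


# Constructed query log: (timestamp, source, qtype, qname). The ANY burst from
# 198.51.100.7 exceeds its limit; the A lookups from 203.0.113.9 do not, and an
# ANY query a full window later is admitted again.
SAMPLE_QUERIES = (
    [(round(i * 0.05, 2), "198.51.100.7", "ANY", "example.com") for i in range(8)]
    + [(0.10, "203.0.113.9", "A", "example.com"),
       (0.20, "203.0.113.9", "A", "www.example.com"),
       (1.30, "198.51.100.7", "ANY", "example.com")]
)


def run_policy(queries, limits=LIMITS, window_seconds=1.0):
    """Apply the limiter to queries in time order.

    Returns (verdicts, summary): verdicts is a list of
    (ts, src, qtype, qname, verdict) and summary counts verdicts.
    """
    limiter = QueryTypeLimiter(limits, window_seconds)
    verdicts = []
    for ts, src, qtype, qname in sorted(queries):
        verdicts.append((ts, src, qtype, qname, limiter.check(src, qtype, ts)))
    summary = defaultdict(int)
    for *_, verdict in verdicts:
        summary[verdict] += 1
    return verdicts, dict(summary)


if __name__ == "__main__":
    rows, counts = run_policy(SAMPLE_QUERIES)
    for row in rows:
        print(row)
    print(counts)
```

Keying on the source as well as the type means one abusive resolver cannot exhaust the ANY budget for everyone; a real deployment would also cap the number of tracked keys so the state table itself cannot be grown without bound.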
*Features may vary by appliance
**Additional paid service
Thunder CFW also leverages the A10 Harmony™ architecture to provide open and standards-based programmability, which offers rapid integration with management and orchestration systems, consistent policy enforcement and telemetry. The A10 Networks aGalaxy® Centralized Management System delivers everything that organizations need to configure, monitor and troubleshoot all A10 Thunder solutions, including Thunder CFW.
Model Comparisons
| Thunder CFW Hardware Specifications | Thunder 840 | Thunder 1030S | Thunder 3030S | Thunder 3040 | Thunder 3230 | Thunder 3430 | Thunder 4440 | Thunder 5330 | Thunder 5440 | Thunder 5840 | Thunder 6440 | Thunder 7440 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Data Center Firewall | | | | | | | | | | | | |
| DCFW Throughput | 5 Gbps | 10 Gbps | 30 Gbps | 30 Gbps | 25 Gbps | 38 Gbps | 70 Gbps | 70 Gbps | 90 Gbps | 100 Gbps | 150 Gbps | 220 Gbps |
| DCFW Layer 4 CPS | 200k | 300k | 500k | 500k | 1.4 million | 2 million | 2.8 million | 2.8 million | 3.5 million | 4.5 million | 4.5 million | 6.5 million |
| DCFW Concurrent Sessions | 8 million | 16 million | 32 million | 32 million | 32 million | 64 million | 64 million | 64 million | 128 million | 128 million | 256 million | 256 million |
| DCFW Rules | 8k | 8k | 16k | 16k | 16k | 32k | 32k | 32k | 64k | 64k | 128k | 128k |
| Secure Web Gateway*1\|*2 | | | | | | | | | | | | |
| SSLi Throughput | 0.5 Gbps | 1.5 Gbps | 2.5 Gbps | 2.5 Gbps | 3.5 Gbps | 5.5 Gbps | 8 Gbps | 10 Gbps | 15 Gbps | 20 Gbps | N/A | N/A |
| SSLi CPS | RSA (1K): 500, RSA (2K): 300 | RSA (1K): 4k, RSA (2K): 3k | RSA (1K): 8k, RSA (2K): 6k | RSA: 8k, ECDHE: 4.5k | RSA: 12.5k, ECDHE: 7k | RSA: 18k, ECDHE: 10k | RSA: 22k, ECDHE: 10k | RSA: 30k, ECDHE: 15k | RSA: 35k, ECDHE: 20k | RSA: 50k, ECDHE: 25k | N/A | N/A |
| IPsec VPN*2 | | | | | | | | | | | | |
| IPsec Throughput | 1.5 Gbps | 6 Gbps | 8 Gbps | N/A | 15 Gbps | 30 Gbps | 30 Gbps | 35 Gbps | 35 Gbps | 35 Gbps | N/A | N/A |
| IPsec Tunnels | 50 | 100 | 1k | 1k | 1k | 4k | 4k | 4k | 8k | 8k | 20k | 20k |
| Network Interface | | | | | | | | | | | | |
| 1 GE Copper | 5 | 6 | 6 | 6 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 GE Fiber (SFP) | 0 | 2 | 2 | 2 | 4 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1/10 GE Fiber (SFP+) | 2 | 2 | 4 | 4 | 4 | 4 | 24 | 8 | 24 | 24 | 48 | 48 |
| 40 GE Fiber (QSFP+) | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 4 | 4 | 4 | 4 |
Appliances