A10 Thunder Convergent Firewall

Thunder CFW
Convergent Firewall

A10 Networks® Thunder® Convergent Firewall (CFW) is a high-performance, all-inclusive and flexible security solution featuring a Secure Web Gateway, Data Center Firewall, Gi/SGi Firewall and site-to-site IPsec VPN for enterprises and service providers.

  • Firewall
  • DDoS Protection
  • URL Filtering
  • IPsec VPN

Advanced Application and Infrastructure Security & Availability

Thunder CFW uncovers threats in SSL traffic and blocks access to malicious websites at the enterprise perimeter. It also protects high-value assets in the data center from network and Distributed Denial of Service (DDoS) attacks. A10 Thunder CFW offers the performance and the versatility you need to safeguard your applications, your users and your infrastructure.

The A10 Thunder Convergent Firewall (CFW) is a standalone security product built on the A10 Networks Advanced Core Operating System (ACOS®) platform. Thunder CFW is the first converged security solution for service providers, cloud providers and large enterprises that includes:

  • A powerful Secure Web Gateway that combines URL filtering, A10’s SSL Insight technology, and explicit proxy to increase security efficacy by decrypting SSL traffic at high speed and restricting access to undesirable websites.
  • A high-performance Data Center Firewall with an integrated Layer 4 firewall, DDoS protection, and server load balancing. By uniting application delivery control and security on a single platform, Thunder CFW lowers hardware and operating costs.
  • A scalable Gi/SGi Firewall with integrated DDoS protection and Carrier Grade Networking (CGN) for mobile carriers. The Gi/SGi Firewall protects mobile infrastructure with advanced policy enforcement.
  • High-speed site-to-site IPsec VPN that enables enterprises and service providers to encrypt data at a massive scale and in the cloud.

With its data-center-efficient design and compact form factor, Thunder CFW provides an integrated security and application networking solution that minimizes rack space, power consumption and cooling costs.

  • Stateful L4 network firewall
  • Application Layer Gateways (FTP, TFTP, DNS and SIP)
  • Web Application Firewall (WAF)
  • DNS Application Firewall (DAF)
  • Flood attack protection: SYN cookies, TCP/UDP/ICMP flood protection, DNS/HTTP flood protection
  • Protocol attack protection: invalid packets, anomalous TCP flag combinations, packet size validation (ping of death)
  • Resource attack protection: Slowloris, slow POST, Sockstress and fragmentation protection
  • Rate limiting: IP-based connection, HTTP, DNS request, DNS query, ICMP rate limiting
  • Authentication methods: HTTP Basic, NTLM over HTTP, form-based, OCSP, TDS SQL Logon and SAML
  • Authentication servers: LDAP, Active Directory, RADIUS, OCSP Responder, NTLM, Kerberos, RSA SecurID, Entrust IdentityGuard and SAML Identity Provider (IdP)
  • Authentication relay: Kerberos, form-based, LDAP, WS-Federation, Microsoft SharePoint and Outlook Web Access
  • Extensive logging for audit
  • Advanced Layer 4/Layer 7 server load balancing
    • Fast HTTP, full HTTP proxy
    • High-performance, template-based L7 switching with header/URL/domain manipulation
    • Comprehensive L7 application persistence support
  • Comprehensive load-balancing methods - round-robin, weighted round-robin (WRR), least connections (LC), fastest response and more
  • Comprehensive IPv4/IPv6 support
  • A10 Networks aFleX® TCL-based scripting technology - deep packet inspection and transformation for customizable, application-aware switching
  • Global Server Load Balancing (GSLB)
  • HTTP acceleration: HTTP connection multiplexing (TCP connection reuse), RAM caching, HTTP compression
  • SSL acceleration: Hardware SSL offload, TLS 1.2 and 4096-bit SSL key support, Elliptic Curve Diffie-Hellman Exchange (ECDHE) and other ECC ciphers
  • Stateful Layer 4 network firewall
  • ALG protocol support for protocols with dynamic ports (including SIP, FTP)
  • Integrated DDoS protection for NAT pools
  • IP anomaly detection
  • Carrier Grade NAT (CGN/CGNAT), Large Scale NAT (LSN), NAT444, NAT44
  • Dual stack support, full native IPv6 management and features
  • SLB-PT (Protocol Translation), SLB-64 (IPv4<->IPv6, IPv6<->IPv4)
  • NAT64/DNS64, NAT46, DS-Lite, 6rd, LW4o6
  • High-performance SSL decryption and encryption as a forward proxy
  • Internet Content Adaptation Protocol (ICAP) support for data loss prevention
  • Dynamic port decryption to detect and intercept SSL or TLS traffic regardless of TCP port number
  • Forward proxy failsafe to bypass traffic when there is a handshake failure
  • SSL Insight bypass based on hostname; bypass list scales up to 1 million Server Name Indication (SNI) values
  • Multi-bypass list support
  • Decryption of HTTPS, STARTTLS, SMTP, XMPP
  • Client certificate detection and optional bypass
  • Untrusted certificate handling using the Online Certificate Status Protocol (OCSP)
  • TLS alert logging to log flow information from SSL Insight events
  • SSL session ID reuse
  • Firewall Load Balancing (FWLB)
  • URL Classification Service powered by Webroot to selectively bypass trusted websites for SSL decryption**
  • Optional monitoring and blocking of malicious or undesirable websites
  • Transparent Forward Proxy
  • Explicit Forward Proxy
  • Proxy chaining

Detection and mitigation capabilities are highly customizable. With 100% API programmability, SecOps and DevOps teams can use event-triggered scripts for greater operational agility. Thunder TPS also performs application-aware inspection on incoming packets and takes defined actions to protect the application. For example, the system can enforce limits on specific DNS query types, apply security checks to many portions of the HTTP header, or use regular expressions (regex) and Berkeley Packet Filter (BPF) expressions for high-speed pattern matching in policies.

With multiple performance options and flexible deployment models, Thunder TPS can be integrated into a network architecture of any size, including MPLS networks. Through aXAPI, A10's RESTful API, Thunder TPS integrates easily with third-party detection solutions. By supporting open standards such as BGP blackholing, Thunder TPS mitigation integrates with any DDoS detection solution. Open APIs and networking-standards support enable tight integration with other devices, including A10 threat detection partners, SDN controllers, and other security products.

Thunder TPS supports an industry standard CLI, on-box GUI and the aGalaxy management system. The CLI allows sophisticated operators easy troubleshooting and debugging. The intuitive on-box GUI enables ease of use and basic graphical reporting. aGalaxy offers a comprehensive dashboard with advanced reporting, mitigation console, and policy enforcement for multiple TPS devices.

*Features may vary by appliance
**Additional paid service

Thunder CFW also leverages the A10 Harmony architecture to provide open and standards-based programmability, which offers rapid integration with management and orchestration systems, consistent policy enforcement and telemetry. The A10 Networks aGalaxy® Centralized Management System delivers everything that organizations need to configure, monitor and troubleshoot all A10 Thunder solutions, including Thunder CFW.

Model Comparisons

Thunder CFW Hardware Specifications Thunder
Data Center Firewall
DCFW Throughput | 5 Gbps | 10 Gbps | 30 Gbps | 30 Gbps | 25 Gbps | 38 Gbps | 70 Gbps | 70 Gbps | 90 Gbps | 100 Gbps | 150 Gbps | 220 Gbps
DCFW Layer 4 CPS | 200k | 300k | 500k | 500k | 1.4 million | 2 million | 2.8 million | 2.8 million | 3.5 million | 4.5 million | 4.5 million | 6.5 million
DCFW Concurrent Sessions | 8 million | 16 million | 32 million | 32 million | 32 million | 64 million | 64 million | 64 million | 128 million | 128 million | 256 million | 256 million
DCFW Rules | 8k | 8k | 16k | 16k | 16k | 32k | 32k | 32k | 64k | 64k | 128k | 128k
Secure Web Gateway (*1, *2)
SSLi Throughput | 0.5 Gbps | 1.5 Gbps | 2.5 Gbps | 2.5 Gbps | 3.5 Gbps | 5.5 Gbps | 8 Gbps | 10 Gbps | 15 Gbps | 20 Gbps | N/A | N/A
SSLi CPS | RSA (1K): 500, RSA (2K): 300 | RSA (1K): 4k, RSA (2K): 3k | RSA (1K): 8k, RSA (2K): 6k | RSA: 8k, ECDHE: 4.5k | RSA: 12.5k | RSA: 18k, ECDHE: 10k | RSA: 22k, ECDHE: 10k | RSA: 30k, ECDHE: 15k | RSA: 35k, ECDHE: 20k | RSA: 50k, ECDHE: 25k | N/A | N/A
IPsec VPN (*2)
IPsec Throughput | 1.5 Gbps | 6 Gbps | 8 Gbps | N/A | 15 Gbps | 30 Gbps | 30 Gbps | 35 Gbps | 35 Gbps | 35 Gbps | N/A | N/A
IPsec Tunnels | 50 | 100 | 1k | 1k | 1k | 4k | 4k | 4k | 8k | 8k | 20k | 20k
Network Interface
  1 GE Copper | 5 | 6 | 6 | 6 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
  1 GE Fiber (SFP) | 0 | 2 | 2 | 2 | 4 | 4 | 0 | 0 | 0 | 0 | 0 | 0
  1/10 GE Fiber (SFP+) | 2 | 2 | 4 | 4 | 4 | 4 | 24 | 8 | 24 | 24 | 48 | 48
  40 GE Fiber (QSFP+) | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 4 | 4 | 4 | 4


Thunder CFW Models