Our flexible networking architecture includes Layer 1, switching, routing and VPN connectivity. With our zone-based model and our virtual system and virtual router capabilities, you can easily deploy our next-generation firewalls into nearly any networking environment while supporting granular segmentation and control.

Our integration options and network features support use cases from the network edge to the data center core. A variety of interface types are supported across our firewall portfolio, along with a host of networking features and protocols to support performance, scale, visibility, segmentation, and QoS.

Integrate Into Any Network Topology

Our Virtual Wire feature provides a true transparent mode by logically binding two interfaces together without switching or routing, enabling firewall capability with no impact on your surrounding devices and no network protocol configuration required.

For Layer 2, switching is provided, along with 802.1Q VLAN support. For Layer 3, the firewall routes traffic between multiple interfaces using a built-in virtual router. Static routes and common routing protocols are supported, including RIP, OSPF and BGP (including multi-protocol BGP).

A Tap Mode interface is also supported for evaluations and use cases where advanced visibility is desired without inline deployment. Because the firewall is not inline in Tap Mode, it does not control session traffic.

Advanced Networking Capabilities

Our next-generation firewall portfolio provides a range of interface options (up to 100 Gbps) and densities, including those provided by high-capacity chassis platforms. Scaling is supported via link aggregation (LACP) and multipathing (ECMP). Visibility is provided by LLDP, and QoS is supported via bidirectional DSCP.

Multicast is supported via PIM-SM, PIM-SSM and IGMP, and several Network Address Translation (NAT) options are also supported for a variety of use cases. NAT is controlled by policy in our next-generation firewalls (the number of NAT rules allowed varies by firewall). Our firewall also supports DHCP server capability, including user-defined DHCP options (RFC 2132).


Tunnel Content Inspection

The firewall can inspect the traffic content of cleartext tunnel protocols: Generic Routing Encapsulation (GRE) and non‐encrypted IPSec traffic. This enables you to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel).