
FIREWALL COMPETITIVE ANALYSIS

August 2021

Hillstone Networks Confidential | 1


Hillstone Confidential, For Internal Training Only!
1 Introduction
2 Fortinet
3 Palo Alto Networks
4 Juniper
5 Cisco
6 Checkpoint
7 SonicWall
8 Huawei
9 Sophos
10 Forcepoint
11 WatchGuard
12 Sangfor

Introduction

Introductions
• There are many firewall vendors on the market, and they all exist for a reason. Each one has its own strengths and weaknesses.
• It is the same for Hillstone. Hillstone is NOT an almighty firewall. But the two major innovations Hillstone offers are intelligent NGFW and the CloudEdge/CloudHive solutions.
• In order to compete effectively in the market, we need to have:
  • Extensive understanding of Hillstone products and technologies
  • Deep knowledge of the customer’s pain and real need
  • Ability to steer the customer’s attention to what Hillstone is good at, the true value that matches the customer’s most important needs
  • Knowledge of our competitors and how to win against them
• Each project/customer/vertical is different; there is no single weapon for all.
• The price and discount structure of our competitors varies from region to region, so it is advised to work out your own regional price analysis. The least efficient way is to compete only on price.

For All Competitors
Key Value Propositions to Present
• T-Series intelligent functions such as unknown malware detection without signatures, abnormal behavior detection for internal threats and risk index, threat auto-mitigation, etc.
• The I-Series NTA product extracts Layer 7 metadata and applies clustering, an unsupervised learning algorithm, to identify deviation from normal activity. sBDS also includes an IPS and an antivirus engine. It also implements deception.
• X-Series data center firewall with its scalable/upgradable performance, high session ramp-up rate, huge capacity, and modular IO configurations. It also supports ISSU.
• The CloudHive micro-segmentation solution is not available at all from other firewall vendors.
• CloudEdge is available in all three major public cloud service providers (Amazon, Microsoft and Ali), and is available both in China and outside China. We have had many cases where international companies use AliCloud in China as their cloud service provider; Hillstone is the only virtual firewall option in this case.
• Many unique software features that are widely used and liked by Hillstone customers, such as the rich NAT feature set, IPv6 dual stack, intelligent LLB/iQoS/application routing, bandwidth management tools, intelligent ransomware solutions, HA Peer Mode and Twin Mode, etc.
The devil is in the details as always; there is no one magic bullet for all.

Fortinet

How to win Fortinet with A-Series

How to win - Hardware

Hardware
• Built-in Redundant Dual Power Supply – Fortinet doesn’t offer a built-in dual power option for all hardware models. Starting from the 80F they offer dual power supply as an option.
• WAN Interface Limitation – Fortinet’s 200E and below products are limited in the number of WAN interfaces: they can have only one or two, which is not flexible and cannot be used for multi-WAN scenarios (the 80E and 80F don’t specify WAN or LAN in the DS description).
• USB Ports – Fortinet 200F and below models don’t support more than 1 USB port, and only the 80F specifies 3.0.
• Lightning Surge Immunity – Fortinet hardware is not designed for lightning and surge immunity.
• Local Storage – Fortinet’s 80F and below products don’t support more than 128G. We can have a 256GB SSD in desktop models.
• Bypass Module – Only the Fortinet 80F-BYPASS has it. We can have it even on desktop models.

How to win - Performance

Performance
• A1000 vs 40F: much better app layer performance (3-4 times), better New session/s, lower concurrent sessions.
• A1100 vs 60E/80E: better app layer performance (~8 times), higher new session, lower concurrent sessions.
• A1100 vs 60F: better app layer performance (2-3 times), higher new session, lower concurrent sessions.
• A2000/2600 vs 100E: much better app layer performance (6-9 times), better New session.
• A2000/2600 vs 60F: much better app layer performance (2-3 times), better New session.
• A3000/3600 vs 100F: better app layer performance (~3 times)
• A3000/3600 vs 200E: better app layer performance (~4 times), higher sessions
• A3700 vs 400E: better app layer performance, lower New session/s, higher Concurrent sessions
• A3800 vs 600E: better app layer performance, lower new session

How to win - NGFW Software

| Category | Function (5.5R8) | Fortinet (OS6.4) |
|---|---|---|
| Network Services | Support application-based routing: able to route applications with dynamic port numbers, such as P2P and online video, to a selected WAN link | No |
| | Able to operate in layer 3 mode (routing), online mode (bridge) and layer 2 (port mirroring) simultaneously (without the need to virtualize the equipment) | No |
| Firewall | Support policy hit count in WebUI | No |
| | Support configuring an aggregate policy: policy rules with the same effect or the same attributes can be added to the aggregate policy. If the administrator adjusts the position of an aggregate policy, the positions of all its members are adjusted accordingly, so policy rules can be managed in bulk | No |
| Endpoint Identification | Support Radius dynamic authorization function | No |
| QoS (Quality of Service) | Support flexible and prioritized allocation of unused remaining bandwidth | No |
| | Support two levels of traffic shaping, which enables traffic shaping in different dimensions such as users and applications. Support at least four tunnels per level, which provides a hierarchy of traffic control | No |
| SLB (Server Load Balancing) | Support weighted hashing, weighted least-connection, and weighted round-robin server load balancing algorithms | No |
| | Support session protection, session persistence and session status monitoring | No |
| | Support server health check, session monitoring and session protection | No |

How to win - NGFW Software

| Category | Function (5.5R8) | Fortinet (OS6.4) |
|---|---|---|
| LLB (Link Load Balancing) | Support outbound link load balancing, including PBR (Policy Based Routing), ECMP and weighted, embedded ISP routing and dynamic link quality detection | No |
| | Support automatic link switching based on bandwidth, latency, jitter, connectivity and application | No |
| | Support link overload protection: traffic switches to other links when the current link is overloaded; the system keeps monitoring the bandwidth of the links and blocks new sessions to the overloaded link according to the threshold settings | No |
| HA (High Availability) | Support peer-mode HA, to avoid asymmetric routing issues in the Active-Active HA deployment | No |
| | Support twin-mode HA, to support two HA pairs in the active-active datacenters, with session and firewall policy sync; supports application migration from one active data center to another and avoids asymmetric routing issues | No |
| CloudView | Support sending logs to Hillstone’s Cloud and monitoring from a mobile app | No |
| sBDS connection | Support integration with a device listed among the NDR products of the Gartner Market Guide in order to add signatures and new policies to block advanced malware and abnormal behavior | No |
| Architecture | Parallel processing architecture, in order to allow future firmware and feature expansions on the same hardware | No |
| | We can add more performance with expansion modules (scalability) | No |
| | 4G/5G access capability | No |
| Extra features | Twin-mode (AA3000/A3600/A3700/A3800) | |

What (not) to avoid
What to Avoid
• Avoid competition on performance, especially small packet performance (pps)
  ✓ [NOW]: We can beat them on performance, especially on IPS TP

• Avoid the fixed number of interfaces in hardware; some Fortinet products have very high port density fixed in hardware
  ✓ [NOW]: We have bypass interfaces and more USB ports. For regular interfaces we can beat them on some models

• Avoid large local storage for syslog. Hillstone will have to use T series to compete. But Hillstone will start to offer SSD storage options for selected E series products in Q2, 2017
  ✓ [NOW]: We can have storage, even larger than Fortigates

• Avoid the anti-spam feature. Most enterprises need a more dedicated anti-spam tool, rather than one built into the firewall. Hillstone plans to add anti-spam support in Q3, 2017
  ✓ [NOW]: We have anti-spam feature
Comparison with A-Series, E-Series, X-Series and CloudEdge

Product Hardware Specs - SMB

| | FG-40F | E1100 | E1600 | E1606 | FG-60E | FG-60F | A1000 | A1100 | FG-80E | FG-80F | E1700 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Throughput | 5G | 1G | 1G | 1G | 3G | 10G | 4 | 5 | 4G | 10G | 1.5/2G |
| VPN Throughput | 4.4G | 600M | 600M | 600M | 2G | 6.5G | TBD | TBD | 2.5G | 6.5G | 700M |
| IPS Throughput | 1G | 400M | 400M | 400M | 400M | 1.4G | 3.4G | 3.7G | 450M | 1.4G | 600M |
| NGFW Throughput | 800M | 350M | 350M | 350M | 250M | 1G | 1.2G | 1.2G | 360M | 1G | 450M |
| Threat Protection | 600M | 300M | 300M | 300M | 200M | 700M | 800M | 800M | 250M | 900M | 400M |
| Concurrent Connections | 700K | 100K | 200K | 400K | 1.3M | 700K | 300K | 300K | 1.3M | 1.5M | 600K/1M |
| New Connections Per second | 35,000 | 10,000 | 10,000 | 12,000 | 30,000 | 35,000 | 48K | 48K | 30,000 | 45,000 | 25,000 |
| Interface | 5GE | 9GE | 9GE | 9GE | 10GE | 10GE | 4GE | 8GE | 14GE, 2Combo | 8GE, 2Combo | 9GE |
| Expansion Slot | - | - | - | - | - | - | - | - | - | - | - |
| Local Storage (SSD) | - | - | - | - | 128G | 128G | 256G | 256G | 128G | 128G | - |
| Power Supply | single | single | single | single/dual | single | single | single | single | single | single | single/dual |
| Dimensions | desktop | desktop | desktop | desktop | desktop | desktop | desktop | desktop | desktop | desktop | 1U |

Product Hardware Specs - Enterprise
FG-100E A2000 A2600 FG-100F A3000 A3600 FG-200E E2300 E2800 E2860/2868 E3660 E3662/3668 A3700 A3800 FG-200F FG400E
Throughput 7.4G 5G 5G 20G 20G 20G 20G 2.5/4G 4.5/6G 6G 8G 8G 40G 40G 27G 32G

VPN
4G TBD TBD 11.5G TBD TBD 7.2G 1G 3G 3G 3G 3G TBD TBD 13G 20G
Throughput
IPS
500M 3.2G 4.5G 2.6G 8.3G 8.5G 2.2G 1G 1.8G 1.8G 3G 3G 8.6G 17.5G 3G 7.8G
Throughput
NGFW
360M 1.2G 1.8G 1.6G 1.8G 1.8G 1.8G 650M 850M 1.0G 1.0G 1.2G 1.8G 3.7G 3.5G 6G
Throughput
Threat
250M 800M 1.6G 1G 1.6G 1.6G 1.2G 500M 700M 800M 900M 900M 1.6G 2.8G 3G 5G
Protection
Concurrent 1M/ 1M/ 1M/ 1M/
2M 1M 1.2M 1.5M 2M 3M 2M 3M 6M 8M 3M 4M
Connections 2M 2M 2M 2M
New
Connections 30K 48K 120K 56K 140K 140K 135K 50K 80K 80K 120K 120K 140K 310K 280K 450K
Per second
2SFP+ 1MGT、 1MGT、
2SFP+ 2SFP+ 2SFP+ 2SFP+ 4SFP+
20GE 8SFP 18GE 5GE 5GE 6GE 1HA 1HA 16SFP
Interface 8GE 8GE 8SFP 8SFP 8SFP 8SFP 8SFP
2Combo 18GE 4SFP 4Combo 4Combo 4SFP 、6GE、 、6GE、 18GE
16GE 16GE 16GE 16GE 18GE
4Combo 4SFP 4SFP
Expansion Slot - - - - - - - - - 2 2 2 - - - 2
-/128G or -/128G or
Local Storage 480G 1.92T 1.92T 480G 1.92T 1.92T 480G - - 256G or - 256G or 1.92T 1.92T 480G SSD 480G SSD
512G 512G
single/ single/
single/du single/ single/ single/ single/ single/ single/
Power Supply external single/dual single/dual dual single/dual single/dual external single/dual dual
al dual dual dual dual dual dual
dual dual

High 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U

Product Hardware Specs - Enterprise
E3960/3968 E3965/E5168 E5260/5268 FG-600E FG-1000D FG-1100E E5568 E5660 FG-1500D E5760 E5960 FG-1800F
Throughput 10G 10G 16G 36G 52G 80G 20G 25G 80G 32G 40G 198G

VPN Throughput 4G 6G 8G 20G 25G 48G 12G 15G 50G 18G 25G 55G

IPS Throughput 4G 4G 5G 10G 6G 12.5G 7G 12G 13G 15G 18G 13G

NGFW
1.5G 3G 3.5G 9.5G 5G 9.8G 5G 7G 7G 8G 9.5G 11G
Throughput

Threat Protection 1.1G 2G 2.2G 7G 4G 7.1G 3G 4.5G 5G 5G 6G 9.1G

Concurrent
4M 6M 6M 8M 11M 8M 10M 10M 12M 12M 15M 12M
Connections

New Connections
150K 170K 200K 450K 280,000 500K 300,000 300,000 300K 300,000 500,000 750K
Per second

2QSFP+ 4QSFP+
1MGT 1MGT 1MGT
1MGT、1HA、 1MGT、1HA、 1MGT、1HA、 2SFP+ 2SFP+ 4SFP28 1MGT、1HA、 18GE 12SFP28
1HA 1HA 1HA
Interface 4GE、2Bypass、 2GE、2Bypass、 2GE、2Bypass、 10GE 16GE 4SFP+ 2GE、2Bypass、 16SFP 2SFP+
4GE 4GE 4GE
4SFP、2SFP+ 4SFP、2SFP+ 4SFP、2SFP+ 8SFP 18SFP 8GE 4SFP、2SFP+ 8SFP+ 8GE
4SFP 4SFP 4SFP
18SFP 18SFP

Expansion Slot 2 4 4 - - - 4 4 - 4 4 -

-/128G or 256G
Local Storage -/256G or 512G -/256G or 512G 480G 256G 980G 256G/512G - 480G - - 2T
or 512G

Power Supply single/dual dual dual single/dual single/dual dual dual dual dual dual dual dual

High 1U 2U 2U 1U 2U 2U 2U 2U 2U 2U 2U 2U

Product Hardware Specs - Enterprise
E6160 E6168 FG-2000E FG-2200E FG-2600F FG-3300E FG-3400E E6360 E6368
Throughput 60G 60G 90G 158G 198G 160G 240G 80G 80G

VPN Throughput 35G 35G 65G 98G 55G 98G 140G 50G 50G

IPS Throughput 25G 25G 11.5G 16.5G 24G 27G 44G 27G 27G

NGFW Throughput 16G 16G 9G 13.5G 19G 23G 34G 24G 24G

Threat Protection 12G 12G 5.4G 11G 17G 17G 25G 18G 18G

Concurrent
20M 20M 20M 24M 24M 50M 50M 30M 30M
Connections

New Connections Per


800K 800K 500K 500K 1M 700K 850K 1.1M 1.1M
second

4QSFP28
4QSFP28
16SFP28 4QSFP28
12SFP+、32GE 16SFP28 2MGT、8SFP+、 2MGT、8SFP+、
Interface 8SFP+, 2GE 8SFP+, 2GE 6SFP+, 32GE 16x10GE 24SFP28
4x10GE 2GE, 2QSFP+ 2GE, 2QSFP+
2SFP+ 2GE
14GE
2GE
2xGeneric+1 2xGeneric+1 2xGeneric+1 2xGeneric+1
Expansion Slot - - - - -
BYPASS BYPASS BYPASS BYPASS

Local Storage - 512G 480G 2TB 2TB 2TB 4TB - 512G

Power Supply dual dual dual dual dual dual dual dual dual

High 2U 2U 2U 2U 2U 2U 2U 2U 2U

Product Hardware Specs – Data Center

FG- FG-
FG-3600E FG-3960E FG-3980E X7180 X8180 X9180 X10800
5001E/5144C 7030/7040/7060E

Throughput 124G 620G 1.05T 80G/1.12T 680G 450G 600G 155G/315G/630G 1.2T

VPN Throughput 140G 280G 400G 45G 90G TBD 250G 40G/100G/100G 500G

IPS Throughput 55G 30G 32G 216G 100G 180G 200G 60G/60G/120G 400G

NGFW Throughput 40G 22G 28G 15G 90G TBD 140G 50G/50G/100G 280G

Threat Protection 30G 13.5G 20G 13.5G - TBD 100G 30G/40G/80G 200G

Concurrent Connections 50M 160M 160M 40M 240M 130M 200M 160M/160M/320M 480M

New Connections Per second 950K 720K 800K 640K 4.8M 2.5M 4M 900K/950K/1800K 10M

6QSFP28 6QSFP28 10QSFP28


(2GE,2SFP+,2QSFP Multiple modules: Multiple modules: Multiple modules:
Interface 32SFP28 16SFP+ 16SFP+ 4GE/SFP 3/4/6
+)X12- 100G, 10G 100G, 40G, 10G 100G, 40G, 10G
2GE 2GE 2GE

Expansion Slot - - - 12 10 5 (2 for MGT) 10 (4 for MGT) 4/4/8 14 (4 for MGT)

Local Storage 4T - - 480G - - - - -

Power Supply dual 3PS 3PS dual 2+2 4PS 4PS 3/3/4 8PS

High 2U 5U 5U 14U 5U 3U 7U 6U/6U/8U 18U

Product Hardware Specs – Virtualization
FortiGate- FortiGate-
FortiGate- FortiGate- FortiGate- FortiGate-
VM02 VM01 VM02 VM04 VM04 VM08
VM01/01V/01S VM08/08V/08S VM16/16V VM32/32V
/02V/02S /04V/04S

Support Core
1/1 1/2 2 2 1/4 4 1/8 8 1/16 1/32
Number

RAM 2GB 2G 2G 4G 2G 8G 2G 16G 2G 2G

Throughput (UDP
Packets, SR-IOV 12Gbps 13.7G 10G 20G 19.1G 30G 30.8G 80G 36G 50G
Enabled)

Concurrent
- - 100K 500K - 5M - 10M - -
Connections

New Sessions Per


85K 100K 30K 50K 125K 100K 150K 200K - -
second

IPS Throughput 1G 2G 3G 5G 3.6G 7G 7.2G 14G 12G 19G

IPSec Throughput 1G 1.5G 400M 800M 3G 2G 5.5G 7G 6.5G 7G

IPSec VPN Tunnel 2K 2K 100 500 2K 10K 40K 20K - -

SSL Concurrent
1,000 2,000 100 500 4,500 2K 10,000 4K - -
Users

A-Series vs Fortigate

60E, 40F, 80E, 80F, 100E, 100F, 200E, 200F, 400E, 600E

A vs Fortinet: Desktop Models
| Platform | FG-60E | FG-80E | FG-40F | A1000 | A1100 | FG-60F | FG-80F |
|---|---|---|---|---|---|---|---|
| Firewall Throughput (1518 Byte) Gbps | 3 | 4 | 5 | 4 | 5 | 10 | 10 |
| IPS Throughput Gbps | 0.4 | 0.45 | 1 | 3.4 | 3.7 | 1.4 | 1.4 |
| NGFW Throughput | 250M | 360M | 800M | 1.2G | 1.2G | 1G | 1G |
| Threat Protection | 200M | 250M | 600M | 800M | 800M | 700M | 900M |
| Maximum Concurrent Sessions | 1,300,000 | 1,300,000 | 700,000 | 300,000 | 300,000 | 700,000 | 1,500,000 |
| New Sessions/s (HTTP traffic) | 30,000 | 30,000 | 35,000 | 48,000 | 48,000 | 35,000 | 45,000 |
| Form Factor | Desktop | Desktop | Desktop | Desktop | Desktop | Desktop | Desktop |
| Fixed I/O | 10 × GE | 16 × GE | 5 × GE | 4 × GE | 8 × GE(RJ45) (1 bypass pair) | 10x GE RJ45 | 8x GE RJ45, 2x Shared Port Pairs |
| Storage (GB) | 128 G optional | 128 G optional | N/A | 256 GB SSD, optional | 256 GB SSD, optional | 128 G optional | 128 G optional |

[Bar chart: Net Price to Distributor. Categories: 1-yr base net price, FW Throughput Price/G, IPS Throughput Price/G, 1-yr HWBDL Price, 3-yr HWBDL Price, 5-yr HWBDL Price. Series: FG-60E, FG-80E, FG-40F, A1000, A1100, FG-60F.]

• A1000 vs 40F: Higher NGFW Throughput, much better app layer performance (3-4 times), better New session/s, lower concurrent sessions, optional SSD storage; competitive price in IPS cost/G and 5-year HWBDL
• A1100 vs 60E/80E: Higher NGFW Throughput, better app layer performance (~8 times), higher new session, lower concurrent sessions, less GE interface but has bypass and large storage expansion capability; competitive in price
• A1100 vs 60F: Higher NGFW Throughput, better app layer performance (2-3 times), higher new session, lower concurrent sessions, less GE interface but has bypass and large storage expansion capability; competitive in price

A vs Fortinet: 5-10G Rackmount Models
| Platform | FG-60F (Desktop) | FG-80F (Desktop) | A2000 | A2600 | FG-100E |
|---|---|---|---|---|---|
| Firewall Throughput (1518 Byte) Gbps | 10 | 10 | 5 | 5 | 7.4 |
| IPS Throughput Gbps | 1.4 | 1.4 | 3.2 | 4.5 | 0.5 |
| NGFW Throughput | 1G | 1G | 1.2G | 1.8G | 1.6G |
| Threat Protection | 700M | 900M | 800M | 1.6G | 1G |
| Maximum Concurrent Sessions | 700,000 | 1,500,000 | 1,000,000 | 1,200,000 | 2,000,000 |
| New Sessions/s (HTTP traffic) | 35,000 | 45,000 | 48,000 | 120,000 | 30,000 |
| Form Factor | Desktop | Desktop | 1U | 1U | 1U |
| Fixed I/O | 10x GE RJ45 | 8x GE RJ45, 2x Shared Port Pairs | 8 × GE(RJ45) (1 bypass pair), MGT(RJ45) | 8 × GE(RJ45) (1 bypass pair), MGT(RJ45) | 20x GE RJ45, 2x Shared Port Pairs |
| Storage (GB) | 128 G optional | 128 G optional | 480 GB / 960 GB / 1.92 TB SSD | 480 GB / 960 GB / 1.92 TB SSD | 480 G optional |

[Bar chart: Net Price to Distributor. Categories: 1-yr base net price, FW Throughput Price/G, IPS Throughput Price/G, 1-yr HWBDL Price, 3-yr HWBDL Price, 5-yr HWBDL Price. Series: FG-60F, A2000, A2600, FG-100E.]

• A2000/2600 vs 100E, much better app layer performance (6-9 times), better New session, larger storage expansion capability but less interface, absolutely competitive price
• A2000/2600 vs 60F, Higher NGFW Throughput, much better app layer performance (2-3 times), better New session, bypass interface and larger storage expansion capability; competitive price in IPS cost/G

A vs Fortinet: 20G Rackmount Models
| Platform | A3000 | A3600 | FG-100F | FG-200E |
|---|---|---|---|---|
| Firewall Throughput (1518 Byte) Gbps | 20 | 20 | 20 | 20 |
| IPS Throughput Gbps | 8.3 | 8.5 | 2.6 | 2.2 |
| NGFW Throughput | 1.8G | 1.8G | 1.6G | 1.8G |
| Threat Protection | 1.6G | 1.6G | 1G | 1.2G |
| Maximum Concurrent Sessions | 2,000,000 | 3,000,000 | 1,500,000 | 2,000,000 |
| New Sessions/s (HTTP traffic) | 140,000 | 140,000 | 56,000 | 135,000 |
| Form Factor | 1U | 1U | 1U | 1U |
| Fixed I/O | 2 × 10GE(SFP+), 8 × GE(SFP), 16 × GE(RJ45) (2 bypass pair) | 2 × 10GE(SFP+), 8 × GE(SFP), 16 × GE(RJ45) (2 bypass pair) | 2x 10 GE SFP+, 18x GE RJ45, 4x Shared Port Pairs, 8x GE SFP | 18x GE RJ45, 4x GE SFP |
| Storage (GB) | 480 GB / 960 GB / 1.92 TB SSD | 480 GB / 960 GB / 1.92 TB SSD | 480 G optional | 480 G optional |

[Bar chart: Net Price to Distributor. Categories: 1-yr base net price, FW Throughput Price/G, IPS Throughput Price/G, 1-yr HWBDL Price, 3-yr HWBDL Price, 5-yr HWBDL Price. Series: A3000, A3600, FG-100F, FG-200E.]

• A3000/3600 vs 100F, Higher NGFW Throughput, better app layer performance (~3 times), large storage expansion capability
• A3000/3600 vs 200E, Higher NGFW Throughput, better app layer performance (~4 times), higher sessions, SFP+ interface and larger storage expansion
• Better price/performance for IPS cost/G, A3000 is more competitive in price for 5-yr HWBDL

A vs Fortinet: 20G+ Rackmount Models

| Platform | A3700 | A3800 | FG-200F | FG-400E | FG-600E |
|---|---|---|---|---|---|
| Firewall Throughput (1518 Byte) Gbps | 20 / 40 (40G with IOC-A-4SFP+ module) | 20 / 40 (40G with IOC-A-4SFP+ module) | 27 | 32 | 36 |
| IPS Throughput Gbps | 8.6 | 17.5 | 5 | 7.8 | 10 |
| NGFW Throughput | 1.8G | 3.7G | 3.5G | 6G | 9.5G |
| Threat Protection | 1.6G | 2.8G | 3G | 5G | 7G |
| Maximum Concurrent Sessions | 6,000,000 | 8,000,000 | 3,000,000 | 4,000,000 | 8,000,000 |
| New Sessions/s (HTTP traffic) | 140,000 | 310,000 | 28,000 | 450,000 | 450,000 |
| Form Factor | 1U | 1U | 1U | 1U | 1U |
| Fixed I/O | 2 × 10GE(SFP+), 8 × GE(SFP), 16 × GE(RJ45) (2 bypass pair) | 2 × 10GE(SFP+), 8 × GE(SFP), 16 × GE(RJ45) (2 bypass pair) | 4x 10 GE SFP+, 18x GE RJ45, 8x GE SFP | 18x GE RJ45, 16x GE SFP | 2x 10 GE SFP+, 10x GE RJ45, 8x GE SFP |
| Storage (GB) | 480 GB / 960 GB / 1.92 TB SSD | 480 GB / 960 GB / 1.92 TB SSD | 480 G optional | 480 G optional | 480 G optional |

[Bar chart: Net Price to Distributor. Categories: 1-yr base net price, FW Throughput Price/G, IPS Throughput Price/G, 1-yr HWBDL Price, 3-yr HWBDL Price, 5-yr HWBDL Price. Series: A3700, A3800, FG-400E, FG-600E.]

• A3700 vs 400E, better app layer performance, lower New session/s, higher Concurrent sessions, less SFP interface but has SFP+ and large storage expansion capability; competitive price in IPS cost and 3-year/5-year HWBDL
• A3800 vs 600E, better app layer performance, lower new session, more GE interface and large storage expansion capability; competitive price in IPS cost and 3/5 year HWBDL
• And more 40G A-series models will be released in Q2

How to win Fortinet with E-Pro Series

How to win - Hardware

Hardware
• Slots for Expansion Modules – scalability, flexibility and the possibility of mixing different interface options (E3662P and higher models).

What to Avoid
• Avoid competition on IPsec performance.

• Avoid the anti-spam feature.

How to win - Performance
Performance
• E1600P/E1600WP vs 40F: higher IPS performance, lower concurrent sessions, lower new sessions
• E2800P vs 60F/80F: higher NGFW performance, better concurrent sessions (60F), better new sessions (2 times)
• E3662P vs 100F: lower NGFW performance, better concurrent sessions (2 times), better new sessions (2 times)
• E3960P vs 100F: higher IPS performance, better concurrent sessions (2 times), better new sessions (3 times)
• E3968P vs 101F: higher IPS performance, better concurrent sessions (2 times), better new sessions (3 times)
• E5560P vs 400E: higher IPS performance, better concurrent sessions (2 times), lower new sessions
• E5568P vs 401E: higher IPS performance, better concurrent sessions (2 times), lower new sessions
• E5560P vs 600E: better IPS performance (~2 times), better concurrent sessions (1.5 times), higher new sessions
• E5960P vs 1100E: higher NGFW performance (1.5 times), better concurrent sessions (~2 times), higher new sessions
• E6368P vs 2201E: higher NGFW performance (2 times), better concurrent sessions, higher new sessions (2 times)

How to win - Hillstone Featured Function

| Category | Function (5.5R8) |
|---|---|
| Network Services | Support application-based routing: able to route applications with dynamic port numbers, such as P2P and online video, to a selected WAN link |
| | Able to operate in layer 3 mode (routing), online mode (bridge) and layer 2 (port mirroring) simultaneously (without the need to virtualize the equipment) |
| Policy life cycle management | Firewall and NAT policy monitoring: hit count and session detail on firewall policy; hit count on NAT policy |
| | Automated User Policy Deployment: Radius Dynamic Authorization automatically issues user policy via CoA message |
| | Policy Redundancy Check: discover redundant policies |
| | Policy Analysis: adjust the policies by observing the hit counts and hit trends |
| | Aggregate Policy: a set of policies acts as one single policy |
| | Policy Assistant: refine a general policy into detailed policy |
| Endpoint Identification | Support Radius dynamic authorization function |
| QoS (Quality of Service) | Support flexible and prioritized allocation of unused remaining bandwidth |
| | Support two levels of traffic shaping, which enables traffic shaping in different dimensions such as users and applications. Support at least four tunnels per level, which provides a hierarchy of traffic control |
| SLB (Server Load Balancing) | Support weighted hashing, weighted least-connection, and weighted round-robin server load balancing algorithms |
| | Support session protection, session persistence and session status monitoring |
| | Support server health check, session monitoring and session protection |
| HA (High Availability) | Support peer-mode HA, to avoid asymmetric routing issues in the Active-Active HA deployment |
| | Support twin-mode HA, to support two HA pairs in the active-active datacenters, with session and firewall policy sync; supports application migration from one active data center to another and avoids asymmetric routing issues |

Comparison between E-pro Series and Fortinet

Product Hardware Specs - SMB
| | E1600P | E1600WP | FG-40F | E1700P | FG-60F/61F | E2800P | FG-80F/81F |
|---|---|---|---|---|---|---|---|
| Throughput | 4.7G | 4.7G | 5G | 4.75G | 10G | 8G | 10G |
| VPN Throughput | 850M | 850M | 4.4G | 850M | 6.5G | 3G | 6.5G |
| IPS Throughput | 1.2G | 1.2G | 1G | 1.2M | 1.4G | 3.3G | 1.4G |
| NGFW Throughput | 470M | 470M | 800M | 470M | 1G | 1.25G | 1G |
| Threat Protection | 360M | 360M | 600M | 400M | 700M | 860M | 900M |
| Concurrent Connections | 200K | 200K | 700K | 600K | 700K | 1M | 1.5M |
| New Connections Per second | 27,000 | 27,000 | 35,000 | 28,000 | 35,000 | 80,000 | 45,000 |
| Interface | 9GE | 9GE | 5GE | 9GE | 10GE | 5GE, 4Combo | 8GE, 2Combo |
| Expansion Slot | - | - | - | - | - | - | - |
| Local Storage (SSD) | - | - | - | - | -/128G | - | -/128G |
| Power Supply | single | single | single | single | single | dual | single |
| Dimensions | desktop | desktop | desktop | 1U | desktop | 1U | desktop |

Product Hardware Specs - Enterprise
E3662P FG-100F E3668P FG-101F E3960P E3968P E5260P FG-200F E5268P FG-201F
Throughput 10G 20G 10G 20G 10G 10G 20G 27G 20G 27G

VPN
3G 11.5G 3G 11.5G 4G 4G 8.4G 13G 8.4G 13G
Throughput
IPS
3.3G 2.6G 3.3G 2.6G 3.9G 3.9G 8.9G 5G 8.9G 5G
Throughput
NGFW
1.25G 1.6G 1.25G 1.6G 1.5G 1.5G 3.9G 3.5G 3.9G 3.5G
Throughput
Threat
900M 1G 900M 1G 1.1G 1.1G 2.2G 3G 2.2G 3G
Protection
Concurrent
3M 1.5M 3M 1.5M 3.2M 3.2M 6M 3M GM 3M
Connections
New
Connections 120K 56K 120K 56K 150K 150K 200K 280K 200K 280K
Per second
2SFP+ 2SFP+
6GE(1bypass) 6GE (1bypass) 4GE (1bypass) 4SFP+ 4GE (1bypass) 4SFP+
6GE 8SFP 6GE 8SFP
Interface 4SFP 4SFP 4SFP 8SFP 4SFP 8SFP
4SFP 18GE 4SFP 18GE
2SFP+ 2SFP+ 2SFP+ 18GE 2SFP+ 18GE
4Combo 4Combo

Expansion
2 - 2 - 2 2 2 - 2 -
Slot

Local
- - 256G 480G - 256G - - 256G 480G
Storage

Power
dual dual dual dual dual dual dual dual dual dual
Supply

High 1U 1U 1U 1U 1U 1U 2U 1U 2U 1U

Product Hardware Specs – Data Center
E5560P FG400E E5568P FG401E E5760P FG-600E E5960P FG1100E E6368P FG-2201E
Throughput 20G 32G 20G 32G 40G 36G 40G 80G 90G 158G

VPN
12G 20G 12G 20G 18.8G 20G 25.6G 48G 64G 98G
Throughput

IPS
9.3G 7.8G 9.3G 7.8G 18.5G 10G 18.8G 12.5G 37G 16.5G
Throughput
NGFW
5.6G 6G 5.6G 6G 8.9G 9.5G 14G 9.8G 26G 13.5G
Throughput
Threat
2.2G 5G 2.2G 5G 5.2G 7G 8.2G 7.1G 18G 11G
Protection

Concurrent
10M 4M 10M 4M 12M 8M 15M 8M 30M 24M
Connections

New
Connections 300K 450K 300K 450K 500K 450K 600K 500K 1.1M 500K
Per second
4GE(1Bypas 2QSFP+
4GE(1Bypas
s) 2SFP+ 4GE 4SP28 2QSFP+ 4QSFP+
s) 16SFP 16SFP 4GE
Interface 4SFP 10GE 4SFP 4SFP+ 8SFP+ 20SFP28
4SFP 18GE 18GE 4SFP
2SFP+ 8SFP 8GE SFP 2GE 14GE
2SFP+
16GE

2xGeneric
Expansion Slot 4 - 4 - 4 - 4 - -
1 Bypass

Local Storage - - - 480G - - - - 512G 2T

single/ single/
Power Supply dual dual dual single/dual dual dual dual dual
dual dual

High 2U 1U 2U 1U 2U 1U 2U 2U 2.5U 2U

E-Pro-Series vs Fortigate

E-pro – Fortigate Desktop Models
[Bar chart: Net Price to Distributor (USD). Categories: Base System, 1Yr UTM BDL, 3Yr UTM BDL, 5Yr UTM BDL. Series: E1600P, E1700P, FG-40F, FG-60F, E2800P, FG-80F.]

• E1600P, E1700P:
  • Big improvement in FW Throughput/NGFW Throughput/TP/New Session.
  • More I/O Interface than Fortinet.
  • Better price for 3YR and 5YR NGFW BDL after discount.
• E2800P:
  • Improvement in FW/NGFW Throughput and Threat Protection.
  • More flexible I/O, e.g. more Combo interface than Fortinet.
  • Higher NGFW throughput and new sessions. Better price for 3YR and 5YR NGFW BDL after discount.

E-pro – Fortigate 1U Models

[Bar chart: Net Price to Distributor (USD). Categories: Base System, 1Yr UTM BDL, 3Yr UTM BDL, 5Yr UTM BDL. Series: E3662P, FG-100F, E3668P, FG-101F, E3960P, E3968P.]

• E3662P, E3668P, E3960P, E3968P:
  • Higher concurrent session and new sessions per second than Fortigate.
  • Much better price for NGFW BDL after discount, for 3YR and 5YR BDL

E-pro – Fortigate 1U Models
[Bar chart: Net Price to Distributor (USD). Categories: Base System, 1Yr UTM BDL, 3Yr UTM BDL, 5Yr UTM BDL. Series: E5260P, FG-200F, E5268P, FG-201F, E5560P, FG-400E, E5568P, FG-401E.]

• E5260P, E5268P:
  • More GE and SFP interface than Fortigate.
  • Higher concurrent session and NGFW throughput than Fortigate.
  • Better price for NGFW BDL after discount than Fortigate, for 3YR and 5YR BDL.
• E5560P, E5568P:
  • More 10GE and Vendor A has no 10GE interface.
  • Much higher concurrent session than Fortigate and thus can support more users.

E-pro – Fortigate
[Bar chart: Net Price to Distributor (USD). Categories: Base System, 1Yr UTM BDL, 3Yr UTM BDL, 5Yr UTM BDL. Series: E5760P, FG-600E, E5960P, FG1100E, E6368P, FG-2201E.]

• E5760P:
  • More 10GE, GE and SFP interface than Fortigate.
  • Higher FW throughput and concurrent session than Fortigate.
  • Better price than Fortigate after discount, for 3YR and 5YR NGFW BDL.
• E5960P, E6368P:
  • Higher NGFW throughput, TP, concurrent session and new session than Fortigate.
  • Better price than Fortigate in 3YR and 5YR NGFW BDL after discount.

Palo Alto Networks

How to Win Palo Alto

Key Focus
1. Excellent Access Capability and Storage Expansion
2. Bypass pairs on most A-Series models help ensure business continuity.
3. Very large hard disk storage up to 2 TB. With more storage the system can save more logs and data for a longer time (this allows the system to provide richer reports with far more information, including visualized results and actionable recommendations).
4. Real-time detection and protection across the full lifecycle of network attacks and malware.
5. Management and operation across the full policy lifecycle, from deployment to management, optimization and operation.
6. Innovative policy assistant analyzes traffic patterns and recommends refined policies for faster, easier and more accurate policy management.
7. Introduce Hillstone intelligent functions such as unknown threat prevention, abnormal behavior detection, risk management, risk correlation analysis.
8. Introduce Hillstone advanced threat detection, abnormal behavior detection, machine learning, correlation about threat logs and reporting. All in one box.
9. The cost is low compared to PAN, even with T-Series.

Overview
Hillstone:
1. Positioned in Gartner Magic Quadrant for Enterprise Network Firewalls for 4 years and also in the IPS Quadrant, which PAN is not.
2. IPv6 Phase II certification (Gold)
PAN:
1. The price list is released on the Internet
2. You need to buy premium services to receive support (not included with hardware), so it is more expensive
3. SKUs do not include bundles; you need GP, TP, URL, WF, PREM

Functions
PAN:
1. Does not support LLB and SmartDNS for multi-exit scenarios
2. Does not support NAT port expansion, so it is not applicable when public IPs are limited
3. Does not support P2P application steering or URL steering
4. Does not support 2 levels in iQoS (with 4 sub-levels in each level)
5. Does not support PBR based on applications
6. Does not support Botnet and C&C Prevention
7. Does not support a mobile application for monitoring (CloudView)

Hardware
PAN:
1. Does not have IEC/EN61000-4-5 Power Surge Protection; Hillstone supports it.
2. Does not support extra modules to upgrade the devices; Hillstone supports this from E2000.

Architecture & Performance
PAN:
1. Concurrent sessions lower than Hillstone
2. New sessions per second lower than Hillstone

Avoiding
1. Avoid SSL Throughput and functionalities
2. Avoid reporting, they are more powerful here
3. Avoid storage with RAID
4. Integration with other platforms and also full technology partners


Software Beating Points to PAN


1. No support for the NAT port expansion function; limited to 64512 ports on a single public IP.
2. No support for LLB; not applicable to multi-exit scenarios based on applications.
3. Cannot effectively discover intranet bots and prevent further attacks by advanced threats through comparison of obtained information with the C&C address database.
4. Not able to identify and control application-based routing, that is, to route applications with dynamic port numbers (P2P, online video, etc.) to a selected WAN link QoS.
5. Does not support twin-mode HA, which supports two HA pairs in active-active data centers with session and firewall policy sync, supports application migration from one active data center to another, and avoids asymmetric routing issues.
6. Does not support CloudView, or an app on end devices (phones) to monitor multiple devices.
7. Does not support 8 layers or sublayers in iQoS.
8. Excellent access capability and storage expansion.
9. Bypass pairs on most A-Series models help ensure business continuity.
10. Very large hard disk storage, up to 2 TB. With more storage the system can save more logs and data for a longer time, which allows it to provide richer reports with far more information, including visualized results and actionable recommendations.
11. Real-time detection and protection across the full lifecycle of network attacks and malware.
12. Management and operation across the full policy lifecycle, from deployment to management, optimization and operation.

PAN Weakness in Basic Network Functions


| | Hillstone NGFW | PAN NGFW | Description |
| --- | --- | --- | --- |
| VPN | Dial-up/GRE/L2TP VPN | GRE | In a hub-spoke scenario, Dial-up VPN can expand the number of branches quickly without bulk configuration changes on the hub site. Supports L2TP VPN, which can access the hub network remotely via virtual dial-in. |
| High Availability | HA | Yes | Hillstone supports HA in AP, AA, Peer, and Twin mode; supports synchronization for configuration and RDO (including session, IPSec VPN, SCVPN, L2TP, DNS cache mapping entry, ARP table, PKI, DHCP, MAC table, Web authentication). |
| | Host tracking | Only supports PING and DNS | Track host by HTTP, PING, TCP, DNS, ARP, etc.; can be used to track HA switchover or interface switchover. |
| Others | Supports 5 methods to track link availability in parallel | No | Supports 5 methods to track link availability in parallel, including ARP/HTTP/DNS/PING/TCP customized port. Multiple monitor methods can reduce the risk of misjudgment and ensure the stability of links. |
| | Port Mirroring | Decryption Port Mirroring | Mirror the traffic from any other interface to one interface in the device, to capture packets and troubleshoot issues. |
| | SmartDNS | No | For inbound traffic, the system resolves domains to different IPs based on the sources of DNS requests, and returns IPs for different ISPs to the corresponding users who initiate the requests. |

PAN Weakness in NGFW Functions


| | Hillstone NGFW | PAN NGFW | Description |
| --- | --- | --- | --- |
| Application control | NBC | No | Keyword filtering, Web content filtering, Email filtering, IM, etc. |
| | iQoS: two levels, 8 layers of pipe nesting for fine-grained traffic control | Traffic shaping is bound to policy rules, which limits its usage. | Cannot fulfill complicated scenarios. iQoS is used to provide different priorities to different traffic, in order to control delay and flapping and decrease the packet loss rate. iQoS can assure the normal transmission of critical business traffic when the network is overloaded or congested. |
| Usability | debug | Yes | Offers the debug function for troubleshooting. |
| | OS upgrade | OS upgrade | Import the image directly to the device via WebUI; supports storing two OS images on the device. Also supports upgrade via FTP. |

PAN has no Full Intelligent Function


| Hillstone iNGFW | PAN NGFW | Description |
| --- | --- | --- |
| Proactive Detection | No | Supports real-time inspection of system resources, network node reachability and availability, and business service node availability. |
| Fault Diagnosis | No | Supports visible fault diagnosis: detect network incidents in advance, locate the root cause quickly and modify policy configurations. |
| Abnormal Behavior Detection | No | There are various threat attacks in networks, such as Web server attacks, DoS attacks, application layer attacks, port/server scan attacks, amplification attacks, SSL attacks, etc. When one detected object has multiple abnormal parameters, the system analyzes the relationship among the abnormal parameters to see whether an abnormal behavior has formed. If there is an abnormal behavior, the system sends an alarm message and generates threat logs. |
| Advanced Threat Detection | Total bundle: Basic + DLP + APT + TDR | Advanced Threat Detection, on the basis of learning advanced threat detection signatures, analyzes the suspicious traffic of a host and detects malicious behavior to identify APT (Advanced Persistent Threat) attacks and generate threat logs. |
| Risk Management | No | Provides a comprehensive view from risk to threat, including network risk index, risky hosts, and detailed information on specific threats through a multilevel and stereoscopic display. |

PAN has no Layer Security Function


| Hillstone | PAN | Description |
| --- | --- | --- |
| Micro-segmentation with/without NSX | Just with NSX | Micro-segmentation to secure each virtual machine (VM) in the cloud. It provides comprehensive visibility of East-West traffic and provides complete protection to stop lateral attacks between VMs. In addition, the CloudHive security service can scale easily to meet demand without business interruption. |
| IPS dedicated | No | Appliance operates in-line, and at wire speed, performing deep packet inspection, and assembling inspection of all network traffic. It also applies rules based on several methodologies, including protocol anomaly analysis and signature analysis to block threats. |
| CloudView | No | Service empowers security administrators to take swift action with real-time centralized monitoring of multiple devices, traffic and threat analytics, real-time alarms, as well as comprehensive reporting and log retention. With the 24/7 mobile and web access from anywhere on any devices, it delivers optimal customer experience along with optimized security management and operational efficiencies. |
| X-Series | Not higher than HS | Supports large-capacity virtual firewalls, providing flexible security services for virtualized environments, and features such as application identification, traffic management, intrusion prevention, and attack prevention to fully protect data center network security. |
How to Win PAN – Smart Policy Operation (Policy Lifecycle Management)

| Category | Function | PAN |
| --- | --- | --- |
| Smart Policy Operation | Automated User Policy Deployment: RADIUS Dynamic Authorization; automatically issue user policy via CoA message | No |
| | Policy Redundancy Check: discover redundant policies for detection | No |
| | Policy Analysis: adjust the policies by observing the hit counts and hit trends | No |
| | Policy Group: efficient policy management based on business requirement | No |
| | Aggregate Policy: a set of policies act as one single policy | No |
| | Policy Assistant: refine a general policy into detailed policy | No |

Hardware Model and Spec Comparison


1. PAN does not have many products for mid-size to SMB companies.
2. PAN does not support expansion slots for interface expansion on most models.
3. The highest FW throughput is 720G; Hillstone can reach 1T.
4. The number of concurrent sessions is too low compared with Hillstone, even for PA7080 vs. X-Series.
5. The number of new sessions per second is too low compared with Hillstone, even for PA7080 vs. X-Series.
6. Provides fewer I/O interfaces.
7. The number of vsys is too low compared with Hillstone.
8. Does not support bypass interfaces.
How to Win Palo Alto – Business and What to Avoid

Business and Others
❑ Palo Alto is famous for its super high price. Hillstone T-Series has similar features to PAN but is much cheaper, making it a good alternative solution.
❑ Palo Alto's price is FIVE times more expensive than Hillstone in terms of protected Mbps.
❑ Hillstone offers a certain number of free SSLVPN users so that customers can try it out first. All SSLVPN licenses need to be purchased for Palo Alto.

What to Avoid
❑ Device identification – Hillstone StoneOS 5.5R4 and later supports device identification.
❑ Avoid comparing IPS performance. The way Palo Alto benchmarks performance is different from other firewall vendors; it creates an illusion of a premier product so that it can sell at a much higher price, but that is not an apples-to-apples comparison. The NSSLab test report is a better and quantitative way to compare the actual TCO and security effectiveness.
❑ Avoid the local sandbox solution – Hillstone offers a cloud-based sandbox with the 5.5R3 release.
❑ Enables agentless integration with Microsoft® Active Directory® and Terminal Services, LDAP, Novell® eDirectory™ and Citrix®
❑ Anti-spyware
❑ Multicast: PIM-SM, PIM-SSM.
❑ Certifications such as:
1. Common Criteria
2. Service Organization Control 2 (SOC2): "quality and comprehensiveness of security controls put in place to manage the data sent to WildFire and Aperture. This certification applies to the global cloud for WildFire and Aperture."
3. FIPS 140-2: "validated modules can be accepted by US federal agencies using cryptographic-based security to protect sensitive information in computer and telecommunication systems."
4. USGv6: "provides proof of compliance to IPv6 specifications outlined in current industry standards for common network products."
❑ Logging: real-time log filtering facilitates rapid forensic investigation into every session traversing your network. The complete context of the application, the content (including malware detected by WildFire) and the user can be used as filter criteria, and the results can be exported to a CSV file or sent to a syslog server for offline archiving or additional analysis.
❑ Logs that have been aggregated by Panorama can also be sent to a syslog server for added analysis or archival purposes.
❑ In addition to the reporting and logging capabilities provided by the Palo Alto Networks next-generation security platform, integration is available with third-party SIEM tools, such as Splunk® for Palo Alto Networks. These tools provide further reporting and data visualization capabilities, and they enable you to correlate security events across multiple systems in your enterprise.
❑ Migration tool 3.0: 3rd-party migration, adopting App-ID + User-ID
❑ Optimization: clean policies, objects, reduce overall account
❑ Centralized management with Panorama
❑ Auto-zoning: allow configuration not supported and adopt security like Cisco ASA/PIX/FWSM, Checkpoint, Fortinet, McAfee Sidewinder, Juniper SRX/NetScreen
Hillstone Counterattack Palo Alto
APP-ID
Hillstone already supports full application identification, by application, application group, sub-group, technology, risk, characteristics, etc.

User-ID
Hillstone already has full user-ID capability.
Content-ID
Hillstone already supports unified threat management policy with profile-policy interaction. Also Hillstone
can even further simplify the threat configuration by a simple checkbox in each policy, without complicated
profile configuration.

Palo Alto Product Overview

Models: PA200-220, PA500, PA820-850, PA3020-3050-3060, PA5020-5050-5060, PA5220-5250-5260, PA750, PA780
MSSP: √ √ √ √ √ √ √ √
Service Provider: √ √ √ √ √
Data Center: √ √ √ √ √
Enterprise: √ (Branch), √ (Branch), √ (Branch), √ (Branch/Campus), √ (Campus), √ (Campus), √ (Campus), √ (Campus)
Distributed Enterprise: √ √ √ √ √ √ √ √
SMB: √ √ √
Product Level: Desktop, Middle End, High End
Hardware Option: PoE, high density GE port; PoE, high density GE port; PoE, high density GE port; High density GE port; High density GE port; High density GE port; High density GE port
Product Hardware Specs - SMB
PA 200 PA 220 PA 500 PA 820
E1100
Series
E1600 E1606 PA 850 E1700 E1600P E1600WP E1700P E2300 A1000
A1100

Throughput 100M 500M 250M 940M 1G 1G 1G 1.9G 1.5/2G 4.7 Gbps 4.7 Gbps 4.75 Gbps 2.5/4G 4GB 5GB

VPN
50M 100M 50M 50M 600M 600M 600M 500M 700M 850 Mbps 850 Mbps 850 Mbps 1G N/A N/A
Throughput

TP
50M 150M 100M 610M 300M 300M 300M 780M 400M 360 Mbps 360 Mbps 400 Mbps 500M 800M 800M
Throughput

NGFW
Not info Not info Not info Not info 350M 350M 350M Not info 450M 470 Mbps 470 Mbps 470 Mbps 650M 1.2G 1.2G
Throughput

Concurrent 600K/ 1M/


64K 64k 64K 128K 100K 200K 400K 192K 0.2M 0.2M 0.6M 300,000 300,000
Connections 1M 2M

New
Connections 1000 4200 7500 8300 10,000 10,000 12,000 9500 25,000 27,000 27,000 28,000 50K 48,000 48,000
Per second
8 × GE
5GE
Interface 4GE 8GE 8GE 4GE, 8SFP 9GE 9GE 9GE 4GE, 4SFP 9GE 9 x GE 9 x GE 9 x GE 4 × GE (including 1
4Combo
bypass pair)
Expansion N/A N/A N/A N/A N/A N/A N/A N/A
N/A Yes N/A N/A N/A 8GB 8GB
Slot
Local 16G N/A N/A N/A N/A N/A 256 GB SSD, 256 GB SSD,
32G EMMC 160G SSD 240G SSD 240G SSD N/A N/A N/A
Storage SSD optional optional
Power single single single
Single Single/dual Single Single single single Single/dual Single/dual single/dual single/dual single single
Supply
1.75” H 1.62”H X
1U 1U 1U
High x 7”D x 6.29”D X 1U 1U desktop desktop 1U 1U 1U 1U Desktop Desktop
9.25”W 8.07”W

Product Hardware Specs - Enterprise
PA
PA
3020
3050/30 A2000
60
E2800 E2800P E3662P E3668P E3960P E3968P A2600 PA 3220 PA 5020
E2860/2
868
PA 3250 PA 3260
E3662/3
668
T1860 T2860
968
E3960/3 E3965/E
5168

Throughput 2G 4G 5G 4.5/6G 8 Gbps 10 Gbps 10 Gbps 10 Gbps 10 Gbps 5G 4.6G 5G 6G 6/7G 8.4/10G 8G 8G 10G 10G 10G

VPN
500M 740M N/A 3G 3 Gbps 3 Gbps 3 Gbps 4 Gbps 4 Gbps N/A 2.5G 2G 3G 3.2G 4.8G 3G 3G 3.8G 4G 6G
Throughput

TP
1G 2G 800M 700M 860 Mbps 900 Mbps 900 Mbps 1.1 Gbps 1.1 Gbps 1.6G 2.2G 2G 800M 3G 4.7G 900M 600M 900M 1.1G 2G
Throughput

NGFW Not 1.25 1.25 1.25


Not info 1.2G 850M 1.5 Gbps 1.5 Gbps 1.8G Not info Not info 1.0G Not info Not info 1.2G 1.2G 1.5G 1.5G 3G
Throughput info Gbps Gbps Gbps

Concurrent 1M/ 1M/


250k 500K 1M 1M 3M 3M 3,2M 3,2M 1.2M 1M 1M 2M 3M 3M 1.5M 3M 4M 6M
Connections 2M 2M

New
Connections 50k 50k 48,000 80K 80,000 120,000 120,000 150,000 150,000 120,000 57k 120k 80K 84k `118k 120K 80K 100K 150K 170K
Per second
6 × GE(1 1MGT、 1MGT、
8 × GE 6 x GE (1 6 x GE (1 8 × GE
12GE, 1MGT、 pair 1HA、 1HA、
(includin bypass bypass (includin 12GE 12GE
12GE, 8SFP/8G 5GE 5 x GE, 4 6 x GE, 4 6 x GE, 4 12GE 6GE 12GE 1HA 6 × GE, 4 bypass 4GE、 2GE、
Interface g1 pair), 4 x pair), 4 x g1 4SFP 8SFP+
8SFP E, 8SFP, 4Combo x Combo x SFP x SFP 8SFP 4SFP 8SFP+ 、6GE、 × SFP port), 4 × 2Bypass、2Bypass、
bypass SFP, 2 x SFP, 2 x bypass 4SFP+ 4QSFP+
2SFP+ 4SFP SFP, 2 × 4SFP、 4SFP、
pair) SFP+ SFP+ pair)
SFP+ 2SFP+ 2SFP+
480 GB / 480 GB /
2x 2x 2x 2x
Expansion 960 GB / 960 GB /
- - - N/A Generic Generic Generic Generic - - 2 - - 2 2 2 2 4
Slot 1.92 TB
Slot Slot Slot Slot
1.92 TB
SSD SSD
480G SSD 480G SSD
-/128G or -/128G or -/128G or
120G 120G 256G 256G 240G 120/240G (960G (960G -/256G or
Local Storage 8GB - N/A N/A N/A 8GB 256G or 240G SSD 240G SSD 256G or 256G or
SSD SSD SSD SSD SSD SSD SSD SSD 512G
512G 512G 512G
Optional) Optional)
Power Single/du single/du single/ single/ single/ single/ single/ single/ single/du Single/du Single/du single/ Single/du Single/du single/ single/ single/ single/
single dual
Supply al al dual Dual dual dual dual dual al al al dual al al dual dual dual dual
High 1U 1U/1.5U 1U 1U 1U 1U 1U 1U 1U 1U 2U 2U 1U 2U 2U 1U 1U 1U 1U 2U
Product Hardware Specs - Enterprise
| | PA 5020 | E5260/5268 | E5260P | E5268P | A3000 | A3600 |
| --- | --- | --- | --- | --- | --- | --- |
| Throughput | 10G | 16G | 20 Gbps | 20 Gbps | 20G | 20G |
| VPN Throughput | 4G | 8G | 8.4 Gbps | 8.4 Gbps | N/A | N/A |
| TP Throughput | 5G | 2.2G | 2.2 Gbps | 2.2 Gbps | 1.6G | 1.6G |
| NGFW Throughput | Not info | 3.5G | 3.9 Gbps | 3.9 Gbps | 1.8G | 1.8G |
| Concurrent Connections | 2M | 6M | 6M | 6M | 2M | 3M |
| New Connections Per second | 120k | 200K | 200,000 | 200,000 | 140,000 | 140,000 |
| Interface | 12GE 8SFP 4SFP+ | 1MGT, 1HA, 2GE, 2Bypass, 4SFP, 2SFP+ | 4 x GE (1 bypass pair), 4 x SFP, 2 x SFP+ | 4 x GE (1 bypass pair), 4 x SFP, 2 x SFP+ | 2 × SFP+, 8 × SFP, 16 × GE (including 2 bypass pairs) | 2 × SFP+, 8 × SFP, 16 × GE (including 2 bypass pairs) |
| Expansion Slot | - | 4 | 4 x Generic Slot | 4 x Generic Slot | - | - |
| Local Storage | 120/240G SSD | -/256G or 512G | N/A | 256G SSD | 8GB | 8GB |
| Power Supply | Single/dual | dual | dual | dual | single/dual | single/dual |
| High | 2U | 2U | 2U | 2U | 1U | 1U |
Product Hardware Specs - Enterprise
PA
PA 5060 E5568 A3700 A3800 T3860 E5560P E5568P T5060 E5660 E5760 E5760P PA 5250 E5960 T5860 E5960P
5220
Throughpu 18G 20G 20G 20G / 40G 20G / 40G 20G 20 Gbps 20 Gbps 25G 25G 32G 40 Gbps 39G 40G 40G
40 Gbps
t
VPN
Throughpu 8G 4G 12G N/A N/A 12G 12 Gbps 12 Gbps 15G 15G 18G 18.8 Gbps 16G 25G 28G 25.6 Gbps
t
TP
Throughpu 9G 10G 3G 1.6G 2.8G 2.5G 3.1 Gbps 3.1 Gbps 4G 4.5G 5G 5.2 Gbps 20G 6G 6G 8.2 Gbps
t
NGFW
Throughpu Not info Not info 5G 1.8G 3.7G 7.5G 5.6 Gbps 5.6 Gbps 8G 7G 8G 8.9 Gbps Not info 9.5G 12G 14 Gbps
t
Concurrent
Connectio 4M 4M 10M 6M 8M 4M 10M 10M 5M 10M 12M 25M 8M 15M 6M 15M
ns
New
Connectio
150k 120k 300,000 140,000 310,000 400,000 300,000 300,000 450,000 300,000 300,000 500,000 348k 500,000 500,000 600,000
ns Per
second
2 × SFP+, 2 × SFP+,
1MGT、1HA、 4x GE (1 4x GE (1
8 × SFP, 8 × SFP, 1MGT 1MGT 1MGT 1MGT 1MGT 1MGT
4GE 2GE、 bypass bypass 4 10GEcu
12GE 8SFP 16 × GE 16 × GE 1HA 1HA 1HA 1HA 4 x GE, 4x 1HA 1HA 4 x GE, 4x
Interface 16SFP+
4SFP+
2Bypass、
(including (including 2GE
pair), 4 x pair), 4 x
2GE 4GE 4GE SFP
16 SFP+
4GE 2GE SFP
4QSFP+ 4SFP、 SFP, 2 x SFP, 2 x 4 QSFP28
2 bypass 2 bypass 4SFP 4SFP 4SFP 4SFP 4SFP 4SFP
2SFP+ SFP+ SFP+
pairs) pairs)

Expansion - - 4 1 1 2
4 x Generic 4 x Generic
4 4 4 4 - 4 4 4
Slot Slot Slot

Local 240G SSD


120/240G
256G/512G 8GB 8GB 500G/1T N/A 256G SSD 500G/1T - - N/A 240 SSD - 500G/1T N/A
Storage SSD

Power Single/du
Single/dual dual single/dual dual dual dual dual dual dual dual dual dual dual dual dual
Supply al
High 3U 2U 2U 1U 1U 2U 2U 2U 2U 2U 2U 2U 3U 2U 2U 2U
Product Hardware Specs - Enterprise
| | E6160 | E6168 | PA 5260 | PA 5280 | E6360 | E6368 | E6368P |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Throughput | 60G | 60G | 68G | 68G | 80G | 80G | 90 Gbps |
| VPN Throughput | 35G | 35G | 24G | 24G | 50G | 50G | 64 Gbps |
| TP Throughput | 12G | 12G | 30G | 30G | 18G | 18G | 18 Gbps |
| NGFW Throughput | 16G | 16G | Not info | Not info | 24G | 24G | 26 Gbps |
| Concurrent Connections | 20M | 20M | 32M | 64M | 30M | 30M | 30M |
| New Connections Per second | 800K | 800K | 462K | 462K | 1.1M | 1.1M | 1.1M |
| Interface | 2MGT, 8SFP+, 2GE | 2MGT, 8SFP+, 2GE | 4 10GEcu, 16 SFP+, 4 QSFP28 | 4 10GEcu, 16 SFP+, 4 QSFP28 | 2MGT, 8SFP+, 2GE, 2QSFP+ | 2MGT, 8SFP+, 2GE, 2QSFP+ | 2 x GE, 8 x SFP+, 2×QSFP+ |
| Expansion Slot | 2xGeneric+1 BYPASS | 2xGeneric+1 BYPASS | - | - | 2xGeneric+1 BYPASS | 2xGeneric+1 BYPASS | 4 |
| Local Storage | - | 512G | 240G | 240G | - | 512G | 512G SSD |
| Power Supply | dual | dual | dual | dual | dual | dual | dual |
| High | 2U | 2U | 3U | 3U | 2U | 2U | 2.5U |
Product Hardware Specs – Carrier Class
PA 7050 PA 7080 X7180 X8180 X9180 X10800
Throughput 380/430G 630/720G 680G 450G 600G 1.2T

VPN Throughput 144G 240G 90G 250G 500G

TP Throughput 210G 350G N/A 100GB 200GB


50 Gbps

NGFW Throughput Not info Not info 70GB Not info 140GB 280GB

Concurrent Connections 192M 320M 240M 240M 130M 240M

New Connections Per


2.9M 4.8M 4.8M 4.8M 2.5M 5.4M
second

2 Gigabit optical 2 Gigabit optical 2 Gigabit optical


Up to 12 QSFP+ Up to 20 QSFP+ 4 x GE Combo slot (1 x interfaces (2 HA interfaces (2 HA interfaces (2 HA
Interface
72 SFP+ 120 SFP+ M GT+3 x HA) interfaces, single interfaces, single interfaces, single
SCM-260 module) SCM-280 module) SCM-300 module)
6 universal expansion 12 universal
10 x Generic Slot, 2 x slots, 2 security expansion slots, 2
3 universal expansion
System Control control module system control
slots, 2 security
Expansion Slot - - Module Slot, 1 x SD expansion slots, module expansion
control module
Card Slot, 2 x USB 2.0 2 switching module slots, 2 switching
expansion slots
Port expansion slots, 1 USB module expansion
2.0 port slots
Local Storage 2T 2T - - - -
2+ 2 redundant,
N+M (Max 4)
Power Supply dual dual Max.1300W ; 3+1 2+2 / 3+1 redundant Dual
redundant
redundant, Max.1950W

High 9U 19U 5U 5U 3U 7U

VM-Series SERIES VIRTUAL FIREWALL

VM-100 (2 Cores) VM-300 (4 cores) VM-500 (8 cores) VM-700 (16 cores)

MSSP
√ √ √ √

Service Provider
√ √ √

Entry Level √ √

Product Level SMB & BRANCHES Middle End Middle End High End

VM-Series SERIES
VM01 VM02 VM08
VM-100 (2 Cores) VM-300 (4 cores) VM-500 (8 cores) VM-700 (16 cores)

Hypervisor: KVM, VMware Hypervisor: KVM, VMware Hypervisor: KVM, VMware


ESXi, Xen, AMI (AWS), ESXi, Xen, AMI (AWS), ESXi, Xen, AMI (AWS),
Hyper-VCloud Hyper-VCloud Hyper-VCloud
Management Platform: Management Platform: Management Platform:
VMware vSphere 6.5, 6.7 VMware vSphere 6.5, 6.7 VMware vSphere 6.5, 6.7 VMware vSphere 6.5, 6.7
Openstack Liberty and Openstack Liberty and Openstack Liberty and
Supported Hypervisors VMware NSX-T Manager 2.4, VMware NSX-T Manager VMware NSX-T Manager VMware NSX-T Manager
above versions, VMware above versions, VMware above versions, VMware
2.5 2.4, 2.5 2.4, 2.5 2.4, 2.5
vCenter 5.5 and above vCenter 5.5 and above vCenter 5.5 and above
versions etc. • Array AVX versions etc. • Array AVX versions etc. • Array AVX
Series Network Functions Series Network Functions Series Network Functions
Platform Platform Platform

2 2, 4 2, 4, and 8 2,4,8,
Max Supported vCPUs 2 2 2 2,4 2,4,8 8
and 16

Interface Count (ESXi/Hyper- VMware paravirtual drivers VMware paravirtual VMware paravirtual VMware paravirtual
10 10 8
V/KVM) (vmxnet3, e1000) drivers (vmxnet3, e1000) drivers (vmxnet3, e1000) drivers (vmxnet3, e1000)

Min Memory 6.5 GB 2GB 4GB 9 GB 16 GB 56 GB 16GB

Minimum Storage 60 GB / 2 TB 4GB 4GB 60 GB / 2 TB 60 GB / 2 TB 60 GB / 2 TB 4GB

Firewall Inspection 9 Gbps


2 Gbps 2 Gbps / 10 Gbps 4 Gbps / 20 Gbps 4 Gbps 9 Gbps 10 Gbps / 80 Gbps
Throughput

5GB
IPS Throughput 1GB 1 Gbps / 3 Gbps 2 Gbps / 5 Gbps 2GB 5GB 6 Gbps / 14 Gbps

Juniper

How to Win Juniper – Hardware
Hardware
❑ Power Consumption – For the same performance level, the Juniper product power
consumption is almost 2 times more than Hillstone product. The data center firewall SRX5800
is of 5015W, while Hillstone X7180 is only 1300W. (Even in Small Enterprise models, Juniper
firewall power consumption is 122W & 150W respectively).
❑ Gigabit Interfaces – Some of the lower end Juniper models are still with 100M Ethernet
interfaces, while all Hillstone products including lowest end are with Gigabit Ethernet or SFP.
(All are gigabit interfaces now)

How to Win Juniper – Performance
Performance
❑ Concurrent Sessions – Hillstone hardware models support many more concurrent sessions than Juniper models. With more and more complicated applications and Web pages, a single user can easily use up to 2000 sessions at one time. For example, to serve the 10K students in one university, we will easily need 20M concurrent sessions in the firewall.
❑ New Sessions Per Second – Another key performance metric. Taking the above example, when 10K students get online at the same time, the firewall needs to create new sessions at a rapid rate to serve such a huge load. Otherwise, some users will experience long delays and a slow network, even though the network bandwidth may not be 100% used.
❑ IPS and AV Performance – For the same class of products, Hillstone offers much higher IPS and AV performance.
❑ Latency – Juniper products have much higher latency than Hillstone, on average 10 times more latency.
How to Win Juniper – NGFW Software

| Category | Function (5.5R7) | Juniper (JunOS) |
| --- | --- | --- |
| NAT | NAT Port Expansion / NAT46 / NAT64 / NAT444 | No |
| | NAT Address Availability Track | No |
| | Transparent NAT / Full Clone NAT / STUN | No |
| LLB | Intelligent LLB | No |
| | Bidirectional Forwarding Detection (BFD) | Yes |
| | DNS Proxy | Yes |
| | Application and Scheduled PBR | Yes |
| | ISP Routing | No |
| | Application and URL Steering (Application Routing) | No |
| Other | SmartDNS | No |
| | iQoS | No |
| | App Based Session Limiting | No |
| | Policy Search and Policy Hit Count | No |
| | Three System Administration Roles | No |
| VPN | PnPVPN | No |
| | SSLVPN | Yes |
How to Win Juniper – iNGFW Software

| Category | Function (5.5R3) | Juniper (JunOS) |
| --- | --- | --- |
| Intelligent NGFW | Global Fault Detection | No |
| | Packet Path Detection | No |
| | Threat Indexing | No |
| | Cyber Kill Chain Mapping | No |
| | Abnormal Behavior Detection | No |
| | Advanced Threat Detection | No |
| | Auto Risk Mitigation | No |
| | Forensic Analysis | No |
How to Win Juniper – Business and What to Avoid
Business and Others
❑ According to NSSlab testing, Juniper's real TCO is way too expensive on the same protected Mbps benchmark ($97 vs. $6).
❑ In switching from Netscreen's award-winning ScreenOS-based NS/SSG product line to the JunOS-based SRX product line, Juniper wasted many years trying to catch up with the latest security technology. SRX was not stable for a long time, and Juniper lost many loyal Netscreen customers, who switched to Hillstone.

What to Avoid
Hillstone Counterattack Juniper
IPS Signature Size
❑ Juniper – Juniper claims it can support an IPS attack signature database of 7000+ signatures.
❑ Hillstone Strategy – A larger signature database doesn't necessarily mean better security. In NSSLab security effectiveness testing, Hillstone performs better in both static testing and live testing.
Routing Functions
❑ Juniper – Juniper products support MPLS VPN and lots of other routing features which are normally only available in core routers.
❑ Hillstone Strategy – JunOS itself is a core routing OS, not a security OS. Juniper just leverages the routing features already in JunOS. Most of these MPLS and routing features are not useful in actual firewall deployments. Also, having so many unnecessary software features is one of the reasons JunOS-based SRX products are not stable and are very hard to manage/sustain. Hillstone's abundant routing and networking features, by contrast, were developed purposely to solve customers' real pain; they are very targeted, and well liked by most of Hillstone's customers.
Key Points
❑ Juniper has a built-in SD-WAN feature, but when this feature is in use, firewall performance is severely compromised.
❑ Juniper offers Advanced Threat Protection/Prevention technology through a third-party cloud, “SecIntel”, to provide threat intelligence.
❑ The built-in threat intelligence function of Juniper is only for log feeds (no file processing).
❑ Juniper is still using ASIC-based technology, whereas Hillstone uses a Multi-core Parallel Processing Architecture. This is far better than the old ASIC technology, which lowers throughput when processing large data packets, while Hillstone's Multi-core Parallel Processing Architecture ensures the same throughput for both small and large packets.
❑ Juniper does not have its own antivirus methodology or technology; rather, it uses Sophos and Avira for its antivirus signature database.
Juniper Product Overview (Small-Enterprise)
Hardware Specs – Small Enterprise
Juniper Product Overview (Mid-Enterprise)
Hardware Specs – Mid Enterprise
Juniper Product Overview (Large-Enterprise)
Hardware Specs – Large Enterprise
Product Hardware Specs - Enterprise
| | A1000 | A1100 | A2000 | SRX300 / SRX320 | A2600 | SRX340 / SRX345 | SRX380 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Throughput | 4Gbps | 5Gbps | 5Gbps | 1 Gbps | 5Gbps | 3G / 5G | 10G |
| Concurrent Connections | 300K | 300K | 1M | 64K | 1.2M | 256K / 375K | 380K |
| New Connections Per second | 48K | 48K | 48K | 5K | 120K | 10K / 15K | 50K |
| IPS Throughput | 3.4Gbps | 3.7Gbps | 3.2Gbps | 0.2G | 4.5Gbps | 0.4G / 0.6G | 2G |
| AV Throughput | 1.8Gbps | 2Gbps | 2Gbps | 85Mbps | 3.7Gbps | 300M | 350M |
| Form Factor | Desktop | Desktop | 1U | Desktop Model | 1U | 1U | 1U |
Product Hardware Specs - Enterprise
| | SRX550 | SRX1500 | A3000 | A3600 | A3700 | SRX4100 / SRX4200 | A3800 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Throughput | 7G | 9G | 20G | 20G | 20 / 40G | 40G / 80G | 20 / 40G |
| Concurrent Connections | 375K | 2M | 2M | 3M | 6M | 5M / 10M | 8M |
| New Connections Per second | 27K | 90K | 140K | 140K | 140K | 250K / 500K | 310K |
| IPS Throughput | 0.8G | 4G | 8.3G | 8.5G | 8.6G | 15G / 30G | 17.5Gbps |
| AV Throughput | 0.3G | | 4.8G | 5G | 5.2G | | 9.4Gbps |
| Form Factor | 2U | 1U | 1U | 1U | 1U | 1U | 2U |
Product Hardware Specs - Enterprise
E1600 E1606 E1700
SRX300 /
SRX320 E2300 E2800 E2860
SRX340 /
SRX345
SRX380 E3660 E3662 T1860 T2860
Throughput 1Gbps 1.5/2Gbps 1.5/2Gbps 1 Gbps 2.5/4Gbps 4.5/6Gbps 6G 3G / 5G 10G 8G 8G 8G 10G

VPN 0.6G /
600Mbps 700Mbps 700Mbps 300Mbps 1Gbps 3Gbps 3G 3.5G 3G 3G 3G 3.8G
Throughput 0.8G
Concurrent 256K /
200K 400K 600K/1M 64K 1/2M 1/2M 2M 380K 1/2M 3M 1.5M 3M
Connections 375K
New
Connections 8K 12K 15K 5K 30k 40k 80K 10K / 15K 50K 80K 120K 80,000 100,000
Per second
IPS 0.4G /
400Mbps 600Mbps 600Mbps 0.2G 1Gbps 1.8Gbps 1.8G 2G 3G 3G 3Gbps 3.8Gbps
Throughput 0.6G
AV
300Mbps 400Mbps 400Mbps 85Mbps 700Mbps 1.2Gbps 1.2G 300M 350M 2G 1.6G 1.6Gbps 2Gbps
Throughput

Expansion 4 x Mini- 4 x Mini-


— — — 0 — — 2 2 2 2 2
Slot PIM PIM

IPSec 1024 /
512 1000 2000 256 4000 4000 4,000 2048 6,000 6,000
Tunnels 2048
Maximum
1000 2000 1000 2000 2000 8,000 2K / 4K 4K 8,000 8,000
Policies
1MGT
1MGT
16 x GE 4 1HA
Fixed I/O 5 x GE 5 x GE 6 x GE 8 x 1GE 6 x GE 6 x GE 1HA
9 x GE 9 x GE 9 x GE 8 x 1 GE x 10G 4GE、2Bypass
port 4 x Combo 4 x Combo 4 x SFP 8 x SFP 4 x SFP 4 x SFP 6GE
、4SFP、
SFP 4SFP
2SFP+
Desktop
High Desktop 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U
Model

Product Hardware Specs - Enterprise
E1600P E1600WP E1700P
SRX300 /
SRX320 E2800P E3662P
SRX340 /
SRX345
SRX380 E3668P E3960P T1860 T2860
Throughput 4.7Gbps 4.7Gbps 4.75Gbps 1 Gbps 8Gbps 10Gbps 3G / 5G 10G 10Gbps 10Gbps 8G 10G

VPN 0.6G /
850Mbps 850Mbps 850Mbps 300Mbps 3Gbps 3Gbps 3.5G 3Gbps 4Gbps 3G 3.8G
Throughput 0.8G
Concurrent 256K /
0.2M 0.2M 0.6M 64K 1M 3M 380K 3M 3.2M 1.5M 3M
Connections 375K
New
Connections 27K 27K 28K 5K 80k 120k 10K / 15K 50K 120k 150K 80,000 100,000
Per second
IPS 0.4G /
1.2Gbps 1.2Gbps 1.2Gbps 0.2G 3.3Gbps 3.3Gbps 2G 3.3Gbps 3.9Gbps 3Gbps 3.8Gbps
Throughput 0.6G
AV
890Mbps 890Mbps 890Mbps 85Mbps 2.1Gbps 2.1Gbps 300M 350M 2.1Gbps 2.2Gbps 1.6Gbps 2Gbps
Throughput

Expansion 2xGeneric 4 x Mini- 4 x Mini-


— — — 0 — 2 2 2 2
Slot Slots PIM PIM

IPSec 1024 /
512 512 2000 256 2000 6000 2048 6,000 6,000
Tunnels 2048
Maximum
1000 1000 2000 1000 2000 8,000 2K / 4K 4K 8,000 8,000
Policies
1MGT
1MGT
16 x GE 4 1HA
Fixed I/O 5 x GE 6 x GE 8 x 1GE 6 x GE 6 x GE 1HA
9 x GE 9 x GE 9 x GE 8 x 1 GE x 10G 4GE、2Bypass
port 4 x Combo 4 x SFP 8 x SFP 4 x SFP 4 x SFP 6GE
、4SFP、
SFP 4SFP
2SFP+
Desktop
High Desktop 1U 1U 1U 1U 1U 1U 1U 1U 1U 1U
Model

Product Hardware Specs - Enterprise
SRX550 SRX1500 E3968P E5260P E5268P
SRX4100 /
T3860 T5060 E5560P SRX4600 E5568P E5760P T5860
SRX4200
Throughput 7G 9G 10G 20G 20G 40G / 80G 20G 25G 20G 95G 20G 40G 40G
VPN
Throughput
1G 4.5G 4Gbps 6.4G 6.4G 4.8G 12G 15G 12G 55G 12G 18.8G 28G
Concurrent
Connections
375K 2M 3.2M 6M 6M 5M / 10M 4M 5M 10M 60M 10M 12M 6M
New
250K /
Connections 27K 90K 150K 200K 200K
500K
250,000 300,000 300K 600K 300K 500K 450,000
Per second
IPS
Throughput
0.8G 4G 3.9Gbps 8.9G 8.9G 15G / 30G 8Gbps 12Gbps 9.3G 65G 9.3G 18.5G 18Gbps
AV
Throughput
0.3G 2.2G 3.8G 3.8G 6Gbps 7Gbps 4.9G 4.9G 7.9G 10Gbps

Expansion Slot 2 x Mini-PIM 2 x PIM Slots 2 4 4 0 2 4 4 0 4 4 4

IPSec Tunnels 2000 2K 10,000 20,000 20,000 7,500 20,000 7,500 20,000 20,000

Maximum
8K 16K 12,000 40,000 40,000 60K 40,000 80K 40,000 40,000
Policies
1MGT 1MGT 24x1GbE/1 1MGT
16 x 1GE 8 x 1GE、
6 x 1GE 6GE、4SFP 4GE、4SFP 4GE、4SFP 1HA 1HA 4GE+4SF 0GbE – 1HA
Fixed I/O port 4 x 10GE 8 x 10G 4GE+4SFP 4GE+4SFP
4 x SFP 、2SFP+ 、2SFP+ 、2SFP+ 2GE 2GE P 4x40GbE/1 2GE
SFP+ SFP+
4SFP 4SFP 00GbE 4SFP
Form Factor 2U 1U 1U 2U 2U 1U 2U 2U 2U 1U 2U 2U 2U

Product Hardware Specs – Data Center
E5960P E6368P SRX5400 X7180 X8180 X9180 X10800 SRX5600 SRX5800
Throughput 40Gbps 90Gbps 270G 680G 450G 600Gbps 1T 480G 1T

VPN Throughput 25.6Gbps 64Gbps 140G 90G - 250Gbps 300G 280G 530G

IPS Throughput 18.8Gbps 37Gbps 230G 100G - 200Gbps 400G 460G 860G

AV Throughput 14Gbps 28Gbps - - - -

Concurrent
15M 30M 91M 240M 130M 200M 480M 182M 338M
Connections
New Connections Per
600,000 1.1M 1.7M 4.8M 2.5M 4M 10M 3.4M 6.3M
second

1MGT、 1MGT、8SFP+
Interface - 4GE/SFP - - - -
8SFP+、2GE 、2GE,2QSFP+

6 Universal, 2 12 Universal, 2
2 x Generic
2 x Generic Slot, Switching Switching
Expansion Slot Slot, 1 x 2 12 - 5 11
1 x Bypass Slot Control, 2 System Control, 2 System
Bypass Slot
Control Control

Local Storage - - - - - - -

Power Supply dual dual 1 2+2 - 2+2 4+4 DUAL

Form Factor 2.5U 2.5U 5U 5U - 7U 18U 8U 16U

Product Specs – Virtualization
vSRX-VMware vSRX-KVM
Container SRX,
cSRX Firewall SG6000-VM01 SG6000-VM02 SG6000-VM04
SG6000-VM08
(Virtual)
Support Core
2 / 5 / 9 / 17 2 / 5 / 9 / 17 2 1/1 2/2 4 8
Number
4 / 8 / 16 / 32 / 64 4 / 8 / 16 / 32 / 64
RAM 4GB 1 GB / 1GB 2 GB / 2 GB 8 GB 16 GB
GB GB

Throughput 9.5 / 14 / 73 / 81 G 14 / 39 / 68 / 98 G 13.5Gbps 2Gbps 4Gbps 8Gbps 10Gbps

Concurrent 512K / 2 / 4 / 12 / 28 512K / 2 / 4 / 12 / 28


512K 100K 500K 5M 10M
Connections M M

New Connections 55K / 166250 / 69K / 239380 / 360K


30K 10K 20K 80K 160K
Per second 351250 / 537660 / 612660

IPS 2.3 / 7.1 / 18 / 39 G 3 / 10 / 19 / 36 G 2.6Gbps N/A N/A 4Gbps 6Gbps


Throughput
IPSec Throughput 2.2 / 4.2 / 12 / 13 G 1.1 / 7 / 10 / 16 G 200Mbps 400Mbps 2.8Gbps 4.2Gbps

IPSec VPN 50 500 50 500


Tunnel
SSL Concurrent
500 500 5/50 5/250 50 250
Users

Cisco

How to Win CISCO

Key Focus
1. Intelligence functions, such as advanced threat detection, abnormal behavior detection, risk management, risk mitigation, auto packet capture, etc.
2. Operation management functions, such as packet path detection
3. Graphical statistics of traffic and TOP 10 in the Web UI
4. QoS nesting function
5. Enabling the IPS and AV functions together (the ASA5500-X series has no AV engine, only web security detection)
6. Twin-mode solution
7. Virtualized security solution

Beating Points

Function
1. Does not support LLB and SmartDNS; not applicable to multi-link scenarios
2. Does not support server load balancing
3. Does not support a security management platform or a security auditing platform (HSM & HSA)
4. No real-time traffic display
5. Does not support GRE or GRE over IPSec; limited for non-IP network, broadcast and dynamic routing scenarios
6. Cisco does not offer a scalable data center firewall; the ASA5585-X is EOS

Hardware
1. Does not have enough interfaces
2. Except for the 5585-X series, none of the devices support 10G
3. Does not support hardware bypass
4. ASA5512/15/25-X do not support dual power
5. The board exchanging function, max concurrent connections and VPN performance are lower than on the same model level of Hillstone

Architecture + Performance
1. The ASA architecture is x86-based; you need to add an SSP module to provide the additional IPS and CX functions, and those two functions cannot be enabled together
2. Cisco NGFW requires Firepower software to be installed on the firewall, and there were a lot of problems with detections by the Firepower module

Avoiding
1. SSL decryption function
2. Cluster deployment

Hillstone Network Strong Points
• Broad line of firewalls, from 1 Gbps desktop models to data center models of up to 1.2 Tbps
• Patented technology for Abnormal Traffic Detection and Abnormal Behavior Detection based on traffic learning and behavior modeling
• Prevention of botnet C&C, DNS sinkhole, DGA
• Cloud intelligence – StoneShield
• T-series intelligent NGFW with kill chain mapping, forensic analysis and mitigation options

Hillstone Network Strong Points
• More ports and expansion modules on appliances than other vendors have
• Line of virtual FW appliances (CloudEdge)
• Five lines of FW products (A, E, E-Pro, T and X) to meet all business needs
• Broad portfolio of other products – Application Delivery Controller (AX), NTA & NDR (I-series), NIPS (S-series), SD-WAN and micro-segmentation
• Line of FWs for cloud – CloudEdge, CloudHive
• Central management of FW products from the cloud, from central on-premise FW management, or from mobile
• Own operating system, StoneOS, based on structured configuration and rollback, which can be done by Web or CLI
• A lot of appliance certifications
• GDPR compliance of cloud data
• Patented clustering mechanism – TWIN MODE
• Clear performance from datasheets to real production
• Cooperation with a world-class sandbox – Lastline
• Positioned in the Gartner Magic Quadrant
• TAC in Europe and other parts of the world
• Fast delivery time from Brno to the EU
• Comprehensive support
• Dedicated presales team for the EU
• Awards, and recommended by Gartner customers
• Good stability and ongoing product development
• Good price/performance and price per functionality

Hillstone Network featured functionalities
• 12000+ IPS signatures (99.6% of attacks blocked in NSS Labs tests), AV, URL categorization, IP reputation, user risk scoring, content visibility, SSL decryption, sandbox, geolocation, 4500+ in-depth application visibility (possibility to detect custom applications by traffic capture and add them to the FW list)
• Anti-spam based on real email traffic
• Built-in policy analysis: shadowed, unused, etc.
• Policy templates for fast implementations
• Automatic policy suggestion based on network traffic
• Netflow monitoring
• Granular security policies
• Comprehensive reports
• Virtual instances of firewalls, policy-based routing, QoS for applications
• Patented PnPVPN technology
• Deployment modes: transparent, inline, span/tap
• DNS64/NAT64 for IPv6, NAT46, NAT64, NAT444
• Server and link load balancing
• Identification of files based on network traffic
• Bypass mode

Software Beating Points
1. Does not support LLB; not applicable to multi-link scenarios
2. Does not support SmartDNS; not able to do intelligent DNS resolution for WAN users, and not able to return the fastest-access IP
3. Does not support server load balancing; not applicable to server cluster defense and load balancing scenarios
4. Does not support a security auditing platform (HSA)
5. QoS does not support IP/APP nesting; not applicable to complex bandwidth control
6. Does not support GRE or GRE over IPSec; limited for non-IP network, broadcast and dynamic routing scenarios
7. ASA5585-X does not support DS-Lite; not applicable to IPv4/IPv6 connection
8. Does not support IVI (IPv4 and IPv6 interaction)
9. Does not support a DGA detection engine; not able to detect botnet networks
10. Relies too much on the IPS module for threat detection, and on integration with Cisco AMP to mitigate the missing AV function
11. Does not provide cyber kill-chain mapping

Cisco ASA and FTD (Firepower)

CISCO ASA
• Traditional/Stateful L3-L4 Firewall
• Remote Access VPN Headend:
• Clientless VPN EzVPN/L2TP/3rd Party Clients
• DAP/Hostscan
• VPN Load balancing
• Local Authentication/TACACS/Kerberos
• Multi-Certificate Authentication
• Multi-context firewall

CISCO FTD
• Next Gen Firewall and IPS (NGFW, NGIPS)
• Advanced Malware Protection (AMP)
• True multi-tenancy with Multi-Instance
• Advanced network visibility and threat analytics
  o Correlation Rules
• Custom IPS Rules
• Firepower Recommendations
• Incident response and threat investigation
• TLS decryption

CISCO ASA Management

| Features | CSM (Cisco Security Manager) | ASDM (Adaptive Security Device Manager) | CDO (Cisco Defense Orchestrator) |
|---|---|---|---|
| Location and type of manager | On premise and multi-device | On-box local device | Cloud, multi-device, multi-platform |
| Firewall Deployment Modes | Active/Standby, Active/Active, Cluster, VPN Load Balancing | Active/Standby, Active/Active, Cluster, VPN Load Balancing | Active/Standby |
| Remote Access VPN Management | GUI based configuration for IPSEC, SSL and Clientless VPN, Hostscan | GUI based configuration for IPSEC, SSL and Clientless VPN, Hostscan | CLI based configuration for Remote Access VPN and Clientless VPN; HostScan or DAP not supported |
| Firewall Management Automation | Rule Optimization, Shared Configuration, Usage reports | Hit counts and Configuration Wizards | Object Conflicts, Rule Optimization, Configuration templates |
| Logging and Event Storage | Event Viewer and Report manager, Syslog, Netflow to external logging servers, SAL cloud integration using SEC | Event Viewer manager, Syslog, Netflow to external logging servers, SAL cloud integration using SEC | Event Viewer and VPN monitoring, SAL Cloud integration with Cross Launch |

Cisco Has No Intelligence Function

| Key Point | Cisco | Explanation |
|---|---|---|
| Proactive detection | No | Supports real-time monitoring of device resources, of the reliability and usability of network nodes, and of the usability of service nodes. |
| Fault Diagnosis | No | Supports visualized fault diagnosis: find the network fault point and locate the root cause rapidly, then modify the configuration. |
| Abnormal Behavior Detection | Support (need to add AMP and authorization by management center) | The Abnormal Behavior engine continuously monitors the network to learn what normal network traffic looks like for that particular day, time, and month, providing alerts when network activity exceeds calculated thresholds. It uses a 50+ dimensional array to calculate normal network traffic from layers L4-L7, called "behavior modeling." In addition, it has been trained with real hacking tools to ensure that it will readily recognize malicious activity. |
| Advanced Threat Detection | Support (need to add AMP and authorization by management center) | Each known malware sample has been classified and characterized based on multiple dimensions that describe its actions, assets and attributes. When new malware is encountered, it is also analyzed, characterized and classified. Then it is compared to the database of known malware samples that have already been analyzed. The more closely the unknown sample matches a known sample, the higher the confidence level that it is a variant of a known malware sample. This process is called "statistical clustering" and provides an accurate method for identifying new malware. |
| Risk Mitigation | No | These features consist of pre-defined templates that automatically slow down or block an attack if suspicious behavior is detected. The administrator can modify the templates to limit the bandwidth or the number of sessions available to the attacker, and can also adjust the constraints placed on network resources based on the type of attack and the severity level. Actions include: session limit, bandwidth limit and block. |
| Risk Management | Support (need to add AMP and authorization by management center) | Visualization of risk and threat, including the network risk index, risky hosts and the detailed information of a specific threat. The admin can understand the entire network security status and the threat source. |

CISCO NGFW Talking Points and Hillstone Strategy
NGIPS of Cisco ASA
【CISCO】FirePOWER Services (NGIPS function): Cisco ASA provides efficient threat prevention and full situational awareness of users, infrastructure, applications and contents, thus providing various threat detection and auto defense.

【Strategy】Firstly, this function requires a separate license and needs software installed on a separate device, so the cost is increased. Secondly, the IPS function has already been integrated into the Hillstone NGFW for a few years; the technology is mature and we have a complete signature database, and we also have attack defense functions against SQL injection and XSS attacks. Thirdly, Sourcefire and Cisco technology are still in the merging stage: the commands of FirePOWER Services differ from Cisco's, and you have to go into the function module to configure them, which is not easy for the customer to use and manage. Finally, the FirePOWER Services management platform requires a separate software/hardware platform to support it, which increases the cost.

CISCO NGFW Talking Points and Hillstone Strategy
Reputation and category based URL filter

【CISCO】FirePOWER Services URL filter function: Reputation and category based URL filtering offers comprehensive alert and control for suspicious network traffic, and executes policy rules for hundreds of millions of URLs in more than 80 categories.

【Strategy】Firstly, Sourcefire and Cisco technology are still in the merging stage: the commands of FirePOWER Services differ from Cisco's, and you have to go into the function module to configure them, which is not easy for the customer to use and manage. Secondly, the FirePOWER Services management platform requires a separate software/hardware platform to support it, which increases the cost.

CISCO NGFW Talking Points and Hillstone Strategy
Cisco Firepower Management Center (Secure Firewall Threat Defense Manager)

【CISCO】Manage events and policy for Firepower NGFW, ASA with FirePower,
NGIPS, FirePOWER Threat Defense for ISR, AMP

• See the users, hosts, applications, files, mobile devices, virtual environments, threats, and vulnerabilities that
exist in your constantly changing network.
• Control access to network, control application use, and defend against known attacks
• Automatically correlates security events with the vulnerabilities
• Threat Intelligence Director ingests intelligence from multiple sources. It then facilitates the appropriate
monitoring and containment actions. It correlates observations with third-party sources to reduce the total
number of alerts you need to review.
• Multitenancy management and policy inheritance
• Secure boot: a mechanism to validate the integrity of Cisco software running on the FMC hardware at system boot

CISCO NGFW Talking Points and Hillstone Strategy
Cisco Firepower Management Center (Secure Firewall Threat Defense Manager)
【CISCO】

| Category | Cisco Firepower Management Center | Typical IPS | Typical Next-Generation Firewall |
|---|---|---|---|
| Threats | Yes | Yes | Yes |
| Users | Yes | Yes | Yes |
| Web applications | Yes | No | Yes |
| Application protocols | Yes | No | Yes |
| File transfers | Yes | No | Yes |
| Malware | Yes | No | No |
| Command-and-control servers | Yes | No | No |
| Client applications | Yes | No | No |
| Network servers | Yes | No | No |
| Operating systems | Yes | No | No |
| Routers and switches | Yes | No | No |
| Mobile devices | Yes | No | No |
| Printers | Yes | No | No |
| VoIP phones | Yes | No | No |
| Virtual machines | Yes | No | No |
| Vulnerability information | Yes | No | No |

The Difference for Similar Points in HS and Cisco
Function Analysis

The CISCO NGFW is Cisco ASA with FirePOWER Services. FirePOWER Services technology comes from Sourcefire, which was acquired by Cisco. For models below the ASA5585, FirePOWER Services is sold as software; for the ASA5585 it is sold as an extension card. Security functions such as AV, URL filter, NGIPS, malware protection, and APP filter and control are offered by the linkage between the ASA and the software.

The Hillstone NGFW already supported all those functions in 5.5 firmware. For Cisco NGFW you need to buy a separate license for each function or bundle, so the cost will be higher. Hillstone's iNGFW can do advanced threat detection, abnormal behavior detection, risk evaluation, risk mitigation and packet capture, which Cisco NGFW can't do.

Virtual Firewall comparison (on-premise)
| Model | 100M (ASAv5) | 1G (ASAv10) | 2G (ASAv30) | 10G (ASAv50) | 20G (ASAv100) | CloudEdge VM01 | CloudEdge VM02 | CloudEdge VM04 | CloudEdge VM08 |
|---|---|---|---|---|---|---|---|---|---|
| FW Throughput | 100 Mbps | 1G | 2G | 10G | 20G | 2G / 10G | 4G / 20G | 8G / 30G | 10G / 80G |
| NGFW Throughput | - | - | - | - | - | 700 Mbps / 1.5G | 1.4G / 2.5G | 2.8G / 3.5G | 4.2G / 7G |
| IPS Throughput [440 byte HTTP2] | - | - | - | - | - | 1G / 3G | 2G / 5G | 4G / 7G | 6G / 14G |
| Max concurrent sessions | 50,000 | 100,000 | 500,000 | 2M | 4M | 100,000 | 500,000 | 5M | 10 M |
| New Sessions/s (Cisco – connections) | 8000 | 20,000 | 60,000 | 120,000 | 250,000 | 20,000 / 30,000 | 40,000 / 50,000 | 80,000 / 100,000 | 160,000 / 200,000 |
| Core (Cisco CPU) | 1 | 2 | 4 | 8 | 16 | 2 (min) | 2 (min) | 4 (min) | 8 (min) |
| Memory | 2 GB | 4 GB | 8 GB | 16 GB | 32 GB | 2 GB (min) | 4 GB (min) | 8 GB (min) | 16 GB (min) |
| Storage | 8 GB | 8 GB | 8 GB | 8 GB | 8 GB | 4 GB | 4 GB | 4 GB | 4 GB |
| Network Interfaces | - | - | - | - | - | 10 | 10 | 10 | 10 |

Virtual NGFW comparison (on-premise)
Model NGFWv 4 vCPU NGFWv 8 vCPU NGFWv 12 vCPU CloudEdge VM01 CloudEdge VM02 CloudEdge VM04 CloudEdge VM08

FW Throughput - - - 2G / 10G 4G / 20G 8G / 30G 10G / 80G

NGFW Throughput 1G 2G 3G 700 Mbps / 1.5G 1.4G / 2.5G 2.8G / 3.5G 4.2G / 7G

IPS Throughput [440


- - - 1G / 3G 2G / 5G 4G / 7G 6G / 14G
byte HTTP2]

Max concurrent
250,000 500,000 100,000 500,000 5M 10 M
sessions 100,000

New Sessions/s
20,000 20,000 40,000 20,000 / 30,000 40,000 / 50,000 80,000 / 100,000 160,000 / 200,000
(Cisco – connections)

Core (Cisco CPU) 4 8 12 2 (min) 2 (min) 4 (min) 8 (min)

Hardware Model and Specification Analysis
1. 2U products are limited to 2 expansion slots
2. Fewer supported interfaces and less expansion capability
3. Products under 10G do not support dual-power redundancy
4. Products of 10G and above do not support an individual HA interface; the 10G interface needs an additional license
5. Does not support ISSU (In-Service Software Upgrade), which the Hillstone X series supports
6. Fewer concurrent connections
7. Fewer new connections: at the same throughput or bandwidth, the higher the new connection number is, the more users can be supported, and it is also able to prevent bigger attacks

SMB and Branches-Product Specifications
ASA-5506-X ASA-5508-X ASA-5516-X
ASA-5506W-X ASA-5506H-X
w/ w/ ASA-5512-X w/ w/
Model w/ FirePOWER w/ FirePOWER E1100 E1600 E1606 E1700 A1000 A1100 E1600P E1600WP E1700P
FirePOWER FirePOWER FirePOWER Services FirePOWER
Services Services
Services Services Services

FW Throughput 750M 750M 750M 1G 1G 1.8G 1G 1G 1G 1.5G/2G 4G 5G 4.7G 4.7G 4.75G

IPS Throughput 1.2G 1.2G 1.2G


[440 byte 125M 125M 125M 250M 150M 450M 400M 400M 400M 600M 3.4G 3.7G
HTTP2]

Max 200,000 200,000 600,000


20,000-
concurrent 20,000-50,000 50,000 100,000 100,000 250,000 200,000 200,000 400,000 600,000-1M 300,000 300,000
50,000
sessions
27,000 27,000 28,000
New
5000 5000 5000 10,000 10,000 20,000 8000 8000 12,000 15,000 8,000 8,000
Sessions/s

8 × GE
4GE
1 MGT
Fixed I/O Ports 8GE 8GE 4GE 8GE 6GE 8GE 9GE 9GE 9GE 9GE (including 1 9 x GE 9 x GE 9 x GE
(including 1
bypass pair)
bypass pair)

Available Slots ╳ ╳ ╳ ╳ 1 ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳

Expansion 6GE/6SFP (micro hot


╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳ ╳
Module plug card)


WiFi ╳ √ ╳ ╳ ╳ ╳ √ ╳ ╳ ╳ ╳ ╳ x x

3G ╳ ╳ ╳ ╳ ╳ ╳ √ ╳ ╳ ╳ x x x x x

Small & Medium Enterprises-Product Specifications
ASA-5525- ASA-5545- ASA-5555-
X w/ X w/ X w/
Model FPR2110 FPR2120 FPR2130 FPR2140 E2300 E2800 E2860 E3660 E3662 T1860 A2000 A2600
FirePOWER FirePOWER FirePOWER
Services Services Services

FW
Throughpu 2G 3G 4G 2.5G 4.5-6G 6G 8G 8G 8G 5G 5G
t
IPS
Throughpu
650M 1G 1.25G 2G 3G 4.75G 8.5G 1G 1.8G 1.8G 3G 3G 3G 3.2 G 4.5 G
t [440 byte
HTTP2]

Max
concurre
500,000 750,000 1M 1M 1.2M 2M 3M 1-2M 1-2M 2M 1-2M 3M 1.5M 1M / 2M 1.2M / 2M
nt
sessions

New
Sessions 20,000 30,000 50,000 16,000 24,000 40,000 68,000 30,000 60,000 60,000 80,000 80,000 80,000 48,000 120,000
/s

Fixed I/O 12 GE 12 GE 12 GE 12 GE 8 × GE 8 × GE
8GE 8GE 8GE 5GE+4comb 5GE+4comb 6GE+4SFP 6GE+4SFP 6GE+4SFP 6GE+4SFP
Ports 4 SFP 4 SFP 4 SFP 4 SFP 1 MGT 1 MGT

Available
1 1 1 0 0 1 1 2 2 2 2 x x
Slots
FPR-NM- FPR-NM-
8X10G) 8 x 8X10G) 8 x
10 Gigabit 10 Gigabit IOC-4GE-B- IOC-4GE-B- IOC-4GE-B-
Ethernet Ethernet M、IOC- M、IOC- M、IOC-
IOC-4GE-B-
Enhanced Enhanced 8GE-M、 8GE-M、 8GE-M、
Expansion M、IOC-
6GE/6SFP 6GE/6SFP 6GE/6SFP x x Small Form- Small Form- x x IOC-8SFP-M IOC-8SFP-M IOC-8SFP-M x x
Module 8GE-M、
Factor Factor 、 、 、
IOC-8SFP-M
Pluggable Pluggable IOC-4GE- IOC-4GE- IOC-4GE-
(SFP+) (SFP+) POE POE POE
network network
module module
Up to 24 Up to 24
total total
Up to 16 Up to 16
Ethernet Ethernet
total total
ports ports
Ethernet Ethernet
(12x1G RJ- (12x1G RJ-
Max port 14GE/8GE+ 14GE/8GE+ 14GE/8GE+ ports ports
45, 4x10G 45, 4x10G x x 22GE/20SFP 22GE/20SFP 22GE/20SFP 22GE/20SFP ╳ ╳
number 6SFP 6SFP 6SFP (12x1G RJ- (12x1G RJ-
SFP+, and SFP+, and
45, 4x1G 45, 4x1G
network network
SFP) SFP)
module module
with 8x10G with 8x10G
SFP+) SFP+)
Small & Medium Enterprises-Product Specifications
ASA-5525-X w/ ASA-5545-X w/ ASA-5555-X w/
Model FirePOWER FirePOWER FirePOWER FPR2110 FPR2120 FPR2130 FPR2140 E2800P E3662P E3668P E3960P E3968P
Services Services Services

FW Throughput 2G 3G 4G 8G 10G 10G 10G 10G

IPS Throughput
650M 1G 1.25G 2G 3G 4.75G 8.5G 3.3 G 3.3 G 3.3 G 3.9 G 3.9 G
[440 byte HTTP2]

Max
concurrent 500,000 750,000 1M 1M 1.2M 2M 3M 1M 3M 3M 3.2M 3.2M
sessions

New
20,000 30,000 50,000 16,000 24,000 40,000 68,000 80,000 120,000 120,000 150,000 150,000
Sessions/s

6 x GE (1 bypass 6 x GE (1 bypass
5 x GE, 4 x
12 GE 12 GE 12 GE 12 GE 6 x GE, 4 x SFP 6 x GE, 4 x SFP pair), 4 x SFP, 2 pair), 4 xSFP, 2 x
Fixed I/O Ports 8GE 8GE 8GE Combo
4 SFP 4 SFP 4 SFP 4 SFP x SFP+ SFP+

Available Slots 1 1 1 0 0 1 1 x 2 2 2 2

FPR-NM-8X10G) FPR-NM-8X10G)
8 x 10 Gigabit 8 x 10 Gigabit
IOC-4GE-B-P, IOC-4GE-B-P, IOC-4GE-B-P, IOC-4GE-B-P,
Ethernet Ethernet
Expansion IOC-8GE-P, IOC- IOC-8GE-P, IOC- IOC-8GE-P, IOC- IOC-8GE-P, IOC-
6GE/6SFP 6GE/6SFP 6GE/6SFP x x Enhanced Small Enhanced Small x
Module 8SFP-P 8SFP-P 8SFP-P 8SFP-P
Form-Factor Form-Factor
Pluggable (SFP+)Pluggable (SFP+)
network module network module

Up to 24 total Up to 24 total
Up to 16 total Up to 16 total Ethernet ports Ethernet ports
Ethernet ports Ethernet ports (12x1G RJ-45, (12x1G RJ-45,
18GE/12SFP/2SF 18GE/12SFP/2SF
Max port number 14GE/8GE+6SFP 14GE/8GE+6SFP 14GE/8GE+6SFP (12x1G RJ-45, (12x1G RJ-45, 4x10G SFP+, 4x10G SFP+, 9GE/4SFP 18GE/12SFP 28GE/12SFP
P+ P+
4x1G SFP) 4x1G SFP) and network and network
module with module with
8x10G SFP+) 8x10G SFP+)
Medium & Large Enterprises-Product Specifications
Firepower Firepower Firepower Firepower
Model 4110 4112 4115 4120
E3960 E3965 T2860 E5260 T3860 E5660 T5060 E5760 A3000 A3600

FW
Throughpu 13G 14G 27G 22G 10G 10G 10G 16G 20G 25G 25G 32G 20G 20G
t
IPS
Throughpu 6G 6.5G 8G 10G 4G 4G 4G 5G 8G 12G 12G 15G 8.3G 8.5G
t [440 byte
HTTP2]
Max
concurre 10M 10M 15M 15M 4M 6M 3M 6M 4M 10M 5M 12M 2M / 3.2M 3M / 4.8M
nt
sessions
New
Sessions 150,000 400,000 848K 250,000 100,000 120,000 100,000 150,000 250,000 300,000 300,000 350,000 140K 140K
/s
8 x 10 8 x 10 8 x 10 8 x 10
Gigabit Gigabit Gigabit Gigabit
Ethernet Ethernet Ethernet Ethernet
Enhanced Enhanced Enhanced Enhanced
Small Form- Small Form- Small Form- Small Form-
Factor Factor Factor Factor
Pluggable Pluggable Pluggable Pluggable
(SFP+) (SFP+) (SFP+) (SFP+)
network network network network
modules modules modules modules
● 4 x 40 ● 4 x 40 ● 4 x 40 ● 4 x 40
Gigabit Gigabit Gigabit Gigabit
Ethernet Quad Ethernet Quad Ethernet Quad Ethernet Quad
SFP+ network SFP+ network SFP+ network SFP+ network
modules modules modules modules
● 8-port ● 8-port ● 8-port ● 8-port
1Gbps copper, 1Gbps copper, 1Gbps copper, 1Gbps copper, 2 × SFP+ 2 × SFP+
6GE(include 4GE(include 6GE(include 4GE(include
FTW (fail to FTW (fail to FTW (fail to FTW (fail to 8 ×SFP 8 ×SFP
Fixed I/O wire) Network wire) Network wire) Network wire) Network
1 pare Bypass 1 pare Bypass 1 pare Bypass 1 pare Bypass
2GE+4SFP 4GE+4SFP 2GE+4SFP 4GE+4SFP 16 × GE 16 × GE
Ports Module Module Module Module
ports) ports) ports) ports)
1 x MGT 1 x MGT
+4SFP+2SFP+ +4SFP+2SFP+ +4SFP+2SFP+ +4SFP+2SFP+
◦ 6-port 1G ◦ 6-port 1G ◦ 6-port 1G ◦ 6-port 1G 1 x HA 1 x HA
SX Fiber FTW SX Fiber FTW SX Fiber FTW SX Fiber FTW
(fail to wire) (fail to wire) (fail to wire) (fail to wire)
Network Network Network Network
Module Module Module Module
◦ 6-port ◦ 6-port ◦ 6-port ◦ 6-port
10Gbps SR 10Gbps SR 10Gbps SR 10Gbps SR
Fiber FTW (fail Fiber FTW (fail Fiber FTW (fail Fiber FTW (fail
to wire) to wire) to wire) to wire)
Network Network Network Network
Module Module Module Module
◦ 6-port ◦ 6-port ◦ 6-port ◦ 6-port
Medium & Large Enterprises-Product Specifications
Model Firepower 4110 Firepower 4112 Firepower 4115 Firepower 4120 E5260P E5268P E5560P E5568P

FW Throughput 13G 14G 27G 22G 20G 20G 20G 20G

IPS Throughput 6G 6.5G 8G 10G 8.4G 8.4G 12G 12G


[440 byte HTTP2]

Max concurrent
10M 10M 15M 15M 6M 6M 8M 8M
sessions

New Sessions/s 150,000 400,000 848K 250,000 200,000 200,000 300,000 300,000

8 x 10 Gigabit Ethernet 8 x 10 Gigabit Ethernet 8 x 10 Gigabit Ethernet 8 x 10 Gigabit Ethernet


Enhanced Small Form- Enhanced Small Form- Enhanced Small Form- Enhanced Small Form-
Factor Pluggable (SFP+) Factor Pluggable (SFP+) Factor Pluggable (SFP+) Factor Pluggable (SFP+)
network modules network modules network modules network modules
● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit
Ethernet Quad SFP+ Ethernet Quad SFP+ Ethernet Quad SFP+ Ethernet Quad SFP+
network modules network modules network modules network modules
● 8-port 1Gbps copper, ● 8-port 1Gbps copper, ● 8-port 1Gbps copper, ● 8-port 1Gbps copper,
FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) 4 x GE (1 bypass pair), 4
4 x GE (1 bypass pair), 4 4 x GE (1 bypass pair), 4 4 x GE (1 bypass pair), 4
Fixed I/O Ports Network Module Network Module Network Module Network Module
x SFP, 2 x SFP+
x SFP, 2 x SFP+
x SFP, 2 x SFP+ x SFP, 2 x SFP+
◦ 6-port 1G SX Fiber ◦ 6-port 1G SX Fiber ◦ 6-port 1G SX Fiber ◦ 6-port 1G SX Fiber
FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) FTW (fail to wire)
Network Module Network Module Network Module Network Module
◦ 6-port 10Gbps SR ◦ 6-port 10Gbps SR ◦ 6-port 10Gbps SR ◦ 6-port 10Gbps SR
Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire)
Network Module Network Module Network Module Network Module
◦ 6-port 10Gbps LR ◦ 6-port 10Gbps LR ◦ 6-port 10Gbps LR ◦ 6-port 10Gbps LR
Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire)
Network Module Network Module Network Module Network Module

Available Slots 2 2 2 2 4 4 4 4

Up to 24 x 10 Gigabit Up to 24 x 10 Gigabit Up to 24 x 10 Gigabit Up to 24 x 10 Gigabit


IOC-4GE-B-P IOC-8GE- IOC-4GE-B-P IOC-8GE- IOC-4GE-B-P IOC-8GE- IOC-4GE-B-P IOC-8GE-
Ethernet (SFP+) Ethernet (SFP+) Ethernet (SFP+) Ethernet (SFP+)
P IOC-8SFP-P IOC- P IOC-8SFP-P IOC- P IOC-8SFP-P IOC-
P IOC-8SFP-P IOC-
interfaces; up to 8 x 40 interfaces; up to 8 x 40 interfaces; up to 8 x 40 interfaces; up to 8 x 40
Expansion Module Gigabit Ethernet Gigabit Ethernet Gigabit Ethernet Gigabit Ethernet
4SFP+-P IOC-8SFP+-P 4SFP+-P IOC-8SFP+-P 4SFP+-P IOC-8SFP+-P 4SFP+-P IOC-8SFP+-P
IOC-2SFP+-Lite-P IOC-2SFP+-Lite-P IOC-2SFP+-Lite-P IOC-2SFP+-Lite-P
(QSFP+) interfaces with (QSFP+) interfaces with (QSFP+) interfaces with (QSFP+) interfaces with
2 network modules 2 network modules 2 network modules 2 network modules

16-port 10/100/1000, 12-port 10/100/1000,8-


4-port 10 Gigabit port 10 Gigabit
Max port number Ethernet*** SFP+ (with Ethernet SFP+ (with 2
16GE/12SFP/16SFP+ 16GE/12SFP/16SFP+ 16GE/12SFP/16SFP+ 16GE/12SFP/16SFP+
2 modules per chassis) modules per chassis)
Large Enterprises-Product Specifications
Model Firepower 4125 Firepower 4140 Firepower 4145 Firepower 4150 Firepower 4125 T5860 E5960 E6160 E6360 A3700 A3800

FW Throughput 40G 32G 53G 45G 40G 40G 40G 60G 80G 20G/40G* 20/40G*

IPS Throughput
[440 byte 14G 13G 18G 14G 14G 18G 18G 25G 35G 18G 18G
HTTP2]

Max
concurrent 25M 25M 40M 35M 25M 6M 15M 20M 30M 6M / 10M 8M / 10M
sessions

New
1.1M 350,000 1.5M 800,000 1.1M 450,000 500,000 700,000 900,000 140,000 310,000
Sessions/s
8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit
Ethernet Ethernet Ethernet Ethernet Ethernet
Enhanced Small Enhanced Small Enhanced Small Enhanced Small Enhanced Small
Form-Factor Form-Factor Form-Factor Form-Factor Form-Factor
Pluggable Pluggable Pluggable Pluggable Pluggable
(SFP+) network (SFP+) network (SFP+) network (SFP+) network (SFP+) network
modules modules modules modules modules

● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit


Ethernet Quad Ethernet Quad Ethernet Quad Ethernet Quad Ethernet Quad
SFP+ network SFP+ network SFP+ network SFP+ network SFP+ network
modules modules modules modules modules
2 × SFP+ 2 × SFP+
● 8-port 1Gbps ● 8-port 1Gbps ● 8-port 1Gbps ● 8-port 1Gbps ● 8-port 1Gbps 8 ×SFP 8 ×SFP
2GE + 8SFP+ +
Fixed I/O Ports copper, FTW (fail copper, FTW (fail copper, FTW (fail copper, FTW (fail copper, FTW (fail 2GE+4SFP 4GE+4SFP 2GE + 8SFP+ 16 × GE 16 × GE
2QSFP+
to wire) Network to wire) Network to wire) Network to wire) Network to wire) Network 1 x MGT 1 x MGT
Module Module Module Module Module 1 x HA 1 x HA
◦ 6-port 1G SX ◦ 6-port 1G SX ◦ 6-port 1G SX ◦ 6-port 1G SX ◦ 6-port 1G SX
Fiber FTW (fail to Fiber FTW (fail to Fiber FTW (fail to Fiber FTW (fail to Fiber FTW (fail to
wire) Network wire) Network wire) Network wire) Network wire) Network
Module Module Module Module Module
◦ 6-port ◦ 6-port ◦ 6-port ◦ 6-port ◦ 6-port
10Gbps SR Fiber 10Gbps SR Fiber 10Gbps SR Fiber 10Gbps SR Fiber 10Gbps SR Fiber
FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) FTW (fail to wire)
Network Module Network Module Network Module Network Module Network Module
◦ 6-port ◦ 6-port ◦ 6-port ◦ 6-port ◦ 6-port
10Gbps LR Fiber 10Gbps LR Fiber 10Gbps LR Fiber 10Gbps LR Fiber 10Gbps LR Fiber
FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) FTW (fail to wire)
Network Module Network Module Network Module Network Module Network Module
2 x Generic Slot, 2 x Generic Slot,
Available Slots 2 2 2 2 2 4 4 1 1
1 x Bypass Slot 1 x Bypass Slot

Up to 24 x 10 Up to 24 x 10 Up to 24 x 10 Up to 24 x 10 Up to 24 x 10
IOC-4XFP、IOC-
Gigabit Ethernet Gigabit Ethernet Gigabit Ethernet Gigabit Ethernet Gigabit Ethernet IOC-4GE-B-M、
4GE-B-M、
(SFP+) (SFP+) (SFP+) (SFP+) (SFP+) IOC-8GE-M、
IOC-8GE-M、
Large Enterprises-Product Specifications
Model Firepower 4125 Firepower 4140 Firepower 4145 Firepower 4150 Firepower 4125 E5760P E5960P E6368P

FW Throughput 40G 32G 53G 45G 40G 40G 40G 90G

IPS Throughput [440


14G 13G 18G 14G 14G 18.8G 25.6G 64G
byte HTTP2]

Max concurrent
25M 25M 40M 35M 25M 12M 15M 30M
sessions

New Sessions/s 1.1M 350,000 1.5M 800,000 1,1M 500,000 600,000 1,1M

8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit


Ethernet Enhanced Ethernet Enhanced Ethernet Enhanced Ethernet Enhanced Ethernet Enhanced
Small Form-Factor Small Form-Factor Small Form-Factor Small Form-Factor Small Form-Factor
Pluggable (SFP+) Pluggable (SFP+) Pluggable (SFP+) Pluggable (SFP+) Pluggable (SFP+)
network modules network modules network modules network modules network modules

● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit


Ethernet Quad SFP+ Ethernet Quad SFP+ Ethernet Quad SFP+ Ethernet Quad SFP+ Ethernet Quad SFP+
network modules network modules network modules network modules network modules
● 8-port 1Gbps ● 8-port 1Gbps ● 8-port 1Gbps ● 8-port 1Gbps ● 8-port 1Gbps 2 x GE, 8 x SFP+,
Fixed I/O Ports copper, FTW (fail to copper, FTW (fail to copper, FTW (fail to copper, FTW (fail to copper, FTW (fail to 4 x GE, 4x SFP 4 x GE, 4x SFP
2×QSFP+
wire) Network Module wire) Network Module wire) Network Module wire) Network Module wire) Network Module
◦ 6-port 1G SX Fiber ◦ 6-port 1G SX Fiber ◦ 6-port 1G SX Fiber ◦ 6-port 1G SX Fiber ◦ 6-port 1G SX Fiber
FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) FTW (fail to wire) FTW (fail to wire)
Network Module Network Module Network Module Network Module Network Module
◦ 6-port 10Gbps SR ◦ 6-port 10Gbps SR ◦ 6-port 10Gbps SR ◦ 6-port 10Gbps SR ◦ 6-port 10Gbps SR
Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire)
Network Module Network Module Network Module Network Module Network Module
◦ 6-port 10Gbps LR ◦ 6-port 10Gbps LR ◦ 6-port 10Gbps LR ◦ 6-port 10Gbps LR ◦ 6-port 10Gbps LR
Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire) Fiber FTW (fail to wire)
Network Module Network Module Network Module Network Module Network Module
2,
Available Slots 2 2 2 2 2 4 4
1 x Bypass Slot

Up to 24 x 10 Gigabit Up to 24 x 10 Gigabit Up to 24 x 10 Gigabit Up to 24 x 10 Gigabit Up to 24 x 10 Gigabit
Ethernet (SFP+) Ethernet (SFP+) Ethernet (SFP+) Ethernet (SFP+) Ethernet (SFP+)
IOC-4GE-B-P IOC-8GE-P IOC-4GE-B-P IOC-8GE-P
interfaces; up to 8 x 40 interfaces; up to 8 x 40 interfaces; up to 8 x 40 interfaces; up to 8 x 40 interfaces; up to 8 x 40
IOC-8SFP-P IOC-4SFP+- IOC-8SFP-P IOC-4SFP+- IOC-8GE-P, IOC-8SFP-P
Expansion Module Gigabit Ethernet Gigabit Ethernet Gigabit Ethernet Gigabit Ethernet Gigabit Ethernet
P IOC-8SFP+-P IOC- P IOC-8SFP+-P IOC-
(QSFP+) interfaces (QSFP+) interfaces (QSFP+) interfaces (QSFP+) interfaces (QSFP+) interfaces
2SFP+-Lite-P 2SFP+-Lite-P
with 2 network with 2 network with 2 network with 2 network with 2 network
modules modules modules modules modules
Data Center-Product Specifications
Model | FPR-C9300 with 1 SM-24 Module | FPR-C9300 with 1 SM-36 Module | FPR-C9300 with 1 SM-44 Module | FPR-C9300 with 3 SM-44 Module | X7180
FW Throughput | 75G | 80G | 80G | 234G | 20G-360G
IPS Throughput [440 byte HTTP2] | 24G | 34G | 53G | 133G | 90G
Max concurrent sessions | 55M | 60M | 60M | 70M | 10M-120M
New Sessions/s | 800,000 | 1.2M | 1.8M | 4M | 300,000-2.4M
Fixed I/O Ports | 8SFP+ | 8SFP+ | 8SFP+ | 8SFP+ | 4GE+4SFP
Available Slots | 2 | 2 | 2 | 2 | 10
Expansion Module (all four FPR-C9300 configurations) | 8 x 10 Gigabit Ethernet Enhanced Small Form-Factor Pluggable (SFP+) network module; 4 x 40 Gigabit Ethernet Quad SFP+ network module; 2 x 100 Gigabit Ethernet Quad SFP28 network module (double-wide, occupies both network module bays)
Expansion Module (X7180) | IOM-16SFP-100, IOM-4XFP-100, IOM-2MMBE, IOM-2SM-BE, IOM-2Q8SFP+, IOM-8SFP+
Max port number (all four FPR-C9300 configurations) | 24 x 10 Gigabit Ethernet (SFP+) interfaces; 8 x 40 Gigabit Ethernet (QSFP+)
Max port number (X7180) | 144SFP/72SFP+/8*2Q8SFP+

Data Center-Product Specifications
*Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under
ideal test conditions.
Model | FirePower 9300 SM-24 | FirePower 9300 SM-36 | FirePower 9300 SM-40 | FirePower 9300 SM-44 | FirePower 9300 3xSM-44 | FirePower 9300 SM-48 | FirePower 9300 SM-56 | FirePower 9300 3x SM-56 | X7180 | X8180 | X9180 | X10800
FW Throughput | 75G* | 80G* | 80G* | 80G* | 234G* | 80G* | 80G* | 235G* - up to 1 Tb with clustering | 20G-360Gbps | 150-450 Gbps | Up to 600G | Up to 1,2 Tb
IPS Throughput [440 byte HTTP2] | 13.5G | 16G | 20G | 17G | 51G | 25G | 27G | 81G | 90G | 180G | 250G | 400G
Max concurrent sessions | 30M | 30M | 35M | 30M | 63M | 35M | 35M | 60M | 10M-120M | 130M | 200M | 480M
New Sessions/s | 130K | 185K | 380K | 295K | 850K | 450K | 490K | 1.1M | 300,000-2.4M | 2.5M | 4M | 10M
1 Console port, 1 Console port, 1 Console port,
1 MGT 1 AUX port, 1 1 AUX port, 1
management, 1 MGT MGT
USB 2.0 port management, 1 management, 1
(single SCM- USB 2.0 port USB 2.0 port
260 module), 2 (single SCM- (single SCM-
Fixed I/O 8 x SFP+ on- 8 x SFP+ on- Gigabit optical 280 module), 2 300 module), 2
8 x SFP+ on- 8 x SFP+ on- 8 x SFP+ on- 8 x SFP+ on- 8 x SFP+ on- 8 x SFP+ on- 4GE+4SFP
Ports chassis chassis interfaces (2 Gigabit optical Gigabit optical
chassis chassis chassis chassis chassis chassis
HA interfaces, interfaces (2 interfaces (2
single SCM-260 HA interfaces, HA interfaces,
module) single SCM-280 single SCM-300
module) module)

6 universal
expansion slots, 12 universal
2 system expansion slots,
3 universal control module 2 system
Available expansion slots, expansion control module
Slots 2 2 2 2 2 2 2 2 10 2 security slots, 2 expansion slots,
Network control module switching 2 switching
expansion slots module module
expansion slots, expansion slots
1 USB 2.0 port

8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit 8 x 10 Gigabit


8 x 10 Gigabit 8 x 10 Gigabit
Ethernet Ethernet Ethernet Ethernet Ethernet
Ethernet Ethernet
Enhanced Small Enhanced Small Enhanced Small Enhanced Small Enhanced Small
Enhanced Small Enhanced Small
Form-Factor Form-Factor Form-Factor Form-Factor Form-Factor
Form-Factor Form-Factor
Pluggable Pluggable Pluggable Pluggable Pluggable
Pluggable Pluggable
(SFP+) network (SFP+) network (SFP+) network (SFP+) network (SFP+) network
(SFP+) network (SFP+) network IOM-P40-300,
modules modules modules modules modules SSM-300,
modules modules IOM-P100-300,
● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit ● 4 x 40 Gigabit QSM-300,
Checkpoint

How to Win Checkpoint – Hardware
Hardware
- Power Consumption – For the same performance level, Checkpoint products consume much more power than Hillstone products.
- Port Density – Most Hillstone models come with upgradable IOC modules, so port density can be much higher than Checkpoint's, with both fixed IO ports and optional IO modules.
- Bypass Module – Checkpoint models don't support internal bypass interface modules, while most Hillstone E/T/X models support optional hardware bypass modules.
- QSFP+ Interface – There is no QSFP+ option in Checkpoint firewalls, while Hillstone supports it in the E6360 and X7180 products.

How to Win Checkpoint – Performance
Performance
- Latency – Checkpoint products have much higher latency than Hillstone, on average 10 times more.
- IPSec Throughput – Hillstone IPSec throughput is better than Checkpoint's for models with the same firewall performance.
- Concurrent IPSec Tunnels – Hillstone products offer many more concurrent IPSec tunnels than the corresponding Checkpoint models.
- Concurrent Session and New Session Rate – Generally Hillstone products perform much better than the corresponding Checkpoint models in these two performance metrics. Requiring a higher concurrent session count or new session rate will force Checkpoint to use a higher-end, more expensive model.

How to Win Checkpoint – NGFW Software
Category | Function (5.5R8) | Checkpoint
NAT | NAT Port Expansion | No
 | NAT Address Availability Track | No
 | NAT444 | No
LLB | Intelligent LLB | No
 | Bidirectional Forwarding Detection (BFD) | No
 | DNS Proxy | No
 | Application and Scheduled PBR | No
 | ISP Routing | No
 | Application and URL Steering (Application Routing) | No
Other | SmartDNS | No
 | iQoS | No
 | App Based Session Limiting | No
 | Policy Assistant to improve the integrity, accuracy and speed of policy configuration. | No
 | Support to deploy batch rules (Policy Operation) | No
 | Support Policy Group and Aggregated Policy | Only Support Policy Group
 | Policy Search and Policy Hit Count | No
VPN | PnPVPN | No
 | GRE | No
 | L2TP over IPSec | No

How to Win Checkpoint – iNGFW Software
Category | Function (5.5R8) | Checkpoint
Intelligent NGFW | Global Fault Detection | No
 | Packet Path Detection | No
 | Threat Indexing | No
 | Cyber Kill Chain Mapping | No
 | Abnormal Behavior Detection | No
 | Advanced Threat Detection | No
 | Auto Risk Mitigation | No
 | Forensic Analysis | No

Hillstone Counterattack Checkpoint
Application Control
- Checkpoint – Checkpoint claims it can support more than 6,600 applications and 260,000 social network widgets
- Hillstone Strategy – A larger application database doesn't necessarily mean better security. In NSSLab Application Control testing, Hillstone determined the correct application and took the appropriate action based on the policy.
User / Group Identity
- Checkpoint – Checkpoint claims it can implement policies based on users or groups
- Hillstone Strategy – Hillstone already supports Users/Groups. NSSLab verified that identity-aware policies successfully identified the users and groups
Advanced Threat Defense
- Checkpoint – Checkpoint claims that they have excellent advanced threat defense with SandBlast (Threat Emulation)
- Hillstone Strategy – Hillstone also has Threat Emulation based on Cloud Sandbox

CheckPoint Product Overview
1530/1550/1600
16200/26000/ 28000
1570R Series 1570/1590 /1800/3600/3800 6000/7000 Series 44000/64000 Series
Series
Series
MSSP √ √

Service Provider √

Data Center √ √ √
√(Branch)
Enterprise √(Branch) √(Branch) √(Campus)
(Rugged)
Distributed
√ √
Enterprise
SMB √ √ √
Product Level Desktop Desktop Mid-High

High density
Hardware Option Industrial Rugged Embedded 4G/LTE Wifi (Certain Storage,
Storage, Flexible GE,40GE port, DC
/ Special Series, AC/DC Modem, Wifi 802.11 Models), Low End 25/40/100 GbE,
IO options, LOM power, Scalable
Features power b/g/n/ac wave II High Throughput DC power, LOM
Platform

Product Portfolio High-Level Comparison
Highlighted in Red is NGFW throughput (App Control, IPS turned on)
20-40 Gbps
A3800
/ 3.7 Gbps
20-40 Gbps
A3700
/ 1.8 Gbps
20 Gbps / 1.2 Tbps /
A3600 X10800
1.8 Gbps 280 Gbps
A2600 5 Gbps / 20 Gbps / 600 Gbps /
A3000 X9180
(New) 1.8 Gbps 1.8 Gbps 140 Gbps
A2000 5 Gbps / 16 Gbps / 680 Gbps / 880 Gbps /
E5260 X7180 64000
(New) 1.2 Gbps 3.5 Gbps 70 Gbps 408 Gbps
A1100 5 Gbps / 10Gbps / 80Gbps / 395 Gbps /
T2860 E6360 44000
(New) 1.2 Gbps 1.5 Gbps 24 Gbps 204 Gbps
A1000 4 Gbps / 10 Gbps / 18 Gbps / 60Gbps / 145 Gbps /
E3965 6600 E6160 28600
(New) 1.2 Gbps 3 Gbps 6.2 Gbps 16 Gbps 52.5 Gbps
4/6 Gbps / 4.8 Gbps / 10 Gbps / 12 Gbps / 40 Gbps / 145 Gbps /
E2800 1600 E3960 6400 E5960 28000
850 Mbps 3.2 Gbps 1.5 Gbps 5.5 Gbps 9.5 Gbps 51.5 Gbps
2.5/4 Gbps 2.8 Gbps / 8.0 Gbps / 9 Gbps / 40 Gbps / 106.2 Gbps
E2300 1590 T1860 6200 T5860 26000
/ 650 Mbps 1.3 Gbps 1 Gbps 3.72 Gbps 12 Gbps / 40.5 Gbps
1.5/2 Gbps 2.8 Gbps / 8.0 Gbps / 7.5 Gbps / 32 Gbps / 78.3 Gbps /
E1700 1570 E3662 1800 E5760 16200
/ 450 Mbps 970 Mbps 1.2 Gbps 5 Gbps 8 Gbps 27 Gbps
1Gbps / 1570 1.9 Gbps / 6 Gbps / 4.8 Gbps / 25 Gbps / 39 Gbps /
E1606 E2860 1600 E5660 7000
350 Mbps (Rugged) 700 Mbps 1 Gbps 3.2 Gbps 7 Gbps 22 Gbps
1Gbps / 1 Gbps / 4/6 Gbps / 2.8 Gbps / 25 Gbps / 37 Gbps /
E1600 1550 E2800 1590 T5060 6900
350 Mbps 800 Mbps 850 Mbps 1.3 Gbps 8 Gbps 17 Gbps

E1100W/ 1Gbps / 1 Gbps / 2.5/4 Gbps / 2.8 Gbps / 20 Gbps / 26 Gbps /


1530 E2300 1570 T3860 6700
WG3W 350 Mbps 600 Mbps 650 Mbps 970 Mbps 5 Gbps 13.4 Gbps
Hillstone CheckPoint Hillstone CheckPoint Hillstone CheckPoint
1G-5G (Branch Office) 2G-20G (Mid Enterprise) 20G-Above

Product Portfolio High-Level Comparison
(Hillstone E-Pro Series)
Highlighted in Red is NGFW throughput (App Control, IPS turned on)
64000
880 Gbps /
408 Gbps
395 Gbps /
44000
204 Gbps
18 Gbps / 145 Gbps /
6600 28600
6.2 Gbps 52.5 Gbps
4.8 Gbps / 12 Gbps / 145 Gbps /
1600 6400 28000
3.2 Gbps 5.5 Gbps 51.5 Gbps
2.8 Gbps / E5560P/ 20 Gbps / 9 Gbps / 90 Gbps / 106.2 Gbps
1590 6200 E6368P 26000
1.3 Gbps E5568P 5.6 Gbps 3.72 Gbps 26 Gbps / 40.5 Gbps
2.8 Gbps / E5260P/ 20 Gbps / 7.5 Gbps / 40 Gbps / 78.3 Gbps /
1570 1800 E5960P 16200
970 Mbps E5268P 3.9 Gbps 5 Gbps 14 Gbps 27 Gbps
1570 1.9 Gbps / E3960P/ 10 Gbps / 4.8 Gbps / 40 Gbps / 39 Gbps /
1600 E5760P 7000
(Rugged) 700 Mbps E3968P 1.1 Gbps 3.2 Gbps 8.9 Gbps 22 Gbps
4.75 Gbps 1 Gbps / E3662P 10 Gbps / 2.8 Gbps / E5560P/ 20 Gbps / 37 Gbps /
E1700P 1550 1590 6900
/ 470 Mbps 800 Mbps /E3668P 900 Mbps 1.3 Gbps E5568P 5.6 Gbps 17 Gbps

E1600P 4.7 Gbps / 1 Gbps / 8 Gbps / 2.8 Gbps / E5260P/ 20 Gbps / 26 Gbps /
1530 E2800P 1570 6700
/WP 470 Mbps 600 Mbps 860 Mbps 970 Mbps E5268P 3.9 Gbps 13.4 Gbps
Hillstone CheckPoint Hillstone CheckPoint Hillstone CheckPoint
1G-5G (Branch Office) 2G-20G (Mid Enterprise) 20G-Above

Hardware Specs Comparison I –
SMB/Branch Offices
Vendor | CheckPoint | Hillstone | Hillstone | Hillstone | CheckPoint | Hillstone | CheckPoint | CheckPoint | Hillstone | Hillstone | Hillstone | Checkpoint | Hillstone | Hillstone | Hillstone
Models | 1530 | E1100W/WG3W | E1600 | E1606 | 1550 | E1700 | 1570 | 1590 | E2300 | E2800 | A1000 | 1600 | A1100 | A2000 | A2600
FW Throughput (Maximum) | 1Gbps | 1Gbps | 1Gbps | 1Gbps | 1Gbps | 1.5/2Gbps | 2.8Gbps | 2.8Gbps | 2.5Gbps/4Gbps | 4Gbps/6Gbps | 4Gbps | 4.8Gbps | 5Gbps | 5Gbps | 5Gbps
IPSec Throughput | 970Mbps | 600Mbps | 600Mbps | 600Mbps | 500Mbps | 700Mbps | 1.95Gbps | 2.6Gbps | 1Gbps | 3Gbps | 1.108Gbps | 3.2Gbps | 1.097Gbps | 1.099Gbps | 2.996Gbps
AV Throughput | No Data | 300Mbps | 300Mbps | 300Mbps | No Data | 400Mbps | No Data | No Data | 700 Mbps | 1.2 Gbps | 1.8 Gbps | No Data | 2.0 Gbps | 2.0 Gbps | 3.7 Gbps
IPS Throughput | 670Mbps | 400Mbps | 400Mbps | 400Mbps | 900Mbps | 600Mbps | 1.05Gbps | 1.4Gbps | 1Gbps | 1.8 Gbps | 3.4 Gbps | 3.5Gbps | 3.7 Gbps | 3.2 Gbps | 4.5 Gbps
Threat Prevention (Mbps) | 340Mbps | 300Mbps | 300Mbps | 300Mbps | 450Mbps | 400Mbps | 500Mbps | 660Mbps | 500Mbps | 700Mbps | 800Mbps | 1.5Gbps | 800Mbps | 800Mbps | 1.6 Gbps
New Sessions/s | 10,500 | 10,000 | 12,000 | 10,000 | 14,000 | 25,000 | 15,750 | 21,000 | 50,000 | 80,000 | 48,000 | 55,000 | 48,000 | 48,000 | 120,000
Maximum Concurrent Sessions (Standard/Maximum) | 500,000 | 200,000 | 400,000 | 200,000 | 500,000 | 600K/1M | 500,000 | 500,000 | 1M/2M | 1M/2M | 300,000 | 2.4M | 300,000 | 1M | 1.2M
IPSec Tunnel Number | No Data | 512 | 512 | 1000 | No Data | 2000 | No Data | No Data | 2,000 | 2,000 | No Data | No Data | No Data | No Data | No Data
SSL VPN Users (free/MAX) | 100/ | 8/128 | 8/128 | 8/500 | 100/ | 8/500 | 200/ | 200/ | 8/1000 | 8/1000 | 8/1000 | 500/ | 8/1000 | 8/1000 | 8/1000
8 × GE 8 × GE 8 × GE
9 x GE, 1 x 9 x GE, 1 x 5 x GE, 4 x 5 x GE, 4 x 16 x GE, 2 x
Fixed I/O Ports 6GE 9GE 9GE 9GE 6GE 9GE 4 × GE (including 1 (including 1 (including 1
Combo Combo Combo Combo SFP
bypass pair) bypass pair) bypass pair)
480 GB / 960 480 GB / 960
Storage 256 GB SSD 256 GB SSD GB / 1.92 TB GB / 1.92 TB
SSD SSD
Available Slots
for Extension
NA NA NA NA NA NA Micro-SD slot Micro-SD slot NA NA NA Micro-SD slot NA NA NA
Modules
Embedded Embedded
Integrated 3G/4G/LTE 3G/4G/LTE
NA Yes NA NA NA NA NA NA NA NA NA NA NA
Wireless modem (Wifi modem (Wifi
Model) Model)

Hardware Specs Comparison I –
SMB/Branch Offices (E-Pro Series)
Vendor | CheckPoint | CheckPoint | CheckPoint | CheckPoint | Hillstone | Hillstone | Checkpoint
Models | 1530 | 1550 | 1570 | 1590 | E1600P/E1600WP | E1700P | 1600
FW Throughput (Maximum) | 1Gbps | 1Gbps | 2.8Gbps | 2.8Gbps | 4.7Gbps | 4.75Gbps | 4.8Gbps
IPSec Throughput | 970Mbps | 500Mbps | 1.95Gbps | 2.6Gbps | 850Mbps | 850Mbps | 3.2Gbps
AV Throughput | No Data | No Data | No Data | No Data | 890Mbps | 890Mbps | No Data
IPS Throughput | 670Mbps | 900Mbps | 1.05Gbps | 1.4Gbps | 1.2Gbps | 1.2Gbps | 3.5Gbps
Threat Prevention (Mbps) | 340Mbps | 450Mbps | 500Mbps | 660Mbps | 360Mbps | 400Mbps | 1.5Gbps
New Sessions/s | 10,500 | 14,000 | 15,750 | 21,000 | 27,000 | 28,000 | 55,000
Maximum Concurrent Sessions (Standard/Maximum) | 500,000 | 500,000 | 500,000 | 500,000 | 200,000 | 600,000 | 2.4M
IPSec Tunnel Number | No Data | No Data | No Data | No Data | 512 | 2,000 | No Data
SSL VPN Users (free/MAX) | 100/ | 100/ | 200/ | 200/ | 8/128 | 8/500 | 500/
Fixed I/O Ports | 6GE | 6GE | 9 x GE, 1 x Combo | 9 x GE, 1 x Combo | 9 x GE | 9 x GE | 16 x GE, 2 x SFP
Storage | No | No | No | No | No | No | No
Available Slots for Extension Modules | NA | NA | Micro-SD slot | Micro-SD slot | NA | NA | Micro-SD slot
Integrated Wireless | NA | NA | Embedded 3G/4G/LTE modem (Wifi Model) | Embedded 3G/4G/LTE modem (Wifi Model) | NA | NA | NA

Hardware Specs Comparison II –
Mid-Range Enterprises
Vendor | Hillstone | CheckPoint | Hillstone | Hillstone | CheckPoint | Hillstone | Hillstone | Hillstone | Hillstone | CheckPoint | CheckPoint | Hillstone | Hillstone | Hillstone | Hillstone | Hillstone
Models | E2860 | 1800 | E3662 | T1860 | 6200 | E3960 | E3965 | T2860 | E5260 | 6400 | 6600 | T3860 | A3000 | A3600 | A3700 | A3800
FW Throughput (Maximum) | 6Gbps | 7.5Gbps | 8Gbps | 8Gbps | 9Gbps | 10Gbps | 10Gbps | 10Gbps | 16Gbps | 12Gbps | 18Gbps | 20Gbps | 20Gbps | 20Gbps | 20/40Gbps | 20/40Gbps
IPSec Throughput | 3Gbps | 4Gbps | 3Gbps | 3Gbps | 2.57Gbps | 4Gbps | 6Gbps | 3.8Gbps | 8Gbps | 2.73Gbps | 4.9Gbps | 12Gbps | 3.25Gbps | 3.28Gbps | 3.32Gbps | 6.14Gbps
AV Throughput | 1.2 Gbps | No Data | 1.6Gbps | 1.6Gbps | No Data | 2.5Gbps | 3Gbps | 2Gbps | 3.5Gbps | No Data | No Data | 6Gbps | 4.8Gbps | 5.0Gbps | 5.2Gbps | 9.4Gbps
IPS Throughput | 1.8Gbps | 5Gbps | 3Gbps | 3Gbps | 4.65Gbps | 4Gbps | 4Gbps | 4Gbps | 5Gbps | 6.5Gbps | 10.14Gbps | 8Gbps | 8.3Gbps | 8.5Gbps | 8.6Gbps | 17.5Gbps
Threat Prevention | 800Mbps | 2Gbps | 900Mbps | 600Mbps | 1.8Gbps | 1.1Gbps | 2Gbps | 900Mbps | 2.2Gbps | 2.5Gbps | 3.7Gbps | 2.5Gbps | 1.6Gbps | 1.6Gbps | 1.6Gbps | 2.8Gbps
NGFW throughput | 1Gbps | 5Gbps | 1.2Gbps | 1Gbps | 3.72Gbps | 1.5Gbps | 3Gbps | 1.5Gbps | 3.5Gbps | 5.5Gbps | 6.2Gbps | 5Gbps | 1.8Gbps | 1.8Gbps | 1.8Gbps | 3.7Gbps
New Sessions/s | 80,000 | 66,000 | 120,000 | 80,000 | 67,000 | 150,000 | 170,000 | 100,000 | 200,000 | 90,000 | 116,000 | 250,000 | 140,000 | 140,000 | 140,000 | 310,000
Maximum Concurrent Sessions (Standard/Maximum) | 2M | 2.4M | 3M | 1.5M | 2/4/8M (Can Upgrade Memory) | 3.2M | 6M | 3M | 6M | 2/4/8M (Can Upgrade Memory) | 2/4/8M (Can Upgrade Memory) | 4M | 2M | 3M | 6M | 8M
IPSec Tunnel Number | 4000 | No Data | 6000 | 6000 | No Data | 10000 | 10000 | 10000 | 20000 | No Data | No Data | 20000 | No Data | No Data | No Data | No Data
SSL VPN Users (free/max) | 8 / 2,000 | 500 | 8 / 4,000 | 8 / 4,000 | No Data | 8 / 6,000 | 8 / 8,000 | 8 / 6,000 | 8/10000 | No Data | No Data | 128 / 10,000 | No Data | No Data | No Data | No Data
2 x 2.5GbE, 6 X GE (1 2 × SFP+, 8 × 2 × SFP+, 8 × 2 × SFP+, 8 × 2 × SFP+, 8 ×
16x GE, 2 x 6 x GE, 4 x 4 x GE, 4 x pair bypass 4 GE, 4 x SFP, 16 × GE SFP, 16 × GE SFP, 16 × GE SFP, 16 × GE
6 x GE, 4 x 6 x GE, 4 x 2 x GE, 4 x
Fixed I/0 Ports Combo 6 GE, 4 x SFP 8 x 1GE SFP, 2 X SFP, 2 X port), 4 x SFP, 2 X 8 x 1GE 8 x 1GE (including (including (including (including
SFP SFP SFP,
(SFP), 1 x SFP+ SFP+ SFP, 2 x SFP+ 2 bypass 2 bypass 2 bypass 2 bypass
Combo SFP+ pairs) pairs) pairs) pairs)
256GB SSD
and Micro-SD 480 GB / 960 480 GB / 960 480 GB / 960 480 GB / 960
120G+480G
Storage No slot with 32 No 480GB 240GB No No 480GB No 240GB 240GB GB / 1.92 TB GB / 1.92 TB GB / 1.92 TB GB / 1.92 TB
(Dual
and 64 GB SSD SSD SSD SSD
card options
Available
Slots for 2 x Generic 2 x Generic 2 x Generic 1 x Expansion 2 x Generic 4 x Generic 2 X Generic 4 x Generic 1 x Expansion 1 x Expansion 2 x Generic 1 x Generic 1 x Generic
No No No
Extension Slot Slot Slot Slot Slot Slot Slot Slot Slot Slot Slot Slot Slot
Modules

Hardware Specs Comparison II –
Mid-Range Enterprises (E-Pro Series)
Vendor | CheckPoint | Hillstone | CheckPoint | Hillstone | Hillstone | CheckPoint | CheckPoint | Hillstone | Hillstone
Models | 1800 | E2800P | 6200 | E3962P/E3668P | E3960P/E3968P | 6400 | 6600 | E5260P/E5268P | E5560P/E5568P
FW Throughput (Maximum) | 7.5Gbps | 8Gbps | 9Gbps | 10Gbps | 10Gbps | 12Gbps | 18Gbps | 20Gbps | 20Gbps
IPSec Throughput | 4Gbps | 3Gbps | 2.57Gbps | 4Gbps | 6Gbps | 2.73Gbps | 4.9Gbps | 8.4Gbps | 12Gbps
AV Throughput | No Data | 1.2 Gbps | No Data | 2.5Gbps | 3Gbps | No Data | No Data | 3.8Gbps | 4.9Gbps
IPS Throughput | 5Gbps | 1.8Gbps | 4.65Gbps | 4Gbps | 4Gbps | 6.5Gbps | 10.14Gbps | 8.9Gbps | 9.3Gbps
Threat Prevention | 2Gbps | 800Mbps | 1.8Gbps | 1.1Gbps | 2Gbps | 2.5Gbps | 3.7Gbps | 2.2Gbps | 3.1Gbps
NGFW throughput | 5Gbps | 1Gbps | 3.72Gbps | 1.5Gbps | 3Gbps | 5.5Gbps | 6.2Gbps | 3.9Gbps | 5.6Gbps
New Sessions/s | 66,000 | 80,000 | 67,000 | 150,000 | 170,000 | 90,000 | 116,000 | 200,000 | 300,000
Maximum Concurrent Sessions (Standard/Maximum) | 2.4M | 2M | 2/4/8M (Can Upgrade Memory) | 3.2M | 6M | 2/4/8M (Can Upgrade Memory) | 2/4/8M (Can Upgrade Memory) | 6M | 10M
IPSec Tunnel Number | No Data | 4000 | No Data | 10000 | 10000 | No Data | No Data | 20000 | 20000
SSL VPN Users (free/max) | 500 | 8 / 2,000 | No Data | 8 / 6,000 | 8 / 8,000 | No Data | No Data | 8 / 10,000 | 8 / 10,000
2 x 2.5GbE,
16x GE, 2 x 4 x GE (1 4 x GE (1
6 x GE, 4 x 4 x GE, 4 x
Combo 6 x GE, 4 x bypass pair), bypass pair),
Fixed I/0 Ports 8 x 1GE SFP, 2 X SFP, 2 X 8 x 1GE 8 x 1GE
(SFP), 1 x SFP 4 x SFP, 4 x SFP,
SFP+ SFP+
Combo 2 x SFP+ 2 x SFP+
(SFP+)

256GB SSD
and Micro-SD
E3668P had E3968P had E5268P had E5568P had
Storage slot with 32 No 240GB 240GB 240GB
256G SSD 256G SSD 256G SSD 256G SSD
and 64 GB
card options
Available
Slots for 2 x Generic 1 x Expansion 2 x Generic 2 x Generic 1 x Expansion 1 x Expansion 4 x Generic 4 x Generic
No
Extension Slot Slot Slot Slot Slot Slot Slot Slot
Modules

Hardware Specs Comparison III –
Mid to Large Enterprise
Vendor | CheckPoint | Hillstone | Hillstone | Hillstone | CheckPoint | Hillstone | Hillstone | CheckPoint | Hillstone | CheckPoint | Hillstone | CheckPoint | CheckPoint | CheckPoint
Models | 6700 | T5060 | E5660 | E5760 | 6900 | T5860 | E5960 | 7000 | E6160 | 16200 | E6360 | 26000 | 28000 | 28600 (Scalable up to 52)
FW Throughput (Maximum) | 26Gbps | 25 Gbps | 25Gbps | 32Gbps | 37Gbps | 40 Gbps | 40Gbps | 48Gbps | 60Gbps | 78.3Gbps | 80Gbps | 106.2Gbps | 145Gbps | 145Gbps
IPSec Throughput | 4.61Gbps | 15Gbps | 15Gbps | 18Gbps | 9.81Gbps | 28Gbps | 25Gbps | 11.9Gbps | 35Gbps | 20Gbps | 50Gbps | 40.1Gbps | 49Gbps | 44Gbps
AV Throughput | No Data | 7Gbps | 7Gbps | 8Gbps | No Data | 10Gbps | 10Gbps | No Data | 20Gbps | No Data | 27Gbps | No Data | No Data | No Data
IPS Throughput | 19Gbps | 12Gbps | 12Gbps | 15Gbps | 19Gbps | 18Gbps | 18Gbps | 25Gbps | 25Gbps | 35Gbps | 35Gbps | 43Gbps | 52.2Gbps | 52.2Gbps
Threat Prevention | 5.8Gbps | 4Gbps | 4.5Gbps | 5Gbps | 7.4Gbps | 6Gbps | 6Gbps | 9.5Gbps | 12Gbps | 15Gbps | 18Gbps | 24Gbps | 30Gbps | 30Gbps
NGFW Throughput | 13.4Gbps | 8Gbps | 7Gbps | 8Gbps | 17Gbps | 12Gbps | 9.5Gbps | 22Gbps | 16Gbps | 27Gbps | 24Gbps | 40.5Gbps | 51.5Gbps | 51.5Gbps
New Sessions/s | 164,000 | 300,000 | 400,000 | 500,000 | 230,000 | 450,000 | 600,000 | 330,000 | 800,000 | 435,000 | 1.1M | 550,000 | 615,000 | 590,000
Maximum Concurrent Sessions (Standard/Maximum) | 2/4/8M (Can Upgrade Memory) | 5M | 10M | 12M | 4/8/16M (Can Upgrade Memory) | 6M | 15M | 4/8/16M (Can Upgrade Memory) | 20M | 8/16/32M (Can Upgrade Memory) | 30M | 10/20/32M (Can Upgrade Memory) | 10/20/32M (Can Upgrade Memory) | 49M
IPSec Tunnel Number | No Data | 20000 | 20,000 | 20,000 | No Data | 20000 | 20,000 | No Data | 20,000 | No Data | 20,000 | No Data | No Data | No Data
SSL VPN Users (free/MAX) | No Data | 128 / 10,000 | 8/10,000 | 8/10,000 | No Data | 128 / 10,000 | 8/10,000 | No Data | 8/10,000 | No Data | 8/10,000 | No Data | No Data | No Data
2 GE, 8 x
Fixed I/0 2 x GE, 4 X 4 x GE, 4x 4 GE, 4x 2 X GE, 4 X 4 GE, 4 x 2 x GE, 8 x 2 x 100GbE
8 x 1GE 8 x 1GE 8 x 1GE 2 x 1GE SFP+, 2 x 1GE 2 x 1GE
Ports SFP SFP SFP SFP SFP SFP+ QSFP28
2XQSFP+
480GB/960 480GB/960
Storage 480GB No No 480GB No 480GB No 480GB No 480GB 480GB 480GB
GB GB
Available
1x 2x 2x 2 Generic 4x 2 Generic 8x 8x
Slots for 4 x Generic 4 x Generic 4 x Generic 4 x Generic 4 Generic
Expansion Expansion Expansion Slot 1 Expansion Slot 1 Expansion Expansion No
Extension Slot Slot Slot Slot Slot
Slot Slot Slot Bypass Slot Slot Bypass Slot Slot Slot
Modules

Hardware Specs Comparison III –
Mid to Large Enterprise (E-Pro Series)
Vendor | CheckPoint | CheckPoint | Hillstone | Hillstone | CheckPoint | CheckPoint | Hillstone | CheckPoint | CheckPoint | CheckPoint
Models | 6700 | 6900 | E5760P | E5960P | 7000 | 16200 | E6368P | 26000 | 28000 | 28600 (Scalable up to 52)
FW Throughput (Maximum) | 26Gbps | 37Gbps | 40Gbps | 40Gbps | 48Gbps | 78.3Gbps | 90Gbps | 106.2Gbps | 145Gbps | 145Gbps
IPSec Throughput | 4.61Gbps | 9.81Gbps | 18.8Gbps | 25.6Gbps | 11.9Gbps | 20Gbps | 64Gbps | 40.1Gbps | 49Gbps | 44Gbps
AV Throughput | No Data | No Data | 7.9Gbps | 14Gbps | No Data | No Data | 28Gbps | No Data | No Data | No Data
IPS Throughput | 19Gbps | 19Gbps | 18.5Gbps | 18.8Gbps | 25Gbps | 35Gbps | 37Gbps | 43Gbps | 52.2Gbps | 52.2Gbps
Threat Prevention | 5.8Gbps | 7.4Gbps | 5.2Gbps | 8.2Gbps | 9.5Gbps | 15Gbps | 18Gbps | 24Gbps | 30Gbps | 30Gbps
NGFW Throughput | 13.4Gbps | 17Gbps | 8.9Gbps | 14Gbps | 22Gbps | 27Gbps | 26Gbps | 40.5Gbps | 51.5Gbps | 51.5Gbps
New Sessions/s | 164,000 | 230,000 | 500,000 | 600,000 | 330,000 | 435,000 | 1.1M | 550,000 | 615,000 | 590,000
Maximum Concurrent Sessions (Standard/Maximum) | 2/4/8M (Can Upgrade Memory) | 4/8/16M (Can Upgrade Memory) | 12M | 15M | 4/8/16M (Can Upgrade Memory) | 8/16/32M (Can Upgrade Memory) | 30M | 10/20/32M (Can Upgrade Memory) | 10/20/32M (Can Upgrade Memory) | 49M
IPSec Tunnel Number | No Data | No Data | 20,000 | 20,000 | No Data | No Data | 20,000 | No Data | No Data | No Data
SSL VPN Users (free/MAX) | No Data | No Data | 8/10,000 | 8/10,000 | No Data | No Data | 8/10,000 | No Data | No Data | No Data
2 x GE, 8 x
Fixed I/0 4 x GE, 4 x 4 x GE, 4 x 2 x 100GbE
8 x 1GE 8 x 1GE 8 x 1GE 2 x 1GE SFP+, 2 x 2 x 1GE 2 x 1GE
Ports SFP SFP QSFP28
QSFP+
Storage 480GB 480GB No No 480GB 480GB 512GB 480GB 480GB 480GB
Available
1x 2x 2x 4x 2 x Generic 8x 8x
Slots for 4 x Generic 4 x Generic
Expansion Expansion Expansion Expansion Slot, 1 x Expansion Expansion No
Extension Slot Slot
Slot Slot Slot Slot Bypass Slot Slot Slot
Modules

Hardware Spec Comparisons IV-
DataCenter
Vendor | Checkpoint | Checkpoint | Hillstone | Hillstone | Hillstone | Hillstone
Model | 44000 | 64000 | X7180 | X8180 | X9180 | X10800
FW Throughput (Maximum) | 335Gbps | 800Gbps | 680Gbps | 450Gbps | 600Gbps | 1.2Tbps
IPSec Throughput | 161Gbps | 323Gbps | 90Gbps | 100Gbps | 250Gbps | 500Gbps
NGFW Throughput | 204Gbps | 408Gbps | 70Gbps | 75Gbps | 140Gbps | 280Gbps
Threat Prevention Throughput | 90Gbps | 180Gbps | 50Gbps | 70Gbps | 100Gbps | 200Gbps
New Sessions/s | 2.46Million | 4.92Million | 4.8Million | 2.5Million | 4Million | 10Million
Maximum Concurrent Sessions | 55.2Million | 110.4Million | 240Million | 130Million | 200Million | 480Million
IPSec Tunnel Number | No Data | No Data | 30000 | 30000 | 30000 | 30000
SSL VPN Users (free/MAX) | No Data | No Data | 128 / 20,000 | 128 / 20,000 | 128 / 20,000 | 128 / 20,000
Storage | No | No | No | No | No | No

Product Specs – Virtualization
*Based on VMWARE VMXnet3*
Model | vSEC-2core | vSEC-4core | vSEC-6core | SG6000-VM01 | SG6000-VM02 | SG6000-VM04 | SG6000-VM08
Support Core Number | 2 | 4 | 6 | 2 | 2 | 4 | 8
RAM | 2/12GB | 2/12GB | 2/12GB | 2 GB | 4 GB | 8 GB | 16 GB
Throughput | 7.5Gbps | 10Gbps | 10Gbps | 2Gbps | 4Gbps | 8Gbps | 10Gbps
Concurrent Connections | 1.1/5.4M | 1.1/5.4M | 1.1/5.4M | 100K | 500K | 5M | 10M
New Connections Per second | 40k | 70K | 140K | 20K | 40K | 80K | 160K
IPS Throughput | 4Gbps | 6Gbps | 10Gbps | 1Gbps | 2Gbps | 4Gbps | 6Gbps
NGFW Throughput | 2.8Gbps | 4.6Gbps | 9Gbps | 700Mbps | 1.4Gbps | 2.8Gbps | 4.2Gbps
IPSec VPN Tunnel | No Data | No Data | No Data | 50 | 500 | 50 | 500
SSL Concurrent Users | No Data | No Data | No Data | 50 | 250 | 50 | 250

SonicWall

How to Win SonicWall – Hardware
Hardware
- No Inline System Service Upgrade (ISSU), which is critical for DC
- Very few expansion slots (mix and match port density)
- High security performance, expansion as needed, complete advanced threat detection and prevention, and smart and automated policy operation.
- All rackmount models feature front and rear ventilation to assist in heat dissipation, which is a concern in networks of almost any size
- Excellent Access Capability and Storage Expansion
- Bypass pairs on most A-Series models help ensure business continuity.

How to Win SonicWall – Performance
Performance
- Very large hard disk storage, up to 2 TB. With more storage the system can save more logs and data for a longer time (this allows the system to provide richer reports with far more information, including visualized results and actionable recommendations).
- Real-time detection and protection across the full lifecycle of network attacks and malware.
- Hillstone offers much higher (2 to 4 times) New Sessions/s and Max. Concurrent Sessions, which meets today's business environment, where a single website visit or a transaction could cost tens of concurrent sessions;
- Hillstone offers ten times more IPsec tunnels, and so can support many more mobile workers and secure connections to HQ, between offices and to its cloud services;
- Hillstone up to 680Gbps vs. Sonicwall: up to 120.3Gbps

How to Win SonicWall – Performance
Category | SonicWall Min | SonicWall Max | Hillstone Min | Hillstone Max
L/4 Throughput | 300 Mbps | 120.3 Gbps | 1Gbps | 1,2TB
Full protection / NGFW Throughput | 150 Mbps | 67.5 Gbps | 350Mbps | 280Gbps
Maximum Connections | 10 K | 80 M | 200 K | 480M
New connections/sec | 1.8 K | 860 K | 10 K | 10M

How to Win SonicWall – NGFW Software
Category | Function | Sonicwall
NAT | NAT Port Expansion | No
 | NAT Address Availability Track | No
 | NAT444 | No
LLB | Intelligent LLB | No
 | Bidirectional Forwarding Detection (BFD) | No
 | DNS Proxy | Yes
 | Application and Scheduled PBR | Yes
 | ISP Routing | Yes
 | Application and URL Steering (Application Routing) | Yes
Other | SmartDNS | No
 | iQoS | No
 | App Based Session Limiting | No
 | Policy Search and Policy Hit Count | Yes
 | Active/Active HA | Yes, Only NSA3650 and above
VPN | PnPVPN | No
VSYS | Virtual System | No

How to Win SonicWall – NGFW Software
Category | Function | Sonicwall
Network | Route controlled by URL and/or user // only protocol & service (L/4) | Yes
 | Built-in NTP and DNS Server | No
 | loopback interface | No
Firewall | mixed deployment mode | Yes
 | Application Level Gateways | Yes
 | Security policy redundancy inspection | No
IP Reputation | global IP reputation database | Yes
Data Security | File type Control | Yes
 | Content filtering for HTTP-GET, HTTP-POST, FTP and SMTP protocols | No
Anti-Virus | single/multiple Compressed file virus scanning | No
URL Filtering | Filter Java Applet, ActiveX or Cookie | No
HA | Twin-mode HA | No

How to Win SonicWall – iNGFW Software
Category | Function | Sonicwall
Intelligent NGFW | Global Fault Detection | No
 | Packet Path Detection | No
 | Threat Indexing | No
 | Cyber Kill Chain Mapping | No
 | Abnormal Behavior Detection | No
 | Advanced Threat Detection | No
 | Auto Risk Mitigation | No
 | Forensic Analysis | No

How to Win SonicWall – Smart Policy Operation (Policy Lifecycle Management)
Category | Function | Sonicwall
Smart Policy Operation | Automated User Policy Deployment: Radius Dynamic Authorization; Automatically Issue User Policy via CoA message | No
 | Policy Redundancy Check: Discover Redundant policies for detection | No
 | Policy Analysis: Adjust the policies by Observing the hit counts and hit trends | No
 | Policy Group: Efficient Policy Management based on business requirement | No
 | Aggregate Policy: A Set of Policies ACT as One single Policy | No
 | Policy Assistant: Refine a General Policy into detailed policy | No

How to Win SonicWall – Business and What to Avoid
Business and Others
- Hillstone is a proven Enterprise Firewall player, while SonicWall is viewed as a low-end UTM player
- TCO/Protected Mbps – Hillstone offers much better TCO for real-world processing power ($6/Mbps vs. SonicWall $24/Mbps); don't be misled by the cheap price of SonicWall;
- Malware Detection – Too much time is spent researching false alarms. Highest rated detection technology identifies threats others miss and eliminates the need.
- Complete Indicators of Compromise – IOC events are threat events detected during the post-breach attack. They are identified among large numbers of the threat attacks in the network that are directly associated with the protected server or host
- Subscription – Price is higher than Hillstone. Renewal subscription price is higher. Total TCO is high.

What to Avoid
- Wireless Controller Requirement
- Multicast Requirement
- Authentication on Citrix, Terminal Services
- Netflow Reporting

Hillstone Counterattack SonicWall
Virtual System & SECaaS
SonicWall does not support virtual systems on the same hardware, which is a mandatory feature for:
- ISP
- Multi Tenant solution

User Identity
SonicWall does not support the following:
- Global User based policy Control // only for App, URL
- 802.1X, SSO Proxy
- Agentless AD SSO (AD Polling)
- Client probing

Protection
SonicWall does not support the following:
- Abnormal Behavior Detection (NTA) – On T-Series
- Threat Mitigation – On T-Series
- Advanced Threat Detection

Sonicwall Product Overview
SOHO 250/SOHO 250W | TZ300/TZ300P/TZ300W | TZ350/TZ350W | TZ400/TZ400W | TZ500/TZ500W | TZ600/TZ600P | TZ270/TZ270W | TZ370/TZ370W | TZ470/TZ470W | TZ570/TZ570P/TZ570W | TZ670

Soho √ √ √ √ √ √ √ √ √ √ √

SMB √ √ √ √ √ √ √

Entry Level √ √ √

Product Level SMB & BRANCHES

Soho & Tz SERIES
Model | SOHO 250/SOHO 250W | TZ300/TZ300P/TZ300W | TZ350/TZ350W | E1100 Series | E1600 | E1606 | E1700 | E1600P | E1600WP | E1700P | E2300 | A1000 | A1100
Throughput | 600Mb | 750Mb | 1Gb | 1Gb | 1G | 1G | 1.5/2G | 4.7 Gbps | 4.7 Gbps | 4.75 Gbps | 2.5/4G | 4GB | 5GB
VPN Throughput | 200Mbps | 300Mbps | 430Mbps | 600Mbps | 600Mbps | 600Mbps | 700Mbps | 850 Mbps | 850 Mbps | 850 Mbps | 1G | N/A | N/A
IPS Throughput | 250Mbps | 300Mbps | 400Mbps | 400Mbps | 400Mbps | 400Mbps | 600Mbps | 1.2 Gbps | 1.2 Gbps | 1.2 Gbps | 1G | 3.4G | 3.7G
Threat Prevention Throughput | 200Mbps | 235Mbps | 335Mbps | 300Mbps | 300Mbps | 300Mbps | 400Mbps | 360 Mbps | 360 Mbps | 400 Mbps | 500Mbps | 1.2Gbps | 1.2Gbps
AV Throughput | 150 Mbps/200 Mbps | 235 Mbps/335 Mbps | 235 Mbps/335 Mbps | 300Mbps | 300Mbps | 350Mbps | 400Mbps | 890 Mbps | 890 Mbps | 890 Mbps | 700M | 1.8G | 2G
Concurrent 1M/
50,000 100,000 100,000 200k 200Mbps 200Mbps 600K/1M 470 Mbps 470 Mbps 470 Mbps 300,000 300,000
Connections 2M
New Connections
3,000 5,000 6,000 10k 10K 10K 25K 0.2M 0.2M 0.6M 50K 48,000 48,000
Per second
8 × GE
5 GE copper 5 GE copper 5 GE copper 5GE
Interface 9GE 9GE 9GE 9GE 27,000 27,000 28,000 4 × GE (including 1
4Combo
bypass pair)
802.11a/b/g/n/
802.11a/b/g/n/
ac (WEP,
ac (WEP,
WPA, WPA2,
WPA, WPA2,
802.11 a/b/g/n 802.11i, TKIP, N/A N/A N/A N/A N/A N/A
Wireless support 802.11 a/b/g/n 802.11i, TKIP, 9 x GE 9 x GE 9 x GE
PSK,02.1x,
PSK,02.1x,
EAP-PEAP,
EAP-PEAP,
EAP-TTLS
EAP-TTLS

Local Storage N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 8GB 8GB

Expansion Storage 256 GB SSD, 256 GB SSD,


N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
optional optional
24W external
single single single single/dual single/dual
Power Supply 24W external 65W external 24W external single single single single single
(TZ300P only)
Desktop Desktop 1U 1U 1U Desktop Desktop
High Desktop Desktop Desktop 1U 1U 1U

Soho & Tz SERIES
TZ400/TZ400W TZ500/TZ500W TZ600/TZ600P TZ270/TZ270W TZ370/TZ370W E2800 E2800P A2000 A2600
Throughput 1.3Gb 1.4Gb 1.9Gb 2Gb 3Gb 4.5/6G 8 Gbps 5G 5G
VPN Throughput 900Mbps 1Gb 1,1Gb 1Gb 1,3Gb 3Gb 3 Gbps N/A N/A
IPS Throughput 900Mbps 1Gb 1,2Gb 1Gb 1,5Gb 1.8G 3.3 Gbps 3.2G 4.5G
Threat Prevention Throughput 600Mbps 700Mbps 800Mbps 750Mbps 1Gb 700Mbps 860 Mbps 1.2Gbps 1.8Gbps
AV Throughput 600 Mbps 700 Mbps 800 Mbps 750 Mbps 1 Gbps 1,2Gb 2.1 Gbps 2G 3.7G
1M/
Concurrent Connections 150,000 150,000 150,000 750,000 900,000 1.25 Gbps 1M 1.2M
2M
New Connections Per
6,000 8,000 12,000 6,000 9,000 80K 1M 48,000 120,000
second
10 GE copper
5GE 8 × GE (including 1 8 × GE (including 1
Interface 7 GE copper 8 GE copper 4 POE 8 GE copper 8 GE copper 80,000
4Combo bypass pair) bypass pair)

2x2 802.11ac Wave 2 2x2 802.11ac Wave 2 N/A N/A N/A


Wireless support N/A N/A N/A 5 x GE, 4 x Combo
(TZ270W) (TZ270W)

N/A
Local Storage N/A N/A N/A Optional up to 256GB Optional up to 256GB N/A 8GB 8GB

Expansion Storage 480 GB / 960 GB / 480 GB / 960 GB /


N/A N/A N/A N/A N/A N/A N/A
1.92 TB SSD 1.92 TB SSD

60W external 180W


single/dual single/
Power Supply 24W external 36W external external (TZ600P 36W external 36W external single/dual single/dual
Dual
only)

1U
High Desktop Desktop Desktop Desktop Desktop 1U 1U 1U

Soho & Tz SERIES
E2860 E2868 E3662P E3668P E3960P E3968P TZ470/TZ470W TZ570/TZ570P/TZ570W TZ670
Throughput 6G 6G 10 Gbps 10 Gbps 10 Gbps 10 Gbps 3,5Gb 4Gb 5Gb
VPN Throughput 3Gb 3Gb 3 Gbps 3 Gbps 4 Gbps 4 Gbps 1,5Gb 1,8Gb 2,1Gb

IPS Throughput 1.8G 1.8G 3.3 Gbps 3.3 Gbps 3.9 Gbps 3.9 Gbps 2Gb 2,5Gb 3Gb

Threat Prevention
800Mpbs 800Mpbs 900 Mbps 900 Mbps 1.1 Gbps 1.1 Gbps 1,5Gb 2Gb 2,5Gb
Throughput

AV Throughput 1,2Gb 1,2Gb 2.1 Gbps 2.1 Gbps 2.2 Gbps 2.2 Gbps 1.5 Gbps 2 Gbps 2.5 Gbps
1M/ 1M/
Concurrent Connections 3M 3M 3,2M 3,2M 1M 1,2M 1,5M
2M 2M
New Connections Per
80K 80K 120,000 120,000 150,000 150,000 12,000 16,000 25,000
second

6 x GE (1 bypass 6 x GE (1 bypass 8 GE copper 8 GE copper


5GE 6GE 8 GE copper
Interface 6 x GE, 4 x SFP 6 x GE, 4 x SFP pair), 4 x SFP, 2 x pair), 4 x SFP, 2 x 2x2,5GE 2x10GE
4Combo 4SFP 2x2,5GE
SFP+ SFP+ 2SFP+ 2SFP+

N/A N/A N/A N/A N/A 2x2 802.11ac Wave 2 2x2 802.11ac Wave 2 2x2 802.11ac Wave 2
Wireless support N/A
(TZ270W) (TZ270W) (TZ270W)

N/A -/256G or 512G SSD Optional up to 256GB,


Local Storage N/A 256G SSD N/A 256G SSD Optional up to 256GB Optional up to 256GB
32GB included

Expansion Storage N/A N/A


N/A N/A N/A N/A N/A N/A N/A

60W external
single/dual single/dual single/dual single/dual single/dual single/dual (TZ570/570W), 180W
Power Supply 36W external 60W externa
external (TZ570P
only)

High 1U 1U 1U 1U 1U 1U Desktop Desktop Desktop

Sonicwall Product Overview

NSa 2650 NSa 2700 NSa 3650 NSa 4650 NSa 5650 NSa 6650 NSa 9250 NSa 9450 NSa 9650

MSSP √ √ √ √ √ √ √ √ √

Service Provider √ √ √ √ √ √ √ √ √

Entry Level √ √ √ √ √ √ √ √ √

Product Level Mid-Range

Nsa SERIES
NSa 2600 A1000 A1100 E3662/3668 E3960/3968 E3965/E5168 NSa 2700 A2000 A2600 NSa 3650 A3000 A3600 E5260P E5268P NSa 4650 NSa 5650
Throughput 3,0Gb 4GB 5GB 8G 10G 10G 5,5Gb 5G 5G 3,75Gb 20G 20G 20 Gbps 20 Gbps 6,0Gb 6,25Gb
VPN Throughput 1,3Gb N/A N/A 3G 4G 6G 2,1Gb N/A N/A 1,5Gb N/A N/A 8.4 Gbps 8.4 Gbps 2,3Gb 3,5Gb
IPS Throughput 1,4Gb 3.4G 3.7G 3G 4G 4G 3,4Gb 3.2G 4.5G 1,8Gb 8.3G 8.5G 8.9 Gbps 8.9 Gbps 2,3Gb 3,4Gb
Threat Prevention Throughput 1,2Gb 1.2Gbps 1.2Gbps 900MBPS 1,1GB 2GB 3Gb 1.2Gbps 1.8Gbps 1,75Gb 1.8Gbps 1.8Gbps 2.2 Gbps 2.2 Gbps 2,5Gb 3,4Gb
AV Throughput 13GB 1.8G 2G 1.6G 2.5G 3G 15GB 2G 3.7G 15GB 4.8G 5G 3.8 Gbps 3.8 Gbps 2,45GB 2,8GB
IMIX Throughput N/A N/A N/A 2 Gbps 3 Gbps 4 Gbps N/A N/A N/A N/A N/A N/A 15.5 Gbps 15.5 Gbps N/A N/A
Concurrent Connections 1M 300,000 300,000 3M 3.2M 6M 1,5M 1M 1.2M 2M 2M 3M 6M 6M 3M 4M
New Connections Per second 14,000 48,000 48,000 120,000 150,000 170,000 21,500 48,000 120,000 14,000 140,000 140,000 200,000 200,000 40,000 40,000
2x10GE 2 × SFP+, 2 × SFP+, 2x10GE 2x10GE
6 x GE (one 4 x GE (one 4 x GE (1 4 x GE (1
4x2,5GE SFP+ 8 × SFP, 8 × SFP, SFP+ SFP+
8 × GE pair bypass), pair bypass), 8 × GE 8 × GE bypass bypass
4SFPx2,5G 6 x GE, 4 x 3x10GE 8x2,5GE 16 × GE 16 × GE 8x2,5GE 2x10GE
Interface 4 × GE (including 1 4x 4x (including 1 (including 1 pair), 4 x pair), 4 x
E SFP 16x1GE SFP (including (including SFP 4x2,5GE
bypass pair) SFP, 2 X SFP, 2 X bypass pair) bypass pair) SFP, 2 x SFP, 2 x
12x1GE 4x2,5GE 2 bypass 2 bypass 4x2,5GE 4x2,5GE
SFP+ SFP+ SFP+ SFP+
12x1GE pairs) pairs) 12x1GE 16x1GE
-/256G or -/256G or -/256G or
Local Storage 16GB 8GB 8GB 32GB 8GB 8GB 32GB 8GB 8GB N/A 256G SSD 32GB 64GB
512G SSD 512G SSD 512G SSD
Dual, Dual, Dual, Dual, Dual,
redundant redundant redundant redundant redundant
Power Supply single single single/dual single/dual dual single/dual single/dual single/dual single/dual dual dual
120W (one 120W (one 120W (one 350W (one 350W (one
included) included) included) included) included)
1U Rack 1U Rack 1U Rack 1U Rack 1U Rack
High Desktop Desktop 1U 1U 2U 1U 1U 1U 1U 2U 2U
Mountable Mountable Mountable Mountable Mountable

Nsa SERIES Cont…
E5260/5268 A3000 A3600 E5568 E5660 A3700 E5560P E5568P A3800 E5760 E5960 E5760P NSa 6650 NSa 9250 E5960P NSa 9450 NSa 9650
Throughput 16G 20G 20G 20G 25G 20G / 40G 20 Gbps 20 Gbps 20G / 40G 32G 40G 40 Gbps 12Gb 12Gb 40 Gbps 17,1Gb 17,1Gb
VPN Throughput 5G N/A N/A 7Gbps 12Gbps N/A 12 Gbps 12 Gbps N/A 15Gbps 18Gbps 18.8 Gbps 6Gb 6,75Gb 25.6 Gbps 10Gb 10Gb
IPS Throughput 3.5G 8.3G 8.5G 7G 12G 8.6G 9.3 Gbps 9.3 Gbps 17.5G 15G 18G 18.5 Gbps 6Gb 7,2Gb 18.8 Gbps 10,2Gb 10,3Gb
Threat Prevention Throughput 2Gbps 1.8Gbps 1.8Gbps 3Gbps 4.5Gbps 1.8Gbps 3.1 Gbps 3.1 Gbps 3.7Gbps 5Gbps 6Gbps 5.2 Gbps 5,5Gb 6,5Gb 8.2 Gbps 9Gb 9,4Gb
AV Throughput 3.5G 4.8G 5G 5G 7G 5.2G 4.9 Gbps 4.9 Gbps 9.4G 8G 10G 7.9 Gbps 5,4GB 6,5GB 14GB 8GB 8,5GB
IMIX Throughput 6Gbps N/A N/A 8Gbps 12Gbps N/A 20 Gbps 20 Gbps N/A 16Gbps 16Gbps 36.5 Gbps N/A N/A 40gb N/A N/A
Concurrent Connections 6M 2M 3M 10M 10M 6M 10M 10M 8M 12M 15M 25M 5M 750,000 15M 10M 12,5M
New Connections Per second 200,000 140,000 140,000 300,000 400,000 140,000 300,000 300,000 310,000 500,000 600,000 500.000 90,000 90,000 600.000 130,000 130,000
2 × SFP+, 2 × SFP+, 2 × SFP+, 2 × SFP+, 6x10GE
4 x GE (one 4 x GE 4x GE (1 4x GE (1 10x10GE 10x10GE 10x10GE
8 × SFP, 8 × SFP, 8 × SFP, 8 × SFP, SFP+
pair (one pair bypass bypass SFP+ SFP+ SFP+
16 × GE 16 × GE 4 x GE, 4x 16 × GE 16 × GE 4 x GE, 4x 4 x GE, 4x 4 x GE, 4x 2x10GE 4 x GE, 4x
Interface bypass), 4 x bypass), 4 pair), 4 x pair), 4 x 2x10GE 2x10GE 2x10GE
(including (including SFP (including (including SFP SFP SFP 4x2,5GE SFP
SFP, 2 X SFP+ x SFP, 2 SFP, 2 x SFP, 2 x 8x2,5GE 8x2,5GE 8x2,5GE
2 bypass 2 bypass 2 bypass 2 bypass 8x2,5GE
X SFP+ SFP+ SFP+ 8x1GE 8x1GE 8x1GE
pairs) pairs) pairs) pairs) 8x1GE
-/256G or 512G
256G/512G N/A N/A N/A 1TB, 128 1TB, 128 1TB, 256
Local Storage SSD 8GB 8GB 8GB N/A 256G SSD 8GB N/A 64GB N/A
SSD GB GB GB

Dual,
Dual, Dual, Dual,
dual redundant
Power Supply single/dual single/dual dual dual single/dual dual dual dual dual dual dual redundant, dual redundant, redundant,
350W (one
350W 350W 350W
included)
2U 1U Rack 1U Rack 1U Rack 1U Rack
High 1U 1U 2U 2U 1U 2U 2U 1U 2U 2U 2U 2U
Mountable Mountable Mountable Mountable

Sonicwall Product Overview - High End

NSsp 15700 NSsp 12800 NSsp 12400

Service Provider √

Data Center √ √

Enterprise √ √

Product Level High End

NSsp SERIES
E6368P NSsp 12400 NSsp 12800 NSsp 15700 E6160 E6168 E6360 E6368 X7180 X8180 X9180 X10800
Throughput 90 Gbps 58,4Gb 120.3Gb 105Gb 60G 60G 80G 80G 680G 450G 600G 1.2T
VPN Throughput 64 Gbps 24,5Gb 47Gb 32Gb 35G 35G 50G 50G 90G 250G 500G
IPS Throughput 36,8Gb 73Gb 76,5Gb 25G 25G 35G 35G 100G 180G 200G 400G

Threat Prevention 18 Gbps


33,5Gb 67,5Gb 82Gb 12Gbps 12Gbps 18Gbps 18Gbps 50 Gbps N/A 100GB 200GB
Throughput
N/A N/A N/A N/A
AV Throughput 33,5Gb 67,5GB 86,GB 20G 20G 27G 27G

IMIX Throughput 14,8GB 29GB 28,5GB 400GB N/A 300GB 600GB


Concurrent 30M
40M 80M 80M 20M 20M 30M 30M 240M 130M 240M 480M
Connections
New Connections 1.1M
430,000 860,000 860,000 800,000 800,000 1.1M 1.1M 4.8M 2.5M 5.4M 10M
Per second

2 Gigabit optical 2 Gigabit optical 2 Gigabit optical


6X100GE QSFP
2 x GE, 8 x SFP+, 4x40GE QSFP+ 4x40GE QSFP+ 2 x GE, 8 x 2 x GE, 8 x 4 x GE Combo interfaces (2 HA interfaces (2 HA interfaces (2 HA
28 4x40GE QSFP+ 2 x GE, 8 x 2 x GE, 8 x
Interface 2×QSFP+ 16x10GE SFP+ 16x10GE SFP+ SFP+, SFP+, slot (1 x M interfaces, interfaces, interfaces,
16x10GE SFP+ SFP+ SFP+
2×QSFP+ 2×QSFP+ GT+3 x HA) single SCM-260 single SCM-280 single SCM-300
module) module) module)

6 universal
12 universal
expansion slots,
10 x Generic expansion slots,
3 universal 2 security
Slot, 2 x System 2 system control
expansion slots, control module
512G SSD Control Module module
Local Storage 2 x 480 GB 2 x 480 GB 2 x 480 GB SSD N/A 512G SSD N/A 512G SSD 2 security expansion slots,
Slot, 1 x SD expansion slots,
control module 2 switching
Card Slot, 2 x 2 switching
expansion slots module
USB 2.0 Port module
expansion slots,
expansion slots
1 USB 2.0 port

Dual, Redundant, Dual, Redundant, Dual, Redundant,


1,200W 1,200W 1,200W 2+2 / 3+1 N+M (Max 4) N+M (Max 8)
Power Supply dual dual dual dual dual Dual
100-240 VAC, 50- 100-240 VAC, 50- 100-240 VAC, 50- redundant redundant redundant
60 Hz 60 Hz 60 Hz
4U Rack 4U Rack 2U Rack
Mountable Mountable Mountable
High 2.5U 2.5U 2.5U 2.5U 2.5U 5U 3U 7U 18U
24.0 x 16.9 x 7.1 in 24.0 x 16.9 x 7.1 in 24.0 x 16.9 x 7.1 in
(61 x 43 x 18 cm) (61 x 43 x 18 cm) (61 x 43 x 18 cm)
NSv SERIES VIRTUAL FIREWALL

NSv 10 NSv 25 NSv 50 NSv 100 NSv 200 NSv 270 NSv 300 NSv 400 NSv 470 NSv 800 NSv 870 NSv 1600

MSSP
√ √ √ √ √ √ √ √ √ √ √ √

Service
Provider √ √ √ √ √ √ √ √

Entry Level √ √ √ √ √ √ √

SMB & SMB & SMB &


SMB & Mid-
Product Level BRANCH BRANCH BRANCH High End High End High End High End High End High End High End
BRANCHES Range
ES ES ES

Nsa SERIES
NSv 10 NSv 25 NSv 50 VM01 NSv 100 VM02
Hypervisor: KVM, VMware ESXi, Hypervisor: KVM, VMware ESXi,
VMware ESXi v5.5 / v6.0 / v6.5 / VMware ESXi v5.5 / v6.0 / v6.5 / Xen, AMI (AWS), Hyper-VCloud VMware ESXi v5.5 / v6.0 / v6.5 / Xen, AMI (AWS), Hyper-VCloud
VMware ESXi v5.5 / v6.0 / v6.5 /
v6.7, Microsoft Hyper-V Win v6.7, Microsoft Hyper-V Win Management Platform: v6.7, Microsoft Hyper-V Win Management Platform:
v6.7, Microsoft Hyper-V Win 2012 /
2012 / 2016, KVM Ubuntu 16.04 2012 / 2016, KVM Ubuntu 16.04 Openstack Liberty and above 2012 / 2016, KVM Ubuntu 16.04 Openstack Liberty and above
Supported Hypervisors 2016, KVM Ubuntu 16.04 / CentOS
/ CentOS 7, Nutanix AHV (AOS / CentOS 7, Nutanix AHV (AOS versions, VMware vCenter 5.5 / CentOS 7, Nutanix AHV (AOS versions, VMware vCenter 5.5
7, Nutanix AHV (AOS 5.15
5.15 LTS/Prism Central 5.15 LTS/Prism Central and above versions etc. • Array 5.15 LTS/Prism Central and above versions etc. • Array
LTS/Prism Central 5.16.1.2)9
5.16.1.2)9 5.16.1.2)9 AVX Series Network Functions 5.16.1.2)9 AVX Series Network Functions
Platform Platform

Supported Public Cloud Platforms AWS (c5.large), Azure (Std D2 AWS (c5.large), Azure (Std D2 Public Cloud: AWS, Azure, AWS (c5.large), Azure (Std D2 Public Cloud: AWS, Azure,
AWS (c5.large), Azure (Std D2 v2)
(Instance Type v2) v2) AliCloud etc v2) AliCloud etc
Max Supported vCPUs 2 2 2 2 2 2
Interface Count (ESXi/Hyper-
8/8/8 8/8/8 8/8/8 10 8/8/8 10
V/KVM)
Min Memory 4 GB 4 GB 4 GB 2GB 4 GB 4GB
Minimum Storage 60 GB 60 GB 60 GB 4GB 60 GB 4GB
Supported IP/Nodes 10 25 50 25 100 126

Firewall Inspection Throughput 2GB 2,5GB 3GB 2 Gbps / 10 Gbps 3,5GB 4 Gbps / 20 Gbps

IPS Throughput 1GB 1,25GB 1,5GB 1 Gbps / 3 Gbps 1,75GB 2 Gbps / 5 Gbps

AV Throughput 450MBPS 550MBPS 650MBPS 800 Mbps / 1 Gbps 750MBPS 1.6 Gbps / 2 Gbps

750MBPS 850MBPS 950MBPS 1100MBPS


IMIX Throughput 550 Mbps / 1.6 Gbps 1.3 Gbps / 2.1 Gbps

500MBPS 550MBPS 600MBPS 650MBPS


VPN Throughput 200 Mbps / 400 Mbps 400 Mbps / 800 Mbps

SSL VPN Clients Maximum 50 50 50 100 50 500

Nsa SERIES
NSv 200 NSv 270 NSv 300 VM04 NSv 400 NSv 470 VM08
Hypervisor: KVM, VMware Hypervisor: KVM, VMware
ESXi, Xen, AMI (AWS), ESXi, Xen, AMI (AWS),
VMware ESXi v5.5 / v6.0 / VMware ESXi v5.5 / v6.0 /
VMware ESXi v5.5 / v6.0 / VMware ESXi v5.5 / v6.0 / VMware ESXi v5.5 / v6.0 / Hyper-VCloud Hyper-VCloud
v6.5 / v6.7, Microsoft v6.5 / v6.7, Microsoft
v6.5 / v6.7, Microsoft Hyper- v6.5 / v6.7, Microsoft Hyper- v6.5 / v6.7, Microsoft Hyper- Management Platform: Management Platform:
Hyper-V Win 2012 / 2016, Hyper-V Win 2012 / 2016,
V Win 2012 / 2016, KVM V Win 2012 / 2016, KVM V Win 2012 / 2016, KVM Openstack Liberty and Openstack Liberty and
Supported Hypervisors KVM Ubuntu 16.04 / KVM Ubuntu 16.04 /
Ubuntu 16.04 / CentOS 7, Ubuntu 16.04 / CentOS 7, Ubuntu 16.04 / CentOS 7, above versions, VMware above versions, VMware
CentOS 7, Nutanix AHV CentOS 7, Nutanix AHV
Nutanix AHV (AOS 5.15 Nutanix AHV (AOS 5.15 Nutanix AHV (AOS 5.15 vCenter 5.5 and above vCenter 5.5 and above
(AOS 5.15 LTS/Prism (AOS 5.15 LTS/Prism
LTS/Prism Central 5.16.1.2)9 LTS/Prism Central 5.16.1.2)9 LTS/Prism Central 5.16.1.2)9 versions etc. • Array AVX versions etc. • Array AVX
Central 5.16.1.2)9 Central 5.16.1.2)9
Series Network Functions Series Network Functions
Platform Platform
Supported Public Cloud AWS (c5.large), Azure (Std AWS (c5.large), Azure (Std AWS (c5.large), Azure (Std Public Cloud: AWS, Azure, AWS (c5.large), Azure (Std AWS (c5.large), Azure (Std Public Cloud: AWS, Azure,
Platforms (Instance Type D2 v2) D2 v2) D2 v2) AliCloud etc D2 v2) D2 v2) AliCloud etc

Max Supported vCPUs 2 2 3 4 4 8 8

Interface Count (ESXi/Hyper-


8/8/8/2/2 8/8/8/-/- 8/8/8/4/4 10 8/8/8/4/4 8/8/8/4/4 10
V/KVM)
Min Memory 6 GB 6 GB 6 GB 8GB 8 GB 8 GB 16GB
Minimum Storage 60 GB 60 GB 60 GB 4GB 60 GB 60 GB 4GB

Supported IP/Nodes 500 500 5,000 1200 10,000 10,000 2000

Firewall Inspection Throughput 4,1GB 4,1GB 5,9GB 8 Gbps / 30 Gbps 7,8GB 7,8GB 10 Gbps / 80 Gbps

IPS Throughput 2,3GB 2,3GB 3,4GB 4 Gbps / 7 Gbps 4,1GB 4,1GB 6 Gbps / 14 Gbps

AV Throughput 900MBPS 900MBPS 1,6GB 3.2 Gbps / 4 Gbps 2,2GB 2,2GB 6 Gbps / 10 Gbps

IMIX Throughput 1,5GB 1,5GB 2,3GB 1.3 Gbps / 2.6 Gbps 2,8GB 2,8GB 1.6 Mbps / 3.2 Gbps

750MBPS 750MBPS
VPN Throughput 1,4GB 800 Mbps / 2 Gbps 1,9GB 1,9GB 3 Gbps / 5 Gbps

SSL VPN Clients Maximum 100 100 150 2,000 200 200 4,000

Nsa SERIES
NSv 800 NSv 870 NSv 1600 VM08
Hypervisor: KVM, VMware ESXi, Xen, AMI
VMware ESXi v5.5 / v6.0 / v6.5 / v6.7, VMware ESXi v5.5 / v6.0 / v6.5 / v6.7, VMware ESXi v5.5 / v6.0 / v6.5 / v6.7, (AWS), Hyper-VCloud Management
Microsoft Hyper-V Win 2012 / 2016, KVM Microsoft Hyper-V Win 2012 / 2016, KVM Microsoft Hyper-V Win 2012 / 2016, KVM Platform: Openstack Liberty and above
Supported Hypervisors
Ubuntu 16.04 / CentOS 7, Nutanix AHV Ubuntu 16.04 / CentOS 7, Nutanix AHV Ubuntu 16.04 / CentOS 7, Nutanix AHV versions, VMware vCenter 5.5 and above
(AOS 5.15 LTS/Prism Central 5.16.1.2)9 (AOS 5.15 LTS/Prism Central 5.16.1.2)9 (AOS 5.15 LTS/Prism Central 5.16.1.2)9 versions etc. • Array AVX Series Network
Functions Platform

Supported Public Cloud Platforms (Instance Type AWS (c5.large), Azure (Std D2 v2) AWS (c5.large), Azure (Std D2 v2) AWS (c5.large), Azure (Std D2 v2) Public Cloud: AWS, Azure, AliCloud etc

Max Supported vCPUs 8 8 16 8

Interface Count (ESXi/Hyper-V/KVM) 8/8/8/4/4 8/8/8/4/4 8/8/8/8/8 10

Min Memory 10 GB 10 GB 12 GB 16GB


Minimum Storage 60 GB 60 GB 60 GB 4GB

Supported IP/Nodes 15,000 15,000 20,000 2000

Firewall Inspection Throughput 13,9GB 13,9GB 17,2GB 10 Gbps / 80 Gbps

IPS Throughput 5,5GB 5,5GB 6,7GB 6 Gbps / 14 Gbps

AV Throughput 4GB 4GB 6,6GB 6 Gbps / 10 Gbps

IMIX Throughput 4,2GB 4,2GB 5,3GB 1.6 Mbps / 3.2 Gbps

VPN Throughput 4,2GB 4,2GB 8,4GB 3 Gbps / 5 Gbps

SSL VPN Clients Maximum 300 300 400 4,000

Huawei

How to Win Huawei

Key Focus
1. The USG 6100/6300/6500/6600/9500 series are already EOM, and the new product lines have fewer models. Select a better model to compete.
2. Steer the customer toward Hillstone P2P traffic steering and domain traffic steering for multi-exit Internet scenarios.
3. Steer the customer toward device redundancy for asymmetric traffic scenarios.
4. Steer the customer toward iQoS.
5. Steer the customer toward NTLM and portal redirection for the web authentication function.
6. Steer the customer toward the micro-segmentation security solution and the vFW solution.
7. Steer the customer toward compatibility requirements and testing with multiple virtualization platforms.

Beating Points

Corporate
1. Security products are only a small part of Huawei's business; they are not a focus and are less important than its other businesses. Hillstone focuses fully on the security sector and will be more professional than Huawei.

Certifications
/

Functions
Huawei:
1. Insufficient support for smart link load balancing in multi-exit scenarios; no support for P2P traffic steering or domain traffic steering.
2. Poor QoS capability; cannot do multi-layer bandwidth management for IPs and applications.
3. The data center FW requires a special card to support IPS, so the cost is higher.
4. Does not support CPU virtualization in vsys.
5. Does not support HA clusters for asymmetric traffic scenarios.
6. Poor web authentication support; no support for NTLM or portal redirection.

Hardware
1. USG 6100/6300/6500/6600/9500 series are already EOM.
2. USG 6000E/6000F/12000 series are the mainstream products, but cannot cover all previous products.

Architecture & Performance
/

Avoiding
1. Avoid anti-spam, 6000+ application signatures, extendable hard disk, number of VSYS on NGFW.
2. Avoid LLDP, DSVPN, MPLS.
3. Avoid the flow sensor function.
4. Avoid Layer 7 SLB.
5. Avoid AI features and performance competition.

Software Beating Points to Huawei

1. Insufficient support for smart link load balancing in multi-exit scenarios; no support for P2P traffic steering or URL traffic steering.
2. No support for the NAT port expansion function; limited to 64512 ports on a single public IP.
3. No support for Geo-location based policy.
4. Poor QoS capability; cannot do multi-layer bandwidth management for IPs and applications.
5. The data center FW requires a special card to support IPS, so the cost is higher.
6. Does not support CPU virtualization in VSYS.
7. Does not support HA clusters for asymmetric traffic scenarios (twin mode).
8. Poor web authentication support; no support for NTLM or portal redirection.
9. Does not support Botnet C&C detection.
10. Does not support IP reputation.
11. Does not support packet path detection.
12. Does not support share access.
13. Does not support policy assistant.

Function Compare - Detail
Function item Function description Huawei USG Hillstone E Series Hillstone X Series
Interface Modes L2, L3, Tap, Virtual Wire No Virtual Wire √ √
Modes OSPF, RIP, BGP, Static √ √ √

ISP route √ √ √

Routing Policy-based forwarding √ √ √

Point-to-Point Protocol over Ethernet (PPPoE) Supported √ √ √

Jumbo frames Supported, 9210 bytes Supported √ Support to 1800 Support to 1800

Modes Active/Active Active/Passive √ √ √

Configuration and session synchronization √ √ √

HA Interface and IP tracking √ √ √

Link and path failure monitoring √ √ √

Management and Visibility Tools √ √ √

Function Compare - Detail
Function item Function description Huawei USG Hillstone E Series Hillstone X Series
NAT Modes 1:1 NAT, n:n NAT, m:n NAT √ √ √

NAT/PAT Extended NAT (Over 65535 ports/ip) √ √ √

NAT 444 √ √ √

VLANs √ √ √

Virtual Wire X √ √

IGMP √ √ √

Address Assignment DHCP server/DHCP relay √ √ √

Modes L2, L3, Tap, Virtual Wire No Virtual Wire √ √

IPv6 APP identify √ √ √

SSL Decryption √ √ X

Active Directory, LDAP, eDirectory √ √ √

Auth Citrix and Microsoft Terminal Services, XML API (User-ID) √ X X

Radius √ √ √

Function Compare - Detail
Function item Function description Huawei USG Hillstone E Series Hillstone X Series

FIREWALL
Policy-based control over applications, users and content √ √ √
WebAuth √ √ √
Fragmented packet protection √ √ √
Reconnaissance scan protection √ √ √
Denial of Service (DoS)/Distributed Denial of Service (DDoS) protection √ √ √
Decryption: SSL (inbound and outbound), SSH √ √ √

IPSEC VPN (SITE-TO-SITE)/SSLVPN
Key Exchange: Manual key, IKE v1 √ √ √
Encryption: 3DES, AES (128-bit, 192-bit, 256-bit) √ √ √
PnP VPN X √ √
GRE √ √ √
L2TP over IPsec √ √ √
Authentication: SHA1, MD5 √ √ √

Function Compare - Detail
Function item Function description Huawei USG Hillstone E Series Hillstone X Series

DATA FILTERING
Control unauthorized data transfer (data patterns and file types) √ √ X
Drive-by download protection √ √ X

MANAGEMENT, REPORTING, VISIBILITY TOOLS
Integrated web interface, CLI or central management (Panorama) √ √ √
Syslog and SNMPv2 √ √ √
XML-based REST API √ √ √
Graphical summary of applications, URL categories, threats and √ √ √
View, filter, export traffic, threat, URL, and data filtering logs √ √ √
Fully customizable reporting √ √ √

NETCONNECT SSL VPN (REMOTE ACCESS)
Transport: IPSec with SSL fall-back √ √ √
Host-Security Check √ √ √
Authentication: LDAP, SecurID, or local DB √ √ √
Authentication: USB-KEY √ √ √
Client OS: Macintosh, Windows XP, Windows Vista (32 and 64 bit), Windows 7 (32 and 64 bit) √ √ √

Function Compare - Detail
Function item Function description Huawei USG Hillstone E Series Hillstone X Series

THREAT PREVENTION (SUBSCRIPTION REQUIRED)
Application, operating system vulnerability exploit protection X √ √
Stream-based protection against viruses (including those embedded in HTML, Javascript, PDF and compressed), spyware, worms X √ X
Behavioral botnet detection X √ √

QUALITY OF SERVICE (QOS)
Policy-based traffic shaping by application, user, source, destination, interface, IPSec VPN tunnel and more √ √ √
Policy-based traffic policing X √ √
8 traffic classes with guaranteed, maximum and priority bandwidth parameters X √ √
Real-time bandwidth monitor √ √ √
Per policy diffserv marking √ √ √
Two level QoS X √ √
APP Based Session limit √ √ √

File and Data Filtering (DLP)
Bidirectional control over the unauthorized transfer of more than 100 file types √ √ X
Bidirectional control over the transfer of Social Security Numbers, Credit Card Numbers, custom data patterns X X X

Function Compare - Detail
Function item Function description Huawei USG Hillstone E Series Hillstone X Series

URL FILTERING (SUBSCRIPTION REQUIRED)
64 categories, over 140 Million URLs √ √ √
Dynamic URL filtering (1M URL cache on device) √ √ √
Custom block pages and URL categories √ √ √
On-box customizable URL filtering database √ √ √
Customizable categories, allow, block lists and block pages √ √ √
Safe search (Google, Bing, Yahoo) √ √ √

WildFire Modern Malware Protection (Subscription Required)
Sand box-based detection of unknown malware hidden in PS, PDF, all Office file types, Java and Android APK √ √ X
Automated signature generation and delivery for discovered malware √ √ X
Inline control of malware infection and command/control traffic √ √ X

Function Compare - Detail
Function item Function description Huawei USG Hillstone E Series Hillstone X Series
Botnet C&C detection Effectively discover intranet bots and prevent further attacks of advanced threats through comparison of information obtained with the C&C address database X √ X
IP Reputation Identify and filter the traffic from risky IPs, including Bots, Anti-spam sender, Tor node, Breach Host, Brute force X √ √
Anti-Spam Real-time Spam Classification and Prevention. Protection regardless of the language, format, or content of the message. √ √ (T series) X

Huawei Product Overview - NGFW
Firewall Platforms (diagram)
- Segments: Datacenter/ISP, Enterprise
- Models shown: USG12004/12008; USG9520, USG9560, USG9580; USG6680/6670/6660/6650; USG6630/6620; USG6390/6380/6370; USG6360/6350/6330; USG6320
- Most of the products are: EOM: 30/6/2021, EOS: 30/6/2026

• The USG 9500/USG 6600/USG 6300 series reached EOM on 30/6/2021
• The new high-end DC firewall USG12000 series was released
Huawei Product Overview – AI FW (New)
Firewall Platforms (diagram)
- Segments: Datacenter/Big Enterprise, Enterprise (SMB)
- Models shown: USG6700E, USG6600E, USG6600F, USG6500E, USG6500E (Desktop)
- New products: USG6600F series

• Innovative Chip - New dedicated security chip and built-in acceleration engine improve processing performance to double the industry average.
• Intelligent - Advanced threat detection based on AI technology associated with the cloud provides accuracy greater than 99%.
• High Density - High integration doubles the number of interfaces and allows flexible access at a low cost.
Product Portfolio High-Level Comparison

• Highlighted in Red is NGFW throughput (App Control, IPS turned on)


Product Specifications Compare - Enterprise
Huawei
- USG 6100/6300/6500/6600/9500 series are already EOM;
- USG 6000E/6000F/12000 series are the mainstream products;
- HA (AP/AA) mode uses VRRP/HRP and cannot be applied to asymmetric traffic scenarios;
- The QoS function does not support multi-layer management based on IP and application;
- The IPsec VPN function is not free;
- AI FW - New dedicated security chip and built-in acceleration engine, improving processing performance to double the industry average;
- AI FW - Advanced threat detection based on AI technology associated with the cloud

Hillstone
- Products provide high reliability; mid-range and high-end products support redundant power supplies. High scalability, with support for various expansion cards;
- INGFW supports Advanced Threat Detection (ATD) and Abnormal Behavior Detection (ABD), improving the ability to defend against advanced security threats;
- Web authentication supports NTLM and portal page redirection;

Product Specifications Compare - Datacenter
Huawei
- Data center firewalls USG9520/9560/9580 are already EOM;
- USG 12004/12008 are the mainstream products;
- Data center product throughput ranges from 120G to 9.6T, with very high new connections and concurrent connections;
- Data center products support various expansion boards, but the cost is high;
- Data center products support various interface types, such as 100G, OC-192c/STM-64c;
- High energy consumption;

Hillstone
- Data center products support SFP Bypass interfaces;
- Vsys on data center products supports CPU virtualization;
- Data center products support HA clusters in asymmetric traffic scenarios (Twin mode);
- Data center products provide abundant reports and statistics, and support customized statistics;
- Low energy consumption;

Hardware & Performance Specs Comparison - SMB
E1100W E1600 E1600P/E1600WP E1606 USG6510E USG6530E E1700 E2300 USG6525E USG6555E E1700P A1000 A1100
Throughput 1G 1G 4.7G 1G 1.2G 4G 1.5/2G 2.5/4G 2G 4G 4.75G 4G 5G

VPN Throughput 600M 600M 850M 600M 1G 3G 700M 1G 2G 4G 850M 1.1G 1.1G

IPS Throughput 400M 400M 1.2G 400M 600M 1.5G 600M 1G 1.5G 2.1G 1.2G 3.2G 3.2G

NGFW Throughput 350M 350M 470M 350M 600M 1.5G 450M 650M 1.5G 2.0G 470M 1.2G 1.2G

Threat Protection 300M 300M 360M 300M 450M 1.1G 400M 500M 1.1G 1.6G 400M 800M 800M
Concurrent Connections 100K 200K 200K 400K 300K 500K 600K/1M 1M/2M 3M 4M 600K 300K 300K
New Connections Per second 10,000 10K 27K 12K 20K 30K 25K 50K 70K 78K 28K 48K 48K
2 x 10GE 2 x 10GE
2 x GE (SFP) 2 x 10GE (SFP+) 5GE (SFP+) + 8 x (SFP+) + 8 x
Interface 9GE 9GE 9GE 9GE 9GE 9GE 4 GE 8GE
+10 x GE + 10x GE 4Combo GE Combo + GE Combo +
2 x GE WAN 2 x GE WAN
Expansion Slot - - - - - - - - - - - - -

IEEE802.11a/
WiFi - - - - - - - - - - -
b/g/n

3G/4G - - - - - - - - - - - -

Optional,
Optional, Optional, Optional,
SSD 240/960 8G + 8G +
Local Storage(SSD) - - - - 64G/128G 64G/128G - - SSD 64 -
GB /HDD 256G SSD 256G SSD
Micro-SD Micro-SD GB/240 GB
1TB

Power Supply single single Single single single Single single/dual single/dual Single/dual Single/dual single single single
Dimensions Desktop Desktop Desktop Desktop Desktop Desktop 1U 1U 1U 1U 1U 1U 1U

• Huawei keeps a few NGFW models for SMB

Hardware & Performance Specs Comparison – Mid-Range Enterprise
USG6565E USG6585E T1860 E2860/E2868 E3662/E3668 E3662P/E3668P E3960/E3968 E3960P/E3968P E3965/E5168 T2860 USG6615F E5260/E5268 E5260P/E5268P
Throughput 6G 9G 8G 6G 8G 10G 10G 10G 10G 10G 15G 16G 20G
VPN Throughput 6G 6G 3G 3G 3G 3G 4G 4G 6G 3.8G 15G 8G 8.4G

IPS Throughput 2.2G 2.2G 3G 1.8G 3G 3.3G 4G 3.9G 4G 4G 10G 5G 8.9G

NGFW Throughput 2.2G 2.2G 1.2G 1.0G 1.2G 1.25G 1.5G 1.5G 3G 1.5G 10G 3.5G 3.9G
Threat Protection 1.7G 1.8G 900M 800M 900M 900M 1.1G 1.1G 2G 1.2G NA 2.2G 2.2G
Concurrent Connections 4M 4M 1.5M 2M 3M 3M 4M 3.2M 6M 3M 10M 6M 6M
New Connections Per second 80K 80K 80K 80K 120K 120K 150K 150K 170K 100K 250K 200K 200K
2 x 10GE 6 x 10GE (SFP+)
2 x 10GE 6 × GE(1 pair
(SFP+) + 8 x 1MGT、1HA、 + 4 x GE (SFP) +
(SFP+) + 8 x 6 × GE, 4 × 6GE 1MGT、1HA 1MGT、1HA、4GE、 bypass port), 4 × 1MGT、1HA、2GE、2Bypass、
Interface GE Combo + 2GE、2Bypass、 4
GE Combo + SFP 4SFP 、6GE、4SFP 2Bypass、4SFP、2SFP+ SFP, 2 × SFP+ 4SFP、2SFP+
2 x GE WAN 4SFP、2SFP+ x GE (RJ45)+
2 x GE WAN
8*GE(COMBO)
Expansion Slot - - 2 2 2 2 4 2 - 4

Optional 256G SSD 256G SSD


-/(128G / - / (128G / - / (128G / 480G SSD (960G Optional, 256G SSD
Optional, Optional, 480G/ (only (only - / 256G or 512G - / 256G or
Local Storage 256G / 256G / 512G 256G / 512G SSD Optional) SSD 240 (only E5268P)
SSD 240 GB SSD 240 GB 960G SSD E3668P) E3968P) SSD 512G
512G SSD) SSD) SSD) GB/HDD 1TB

Power Supply single/dual single/dual Single/dual single/dual Single/dual Single/dual dual Single/dual single/dual dual

High 1U 1U 1U 1U 1U 1U 2U 1U 1U 2U

• Huawei keeps a few NGFW models for Mid-Range Enterprise.

Hardware & Performance Specs Comparison – Mid to Large Enterprise
E5660 T5060 USG6625F USG6630E USG6635F USG6650E E5760 E5760P T5860 USG6655F E6168 USG6680E E6368 E6368P USG6712E USG6716E
Throughput 25G 25G 25G 30G 35G 40G 32G 40G 40G 50G 60G 80G 80G 90G 120G 160G
VPN Throughput 15G 15G 25G 20G 30G 30G 18G 18.8G 28G 30G 35G 70G 50G 64G 100G 120G
IPS Throughput 12G 12G 12G 13G 15G 15G 15G 18.5G 18G 15G 25G 24G 35G 37G 40G 40G
NGFW Throughput 7G 8G 12G 13G 14G 15G 8G 8.9G 12G 14G 16G 24G 24G 26G 40G 40G
Threat Protection 4.5G 6G 10G 11G 5G 5.2G 8G 12G 22G 18G 18G 33G 36G
Concurrent Connections 10M 5M 10M 12M 20M 12M 12M 12M 6M 12M 20M 25M 30M 30M 35M 50M
New Connections Per second 300K 450K 250K 400K 500K 400K 300K 500K 500K 500K 800K 800K 1.1M 1.1M 1.4M 1.6M
2*100G 2*100G
(QSFP28) + (QSFP28) +
6 x 10GE 4*40GE
1MGT 2*40G 10 x 10GE 2*40G 2 x 40GE 2*40G 2*40G
1MGT (SFP+) + 4 x 1MGT 1MGT 2MGT、 (QSFP+)
1HA (QSFP+) + (SFP+) + 4 (QSFP+) + (QSFP+) + 2MGT、8SFP+、2GE, (QSFP+) + (QSFP+) +
1HA GE (SFP) + 4 1HA 1HA 8SFP+、 + 28*10GE
Interface 4GE
x GE (RJ45)+
12*10GE x GE (RJ45)+ 12*10GE 12 x 10GE
(SFP+)
2QSFP+ 20*10GE 20*10GE
2GE 4GE 2GE 2GE
4SFP (SFP+) + 8*GE(COMB (SFP+) + (SFP+) (SFP+) + (SFP+) +
4SFP 8*GE(COMB 4SFP 4SFP 2*10GE (SFP+)
12*GE O) 12*GE + 16 x GE* 2*10GE 2*10GE
O) HA
(SFP+) (SFP+)
HA HA
2xGeneric
Expansion Slot 4 4 - - - - 4 4 - - 2xGeneric+1 BYPASS - -
+1 BYPASS
Dual Dual
Storage: Optional, Storage:
128G/ Optional, Optional, Optional, SSD240G/SS 128G/480 Optional, Optional, Optional, Optional,
512G SSD 512G SSD
Local Storage - 480G / SSD 240 GB/ SSD 240G/ SSD 240 GB/ D - G/ SSD 240 G/ SSD240G/ SSD 240G/ SSD, 240G/
960G SSD HDD 1TB HDD 1TB HDD 1TB 240G/ 960G SSD HDD 1TB HDD 1TB HDD 1TB HDD 1TB
+480G HDD 1TB +1T HDD
/960G SSD /960G SSD
Power Supply Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC Dual AC
High 2U 2U 1U 1U 1U 1U 2U 2U 1U 2U 1U 2U 1U 1U

• Huawei keeps a rich set of NGFW models for Mid to Large Enterprise.
• Huawei products are more compact, supporting up to 160G throughput in 1U
Hardware & Performance Specs Comparison – Data Center
Specification (Max) HiSecEngine USG12004 HiSecEngine USG12008 X7180 X9180 X10800

FW Throughput 600G 2.4T 680G 600G 1T (7T in future)

VPN Throughput 600G 1.4T 90G 250G 300G

IPS Throughput 320G 640G 100G 200G 400G

NGFW Throughput 256G 512G 70G 140G 280G

Threat Protection NA NA 50G 100G 200G

Concurrent Connections 600M 1200M 240M 240M 480M

New Connections Per second 10M 25M 4.8M 5.4M 10M


Interface 4*100G/40*10GE per slot 4*100G/40*10GE/18*100GE per slot
Expansion Slot 4 8 10 6 12

Local Storage
Power Supply 6+6 10+10 2+2 N+M (Max 4) N+M (Max 8)
Height 9.8U 15.8U 5U 7U 18U
Hardware & Performance Specs Comparison – Virtual NGFW
VM01 VM02 VM04 USG6000V1 USG6000V2 USG6000V4 USG6000V8
Core (Min) 2 2 4 1 2 4 8
Memory (Min) 2G 4G 8G 2G 4G 8G 12G
Storage (Min.) 4 GB 4 GB 4 GB 4 GB 4 GB 4 GB 4 GB
Network Interfaces (Min/Max) 10 10 10 2/11 2/11 2/11 2/11
Firewall Throughput (vNIC/SR-IOV) 2G/10G 4G/20G 8G/30G 8G/10G 8G/20G 8G/40G 8G/80G
IPsec VPN Throughput (vNIC/SR-IOV) 200M/400M 400M/800M 800M/2G 1G/1.5G 1.5G/2G 3G/4G 5G/7G
New Sessions / Second (vNIC/SR-IOV) 20K/30K 40K/50K 80K/100K 15K 30K 50K/100K 60K/280K
Maximum Concurrent 100K 500K 5M 500K 2M 4M 8M
Hardware & Performance Specs Comparison– Next Generation IPS
NIP6610 NIP6330 S600 S1060 NIP6620 S1560 NIP6650 S2160 S2660 S3560 NIP6680 S3860 S5560
IPS Throughput 500M 1G 1G 3G 2G 4G 6G 10G 14G 16G 15G 21G 50G
Bypass Support - - 4/8 4/8 - 4/8 - 4/20 4/20 6/22 - 6/22 0/32
Concurrent Connections - - 0.6M 1M - 1M - 2M 2M 4M - 4M 8M
New Connections Per second - - 9K 35K - 41K - 92K 120K 150K - 200K 485K

4SFP+
4GE 8GE 8GE 8GE
Interface 4GE 4GE 4GE 4GE 4GE 6GE 16GE 6GE -
2Combo 4SFP 4SFP 4SFP
8SFP

Expansion Slot - - 1 1 - 1 - 2 2 2 - 2 4
Optional. Optional. Optional. Optional. Optional.
Supports Supports Supports Supports Supports
Local Storage single 300 single 300 1T 1T single 300 1T single 300 1T 1T 1T single 300 GB 1T 1T
GB HDD (hot GB HDD (hot GB HDD (hot GB HDD (hot RAID1 (hot
swappable) swappable) swappable) swappable) swappable)

Power Supply single/dual single/dual single single single/dual single dual dual dual dual dual dual dual

Height 1U 1U 1U 1U 1U 1U 1U 1U 1U 2U 3U 2U 2U
Sophos

How to Win Sophos – Hardware
Hardware
• High Performance DCFW – Sophos offers only three NGFW models with around 100G FW throughput, which does not fulfill real DC requirements.

• 100G Interface – Sophos doesn't support QSFP28 100GE interfaces.

• Lightning Surge Immunity – Sophos hardware is not designed for lightning and surge immunity. No IEC/EN61000-4-5 Power Surge Protection.
How to Win Sophos – Performance
Performance
• Number of Users - Sophos has a limit on the number of users it can support. Hillstone can support many more users, given the same datasheet performance benchmark.
• IPS and AV Performance – Hillstone offers much higher IPS and AV performance.
• VPN Performance – Hillstone offers much higher VPN performance.
• New Sessions/s – Hillstone offers much higher new sessions/s.
• Resistance to Evasion Techniques - Evasion techniques are a means of disguising and modifying attacks at the point of delivery in order to avoid detection by security products.
• Deep Content Inspection – Sophos doesn't have Deep Content Inspection, a unique isolation and inspection environment that simulates an entire host (including the CPU, system memory, and all devices) to analyze malware.
• Full attack chain visibility - Sophos appliances do not understand the nature of the attack incident; response takes considerable time to understand the attack and needs additional services such as Sandstorm.
How to Win Sophos – Business and What to Avoid
Business and Others
• Security Effectiveness - Very weak at security, not a real security device -> NSS Labs report, less than 70% block rate, cheap, but trash
• Malware Detection - Spend hours researching false alarms. Highest rated detection technology identifies threats others miss and eliminates the need.
• Subscription - Price is higher than Hillstone. 3Y to 5Y renewal subscription price is higher. TCO is high.

What to Avoid
• Avoid the DLP feature. Most enterprises need a more dedicated DLP tool rather than one built into the firewall.
• Language. 9 language options are available for management.
• Supported Browsers. Latest version of Firefox (recommended), latest version of Safari
How to Compete?
Among three internal network breach detection technologies, Hillstone sBDS can win with the following advantages:
a) Multiple detection technologies covering both known and unknown threats
b) Advanced threat correlation analytics enhance threat detection efficacy and lower false positives
c) Unique server behavior modeling and profiling fit into the internal server assets protection more

Hillstone sBDS IDS Sandbox Intercept
Multiple Detection Technologies Yes No No No
• Advanced Threat Detection Yes No Yes No
• Intrusion Detection Yes Yes No Yes
• Virus Scan Yes No No Yes
Threat Correlation Analytics Yes No No Yes
Server Type Identification Yes No No No
Cloud intelligence Yes Yes No Yes
Conjunction with NGFW/IPS Yes IPS only Yes No

Software Beating Points to Sophos


1. No support for the NAT port expansion function; limited to 64512 ports on a single public IP.
2. No support for Intelligent LLB; not suitable for multi-exit scenarios.
3. No support for SmartDNS; not able to do intelligent DNS resolution for WAN users or to return the fastest access IP.
4. No support for P2P application steering and URL steering functions; not able to fully utilize the bandwidth of high-quality links or to increase the efficiency of user access.
5. HA function only supports AP/AA mode; no support for peer mode and twin mode.
6. QoS does not support multi-layer nesting; not suitable for complex bandwidth control.
7. No support for the Botnet C&C Prevention function.
8. No support for the Hot Threat Intelligence function.
9. No support for the vsys function.

Sophos Software Weakness


Category Feature Hillstone Sophos

User Identity
WebAuth and AAA Framework supports IPv6 protocol stack √ X
Support ALIcloud SMS gateway √ X
Support the Telecom SMS gateway of ACC service protocol (CEP2.0). √ X
Support Radius dynamic authorization function (CoA). √ X
Support IPv6 Radius authentication √ X
Support Terminal Server: Windows agent √ X
Support Terminal Service Agent √ X

Firewall
Support IPv6 static Route √ X
Support aggregate policy √ X
Support policy assistant function to further analyze the unknown traffic and configure refined policies quickly and automatically via generating user-defined service, and setting replacement and aggregation conditions √ X
Support to directly configure the protocol type and port configuration of the service in policy √ X
Support to configure the schedule based on seconds. √ X
Application layer security functions support one click bypass function √ X

Sophos Software Weakness

Category Feature Hillstone Sophos

Intrusion Prevention
IPS log records complete URLs and restore SQL injection statements √ X
IPS template supports rule credibility √ X

Antivirus
Support manually add or delete MD5 signature to the AV database √ X
Support virus scanning for files transmitted by SMB protocol √ X

Botnet C&C Prevention
C&C address library supports custom IP and domain √ X
Support DNS sinkhole √ X

Quality of Service (QoS)
VSYS support QoS √ X

Link Load Balancing
Supports batch import of domain names √ X
Support the link detection for a specified domain name √ X
Link state monitoring supports active detection method √ X

VPN
Support to enable or disable the SSL VPN login via Web. √ X
L2TPv3 supports IPV6 √ X
VTEP for VxLAN static unicast tunnel √ X

Sophos Software Weakness


Category Feature Hillstone Sophos

High Availability (HA)
Support to configure the IPv6 address at HA link interface. √ X
Support to specify two physical interfaces as the HA data link interface. √ X

Twin-Mode HA
Two groups of HA devices are supported to form Twin-mode HA √ X
Configuration and session synchronization between two groups of HA devices √ X
Twin-mode HA supports AA and AP √ X
Twin-mode AP mode supports IPv6 √ X

Vsys
System resource allocation to each VSYS √ X
Support CPU virtualization √ X
Non-root VSYS support firewall, IPsec VPN, SSL VPN, IPS, URL filtering, app monitoring, IP reputation, QoS √ X
VSYS monitoring and statistic √ X
Support to specify the maximum quota and reserved quota of SCVPN user number in VSYS. √ X
Support to import and export configuration files of all VSYS. √ X
Simple-switch supports IPv6 √ X

Hot Threat Intelligence
Support to monitor hot threat intelligence and system provides solutions to help users quickly prevent hot threat. √ X
Sophos Product Overview – SG Series UTM

SG 105(w)/115(w)/125(w)/135(w) SG 210/230 SG 310/330 SG 430/450 SG 550 SG 650

MSSP √ √ √ √ √ √
Service Provider √ √ √
Data Center √ √ √ √ √
Enterprise √ √ (Branch) √ (Branch) √ (Campus) √ (Campus) √ (Campus)
Distributed Enterprise √ √ √ √ √ √
SMB √ √ √ √
Product Level Desktop Middle End High End
Hardware Option: PoE, Switch, WIFI; PoE, high density GE port; high density GE port; high density GE, 10GE port; 10GE, 40GE port
Product Hardware Specs - SMB
E1100 E1600 E1606 E1700 SG 105(W) SG 115(W) SG 125(W) A1000 A1100 E2300
FW Throughput 1G 1G 1G 1.5/2G 2.5G 2.7G 3.1G 4G 5G 2.5/4G
IPSec Throughput 600M 600M 600M 700M 325M 425M 500M 1,108 M 1,097 M 1G

IPS Throughput 400M 400M 400M 600M 350M 500M 750M 3.2G 3.2G 1G

AV Throughput 300M 300M 300M 400M 280M 500M 650M 1.8G 2G 700M

NGFW Throughput 350M 350M 350M 450M 1.2G 1.2G 650M

Concurrent Sessions 200,000 200,000 400,000 600,000/1M 1M 1M 2M 300,000 300,000 1M/2M

New Sessions/s 10,000 10,000 12,000 25,000 17,000 21,000 25,000 48,000 48,000 50,000

2 x USB 2.0 2 x USB 2.0 2 x USB 2.0


1 × Console Port, 2
1 x Console Port 1 x Console Port 1 x Console Port 1 x Console Port 1 x Micro-USB 1 x Micro-USB 1 x Micro-USB 1 × Console Port, 2 1 x Console Port
Management Ports × USB3.0 Port, 1
1 x USB Port 1 x USB Port 1 x USB Port 1 x USB Port 1 x COM (RJ45) 1 x COM (RJ45) 1 x COM (RJ45) × USB3.0 Port 1 x USB Port
× MGT Port (RJ45)
1 x HDMI 1 x HDMI 1 x HDMI

4 GbE copper 4 GbE copper


8 GbE copper 8 × GE (including 1 5 × GE
Fixed I/O Ports 9 x GE 9 x GE 9 x GE 9 x GE 1 GbE SFP 1 GbE SFP 4 × GE
1 GbE SFP bypass pair) 4 × Combo
(shared) * (shared) *

Expansion Slot - - - - - - - - - -

Local Storage - - - - integrated SSD integrated SSD integrated SSD 8GB 8GB -

256 GB SSD, 256 GB SSD,


Expansion Storage - - - - - - - -
optional optional

External auto External auto External auto


ranging DC. ranging DC. ranging DC.
Power Supply single single single single/dual single single single/dual
Redundant PSU Redundant PSU Redundant PSU
optional (external)optional (external) optional (external)

Height Desktop Desktop 1U 1U Desktop Desktop Desktop Desktop Desktop 1U
Product Hardware Specs - Enterprise
E2800 SG 135(W) A2000 A2600 E2860/2868 E3662/3668 E3960/3968 E3965/E5168 SG 210 SG 230 E5260/5268
FW Throughput 4.5/6G 6G 5G 5G 6G 8G 10G 10G 12G 14.5G 16G
IPSec Throughput 3G 1G 1,099 M 2,996 M 3G 3G 4G 6G 1G 1G 8G

IPS Throughput 1.8G 1.5G 3.2G 4.5G 1.8G 3G 4G 4G 2G 3G 5G

AV Throughput 1.2G 1.4G 2G 3.7G 1.2G 1.6G 2.5G 3G 500M 800M 3.5G

NGFW Throughput 850M 1.2G 1.8G 1G 1.2G 1.5G 3G 3.5G

Concurrent Sessions 1M/2M 2M 1M 1.2M 2M 3M 3.2M 6M 4M 4M 6M

New Sessions/s 80,000 36,000 48,000 120,000 80,000 120,000 150,000 170,000 60,000 70,000 200,000
2 x USB 3.0 2 x USB 3.0
1 x Console Port, (front) (front) 1 x Console Port,
2 x USB 2.0 1 × Console 1 × Console 1 x Console Port, 1 x Console Port,
1 x Console Port, 1 1 x Micro USB 1 x Micro USB 1
1 x Micro-USB Port, 2 × Port, 2 × 1 x AUX 1 x AUX
1 x Console Port, 1 x AUX Port, 1 x x AUX Port, 1 x (front) (front) x AUX Port, 1 x
Management Ports 1 x COM USB3.0 Port, 1 USB3.0 Port, 1 Port, 1 x USB Port, 1 x USB Port,
USB 1 x USB 3.0 (rear) 1 x USB 3.0 (rear) USB
1×USB port USB Port, 1 x HA,
(RJ45) × MGT Port × MGT Port Port, 1 x HA, 1 1 x HA, 1
1 x MGT Port, 1 x HA, 1 x 1 x COM (RJ45) 1 x COM (RJ45) Port, 1 x HA, 1 x
1 x HDMI (RJ45) (RJ45) x MGT x MGT
MGT (front) (front) MGT
1 x HDMI (rear) 1 x HDMI (rear)
6 GbE copper 6 GbE copper
8 × GE 8 × GE 6 x GE (one pair 4 x GE (one pair 4 x GE (one pair
5 x GE 8 GbE copper (incl. 2 bypass (incl. 2 bypass
Fixed I/O Ports (including 1 (including 1 6 x GE, 4 x SFP 6 x GE, 4 x SFP bypass), 4 x bypass), 4 x bypass), 4 x SFP, 2
4 × Combo 1 GbE SFP pairs) pairs)
bypass pair) bypass pair) SFP, 2 X SFP+ SFP, 2 X SFP+ X SFP+
2 GbE SFP 2 GbE SFP
Expansion Slot - - - - 2 2 2 4 1 1 4

integrated -/256G or 512G -/256G or 512G -/256G or 512G -/256G or 512G -/256G or 512G
Local Storage - 8GB 8GB integrated SSD integrated SSD
SSD SSD SSD SSD SSD SSD
480 GB / 960 480 GB / 960
Expansion Storage - - GB / 1.92 TB GB / 1.92 TB - - - - - - -
SSD SSD
External auto Internal auto- Internal auto-
ranging DC. ranging. ranging.
Power Supply single/dual Redundant single/dual single/dual single/dual single/dual single/dual dual Redundant PSU Redundant PSU dual
PSU optional optional optional
(external) (external) (external)
Height 1U Desktop 1U 1U 1U 1U 1U 2U 1U 1U 2U
Product Hardware Specs - Enterprise
SG 310 A3000 A3600 SG 330 E5568 E5660 SG 430 SG 450 A3700 A3800 E5760 E5960
FW Throughput 19G 20G 20G 22G 20G 25G 28G 30G 20G / 40G 20G / 40G 32G 40G
IPSec Throughput 3G 3,250 M 3,288 M 4G 12G 15G 4G 5G 3,321 M 6,143 M 18G 25G
IPS Throughput 5G 8.3G 8.5G 6G 7G 12G 7G 8G 8.6G 17.5G 15G 18G
AV Throughput 1.2G 4.8G 5G 1.5G 5G 7G 2G 2.5G 5.2G 9.4G 8G 10G
NGFW Throughput 1.8G 1.8G 5G 7G 1.8G 3.7G 8G 9.5G
Concurrent Sessions 6M 2M 3M 6M 10M 10M 8M 8M 6M 8M 12M 15M
New Sessions/s 100,000 140,000 140,000 120,000 300,000 400,000 130,000 130,000 140,000 310,000 500,000 600,000
2 x USB 3.0
2 x USB 3.0 2 x USB 3.0 2 x USB 3.0
(front)
(front) 1 × Console 1 × Console (front) (front) 1 × Console 1 × Console
1 x Console Port, 1 x Console Port, 1 x Micro USB 1 x Console 1 x Console
1 x Micro USB Port, 2 × Port, 2 × 1 x Micro USB 1 x Micro USB Port, 2 × Port, 2 ×
1 1 (front) Port, 1 Port, 1
(front) USB3.0 Port, USB3.0 Port, (front) (front) USB3.0 Port, USB3.0 Port,
x AUX, Port, 1 x x AUX, Port, 1 x 1 x USB 3.0 x AUX, Port, 1 x AUX, Port, 1 x
Management Ports 1 x USB 3.0 1 × MGT Port 1 × MGT Port 1 x USB 3.0
USB USB
1 x USB 3.0 (rear) 1 × MGT Port 1 × MGT Port
x USB USB
(rear)
(rear) (RJ45), 1 × HA (RJ45), 1 × HA (rear) 1 x COM (RJ45) (RJ45), 1 × HA (RJ45), 1 × HA
Port, 1 x HA, 1 x Port, 1 x HA, 1 x 1 x COM (RJ45) Port, 1 x HA, 1 Port, 1 x HA, 1
1 x COM (RJ45) Port Port 1 x COM (RJ45) (front) Port Port
MGT MGT (front) x MGT x MGT
(front) (RJ45) (RJ45) (front) 1 x IPMI (front) (RJ45) (RJ45)
1 x IPMI (front)
1 x HDMI (rear) 1 x HDMI (rear) 1 x HDMI (rear)
1 x HDMI (rear)
8 GbE copper 8 GbE copper
2 × SFP+, 8 × 2 × SFP+, 8 × 4 x GE (one pair 8 GbE copper 8 GbE copper 2 × SFP+, 8 × 2 × SFP+, 8 ×
(incl. 2 bypass (incl. 2 bypass
SFP, 16 × GE SFP, 16 × GE bypass), 4 x SFP, (incl. 2 bypass (incl. 2 bypass SFP, 16 × GE SFP, 16 × GE
Fixed I/O Ports pairs) pairs) 4 x GE, 4x SFP 4 x GE, 4x SFP 4 x GE, 4x SFP
(including (including 2 pairs) pairs) (including (including
2 GbE SFP 2 GbE SFP
2 bypass pairs) 2 bypass pairs) X SFP+ 2 10 GbE SFP+ 2 10 GbE SFP+ 2 bypass pairs) 2 bypass pairs)
2 10 GbE SFP+ 2 10 GbE SFP+

Expansion Slot 1 - - 1 4 4 2 2 1 1 4 4
integrated SSD
Local Storage integrated SSD 8GB 8GB integrated SSD 256G/512G SSD - integrated SSD 8GB 8GB - -
x2
480 GB / 960 480 GB / 960 480 GB / 960 480 GB / 960
Expansion Storage - GB / 1.92 TB GB / 1.92 TB - - - - - GB / 1.92 TB GB / 1.92 TB - -
SSD SSD SSD SSD

Internal auto- Internal auto- Internal auto- Internal auto-


ranging. ranging. ranging. ranging.
Power Supply Redundant single/dual single/dual Redundant PSU dual dual Redundant PSU Redundant PSU single/dual dual dual dual
PSU optional optional optional optional
(external) (external) (external) (external)

Height 1U 1U 1U 1U 2U 2U 1U 1U 1U 1U 2U 2U
Product Hardware Specs - Enterprise
SG 550 SG 650 E6160 E6168 E6360 E6368
FW Throughput 45G 65G 60G 60G 80G 80G
IPSec Throughput 8G 10G 35G 35G 50G 50G

IPS Throughput 12G 16G 25G 25G 35G 35G

AV Throughput 3.5G 5G 20G 20G 27G 27G

NGFW Throughput 16G 16G 24G 24G

Concurrent Sessions 12M 20M 20M 20M 30M 30M

New Sessions/s 100,000 160,000 800,000 800,000 1.1M 1.1M


2 x USB 2.0 (front) 2 x USB 2.0 (front)
1 x USB 3.0 (rear) 1 x USB 3.0 (rear)
1 x Console Port, 1 x AUX Port, 1 x Console Port, 1 x AUX Port, 1 x Console Port, 1 x AUX 1 x Console Port, 1 x AUX Port,
2 x Mgmt Port 2 x Mgmt Port
Management Ports (eth0/eth1, front) (eth0/eth1, front)
1x 1x Port, 1 x 1x
USB Port, 1 x HA, 1 x MGT USB Port, 1 x HA, 1 x MGT USB Port, 1 x HA, 1 x MGT USB Port, 1 x HA, 1 x MGT
1 x COM (RJ45) (front) 1 x COM (RJ45) (front)
1 x VGA (rear) 1 x VGA (rear)

Fixed I/O Ports 8 GbE copper 8 GbE copper 2 x GE, 8 x SFP+ 2 x GE, 8 x SFP+ 2 x GE, 8 x SFP+, 2×QSFP+ 2 x GE, 8 x SFP+, 2×QSFP+

2 x Generic Slot 2 x Generic Slot 2 x Generic Slot 2 x Generic Slot


Expansion Slot 4 6
1 x Bypass Slot 1 x Bypass Slot 1 x Bypass Slot 1 x Bypass Slot

2 x integrated hot- 2 x integrated hot-


Local Storage - 512G SSD - 512G SSD
swap SSD (RAID) swap SSD (RAID)
Expansion Storage - - - - - -
2 x hot-swap internal 2 x hot-swap internal
Power Supply dual dual dual dual
auto-ranging auto-ranging
Height 2U 2U 2.5U 2.5U 2.5U 2.5U
Sophos Product Overview – XG Series NGFW

XG 86/86W XG 106/106w/115/115w XG 125/125w/135/135w XG 210/230 XG 310/330 XG 430/450 XG 550/650 XG 750

MSSP √ √ √ √ √ √ √ √
Service Provider √ √ √ √
Data Center √ √ √ √ √ √
Enterprise √ √ √ (Branch) √ (Branch) √ (Campus) √ (Campus) √ (Campus) √
Distributed Enterprise √ √ √ √ √ √ √ √
SMB √ √ √ √ √
Product Level Desktop Desktop Middle End High End
Hardware Option: PoE, Switch, WIFI; PoE, Switch, WIFI; PoE, high density GE port; high density GE port; high density GE, 10GE port; 10GE, 40GE port
Product Hardware Specs - SMB
E1100 E1600 E1606 E1700 XG 86(W) XG 106(W) XG 115(W) A1000 A1100 E2300
FW Throughput 1G 1G 1G 1.5/2G 3.1G 3.55G 4G 4G 5G 2.5/4G
IPSec Throughput 600M 600M 600M 700M 225M 330M 560M 1,108 M 1,097 M 1G

IPS Throughput 400M 400M 400M 600M 480M 490M 950M 3.2G 3.2G 1G

AV Throughput 300M 300M 300M 400M 1.8G 2G 700M

NGFW Throughput 350M 350M 350M 450M 350M 400M 1G 1.2G 1.2G 650M

Concurrent Sessions 200,000 200,000 400,000 600,000/1M 1.57M 1.57M 1.57M 300,000 300,000 1M/2M

New Sessions/s 10,000 10,000 12,000 25,000 14,500 14,700 19,400 48,000 48,000 50,000

2 x USB 2.0 2 x USB 2.0


2 x USB 2.0 1 × Console Port, 2
1 x Console Port 1 x Console Port 1 x Console Port 1 x Console Port 1 x Micro-USB 1 x Micro-USB 1 × Console Port, 2 1 x Console Port
Management Ports 1 x Micro-USB × USB3.0 Port, 1
1 x USB Port 1 x USB Port 1 x USB Port 1 x USB Port 1 x COM (RJ45) 1 x COM (RJ45) × USB3.0 Port 1 x USB Port
1 x COM (RJ45) × MGT Port (RJ45)
1 x HDMI 1 x HDMI

4 GbE copper 4 GbE copper


8 × GE (including 1 5 × GE
Fixed I/O Ports 9 x GE 9 x GE 9 x GE 9 x GE 4 GbE copper 1 GbE SFP 1 GbE SFP (shared) 4 × GE
bypass pair) 4 × Combo
(shared) * *

Expansion Slot - - - - - - - - - -

Local Storage - - - - 16GB integrated SSD integrated SSD 8GB 8GB -

256 GB SSD, 256 GB SSD,


Expansion Storage - - - - - - - -
optional optional

External auto External auto


External auto ranging DC. ranging DC.
Power Supply single single single single/dual single single single/dual
ranging DC Redundant PSU Redundant PSU
optional (external) optional (external)

Height Desktop Desktop 1U 1U Desktop Desktop Desktop Desktop Desktop 1U
Product Hardware Specs - Enterprise
E2800 A2000 A2600 E2860/2868 XG 125(W) XG 135(W) E3662/3668 E3960/3968 E3965/E5168 E5260/5268
FW Throughput 4.5/6G 5G 5G 6G 7G 7.5G 8G 10G 10G 16G
IPSec Throughput 3G 1,099 M 2,996 M 3G 1.5G 1.7G 3G 4G 6G 8G

IPS Throughput 1.8G 3.2G 4.5G 1.8G 1.53G 1.9G 3G 4G 4G 5G

AV Throughput 1.2G 2G 3.7G 1.2G 1.6G 2.5G 3G 3.5G

NGFW Throughput 850M 1.2G 1.8G 1G 1.27G 1.8G 1.2G 1.5G 3G 3.5G

Concurrent Sessions 1M/2M 1M 1.2M 2M 1.57M 4.2M 3M 3.2M 6M 6M

New Sessions/s 80,000 48,000 120,000 80,000 29,300 37,200 120,000 150,000 170,000 200,000

1 × Console Port, 1 × Console 1 x Console Port, 1 1 x Console Port, 1 x


1 x Console Port, 1 x 2 x USB 2.0 2 x USB 2.0 1 x Console Port, 1 1 x Console Port, 1
2 × USB3.0 Port, Port, 2 × USB3.0 x AUX AUX
1 x Console Port, AUX Port, 1 x 1 x Micro-USB 1 x Micro-USB x AUX Port, 1 x USB x AUX Port, 1 x USB
Management Ports 1 Port, 1 Port, 1 x USB Port, Port, 1 x USB Port, 1
1×USB port USB Port, 1 x HA, 1 x 1 x COM (RJ45) 1 x COM (RJ45) Port, 1 x HA, 1 x Port, 1 x HA, 1 x
× MGT Port × MGT Port 1 x HA, 1 x HA, 1
MGT 1 x HDMI 1 x HDMI MGT MGT
(RJ45) (RJ45) x MGT x MGT

8 × GE 8 × GE 6 x GE (one pair 4 x GE (one pair 4 x GE (one pair


5 x GE 8 GbE copper 8 GbE copper
Fixed I/O Ports (including 1 (including 1 6 x GE, 4 x SFP 6 x GE, 4 x SFP bypass), 4 x bypass), 4 x bypass), 4 x SFP, 2 X
4 × Combo 1 GbE SFP 1 GbE SFP
bypass pair) bypass pair) SFP, 2 X SFP+ SFP, 2 X SFP+ SFP+

Expansion Slot - - - 2 - - 2 2 4 4

-/256G or 512G
Local Storage - 8GB 8GB -/256G or 512G SSD integrated SSD integrated SSD -/256G or 512G SSD -/256G or 512G SSD -/256G or 512G SSD
SSD
480 GB / 960
480 GB / 960 GB
Expansion Storage - GB / 1.92 TB - - - - - - -
/ 1.92 TB SSD
SSD
External auto External auto
ranging DC. ranging DC.
Power Supply single/dual single/dual single/dual single/dual Redundant PSU Redundant PSU single/dual single/dual dual dual
optional optional
(external) (external)
Height 1U 1U 1U 1U Desktop Desktop 1U 1U 2U 2U
Product Hardware Specs - Enterprise
A3000 A3600 E5568 E5660 XG 210 XG 230 XG 310 XG 330 A3700 A3800 E5760 E5960
FW Throughput 20G 20G 20G 25G 29G 32G 35G 38G 20G / 40G 20G / 40G 32G 40G
IPSec Throughput 3,250 M 3,288 M 12G 15G 1.92G 2.1G 3G 3.9G 3,321 M 6,143 M 18G 25G
IPS Throughput 8.3G 8.5G 7G 12G 4.2G 4.9G 7.2G 10G 8.6G 17.5G 15G 18G
AV Throughput 4.8G 5G 5G 7G 5.2G 9.4G 8G 10G
NGFW Throughput 1.8G 1.8G 5G 7G 3.2G 4.5G 5.3G 9.3G 1.8G 3.7G 8G 9.5G
Concurrent Sessions 2M 3M 10M 10M 6.57M 6.57M 10M 10M 6M 8M 12M 15M
New Sessions/s 140,000 140,000 300,000 400,000 88,900 108,900 138,000 140,000 140,000 310,000 500,000 600,000
2 x USB 3.0 2 x USB 3.0 2 x USB 3.0 2 x USB 3.0
1 × Console 1 × Console (front) (front) (front) (front)
1 x Console 1 x Console 1 × Console Port, 1 × Console Port, 1 x Console 1 x Console Port,
Port, 2 × Port, 2 × 1 x Micro USB 1 x Micro USB 1 x Micro USB 1 x Micro USB
Port, 1 Port, 1 2 × USB3.0 Port, 2 × USB3.0 Port, Port, 1 1
USB3.0 Port, USB3.0 Port, (front) (front) (front) (front)
x AUX, Port, 1 x AUX, Port, 1 1 × MGT Port 1 × MGT Port x AUX, Port, 1 x x AUX, Port, 1 x
Management Ports 1 × MGT Port 1 × MGT Port
x USB x USB
1 x USB 3.0 1 x USB 3.0 1 x USB 3.0 1 x USB 3.0
(RJ45), 1 × HA (RJ45), 1 × HA USB USB
(RJ45), 1 × HA (RJ45), 1 × HA (rear) (rear) (rear) (rear)
Port, 1 x HA, 1 Port, 1 x HA, 1 Port Port Port, 1 x HA, 1 Port, 1 x HA, 1 x
Port Port 1 x COM (RJ45) 1 x COM (RJ45) 1 x COM (RJ45) 1 x COM (RJ45)
x MGT x MGT (RJ45) (RJ45) x MGT MGT
(RJ45) (RJ45) (front) (front) (front) (front)
1 x HDMI (rear) 1 x HDMI (rear) 1 x HDMI (rear) 1 x HDMI (rear)

4 x GE (one 8 GbE copper 8 GbE copper


2 × SFP+, 8 × 2 × SFP+, 8 × 6 GbE copper 6 GbE copper 2 × SFP+, 8 × 2 × SFP+, 8 ×
pair (incl. 2 bypass (incl. 2 bypass
SFP, 16 × GE SFP, 16 × GE (incl. 2 bypass (incl. 2 bypass SFP, 16 × GE SFP, 16 × GE
Fixed I/O Ports bypass), 4 x 4 x GE, 4x SFP pairs) pairs) 4 x GE, 4x SFP 4 x GE, 4x SFP
(including (including pairs) pairs) (including (including
SFP, 2 2 GbE SFP * 2 GbE SFP *
2 bypass pairs) 2 bypass pairs) 2 GbE SFP 2 GbE SFP 2 bypass pairs) 2 bypass pairs)
X SFP+ 2 10 GbE SFP+ 2 10 GbE SFP+

Expansion Slot - - 4 4 1 1 1 1 1 1 4 4
256G/512G
Local Storage 8GB 8GB - integrated SSD integrated SSD integrated SSD integrated SSD 8GB 8GB - -
SSD

480 GB / 960 480 GB / 960


480 GB / 960 GB 480 GB / 960 GB
Expansion Storage GB / 1.92 TB GB / 1.92 TB - - - - - - - -
/ 1.92 TB SSD / 1.92 TB SSD
SSD SSD
Internal auto- Internal auto- Internal auto- Internal auto-
ranging. ranging. ranging. ranging.
Power Supply single/dual single/dual dual dual Redundant Redundant Redundant Redundant single/dual dual dual dual
PSU optional PSU optional PSU optional PSU optional
(external) (external) (external) (external)
Height 1U 1U 2U 2U 1U 1U 1U 1U 1U 1U 2U 2U
Product Hardware Specs - Enterprise
XG 430 XG 450 E6160 E6168 E6360 E6368 XG 550 XG 650
FW Throughput 55G 65G 60G 60G 80G 80G 75G 85G
IPSec Throughput 5G 6G 35G 35G 50G 50G 8.5G 9G

IPS Throughput 10G 14.7G 25G 25G 35G 35G 17G 20G

AV Throughput 20G 20G 27G 27G

NGFW Throughput 10G 13.9G 16G 16G 24G 24G 15G 18G

Concurrent Sessions 13M 13M 20M 20M 30M 30M 15.7M 30M

New Sessions/s 146,000 187,000 800,000 800,000 1.1M 1.1M 213,000 220,000
2 x USB 2.0 (front) 2 x USB 2.0 (front)
2 x USB 3.0 (front) 2 x USB 3.0 (front)
1 x USB 3.0 (rear) 1 x USB 3.0 (rear)
1 x Micro USB (front) 1 x Micro USB (front) 1 x Console Port, 1 x 1 x Console Port, 1 x 1 x Console Port, 1 x 1 x Console Port, 1 x
2 x Mgmt Port 2 x Mgmt Port
1 x USB 3.0 (rear) 1 x USB 3.0 (rear) AUX Port, 1 x AUX Port, 1 x AUX Port, 1 x AUX Port, 1 x
Management Ports 1 x COM (RJ45) (front)1 x COM (RJ45) (front)
(eth0/eth1, front) (eth0/eth1, front)
USB Port, 1 x HA, 1 x USB Port, 1 x HA, 1 x USB Port, 1 x HA, 1 x USB Port, 1 x HA, 1 x
1 x COM (RJ45) 1 x COM (RJ45)
1 x IPMI (front) 1 x IPMI (front) MGT MGT MGT MGT
(front) (front)
1 x HDMI (rear) 1 x HDMI (rear)
1 x VGA (rear) 1 x VGA (rear)
8 GbE copper (incl. 2 8 GbE copper (incl. 2
2 x GE, 8 x SFP+, 2 x GE, 8 x SFP+,
Fixed I/O Ports bypass pairs) bypass pairs) 2 x GE, 8 x SFP+ 2 x GE, 8 x SFP+ 8 GbE copper 8 GbE copper
2×QSFP+ 2×QSFP+
2 10 GbE SFP+ 2 10 GbE SFP+

2 x Generic Slot 2 x Generic Slot 2 x Generic Slot 2 x Generic Slot


Expansion Slot 2 2 4 6
1 x Bypass Slot 1 x Bypass Slot 1 x Bypass Slot 1 x Bypass Slot

2 x integrated 2 x integrated
Local Storage integrated SSD 2 x integrated SSD - 512G SSD - 512G SSD hot-swap SSD hot-swap SSD
(RAID) (RAID)
Expansion Storage - - - - - - - -
Internal auto- Internal auto-
2 x hot-swap 2 x hot-swap
Ranging. Ranging.
Power Supply dual dual dual dual internal auto- internal auto-
Redundant PSU Redundant PSU
ranging ranging
optional (external) optional (external)

Height 1U 1U 2.5U 2.5U 2.5U 2.5U 2U 2U
Product Hardware Specs – Data Center
Specification (Max) XG 750 X7180 X8180 X9180 X10800
FW Throughput 100G 680G 450G 600G 1.2T
IPSec Throughput 12.5G 90G 100G 250G 500G

IPS Throughput 23G 100G 180G 200G 400G

NGFW Throughput 19G 70G 75G 140G 280G

Concurrent Sessions 30M 240M 130M 240M 480M

New Sessions/s 223,500 4.8M 2.5M 5.4M 10M


2 x USB 2.0 (front)
1 x USB 3.0 (rear)
1 Console port, 1 MGT 1 Console port, 1 AUX port, 1 1 Console port, 1 AUX port, 1
2 x Mgmt Port (eth0/eth1, 1 x Console Port, 1 x AUX
Management Interfaces Port
management, 1 USB 2.0 port MGT management, 1 USB 2.0 MGT management, 1 USB 2.0
front)
(single SCM-260 module) port (single SCM-280 module) port (single SCM-300 module)
1 x COM (RJ45) (front)
1 x VGA (rear)

2 Gigabit optical interfaces (2 2 Gigabit optical interfaces (2 2 Gigabit optical interfaces (2 HA


4 x GE Combo slot (1 x M
Network Interfaces 8 GbE copper
GT+3 x HA)
HA interfaces, single SCM-260 HA interfaces, single SCM-280 interfaces, single SCM-300
module) module) module)

6 universal expansion slots, 2


10 x Generic Slot, 2 x 12 universal expansion slots, 2
3 universal expansion slots, 2 security control module
System Control Module system control module
Expansion Slot 8 security control module expansion slots,
Slot, 1 x SD Card Slot, 2 x expansion slots, 2 switching
expansion slots 2 switching module expansion
USB 2.0 Port module expansion slots
slots, 1 USB 2.0 port

2 x hot-swap external auto


Power Supply ranging
2+2 / 3+1 redundant Dual N+M (Max 4) redundant N+M (Max 8) redundant

Height 2U 5U 3U 7U 18U
Sophos 2021 New – XGS Series NGFW
Sophos Firewall and the XGS Series appliances with dedicated Xstream Flow Processors enable the ultimate in application acceleration, high-performance TLS inspection, and powerful threat protection.
Product Hardware Specs - SMB
A200 E1600P E1600WP E1700P XGS 87(W) XGS 107(W) XGS 116(W) E2800P A1000 A1100 A2000 A2600
FW Throughput 1G 4.7G 4.7G 4.75G 3.7G 7G 7.7G 8G 4G 5G 5G 5G

IPSec Throughput 620M 850M 850M 850M 750M 900M 1,100M 3G 1,108 M 1,097 M 1,099 M 2,996 M

IPS Throughput 610M 1.2G 1.2G 1.2G 1,015M 1,355M 2,000M 3.3G 3.2G 3.2G 3.2G 4.5G

AV Throughput 550M 890M 890M 890M 2.1G 1.8G 2G 2G 3.7G

NGFW Throughput 300M 470M 470M 470M 1.25G 1.2G 1.2G 1.2G 1.8G

Concurrent Sessions 300,000 200,000 200,000 600,000 1.6M 1.6M 1.6M 1M 300,000 300,000 1M 1.2M

New Sessions/s 15,000 27,000 27,000 28,000 35,700 44,400 61,500 80,000 48,000 48,000 48,000 120,000
1 x COM RJ45
1 x COM RJ45 1 x COM RJ45 1 × Console 1 × Console 1 × Console
1 x Micro-USB
1 × Console 1 x Console 1 x Console 1 x Console 1 x Micro-USB 1 x Micro-USB 1 x Console 1 × Console Port, 2 × Port, 2 × USB3.0 Port, 2 × USB3.0
(cable incl.)
Management Ports Port, 2 x USB Port Port Port (cable incl.) (cable incl.)
1 x USB 2.0
Port, 1×USB Port, 2 × USB3.0 Port, 1 Port, 1 Port, 1
2.0 Ports 1 x USB Port 1 x USB Port 1 x USB Port 1 x USB 2.0 (front) 1 x USB 2.0 (front) port USB3.0 Port × MGT Port × MGT Port × MGT Port
(front)
1 x USB 3.0 (rear) 1 x USB 3.0 (rear) (RJ45) (RJ45) (RJ45)
1 x USB 3.0 (rear)
8 × GE 8 × GE 8 × GE
4 x GbE copper 8 x GbE copper 8 GbE copper 5 x GE
Fixed I/O Ports 1×SFP, 5×GE 9 x GE 9 x GE 9 x GE 4 × GE (including 1 (including 1 (including 1
1 x SFP fiber 1 x SFP fiber 1 GbE SFP 4 × Combo
bypass pair) bypass pair) bypass pair)

Expansion Slot - - - - - - 1 - - - - -
Integrated 64G Integrated 64G
Local Storage 4 GB - - - 16GB - 8GB 8GB 8GB 8GB
SSD SSD

256 GB SSD, 256 GB SSD, 480 GB / 960 GB 480 GB / 960 GB


Expansion Storage - - - - - - - -
optional optional / 1.92 TB SSD / 1.92 TB SSD

External auto- External auto-


ranging AC-DC. ranging AC-DC.
External auto-
Power Supply single single single single Optional second Optional second dual single single single/dual single/dual
ranging AC-DC
redundant power redundant
supply power supply
Height Desktop Desktop 1U 1U Desktop Desktop Desktop 1U Desktop Desktop 1U 1U
Product Hardware Specs - Enterprise
XGS 126(W) XGS 136(W) E3662P E3668P E3960P E3968P E5260P E5268P
FW Throughput 10.5G 11.5G 10G 10G 10G 10G 20G 20G
IPSec Throughput 1.8G 2.5G 3G 3G 4G 4G 8.4G 8.4G

IPS Throughput 2.6G 3.3G 3.3G 3.3G 3.9G 3.9G 8.9G 8.9G

AV Throughput 2.1G 2.1G 2.2G 2.2G 3.8G 3.8G

NGFW Throughput 1.25G 1.25G 1.5G 1.5G 3.9G 3.9G

Concurrent Sessions 5M 6.4M 3M 3M 3.2M 3.2M 6M 6M

New Sessions/s 69,900 74,500 120,000 120,000 150,000 150,000 200,000 200,000

1 x Console Port, 1 x Console Port, 1 x Console Port, 1 x Console Port, 1 x Console Port, 1 x Console Port,
2 x USB 2.0 2 x USB 2.0
1 x AUX Port, 1 x AUX Port, 1 x AUX Port, 1 x AUX Port, 1 x AUX Port, 1 x AUX Port,
1 x Micro-USB 1 x Micro-USB
Management Ports 1 x USB Port, 1 x USB Port, 1 x USB Port, 1 x USB Port, 1 x USB Port, 1 x USB Port,
1 x COM (RJ45) 1 x COM (RJ45)
1 x HA, 1 x HA, 1 x HA, 1 x HA, 1 x HA, 1 x HA,
1 x HDMI 1 x HDMI
1x MGT 1x MGT 1x MGT 1x MGT 1x MGT 1x MGT

1 x COM RJ45 1 x COM RJ45


4 x GE ( 1 bypass
1 x Micro-USB (cable 1 x Micro-USB (cable 6 x GE (one pair 6 x GE (one pair 4 x GE ( 1 bypass pair ),
pair ),
Fixed I/O Ports incl.) incl.) 6 x GE, 4 x SFP 6 x GE, 4 x SFP bypass), 4 x bypass), 4 x 4 x SFP,
4 x SFP,
1 x USB 2.0 (front) 1 x USB 2.0 (front) SFP, 2 X SFP+ SFP, 2 X SFP+ 2 x SFP+
2 x SFP+
1 x USB 3.0 (rear) 1 x USB 3.0 (rear)
Expansion Slot 1 1 2 2 2 2 4 4

Local Storage Integrated 64G SSD Integrated 64G SSD - -/256G or 512G SSD - -/256G or 512G SSD - -/256G or 512G SSD

Expansion Storage - - - - - - - -

External auto-ranging External auto-ranging


AC-DC. AC-DC.
Power Supply Optional second Optional second dual dual dual dual dual dual
redundant power redundant power
supply supply
High Desktop Desktop 1U 1U 1U 1U 2U 2U
Product Hardware Specs - Enterprise
A3000 A3600 E5560P E5568P XGS 2100 XGS 2300 XGS 3100 A3700 A3800
FW Throughput 20G 20G 20G 20G 30G 35G 38G 20G/40G 20G/40G
IPSec Throughput 3,250M 3,288M 12G 12G 3G 3.5G 5.2G 3,321M 6,143M
IPS Throughput 8.3G 8.5G 9.3G 9.3G 5.8G 7G 9.8G 8.6G 17.5G
AV Throughput 4.8G 5G 4.9G 4.9G 5.2G 9.4G
NGFW Throughput 1.8G 1.8G 5.6G 5.6G 1.8G 3.7G
Concurrent Sessions 2M 3M 10M 10M 6.5M 6.5M 12.26M 6M 8M
New Sessions/s 140,000 140,000 300,000 300,000 134,700 148,000 186,500 140,000 310,000

1 × Console Port, 1 x RJ45 MGMT 1 x RJ45 MGMT 1 x RJ45 MGMT


1 × Console Port, 1 x Console Port, 1 x Console Port, 1 × Console Port, 2 × 1 × Console Port, 2 ×
2 × USB3.0 Port, 1 x COM RJ45 1 x COM RJ45 1 x COM RJ45
2 × USB3.0 Port, 1 x AUX Port, 1 x AUX Port, USB3.0 Port, USB3.0 Port,
1 × MGT Port 1 x Micro-USB 1 x Micro-USB 1 x Micro-USB
Management Ports 1 × MGT Port
(RJ45), 1 × HA
1 x USB Port, 1 x USB Port,
(cable incl.) (cable incl.) (cable incl.)
1 × MGT Port (RJ45), 1 × MGT Port (RJ45),
(RJ45), 1 × HA Port 1 x HA, 1 x HA, 1 × HA Port 1 × HA Port
Port 2 x USB 3.0 (front) 2 x USB 3.0 (front) 2 x USB 3.0 (front)
(RJ45) 1x MGT 1x MGT (RJ45) (RJ45)
(RJ45) 1 x USB 2.0 (rear) 1 x USB 2.0 (rear) 1 x USB 2.0 (rear)

2 × SFP+, 8 × SFP, 4 x GE ( 1 bypass 4 x GE ( 1 bypass 8 x GE copper


2 × SFP+, 8 × SFP, 2 × SFP+, 8 × SFP, 2 × SFP+, 8 × SFP,
16 × GE pair ), pair ), 8 x GbE copper 8 x GbE copper 2 x SFP fiber *
Fixed I/O Ports 16 × GE (including 16 × GE (including 16 × GE (including
(including 4 x SFP, 4 x SFP, 2 x SFP fiber 2 x SFP fiber 2 x SFP+ 10 GbE
2 bypass pairs) 2 bypass pairs) 2 bypass pairs)
2 bypass pairs) 2 x SFP+ 2 x SFP+ fiber

Expansion Slot - - 4 4 1 1 1 1 1
Integrated min. 120 Integrated min. 120 Integrated min. 240
Local Storage 8GB 8GB - 256G/512G SSD 8GB 8GB
GB SATA-III SSD GB SATA-III SSD GB SATA-III SSD

480 GB / 960 GB / 480 GB / 960 GB / 480 GB / 960 GB / 480 GB / 960 GB /


Expansion Storage - - - -
1.92 TB SSD 1.92 TB SSD 1.92 TB SSD 1.92 TB SSD

Internal auto- Internal auto- Internal auto-


ranging DC. ranging DC. ranging DC.
Power Supply single/dual single/dual dual dual single/dual dual
External Redundant External Redundant External Redundant
PSU Option PSU Option PSU Option
High 1U 1U 2U 2U 1U 1U 1U 1U 1U

Product Hardware Specs - Enterprise
XGS 3300 E5760P E5960P XGS 4300 XGS 4500 E6368P
FW Throughput 40G 40G 40G 75G 80G 90G
IPSec Throughput 6.5G 18.8G 25.6G 9.8G 16G 64G

IPS Throughput 13.4G 18.5G 18.8G 25G 35.6G 37G

AV Throughput 7.9G 14G 28G

NGFW Throughput 8.9G 14G 26G

Concurrent Sessions 13.7M 12M 15M 16.6M 17.2M 30M

New Sessions/s 257,800 500,000 600,000 368,000 450,000 1.1M

1 x RJ45 MGMT 1 x Console Port, 1 x Console Port, 1 x Console Port,


1 x RJ45 MGMT 1 x RJ45 MGMT
1 x COM RJ45 1 x AUX Port, 1 x AUX Port, 1 x AUX Port,
1 x COM RJ45 1 x COM RJ45
Management Ports 1 x Micro-USB (cable incl.) 1 x USB Port, 1 x USB Port, 1 x USB Port,
1 x Micro-USB (cable incl.) 1 x Micro-USB (cable incl.)
2 x USB 3.0 (front) 1 x HA, 1 x HA, 1 x HA,
2 x USB 3.0 (front) 2 x USB 3.0 (front)
1 x USB 2.0 (rear) 1x MGT 1x MGT 1x MGT

8 x GE copper 4 x GbE copper 4 x GbE copper


Fixed I/O Ports 2 x SFP fiber * 4 x GE, 4x SFP 4 x GE, 4x SFP 4 x 2.5 GbE copper 4 x 2.5 GbE copper 2 x GE, 8 x SFP+, 2×QSFP+
2 x SFP+ 10 GbE fiber 4 x SFP+ 10 GbE fiber 4 x SFP+ 10 GbE fiber

2 x Generic Slot
Expansion Slot 1 4 4 2 2
1 x Bypass Slot

Integrated min. 240 GB 1 x min. 240 GB SATA-III 2 x min. 240 GB


Local Storage - - 512G SSD
SATA-III SSD SSD SATA-III SSD (SW RAID-1)
Expansion Storage - - - - -
Internal Hot Swappable
Internal auto-ranging DC. Internal auto-ranging DC.
auto-ranging DC.
Power Supply External Redundant PSU dual dual External Redundant PSU dual
External Redundant PSU
Option Option
Option

High 1U 2U 2U 1U 1U 2.5U

Product Hardware Specs – Data Center
Specification (Max) XGS 5500 XGS 6500 X7180 X8180 X9180 X10800
FW Throughput 100G 115G 680G 450G 600G 1.2T
IPSec Throughput 21.6G 26G 90G 100G 250G 500G

IPS Throughput 40G 48G 100G 180G 200G 400G

NGFW Throughput 70G 75G 140G 280G

Concurrent Sessions 32.4M 39.9M 240M 130M 240M 480M

New Sessions/s 468,000 496,000 4.8M 2.5M 5.4M 10M


1 x RJ45 MGMT 1 x RJ45 MGMT
1 Console port, 1 MGT 1 Console port, 1 AUX port, 1 Console port, 1 AUX port,
1 x COM RJ45 1 x COM RJ45
1 x Console Port, 1 x AUX management, 1 USB 2.0 1 MGT management, 1 USB 1 MGT management, 1 USB
Management Interfaces 1 x Micro-USB (cable 1 x Micro-USB (cable
Port port (single SCM-260 2.0 port (single SCM-280 2.0 port (single SCM-300
incl.) incl.)
module) module) module)
2 x USB 3.0 (front) 2 x USB 3.0 (front)

8 x GbE copper 2 Gigabit optical interfaces 2 Gigabit optical interfaces 2 Gigabit optical interfaces
8 x GbE copper 4 x GE Combo slot (1 x M
Network Interfaces 8 x SFP+ 10 GbE fiber
12 x SFP+ 10 GbE
GT+3 x HA)
(2 HA interfaces, single (2 HA interfaces, single (2 HA interfaces, single
fiber SCM-260 module) SCM-280 module) SCM-300 module)

6 universal expansion slots,


12 universal expansion
10 x Generic Slot, 2 x 2 security control module
3 universal expansion slots, slots, 2 system control
System Control Module expansion slots,
Expansion Slot 2+1 2+2 2 security control module module expansion slots, 2
Slot, 1 x SD Card Slot, 2 x 2 switching module
expansion slots switching module
USB 2.0 Port expansion slots, 1 USB 2.0
expansion slots
port
2 x min. 480 GB
2 x min. 480 GB SATA-III
SATA-III SSD
Storage SSD
HW RAID built into
1T / 2T SSD
HW RAID built into CPU
CPU
2 x hot-swap internal 2 x hot-swap internal
Power Supply auto-ranging auto-ranging
2+2 / 3+1 redundant Dual N+M (Max 4) redundant N+M (Max 8) redundant
High 2U 2U 5U 3U 7U 18U
Forcepoint

Vendor profile
• Forcepoint is a Raytheon and Vista Equity Partners joint venture formed in 2015 through the merger of
Websense and Raytheon products. Raytheon owns a majority share of Forcepoint. In 2016, Forcepoint
acquired the Stonesoft NGFW and Sidewinder firewall assets from Intel Security. In 2017, it added the
Skyfence CASB business from Imperva to its portfolio.

• Forcepoint offers several different products, each specializing in one specific area and capable
of working seamlessly with the others. These products can be split into three groups:
  • Insider threat;
  • Data & IP;
  • Cloud & Network.

Source: https://www.forcepoint.com/

Vendor profile
Competitor Strengths and Weaknesses
Strengths:

• Comprehensive product portfolio – The ForcePoint portfolio offers cloud, web and email security, CASB,
NGFW and DLP

• Powerful detection engines – With a historical focus on building detection engines resistant to evasion
techniques, Forcepoint generally achieves good detection scores in independent tests

Weaknesses:

• Not targeted at the SMB market in terms of price or management experience. For example – the
management console is not feature-complete, forcing customers to buy and learn other solutions.

• Not a full-featured UTM – lacks many features, especially around web and email protection.

How to win - NGFW Software

| Category | Function (5.5R8) | ForcePoint |
|---|---|---|
| Network Services | Support application based routing, be able to route applications like P2P/online video etc. (applications with dynamic port numbers) to a selected WAN link | No |
| | Able to operate in layer 3 mode (routing), online mode (bridge) and layer 2 (port mirroring) simultaneously (without the need to virtualize the equipment) | No |
| Firewall | Support policy hit count in WebUI | No |
| Endpoint Identification | Support RADIUS dynamic authorization function. | No |
| QoS (Quality of Service) | Support flexible and prioritized allocation of unused remaining bandwidth | No |
| | Support two levels of traffic shaping which enables traffic shaping in different dimensions such as users and applications. Support at least four tunnels per level which provides a hierarchy of traffic control. | No |
| SLB (Server Load Balancing) | Support weighted hashing, weighted least-connection, and weighted round-robin server load balancing algorithms. | No |
| | Support session protection, session persistence and session status monitoring. | No |
| | Support server health check, session monitoring and session protection | No |

How to win - NGFW Software

| Category | Function (5.5R8) | ForcePoint |
|---|---|---|
| LLB (Link Load Balancing) | Support outbound link load balancing, including PBR (Policy Based Routing), ECMP and weighted, embedded ISP routing and dynamic link quality detection. | No |
| | Support automatic link switching based on bandwidth, latency, jitter, connectivity and application | No |
| | Support link overload protection: traffic switches to other links when the current link is overloaded; the system keeps monitoring the bandwidth of the links and blocks new sessions to the overloaded link according to the threshold settings. | No |
| HA (High Availability) | Support peer-mode HA, to avoid asymmetric routing issues in the Active-Active HA deployment | No |
| | Support twin-mode HA, to support two HA pairs in the active-active datacenters, with session, firewall policy sync, support application migration from one active data center to another and avoid asymmetric routing issues. | No |
| CloudView | Support sending logs to the cloud and monitoring from a mobile app | No |
| Intelligent NGFW | ABD, ATD, Forensic analysis, auto risk mitigation. | No |
| Architecture | Parallel processing architecture, in order to allow future firmware and feature expansions on the same hardware | No |
| | We can add more performance with expansion modules (scalability) | No |
| | 4G/5G access capability | Yes |
| Extra features | Twin-mode | |

Detailed comparison

Easy management/configuration

ForcePoint: Forcepoint has two different management consoles:
• On-box user interface (UI) – to locally manage the NGFW
• Security Management Center (SMC) – the central management solution, to be purchased separately
Limitations of On-box Web UI: Some of the security policies that can be configured using the SMC, but not with the Web UI, include IPS, Web & Application filter, AV and Anti-spam.
SMC Limitations: SMC installation requires Java and Server-grade hardware on the destination machine. Forcepoint recommends installing 3 components on separate machines.

Hillstone: Hillstone has two different management consoles: StoneOS WebUI – to locally manage the NGFW, and Hillstone Security Management Center (HSM/vHSM).
All device configurations can be done without problem through the WebUI and CLI. Additionally, the monitoring offered from the web interface is very complete: users, apps, URLs, iQoS.
Additionally, it is possible to use the HSM to complement the monitoring and administration, as well as the collection of logs and advanced reports. The vHSM is compatible with multiple platforms, easy to deploy and install.

All features on all boxes

ForcePoint: Forcepoint does not provide all features in all of its appliances. Forcepoint 110 and 115 NGFWs lack: AV, HA. In addition, since most Forcepoint NGFWs come with limited storage – logs, reports, email quarantine etc. must all be stored off the appliance.

Hillstone: Hillstone provides all its features in the same box; the functions can be activated or deactivated through the use of licenses on the same hardware. The new A-series models even include Antispam functions.
It is possible to generate reports in the same box, and advanced monitoring of apps, URLs, users, etc.

Detailed comparison

Policy management

ForcePoint: Forcepoint does not offer a unified policy model. It lacks: Policy management for security policies like Web filter, App filter and IPS from the Firewall Rule page, Cloning of existing firewall rules and security policies, User-based firewall rules.

Hillstone: Hillstone includes intelligent management and operation across the full policy lifecycle, from deployment to management, optimization and operation. The system features automated user policy deployment using RADIUS dynamic authorization. Policy management is made far more efficient through policy groupings based on business requirements. In addition, policies can be aggregated to allow a set of policies to act as a single policy. An innovative policy assistant analyzes traffic patterns and recommends refined policies for faster, easier and more accurate policy management. Policy operation is made more efficient and precise through policy redundancy checks, which identify redundant policies for deactivation or deletion, and policy hit count analysis, which helps further refine and adjust policies.

User-level Insight

ForcePoint: User Behavior Risk Scoring Engine, available with purchase of Forcepoint Insider Threat product, does provide some insights into risky users. It lacks: Customers need to manually define behaviors that they understand to be risky, based on a set or sequence of activities. Forcepoint Insider Threat requires a separate purchase and does not integrate with the NGFW.

Hillstone: Hillstone is optimized for content analysis of Layer 7 applications, providing fine-grained control of web applications regardless of port, protocol, or evasive action. It can identify and prevent potential threats associated with high-risk applications while providing policy-based control over applications, users, and user-groups. Security Policies can be defined that guarantee bandwidth to mission-critical applications while restricting or blocking unauthorized or malicious applications
Detailed comparison

Logging and reporting

ForcePoint: Limited on-box reports: Forcepoint on-box UI does not offer much in the way of on-box reporting, with just 4 in-built reports that can be stored for fixed times.
Deploying/Managing SMC is a tedious task: SMC deployment is a complex process, requiring installation of several different components on server-grade machines.
No visibility of generic HTTP apps: Since Forcepoint does not have a feature equivalent to Sync Security, it does not have a report like Synchronization Application to provide visibility into custom.

Hillstone: From the firewalls it is possible to export reports of the main functions of the firewalls such as: traffic, threats, device health.
Hillstone can store logs on the same device for periods of time but can be complemented with other Hillstone or third party solutions to store for much longer. Hillstone Cloudview allows you to monitor logs and generate reports for the last 7 days free.

Central Management

ForcePoint: Configuring and Managing the software appliance is complex – the customer needs to manually set up a Management Server, Log Server and a Java-based Management Client, the user interface for SMC. Forcepoint does not offer cloud-based management for partners

Hillstone: Hillstone’s Security Manager allows the primary administrator to segment security management into multiple virtual domains. It provides the security, visibility, and control required by organizations while reducing management costs, simplifying configuration, and accelerating deployment cycles.
The primary administrator can download global policies, security updates, and policy updates, while local administrators provide policies for local devices, users, and groups.

Competing Products

| Product | Description | Hillstone |
|---|---|---|
| NGFW Series 50, 120, 300, 1100 | Small business UTM platforms for retail, branch/remote offices or home office. | Series E1000/E1000P, E2000/E2000P, A1000 |
| NGFW Series 2100, 3300, 3400 | NGFWs for small to medium size corporate environments, distributed networks and large corporate central site environments. | Series E3000/E3000P, E5000/E5000P, E6000/E6000P, A2000, T-Series |
| NGFW Series 6200 | Chassis based appliances for data centers, telecommunication and cloud service providers. | Series X |

ForcePoint Product Overview

50 Series 120 Series 300 Series 1100 Series 2100 Series 3300 Series 3400 Series 6200 Series

Service √ √ √ √
Provider
Data Center √ √

Enterprise √ √ (Branch) √ (Branch) √ (Campus) √ √ √ √
(Campus) (Campus)
Distributed √ √ √ √
Enterprise
SMB √ √ √ √ √
Product Level Desktop Middle End High End
Hardware Option: GE ports, WIFI (Wireless models) | GE ports, WIFI (Wireless models) | GE ports, WIFI (Wireless models) | GE ports, 10GE port | GE ports, 10GE port | GE ports, QSFP+ | GE ports, 10GE port | GE ports, QSFP+

How to win (Focused on A-Series) – Hardware/Performance
Performance
• A1000 vs N51/N51LTE: much better performance (Firewall Throughput x 2 times), better New
session/s, better concurrent sessions, Hillstone supports storage.
• A1100/2000/2600 vs 120W/N330/N331: better performance (Firewall Throughput), better hardware:
greater number of interfaces, Hillstone supports storage.
• A3000/3500 vs N335/335W: better performance (Firewall Throughput x 3 times), higher new session,
greater and better number/type of interfaces, Hillstone supports storage.
• A3700/3800 vs N1101/N1105: Better New session and concurrent sessions, greater and better
number/type of interfaces, Hillstone supports storage.

• Other ForcePoint models should be compared with E/T Series

How to win (Focused on EPro-Series) – Hardware/Performance
Performance
• E1600P/WP/1700P vs N51/N51LTE: much better performance (Firewall Throughput x 2,5 times), better
New session/s, better concurrent sessions.
• E2800P vs 120W/N330/N331: better performance (Firewall Throughput), better new sessions/s
• E3660P/3668P/3960P/3968P vs N335/335W: better performance (Firewall and NGFW Throughput),
higher new session, greater and better number/type of interfaces, Hillstone supports storage in some
models.
• E6368P vs N1101/N1105/N2101/N2105: Better performance (Firewall, Threat prevention and NGFW
throughput), new session and concurrent sessions, greater and better number/type of interfaces,
Hillstone supports storage in some models.

• Other ForcePoint models should be compared with X Series.

Comparison with A-Series, EPro-Series, T-Series, X-Series

Hardware Specs Comparison SMB/Branch Offices
ForcePoint Hillstone Hillstone Hillstone ForcePoint Hillstone Hillstone
N51/N51LTE A1000 (new model) E1600WP E1600P E1700P E2800P 120W N330 N331 A2000 (new model) A2600 (new model)

FW Throughput (Maximum) 1.9Gbps 4Gbps 4.7Gbps 4.7Gbps 4.75 Gbps 8 Gbps 4Gbps 4Gbps 5Gbps 5Gbps 5Gbps

IPSec Throughput 1Gbps 3Gbps 850 Mbps 850 Mbps 850 Mbps 3 Gbps 1.8Gbps 1.4Gbps 2Gbps No Data No Data

AV Throughput No Data 1.8 Gbps 890 Mbps 890 Mbps 890 Mbps 2.1 Gbps No Data No Data No Data 2.0 Gbps 3.7 Gbps

IPS Throughput No Data 3.4 Gbps 1.2 Gbps 1.2 Gbps 1,2 Gbps 3.3 Gbps No Data No Data No Data 3.2 Gbps 4.5 Gbps

Threat Prevention (Mbps)** 900Mbps 800Mbps 360 Mbps 360 Mbps 400 Mbps 860 Mbps 800 Mbps 1Gbps 1.8 Gbps 800Mbps 1.6Gbps

New Sessions/s No Data 48,000 27,000 27,000 28,000 80,000 48,000 40,000 70,000 48,000 120,000

Maximum Concurrent Sessions (Standard/Maximum) 100,000 300,000 200,000 200,000 600,000 1M 3.2M 2,9M 7M 1M 1.2M

IPSec Tunnel Number No Data No Data 512 512 2000 2,000 No Data No Data No Data No Data No Data

SSL VPN Users(free/MAX) 25/ 8/1000 8/128 8/128 8/500 8/1000 25 Unlimited Unlimited 8/1000 8/1000

5 x GE, 4 x 8 × GE (including 1 8 × GE (including 1


Fixed I/O Ports 4 x GE 4 × GE 9GE 9GE 9GE 8GE 8GE 8GE
Combo bypass pair) bypass pair)

480 GB / 960 GB / 1.92 480 GB / 960 GB /


Storage - 256 GB SSD - - - - - - -
TB SSD 1.92 TB SSD

Available Slots for Extension Modules NA NA NA NA NA NA NA NA NA NA NA

IEEE 802.11
Integrated Wireless LTE (Wifi Model) NA Wifi Model NA NA NA NA NA NA NA
ac/a/b/g/n

Hardware Specs Comparison Mid-Range Enterprises
ForcePoint Hillstone Hillstone Hillstone Hillstone Hillstone Hillstone Hillstone Hillstone Hillstone Hillstone ForcePoint ForcePoint
N335/335W T1860 T2860 E3662P/E3668P E3960P/E3968P E5260P/E5268P T3860 A3000 (new model) A3600 (new model) A3700 (new model) A3800 (new model) N1101 N1105
FW Throughput (Maximum) 7Gbps 8Gbps 10Gbps 10Gbps 10Gbps 20Gbps 20Gbps 20Gbps 20Gbps 20/40Gbps 20/40Gbps 50Gbps 60Gbps
IPSec Throughput 3Gbps 3Gbps 3.8Gbps 3Gbps 4Gbps 8.4 Gbps 12Gbps No Data No Data No Data No Data 4.5Gbps 8.5Gbps

AV Throughput No Data 1. 6Gbps 2Gbps 2.1 Gbps 2.2Gbps 3.8 Gbps 6Gbps 4.8Gbps 5.0Gbps 5.2Gbps 9.4Gbps No Data No Data

IPS Throughput No Data 3Gbps 4Gbps 3.3 Gbps 3.9Gbps 8.9 Gbps 8Gbps 8.3Gbps 8.5Gbps 8.6Gbps 17.5Gbps No Data No Data

Threat Prevention 2.5Gbps 600Mbps 900Mbps 900 Mbps 1.1 Gbps 2.2 Gbps 2.5Gbps 1.6Gbps 1.6Gbps 1.6Gbps 2.8Gbps 3Gbps 6Gbps
NGFW throughput 1000Mbps 1Gbps 1.5Gbps 1.25 Gbps 1.5 Gbps 3.9 Gbps 5Gbps 1.8Gbps 1.8Gbps 1.8Gbps 3.7Gbps 1.5Gbps 3Gbps
New Sessions/s 80,000 80,000 100,000 120,000 150,000 200,000 250,000 140,000 140,000 140,000 310,000 No Data No Data
Maximum Concurrent Sessions (Standard/Maximum) 7M 1.5M 3M 3M 3.2M 6M 4M 2M 3M 6M 8M 500K 1M
IPSec Tunnel Number No Data 6000 10000 6000 6000 20000 20000 No Data No Data No Data No Data No Data No Data
SSL VPN Users (free/max) Unlimited 8/4,000 8/6,000 8/4,000 8/6,000 8/10000 128/10,000 No Data No Data No Data No Data Unlimited Unlimited
6 X GE (1
2 × SFP+, 8 × 2 × SFP+, 8 × 2 × SFP+, 8 × 2 × SFP+, 8 ×
pair bypass 6 GE, 4 4 GE, 4 x
6 x GE, 4 x 6 GE, 4 x 2 x GE, 4 x SFP, 16 × GE SFP, 16 × GE SFP, 16 × GE SFP, 16 × GE
Fixed I/0 Ports 8GE port), 4 x SFP, 2 SFP, 2 X 8GE, 2XSFP+ 8GE, 2XSFP+
SFP SFP SFP, (including (including (including (including
SFP, 2 x SFP+ SFP+
2 bypass pairs) 2 bypass pairs) 2 bypass pairs) 2 bypass pairs)
SFP+
480 GB / 960 480 GB / 960 480 GB / 960 480 GB / 960
120G+480G
Storage No 480GB 480GB -/256G -/256G -/256G GB / 1.92 TB GB / 1.92 TB GB / 1.92 TB GB / 1.92 TB NA NA
(Dual
SSD SSD SSD SSD

Available Slots for 2x Generic 2 x Generic 2 X Generic 2 x Generic 2 x Generic 4 x Generic 2 x Generic 1 x Generic
No No 1 x Generic Slot 1x Generic Slot 1x Generic Slot
Extension Modules Slot Slot Slot Slot Slot Slot Slot Slot

Hardware Specs Comparison Mid to Large Enterprise
Hillstone Hillstone Hillstone Hillstone Hillstone ForcePoint Hillstone ForcePoint

T5060 E5560P/E5568P E5760P T5860 E5960P N2101 E6368P N2105 N3301 N3305 N3401 N3405 N3410

FW Throughput (Maximum) 25 Gbps 20Gbps 40Gbps 40 Gbps 40Gbps 60Gbps 90Gbps 80Gbps 80Gbps 160Gbps 200Gbps 240Gbps 300Gbps

IPSec Throughput 15Gbps 12Gbps 18.8 Gbps 28Gbps 25.6 Gbps 25Gbps 64 Gbps 30Gbps 18Gbps 20Gbps 75Gbps 100Gbps 150Gbps

AV Throughput 7Gbps 4.9Gbps 7.9 Gbps 10Gbps 14 Gbps No Data 28 Gbps No Data No Data No Data No Data No Data No Data

IPS Throughput 12Gbps 9.3Gbps 18.5 Gbps 18Gbps 18.8 Gbps No Data 37 Gbps No Data No Data No Data No Data No Data No Data

Threat Prevention** 4Gbps 3.1Gbps 5.2 Gbps 6Gbps 8.2 Gbps 3Gbps 18 Gbps 4Gbps 23Gbps 27Gbps 26Gbps 40Gbps 50Gbps

NGFW Throughput 8Gbps 5.6Gbps 8.9 Gbps 12Gbps 14 Gbps 5Gbps 26 Gbps 7.5Gbps 9Gbps 15Gbps 15Gbps 30Gbps 35Gbps

New Sessions/s 300,000 300,000 500,000 450,000 600,000 300,000 1.1M 400,000 No Data No Data 750,000 1M 2M

Maximum Concurrent Sessions (Standard/Maximum) 5M 10M 12M 6M 15M 18M 30M 20M 12M 15M 70M 100M 200M

IPSec Tunnel Number 20000 20,000 20,000 20000 20,000 30,000 20,000 40,000 200,000 200,000 200,000 230,000 280,000

SSL VPN Users (free/MAX) 128/10,000 8/10,000 8/10,000 128/10,000 8/10,000 Unlimited 8/10,000 Unlimited Unlimited Unlimited Unlimited Unlimited Unlimited

2 GE, 8 x
2 x GE, 4 X 4 x GE, 4x 2 X GE, 4 X 12GE,2SFP+
Fixed I/0 Ports 4 GE, 4x SFP 4 GE, 4 x SFP 12GE,2SFP+ SFP+, 2GE 2GE,1QSFP+ 1GE,2SFP+ 1GE,2SFP+ 1GE,2SFP+
SFP SFP, 2 X SFP+ SFP
2XQSFP+

Storage 480GB/960GB -/256G No 480GB/960GB No NA No NA NA NA NA NA NA

Available Slots for 4 x Generic 4 x Generic 4 x Generic 4 x Generic 2 Generic Slot


4 Generic Slot 2 Generic Slot 2 Generic Slot 4 Generic Slot 4 Generic Slot 8xGeneric Slot 8xGeneric Slot 8xGeneric Slot
Extension Modules Slot Slot Slot Slot 1 Bypass Slot

Hardware Spec Comparisons - DataCenter
ForcePoint Hillstone
N6205 X7180 X8180 X9180 X10800
FW Throughput (Maximum) 240Gbps 680Gbps 450Gbps 600Gbps 1.2Tbps
IPSec Throughput 22Gbps 90Gbps No Data 250Gbps 500Gbps

NGFW Throughput 22Gbps 70Gbps No Data 140Gbps 280Gbps

Threat Prevention Throughput** 33Gbps 50Gbps No Data 100Gbps 200Gbps

New Sessions/s No Data 4.8Million 2.5Million 4Million 10Million

Maximum Concurrent Sessions 15M 240Million 130Million 200Million 480Million

IPSec Tunnel Number 200,000 30000 No Data 30000 30000

SSL VPN Users(free/MAX) Unlimited 128 / 20,000 No Data 128 / 20,000 128 / 20,000

Storage No No No No No

**For ForcePoint Threat Prevention Throughput, we are using Forcepoint Inspection Throughp
WatchGuard


How to Win Watchguard

Key Focus
1. We are good at most of the Specs, from Throughput to AV/IPS performance, as well as the Concurrent
Connections and new connections per second.
2. We have more flexible hardware choice, like Optional Hard Disk, Dual Power, more I/O interface, etc.
3. We are better in malware detection in NSS lab test and better position in Gartner MQ.

Certifications
Hillstone:
1. Positioned in Gartner Magic Quadrant for Enterprise Network Firewalls for 7 years.
2. IPv6 Phase II certification (Gold)
Watchguard:
1. Watchguard TCO per Mbps $18, in Hillstone is $6

Functions
Watchguard:
1. Do not support LLB and SmartDNS for multi-exit scenario
2. Do not support NAT port expansion, not apply when public IP is limited
3. Do not support P2P application steering or URL steering
4. Do not support 2 levels on iQoS
5. Do not support PBR based on applications

Hardware
Watchguard:
1. Product under 40G do not support dual-power redundancy
2. Less interface and 10G interface only supported on M470 and higher model
3. No SSD hard disk.
4. Most models only support single AC power.

Architecture & Performance
Watchguard:
1. Concurrent sessions lower than Hillstone
2. New sessions per second lower than Hillstone
3. UTM/NGFW Throughput max is 11G, Hillstone can reach 25G

Avoiding
1. Avoid Data Loss Prevention, they have more features here
2. Avoid Anti-Spam, they do with Cyren. Hillstone is testing, and now can do on T-Series
3. The reporting tool (Dimension) is more advanced than Hillstone
4. HTTP Proxy based, App Proxy.

Software Beating Points to Watchguard

1. No support for NAT port expansion function; limited to 64512 ports on a single public IP.
2. No support for LLB, not applicable to multi-exit scenarios based on Applications.
3. No support for SmartDNS, not able to do DNS intelligent resolution for WAN users, not able to return the fastest
accessing IP.
4. No support for P2P application steering and URL steering functions, not able to fully utilize the bandwidth of a high quality
link and not good for increasing the efficiency of user access.
5. Not able to identify and control applications based on Technology, Risk dimensions
6. QoS does not support multi-layer nesting, not applicable to complex bandwidth control
7. Poor IPSEC VPN connection with other vendors, not using standard VPN protocol (but using private IPsec VPN protocol),
also no support for L2TP VPN
8. No support for NAT444.
9. No support for smart policy operations, including


Watchguard Weakness in Basic Network Functions

| Category | Hillstone NGFW | Watchguard UTM | Description |
|---|---|---|---|
| NAT | SNAT port expansion | No | To solve the public IP address resource limitation, it must support NAT port expansion technology, to breakthrough the bottleneck of 64512 ports on single public IP, thus increasing the port number of a public IP and saving the Public IP address |
| | NAT address availability detection | No | Sometimes, the public IPs offered by ISP may not reachable, if the gateway device is not able to automatically detect the unavailable public IP, it will cause some LAN users fail to access Internet. |
| | NAT address alert | No | One public IP supports 64512 ports, if all ports are occupied due to larger number of sessions, system should provide alert to Admin. |
| | NAT feature: transparent NAT, Full-Cone NAT | No | Apply to diversification network scenario of ISP |
| Link Load Balance | Detect link latency dynamically and forward packets to the optimal link | No | Link dynamic detection, switch the link based on link latency and flow; support load algorithm such as round robin, Bandwidth ratio allocation, weighted least flow and for multiple exists scenario. |
| | Multi-Exit based DNS transparent proxy | No | Bind DNS server to corresponding Egress interface, reducing accesses across ISPs when link switchover. |

Watchguard Weakness in Basic Network Functions

| Category | Hillstone NGFW | Watchguard UTM | Description |
|---|---|---|---|
| VPN | Dial-up/GRE/L2TP VPN | No | In hub-spoke scenario, Dial-up VPN can expand amount of branches quickly without bulk configuration changes on hub site. Support L2TP VPN, which can access Hub network via virtual dial-in remotely |
| High Availability | HA | Yes | Hillstone supports HA in AP, AA, Peer, and Twin mode; supports synchronization for configuration and RDO (including session, IPSec VPN, SCVPN, L2TP, DNS cache mapping entry, ARP table, PKI, DHCP, MAC table, Web authentication) |
| | Host tracking | Only support PING and DNS | Track host by HTTP, PING, TCP, DNS, ARP etc., can be used to track HA switchover or interface switchover |
| Routing | BFD (Bidirectional Forwarding Detection) | No | Rapid detection of network connectivity to improve network performance |
| Virtualization | Vrouter, Vswitch, Vsys | Not sure | Support for Virtual router, Virtual Switch, Virtual system etc. |


Watchguard Weakness in Basic Network Functions

| Category | Hillstone NGFW | Watchguard UTM | Description |
|---|---|---|---|
| Others | Support 5 methods to track link availability in parallel | No | Support 5 methods to track link availability in parallel, including ARP/HTTP/DNS/PING/TCP customized port. Multiple monitor methods can reduce the risk of misjudgment and ensure the stability of links |
| | Port Mirroring | Not sure | Mirror the traffic from any other interface to one interface in device, to capture packet and trouble shoot the issues |
| | Policy Assistant and policy cleanup | No | • Security policy redundancy inspection, policy group, policy configuration rollback, aggregate policy; • Policy Assistant for easy detailed policy deployment • Policy analyzing and invalid policy cleanup |
| | SmartDNS | No | For inbound traffic, the system will resolve domains to different IPs based on the sources of DNS requests, and return IPs for different ISPs to the corresponding users who initiate the requests |


Watchguard Weakness in NGFW Functions

| Category | Hillstone NGFW | Watchguard UTM | Description |
|---|---|---|---|
| User/Role | RBNS | Yes | Security policy control and traffic management based on roles |
| Application | Application classification | No. No support for policy based on app. | Classify application based on Technology, Risk etc. |
| | NBC | No | Keyword filtering, Web content filtering, Email filtering, IM control etc. |
| | Monitor | No | Besides the application and user monitor, also support Risk monitoring. |
| iQoS | two levels 8 layers pipe nesting for traffic fine-grained control | Traffic shaping is bound to policy rules, it limits the usage. | Can not fulfill complicated scenario. iQoS is used to provide different priorities to different traffic, in order to control the delay and flapping, and decrease the packet loss rate. iQoS can assure the normal transmission of critical business traffic when the network is overloaded or congested. |
| Usability | debug | Yes | Offer the debug function for troubleshooting |
OS upgrade OS upgrade Import the image directly to device via WebUI, and support
to store two OS in device. Also support upgrade via FTP


Hardware Model and Spec Comparison


1. Watchguard still developing UTM.
2. Watchguard does not have too many models in mid enterprise.
3. Watchguard does not have local storage.
4. Watchguard does not support expansion slot for interface expansion in low size.
5. The highest UTM Throughput is 11G (M5800), while Hillstone can reach 24G as NGFW.
6. The concurrent sessions number is too low compared with Hillstone.
7. New sessions per second number is too low compared with Hillstone.
8. Provide less number of I/O interfaces.
9. Most of the models have only single AC power, while Hillstone has more choices.


Better position in Gartner MQ


Watchguard Firewall Portfolio

Watchguard Firewall Hardware Specs
| | WG Firebox T15/T15-W | WG Firebox T20/T20-W | WG Firebox T40/T40-W | WG Firebox T80 | Firebox M270 | Firebox M370 | Firebox M470 | Firebox M570 | Firebox M670 | Firebox M4800 | Firebox M5800 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Throughput (UDP 1518) | 400M | 1.7G | 3.4G | 4.7G | 4.9G | 8G | 19.6G | 26.6G | 34G | 49.6G | 87G |
| VPN Throughput | 150M | 485M | 880M | 1.4G | 1.6G | 4.6G | 5.2G | 5.8G | 7.6G | 16.4G | 18.8G |
| AV Throughput | 120M | 328M | 586M | 1.15G | 2.1G | 3.0G | 3.5G | 5.4G | 6.2G | 12.5G | 22G |
| IPS Throughput | 160M | 271M | 510M | 909M | 2.3G | 4.8G | 5.7G | 8.0G | 10.4G | 8.1G | 12.5G |
| NGFW/UTM* Throughput | 90M* | 154M* | 300M* | 631M | 1.6G | 2.6G | 3.1G | 4.4G | 5.4G | 5.2G | 11.3G |
| Concurrent Connections | 100K | 100K | 500K | 500k | 2M | 3.3M | 3.3M | 8.3M | 8.5M | 15M | 30.8M |
| New Connections Per second | 2.4K | 8.5K | 18K | 25K | 40K | 51K | 82K | 115K | 140K | 750K | 1M |
| Interface | 3GE | 5GE | 5GE | 8GE | 8GE | 8GE | 8GE | 8GE | 8GE | 8GE | 8GE;4SFP+ |
| Expansion Slot | - | - | - | - | - | - | 1 | 1 | 1 | 2 | 2 |
| Expansion Card | - | - | - | - | - | - | 8GE; 8SFP; 4SFP+ | 8GE; 8SFP; 4SFP+ | 8GE; 8SFP; 4SFP+ | 4SFP+; 8SFP; 8GE; 2*40GE | 4SFP+; 8SFP; 8GE; 2*40GE |
| Local Storage(SSD) | - | - | - | - | - | - | - | - | - | - | - |
| Power Supply | Single AC | Single AC | Single AC | Single AC | Single AC | Single AC | Single AC | Single AC | Single AC | Dual AC | Dual |
| Dimensions | Desktop | Desktop | Desktop | Desktop | 1U | 1U | 1U | 1U | 1U | 1U | 1U |

Product Hardware Specs - SMB(1G-5G)
WG Firebox WG Firebox WG Firebox WG Firebox Hillstone Hillstone Hillstone Hillstone
T15/T15-W T20/T20-W T40/T40-W T80 E1600P/WP E1700 A1000 A1100
Throughput
400M 1.7G 3.4G 4.7G 4.7G 4.7G 4G 5G
(UDP 1518)
VPN 1.1G 1.1G
150M 485M 880M 1.4G 850M 850M
Throughput
AV 890M 890M
120M 328M 586M 1.15G 1.8G 2G
Throughput
IPS
160M 271M 510M 909M 1.2M 1.2M 3.4G 3.7G
Throughput
NGFW/UTM*
90M 154M 300M 631M 470M 470M 1.2G 1.2G
Throughput
Concurrent
100K 100K 500K 500k 200K 600K 300K /600K 300K /600K
Connections
New
Connections 2.4K 8.5K 18K 25K 27K 28K 48K 48K
Per second

Interface 3GE 5GE 5GE 8GE 9GE 9GE 4GE 8GE; 1MGT

Expansion
- - - - - - - -
Slot
Expansion
- - - - - - - -
Card
Local 256GB 256GB
- - - - - -
Storage(SSD) Optional Optional

Power Supply Single AC Single AC Single AC Single AC Single AC Single AC Single AC Single AC

Dimensions Desktop Desktop Desktop Desktop desktop 1U Desktop Desktop

Product Hardware Specs - Enterprise(5G-10G)
WG Firebox WG Firebox Hillstone Hillstone Hillstone Hillstone Hillstone
M270 M370 E2800P A2000 A2600 E3662P/3668P E3960P/3968P

Throughput 4.9G 8G 8G 5G 5G 10G 10G


VPN Throughput 1.6G 4.6G 3G 1.1G 3G 3G 4G

AV Throughput 2.1G 3.0G 2.1G 2G 3.7G 2.1G 2.2G

IPS Throughput 2.3G 4.8G 3.3G 3.2G 4.5G 3.3G 3.9G

NGFW/UTMThrough
1.6G 2.6G 1.25G 1.2G 1.8G 1.25G 1.5G
put
Concurrent 1M / 2M 1.2M / 2M
2M 3.3M 1M 3M 3.2M
Connections

New Connections Per 48K 120K


40K 51K 80K 120K 150K
second

6GE
5GE 8 × GE 8 × GE 6GE
Interface 8GE 8GE 1 MGT 1 MGT 4SFP
4Combo 4SFP
2SFP+
Expansion Slot - - - - - 2 2

Expansion Card - - - -
500GB/1TB/2TB 500GB/1TB/2TB
Local Storage(SSD) - - - SATA SSD, SATA SSD, None/256G SSD None/256G SSD
Optional Optional
Single AC, Single AC,
Power Supply Single AC Single AC Single/Dual Single DC, Single DC, Single/Dual Single/Dual
Dual AC. Dual AC.
Dimensions 1U 1U 1U 1U 1U 1U 1U

Product Hardware Specs - Enterprise (10G-20G)
| | WG Firebox M470 | Hillstone E5260P/5268P | Hillstone E5560P/5568P | Hillstone A3700 | Hillstone A3800 |
| --- | --- | --- | --- | --- | --- |
| Throughput | 19.6G | 20G | 20G | 20G / 40G | 20G / 40G |
| VPN Throughput | 5.2G | 8.4G | 12G | 3.2G | 6G |
| AV Throughput | 3.5G | 3.8G | 4.9G | 5.2G | 9.4G |
| IPS Throughput | 5.7G | 8.9G | 9.3G | 8.6G | 17.5G |
| NGFW/UTM Throughput | 3.1G | 3.9G | 5.6G | 1.8G | 3.7G |
| Concurrent Connections | 3.3M | 6M | 10M | 6M / 10M | 8M / 10M |
| New Connections Per second | 82K | 200K | 300K | 140K | 310K |
| Interface | 8GE | 1MGT, 1HA, 4GE, 4SFP, 2SFP+ | 1MGT, 1HA, 4GE, 4SFP, 2SFP+ | 1 x MGT; 1 x HA; 8 × SFP; 16 × GE; 2 × SFP+ | 1 x MGT; 1 x HA; 8 × SFP; 16 × GE; 2 × SFP+ |
| Expansion Slot | 1 | 4 | 4 | 1 | 1 |
| Expansion Card | 8GE; 8SFP; 4SFP+ | IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M, IOC-4SFP+, IOC-8SFP+, IOC-2SFP+Lite | IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M, IOC-4SFP+, IOC-8SFP+, IOC-2SFP+Lite | IOC-A-4SFP+, IOC-A-2MM-BE, IOC-A-2SM-BE | IOC-A-4SFP+, IOC-A-2MM-BE, IOC-A-2SM-BE |
| Local Storage(SSD) | - | None/256G SSD | None/256G SSD | 500GB/1TB/2TB SATA SSD, Optional | 500GB/1TB/2TB SATA SSD, Optional |
| Power Supply | Single AC | Dual AC, Dual DC. | Dual AC, Dual DC. | Single AC, Single DC, Dual AC. | Single AC, Single DC, Dual AC. |
| Dimensions | 1U | 2U | 2U | 1U | 1U |
Product Hardware Specs - Enterprise (20G-40G)
| | WG Firebox M570 | WG Firebox M670 | Hillstone E5760P | Hillstone E5960P | Hillstone A3700 | Hillstone A3800 |
| --- | --- | --- | --- | --- | --- | --- |
| Throughput | 26.6G | 34G | 40G | 40G | 20G / 40G | 20G / 40G |
| VPN Throughput | 5.8G | 7.6G | 18.8G | 25.6G | 3.2G | 6G |
| AV Throughput | 5.4G | 6.2G | 7.9G | 14G | 5.2G | 9.4G |
| IPS Throughput | 8.0G | 10.4G | 18.5G | 18.8G | 8.6G | 17.5G |
| NGFW/UTM Throughput | 4.4G | 5.4G | 8.9G | 14G | 1.8G | 3.7G |
| Concurrent Connections | 8.3M | 8.5M | 12M | 15M | 6M / 10M | 8M / 10M |
| New Connections Per second | 115K | 140K | 500K | 600K | 140K | 310K |
| Interface | 8GE | 8GE | 1MGT, 1HA, 4GE, 4SFP | 1MGT, 1HA, 4GE, 4SFP | 1 x MGT; 1 x HA; 8 × SFP; 16 × GE; 2 × SFP+ | 1 x MGT; 1 x HA; 8 × SFP; 16 × GE; 2 × SFP+ |
| Expansion Slot | 1 | 1 | 4 | 4 | 1 | 1 |
| Expansion Card | 8GE; 8SFP; 4SFP+ | 8GE; 8SFP; 4SFP+ | IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M, IOC-4SFP+, IOC-8SFP+, IOC-2SFP+Lite | IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M, IOC-4SFP+, IOC-8SFP+, IOC-2SFP+Lite | IOC-A-4SFP+, IOC-A-2MM-BE, IOC-A-2SM-BE | IOC-A-4SFP+, IOC-A-2MM-BE, IOC-A-2SM-BE |
| Local Storage(SSD) | - | - | - | - | 500GB/1TB/2TB SATA SSD, Optional | 500GB/1TB/2TB SATA SSD, Optional |
| Power Supply | Single AC | Single AC | Dual AC, Dual DC. | Dual AC, Dual DC. | Single AC, Single DC, Dual AC. | Single AC, Single DC, Dual AC. |
| Dimensions | 1U | 1U | 2U | 2U | 1U | 1U |
Product Hardware Specs - Enterprise (40G-80G)
| | WG Firebox M4800 | WG Firebox M5800 | Hillstone E6368P |
| --- | --- | --- | --- |
| Throughput | 49.6G | 87G | 90G |
| VPN Throughput | 16.4G | 18.8G | 64G |
| AV Throughput | 12.5G | 22G | 28G |
| IPS Throughput | 8.1G | 12.5G | 37G |
| NGFW/UTM Throughput | 5.2G | 11.3G | 26G |
| Concurrent Connections | 15M | 30.8M | 30M |
| New Connections Per second | 750K | 1M | 1.1M |
| Interface | 8GE | 8GE;4SFP+ | 1MGT, 1HA, 8SFP+, 2GE, 2QSFP+ |
| Expansion Slot | 2 | 2 | 2xGeneric+1 BYPASS |
| Expansion Card | 4SFP+; 8SFP; 8GE; 2*40GE | 4SFP+; 8SFP; 8GE; 2*40GE | IOC-8GE-P, IOC-8SFP-P |
| Local Storage(SSD) | - | - | 512G SSD |
| Power Supply | Dual AC | Dual AC | Dual AC/DC |
| Dimensions | 1U | 1U | 2.5U |

Sangfor

How to Win Sangfor
Key Focus
1. Introduce Hillstone intelligent functions such as unknown threat prevention, abnormal behavior detection, risk management, and risk correlation analysis.
2. Introduce Hillstone system maintenance functions such as packet path detection.

Beating Points - Corporate
1. R&D investment of Hillstone NGFW is one time more than Sangfor NGAF.
2. Sangfor has a smaller customer base in the ISP and financial industries.

Beating Points - Certifications
Hillstone:
1. Positioned in Gartner Magic Quadrant for Enterprise Network Firewalls for 7 years.
2. IPv6 Phase II certification (Gold)

Beating Points - Functions
Sangfor:
1. Does not support LLB and SmartDNS for multi-exit scenarios
2. Does not support policy hit count, so it cannot analyze the effective utilization of policy rules
3. Does not support NAT port expansion, so it is not applicable when public IPs are limited
4. Does not support P2P application steering or URL steering
5. Does not support Security Management Platform and Security Auditing Platform solutions
6. Does not support turning on IPS/AV/vulnerability scan functions at the same time in a single policy

Beating Points - Hardware
Sangfor:
1. Products under 10G do not support dual-power redundancy
2. Does not support slot expansion; 10G interfaces are only supported on AF-8020 and higher models
3. No support for ISSU (In-Service Software Upgrade); Hillstone X series does support it

Beating Points - Architecture & Performance
Sangfor:
1. Performance drops by 50% when NAT is enabled; Hillstone drops no more than 10%
2. Lower-end models have poor management performance; the device cannot be managed when the CPU is busy

Avoiding
1. Avoid Web protection functions, because NGAF was developed with many WAF functions. It is an integrated NGFW+WAF.
2. Avoid competing with NGAF in performance tests that turn on AV, IPS, and APP identification at the same time. Sangfor NGAF has less performance drop in that case.
Software Beating Points to Sangfor
1. No support for NAT port expansion; limited to 64512 ports on a single public IP.
2. No support for LLB; not applicable to multi-exit scenarios.
3. No support for SmartDNS; cannot do intelligent DNS resolution for WAN users and cannot return the fastest-access IP.
4. No support for policy hit count; cannot effectively determine policy utilization.
5. No support for P2P application steering and URL steering functions; cannot fully utilize the bandwidth of high-quality links and does not help increase the efficiency of user access.
6. No support for Security Management Platform and Security Auditing Platform solutions.
7. HA function only supports AP mode; no VPN synchronization.
8. Cannot identify and control applications based on Technology and Risk dimensions.
9. QoS does not support multi-layer nesting; not applicable to complex bandwidth control.
10. SSL VPN must be purchased; no free SSL VPN users.
11. Poor IPsec VPN connection with other vendors: it uses a private IPsec VPN protocol rather than the standard VPN protocol; also no support for L2TP VPN.
12. No support for DDNS; poor DNS proxy function.

Sangfor Weakness in Basic Network Functions
| | Hillstone NGFW | Sangfor NGAF | Description |
| --- | --- | --- | --- |
| NAT | SNAT port expansion | No | To overcome the limitation of public IP address resources, the device must support NAT port expansion technology to break through the bottleneck of 64512 ports on a single public IP, thus increasing the number of ports per public IP and saving public IP addresses. |
| | NAT address availability detection | No | Sometimes the public IPs offered by the ISP may not be reachable. If the gateway device cannot automatically detect an unavailable public IP, some LAN users will fail to access the Internet. |
| | NAT address alert | No | One public IP supports 64512 ports. If all ports are occupied due to a large number of sessions, the system should alert the admin. |
| | NAT feature: transparent NAT, Full-Cone NAT | No | Applies to the diverse network scenarios of ISPs |
| Link Load Balance | Detect link latency dynamically and forward packets to the optimal link | No | Dynamic link detection; switches the link based on link latency and flow; supports load algorithms such as round robin, bandwidth ratio allocation, and weighted least flow, for multiple-exit scenarios. |
| | Multi-Exit based DNS transparent proxy | No | Binds the DNS server to the corresponding egress interface, reducing accesses across ISPs on link switchover. |
Sangfor Weakness in Basic Network Functions
| | Hillstone NGFW | Sangfor NGAF | Description |
| --- | --- | --- | --- |
| VPN | Dial-up/GRE/L2TP VPN | No | In a hub-spoke scenario, Dial-up VPN can expand the number of branches quickly without bulk configuration changes on the hub site. Supports L2TP VPN, which can access the hub network remotely via virtual dial-in. |
| High Availability | HA | Only supports A/P mode. Only supports synchronizing configuration, session, user and authentication info. No VPN sync; VPN will disconnect on HA switchover. | Hillstone supports HA in AP, AA, Peer, and Twin mode; supports synchronization of configuration and RDO (including session, IPSec VPN, SCVPN, L2TP, DNS cache mapping entry, ARP table, PKI, DHCP, MAC table, Web authentication) |
| | Host tracking | Only supports PING and DNS | Track hosts by HTTP, PING, TCP, DNS, ARP, etc.; can be used to track HA switchover or interface switchover |
| Routing | BFD (Bidirectional Forwarding Detection) | No | Rapid detection of network connectivity to improve network performance |
| Virtualization | Vrouter, Vswitch, Vsys | Supports Vsys, BUT needs a special image to be installed. | Support for Virtual router, Virtual Switch, Virtual system, etc. |

Sangfor Weakness in Basic Network Functions
| | Hillstone NGFW | Sangfor NGAF | Description |
| --- | --- | --- | --- |
| Others | Support 5 methods to track link availability in parallel | Only supports PING and DNS tracking, one track per interface. Misjudges more easily. | Supports 5 methods to track link availability in parallel, including ARP/HTTP/DNS/PING/TCP customized port. Multiple monitor methods can reduce the risk of misjudgment and ensure the stability of links. |
| | Port Mirroring | No | Mirror the traffic from any other interface to one interface on the device, to capture packets and troubleshoot issues |
| | SmartDNS | No | For inbound traffic, the system resolves domains to different IPs based on the sources of the DNS requests, and returns IPs for different ISPs to the corresponding users who initiate the requests |
| | STP | No | Layer 2 deployment needs STP support |
| | DDNS | No | Dynamic domain name service for PPPoE dial-up users to manage equipment remotely |

Sangfor Weakness in NGFW Functions
| | Hillstone NGFW | Sangfor NGAF | Description |
| --- | --- | --- | --- |
| User/Role | RBNS | No | Security policy control and traffic management based on roles |
| Application | Application classification | No | Classify applications based on Technology, Risk, etc. |
| | NBC | No | Keyword filtering, Web content filtering, Email filtering, IM control, etc. |
| | Monitor | No | Besides the application and user monitors, Risk monitoring is also supported. |
| iQoS | Two levels, 8 layers pipe nesting for fine-grained traffic control | Does not support nesting: supports bandwidth limit based on single IP but no support for bandwidth reservation; no bandwidth control for applications | Cannot fulfill complicated scenarios. iQoS is used to provide different priorities to different traffic, in order to control delay and flapping and to decrease the packet loss rate. iQoS can assure the normal transmission of critical business traffic when the network is overloaded or congested. |
| Usability | debug | No | Offers the debug function for troubleshooting |
| | OS upgrade | OS is so difficult for the customer to upgrade, and only one OS is stored on the device | Import the image directly to the device via WebUI, with support for storing two OS images on the device. Upgrade via FTP is also supported. |

Sangfor Has no Intelligent Function
| Hillstone iNGFW | Sangfor NGAF | Description |
| --- | --- | --- |
| Proactive Detection | No | Supports real-time inspection of system resources, network node reachability and availability, and business service node availability |
| Fault Diagnosis | No | Supports visible fault diagnosis: detect network incidents in advance, locate the root cause quickly and modify policy configurations |
| Abnormal Behavior Detection | Detects based on a static threshold. No periodic learning and auto tuning of the behavior baseline threshold | There are various threat attacks in networks, such as Web server attacks, DoS attacks, application layer attacks, port/server scan attacks, amplification attacks, SSL attacks, etc. When one detected object has multiple abnormal parameters, the system analyzes the relationship among the abnormal parameters to see whether an abnormal behavior has formed. If there is an abnormal behavior, the system sends an alarm message and generates threat logs. |
| Advanced Threat Detection | Needs to work with cloud sandbox | Advanced Threat Detection, on the basis of learning advanced threat detection signatures, analyzes the suspicious traffic of hosts and detects malicious behavior to identify APT (Advanced Persistent Threat) attacks and generate threat logs. |
| Risk Mitigation | No | The system can identify potential risks and network attacks dynamically, and take action (session limit, bandwidth limit or block) on the risk that hits the mitigation rules |
| Risk Management | No | Provides a comprehensive view from risk to threat, including network risk index, risky hosts, and the detailed information of specific threats through a multilevel and stereoscopic display |
Sangfor NGAF Advantage & How to Cope
Web Attack Defense and Anti-tamper (WAF function)
[Sangfor] The use of NGFW for web attack defense has a better effect than WAF. The product passed the NSS LABS test and got the recommended rating for WAF. NGAF is the world's first fully integrated NGFW+WAF.

[Hillstone]
1. Normally, NGFW is deployed as the network gateway, while WAF is deployed in front of the web server. The performance pressure on the two products is totally different.
2. On the technology side, NGFW uses packet forwarding technology, while WAF uses proxy technology. NGFW throughput will be limited if it uses proxy technology. If packet forwarding technology is used to develop the WAF, it will have a huge impact on the security protection capability of the WAF. It is not a good idea to integrate them together.
3. The WAF function on Sangfor NGAF is developed by adopting "content filter + IPS + URL filter module"; the WAF signature database is loaded based on the IPS engine.
4. We need to offer a professional product for each requirement, not mix NGFW and WAF together.

Hardware Model and Spec Comparison
1. Sangfor has no support for 3G or WiFi
2. Sangfor does not support expansion slots for interface expansion
3. Poor HA in the power module: no dual-power redundancy support for models under 25G
4. Sangfor NGAF does not support ISSU
5. Must ask for real-traffic testing; Sangfor devices are unstable when actual traffic is over 1G
6. Sangfor devices do not support SaaS, whereas Hillstone supports monitoring device status via a mobile app (CloudView)

Product Hardware Specs - SMB
AF-1000- E1100
E1600 E1606 E1700
AF-1000-
M4500-F-I M5100-F-I M5150-F-I E2300 A1000 M5200-F-I A1100
B1080 Series B1120
Throughp
1.05 Gbps 1G 1G 1G 1.5/2G 1.75 Gbps 2G 2.8G 3.5G 2.5/4G 4G 4.9G 5G
ut
VPN
Throughp 100M 600M 600M 600M 700M 100M 250M 250M 250M 1G NA 375M NA
ut
IPS
Throughp - 400M 400M 400M 600M 700M 1.2G 1.4G 1.4G 1G 3.4G 2.1G 3.7G
ut
AV
Throughp - 300M 300M 300M 400M - - - - 700M 1.8G - 2G
ut
NGFW
Throughp 800M 350M 350M 350M 450M 1G 1.4G 2.5G 2.5G 650M 1.2G 350M 1.2G
ut
Concurren
t 600K/ 1M/
800K 100K 200K 400K 800K 250K 750K 1M 300,000 1.2M 300,000
Connectio 1M 2M
ns
New
Connectio
15,000 10,000 10,000 12,000 25,000 15,000 10,000 25,000 25,000 50,000 48,000 30,000 48,000
ns Per
second
8 × GE
5GE
Interface 4GE 9GE 9GE 9GE 9GE 4GE 4GE 4GE 6GE 4 × GE 6GE (including 1
4Combo
bypass pair)
Expansion
- - - - - - - - - - - - -
Slot
Local
Storage(S - - - - - - 32G 32G 32G - 8GB 32G 8GB
SD)
Power
single single single single single/dual single single Single single single/dual single Single single
Supply
Dimensio desktop
desktop desktop 1U 1U 1U desktop 1U 1U 1U Desktop 1U Desktop
ns
Product Hardware Specs - Enterprise
M5250-
F-I
E2800 A2000 A2600 E2860/E2868 E3662/E3668 E3960/E3968 E3965/E5168 M5300-F-I E5260/E5268
Throughput 5.5G 4.5/6G 5G 5G 6G 8G 10G 10G 12G 16G
VPN Throughput 375M 3G NA NA 3G 3G 4G 6G 1G 8G

IPS Throughput 2.1G 1.8G 3.2G 4.5G 1.8G 3G 4G 4G 3.85G 5G

AV Throughput - 1.2G 2G 3.7G 1.2G 1.6G 2.5G 3G - 3.5G

NGFW
Throughput
2.8G 850M 1.2G 1.8G 1.0G 1.2G 1.5G 3G 5G 3.5G

Concurrent 1M/ 1M/


Connections
1.8M 2M
12M 20M
2M
3M 4M 6M 2M 6M

New Connections
Per second
50,000 80K 100,000 160,000 80K 120K 150K 170K 80K 200K

8 × GE 8 × GE 1MGT、1HA、 1MGT、1HA、 1MGT、1HA、


5GE 6GE 1MGT、1HA 4GE
Interface 6GE 4Combo
(including 1 (including 1
4SFP 、6GE、4SFP
4GE、2Bypass、
2GE、2Bypass、
2SFP
2GE、2Bypass、
bypass pair) bypass pair) 4SFP、2SFP+ 4SFP、2SFP+ 4SFP、2SFP+
Expansion Slot - - 8GB 8GB 2 2 2 4 4
480 GB / 960 480 GB / 960
- / 256G or - / 256G or - / 256G or -/256G or - / 256G or
Local Storage 32G - GB / 1.92 TB GB / 1.92 TB
512G 512G 512G 512G
SSD 64 GB
512G
SSD SSD
single/ single/
Power Supply single dual
single/dual single/dual
dual
single/dual single/dual dual single dual

High 1U 1U 1U 1U 1U 1U 1U 2U 1U 2U

Product Hardware Specs - Enterprise
M5400-F-I A3000 A3600 E5568 E5500-F-I E5760 A3700 A3800 E5960
Throughput 20G 20G 20G 20G 25G 32G 20G / 40G 20G / 40G 40G

VPN Throughput 1.25G 12G 15G 18G NA NA 25G

IPS Throughput 5.6G 8.3G 8.5G 7G 12G 15G 8.6G 17.5G 18G

AV Throughput - 4.8G 5G 5G - 8G 5.2G 9.4G 10G

NGFW
8.4G 1.8G 1.8G 5G 7G 8G 1.8G 3.7G 9.5G
Throughput
Concurrent
2.5M 1M 1.2M 10M 10M 12M 6M 8M 15M
Connections
New Connections
110K 48,000 120,000 300,000 300,000 300,000 140,000 310,000 500,000
Per second
1MGT 1MGT 1MGT
1MGT、1HA、2GE、 2 × SFP+, 8 × SFP, 2 × SFP+, 8 × SFP,
8 × GE (including 1 8 × GE (including 1 1HA 1HA 1HA
Interface 8GE 2Bypass、4SFP、 16 × GE (including 16 × GE (including
bypass pair) bypass pair) 4GE 4GE 4GE
2SFP+ 2 bypass pairs) 2 bypass pairs)
4SFP 4SFP 4SFP

Expansion Slot - - - - - 1 1 -

Expansion Slot SSD 128 GB 8GB 8GB 4 4 4 8GB 8GB 4

480 GB / 960 GB / 480 GB / 960 GB / 480 GB / 960 GB / 480 GB / 960 GB /


Local Storage single 256G/512G - - -
1.92 TB SSD 1.92 TB SSD 1.92 TB SSD 1.92 TB SSD

Power Supply 1U single/dual single/dual dual dual dual single/dual dual dual

High 1U 1U 2U 2U 2U 1U 1U 2U
Product Hardware Specs - Enterprise
M5600-F-I E6160 E6168 M5800-F-I E6360 E6368
Throughput 50G 60G 60G 67G 80G 80G

VPN Throughput 3G 35G 35G 3.75G 50G 50G

IPS Throughput 14G 25G 25G 21G 27G 27G

27G
AV Throughput - 20G 20G - 27G

NGFW Throughput 23G 16G 16G 26.5G 24G 24G

Concurrent Connections 4M 20M 20M 8M 30M 30M

New Connections Per second 300K 800K 800K 330,000 1.1M 1.1M

10GE 8GE 2MGT、8SFP+、2GE, 2MGT、8SFP+、2GE,


Interface 2MGT、8SFP+、2GE 2MGT、8SFP+、2GE
4SFP 4SFP 2QSFP+ 2QSFP+

Expansion Slot - 2xGeneric+1 BYPASS 2xGeneric+1 BYPASS 2xGeneric+1 BYPASS 2xGeneric+1 BYPASS

1 TB
Local Storage - 512G - 512G
+4G CF

Power Supply 1 TB dual dual dual dual dual

High dual 2U 2U 2U 2U 2U
Product Hardware Specs - Data Center
Specification
M5900-F-I M6000-F-I AF-2000-B3100 AF-2000-B3200 AF-2000-B3300 X7180 X8180 X9180 X10800
(Max)
FW Throughput 105G 140G 140G 180G 240G 680G 450G 600G 1.2T

VPN Throughput 5G 5G 7G 10G 15G 90G 250G 500G

IPS Throughput 42G 56G 63G 84G 126G 100G 180G 200G 400G

NGFW Throughput 56G 84G 90G 120G 140G 70G 140G 280G

Concurrent
12M 16M 20M 30M 35M 240M 130M 240M 480M
Connections

New Connections Per


450,000 600K 650K 800K 900K 4.8M 2.5M 5.4M 10M
second

1 Console port, 1 1 Console port, 1 1 Console port, 1


MGT AUX port, 1 MGT AUX port, 1 MGT
4GE 8GE
Management 1 x Console Port, management, 1 management, 1 management, 1
4SFP 8SFP NA NA NA
Interfaces 1 x AUX Port USB 2.0 port USB 2.0 port USB 2.0 port
2SFP+ 4SFP+
(single SCM-260 (single SCM-280 (single SCM-300
module) module) module)
2 Gigabit optical 2 Gigabit optical 2 Gigabit optical
4 x GE Combo interfaces (2 HA interfaces (2 HA interfaces (2 HA
Network Interfaces NA NA NA NA NA slot (1 x M GT+3 interfaces, single interfaces, single interfaces, single
x HA) SCM-260 SCM-280 SCM-300
module) module) module)
6 universal
12 universal
expansion slots,
10 x Generic Slot, expansion slots,
3 universal 2 security
2 x System 2 system control
expansion slots, control module
Control Module module
Expansion Slot - - - - - 2 security expansion slots,
Slot, 1 x SD Card expansion slots,
control module 2 switching
Slot, 2 x USB 2.0 2 switching
expansion slots module
Port module
expansion slots,
expansion slots
1 USB 2.0 port
2+2 / 3+1 N+M (Max 4) N+M (Max 8)
Power Supply dual dual dual dual dual Dual
redundant redundant redundant

High 2U 2U 2U 2U 2U 5U 3U 7U 18U
•Vs. E Pro Series
AF vs E-Pro

| | AF-1000-B1080 | AF-1000-B1120 | M4500 | M5100 | M5150 | E1600P | E1600WP | E1700P | M5200 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FW Throughput | 1.05 Gbps | 1.75 Gbps | 2 Gbps | 2.8 Gbps | 3.5 Gbps | 4.7 Gbps | 4.7 Gbps | 4.75 Gbps | 4.9 Gbps |
| IPS + WAF Throughput | N/A | 700 Mbps | 1.2 Gbps | 1.4 Gbps | 1.4 Gbps | | | | 2.1 Gbps |
| Threat Protection Throughput | 600 Mbps | 800 Mbps | 1 Gbps | 1.8 Gbps | 1.8 Gbps | 360 Mbps | 360 Mbps | 400 Mbps | 2.1 Gbps |
| NGFW Throughput | 800 Mbps | 1 Gbps | 1.4 Gbps | 2.5 Gbps | 2.5 Gbps | 470 Mbps | 470 Mbps | 470 Mbps | 2.8 Gbps |
| IPSec Throughput | 100 Mbps | 100 Mbps | 250 Mbps | 250 Mbps | 250 Mbps | 850 Mbps | 850 Mbps | 850 Mbps | 375 Mbps |
| IPsec Tunnel Number | 100 | 100 | 300 | 300 | 300 | 512 | 512 | 2000 | 500 |
| Maximum Concurrent Sessions | 800,000 | 800,000 | 250,000 | 750,000 | 1,000,000 | 200,000 | 200,000 | 600,000 | 1,200,000 |
| New Sessions | 15,000 | 18,000 | 10,000 | 20,000 | 25,000 | 27,000 | 27,000 | 28,000 | 30,000 |

AF vs E-Pro

| | M5250 | E2800P | E3662P | E3668P | E3960P | E3968P | M5300 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| FW Throughput | 5.5 Gbps | 8 Gbps | 10 Gbps | 10 Gbps | 10 Gbps | 10 Gbps | 12 Gbps |
| IPS + WAF Throughput | 2.1 Gbps | | | | | | 3.85 Gbps |
| Threat Protection Throughput | 2.1 Gbps | 860 Mbps | 900 Mbps | 900 Mbps | 1.1 Gbps | 1.1 Gbps | 4.2 Gbps |
| NGFW Throughput | 2.8 Gbps | 1.25 Gbps | 1.25 Gbps | 1.25 Gbps | 1.5 Gbps | 1.5 Gbps | 5 Gbps |
| IPSec Throughput | 375 Mbps | 3 Gbps | 3 Gbps | 3 Gbps | 4 Gbps | 4 Gbps | 1 Gbps |
| IPsec Tunnel Number | 500 | 2,000 | 6,000 | 6000 | 6,000 | 6,000 | 1,000 |
| Maximum Concurrent Sessions | 1,800,000 | 1,000,000 | 3,000,000 | 3,000,000 | 3,200,000 | 3,200,000 | 2,000,000 |
| New Sessions | 50,000 | 80,000 | 120,000 | 120,000 | 150,000 | 150,000 | 80,000 |

AF vs E-Pro

| | E5260P | E5268P | E5560P | E5568P | M5400 | M5500 | E5760P | E5960P | M5600 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FW Throughput | 20 Gbps | 20 Gbps | 20 Gbps | 20 Gbps | 20 Gbps | 50 Gbps | 40 Gbps | 40 Gbps | 50 Gbps |
| IPS + WAF Throughput | | | | | 5.6 Gbps | 14 Gbps | | | 14 Gbps |
| Threat Protection Throughput | 2.2 Mbps | 2.2 Mbps | 3.1 Mbps | 3.1 Mbps | 5.6 Gbps | 18 Gbps | 5.2 Gbps | 8.2 Gbps | 18 Gbps |
| NGFW Throughput | 3.9 Gbps | 3.9 Gbps | 5.6 Gbps | 5.6 Gbps | 8.4 Gbps | 23 Gbps | 8.9 Gbps | 14 Gbps | 23 Gbps |
| IPSec Throughput | 8.4 Gbps | 8.4 Gbps | 12 Gbps | 12 Gbps | 1.25 Gbps | 3 Gbps | 18.8 Gbps | 25.6 Gbps | 3 Gbps |
| IPsec Tunnel Number | 20,000 | 20,000 | 20,000 | 20,000 | 1500 | 4,000 | 20,000 | 20,000 | 3,000 |
| Maximum Concurrent Sessions | 6,000,000 | 6,000,000 | 10,000,000 | 10,000,000 | 2,500,000 | 4,000,000 | 12,000,000 | 15,000,000 | 3,000,000 |
| New Sessions | 200,000 | 200,000 | 300,000 | 300,000 | 110,000 | 300,000 | 500,000 | 600,000 | 220,000 |

AF vs E-Pro

| | M5800 | E6368P | M5900 | M6000 | AF-2000-B3100 | AF-2000-B3200 | AF-2000-B33-- |
| --- | --- | --- | --- | --- | --- | --- | --- |
| FW Throughput | 67 Gbps | 90 Gbps | 105 Gbps | 140 Gbps | 140 Gbps | 180 Gbps | 240 Gbps |
| IPS + WAF Throughput | 21 Gbps | | 42 Gbps | 56 Gbps | 63 Gbps | 84 Gbps | 126 Gbps |
| Threat Protection Throughput | 26.5 Gbps | 18 Mbps | 50.4 Gbps | 67.2 Gbps | 79.4 Gbps | 91.2 Gbps | 105 Gbps |
| NGFW Throughput | 31 Gbps | 26 Gbps | 56 Gbps | 84 Gbps | 90 Gbps | 120 Gbps | 140 Gbps |
| IPSec Throughput | 3.75 Gbps | 64 Gbps | 5 Gbps | 5 Gbps | 7 Gbps | 10 Gbps | 15 Gbps |
| IPsec Tunnel Number | 5,000 | 20,000 | 10,000 | 10,000 | 15,000 | 20,000 | 30,000 |
| Maximum Concurrent Sessions | 8,000,000 | 30,000,000 | 12,000,000 | 16,000,000 | 20,000,000 | 32,000,000 | 35,000,000 |
| New Sessions | 330,000 | 1,100,000 | 450,000 | 600,000 | 650,000 | 800,000 | 900,000 |

+1 408 508 6750
inquiry@hillstonenet.com
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com