Dell TZ300P PoE User Manual

Page 1
SonicWall TZ series
Integrated threat prevention and SD-WAN platform for
small/medium organizations and distributed enterprises
The SonicWall TZ series enables small to
mid-size organizations and distributed
enterprises realize the benets of an
integrated security solution that checks all the boxes. Combining high-speed
threat prevention and software-dened wide area networking (SD-WAN) technology with an extensive range of networking and wireless features plus simplied deployment and centralized
management, the TZ series provides a
unied security solution at a low total cost of ownership.
Flexible, integrated security solution
The foundation of the TZ series is
SonicOS, SonicWall’s feature-rich
operating system. SonicOS includes a
powerful set of capabilities that provides organizations with the exibility to tune these Unied Threat Management (UTM) rewalls to their specic network
requirements. For example, creating a
secure high-speed wireless network is simplied through a built-in wireless controller and suppor t for the IEEE
802.11ac standard or by adding our SonicWave 802.11ac Wave 2 access points. To reduce the cost and complexity
of connecting high-speed wireless access points and other Power over Ethernet (PoE)-enabled devices such as IP cameras, phones and printers,
the TZ300P and TZ600P provide
PoE/PoE+ power.
Distributed retail businesses and
campus environments can take
advantage of the many tools in SonicOS to gain even greater benets.
Branch locations are able to exchange
information securely with the central ofce using virtual private networking (VPN). Creating virtual LANs (VLANs) enables segmentation of the network
into separate corporate and customer
groups with rules that determine the level of communication with devices on other VLANs. SD-WAN offers a secure alternative to costly MPLS circuits while delivering consistent application performance and availability. Deploying
TZ rewalls to remote locations is easy
using Zero-Touch Deployment which enables provisioning of the rewall
remotely through the cloud.
Superior threat prevention and
performance
Our vision for securing networks in
today’s continually-evolving cyber threat landscape is automated, real­time threat detection and prevention.
Through a combination of cloud-based
and on-box technologies we deliver protection to our rewalls that’s been
validated by independent third-party
testing for its extremely high security effectiveness. Unknown threats are sent
to SonicWall’s cloud-based Capture
Advanced Threat Protection (ATP) multi-
engine sandbox for analysis. Enhancing Capture ATP is our patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology. The RTDMI engine detects and blocks malware
and zero-day threats by inspecting
directly in memory. RTDMI technology is precise, minimizes false positives, and identies and mitigates sophisticated
Benets:
Flexible, integrated security solution
Secure SD-WAN
Powerful SonicOS operating system
High-speed 802.11ac wireless
Power over Ethernet (PoE/PoE+)
Network segmentation with VLANs
Superior threat prevention and performance
• Patent-pending real-time deep memory inspection technology
Patented reassembly-free deep packet inspection technology
• On-box and cloud-based threat prevention
TLS/SSL decr yption and inspection
Industry-validated security
effectiveness
Dedicated Capture Labs threat research team
Endpoint security with Capture Client
Easy deployment, setup and ongoing management
Zero-Touch Deployment
• Cloud-based and on-premises centralized management
Scalable line of rewalls
Low total cost of ownership
Page 2
attacks where the malware’s weaponry is exposed for less than 100 nanoseconds. In combination, our patented single-pass Reassembly-Free Deep Packet Inspection (RFDPI) engine examines every byte of
every packet, inspecting both inbound
and outbound traf c directly on the rewall. By leveraging Capture ATP with RTDMI technology in the SonicWall Capture Cloud Platform in addition to
on-box capabilities including intrusion
prevention, anti-malware and web/ URL ltering, TZ series rewalls stop malware, ransomware and other threats at the gateway. For mobile devices used outside the rewall perimeter, SonicWall Capture Client provides an added layer of
protection by applying advanced threat protection techniques such as machine learning and system rollback. Capture Client also leverages the deep inspection
of encrypted TLS trafc (DPI-SSL) on
TZ series rewalls by installing and
managing trusted TLS certicates.
The continued growth in the use of
encryption to secure web sessions means it is imperative rewalls are able to scan encrypted traf c for threats.
TZ series rewalls provide complete
protection by performing full decryption and inspection of TLS/SSL and SSH encrypted connections regardless of port or protocol. The rewall searches for
protocol non-compliance, threats, zero-
days, intrusions, and even dened criteria
by looking deep inside every packet.
The deep packet inspection engine
detects and prevents hidden attacks
that leverage cryptography. It also blocks encrypted malware downloads, ceases the spread of infections and thwarts command and control (C&C) communications and data exltration. Inclusion and exclusion rules allow total control to customize which trafc is
subjected to decr yption and inspection
based on specic organizational compliance and/or legal requirements.
Easy deployment, setup and
ongoing management
SonicWall makes it easy to congure and manage TZ series rewalls and
SonicWave 802.11ac Wave 2 access
points no matter where you deploy them.
Centralized management, reporting, licensing and analytics are handled through our cloud-based Capture
Security Center which offers the ultimate
in visibility, agility and capacity to centrally govern the entire SonicWall
security ecosystem from a single pane of glass.
A key component of the Capture Security Center is Zero-Touch Deployment. This cloud-based feature simplies and
speeds the deployment and provisioning
of SonicWall rewalls at remote and branch of ce locations. The process
requires minimal user intervention, and
is fully automated to operationalize rewalls at scale in just a few steps.
This signicantly reduces the time,
cost and complexity associated with installation and conguration, while
security and connectivity occurs instantly and automatically. Together, the
simplied deployment and setup along with the ease of management enable organizations to lower their total cost of ownership and realize a high return
on investment.
* 802.11ac currently not available on SOHO/ SOHO 250 models; SOHO/SOHO 250 models suppor t 802.11a/b/g/n
SonicWave 432i access point
Printer
Bi-directional scanning
SonicWall TZ600P
IP Phone
Camera
802.3at PoE+ Devices
Integrated Security and Power for Your PoE-enabled Devices
Provide power to your PoE-enabled devices without the cost and complexity of a Power over Ethernet switch or injector. TZ300P and TZ600P rewalls integrate IEEE 802.3at technology to power PoE and PoE+ devices such as wireless access points, cameras, IP phones and more. The rewall scans all trafc coming from and going to each
device using deep packet inspection
technology and then removes harmful threats such as malware and intrusions,
even over encrypted connections.
2
Page 3
Capture Cloud Platform
SonicWall's Capture Cloud Platform
delivers cloud-based threat prevention
and network management plus reporting and analytics for organizations of any size. The platform consolidates threat intelligence gathered from multiple sources including our award-winning multi-engine network sandboxing service, Capture Advanced Threat Protection, as well as more than 1 million SonicWall
sensors located around the globe.
If data coming into the network is found
to contain previously-unseen malicious code, SonicWall’s dedicated, in-house
Capture Labs threat research team
develops signatures that are stored in
the Capture Cloud Platform database and deployed to customer rewalls for up-to-date protection. New updates take effect immediately without reboots or
interruptions. The signatures resident
on the appliance protect against wide
classes of attacks, covering tens of thousands of individual threats. In
addition to the countermeasures on
the appliance, TZ rewalls also have
continuous access to the Capture Cloud
Platform database which extends the onboard signature intelligence with tens of millions of signatures.
In addition to providing threat prevention, the Capture Cloud Platform offers single pane of glass management and
administrators can easily create both real-time and historical repor ts on
network activity.
Advanced threat protection
At the center of SonicWall automated,
real-time breach prevention is SonicWall
Capture Advanced Threat Protection
service, a cloud-based multi-engine
sandbox that extends rewall threat
protection to detect and prevent zero-
day threats. Suspicious les are sent to the cloud where they are analyzed using deep learning algorithms with the option to hold them at the gateway
until a verdict is determined. The multi-
engine sandbox platform, which includes Real-Time Deep Memory Inspection, virtualized sandboxing, full system
emulation and hypervisor level analysis technology, executes suspicious code
and analyzes behavior. When a le is identied as malicious, it is blocked
and a hash is immediately created
within Capture ATP. Soon after, a signature is sent to rewalls to prevent follow-on attacks.
The service analyzes a broad range
of operating systems and le types, including executable programs, DLL, PDFs, MS Ofce documents, archives, JAR and APK .
Streaming Data
PDF
Email
Data File
101001001010
010100101101
010010100100
101001010010
110101010010
010100100010
101100100101
Endpoint
Arfact 1
Arfact 2
Arfact 3
Arfact 4
LEARNING
Deep Learning
MACHINE
Algorithms
For complete endpoint protection, the SonicWall Capture Client combines next-generation anti-virus technology
with SonicWall's cloud-based
multi-engine sandbox.
Classified Malware
RANSOMWARE
Locky
RANSOMWARE
UNKNOWN
A
WannaCry
TROJAN
Spartan
B C
BLOCK
unl
VERDICT
GoodBad
BLOCK
CLOUD CAPTURE SANDBOX
Hypervisor
A
D
Emulaon
B
Virtualizaon
C
RTDMI
D
SENT
3
Page 4
Reassembly-Free Deep Packet
Traffic out
Traffic out
Proxy
Scanning
Packet
disassembly
Packet assembly-based process
SonicWall stream-based architectureCompetitive proxy-based architecture
When proxy buffer
becomes full or
content too large,
files bypass
scanning.
Traffic in
Traffic in
TLS/SSL
Reassembly-free Deep Packet Inspection (RFDPI)
Reassembly-free packet
scanning eliminates proxy
and content size limitations.
Inspection time
Less More
Inspection capacity
Min Max
Inspection time
Less More
Inspection capacity
Min Max
CPU 1
CPU 2
CPU 3
CPU 4
CPU n
TLS/SSL
Inspection engine
The SonicWall Reassembly-Free Deep
Packet Inspection (RFDPI) is a single­pass, low latency inspection system that performs stream-based, bi-directional trafc analysis at high speed without proxying or buffering to effectively uncover intrusion attempts and malware downloads while identifying application trafc regardless of port and protocol.
This proprietar y engine relies on
streaming trafc payload inspection to detect threats at Layers 3-7, and takes
network streams through extensive and
repeated normalization and decryption in order to neutralize advanced evasion
techniques that seek to confuse detection
engines and sneak malicious code into
the network.
Once a packet undergoes the necessary
pre-processing, including TLS/SSL
decryption, it is analyzed against a single,
proprietary memory representation of three signature databases: intrusion attacks, malware and applications. The
connection state is then advanced to
represent the position of the stream
relative to these databases until it
encounters a state of attack, or other
“match” event, at which point a pre-set
action is taken.
In most cases, the connection is
terminated and proper logging and
notication events are created. However, the engine can also be congured for inspection only or, in case of application detection, to provide Layer 7 bandwidth management services for the remainder of the application stream as soon as the application is identied.
Centralized management and reporting
For highly regulated organizations
wanting to achieve a fully coordinated
security governance, compliance and risk management strategy, SonicWall
provides administrators a unied, secure and extensible platform to manage SonicWall rewalls, wireless access points and Dell N-Series and X-Series switches through a correlated and auditable workstream
4
process. Enterprises can easily consolidate the management of security
appliances, reduce administrative and troubleshooting complexities, and govern
all operational aspects of the security infrastructure, including centralized policy management and enforcement; real-time event monitoring; user activities; application identications; ow analytics and forensics; compliance and audit reporting; and more. In addition, enterprises meet the rewall’s change
management requirements through
workow automation which provides the agility and condence to deploy the right rewall policies at the right time and in conformance with compliance regulations.
Available on premises as SonicWall
Global Management System and in
the cloud as Capture Security Center,
SonicWall management and reporting
solutions provide a coherent way to manage network security by business
processes and service levels, dramatically
simplifying lifecycle management of your
overall security environments compared to managing on a device-by-device basis.
Page 5
Distributed networks
Because of their exibility, TZ series rewalls are ideally suited for both
distributed enterprise and single site
deployments. In distributed networks like those found in retail organizations, each site has its own TZ rewall which connects to the Internet often through a local provider using a DSL, cable or 3G/4G connection. In addition to Internet access, each rewall utilizes an Ethernet connection to transport packets between remote sites and the
central headquarters. Web services
and SaaS applications such as Ofce 365, Salesforce and others are served up from the data center. Through mesh VPN technology, IT administrators can create a hub and spoke conguration for the safe transpor t of data between
all locations.
The SD-WAN technology in SonicOS
is a perfect complement to TZ rewalls
Distributed Enterprise
Network with SD-WAN
NSsp 12800
IP
PBX
SonicWall Secure
SD-WAN Features
NSS Labs validated high
security efficacy
Zero-touch deployment
WAN load balancing
Dynamic path selection for business-critical applications
Secure AES 256 VPN
Application identification and visibility
Cloud-based central management
deployed at remote and branch sites.
Instead of relying on more expensive legacy technologies such as MPLS and T1, organizations using SD-WAN
Corporate HQ
SD-WAN Enabled
Transport
Remote / Branch Offices
Data Center
NSa 9650
· Anti-malware
· IPS
· Content filtering
· Capture ATP
· VPN
Terminal
Low-Cost Transport Technologies
Ethernet / DSL / Cable / 3G / 4G
IoT Devices – Cameras,
POS
IP Phones, etc.
Web Server Farm
Application Server Farm
Security Center
Cloud Orchestration
and Management
TZ600P Firewall
Capture
Access Point
SonicWave
Wireless
Guest
Corp
WiFi
WiFi
can choose lower-cost public Internet services while continuing to achieve a high level of application availability and predictable performance.
Capture Security Center
Tying the distributed network together
is SonicWall’s cloud-based Capture
Security Center (CSC) which centralizes
deployment, ongoing management
and real-time analytics of the TZ rewalls. A key feature of CSC is Zero-
Touch Deployment. Conguring and
deploying rewalls across multiple
sites is time-consuming and requires
onsite personnel. However Zero-
Touch Deployment removes these
challenges by simplifying and speeding the deployment and provisioning of SonicWall rewalls remotely through
the cloud. Similarly, CSC eases ongoing management by providing cloud-based
single-pane-of-glass management for SonicWall devices on the network. For complete situational awareness of the network security environment, SonicWall
Analytics offers a single-pane view
into all activity occurring inside the
network. Organizations gain a deeper understanding of application usage and performance while reducing the possibility of Shadow IT.
NSa or NSsp
Corporate
Headquarters
$
Sales network
Engineering network
Finance network
Single Sites
For single site deployments, having an
integrated network security solution is highly benecial. TZ series rewalls combine high security effectiveness with options such as built-in 802.11ac wireless and, in the case of the TZ300P and TZ600P, PoE/PoE+ support. The
Capture Security Center
TZ product line
Internet
3G/analog failover
Secure wireless zone
Printers
18-port Dell N-Series/X-Series switch
Protected server network
Storage
PoE cameras
same security engine in our mid-range
NSa series and high-end NSsp series is featured in TZ series rewall along with the broad feature set of SonicOS. Conguration and management is easy using the intuitive SonicOS UI.
Organizations save valuable rack space
due to the compact desktop form factor.
5
Page 6
SonicWall TZ600 series
For emerging enterprises, retail and branch ofces looking for security, performance and options such as 802.3at PoE+ support at a value price, the SonicWall TZ600 secures networks with enterprise-class features and uncompromising performance.
Specication TZ600 series
Firewall throughput 1.9 Gbps
Threat Prevention throughput 800 Mbps
Anti-malware throughput 800 Mbps
IPS throughput 1.2 Gbps
Maximum connections 150,000
New connections/sec 12,000
TZ600P
PoE/PoE+ por ts (4 PoE/PoE+)
Power LED Tes t LE D
USB por t (3G/4G WAN failover)
Link and activity indicator LEDs
Expansion module
Console port
8x1-GbE switch
(congurable)
X0 LAN port X1 WAN port
SonicWall TZ500 series
For growing branch ofces and SMBs, the SonicWall TZ500 series delivers highly effective, no-compromise protection with network productivity and optional integrated 802.11ac dual-band wireless.
Specication TZ500 series
Firewall throughput 1.4 Gbps
Threat Prevention throughput 700 Mbps
Anti-malware throughput 700 Mbps
IPS throughput 1.0 Gbps
Maximum connections 150,000
New connections/sec 8,000
Optional 802 .11ac wireless
12V DC 2A power
Power LED Tes t LE D
USB por t (3G/4G WAN failover)
Link and activity indicator LEDs
Console port
6x1-GbE switch
(congurable)
X0 LAN port X1 WAN port
12V DC 2A power
6
Page 7
SonicWall TZ400 series
For small business, retail and branch ofce locations, the SonicWall TZ400 series delivers enterprise-grade protection. Flexible wireless deployment is available with optional 802.11ac dual-band wireless integrated into the rewall.
Specication TZ400 series
Firewall throughput 1.3 Gbps
Threat Prevention throughput 600 Mbps
Anti-malware throughput 600 Mbps
IPS throughput 900 Mbps
Maximum connections 150,000
New connections/sec 6,000
Optional 802 .11ac wireless
Power LED Tes t LE D 5x1-GbE switch
USB por t (3G/4G WAN failover)
Link and activity indicator LEDs
Console port
(congurable)
X0 LAN port X1 WAN port
12V DC 2A power
SonicWall TZ350/TZ300 series
The SonicWall TZ300 and TZ350 series offer an all-in-one solution that protects networks from advanced attacks. Unlike consumer
grade products, these UTM rewalls combine high-speed intrusion prevention, anti-malware and content /URL ltering plus broad secure mobile access support for laptops, smartphones and tablets along with optional integrated 802.11ac wireless. In addition, the TZ300 offers optional 802.3at PoE+ to power PoE-enabled devices.
Specication TZ350 series TZ300 series
Firewall throughput 1.0 Gbps 750 Mbps
Threat Prevention throughput 335 Mbps 235 Mbps
Anti-malware throughput 335 Mbps 235 Mbps
IPS throughput 400 Mbps 300 Mbps
Maximum connections 100,000 100,000
New connections/sec 6,000 5,000
TZ300P
PoE/PoE+ ports (2 PoE or 1 PoE+)
Optional 802 .11ac wireless
Power LED Tes t LE D
USB por t (3G/4G WAN failover)
Link and activity indicator LEDs
Console port
3x1-GbE switch
(congurable)
X0 LAN port X1 WAN port
12V DC 2A power
7
Page 8
SonicWall SOHO 250/SOHO series
For wired and wireless small and home of ce environments, the SonicWall SOHO 250 and SOHO series deliver the same business­class protection large organizations require at a more affordable price point. Add optional 802.11n wireless to provide employees, customers and guests with secure wireless connectivity.
Specication SOHO 250 series SOHO series
Firewall throughput 600 Mbps 300 Mbps
Threat Prevention throughput 200 Mbps 150 Mbps
Anti-malware throughput 200 Mbps 150 Mbps
IPS throughput 250 Mbps 200 Mbps
Maximum connections 50,000 10,000
New connections/sec 3,000 1,800
Optional 802 .11n wireless
Power LED Tes t LE D
Link and activity indicator LEDs
USB por t (3G/4G WAN failover)
Partner Enabled Services
Need help to plan, deploy or optimize your SonicWall solution? SonicWall Advanced Services Partners are trained to provide you with world class professional services. Learn more at www.sonicwall.com/PES.
Console port
3x1-GbE switch
(congurable)
X0 LAN port X1 WAN port
12V DC 2A power
8
Page 9
Features
RFDPI ENGINE
Feature Description
Reassembly-Free Deep Packet Inspection (RFDPI)
Bi-directional inspection
Stream-based inspection
Highly parallel and scalable
Single-pass inspection
FIREWALL AND NETWORKING
Feature Description
Secure SD-WAN
REST APIs
Stateful packet inspection All network trafc is inspected, analyzed and brought into compliance with rewall access policies.
High availability/clustering
DDoS/DoS attack protection
IPv6 support
Flexible deployment options The TZ series can be deployed in traditional NAT, Layer 2 bridge, wire and network tap modes. WAN load balancing Load-balances multiple WAN interfaces using Round Robin, Spillover or Percentage methods.
Advanced quality of service (QoS)
H.323 gatekeeper and SIP proxy
support
Single and cascaded Dell N-Series and X-Series switch management
Biometric authentication
Open authentication and social login
Wireless Network Security
MANAGEMENT AND REPORTING
Feature Description
Cloud-based and on-premises management
Powerful single device management
IPFIX/NetFlow application ow
reporting
This high-performance, proprietary and patented inspection engine performs stream-based, bi-directional trafc analysis, without proxying or buffering, to uncover intrusion attempts and malware and to identify application trafc regardless of port.
Scans for threats in both inbound and outbound trafc simultaneously to ensure that the network is not used to distribute malware and does not become a launch platform for attacks in case an infected machine
is brought inside.
Proxy-less and non-buffering inspection technology provides ultra-low latency performance for DPI of millions of simultaneous network streams without introducing le and stream size limitations, and can be applied on common protocols as well as raw TCP streams.
The unique design of the RFDPI engine works with the multi-core architecture to provide high DPI throughput and extremely high new session establishment rates to deal with trafc spikes in demanding networks.
A single-pass DPI architecture simultaneously scans for malware, intrusions and application identication, drastically reducing DPI latency and ensuring that all threat information is correlated in a single architecture.
An alternative to more expensive technologies such as MPLS, Secure SD-WAN enables distributed enterprise organizations to build, operate and manage secure, high-performance networks across remote sites for the purpose of sharing data, applications and services using readily-available, low-cost public
internet services.
Allows the rewall to receive and leverage any and all proprietary, original equipment manufacturer and third-party intelligence feeds to combat advanced threats such as zero-day, malicious insider, compromised credentials, ransomware and advanced persistent threats.
SonicWall TZ500 and TZ600 models support high availability with Active/Standby with state synchronization. SonicWall TZ300 and TZ400 models support high availability without Active/Standby synchronization. There
is no high availability on SonicWall SOHO models.
SYN ood protection provides a defense against DoS attacks using both Layer 3 SYN proxy and Layer 2 SYN blacklisting technologies. Additionally, it protects against DoS/DDoS through UDP/ICMP ood
protection and connection rate limiting.
Internet Protocol version 6 (IPv6) is in its early stages to replace IPv4. With SonicOS, the hardware will support ltering and wire mode implementations.
Guarantees critical communications with 802.1p, DSCP tagging, and remapping of VoIP trafc on the network.
Blocks spam calls by requiring that all incoming calls are authorized and authenticated by H.323 gatekeeper or
SIP proxy. Manage security settings of additional ports, including Portshield, HA, PoE and PoE+, under a single pane
of glass using the rewall management dashboard for Dell’s N-Series and X-Series network switch (not available with SOHO model).
Supports mobile device authentication such as ngerprint recognition that cannot be easily duplicated or shared to securely authenticate the user identity for network access.
Enable guest users to use their credentials from social networking services such as Facebook, Twitter, or Google+ to sign in and access the Internet and other guest services through a host's wireless, LAN or DMZ
zones using pass-through authentication.
Available as an integrated option on SonicWall TZ300 through TZ500, IEEE 802.11ac wireless technology can deliver up to 1.3 Gbps of wireless throughput with greater range and reliability. Optional 802.11 a/b/g/n
is available on SonicWall SOHO models.
Conguration and management of SonicWall appliances is available via the cloud through the SonicWall Capture Security Center and on-premises using SonicWall Global Management System (GMS).
An intuitive web-based interface allows quick and convenient conguration, in addition to a comprehensive command-line interface and support for SNMPv2/3.
Exports application trafc analytics and usage data through IPFIX or NetFlow protocols for real-time and historical monitoring and reporting with tools that support IPFIX and NetFlow with extensions.
9
Page 10
VIRTUAL PRIVATE NETWORKING
Feature Description
Auto-provision VPN
IPSec VPN for site-to-site connectivity
SSL VPN or IPSec client remote access
Redundant VPN gateway
Route-based VPN
CONTENT/CONTEXT AWARENESS
Simplies and reduces complex distributed rewall deployment down to a trivial effort by automating the initial site-to-site VPN gateway provisioning between SonicWall rewalls while security and connectivity occurs
instantly and automatically.
High-performance IPSec VPN allows the TZ series to act as a VPN concentrator for thousands of other large sites, branch ofces or home ofces.
Utilizes clientless SSL VPN technology or an easy-to-manage IPSec client for easy access to email, les, computers, intranet sites and applications from a variety of platforms.
When using multiple WANs, a primary and secondary VPN can be congured to allow seamless, automatic failover and failback of all VPN sessions.
The ability to perform dynamic routing over VPN links ensures continuous uptime in the event of a temporary VPN tunnel failure, by seamlessly re-routing trafc between endpoints through alternate routes.
Feature Description
User activity tracking
GeoIP country trafc identication
Regular expression DPI ltering
CAPTURE ADVANCE THREAT PROTECTION
User identication and activity are made available through seamless AD/LDAP/Citrix1/Terminal Services1 SSO integration combined with extensive information obtained through DPI.
Identies and controls network trafc going to or coming from specic countries to either protect against attacks from known or suspected origins of threat activity, or to investigate suspicious trafc originating from the network. Provides the ability to create custom country and Botnet lists to override an incorrect country or Botnet tag associated with an IP address. Eliminates unwanted ltering of IP addresses due to misclassication.
Prevents data leakage by identifying and controlling content crossing the network through regular
expression matching. Provides the ability to create custom country and Botnet lists to override an incorrect
country or Botnet tag associated with an IP address.
Feature Description
Multi-engine sandboxing
Real-Time Deep Memory Inspection (RTDMI)
Block until verdict
Broad le type and size analysis
Rapid deployment of signatures
Capture Client
ENCRYPTED THREAT PREVENTION
The multi-engine sandbox platform, which includes virtualized sandboxing, full system emulation,
and hypervisor level analysis technology, executes suspicious code and analyzes behavior, providing comprehensive visibility to malicious activity.
This patent-pending cloud-based technology detects and blocks malware that does not exhibit any malicious behavior and hides its weaponry via encryption. By forcing malware to reveal its weaponry into memory, the RTDMI engine proactively detects and blocks mass-market, zero-day threats and unknown malware.
To prevent potentially malicious les from entering the network, les sent to the cloud for analysis can be held at the gateway until a verdict is determined.
Supports analysis of a broad range of le types, either individually or as a group, including executable programs (PE), DLL, PDFs, MS Ofce documents, archives, JAR, and APK plus multiple operating systems including Windows, Android, Mac OS X and multi-browser environments.
When a le is identied as malicious, a signature is immediately deployed to rewalls with SonicWall Capture ATP subscriptions and Gateway Anti-Virus and IPS signature databases and the URL, IP and domain reputation databases within 48 hours.
Capture Client is a unied client platform that delivers multiple endpoint protection capabilities, including advanced malware protection and support for visibility into encrypted trafc. It leverages layered protection technologies, comprehensive reporting and endpoint protection enforcement.
Feature Description
Decrypts and inspects TLS/SSL encrypted trafc on the y, without proxying, for malware, intrusions and
TLS/SSL decryption and inspection
SSH inspection
INTRUSION PREVENTION
data leakage, and applies application, URL and content control policies in order to protect against threats hidden in encrypted trafc. Included with security subscriptions for all TZ series models except SOHO. Sold
as a separate license on SOHO.
Deep packet inspection of SSH (DPI-SSH) decrypts and inspect data traversing over SSH tunnel to prevent
attacks that leverage SSH.
Feature Description
Countermeasure-based protection
Automatic signature updates
Tightly integrated intrusion prevention system (IPS) leverages signatures and other countermeasures to scan packet payloads for vulnerabilities and exploits, covering a broad spectrum of attacks and
vulnerabilities.
The SonicWall Threat Research Team continuously researches and deploys updates to an extensive list of IPS countermeasures that covers more than 50 attack categories. The new updates take immediate effect without any reboot or service interruption required.
10
Page 11
INTRUSION PREVENTION CON'T
Feature Description
Intra-zone IPS protection
Botnet command and control (CnC)
detection and blocking
Protocol abuse/anomaly Identies and blocks attacks that abuse protocols in an attempt to sneak past the IPS.
Zero-day protection
Anti-evasion technology
THREAT PREVENTION
Bolsters internal security by segmenting the network into multiple security zones with intrusion prevention, preventing threats from propagating across the zone boundaries.
Identies and blocks command and control trafc originating from bots on the local network to IPs and domains that are identied as propagating malware or are known CnC points.
Protects the network against zero-day attacks with constant updates against the latest exploit methods and techniques that cover thousands of individual exploits.
Extensive stream normalization, decoding and other techniques ensure that threats do not enter the network undetected by utilizing evasion techniques in Layers 2-7.
Feature Description
Gateway anti-malware
Capture Cloud malware protection
Around-the-clock security updates
Bi-directional raw TCP inspection
Extensive protocol support
APPLICATION INTELLIGENCE AND CONTROL
The RFDPI engine scans all inbound, outbound and intra-zone trafc for viruses, Trojans, key loggers and other malware in les of unlimited length and size across all ports and TCP streams.
A continuously updated database of tens of millions of threat signatures resides in the SonicWall cloud servers and is referenced to augment the capabilities of the onboard signature database, providing RFDPI with extensive coverage of threats.
New threat updates are automatically pushed to rewalls in the eld with active security services, and take effect immediately without reboots or interruptions.
The RFDPI engine is capable of scanning raw TCP streams on any port bi-directionally preventing attacks that they to sneak by outdated security systems that focus on securing a few well-known ports.
Identies common protocols such as HTTP/S, FTP, SMTP, SMBv1/v2 and others, which do not send data in raw TCP, and decodes payloads for malware inspection, even if they do not run on standard, well-known ports.
Feature Description
Application control
Custom application identication
Application bandwidth management
Granular control
CONTENT FILTERING
Control applications, or individual application features, that are identied by the RFDPI engine against a continuously expanding database of over thousands of application signatures, to increase network security and enhance network productivity.
Control custom applications by creating signatures based on specic parameters or patterns unique to an application in its network communications, in order to gain further control over the network.
Granularly allocate and regulate available bandwidth for critical applications or application categories while inhibiting nonessential application trafc.
Control applications, or specic components of an application, based on schedules, user groups, exclusion lists and a range of actions with full SSO user identication through LDAP/AD/Terminal Services/Citrix
integration.
Feature Description
Inside/outside content ltering
Enforced Content Filtering Client
Granular controls
Web caching
ENFORCED ANTI-VIRUS AND ANTI-SPYWARE
Enforce acceptable use policies and block access to HTTP/HTTPS websites containing information or images that are objectionable or unproductive with Content Filtering Service and Content Filtering Client.
Extend policy enforcement to block internet content for Windows, Mac OS, Android and Chrome devices located outside the rewall perimeter.
Block content using the predened categories or any combination of categories. Filtering can be scheduled by time of day, such as during school or business hours, and applied to individual users or groups.
URL ratings are cached locally on the SonicWall rewall so that the response time for subsequent access to frequently visited sites is only a fraction of a second.
Feature Description
Multi-layered protection
Automated enforcement option
Automated deployment and
installation option
Next-generation antivirus
Spyware protection
Utilize the rewall capabilities as the rst layer of defense at the perimeter, coupled with endpoint protection to block, viruses entering network through laptops, thumb drives and other unprotected systems.
Ensure every computer accessing the network has the appropriate antivirus software and/or DPI­SSL certicate installed and active, eliminating the costs commonly associated with desktop antivirus
management.
Machine-by-machine deployment and installation of antivirus and anti-spyware clients is automatic across the network, minimizing administrative overhead.
Capture Client uses a static articial intelligence (AI) engine to determine threats before they can execute and roll back to a previous uninfected state.
Powerful spyware protection scans and blocks the installation of a comprehensive array of spyware programs on desktops and laptops before they transmit condential data, providing greater desktop security and performance.
11
Page 12
SonicOS feature summary
Firewall
• Stateful packet inspection
• Reassembly-Free Deep Packet Inspection
• DDoS attack protec tion
(UDP/ICMP/SYN ood)
• IPv4/IPv6 support
• Biometric authentication for remote access
• DNS proxy
• REST APIs
SSL/SSH decryption and inspection¹
• Deep packet inspection for TL S/SSL /SSH
• Inclusion/exclusion of objects, groups or hostnames
• TLS/SSL control
• Granular DPI SSL controls per zone or rule
Capture Advanced Threat Protection1
• Real-Time Deep Memor y Inspection
• Cloud-based multi-engine analysis
• Virtualized sandboxing
• Hyper visor level analysis
• Full system emulation
Broad le type examination
• Automated and manual submission
• Real-time threat intelligence updates
• Block until verdict
• Capture Client
Intrusion prevention1
• Signature-based scanning
• Automatic signature updates
• Bidirectional inspection
• Granular IPS rule capability
GeoIP/Botnet ltering
• Regular expression matching
Anti-malware1
• Stream-based malware scanning
• Gateway anti-virus
• Gateway anti-spyware
• Bi-directional inspection
No le size limitation
• Cloud malware database
2
Application identication1
• Application control
• Application bandwidth management
• Custom application signature creation
• Data leakage prevention
• Application reporting over NetFlow/IPFIX
• Comprehensive application signature database
Trafc visualization and analytics
• User activity
• Application/bandwidth/threat usage
• Cloud-based analytics
HTTP/HTTPS Web content ltering1
URL ltering
• Anti-proxy technology
• Keyword blocking
Policy-based ltering (exclusion/ inclusion)
• HTTP header insertion
• Bandwidth manage CFS rating categories
Unied policy model with app control
• Content Filtering Client
VPN
• Auto-provision VPN
• IPSec VPN for site-to-site connectivity
• SSL VPN and IPSec client remote access
• Redundant VPN gateway
• Mobile Connect for iOS, Mac OS X , Windows, Chrome, Android and Kindle Fire
• Route-based VPN (OSPF, RIP, BGP)
Networking
• Secure SD-WAN
• PortShield
• Enhanced logging
• Layer-2 QoS
• Port security
• Dynamic routing (RIP/OSPF/BGP)
• SonicWall wireless controller
• Policy-based routing (ToS/metric and ECMP)
• Asymmetric routing
• DHCP server
• NAT
• Bandwidth management
• High availability - Active/Standby with state sync
2
• Inbound/outbound load balancing
• L2 bridge mode, NAT mode
• 3G/4G WAN failover
• Common Access Card (CAC) support
VoIP
• Granular QoS control
• Bandwidth management
DPI for VoIP traf c
• H.323 gatekeeper and SIP proxy support
Management and monitoring
• Web GUI
• Command line interface (CLI)
• SNMPv2/ v3
• Centralized management and reporting with SonicWall GMS and Capture Security Center
• Logging
Net ow/IPFix expor ting
Cloud-based conguration backup
• Application and bandwidth visualization
• IPv4 and IPv6 management
• Dell N-Series and X-Series switch management including cascaded switches
2
Integrated Wireless
• Dual-band (2.4 GHz and 5.0 GHz)
• 802.11 a/b/g/n/ac wireless standards
• WIDS/WIPS
• Wireless guest services
• Lightweight hotspot messaging
• Virtual access point segmentation
• Captive portal
• Cloud ACL
2
1
Requires added subscription
2
State sync high availability only on SonicWall TZ500 and SonicWall TZ6 00 models
12
Page 13
SonicWall TZ series system specications
FIREWALL GENERAL SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
Operating system SonicOS
Interfaces 5x1GbE, 1 USB, 1 Console
Power over Ethernet (PoE) support
5x1GbE, 1 USB,
1 Console
TZ300P - 2 ports
(2 PoE or 1 PoE+) Expansion USB
Management CLI, SSH, Web UI, Capture Security Center, GMS, REST APIs
Single Sign-On (SSO) Users 250 350 500 500 VLAN interfaces 25 Access points supported (maximum) 2 4 8 8
FIREWALL/VPN PERFORMANCE SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
Firewall inspection throughput
Threat Prevention throughput
Application inspection throughput IPS throughput
2
Anti-malware inspection throughput TLS/SSL inspection and decryption throughput (DPI SSL) IPSec VPN throughput
1
2
2
300 Mbps 600 Mbps 750 Mbps 1.0 Gbps 150 Mbps 200 Mbps 235 Mbps 335 Mbps
275 Mbps 375 Mbps 600 Mbps
200 Mbps 250 Mbps 300 Mbps 400 Mbps
2
2
3
150 Mbps 200 Mbps 235 Mbps 335 Mbps
30 Mbps 50 Mbps 60 Mbps 65 Mbps
150 Mbps 200 Mbps 300 Mbps 430 Mbps
Connections per second 1,800 3,000 5,000 6,000
Maximum connections (SPI) 10,000 50,000 100,000 100,000 Maximum connections (DPI) 10,000 50,000 90,000 90,000 Maximum connections (DPI SSL) 250 25,000 25,000 25,000
VPN SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
Site-to-site VPN tunnels 10 10 10 15 IPSec VPN clients (maximum) 1 (5) 1 (5) 1 (10) 1 (10) SSL VPN licenses (maximum) 1 (10) 1 (25) 1 (50) 1 (75) Virtual assist bundled (maximum) 1 (30-day trial) 1 (30-day trial) 1 (30-day trial) Encryption/authentication DES, 3DES, AES (128, 192, 256-bit), MD5, SHA-1, Suite B Cryptography Key exchange Dife Hellman Groups 1, 2, 5, 14v Route-based VPN RIP, OSPF, BGP
Certicate support
VPN features
Global VPN client platforms supported
NetExtender
Mobile Connect
Verisign, Thawte, Cybertrust, RSA Keon, Entrust and Microsoft CA for SonicWall-to-
SonicWall VPN, SCEP
Dead Peer Detection, DHCP Over VPN, IPSec NAT Traversal,
Redundant VPN Gateway, Route-based VPN
Microsoft® Windows Vista 32/64-bit, Windows 7 32/64-bit,
Windows 8.0 32/64-bit, Windows 8.1 32/64-bit, Windows 10
Microsoft Windows Vista 32/64-bit, Windows 7, Windows 8.0 32/64-bit, Windows 8.1
32/64-bit, Mac OS X 10.4+, Linux FC3+/Ubuntu 7+/OpenSUSE
Apple® iOS, Mac OS X, Google® Android™, Kindle Fire, Chrome,
Windows 8.1 (Embedded)
SECURITY SERVICES SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
Deep Packet Inspection services Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, DPI SSL
Content Filtering Service (CFS)
HTTP URL, HTTPS IP, keyword and content scanning, Comprehensive ltering based
on le types such as ActiveX, Java, Cookies for privacy, allow/forbid lists Comprehensive Anti-Spam Service Supported Application Visualization No Yes Yes Yes Application Control Yes Ye s Yes Ye s Capture Advanced Threat Protection No Ye s Yes Yes
NETWORKING SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
IP address assignment Static, (DHCP, PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP relay NAT modes 1:1, 1:many, many:1, many:many, exible NAT (overlapping IPs), PAT, transparent mode
Routing protocols
QoS
4
BGP4, OSPF, RIPv1/v2, static routes, policy-based routing
Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking,
802.1e (WMM)
5x1GbE, 1 USB,
1 Console
13
Page 14
SonicWall TZ series specications cont'd
NETWORKING CONT'D SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
Authentication
LDAP (multiple domains), XAUTH/RADIUS,
SSO, Novell, internal user database
Local user database 150 VoIP Full H.323v1-5, SIP
Standards
Certications
TCP/IP, UDP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP,
PPTP, RADIUS, IEEE 802.3
FIPS 140-2 (with Suite B) Level 2, UC APL, VPNC, IPv6 (Phase 2), ICSA Network
Firewall, ICSA Anti-virus Certications pending Common Criteria NDPP (Firewall and IPS) Common Access Card (CAC) Supported
High availability No Active/standby
HARDWARE SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
Form factor Desktop
Power supply 24W external
Maximum power consumption (W) 6.4 / 11.3 6.9 / 11.3
Input power 100 to 240 VAC, 50-60 Hz, 1 A
Total heat dissipation 21.8 / 38.7 BTU 23.5 / 38.7 BTU
Dimensions
Weight
WEEE weight
Shipping weight
3.6 x 14.1 x 19 cm
1.42 x 5.55 x 7.48 in
0.34 kg / 0.75 lbs
0.48 kg / 1.06 lbs
0.80 kg / 1.76 lbs
0.94 kg / 2.07 lbs
1.20 kg / 2.64 lbs
1.34 kg / 2.95 lbs
MTBF (in years) 58.9/56.1 (wireless) 56.1
Environment (Operating/Storage) 32°-105° F (0°-40° C)/-40° to 158° F (-40° to 70° C)
Humidity 5-95% non-condensing
REGULATORY SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
FCC Class B, ICES Class B, CE (EMC, LVD,
Major regulatory compliance (wired models)
RoHS), C-Tick, VCCI Class B, UL, cUL,
TUV/GS, CB, Mexico CoC by UL, WEEE,
REACH, KCC/MSIP
FCC Class B, FCC RF ICES Class B, IC RF
Major regulatory compliance (wireless models)
CE (RED, RoHS), RCM, VCCI Class B, MIC/ TELEC, UL, cUL, TUV/GS, CB, Mexico CoC
by UL, WEEE, REACH
INTEGRATED WIRELESS SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
Standards
Frequency bands
5
802.11a: 5.180-5.825 GHz; 802.11b/g:
802.11 a/b/g/n
2.412-2.472 GHz; 802.11n: 2.412-2.472
GHz, 5.180-5.825 GHz
LDAP (multiple domains), XAUTH/
RADIUS, SSO, Novell, internal user
database, Terminal Services, Citrix,
Common Access Card (CAC)
24W external
24W external
65W external
(TZ300P only)
6.9 / 12.0 6.9 / 12.0
23.5 / 40.9 BTU 23.5 / 40.9 BTU
3.5 x 13.4 x 19 cm
1.38 x 5.28 x 7.48 in
3.5 x 13.4 x 19 cm
1.38 x 5.28 x 7.48
in
0.73 kg / 1.61 lbs
0.84 kg / 1.85 lbs
1.15 kg / 2.53 lbs
1.26 kg / 2.78 lbs
1.37 kg / 3.02 lbs
1.48 kg / 3.26 lbs
0.73 kg / 1.61 lbs
0.84 kg / 1.85 lbs
1.15 kg / 2.53 lbs
1.26 kg / 2.78 lbs
1.37 kg / 3.02 lbs
1.48 kg / 3.26 lbs
56.1 56.1
FCC Class B, ICES Class B, CE (EMC, LVD,
RoHS), C-Tick, VCCI Class B, UL, cUL,
TUV/GS, CB, Mexico CoC by UL, WEEE,
REACH, KCC/MSIP
FCC Class B, FCC RF ICES Class B, IC
RF CE (RED, RoHS), RCM, VCCI Class B,
MIC/TELEC, UL, cUL, TUV/GS, CB, Mexico
CoC by UL, WEEE, REACH
802.11a/b/g/n/ac (WEP, WPA, WPA2,
802.11i, TKIP, PSK,02.1x, EAP-PEAP, EAP-TTLS
802.11a: 5.180-5.825 GHz; 802.11b/g:
2.412-2.472 GHz; 802.11n: 2.412-2.472
GHz, 5.180-5.825 GHz; 802.11ac: 2.412-
2.472 GHz, 5.180-5.825 GHz
14
Page 15
SonicWall TZ series system specications cont'd
INTEGRATED WIRELESS SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES
Operating Channels
Transmit output power
Transmit power control
Data rates supported
Modulation technology spectrum
802.11a: US and Canada 12, Europe 11,
Japan 4, Singapore 4, Taiwan 4; 802.11b/g:
US and Canada 1-11, Europe 1-13, Japan
1-14 (14-802.11b only); 802.11n (2.4
GHz): US and Canada 1-11, Europe 1-13,
Japan 1-13; 802.11n (5 GHz): US and
Canada 36-48/149-165, Europe 36-48,
Japan 36-48, Spain 36-48/52-64;
Based on the regulatory domain specied by the system administrator
Supported
802.11a: 6, 9, 12, 18, 24, 36, 48, 54 Mbps per channel; 802.11b: 1, 2, 5.5, 11 Mbps
per channel; 802.11g: 6, 9, 12, 18, 24, 36,
48, 54 Mbps per channel; 802.11n: 7.2,
14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2, 15, 30, 45, 60, 90, 120, 135, 150 Mbps per
channel
802.11a: Orthogonal Frequency Division Multiplexing (OFDM); 802.11b: Direct
Sequence Spread Spectrum (DSSS);
802.11g: Orthogonal Frequency Division Multiplexing (OFDM)/Direct Sequence
Spread Spectrum (DSSS); 802.11n:
Orthogonal Frequency Division Multiplexing
(OFDM)
802.11a: US and Canada 12, Europe 11, Japan 4, Singapore 4, Taiwan 4;
802.11b/g: US and Canada 1-11, Europe 1-13, Japan 1-14 (14-802.11b only);
802.11n (2.4 GHz): US and Canada 1-11, Europe 1-13, Japan 1-13; 802.11n (5
GHz): US and Canada 36-48/149-165, Europe 36-48, Japan 36-48, Spain 36-
48/52-64; 802.11ac: US and Canada 36-
48/149-165, Europe 36-48, Japan 36-48,
Spain 36-48/52-64
802.11a: 6, 9, 12, 18, 24, 36, 48, 54
Mbps per channel; 802.11b: 1, 2, 5.5,
11 Mbps per channel; 802.11g: 6, 9, 12,
18, 24, 36, 48, 54 Mbps per channel;
802.11n: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8,
65, 72.2, 15, 30, 45, 60, 90, 120, 135, 150 Mbps per channel; 802.11ac: 7.2,
14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2,
86.7, 96.3, 15, 30, 45, 60, 90, 120, 135, 150, 180, 200, 32.5, 65, 97.5, 130, 195,
260, 292.5, 325, 390, 433.3, 65, 130,
195, 260, 390, 520, 585, 650, 780, 866.7
Mbps per channel
802.11a: Orthogonal Frequency Division Multiplexing (OFDM); 802.11b: Direct
Sequence Spread Spectrum (DSSS);
802.11g: Orthogonal Frequency Division Multiplexing (OFDM)/Direct Sequence Spread Spectrum (DSSS);
802.11n: Orthogonal Frequency
Division Multiplexing (OFDM); 802.11ac:
Orthogonal Frequency Division
Multiplexing (OFDM)
*Future use.
1
Testing Methodologies: Maximum per formance based on RFC 2544 (for rewall). Actual performance may vary depending on net work conditions and ac tivated services.
2
Threat Prevention/ GatewayAV/Anti-Spyware/IPS throughput measured using indus try standard Spirent WebAvalanche HT TP perfor mance test and Ixia test tools. Testing done with multiple ows through multiple port pairs. Threat Prevention throughput measured with Gateway AV, Anti-Spy ware, IPS and Applicat ion Control enabled.
3
VPN throughput measured using UDP trafc at 1280 by te packet size adhering to RFC 254 4. All speci cat ions, features and availability are subject to change.
4
BGP is available only on SonicWall TZ400, TZ500 and T Z60 0.
5
All TZ integr ated wireless models can support either 2.4GHz or 5GHz band. For dual-band support, please use SonicWall's wireless access point products
15
Page 16
SonicWall TZ series system specications cont'd
FIREWALL GENERAL TZ400 SERIES TZ500 SERIES TZ600 SERIES
Operating system SonicOS
Interfaces
7x1GbE, 1 USB,
1 Console
8x1GbE, 2 USB,
1 Console
Power over Ethernet (PoE) support
Expansion USB 2 USB Expansion Slot (Rear)*, 2 USB
Management CLI, SSH, Web UI, Capture Security Center, GMS, REST APIs
Single Sign-On (SSO) Users 500 500 500 VLAN interfaces 50 50 50 Access points supported (maximum) 16 16 24
FIREWALL/VPN PERFORMANCE TZ400 SERIES TZ500 SERIES TZ600 SERIES
Firewall inspection throughput
Threat Prevention throughput
Application inspection throughput IPS throughput
2
Anti-malware inspection throughput TLS/SSL inspection and decryption throughput
(DPI SSL)
2
IPSec VPN throughput
1
2
2
1.3 Gbps 1.4 Gbps 1.9 Gbps
600 Mbps 700 Mbps 800 Mbps
1.2 Gbps 1.3 Gbps 1.8 Gbps
900 Mbps 1.0 Gbps 1.2 Gbps
2
600 Mbps 700 Mbps 800 Mbps
180 Mbps 225 Mbps 300 Mbps
3
900 Mbps 1.0 Gbps 1.1 Gbps
Connections per second 6,000 8,000 12,000
Maximum connections (SPI) 150,000 150,000 150,000 Maximum connections (DPI) 125,000 125,000 125,000 Maximum connections (DPI SSL) 25,000 25,000 25,000
VPN TZ400 SERIES TZ500 SERIES TZ600 SERIES
Site-to-site VPN tunnels 20 25 50 IPSec VPN clients (maximum) 2 (25) 2 (25) 2 (25) SSL VPN licenses (maximum) 2 (100) 2 (150) 2 (200) Virtual assist bundled (maximum) 1 (30-day trial) 1 (30-day trial) 1 (30-day trial) Encryption/authentication DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B Cryptography Key exchange Dife Hellman Groups 1, 2, 5, 14v Route-based VPN RIP, OSPF, BGP
Certicate support
VPN features
Global VPN client platforms supported
NetExtender
Microsoft Windows Vista 32/64-bit, Windows 7, Windows 8.0 32/64-bit, Windows 8.1 32/64-bit,
Verisign, Thawte, Cybertrust, RSA Keon, Entrust and Microsoft CA for
SonicWall-to- SonicWall VPN, SCEP
Dead Peer Detection, DHCP Over VPN, IPSec NAT Traversal,
Redundant VPN Gateway, Route-based VPN
Microsoft® Windows Vista 32/64-bit, Windows 7 32/64-bit,
Windows 8.0 32/64-bit, Windows 8.1 32/64-bit, Windows 10
Mac OS X 10.4+, Linux FC3+/Ubuntu 7+/OpenSUSE Mobile Connect Apple® iOS, Mac OS X, Google® Android™, Kindle Fire, Chrome, Windows 8.1 (Embedded)
SECURITY SERVICES TZ400 SERIES TZ500 SERIES TZ600 SERIES
Deep Packet Inspection services Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, DPI SSL
Content Filtering Service (CFS)
HTTP URL, HTTPS IP, keyword and content scanning, Comprehensive ltering based on le types
such as ActiveX, Java, Cookies for privacy, allow/forbid lists Comprehensive Anti-Spam Service Supported Application Visualization Yes Yes Yes Application Control Yes Yes Yes Capture Advanced Threat Protection Yes Yes Yes
NETWORKING TZ400 SERIES TZ500 SERIES TZ600 SERIES
IP address assignment Static, (DHCP, PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP relay
NAT modes 1:1, 1:many, many:1, many:many, exible NAT (overlapping IPs), PAT, transparent mode
Routing protocols
4
BGP4, OSPF, RIPv1/v2, static routes, policy-based routing
QoS Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1e (WMM)
10x1GbE, 2 USB,
1 Console,
1 Expansion Slot
TZ600P - 4 ports
(4 PoE or 4 PoE+)
16
Page 17
SonicWall TZ series system specications cont'd
NETWORKING TZ400 SERIES TZ500 SERIES TZ600 SERIES
Authentication LDAP (multiple domains), XAUTH/RADIUS, SSO, Novell, internal user database,
Local user database 150 250
VoIP Full H.323v1-5, SIP
Standards TCP/IP, UDP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS,
Certications FIPS 140-2 (with Suite B) Level 2, UC APL, VPNC, IPv6 (Phase 2), ICSA Network Firewall, ICSA
Certications pending Common Criteria NDPP (Firewall and IPS)
Common Access Card (CAC) Suppor ted
High availability Active/standby Active/Standby with stateful synchronization
HARDWARE TZ400 SERIES TZ500 SERIES TZ600 SERIES
Form factor Desktop
Power supply 24W external 36W external 60W external
Maximum power consumption (W) 9.2 / 13.8 13.4 / 17.7 16.1
Input power 100-240 VAC, 50-60 Hz, 1 A
Total heat dissipation 31.3 / 47.1 BTU 45.9 / 60.5 BTU 55.1 BTU
Dimensions 3.5 x 13.4 x 19 cm
1.38 x 5.28 x 7.48 in
Weight 0.73 kg / 1.61 lbs
0.84 kg / 1.85 lbs
WEEE weight 1.15 kg / 2.53 lbs
1.26 kg / 2.78 lbs
Shipping weight 1.37 kg / 3.02 lbs
1.48 kg / 3.26 lbs
MTBF (in years) 54.0 40.8 18.4
Environment (Operating/Storage) 32°-105° F (0°-40° C)/-40° to 158° F (-40° to 70° C)
Humidity 5-95% non-condensing
REGULATORY TZ400 SERIES TZ500 SERIES TZ600 SERIES
Major regulatory compliance (wired models) FCC Class B, ICES Class B,
CE (EMC, LVD, RoHS), C-Tick,
VCCI Class B, UL, cUL, TUV/
GS, CB, Mexico CoC by UL,
WEEE, REACH, KCC/MSIP
Major regulatory compliance (wireless models) FCC Class B, FCC RF ICES
Class B, IC RF CE (RED, RoHS),
RCM, VCCI Class B, MIC/
TELEC, UL, cUL, TUV/GS, CB,
Mexico CoC by UL, WEEE,
REACH
Terminal Services, Citrix, Common Access Card (CAC)
IEEE 802.3
Anti-virus
3.5 x 15 x 22.5 cm
1.38 x 5.91 x 8.86 in
0.92 kg / 2.03 lbs
1.05 kg / 2.31 lbs
1.34 kg / 2.95 lbs
1.48 kg / 3.26 lbs
1.93 kg / 4.25 lbs
2.07 kg / 4.56 lbs
FCC Class B, ICES Class B,
CE (EMC, LVD, RoHS), C-Tick,
VCCI Class B, UL, cUL, TUV/
GS, CB, Mexico CoC by UL,
WEEE, REACH, BSMI, KCC/
MSIP
FCC Class B, FCC RF ICES
Class B, IC RF CE (RED, RoHS),
RCM, VCCI Class B, MIC/
TELEC, UL, cUL, TUV/GS, CB,
Mexico CoC by UL, WEEE,
REACH
1.38 x 7.09 x 11.02 in
FCC Class A, ICES Class A,
CE (EMC, LVD, RoHS), C-Tick,
VCCI Class A, UL cUL, TUV/GS,
CB, Mexico CoC by UL, WEEE,
REACH, KCC/MSIP
180W external
(TZ600P only)
3.5 x 18 x 28 cm
1.47 kg / 3.24 lbs
1.89 kg /4.16 lbs
2.48 kg / 5.47 lbs
17
Page 18
SonicWall TZ series system specications cont'd
INTEGRATED WIRELESS TZ400 SERIES TZ500 SERIES TZ600 SERIES
Standards 802.11a/b/g/n/ac (WEP, WPA, WPA2, 802.11i, TKIP, PSK,02.1x,
EAP-PEAP, EAP-TTLS
Frequency bands
5
802.11a: 5.180-5.825 GHz; 802.11b/g: 2.412-2.472 GHz;
802.11n: 2.412-2.472 GHz, 5.180-5.825 GHz; 802.11ac: 2.412-
2.472 GHz, 5.180-5.825 GHz
Operating Channels 802.11a: US and Canada 12, Europe 11, Japan 4, Singapore
4, Taiwan 4; 802.11b/g: US and Canada 1-11, Europe 1-13,
Japan 1-14 (14-802.11b only); 802.11n (2.4 GHz): US and
Canada 1-11, Europe 1-13, Japan 1-13; 802.11n (5 GHz): US
and Canada 36-48/149-165, Europe 36-48, Japan 36-48, Spain
36-48/52-64; 802.11ac: US and Canada 36-48/149-165, Europe
36-48, Japan 36-48, Spain 36-48/52-64
Transmit output power Based on the regulatory domain specied by the system
administrator
Transmit power control Supported
Data rates supported
802.11a: 6, 9, 12, 18, 24, 36, 48, 54 Mbps per channel; 802.11b: 1, 2, 5.5, 11 Mbps per channel; 802.11g: 6, 9, 12, 18, 24, 36, 48,
54 Mbps per channel; 802.11n: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8,
65, 72.2, 15, 30, 45, 60, 90, 120, 135, 150 Mbps per channel;
802.11ac: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2, 86.7, 96.3,
15, 30, 45, 60, 90, 120, 135, 150, 180, 200, 32.5, 65, 97.5, 130,
195, 260, 292.5, 325, 390, 433.3, 65, 130, 195, 260, 390, 520,
585, 650, 780, 866.7 Mbps per channel
Modulation technology spectrum
802.11a: Orthogonal Frequency Division Multiplexing (OFDM);
802.11b: Direct Sequence Spread Spectrum (DSSS); 802.11g: Orthogonal Frequency Division Multiplexing (OFDM)/Direct
Sequence Spread Spectrum (DSSS); 802.11n: Orthogonal
Frequency Division Multiplexing (OFDM); 802.11ac: Orthogonal
Frequency Division Multiplexing (OFDM)
18
Page 19
SonicWall TZ Series ordering information
Product SKU
SOHO 250 with 1-year TotalSecure Advanced Edition 02-SSC-1815
SOHO 250 Wireless-AC with 1-year TotalSecure Advanced Edition 02-SSC-1824
TZ300 with 1-year TotalSecure Advanced Edition 01-SSC-1702
TZ300 Wireless-AC with 1-year TotalSecure Advanced Edition 01-SSC-1703
TZ300P with 1-year TotalSecure Advanced Edition 02-SSC-0602
TZ350 with 1-year TotalSecure Advanced Edition 02-SSC-1843
TZ350 Wireless-AC with 1-year TotalSecure Advanced Edition 02-SSC-1851
TZ400 with 1-year TotalSecure Advanced Edition 01-SSC-1705
TZ400 Wireless-AC with 1-year TotalSecure Advanced Edition 01-SSC-1706
TZ500 with 1-year TotalSecure Advanced Edition 01-SSC-1708
TZ500 Wireless-AC with 1-year TotalSecure Advanced Edition 01-SSC-1709
TZ600 with 1-year TotalSecure Advanced Edition 01-SSC-1711
TZ600P with 1-year TotalSecure Advanced Edition 02-SSC-0600
High availability options (each unit must be the same model)
TZ500 High Availability 01-SSC-0439
TZ600 High Availability 01-SSC-0220
Services SKU
For SonicWall SOHO 250 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting, Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for SOHO 250 (1-year) 02-SSC-1732
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 02-SSC-1750
Content Filtering Service (1-year) 02-SSC-1744
Comprehensive Anti-Spam Service (1-year) 02-SSC-1823
24x7 Support (1-year) 02-SSC-1720
For SonicWall TZ300 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting, Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ300 (1-year) 01-SSC-1435
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 01-SSC-0602
Content Filtering Service (1-year) 01-SSC-0608
Comprehensive Anti-Spam Service (1-year) 01-SSC-0632
24x7 Support (1-year) 01-SSC-0620
For SonicWall TZ350 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting, Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ350 (1-year) 02-SSC-1779
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 02-SSC-1797
Content Filtering Service (1-year) 02-SSC-1791
Comprehensive Anti-Spam Service (1-year) 02-SSC-1809
24x7 Support (1-year) 02-SSC-1767
02-SSC-1726
01-SSC-1430
02-SSC-1773
19
Page 20
SonicWall TZ Series ordering information
For SonicWall TZ400 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting, Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ400 (1-year) 01-SSC-1445
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 01-SSC-0534
Content Filtering Service (1-year) 01-SSC-0540
Comprehensive Anti-Spam Service (1-year) 01-SSC-0561
24x7 Support (1-year) 01-SSC-0552
For SonicWall TZ500 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting, Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ500 (1-year) 01-SSC-1455
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 01-SSC-0458
Content Filtering Service (1-year) 01-SSC-0464
Comprehensive Anti-Spam Service (1-year) 01-SSC-0482
24x7 Support (1-year) 01-SSC-0476
For SonicWall TZ600 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting, Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ600 (1-year) 01-SSC-1465
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 01-SSC-0228
Content Filtering Service (1-year) 01-SSC-0234
Comprehensive Anti-Spam Service (1-year) 01-SSC-0252
24x7 Support (1-year) 01-SSC-0246
01-SSC-1440
01-SSC-1450
01-SSC-1460
Regulatory model numbers
SOHO/SOHO Wireless A PL31- 0B9/AP L41-0BA
SOHO 250/SOHO 250 Wireless AP L41-0D6 /A P L41-0B A
TZ300/ TZ300 Wireless/
TZ300P
TZ350/ TZ350 Wireless APL28-0B4/APL28-0B5
TZ400/ TZ400 Wireless APL28-0B4/APL28-0B5
TZ500/ TZ500 Wireless APL29-0B6/APL29-0B7
TZ600/ TZ600P APL30-0B8/APL48-0D3
The Gartner Peer Insights Customers’ Choice logo is a trademark and service mark of Gartner, Inc., and/or its afliates, and is used herein with permission. All rights reser ved. Gartner Peer Insights Customers’ Choice distinctions are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and overall ratings for a given vendor in the market, as further described here, and are not intended in any way to represent the views of Gartner or its afliates.
SonicWall, Inc.
1033 McCarthy Boulevard | Milpitas, CA 95035 Refer to our website for additional information.
www.sonicwall.com
APL28-0B4/APL28-0B5/ AP L 47- 0 D2
© 2019 SonicWall Inc. ALL RIGHTS RESERVED. SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its
aliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
Datasheet-TZ Series-US-VG-340
SonicWall has been ghting the cybercriminal industry for over 27 years defending small and medium businesses, enterprises and government agencies worldwide. Backed by research from SonicWall Capture Labs, our award- winning, real-time
breach detection and prevention solutions secure more than a
million networks, and their emails, applications and data, in over
215 countries and territories. These organizations run more
effectively and fear less about security. For more information,
visit www.sonicwall.com or follow us on Twit t e r, LinkedIn,
Facebook and Instagram.
About SonicWall
Loading...