Dell TZ300P PoE User Manual

SonicWall TZ series

Integrated threat prevention and SD-WAN platform for

small/medium organizations and distributed enterprises

The SonicWall TZ series enables small to

mid-size organizations and distributed

enterprises realize the benets of an

integrated security solution that checks
all the boxes. Combining high-speed

threat prevention and software-dened
wide area networking (SD-WAN)
technology with an extensive range of
networking and wireless features plus
simplied deployment and centralized

management, the TZ series provides a

unied security solution at a low total
cost of ownership.

Flexible, integrated security solution

The foundation of the TZ series is

SonicOS, SonicWall’s feature-rich

operating system. SonicOS includes a

powerful set of capabilities that provides
organizations with the exibility to
tune these Unied Threat Management
(UTM) rewalls to their specic network

requirements. For example, creating a

secure high-speed wireless network is
simplied through a built-in wireless
controller and suppor t for the IEEE

802.11ac standard or by adding our
SonicWave 802.11ac Wave 2 access
points. To reduce the cost and complexity

of connecting high-speed wireless
access points and other Power over
Ethernet (PoE)-enabled devices such
as IP cameras, phones and printers,

the TZ300P and TZ600P provide

PoE/PoE+ power.

Distributed retail businesses and

campus environments can take

advantage of the many tools in
SonicOS to gain even greater benets.

Branch locations are able to exchange

information securely with the central
ofce using virtual private networking
(VPN). Creating virtual LANs (VLANs)
enables segmentation of the network

into separate corporate and customer

groups with rules that determine the
level of communication with devices on
other VLANs. SD-WAN offers a secure
alternative to costly MPLS circuits
while delivering consistent application
performance and availability. Deploying

TZ rewalls to remote locations is easy

using Zero-Touch Deployment which
enables provisioning of the rewall

remotely through the cloud.

Superior threat prevention and

performance

Our vision for securing networks in

today’s continually-evolving cyber
threat landscape is automated, real­time threat detection and prevention.

Through a combination of cloud-based

and on-box technologies we deliver
protection to our rewalls that’s been

validated by independent third-party

testing for its extremely high security
effectiveness. Unknown threats are sent

to SonicWall’s cloud-based Capture

Advanced Threat Protection (ATP) multi-

engine sandbox for analysis. Enhancing
Capture ATP is our patent-pending
Real-Time Deep Memory Inspection
(RTDMI™) technology. The RTDMI
engine detects and blocks malware

and zero-day threats by inspecting

directly in memory. RTDMI technology
is precise, minimizes false positives, and
identies and mitigates sophisticated

Benets:

Flexible, integrated security solution

• Secure SD-WAN

• Powerful SonicOS operating system

• High-speed 802.11ac wireless

• Power over Ethernet (PoE/PoE+)

• Network segmentation with VLANs

Superior threat prevention
and performance

• Patent-pending real-time deep
memory inspection technology

• Patented reassembly-free deep
packet inspection technology

• On-box and cloud-based threat
prevention

• TLS/SSL decr yption and inspection

• Industry-validated security

effectiveness

• Dedicated Capture Labs threat
research team

• Endpoint security with Capture Client

Easy deployment, setup and
ongoing management

• Zero-Touch Deployment

• Cloud-based and on-premises
centralized management

• Scalable line of rewalls

• Low total cost of ownership

attacks where the malware’s weaponry is
exposed for less than 100 nanoseconds.
In combination, our patented single-pass
Reassembly-Free Deep Packet Inspection
(RFDPI) engine examines every byte of

every packet, inspecting both inbound

and outbound traf c directly on the
rewall. By leveraging Capture ATP with
RTDMI technology in the SonicWall
Capture Cloud Platform in addition to

on-box capabilities including intrusion

prevention, anti-malware and web/
URL ltering, TZ series rewalls stop
malware, ransomware and other threats
at the gateway. For mobile devices used
outside the rewall perimeter, SonicWall
Capture Client provides an added layer of

protection by applying advanced threat
protection techniques such as machine
learning and system rollback. Capture
Client also leverages the deep inspection

of encrypted TLS trafc (DPI-SSL) on

TZ series rewalls by installing and

managing trusted TLS certicates.

The continued growth in the use of

encryption to secure web sessions
means it is imperative rewalls are able
to scan encrypted traf c for threats.

TZ series rewalls provide complete

protection by performing full decryption
and inspection of TLS/SSL and SSH
encrypted connections regardless of
port or protocol. The rewall searches for

protocol non-compliance, threats, zero-

days, intrusions, and even dened criteria

by looking deep inside every packet.

The deep packet inspection engine

detects and prevents hidden attacks

that leverage cryptography. It also
blocks encrypted malware downloads,
ceases the spread of infections and
thwarts command and control (C&C)
communications and data exltration.
Inclusion and exclusion rules allow total
control to customize which trafc is

subjected to decr yption and inspection

based on specic organizational
compliance and/or legal requirements.

Easy deployment, setup and

ongoing management

SonicWall makes it easy to congure
and manage TZ series rewalls and

SonicWave 802.11ac Wave 2 access

points no matter where you deploy them.

Centralized management, reporting,
licensing and analytics are handled
through our cloud-based Capture

Security Center which offers the ultimate

in visibility, agility and capacity to
centrally govern the entire SonicWall

security ecosystem from a single pane
of glass.

A key component of the Capture Security
Center is Zero-Touch Deployment. This
cloud-based feature simplies and

speeds the deployment and provisioning

of SonicWall rewalls at remote and
branch of ce locations. The process

requires minimal user intervention, and

is fully automated to operationalize
rewalls at scale in just a few steps.

This signicantly reduces the time,

cost and complexity associated with
installation and conguration, while

security and connectivity occurs
instantly and automatically. Together, the

simplied deployment and setup along
with the ease of management enable
organizations to lower their total cost
of ownership and realize a high return

on investment.

* 802.11ac currently not available on SOHO/ SOHO 250 models; SOHO/SOHO 250 models suppor t 802.11a/b/g/n

SonicWave 432i
access point

Printer

Bi-directional
scanning

SonicWall TZ600P

IP Phone

Camera

802.3at PoE+ Devices

Integrated Security and Power for
Your PoE-enabled Devices

Provide power to your PoE-enabled
devices without the cost and complexity
of a Power over Ethernet switch or
injector. TZ300P and TZ600P rewalls
integrate IEEE 802.3at technology to
power PoE and PoE+ devices such as
wireless access points, cameras, IP
phones and more. The rewall scans all
trafc coming from and going to each

device using deep packet inspection

technology and then removes harmful
threats such as malware and intrusions,

even over encrypted connections.

2

Capture Cloud Platform

SonicWall's Capture Cloud Platform

delivers cloud-based threat prevention

and network management plus reporting
and analytics for organizations of any
size. The platform consolidates threat
intelligence gathered from multiple
sources including our award-winning
multi-engine network sandboxing service,
Capture Advanced Threat Protection, as
well as more than 1 million SonicWall

sensors located around the globe.

If data coming into the network is found

to contain previously-unseen malicious
code, SonicWall’s dedicated, in-house

Capture Labs threat research team

develops signatures that are stored in

the Capture Cloud Platform database
and deployed to customer rewalls for
up-to-date protection. New updates take
effect immediately without reboots or

interruptions. The signatures resident

on the appliance protect against wide

classes of attacks, covering tens of
thousands of individual threats. In

addition to the countermeasures on

the appliance, TZ rewalls also have

continuous access to the Capture Cloud

Platform database which extends the
onboard signature intelligence with tens
of millions of signatures.

In addition to providing threat prevention,
the Capture Cloud Platform offers
single pane of glass management and

administrators can easily create both
real-time and historical repor ts on

network activity.

Advanced threat protection

At the center of SonicWall automated,

real-time breach prevention is SonicWall

Capture Advanced Threat Protection

service, a cloud-based multi-engine

sandbox that extends rewall threat

protection to detect and prevent zero-

day threats. Suspicious les are sent
to the cloud where they are analyzed
using deep learning algorithms with
the option to hold them at the gateway

until a verdict is determined. The multi-

engine sandbox platform, which includes
Real-Time Deep Memory Inspection,
virtualized sandboxing, full system

emulation and hypervisor level analysis
technology, executes suspicious code

and analyzes behavior. When a le is
identied as malicious, it is blocked

and a hash is immediately created

within Capture ATP. Soon after, a
signature is sent to rewalls to prevent
follow-on attacks.

The service analyzes a broad range

of operating systems and le types,
including executable programs, DLL,
PDFs, MS Ofce documents, archives,
JAR and APK .

Streaming Data

PDF

Email

Data File

101001001010

010100101101

010010100100

101001010010

110101010010

010100100010

101100100101

Endpoint

Arfact 1

Arfact 2

Arfact 3

Arfact 4

LEARNING

Deep Learning

MACHINE

Algorithms

For complete endpoint protection, the
SonicWall Capture Client combines
next-generation anti-virus technology

with SonicWall's cloud-based

multi-engine sandbox.

Classified Malware

RANSOMWARE

Locky

RANSOMWARE

UNKNOWN

A

WannaCry

TROJAN

Spartan

B C

BLOCK

unl

VERDICT

GoodBad

BLOCK

CLOUD CAPTURE
SANDBOX

Hypervisor

A

D

Emulaon

B

Virtualizaon

C

RTDMI

D

SENT

3

Reassembly-Free Deep Packet

Traffic out

Traffic out

Proxy

Scanning

Packet

disassembly

Packet assembly-based process

SonicWall stream-based architectureCompetitive proxy-based architecture

When proxy buffer

becomes full or

content too large,

files bypass

scanning.

Traffic in

Traffic in

TLS/SSL

Reassembly-free Deep Packet Inspection (RFDPI)

Reassembly-free packet

scanning eliminates proxy

and content size limitations.

Inspection time

Less More

Inspection capacity

Min Max

Inspection time

Less More

Inspection capacity

Min Max

CPU 1

CPU 2

CPU 3

CPU 4

CPU n

TLS/SSL

Inspection engine

The SonicWall Reassembly-Free Deep

Packet Inspection (RFDPI) is a single­pass, low latency inspection system that
performs stream-based, bi-directional
trafc analysis at high speed without
proxying or buffering to effectively
uncover intrusion attempts and malware
downloads while identifying application
trafc regardless of port and protocol.

This proprietar y engine relies on

streaming trafc payload inspection to
detect threats at Layers 3-7, and takes

network streams through extensive and

repeated normalization and decryption
in order to neutralize advanced evasion

techniques that seek to confuse detection

engines and sneak malicious code into

the network.

Once a packet undergoes the necessary

pre-processing, including TLS/SSL

decryption, it is analyzed against a single,

proprietary memory representation of
three signature databases: intrusion
attacks, malware and applications. The

connection state is then advanced to

represent the position of the stream

relative to these databases until it

encounters a state of attack, or other

“match” event, at which point a pre-set

action is taken.

In most cases, the connection is

terminated and proper logging and

notication events are created. However,
the engine can also be congured for
inspection only or, in case of application
detection, to provide Layer 7 bandwidth
management services for the remainder
of the application stream as soon as the
application is identied.

Centralized management
and reporting

For highly regulated organizations

wanting to achieve a fully coordinated

security governance, compliance and
risk management strategy, SonicWall

provides administrators a unied,
secure and extensible platform to
manage SonicWall rewalls, wireless
access points and Dell N-Series
and X-Series switches through a
correlated and auditable workstream

4

process. Enterprises can easily
consolidate the management of security

appliances, reduce administrative and
troubleshooting complexities, and govern

all operational aspects of the security
infrastructure, including centralized
policy management and enforcement;
real-time event monitoring; user
activities; application identications; ow
analytics and forensics; compliance and
audit reporting; and more. In addition,
enterprises meet the rewall’s change

management requirements through

workow automation which provides the
agility and condence to deploy the right
rewall policies at the right time and in
conformance with compliance regulations.

Available on premises as SonicWall

Global Management System and in

the cloud as Capture Security Center,

SonicWall management and reporting

solutions provide a coherent way to
manage network security by business

processes and service levels, dramatically

simplifying lifecycle management of your

overall security environments compared
to managing on a device-by-device basis.

Distributed networks

Because of their exibility, TZ series
rewalls are ideally suited for both

distributed enterprise and single site

deployments. In distributed networks
like those found in retail organizations,
each site has its own TZ rewall which
connects to the Internet often through
a local provider using a DSL, cable
or 3G/4G connection. In addition to
Internet access, each rewall utilizes
an Ethernet connection to transport
packets between remote sites and the

central headquarters. Web services

and SaaS applications such as Ofce
365, Salesforce and others are served
up from the data center. Through mesh
VPN technology, IT administrators can
create a hub and spoke conguration
for the safe transpor t of data between

all locations.

The SD-WAN technology in SonicOS

is a perfect complement to TZ rewalls

Distributed Enterprise

Network with SD-WAN

NSsp 12800

IP

PBX

SonicWall Secure

SD-WAN Features

•

NSS Labs validated high

security efficacy

•

Zero-touch deployment

•

WAN load balancing

•

Dynamic path selection for
business-critical applications

•

Secure AES 256 VPN

•

Application identification and visibility

•

Cloud-based central management

deployed at remote and branch sites.

Instead of relying on more expensive
legacy technologies such as MPLS
and T1, organizations using SD-WAN

Corporate HQ

SD-WAN Enabled

Transport

Remote / Branch Offices

Data Center

NSa 9650

· Anti-malware

· IPS

· Content filtering

· Capture ATP

· VPN

Terminal

Low-Cost Transport Technologies

Ethernet / DSL / Cable / 3G / 4G

IoT Devices – Cameras,

POS

IP Phones, etc.

Web Server Farm

Application Server Farm

Security Center

Cloud Orchestration

and Management

TZ600P Firewall

Capture

Access Point

SonicWave

Wireless

Guest

Corp

WiFi

WiFi

can choose lower-cost public Internet
services while continuing to achieve a
high level of application availability and
predictable performance.

Capture Security Center

Tying the distributed network together

is SonicWall’s cloud-based Capture

Security Center (CSC) which centralizes

deployment, ongoing management

and real-time analytics of the TZ
rewalls. A key feature of CSC is Zero-

Touch Deployment. Conguring and

deploying rewalls across multiple

sites is time-consuming and requires

onsite personnel. However Zero-

Touch Deployment removes these

challenges by simplifying and speeding
the deployment and provisioning of
SonicWall rewalls remotely through

the cloud. Similarly, CSC eases ongoing
management by providing cloud-based

single-pane-of-glass management for
SonicWall devices on the network. For
complete situational awareness of the
network security environment, SonicWall

Analytics offers a single-pane view

into all activity occurring inside the

network. Organizations gain a deeper
understanding of application usage
and performance while reducing the
possibility of Shadow IT.

NSa or NSsp

Corporate

Headquarters

$

Sales network

Engineering network

Finance network

Single Sites

For single site deployments, having an

integrated network security solution
is highly benecial. TZ series rewalls
combine high security effectiveness
with options such as built-in 802.11ac
wireless and, in the case of the TZ300P
and TZ600P, PoE/PoE+ support. The

Capture
Security Center

TZ product line

Internet

3G/analog failover

Secure wireless zone

Printers

18-port Dell N-Series/X-Series switch

Protected server network

Storage

PoE
cameras

same security engine in our mid-range

NSa series and high-end NSsp series
is featured in TZ series rewall along
with the broad feature set of SonicOS.
Conguration and management is
easy using the intuitive SonicOS UI.

Organizations save valuable rack space

due to the compact desktop form factor.

5

SonicWall TZ600 series

For emerging enterprises, retail and branch ofces looking for security, performance and options such as 802.3at PoE+ support at a
value price, the SonicWall TZ600 secures networks with enterprise-class features and uncompromising performance.

Specication TZ600 series

Firewall throughput 1.9 Gbps

Threat Prevention throughput 800 Mbps

Anti-malware throughput 800 Mbps

IPS throughput 1.2 Gbps

Maximum connections 150,000

New connections/sec 12,000

TZ600P

PoE/PoE+ por ts (4 PoE/PoE+)

Power LED Tes t LE D

USB por t
(3G/4G WAN
failover)

Link and
activity
indicator LEDs

Expansion
module

Console
port

8x1-GbE
switch

(congurable)

X0 LAN port
X1 WAN port

SonicWall TZ500 series

For growing branch ofces and SMBs, the SonicWall TZ500 series delivers highly effective, no-compromise protection with
network productivity and optional integrated 802.11ac dual-band wireless.

Specication TZ500 series

Firewall throughput 1.4 Gbps

Threat Prevention throughput 700 Mbps

Anti-malware throughput 700 Mbps

IPS throughput 1.0 Gbps

Maximum connections 150,000

New connections/sec 8,000

Optional
802 .11ac
wireless

12V DC 2A
power

Power LED Tes t LE D

USB por t
(3G/4G WAN
failover)

Link and
activity
indicator LEDs

Console
port

6x1-GbE switch

(congurable)

X0 LAN port
X1 WAN port

12V DC 2A
power

6

SonicWall TZ400 series

For small business, retail and branch ofce locations, the SonicWall TZ400 series delivers enterprise-grade protection. Flexible
wireless deployment is available with optional 802.11ac dual-band wireless integrated into the rewall.

Specication TZ400 series

Firewall throughput 1.3 Gbps

Threat Prevention throughput 600 Mbps

Anti-malware throughput 600 Mbps

IPS throughput 900 Mbps

Maximum connections 150,000

New connections/sec 6,000

Optional
802 .11ac
wireless

Power LED Tes t LE D 5x1-GbE switch

USB por t
(3G/4G WAN
failover)

Link and
activity
indicator
LEDs

Console
port

(congurable)

X0 LAN port
X1 WAN port

12V DC
2A power

SonicWall TZ350/TZ300 series

The SonicWall TZ300 and TZ350 series offer an all-in-one solution that protects networks from advanced attacks. Unlike consumer

grade products, these UTM rewalls combine high-speed intrusion prevention, anti-malware and content /URL ltering plus broad
secure mobile access support for laptops, smartphones and tablets along with optional integrated 802.11ac wireless. In addition,
the TZ300 offers optional 802.3at PoE+ to power PoE-enabled devices.

Specication TZ350 series TZ300 series

Firewall throughput 1.0 Gbps 750 Mbps

Threat Prevention throughput 335 Mbps 235 Mbps

Anti-malware throughput 335 Mbps 235 Mbps

IPS throughput 400 Mbps 300 Mbps

Maximum connections 100,000 100,000

New connections/sec 6,000 5,000

TZ300P

PoE/PoE+ ports (2 PoE or 1 PoE+)

Optional
802 .11ac
wireless

Power LED Tes t LE D

USB por t
(3G/4G WAN
failover)

Link and
activity
indicator LEDs

Console
port

3x1-GbE switch

(congurable)

X0 LAN port
X1 WAN port

12V DC 2A
power

7

SonicWall SOHO 250/SOHO series

For wired and wireless small and home of ce environments, the SonicWall SOHO 250 and SOHO series deliver the same business­class protection large organizations require at a more affordable price point. Add optional 802.11n wireless to provide employees,
customers and guests with secure wireless connectivity.

Specication SOHO 250 series SOHO series

Firewall throughput 600 Mbps 300 Mbps

Threat Prevention throughput 200 Mbps 150 Mbps

Anti-malware throughput 200 Mbps 150 Mbps

IPS throughput 250 Mbps 200 Mbps

Maximum connections 50,000 10,000

New connections/sec 3,000 1,800

Optional
802 .11n
wireless

Power LED Tes t LE D

Link and
activity
indicator LEDs

USB por t
(3G/4G WAN
failover)

Partner Enabled Services

Need help to plan, deploy or optimize your SonicWall
solution? SonicWall Advanced Services Partners are
trained to provide you with world class professional
services. Learn more at www.sonicwall.com/PES.

Console
port

3x1-GbE switch

(congurable)

X0 LAN port
X1 WAN port

12V DC 2A
power

8

Features

RFDPI ENGINE

Feature Description

Reassembly-Free Deep Packet
Inspection (RFDPI)

Bi-directional inspection

Stream-based inspection

Highly parallel and scalable

Single-pass inspection

FIREWALL AND NETWORKING

Feature Description

Secure SD-WAN

REST APIs

Stateful packet inspection All network trafc is inspected, analyzed and brought into compliance with rewall access policies.

High availability/clustering

DDoS/DoS attack protection

IPv6 support

Flexible deployment options The TZ series can be deployed in traditional NAT, Layer 2 bridge, wire and network tap modes.
WAN load balancing Load-balances multiple WAN interfaces using Round Robin, Spillover or Percentage methods.

Advanced quality of service (QoS)

H.323 gatekeeper and SIP proxy

support

Single and cascaded Dell N-Series and
X-Series switch management

Biometric authentication

Open authentication and social login

Wireless Network Security

MANAGEMENT AND REPORTING

Feature Description

Cloud-based and on-premises
management

Powerful single device management

IPFIX/NetFlow application ow

reporting

This high-performance, proprietary and patented inspection engine performs stream-based, bi-directional
trafc analysis, without proxying or buffering, to uncover intrusion attempts and malware and to identify
application trafc regardless of port.

Scans for threats in both inbound and outbound trafc simultaneously to ensure that the network is not
used to distribute malware and does not become a launch platform for attacks in case an infected machine

is brought inside.

Proxy-less and non-buffering inspection technology provides ultra-low latency performance for DPI of
millions of simultaneous network streams without introducing le and stream size limitations, and can be
applied on common protocols as well as raw TCP streams.

The unique design of the RFDPI engine works with the multi-core architecture to provide high DPI
throughput and extremely high new session establishment rates to deal with trafc spikes in demanding
networks.

A single-pass DPI architecture simultaneously scans for malware, intrusions and application identication,
drastically reducing DPI latency and ensuring that all threat information is correlated in a single architecture.

An alternative to more expensive technologies such as MPLS, Secure SD-WAN enables distributed
enterprise organizations to build, operate and manage secure, high-performance networks across remote
sites for the purpose of sharing data, applications and services using readily-available, low-cost public

internet services.

Allows the rewall to receive and leverage any and all proprietary, original equipment manufacturer and
third-party intelligence feeds to combat advanced threats such as zero-day, malicious insider, compromised
credentials, ransomware and advanced persistent threats.

SonicWall TZ500 and TZ600 models support high availability with Active/Standby with state synchronization.
SonicWall TZ300 and TZ400 models support high availability without Active/Standby synchronization. There

is no high availability on SonicWall SOHO models.

SYN ood protection provides a defense against DoS attacks using both Layer 3 SYN proxy and Layer
2 SYN blacklisting technologies. Additionally, it protects against DoS/DDoS through UDP/ICMP ood

protection and connection rate limiting.

Internet Protocol version 6 (IPv6) is in its early stages to replace IPv4. With SonicOS, the hardware will
support ltering and wire mode implementations.

Guarantees critical communications with 802.1p, DSCP tagging, and remapping of VoIP trafc on the
network.

Blocks spam calls by requiring that all incoming calls are authorized and authenticated by H.323 gatekeeper or

SIP proxy.
Manage security settings of additional ports, including Portshield, HA, PoE and PoE+, under a single pane

of glass using the rewall management dashboard for Dell’s N-Series and X-Series network switch (not
available with SOHO model).

Supports mobile device authentication such as ngerprint recognition that cannot be easily duplicated or
shared to securely authenticate the user identity for network access.

Enable guest users to use their credentials from social networking services such as Facebook, Twitter, or
Google+ to sign in and access the Internet and other guest services through a host's wireless, LAN or DMZ

zones using pass-through authentication.

Available as an integrated option on SonicWall TZ300 through TZ500, IEEE 802.11ac wireless technology
can deliver up to 1.3 Gbps of wireless throughput with greater range and reliability. Optional 802.11 a/b/g/n

is available on SonicWall SOHO models.

Conguration and management of SonicWall appliances is available via the cloud through the SonicWall
Capture Security Center and on-premises using SonicWall Global Management System (GMS).

An intuitive web-based interface allows quick and convenient conguration, in addition to a comprehensive
command-line interface and support for SNMPv2/3.

Exports application trafc analytics and usage data through IPFIX or NetFlow protocols for real-time and
historical monitoring and reporting with tools that support IPFIX and NetFlow with extensions.

9

VIRTUAL PRIVATE NETWORKING

Feature Description

Auto-provision VPN

IPSec VPN for site-to-site connectivity

SSL VPN or IPSec client remote access

Redundant VPN gateway

Route-based VPN

CONTENT/CONTEXT AWARENESS

Simplies and reduces complex distributed rewall deployment down to a trivial effort by automating the initial
site-to-site VPN gateway provisioning between SonicWall rewalls while security and connectivity occurs

instantly and automatically.

High-performance IPSec VPN allows the TZ series to act as a VPN concentrator for thousands of other
large sites, branch ofces or home ofces.

Utilizes clientless SSL VPN technology or an easy-to-manage IPSec client for easy access to email, les,
computers, intranet sites and applications from a variety of platforms.

When using multiple WANs, a primary and secondary VPN can be congured to allow seamless, automatic
failover and failback of all VPN sessions.

The ability to perform dynamic routing over VPN links ensures continuous uptime in the event of a
temporary VPN tunnel failure, by seamlessly re-routing trafc between endpoints through alternate routes.

Feature Description

User activity tracking

GeoIP country trafc identication

Regular expression DPI ltering

CAPTURE ADVANCE THREAT PROTECTION

User identication and activity are made available through seamless AD/LDAP/Citrix1/Terminal Services1
SSO integration combined with extensive information obtained through DPI.

Identies and controls network trafc going to or coming from specic countries to either protect against
attacks from known or suspected origins of threat activity, or to investigate suspicious trafc originating
from the network. Provides the ability to create custom country and Botnet lists to override an incorrect
country or Botnet tag associated with an IP address. Eliminates unwanted ltering of IP addresses due to
misclassication.

Prevents data leakage by identifying and controlling content crossing the network through regular

expression matching. Provides the ability to create custom country and Botnet lists to override an incorrect

country or Botnet tag associated with an IP address.

Feature Description

Multi-engine sandboxing

Real-Time Deep Memory Inspection
(RTDMI)

Block until verdict

Broad le type and size analysis

Rapid deployment of signatures

Capture Client

ENCRYPTED THREAT PREVENTION

The multi-engine sandbox platform, which includes virtualized sandboxing, full system emulation,

and hypervisor level analysis technology, executes suspicious code and analyzes behavior, providing
comprehensive visibility to malicious activity.

This patent-pending cloud-based technology detects and blocks malware that does not exhibit any
malicious behavior and hides its weaponry via encryption. By forcing malware to reveal its weaponry into
memory, the RTDMI engine proactively detects and blocks mass-market, zero-day threats and unknown
malware.

To prevent potentially malicious les from entering the network, les sent to the cloud for analysis can be
held at the gateway until a verdict is determined.

Supports analysis of a broad range of le types, either individually or as a group, including executable
programs (PE), DLL, PDFs, MS Ofce documents, archives, JAR, and APK plus multiple operating systems
including Windows, Android, Mac OS X and multi-browser environments.

When a le is identied as malicious, a signature is immediately deployed to rewalls with SonicWall Capture
ATP subscriptions and Gateway Anti-Virus and IPS signature databases and the URL, IP and domain
reputation databases within 48 hours.

Capture Client is a unied client platform that delivers multiple endpoint protection capabilities, including
advanced malware protection and support for visibility into encrypted trafc. It leverages layered protection
technologies, comprehensive reporting and endpoint protection enforcement.

Feature Description

Decrypts and inspects TLS/SSL encrypted trafc on the y, without proxying, for malware, intrusions and

TLS/SSL decryption and inspection

SSH inspection

INTRUSION PREVENTION

data leakage, and applies application, URL and content control policies in order to protect against threats
hidden in encrypted trafc. Included with security subscriptions for all TZ series models except SOHO. Sold

as a separate license on SOHO.

Deep packet inspection of SSH (DPI-SSH) decrypts and inspect data traversing over SSH tunnel to prevent

attacks that leverage SSH.

Feature Description

Countermeasure-based protection

Automatic signature updates

Tightly integrated intrusion prevention system (IPS) leverages signatures and other countermeasures
to scan packet payloads for vulnerabilities and exploits, covering a broad spectrum of attacks and

vulnerabilities.

The SonicWall Threat Research Team continuously researches and deploys updates to an extensive list of
IPS countermeasures that covers more than 50 attack categories. The new updates take immediate effect
without any reboot or service interruption required.

10

INTRUSION PREVENTION CON'T

Feature Description

Intra-zone IPS protection

Botnet command and control (CnC)

detection and blocking

Protocol abuse/anomaly Identies and blocks attacks that abuse protocols in an attempt to sneak past the IPS.

Zero-day protection

Anti-evasion technology

THREAT PREVENTION

Bolsters internal security by segmenting the network into multiple security zones with intrusion prevention,
preventing threats from propagating across the zone boundaries.

Identies and blocks command and control trafc originating from bots on the local network to IPs and
domains that are identied as propagating malware or are known CnC points.

Protects the network against zero-day attacks with constant updates against the latest exploit methods
and techniques that cover thousands of individual exploits.

Extensive stream normalization, decoding and other techniques ensure that threats do not enter the
network undetected by utilizing evasion techniques in Layers 2-7.

Feature Description

Gateway anti-malware

Capture Cloud malware protection

Around-the-clock security updates

Bi-directional raw TCP inspection

Extensive protocol support

APPLICATION INTELLIGENCE AND CONTROL

The RFDPI engine scans all inbound, outbound and intra-zone trafc for viruses, Trojans, key loggers and
other malware in les of unlimited length and size across all ports and TCP streams.

A continuously updated database of tens of millions of threat signatures resides in the SonicWall cloud
servers and is referenced to augment the capabilities of the onboard signature database, providing RFDPI
with extensive coverage of threats.

New threat updates are automatically pushed to rewalls in the eld with active security services, and take
effect immediately without reboots or interruptions.

The RFDPI engine is capable of scanning raw TCP streams on any port bi-directionally preventing attacks
that they to sneak by outdated security systems that focus on securing a few well-known ports.

Identies common protocols such as HTTP/S, FTP, SMTP, SMBv1/v2 and others, which do not send data in raw
TCP, and decodes payloads for malware inspection, even if they do not run on standard, well-known ports.

Feature Description

Application control

Custom application identication

Application bandwidth management

Granular control

CONTENT FILTERING

Control applications, or individual application features, that are identied by the RFDPI engine against a
continuously expanding database of over thousands of application signatures, to increase network security
and enhance network productivity.

Control custom applications by creating signatures based on specic parameters or patterns unique to an
application in its network communications, in order to gain further control over the network.

Granularly allocate and regulate available bandwidth for critical applications or application categories while
inhibiting nonessential application trafc.

Control applications, or specic components of an application, based on schedules, user groups, exclusion
lists and a range of actions with full SSO user identication through LDAP/AD/Terminal Services/Citrix

integration.

Feature Description

Inside/outside content ltering

Enforced Content Filtering Client

Granular controls

Web caching

ENFORCED ANTI-VIRUS AND ANTI-SPYWARE

Enforce acceptable use policies and block access to HTTP/HTTPS websites containing information or
images that are objectionable or unproductive with Content Filtering Service and Content Filtering Client.

Extend policy enforcement to block internet content for Windows, Mac OS, Android and Chrome devices
located outside the rewall perimeter.

Block content using the predened categories or any combination of categories. Filtering can be scheduled
by time of day, such as during school or business hours, and applied to individual users or groups.

URL ratings are cached locally on the SonicWall rewall so that the response time for subsequent access to
frequently visited sites is only a fraction of a second.

Feature Description

Multi-layered protection

Automated enforcement option

Automated deployment and

installation option

Next-generation antivirus

Spyware protection

Utilize the rewall capabilities as the rst layer of defense at the perimeter, coupled with endpoint
protection to block, viruses entering network through laptops, thumb drives and other unprotected systems.

Ensure every computer accessing the network has the appropriate antivirus software and/or DPI­SSL certicate installed and active, eliminating the costs commonly associated with desktop antivirus

management.

Machine-by-machine deployment and installation of antivirus and anti-spyware clients is automatic across
the network, minimizing administrative overhead.

Capture Client uses a static articial intelligence (AI) engine to determine threats before they can execute
and roll back to a previous uninfected state.

Powerful spyware protection scans and blocks the installation of a comprehensive array of spyware programs
on desktops and laptops before they transmit condential data, providing greater desktop security and
performance.

11

SonicOS feature summary

Firewall

• Stateful packet inspection

• Reassembly-Free Deep Packet
Inspection

• DDoS attack protec tion

(UDP/ICMP/SYN ood)

• IPv4/IPv6 support

• Biometric authentication for remote
access

• DNS proxy

• REST APIs

SSL/SSH decryption and inspection¹

• Deep packet inspection for TL S/SSL /SSH

• Inclusion/exclusion of objects, groups or
hostnames

• TLS/SSL control

• Granular DPI SSL controls per zone or rule

Capture Advanced Threat Protection1

• Real-Time Deep Memor y Inspection

• Cloud-based multi-engine analysis

• Virtualized sandboxing

• Hyper visor level analysis

• Full system emulation

• Broad le type examination

• Automated and manual submission

• Real-time threat intelligence updates

• Block until verdict

• Capture Client

Intrusion prevention1

• Signature-based scanning

• Automatic signature updates

• Bidirectional inspection

• Granular IPS rule capability

• GeoIP/Botnet ltering

• Regular expression matching

Anti-malware1

• Stream-based malware scanning

• Gateway anti-virus

• Gateway anti-spyware

• Bi-directional inspection

• No le size limitation

• Cloud malware database

2

Application identication1

• Application control

• Application bandwidth management

• Custom application signature creation

• Data leakage prevention

• Application reporting over NetFlow/IPFIX

• Comprehensive application signature
database

Trafc visualization and analytics

• User activity

• Application/bandwidth/threat usage

• Cloud-based analytics

HTTP/HTTPS Web content ltering1

• URL ltering

• Anti-proxy technology

• Keyword blocking

• Policy-based ltering (exclusion/
inclusion)

• HTTP header insertion

• Bandwidth manage CFS rating
categories

• Unied policy model with app control

• Content Filtering Client

VPN

• Auto-provision VPN

• IPSec VPN for site-to-site connectivity

• SSL VPN and IPSec client remote access

• Redundant VPN gateway

• Mobile Connect for iOS, Mac OS X ,
Windows, Chrome, Android and
Kindle Fire

• Route-based VPN (OSPF, RIP, BGP)

Networking

• Secure SD-WAN

• PortShield

• Enhanced logging

• Layer-2 QoS

• Port security

• Dynamic routing (RIP/OSPF/BGP)

• SonicWall wireless controller

• Policy-based routing
(ToS/metric and ECMP)

• Asymmetric routing

• DHCP server

• NAT

• Bandwidth management

• High availability - Active/Standby with
state sync

2

• Inbound/outbound load balancing

• L2 bridge mode, NAT mode

• 3G/4G WAN failover

• Common Access Card (CAC) support

VoIP

• Granular QoS control

• Bandwidth management

• DPI for VoIP traf c

• H.323 gatekeeper and SIP proxy support

Management and monitoring

• Web GUI

• Command line interface (CLI)

• SNMPv2/ v3

• Centralized management and reporting
with SonicWall GMS and Capture
Security Center

• Logging

• Net ow/IPFix expor ting

• Cloud-based conguration backup

• Application and bandwidth visualization

• IPv4 and IPv6 management

• Dell N-Series and X-Series switch
management including cascaded
switches

2

Integrated Wireless

• Dual-band (2.4 GHz and 5.0 GHz)

• 802.11 a/b/g/n/ac wireless standards

• WIDS/WIPS

• Wireless guest services

• Lightweight hotspot messaging

• Virtual access point segmentation

• Captive portal

• Cloud ACL

2

1

Requires added subscription

2

State sync high availability only on SonicWall TZ500 and SonicWall TZ6 00 models

12

SonicWall TZ series system specications

FIREWALL GENERAL SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

Operating system SonicOS

Interfaces 5x1GbE, 1 USB, 1 Console

Power over Ethernet (PoE) support — —

5x1GbE, 1 USB,

1 Console

TZ300P - 2 ports

(2 PoE or 1 PoE+)
Expansion USB

Management CLI, SSH, Web UI, Capture Security Center, GMS, REST APIs

Single Sign-On (SSO) Users 250 350 500 500
VLAN interfaces 25
Access points supported (maximum) 2 4 8 8

FIREWALL/VPN PERFORMANCE SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

Firewall inspection throughput

Threat Prevention throughput

Application inspection throughput
IPS throughput

2

Anti-malware inspection throughput
TLS/SSL inspection and decryption throughput (DPI SSL)
IPSec VPN throughput

1

2

2

300 Mbps 600 Mbps 750 Mbps 1.0 Gbps
150 Mbps 200 Mbps 235 Mbps 335 Mbps

— 275 Mbps 375 Mbps 600 Mbps

200 Mbps 250 Mbps 300 Mbps 400 Mbps

2

2

3

150 Mbps 200 Mbps 235 Mbps 335 Mbps

30 Mbps 50 Mbps 60 Mbps 65 Mbps

150 Mbps 200 Mbps 300 Mbps 430 Mbps

Connections per second 1,800 3,000 5,000 6,000

Maximum connections (SPI) 10,000 50,000 100,000 100,000
Maximum connections (DPI) 10,000 50,000 90,000 90,000
Maximum connections (DPI SSL) 250 25,000 25,000 25,000

VPN SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

Site-to-site VPN tunnels 10 10 10 15
IPSec VPN clients (maximum) 1 (5) 1 (5) 1 (10) 1 (10)
SSL VPN licenses (maximum) 1 (10) 1 (25) 1 (50) 1 (75)
Virtual assist bundled (maximum) — 1 (30-day trial) 1 (30-day trial) 1 (30-day trial)
Encryption/authentication DES, 3DES, AES (128, 192, 256-bit), MD5, SHA-1, Suite B Cryptography
Key exchange Dife Hellman Groups 1, 2, 5, 14v
Route-based VPN RIP, OSPF, BGP

Certicate support

VPN features

Global VPN client platforms supported

NetExtender

Mobile Connect

Verisign, Thawte, Cybertrust, RSA Keon, Entrust and Microsoft CA for SonicWall-to-

SonicWall VPN, SCEP

Dead Peer Detection, DHCP Over VPN, IPSec NAT Traversal,

Redundant VPN Gateway, Route-based VPN

Microsoft® Windows Vista 32/64-bit, Windows 7 32/64-bit,

Windows 8.0 32/64-bit, Windows 8.1 32/64-bit, Windows 10

Microsoft Windows Vista 32/64-bit, Windows 7, Windows 8.0 32/64-bit, Windows 8.1

32/64-bit, Mac OS X 10.4+, Linux FC3+/Ubuntu 7+/OpenSUSE

Apple® iOS, Mac OS X, Google® Android™, Kindle Fire, Chrome,

Windows 8.1 (Embedded)

SECURITY SERVICES SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

Deep Packet Inspection services Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, DPI SSL

Content Filtering Service (CFS)

HTTP URL, HTTPS IP, keyword and content scanning, Comprehensive ltering based

on le types such as ActiveX, Java, Cookies for privacy, allow/forbid lists
Comprehensive Anti-Spam Service Supported
Application Visualization No Yes Yes Yes
Application Control Yes Ye s Yes Ye s
Capture Advanced Threat Protection No Ye s Yes Yes

NETWORKING SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

IP address assignment Static, (DHCP, PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP relay
NAT modes 1:1, 1:many, many:1, many:many, exible NAT (overlapping IPs), PAT, transparent mode

Routing protocols

QoS

4

BGP4, OSPF, RIPv1/v2, static routes, policy-based routing

Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking,

802.1e (WMM)

5x1GbE, 1 USB,

1 Console

—

13

SonicWall TZ series specications cont'd

NETWORKING CONT'D SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

Authentication

LDAP (multiple domains), XAUTH/RADIUS,

SSO, Novell, internal user database

Local user database 150
VoIP Full H.323v1-5, SIP

Standards

Certications

TCP/IP, UDP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP,

PPTP, RADIUS, IEEE 802.3

FIPS 140-2 (with Suite B) Level 2, UC APL, VPNC, IPv6 (Phase 2), ICSA Network

Firewall, ICSA Anti-virus
Certications pending Common Criteria NDPP (Firewall and IPS)
Common Access Card (CAC) Supported

High availability No Active/standby

HARDWARE SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

Form factor Desktop

Power supply 24W external

Maximum power consumption (W) 6.4 / 11.3 6.9 / 11.3

Input power 100 to 240 VAC, 50-60 Hz, 1 A

Total heat dissipation 21.8 / 38.7 BTU 23.5 / 38.7 BTU

Dimensions

Weight

WEEE weight

Shipping weight

3.6 x 14.1 x 19 cm

1.42 x 5.55 x 7.48 in

0.34 kg / 0.75 lbs

0.48 kg / 1.06 lbs

0.80 kg / 1.76 lbs

0.94 kg / 2.07 lbs

1.20 kg / 2.64 lbs

1.34 kg / 2.95 lbs

MTBF (in years) 58.9/56.1 (wireless) 56.1

Environment (Operating/Storage) 32°-105° F (0°-40° C)/-40° to 158° F (-40° to 70° C)

Humidity 5-95% non-condensing

REGULATORY SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

FCC Class B, ICES Class B, CE (EMC, LVD,

Major regulatory compliance (wired models)

RoHS), C-Tick, VCCI Class B, UL, cUL,

TUV/GS, CB, Mexico CoC by UL, WEEE,

REACH, KCC/MSIP

FCC Class B, FCC RF ICES Class B, IC RF

Major regulatory compliance (wireless models)

CE (RED, RoHS), RCM, VCCI Class B, MIC/
TELEC, UL, cUL, TUV/GS, CB, Mexico CoC

by UL, WEEE, REACH

INTEGRATED WIRELESS SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

Standards

Frequency bands

5

802.11a: 5.180-5.825 GHz; 802.11b/g:

802.11 a/b/g/n

2.412-2.472 GHz; 802.11n: 2.412-2.472

GHz, 5.180-5.825 GHz

LDAP (multiple domains), XAUTH/

RADIUS, SSO, Novell, internal user

database, Terminal Services, Citrix,

Common Access Card (CAC)

24W external

24W external

65W external

(TZ300P only)

6.9 / 12.0 6.9 / 12.0

23.5 / 40.9 BTU 23.5 / 40.9 BTU

3.5 x 13.4 x 19 cm

1.38 x 5.28 x 7.48 in

3.5 x 13.4 x 19 cm

1.38 x 5.28 x 7.48

in

0.73 kg / 1.61 lbs

0.84 kg / 1.85 lbs

1.15 kg / 2.53 lbs

1.26 kg / 2.78 lbs

1.37 kg / 3.02 lbs

1.48 kg / 3.26 lbs

0.73 kg / 1.61 lbs

0.84 kg / 1.85 lbs

1.15 kg / 2.53 lbs

1.26 kg / 2.78 lbs

1.37 kg / 3.02 lbs

1.48 kg / 3.26 lbs

56.1 56.1

FCC Class B, ICES Class B, CE (EMC, LVD,

RoHS), C-Tick, VCCI Class B, UL, cUL,

TUV/GS, CB, Mexico CoC by UL, WEEE,

REACH, KCC/MSIP

FCC Class B, FCC RF ICES Class B, IC

RF CE (RED, RoHS), RCM, VCCI Class B,

MIC/TELEC, UL, cUL, TUV/GS, CB, Mexico

CoC by UL, WEEE, REACH

802.11a/b/g/n/ac (WEP, WPA, WPA2,

802.11i, TKIP, PSK,02.1x, EAP-PEAP,
EAP-TTLS

802.11a: 5.180-5.825 GHz; 802.11b/g:

2.412-2.472 GHz; 802.11n: 2.412-2.472

GHz, 5.180-5.825 GHz; 802.11ac: 2.412-

2.472 GHz, 5.180-5.825 GHz

14

SonicWall TZ series system specications cont'd

INTEGRATED WIRELESS SOHO SERIES SOHO 250 SERIES TZ300 SERIES TZ350 SERIES

Operating Channels

Transmit output power

Transmit power control

Data rates supported

Modulation technology spectrum

802.11a: US and Canada 12, Europe 11,

Japan 4, Singapore 4, Taiwan 4; 802.11b/g:

US and Canada 1-11, Europe 1-13, Japan

1-14 (14-802.11b only); 802.11n (2.4

GHz): US and Canada 1-11, Europe 1-13,

Japan 1-13; 802.11n (5 GHz): US and

Canada 36-48/149-165, Europe 36-48,

Japan 36-48, Spain 36-48/52-64;

Based on the regulatory domain specied by the system administrator

Supported

802.11a: 6, 9, 12, 18, 24, 36, 48, 54 Mbps
per channel; 802.11b: 1, 2, 5.5, 11 Mbps

per channel; 802.11g: 6, 9, 12, 18, 24, 36,

48, 54 Mbps per channel; 802.11n: 7.2,

14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2, 15,
30, 45, 60, 90, 120, 135, 150 Mbps per

channel

802.11a: Orthogonal Frequency Division
Multiplexing (OFDM); 802.11b: Direct

Sequence Spread Spectrum (DSSS);

802.11g: Orthogonal Frequency Division
Multiplexing (OFDM)/Direct Sequence

Spread Spectrum (DSSS); 802.11n:

Orthogonal Frequency Division Multiplexing

(OFDM)

802.11a: US and Canada 12, Europe
11, Japan 4, Singapore 4, Taiwan 4;

802.11b/g: US and Canada 1-11, Europe
1-13, Japan 1-14 (14-802.11b only);

802.11n (2.4 GHz): US and Canada 1-11,
Europe 1-13, Japan 1-13; 802.11n (5

GHz): US and Canada 36-48/149-165,
Europe 36-48, Japan 36-48, Spain 36-

48/52-64; 802.11ac: US and Canada 36-

48/149-165, Europe 36-48, Japan 36-48,

Spain 36-48/52-64

802.11a: 6, 9, 12, 18, 24, 36, 48, 54

Mbps per channel; 802.11b: 1, 2, 5.5,

11 Mbps per channel; 802.11g: 6, 9, 12,

18, 24, 36, 48, 54 Mbps per channel;

802.11n: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8,

65, 72.2, 15, 30, 45, 60, 90, 120, 135,
150 Mbps per channel; 802.11ac: 7.2,

14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2,

86.7, 96.3, 15, 30, 45, 60, 90, 120, 135,
150, 180, 200, 32.5, 65, 97.5, 130, 195,

260, 292.5, 325, 390, 433.3, 65, 130,

195, 260, 390, 520, 585, 650, 780, 866.7

Mbps per channel

802.11a: Orthogonal Frequency Division
Multiplexing (OFDM); 802.11b: Direct

Sequence Spread Spectrum (DSSS);

802.11g: Orthogonal Frequency
Division Multiplexing (OFDM)/Direct
Sequence Spread Spectrum (DSSS);

802.11n: Orthogonal Frequency

Division Multiplexing (OFDM); 802.11ac:

Orthogonal Frequency Division

Multiplexing (OFDM)

*Future use.

1

Testing Methodologies: Maximum per formance based on RFC 2544 (for rewall). Actual performance may vary depending on net work conditions and ac tivated services.

2

Threat Prevention/ GatewayAV/Anti-Spyware/IPS throughput measured using indus try standard Spirent WebAvalanche HT TP perfor mance test and Ixia test tools. Testing
done with multiple ows through multiple port pairs. Threat Prevention throughput measured with Gateway AV, Anti-Spy ware, IPS and Applicat ion Control enabled.

3

VPN throughput measured using UDP trafc at 1280 by te packet size adhering to RFC 254 4. All speci cat ions, features and availability are subject to change.

4

BGP is available only on SonicWall TZ400, TZ500 and T Z60 0.

5

All TZ integr ated wireless models can support either 2.4GHz or 5GHz band. For dual-band support, please use SonicWall's wireless access point products

15

SonicWall TZ series system specications cont'd

FIREWALL GENERAL TZ400 SERIES TZ500 SERIES TZ600 SERIES

Operating system SonicOS

Interfaces

7x1GbE, 1 USB,

1 Console

8x1GbE, 2 USB,

1 Console

Power over Ethernet (PoE) support — —

Expansion USB 2 USB Expansion Slot (Rear)*, 2 USB

Management CLI, SSH, Web UI, Capture Security Center, GMS, REST APIs

Single Sign-On (SSO) Users 500 500 500
VLAN interfaces 50 50 50
Access points supported (maximum) 16 16 24

FIREWALL/VPN PERFORMANCE TZ400 SERIES TZ500 SERIES TZ600 SERIES

Firewall inspection throughput

Threat Prevention throughput

Application inspection throughput
IPS throughput

2

Anti-malware inspection throughput
TLS/SSL inspection and decryption throughput

(DPI SSL)

2

IPSec VPN throughput

1

2

2

1.3 Gbps 1.4 Gbps 1.9 Gbps

600 Mbps 700 Mbps 800 Mbps

1.2 Gbps 1.3 Gbps 1.8 Gbps

900 Mbps 1.0 Gbps 1.2 Gbps

2

600 Mbps 700 Mbps 800 Mbps

180 Mbps 225 Mbps 300 Mbps

3

900 Mbps 1.0 Gbps 1.1 Gbps

Connections per second 6,000 8,000 12,000

Maximum connections (SPI) 150,000 150,000 150,000
Maximum connections (DPI) 125,000 125,000 125,000
Maximum connections (DPI SSL) 25,000 25,000 25,000

VPN TZ400 SERIES TZ500 SERIES TZ600 SERIES

Site-to-site VPN tunnels 20 25 50
IPSec VPN clients (maximum) 2 (25) 2 (25) 2 (25)
SSL VPN licenses (maximum) 2 (100) 2 (150) 2 (200)
Virtual assist bundled (maximum) 1 (30-day trial) 1 (30-day trial) 1 (30-day trial)
Encryption/authentication DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B Cryptography
Key exchange Dife Hellman Groups 1, 2, 5, 14v
Route-based VPN RIP, OSPF, BGP

Certicate support

VPN features

Global VPN client platforms supported

NetExtender

Microsoft Windows Vista 32/64-bit, Windows 7, Windows 8.0 32/64-bit, Windows 8.1 32/64-bit,

Verisign, Thawte, Cybertrust, RSA Keon, Entrust and Microsoft CA for

SonicWall-to- SonicWall VPN, SCEP

Dead Peer Detection, DHCP Over VPN, IPSec NAT Traversal,

Redundant VPN Gateway, Route-based VPN

Microsoft® Windows Vista 32/64-bit, Windows 7 32/64-bit,

Windows 8.0 32/64-bit, Windows 8.1 32/64-bit, Windows 10

Mac OS X 10.4+, Linux FC3+/Ubuntu 7+/OpenSUSE
Mobile Connect Apple® iOS, Mac OS X, Google® Android™, Kindle Fire, Chrome, Windows 8.1 (Embedded)

SECURITY SERVICES TZ400 SERIES TZ500 SERIES TZ600 SERIES

Deep Packet Inspection services Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, DPI SSL

Content Filtering Service (CFS)

HTTP URL, HTTPS IP, keyword and content scanning, Comprehensive ltering based on le types

such as ActiveX, Java, Cookies for privacy, allow/forbid lists
Comprehensive Anti-Spam Service Supported
Application Visualization Yes Yes Yes
Application Control Yes Yes Yes
Capture Advanced Threat Protection Yes Yes Yes

NETWORKING TZ400 SERIES TZ500 SERIES TZ600 SERIES

IP address assignment Static, (DHCP, PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP relay

NAT modes 1:1, 1:many, many:1, many:many, exible NAT (overlapping IPs), PAT, transparent mode

Routing protocols

4

BGP4, OSPF, RIPv1/v2, static routes, policy-based routing

QoS Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1e (WMM)

10x1GbE, 2 USB,

1 Console,

1 Expansion Slot

TZ600P - 4 ports

(4 PoE or 4 PoE+)

16

SonicWall TZ series system specications cont'd

NETWORKING TZ400 SERIES TZ500 SERIES TZ600 SERIES

Authentication LDAP (multiple domains), XAUTH/RADIUS, SSO, Novell, internal user database,

Local user database 150 250

VoIP Full H.323v1-5, SIP

Standards TCP/IP, UDP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS,

Certications FIPS 140-2 (with Suite B) Level 2, UC APL, VPNC, IPv6 (Phase 2), ICSA Network Firewall, ICSA

Certications pending Common Criteria NDPP (Firewall and IPS)

Common Access Card (CAC) Suppor ted

High availability Active/standby Active/Standby with stateful synchronization

HARDWARE TZ400 SERIES TZ500 SERIES TZ600 SERIES

Form factor Desktop

Power supply 24W external 36W external 60W external

Maximum power consumption (W) 9.2 / 13.8 13.4 / 17.7 16.1

Input power 100-240 VAC, 50-60 Hz, 1 A

Total heat dissipation 31.3 / 47.1 BTU 45.9 / 60.5 BTU 55.1 BTU

Dimensions 3.5 x 13.4 x 19 cm

1.38 x 5.28 x 7.48 in

Weight 0.73 kg / 1.61 lbs

0.84 kg / 1.85 lbs

WEEE weight 1.15 kg / 2.53 lbs

1.26 kg / 2.78 lbs

Shipping weight 1.37 kg / 3.02 lbs

1.48 kg / 3.26 lbs

MTBF (in years) 54.0 40.8 18.4

Environment (Operating/Storage) 32°-105° F (0°-40° C)/-40° to 158° F (-40° to 70° C)

Humidity 5-95% non-condensing

REGULATORY TZ400 SERIES TZ500 SERIES TZ600 SERIES

Major regulatory compliance (wired models) FCC Class B, ICES Class B,

CE (EMC, LVD, RoHS), C-Tick,

VCCI Class B, UL, cUL, TUV/

GS, CB, Mexico CoC by UL,

WEEE, REACH, KCC/MSIP

Major regulatory compliance (wireless models) FCC Class B, FCC RF ICES

Class B, IC RF CE (RED, RoHS),

RCM, VCCI Class B, MIC/

TELEC, UL, cUL, TUV/GS, CB,

Mexico CoC by UL, WEEE,

REACH

Terminal Services, Citrix, Common Access Card (CAC)

IEEE 802.3

Anti-virus

3.5 x 15 x 22.5 cm

1.38 x 5.91 x 8.86 in

0.92 kg / 2.03 lbs

1.05 kg / 2.31 lbs

1.34 kg / 2.95 lbs

1.48 kg / 3.26 lbs

1.93 kg / 4.25 lbs

2.07 kg / 4.56 lbs

FCC Class B, ICES Class B,

CE (EMC, LVD, RoHS), C-Tick,

VCCI Class B, UL, cUL, TUV/

GS, CB, Mexico CoC by UL,

WEEE, REACH, BSMI, KCC/

MSIP

FCC Class B, FCC RF ICES

Class B, IC RF CE (RED, RoHS),

RCM, VCCI Class B, MIC/

TELEC, UL, cUL, TUV/GS, CB,

Mexico CoC by UL, WEEE,

REACH

1.38 x 7.09 x 11.02 in

FCC Class A, ICES Class A,

CE (EMC, LVD, RoHS), C-Tick,

VCCI Class A, UL cUL, TUV/GS,

CB, Mexico CoC by UL, WEEE,

REACH, KCC/MSIP

180W external

(TZ600P only)

3.5 x 18 x 28 cm

1.47 kg / 3.24 lbs

1.89 kg /4.16 lbs

2.48 kg / 5.47 lbs

—

17

SonicWall TZ series system specications cont'd

INTEGRATED WIRELESS TZ400 SERIES TZ500 SERIES TZ600 SERIES

Standards 802.11a/b/g/n/ac (WEP, WPA, WPA2, 802.11i, TKIP, PSK,02.1x,

EAP-PEAP, EAP-TTLS

Frequency bands

5

802.11a: 5.180-5.825 GHz; 802.11b/g: 2.412-2.472 GHz;

802.11n: 2.412-2.472 GHz, 5.180-5.825 GHz; 802.11ac: 2.412-

2.472 GHz, 5.180-5.825 GHz

Operating Channels 802.11a: US and Canada 12, Europe 11, Japan 4, Singapore

4, Taiwan 4; 802.11b/g: US and Canada 1-11, Europe 1-13,

Japan 1-14 (14-802.11b only); 802.11n (2.4 GHz): US and

Canada 1-11, Europe 1-13, Japan 1-13; 802.11n (5 GHz): US

and Canada 36-48/149-165, Europe 36-48, Japan 36-48, Spain

36-48/52-64; 802.11ac: US and Canada 36-48/149-165, Europe

36-48, Japan 36-48, Spain 36-48/52-64

Transmit output power Based on the regulatory domain specied by the system

administrator

Transmit power control Supported —

Data rates supported

802.11a: 6, 9, 12, 18, 24, 36, 48, 54 Mbps per channel; 802.11b:
1, 2, 5.5, 11 Mbps per channel; 802.11g: 6, 9, 12, 18, 24, 36, 48,

54 Mbps per channel; 802.11n: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8,

65, 72.2, 15, 30, 45, 60, 90, 120, 135, 150 Mbps per channel;

802.11ac: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2, 86.7, 96.3,

15, 30, 45, 60, 90, 120, 135, 150, 180, 200, 32.5, 65, 97.5, 130,

195, 260, 292.5, 325, 390, 433.3, 65, 130, 195, 260, 390, 520,

585, 650, 780, 866.7 Mbps per channel

Modulation technology spectrum

802.11a: Orthogonal Frequency Division Multiplexing (OFDM);

802.11b: Direct Sequence Spread Spectrum (DSSS); 802.11g:
Orthogonal Frequency Division Multiplexing (OFDM)/Direct

Sequence Spread Spectrum (DSSS); 802.11n: Orthogonal

Frequency Division Multiplexing (OFDM); 802.11ac: Orthogonal

Frequency Division Multiplexing (OFDM)

—

—

—

—

—

—

18

SonicWall TZ Series ordering information

Product SKU

SOHO 250 with 1-year TotalSecure Advanced Edition 02-SSC-1815

SOHO 250 Wireless-AC with 1-year TotalSecure Advanced Edition 02-SSC-1824

TZ300 with 1-year TotalSecure Advanced Edition 01-SSC-1702

TZ300 Wireless-AC with 1-year TotalSecure Advanced Edition 01-SSC-1703

TZ300P with 1-year TotalSecure Advanced Edition 02-SSC-0602

TZ350 with 1-year TotalSecure Advanced Edition 02-SSC-1843

TZ350 Wireless-AC with 1-year TotalSecure Advanced Edition 02-SSC-1851

TZ400 with 1-year TotalSecure Advanced Edition 01-SSC-1705

TZ400 Wireless-AC with 1-year TotalSecure Advanced Edition 01-SSC-1706

TZ500 with 1-year TotalSecure Advanced Edition 01-SSC-1708

TZ500 Wireless-AC with 1-year TotalSecure Advanced Edition 01-SSC-1709

TZ600 with 1-year TotalSecure Advanced Edition 01-SSC-1711

TZ600P with 1-year TotalSecure Advanced Edition 02-SSC-0600

High availability options (each unit must be the same model)

TZ500 High Availability 01-SSC-0439

TZ600 High Availability 01-SSC-0220

Services SKU

For SonicWall SOHO 250 Series

Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
Shadow IT Visibility, and 24x7 Support (1-year)

Capture Advanced Threat Protection for SOHO 250 (1-year) 02-SSC-1732

Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 02-SSC-1750

Content Filtering Service (1-year) 02-SSC-1744

Comprehensive Anti-Spam Service (1-year) 02-SSC-1823

24x7 Support (1-year) 02-SSC-1720

For SonicWall TZ300 Series

Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
Shadow IT Visibility, and 24x7 Support (1-year)

Capture Advanced Threat Protection for TZ300 (1-year) 01-SSC-1435

Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 01-SSC-0602

Content Filtering Service (1-year) 01-SSC-0608

Comprehensive Anti-Spam Service (1-year) 01-SSC-0632

24x7 Support (1-year) 01-SSC-0620

For SonicWall TZ350 Series

Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
Shadow IT Visibility, and 24x7 Support (1-year)

Capture Advanced Threat Protection for TZ350 (1-year) 02-SSC-1779

Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 02-SSC-1797

Content Filtering Service (1-year) 02-SSC-1791

Comprehensive Anti-Spam Service (1-year) 02-SSC-1809

24x7 Support (1-year) 02-SSC-1767

02-SSC-1726

01-SSC-1430

02-SSC-1773

19

SonicWall TZ Series ordering information

For SonicWall TZ400 Series

Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
Shadow IT Visibility, and 24x7 Support (1-year)

Capture Advanced Threat Protection for TZ400 (1-year) 01-SSC-1445

Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 01-SSC-0534

Content Filtering Service (1-year) 01-SSC-0540

Comprehensive Anti-Spam Service (1-year) 01-SSC-0561

24x7 Support (1-year) 01-SSC-0552

For SonicWall TZ500 Series

Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
Shadow IT Visibility, and 24x7 Support (1-year)

Capture Advanced Threat Protection for TZ500 (1-year) 01-SSC-1455

Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 01-SSC-0458

Content Filtering Service (1-year) 01-SSC-0464

Comprehensive Anti-Spam Service (1-year) 01-SSC-0482

24x7 Support (1-year) 01-SSC-0476

For SonicWall TZ600 Series

Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
Shadow IT Visibility, and 24x7 Support (1-year)

Capture Advanced Threat Protection for TZ600 (1-year) 01-SSC-1465

Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year) 01-SSC-0228

Content Filtering Service (1-year) 01-SSC-0234

Comprehensive Anti-Spam Service (1-year) 01-SSC-0252

24x7 Support (1-year) 01-SSC-0246

01-SSC-1440

01-SSC-1450

01-SSC-1460

Regulatory model numbers

SOHO/SOHO Wireless A PL31- 0B9/AP L41-0BA

SOHO 250/SOHO 250 Wireless AP L41-0D6 /A P L41-0B A

TZ300/ TZ300 Wireless/

TZ300P

TZ350/ TZ350 Wireless APL28-0B4/APL28-0B5

TZ400/ TZ400 Wireless APL28-0B4/APL28-0B5

TZ500/ TZ500 Wireless APL29-0B6/APL29-0B7

TZ600/ TZ600P APL30-0B8/APL48-0D3

The Gartner Peer Insights Customers’ Choice logo is a trademark and service mark of Gartner, Inc., and/or its afliates, and is used herein with permission. All rights reser ved. Gartner Peer Insights
Customers’ Choice distinctions are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and
overall ratings for a given vendor in the market, as further described here, and are not intended in any way to represent the views of Gartner or its afliates.

SonicWall, Inc.

1033 McCarthy Boulevard | Milpitas, CA 95035
Refer to our website for additional information.

www.sonicwall.com

APL28-0B4/APL28-0B5/
AP L 47- 0 D2

© 2019 SonicWall Inc. ALL RIGHTS RESERVED. SonicWall is a
trademark or registered trademark of SonicWall Inc. and/or its

aliates in the U.S.A. and/or other countries. All other trademarks and
registered trademarks are property of their respective owners.

Datasheet-TZ Series-US-VG-340

SonicWall has been ghting the cybercriminal industry for over
27 years defending small and medium businesses, enterprises
and government agencies worldwide. Backed by research
from SonicWall Capture Labs, our award- winning, real-time

breach detection and prevention solutions secure more than a

million networks, and their emails, applications and data, in over

215 countries and territories. These organizations run more

effectively and fear less about security. For more information,

visit www.sonicwall.com or follow us on Twit t e r, LinkedIn,

Facebook and Instagram.

About SonicWall