United States - Cisco Next Generation Firewall (NGFW)
Details
- Opportunity closing date
- 06 June 2024
- Opportunity publication date
- 03 June 2024
- Value of contract
- to be confirmed
Description
*The purpose of today's amendment is to delete all option years, which makes this solicitation only for 12 months.*
C.1 OBJECTIVE
As part of the Hardware Lifecycle Refresh task, GPO intends to replace its legacy Cisco Next Generation Firewall (NGFW) with the most recent Cisco NGFW platforms at two (2) geographically separate GPO sites. The existing firewall platform is coming to End of Life and End of Support.
The Government Publishing Office (GPO) is seeking a qualified Contractor to provide all hardware components listed in section B.2 and to provide end-to-end installation, configuration, and implementation services at the two (2) GPO locations (GPO Data Center in Northern Virginia and Headquarters locations), including hardware and software maintenance and technical support, and to provide expert professional services to assist GPO with installation, configuration, validation testing, and operational activation of the new NGFW. The new NGFW system should be installed without disrupting the current GPO system. The intent is for the new NGFW system to replace the current GPO firewall system and take over all of its functions at the two (2) GPO locations (GPO Data Center and Headquarters locations) at the conclusion of the project.
C.2 Technical Requirements
C.2.1 Capacity and Performance
2 x 100Gbps physical interfaces capable of being configured as trunks and sub-interfaces
8 x 10/40Gbps physical interfaces capable of being configured as trunks and sub-interfaces
1/10 Gbps Out of Band management interface
Firewall throughput: inner tier > 60 Gbps; outer tier > 40 Gbps
Throughput with all Next Gen features running: inner tier > 40 Gbps; outer tier > 20 Gbps
TLS decryption > 5 Gbps
IPsec VPN throughput > 5 Gbps
Concurrent connections with full Next Gen inspection > 2 million
Maximum new connections per second > 100K
C.2.2 Management
Centralized management of all physical and virtual firewalls in the domain, including cloud-based ones, via a multi-faceted GUI-based controller.
This should include an at-a-glance view of the general health and performance of the environment.
Support for administrative role-based access for authentication and authorization via a variety of services, including:
TACACS+
RADIUS
Active Directory/LDAP/Kerberos
SAML
Multifactor Authentication incorporating the above and second factors from providers such as RSA SecurID, Okta Adaptive, etc.
Notifications via email and/or SNMP in reaction to single or a threshold of events occurring on the firewall
Built-in optimization tools such as rules shadowing identification, hit counts, rule usage information
Built-in troubleshooting tools such as packet captures, traffic tracing
Comprehensive logging to remote destinations via Syslog or SNMP, with the ability to filter and transmit specific logs to a variety of destinations, and the ability to take actions such as Block or Alert based on specific log entries.
Comprehensive views, via the local management console, of traffic and events occurring on and through the firewalls.
Shall provide a set of individual and summarized, canned reports on web browsing activity including: most attempts to access blocked sites by user and highest web traffic (usage) by user.
Able to integrate with the Windows Server 2019 environment to correlate AD user and group information with IP addresses.
Firewall rules must be exportable from the NGFW in a file format that can be sorted (expanded) and searched by components such as ports, protocols, zones, interfaces, etc. (CSV format is highly desirable; TXT format is required).
An API interface
Interfaced with SolarWinds for proactive monitoring of the uptime of both virtual and physical interfaces, as well as 24x7 monitoring of all critical services
C.2.3 High Availability
Ability to run in a hitless high availability scenario, either Active/Active or Active/Standby, including the ability to selectively decide what constitutes a failure, such as specific groups of interfaces or reachability to an external target
C.2.4 Access Control
Access control based on ports and protocols at a minimum but must also include additional access controls listed below.
Access control via well-known applications regardless of port, and the ability to add new applications and customize applications.
Access control based on URLs, including browsing that runs on ports other than the well-known ports of 80 and 443
Access control based on source user-id.
Support for dynamic local allow and blocklists, and external lists and feeds that can be imported by the firewalls and applied to rules. These lists should include components that can be defined by IP address, URL or user-id. Dynamic Group
Expansive URL categorization, and filtering based on these URL categories to control access to inappropriate and dangerous web sites.
Web Access Firewall (WAF) functionality (outer tier) or tight integration with a separate WAF is desirable.
C.2.5 Next Generation IPS and Traffic Inspection
Automatic Threat feed and IPS signature update
Support for:
Anti-Virus
Anti-Spyware
Data Loss Protection
File access control – including multi-level decoding of zipped files
Zero-day malware inspection and sandboxing
C.2.6 Denial of Service (DoS) Protection
Denial of Service protection for individual or aggregate devices, including SYN, ICMP and UDP flood protection.
Protection against reconnaissance such as port scans and host sweeps.
Protection against packet attacks such as non-SYN initial packets and too-large or otherwise malformed packets.
Protection against unexpected-protocol attacks.
About the buyer
- Address
- Acquisition Services
The deadline to apply for this opportunity has passed.