Data Sheet

McAfee Next Generation Firewall

McAfee Next Generation Firewall protects enterprise networks with high-performance intelligence aware security supported by real-time updates from the Security Connected ecosystem. This enables McAfee, a part of Intel Security, to deliver the industry's best defense against advanced evasions, along with complete next-generation firewall (NGFW) protections when and where you need it: at remote sites, branch offices, data centers, and the network edge.

Key Benefits
- The best protection for your business and digital assets.
- Adapts easily to your security needs.
- Scales effortlessly as your business grows.
- Optimizes productivity of employees and customers.
- Lowers TCO for both your security and network infrastructure.

Key Features
- Superior NGFW protection.
- Intelligence aware security controls.
- Advanced evasion prevention.
- Unified software core design.
- High availability options for security and network infrastructure.
- Powerful centralized management.
- Built-in SSL VPN and IPsec VPN.

McAfee Next Generation Firewall starts with a solid foundation of protections, including granular application control, an intrusion prevention system (IPS), built-in virtual private network (VPN), and deep packet inspection, all in an efficient, extensible, and highly scalable unified design. Then we add powerful anti-evasion technologies that decode and normalize network traffic, before inspection and across all protocol layers, to expose and block the most advanced attack methods.

Superior Flexibility to Keep Pace with Changing Security Needs

A unified software core enables McAfee Next Generation Firewall to easily change security roles, from NGFW to IPS to layer 2 firewall, in dynamic business environments. The unified software core also serves to optimize the data plane, providing a significant performance advantage regardless of security role or number of active security features. For even more flexibility, McAfee Next Generation Firewall can be deployed in a wide variety of formats: as a physical appliance, software solution, virtual appliance, or as virtual contexts on a physical appliance.

Figure 1. McAfee Next Generation Firewall adapts to multiple roles and installations. (Figure labels: Security Management Center; Licensing and Operating Roles: FW/VPN, IPS, L2FW; installation formats: Physical NGFW, Virtual, Software; Unified Software Core.)
Data Sheet

High Scalability and Availability to Secure McAfee Next Generation Firewall uses a
Business-Critical Applications variety of techniques on network traffic to
Todays businesses demand fully resilient identify applications and users at a granular
network security solutions. McAfee Next level. Security policies can then be applied
Generation Firewall delivers high scalability and based on strict business rules. Then McAfee
availability in three powerful ways: Next Generation Firewall performs specialized
deep packet inspection, including advanced
Native active clustering: Up to 16 techniques such as full stack normalization and
nodes can be clustered together, horizontal data stream-based inspection. These
providing superior performance and techniques normalize traffic flows, enabling
resiliency when running demanding McAfee to expose AETs and traffic anomalies
security applications, such as deep that other NGFWs miss. Only after traffic
packet inspection and VPNs. has been fully normalized can it be properly
Transparent session failover: Provides inspected across all protocols and layers for
industry-leading availability and threats and malware. And only McAfee Next
serviceability of security systems. Generation Firewall has been successfully
McAfee Next Generation Firewall tested against more than 800 million AETs.
even supports transparent failover
for multiple software and hardware Knowledge Is Power
versions within the same cluster. Point security solutions restrict knowledge
McAfee Multi-Link: Extends high sharing, weakening their ability to recognize
availability coverage to network and and block threats. The Security Connected
IPsec VPN connections. Provides threat ecosystem enables rapid sharing
the confidence of non-stop security of extensive real-time threat information,
along with high performance for every empowering organizations to defeat
deployment. cybercrime with the latest global and local
threat knowledge. Security Connected enables
McAfee Next Generation Firewall to leverage
Unmatched Protection to Keep Your
threat information from a wide variety of third
Business in Business
party sources, as well as other McAfee security
Its no secret. Every day attackers get better at
solutions including:
penetrating enterprise networks, applications,
data centers, and endpoints. Once inside, ePolicy Orchestrator (McAfee
they can steal intellectual property, customer ePO) software: Allows McAfee Next
information, and other sensitive data, causing Generation Firewall to obtain contextual
irreparable damage to your business and global information from users and their host
reputation. systems, providing valuable insights
into endpoint security postures. This
Unknown to many security administrators,
information can also be used to simplify
determined attackers can use advanced
workflows when troubleshooting or
evasion techniques (AETs) to bypass most of
investigating threats or problems.
todays security devices. AETs deliver advanced
persistent threats (APTs) through advanced McAfee Enterprise Security Manager:
techniques such as masking and obfuscation. Ensures continuous monitoring and
Once inside your network, threats are alerting of compliance status, providing
reassembled. Here they can hide, execute, and real-time situational awareness while
propagate unchallenged. improving security posture and
reducing event response times.

McAfee Next Generation Firewall 2


Data Sheet

McAfee Advanced Threat Defense: Powerful Centralized Management for


Delivers superior protection against Lower TCO
zero-day threats through dynamic In order to contain costs and optimize resources,
sandboxing of malware and static todays businesses need operational and
inspection of suspect code. McAfee workflow efficiency when managing their
Advanced Threat Defense integration NGFWs. McAfee Security Management Center
also allows McAfee Next Generation provides centralized management and visibility
Firewall to offload inspection of suspect of any role or features used on McAfee Next
files for rapid threat feedback without Generation Firewall. From a central location,
impacting network performance. McAfee Security Management Center gains deep
McAfee Global Threat Information: insight into applications, user traffic, and shared
Provides McAfee Next Generation content. A simple graphical user interface
Firewall with superior reputation enables easy configuration, management, and
intelligence to protect against globally monitoring of the entire system, lowering
active advanced threats and malware. operational expenses so you can keep your
business running smoothly as threats and
Security Connected, along with the flexibility related security needs evolve.
of McAfee Next Generation Firewall, enables
dynamic enterprises to quickly and easily
deploy multilayered security solutions when
and where they are needed.
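The "data stream-based inspection" described above rests on one idea: reassemble the flow into the byte stream the receiving host will see, then inspect that, rather than each packet on its own. The following is an added illustration written for this page, not McAfee's code; the TCP segments, the benign marker and the overlap policy are all constructed assumptions.

```python
"""Per-segment versus normalized stream inspection (added example).

A constructed TCP flow arrives out of order with an overlapping
retransmission; a benign marker spans three segment boundaries."""
from typing import List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)
PATTERN = b"MARKER-PATTERN"  # constructed stand-in for a real signature

# Constructed arrival order: seq 43 arrives before seq 37, and the final
# segment retransmits bytes 34..42 that were already delivered.
SEGMENTS: List[Segment] = [
    (0, b"GET /index.html HTTP/1.1\r\nX-Note: MAR"),  # bytes 0..36
    (43, b"TTERN\r\n\r\n"),                             # bytes 43..51
    (37, b"KER-PA"),                                    # bytes 37..42
    (34, b"MARKER-PA"),                                 # overlap, 34..42
]


def per_segment_match(segments: List[Segment], pattern: bytes) -> bool:
    """Naive inspection: each payload is examined on its own."""
    return any(pattern in payload for _, payload in segments)


def reassemble(segments: List[Segment], overlap: str = "first") -> Tuple[bytes, bool]:
    """Rebuild the stream in sequence order; return (stream, complete).

    "first" keeps bytes seen first, "last" lets a retransmission overwrite
    them. The normalizer must apply the policy of the host it protects,
    or it inspects a different stream than the one the host processes."""
    stream, seen = bytearray(), bytearray()  # seen[i] == 1 once written
    for seq, payload in segments:
        end = seq + len(payload)
        if end > len(stream):
            stream.extend(bytes(end - len(stream)))
            seen.extend(bytes(end - len(seen)))
        for i, byte in enumerate(payload):
            if overlap == "last" or not seen[seq + i]:
                stream[seq + i] = byte
                seen[seq + i] = 1
    return bytes(stream), all(seen)


def inspect_stream(segments: List[Segment], pattern: bytes) -> str:
    """Normalize first, then inspect: 'match', 'clean' or 'incomplete'."""
    stream, complete = reassemble(segments)
    if not complete:
        return "incomplete"  # a gap gives no verdict, not a pass
    return "match" if pattern in stream else "clean"
```

Run against the constructed flow, per_segment_match returns False while inspect_stream returns "match"; a flow with a missing segment returns "incomplete" rather than silently passing.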

McAfee Next Generation Firewall Specifications

Supported Platforms
Appliances: Multiple hardware appliances with firewall throughput of 5 Gbit/s to 120 Gbit/s. See the appliance comparison data sheets for more details.
Software Appliance: x86-based systems
Virtual Appliance: VMware ESX and KVM support
Supported Roles: Firewall/VPN (layer 3), IPS mode (layer 2), layer 2 firewall
Virtual Contexts: Virtualization to separate logical contexts (FW, IPS, or L2FW) with separate interfaces, addressing, routing, and policies

Firewall/VPN-Specific Functionality
General: Stateful and stateless packet filtering, circuit-level firewall with TCP proxy protocol agent
Firewall Protocol Agents: FTP, H.323, HTTP, HTTPS, IMAP4, MGCP, MS RPC, NetBIOS Datagram, Oracle SQL Net, POP3, RSH, RTSP, SCCP, SIP, SMTP, SSH, SunRPC, TCP Proxy, TFTP
User Authentication: Internal user database, LDAP, Microsoft Active Directory, RADIUS, TACACS+
High Availability:
  Active-active/active-standby firewall clustering up to 16 nodes
  Stateful failover (including VPN connections)
  VRRP
  Server load balancing
  Link aggregation (802.3ad)
  Link failure detection
ISP Multihoming: McAfee Multi-Link: high availability and load balancing between multiple ISPs, including VPN connections, McAfee Multi-Link VPN link aggregation, QoS-based link selection
IP Address Assignment:
  FW clusters: static, IPv4, IPv6
  FW single nodes: static, DHCP, PPPoA, PPPoE, IPv4, static IPv6
  Services: DHCP server and DHCP relay for IPv4
Address Translation:
  IPv4, IPv6
  Static NAT, source NAT with port address translation (PAT), destination NAT with PAT
Routing: Static IPv4 and IPv6 routes, policy-based routing, static multicast routing
Dynamic Routing: IGMP proxy, RIPv2, RIPng, OSPFv2, OSPFv3, BGP, PIM-SM
IPv6: Dual stack IPv4/IPv6, ICMPv6, DNSv6
SIP: Allows RTP media streams dynamically, NAT traversal, deep inspection, interoperability with RFC3261-compliant SIP devices
CIS Redirection: HTTP, FTP, SMTP protocol redirection to content inspection server (CIS)

IPsec VPN
Protocols: IKEv1, IKEv2, and IPsec with IPv4 and IPv6
Encryption: AES-128, AES-256, AES-GCM-128, AES-GCM-256, Blowfish, DES, 3DES (1)
Message Digest Algorithms: AES-XCBC-MAC, MD5, SHA-1, SHA-2-256, SHA-2-512
Diffie-Hellman: DH group 1, 2, 5, 14, 19, 20, 21
Authentication: RSA, DSS, ECDSA signatures with X.509 certificates, pre-shared keys, hybrid, XAUTH, EAP
Other:
  IPCOMP deflate compression
  NAT-T
  Dead peer detection
  MOBIKE
Site-to-Site VPN:
  Policy-based VPN, route-based VPN (GRE, IP-IP, SIT)
  Hub and spoke, full mesh, partial mesh topologies
  McAfee Multi-Link fuzzy-logic-based dynamic link selection
  McAfee Multi-Link modes: load sharing, active/standby, link aggregation
Client-to-Gateway VPN:
  IPsec VPN client for Microsoft Windows
  Automatic configuration updates from gateway
  Automatic failover with McAfee Multi-Link
  Client security checks
  Secure domain logon
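The IPsec VPN table lists everything the gateway can negotiate, from AES-GCM and DH group 21 down to DES, MD5 and DH group 1, so a deployment is only as strong as the proposal an administrator actually configures. The following added check, written for this page rather than taken from the data sheet, tests a proposal against that table; which supported entries count as acceptable is this example's own recommendation, and the two proposals are constructed.

```python
"""IPsec proposal check against the IPsec VPN table above (added example)."""
from typing import Dict, List, Optional

# Entries the data sheet lists as supported (footnote 1: license-dependent).
SUPPORTED = {
    "encryption": {"AES-128", "AES-256", "AES-GCM-128", "AES-GCM-256",
                   "Blowfish", "DES", "3DES"},
    "integrity": {"AES-XCBC-MAC", "MD5", "SHA-1", "SHA-2-256", "SHA-2-512"},
    "dh_group": {1, 2, 5, 14, 19, 20, 21},
}
# Subset this example treats as acceptable for new tunnels. The split is the
# example's own recommendation, not something the data sheet states.
ACCEPTABLE = {
    "encryption": {"AES-128", "AES-256", "AES-GCM-128", "AES-GCM-256"},
    "integrity": {"AES-XCBC-MAC", "SHA-2-256", "SHA-2-512"},
    "dh_group": {14, 19, 20, 21},
}
AEAD = {"AES-GCM-128", "AES-GCM-256"}  # carry their own integrity protection


def check_proposal(p: Dict[str, Optional[object]]) -> List[str]:
    """Return findings for one proposal; an empty list means it is clean."""
    findings: List[str] = []
    for field in ("encryption", "dh_group"):
        value = p.get(field)
        if value not in SUPPORTED[field]:
            findings.append(f"{field}={value!r}: not in the supported list")
        elif value not in ACCEPTABLE[field]:
            findings.append(f"{field}={value!r}: supported but weak, replace it")
    integrity = p.get("integrity")
    if p.get("encryption") not in AEAD:  # AEAD ciphers need no separate MAC
        if integrity is None:
            findings.append("integrity missing: required with a non-AEAD cipher")
        elif integrity not in SUPPORTED["integrity"]:
            findings.append(f"integrity={integrity!r}: not in the supported list")
        elif integrity not in ACCEPTABLE["integrity"]:
            findings.append(f"integrity={integrity!r}: supported but weak, replace it")
    if p.get("ike_version") != "IKEv2":
        findings.append("ike_version: prefer IKEv2; both IKEv1 and IKEv2 are supported")
    return findings


# Constructed proposals: a legacy tunnel and its hardened replacement.
LEGACY = {"ike_version": "IKEv1", "encryption": "3DES", "integrity": "MD5", "dh_group": 2}
HARDENED = {"ike_version": "IKEv2", "encryption": "AES-GCM-256",
            "integrity": None, "dh_group": 19}

if __name__ == "__main__":
    for name, proposal in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, check_proposal(proposal) or ["clean"])
```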
SSL VPN
Client-Based Access: Supported platforms: Android 4.0, Mac 10.7 (2) and Windows Vista SP2 (3) (and newer versions)
Portal-Based Access: OWA and Intranet access via SSL VPN portal through a browser

Antispam
Scanned Protocols: SMTP
Engine: Scoring-based spam detection
Filtering Methods:
  Customizable email envelope/header/content matching
  Local anti-spoofing and relay
  Honeypot filtering
  SPF/MX record matching
  DNS-based blacklists

IPS Mode and Layer 2 Firewall-Specific Functionality
General:
  Stateless packet filtering for Ethernet protocols (DIX/IEEE)
  Stateful packet filtering for IP protocols
  Logical interface matching for VLANs and physical interfaces
  VLAN re-tagging
  MAC address filtering
High Availability:
  Layer 2 firewall clustering (active-passive)
  IDS clustering (active-active/active-passive)
  IPS serial clustering (active-active)
  Fail-open interface support (IPS mode)
  Dynamic inspection overload handling (IPS mode)
General Functionality (All Roles)
Encapsulation: Ethernet, 802.1q VLAN, PPPoA (4), PPPoE (5)
Access Control: IPv4 and IPv6; tunneled IP: IP-in-IP, IPv6 encapsulation, GRE
Advanced Access Control:
  Interface zones
  Time
  TLS information
  Domain names
  User information
  Applications
Traffic Management and QoS:
  Policy-based traffic shaping
  Guaranteed/maximum bandwidth prioritization
  Differentiated services code point (DSCP) matching/marking
  Policy-based concurrent session limiting
  Policy-based TCP MSS rewrite

Inspection
Anti-Botnet:
  Decryption-based detection
  Message length sequence analysis
Advanced Anti-Malware: Down-selection using file filtering, reputation, McAfee Advanced Threat Defense, and McAfee antivirus options
File Reputation:
  Policy-based file filtering
  File categories: archive, executable, media file, Microsoft Office document
  File types: Flash, GIF, JPEG, MPEG, OLE, PDF, PNG, RIFF, RTF, ZIP
  Classification from McAfee Global Threat Intelligence cloud service
Advanced Threat Defense: File redirection to McAfee Advanced Threat Defense
Antivirus:
  McAfee antivirus: file-based, local signature database, automatic real-time updates
  Scanned protocols: FTP, HTTP, HTTPS, POP3, IMAP, SMTP
Dynamic Context Detection: Protocol, application, file type (Flash, GIF, JPEG, MPEG, OLE, PDF, PNG, RIFF, RTF, text file, binary file)
Protocol Normalization: Full protocol normalization for Ethernet, IPv4, IPv6, ICMP, UDP, TCP, DNS, FTP, HTTP, IMAP, IMAPS, SMTP, SSH, NBT, SMB, SMB2, MSRPC, POP3, POP3S, SIP, TFTP, HTTPS (SSL/TLS), GRE, IP-in-IP, IPv6 encapsulation
Protocol-Specific Inspection: DNS, FTP, HTTP, HTTPS, IMAP, IMAPS, SMTP, SSH, NBT, SMB, SMB2, MSRPC, POP3, POP3S, SIP, TFTP
Protocol-Independent Fingerprinting: Any TCP/UDP protocol
Evasion and Anomaly Detection:
  Multilayer traffic normalization
  Vulnerability-based fingerprints
  Fully upgradable software-based inspection engine
  Evasion and anomaly logging
Custom Fingerprinting:
  Protocol-independent fingerprint matching
  Regular expression-based fingerprint language
  Snort signature converter
  Custom application fingerprinting
TLS Inspection:
  HTTPS client and server stream decryption and inspection
  TLS certificate validity checks
  Certificate domain name-based exemption list
Correlation: Local correlation, log server correlation
DoS/DDoS Protection:
  SYN/UDP flood detection
  Concurrent connection limiting, interface-based log compression
  Protection against slow HTTP request methods
Reconnaissance: TCP/UDP/ICMP scan, stealth, and slow scan detection in IPv4 and IPv6
Blocking Methods: Direct blocking, connection reset, blacklisting (local and distributed), HTML response, redirect
Traffic Recording: Automatic traffic recordings/excerpts from misuse situations
Updates:
  Automatic dynamic updates through McAfee Security Management Center
  Current coverage of approximately 4,000 protected vulnerabilities
URL Filtering
Protocols: HTTP, HTTPS
Engine: Webroot category-based URL filtering, blacklist/whitelist
Database:
  More than 280 million top-level domains and sub-pages (billions of URLs)
  Support for more than 43 languages, 82 categories

Management and Monitoring
Centralized Management: Enterprise-level centralized management, logging and reporting system. See the McAfee Security Management Center data sheet for more details.
SNMP Monitoring: SNMPv1, SNMPv2c, and SNMPv3
Traffic Capturing: Console tcpdump, remote capture through SMC
High Security Management Communication: 256-bit security strength in engine-management communication
Security Certifications: Common Criteria EAL4+, FIPS 140-2 crypto certificate, CSPN by ANSSI (First Level Security Certification)

Footnotes
(1) Supported encryption algorithms depend on license used.
(2) Available soon.
(3) Ibid.
(4) Firewall/VPN role only.
(5) Ibid.

McAfee. Part of Intel Security.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2014 McAfee, Inc. 61327ds_ngfw_1114_fnl_ETMG
