TZ500

SonicWall TZ series
Integrated threat prevention and SD-WAN platform for
small/medium organizations and distributed enterprises
The SonicWall TZ series enables small to
Branch locations are able to exchange
mid-size organizations and distributed
information securely with the central
enterprises realize the benefits of an
office using virtual private networking
integrated security solution that checks
(VPN). Creating virtual LANs (VLANs)
all the boxes. Combining high-speed
enables segmentation of the network
threat prevention and software-defined
into separate corporate and customer
wide area networking (SD-WAN)
groups with rules that determine the
technology with an extensive range of
level of communication with devices on
networking and wireless features plus
other VLANs. SD-WAN offers a secure
simplified deployment and centralized
alternative to costly MPLS circuits
management, the TZ series provides a
while delivering consistent application
Benefits:
unified security solution at a low total
performance and availability. Deploying
cost of ownership.
TZ firewalls to remote locations is easy
Flexible, integrated security solution
using Zero-Touch Deployment which
• Secure SD-WAN
Flexible, integrated security solution
enables provisioning of the firewall
• Powerful SonicOS operating system
The foundation of the TZ series is
remotely through the cloud.
• High-speed 802.11ac wireless
SonicOS, SonicWall’s feature-rich
• Power over Ethernet (PoE/PoE+)
Superior threat prevention and
operating system. SonicOS includes a
performance
• Network segmentation with VLANs
powerful set of capabilities that provides
organizations with the flexibility to
Our vision for securing networks in
Superior threat prevention
tune these Unified Threat Management
today’s continually-evolving cyber
and performance
(UTM) firewalls to their specific network
threat landscape is automated, real-
• Patent-pending real-time deep
requirements. For example, creating a
time threat detection and prevention.
memory inspection technology
secure high-speed wireless network is
Through a combination of cloud-based
• Patented reassembly-free deep
packet inspection technology
simplified through a built-in wireless
and on-box technologies we deliver
controller and support for the IEEE
protection to our firewalls that’s been
• On-box and cloud-based threat
prevention
802.11ac standard or by adding our
validated by independent third-party
• TLS/SSL decryption and inspection
SonicWave 802.11ac Wave 2 access
testing for its extremely high security
points. To reduce the cost and complexity
effectiveness. Unknown threats are sent
• Industry-validated security
effectiveness
of connecting high-speed wireless
to SonicWall’s cloud-based Capture
• Dedicated Capture Labs threat
access points and other Power over
Advanced Threat Protection (ATP) multi-
research team
Ethernet (PoE)-enabled devices such
engine sandbox for analysis. Enhancing
• Endpoint security with Capture Client
as IP cameras, phones and printers,
Capture ATP is our patent-pending
the TZ300P and TZ600P provide
Real-Time Deep Memory Inspection
Easy deployment, setup and
PoE/PoE+ power.
(RTDMI™) technology. The RTDMI
ongoing management
engine detects and blocks malware
• Zero-Touch Deployment
Distributed retail businesses and
and zero-day threats by inspecting
• Cloud-based and on-premises
campus environments can take
directly in memory. RTDMI technology
centralized management
advantage of the many tools in
is precise, minimizes false positives, and
• Scalable line of firewalls
SonicOS to gain even greater benefits.
identifies and mitigates sophisticated
• Low total cost of ownership
attacks where the malware’s weaponry is
protection by performing full decryption
Security Center which offers the ultimate
exposed for less than 100 nanoseconds.
and inspection of TLS/SSL and SSH
in visibility, agility and capacity to
In combination, our patented single-pass
encrypted connections regardless of
centrally govern the entire SonicWall
Reassembly-Free Deep Packet Inspection
port or protocol. The firewall searches for
security ecosystem from a single pane
(RFDPI) engine examines every byte of
protocol non-compliance, threats, zero-
of glass.
every packet, inspecting both inbound
days, intrusions, and even defined criteria
A key component of the Capture Security
and outbound traffic directly on the
by looking deep inside every packet.
Center is Zero-Touch Deployment. This
firewall. By leveraging Capture ATP with
The deep packet inspection engine
cloud-based feature simplifies and
RTDMI technology in the SonicWall
detects and prevents hidden attacks
speeds the deployment and provisioning
Capture Cloud Platform in addition to
that leverage cryptography. It also
of SonicWall firewalls at remote and
on-box capabilities including intrusion
blocks encrypted malware downloads,
branch office locations. The process
prevention, anti-malware and web/
ceases the spread of infections and
requires minimal user intervention, and
URL filtering, TZ series firewalls stop
thwarts command and control (C&C)
is fully automated to operationalize
malware, ransomware and other threats
communications and data exfiltration.
firewalls at scale in just a few steps.
at the gateway. For mobile devices used
Inclusion and exclusion rules allow total
This significantly reduces the time,
outside the firewall perimeter, SonicWall
control to customize which traffic is
cost and complexity associated with
Capture Client provides an added layer of
subjected to decryption and inspection
installation and configuration, while
protection by applying advanced threat
based on specific organizational
security and connectivity occurs
protection techniques such as machine
compliance and/or legal requirements.
instantly and automatically. Together, the
learning and system rollback. Capture
Easy deployment, setup and
simplified deployment and setup along
Client also leverages the deep inspection
ongoing management
with the ease of management enable
of encrypted TLS traffic (DPI-SSL) on
organizations to lower their total cost
TZ series firewalls by installing and
SonicWall makes it easy to configure
of ownership and realize a high return
managing trusted TLS certificates.
and manage TZ series firewalls and
on investment.
SonicWave 802.11ac Wave 2 access
The continued growth in the use of
points no matter where you deploy them.
encryption to secure web sessions
Centralized management, reporting,
means it is imperative firewalls are able
licensing and analytics are handled
to scan encrypted traffic for threats.
through our cloud-based Capture
TZ series firewalls provide complete
* 802.11ac currently not available on SOHO/SOHO 250 models; SOHO/SOHO 250 models support 802.11a/b/g/n
Integrated Security and Power for
Your PoE-enabled Devices
SonicWave 432i
access point
Provide power to your PoE-enabled
devices without the cost and complexity
of a Power over Ethernet switch or
Printer
injector. TZ300P and TZ600P firewalls
integrate IEEE 802.3at technology to
Bi-directional
scanning
power PoE and PoE+ devices such as
wireless access points, cameras, IP
SonicWall TZ600P
IP Phone
phones and more. The firewall scans all
traffic coming from and going to each
device using deep packet inspection
Camera
technology and then removes harmful
threats such as malware and intrusions,
even over encrypted connections.
802.3at PoE+ Devices
2
Capture Cloud Platform
classes of attacks, covering tens of
In addition to providing threat prevention,
thousands of individual threats. In
the Capture Cloud Platform offers
SonicWall's Capture Cloud Platform
addition to the countermeasures on
single pane of glass management and
delivers cloud-based threat prevention
the appliance, TZ firewalls also have
administrators can easily create both
and network management plus reporting
continuous access to the Capture Cloud
real-time and historical reports on
and analytics for organizations of any
Platform database which extends the
network activity.
size. The platform consolidates threat
onboard signature intelligence with tens
intelligence gathered from multiple
of millions of signatures.
sources including our award-winning
multi-engine network sandboxing service,
Capture Advanced Threat Protection, as
well as more than 1 million SonicWall
sensors located around the globe.
If data coming into the network is found
to contain previously-unseen malicious
code, SonicWall’s dedicated, in-house
Capture Labs threat research team
develops signatures that are stored in
the Capture Cloud Platform database
and deployed to customer firewalls for
up-to-date protection. New updates take
effect immediately without reboots or
interruptions. The signatures resident
on the appliance protect against wide
Advanced threat protection
The service analyzes a broad range
For complete endpoint protection, the
of operating systems and file types,
SonicWall Capture Client combines
At the center of SonicWall automated,
including executable programs, DLL,
next-generation anti-virus technology
real-time breach prevention is SonicWall
PDFs, MS Office documents, archives,
with SonicWall's cloud-based
Capture Advanced Threat Protection
JAR and APK.
multi-engine sandbox.
service, a cloud-based multi-engine
sandbox that extends firewall threat
protection to detect and prevent zero-
day threats. Suspicious files are sent
to the cloud where they are analyzed
Streaming Data
Classified Malware
using deep learning algorithms with
PDF
RANSOMWARE
the option to hold them at the gateway
Locky
Email
until a verdict is determined. The multi-
RANSOMWARE
Data File
BLOCK
WannaCry
engine sandbox platform, which includes
101001001010
Artfact 1
TROJAN
Real-Time Deep Memory Inspection,
010100101101
Spartan
Artfact 2
MACHINE
010010100100
virtualized sandboxing, full system
LEARNING
101001010010
emulation and hypervisor level analysis
110101010010
Artfact 3
UNKNOWN
Deep Learning
010100100010
technology, executes suspicious code
Artfact 4
Algorithms
CLOUD CAPTURE
101100100101
SANDBOX
and analyzes behavior. When a file is
A
Hypervisor
identified as malicious, it is blocked
Endpoint
A
B
C
D
B
Emulaton
and a hash is immediately created
C
Virtualizaton
within Capture ATP. Soon after, a
D
RTDMI
signature is sent to firewalls to prevent
follow-on attacks.
Bad
BLOCK
Good
untl
SENT
VERDICT
3
Reassembly-Free Deep Packet
network streams through extensive and
relative to these databases until it
Inspection engine
repeated normalization and decryption
encounters a state of attack, or other
in order to neutralize advanced evasion
“match” event, at which point a pre-set
The SonicWall Reassembly-Free Deep
techniques that seek to confuse detection
action is taken.
Packet Inspection (RFDPI) is a single-
engines and sneak malicious code into
pass, low latency inspection system that
In most cases, the connection is
the network.
performs stream-based, bi-directional
terminated and proper logging and
traffic analysis at high speed without
Once a packet undergoes the necessary
notification events are created. However,
proxying or buffering to effectively
pre-processing, including TLS/SSL
the engine can also be configured for
uncover intrusion attempts and malware
decryption, it is analyzed against a single,
inspection only or, in case of application
downloads while identifying application
proprietary memory representation of
detection, to provide Layer 7 bandwidth
traffic regardless of port and protocol.
three signature databases: intrusion
management services for the remainder
This proprietary engine relies on
attacks, malware and applications. The
of the application stream as soon as the
streaming traffic payload inspection to
connection state is then advanced to
application is identified.
detect threats at Layers 3-7, and takes
represent the position of the stream
Packet assembly-based process
Reassembly-free Deep Packet Inspection (RFDPI)
CPU n
Packet
Proxy
Scanning
disassembly
TLS/SSL
TLS/SSL
CPU 4
Traffic in
Traffic out
Traffic in
Traffic out
CPU 3
CPU 2
When proxy buffer
Inspection time
becomes full or
Inspection capacity
Inspection time
Inspection capacity
content too large,
CPU 1
Less
More
files bypass
Min
Max
Less
More
Min
Max
scanning.
Reassembly-free packet
scanning eliminates proxy
and content size limitations.
Competitive proxy-based architecture
SonicWall stream-based architecture
process. Enterprises can easily
SonicWall management and reporting
consolidate the management of security
solutions provide a coherent way to
appliances, reduce administrative and
manage network security by business
troubleshooting complexities, and govern
processes and service levels, dramatically
all operational aspects of the security
simplifying lifecycle management of your
infrastructure, including centralized
overall security environments compared
policy management and enforcement;
to managing on a device-by-device basis.
real-time event monitoring; user
Centralized management
activities; application identifications; flow
and reporting
analytics and forensics; compliance and
For highly regulated organizations
audit reporting; and more. In addition,
wanting to achieve a fully coordinated
enterprises meet the firewall’s change
security governance, compliance and
management requirements through
risk management strategy, SonicWall
workflow automation which provides the
provides administrators a unified,
agility and confidence to deploy the right
secure and extensible platform to
firewall policies at the right time and in
manage SonicWall firewalls, wireless
conformance with compliance regulations.
access points and Dell N-Series
Available on premises as SonicWall
and X-Series switches through a
Global Management System and in
correlated and auditable workstream
the cloud as Capture Security Center,
4
Distributed networks
Data Center
Web Server Farm
Because of their flexibility, TZ series
Distributed Enterprise
firewalls are ideally suited for both
Network with SD-WAN
NSa 9650
Application Server Farm
distributed enterprise and single site
deployments. In distributed networks
like those found in retail organizations,
each site has its own TZ firewall which
Capture
Security Center
connects to the Internet often through
Cloud Orchestration
and Management
a local provider using a DSL, cable
NSsp 12800
or 3G/4G connection. In addition to
IP
Corporate HQ
Low-Cost Transport Technologies
PBX
Internet access, each firewall utilizes
Ethernet / DSL / Cable / 3G / 4G
SD-WAN Enabled
Transport
an Ethernet connection to transport
SonicWall Secure
· Anti-malware
SonicWave
SD-WAN Features
TZ600P Firewall
Wireless
packets between remote sites and the
· IPS
NSS Labs validated high
· Content filtering
Access Point
central headquarters. Web services
security efficacy
· Capture ATP
Zero-touch deployment
· VPN
and SaaS applications such as Office
WAN load balancing
Dynamic path selection for
365, Salesforce and others are served
business-critical applications
Secure AES 256 VPN
Remote / Branch Offices
up from the data center. Through mesh
Application identification and visibility
POS IoT Devices - Cameras,
Corp
Guest
Cloud-based central management
Terminal
IP Phones, etc.
WiFi
WiFi
VPN technology, IT administrators can
create a hub and spoke configuration
for the safe transport of data between
all locations.
deployed at remote and branch sites.
can choose lower-cost public Internet
Instead of relying on more expensive
services while continuing to achieve a
The SD-WAN technology in SonicOS
legacy technologies such as MPLS
high level of application availability and
is a perfect complement to TZ firewalls
and T1, organizations using SD-WAN
predictable performance.
Capture Security Center
Capture
Security Center
Tying the distributed network together
NSa or NSsp
TZ product line
is SonicWall’s cloud-based Capture
Security Center (CSC) which centralizes
Internet
deployment, ongoing management
Corporate
Headquarters
and real-time analytics of the TZ
3G/analog failover
firewalls. A key feature of CSC is Zero-
Touch Deployment. Configuring and
deploying firewalls across multiple
sites is time-consuming and requires
Secure wireless zone
onsite personnel. However Zero-
$
Sales network
Touch Deployment removes these
Printers
challenges by simplifying and speeding
the deployment and provisioning of
Engineering network
18-port Dell N-Series/X-Series switch
Storage
SonicWall firewalls remotely through
the cloud. Similarly, CSC eases ongoing
PoE
cameras
management by providing cloud-based
Finance network
single-pane-of-glass management for
SonicWall devices on the network. For
Protected server network
complete situational awareness of the
network security environment, SonicWall
Single Sites
same security engine in our mid-range
Analytics offers a single-pane view
NSa series and high-end NSsp series
For single site deployments, having an
into all activity occurring inside the
is featured in TZ series firewall along
integrated network security solution
network. Organizations gain a deeper
with the broad feature set of SonicOS.
is highly beneficial. TZ series firewalls
understanding of application usage
Configuration and management is
combine high security effectiveness
and performance while reducing the
easy using the intuitive SonicOS UI.
with options such as built-in 802.11ac
possibility of Shadow IT.
Organizations save valuable rack space
wireless and, in the case of the TZ300P
due to the compact desktop form factor.
and TZ600P, PoE/PoE+ support. The
5
SonicWall TZ600 series
For emerging enterprises, retail and branch offices looking for security, performance and options such as 802.3at PoE+ support at a
value price, the SonicWall TZ600 secures networks with enterprise-class features and uncompromising performance.
Specification
TZ600 series
Firewall throughput
1.9 Gbps
Threat Prevention throughput
800 Mbps
Anti-malware throughput
800 Mbps
IPS throughput
1.2 Gbps
Maximum connections
150,000
New connections/sec
12,000
TZ600P
PoE/PoE+ ports (4 PoE/PoE+)
Power LED Test LED
USB port
Link and
Expansion
Console
X0 LAN port
(3G/4G WAN
activity
module
port
X1 WAN port
failover)
indicator LEDs
8x1-GbE
switch
12V DC 2A
(configurable)
power
SonicWall TZ500 series
For growing branch offices and SMBs, the SonicWall TZ500 series delivers highly effective, no-compromise protection with
network productivity and optional integrated 802.11ac dual-band wireless.
Specification
TZ500 series
Firewall throughput
1.4 Gbps
Threat Prevention throughput
700 Mbps
Anti-malware throughput
700 Mbps
IPS throughput
1.0 Gbps
Optional
802.11ac
Maximum connections
150,000
wireless
New connections/sec
8,000
Power LED Test LED
USB port
Link and
Console
6x1-GbE switch X0 LAN port
12V DC 2A
(3G/4G WAN
activity
port
(configurable)
X1 WAN port power
failover)
indicator LEDs
6
SonicWall TZ400 series
For small business, retail and branch office locations, the SonicWall TZ400 series delivers enterprise-grade protection. Flexible
wireless deployment is available with optional 802.11ac dual-band wireless integrated into the firewall.
Specification
TZ400 series
Firewall throughput
1.3 Gbps
Threat Prevention throughput
600 Mbps
Anti-malware throughput
600 Mbps
Optional
IPS throughput
900 Mbps
802.11ac
Maximum connections
150,000
wireless
New connections/sec
6,000
Power LED Test LED
USB port
Link and
Console
5x1-GbE switch
X0 LAN port
12V DC
(3G/4G WAN
activity
port
(configurable)
X1 WAN port
2A power
failover)
indicator
LEDs
SonicWall TZ350/TZ300 series
The SonicWall TZ300 and TZ350 series offer an all-in-one solution that protects networks from advanced attacks. Unlike consumer
grade products, these UTM firewalls combine high-speed intrusion prevention, anti-malware and content/URL filtering plus broad
secure mobile access support for laptops, smartphones and tablets along with optional integrated 802.11ac wireless. In addition,
the TZ300 offers optional 802.3at PoE+ to power PoE-enabled devices.
Specification
TZ350 series
TZ300 series
Firewall throughput
1.0 Gbps
750 Mbps
Threat Prevention throughput
335 Mbps
235 Mbps
Anti-malware throughput
335 Mbps
235 Mbps
TZ300P
PoE/PoE+ ports (2 PoE or 1 PoE+)
IPS throughput
400 Mbps
300 Mbps
Maximum connections
100,000
100,000
New connections/sec
6,000
5,000
Optional
802.11ac
wireless
Power LED Test LED USB port
Link and
(3G/4G WAN
activity
failover)
indicator LEDs
Console
3x1-GbE switch
X0 LAN port
12V DC 2A
port
(configurable)
X1 WAN port
power
7
SonicWall SOHO 250/SOHO series
For wired and wireless small and home office environments, the SonicWall SOHO 250 and SOHO series deliver the same business-
class protection large organizations require at a more affordable price point. Add optional 802.11n wireless to provide employees,
customers and guests with secure wireless connectivity.
Specification
SOHO 250 series SOHO series
Firewall throughput
600 Mbps
300 Mbps
Threat Prevention throughput
200 Mbps
150 Mbps
Optional
Anti-malware throughput
200 Mbps
150 Mbps
802.11n
wireless
IPS throughput
250 Mbps
200 Mbps
Maximum connections
50,000
10,000
New connections/sec
3,000
1,800
Console
3x1-GbE switch X0 LAN port
12V DC 2A
port
(configurable)
X1 WAN port power
Power LED Test LED
Link and
USB port
activity
(3G/4G WAN
indicator LEDs
failover)
Partner Enabled Services
Need help to plan, deploy or optimize your SonicWall
solution? SonicWall Advanced Services Partners are
trained to provide you with world class professional
services. Learn more at www.sonicwall.com/PES.
8
Features
RFDPI ENGINE
Feature
Description
This high-performance, proprietary and patented inspection engine performs stream-based, bi-directional
Reassembly-Free Deep Packet
traffic analysis, without proxying or buffering, to uncover intrusion attempts and malware and to identify
Inspection (RFDPI)
application traffic regardless of port.
Scans for threats in both inbound and outbound traffic simultaneously to ensure that the network is not
Bi-directional inspection
used to distribute malware and does not become a launch platform for attacks in case an infected machine
is brought inside.
Proxy-less and non-buffering inspection technology provides ultra-low latency performance for DPI of
Stream-based inspection
millions of simultaneous network streams without introducing file and stream size limitations, and can be
applied on common protocols as well as raw TCP streams.
The unique design of the RFDPI engine works with the multi-core architecture to provide high DPI
Highly parallel and scalable
throughput and extremely high new session establishment rates to deal with traffic spikes in demanding
networks.
A single-pass DPI architecture simultaneously scans for malware, intrusions and application identification,
Single-pass inspection
drastically reducing DPI latency and ensuring that all threat information is correlated in a single architecture.
FIREWALL AND NETWORKING
Feature
Description
An alternative to more expensive technologies such as MPLS, Secure SD-WAN enables distributed
enterprise organizations to build, operate and manage secure, high-performance networks across remote
Secure SD-WAN
sites for the purpose of sharing data, applications and services using readily-available, low-cost public
internet services.
Allows the firewall to receive and leverage any and all proprietary, original equipment manufacturer and
REST APIs
third-party intelligence feeds to combat advanced threats such as zero-day, malicious insider, compromised
credentials, ransomware and advanced persistent threats.
Stateful packet inspection
All network traffic is inspected, analyzed and brought into compliance with firewall access policies.
SonicWall TZ500 and TZ600 models support high availability with Active/Standby with state synchronization.
High availability/clustering
SonicWall TZ300 and TZ400 models support high availability without Active/Standby synchronization. There
is no high availability on SonicWall SOHO models.
SYN flood protection provides a defense against DoS attacks using both Layer 3 SYN proxy and Layer
DDoS/DoS attack protection
2 SYN blacklisting technologies. Additionally, it protects against DoS/DDoS through UDP/ICMP flood
protection and connection rate limiting.
Internet Protocol version 6 (IPv6) is in its early stages to replace IPv4. With SonicOS, the hardware will
IPv6 support
support filtering and wire mode implementations.
Flexible deployment options
The TZ series can be deployed in traditional NAT, Layer 2 bridge, wire and network tap modes.
WAN load balancing
Load-balances multiple WAN interfaces using Round Robin, Spillover or Percentage methods.
Guarantees critical communications with 802.1p, DSCP tagging, and remapping of VoIP traffic on the
Advanced quality of service (QoS)
network.
H.323 gatekeeper and SIP proxy
Blocks spam calls by requiring that all incoming calls are authorized and authenticated by H.323 gatekeeper or
support
SIP proxy.
Manage security settings of additional ports, including Portshield, HA, PoE and PoE+, under a single pane
Single and cascaded Dell N-Series and
of glass using the firewall management dashboard for Dell’s N-Series and X-Series network switch (not
X-Series switch management
available with SOHO model).
Supports mobile device authentication such as fingerprint recognition that cannot be easily duplicated or
Biometric authentication
shared to securely authenticate the user identity for network access.
Enable guest users to use their credentials from social networking services such as Facebook, Twitter, or
Open authentication and social login
Google+ to sign in and access the Internet and other guest services through a host's wireless, LAN or DMZ
zones using pass-through authentication.
Available as an integrated option on SonicWall TZ300 through TZ500, IEEE 802.11ac wireless technology
Wireless Network Security
can deliver up to 1.3 Gbps of wireless throughput with greater range and reliability. Optional 802.11 a/b/g/n
is available on SonicWall SOHO models.
MANAGEMENT AND REPORTING
Feature
Description
Cloud-based and on-premises
Configuration and management of SonicWall appliances is available via the cloud through the SonicWall
management
Capture Security Center and on-premises using SonicWall Global Management System (GMS).
An intuitive web-based interface allows quick and convenient configuration, in addition to a comprehensive
Powerful single device management
command-line interface and support for SNMPv2/3.
IPFIX/NetFlow application flow
Exports application traffic analytics and usage data through IPFIX or NetFlow protocols for real-time and
reporting
historical monitoring and reporting with tools that support IPFIX and NetFlow with extensions.
9
VIRTUAL PRIVATE NETWORKING
Feature
Description
Simplifies and reduces complex distributed firewall deployment down to a trivial effort by automating the initial
Auto-provision VPN
site-to-site VPN gateway provisioning between SonicWall firewalls while security and connectivity occurs
instantly and automatically.
High-performance IPSec VPN allows the TZ series to act as a VPN concentrator for thousands of other
IPSec VPN for site-to-site connectivity
large sites, branch offices or home offices.
Utilizes clientless SSL VPN technology or an easy-to-manage IPSec client for easy access to email, files,
SSL VPN or IPSec client remote access
computers, intranet sites and applications from a variety of platforms.
When using multiple WANs, a primary and secondary VPN can be configured to allow seamless, automatic
Redundant VPN gateway
failover and failback of all VPN sessions.
The ability to perform dynamic routing over VPN links ensures continuous uptime in the event of a
Route-based VPN
temporary VPN tunnel failure, by seamlessly re-routing traffic between endpoints through alternate routes.
CONTENT/CONTEXT AWARENESS
Feature
Description
User identification and activity are made available through seamless AD/LDAP/Citrix1/Terminal Services1
User activity tracking
SSO integration combined with extensive information obtained through DPI.
Identifies and controls network traffic going to or coming from specific countries to either protect against
attacks from known or suspected origins of threat activity, or to investigate suspicious traffic originating
GeoIP country traffic identification
from the network. Provides the ability to create custom country and Botnet lists to override an incorrect
country or Botnet tag associated with an IP address. Eliminates unwanted filtering of IP addresses due to
misclassification.
Prevents data leakage by identifying and controlling content crossing the network through regular
Regular expression DPI filtering
expression matching. Provides the ability to create custom country and Botnet lists to override an incorrect
country or Botnet tag associated with an IP address.
CAPTURE ADVANCE THREAT PROTECTION
Feature
Description
The multi-engine sandbox platform, which includes virtualized sandboxing, full system emulation,
Multi-engine sandboxing
and hypervisor level analysis technology, executes suspicious code and analyzes behavior, providing
comprehensive visibility to malicious activity.
This patent-pending cloud-based technology detects and blocks malware that does not exhibit any
Real-Time Deep Memory Inspection
malicious behavior and hides its weaponry via encryption. By forcing malware to reveal its weaponry into
(RTDMI)
memory, the RTDMI engine proactively detects and blocks mass-market, zero-day threats and unknown
malware.
To prevent potentially malicious files from entering the network, files sent to the cloud for analysis can be
Block until verdict
held at the gateway until a verdict is determined.
Supports analysis of a broad range of file types, either individually or as a group, including executable
Broad file type and size analysis
programs (PE), DLL, PDFs, MS Office documents, archives, JAR, and APK plus multiple operating systems
including Windows, Android, Mac OS X and multi-browser environments.
When a file is identified as malicious, a signature is immediately deployed to firewalls with SonicWall Capture
Rapid deployment of signatures
ATP subscriptions and Gateway Anti-Virus and IPS signature databases and the URL, IP and domain
reputation databases within 48 hours.
Capture Client is a unified client platform that delivers multiple endpoint protection capabilities, including
Capture Client
advanced malware protection and support for visibility into encrypted traffic. It leverages layered protection
technologies, comprehensive reporting and endpoint protection enforcement.
ENCRYPTED THREAT PREVENTION
Feature
Description
Decrypts and inspects TLS/SSL encrypted traffic on the fly, without proxying, for malware, intrusions and
data leakage, and applies application, URL and content control policies in order to protect against threats
TLS/SSL decryption and inspection
hidden in encrypted traffic. Included with security subscriptions for all TZ series models except SOHO. Sold
as a separate license on SOHO.
Deep packet inspection of SSH (DPI-SSH) decrypts and inspect data traversing over SSH tunnel to prevent
SSH inspection
attacks that leverage SSH.
INTRUSION PREVENTION
Feature
Description
Tightly integrated intrusion prevention system (IPS) leverages signatures and other countermeasures
Countermeasure-based protection
to scan packet payloads for vulnerabilities and exploits, covering a broad spectrum of attacks and
vulnerabilities.
The SonicWall Threat Research Team continuously researches and deploys updates to an extensive list of
Automatic signature updates
IPS countermeasures that covers more than 50 attack categories. The new updates take immediate effect
without any reboot or service interruption required.
10
INTRUSION PREVENTION CON'T
Feature
Description
Bolsters internal security by segmenting the network into multiple security zones with intrusion prevention,
Intra-zone IPS protection
preventing threats from propagating across the zone boundaries.
Botnet command and control (CnC)
Identifies and blocks command and control traffic originating from bots on the local network to IPs and
detection and blocking
domains that are identified as propagating malware or are known CnC points.
Protocol abuse/anomaly
Identifies and blocks attacks that abuse protocols in an attempt to sneak past the IPS.
Protects the network against zero-day attacks with constant updates against the latest exploit methods
Zero-day protection
and techniques that cover thousands of individual exploits.
Extensive stream normalization, decoding and other techniques ensure that threats do not enter the
Anti-evasion technology
network undetected by utilizing evasion techniques in Layers 2-7.
THREAT PREVENTION
Feature
Description
The RFDPI engine scans all inbound, outbound and intra-zone traffic for viruses, Trojans, key loggers and
Gateway anti-malware
other malware in files of unlimited length and size across all ports and TCP streams.
A continuously updated database of tens of millions of threat signatures resides in the SonicWall cloud
Capture Cloud malware protection
servers and is referenced to augment the capabilities of the onboard signature database, providing RFDPI
with extensive coverage of threats.
New threat updates are automatically pushed to firewalls in the field with active security services, and take
Around-the-clock security updates
effect immediately without reboots or interruptions.
The RFDPI engine is capable of scanning raw TCP streams on any port bi-directionally preventing attacks
Bi-directional raw TCP inspection
that they to sneak by outdated security systems that focus on securing a few well-known ports.
Identifies common protocols such as HTTP/S, FTP, SMTP, SMBv1/v2 and others, which do not send data in raw
Extensive protocol support
TCP, and decodes payloads for malware inspection, even if they do not run on standard, well-known ports.
APPLICATION INTELLIGENCE AND CONTROL
Feature
Description
Control applications, or individual application features, that are identified by the RFDPI engine against a
Application control
continuously expanding database of over thousands of application signatures, to increase network security
and enhance network productivity.
Control custom applications by creating signatures based on specific parameters or patterns unique to an
Custom application identification
application in its network communications, in order to gain further control over the network.
Granularly allocate and regulate available bandwidth for critical applications or application categories while
Application bandwidth management
inhibiting nonessential application traffic.
Control applications, or specific components of an application, based on schedules, user groups, exclusion
Granular control
lists and a range of actions with full SSO user identification through LDAP/AD/Terminal Services/Citrix
integration.
CONTENT FILTERING
Feature
Description
Enforce acceptable use policies and block access to HTTP/HTTPS websites containing information or
Inside/outside content filtering
images that are objectionable or unproductive with Content Filtering Service and Content Filtering Client.
Extend policy enforcement to block internet content for Windows, Mac OS, Android and Chrome devices
Enforced Content Filtering Client
located outside the firewall perimeter.
Block content using the predefined categories or any combination of categories. Filtering can be scheduled
Granular controls
by time of day, such as during school or business hours, and applied to individual users or groups.
URL ratings are cached locally on the SonicWall firewall so that the response time for subsequent access to
Web caching
frequently visited sites is only a fraction of a second.
ENFORCED ANTI-VIRUS AND ANTI-SPYWARE
Feature
Description
Utilize the firewall capabilities as the first layer of defense at the perimeter, coupled with endpoint
Multi-layered protection
protection to block, viruses entering network through laptops, thumb drives and other unprotected systems.
Ensure every computer accessing the network has the appropriate antivirus software and/or DPI-
Automated enforcement option
SSL certificate installed and active, eliminating the costs commonly associated with desktop antivirus
management.
Automated deployment and
Machine-by-machine deployment and installation of antivirus and anti-spyware clients is automatic across
installation option
the network, minimizing administrative overhead.
Capture Client uses a static artificial intelligence (AI) engine to determine threats before they can execute
Next-generation antivirus
and roll back to a previous uninfected state.
Powerful spyware protection scans and blocks the installation of a comprehensive array of spyware programs
Spyware protection
on desktops and laptops before they transmit confidential data, providing greater desktop security and
performance.
11
SonicOS feature summary
Firewall
Application identification1
• NAT
• Stateful packet inspection
• Application control
• Bandwidth management
• Application bandwidth management
• High availability - Active/Standby with
• Reassembly-Free Deep Packet
state sync2
Inspection
• Custom application signature creation
• Inbound/outbound load balancing
• Data leakage prevention
• DDoS attack protection
• L2 bridge mode, NAT mode
(UDP/ICMP/SYN flood)
• Application reporting over NetFlow/IPFIX
3G/4G WAN failover
• IPv4/IPv6 support
• Comprehensive application signature
database
• Common Access Card (CAC) support
• Biometric authentication for remote
access
Traffic visualization and analytics
VoIP
• User activity
• Granular QoS control
• DNS proxy
• Application/bandwidth/threat usage
• Bandwidth management
• REST APIs
• Cloud-based analytics
• DPI for VoIP traffic
SSL/SSH decryption and inspection¹
• H.323 gatekeeper and SIP proxy support
HTTP/HTTPS Web content filtering1
• Deep packet inspection for TLS/SSL/SSH
• URL filtering
Management and monitoring
• Inclusion/exclusion of objects, groups or
hostnames
• Anti-proxy technology
• Web GUI
• TLS/SSL control
• Keyword blocking
• Command line interface (CLI)
• Granular DPI SSL controls per zone or rule
• Policy-based filtering (exclusion/
• SNMPv2/v3
inclusion)
• Centralized management and reporting
Capture Advanced Threat Protection1
• HTTP header insertion
with SonicWall GMS and Capture
• Real-Time Deep Memory Inspection
Security Center
• Bandwidth manage CFS rating
• Cloud-based multi-engine analysis
categories
• Logging
• Virtualized sandboxing
• Unified policy model with app control
• Netflow/IPFix exporting
• Hypervisor level analysis
• Content Filtering Client
• Cloud-based configuration backup
• Full system emulation
• Application and bandwidth visualization
VPN
• Broad file type examination
• IPv4 and IPv6 management
• Auto-provision VPN
• Automated and manual submission
• Dell N-Series and X-Series switch
• IPSec VPN for site-to-site connectivity
management including cascaded
• Real-time threat intelligence updates
• SSL VPN and IPSec client remote access
switches2
• Block until verdict
• Redundant VPN gateway
Integrated Wireless
• Capture Client
• Mobile Connect for iOS, Mac OS X,
• Dual-band (2.4 GHz and 5.0 GHz)
Windows, Chrome, Android and
Intrusion prevention1
Kindle Fire
802.11 a/b/g/n/ac wireless standards2
• Signature-based scanning
• Route-based VPN (OSPF, RIP, BGP)
• WIDS/WIPS
• Automatic signature updates
• Wireless guest services
Networking
• Bidirectional inspection
• Lightweight hotspot messaging
• Secure SD-WAN
• Granular IPS rule capability
• Virtual access point segmentation
• PortShield
• GeoIP/Botnet filtering2
• Captive portal
• Enhanced logging
• Regular expression matching
• Cloud ACL
• Layer-2 QoS
Anti-malware1
• Port security
• Stream-based malware scanning
• Dynamic routing (RIP/OSPF/BGP)
• Gateway anti-virus
• SonicWall wireless controller
• Gateway anti-spyware
• Policy-based routing
• Bi-directional inspection
(ToS/metric and ECMP)
• No file size limitation
• Asymmetric routing
• Cloud malware database
• DHCP server
1 Requires added subscription
2 State sync high availability only on SonicWall TZ500 and SonicWall TZ600 models
12
SonicWall TZ series system specifications
FIREWALL GENERAL
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
Operating system
SonicOS
5x1GbE, 1 USB,
5x1GbE, 1 USB,
Interfaces
5x1GbE, 1 USB, 1 Console
1 Console
1 Console
TZ300P - 2 ports
Power over Ethernet (PoE) support
(2 PoE or 1 PoE+)
Expansion
USB
Management
CLI, SSH, Web UI, Capture Security Center, GMS, REST APIs
Single Sign-On (SSO) Users
250
350
500
500
VLAN interfaces
25
Access points supported (maximum)
2
4
8
8
FIREWALL/VPN PERFORMANCE
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
Firewall inspection throughput1
300 Mbps
600 Mbps
750 Mbps
1.0 Gbps
Threat Prevention throughput2
150 Mbps
200 Mbps
235 Mbps
335 Mbps
Application inspection throughput2
275 Mbps
375 Mbps
600 Mbps
IPS throughput2
200 Mbps
250 Mbps
300 Mbps
400 Mbps
Anti-malware inspection throughput2
150 Mbps
200 Mbps
235 Mbps
335 Mbps
TLS/SSL inspection and decryption throughput (DPI SSL)2
30 Mbps
50 Mbps
60 Mbps
65 Mbps
IPSec VPN throughput3
150 Mbps
200 Mbps
300 Mbps
430 Mbps
Connections per second
1,800
3,000
5,000
6,000
Maximum connections (SPI)
10,000
50,000
100,000
100,000
Maximum connections (DPI)
10,000
50,000
90,000
90,000
Maximum connections (DPI SSL)
250
25,000
25,000
25,000
VPN
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
Site-to-site VPN tunnels
10
10
10
15
IPSec VPN clients (maximum)
1 (5)
1 (5)
1 (10)
1 (10)
SSL VPN licenses (maximum)
1 (10)
1 (25)
1 (50)
1 (75)
Virtual assist bundled (maximum)
1 (30-day trial)
1 (30-day trial)
1 (30-day trial)
Encryption/authentication
DES, 3DES, AES (128, 192, 256-bit), MD5, SHA-1, Suite B Cryptography
Key exchange
Diffie Hellman Groups 1, 2, 5, 14v
Route-based VPN
RIP, OSPF, BGP
Verisign, Thawte, Cybertrust, RSA Keon, Entrust and Microsoft CA for SonicWall-to-
Certificate support
SonicWall VPN, SCEP
Dead Peer Detection, DHCP Over VPN, IPSec NAT Traversal,
VPN features
Redundant VPN Gateway, Route-based VPN
Microsoft® Windows Vista 32/64-bit, Windows 7 32/64-bit,
Global VPN client platforms supported
Windows 8.0 32/64-bit, Windows 8.1 32/64-bit, Windows 10
Microsoft Windows Vista 32/64-bit, Windows 7, Windows 8.0 32/64-bit, Windows 8.1
NetExtender
32/64-bit, Mac OS X 10.4+, Linux FC3+/Ubuntu 7+/OpenSUSE
Apple® iOS, Mac OS X, Google® Android, Kindle Fire, Chrome,
Mobile Connect
Windows 8.1 (Embedded)
SECURITY SERVICES
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
Deep Packet Inspection services
Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, DPI SSL
HTTP URL, HTTPS IP, keyword and content scanning, Comprehensive filtering based
Content Filtering Service (CFS)
on file types such as ActiveX, Java, Cookies for privacy, allow/forbid lists
Comprehensive Anti-Spam Service
Supported
Application Visualization
No
Yes
Yes
Yes
Application Control
Yes
Yes
Yes
Yes
Capture Advanced Threat Protection
No
Yes
Yes
Yes
NETWORKING
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
IP address assignment
Static, (DHCP, PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP relay
NAT modes
1:1, 1:many, many:1, many:many, flexible NAT (overlapping IPs), PAT, transparent mode
Routing protocols4
BGP4, OSPF, RIPv1/v2, static routes, policy-based routing
Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking,
QoS
802.1e (WMM)
13
SonicWall TZ series specifications cont'd
NETWORKING CONT'D
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
LDAP (multiple domains), XAUTH/
LDAP (multiple domains), XAUTH/RADIUS,
RADIUS, SSO, Novell, internal user
Authentication
SSO, Novell, internal user database
database, Terminal Services, Citrix,
Common Access Card (CAC)
Local user database
150
VoIP
Full H.323v1-5, SIP
TCP/IP, UDP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP,
Standards
PPTP, RADIUS, IEEE 802.3
FIPS 140-2 (with Suite B) Level 2, UC APL, VPNC, IPv6 (Phase 2), ICSA Network
Certifications
Firewall, ICSA Anti-virus
Certifications pending
Common Criteria NDPP (Firewall and IPS)
Common Access Card (CAC)
Supported
High availability
No
Active/standby
HARDWARE
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
Form factor
Desktop
24W external
24W external
Power supply
24W external
65W external
(TZ300P only)
Maximum power consumption (W)
6.4 / 11.3
6.9 / 11.3
6.9 / 12.0
6.9 / 12.0
Input power
100 to 240 VAC, 50-60 Hz, 1 A
Total heat dissipation
21.8 / 38.7 BTU
23.5 / 38.7 BTU
23.5 / 40.9 BTU
23.5 / 40.9 BTU
3.5 x 13.4 x 19 cm
3.5 x 13.4 x 19 cm
3.6 x 14.1 x 19 cm
Dimensions
1.38 x 5.28 x 7.48 in
1.38 x 5.28 x 7.48
1.42 x 5.55 x 7.48 in
in
0.34 kg / 0.75 lbs
0.73 kg / 1.61 lbs
0.73 kg / 1.61 lbs
Weight
0.48 kg / 1.06 lbs
0.84 kg / 1.85 lbs
0.84 kg / 1.85 lbs
0.80 kg / 1.76 lbs
1.15 kg / 2.53 lbs
1.15 kg / 2.53 lbs
WEEE weight
0.94 kg / 2.07 lbs
1.26 kg / 2.78 lbs
1.26 kg / 2.78 lbs
1.20 kg / 2.64 lbs
1.37 kg / 3.02 lbs
1.37 kg / 3.02 lbs
Shipping weight
1.34 kg / 2.95 lbs
1.48 kg / 3.26 lbs
1.48 kg / 3.26 lbs
MTBF (in years)
58.9/56.1 (wireless)
56.1
56.1
56.1
Environment (Operating/Storage)
32°-105° F (0°-40° C)/-40° to 158° F (-40° to 70° C)
Humidity
5-95% non-condensing
REGULATORY
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
FCC Class B, ICES Class B, CE (EMC, LVD,
FCC Class B, ICES Class B, CE (EMC, LVD,
RoHS), C-Tick, VCCI Class B, UL, cUL,
RoHS), C-Tick, VCCI Class B, UL, cUL,
Major regulatory compliance (wired models)
TUV/GS, CB, Mexico CoC by UL, WEEE,
TUV/GS, CB, Mexico CoC by UL, WEEE,
REACH, KCC/MSIP
REACH, KCC/MSIP
FCC Class B, FCC RF ICES Class B, IC RF
FCC Class B, FCC RF ICES Class B, IC
CE (RED, RoHS), RCM, VCCI Class B, MIC/
RF CE (RED, RoHS), RCM, VCCI Class B,
Major regulatory compliance (wireless models)
TELEC, UL, cUL, TUV/GS, CB, Mexico CoC
MIC/TELEC, UL, cUL, TUV/GS, CB, Mexico
by UL, WEEE, REACH
CoC by UL, WEEE, REACH
INTEGRATED WIRELESS
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
802.11a/b/g/n/ac (WEP, WPA, WPA2,
Standards
802.11 a/b/g/n
802.11i, TKIP, PSK,02.1x, EAP-PEAP,
EAP-TTLS
802.11a: 5.180-5.825 GHz; 802.11b/g:
Frequency bands5
802.11a: 5.180-5.825 GHz; 802.11b/g:
2.412-2.472 GHz; 802.11n: 2.412-2.472
2.412-2.472 GHz; 802.11n: 2.412-2.472
GHz, 5.180-5.825 GHz; 802.11ac: 2.412-
GHz, 5.180-5.825 GHz
2.472 GHz, 5.180-5.825 GHz
14
SonicWall TZ series system specifications cont'd
INTEGRATED WIRELESS
SOHO SERIES
SOHO 250 SERIES
TZ300 SERIES
TZ350 SERIES
802.11a: US and Canada 12, Europe
Operating Channels
11, Japan 4, Singapore 4, Taiwan 4;
802.11a: US and Canada 12, Europe 11,
802.11b/g: US and Canada 1-11, Europe
Japan 4, Singapore 4, Taiwan 4; 802.11b/g:
1-13, Japan 1-14 (14-802.11b only);
US and Canada 1-11, Europe 1-13, Japan
802.11n (2.4 GHz): US and Canada 1-11,
1-14 (14-802.11b only); 802.11n (2.4
Europe 1-13, Japan 1-13; 802.11n (5
GHz): US and Canada 1-11, Europe 1-13,
GHz): US and Canada 36-48/149-165,
Japan 1-13; 802.11n (5 GHz): US and
Europe 36-48, Japan 36-48, Spain 36-
Canada 36-48/149-165, Europe 36-48,
48/52-64; 802.11ac: US and Canada 36-
Japan 36-48, Spain 36-48/52-64;
48/149-165, Europe 36-48, Japan 36-48,
Spain 36-48/52-64
Transmit output power
Based on the regulatory domain specified by the system administrator
Transmit power control
Supported
Data rates supported
802.11a: 6, 9, 12, 18, 24, 36, 48, 54
Mbps per channel; 802.11b: 1, 2, 5.5,
11 Mbps per channel; 802.11g: 6, 9, 12,
802.11a: 6, 9, 12, 18, 24, 36, 48, 54 Mbps
18, 24, 36, 48, 54 Mbps per channel;
per channel; 802.11b: 1, 2, 5.5, 11 Mbps
802.11n: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8,
per channel; 802.11g: 6, 9, 12, 18, 24, 36,
65, 72.2, 15, 30, 45, 60, 90, 120, 135,
48, 54 Mbps per channel; 802.11n: 7.2,
150 Mbps per channel; 802.11ac: 7.2,
14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2, 15,
14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2,
30, 45, 60, 90, 120, 135, 150 Mbps per
86.7, 96.3, 15, 30, 45, 60, 90, 120, 135,
channel
150, 180, 200, 32.5, 65, 97.5, 130, 195,
260, 292.5, 325, 390, 433.3, 65, 130,
195, 260, 390, 520, 585, 650, 780, 866.7
Mbps per channel
Modulation technology spectrum
802.11a: Orthogonal Frequency Division
802.11a: Orthogonal Frequency Division
Multiplexing (OFDM); 802.11b: Direct
Multiplexing (OFDM); 802.11b: Direct
Sequence Spread Spectrum (DSSS);
Sequence Spread Spectrum (DSSS);
802.11g: Orthogonal Frequency
802.11g: Orthogonal Frequency Division
Division Multiplexing (OFDM)/Direct
Multiplexing (OFDM)/Direct Sequence
Sequence Spread Spectrum (DSSS);
Spread Spectrum (DSSS); 802.11n:
802.11n: Orthogonal Frequency
Orthogonal Frequency Division Multiplexing
Division Multiplexing (OFDM); 802.11ac:
(OFDM)
Orthogonal Frequency Division
Multiplexing (OFDM)
*Future use.
1 Testing Methodologies: Maximum performance based on RFC 2544 (for firewall). Actual performance may vary depending on network conditions and activated services.
2 Threat Prevention/GatewayAV/Anti-Spyware/IPS throughput measured using industry standard Spirent WebAvalanche HTTP performance test and Ixia test tools. Testing
done with multiple flows through multiple port pairs. Threat Prevention throughput measured with Gateway AV, Anti-Spyware, IPS and Application Control enabled.
3 VPN throughput measured using UDP traffic at 1280 byte packet size adhering to RFC 2544. All specifications, features and availability are subject to change.
4 BGP is available only on SonicWall TZ400, TZ500 and TZ600.
5All TZ integrated wireless models can support either 2.4GHz or 5GHz band. For dual-band support, please use SonicWall's wireless access point products
15
SonicWall TZ series system specifications cont'd
FIREWALL GENERAL
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
Operating system
SonicOS
10x1GbE, 2 USB,
7x1GbE, 1 USB,
8x1GbE, 2 USB,
Interfaces
1 Console,
1 Console
1 Console
1 Expansion Slot
TZ600P - 4 ports
Power over Ethernet (PoE) support
(4 PoE or 4 PoE+)
Expansion
USB
2 USB
Expansion Slot (Rear)*, 2 USB
Management
CLI, SSH, Web UI, Capture Security Center, GMS, REST APIs
Single Sign-On (SSO) Users
500
500
500
VLAN interfaces
50
50
50
Access points supported (maximum)
16
16
24
FIREWALL/VPN PERFORMANCE
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
Firewall inspection throughput1
1.3 Gbps
1.4 Gbps
1.9 Gbps
Threat Prevention throughput2
600 Mbps
700 Mbps
800 Mbps
Application inspection throughput2
1.2 Gbps
1.3 Gbps
1.8 Gbps
IPS throughput2
900 Mbps
1.0 Gbps
1.2 Gbps
Anti-malware inspection throughput2
600 Mbps
700 Mbps
800 Mbps
TLS/SSL inspection and decryption throughput
180 Mbps
225 Mbps
300 Mbps
(DPI SSL)2
IPSec VPN throughput3
900 Mbps
1.0 Gbps
1.1 Gbps
Connections per second
6,000
8,000
12,000
Maximum connections (SPI)
150,000
150,000
150,000
Maximum connections (DPI)
125,000
125,000
125,000
Maximum connections (DPI SSL)
25,000
25,000
25,000
VPN
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
Site-to-site VPN tunnels
20
25
50
IPSec VPN clients (maximum)
2 (25)
2 (25)
2 (25)
SSL VPN licenses (maximum)
2 (100)
2 (150)
2 (200)
Virtual assist bundled (maximum)
1 (30-day trial)
1 (30-day trial)
1 (30-day trial)
Encryption/authentication
DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B Cryptography
Key exchange
Diffie Hellman Groups 1, 2, 5, 14v
Route-based VPN
RIP, OSPF, BGP
Verisign, Thawte, Cybertrust, RSA Keon, Entrust and Microsoft CA for
Certificate support
SonicWall-to- SonicWall VPN, SCEP
Dead Peer Detection, DHCP Over VPN, IPSec NAT Traversal,
VPN features
Redundant VPN Gateway, Route-based VPN
Microsoft® Windows Vista 32/64-bit, Windows 7 32/64-bit,
Global VPN client platforms supported
Windows 8.0 32/64-bit, Windows 8.1 32/64-bit, Windows 10
Microsoft Windows Vista 32/64-bit, Windows 7, Windows 8.0 32/64-bit, Windows 8.1 32/64-bit,
NetExtender
Mac OS X 10.4+, Linux FC3+/Ubuntu 7+/OpenSUSE
Mobile Connect
Apple® iOS, Mac OS X, Google® Android™, Kindle Fire, Chrome, Windows 8.1 (Embedded)
SECURITY SERVICES
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
Deep Packet Inspection services
Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, DPI SSL
HTTP URL, HTTPS IP, keyword and content scanning, Comprehensive filtering based on file types
Content Filtering Service (CFS)
such as ActiveX, Java, Cookies for privacy, allow/forbid lists
Comprehensive Anti-Spam Service
Supported
Application Visualization
Yes
Yes
Yes
Application Control
Yes
Yes
Yes
Capture Advanced Threat Protection
Yes
Yes
Yes
NETWORKING
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
IP address assignment
Static, (DHCP, PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP relay
NAT modes
1:1, 1:many, many:1, many:many, flexible NAT (overlapping IPs), PAT, transparent mode
Routing protocols4
BGP4, OSPF, RIPv1/v2, static routes, policy-based routing
QoS
Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1e (WMM)
16
SonicWall TZ series system specifications cont'd
NETWORKING
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
Authentication
LDAP (multiple domains), XAUTH/RADIUS, SSO, Novell, internal user database,
Terminal Services, Citrix, Common Access Card (CAC)
Local user database
150
250
VoIP
Full H.323v1-5, SIP
Standards
TCP/IP, UDP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS,
IEEE 802.3
Certifications
FIPS 140-2 (with Suite B) Level 2, UC APL, VPNC, IPv6 (Phase 2), ICSA Network Firewall, ICSA
Anti-virus
Certifications pending
Common Criteria NDPP (Firewall and IPS)
Common Access Card (CAC)
Supported
High availability
Active/standby
Active/Standby with stateful synchronization
HARDWARE
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
Form factor
Desktop
Power supply
24W external
36W external
60W external
180W external
(TZ600P only)
Maximum power consumption (W)
9.2 / 13.8
13.4 / 17.7
16.1
Input power
100-240 VAC, 50-60 Hz, 1 A
Total heat dissipation
31.3 / 47.1 BTU
45.9 / 60.5 BTU
55.1 BTU
Dimensions
3.5 x 13.4 x 19 cm
3.5 x 15 x 22.5 cm
3.5 x 18 x 28 cm
1.38 x 5.28 x 7.48 in
1.38 x 5.91 x 8.86 in
1.38 x 7.09 x 11.02 in
Weight
0.73 kg / 1.61 lbs
0.92 kg / 2.03 lbs
1.47 kg / 3.24 lbs
0.84 kg / 1.85 lbs
1.05 kg / 2.31 lbs
WEEE weight
1.15 kg / 2.53 lbs
1.34 kg / 2.95 lbs
1.89 kg /4.16 lbs
1.26 kg / 2.78 lbs
1.48 kg / 3.26 lbs
Shipping weight
1.37 kg / 3.02 lbs
1.93 kg / 4.25 lbs
2.48 kg / 5.47 lbs
1.48 kg / 3.26 lbs
2.07 kg / 4.56 lbs
MTBF (in years)
54.0
40.8
18.4
Environment (Operating/Storage)
32°-105° F (0°-40° C)/-40° to 158° F (-40° to 70° C)
Humidity
5-95% non-condensing
REGULATORY
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
Major regulatory compliance (wired models)
FCC Class B, ICES Class B,
FCC Class B, ICES Class B,
FCC Class A, ICES Class A,
CE (EMC, LVD, RoHS), C-Tick,
CE (EMC, LVD, RoHS), C-Tick,
CE (EMC, LVD, RoHS), C-Tick,
VCCI Class B, UL, cUL, TUV/
VCCI Class B, UL, cUL, TUV/
VCCI Class A, UL cUL, TUV/GS,
GS, CB, Mexico CoC by UL,
GS, CB, Mexico CoC by UL,
CB, Mexico CoC by UL, WEEE,
WEEE, REACH, KCC/MSIP
WEEE, REACH, BSMI, KCC/
REACH, KCC/MSIP
MSIP
Major regulatory compliance (wireless models)
FCC Class B, FCC RF ICES
FCC Class B, FCC RF ICES
Class B, IC RF CE (RED, RoHS),
Class B, IC RF CE (RED, RoHS),
RCM, VCCI Class B, MIC/
RCM, VCCI Class B, MIC/
TELEC, UL, cUL, TUV/GS, CB,
TELEC, UL, cUL, TUV/GS, CB,
Mexico CoC by UL, WEEE,
Mexico CoC by UL, WEEE,
REACH
REACH
17
SonicWall TZ series system specifications cont'd
INTEGRATED WIRELESS
TZ400 SERIES
TZ500 SERIES
TZ600 SERIES
Standards
802.11a/b/g/n/ac (WEP, WPA, WPA2, 802.11i, TKIP, PSK,02.1x,
EAP-PEAP, EAP-TTLS
Frequency bands5
802.11a: 5.180-5.825 GHz; 802.11b/g: 2.412-2.472 GHz;
802.11n: 2.412-2.472 GHz, 5.180-5.825 GHz; 802.11ac: 2.412-
2.472 GHz, 5.180-5.825 GHz
Operating Channels
802.11a: US and Canada 12, Europe 11, Japan 4, Singapore
4, Taiwan 4; 802.11b/g: US and Canada 1-11, Europe 1-13,
Japan 1-14 (14-802.11b only); 802.11n (2.4 GHz): US and
Canada 1-11, Europe 1-13, Japan 1-13; 802.11n (5 GHz): US
and Canada 36-48/149-165, Europe 36-48, Japan 36-48, Spain
36-48/52-64; 802.11ac: US and Canada 36-48/149-165, Europe
36-48, Japan 36-48, Spain 36-48/52-64
Transmit output power
Based on the regulatory domain specified by the system
administrator
Transmit power control
Supported
Data rates supported
802.11a: 6, 9, 12, 18, 24, 36, 48, 54 Mbps per channel; 802.11b:
1, 2, 5.5, 11 Mbps per channel; 802.11g: 6, 9, 12, 18, 24, 36, 48,
54 Mbps per channel; 802.11n: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8,
65, 72.2, 15, 30, 45, 60, 90, 120, 135, 150 Mbps per channel;
802.11ac: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2, 86.7, 96.3,
15, 30, 45, 60, 90, 120, 135, 150, 180, 200, 32.5, 65, 97.5, 130,
195, 260, 292.5, 325, 390, 433.3, 65, 130, 195, 260, 390, 520,
585, 650, 780, 866.7 Mbps per channel
Modulation technology spectrum
802.11a: Orthogonal Frequency Division Multiplexing (OFDM);
802.11b: Direct Sequence Spread Spectrum (DSSS); 802.11g:
Orthogonal Frequency Division Multiplexing (OFDM)/Direct
Sequence Spread Spectrum (DSSS); 802.11n: Orthogonal
Frequency Division Multiplexing (OFDM); 802.11ac: Orthogonal
Frequency Division Multiplexing (OFDM)
18
SonicWall TZ Series ordering information
Product
SKU
SOHO 250 with 1-year TotalSecure Advanced Edition
02-SSC-1815
SOHO 250 Wireless-AC with 1-year TotalSecure Advanced Edition
02-SSC-1824
TZ300 with 1-year TotalSecure Advanced Edition
01-SSC-1702
TZ300 Wireless-AC with 1-year TotalSecure Advanced Edition
01-SSC-1703
TZ300P with 1-year TotalSecure Advanced Edition
02-SSC-0602
TZ350 with 1-year TotalSecure Advanced Edition
02-SSC-1843
TZ350 Wireless-AC with 1-year TotalSecure Advanced Edition
02-SSC-1851
TZ400 with 1-year TotalSecure Advanced Edition
01-SSC-1705
TZ400 Wireless-AC with 1-year TotalSecure Advanced Edition
01-SSC-1706
TZ500 with 1-year TotalSecure Advanced Edition
01-SSC-1708
TZ500 Wireless-AC with 1-year TotalSecure Advanced Edition
01-SSC-1709
TZ600 with 1-year TotalSecure Advanced Edition
01-SSC-1711
TZ600P with 1-year TotalSecure Advanced Edition
02-SSC-0600
High availability options (each unit must be the same model)
TZ500 High Availability
01-SSC-0439
TZ600 High Availability
01-SSC-0220
Services
SKU
For SonicWall SOHO 250 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
02-SSC-1726
Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for SOHO 250 (1-year)
02-SSC-1732
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year)
02-SSC-1750
Content Filtering Service (1-year)
02-SSC-1744
Comprehensive Anti-Spam Service (1-year)
02-SSC-1823
24x7 Support (1-year)
02-SSC-1720
For SonicWall TZ300 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
01-SSC-1430
Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ300 (1-year)
01-SSC-1435
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year)
01-SSC-0602
Content Filtering Service (1-year)
01-SSC-0608
Comprehensive Anti-Spam Service (1-year)
01-SSC-0632
24x7 Support (1-year)
01-SSC-0620
For SonicWall TZ350 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
02-SSC-1773
Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ350 (1-year)
02-SSC-1779
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year)
02-SSC-1797
Content Filtering Service (1-year)
02-SSC-1791
Comprehensive Anti-Spam Service (1-year)
02-SSC-1809
24x7 Support (1-year)
02-SSC-1767
19
SonicWall TZ Series ordering information
For SonicWall TZ400 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
01-SSC-1440
Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ400 (1-year)
01-SSC-1445
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year)
01-SSC-0534
Content Filtering Service (1-year)
01-SSC-0540
Comprehensive Anti-Spam Service (1-year)
01-SSC-0561
24x7 Support (1-year)
01-SSC-0552
For SonicWall TZ500 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
01-SSC-1450
Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ500 (1-year)
01-SSC-1455
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year)
01-SSC-0458
Content Filtering Service (1-year)
01-SSC-0464
Comprehensive Anti-Spam Service (1-year)
01-SSC-0482
24x7 Support (1-year)
01-SSC-0476
For SonicWall TZ600 Series
Advanced Gateway Security Suite - Capture ATP, Threat Prevention, Firewall management and reporting,
01-SSC-1460
Shadow IT Visibility, and 24x7 Support (1-year)
Capture Advanced Threat Protection for TZ600 (1-year)
01-SSC-1465
Gateway Anti-Virus, Intrusion Prevention and Application Control (1-year)
01-SSC-0228
Content Filtering Service (1-year)
01-SSC-0234
Comprehensive Anti-Spam Service (1-year)
01-SSC-0252
24x7 Support (1-year)
01-SSC-0246
About SonicWall
Regulatory model numbers
SonicWall has been fighting the cybercriminal industry for over
SOHO/SOHO Wireless
APL31-0B9/APL41-0BA
27 years defending small and medium businesses, enterprises
SOHO 250/SOHO 250 Wireless
APL41-0D6/APL41-0BA
and government agencies worldwide. Backed by research
TZ300/TZ300 Wireless/
APL28-0B4/APL28-0B5/
from SonicWall Capture Labs, our award- winning, real-time
TZ300P
APL47-0D2
breach detection and prevention solutions secure more than a
TZ350/TZ350 Wireless
APL28-0B4/APL28-0B5
million networks, and their emails, applications and data, in over
TZ400/TZ400 Wireless
APL28-0B4/APL28-0B5
215 countries and territories. These organizations run more
effectively and fear less about security. For more information,
TZ500/TZ500 Wireless
APL29-0B6/APL29-0B7
visit www.sonicwall.com or follow us on Twitter, LinkedIn,
TZ600/TZ600P
APL30-0B8/APL48-0D3
The Gartner Peer Insights Customers’ Choice logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights
Customers’ Choice distinctions are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and
overall ratings for a given vendor in the market, as further described here, and are not intended in any way to represent the views of Gartner or its affiliates.
SonicWall, Inc.
© 2019 SonicWall Inc. ALL RIGHTS RESERVED. SonicWall is a
1033 McCarthy Boulevard | Milpitas, CA 95035
trademark or registered trademark of SonicWall Inc. and/or its
Refer to our website for additional information.
affiliates in the U.S.A. and/or other countries. All other trademarks and
registered trademarks are property of their respective owners.
Datasheet-TZ Series-US-VG-340