NSv Series Overview:
        The design, implementation and deployment of modern network architectures, such as virtualization and cloud, continue to be a game-changing strategy for many organizations. Virtualizing the data center, migrating to the cloud, or a combination of both, demonstrates significant operational and economic advantages. However, vulnerabilities within virtual environments are well-documented. New vulnerabilities are discovered regularly that yield serious security implications and challenges. Delivering applications and services safely, efficiently and in a scalable manner, while still combating threats harmful to all parts of the virtual framework, including virtual machines (VMs), application workloads and data, must be among the top priorities.
        The SonicWall Network Security virtual (NSv) firewall series helps security teams reduce these types of security risks and vulnerabilities, which can cause serious disruption to your business-critical services and operations. NSv next-generation virtual firewalls integrate two advanced security technologies to deliver cutting-edge threat prevention that keeps your network one step ahead. SonicWall’s patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology enhances our award-winning multi-engine Capture Advanced Threat Protection (ATP) sandboxing service. The RTDMI engine proactively detects and blocks mass-market, zero-day threats and unknown malware by inspecting directly in memory. Because of the real-time architecture, SonicWall RTDMI technology is precise, minimizes false positives, and identifies and mitigates sophisticated attacks where the malware’s weaponry is exposed for less than 100 nanoseconds. In combination, SonicWall’s patented* single-pass Reassembly-Free Deep Packet Inspection (RFDPI®) engine examines every byte of every packet, inspecting both inbound and outbound traffic on the firewall.
        
        
          *U.S. Patents 7,310,815; 7,600,257; 7,738,380; 7,835,361; 7,991,723
        
        
        The NSv series delivers the automated real-time breach detection and prevention organizations need by utilizing innovative deep learning technologies in the SonicWall Capture Cloud Platform. This platform delivers cloud-based threat prevention and network management plus reporting and analytics for organizations of any size. This platform consolidates threat intelligence gathered from multiple sources including our Capture ATP, as well as more than 1 million SonicWall sensors located around the globe. By leveraging the SonicWall Capture Cloud Platform in addition to capabilities including intrusion prevention, anti-malware and web/URL filtering, the NSv series blocks even the stealthiest threats at the gateway.
        NSv is easily deployed and provisioned in a virtual environment, typically between virtual networks (VNs) or virtual private clouds (VPCs). This allows it to capture communications and data exchanges between virtual machines for automated breach prevention, while establishing stringent access control measures for data confidentiality and VM safety and integrity. Security threats (such as cross-virtual-machine or side-channel attacks, common network-based intrusions, and application and protocol vulnerabilities) are neutralized successfully through SonicWall’s comprehensive suite of security inspection services¹. All VM traffic is subjected to multiple threat analysis engines, including intrusion prevention, gateway anti-virus and anti-spyware, cloud anti-virus, botnet filtering, application control and Capture ATP multi-engine sandboxing with RTDMI technology.
        Segmentation Security
        For optimal effectiveness against Advanced Persistent Threats (APTs), network security segmentation must apply an integrated set of dynamic, enforceable barriers to advanced threats. With segment-based security capabilities, NSv can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. By applying security policies to the inside of the VN, segmentation can be configured to organize network resources into different segments, and allow or restrict traffic between those segments. This way, access to critical internal resources can be strictly controlled.
        NSv automatically enforces segmentation restrictions based upon dynamic criteria, such as user identity credentials, geoIP location and the security stature of mobile endpoints. For extended security, NSv is also capable of integrating multi-gigabit network switching into its security segment policy and enforcement. It directs segment policy to traffic at switching points throughout the network, and globally manages segment security enforcement from a single pane of glass.
        Since segments are only as effective as the security that can be enforced between them, NSv applies its intrusion prevention system (IPS) to scan incoming and outgoing traffic on the VLAN segment, enhancing security for internal network traffic. For each segment, it enforces a full range of security services on multiple interfaces based on enforceable policy.
        Flexible Deployment Use Cases
        With infrastructure support for high availability implementation, NSv fulfills the scalability and availability requirements of Software Defined Data Centers. It ensures system resiliency, service reliability, and regulatory conformance. Optimized for a broad range of public, private and hybrid deployment use cases, NSv can adapt to service-level changes and ensure VMs and their application workloads and data assets are available, as well as secure. It can do it all at multi-Gbps speed with low latency.
        Organizations gain all the security advantages of a physical firewall, with the operational and economic benefits of virtualization. This includes system scalability, operation agility, provisioning speed, simple management and cost reduction.
        The NSv series is available in multiple virtual flavors carefully packaged for a broad range of virtualized and cloud deployment use cases. Delivering multi-gigabit threat prevention and encrypted traffic inspection performance, the NSv series adapts to capacity-level increases and ensures VN and VPC safety. The series also ensures application workloads and data assets are available as well as secure.
        Govern Centrally
        NSv deployments can be centrally managed either on premises with SonicWall Global Management System (GMS²), or with Capture Security Center², SonicWall’s open, scalable cloud security management, monitoring, reporting and analytics platform delivered as a cost-effective as-a-service offering.
        Capture Security Center gives the ultimate in visibility, agility and capacity to govern the entire SonicWall virtual and physical firewall ecosystem with greater clarity, precision, and speed – all from a single pane of glass.
        Flexible Licensing
        NSv supports Bring Your Own License (BYOL) and Pay As You Go (PAYG) licensing. The BYOL license for NSv can be purchased directly from SonicWall, a partner or reseller. The PAYG license, by contrast, is purchased directly from the AWS Marketplace. It is a usage-based license, with payment made according to usage on an hourly or annual basis.
        
          
            
        GOVERN CENTRALLY
        - Establish an easy path to comprehensive security management, analytic reporting and compliance to unify your network security defense program
        - Automate and correlate workflows to form a fully coordinated security governance, compliance and risk management strategy

        COMPLIANCE
        - Make regulatory bodies and auditors happy with automatic PCI, HIPAA and SOX security reports
        - Customize any combination of security auditable data to help you move towards specific compliance regulations

        RISK MANAGEMENT
        - Move fast and drive collaboration, communication and knowledge across the shared security framework
        - Make informed security policy decisions based on time-critical and consolidated threat information for higher level of security efficiency

        GMS provides a holistic approach to security governance, compliance and risk management
       
      
        Features:
        SonicOS Platform
        The SonicOS architecture is at the core of every SonicWall physical and virtual firewall including the NSv and NSa Series, SuperMassive Series and TZ Series. Refer to the SonicWall SonicOS Platform datasheet for the complete list of features and capabilities.
        Automated breach prevention¹
        NSv delivers complete advanced threat protection, including high-performance intrusion and malware prevention, and cloud-based sandboxing with SonicWall’s RTDMI technology.
        Around-the-clock security¹
        NSv ensures lateral movement protection, plus inbound and outbound traffic protection. New threat updates are automatically pushed to firewalls with active security services, and take effect immediately without reboots or interruptions.
        Zero-day protection¹
        NSv protects against zero-day attacks with constant updates against the latest exploit methods and techniques that cover thousands of individual exploits.
        Threat API
        NSv receives and leverages any and all proprietary, original equipment manufacturer and third-party intelligence feeds to combat advanced threats, such as zero-day, malicious insider, compromised credentials, ransomware and advanced persistent threats.
        Zone protection
        NSv strengthens internal security by enabling segmentation of the network into multiple security zones, with intrusion prevention service keeping threats from propagating across the zone boundaries. Creating and applying access rules and NAT policies to traffic passing through the various interfaces, it can allow or deny internal or external network access based on various criteria.
        Application intelligence and control¹
        NSv provides granular control over network traffic at the user, email address, schedule, and IP-subnet levels, with application-specific policies. It controls custom applications by creating signatures based on specific parameters or patterns unique to an application. Internal or external network access is allowed or denied based on various criteria.
        Data leakage prevention
        NSv provides the ability to scan streams of data for keywords. This restricts the transfer of certain file names, file types, email attachments, attachment types, email with certain subjects, and email or attachments with certain keywords or byte patterns.
        Application layer bandwidth management
        NSv can select among various bandwidth management settings to reduce network bandwidth usage by an application using packet monitor. This provides further control over the network.
        Secure communication
        NSv ensures the data exchange between groups of virtual machines is done securely, including isolation, confidentiality, integrity, and information flow control within these networks via the use of segmentation.
        Access control
        NSv validates that only VMs that satisfy a given set of conditions are able to access data belonging to another through the use of VLANs.
        User authentication
        NSv creates policies to control or restrict VM and workload access by unauthorized users.
        Data confidentiality
        NSv blocks information theft and illegitimate access to protected data and services.
        Virtual network resilience and availability
        NSv prevents disruption or degradation of application services and communications.
        System safety and integrity
        NSv stops unauthorized takeover of VM systems and services.
        Traffic validation, inspection and monitoring mechanisms
        NSv detects irregularities and malicious behaviors to stop attacks targeting VM workloads.
        Deployment options
        NSv can be deployed on a wide variety of virtualized and cloud platforms for various private/public cloud security use cases.
        
          ¹ Requires SonicWall Advanced Gateway Security Services (AGSS) subscription.
          ² SonicWall Global Management System and Capture Security Center require separate licensing or subscription.
        
       
      
        Compare Models (NSv 10 - NSv 100):
        
          
            
              
        | FIREWALL GENERAL | NSv 10 | NSv 25 | NSv 50 | NSv 100 |
        |---|---|---|---|---|
        | Operating system | SonicOS¹ |
        | Supported Hypervisors | VMware ESXi v5.5 / v6.0 / v6.5 / v6.7, Microsoft Hyper-V Win 2012 / 2016 |
        | Licensing | BYOL |
        | Max Supported vCPUs | 2 | 2 | 2 | 2 |
        | Interface Count (ESXi/Hyper-V) | 8/8 | 8/8 | 8/8 | 8/8 |
        | Max Mgmt/DataPlane Cores | 1/1 | 1/1 | 1/1 | 1/1 |
        | Min Memory³ | 4 GB | 4 GB | 4 GB | 4 GB |
        | Max Memory⁴ | 6 GB | 6 GB | 6 GB | 6 GB |
        | Supported IP/Nodes | 10 | 25 | 50 | 100 |
        | Minimum Storage | 60 GB |
        | SSO users | 25 | 50 | 100 | 100 |
        | Logging | Analyzer, Local Log, Syslog |
        | High availability | Active/Passive |

        | FIREWALL/VPN PERFORMANCE⁶ | NSv 10 | NSv 25 | NSv 50 | NSv 100 |
        |---|---|---|---|---|
        | Firewall Inspection Throughput | 2 Gbps | 2.5 Gbps | 3 Gbps | 3.5 Gbps |
        | Full DPI Throughput (GAV/GAS/IPS) | 450 Mbps | 550 Mbps | 650 Mbps | 750 Mbps |
        | Application Inspection Throughput | 1 Gbps | 1.25 Gbps | 1.5 Gbps | 1.75 Gbps |
        | IPS Throughput | 1 Gbps | 1.25 Gbps | 1.5 Gbps | 1.75 Gbps |
        | Anti-Malware Inspection Throughput | 450 Mbps | 550 Mbps | 650 Mbps | 750 Mbps |
        | IMIX Throughput | 750 Mbps | 850 Mbps | 950 Mbps | 1100 Mbps |
        | TLS/SSL DPI Throughput | 650 Mbps | 750 Mbps | 850 Mbps | 950 Mbps |
        | VPN Throughput | 500 Mbps | 550 Mbps | 600 Mbps | 650 Mbps |
        | Connections per second | 1,800 | 5,000 | 8,000 | 10,000 |
        | Maximum connections (SPI) | 2,500 | 6,250 | 12,500 | 25,000 |
        | Maximum connections (DPI) | 2,500 | 6,250 | 12,500 | 25,000 |
        | TLS/SSL DPI Connections | 500 | 1,000 | 2,000 | 4,000 |

        | VPN | NSv 10 | NSv 25 | NSv 50 | NSv 100 |
        |---|---|---|---|---|
        | Site-to-Site VPN Tunnels | 10 | 10 | 25 | 50 |
        | IPSec VPN clients | 10 | 10 | 25 | 25 |
        | SSL VPN NetExtender Clients (Maximum) | 2(10) | 2(25) | 2(25) | 2(25) |
        | Encryption/authentication | DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B, Common Access Card (CAC) |
        | Key exchange | Diffie Hellman Groups 1, 2, 5, 14v |
        | Route-based VPN | RIP, OSPF, BGP |

        | NETWORKING | NSv 10 | NSv 25 | NSv 50 | NSv 100 |
        |---|---|---|---|---|
        | IP address assignment | Static, DHCP, internal DHCP server, DHCP relay |
        | NAT modes | 1:1, many:1, 1:many, flexible NAT (overlapping IPs), PAT |
        | Max VLAN | 25 | 25 | 50 | 50 |
        | Routing protocols | BGP, OSPF, RIPv1/v2, static routes, policy-based routing |
        | QoS | Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1p |
        | Authentication | XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix |
        | VoIP | SIP |
        | Standards | TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, L2TP, PPTP, RADIUS |
        | Max SD-WAN groups | 12 | 12 | 18 | 32 |
        | Max SD-WAN members per product | 24 | 24 | 36 | 64 |
            
          
         
        
          ¹ Currently supporting SonicOS 6.5.4 on ESXi. Support of SonicOS 6.5.4 on Hyper-V, Azure and AWS will be available August 2019.
          ² PAYG is currently available only on AWS.
          ³ Memory with Jumbo frame disabled.
          ⁴ Memory with Jumbo frame enabled. Additional memory is required for Jumbo frames. Jumbo frames are not supported on Azure and AWS.
          ⁵ High availability is available on the VMware ESXi platform and Microsoft Hyper-V. HA is not supported on Azure and AWS.
          ⁶ Published performance numbers are up to the specification and the actual performance may vary depending on underlying hardware, network conditions, firewall configuration and activated services. Performance and capacities may also vary based on underlying virtualization infrastructure, and we recommend additional testing within your environment to ensure your performance and capacity requirements are met. Performance metrics were observed using Intel Xeon W Processor (W-2195 2.3GHz, 4.3GHz Turbo, 24.75M Cache) running SonicOSv 6.5.0.2 with VMware vSphere 6.5.
          ⁷ VLAN interfaces are not supported on Azure and AWS.
          Testing Methodologies: Maximum performance based on RFC 2544 (for firewall). Full DPI/Gateway AV/Anti-Spyware/IPS throughput measured using industry standard Spirent WebAvalanche HTTP performance test and Ixia test tools.
          Testing done with multiple flows through multiple port pairs. VPN throughput measured using UDP traffic at 1418 byte packet size adhering to RFC 2544. All specifications and features are subject to change.
        
       
      
        Compare Models (NSv 200 - NSv 1600):
        
          
            
              
        | FIREWALL GENERAL | NSv 200 | NSv 300 | NSv 400 | NSv 800 | NSv 1600 |
        |---|---|---|---|---|---|
        | Operating system | SonicOS¹ |
        | Supported Hypervisors | VMware ESXi v5.5 / v6.0 / v6.5 / v6.7, Microsoft Hyper-V |
        | Supported Public Cloud Platforms (Instance Type) | AWS (c5.large), Azure (Std D2 v2) | N/A | AWS (c5.xlarge), Azure (Std D3 v2) | AWS (c5.2xlarge), Azure (Std D4 v2) | AWS (c5.4xlarge), Azure (Std D5 v2) |
        | Licensing | BYOL, PAYG² |
        | Max Supported vCPUs | 2 | 3 | 4 | 8 | 16 |
        | Interface Count (ESXi/Hyper-V/AWS/Azure) | 8/8/2/2 | 8/8/-/- | 8/8/4/4 | 8/8/8/8 | 8/8/8 |
        | Max Mgmt/DataPlane Cores | 1/1 | 1/2 | 1/3 | 1/7 | 1/15 |
        | Min Memory³ | 6 GB | 6 GB | 8 GB | 10 GB | 12 GB |
        | Max Memory⁴ | 6 GB | 8 GB | 10 GB | 14 GB | 18 GB |
        | Supported IP/Nodes | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
        | Minimum Storage | 60 GB |
        | SSO users | 500 | 5,000 | 10,000 | 15,000 | 20,000 |
        | Logging | Analyzer, Local Log, Syslog |
        | High availability | Active/Passive⁵ |

        | FIREWALL/VPN PERFORMANCE⁶ | NSv 200 | NSv 300 | NSv 400 | NSv 800 | NSv 1600 |
        |---|---|---|---|---|---|
        | Firewall Inspection Throughput | 4.1 Gbps | 5.9 Gbps | 7.8 Gbps | 13.9 Gbps | 17.2 Gbps |
        | Full DPI Throughput (GAV/GAS/IPS) | 900 Mbps | 1.6 Gbps | 2.2 Gbps | 4.0 Gbps | 6.4 Gbps |
        | Application Inspection Throughput | 2.3 Gbps | 3.4 Gbps | 4.1 Gbps | 5.5 Gbps | 6.4 Gbps |
        | IPS Throughput | 2.3 Gbps | 3.4 Gbps | 4.1 Gbps | 5.5 Gbps | 6.7 Gbps |
        | Anti-Malware Inspection Throughput | 900 Mbps | 1.6 Gbps | 2.2 Gbps | 4.0 Gbps | 6.6 Gbps |
        | IMIX Throughput | 1.5 Gbps | 2.3 Gbps | 2.8 Gbps | 4.2 Gbps | 5.3 Gbps |
        | TLS/SSL DPI Throughput | 1.1 Gbps | 1.2 Gbps | 1.8 Gbps | 3.4 Gbps | 5.1 Gbps |
        | VPN Throughput | 750 Mbps | 1.4 Gbps | 1.9 Gbps | 4.2 Gbps | 8.4 Gbps |
        | Connections per second | 13,760 | 24,360 | 37,270 | 75,640 | 125,000 |
        | Maximum connections (SPI) | 225,000 | 1M | 1.5M | 3M | 4M |
        | Maximum connections (DPI) | 125,000 | 500,000 | 1.5M | 2M | 2.5M |
        | TLS/SSL DPI Connections | 8,000 | 12,000 | 20,000 | 30,000 | 50,000 |

        | VPN | NSv 200 | NSv 300 | NSv 400 | NSv 800 | NSv 1600 |
        |---|---|---|---|---|---|
        | Site-to-Site VPN Tunnels | 75 | 100 | 6000 | 10,000 | 25,000 |
        | IPSec VPN clients (Maximum) | 50(1000) | 50(1000) | 2000(4000) | 2000(6000) | 2000(10,000) |
        | SSL VPN NetExtender Clients (Maximum) | 2(100) | 2(100) | 2(100) | 2(100) | 2(100) |
        | Encryption/authentication | DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B, Common Access Card (CAC) |
        | Key exchange | Diffie Hellman Groups 1, 2, 5, 14v |
        | Route-based VPN | RIP, OSPF, BGP |

        | NETWORKING | NSv 200 | NSv 300 | NSv 400 | NSv 800 | NSv 1600 |
        |---|---|---|---|---|---|
        | IP address assignment | Static, DHCP, internal DHCP server, DHCP relay |
        | NAT modes | 1:1, many:1, 1:many, flexible NAT (overlapping IPs), PAT |
        | Max VLAN⁷ | 128 | 128 | 128 | 128 | 128 |
        | Routing protocols | BGP, OSPF, RIPv1/v2, static routes, policy-based routing |
        | QoS | Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1p |
        | Authentication | XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix |
        | VoIP | SIP |
        | Standards | TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, L2TP, PPTP, RADIUS |
        | Max SD-WAN groups | 38 | 38 | 70 | 102 | 102 |
        | Max SD-WAN members per product | 76 | 76 | 140 | 204 | 204 |
            
          
         
        