SOLICITATION NOTICE
D -- PAN Next Generation Firewall (NGFW)
- Notice Date
- 6/3/2024 12:17:02 PM
- Notice Type
- Solicitation
- NAICS
- 541512
— Computer Systems Design Services
- Contracting Office
- Acquisition Services Washington DC 20401 USA
- ZIP Code
- 20401
- Solicitation Number
- 040ADV-24-R-0048
- Response Due
- 6/14/2024 2:00:00 PM
- Archive Date
- 06/29/2024
- Point of Contact
- Jasanya Bias Harrison, Phone: 2025120058, Abdulrashid Behi, Phone: 2023045098
- E-Mail Address
-
Proposals-1@gpo.gov, abehi@gpo.gov
- Description
- *The purpose of today's amendment is to delete all option years, which makes this solicitation a 12-month effort only.*

C.1 OBJECTIVE
As part of the Hardware Lifecycle Refresh task, GPO intends to replace its legacy PAN Next Generation Firewall (NGFW) with the most recent PAN NGFW platforms at two (2) geographically separate GPO sites. The existing firewall platform is approaching End of Life and End of Support. The Government Publishing Office (GPO) is seeking a qualified Contractor to provide all hardware components listed in section B on page 4 and to provide end-to-end installation, configuration, and implementation services at the two (2) GPO locations (the GPO Data Center in Northern Virginia and Headquarters), including hardware and software maintenance and technical support, and expert professional services to assist GPO with installation, configuration, validation testing, and operational activation of the new NGFW. The new NGFW system shall be installed without disrupting current GPO systems and day-to-day operations. The intent is for the new NGFW system to replace and take over all current functions of the GPO firewall system at the two (2) GPO locations (GPO Data Center and Headquarters) at the conclusion of the project.
C.2 Technical Requirements

C.2.1 Capacity and Performance
- 2 x 100 Gbps physical interfaces capable of being configured as trunks and sub-interfaces
- 8 x 10/40 Gbps physical interfaces capable of being configured as trunks and sub-interfaces
- 1/10 Gbps out-of-band management interface
- Firewall throughput: inner tier > 60 Gbps; outer tier > 40 Gbps
- Throughput with all Next Gen features running: inner tier > 40 Gbps; outer tier > 20 Gbps
- TLS decryption > 5 Gbps
- IPsec VPN throughput > 5 Gbps
- Concurrent connections with full Next Gen inspection > 2 million
- Maximum new connections per second > 100K

C.2.2 Management
- Centralized management of all physical and virtual firewalls in the domain, including cloud-based ones, via a multi-faceted GUI-based controller. This should include an at-a-glance view of the general health and performance of the environment.
- Support for administrative role-based access for authentication and authorization via a variety of services, including TACACS+, RADIUS, Active Directory/LDAP/Kerberos, SAML, and multifactor authentication that combines the above with second factors from providers such as RSA SecurID, Okta Adaptive, etc.
- Notifications via email and/or SNMP in reaction to a single event or a threshold of events occurring on the firewall
- Built-in optimization tools such as rule shadowing identification, hit counts, and rule usage information
- Built-in troubleshooting tools such as packet captures and traffic tracing
- Comprehensive logging to remote destinations via Syslog or SNMP, with the ability to filter and transmit specific logs to a variety of destinations, and the ability to take actions such as Block or Alert based on specific log entries
- Comprehensive views, via the local management console, of traffic and events occurring on and through the firewalls
- Shall provide a set of individual and summarized canned reports on web browsing activity, including: most attempts to access blocked sites by user, and highest web traffic (usage) by user
- Able to integrate with the Windows Server 2019 environment to correlate AD user and group information with IP addresses
- Firewall rules must be exportable from the NGFW in a file format that can be sorted (expanded) and searched by components such as ports, protocols, zones, interfaces, etc. (CSV format is highly desirable; TXT format is required)
- An API interface for integration with SolarWinds, for proactive monitoring of the uptime of both virtual and physical interfaces as well as 24x7 monitoring of all critical services

C.2.3 High Availability
- Ability to run in a hitless high-availability configuration, either Active/Active or Active/Standby, including the ability to selectively define what constitutes a failure, such as loss of specific groups of interfaces or loss of reachability to an external target

C.2.4 Access Control
- Access control based on ports and protocols at a minimum, but must also include the additional access controls listed below
- Access control via well-known applications regardless of port, and the ability to add new applications and customize applications
- Access control based on URLs, including web browsing that runs on ports other than the well-known ports 80 and 443
- Access control based on source user-id
- Support for dynamic local allow and block lists, and for external lists and feeds that can be imported by the firewalls and applied to rules. These lists should include components that can be defined by IP address, URL, or user-id
- Dynamic groups
- Expansive URL categorization, and filtering based on these URL categories to control access to inappropriate and dangerous web sites
- Web Application Firewall (WAF) functionality (outer tier), or tight integration with a separate WAF, is desirable
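The rule-optimization tooling called for in C.2.2 (rule shadowing identification) and the sortable CSV export of rules keyed by zones, ports and protocols make an independent check possible before the existing policy is migrated onto the new platform: a rule that a higher rule already fully covers is never hit, and if the two take different actions the intended action never applies. The following is an added example, not part of the solicitation and not PAN vendor code. It runs over a constructed CSV export in an assumed column layout (name, from_zone, to_zone, source, destination, protocol, dest_port, action) and reports each rule that a single earlier rule covers, labelling it redundant or conflicting. The column names, the ';' list separator and the sample rules are assumptions.

```python
import csv
import io
import ipaddress

ANY = "any"

# Constructed sample export (not GPO data). Rules are evaluated top-down, first
# match wins; "any" is a wildcard; list fields use ';'; ports may be ranges.
SAMPLE_EXPORT = """\
name,from_zone,to_zone,source,destination,protocol,dest_port,action
allow-dns,inside,outside,10.0.0.0/8,any,udp,53,allow
allow-web,inside,outside,10.0.0.0/8,any,tcp,80;443,allow
block-guest,guest,outside,192.168.50.0/24,any,any,any,deny
allow-guest-web,guest,outside,192.168.50.0/24,any,tcp,443,allow
allow-https-finance,inside,outside,10.1.2.0/24,any,tcp,443,allow
allow-ssh-any,any,any,any,any,tcp,22,allow
"""

def _split(field):
    """Split a ';'-separated list field into lower-cased items."""
    return [f.strip().lower() for f in field.split(";") if f.strip()]

def parse_ports(field):
    """Return (low, high) port ranges; 'any' is the full range."""
    ranges = []
    for item in _split(field):
        if item == ANY:
            return [(0, 65535)]
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_nets(field):
    """Return IP networks, or None for the 'any' wildcard."""
    items = _split(field)
    if ANY in items:
        return None
    return [ipaddress.ip_network(i, strict=False) for i in items]

def ports_covered(inner, outer):
    """Conservative: each inner range must sit inside one single outer range."""
    return all(any(a <= lo and hi <= b for a, b in outer) for lo, hi in inner)

def nets_covered(inner, outer):
    """A wildcard outer covers everything; a wildcard inner needs a wildcard outer."""
    if outer is None:
        return True
    if inner is None:
        return False
    return all(any(n.version == o.version and n.subnet_of(o) for o in outer)
               for n in inner)

def atom_covered(inner, outer):
    """Zones and protocols: covered by a wildcard or by the same literal."""
    return outer == ANY or inner == outer

def load_rules(csv_text):
    """Parse the export into rule dicts with typed match fields."""
    rules = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rules.append({
            "name": row["name"],
            "from_zone": row["from_zone"].strip().lower(),
            "to_zone": row["to_zone"].strip().lower(),
            "source": parse_nets(row["source"]),
            "destination": parse_nets(row["destination"]),
            "protocol": row["protocol"].strip().lower(),
            "dest_port": parse_ports(row["dest_port"]),
            "action": row["action"].strip().lower(),
        })
    return rules

def covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`."""
    return (atom_covered(inner["from_zone"], outer["from_zone"])
            and atom_covered(inner["to_zone"], outer["to_zone"])
            and nets_covered(inner["source"], outer["source"])
            and nets_covered(inner["destination"], outer["destination"])
            and atom_covered(inner["protocol"], outer["protocol"])
            and ports_covered(inner["dest_port"], outer["dest_port"]))

def find_shadowed(csv_text):
    """Return (rule, covering_rule, kind) for every rule that can never be hit.

    kind is 'redundant' if the covering rule takes the same action and
    'conflicting' if it takes a different one. Only single-rule coverage is
    checked, so a rule hidden by the union of several earlier rules is missed.
    """
    rules = load_rules(csv_text)
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "conflicting"
                findings.append((later["name"], earlier["name"], kind))
                break
    return findings

if __name__ == "__main__":
    for rule, by, kind in find_shadowed(SAMPLE_EXPORT):
        print(f"{rule}: {kind}, shadowed by {by}")
```

On the sample, allow-guest-web is reported as conflicting (the deny in block-guest wins) and allow-https-finance as redundant (allow-web already permits it); allow-ssh-any is not reported because its wildcard zones are wider than any earlier rule. The check is deliberately conservative: it never reports a false shadow, but it misses a rule hidden only by the union of several earlier rules or by a set of port ranges that together span the later rule's range.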
C.2.5 Next Generation IPS and Traffic Inspection
- Automatic threat feed and IPS signature updates
- Support for Anti-Virus, Anti-Spyware, and Data Loss Protection
- File access control, including multi-level decoding of zipped (nested archive) files
- Zero-day malware inspection and sandboxing

C.2.6 Denial of Service (DoS) Protection
- Denial of Service protection for individual or aggregate devices, including SYN, ICMP, and UDP flood protection
- Protection against reconnaissance such as port scans and host sweeps
- Protection against packet attacks such as non-SYN initial packets, oversized packets, and other malformed packets
- Protection against unexpected-protocol attacks

C.2.7 Quality of Service (QoS)
- Quality of Service (QoS) marking recognition, the ability to remark, and the ability to assign traffic to priority queues based on bandwidth or latency

C.2.8 Decryption (Outer Tier)
- Selective decryption of outgoing traffic, with the ability to bypass by category and to exclude by URL domain
- Selective decryption of incoming traffic

C.2.9 DNS Security
Comprehensive DNS Security support, including:
- The ability to identify threats being tunneled within DNS traffic
- Recognition of newly generated malicious domains created by Domain Generation Algorithms (DGA)
- Handling of fast-flux domains
- Protection against DNS rebinding
- The ability to take DNS sinkholing action, enabling the firewall to craft its own response to a DNS query for a known malicious domain

C.2.10 NAT Support
- Comprehensive NAT support including one-to-one static mapping, PAT, many-to-many, and translation based on destination port. This should include IPv6 support and IPv4-to-IPv6 translation.

C.2.11 Additional Features
- Support for Policy Based Routing/Forwarding
- Multicast support
- IGP routing support including EIGRP (preferred) or OSPF. BGP is also desirable.
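Three of the C.2.9 items (tunneling detection, DGA recognition and sinkholing) describe decisions the firewall makes on individual DNS queries, and the sinkhole item in particular means the firewall must synthesize a well-formed DNS answer rather than forward the query. The block below is an added example, not part of the solicitation and not PAN vendor code: it applies simplified, assumed heuristics for DGA-like names (long, high-entropy, vowel-poor registrable label) and for tunneling (oversized labels, or a burst of distinct subdomains under one domain), and builds a wire-format NOERROR response carrying a single A record for domains on a threat feed. The SINKHOLE_IP address, the KNOWN_BAD feed, the thresholds, the two-label registrable-domain rule and all query names are constructed assumptions.

```python
import math
import struct
from collections import defaultdict

SINKHOLE_IP = "10.255.255.254"   # assumed internal sinkhole address (hypothetical)
KNOWN_BAD = {"evil-c2.example"}  # constructed threat-feed entries (registrable domains)

def registrable_domain(qname):
    """Last two labels; a real implementation would consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_dga(qname):
    """Assumed heuristic: long, high-entropy, vowel-poor registrable label."""
    label = registrable_domain(qname).split(".")[0]
    vowels = sum(label.count(v) for v in "aeiou")
    return len(label) >= 10 and shannon_entropy(label) >= 3.5 and vowels / len(label) < 0.3

class TunnelDetector:
    """Flags oversized labels and a burst of distinct subdomains under one domain."""
    def __init__(self, max_label=40, max_unique=50):
        self.max_label, self.max_unique = max_label, max_unique
        self.seen = defaultdict(set)  # registrable domain -> distinct qnames seen

    def observe(self, qname):
        labels = qname.rstrip(".").lower().split(".")
        if any(len(l) > self.max_label for l in labels):
            return True
        parent = registrable_domain(qname)
        self.seen[parent].add(qname.lower())
        return len(self.seen[parent]) > self.max_unique

def encode_name(qname):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, qname):
    """Constructed client query: standard query, RD=1, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def decode_qname(packet):
    """Read the uncompressed question name that follows the 12-byte header."""
    labels, i = [], 12
    while packet[i] != 0:
        n = packet[i]
        labels.append(packet[i + 1:i + 1 + n].decode("ascii"))
        i += n + 1
    return ".".join(labels)

def build_sinkhole_response(query):
    """Answer the query with NOERROR and one A record pointing at the sinkhole."""
    i = 12
    while query[i] != 0:
        i += query[i] + 1
    question = query[12:i + 1 + 4]                 # name + QTYPE + QCLASS, copied verbatim
    rd = query[2] & 0x01                          # echo the client's RD bit
    flags = 0x8000 | 0x0400 | (rd << 8) | 0x0080  # QR, AA, RD, RA; RCODE 0
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)  # ptr to qname, A, IN, TTL 60, RDLEN 4
    return header + question + answer + bytes(int(o) for o in SINKHOLE_IP.split("."))

def handle_query(query, detector, feed=KNOWN_BAD):
    """Firewall decision for one query packet: (verdict, response bytes or None)."""
    qname = decode_qname(query)
    if registrable_domain(qname) in feed:
        return "sinkhole", build_sinkhole_response(query)
    if detector.observe(qname):
        return "alert-tunnel", None
    if looks_dga(qname):
        return "alert-dga", None
    return "allow", None

def run_sample():
    """Constructed traffic: benign, listed C2, DGA-like, oversized label, then a subdomain burst."""
    names = ["www.gpo.example", "evil-c2.example", "xk3jf9a2qz7mlp0w.example",
             "a" * 48 + ".tunnel.example"] + [f"{n:06x}.drip.example" for n in range(55)]
    detector = TunnelDetector()
    return [handle_query(build_query(n, name), detector)[0] for n, name in enumerate(names)]

if __name__ == "__main__":
    verdicts = run_sample()
    print(verdicts[:4], "tunnel alerts:", verdicts.count("alert-tunnel"))
```

The sinkhole response keeps the client's transaction ID and question section, sets QR/AA/RA, and points the answer name at offset 12 with a compression pointer, which is what a resolver or stub needs to accept it as a normal reply; an operator then watches for hosts connecting to SINKHOLE_IP to find infected machines. In the sample the burst detector stays quiet for the first fifty distinct drip.example subdomains and raises on each one after that, so on real traffic the unique-subdomain threshold should be tuned per domain and aged out over time rather than kept forever as this example does.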
C.2.12 VPN (Outer Tier)
- The ability to support Remote Access VPN and Site-to-Site VPN, with a selection of Suite B protocols and multiple single- and two-factor authentication options.
- Web Link
-
SAM.gov Permalink
(https://sam.gov/opp/89c30a39874e413196750785da9ea1c5/view)
- Place of Performance
- Address: Washington, DC 20401, USA
- Zip Code: 20401
- Country: USA
- Record
- SN07083664-F 20240605/240603230038 (samdaily.us)
- Source
-
SAM.gov Link to This Notice
(may not be valid after Archive Date)