Services
Standard Service
The standard service includes the following:
- Managed Firewall Service, which consists of an HA Firewall pair
- Standard[1] logging, including up to 1GB of log data per day, up to 10GB log data quota and up to 60 days retention per FW pair[2]
- Configuration of two usable network interfaces[3]
- Default routing: Border Gateway Protocol (BGP) or static routing
- Setup of the Self-Service and Analyzer Portal including up to three Equinix-created read-only/read-write user accounts[4]
- API access to Self-Service Portal
- Regular patching and updating of the firewall(s)
- 24x7 monitoring of the firewall(s)
- Incident Management & Support:
  - Priority 1 Incidents: 24x7
  - Priority 2 and 3 Incidents: Business Hours
  - Service Requests: Business Hours
- The Firewall functionality is included in all subscriptions. It offers the standard firewall services, which are described in detail in Service Options.
Note:
[1] Extensive Logging (>10GB) is offered as a chargeable option.
[2] If logging is enabled on a Firewall Policy, more log data is generated, and the default 60 days of analytics retention and 10GB quota are quickly consumed. This can be solved by selecting more carefully which policies have logging enabled, or by expanding the quota.
[3] Dual-Homed Internet Access/WAN connectivity requires more interfaces.
[4] Depending on the use case: if the customer manages the firewall itself, a read-write account is created. Otherwise, when Equinix manages the firewall, the customer can get read-only access.
Service Variants
Managed Firewall service is available in the following two service variants:
Managed Firewall - Virtual (MFW-V)
This is based on a highly available active-passive virtual appliance pair, which is installed on top of the Managed Private Cloud platform in an Equinix IBX. We offer different performance options to accommodate different throughput requirements. This service variant includes:
- vCPU, vRAM and storage resources required for the ordered performance option
- Configuration of the resources
- Installation and configuration of the HA Virtual Firewall pair in an IBX as set out in the order
- Access to the Self-Service Portal and Analyzer Portal
Managed Firewall - Physical (MFW-P)
This is based on a highly available active-passive physical appliance pair, which is installed either in your Licensed Space or optionally in Managed Solutions Licensed Space in an IBX. We offer different performance options to accommodate different throughput requirements. This variant includes:
- Installation and configuration of the HA Physical Firewall pair in an IBX as set out in the order
- Physical Cabling to the Network Switches and Firewalls (including management, etc.)
- Access to the Self-Service Portal and Analyzer Portal
The MFW-V is the most flexible and often the most suitable variant. In some specific use cases the MFW-P is a better option, for example due to high throughput or regulatory requirements. Other than performance, there are only slight variations between the MFW-V and MFW-P Service Variants. Therefore, to avoid duplication, this service description is based on the MFW-V service; where the MFW-P service deviates, this is called out in in-line text or a footnote as far as practically possible.
Service Options
Service Options are optional additions to your MFW service that enhance its capabilities.
Stretched Deployment (MFW-(V/P)-SD)
As standard, the firewalls are deployed in an active-failover high availability pair in a single IBX data center, offering at least 99.9% availability. With this option, the firewalls are deployed in an active-failover high availability pair across two IBX data centers, offering at least 99.95% availability.
This option could be selected to support the following enhanced high availability use cases:
- Dual Site WAN, Internet Access or Equinix Fabric connectivity
- Dual Site MPC
This Service Option also includes the required network connectivity between the two IBX data centers (applicable to MFW-V service variant).
Security Subscription
The Standard Service is based on the Firewall license. As a chargeable option, the IPS license or ATP/UTP bundle can also be selected. This table shows the different features which are unlocked by these licenses.
Attribute-Code | License | Description | Functionalities |
---|---|---|---|
Included | FW | Standard Service | Firewall |
MFW-(V/P)-(size)-IPS | IPS | Intrusion Prevention Services | Firewall, IPS |
MFW-(V/P)-(size)-ATP | ATP | Advanced Threat Protection | Firewall, IPS, Advanced Malware Protection Service, App Control |
MFW-(V/P)-(size)-UTP | UTP | Unified Threat Protection | Firewall, IPS, Advanced Malware Protection Service, App Control, Web Security |
Firewall
The Firewall functionality is included in all subscriptions, and offers the following functions and features:
- Network Interfaces
- Policy/Rules (Firewall Rules)
- Security Profiles (default “out-of-the-box” profiles)
- VPN IPsec
- VPN SSL (Web & Tunnel)
- NLB (Network Load Balancing)
- DoS Policy (L3/4 Anomalies)
- Logging (Analyzer)
IPS
Intrusion Prevention Services protects against new and existing vulnerabilities, and detects and blocks known and zero-day threats. It also helps with network-based virtual patching and detects hidden malware, ransomware, and other HTTPS-borne attacks.
Advanced Malware Protection Service
Antivirus, Botnet IP/Domain Security, Mobile Security, Sandbox Cloud, Virus Outbreak Protection, and Content Disarm & Reconstruction.
App Control
Application Control allows quick creation of policies to allow, deny, or restrict access to applications or entire categories of applications.
Web Security
Web Content Filtering controls access to web content by blocking web pages containing specific words or patterns. This helps to prevent access to pages with questionable material. Words, phrases, patterns, wildcards and Perl regular expressions can be specified to match content on web pages.
Performance Options
You can select from a range of performance options for the MFW-V and MFW-P service variants, to select the right type for the required throughput.
MFW-V performance options
The performance of the firewall in terms of Gbps throughput depends on the license selected, the vRAM and vCPU resources assigned to the virtual appliances and the features enabled on the firewall. The performance options range from S to XL. The table below gives an indication of the performance and the resources required.
Attribute-Code | VM Resources[1]: vCPU | VM Resources[1]: vRAM (GB) | Maximum Throughput (Gbps)[2]: FW[3] | Maximum Throughput (Gbps)[2]: IPS[4] | Maximum Throughput (Gbps)[2]: ATP/UTP[5] |
---|---|---|---|---|---|
MFW-V-S | 2 | 4 | 7 | 1.7 | 0.9 |
MFW-V-M | 4 | 8 | 10.8 | 3.3 | 1.8 |
MFW-V-L | 8 | 12 | 14 | 5.9 | 3.4 |
MFW-V-XL | 16 | 16 | 15.5 | 10.1 | 6.3 |
Note:
[1] VM Resources are included in the service.
[2] Maximum throughput is the total incoming and outgoing amount of traffic ("throughput") that the firewall can handle. The displayed values are based on test data from the supplier. Depending on the set of rule sets, the functionalities used and the specific traffic of the customer, the maximum capacity achieved may differ. It is an estimation.
[3] Firewall throughput has been measured with UDP (512 byte) packets.
[4] IPS performance was measured with Enterprise Traffic Mix.
[5] Threat protection performance has been measured with IPS and Application Control and Malware protection, based on Enterprise Traffic Mix.
MFW-P performance options
Sizing for Physical Firewall can be provided upon request and assumptions will be documented in the Solutions Document.
Log Storage Extension (MFW-LSE)
Up to 1GB log data per day and 10GB log data storage is included in the standard service per Managed Firewall Service pair. This log data can be used for security analysis and/or retention purposes. If a customer wishes to store more log data, this can be ordered as an additional option.
External Logging (MFW-EXL)
By default, this service logs to the Self-Service Analyzer. If an external log target is needed, this option provides a feed from the Self-Service Analyzer to an external customer-provided SIEM via an Equinix Managed Log Gateway. This option can only be ordered in combination with an Equinix Managed Log Gateway, which needs to be ordered separately as it is not part of the Managed Firewall Service.
Customer ID Provider / Authentication (MFW-CPA)
By default, the customer can add local users via the self-service portal. Optionally an external customer Identity Provider (Customer Provided Authentication) can be added and be used for authentication.
Dedicated Portal (MFW-DSSP/DLAP)
Dedicated Self-Service Portal (MFW-DSSP)
- The standard service uses a central self-service portal.
- Optionally, a dedicated management portal can be ordered, for example when non-standard compliance, legal or regulatory requirements apply that cannot be met with the central portal.
- This option requires the Dedicated Log Analyzing Portal.
Dedicated Log Analyzing Portal (MFW-DLAP)
- The standard service uses a central log-analyzing portal.
- Optionally, a dedicated Log Analyzing portal can be ordered, for example when non-standard compliance, legal or regulatory requirements apply, or when more logging is needed than the standard service can provide, and these cannot be met with the central portal.
Service Requests
In addition to the standard service and if the appropriate service option(s) have been selected, the following functionality/configuration can be requested either at installation or via Service Request as a chargeable option. The following service requests can be ordered. Some are also available as self-service:
- MFW-SR-ANW: Add/Remove Additional Network – As standard the Firewall is configured with up to two subnets. With this option, additional subnets can be added, for instance to provide an additional DMZ, firewalling between different tiers or an additional WAN connection.
- MFW-SR-AVD: Add/Remove Additional VDOM (only MFW-P) – The standard firewall is configured with one VDOM for administration and one VDOM for (production) traffic. Additional VDOMs can be configured to offer additional separation, for example, to separate production, test and development environments and/or to separate Internet and WAN policies per Firewall.
- MFW-SR-AU: Add/Remove Additional User on Self-Service Portal – As standard, three Equinix-created user accounts are included in the service. Additional user accounts can be created upon request.
- MFW-SR-SPC: Add/Remove/Change Security Profile (Additional/Custom) – Creating customer security profiles (IPS, Web filtering, etc.). Requires a valid Subscription.
- MFW-SR-S2S: Add/Remove/Change VPN (Site to site) connections – To establish a secure (encrypted) connection over the Internet between two locations or sites via Gateway-to-Gateway IPsec VPN.
- MFW-SR-C2S: Add/Remove/Change VPN (SSL) connections – Secure user access over the Internet to the firewall protected systems using an SSL VPN. User authentication needs to be provided by a customer administered system or a supporting service.
- MFW-SR-CERT: Add/Remove/Change SSL Certificate – Creation of a Certificate Signing Request (CSR) and implementation of the certificate.
- MFW-SR-SLB: Add/Remove/Change Server Load Balancing – Supports basic traffic load balancing across multiple backend servers, based on multiple load balancing schedules including: Static (failover), Round robin, Weighted. Supports L3 (IP), L4 (TCP/UDP), L7 (HTTP, HTTPS, SSL/TLS, IMAPS, POP3S, SMTPS). SLB offloads most SSL/TLS versions up to TLS 1.3.
- MFW-SR-DP(-E): Add/Remove/Change DoS Policy – A Denial of Service (DoS) policy can be enabled to examine network traffic arriving at a Firewall for anomalous patterns at layer 3 and layer 4, which usually indicate an attack. When selecting this option, the Default Thresholds will be configured.
- MFW-QT-FVP: Change of Firewall Variant Performance – Option to change the variant performance.
- MFW-QT-LSE: Change of Log Storage Extension – Option to extend the standard log data storage. The standard service includes up to 1GB log data per day and 10GB log data storage stored for security analysis and/or retention purposes per Managed Firewall Service pair. If a customer wishes to store more log data, this can be ordered as an additional option.
Some changes can be implemented via self-service as indicated in the table below or can be requested to be implemented by Equinix through the service portal as a Service Request.
Code | Type of Change | Self Service | Service Request | Request Type |
---|---|---|---|---|
MFW-SR-ANW | Add/Remove Additional Network (Interface) | - | ✓ | SR |
MFW-SR-AVD | Add/Remove Additional VDOM (only MFW-P) | - | ✓ | SR |
MFW-SR-AU | Add/Remove Additional User on Self-Service Portal | - | ✓ | SR |
MFW-SR-PR | Add/Remove/Change Policy/Rule(s) (Maximum 5 rules per service request) | ✓ | ✓ | SR |
MFW-SR-SPC | Add/Remove/Change Security Profile (Additional/Custom) (Subscription needed) | ✓ | ✓ | SR |
MFW-SR-S2S | Add/Remove/Change VPN (IPsec/S2S) | ✓ | ✓ | SR |
MFW-SR-C2S | Add/Remove/Change VPN (SSL) (Creation of certificate excluded) | ✓ | ✓ | SR |
MFW-SR-CERT | Add/Remove/Change SSL Certificate | - | ✓ | SR |
MFW-SR-SLB | Add/Remove/Change Server Load Balancing | ✓ | ✓ | SR |
MFW-SR-DP | Add/Remove/Change DoS Policy | ✓ | ✓ | SR |
MFW-QT-FVP | Change of Firewall Variant Performance (only MFW-V) | - | ✓[1] | Quote |
MFW-QT-LSE | Change to a higher amount of log data (extensive logging) | - | ✓[1] | Quote |
Note:
[1] Can be requested once per month.
Service Requests that are not listed in the table above may be requested by the customer by selecting "Other" in the service request module. Equinix will perform an impact analysis to determine whether the change can be implemented, along with the associated costs and lead time, which will be shared with the requestor for approval.
Service Demarcation and Enabling Services
The MFW-V Service Variant can only be ordered in combination with Managed Private Cloud (MPC) and as such acts as a security component in a solution. The MFW-P Service Variant can only be ordered as part of a managed solution which includes MPC and/or other Equinix products.
Equinix is solely responsible for the Standard Service and combination of Service Options as set out in the Order(s) and subsequent Service Requests. Equinix is not responsible for any client software or client internet connectivity to either manage or use the Service.
MFW-V Demarcations & Enabling Services
For the Virtual Firewalls the following service boundaries apply:
- Logical network interfaces on the Firewalls for production traffic
- UI and API for the Management and Analyzer portals
MFW-V Stretched Option
- In addition to the MPC Service, the customer needs to have ordered a Stretched MPC Service Option as an Enabling Service.
MFW-P Demarcations & Enabling Services
Physical network interfaces on the Firewall are the demarcation from the Managed Firewall Service perspective, including power and network cables to connect to the customer power and network infrastructure as per Equinix provided specifications.
Deployment in Customer Licensed Space
An MFW-P can only be ordered in combination with the following enabling services:
- Managed Switch (at least for Console and Management connectivity)
- MPC External Network Service Option (if MPC is included)
- Cross Connects to Equinix Managed Solutions Management Platform
The customer must provide:
- Licensed Space and power to host the firewalls in the IBX
- Dual PDUs in customer rack as per Equinix provided specifications
- Switch Ports to connect Equinix Equipment as per Equinix provided specifications
Deployment in Equinix Managed Solutions Licensed Space
An MFW-P can only be ordered in combination with the following enabling services:
- MPC External Network Service Option (if MPC is included)
- Infrastructure Ports
MFW-P Stretched Option
- The customer needs to have ordered connectivity between customer licensed space as an Enabling Service.
- Other requirements determined individually on a case-by-case basis.
Purchase Units
MFW-V/MFW-P
Attribute-Code | Description | UOM | NRC | MRC |
---|---|---|---|---|
MFW-(V/P)-(S,M,L,XL) | FW | FW pair | ✓ | ✓ |
MFW-(V/P)-(S,M,L,XL)-IPS | FW + IPS | FW pair | ✓ | ✓ |
MFW-(V/P)-(S,M,L,XL)-ATP | FW + ATP | FW pair | ✓ | ✓ |
MFW-(V/P)-(S,M,L,XL)-UTP | FW + UTP | FW pair | ✓ | ✓ |
MFW-SD | Stretched Deployment | FW pair | ✓ | ✓ |
MFW-LSE | Log storage extension | FW pair | ✓ | ✓ |
MFW-EL | External logging | FW pair | ✓ | ✓ |
MFW-CPA | Customer Provided Authentication | FW pair | ✓ | ✓ |
MFW-DSSP | Dedicated Self-Service Portal | Appliance | ✓ | ✓ |
MFW-DLAP | Dedicated Log Analyzing Portal | Appliance | ✓ | ✓ |
Premier Support Plan | Service Request Pre-Paid Hours | Hour | - | ✓ |
Note: UOM - Unit of measure