Supply & Installation of Checkpoint Firewall Solution


Post on 08-Dec-2021


Page 1: Supply & Installation of Checkpoint Firewall Solution

Information Management Unit

ENQUIRY 1i-17297 Request for Proposal for:

Supply & Installation of a Firewall Solution with Licencing

1. Information Page

2. Conditions of Tender

3. General Conditions of Contract

4. Technical Specification

5. Tender Documents - (to be completed and returned by Tenderer)

Official Tender Form

Checklist Tender Returnable’s

Annexure 1 - Contractor Acknowledgement of Responsibility in Terms of Occupational Health and Safety Act

Annexure 2 – MBD4 Declaration of Interest

Annexure 3 - Declaration of Municipal Fees

Annexure 4 – MBD 9 Certificate of Independent Bid Determination

Annexure 5 - Banking Rating Questionnaire

Annexure 6 – MBD 6.1 Preference Points Claim Form

Annexure 7 – MBD 8 Declaration of Bidders Past Supply Chain Practices

Annexure 9 – MBD 2 Tax Clearance Certificate

All of which form part of the Tender Documents and should not be detached.

All annexures are not included in this pack and must be downloaded from: ftp.durban.gov.za/munidocs. These need to be printed, completed and submitted with tender response.

NOTE

SEALED TENDERS ADDRESSED TO THE TENDERS SECTION AND MARKED “Enquiry 1I-17297 SUPPLY & INSTALLATION OF A FIREWALL SOLUTION WITH LICENSING” MUST BE PLACED IN THE TENDER BOX LOCATED IN THE FOYER, GROUND FLOOR, MUNICIPAL BUILDING, 166 KE MASINGA ROAD (FORMERLY OLD FORT ROAD), DURBAN (AND NOT ANY OTHER MUNICIPAL DEPARTMENT) NOT LATER THAN 11:00 ON FRIDAY, DATE 4 October 2015

Enquiries in regard to this contract should be made to [email protected]


Supply & Installation of a Firewall Solution #1I-17297 2

1. INFORMATION PAGE

In terms of eThekwini Municipality’s Procurement Policy a NON-REFUNDABLE TENDER CHARGE for tender documents collected in hard copy has been implemented. The following forms of payment will be acceptable:-

Cash

Bank Guaranteed Cheques addressed to eThekwini Municipality

Bank Deposits (information/account details reflected below)

Should a bank deposit be made, a copy of the deposit slip as proof of payment must be faxed to (031) 311 7718 for the urgent attention of the Senior Contracts Officer. Once proof of payment has been received the tender document will be released. Alternatively the deposit slip could be sent with the Courier who is collecting the tender document on behalf of the company.

Note: - Any company requiring a courier service will bear the cost for the service as well as have deposited the relevant tender charge into the Municipality’s account prior to the Courier collecting a document.

BANKING DETAILS

Name of Account Holder : eThekwini City Engineer’s Deposit Account

Name of Banking Institution : Standard Bank

Branch : Kingsmead

Branch Code : 04 0026

Account Number : 05 0134264

Type of Account : Business Current

Targeted Procurement Registration Documents available on:- Website Address: - http://www.durban.gov.za/Resource_Centre/Tenders/Pages/default.aspx


2. CONDITIONS OF TENDER (GOODS/SERVICES)

1. BID INFORMATION

1.1 Each bidder shall complete fully and accurately all required documents stipulated in the checklist Tender Returnable’s and submit them with its bid. Remaining bid documents issued with this enquiry, such as Conditions of Tender (Goods and Services) and Government Procurement General Conditions of Contract, shall be detached and retained by the bidder.

1.2 The specification will be governed by the Conditions of Tender (Goods and

Services) and Government Procurement General Conditions of Contract, attached

hereto, and to the Occupational Health and Safety Act, Act No. 85 of 1993.

1.3 The adjudication will be based upon 90/10 procurement point system in

accordance with eThekwini Municipality’s Targeted Procurement Policy. Should

any compliant bid be received at a value below R 1 000 000 (all applicable taxes

included) eThekwini Municipality will however evaluate using the 80/20 point

system.

1.4 All bidder prices quoted by the contractor must be in South African currency

(Rand).

1.5 eThekwini Municipality reserves the right to accept more than one technically and

contractually compliant bid for part or the whole of the contract and to place orders

on the price and availability.

1.6 Bidders may submit alternative solutions that in the Bidder’s opinion are to

eThekwini Municipality’s advantage economically and technically. Full technical

details of these alternative offer(s) shall be submitted with Bid documents.

Alternative Bid(s) shall be submitted separately.

2. TAX CLEARANCE CERTIFICATE

Bidders are to include with their bid submission a valid tax clearance certificate, or obtain

one prior to the evaluation of submissions, which has sufficient validity to ensure that the

tender process is adequately covered.

3. DECLARATION OF MUNICIPAL FEES

Only those bidders whose municipal fees are fully paid or arrangements have been

concluded with the Municipality to pay the said fees are eligible to bid.

4. DECLARATION OF INTEREST

All bidders are to sign the declaration of interest wherein they declare any relationship

that may exist with an official of the Municipality involved in the evaluation process.

6. SPECIAL CONDITIONS OF TENDER / CONTRACT

Any special conditions relative to the contract will form part of this contract.


7. PURCHASE OF GOODS FROM OTHER SOURCES

Nothing contained in this contract shall be held to restrain the Municipality from

purchasing from persons other than the contractor, any of the goods described or

referred to in this contract, if it shall in its discretion think fit to do so.

8. DELIVERY, RISK, PACKAGES, ETC

1. Unless otherwise provided, all goods are to be supplied only against the official

form of order issued by the Municipality.

2. The risk in all goods purchased by the Municipality under the contract shall remain

with the contractor until such goods shall have been duly delivered.

3. Bidders shall quote a unit price which shall include delivery to specified delivery

point within the eThekwini Municipal area.

4. Bidders shall clearly state the period within which delivery will be made after

receipt of the official order, as this may be material in the adjudication of the Bid.

9. PAYMENT

Where no conditions of payment are prescribed, payment for goods received and

accepted by the Municipality shall be made no later than 30 days after submission of

invoice or claim, provided however that all the terms of the contract are duly observed.

10. RATES OF EXCHANGE

(1) Where the goods are imported the contractor shall within seven days of date of

Official Purchase Order, arrange through his bankers for the foreign commitment

to be covered forward down to the Rand in order to fix the rate of exchange. The

contractor shall notify the Municipality as soon as possible thereafter regarding the

rate which has been fixed on such forward exchange.

Any increase or decrease between the basic rate of exchange as at a date seven

days prior to the date of closing of Bids and that existing at the date of

establishment of the forward exchange cover within the period stipulated above

shall be paid or deducted by the Municipality. Upon the failure of the contractor to

arrange forward exchange cover, the contractor shall be liable should there be any

increase in the basic rate of exchange occurring after the last mentioned date.

The bank charges incurred in obtaining the forward exchange cover shall be for

the Municipality’s account.

(2) The contractor shall on request:-

(i) submit documentary proof of the rate of exchange;

(ii) When an adjustment is claimed in terms of this sub-clause, whether by the

contractor or the Municipality, submit documentary proof to the satisfaction of

the Deputy City Manager: Treasury in respect of such claim.


11. VALUE ADDED TAX (V.A.T)

The Bidder shall state the amount of value added tax (V.A.T) separately on the Official

Tender Form.

12. FORM OF TENDER AND CLOSING DATE

Sealed bids made out on the enclosed Official Tender Form which shall be signed by or

on behalf of the Bidder and addressed to the Head : Supply Chain Management Unit and

marked with the appropriate enquiry number must be placed in the Tender box provided

which is located in the Foyer, Ground Floor, City Engineer’s Unit, Municipal Centre, 166

K.E. Masinga Road (Formerly Old Fort Road), Durban, not later than 11:00 on the date

stated in the public advertisement inviting bids, where they will be opened publicly.

All couriered documents must be placed directly into the tender box and should not be

delivered to any other Municipal Department. Bidders are advised that bids submitted by

fax or email will not be considered.

Any bid received after the closing date and time advertised for the receipt thereof shall

not be accepted for consideration by the Head: Supply Chain Management Unit and shall

be returned to the Bidder.

13. BIDS WILL BE LIABLE TO REJECTION UNLESS MADE OUT AND SIGNED ON THE

OFFICIAL TENDER FORM ANNEXED HERETO

Failure of a tenderer to complete and sign the tender form in its entirety will invalidate the

tender.

14. ACCEPTANCE OF BID

The Municipality does not bind itself to accept the lowest or any Bid and reserves the

right to accept the whole or any part of a Bid.

15. PRICING

(1) Nett Prices

All prices shall be quoted in South African currency after deduction of any

brokerage or discount allowed to the Municipality.

(2) Firm Bids

Bidders may submit firm prices, which prices shall be free from all fluctuations,

including any statutory increases.

(3) Unit Prices

Bidders shall quote only one price in respect of each item, such price to hold good

for the full duration of the contract period, being subject to variation only in

accordance with specified criteria.


16. WITHDRAWAL OF BIDS

Bids must hold good until 16h00 on the Friday of the twelfth week (85 calendar days)

following the Friday on which Bids are opened or during such other period as may be

specified. The Municipality may, during the period for which Bids are to remain open for

acceptance, authorize a Bidder to withdraw his/her Bid in whole or in part on condition

that the Bidder pays to the Municipality on demand, a sum of R1 000. The Municipality

may, if it thinks fit, waive payment of such sum in whole or in part.

17. DIFFERENCES OR DISCREPANCIES

(1) Prices

Should there be any difference or discrepancy between the prices or price

contained in the Official Tender Form and those contained in any covering letter

from the Bidder, the prices or price contained in the Official Tender Form shall

prevail.

(2) Complete Acceptance of Conditions

Unless otherwise expressly stipulated in the letter covering the Bid every Bidder

shall be deemed to have waived, renounced, and abandoned any conditions

printed or written upon any stationery used by him for the purpose of or in

connection with the submission of his Bid, which are in conflict with the General

Conditions of Contract or Conditions of Tender (Goods/Services). Bidders are

advised that any material divergences from the official Conditions or Specification

will render their Bids liable to disqualification.

18. BRIBERY AND COMMUNICATION WITH COUNCILLORS / OFFICIALS

(1) Bribery

No Bidder shall offer, promise or give to any person or person connected with a

bid or the awarding of a contract, any gratuity, bonus or discount etc, in connection

with the obtaining of a contract.

(2) Communication, Councillors and Officials

(1) A Bidder shall not in any way communicate with a member of the Municipality

or with any official of the Municipality on a question affecting any contract for

the supply of goods or for any work, undertaking or services which is the

subject of a bid during the period between the closing date for receipt of Bids

and the dispatch of the written notification of the Municipality’s decision on

the award of the contract; provided that a Bidder shall not hereby be

precluded:

- at the request of the Head : Supply Chain Management Unit or his

authorized representative, from furnishing him with additional information

or with a sample or specimen for testing purposes or otherwise or from

giving a demonstration so as to enable the recommendation to the Bid

Committee on the award of the contract to be formulated;


- from obtaining from the Head : Supply Chain Management Unit or his authorised representative information as to the date upon which the award of the contract is likely to be made or, after the decision upon the award has been made by the Municipality or any Committee to which the Municipality has delegated its powers, information as to the nature of the decision or such information as was publicly disclosed at the opening of bids or from submitting to the Accounting Officer in writing any communication relating to his/her Bid or the award of the contract or a request for leave to withdraw his/her bid;

- and provided further that nothing contained herein shall be construed so

as to prevent information being sought and obtained from an Official in

regard to any decision taken at an open Municipal meeting, or any

Committee to which the Municipality has delegated its powers.

A contravention of subsection (1) and / or (2) or an attempt to contravene such subsection shall be reported to the Accounting Officer, who may on receipt of such report disqualify the bid of the Bidder concerned.

19. IMPORT PERMITS

(1) In order to minimize special importation, Bidders should, where possible, have

recourse to local suppliers and/or manufacturers.

(2) Bidders must state whether their bid is dependent upon the issue of a special

import permit or whether they are able to supply the goods by making use of the

import facilities available to them.

(3) In the event of a Bid being dependent upon the issue of a special import permit,

application for such special import permit shall be made by the Bidder, unless

otherwise provided in the Special Conditions of Tender (Goods and Services).


20. LEGAL STATUS OF BIDDER

It is essential for the purpose of entering into a legal contract that Bidders state on the

Official Tender Form their full legal status, for example the full registered name of the

company Bidding; or if the Bidder is a person conducting business under a recognised

trading name then state the name of the person/s - Trading as ____________ (state

recognised trading name) and state whether owner, co-owner, proprietor, etc.

21. AUTHORITY OF SIGNATORY

Bidders should submit with their bids a certified copy of the Resolution of the Company

authorising the signatory to sign Bid documents on behalf of the Company. If the Bidder

is not a registered company, the signatory shall indicate in what capacity and under what

authority the bid documents were signed by him/her.

22. ALTERATIONS TO BID DOCUMENTS

Any alterations effected upon any of the bid documents must be clearly shown by means

of a hand written/typed entry and must be signed in full by the Bidder.

23. MANUFACTURERS

The names of the manufacturers and brands of the Goods or Equipment offered must be

stated in the bid.

24. FACTORING

Payment will be made only to the contractor(s). Factoring arrangements will not be

accepted.

25. PREFERENTIAL PROCUREMENT

25.1 Applicable Documentation

These conditions of tender are to be read together with the following

documents:-

- eThekwini Municipality Targeted procurement Policy document.

It is a requirement of this Tender that all the Contractors, Joint Ventures and

Targeted Enterprises, must be registered, or be eligible for registration, on the

eThekwini Municipal Procurement Database such that their classification, as

described above, has been or can be determined and verified prior to Tender

adjudication and award.


26. TENDERS WILL ONLY BE ACCEPTED ON CONDITION THAT:

(a) The tender is signed by a person authorised to sign on behalf of the Tenderer;

(b) A valid original Tax Clearance Certificate is received prior to the evaluation of

tenders which has sufficient validity to ensure the process is adequately covered;

(c) A Tenderer who submitted his/her tender as a Joint Venture has included an

acceptable Joint Venture Agreement with his/her tender.

27. PERFORMANCE SECURITY (SURETY BOND)

The attention of Tenderers is drawn to Clause 7 of the General Conditions of Contract

relative to “Performance Security”. No Performance Security (Surety Bond) is required

with this tender.

28. MUNICIPAL FEES

All tenderers are to sign a declaration wherein they declare that their municipal fees are

in order, or proper arrangements have been made with the Municipality, and include the

relevant account numbers in the declaration. Failure to include account numbers or sign

will invalidate the tender. The completion of the declaration is also applicable to

tenderers outside of the eThekwini Municipal Area.


29. NON REFUNDABLE TENDER CHARGE

The non-refundable tender fee paid for this document, is relevant only for this tender.

The tenderer who purchases this document, is the only tenderer who will be allowed to

submit a price for this contract i.e. No other tenderer will be allowed to use this document

to submit a tender, be it the original or a photocopied specimen. Should this occur, all

who are party to this will not be considered in the adjudication process.

30. APPEAL PROCESS

In terms of Regulation 49 of the Municipal Supply Chain Management Regulations

persons aggrieved by decisions or actions taken by the Municipality, may lodge an

appeal within 14 days of the decision or action, in writing to the Municipality.

Tenderers are advised that the following is the appeal process and in dealing with these

appeals the Municipal Manager shall follow the following procedure:-

1. The appeal (clearly setting out the reasons for the appeal) and queries with regard

to decision of award are to be directed to the office of the City Manager, Attention :

Mr T Siemela, P O Box 1014, Durban, 4000; Facsimile : (031) 311-3261

2. A copy of the appeal will be forwarded to the Chairperson of the Bid Adjudication

Committee, who must provide a response in writing within seven days.

3. In the event that there are allegations made against third parties, they will also be

given an opportunity to respond to the allegations within seven days.

4. These responses will then be sent to the appellant for a reply within five days.

5. The appeal will be considered on these written submissions, unless the appeal

authority is of the view that there is a need for oral submissions, in which case, the

appellant will be notified of the date, place and time of such hearing.

6. The Appeal Authority will consider the appeal and may confirm, vary or revoke the decision of the Committee, but no such variation or revocation of a decision may detract from any rights that may have accrued as a result of the decision.

7. The Appeal Authority must commence with the appeal within six weeks and decide the appeal within a reasonable period.


31. PROHIBITION ON AWARDS TO PERSONS IN THE SERVICE OF THE STATE

Regulation 44 of the Supply Chain Management Regulations states that the Municipality

or Municipal Entity may not make any award to a person:-

(a) Who is in the service of the state

(b) If that person is not a natural person, of which any Director, Manager, Principal,

Shareholder or Stakeholder is a person in the service of the state; or

(c) Who is an advisor or consultant contracted with the municipality or municipal

entity.

Should a contract be awarded, and it is subsequently established that clause 44 has

been breached, the employer shall have the right to terminate the contract with

immediate effect.

32. AGREEMENTS

All tenderers that are not manufacturers, accredited agents or distributors must provide

agreements which cover the contract period. The aforementioned must also agree with

all of the conditions of the contract.

33. NEGOTIATIONS WITH PREFERRED BIDDERS

The municipality reserves the right to invoke Section 24 of the Municipal Finance

Management Act if so desired.

(1) The Accounting Officer may negotiate the final terms of a contract with bidders

identified through a competitive bidding process as preferred bidders, provided

that such negotiation:-

(a) Does not allow any preferred bidder a second or unfair opportunity;

(b) Is not to the detriment of any other bidder; and

(c) Does not lead to a higher price than the bid as submitted.

(2) Minutes of such negotiations must be kept for record purposes.

(3) Such negotiation may be delegated to the designated Senior Manager by the

Accounting Officer.

3. GENERAL CONDITIONS OF CONTRACT

Government Procurement; General Conditions of Contract must be downloaded and read prior to submission of tender response. Documents can be downloaded from: ftp.durban.gov.za/munidocs. The Document in question is: “General Conditions of Contract.pdf”.


Technical Specification

Information Management Unit

ENQUIRY 1I-17297

Supply and Installation of a Firewall Solution

July 2015


Contents

I. Definitions

II. Background

III. Current technical environment

IV. Scope of requirements

General requirements

2. Requirements for Next Generation Firewall

2.1 Firewall

2.2 Intrusion Prevention System

2.3 User Identity Acquisition

2.4 Application Control and URL Filtering

2.5 Anti-Bot and Anti-Virus

2.6 Threat Emulation

2.7 Anti-Spam & Email Security

2.8 IPsec VPN

2.9 Security Management

2.10 Threat Prevention Updates

2.11 Logging & Monitoring

2.12 Event Correlation and Reporting

2.13 Management Portal

2.14 Data Loss Prevention (DLP)

2.15 Mobility

2.16 Security Gateway Sizing and Recommendations

3. Solution Evaluation

Appliance: Firewall

Appliance: Management Server

4. Response requirements

a. General Requirements

b. Post Project Support Requirements

c. Previous Implementation History

i. Number and size of Client Base

ii. Provide reference sites, in South Africa, with contact details

d. Technical Support

i. Technical competencies within your organization.

ii. Number of Network support resources. Specify how many are locally based in Durban.

iii. Provide Certificates of the Network support resources.

e. Professional Services

i. Specify what technical documentation and training material will be provided.

ii. Specify the project controls that will be place

iii. Specify how change management will be delivered.

5. Pricing structure

6. Evaluation of Responses

6.1 Technical Evaluation

6.1.1 Critical/ Mandatory Requirements (Please Fill In)

6.1.2 Non Mandatory Evaluation

6.1.3 Product & Company Details

6.1.4 Schedule of Experience

6.1.5 Schedule of Compliance with specification

7. RATE OF EXCHANGE QUESTIONNAIRE

8. Costs

8.1 Year One

8.2 Year Two

9. Required Documentation and Tender Returnable‘s

9.1 Tender Returnable’s Checklist

10. Form of Offer


I. Definitions

Term : Definition

Vendor : Refers to the equipment manufacturer

Reseller/service provider/supplier : Refers to the company supplying, installing and/or providing service with a Vendor's equipment

FWSM : Firewall Services Module

DMZ : Demilitarized Zone

DLP : Data Loss Prevention

IPS : Intrusion Prevention System

SR : Short Range

LR : Long Range

Gb : Gigabyte

Mb : Megabyte

FMB : Florence Mkhize Building

OFP : Old Fort Place

NGFW : Next Generation Firewall

HSRP : Hot Standby Router Protocol

VLAN : Virtual local area network

Gbps : Gigabits per second

Mbps : Megabits per second

OSI : Open standards Interconnect

RFC : Request for comments

GHz : Gigahertz

II. Background

eThekwini Municipality is looking for a company to supply and install a firewall solution with licensing. eThekwini Municipality's current firewall solution sits on the Cisco Catalyst 6500 switches. The solution controls traffic to the Server Farm from the Internal Network and also provides up to OSI Layer 4 protection to protect the datacentre from various internal attacks and provide relevant access to authorized users or systems. The solution has reached its end of life and is no longer supported.

III. Current technical environment

eThekwini Municipality has two FWSMs, one installed on the Cisco Catalyst 6509 at FMB and the other on the Cisco Catalyst 6509 at OFP. These FWSMs are set up in Active/Standby mode. Should the active Cisco 6509 chassis go down, the other will become the active firewall. The FWSM controls traffic to the Server Farm from the Internal Network. The FWSM provides up to OSI Layer 4 protection to all servers in the datacentre. The FWSM is also connected to the Checkpoint 12600 firewalls which control access to the DMZ and Internet access via a 1 Gb Ethernet interface.

The following is the current setup on the existing system:

The FWSM is set up in routed mode

Hardware specifications

• CPU: Pentium III @ 1 GHz
• RAM: 1024 MB
• Flash: 40 MB

The software version is

• FWSM Firewall Version 4.0(5)
• Device Manager Version 6.1(3)F

Its maximum number of concurrent connections handled is 1 000 000 (1 million)

Its maximum number of new connections handled per second is 100 000 (1 hundred thousand)

The FWSM directly controls access to 34 VLANs

The 6509 directly controls access to 31 VLANs

The FWSM utilises the existing HSRP for high availability

The FWSM also controls access to the following:

• MTN and Vodacom APN
• Lawyers Access Web
• SMME companies based at SmartXchange
• Standard Bank via our InfoConnect Link
• Access to Library catalogue services

How the End User Is Affected By the FWSM

The end user is affected if they try to access resources located in the server farm (mail, database etc.) from the Internal Network Resources. Access to the internal resources for APN and VPN users is also controlled via the FWSM. Access to the Standard Bank Info-Connect Service is controlled via the FWSM. SMME access to the Server Farm is controlled via the FWSM.

The diagram below provides an overview of the current network architecture installed with the Cisco Catalyst 6500 Series:

IV. Scope of requirements

Below is a diagram of a proposed architecture

Installation, migration & configuration of the firewall solution would be performed by the nominated service provider of the proposed vendor solution.

This would include, but is not limited to:

• Active/Active clustering of solution.
• Migration of existing rules and rule sets from the current system into new solution.
• Implementation of routing (Dynamic, Static, Policy based or combination of the mentioned).
• Ensure critical systems as defined by eThekwini to be fully operational within the given time frame.
• Migration of existing VLANs present on both the Cisco Catalyst 6509 and FWSM into the solution.
• Implementation of the new features as required.

The nominated service provider would plan for, implement and design a solution that incorporates the above as well as any other recommendations deemed necessary from the service provider in order to achieve full effectiveness of the solution. Due to the nature of this project the implementation must be handled by staff that are certified in both Cisco firewall technologies, to handle the FWSM migration, and the proposed vendor's product. The proposed solution must also minimize impact on eThekwini Municipality's user base and deliver a "best practice" environment. The service provider is also required to ensure the transfer of skills to eThekwini staff to understand & maintain the solution. A quote for the official vendor's respective training must be in their submission.

Planning and deployment will be for two sites, FMB (251 Anton Lembede Street), and the Data Centre based at the OFP (31 Old Fort Complex). Note that partnerships between the service provider and 3rd parties are allowed for goods or services, provided the proof of agreement between the various parties is submitted in their response. On award of this tender, a service level agreement will be entered into with the service provider.

General requirements

1.1. The Vendor of the gateway software must have at least 15 years of experience in the

security market

1.2. The vendor must exclusively provide Internet security solutions.

1.3. The vendor must be capable of serving the entire scope of security gateway

requirements, including throughput, connection rate and next generation security

application enablement for all network deployments, from small office to data center in a

single hardware appliance.

1.4. The vendor must have a virtualized security gateway solution that can support the

enablement of all next generation firewall security applications, including intrusion

protection, application control, Threat Emulation, URL filtering, Anti-Bot, Anti-Virus, all

managed from a central platform.

1.5. The next generation gateway must be capable of supporting these next generation

security applications on a unified platform.

1.5.1. Stateful Inspection Firewall

1.5.2. Intrusion Prevention System

1.5.3. User Identity Acquisition

1.5.4. Application Control and URL filtering

1.5.5. Anti – Bot and Anti – Virus

1.5.6. Anti – Spam and Email Security

1.5.7. IPSec VPN

1.5.8. Data Loss Prevention- Capable

1.5.9. Mobile Access

1.5.10. Security Policy Management

1.5.11. Logging and Status

1.5.12. Event Correlation and Reporting

1.6. These applications must be exclusively supplied by and managed by the vendor.

1.7. The vendor solution must provide a mechanism to constantly educate end users of the

security policy in real time.

1.8. The vendor must supply all industry certifications of the solution.

1.9. Vendor must have the capability to provide a solution to mitigate Distributed Denial of

Service attacks.

2. Requirements for Next Generation Firewall

2.1 Firewall

2.1.1 The security gateway must use Stateful Inspection based on granular analysis of

communication and application state to track and control the network flow.

2.1.2 The security gateway must be capable of supporting throughput, connection rate,

concurrent connections requirements of eThekwini municipality.

2.1.3 Solution must support access control for at least 150 predefined services/protocols

2.1.4 Must provide security rule hit count statistics to the management application.

2.1.5 Must allow security rules to be enforced within time intervals to be configured with an

expiry date/time.

2.1.6 The communication between the management servers and the security gateways

must be encrypted and authenticated with PKI Certificates.

2.1.7 The firewall must support user, client and session authentication methods.

2.1.8 The following user authentication schemes must be supported by the security gateway and VPN module: tokens (i.e. SecurID), TACACS, RADIUS and digital certificates.

2.1.9 Solution must include a local user database to allow user authentication and

authorization without the need for an external device

2.1.10 Solution must support DHCP server and relay

2.1.11 Solution must support HTTP & HTTPS proxy

2.1.12 Solution must include the ability to work in Transparent/Bridge mode

2.1.13 Solution must support gateway high availability and load sharing with state

synchronization

2.2 Intrusion Prevention System

2.2.1 Vendor must provide evidence of year over year leadership position of Gartner Magic Quadrant for Intrusion Prevention solutions and/or Enterprise Network Firewall Gartner Magic Quadrant.

2.2.2 IPS must be based on the following detection mechanisms: exploit signatures,

protocol anomalies, application controls and behavior-based detection.

2.2.3 IPS and firewall module must be integrated on one platform.

2.2.4 The administrator must be able to configure the inspection to protect internal hosts

only.

2.2.5 IPS must have options to create profiles for either client or server based

protections, or a combination of both.

2.2.6 IPS must provide at least two pre-defined profiles/policies that can be used

immediately.

2.2.7 IPS must have a software based fail-open mechanism, configurable based on thresholds of the security gateway's CPU and memory usage.

2.2.8 IPS must provide an automated mechanism to activate or manage new signatures

from updates.

2.2.9 IPS must support network exceptions based on source, destination, service or a

combination of the three.

2.2.10 IPS must include a troubleshooting mode which sets the in use profile to detect

only, with one click without modifying individual protections.

2.2.11 IPS application must have a centralized event correlation and reporting

mechanism.

2.2.12 The administrator must be able to automatically activate new protections, based on

configurable parameters (performance impact, threat severity, confidence level,

client protections, server protections)

2.2.13 IPS must be able to detect and prevent the following threats: Protocol misuse,

malware communications, tunneling attempts and generic attack types without

predefined signatures.

2.2.14 For each protection the solution must include protection type (server-related or

client related), threat severity, performance impact, confidence level and industry

reference.

2.2.15 IPS must be able to collect packet capture for specific protections.

2.2.16 IPS must be able to detect and block network and application layer attacks,

protecting at least the following services: email services, DNS, FTP, Windows

services (Microsoft Networking), SNMP

2.2.17 Vendor must supply evidence of leadership in protecting Microsoft vulnerabilities.

2.2.18 IPS and/or Application Control must include the ability to detect and block peer to

peer traffic using evasion techniques.

2.2.19 The administrator must be able to define network and host exclusions from IPS

inspection.

2.2.20 Solution must protect from DNS Cache Poisoning, and prevent users from accessing blocked domain addresses.

2.2.21 Solution must provide VOIP protocols protections.

2.2.22 IPS and/or Application Control must detect and block remote control applications, including those that are capable of tunneling over HTTP traffic.

2.2.23 IPS must have SCADA protections.

2.2.24 IPS must have a mechanism to convert SNORT signatures.

2.2.25 Solution must allow the administrator to easily block inbound and/or outbound traffic based on countries, without the need to manually manage the IP ranges corresponding to the country.

2.3 User Identity Acquisition

2.3.1 Must be able to acquire user identity by querying Microsoft Active Directory based

on security events.

2.3.2 Must have a browser based User Identity authentication method for non-domain

users or assets.

2.3.3 Must support a dedicated client agent that can be installed by policy on users'

computers that can acquire and report identities to the Security Gateway.

2.3.4 Must support terminal server environments

2.3.5 Impact on the domain controllers must be less than 3%.

2.3.6 Must be able to acquire user identity from Microsoft Active Directory without any

type of agent installed on the domain controllers.

2.3.7 Must support Kerberos transparent authentication for single sign on.

2.3.8 Must support the use of LDAP nested groups.

2.3.9 Must be able to share or propagate user identities between multiple security gateways.

2.3.10 Must be able to create identity roles to be used across all security applications.

2.4 Application Control and URL Filtering

2.4.1 Solution must not have any known published vulnerabilities in the last year to the

existing architecture which can be exploited.

2.4.2 Solution must be able to create a filtering rule with multiple categories.

2.4.3 Solution must be able to create a filtering rule for a single site being supported by multiple categories.

2.4.4 Solution must have users and groups granularity with security rules.

2.4.5 The solution must have an easy to use, searchable interface for applications and

URLs

2.4.6 The solution must categorize applications and URLs by Risk Factor.

2.4.7 The application control and URL Filter security policy must be able to be defined by

user identities.

2.4.8 The application control and URL Filter database must be updated by a cloud based

service

2.4.9 The solution must have unified application control and URL Filter security rules.

2.4.10 The solution must provide a mechanism to inform or ask users in real time to

educate them or confirm actions based on the security policy.

2.4.11 The solution must provide a mechanism to limit application usage based on

bandwidth consumption.

2.4.12 The solution must allow network exceptions based on defined network objects

2.4.13 The solution must provide the option to modify the Blocking Notification and to

redirect the user to a remediation page.

2.4.14 Solution must include a Black and White lists mechanism to allow the administrator

to deny or permit specific URLs regardless of the category

2.4.15 Solution must have configurable bypass mechanisms

2.4.16 Solution must provide an override mechanism on the categorization for the URL

database.

2.4.17 The application control and URL Filter security policy must report on the rule hit

count.

2.5 Anti-Bot and Anti-Virus

2.5.1 Vendor must have an integrated Anti-Bot and Anti-Virus application on the next

generation firewall.

2.5.2 Anti-Bot application must be able to detect and stop suspicious abnormal network behaviour.

2.5.3 Anti-Bot application must use a multi-tiered detection engine, which includes the

reputation of IPs, URLs and DNS addresses and detect patterns of bot

communications.

2.5.4 Anti-Bot applications must be able to scan for bot actions.

2.5.5 Anti-Bot and Anti-Virus policy must be administered from a central console.

2.5.6 Anti-Bot and Anti-Virus application must have a centralized event correlation and

reporting mechanism.

2.5.7 Anti-virus application must be able to prevent access to malicious websites

2.5.8 Anti-virus application must be able to inspect SSL encrypted traffic.

2.5.9 Anti-Bot and Anti-Virus must have real time updates from a cloud based service

2.5.10 Anti-Virus must be able to stop incoming malicious files.

2.5.11 Anti-Virus and Anti-Bot policies must be centrally managed with granular policy

configuration and enforcement.

2.6 Threat Emulation

2.6.1 The solution must provide the ability to protect against zero-day attacks before static signature protections have been created

2.6.2 The solution must provide the ability for analyzing and detecting malware in business documents such as Adobe PDFs and MS Office files as well as EXE and Zip files

2.6.3 The solution must provide the ability for flexible deployment using local appliances or the cloud.

2.6.4 The solution must provide the ability for Zero false-positives

2.6.5 The solution must provide the ability to emulate attacks targeting multiple Windows OS environments, at least: Windows XP, Windows 7, Windows 8

2.6.6 The solution must provide the ability to be centrally managed

2.6.7 The solution must provide the ability to increase security with automatic sharing of new attack information with other gateways by means of signature updates etc.

2.7 Anti-Spam & Email Security

2.7.1 Anti-Spam and Email security application must be content and language agnostic.

2.7.2 Anti-Spam and Email security application must have real-time classification and

protections based on detected spam outbreaks which are based on patterns and

not content.

2.7.3 The Anti-Spam and Email security application must include IP reputation blocking

based on an online service to avoid false positives

2.7.4 Solution must include a Zero-hour protection mechanism for new viruses spread through email and spam without relying solely on heuristic or content inspection

2.8 IPsec VPN

2.8.1 Internal CA and External third party CA must be supported.

2.8.2 Solution must support 3DES and AES-256 cryptography for IKE Phase I and II IKEv2 plus "Suite-B-GCM-128" and "Suite-B-GCM-256" for phase II.

2.8.3 Solution must support at least the following Diffie-Hellman Groups: Group 1 (768

bit), Group 2 (1024 bit), Group 5 (1536 bit), Group 14 (2048 bit), Group 19 and

Group 20

2.8.4 Solution must support data integrity with MD5, SHA-1, SHA-256, SHA-384 and AES-XCBC

2.8.5 Solution must include support for site-to-site VPN

2.8.6 Solution must support clientless SSL VPNs for remote access.

2.8.7 Solution must support L2TP VPNs, including support for iPhone L2TP client

2.8.8 Solution must allow the administrator to apply security rules to control the traffic

inside the VPN.

2.8.9 Solution must support domain based VPNs and route based VPNs using VTIs and dynamic routing protocols.

2.8.10 Solution must include the ability to establish VPNs with gateways with dynamic

public IPs

2.8.11 Solution must include IP compression for client-to-site and site-to-site VPNs

2.9 Security Management

2.9.1 Security management application must be able to co-exist on the security gateway

as an option.

2.9.2 Security management application must support role based administrator accounts.

For instance roles for firewall policy management only or role for log viewing only.

2.9.3 Solution must include a Certificate-based encrypted secure communications

channel among all vendor distributed components belonging to a single

management domain

2.9.4 Solution must include an internal x.509 CA (Certificate Authority) that can generate

certificates to gateways and users to allow easy authentication on VPNs

2.9.5 Solution must include the ability to use external CAs that support PKCS#12, CAPI or Entrust standards.

2.9.6 All security applications must be managed from the central console.

2.9.7 The management must provide a security rule hit counter in the security policy.

2.9.8 Solution must include a search option to be able to easily query which network objects contain a specific IP or part of it.

2.9.9 Solution must include the option to segment the rule base using labels or section

titles to better organize the policy

2.9.10 Solution must provide the option to save the entire policy or specific part of the

policy.

2.9.11 Solution must have a security policy verification mechanism prior to policy

installation.

2.9.12 Solution must have a security policy revision control mechanism.

2.9.13 Solution must provide the option to add management high availability, using a

standby management server that is automatically synchronized with the active one,

without the need for an external storage device

2.9.14 Solution must include a comprehensive map with all network objects and their connections that can be exported to Microsoft Visio or to an image file

2.9.15 Solution must include the ability to centrally distribute and apply new gateway

software versions

2.9.16 Solution must include a tool to centrally manage licenses of all gateways controlled

by the management station

2.9.17 Solution must have the capabilities for multi-domain management and support the

concept of global security policy across domains.

2.9.18 The management GUI should have the ability to easily exclude an IP address from the IPS signature definition

2.9.19 The Log Viewer should have the ability to easily exclude an IP address from the IPS logs when detected as a false positive

2.9.20 The management GUI should have the ability to easily get to the IPS signature definition from the IPS logs

2.9.21 The Log Viewer should have the ability to view all of the security logs (fw, IPS, urlf...) in one view pane (helpful when troubleshooting a connectivity problem for one IP address)

2.9.22 The Log Viewer should have the ability to create filters using the predefined objects (hosts, network, groups, users...)

2.9.23 The Log Viewer should have the ability to create multiple custom "saved filters" for use at a later time

2.10 Threat Prevention Updates

2.10.1 Vendor must provide the details of its threat prevention update mechanism and its ability to handle zero day attacks across all next generation threat prevention applications including IPS, Application Control, URL filtering, Anti-Bot and Anti-Virus.

2.10.2 Vendor must provide details on the re-categorization of URLs, under the circumstances that a website has been compromised and is possibly distributing malware.

2.10.3 Vendor should have the capability to provide incident handling

2.11 Logging & Monitoring

2.11.1 The central logging must be part of the management system. Alternatively administrators can install dedicated Log Servers.

2.11.2 Solution must provide the option to run on the management server or on a

dedicated server

2.11.3 Solution must be able to run on x86-based open servers listed on a hardware compatibility list.

2.11.4 Solution must have the ability to log all rules (+30k logs/sec)

2.11.5 Log viewer must have an indexed search capability

2.11.6 Solution must have the ability to log all integrated security applications on the gateway, including IPS, Application Control, URL Filtering, Anti-Virus, Anti-Bot, Anti-Spam, User Identity, Data Loss Prevention, Mobile Access.

2.11.7 Solution must include an automatic packet capture mechanism for IPS events to

provide better forensic analysis

2.11.8 Solution must provide different logs for regular user activity and management

related logs

2.11.9 Solution must be able to move from security log record to the policy rule with one

mouse click.

2.11.10 For each match rule or type of event Solution must provide at least the following

event options: Log, alert, SNMP trap, email and execute a user defined script

2.11.11 The logs must have a secure channel to transfer logging to prevent eavesdropping. Solution must be authenticated and encrypted

2.11.12 The logs must be securely transferred between the gateway and the management

or the dedicated log server and the log viewer console in the administrator’s PC

2.11.13 Solution must include the option to dynamically block an active connection from the

log graphical interface without the need to modify the rule base

2.11.14 Solution must support exporting logs in database format

2.11.15 Solution must support automatic switch of the log file, based on a scheduled time

or file size

2.11.16 Solution must support adding exceptions to IPS enforcement from the log record

2.11.17 Solution must be able to associate a username and machine name to each log

record.

2.11.18 Solution must include a graphical monitoring interface that provides an easy way to

monitor gateways status

2.11.19 Solution must provide the following system information for each gateway: OS, CPU

usage, memory usage, all disk partitions and % of free hard disk space.

2.11.20 Solution must provide the status of each gateway component (i.e. firewall, vpn, cluster, antivirus, etc)

2.11.21 Solution must include the status of all VPN tunnels, site-to-site and client-to-site

2.11.22 Solution must include customizable threshold setting to take actions when a certain

threshold is reached on a gateway. Actions must include: Log, alert, send an

SNMP trap, send an email and execute a user defined alert.

2.11.23 Solution must include preconfigured graphs to monitor the evolution in time of

traffic and system counters: top security rules, top P2P users, vpn tunnels,

network traffic and other useful information. Solution must provide the option to

generate new customized graphs with different chart types

2.11.24 Solution must include the option to record traffic and system views to a file for later

viewing at any time.

2.11.25 Solution must be able to recognize malfunctions and connectivity problems,

between two points connected through a VPN, and log and alert when the VPN

tunnel is down.

2.12 Event Correlation and Reporting

2.12.1 Solution must be fully integrated in the management application.

2.12.2 Solution must include a tool to correlate events from all the gateway features and

third party devices

2.12.3 Solution must allow the creation of filters based on any characteristic of the event

such as security application, source and destination IP, service, event type, event

severity, attack name, country of origin and destination, etc.

2.12.4 The application must have a mechanism to assign these filters to different graph lines that are updated at regular intervals, showing all events that match that filter and allowing the operator to focus on the most important events.

2.12.5 The event correlation application must supply a graphical view of events based on time.

2.12.6 Solution must show the distribution of events per country on a map.

2.12.7 Solution must allow the administrator to group events based on any of its characteristics, including many nesting levels, and export to PDF.

2.12.8 Solution must include the option to search inside the list of events, drill down into

details for research and forensics.

2.12.9 In the event list view, Solution must include the option to automatically generate small graphs or tables with the event, source and destination distribution.

2.12.10 Solution must detect Denial of Service attacks correlating events from all sources.

2.12.11 Solution must detect an administrator login at an irregular hour

2.12.12 Solution must detect credential guessing attacks

2.12.13 Solution must report on all security policy installations.

2.12.14 Solution must include predefined hourly, daily, weekly and monthly reports.

Including at least Top events, Top sources, Top destinations, Top services, Top

sources and their top events, Top destinations and their top events and Top

services and their top events.

2.12.15 The reporting tool must support filters that allow customizing a predefined report to be closest to the administrator's needs

2.12.16 Solution must support automatic report scheduling for information that needs to be extracted on a regular basis (daily, weekly, and monthly). Solution must also allow the administrator to define the date and time that the reporting system begins to generate the scheduled report.

2.12.17 Solution must support at least two of the following report formats: HTML, CSV, PDF and MHT

2.12.18 Solution must support automatic report distribution by email, upload to FTP/Web

server and an external custom report distribution script

2.12.19 The reporting system must provide consolidated information about:

2.12.20 The volume of connections that were blocked by security rule.

2.12.21 Top sources of blocked connections, their destinations and services

2.12.22 Top Rules used by the security policy

2.12.23 Top security attacks detected by enforcement point (perimeter) determining their top sources and destinations

2.12.24 Number of installed and uninstalled policies in the enforcement point

2.12.25 Top networking services

2.12.26 Web activity by user detailing the top visited sites and top web users

2.12.27 Top services that created most load for encrypted traffic

2.12.28 Top VPN users performing the longest duration connections

2.13 Management Portal

2.13.1 Solution must include a browser based access to view in read-only the security

policies, manage firewall logs and users providing access to managers and

auditors without the need to use the management application

2.13.2 Solution must include SSL support and configurable port

2.14 Data Loss Prevention (DLP)

2.14.1 Vendor must have an option to add a fully integrated Data Loss Prevention

application

2.14.2 DLP policy must be centrally managed with all other security applications

2.14.3 DLP application must have a mechanism for end user self-incident handling

2.14.4 DLP application must have over 500 pre-defined data types.

2.14.5 DLP must have an open scripting language to create custom data types relevant to

eThekwini municipality

2.14.6 DLP must alert the data type owner when an incident occurs.

2.14.7 DLP application must cover transport types SMTP, HTTP/HTTPS, and FTP TCP

protocols

2.15 Mobility

2.15.1 The vendor should have an option to provide a fully integrated secure mobility

solution on the next generation firewall.

2.15.2 The solution must support both managed and unmanaged access devices, such as

BYOD

2.16 Security Gateway Sizing and Recommendations

2.16.1 Vendor must have a dedicated hardware solution to meet all next generation

requirements of eThekwini Municipality

2.16.2 Vendor must be able to supply a recommended hardware configuration based on the criteria of real world traffic and next generation security applications provided by eThekwini municipality. Vendor must be able to supply the recommended platform for any combination of these next generation firewall applications, with supporting evidence that the appliance will perform as expected.

2.16.3 Internet Bandwidth requirements

2.16.4 Total Throughput requirements

2.16.5 Network Address Translation enabled

2.16.6 Logging Enabled

2.16.7 Maximum Users

2.16.8 IMIX traffic blend of HTTP, SMTP, DNS

2.16.9 Enablement of next generation firewall applications

2.16.10 Firewall

2.16.11 Intrusion Prevention

2.16.12 Application Control and URL filtering

2.16.13 Anti-Bot

2.16.14 Anti-Virus

2.16.15 IPsec VPN

2.16.16 Data Loss Prevention

2.16.17 Anti-Spam

2.16.18 Threat Emulation (Sandboxing)

2.16.19 Local or remote management

2.16.20 Clustering or high availability

2.16.21 Network Interface requirements

2.16.22 Virtual Contexts or Domains

Page 31: Supply & Installation of Checkpoint Firewall Solution


3. Solution Evaluation

Below are minimum specifications of the solution required by the eThekwini municipality:

Hardware Minimum requirements

2 x Next Generation Firewall Appliances.

Appliance must be equipped with a 10Gig SFP+ interface card with 4 available ports.

Appliance must be equipped with a 1Gig RJ45 Ethernet interface card with 8 available ports.

Appliance must support additional expansion slots for future use.

Appliance should allow for hardware components to be upgradeable/replaceable.

Appliance must support load balancing (Active/Passive, Active/Active & Clustering).

Appliance must support Lights Out Management.

Firewall must make use of stateful packet inspection technology.

Firewall production throughput no less than 20 Gbps per appliance.

IPS production throughput no less than 5.5 Gbps per appliance.

The minimum firewall concurrent connections required is 4 000 000 (four million).

The minimum firewall connections per second required is 190 000 (one hundred ninety thousand).

The maximum latency should be 10 μs (10 microseconds) or less.

The Platform must be able to work with both IPv4 and IPv6.

Appliance must be configured (hardware & software) optimally to perform as required.

Appliance must be equipped with:

4 x Long Range 10Gig SFP+ transceivers (2 per appliance).

4 x Short Range 10Gig SFP+ transceivers (2 per appliance).

In addition supplier must provide:

2 x Short Range 10Gig SFP+ transceivers for Checkpoint 12600 Appliances (1 per appliance).

Other

Standard enterprise swap out or equivalent support for 1 year for all supplied hardware.

SLA hardware for swap out support.

Cisco Firewall experience (for migrating existing FWSM to new solution).

Vendor Partner status.

Project Plan.

Network Documentation including network datacentre design.

The service provider must, on completion of this project, provide knowledge and skills transfer and onsite training for technical and support staff. The service provider will plan and deliver a business change delivery process that will minimize the business change impact. Technical support would be provided by the service provider

Page 32: Supply & Installation of Checkpoint Firewall Solution

Appliance: Firewall

Appliance: Management Server

Vendor | Appliance Model | Network interfaces | Operating System | Quantity | Documentation: Annexure/Document _____

MAX SFP+: MAX Gigabit Ethernet: Slots:

Page No:

Firewall/IPS Components | Response | Documentation: Annexure/Document _____

Firewall Engine Type Page No:

IPS Engine Type (Signature, Anomaly etc) Page No:

LAB testing using the following RFCs (1242, 2544, 2588, 2647, 3511, 4487) Page No:

Raw Firewall throughput (Gbps) Page No:

Production Firewall throughput (Gbps) Page No:

Raw IPS throughput (Gbps) Page No:

Production IPS throughput Page No:

Connections per second Page No:

Concurrent connections Page No:

Latency Page No:

Maximum NAT translations Page No:

Data Threat Management | Supported (Yes/No) | # Signatures | Real-time updates (Yes/No) | % Catch rate | Documentation: Annexure/Document _____

Anti-Virus Page No:

Malware Page No:

Anti-bot/Botnets Page No:

Vendor | Appliance | Network Interfaces | Operating System | Quantity | Documentation: Annexure/Document _____

MAX SFP+: MAX Gigabit Ethernet : Slots:

Page No:

Page 33: Supply & Installation of Checkpoint Firewall Solution


Zero-day Page No:

Internet Management | Supported (Yes/No) | WEB 2.0 compliant (Yes/No) | HTTPS inspection (Yes/No) | # Categories | Real-time updates (Yes/No) | Documentation: Annexure/Document __________

Application Control Page No:

URL Filtering Page No:

Future proof features | Supported (Yes/No) | Licences required (Yes/No) | Documentation: Annexure/Document _____

Firewall Contexts(virtual domains)

Additional Expansion slots Page No:

Upgradable hardware components Page No:

Data loss prevention Page No:

Sandboxing/Threat emulation Page No:

Reports Logs Supported Licenses(Yes/No) Documentation: Annexure/Document _____

Real time Page No:

Event correlation Page No:

Usage Reports Page No:

Analytics(Trend statistics) Page No:

Industry Standard Report as at Q1 2015 | Overall Recommendation level | Overall Quadrant position | Documentation: Annexure/Document _____

Gartner Page No:

NSS Labs Page No:

Page 34: Supply & Installation of Checkpoint Firewall Solution

4. Response requirements

a. General Requirements

Please provide the following together with your response:

Service Level Agreement to be provided to eThekwini Municipality

Call Logging facility and procedure.

Please supply a risk mitigation strategy of how the proposed solution will be implemented whilst minimizing the business change impact

Please provide us with your pricing review policy

Please include an implementation project plan and timelines as part of your response.

b. Post Project Support Requirements

In order to ensure the solution is stable and adequately supported after project completion, a support contract should be included.

The support must include:

Swap-out of faulty equipment in the event of failure

Support must be available locally in Durban

c. Previous Implementation History

Indicate the number of customers where you have deployed this type of solution.

Please indicate services that are procured by the customers.

i. Number and size of Client Base

ii. Provide reference sites, in South Africa, with contact details

Page 35: Supply & Installation of Checkpoint Firewall Solution


d. Technical Support

Demonstrate how you would support this implementation and migration to give the municipality peace of mind, and your ability to deliver on your proposed solution.

i. Technical competencies within your organization.

ii. Number of Network support resources. Specify how many are locally based in Durban.

iii. Provide Certificates of the Network support resources.

e. Professional Services

Indicate your professional service capacity to design, configure and install the solution according to industry best practice. Demonstrate your ability to deliver a breadth of professional services, including implementation and design, maintenance, security, managed services and consultation. Demonstrate a proven methodology and ability to adhere to relevant standards.

i. Specify what technical documentation and training material will be provided.

ii. Specify the project controls that will be in place.

iii. Specify how change management will be delivered.

Page 36: Supply & Installation of Checkpoint Firewall Solution


5. Pricing structure

The cost structure must be reflected as found on tables, page 25. The price proposal must contain all of the following:

Year 1 (2015)

Once off cost for supply and delivery of hardware, modules and hardware items.

Once off cost for licensing and software features, if any, for 1 year

Once off cost for Standard Enterprise Swap out support or equivalent on all supplied items for 1 year.

Once off cost for planning, designing and implementing solution

Once off cost for training

Cost of any additional supplied hardware, if any

All pricing to be given in South African Rands. Indicate if your prices are linked to the Rand/Dollar or Rand/Euro exchange rate (7. Exchange rate questionnaire page 43).

Year 2 (2016)

Once off cost for renewal of software features and/or licenses for supplied items for a further 2 years

Once off cost for Standard Enterprise Swap out support or equivalent for a further 2 years on supplied items

6. Evaluation of Responses

Evaluation will be done on a points system in three phases:

Technical Evaluation – to ensure the responses meet the critical/mandatory requirements (100%) and achieve a satisfactory (70% or above) score on the non-mandatory criteria.

Price evaluation – to establish the lowest cost technically compliant option over the full period of the contract.

Preference points will be added as per Annexure 6 MDB 6.1 Preference Points Claim form.

Page 37: Supply & Installation of Checkpoint Firewall Solution


6.1 Technical Evaluation

The technical evaluation will be on the following basis:

6.1.1 Critical/ Mandatory Requirements (Please Fill In)

NO. Requirement YES NO Supplier Response

1. Vendor Partner Status

Please provide Proof Annex/Doc: _____ Page #:______

2

Hardware minimum requirements

Distributed Architecture: Management and Gateway separate

4 x SFP+ 10gig interface slot

8 x RJ45 1 Gig Ethernet interface slot

2 x SFP+ 10 Gig Short Range modules

2 x SFP+ 10 Gig Long Range modules

2 x SFP+ 10 Gig Short Range Checkpoint modules

Please provide Proof Annex/Doc: _____ Page #:______

3

Firewall:

Engine: Stateful packet inspection

Minimum Production Throughput (IMIX traffic blend): 20 Gbps per appliance

Minimum Concurrent Connections: 4 Million connections

Minimum Connection rate: 190 000 connections per second

Must support Virtual Firewall Contexts

Load balancing support: Active/Passive, Active/Active & Clustering

Please provide Proof Annex/Doc: _____ Page #:______

4

IPS:

Integrated IPS

Engine: Signature based

Minimum Production throughput (IMIX traffic blend): 5.5 Gbps per appliance

Policy based rule inspection

Fail-open threshold

Please provide Proof Annex/Doc: _____ Page #:______

5

User Identity:

Active directory integration

LDAP integration

Radius and TACACS support

Please provide Proof Annex/Doc: _____ Page #:______

6

Application Control with URL filtering:

Supports HTTPS inspection

Real time updates

Support Rule flexibility with users and group objects

WEB 2.0 Compliant

Please provide Proof Annex/Doc: _____ Page #:______

Page 38: Supply & Installation of Checkpoint Firewall Solution


7

Data Threat Management:

Anti-Virus

Anti-bot

Malware

Anti-spam

Real time updates

Please provide Proof Page #:______

8

Reporting and Logging:

Central Logging to management for all features

Graphical reports

Granular reporting for all features based on

o Usage

o Attacks

o Audit tracking

Real time event correlation

Please provide Proof Page #:______

9

Future proof features:

DLP

Threat emulation/Sandboxing

Hot-swappable hardware components

Additional Slots for expansion

Please provide Proof Page #:______

6.1.2 Non Mandatory Evaluation

The supplier will need to score an average of at least 70% to be considered

Page 39: Supply & Installation of Checkpoint Firewall Solution


Table 1 - INDICATORS

QUALITY CRITERIA | SUB CRITERIA | Poor (Score 40%) | Satisfactory (Score 70%) | Good (Score 80%) | Very Good (Score 100%) | Ref Page #

RESPONSE TO BRIEF

Level of understanding (weighting=15). Ref Page #: 18-34 & 37

Poor (Score 40%): The proposal shows limited understanding of the business, has not adequately dealt with the key challenges

Satisfactory (Score 70%): The opportunity is well understood, clearly articulated and key business sectors are adequately addressed. The proposal reflects necessary concepts but has insufficient detail for it to be distinctive.

Good (Score 80%): The proposal clearly demonstrates an understanding of the programme’s vision. All key business criteria are identified and adequately addressed.

Very Good (Score 100%): A unique proposal that is strongly aligned to and identifiable with the programme. It identifies and deals well with all the business plan criteria.

Proposed methodology (weighting=15). Ref Page #: 35

Poor (Score 40%): The proposal does not address many of the criteria identified in the brief. The methodology is weak in important areas and is unlikely to meet the programme requirements.

Satisfactory (Score 70%): The proposal meets most of the criteria listed in the brief. The proposed methodology is in line with standard practice, covers the key aspects and should meet the programme requirements.

Good (Score 80%): The proposal meets all the criteria listed in the brief. The proposed methodology is detailed and well-conceived, has made allowance for key aspects and risk areas. It meets programme requirements.

Very Good (Score 100%): Besides the good rating, the methodology is innovative and poses no risk to the Municipality in terms of Connectivity Downtime. A temporary solution would be in place and the cutover to the permanent solution would be seamless.

EXPERTISE & EXPERIENCE

Tenderer’s experience with similar projects (weighting=15). Ref Page #: 34 & 41

Poor (Score 40%): The tenderer has limited experience in projects of a similar nature and has not undertaken a project of this magnitude

Satisfactory (Score 70%): The tenderer has relevant experience in projects of a similar nature but has not directly undertaken a project of this magnitude

Good (Score 80%): The tenderer has extensive experience in projects of a similar nature, and has directly undertaken similar projects

Very Good (Score 100%): The tenderer has outstanding experience in projects of a similar nature and has taken many such projects

Experience of key staff (weighting=15). Ref Page #: 41

Poor (Score 40%): Key personnel allocated to the project have limited relevant experience

Satisfactory (Score 70%): Key personnel allocated to the project have reasonable relevant experience. Have 1 certified personnel in their field of work that pertains to this project

Good (Score 80%): Key personnel allocated to the project have extensive relevant experience. Have 2 certified personnel in their field of work that pertains to this project and have at least one staff based locally in Durban

Very Good (Score 100%): Key personnel allocated to the project have outstanding relevant experience. Have 3 or more certified personnel in their field of work that pertains to this project and have at least two staff based locally in Durban

FINANCIAL

Cost Effectiveness (weighting=20). Ref Page #: 36

Poor (Score 40%): The financial proposal is excessive and did not substantiate costs.

Satisfactory (Score 70%): The financial proposal is acceptable

Good (Score 80%): The financial proposal is exceptionally competitive and has favourable pricing incentives for future demands.

Very Good (Score 100%): The tenderer provided proof of financial resources which are well in excess of what is required for the contract

CAPACITY & CAPABILITY

Operational plan and resources (weighting=20)

Poor (Score 40%): Operational plan is sketchy, there is no clarity in terms of rates and/or resources.

Satisfactory (Score 70%): Operational plan is complete & reasonably detailed. Rates and resources appear adequate.

Good (Score 80%): Besides meeting “satisfactory”, rates and resources have been clearly defined and make provision for key risk areas

Very Good (Score 100%): Besides meeting the “good” rating, the plan makes provision for every eventuality

Page 40: Supply & Installation of Checkpoint Firewall Solution


6.1.3 Product & Company Details

1. What is your company name:-

(a) Is this a cc, (Pty) Ltd, Partnership, Sole Trader, Joint Venture - (tick):-

(i) Cc

(ii) (Pty) Ltd

(iii) Partnership

(iv) Sole Trader

(v) Joint Venture

(b) If (iii), (iv) or (v) name of partners or owner must be stated below.

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

______________________________________________________________________

2. Are you a registered VAT Vendor (YES / NO)?

Please state VAT Number

3. (a) Are you the Manufacturer - (YES / NO)?

(b) If not, who is the manufacturer of the equipment?

Page 41: Supply & Installation of Checkpoint Firewall Solution


6.1.4 Schedule of Experience

Please indicate sales of a similar nature recently and successfully executed by your company. References need to be given of Corporate Customers that have more than 6000 employees and purchase more than one type of internet service.

Name and Address of Company | Contact Person and Telephone Number | Nature of Sale | Value of Work (incl. of VAT) | Date Completed or Expected to be Completed

Page 42: Supply & Installation of Checkpoint Firewall Solution


Please state the number and certification level of maintenance and support staff.

Name | Certification | Years of Experience

6.1.5 Schedule of Compliance with specification

Please indicate below your compliance with the tender requirement.

I/We hereby agree that this tender will hold good and remain open for acceptance until 16:00 on the Friday of the twelfth week (85 calendar days) following the Friday on which tenders are opened or during such other period as may be specified in the Special Conditions of Tender.

Delivery time (must be stated in days or weeks from date of receipt of order). I/We hereby undertake to deliver the above goods or to carry out the services within the following period/s:-

.......................................................................................................................................................

.......................................................................................................................................................

I/We hereby agree that this tender, together with the Council's letter of Acceptance thereof, will constitute a binding contract which will take effect from the business day following the date of despatch of the letter of acceptance. A separate Service Level agreement (SLA) will however be entered into to govern the contractual relationship between the parties.

Any alterations effected upon any part of the tender documents must be clearly shown by means of a handwritten entry and signed by the tenderer.

Please state your Procurement Reference Number: - PR (refer Clause 20 - Special Conditions of Tender (Goods/Services)).

Page 43: Supply & Installation of Checkpoint Firewall Solution


7. RATE OF EXCHANGE QUESTIONNAIRE

This page is to be completed by Bidders offering goods ex import. Rate of Exchange (i.e. ROE) will only be applicable if the Rate of Exchange changes by 5%, either way, from the tendered ROE.

a) Country of origin and/or manufacture:

b) Price each f.o.b country of origin.

Item 1:

Item 2:

c) Delivery charges each from f.o.b country of origin to c.i.f Durban (Prices and delivery charges must be shown in South African currency)

*Item 1:

Item 2:

d) Ocean freight rate:

per 1000 kg/m³ or 2 240 lbs/40 cu.ft.

e) Marine insurance rate:

% of value of goods.

Please indicate basis of valuation:

f) Marine war risk insurance rate:

% value of goods.

g) Wharfage rate:

per R 100 value.

h) Landing charges rate:

per 1 000 kg or m³. **

per 100 kg or m³. **

Page 44: Supply & Installation of Checkpoint Firewall Solution


i) Delivery charges rate:

j) Customs tariff heading and description (Brussels Nomenclature):

k) Customs duty

% of value of goods for duty purposes, or

rated duty per kg/m³ article.**

l) Import surcharge:

% of value of goods.

m) Railage rate:

per 100 kg.

n) Basic rate of exchange (ie. seven days prior to the date of closing of tenders):

See Clause 5 of the Special Conditions of Contract (Goods/Services).

o) Will the Tenderer comply in all respects with Clause 5 of the Special Conditions of Contract (Goods/Services)?

(State ‘Yes’ or ‘No’)

* Additional items should be scheduled on a separate page which should be signed and dated by the Tenderer.

** Delete whichever is not applicable.

Page 45: Supply & Installation of Checkpoint Firewall Solution


8. Costs

8.1 Year One All Costs Must Be Reflected As Once-Off Cost for Year 1 (2015/2016)

| Item No | Description/Part No | Quantity | Price (Excl. VAT) | VAT | Total (Incl. VAT) |
|---|---|---|---|---|---|
| 1 | Appliance Gateway. Vendor: Model: | 2 | | | |
| 2 | Appliance Management. Vendor: Model: | ___ | | | |
| 3 | Installed 8 x 1Gig Ethernet module | 1 | | | |
| 4 | Installed 10G SFP+ Compliant Module cards | 2 | | | |
| 5 | 10G SFP+ Long range Transceiver for fibre ports | 4 | | | |
| 6 | 10G SFP+ Short range Transceiver for fibre ports | 4 | | | |
| 7 | 10G SFP+ Short range Transceiver for Checkpoint 12600 appliance | 2 | | | |
| 8 | Standard Enterprise Support swap out or equivalent for supplied hardware items | | | | |
| 9 | Official Vendor Training for Administrator level of the solution | 2 | | | |
| 10 | Official Vendor Training for Professional level of the solution | 2 | | | |
| 11 | Project Cost for Implementation | | | | |
| | * Other (please define) | | | | |
| 12 | | | | | |
| 13 | | | | | |
| 14 | | | | | |
| Total | | | | | |

Page 46: Supply & Installation of Checkpoint Firewall Solution


8.2 Year Two All Costs Must Be Reflected As Once-Off Cost for Year 2 (2016/2017)

| Item No | Description/Part No | Quantity | Price (Excl. VAT) | VAT | Total (Incl. VAT) |
|---|---|---|---|---|---|
| 1 | Renewal of licenses and/or any software features on all supplied appliances for 2 years | 1 | | | |
| 2 | Renewal Enterprise swap out support or equivalent for supplied appliances for 2 years | 1 | | | |
| Total | | | | | |

Page 47: Supply & Installation of Checkpoint Firewall Solution


9. Required Documentation and Tender Returnable’s

9.1 Tender Returnable’s Checklist

In addition to the tender document, the following must be submitted/attached thereto. The standard forms are attached to this tender document.

Description Yes No

Official Tender Form

Banking Rating Questionnaire

Critical/ Mandatory Checklist

Checklist Tender Returnables

Contractor Acknowledgement of Responsibility in Terms of Occupational Health and Safety Act

Declaration of Interest

Declaration of Municipal Fees

Original Valid Tax Clearance Certificate

Valid Agreement with Manufacturer Or Accredited Distributor/agent

Schedule of Experience

Rate of Exchange Questionnaire

Proof of Resolution As A Close Corporation Or Company

Original Signed Company Letterhead Reflecting Banking Details and Cancelled Cheque

Procurement Reference (PR) Number or Supplier Registration Form

MBD 9 Certificate of Independent Bid Determination

MDB 6.1 Preference Points Claim Form

BBB-EE Certificate

MDB 8 Declaration of Bidders Past Supply Chain Practices

SIGNATURE

DATE

CAPACITY

NAME OF SIGNATORY

(In Block Letters)

Page 48: Supply & Installation of Checkpoint Firewall Solution


10. Form of Offer

In response to your Enquiry 1I-17297 Supply & Installation of Firewall Solution Dated.............................. I/we hereby offer to supply the products and services detailed hereunder in accordance with the Technical Specification, and subject to the Conditions of Tender (Goods/Services) and Government Procurement; General Conditions of Contract which accompanied your Enquiry (with which I/we acknowledge myself/ourselves to be fully acquainted) at the price/s stated in the appropriate column below :-

| Item | Description | Total Price (Excluding VAT) | VAT | Total Price (Including VAT) |
|---|---|---|---|---|
| 1. | Total Price (Year 1) | | | |
| 2. | Total Price (Year 2) | | | |
| 3. | Grand Total brought forward for year 1 and 2 | | | |

Tenderer's Value Added Tax Registration number

NAME AND ADDRESS OF TENDERER:-

_______________________

_______________________

SIGNATURE

TELEPHONE NO :

NAME OF SIGNATORY IN BLOCK LETTERS

FAX NUMBER :

DATE :

CAPACITY OF SIGNATORY

NB: - This Official Tender Form must be completed in its entirety and signed; non-compliance will render this tender invalid.