Thunder CFW High Performance Versatile Firewall
THUNDER CFW
High-Performance Versatile Firewall
Overview
A10 Networks® Thunder® Convergent Firewall (CFW) is a high-performance, all-inclusive and flexible security solution featuring a Secure Web Gateway, Data Center Firewall, Gi/SGi Firewall and site-to-site IPsec VPN for enterprises and service providers. Thunder CFW uncovers threats in SSL traffic and blocks access to malicious websites at the enterprise perimeter. It also protects high-value assets in the data center from network and Distributed Denial of Service (DDoS) attacks. A10 Thunder CFW offers the performance and the versatility you need to safeguard your applications, your users and your infrastructure.

Supported Platforms
• Thunder CFW physical appliance
• Thunder SPE physical appliance
• vThunder virtual appliance
• aGalaxy Centralized Management

The A10 Thunder Convergent Firewall (CFW) is a standalone security product, built on A10 Networks Advanced Core Operating System (ACOS®) platform. Thunder CFW is the first converged security solution for service providers, cloud providers and large enterprises that includes:
• A powerful Secure Web Gateway that combines URL filtering, A10’s SSL Insight technology, and explicit proxy to increase security efficacy by decrypting SSL traffic at high speed and restricting access to undesirable websites.
• A high-performance Data Center Firewall with an integrated Layer 4 firewall, DDoS protection, and server load balancing. By uniting application delivery control and security on a single platform, Thunder CFW lowers hardware and operating costs.
• A scalable Gi/SGi Firewall with integrated DDoS protection and Carrier Grade Networking (CGN) for mobile carriers. The Gi/SGi Firewall protects mobile infrastructure with advanced policy enforcement.
• High-speed site-to-site IPsec VPN that enables enterprises and service providers to encrypt data at a massive scale and in the cloud.

With its data center efficient design and compact form factor, Thunder CFW provides an integrated security and application networking solution that minimizes rack space, power consumption and cooling costs.

Thunder CFW also leverages the A10 Harmony™ architecture to provide open and standards-based programmability, which offers rapid integration with management and orchestration systems, consistent policy enforcement and telemetry. The A10 Networks aGalaxy® Centralized Management System delivers everything that organizations need to configure, monitor and troubleshoot all A10 Thunder solutions, including Thunder CFW.

Features and Benefits
Whether you are an enterprise, service provider or mobile carrier, A10 Thunder CFW offers the performance and the versatility you need to safeguard your applications, your users and your infrastructure.

Secure Web Gateway
Decrypt SSL once and inspect multiple times: Thunder CFW enables security devices to inspect encrypted traffic, eliminating the SSL blind spot in corporate defenses. Leveraging SSL Insight technology, Thunder CFW decrypts SSL traffic and forwards it to third-party security devices for inspection. With the Thunder CFW, organizations can make their security infrastructure effective again.

Prevent data exfiltration and enforce compliance: Thunder CFW allows seamless integration with third-party Data Loss Prevention (DLP) solutions via the industry standard ICAP. Thunder CFW can send decrypted traffic to DLP servers for inspection before forwarding intercepted traffic to a client or a server. According to inspection results from DLP servers, Thunder CFW enforces a policy by either permitting or denying traffic to prevent data leaks and harmful infection.

Gain superior URL classification coverage: Thunder CFW provides an optional URL filtering service that maximizes employee productivity and mitigates web-based threats. Thunder CFW can monitor or block access to malicious websites, including malware, spam and phishing sites. The A10 URL Classification Service, powered by Webroot, categorizes over 460 million domains and 13 billion URLs into 83 categories, enabling organizations to block undesirable sites and shield their users from online threats.

Extend the life of security infrastructure: Thunder CFW, with integrated load balancing, enables organizations to maximize uptime and increase the capacity of their security infrastructure. It also unburdens firewalls and other security devices from computationally intensive tasks like SSL decryption and ICAP support, enabling those devices to do what they do best – detect and stop attacks.

Data Center Firewall
Achieve unprecedented firewall performance: Powered by A10’s Advanced Core Operating System (ACOS), Thunder CFW provides high performance in a compact appliance, allowing organizations to stop emerging threats at scale. Combining a Shared Memory Architecture and Flexible Traffic Accelerator (FTA) technology, the Data Center Firewall offers ultra-high throughput and unmatched connection rates, eliminating traditional performance bottlenecks while protecting data center assets.

Lower OPEX and CAPEX: Consolidating multiple services on one platform reduces the number of appliances that need to be purchased and cuts power, space and cooling costs. Thunder CFW’s Data Center Firewall takes unification further by converging not just security but also networking and application delivery features, empowering organizations to eliminate single-purpose devices from their data centers and reduce hardware and operating costs.

Protect multi-tenant environments: Thunder CFW leverages the A10 Harmony architecture to deliver completely programmable security for the data center. A10 Harmony unifies policy control, offers unprecedented telemetry and provides 100% RESTful API coverage. Thunder CFW also supports multi-tenancy features like Application Delivery Partitions (ADPs) for segmentation.

Gi/SGi Firewall
Achieve massive scale and multiple functionality in a single compact appliance: The Thunder CFW, with an integrated Gi/SGi Firewall, delivers the performance that mobile carriers require to scale and protect their networks. With the ability to support large session capacity and high connections-per-second rates, the Thunder CFW will meet both current and future traffic requirements. Thunder CFW enables mobile carriers to efficiently safeguard their infrastructure, including the Gateway GPRS Support Node (GGSN) and P-Gateway in the Evolved Packet Core (EPC).

The Thunder CFW includes integrated Carrier Grade NAT functionality to allow mobile carriers to preserve their investment in IPv4-based infrastructure. Also included are various IPv6 transition technologies, such as NAT64/DNS64, to assist in providing a smooth transition to IPv6 networking and seamless subscriber access to resources regardless of the type of IP version used. Integrated application layer gateways (ALGs) ensure that applications remain addressable and operate transparently through address translation. By including IPv4 preservation and IPv6 migration support in the multi-functional Thunder CFW, operational tasks are greatly simplified.

To protect mobile infrastructure, the Thunder CFW Gi/SGi Firewall provides granular control over network resources, allowing mobile carriers to block network attacks and unauthorized access. It delivers a stateful firewall with a rich set of features to protect subscribers, along with shielding the LTE data and control plane services from multiple types of threats. The Thunder CFW can also secure its own resources, such as Network Address Translation (NAT) pools, to ensure that its operational functions are not compromised.

Site-to-Site IPsec VPN
Encrypt data at unparalleled speeds: Thunder CFW enables enterprises and service providers to build out large-scale VPN deployments. By supporting thousands of VPN tunnels per Thunder CFW platform and a broad array of encryption algorithms and data integrity methods, organizations can deploy Thunder CFW alongside their existing VPN equipment or build out new VPN networks with Thunder CFW appliances.

Consolidate IPsec VPN, firewall and application delivery: Thunder CFW combines Data Center Firewall, Gi/SGi Firewall and IPsec VPN on a single platform. Whether used with the Data Center Firewall to support secure interconnectivity between data centers or to support high-speed VPN connections in the cloud, Thunder CFW provides a comprehensive networking and security platform that reduces customers’ data center footprint and operating costs.
Architecture and Key Components
[Figure: Thunder CFW deployment architecture. Labels: Enterprise Perimeter, Secure Web Gateway, DC FW & ADC, EPC with GGSN and PGW, IPsec VPN, Router, Internet, DNS, Web, App, v4, v6]

Flexibility to Deploy ADC and CGN
Thunder CFW supports multi-tenancy and isolation of configuration components, including administration, with Application Delivery Partitions (ADPs) using L3V (Layer 3 Virtualization). L3V partitions enable flexible deployment of independent services like application delivery controller (ADC) and carrier grade networking (CGN) on a single appliance to accelerate time to market of load balancing and networking services.

Management
Comprehensive and scalable management: Thunder CFW devices feature an array of options to simplify and automate management tasks that reduce administrative costs and ensure that complex tasks can be done accurately the first time. To complement our industry-standard CLI and Web GUI, our RESTful API with 100% coverage offers rapid integration with third-party management consoles to efficiently operate one or more Thunder CFW appliances. For larger deployments, our aGalaxy Centralized Management System ensures that routine tasks can be performed at scale, across multiple appliances, regardless of physical location. Thunder CFW supports granular role-based access control, enabling you to create users and groups and grant read-only or read/write privileges for specific partitions or management interfaces. To scale load-balancing capacity, A10 Networks aVCS® Virtual Chassis System allows multiple appliances to operate as one, with a single management point for all appliances in the virtual chassis.
Product Description

Thunder CFW Product Line
Thunder CFW appliances support any deployment need. Each Thunder CFW appliance is powered by ACOS software, which brings a unique combination of shared memory accuracy and efficiency, 64-bit scalability and advanced flow processing.

Thunder SPE Appliances:
-- The Thunder SPE appliances deliver ultra high-speed Security and Policy Enforcement for your most demanding application networking and security requirements. Thunder SPE appliances leverage A10’s innovative Security and Policy Engine (SPE) to implement security and policy enforcement functions at higher speed, harnessing the power of advanced Flexible Traffic Acceleration (FTA) technology and high speed lookup capabilities. In addition, Thunder SPE is a future-proof design capable of enabling an expanded set of security and policy enforcements.
-- All models are dual power supply-capable, feature solid-state drives (SSDs) and utilize no inaccessible moving parts for high availability.
-- Thunder SPE appliances offer the best performance per rack unit coupled with high density interface 1 GbE, 10 GbE, 40 GbE and 100 GbE port options and the highest level “80 PLUS™ Platinum” certification for power supplies to ensure a green solution and reduce power consumption costs.

Thunder CFW Hardware Appliances:
-- The A10 Thunder CFW line of appliances fits all size networks starting with entry level models and moving up to high performance appliance for your most demanding requirements.
-- All models are dual power supply-capable*, feature solid-state drives (SSDs) and use no inaccessible moving parts for high availability.
-- All models benefit from A10’s Flexible Traffic Accelerator (FTA) technology, with select models featuring Field Programmable Gate Arrays (FPGAs) for hardware optimized FTA processing; this provides highly scalable flow distribution and DDoS protection capabilities.
-- Select models include switching and routing processors for high-speed network processing, dedicated security processors for SSL offload, and lights-out management (LOM) for out-of-band monitoring and management.
-- Each appliance offers exceptional performance per rack unit and the highest level “80 PLUS™ Platinum” certification* for power supplies* to reduce power consumption costs and ensure a green solution. Coupled with high density 1 GbE, 10 GbE, and 40 GbE port options, Thunder CFW meets the highest networking bandwidth demands.

vThunder Virtual Appliances:
-- The vThunder® CFW line of virtual appliances is designed to meet the growing needs of organizations requiring a flexible and easy-to-deploy converged security, carrier grade networking, application delivery and server load balancer solution running within a virtualized infrastructure or public cloud service.
-- Each vThunder instance has a full set of features that can run atop your choice of commodity hardware, as well as your choice of leading hypervisor; for example, VMware ESXi, Microsoft Hyper-V, and KVM.

The aGalaxy® Centralized Management System delivers everything that organizations need to monitor, configure and troubleshoot their Thunder CFW deployment.
Thunder CFW Specifications Table
Thunder 840 Thunder 1030S Thunder 3030S
Data Center Firewall
DCFW Throughput 5 Gbps 10 Gbps 30 Gbps
DCFW Layer 4 CPS 200k 300k 500k
DCFW Concurrent Sessions 8 million 16 million 32 million
DCFW Rules 8k 8k 16k
Secure Web Gateway*1 | *2
SSLi Throughput 0.5 Gbps 1.5 Gbps 2.5 Gbps
SSLi CPS RSA (1K): 500; RSA (2K): 300 | RSA (1K): 4k; RSA (2K): 3k | RSA (1K): 8k; RSA (2K): 6k
IPsec VPN*2
IPsec Throughput 1.5 Gbps 6 Gbps 8 Gbps
IPsec Tunnels 50 100 1k
Network Interface
1 GE Copper 5 6 6
1 GE Fiber (SFP) 0 2 2
1/10 GE Fiber (SFP+) 2 2 4
40 GE Fiber (QSFP+) 0 0 0
Management Interface Yes Yes Yes
Lights Out Management No Yes Yes
Console Port Yes Yes Yes
Solid-state Drive (SSD) Yes Yes Yes
Processor Intel Communication Processor | Intel Xeon 4-core | Intel Xeon 4-core
Memory (ECC RAM) 8 GB 8 GB 16 GB
Hardware Acceleration
64-bit Linear Decoupled Architecture Yes Yes Yes
Flexible Traffic Acceleration Software Software Software
Switching/Routing Software Software Software
SSL Security Processor ('S' Models) N/A Yes Yes
Power Consumption (Typical/Max)*3 57W / 75W | 98W / 108W | 180W / 240W
Heat in BTU/hour (Typical/Max)*3 195 / 256 | 334 / 369 | 615 / 819
Power Supply (DC option available) Single 150W (AC only) | Single 600W+ | Dual 600W RPS
100 - 240 VAC, 50-60Hz 80 Plus Platinum efficiency, 100 - 240 VAC, 50 – 60 Hz
Cooling Fan Single Fixed Fan Hot Swap Smart Fans
Dimensions 1.75 in (H), 17.0 (W), 12 in (D) 1.75 in (H), 17.5 in (W), 17.45 in (D) 1.75 in (H), 17.5 in (W), 17.45 in (D)
Rack Units (Mountable) 1U 1U 1U
Unit Weight 8.8 lbs | 18.0 lbs, 20.1 lbs (RPS) | 20.1 lbs
Operating Ranges Temperature 0° - 40° C | Humidity 5% - 95%
FCC Class A, UL, CE, TUV, CB, FCC Class A, UL, CE, TUV, CB,
FCC Class A, UL, CE, TUV, CB,
Regulatory Certifications VCCI, CCC, KCC BSMI, RCM, VCCI, CCC, KCC, BSMI, RCM,
VCCI, CCC, BSMI, RCM | RoHS
FAC | RoHS, FIPS 140-2+ EAC, FAC | RoHS, FIPS 140-2+
Standard Warranty 90-day Hardware and Software
*1 Tested in single appliance SSLi deployment with maximum SSL option. Cipher “AES128-SHA256” with 2K RSA keys are used for RSA cases, “ECDHE-RSA-AES128-SHA256” with EC P-256 and 2K RSA
keys are used for PFS case | *2 With maximum SSL | *3 With base model. Number varies by SSL model | *4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions |
^ Certification in process | + FIPS model must be purchased
Thunder CFW Specifications Table (continued)
Thunder 3040(S) Thunder 3230(S) Thunder 3430(S)
Data Center Firewall
DCFW Throughput 30 Gbps 25 Gbps 38 Gbps
DCFW Layer 4 CPS 500k 1.4 million 2 million
DCFW Concurrent Sessions 32 million 32 million 64 million
DCFW Rules 16k 16k 32k
Secure Web Gateway*1 | *2
SSLi Throughput 2.5 Gbps 3.5 Gbps 5.5 Gbps
SSLi CPS RSA: 6.5k; ECDHE: 4.5k | RSA: 12.5k; ECDHE: 7k | RSA: 18k; ECDHE: 10k
IPsec VPN*2
IPsec Throughput N/A 15 Gbps 30 Gbps
IPsec Tunnels 1k 1k 4k
Network Interface
1 GE Copper 6 0 0
1 GE Fiber (SFP) 2 4 4
1/10 GE Fiber (SFP+) 4 4 4
40 GE Fiber (QSFP+) 0 0 0
Management Interface Yes Yes Yes
Lights Out Management Yes Yes Yes
Console Port Yes Yes Yes
Solid-state Drive (SSD) Yes Yes Yes
Processor Intel Xeon 4-core | Intel Xeon 4-core | Intel Xeon 6-core
Memory (ECC RAM) 16 GB 16 GB 32 GB
Hardware Acceleration
64-bit Linear Decoupled Architecture Yes Yes Yes
Flexible Traffic Acceleration Software 1 x FTA-4 FPGA 1 x FTA-4 FPGA
Switching/Routing Software Hybrid*4 Hybrid*4
SSL Security Processor ('S' Models) Yes Yes Yes
Power Consumption (Typical/Max)*3 180W / 240W | 190W / 240W | 210W / 260W
Heat in BTU/hour (Typical/Max)*3 615 / 819 | 648 / 819 | 717 / 887
Power Supply (DC option available) Dual 600W RPS | Dual 600W RPS | Dual 600W RPS
100 - 240 VAC, 50-60Hz 80 Plus Platinum efficiency, 100 - 240 VAC, 50 – 60 Hz
Cooling Fan Single Fixed Fan Hot Swap Smart Fans
Dimensions 1.75 in (H), 17.5 in (W), 17.45 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D)
Rack Units (Mountable) 1U 1U 1U
Unit Weight 20.6 lbs 23 lbs 23 lbs
Operating Ranges Temperature 0° - 40° C | Humidity 5% - 95%
Regulatory Certifications
Thunder 3040(S): FCC Class A, UL, CE, CB, GS^, VCCI, CCC, KCC, BSMI, RCM | RoHS
Thunder 3230(S): FCC Class A, UL, CE, TUV, CB, VCCI, CCC, KCC, BSMI, RCM, NEBS | RoHS
Thunder 3430(S): FCC Class A, UL, CE, GS, CB, VCCI, CCC, KCC, BSMI, RCM, NEBS | RoHS
Standard Warranty 90-day Hardware and Software
Thunder CFW Specifications Table (continued)
Thunder 4440(S) Thunder 5330(S) Thunder 5440(S)
Data Center Firewall
DCFW Throughput 70 Gbps 70 Gbps 90 Gbps
DCFW Layer 4 CPS 2.8 million 2.8 million 3.5 million
DCFW Concurrent Sessions 64 million 64 million 128 million
DCFW Rules 32k 32k 64k
Secure Web Gateway*1 | *2
SSLi Throughput 8 Gbps 10 Gbps 15 Gbps
SSLi CPS RSA: 22k; ECDHE: 10k | RSA: 30k; ECDHE: 15k | RSA: 35k; ECDHE: 20k
IPsec VPN*2
IPsec Throughput 30 Gbps 35 Gbps 35 Gbps
IPsec Tunnels 4k 4k 8k
Network Interface
1 GE Copper 0 0 0
1 GE Fiber (SFP) 0 0 0
1/10 GE Fiber (SFP+) 24 8 24
40 GE Fiber (QSFP+) 4 0 4
Management Interface Yes Yes Yes
Lights Out Management Yes Yes Yes
Console Port Yes Yes Yes
Solid-state Drive (SSD) Yes Yes Yes
Processor Intel Xeon 6-core | Intel Xeon 10-core | Intel Xeon 12-core
Memory (ECC RAM) 32 GB 32 GB 64 GB
Hardware Acceleration
64-bit Linear Decoupled Architecture Yes Yes Yes
Flexible Traffic Acceleration 2 x FTA-4 FPGA 1 x FTA-4 FPGA 2 x FTA-4 FPGA
Switching/Routing Hardware Hybrid*4 Hardware
SSL Security Processor ('S' Models) Yes Yes Yes
Power Consumption (Typical/Max)*3 360W / 445W | 210W / 260W | 360W / 445W
Heat in BTU/hour (Typical/Max)*3 1,229 / 1,519 | 717 / 887 | 1,229 / 1,519
Power Supply (DC option available) Dual 1100W RPS | Dual 600W RPS | Dual 1100W RPS
80 Plus Platinum efficiency, 100 - 240 VAC, 50 – 60 Hz
Cooling Fan Hot Swap Smart Fans
Dimensions 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D)
Rack Units (Mountable) 1U 1U 1U
Unit Weight 32.5 lbs 23 lbs 32.5 lbs
Operating Ranges Temperature 0° - 40° C | Humidity 5% - 95%
FCC Class A, UL, CE, GS, CB, FCC Class A, UL, CE, GS,
FCC Class A, UL, CE, GS, CB,
Regulatory Certifications VCCI, CCC, KCC, BSMI, RCM | CB, VCCI, CCC, BSMI, RCM,
VCCI, CCC, BSMI, RCM | RoHS
RoHS , FIPS 140-2^|+ NEBS | RoHS
Standard Warranty 90-day Hardware and Software
Thunder CFW Specifications Table (continued)
Thunder 5840(S) Thunder 6440(S) Thunder 7440(S)
Data Center Firewall
DCFW Throughput 100 Gbps 150 Gbps 220 Gbps
DCFW Layer 4 CPS 4.5 million 4.5 million 6.5 million
DCFW Concurrent Sessions 128 million 256 million 256 million
DCFW Rules 64k 128k 128k
Secure Web Gateway*1 | *2
SSLi Throughput 20 Gbps N/A N/A
SSLi CPS RSA: 50k; ECDHE: 25k | N/A | N/A
IPsec VPN*2
IPsec Throughput 35 Gbps N/A N/A
IPsec Tunnels 8k 20k 20k
Network Interface
1 GE Copper 0 0 0
1 GE Fiber (SFP) 0 0 0
1/10 GE Fiber (SFP+) 24 48 48
40 GE Fiber (QSFP+) 4 4 4
Management Interface Yes Yes Yes
Lights Out Management Yes Yes Yes
Console Port Yes Yes Yes
Solid-state Drive (SSD) Yes Yes Yes
Processor Intel Xeon 18-core | Intel Xeon Dual 10-core | Intel Xeon Dual 18-core
Memory (ECC RAM) 64 GB 128 GB 128 GB
Hardware Acceleration
64-bit Linear Decoupled Architecture Yes Yes Yes
Flexible Traffic Acceleration 2x FTA-4 FPGA 3 x FTA-4 FPGA 3 x FTA-4 FPGA
Switching/Routing Hardware Hardware Hardware
SSL Security Processor ('S' Models) Yes Yes Yes
Power Consumption (Typical/Max)*3 375W / 470W | 480W / 550W | 690W / 820W
Heat in BTU/hour (Typical/Max)*3 1,280 / 1,604 | 1,638 / 1,877 | 2,355 / 2,798
Power Supply (DC option available) Dual 1100W RPS | Dual 1100W RPS | Dual 1100W RPS
80 Plus Platinum efficiency, 100 - 240 VAC, 50 – 60 Hz
Cooling Fan Hot Swap Smart Fans
Dimensions 1.75 in (H), 17.5 in (W), 30 in (D) 1.75 in (H), 17.5 in (W), 30 in (D) 1.75 in (H), 17.5 in (W), 30 in (D)
Rack Units (Mountable) 1U 1U 1U
Unit Weight 32.5 lbs 36 lbs 36 lbs
Operating Ranges Temperature 0° - 40° C | Humidity 5% - 95%
FCC Class A, UL, CE, GS, CB,
FCC Class A, UL, CE, GS, CB, FCC Class A, UL, CE, GS, CB,
Regulatory Certifications VCCI, CCC, KCC, BSMI, RCM |
VCCI, CCC, BSMI, RCM | RoHS VCCI, CCC, BSMI, RCM | RoHS
RoHS, FIPS 140-2^|+
Standard Warranty 90-day Hardware and Software
Thunder CFW SPE Specifications Table
Thunder 4435(S) SPE Thunder 5435(S) SPE Thunder 6435(S) SPE Thunder 6635(S) SPE
Data Center Firewall
DCFW Throughput 38 Gbps 76 Gbps 140 Gbps 150 Gbps
DCFW Layer 4 CPS 2.7 million 2.8 million 5.5 million 5.5 million
DCFW Concurrent Sessions 128 million 128 million 256 million 256 million
DCFW Rules 64k 64k 128k 128k
Secure Web Gateway*1 | *2
SSLi Throughput (RSA 2K key) 8 Gbps 8 Gbps 17.5 Gbps 17.5 Gbps
SSLi CPS (RSA 2K key) 22k 22k 50k 50k
IPsec VPN*2
IPsec Throughput 20 Gbps 20 Gbps 70 Gbps 80 Gbps
IPsec Tunnels 6k 6k 20k 20k
Network Interface
1 GE Copper 0 0 0 0
1 GE Fiber (SFP) 0 0 0 0
1/10 GE Fiber (SFP+) 16 16 16 12
40 GE Fiber (QSFP+) 0 4 4 0
100 GE Fiber (CXP) 0 0 0 4
Management Interface Yes Yes Yes Yes
Lights Out Management Yes Yes Yes Yes
Console Port Yes Yes Yes Yes
Solid-state Drive (SSD) Yes Yes Yes Yes
Processor Intel Xeon 10-core | Intel Xeon 10-core | Intel Xeon Dual 12-core | Intel Xeon Dual 12-core
Memory (ECC RAM) 64 GB 64 GB 128 GB 128 GB
Hardware Acceleration
64-bit Linear Decoupled Architecture Yes Yes Yes Yes
Flexible Traffic Acceleration 1 x FTA-3+ FPGA 2 x FTA-3+ FPGA 4 x FTA-3+ FPGA 4 x FTA-3+ FPGA
Security & Policy Engine Hardware Hardware Hardware Hardware
Switching/Routing Hardware Hardware Hardware Hardware
SSL Security Processor ('S' Models) Dual | Dual | Quad | 2 x Dual, 2 x Quad or 4 x Quad
Power Consumption (Typical/Max)*3 350W / 420W 400W / 480W 620W / 710W 995W / 1,150W
Heat in BTU/hour (Typical/Max)*3 1,195 / 1,433 1,365 / 1,638 2,116 / 2,423 3,395 / 3,924
Power Supply (DC option available) Dual 1100W RPS | Dual 1100W RPS | Dual 1100W RPS | 2+2 1100W RPS
80 Plus Platinum efficiency, 100 - 240 VAC, 50 – 60 Hz
Cooling Fan Hot Swap Smart Fans
Dimensions 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D) | 5.3 in (H), 16.9 in (W), 28 in (D)
Rack Units (Mountable) 1U 1U 1U 3U
Unit Weight 34.5 lbs 35.5 lbs 39 lbs 74.5 lbs / 78 lbs*2
Operating Ranges Temperature 0° - 40° C | Humidity 5% - 95%
FCC Class A, UL, CE, FCC Class A, UL, CE, FCC Class A, UL, CE,
FCC Class A, UL, CE,
TUV, CB, VCCI, CCC, TUV, CB, VCCI, CCC, TUV, CB, VCCI, CCC,
Regulatory Certifications TUV, CB, VCCI, EAC,
MSIP, BSMI, RCM, EAC, BSMI, RCM, EAC, BSMI, RCM, EAC,
FAC | RoHS
NEBS | RoHS NEBS | RoHS NEBS | RoHS
Standard Warranty 90-day Hardware and Software
*1 SSLi performance are measured in single appliance SSLi deployment | *2 With maximum SSL | *3 With base model. Number varies by SSL model
vThunder CFW Specifications Table
vThunder CFW
Supported Hypervisors VMware ESXi 5.5 or higher; KVM QEMU 1.0 and higher (VirtIO, OvS with DPDK, SR-IOV); Microsoft Hyper-V on Windows Server 2008 R2 or higher
Licenses (Throughput) Lab 1 Gbps 4 Gbps 8 Gbps
VMware ESXi • • • •
KVM (SR-IOV | OvS-DPDK) • • • •
KVM • • • •
Microsoft Hyper-V • • • •+
Feature Basis Throughput Guideline: License is set based on L4 throughput performance of ADC/CGN features. Maximum throughput varies depending on each feature regardless of license type. See the performance guideline table below for more details.
Hardware Requirements See installation guide
Standard Warranty 90-day Software
+ 8 Gbps license not recommended for Microsoft Hyper-V
Detailed Feature List*
(*Features may vary by appliance)

Data Center Firewall (DCFW)
Firewall:
• Stateful L4 network firewall
• Application Layer Gateways (FTP, TFTP, DNS and SIP)
• Web Application Firewall (WAF)
• DNS Application Firewall (DAF)
DDoS Protection:
• Flood attack protection: SYN cookies, TCP/UDP/ICMP flood protection, DNS/HTTP flood protection
• Protocol attack protection: Invalid packets, anomalous TCP flag combinations, packet size validation (ping of death)
• Resource attack protection: Slowloris, slow POST, and Sockstress protection, fragmentation
• Rate limiting: IP-based connection, HTTP, DNS request, DNS query, ICMP rate limiting
Application Access Management (AAM):
• Authentication methods: HTTP Basic, NTLM over HTTP, form-based, OCSP, TDS SQL Logon and SAML
• Authentication servers: LDAP, Active Directory, RADIUS, OCSP Responder, NTLM, Kerberos, RSA Secure ID, Entrust Identity Guard and SAML Identity Provider (IdP)
• Authentication relay: Kerberos, form-based, LDAP, WS-Federation, and Microsoft SharePoint and Outlook Web Access
• Extensive logging for audit
ADC:
• Advanced Layer 4/Layer 7 server load balancing
-- Fast HTTP, full HTTP proxy
-- High-performance, template-based L7 switching with header/URL/domain manipulation
-- Comprehensive L7 application persistence support
• Comprehensive load-balancing methods – round-robin, weighted round-robin (WRR), least connections (LC), fastest response and more
• Comprehensive IPv4/IPv6 support
• A10 Networks aFleX® TCL-based scripting technology – deep packet inspection and transformation for customizable, application-aware switching
• Global Server Load Balancing (GSLB)
• HTTP acceleration: HTTP connection multiplexing (TCP connection reuse), RAM caching, HTTP compression
• SSL acceleration: Hardware SSL offload, TLS 1.2 and 4096-bit SSL key support, Elliptic Curve Diffie-Hellman Exchange (ECDHE) and other ECC ciphers

Gi/SGi Firewall
Firewall:
• Stateful Layer 4 network firewall
• ALG protocol support for protocols with dynamic ports (including SIP, FTP)
DDoS Protection:
• Integrated DDoS protection for NAT pools
• IP anomaly detection
IPv4 Preservation (CGNAT):
• Carrier Grade NAT (CGN/CGNAT), Large Scale NAT (LSN), NAT444, NAT44
IPv6 Migration:
• Dual stack support, full native IPv6 management and features
• SLB-PT (Protocol Translation), SLB-64 (IPv4<–>IPv6, IPv6<–>IPv4)
• NAT64/DNS64, NAT46, DS-Lite, 6rd, LW4o6

Secure Web Gateway (SWG)
SSL Insight:
• High-performance SSL decryption and encryption as a forward proxy
• Internet Content Adaptation Protocol (ICAP) support for data loss prevention
• Dynamic port decryption to detect and intercept SSL or TLS traffic regardless of TCP port number
• Forward proxy failsafe to bypass traffic when there is a handshake failure
• SSL Insight bypass based on hostname; bypass list scales up to 1 million Server Name Indication (SNI) values
• Multi-bypass list support
• Decryption of HTTPS, STARTTLS, SMTP, XMPP
• Client certificate detection and optional bypass
• Untrusted certificate handling using the Online Certificate Status Protocol (OCSP)
• TLS alert logging to log flow information from SSL Insight events
• SSL session ID reuse
• Firewall Load Balancing (FWLB)
URL Filtering:
• URL Classification Service powered by Webroot to selectively bypass trusted websites for SSL decryption**
• Optional monitoring and blocking of malicious or undesirable websites
Operation modes
• Transparent Forward Proxy
• Explicit Forward Proxy
• Proxy chaining

IPsec VPN
• Route-based VPN
• Keying methods – IKEv1, IKEv2
• Authentication methods – RSA Signature, Pre-shared Key, Public Key Infrastructure (PKI)
• Key Exchange Diffie-Hellman Groups – 1, 2, 5, 14, 15, 16, 18
• Encryption algorithms – DES, 3DES, AES-128, AES-192, AES-256
• Data integrity – MD5, SHA1 and SHA-256
• OSPF, BGP and Bidirectional Forwarding Detection (BFD) over IPsec tunnel
• Equal Cost Multipath (ECMP) support
• NAT traversal
• Perfect Forward Secrecy (PFS) support
• Life bytes and time rekey
• PKI support with Simple Certificate Enrollment Protocol (SCEP), Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL) distribution points

A10 Threat Intelligence Service**
• Dynamic threat intelligence feed updated in near real time
• 30+ public, private and proprietary sources to block “call homes” to command and control servers, identify known attack sources and mitigate zero-day attacks

High-Performance ACOS Platform
• Scalable platform with multi-core, multi-CPU support
• Linear application performance scaling

Networking
• Integrated L2/L3
• Transparent mode/gateway mode
• Routing – static routes, IS-IS (v4/v6), RIPv2/ng, OSPF v2/v3, BGP4+
• VLAN (802.1Q)
• Trunking (802.1AX), LACP
• Access control lists (ACLs)
• Traditional IPv4 NAT/NAPT, IPv6 NAPT
• Jumbo Frame support
• Hardware-accelerated Virtual Extensible LAN (VXLAN)
• Network Virtualization using Generic Routing Encapsulation (NVGRE)

Management
• Dedicated management interface (console, SSH, Telnet, HTTPS)
• Web-based GUI with language localization
• Industry-standard CLI support
• Granular role-based access control
• SNMP, syslog, email alerts, NetFlow v9 and v10 (IPFIX), sFlow
• Port mirroring
• REST-style XML API (aXAPI) for all functions
• LDAP, TACACS+, RADIUS support

Virtualization
• aVCS (virtual chassis system)
• Multi-tenancy with ADPs
-- Partition-based management
-- L2/L3 virtualization

Carrier-Grade Hardware*
• Hot swap redundant power supplies (AC or DC)
• 40 GbE ports, 100 GbE ports
• Tamper detection
• Lights Out Management (LOM/IPMI)
• Hardware Security Module (HSM) option
• High-performance security processor option

*Features may vary by appliance
**Additional paid service