Feature Comparison Chart

Feature Description Advanced Firewall & UTM Appliances Express 3 Notes
Stateful Inspection Yes Yes
Local IP Addresses Unlimited Unlimited F1
Users Supported 250 to 5000 n/a F1
Dynamic Network Address Translation Yes Yes
Static Network Address Translation Yes No F2
Outgoing (Egress) Traffic Control Yes Limited F3
Support multiple public IP addresses Yes No F4
Port Forward from public IP address to DMZ/local IP Yes Yes
“Round Robin” Port Forward to multiple DMZ servers Yes No F5
Detection and blocking of port agile Peer to Peer traffic Yes No F6
Administrator maintained IP Block list Yes Yes
Object based Port Rules Yes No
Internal Firewall Yes No F7, A6
Traffic Blocking includes drop and reject options for both source and destination addresses Yes No
Total Network Interfaces 20 4 N1
External Network (Internet) Interfaces 1 to 19 (of total) 1 N2
Internal Network Zones (Local Networks and DMZs) 1 to 19 (of total) 1 Local + DMZ + 1 Wireless N3
Ethernet Yes Yes
PPP connections (ISDN, ADSL and analogue modem) Yes Yes N4
PPPoA ADSL support Yes Yes
PPPoE ADSL support Yes Yes
PPTP ADSL support Yes No
Load balancing between multiple external network interfaces Yes No N5
Split traffic between multiple external network interfaces Yes No N5
Split external traffic based on source or port Yes No N5
Fail-over from one external interface to another Automatic No N6
Routing protocol support (RIP) Yes No
Configure static routes Yes No
VLAN Trunking (802.1Q) support Yes No N7
Naming of Network Interfaces Yes No
Multiple local network subnets Yes No
Bind multiple IP addresses to a Green NIC Yes No
Red interface MAC address spoofing Yes No N8
Configurable Maximum Transmission Unit (MTU) and TCP transmit/receive window sizes Yes No
Automatic Hardware Failover (HA) Yes No N9
Inbound Load Balancing Yes No N10
Proxies and Application Helpers:
Web Proxy (Transparent and Non-Transparent Mode) Yes Yes P1
GUI configuration of Web Proxy Server Yes No P2
SMTP (Email) Relay / Proxy SmoothZap No P3
POP3 (Email) Transparent Proxy SmoothZap Partial P4
SIP (VoIP) Registering Proxy Yes Yes P5
Transparent SIP (VoIP) Proxy Yes Yes P6
H323 (VoIP) Application Helper Yes No
PPTP Helper (for pass-through and forwarding) Yes No
DNS Proxy Server Yes Yes
IM logging and filtering proxy Yes Yes
Advanced IM logging and reports Yes No

Multi Processor support (SMP) Yes No
Hardware RAID (SCSI, SATA or SAS) Yes Yes H1
Software RAID 1 (Disk Mirror) (SCSI, SATA, SAS or IDE) Yes No H2
SCSI (No RAID) Disk Yes Yes H3
SATA Disk Yes Yes H4
SAS Disk Yes Yes
IDE Disk Yes Yes
IDE/SCSI CDROM support Yes Yes
10/100/1000 (Gigabit) Ethernet card Yes Yes H5
Multi-port Ethernet card Yes Yes H6
Full VMWare support including network drivers Yes No
USB ADSL modems and PCI ADSL modem cards Yes Yes H7
ISDN cards and terminal adapters Yes Yes H8
Analog modems Yes Yes H9
Compact Flash support Yes Partial H10
1 Gigabyte plus memory support Yes Yes
USB keyboard support Yes Yes
Serial Console Yes No
Display ADSL modem signal strength information Yes No H11
Un-interruptible Power Supply support Yes No H12
UPS Network Slave Mode Yes No H12
Installation / Maintenance:
Streamlined / simplified installer with basic and advanced modes Yes No IN1
Includes security hardened Linux operating system Yes Yes IN2
Smoothwall and Linux security updates Free Free IN3
Installation from CDROM Yes Yes
Installation from network server No Yes
Installation from a USB CD/DVD Device Yes Yes
Configuration backup to hard disk file/floppy and restore Yes No
Backup/restore configurtion from USB device Yes No
Automatic configuration backup (time of day) Yes No
Backup to multiple remote targets Yes No
Partial configuration restore (time of day) Yes No IN4
Backup to multiple remote targets Yes No
Partial configuration restore Yes No IN4
Install new device drivers from floppy disk/CDROM Yes No
Automatic download of new updates Yes Yes IN5
Install update automatically at configured time Yes No
Scheduled reboots Yes No
Bulk application of updates from CD at installation time Yes n/a IN6
Automatic installation of any modules present on the firewall installation CD Yes n/a IN7
Ethernet cable status reporting Yes No IN8
Un-install modules Yes n/a
Pre-installed software Yes n/a IN9

Configuration via a web browser GUI Yes Yes
Dashboard, configurable GUI Home page display of system status, VPN, firewall reports, traffic statistics etc. Yes No C1
AJAX Enhanced GUI Yes Yes
Network interfaces (IP Address) configured via GUI Yes Yes
Restrict configuration access to specified public IP addresses Yes Yes
Restrict config access to specified local IP addresses Yes No
Administration users with limited access (eg reports, log viewers, VPN, Guardian web content filtering) Yes No
Drop down lists of common IP services/ports Yes Yes
On-line Help appears in a seperate pop-up window Yes Yes
All rule lists and log files can be sorted by any column Yes No C2
Validation of configuration parameters as they are typed Yes Yes
Infrequently used options exposed by “Advanced” buttons Yes No
Tooltips Yes Yes
Realtime display of service status, web proxy stats Yes No
Config replication between master and slave systems Yes No C3

Microsoft Active Directory (LDAP) User Authentication Yes No A1
OpenLDAP User Authentication Yes No A2
Novell eDirectory (NDS) User Authentication Yes No
Local User Authentication Database Yes No A3
RADIUS Authentication Yes No
Authentication via Ident client for Microsoft Windows Yes No A4
SSL Login page (transparent mode user authentication) Yes No A5
Microsoft NTLM User Authentication (including password protected mode) Yes No
Smoothwall User Groups linked to Active Directory, eDirectory, LDAP user authentication Yes n/a
Guardian web access can be controlled by Group (user authentication) Yes n/a
Guardian web access controlled by IP/IP Address Range/Network Address Yes n/a
User Internet access controlled by Group (user authentication) or IP Address/IP Address Range/Network Address Yes n/a
Inter-zone access controlled by user authentication Yes n/a A6
VPN user access controlled by user authentication Yes n/a A7
Multiple Admin/Configuration Users Yes No A8
Login page with configurable login messages and log-out facility Yes No
Intrusion Detection:
Intrusion Detection System Yes Yes
Intrusion Detection System on Internal Interfaces Yes No
Intrusion Alert Messages by email or SMS text messages Yes No IDS1
Intrusion Prevention System Yes No

Virtual Private Network (VPN):
SSL VPN for mobile (Road Warrior) or home users Yes No
L2TP VPN for mobile (Road Warrior) or home users Yes No V3
IPSec VPN for site-to-site network connections Yes Yes V1
IPSec VPN for mobile (Road Warrior) or home users Yes No V2
Configure which Internet connection each IPSec tunnel should use Yes No
VPN Tunnels 20 (Included) to 500 See note V4
AES Encryption (256 bit) Yes No
3DES Encryption Yes Yes
x509 Certificate Authentication Yes No
Certificate Authority included Yes No V5
Pre-Shared Key (PSK/Shared Secret) Authentication Yes Yes
NAT Traversal (NAT-T) Yes No V6
VPN secure local (wireless) connection Yes No V7
Logging of Road Warrior VPN connections (with option to send alert messages) Yes No V8
PPTP forwarding and pass-through Yes Yes

Logging and Reporting:
Disk logging of all firewall/IDS events, web traffic etc. Yes Yes
Configure/enable individual logging functions Yes No L1
Configure how long log files are retained (day/weeks) Yes No L1
Forced log file rotation in the event of low free disk space Yes No
Log files on RAM disk Yes No
Log filtering (eg by Source IP/Port, Destination IP/Port) Yes No
Google-like paginated log file viewers Yes Yes
All rule lists and log files can be sorted by any column Yes No L2
Scheduled report generation / scheduled email reports Yes No L3
Outgoing (egress) traffic reporting/analysis Yes No L4
Real-time AJAX traffic graphs and log viewers Yes No
Selectively log blocked traffic Yes No
Network analysis tool for displaying network traffic info Yes No
SNMP Support Yes No L5
Remote Syslog support Yes No
Service availability checking (including systems behind the firewall) Yes No
Physical hardware monitoring (eg disk status) Yes No
User designed reports using templates Yes No
Export log files in multiple formats (csv, tsv, xls etc) Yes No
Advanced reports in HTML format Yes No
Multiple report formats (csv, tsv) Yes No
Reports in Microsoft Excel format Yes No
Reports in Adobe PDF format Yes No
DHCP Server:
DHCP server support for local (Green) networks Multiple Single
DHCP server support for DMZ Multiple DMZ No
View DHCP leases granted Yes No
Display list of MAC addresses on local/DMZ networks Yes No
DHCP Relay Yes No
NTP, network boot, TFTP and automatic web proxy detection options Yes No

NTP service for computers on local networks/DMZ Yes Yes
Modularization of core services/components (eg Web Proxy server, DHCP server) Yes No M1
Timed/delayed shutdown/reboot Yes No
Inbuilt ClamAV anti-virus Yes POP3 only M2
Network Doctor diagnostic tool Yes No

Available Modules:
Web Security/Content Filtering (SmoothGuardian) Yes No
Bandwidth Management/QoS (SmoothTraffic) Yes No
VPN Gateway (SmoothTunnel) Integrated No V1-8
Internet Access Control/Outbound Rules (SmoothRule) Integrated No F3
Incident Alerting and Reporting (SmoothMonitor) Integrated No L3
Support for Multiple DMZ Servers (SmoothHost) Integrated No F4
Email Security (Anti-spam/virus and relay) (SmoothZap) Yes No

System Requirements:
Processor PIII 500 MHz Pentium S1
Memory 128MB 64MB S2
Hard Disk 4 GBytes 1 GBytes S3
Flash Memory (alternative to Hard Disk) 256 MBytes n/a S3

Commercial Support:
Technical support by Phone and Email from Smoothwall Yes No
Global support from Smoothwall Reseller Partners Yes No
Technical Training Courses from Smoothwall Ltd. Yes No
F1 Advanced Firewall supports 250 authenticated users as standard, expandable to 5000 users with the addition of user license packs.
F2 Static Network Address Translation (SNAT) (Source Mapping) is an integral component of Advanced Firewall.
F3 Outbound (egress) traffic control (user access to Internet services) is an integral component of Advanced Firewall
F4 Support for multiple public aliased IP address is a standard feature of Advanced Firewall.
F5 For load balancing, where for example high traffic applications are served by multiple web servers responding to page requests from a single public IP address.
F6 Egress Filtering incorporates traffic inspection technology to can detect and block Peer to Peer (P2P) traffic such as KaZaA, Bit Torrent and eDonkey, regardless of which port the file sharing software attempts to use.
F7 Internal firewall segregation of local networks into physically independent zones. Inter zone access (bridging) controlled by user authentication (eg only system administrators allowed admin access to DMZ servers)
N1 Advanced firewall will support 4 NICs as standard, license expandable to 20 NICs and VLAN trunk (802.1Q) interfaces by license.
N2 Smoothwall Express supports a single active External Network (Internet) connection. Smoothwall Express supports a single External Internet (Red) interface, a DMZ (Orange) and a Local Protected Network (Green). Advanced Firewall can support multiple active External Network connections as any NIC can be designated as External (Red), Local Protected (Green) or DMZ (Orange).
N3 Multiple internal network zones allow the physical separation of different user groups, internal servers, publicly accessible servers etc. Inter-zone access rules permit strictly limited access from one zone to another (by server/IP address, port/service etc.).
N4 Advanced Firewall and Smoothwall Express can all support a single active PPP (dial-up) connection (eg ISDN, ADSL modem or analog modem). Multiple connection profiles (eg ISP details) can be stored.
N5 Outgoing traffic can be load balanced between multiple external network interfaces, with a weighting facility to control the proportion of the total traffic being routed via each interface in the load balancing pool. Both NAT and web proxy traffic can independently be subject to load balancing. Specific IP addresses, such as mail-servers can be excluded from being load balanced. Alternatively, traffic can be split between multiple external (Red) network interfaces according to the IP address, IP address range or network address of the originating computer. Traffic may also be split according to port (protocol) in order to separate web and email traffic, for example.
N6 If an Internet connection should fail then Advanced Firewall can be configured to automatically route all traffic from the failed interface to another. There is no limit to how many interfaces can be set in the failure cascade path, nor is there any limitation on the type of interface that can be used (Ethernet, ADSL modem, ISDN or analog modem).
N7 802.1Q VLAN trunking support allowing communication with VLAN capable switches and the routing of traffic between VLANs.
N8 For easier support of cable modems which will typically only communicate with the MAC address from which the modem or Internet connection was initially configured.
N9 Advanced Firewall can be used in an Active/Passive High Availability (HA) configuration with fully automatic failover should one appliance fail.
N10 Inbound traffic may be load-balanced over two or more Internet connections for increased bandwidth availability and resilience (in the event of an Internet connection failure).
Proxies and Application Helpers:
P1 Squid caching web proxy server (reduces page display times and Internet bandwidth utilization).
P2 Configuration options include: cache size, max object size, logging options and domains not to be cached.
P3 Reconstructs and relays incoming email to a protected mail server located within a local network zone or DMZ, with support for an unlimited number of domains. Transparent relay of outgoing SMTP email.
P4 The transparent POP3 proxy provided by the SmoothZap module for Advanced Firewall ensures that all POP3 email, whether company or personal email, is subject to anti-virus and anti-spam controls without any configuration changes to users’ email client software. Express includes a POP3 proxy for anti-virus purposes only.
P5 SIP registering proxy for inbound connections to SIP phones and softphones (PC clients).
P6 Transparent SIP proxy and gateway for the protection of VoIP telephone systems, supporting the use of a remote SIP proxy at an Internet Telephone Service Provider (ITSP).
See the Hardware Compatibility Guide: http://www.smoothwall.net/support/hcg for full information on the hardware supported by Smoothwall Security Software.
H1 Supported RAID controllers will Include Compaq, Dell PERC and DAC960.
H2 Software RAID Software RAID 1 (Mirroring) using two IDE, SATA or SCSI disks which do not have to be of identical size. The firewall will remain operational in the event of a single disk failure. Automatic mirror rebuild.
H3 SCSI controllers from Adaptec, Future Domain, Sym Bios, Initio, Advansys and BusLogic are supported.
H4 Smoothwall Express supports a limited set of SATA disk controllers. Advanced Firewall supports all common SATA controllers.
H5 Gigabit Ethernet cards from Intel, 3Com, Broadcom and other manufacturers.
H6 Multi-Port NIC support includes Intel quad and dual port cards, 3Com dual port cards and the DLink DE580 4 port card.
H7 Over 30 types of USB ADSL modems are supported, along with Ethernet connected ADSL modems and the BeWAN PCI ADSL card modem.
H8 Drivers for numerous PCI ISDN cards are included, together with support for USB ISDN and RS232 connected ISDN Terminal Adapters.
H9 Hayes compatible RS232 connected analog modems and several ISA card modems are supported.
H10 Compact Flash can be used as an alternative to hard disk for appliance applications. Advanced Firewall includes logic to operate with reduced space relative to hard disk operation, a minimum flash memory capacity is 256 MByte with 512 MByte recommended. The flash memory must present itself as an IDE device. Express can also operate on flash memory but does not include the extra logic to reduce space requirements. Logs will be stored in a non-persistent (volatile) RAM disk, thus the use of Syslog for off-box log recording is recommended.
H11 BeWAN PCI ADSL modem.
H12 Supports APC models. Advanced Firewall can support UPS slave mode operation, where up to 5 systems (eg Advanced Firewall, Unix/Microsoft Windows system running apcupsd software) on the network can share the same UPS.
Installation / Maintenance:
IN1 Advanced mode installation provides full set of Setup configuration options whereas Basic mode installation applies sensible default values to reduce the number of configuration questions presented during installation.
IN2 Smoothwall Security Solutions are based on a cut-down security hardened version of the Linux operating system, where all unnecessary components have been removed from the operating system, reducing disk and memory utilization, improving security and performance.
IN3 Security updates and bug fixes are supplied free of charge for all supported Smoothwall products.
IN4 To be able to select which rules/configuration information to restore from a Smoothwall Configuration Backup (allowing specific rules, such as Port Forward rules, to be copied between systems).
IN5 Option to automatically download and store any new updates on the firewall, which can then be applied at a convenient time by administrator command.
IN6 All updates (patches) present on an installation CD will automatically be applied.
IN7 Any modules present on the same CD as the firewall software will be automatically installed (single disk installation).
IN8 MAC address of each Network Interface Card (NIC) displayed. Network cable status (present/not present) displayed to help identify a particular NIC when multiple NICs of the same type are installed.
IN9 Smoothwall and its authorized Resellers can supply pre-installed versions of Advanced Firewall, providing pre-configured installations.
C1 Configurable home (Control) page options allow the display a variety of information, including alert messages, system status, VPN status, traffic statistics, firewall reports, update/blocklist status and various information from the SmoothGuardian web filtering add-on module.
C2 All rule lists and log files can be sorted on any column (eg IP address, source port etc.).
C3 Master to slave configuration replication can be to automatically propagate configuration changes from say a head office system to remote branch office systems.
A1 Integrated Kerberos user authentication system to work with LDAP authentication systems such as Microsoft Windows 2000® and Microsoft Windows 2003® Server using Active Directory.
A2 Support for the common InetOrgPerson (RFC2798) schema.
A3 With Advanced Firewall, this authentication database can also be used to control users’ access to Internet services (outbound/egress rules) and inter-zone access.
A4 An Ident client for Microsoft Windows™ operating systems can be used to identify the computer user to the Smoothwall system.
A5 The SSL Login page automatically senses from the users’ browsers if it should display in English, German, Italian, Spanish, Danish, Dutch, French or Swedish.
A6 Multiple internal network zones allow the physical separation of different user groups, internal servers, publicly accessible servers etc. Inter-zone access rules permit strictly limited access from one zone to another (by server/IP address, port/service etc.). User authentication can be used to control which access control policies (rule-sets) are applied to a user session.
A7 Access for VPN users to internal servers and services can be controlled by user authentication, ie determines the policies (rule-sets) are applied to that VPN session.
A8 Multiple users with configurable access rights (eg reporting only, network configuration etc.)
Intrusion Detection:
IDS1 Email and SMS text message alerting is an integrated into Smoothwall’s commercial software. Alerts are generated based on intelligent monitoring of hardware, user and network activity, whilst reports are scheduled for regular delivery.
Virtual Private Networking (VPN):
V1 X509 certificate authentication is recommended or Pre-Shared Key (PSK)/Shared Secret authentication can be used. Smoothwall Express supports site-to-site VPN tunnels using Pre-Shared Key (PSK)/Shared Secret authentication.
V2 IPSec VPN connectivity for single computers (mobile/laptop/home user/Road Warrior users) is an integral component of Advanced Firewall.
V3 Layer 2 Tunneling Protocol (L2TP) VPN connectivity for single computers (mobile/laptop/home user/Road Warrior users) is an integral component of Advanced Firewall.
V4 Advanced Firewall supports 20 VPN tunnels as standard (any combination of IPSec site-to-site, IPSec Road Warrior or L2TP Road Warrior tunnels). This can be expanded to a maximum of 500 tunnels by the addition of VPN license packs. The lack of individual tunnel management facilities in Smoothwall Express makes it impractical to establish and control more than a few VPN tunnels.
V5 Advanced Firewall includes a Certificate Authority (CA) for the creation and issue of self-signed x509 certificates. Alternatively an external Certificate Authority, such as Microsoft Windows 2000/2003 Server may be used, or an external certificate provider such as Verisign or Thawte.
V6 NAT Traversal (NAT-T) mode for IPSec VPN connections is supported as standard.
V7 Either L2TP or IPSec VPN can be used for local as well as remote (Internet) VPN connections with Advanced Firewall. This is principally used for Wireless (WiFi) access, providing secure L2TP connections with the user PC authenticated using an x509 certificate and the data encrypted using the 3DES encryption algorithm. IPSec internal subnet routing can also be configured.
V8 The Firewall will log each connection and disconnection by mobile/laptop/home user/Road Warrior VPN users, with option to display an alert message on the GUI Home (Control) page or send Alert message by email or SMS text message.
Logging and Reporting:
L1 To reduce disk space utilization for non hard-disk operation (eg flash memory).
L2 All log files and rule lists can be sorted on any column (eg IP address, port, time etc.)
L3 Advanced Firewall includes scheduled reporting, which is available for most reports and integrates with all add-on modules.
L4 Advanced Firewall provides more detailed traffic statistics than Smoothwall Express, with the option to generate an alert message reports if the current inbound or outbound traffic exceeds a configurable threshold. There is also a volume threshold where an alert can be generated if the total traffic volume exceeds a configurable limit for a daily/weekly/monthly limit.
L5 Query an Advanced Firewall system to report management information, including disk utilization and traffic information.
M1 Modularization of many components/services, such as the DHCP server and the Web Proxy, allows them to be removed as desired. This allows the system to be customized and the memory/system requirements reduced if desired. The required modules can be configured at install time, thus the system can be tailored to the target hardware.
M2 The ClamAV anti-virus engine supports the SmoothGuardian (web security/content filtering) and SmoothZap (email security/anti-spam) modules. Automatic updates to virus signatures.
System Requirements:
S1 For Advanced Firewall the minimum recommended processor is a Pentium III 500 MHz (2 GHz+ recommended). Compatible processors from AMD and VIA are supported.
S2 For Advanced Firewall the minimum recommended memory is 128 Mbytes DDR or similar fast RAM. For Smoothwall Express minimum memory is 64 Mbytes with 96 Mbytes recommended. For Advanced Firewall the maximum useable memory is 4 GBytes; for Smoothwall Express the maximum useable memory is 950 MBytes. More RAM memory is beneficial for web proxy cache performance and is necessary for operation of the SmoothGuardian web content filtering module.
S3 For Advanced Firewall the minimum recommended hard disk capacity is 4 GBytes. Alternatively Advanced Firewall can utilize compact flash memory instead of a hard disk, when 256 Mbytes flash memory is the minimum recommended figure. The compact flash must appear as an IDE device, with logging to non-persistent (volatile) RAM disk.
For the latest information and prices for currently available products please see our web site: www.smoothwall.net.