TL-FW5600 industrial firewall product is an industrial firewall product launched by TP-LINK, which supports 4 characteristic libraries such as anti-virus, intrusion prevention, malicious domain name, and application identification, and integrates firewall policy, attack protection, DPI in-depth security, security audit, bandwidth management, VPN and other functions, effectively resisting network risks, achieving comprehensive protection, simplifying operation and maintenance, and ensuring the continuous and stable operation of enterprise core applications and services, suitable for enterprises, government agencies, parks, chain hotels and other scenarios.
- Dual-core 64-bit network-specific processor, single-core frequency 1GHz, 1GB DDRIV high-speed memory
- 3 x 10/100/1000M RJ45 ports, 1 x MGMT management port
- Industrial working temperature: -40°C~75°C
- EMS advanced protection, three redundant power inputs, more reliable work
- The port bypass function is supported, and the port is directly connected after the power is off
- You can configure security policies, audit policies, bandwidth policies, NAT policies, and ALG policies
- It supports a variety of security protection functions to defend against ARP spoofing, ARP attacks, DDoS attacks, network scanning, and suspicious packet attacks
- It supports scalable integrated DPI in-depth security (intrusion prevention, anti-virus, file filtering, remote query of malicious domain names, and application behavior control), and the signature database is updated regularly
- Supports a wide range of policy objects (security zones, addresses, users, services, websites, applications, blacklists and whitelists, security profiles, intrusion prevention, and audit profiles).
- Supports rich network functions, such as static routing, policy-based routing, intelligent balancing, VPN (IPSec/PPTP/L2TP VPN), DDNS, etc
- Multi-administrator roles, refined permission management
Abundant ports and powerful performance
It adopts a professional dual-core 64-bit network-specific processor and 1GB DDRIV high-speed memory to provide powerful packet processing capabilities.
It provides 3 10/100/1000M RJ45 service ports, 2 Gigabit SFP ports (Combo), 1 management port, 1 console port, 1 USB storage port, and 1 Micro SD card slot, which is convenient for users to manage and maintain the system while meeting the needs of high-speed data forwarding.
Support rich industrial control protocol identification and control
It supports in-depth identification and control of various mainstream industrial control protocols including Modbus/TCP, S7, CIP, DNP3, FF-FMS, FF-SM, FINS, IEC60870-5-104, Modbus, PROFINET-CM, PROFINET-RT, OPC UA, etc.
Comprehensive security strategy
Adopting the principle of minimum security, it supports security policies based on security zones, source IP addresses, destination IP addresses, source ports, destination ports, service groups, application groups, user groups, time periods, blacklists and whitelists, websites, anti-viruses, URL filtering, file filtering, application behavior control, email content filtering, intrusion prevention, audit profiles and other objects.
All-round attack protection
It supports a variety of intranet/extranet attack protection functions, and can effectively prevent various DoS attacks, scanning attacks, and suspicious packet attacks, such as TCP Syn Flood, UDP Flood, ICMP Flood, IP Scanning, Port Scanning, WinNuke Attacks, Fragment Packet Attacks, WAN Port Ping, TCP Scan (Stealth FIN/Xmas/Null), IP Spoofing, TearDrop, etc.
ARP protection, such as ARP spoofing and ARP attacks, is supported to avoid service interruption and frequent network disconnection.
Support IP and MAC binding, which can bind the IP and MAC address information of the LAN port (intranet) and WAN port (extranet) hosts at the same time to prevent ARP spoofing.
MAC address filtering is supported to block access to unauthorized hosts.
Expandable integrated DPI for in-depth security
Support intrusion prevention, get the latest threat information in the first time, and accurately detect and defend against attacks against vulnerabilities;
Support anti-virus, can quickly and accurately detect and kill viruses and other malicious programs in network traffic, and protect more than 1 million viruses and Trojans;
It supports filtering file expansion types, which can easily filter all kinds of small files embedded in web pages to prevent viruses and Trojan horses from invading the enterprise network through small files and endangering network security.
Support URL filtering, remote query of malicious domain names, effectively intercept phishing websites, Trojan attacks, hacker intrusions and network fraud through local + cloud methods;
It supports application recognition, and the accuracy reaches the level of application behavior. The combination of application identification and intrusion detection, anti-virus, URL filtering, and filtering file expansion types greatly improves the detection performance and accuracy.
Provide a comprehensive and timely security signature database, keep up with the latest developments in the field of network security, and ensure timely and accurate updates of the feature database.
Refined identification and control of online behaviors
It has a large-scale application identification feature database, and can control more than 500 common desktop and mobile Internet applications in China with one click, including video, social networking, shopping, finance and other applications;
Accurately identify popular application behaviors such as WeChat, Weibo, and QQ, such as text communication, voice and video, file transfer, music playback, etc., and finely control these behaviors, and intercept or restrict them in a purposeful and targeted manner;
Built-in database of more than 10 types of domestic URLs, which can restrict employees' access to the corresponding websites with one click;
Support prohibiting web submission, restricting employees from logging in to various web-based forums, microblogs, mailboxes, etc. to publish information, filtering email content, and effectively avoiding the leakage of sensitive enterprise data;
*The database of applications and URLs will be updated and added continuously.
Complete security audit strategy
Detailed and comprehensive logging: System logs, operation logs, policy hit logs, traffic logs, audit logs, threat logs, content logs, URL logs, and email filtering logs are supported to record firewall-related traffic and operation history in detail, helping administrators understand network status and quickly locate network problems.
Graphical traffic statistics: Traffic statistics can be performed in three dimensions: interface, IP, and security policy, and the traffic data of security policies can be displayed graphically in real time, which is clear at a glance. The traffic analysis report can be output in the form of PDF report to help the administrator analyze the historical traffic distribution.
Internet behavior audit: Support HTTP behavior audit, FTP behavior audit, email audit, IM audit, through audit logs, you can understand the Internet behavior of employees during work, including web access, APP application, etc., so that bad Internet behavior can be traced;
TP-LINK security audit system: It can be used with the TP-LINK security audit system to store logs for a long time and in large capacity, and output more detailed analysis reports.
Simple O&M and security management
Full Chinese web interface, detailed and clear configuration guidance;
Graphical interface display, real-time monitoring of key resources such as CPU utilization, clear and intuitive;
Support local/remote management, convenient chain operation, remote assistance;
Support password authentication/identity recognition to ensure authorization security;
Support multi-administrator roles and refined permission management;
Support license management and feature database upgrade;
Support active/standby switchover and on-line detection to ensure high-reliability operation of the equipment;
A separate console management port is provided to debug the device through the command line with the assistance of technical support personnel.
Flexible bandwidth management policies
Provides flexible bandwidth management policies to control the bandwidth used by each IP address in the network to ensure the network experience of key services and users. The management and control methods include bidirectional bandwidth control, connection limit, and connection monitoring.
Abundant routing features
Static routing, policy-based routing, intelligent balancing, VPN (IPSec/PPTP/L2TP VPN), dynamic DNS (Peanutshell, Kemai, 3322) and other functions are supported.
Supports multiple deployment modes
Layer 3 routing gateway mode
As a Layer 3 routing gateway, the TL-FW5600 industrial grade replaces the original router in the network, and the data communication between the internal network and the external network is NAT converted through the firewall.
Layer 2 transparent bridge mode
The TL-FW5600 industrial supports setting up some or all interfaces as bridges, which work in a Layer 2 network, and the network can be protected by firewalls as long as data passes through the bridge interfaces. In this mode, firewall deployment does not need to change the original topology, which is more convenient and faster.
Route + Bridge mode
During actual network deployment, some interfaces of the firewall can be set as bridge interfaces and part of the firewall interfaces as routing interfaces according to on-site requirements, so that the two methods can be flexibly combined to achieve more cost-effective network protection.
Hardware specifications
| Port | - 3 x 10/100/1000M RJ45 ports
- 2 SFP (Combo) ports
- 1 USB memory port
- 1 console port
- 1 x Micro SD card slot
- 1 MGMT management port
|
| Processor | - Dual-core 64-bit MIPS network dedicated processor, single-core frequency 1GHz
|
| Memory | |
| FLASH | |
| Light | - Ports: Link/Act, USB, Micro SD
- Devices: PWR, SYS, CLOUD
|
| Dimensions | |
| Enter the power supply | - 12/24/48 VDC (9.6~ 60 VDC)
- *The power supply is not included in the factory, if you need to use it, please purchase TL-IP75-24 or TL-IP75D-24 separately
|
| Heat dissipation | |
| Use environment | - Operating temperature: -40°C~75°C, Operating humidity: 10%~90%RH non-condensing
- Storage temperature: -40°C~85°C, Storage humidity: 5%~90%RH non-condensing
|
Software Features
| Policy configuration | - Security policies and audit policies
- Bandwidth policies (bandwidth control, connection limiting, connection monitoring)
- NAT Policies (NAPT, One-to-One NAT, Virtual Server, NAT-DMZ, UPnP)
- ALG Strategies (FTP ALG, H.323 ALG, PPTP ALG, SIP ALG)
|
| Policy Objects | - Security areas, addresses, users, services, websites, applications, blacklists, and intrusion prevention
- Security profiles (URL filtering, file filtering, application behavior control, email content filtering, anti-virus)
- Audit Profiles (HTTP Behavior Audit, FTP Behavior Audit, Email Audit, IM Audit)
|
| Attack protection | - Supports ARP protection, such as ARP spoofing and ARP attacks
- Supports protection against a variety of common attacks, such as DDoS attacks, network scanning, and suspicious packet attacks
- MAC address filtering is supported to block access to unauthorized hosts
|
| All-in-one DPI for in-depth security | - Intrusion prevention is supported
- Anti-virus support
- Remote query of malicious domain names is supported
- Application behavior recognition is supported
- Extended file types can be filtered
|
| Network Capabilities | - Static routes, policy-based routes
- Smart Equalization
- VPN(IPSec/PPTP/L2TP VPN)
- Dynamic DNS (Peanut Shell, Kemai, 3322)
|
| System administration | - Support Chinese Web management and remote management
- Multiple administrative roles are supported
- Configuration backup and import are supported
- Support system software upgrade
- Supports a variety of logs, reports, diagnostic centers, and panel statuses
- License management is supported
- Signature database upgrades are supported
|
Compatible with Micro SD cards
| SanDisk | - Memory 64G and 128G, performance parameters U3, V30, Class10
|
| Kingston | - RAM 64G and 128G, performance parameters U1, A1, V10, Class10
|
| Samsung | - Memory 64G and 128G, performance parameters U1, Class 10
|
| Toshiba | - Memory 64G and 128G, performance parameters U1, Class 10
|
Performance Parameters*
| Maximum number of concurrent connections | |
| New Connection Rate (CPS) | |
| Network layer throughput (1518 bytes, UDP) | |
| Application Layer Throughput (Mbps) | |
| Application Recognition Throughput (Mbps) | |
| Total Threat Throughput (Application Identification + IPS + AV + Malicious Domain Name) (Mbps) | |
| *Parameter description | - The parameters are tested with an HTTP load of 128KB
|
License Authorization (TL-FW-LIS-ALL, all-in-one)
| IPS library | |
| AV library | |
| Malicious domain name library | |
| App Gallery | |
| Website Library | - Comes with 1200+ websites
|
TL-FW5600 industrial firewall product is an industrial firewall product launched by TP-LINK, which supports 4 characteristic libraries such as anti-virus, intrusion prevention, malicious domain name, and application identification, and integrates firewall policy, attack protection, DPI in-depth security, security audit, bandwidth management, VPN and other functions, effectively resisting network risks, achieving comprehensive protection, simplifying operation and maintenance, and ensuring the continuous and stable operation of enterprise core applications and services, suitable for enterprises, government agencies, parks, chain hotels and other scenarios.
Dual-core 64-bit network-specific processor, single-core frequency 1GHz, 1GB DDRIV high-speed memory
3 x 10/100/1000M RJ45 ports, 1 x MGMT management port
Industrial working temperature: -40°C~75°C
EMS advanced protection, three redundant power inputs, more reliable work
The port bypass function is supported, and the port is directly connected after the power is off
You can configure security policies, audit policies, bandwidth policies, NAT policies, and ALG policies
It supports a variety of security protection functions to defend against ARP spoofing, ARP attacks, DDoS attacks, network scanning, and suspicious packet attacks
It supports scalable integrated DPI in-depth security (intrusion prevention, anti-virus, file filtering, remote query of malicious domain names, and application behavior control), and the signature database is updated regularly
Supports a wide range of policy objects (security zones, addresses, users, services, websites, applications, blacklists and whitelists, security profiles, intrusion prevention, and audit profiles).
Supports rich network functions, such as static routing, policy-based routing, intelligent balancing, VPN (IPSec/PPTP/L2TP VPN), DDNS, etc
Multi-administrator roles, refined permission management
Abundant ports and powerful performance
It adopts a professional dual-core 64-bit network-specific processor and 1GB DDRIV high-speed memory to provide powerful packet processing capabilities.
It provides 3 10/100/1000M RJ45 service ports, 2 Gigabit SFP ports (Combo), 1 management port, 1 console port, 1 USB storage port, and 1 Micro SD card slot, which is convenient for users to manage and maintain the system while meeting the needs of high-speed data forwarding.
Support rich industrial control protocol identification and control
It supports in-depth identification and control of various mainstream industrial control protocols including Modbus/TCP, S7, CIP, DNP3, FF-FMS, FF-SM, FINS, IEC60870-5-104, Modbus, PROFINET-CM, PROFINET-RT, OPC UA, etc.
Comprehensive security strategy
Adopting the principle of minimum security, it supports security policies based on security zones, source IP addresses, destination IP addresses, source ports, destination ports, service groups, application groups, user groups, time periods, blacklists and whitelists, websites, anti-viruses, URL filtering, file filtering, application behavior control, email content filtering, intrusion prevention, audit profiles and other objects.
All-round attack protection
It supports a variety of intranet/extranet attack protection functions, and can effectively prevent various DoS attacks, scanning attacks, and suspicious packet attacks, such as TCP Syn Flood, UDP Flood, ICMP Flood, IP Scanning, Port Scanning, WinNuke Attacks, Fragment Packet Attacks, WAN Port Ping, TCP Scan (Stealth FIN/Xmas/Null), IP Spoofing, TearDrop, etc.
ARP protection, such as ARP spoofing and ARP attacks, is supported to avoid service interruption and frequent network disconnection.
Support IP and MAC binding, which can bind the IP and MAC address information of the LAN port (intranet) and WAN port (extranet) hosts at the same time to prevent ARP spoofing.
MAC address filtering is supported to block access to unauthorized hosts.
Expandable integrated DPI for in-depth security
Support intrusion prevention, get the latest threat information in the first time, and accurately detect and defend against attacks against vulnerabilities;
Support anti-virus, can quickly and accurately detect and kill viruses and other malicious programs in network traffic, and protect more than 1 million viruses and Trojans;
It supports filtering file expansion types, which can easily filter all kinds of small files embedded in web pages to prevent viruses and Trojan horses from invading the enterprise network through small files and endangering network security.
Support URL filtering, remote query of malicious domain names, effectively intercept phishing websites, Trojan attacks, hacker intrusions and network fraud through local + cloud methods;
It supports application recognition, and the accuracy reaches the level of application behavior. The combination of application identification and intrusion detection, anti-virus, URL filtering, and filtering file expansion types greatly improves the detection performance and accuracy.
Provide a comprehensive and timely security signature database, keep up with the latest developments in the field of network security, and ensure timely and accurate updates of the feature database.
Refined identification and control of online behaviors
It has a large-scale application identification feature database, and can control more than 500 common desktop and mobile Internet applications in China with one click, including video, social networking, shopping, finance and other applications;
Accurately identify popular application behaviors such as WeChat, Weibo, and QQ, such as text communication, voice and video, file transfer, music playback, etc., and finely control these behaviors, and intercept or restrict them in a purposeful and targeted manner;
Built-in database of more than 10 types of domestic URLs, which can restrict employees' access to the corresponding websites with one click;
Support prohibiting web submission, restricting employees from logging in to various web-based forums, microblogs, mailboxes, etc. to publish information, filtering email content, and effectively avoiding the leakage of sensitive enterprise data;
*The database of applications and URLs will be updated and added continuously.
Complete security audit strategy
Detailed and comprehensive logging: System logs, operation logs, policy hit logs, traffic logs, audit logs, threat logs, content logs, URL logs, and email filtering logs are supported to record firewall-related traffic and operation history in detail, helping administrators understand network status and quickly locate network problems.
Graphical traffic statistics: Traffic statistics can be performed in three dimensions: interface, IP, and security policy, and the traffic data of security policies can be displayed graphically in real time, which is clear at a glance. The traffic analysis report can be output in the form of PDF report to help the administrator analyze the historical traffic distribution.
Internet behavior audit: Support HTTP behavior audit, FTP behavior audit, email audit, IM audit, through audit logs, you can understand the Internet behavior of employees during work, including web access, APP application, etc., so that bad Internet behavior can be traced;
TP-LINK security audit system: It can be used with the TP-LINK security audit system to store logs for a long time and in large capacity, and output more detailed analysis reports.
Simple O&M and security management
Full Chinese web interface, detailed and clear configuration guidance;
Graphical interface display, real-time monitoring of key resources such as CPU utilization, clear and intuitive;
Support local/remote management, convenient chain operation, remote assistance;
Support password authentication/identity recognition to ensure authorization security;
Support multi-administrator roles and refined permission management;
Support license management and feature database upgrade;
Support active/standby switchover and on-line detection to ensure high-reliability operation of the equipment;
A separate console management port is provided to debug the device through the command line with the assistance of technical support personnel.
Flexible bandwidth management policies
Provides flexible bandwidth management policies to control the bandwidth used by each IP address in the network to ensure the network experience of key services and users. The management and control methods include bidirectional bandwidth control, connection limit, and connection monitoring.
Abundant routing features
Static routing, policy-based routing, intelligent balancing, VPN (IPSec/PPTP/L2TP VPN), dynamic DNS (Peanutshell, Kemai, 3322) and other functions are supported.
Supports multiple deployment modes
Layer 3 routing gateway mode
As a Layer 3 routing gateway, the TL-FW5600 industrial grade replaces the original router in the network, and the data communication between the internal network and the external network is NAT converted through the firewall.
Layer 2 transparent bridge mode
The TL-FW5600 industrial supports setting up some or all interfaces as bridges, which work in a Layer 2 network, and the network can be protected by firewalls as long as data passes through the bridge interfaces. In this mode, firewall deployment does not need to change the original topology, which is more convenient and faster.
Route + Bridge mode
During actual network deployment, some interfaces of the firewall can be set as bridge interfaces and part of the firewall interfaces as routing interfaces according to on-site requirements, so that the two methods can be flexibly combined to achieve more cost-effective network protection.
admin - September 12, 2018
roadthemes