
Information Management Unit

ENQUIRY 1I-17297

Request for Proposal for: Supply & Installation of a Firewall Solution with Licencing

1. Information Page
2. Conditions of Tender
3. General Conditions of Contract
4. Technical Specification
5. Tender Documents - (to be completed and returned by Tenderer)
- Official Tender Form
- Checklist Tender Returnables
- Annexure 1 - Contractor Acknowledgement of Responsibility in Terms of Occupational Health and Safety Act
- Annexure 2 - MBD4 Declaration of Interest
- Annexure 3 - Declaration of Municipal Fees
- Annexure 4 - MBD 9 Certificate of Independent Bid Determination
- Annexure 5 - Banking Rating Questionnaire
- Annexure 6 - MBD 6.1 Preference Points Claim Form
- Annexure 7 - MDB 8 Declaration of Bidders Past Supply Chain Practices
- Annexure 9 - MBD 2 Tax Clearance Certificate

All of which form part of the Tender Documents and should not be detached.

All annexures are not included in this pack and must be downloaded from: ftp.durban.gov.za/munidocs. These need to be printed, completed and submitted with tender response.

NOTE

SEALED TENDERS ADDRESSED TO THE TENDERS SECTION AND MARKED Enquiry 1I-17297 SUPPLY & INSTALLATION OF A FIREWALL SOLUTION WITH LICENSING MUST BE PLACED IN THE TENDER BOX LOCATED IN THE FOYER, GROUND FLOOR, MUNICIPAL BUILDING, 166 KE MASINGA ROAD (FORMERLY OLD FORT ROAD), DURBAN (AND NOT ANY OTHER MUNICIPAL DEPARTMENT) NOT LATER THAN 11:00 ON FRIDAY, DATE 4 October 2015

Enquiries in regard to this contract should be made to ISquotes2@durban.gov.za

1. INFORMATION PAGE

In terms of eThekwini Municipality's Procurement Policy a NON-REFUNDABLE TENDER CHARGE for tender documents collected in hard copy has been implemented. The following forms of payment will be acceptable:

- Cash
- Bank Guaranteed Cheques addressed to eThekwini Municipality
- Bank Deposits (information/account details reflected below)

Should a bank deposit be made, a copy of the deposit slip as proof of payment must be faxed to (031) 311 7718 for the urgent attention of the Senior Contracts Officer. Once proof of payment has been received the tender document will be released. Alternatively the deposit slip could be sent with the Courier who is collecting the tender document on behalf of the company.

Note: Any company requiring a courier service will bear the cost for the service as well as have deposited the relevant tender charge into the Municipality's account prior to the Courier collecting a document.

BANKING DETAILS

Name of Account Holder: eThekwini City Engineer's Deposit Account
Name of Banking Institution: Standard Bank
Branch: Kingsmead
Branch Code: 04 0026
Account Number: 05 0134264
Type of Account: Business Current

Targeted Procurement Registration Documents available on:
Website Address: http://www.durban.gov.za/resource_centre/tenders/pages/default.aspx

Supply & Installation of a Firewall Solution #1I-17297

2. CONDITIONS OF TENDER (GOODS/SERVICES)

1. BID INFORMATION

1.1 Each bidder shall complete fully and accurately the following all required documents stipulated in the checklist Tender Returnables with its bid. Remaining bid documents issued with this enquiry, such as Conditions of Tender (Goods and Services) and Government Procurement General Conditions of Contract shall be detached and retained by the bidder.

1.2 The specification will be governed by the Conditions of Tender (Goods and Services) and Government Procurement General Conditions of Contract, attached hereto, and to the Occupational Health and Safety Act, Act No. 85 of 1993.

1.3 The adjudication will be based upon 90/10 procurement point system in accordance with eThekwini Municipality's Targeted Procurement Policy. Should any compliant bid be received at a value below R 1 000 000 (all applicable taxes included) eThekwini Municipality will however evaluate using the 80/20 point system.

1.4 All bidder prices quoted by the contractor must be in South African currency (Rand).

1.5 eThekwini Municipality reserves the right to accept more than one technically and contractually compliant bid for part or the whole of the contract and to place orders on the price and availability.

1.6 Bidders may submit alternative solutions that in the Bidder's opinion are to eThekwini Municipality's advantage economically and technically. Full technical details of these alternative offer(s) shall be submitted with Bid documents. Alternative Bid(s) shall be submitted separately.

2. TAX CLEARANCE CERTIFICATE

Bidders are to include with their bid submission a valid tax clearance certificate, or obtain one prior to the evaluation of submissions, which has sufficient validity to ensure that the tender process is adequately covered.

3. DECLARATION OF MUNICIPAL FEES

Only those bidders whose municipal fees are fully paid or arrangements have been concluded with the Municipality to pay the said fees are eligible to bid.

4. DECLARATION OF INTEREST

All bidders are to sign the declaration of interest wherein they declare any relationship that may exist with an official of the Municipality involved in the evaluation process.

6. SPECIAL CONDITIONS OF TENDER / CONTRACT

Any special conditions relative to the contract will form part of this contract.

7. PURCHASE OF GOODS FROM OTHER SOURCES

Nothing contained in this contract shall be held to restrain the Municipality from purchasing from persons other than the contractor, any of the goods described or referred to in this contract, if it shall in its discretion think fit to do so.

8. DELIVERY, RISK, PACKAGES, ETC

1. Unless otherwise provided, all goods are to be supplied only against the official form of order issued by the Municipality.
2. The risk in all goods purchased by the Municipality under the contract shall remain with the contractor until such goods shall have been duly delivered.
3. Bidders shall quote a unit price which shall include delivery to specified delivery point within the eThekwini Municipal area.
4. Bidders shall clearly state the period within which delivery will be made after receipt of the official order, as this may be material in the adjudication of the Bid.

9. PAYMENT

Where no conditions of payment are prescribed, payment for goods received and accepted by the Municipality shall be made no later than 30 days after submission of invoice or claim, provided however that all the terms of the contract are duly observed.

10. RATES OF EXCHANGE

(1) Where the goods are imported the contractor shall within seven days of date of Official Purchase Order, arrange through his bankers for the foreign commitment to be covered forward down to the Rand in order to fix the rate of exchange. The contractor shall notify the Municipality as soon as possible thereafter regarding the rate which has been fixed on such forward exchange. Any increase or decrease between the basic rate of exchange as at a date seven days prior to the date of closing of Bids and that existing at the date of establishment of the forward exchange cover within the period stipulated above shall be paid or deducted by the Municipality. Upon the failure of the contractor to arrange forward exchange cover, the contractor shall be liable should there be any increase in the basic rate of exchange occurring after the last mentioned date. The bank charges incurred in obtaining the forward exchange cover shall be for the Municipality's account.

(2) The contractor shall on request:
(i) submit documentary proof of the rate of exchange;
(ii) when an adjustment is claimed in terms of this sub-clause, whether by the contractor or the Municipality, submit documentary proof to the satisfaction of the Deputy City Manager: Treasury in respect of such claim.

11. VALUE ADDED TAX (V.A.T)

The Bidder shall state the amount of value added tax (V.A.T) separately on the Official Tender Form.

12. FORM OF TENDER AND CLOSING DATE

Sealed bids made out on the enclosed Official Tender Form which shall be signed by or on behalf of the Bidder and addressed to the Head: Supply Chain Management Unit and marked with the appropriate enquiry number must be placed in the Tender box provided which is located in the Foyer, Ground Floor, City Engineer's Unit, Municipal Centre, 166 K.E. Masinga Road (Formerly Old Fort Road), Durban, not later than 11:00 on the date stated in the public advertisement inviting bids, where they will be opened publicly. All couriered documents must be placed directly into the tender box and should not be delivered to any other Municipal Department.

Bidders are advised that bids submitted by fax or email will not be considered. Any bid received after the closing date and time advertised for the receipt thereof shall not be accepted for consideration by the Head: Supply Chain Management Unit and shall be returned to the Bidder.

13. BIDS WILL BE LIABLE TO REJECTION UNLESS MADE OUT AND SIGNED ON THE OFFICIAL TENDER FORM ANNEXED HERETO

Failure of a tenderer to complete and sign the tender form in its entirety will invalidate the tender.

14. ACCEPTANCE OF BID

The Municipality does not bind itself to accept the lowest or any Bid and reserves the right to accept the whole or any part of a Bid.

15. PRICING

(1) Nett Prices: All prices shall be quoted in South African currency after deduction of any brokerage or discount allowed to the Municipality.

(2) Firm Bids: Bidders may submit firm prices, which prices shall be free from all fluctuations, including any statutory increases.

(3) Unit Prices: Bidders shall quote only one price in respect of each item, such price to hold good for the full duration of the contract period, being subject to variation only in accordance with specified criteria.

16. WITHDRAWAL OF BIDS

Bids must hold good until 16h00 on the Friday of the twelfth week (85 calendar days) following the Friday on which Bids are opened or during such other period as may be specified. The Municipality may, during the period for which Bids are to remain open for acceptance, authorize a Bidder to withdraw his/her Bid in whole or in part on condition that the Bidder pays to the Municipality on demand, a sum of R1 000. The Municipality may, if it thinks fit, waive payment of such sum in whole or in part.

17. DIFFERENCES OR DISCREPANCIES

(1) Prices: Should there be any difference or discrepancy between the prices or price contained in the Official Tender Form and those contained in any covering letter from the Bidder, the prices or price contained in the Official Tender Form shall prevail.

(2) Complete Acceptance of Conditions: Unless otherwise expressly stipulated in the letter covering the Bid every Bidder shall be deemed to have waived, renounced, and abandoned any conditions printed or written upon any stationery used by him for the purpose of or in connection with the submission of his Bid, which are in conflict with the General Conditions of Contract or Conditions of Tender (Goods/Services). Bidders are advised that any material divergences from the official Conditions or Specification will render their Bids liable to disqualification.

18. BRIBERY AND COMMUNICATION WITH COUNCILLORS / OFFICIALS

(1) Bribery: No Bidder shall offer, promise or give to any person or person connected with a bid or the awarding of a contract, any gratuity, bonus or discount etc, in connection with the obtaining of a contract.

(2) Communication, Councillors and Officials

(1) A Bidder shall not in any way communicate with a member of the Municipality or with any official of the Municipality on a question affecting any contract for the supply of goods or for any work, undertaking or services which is the subject of a bid during the period between the closing date for receipt of Bids and the dispatch of the written notification of the Municipality's decision on the award of the contract; provided that a Bidder shall not hereby be precluded:

- at the request of the Head: Supply Chain Management Unit or his authorized representative, from furnishing him with additional information or with a sample or specimen for testing purposes or otherwise or from giving a demonstration so as to enable the recommendation to the Bid Committee on the award of the contract to be formulated;

- from obtaining from the Head: Supply Chain Management Unit his authorised representative information as to the date upon which the award of the contract is likely to be made or, after the decision upon the award has been made by the Municipality or any Committee to which the Municipality has delegated its powers, information as to the nature of the decision or such information as was publicly disclosed at the opening of bids or from submitting to the Accounting Officer in writing any communication relating to his/her Bid or the award of the contract or a request for leave to withdraw his/her bid;

- and provided further that nothing contained herein shall be construed so as to prevent information being sought and obtained from an Official in regard to any decision taken at an open Municipal meeting, or any Committee to which the Municipality has delegated its powers.

A contravention of subsection (1) and / or (2) or an attempt to contravene such subsection shall be reported to the Accounting Officer, who may on receipt of such report may disqualify the bid of the Bidder concerned.

19. IMPORT PERMITS

(1) In order to minimize special importation, Bidders should, where possible, have recourse to local suppliers and/or manufacturers.

(2) Bidders must state whether their bid is dependent upon the issue of a special import permit or whether they are able to supply the goods by making use of the import facilities available to them.

(3) In the event of a Bid being dependent upon the issue of a special import permit, application for such special import permit shall be made by the Bidder, unless otherwise provided in the Special Conditions of Tender (Goods and Services).

20. LEGAL STATUS OF BIDDER

It is essential for the purpose of entering into a legal contract that Bidders state on the Official Tender Form their full legal status, for example the full registered name of the company Bidding; or if the Bidder is a person conducting business under a recognised trading name then state the name of the person/s - Trading as (state recognised trading name) and state whether owner, co-owner, proprietor, etc.

21. AUTHORITY OF SIGNATORY

Bidders should submit with their bids a certified copy of the Resolution of the Company authorising the signatory to sign Bid documents on behalf of the Company. If the Bidder is not a registered company, the signatory shall indicate in what capacity and under what authority the bid documents were signed by him/her.

22. ALTERATIONS TO BID DOCUMENTS

Any alterations effected upon any of the bid documents must be clearly shown by means of a hand written/typed entry and must be signed in full by the Bidder.

23. MANUFACTURERS

The names of the manufacturers and brands of the Goods or Equipment offered must be stated in the bid.

24. FACTORING

Payment will be made only to the contractor(s). Factoring arrangements will not be accepted.

25. PREFERENTIAL PROCUREMENT

25.1 Applicable Documentation

These conditions of tender are to be read together with the following documents:

- eThekwini Municipality Targeted procurement Policy document.

It is a requirement of this Tender that all the Contractors, Joint Ventures and Targeted Enterprises, must be registered, or be eligible for registration, on the eThekwini Municipal Procurement Database such that their classification, as described above, has been or can be determined and verified prior to Tender adjudication and award.

26. TENDERS WILL ONLY BE ACCEPTED ON CONDITION THAT:

(a) The tender is signed by a person authorised to sign on behalf of the Tenderer;
(b) A valid original Tax Clearance Certificate is received prior to the evaluation of tenders which has sufficient validity to ensure the process is adequately covered;
(c) A Tenderer who submitted his/her tender as a Joint Venture has included an acceptable Joint Venture Agreement with his/her tender.

27. PERFORMANCE SECURITY (SURETY BOND)

The attention of Tenderers is drawn to Clause 7 of the General Conditions of Contract relative to Performance Security. No Performance Security (Surety Bond) is required with this tender.

28. MUNICIPAL FEES

All tenderers are to sign a declaration wherein they declare that their municipal fees are in order, or proper arrangements have been made with the Municipality, and include the relevant account numbers in the declaration. Failure to include account numbers or sign will invalidate the tender. The completion of the declaration is also applicable to tenderers outside of the eThekwini Municipal Area.

29. NON REFUNDABLE TENDER CHARGE

The non-refundable tender fee paid for this document, is relevant only for this tender. The tenderer who purchases this document, is the only tenderer who will be allowed to submit a price for this contract i.e. No other tenderer will be allowed to use this document to submit a tender, be it the original or a photocopied specimen. Should this occur, all who are party to this will not be considered in the adjudication process.

30. APPEAL PROCESS

In terms of Regulation 49 of the Municipal Supply Chain Management Regulations persons aggrieved by decisions or actions taken by the Municipality, may lodge an appeal within 14 days of the decision or action, in writing to the Municipality.

Tenderers are advised that the following is the appeal process and in dealing with these appeals the Municipal Manager shall follow the following procedure:

1. The appeal (clearly setting out the reasons for the appeal) and queries with regard to decision of award are to be directed to the office of the City Manager, Attention: Mr T Siemela, P O Box 1014, Durban, 4000; Facsimile: (031) 311-3261
2. A copy of the appeal will be forwarded to the Chairperson of the Bid Adjudication Committee, who must provide a response in writing within seven days.
3. In the event that there are allegations made against third parties, they will also be given an opportunity to respond to the allegations within seven days.
4. These responses will then be sent to the appellant for a reply within five days.
5. The appeal will be considered on these written submissions, unless the appeal authority is of the view that there is a need for oral submissions, in which case, the appellant will be notified of the date, place and time of such hearing.
6. The Appeal Authority will consider the appeal and may confirm, vary or revoke the decision of the Committee, but not such variation or revocation of a decision may detract from any rights that may have accrued as a result of the decision.
7. The Appeal Authority must commence with the appeal within six weeks and decide the appeal within reasonable period.

31. PROHIBITION ON AWARDS TO PERSONS IN THE SERVICE OF THE STATE

Regulation 44 of the Supply Chain Management Regulations states that the Municipality or Municipal Entity may not make any award to a person:

(a) Who is in the service of the state
(b) If that person is not a natural person, of which any Director, Manager, Principal, Shareholder or Stakeholder is a person in the service of the state; or
(c) Who is an advisor or consultant contracted with the municipality or municipal entity.

Should a contract be awarded, and it is subsequently established that clause 44 has been breached, the employer shall have the right to terminate the contract with immediate effect.

32. AGREEMENTS

All tenderers that are not manufacturers, accredited agents or distributors must provide agreements which cover the contract period. The aforementioned must also agree with all of the conditions of the contract.

33. NEGOTIATIONS WITH PREFERRED BIDDERS

The municipality reserves the right to invoke Section 24 of the Municipal Finance Management Act if so desired.

(1) The Accounting Officer may negotiate the final terms of a contract with bidders identified through a competitive bidding process as preferred bidders, provided that such negotiation:
(a) Does not allow any preferred bidder a second or unfair opportunity;
(b) Is not to the detriment of any other bidder; and
(c) Does not lead to a higher price than the bid as submitted.

(2) Minutes of such negotiations must be kept for record purposes.

(3) Such negotiation may be delegated to the designated Senior Manager by the Accounting Officer.

3. GENERAL CONDITIONS OF CONTRACT

Government Procurement; General Conditions of Contract must be downloaded and read prior to submission of tender response. Documents can be downloaded from: ftp.durban.gov.za/munidocs. The Document in question is: General Conditions of Contract.pdf.

Technical Specification

Information Management Unit
ENQUIRY 1I-17297
Supply and Installation of a Firewall Solution
July 2015

Contents

I. Definitions
II. Background
III. Current technical environment
IV. Scope of requirements
General requirements
2. Requirements for Next Generation Firewall
2.1 Firewall
2.2 Intrusion Prevention System
2.3 User Identity Acquisition
2.4 Application Control and URL Filtering
2.5 Anti-Bot and Anti-Virus
2.6 Threat Emulation
2.7 Anti-Spam & Email Security
2.8 IPsec VPN
2.9 Security Management
2.10 Threat Prevention Updates
2.11 Logging & Monitoring
2.12 Event Correlation and Reporting
2.13 Management Portal
2.14 Data Loss Prevention (DLP)
2.15 Mobility
2.16 Security Gateway Sizing and Recommendations
3. Solution Evaluation
Appliance: Firewall
Appliance: Management Server
4. Response requirements
a. General Requirements
b. Post Project Support Requirements
c. Previous Implementation History
i. Number and size of Client Base
ii. Provide reference sites, in South Africa, with contact details
d. Technical Support
i. Technical competencies within your organization.
ii. Number of Network support resources. Specify how many are locally based in Durban.
iii. Provide Certificates of the Network support resources.
e. Professional Services
i. Specify what technical documentation and training material will be provided.
ii. Specify the project controls that will be place
iii. Specify how change management will be delivered.
5. Pricing structure
6. Evaluation of Responses
6.1 Technical Evaluation
6.1.1 Critical/ Mandatory Requirements (Please Fill In)
6.1.2 Non Mandatory Evaluation
6.1.3 Product & Company Details
6.1.4 Schedule of Experience
6.1.5 Schedule of Compliance with specification
7. RATE OF EXCHANGE QUESTIONNAIRE
8. Costs
8.1 Year One
8.2 Year Two
9. Required Documentation and Tender Returnables
9.1 Tender Returnables Checklist
10. Form of Offer

I. Definitions

Term: Definition
Vendor: Refers to the equipment manufacturer
Reseller/service provider/supplier: Refers to the company supplying, installing and/or providing service with a Vendor's equipment
FWSM: Firewall Services Module
DMZ: Demilitarized Zone
DLP: Data Loss Prevention
IPS: Intrusion Prevention System
SR: Short Range
LR: Long Range
Gb: Gigabyte
Mb: Megabyte
FMB: Florence Mkhize Building
OFP: Old Fort Place
NGFW: Next Generation Firewall
HSRP: Hot Standby Router Protocol
VLAN: Virtual local area network
Gbps: Gigabits per second
Mbps: Megabits per second
OSI: Open standards Interconnect
RFC: Request for comments
GHz: Gigahertz

II. Background

eThekwini Municipality is looking for a company to supply and install a firewall solution with licensing. eThekwini Municipality's current firewall solution sits on the Cisco Catalyst 6500 switches. The solution controls traffic to the Server Farm from the Internal Network and also provides up to OSI Layer 4 protection to protect the datacentre from various internal attacks and provide relevant access to authorized users or systems. The solution has reached its end of life and is not supported anymore.

III. Current technical environment

eThekwini Municipality has two FWSMs, one installed on the Cisco Catalyst 6509 at FMB and the other on the Cisco Catalyst 6509 at OFP. These FWSMs are set up in an Active/Standby mode. Should the active Cisco 6509 chassis go down, the other will become the active firewall.

The FWSM controls traffic to the Server Farm from the Internal Network. The FWSM provides up to OSI Layer 4 protection to all servers in the datacentre. The FWSM is also connected to the Checkpoint 12600 firewalls, which control access to the DMZ and Internet access, via a 1 Gb Ethernet interface.

The following is the current setup on the existing system:

- The FWSM is set up in routed mode
- Hardware specifications: CPU: Pentium III @ 1 GHz; RAM: 1024 MB; Flash: 40 MB
- The software version is FWSM Firewall Version 4.0(5), Device Manager Version 6.1(3)F
- Its maximum number of concurrent handled connections is 1 000 000 (1 million)
- Its maximum number of new connections handled per second is 100 000 (1 hundred thousand)
- The FWSM directly controls access to 34 VLANs
- The 6509 directly controls access to 31 VLANs
- The FWSM utilises the existing HSRP for high availability

The FWSM also controls access to the following:

- MTN and Vodacom APN
- Lawyers Access Web
- SMME companies based at SmartXchange
- Standard Bank via our InfoConnect Link
- Access to Library catalogue services

How the End User Is Affected By the FWSM

The end user is affected if they try to access resources located in the server farm (mail, database etc.) from the Internal Network Resources. Access to the internal resources for APN and VPN users is also controlled via the FWSM. Access to the Standard Bank Info-Connect Service is controlled via the FWSM. SMME access to the Server Farm is controlled via the FWSM.

The diagram below provides an overview of the current network architecture installed with the Cisco Catalyst 6500 Series:

IV. Scope of requirements

Below is a diagram of a proposed architecture

Installation, migration & configuration of the firewall solution would be performed by the nominated service provider of the proposed vendor solution. This would include, but is not limited to:
- Active/Active clustering of solution.
- Migration of existing rules and rule sets from the current system into new solution.
- Implementation of routing (Dynamic, Static, Policy based or combination of the mentioned).
- Ensure critical systems as defined by eThekwini to be fully operational within the given time frame.
- Migration of existing VLANs present on both the Cisco Catalyst 6509 and FWSM into the solution.
- Implementation of the new features as required.

The nominated service provider would plan for, implement and design a solution that incorporates the above as well as any other recommendations deemed necessary from the service provider in order to achieve full effectiveness of the solution.

Due to the nature of this project the implementation must be handled by staff that are certified in both Cisco firewall technologies, to handle the FWSM migration, and the proposed vendor's product. The proposed solution must also minimize impact on eThekwini Municipality's user base and deliver a best practice environment.

The service provider is also required to ensure the transfer of skills to eThekwini staff to understand & maintain the solution. A quote for the official vendor's respective training must be in their submission.

Planning and deployment will be for two sites, FMB (251 Anton Lembede Street), and the Data Centre based at the OFP (31 Old Fort Complex).

Note that partnerships between the service provider and 3rd parties are allowed for goods or services, provided the proof of agreement between the various parties is submitted in their response.

On award of this tender, a service level agreement will be entered into with the service provider.

General requirements

1.1. The Vendor of the gateway software must have at least 15 years of experience in the security market.
1.2. The vendor must exclusively provide Internet security solutions.
1.3. The vendor must be capable of serving the entire scope of security gateway requirements, including throughput, connection rate and next generation security application enablement for all network deployments, from small office to data center in a single hardware appliance.
1.4. The vendor must have a virtualized security gateway solution that can support the enablement of all next generation firewall security applications, including intrusion protection, application control, Threat Emulation, URL filtering, Anti-Bot, Anti-Virus, all managed from a central platform.
1.5. The next generation gateway must be capable of supporting these next generation security applications on a unified platform.
1.5.1. Stateful Inspection Firewall
1.5.2. Intrusion Prevention System
1.5.3. User Identity Acquisition
1.5.4. Application Control and URL filtering
1.5.5. Anti Bot and Anti Virus
1.5.6. Anti Spam and Email Security
1.5.7. IPSec VPN
1.5.8. Data Loss Prevention - Capable
1.5.9. Mobile Access
1.5.10. Security Policy Management
1.5.11. Logging and Status
1.5.12. Event Correlation and Reporting
1.6. These applications must be exclusively supplied by and managed by the vendor.
1.7. The vendor solution must provide a mechanism to constantly educate end users of the security policy in real time.
1.8. The vendor must supply all industry certifications of the solution.
1.9. Vendor must have the capability to provide a solution to mitigate Distributed Denial of Service attacks.

2. Requirements for Next Generation Firewall

2.1 Firewall
2.1.1 The security gateway must use Stateful Inspection based on granular analysis of communication and application state to track and control the network flow.
2.1.2 The security gateway must be capable of supporting throughput, connection rate, concurrent connections requirements of eThekwini Municipality.
2.1.3 Solution must support access control for at least 150 predefined services/protocols.
2.1.4 Must provide security rule hit count statistics to the management application.
2.1.5 Must allow security rules to be enforced within time intervals to be configured with an expiry date/time.
2.1.6 The communication between the management servers and the security gateways must be encrypted and authenticated with PKI Certificates.
2.1.7 The firewall must support user, client and session authentication methods.
2.1.8 The following user authentication schemes must be supported by the security gateway and VPN module: tokens (i.e. SecureID), TACACS, RADIUS and digital certificates.
2.1.9 Solution must include a local user database to allow user authentication and authorization without the need for an external device.
2.1.10 Solution must support DHCP, server and relay.
2.1.11 Solution must support HTTP & HTTPS proxy.
2.1.12 Solution must include the ability to work in Transparent/Bridge mode.
2.1.13 Solution must support gateway high availability and load sharing with state synchronization.

2.2 Intrusion Prevention System
2.2.1 Vendor must provide evidence of year over year leadership position of Gartner Magic Quadrant for Intrusion Prevention solutions and/or Enterprise Network Firewall Gartner Magic Quadrant.
2.2.2 IPS must be based on the following detection mechanisms: exploit signatures, protocol anomalies, application controls and behavior-based detection.
2.2.3 IPS and firewall module must be integrated on one platform.
2.2.4 The administrator must be able to configure the inspection to protect internal hosts only.
2.2.5 IPS must have options to create profiles for either client or server based protections, or a combination of both.
2.2.6 IPS must provide at least two pre-defined profiles/policies that can be used immediately.
2.2.7 IPS must have a software based fail-open mechanism, configurable based on thresholds of security gateway's CPU and memory usage.
2.2.8 IPS must provide an automated mechanism to activate or manage new signatures from updates.

2.2.9 IPS must support network exceptions based on source, destination, service or a combination of the three.
2.2.10 IPS must include a troubleshooting mode which sets the in use profile to detect only, with one click without modifying individual protections.
2.2.11 IPS application must have a centralized event correlation and reporting mechanism.
2.2.12 The administrator must be able to automatically activate new protections, based on configurable parameters (performance impact, threat severity, confidence level, client protections, server protections).
2.2.13 IPS must be able to detect and prevent the following threats: Protocol misuse, malware communications, tunneling attempts and generic attack types without predefined signatures.
2.2.14 For each protection the solution must include protection type (server-related or client related), threat severity, performance impact, confidence level and industry reference.
2.2.15 IPS must be able to collect packet capture for specific protections.
2.2.16 IPS must be able to detect and block network and application layer attacks, protecting at least the following services: email services, DNS, FTP, Windows services (Microsoft Networking), SNMP.
2.2.17 Vendor must supply evidence of leadership in protecting Microsoft vulnerabilities.
2.2.18 IPS and/or Application Control must include the ability to detect and block peer to peer traffic using evasion techniques.
2.2.19 The administrator must be able to define network and host exclusions from IPS inspection.
2.2.20 Solution must protect from DNS Cache Poisoning, and prevent users from accessing blocked domain addresses.
2.2.21 Solution must provide VOIP protocols protections.
2.2.22 IPS and/or Application Control must detect and block remote control applications, including those that are capable of tunneling over HTTP traffic.
2.2.23 IPS must have SCADA protections.
2.2.24 IPS must have a mechanism to convert SNORT signatures.
2.2.25 Solution must allow the administrator to easily block inbound and/or outbound traffic based on countries, without the need to manually manage the IP ranges corresponding to the country.

2.3 User Identity Acquisition
2.3.1 Must be able to acquire user identity by querying Microsoft Active Directory based on security events.
2.3.2 Must have a browser based User Identity authentication method for non-domain users or assets.
2.3.3 Must support a dedicated client agent that can be installed by policy on users' computers that can acquire and report identities to the Security Gateway.
2.3.4 Must support terminal server environments.
2.3.5 Impact on the domain controllers must be less than 3%.
2.3.6 Must be able to acquire user identity from Microsoft Active Directory without any type of agent installed on the domain controllers.
2.3.7 Must support Kerberos transparent authentication for single sign on.
2.3.8 Must support the use of LDAP nested groups.
2.3.9 Must be able to share or propagate user identities between multiple security gateways.
2.3.10 Must be able to create identity roles to be used across all security applications.

2.4 Application Control and URL Filtering
2.4.1 Solution must not have any known published vulnerabilities in the last year to the existing architecture which can be exploited.
2.4.2 Solution must be able to create a filtering rule with multiple categories.
2.4.3 Solution must be able to create a filtering rule for a single site being supported by multiple categories.
2.4.4 Solution must have users and groups granularity with security rules.
2.4.5 The solution must have an easy to use, searchable interface for applications and URLs.
2.4.6 The solution must categorize applications and URLs by Risk Factor.
2.4.7 The application control and URL Filter security policy must be able to be defined by user identities.
2.4.8 The application control and URL Filter database must be updated by a cloud based service.
2.4.9 The solution must have unified application control and URL Filter security rules.
2.4.10 The solution must provide a mechanism to inform or ask users in real time to educate them or confirm actions based on the security policy.
2.4.11 The solution must provide a mechanism to limit application usage based on bandwidth consumption.
2.4.12 The solution must allow network exceptions based on defined network objects.
2.4.13 The solution must provide the option to modify the Blocking Notification and to redirect the user to a remediation page.

2.4.14 Solution must include a Black and White lists mechanism to allow the administrator to deny or permit specific URLs regardless of the category.
2.4.15 Solution must have configurable bypass mechanisms.
2.4.16 Solution must provide an override mechanism on the categorization for the URL database.
2.4.17 The application control and URL Filter security policy must report on the rule hit count.

2.5 Anti-Bot and Anti-Virus
2.5.1 Vendor must have an integrated Anti-Bot and Anti-Virus application on the next generation firewall.
2.5.2 Anti-Bot application must be able to detect and stop suspicious abnormal network behaviour.
2.5.3 Anti-Bot application must use a multi-tiered detection engine, which includes the reputation of IPs, URLs and DNS addresses and detects patterns of bot communications.
2.5.4 Anti-Bot applications must be able to scan for bot actions.
2.5.5 Anti-Bot and Anti-Virus policy must be administered from a central console.
2.5.6 Anti-Bot and Anti-Virus application must have a centralized event correlation and reporting mechanism.
2.5.7 Anti-Virus application must be able to prevent access to malicious websites.
2.5.8 Anti-Virus application must be able to inspect SSL encrypted traffic.
2.5.9 Anti-Bot and Anti-Virus must have real time updates from a cloud based service.
2.5.10 Anti-Virus must be able to stop incoming malicious files.
2.5.11 Anti-Virus and Anti-Bot policies must be centrally managed with granular policy configuration and enforcement.

2.6 Threat Emulation
2.6.1 The solution must provide the ability to protect against zero-day attacks before static signature protections have been created.
2.6.2 The solution must provide the ability for analyzing and detecting malware in business documents such as Adobe PDFs and MS Office files as well as EXE and Zip files.
2.6.3 The solution must provide the ability for flexible deployment using local appliances or the cloud.
2.6.4 The solution must provide the ability for zero false-positives.
2.6.5 The solution must provide the ability to emulate attacks targeting multiple Windows OS environments, at least: Windows XP, Windows 7, Windows 8.
2.6.6 The solution must provide the ability to be centrally managed.
2.6.7 The solution must provide the ability to increase security with automatic sharing of new attack information with other gateways by means of signature updates etc.

2.7 Anti-Spam & Email Security
2.7.1 Anti-Spam and Email security application must be content and language agnostic.
2.7.2 Anti-Spam and Email security application must have real-time classification and protections based on detected spam outbreaks which are based on patterns and not content.
2.7.3 The Anti-Spam and Email security application must include IP reputation blocking based on an online service to avoid false positives.
2.7.4 Solution must include a Zero-hour protection mechanism for new viruses spread through email and spam without relying solely on heuristic or content inspection.

2.8 IPsec VPN
2.8.1 Internal CA and External third party CA must be supported.
2.8.2 Solution must support 3DES and AES-256 cryptographic for IKE Phase I and II IKEv2 plus "Suite-B-GCM-128" and "Suite-B-GCM-256" for phase II.
2.8.3 Solution must support at least the following Diffie-Hellman Groups: Group 1 (768 bit), Group 2 (1024 bit), Group 5 (1536 bit), Group 14 (2048 bit), Group 19 and Group 20.
2.8.4 Solution must support data integrity with MD5, SHA-1, SHA-256, SHA-384 and AES-XCBC.
2.8.5 Solution must include support for site-to-site VPN.
2.8.6 Solution must support clientless SSL VPNs for remote access.
2.8.7 Solution must support L2TP VPNs, including support for iPhone L2TP client.
2.8.8 Solution must allow the administrator to apply security rules to control the traffic inside the VPN.
2.8.9 Solution must support domain based VPNs and route based VPNs using VTIs and dynamic routing protocols.
2.8.10 Solution must include the ability to establish VPNs with gateways with dynamic public IPs.
2.8.11 Solution must include IP compression for client-to-site and site-to-site VPNs.

2.9 Security Management
2.9.1 Security management application must be able to co-exist on the security gateway as an option.
2.9.2 Security management application must support role based administrator accounts. For instance, roles for firewall policy management only or a role for log viewing only.
2.9.3 Solution must include a certificate-based encrypted secure communications channel among all vendor distributed components belonging to a single management domain.
2.9.4 Solution must include an internal X.509 CA (Certificate Authority) that can generate certificates to gateways and users to allow easy authentication on VPNs.
2.9.5 Solution must include the ability to use external CAs that support PKCS#12, CAPI or Entrust standards.

2.9.6 All security applications must be managed from the central console.
2.9.7 The management must provide a security rule hit counter in the security policy.
2.9.8 Solution must include a search option to be able to easily query which network object contains a specific IP or part of it.
2.9.9 Solution must include the option to segment the rule base using labels or section titles to better organize the policy.
2.9.10 Solution must provide the option to save the entire policy or a specific part of the policy.
2.9.11 Solution must have a security policy verification mechanism prior to policy installation.
2.9.12 Solution must have a security policy revision control mechanism.
2.9.13 Solution must provide the option to add management high availability, using a standby management server that is automatically synchronized with the active one, without the need for an external storage device.
2.9.14 Solution must include a comprehensive map with all network objects and their connections that can be exported to Microsoft Visio or to an image file.
2.9.15 Solution must include the ability to centrally distribute and apply new gateway software versions.
2.9.16 Solution must include a tool to centrally manage licenses of all gateways controlled by the management station.
2.9.17 Solution must have the capabilities for multi-domain management and support the concept of global security policy across domains.
2.9.18 The management GUI should have the ability to easily exclude an IP address from the IPS signature definition.
2.9.19 The Log Viewer should have the ability to easily exclude an IP address from the IPS logs when detected as a false positive.
2.9.20 The management GUI should have the ability to easily get to the IPS signature definition from the IPS logs.
2.9.21 The Log Viewer should have the ability to view all of the security logs (fw, ips, urlf...) in one view pane (helpful when troubleshooting a connectivity problem for one IP address).
2.9.22 The Log Viewer should have the ability to create filters using the predefined objects (hosts, network, groups, users...).
2.9.23 The Log Viewer should have the ability to create multiple custom "saved filters" for use at a later time.

2.10 Threat Prevention Updates
2.10.1 Vendor must provide the details of its threat prevention update mechanism and its ability to handle zero day attacks across all next generation threat prevention applications including IPS, Application Control, URL filtering, Anti-Bot and Anti-Virus.
2.10.2 Vendor must provide details on the re-categorization of URLs, under the circumstances that a website has been compromised and is possibly distributing malware.
2.10.3 Vendor should have the capability to provide incident handling.

2.11 Logging & Monitoring
2.11.1 The central logging must be part of the management system. Alternatively administrators can install dedicated Log Servers.
2.11.2 Solution must provide the option to run on the management server or on a dedicated server.
2.11.3 Solution must be able to run on X86 based open servers listed on a hardware compatibility list.
2.11.4 Solution must have the ability to log all rules (+30k logs/sec).
2.11.5 Log viewer must have an indexed search capability.
2.11.6 Solution must have the ability to log all integrated security applications on the gateway, including IPS, Application Control, URL Filtering, Anti-Virus, Anti-Bot, Anti Spam, User Identity, Data Loss Prevention, Mobile Access.
2.11.7 Solution must include an automatic packet capture mechanism for IPS events to provide better forensic analysis.
2.11.8 Solution must provide different logs for regular user activity and management related logs.
2.11.9 Solution must be able to move from security log record to the policy rule with one mouse click.
2.11.10 For each match rule or type of event Solution must provide at least the following event options: Log, alert, SNMP trap, email and execute a user defined script.
2.11.11 The logs must have a secure channel to transfer logging to prevent eavesdropping. Solution must be authenticated and encrypted.
2.11.12 The logs must be securely transferred between the gateway and the management or the dedicated log server and the log viewer console in the administrator's PC.
2.11.13 Solution must include the option to dynamically block an active connection from the log graphical interface without the need to modify the rule base.
2.11.14 Solution must support exporting logs in database format.
2.11.15 Solution must support automatic switch of the log file, based on a scheduled time or file size.
2.11.16 Solution must support adding exceptions to IPS enforcement from the log record.

2.11.17 Solution must be able to associate a username and machine name to each log record.
2.11.18 Solution must include a graphical monitoring interface that provides an easy way to monitor gateways' status.
2.11.19 Solution must provide the following system information for each gateway: OS, CPU usage, memory usage, all disk partitions and % of free hard disk space.
2.11.20 Solution must provide the status of each gateway component (i.e. firewall, vpn, cluster, antivirus, etc).
2.11.21 Solution must include the status of all VPN tunnels, site-to-site and client-to-site.
2.11.22 Solution must include customizable threshold settings to take actions when a certain threshold is reached on a gateway. Actions must include: Log, alert, send an SNMP trap, send an email and execute a user defined alert.
2.11.23 Solution must include preconfigured graphs to monitor the evolution in time of traffic and system counters: top security rules, top P2P users, vpn tunnels, network traffic and other useful information. Solution must provide the option to generate new customized graphs with different chart types.
2.11.24 Solution must include the option to record traffic and system views to a file for later viewing at any time.
2.11.25 Solution must be able to recognize malfunctions and connectivity problems between two points connected through a VPN, and log and alert when the VPN tunnel is down.

2.12 Event Correlation and Reporting
2.12.1 Solution must be fully integrated in the management application.
2.12.2 Solution must include a tool to correlate events from all the gateway features and third party devices.
2.12.3 Solution must allow the creation of filters based on any characteristic of the event such as security application, source and destination IP, service, event type, event severity, attack name, country of origin and destination, etc.
2.12.4 The application must have a mechanism to assign these filters to different graph lines that are updated at regular intervals showing all events that match that filter, allowing the operator to focus on the most important events.
2.12.5 The event correlation application must supply a graphical view of events based on time.
2.12.6 Solution must show the distribution of events per country on a map.
2.12.7 Solution must allow the administrator to group events based on any of their characteristics, including many nesting levels, and export to PDF.
2.12.8 Solution must include the option to search inside the list of events and drill down into details for research and forensics.
2.12.9 In the event list view Solution must include the option to automatically generate small graphs or tables with the event, source and destination distribution.
2.12.10 Solution must detect Denial of Service attacks correlating events from all sources.
2.12.11 Solution must detect an administrator login at an irregular hour.

2.12.12 Solution must detect credential guessing attacks.
2.12.13 Solution must report on all security policy installations.
2.12.14 Solution must include predefined hourly, daily, weekly and monthly reports, including at least Top events, Top sources, Top destinations, Top services, Top sources and their top events, Top destinations and their top events and Top services and their top events.
2.12.15 The reporting tool must support filters that allow a predefined report to be customized to be closest to the administrator's needs.
2.12.16 Solution must support automatic report scheduling for information that needs to be extracted on a regular basis (daily, weekly, and monthly). Solution must also allow the administrator to define the date and time that the reporting system begins to generate the scheduled report.
2.12.17 Solution must support at least two of the following report formats: HTML, CSV, PDF and MHT.
2.12.18 Solution must support automatic report distribution by email, upload to FTP/Web server and an external custom report distribution script.
2.12.19 The reporting system must provide consolidated information about:
2.12.20 The volume of connections that were blocked by security rule.
2.12.21 Top sources of blocked connections, their destinations and services.
2.12.22 Top Rules used by the security policy.
2.12.23 Top security attacks detected by enforcement point (perimeter), determining their top sources and destinations.
2.12.24 Number of installed and uninstalled policies in the enforcement point.
2.12.25 Top networking services.
2.12.26 Web activity by user detailing the top visited sites and top web users.
2.12.27 Top services that created most load for encrypted traffic.
2.12.28 Top VPN users performing the longest duration connections.

2.13 Management Portal
2.13.1 Solution must include a browser based access to view in read-only the security policies, manage firewall logs and users providing access to managers and auditors without the need to use the management application.
2.13.2 Solution must include SSL support and configurable port.

2.14 Data Loss Prevention (DLP)
2.14.1 Vendor must have an option to add a fully integrated Data Loss Prevention application.
2.14.2 DLP policy must be centrally managed with all other security applications.
2.14.3 DLP application must have a mechanism for end user self-incident handling.
2.14.4 DLP application must have over 500 pre-defined data types.
2.14.5 DLP must have an open scripting language to create custom data types relevant to eThekwini Municipality.
2.14.6 DLP must alert the data type owner when an incident occurs.
2.14.7 DLP application must cover transport types SMTP, HTTP/HTTPS, and FTP TCP protocols.

2.15 Mobility
2.15.1 The vendor should have an option to provide a fully integrated secure mobility solution on the next generation firewall.
2.15.2 The solution must support both managed and unmanaged access devices, such as BYOD.

2.16 Security Gateway Sizing and Recommendations
2.16.1 Vendor must have a dedicated hardware solution to meet all next generation requirements of eThekwini Municipality.
2.16.2 Vendor must be able to supply a recommended hardware configuration based on the criteria of real world traffic and next generation security applications provided by eThekwini Municipality. Vendor must be able to supply the recommended platform for any combination of these next generation firewall applications, with supporting evidence that the appliance will perform as expected.
2.16.3 Internet Bandwidth requirements
2.16.4 Total Throughput requirements
2.16.5 Network Address Translation enabled
2.16.6 Logging Enabled
2.16.7 Maximum Users
2.16.8 IMIX traffic blend of HTTP, SMTP, DNS
2.16.9 Enablement of next generation firewall applications
2.16.10 Firewall
2.16.11 Intrusion Prevention
2.16.12 Application Control and URL filtering

2.16.13 Anti-Bot
2.16.14 Anti-Virus
2.16.15 IPsec VPN
2.16.16 Data Loss Prevention
2.16.17 Anti-Spam
2.16.18 Threat Emulation (Sandboxing)
2.16.19 Local or remote management
2.16.20 Clustering or high availability
2.16.21 Network Interface requirements
2.16.22 Virtual Contexts or Domains

3. Solution Evaluation

Below are minimum specifications of the solution required by the eThekwini Municipality:

Hardware minimum requirements
- 2 x Next Generation Firewall Appliances.
- Appliance must be equipped with a 10Gig SFP+ interface card with 4 available ports.
- Appliance must be equipped with a 1Gig RJ45 Ethernet interface card with 8 available ports.
- Appliance must support additional expansion slots for future use.
- Appliance should allow for hardware components to be upgradeable/replaceable.
- Appliance must support load balancing (Active/Passive, Active/Active & Clustering).
- Appliance must support Lights Out Management.
- Firewall must make use of stateful packet inspection technology.
- Firewall production throughput no less than 20 Gbps per appliance.
- IPS production throughput no less than 5.5 Gbps per appliance.
- The minimum firewall concurrent connections required is 4 000 000 (four million).
- The minimum firewall connections per second required is 190 000 (one hundred ninety thousand).
- The maximum latency should be 10μs (10 microseconds) or less.
- The platform must be able to work with both IPv4 and IPv6.
- Appliance must be configured (hardware & software) optimally to perform as required.

Appliance must be equipped with:
- 4 x Long Range 10Gig SFP+ transceivers (2 per appliance).
- 4 x Short Range 10Gig SFP+ transceivers (2 per appliance).

In addition supplier must provide:
- 2 x Short Range 10Gig SFP+ transceivers for Checkpoint 12600 Appliances (1 per appliance).

Other
- Standard enterprise swap out or equivalent support for 1 year for all supplied hardware.
- SLA hardware for swap out support.
- Cisco Firewall experience (for migrating existing FWSM to new solution).
- Vendor Partner status.
- Project Plan.
- Network Documentation including network datacentre design.

The service provider must, on completion of this project, provide knowledge and skills transfer and onsite training for technical and support staff. The service provider will plan and deliver a business change delivery process that will minimize the business change impact. Technical support would be provided by the service provider.

Appliance: Firewall Vendor Appliance Network Interfaces Operating System Quantity Appliance: Management Server MAX SFP+: MAX Gigabit Ethernet : Slots: Vendor Appliance Model Network interfaces Operating System Quantity MAX SFP+: MAX Gigabit Ethernet: Slots: Documentation: Annexure/Document Documentation: Annexure/Document Firewall/IPS Components Response Documentation: Annexure/Document Firewall Engine Type IPS Engine Type (Signature, Anomaly etc) LAB testing using the following RFCs (1242, 2544, 2588, 2647, 3511, 4487) Raw Firewall throughput (Gbps) Production Firewall throughput (Gbps) Raw IPS throughput (Gbps) Production IPS throughput Connections per second Concurrent connections Latency Maximum NAT translations Data Threat Management Supported(Yes/No) #Signatures Anti-Virus Malware Anti-bot/Botnets Real-time updates(yes/no) %Catch rate Documentation: Annexure/Document

Zero-day Internet Management Application Control URL Filtering Supported(Yes/No) WEB 2.0 compliant(yes/no) HTTPS inspection(yes/no) # Categories Real-time updates(yes/no) Documentation: Annexure/Document Future proof features Supported(Yes/No) Licences required(yes/no) Firewall Contexts(virtual domains) Additional Expansion slots Upgradable hardware components Data loss prevention Sandboxing/Threat emulation Documentation: Annexure/Document Reports Logs Supported Licenses(Yes/No) Documentation: Annexure/Document Real time Event correlation Usage Reports Analytics(Trend statistics) Industry Standard Report as at Q1 2015 Overall Recommendation level Overall Quadrant position Gartner NSS Labs Documentation: Annexure/Document

4. Response requirements

a. General Requirements
Please provide the following together with your response:
- Service Level Agreement to be provided to eThekwini Municipality.
- Call Logging facility and procedure.
- Please supply a risk mitigation strategy of how the proposed solution will be implemented whilst minimizing the business change impact.
- Please provide us with your pricing review policy.
- Please include an implementation project plan and timelines as part of your response.

b. Post Project Support Requirements
In order to ensure the solution is stable and adequately supported after project completion, a support contract should be included. The support must include:
- Swap-out of faulty equipment in the event of failure.
- Support must be available locally in Durban.

c. Previous Implementation History
Indicate the number of customers where you have deployed this type of solution. Please indicate services that are procured by the customers.
i. Number and size of Client Base
ii. Provide reference sites, in South Africa, with contact details

d. Technical Support
Demonstrate how you would support this implementation and migration to give the municipality peace of mind, and your ability to deliver on your proposed solution.
i. Technical competencies within your organization.
ii. Number of Network support resources. Specify how many are locally based in Durban.
iii. Provide Certificates of the Network support resources.

e. Professional Services
Indicate your professional service capacity to design, configure and install the solution to an industry best practice. Demonstrate your ability to deliver a breadth of professional services, including implementation and design, maintenance, security, managed services and consultation. Demonstrate a proven methodology and ability of adherence to relevant standards.
i. Specify what technical documentation and training material will be provided.
ii. Specify the project controls that will be in place.
iii. Specify how change management will be delivered.

5. Pricing structure

The cost structure must be reflected as found on tables, page 25. The price proposal must contain all of the following:

Year 1 (2015)
- Once off cost for supply and delivery of hardware, modules and hardware items.
- Once off cost for licensing and software features, if any, for 1 year.
- Once off cost for Standard Enterprise Swap out support or equivalent on all supplied items for 1 year.
- Once off cost for planning, designing and implementing solution.
- Once off cost for training.
- Cost of any additional supplied hardware, if any.

All pricing to be given in South African Rands. Indicate if your prices are linked to the Rand/Dollar or Rand/Euro exchange rate (7. Exchange rate questionnaire page 43).

Year 2 (2016)
- Once off cost for renewal of software features and/or licenses for supplied items for a further 2 years.
- Once off cost for Standard Enterprise Swap out support or equivalent for a further 2 years on supplied items.

6. Evaluation of Responses

Evaluation will be done on a points system in three phases:
- Technical Evaluation to ensure the responses meet the critical/mandatory requirements (100%) and achieve a satisfactory (70% or above) score on the non-mandatory criteria.
- Price evaluation to establish the lowest cost technically compliant option over the full period of the contract.
- Preference points will be added as per Annexure 6 MDB 6.1 Preference Points Claim form.

6.1 Technical Evaluation

The technical evaluation will be on the following basis:

6.1.1 Critical/Mandatory Requirements (Please Fill In)

Columns: NO.; Requirement; YES; NO; Supplier Response

1. Vendor Partner Status
   Supplier Response: Please provide Proof. Annex/Doc: Page #:

2. Hardware minimum requirements
   - Distributed Architecture: Management and Gateway separate
   - 4 x SFP+ 10gig interface slot
   - 8 x RJ45 1 Gig Ethernet interface slot
   - 2 x SFP+ 10 Gig Short Range modules
   - 2 x SFP+ 10 Gig Long Range modules
   - 2 x SFP+ 10 Gig Short Range Checkpoint modules
   Supplier Response: Please provide Proof. Annex/Doc: Page #:

3. Firewall
   - Engine: Stateful packet inspection
   - Minimum Production Throughput (IMIX traffic blend): 20 Gbps per appliance
   - Minimum Concurrent Connections: 4 Million connections
   - Minimum Connection rate: 190 000 connections per second
   - Must support Virtual Firewall Contexts
   - Load balancing support: Active/Passive, Active/Active & Clustering
   Supplier Response: Please provide Proof. Annex/Doc: Page #:

4. IPS
   - Integrated IPS
   - Engine: Signature based
   - Minimum Production throughput (IMIX traffic blend): 5.5 Gbps per appliance
   - Policy based rule inspection
   - Fail-open threshold
   Supplier Response: Please provide Proof. Annex/Doc: Page #:

5. User Identity
   - Active directory integration
   - LDAP integration
   - Radius and TACACS support
   Supplier Response: Please provide Proof. Annex/Doc: Page #:

6. Application Control with URL filtering
   - Supports HTTPS inspection
   - Real time updates
   - Support Rule flexibility with users and group objects
   - WEB 2.0 Compliant
   Supplier Response: Please provide Proof. Annex/Doc: Page #:

7. Data Threat Management
   - Anti-Virus
   - Anti-bot
   - Malware
   - Anti-spam
   - Real time updates
   Supplier Response: Please provide Proof. Page #:

8. Reporting and Logging
   - Central Logging to management for all features
   - Graphical reports
   - Granular reporting for all features based on
     o Usage
     o Attacks
     o Audit tracking
   - Real time event correlation
   Supplier Response: Please provide Proof. Page #:

9. Future proof features
   - DLP
   - Threat emulation/sandboxing
   - Hot-swappable hardware components
   - Additional Slots for expansion
   Supplier Response: Please provide Proof. Page #:

6.1.2 Non Mandatory Evaluation

The supplier will need to score an average of at least 70% to be considered.

Table 1 - INDICATORS

Columns: QUALITY CRITERIA; SUB CRITERIA; Poor (Score 40%); Satisfactory (Score 70%); Good (Score 80%); Very Good (Score 100%); Ref Page #

RESPONSE TO BRIEF
Sub-criteria: level of understanding (weighting=15); proposed methodology (weighting=15)
- Poor (Score 40%): The proposal shows limited understanding of the business, has not adequately dealt with the key challenges. The proposal does not address many of the criteria identified in the brief. The methodology is weak in important areas and is unlikely to meet the programme requirements.
- Satisfactory (Score 70%): The opportunity is well understood, clearly articulated and key business sectors are adequately addressed. The proposal reflects necessary concepts but has insufficient detail for it to be distinctive. The proposal meets most of the criteria listed in the brief. The proposed methodology is in line with standard practice, covers the key aspects and should meet the programme requirements.
- Good (Score 80%): The proposal clearly demonstrates an understanding of the programme's vision. All key business criteria are identified and adequately addressed. The proposal meets all the criteria listed in the brief. The proposed methodology is detailed and well-conceived, has made allowance for key aspects and risk areas. It meets programme requirements.
- Very Good (Score 100%): A unique proposal that is strongly aligned to and identifiable with the programme. It identifies and deals well with all the business plan criteria. Besides the good rating, the methodology is innovative and poses no risk to the Municipality in terms of Connectivity Downtime. A temporary solution would be in place and the cutover to the permanent solution would be seamless.
- Ref Page #: 18-34 & 37; 35

EXPERTISE & EXPERIENCE
Sub-criterion: Tenderer's experience with similar projects (weighting=15)
- Poor (Score 40%): The tenderer has limited experience in projects of a similar nature and has not undertaken a project of this magnitude.
- Satisfactory (Score 70%): The tenderer has relevant experience in projects of a similar nature but has not directly undertaken a project of this magnitude.
- Good (Score 80%): The tenderer has extensive experience in projects of a similar nature, and has directly undertaken similar projects.
- Very Good (Score 100%): The tenderer has outstanding experience in projects of a similar nature and has taken many such projects.
- Ref Page #: 34 & 41

Sub-criterion: Experience of key staff (weighting=15)
- Poor (Score 40%): Key personnel allocated to the project have limited relevant experience.
- Satisfactory (Score 70%): Key personnel allocated to the project have reasonable relevant experience. Have 1 certified personnel in their field of work that pertains to this project.
- Good (Score 80%): Key personnel allocated to the project have extensive relevant experience. Have 2 certified personnel in their field of work that pertains to this project and have at least one staff based locally in Durban.
- Very Good (Score 100%): Key personnel allocated to the project have outstanding relevant experience. The personnel have at least. Have 3 or more certified personnel in their field of work that pertains to this project and have at least two staff based locally in Durban.
- Ref Page #: 41

FINANCIAL
Sub-criterion: Cost Effectiveness (weighting=20)
- Poor (Score 40%): The financial proposal is excessive and did not substantiate costs.
- Satisfactory (Score 70%): The financial proposal is acceptable.
- Good (Score 80%): The financial proposal is exceptionally competitive and has favourable pricing incentives for future demands.
- Very Good (Score 100%): The tenderer provided proof of financial resources which are well in excess of what is required for the contract.
- Ref Page #: 36

CAPACITY & CAPABILITY
Sub-criterion: Operational plan and resources (weighting=20)
- Poor (Score 40%): Operational plan is sketchy, there is no clarity in terms of rates and/or resources.
- Satisfactory (Score 70%): Operational plan is complete & reasonably detailed. Rates and resources appear adequate.
- Good (Score 80%): Besides meeting satisfactory, rates and resources have been clearly defined and make provision for key risk areas.
- Very Good (Score 100%): Besides meeting the good rating, the plan makes provision for every eventuality.

6.1.3 Product & Company Details

1. What is your company name:-
   (a) Is this a cc, (Pty) Ltd, Partnership, Sole Trader, Joint Venture - (tick):-
       (i) Cc
       (ii) (Pty) Ltd
       (iii) Partnership
       (iv) Sole Trader
       (v) Joint Venture
   (b) If (iii), (iv) or (v) name of partners or owner must be stated below.
2. Are you a registered VAT Vendor (YES / NO)? Please state VAT Number
3. (a) Are you the Manufacturer - (YES / NO)?
   (b) If not, who is the manufacturer of the equipment?

6.1.4 Schedule of Experience

Please indicate sales of a similar nature recently and successfully executed by your company. References need to be given of corporate customers that have more than 6000 employees and purchase more than one type of internet service.

Columns: Name and Address of Company; Contact Person and Telephone Number; Nature of Sale; Value of Work (incl. of VAT); Date Completed or Expected to be Completed

Please state the number and certification level of maintenance and support staff.

Columns: Name; Certification; Years of Experience

6.1.5 Schedule of Compliance with specification

Please indicate below your compliance with the tender requirement.

I/We hereby agree that this tender will hold good and remain open for acceptance until 16:00 on the Friday of the twelfth week (85 calendar days) following the Friday on which tenders are opened or during such other period as may be specified in the Special Conditions of Tender.

Delivery time (must be stated in days or weeks from date of receipt of order). I/We hereby undertake to deliver the above goods or to carry out the services within the following period/s:-......

I/We hereby agree that this tender, together with the Council's letter of Acceptance thereof, will constitute a binding contract which will take effect from the business day following the date of despatch of the letter of acceptance. A separate Service Level agreement (SLA) will however be entered into to govern the contractual relationship between the parties.

Any alterations effected upon any part of the tender documents must be clearly shown by means of a handwritten entry and signed by the tenderer.

Please state your Procurement Reference Number: - PR (refer Clause 20 - Special Conditions of Tender (Goods/Services)).

7. RATE OF EXCHANGE QUESTIONNAIRE

This page is to be completed by Bidders offering goods ex import. Rate Of Exchange (i.e. ROE) will only be applicable if the Rate of Exchange changes by 5%, either way, from the tendered ROE.

a) Country of origin and/or manufacture:
b) Price each f.o.b country of origin. Item 1: Item 2:
c) Delivery charges each from f.o.b country of origin to c.i.f Durban (Prices and delivery charges must be shown in South African currency) *Item 1: Item 2:
d) Ocean freight rate: per 1000 kg/m³ or 2 240 lbs/40 cu.ft.
e) Marine insurance rate: % of value of goods. Please indicate basis of valuation:
f) Marine war risk insurance rate: % value of goods.
g) Wharfage rate: per R 100 value.
h) Landing charges rate: per 1 000 kg or m³. ** per 100 kg or m³. **
i) Delivery charges rate:
j) Customs tariff heading and description (Brussels Nomenclature):
k) Customs duty % of value of goods for duty purposes, or rated duty per kg/m³ article.**
l) Import surcharge: % of value of goods.
m) Railage rate: per 100 kg.
n) Basic rate of exchange (i.e. seven days prior to the date of closing of tenders): See Clause 5 of the Special Conditions of Contract (Goods/Services).
o) Will the Tenderer comply in all respects with Clause 5 of the Special Conditions of Contract (Goods/Services)? (State Yes or No)

* Additional items should be scheduled on a separate page which should be signed and dated by the Tenderer.
** Delete whichever is not applicable.

8. Costs

8.1 Year One

All Costs Must Be Reflected As Once-Off Cost for Year 1 (2015/2016)

Columns: Item No; Description/Part No; Quantity; Price (Excl. VAT); VAT; Total (Incl. VAT)

Appliance Gateway 1 Vendor: Model: 2 Appliance Management 2 Vendor: Model: 3 Installed 8 x 1Gig Ethernet module 1 4 Installed 10G SFP+ Compliant Module cards 2 5 10G SFP+ Long range Transceiver for fibre ports 4 6 10G SFP+ Short range Transceiver for fibre ports 4 7 8 9 10G SFP+ Short range Transceiver for Checkpoint 12600 appliance Standard Enterprise Support swap out or equivalent for supplied hardware items Official Vendor Training for Administrator level of the solution 2 2 10 Official Vendor Training for Professional level of the solution 2 11 Project Cost for Implementation * Other (please define) 12 13 14 Total

8.2 Year Two

All Costs Must Be Reflected As Once-Off Cost for Year 2 (2016/2017)

Columns: Item No; Description/Part No; Quantity; Price (Excl. VAT); VAT; Total (Incl. VAT)

1. Renewal of licenses and/or any software features on all supplied appliances for 2 years. Quantity: 1
2. Renewal Enterprise swap out support or equivalent for supplied appliances for 2 years. Quantity: 1

Total

9. Required Documentation and Tender Returnables

9.1 Tender Returnables Checklist

In addition to the tender document, the following must be submitted/attached thereto. The standard forms are attached to this tender document.

Columns: Description; Yes; No

- Official Tender Form
- Banking Rating Questionnaire
- Critical/Mandatory Checklist
- Checklist Tender Returnables
- Contractor Acknowledgement of Responsibility in of Occupational Health and Safety Act
- Declaration of Interest
- Declaration of Municipal Fees
- Original Valid Tax Clearance Certificate
- Valid Agreement with Manufacturer Or Accredited Distributor/agent
- Schedule of Experience
- Rate of Exchange Questionnaire
- Proof of Resolution As A Close Corporation Or Company
- Original Signed Company Letterhead Reflecting Banking Details and Cancelled Cheque
- Procurement Reference (PR) Number or Supplier Registration Form
- MBD 9 Certificate of Independent Bid Determination
- MDB 6.1 Preference Points Claim Form
- BBB-EE Certificate
- MDB 8 Declaration of Bidders Past Supply Chain Practices

SIGNATURE
DATE
CAPACITY
NAME OF SIGNATORY (In Block Letters)

10. Form of Offer

In response to your Enquiry 1I-17297 Supply & Installation of Firewall Solution Dated...

I/we hereby offer to supply the products and services detailed hereunder in accordance with the Technical Specification, and subject to the Conditions of Tender (Goods/Services) and Government Procurement; General Conditions of Contract which accompanied your Enquiry (with which I/we acknowledge myself/ourselves to be fully acquainted) at the price/s stated in the appropriate column below :-

Columns: Item; Description; Total Price (Excluding VAT); VAT; Total Price (Including VAT)

1. Total Price (Year 1)
2. Total Price (Year 2)
3. Grand Total brought forward for year 1 and 2

Tenders Value added TAX Registration number

NAME AND ADDRESS OF TENDERER:-
SIGNATURE
TELEPHONE NO :
NAME OF SIGNATORY IN BLOCK LETTERS
FAX NUMBER :
DATE :
CAPACITY OF SIGNATORY

NB: - This Official Tender Form must be completed in its entirety and signed, non-compliance will render this tender invalid.