Exploring firewalls
IBM Cloud® offers several firewalls to choose from. The following table compares the firewall solutions to help you choose the most suitable one. To learn more about the individual offering, click its name in the table.
These offerings are not managed services. When using them, you must understand the shared responsibilities between the client (or their managed services provider) and IBM. For more information, refer to Roles and responsibilities for IBM Cloud gateways and firewalls.
Effective 17 December 2025, Fortigate Security Appliance 10 Gbps and IBM Shared Hardware Firewall on IBM Cloud have reached End of Marketing (EOM) and no longer accept new orders. Additionally, both these services will reach End of Support (EOS) on 31 December 2026. After this date, they will no longer be supported or available for use on IBM Cloud.
Migration options for FSA 10Gbps and IBM shared hardware firewall
FortiGate Security Appliance 10Gbps and Shared Hardware Firewall are expected to reach end of support on 31 December 2026. To keep your network secure and avoid any business disruptions, we recommend planning your migration well before the end of support date.
The following alternatives help you migrate to a suitable firewall offering:
- Recommended option:
- Migrate to the Fortinet Virtual Firewall (vFSA). See Getting started with vFSA and license types.
- Use Forti-Converter Service that is included in the enterprise license to migrate security policies and configurations from Fortinet hardware to the Fortinet virtual appliance.
- Register an account in the FortiConverter Service for customer self-managed service.
- For help with creating a migration ticket, see the Forti-Converter Service Ticket Guide.
- Other virtual firewall options:
- Virtual Router Appliance (VRA 5600): Enterprise router with firewall, VPN, traffic shaping, and policy-based routing. See Getting started with Virtual Router Appliance.
- Juniper vSRX with Content Security Bundle: Enhanced security features, VLAN protection, HA configurations, IPS/IDS/UTM capabilities. See Getting started with Juniper vSRX.
Contact IBM Cloud Support for any guidance or to know more about the migration process.
| Security Groups (VSI only) | IBM Cloud Juniper vSRX Standard | Virtual Router Appliance | FortiGate Security Appliance 10 Gbps | Hardware Firewall | Cloud Internet Services | Virtual FortiGate Security Appliance | |
|---|---|---|---|---|---|---|---|
| Stateful Packet Inspection |  |
|
|
|
|
IP firewall only | |
| Public Network Protection | |
|
|
|
|
|
|
| Private Network Protection | |
|
|
|
|
||
| Ingress Rules | |
|
|
|
|
IP Firewall only | |
| Egress Rules | |
|
|
|
|
||
| Single Tenant Appliance | |
|
|
|
|
||
| VLAN Protection | |
|
|
|
|
||
| Multi-VLAN Support | |
|
|
|
|||
| NAT Support | |
|
|
|
|||
| SSL/IPsec VPN Termination | |
|
|
|
|
||
| Open VPN Termination | |
Only with single port on TCP/UDP | |
||||
| HA Option | N/A | |
|
|
Using range and load balancers | |
|
| Manage from API & Portal | Yes | Appliance GUI | Appliance GUI | Appliance GUI | Yes | Cloud console | Appliance GUI |
| 10 Gbps Support | N/A | |
|
|
|
||
| NGFW Add-ons (IPS, AV, WF) | |
|
TLS encryption, IP Firewall rules, and Proxy Protocol v1 | |
|||
| Remote Access VPN | |
|