Firewall as a Service (FWaaS)

A component of the California Government Enterprise Network (CGEN), Firewall as a Service (FWaaS) is a CDT managed network service. FWaaS provides Layer 7 firewall capabilities for CGEN and customer Virtual Route Forwarding (VRF) connectivity.

CDT manages the infrastructure and the customer chooses to manage the security policies or have CDT manage security policies. This infrastructure includes network equipment designed with region diversity, fault tolerance and scalability. Customers are still responsible for their own local area network (LAN).



  • Layer 7 Firewall inspection including, URL filtering, IPS, malware and application level filtering
  • Dashboard login (with customer managed rules) to monitor firewall health, logs, and reporting of customer traffic
  • Geographically separated hardware


  • Send logs to customer syslog server
  • 24 x 7 monitoring, service desk, and security operations center (SOC) monitoring
  • Filtering for field office(s), headquarters, TMS-B and Cloud Provider Interconnect (CPI)

VRF Filtering

FWaaS provides protection by becoming the default gateway of one or many customer VRF(s). FWaaS configures the customer VRF(s) as a DMZ instance on the firewall. The internet connectivity is provided by the existing CGEN WAN connectivity.

Layer 7 Filtering

FWaaS provides Layer 7 filtering that you would expect from today’s modern Next Generation Firewalls. The CDT service request process will include detailed information you may need.

Customer Management

Customers who chose to self-manage policies are hosted on a logical instance of the hardware. Customers will have a customized login that allows access to Monitor, Configure, and Troubleshoot functionality of the firewall.

CDT will manage the Layer 3 connectivity/routing, interface configuration, failover, O/S and other infrastructure related to the service.


FWaaS is available to any CGEN customer. The physical equipment is located in Rancho Cordova and San Jose.

Maintenance Schedule

Maintenance is scheduled during standard CDT Preventive Maintenance windows that can be viewed at the link below.

What speeds does the FWaaS support?

  • From 250Mbps to 6Gbps, in increments of 250Mbps

Is FWaaS Redundant?

  • Yes, it is fault tolerant in Rancho Cordova, CA and region redundant in San Jose, CA

Why do I need to buy a minimum of 500Mbps to manage my own policies?

  • This is the required minimum to ensure the rates are competitive, based on license usage.

Is anything not supported on FWaaS?

  • FWaaS does not support Security Socket Layer (SSL) offloading or remote access Virtual Private Network (VPN) termination.

Can FWaaS terminate an IPSEC tunnel?

  • Yes, FWaaS will terminate site to site Internet Protocol Security (IPsec) tunnels.

What technology/vendor does FWaaS use?

  • The CDT Case / Request process will include this information and any other detailed information you may need. 

What if I want a physical firewall?

  • Contact your Customer Engagement Services (CES) representative.

StageCDTCustomer (Managing own Security Policies)Customer (CDT Managing Security Policies)
PlanningParticipate in design meetings to determine customer requirements and appropriate solutions.Actively engage with CDT and vendor partners to collaboratively determine the best network connectivity option. Consider access mechanisms, security, integration, application architecture, disaster recovery, bandwidth needs, and customer specific requirements.Actively engage with CDT and vendor partners to collaboratively determine the best network connectivity option. Consider access mechanisms, security, integration, application architecture, disaster recovery, bandwidth needs, and customer specific requirements.
ProvisioningTurn up and test logical connections. Document connectivity.Provide CDT with any customer side of network information required to provision FWaaS. Implement needed security policies.Provide CDT with any customer side of network information required to provision FWaaS. Provide security rules for CDT to implement (if known).
Support24 x 7 x 365 CDT Service Desk support for network connectivity. Collaborate with customer and vendor partners for trouble resolution. Plan and augment capacity as needed.Implement security policies as required. Monitor Customer environment based on agency need. Collaborate with CDT for trouble resolution.Submit Firewall Request for Security Policy changes. Collaborate with CDT for trouble resolution.

The rate schedule represents standard CDT services. If a Customer requires technology solutions that are not part of the standard, CDT will review the Customer’s request and provide customized pricing as necessary.

Service DescriptionService IdentifierProduct NameUnit of MeasurementRateService CodeNotes 
ConsultingFaaSFirewall as a ServicePer Hour*$112.00G358*Minimum 5 hours of consulting is required for configuration and installation of FWaaS.
Firewall as a ServiceFirewall as a ServiceNetwork ServicesMonthly/250 MB$279.00N788
Consulting - Dedicated Network Customer EquipmentFWaaSConsultingHourly$130.00G258
Consulting - Dedicated Network Customer EquipmentFWaaSConsultingHourly$95.00G458
Consulting - Dedicated Network Customer EquipmentFWaaSConsultingHourly$82.00G558

Subscriptions to this service are available.


Customer enrollment in the Firewall as a Service (FWaaS) is a two-step process that begins with the Customer submitting a Case/Request for a New Network Design and Cost Estimate for FWaaS (link below). CDT will contact the Customer and schedule a requirements gathering meeting.

If the Customer wants to move forward, the Customer attaches the design and cost estimate to a second Case/Request for Firewall as a Service (FWaaS).

Enrollment in the Firewall as a Service (FWaaS)

  1. The Customer contacts their Account Lead.
  2. The Customer submits a Case/Request for New Network Design and Cost Estimate for FWaaS. A requirements gathering and design meeting will be scheduled by CDT, if required.
  3. Based on this meeting, CDT attaches a cost estimate and high level design to the Case/Request.
  4. Case/Request is closed.
  5. The Customer submits a second Case/Request for FWaaS implementation by selecting Firewall as a Service (FWaaS).
  6. CDT works with the Customer to implement design, test and turn up connectivity.
  7. Case/Request is closed.

Submit a Case/Request a Design and Cost Estimate for FWaaS:  Request Design/Cost Estimate

Submit a Case/Request FWaaS Implementation: Request Implementation

If you have questions or need further clarification, please contact your CDT Account Lead by using the Account Lead Directory, or call Customer Engagement at (916) 431-5390.