Allied Telesis ARX200S-GT: Secure 1G Branch Office Firewall

Security Appliances | Product Information

Overview

The Allied Telesis ARX200S-GT is designed for businesses requiring Unified Threat Management (UTM) and secure WAN connectivity. It offers a powerful 1G firewall, threat protection, routing, switching, comprehensive VPN support, and SD-WAN capabilities, providing an innovative high-performance business solution for branch offices.

The ARX200S-GT is ideal for 1G WAN performance at the branch office, supporting cloud-first environments. It features an advanced UTM firewall with integrated security, an application-aware firewall, SD-WAN for inter-branch automation and optimization, and remote worker VPNs. Its fanless design ensures silent operation and allows for flexible deployment in modern WAN solutions.

High Performance with Flexible Connectivity:

Leveraging multi-core processors and application acceleration engines, the ARX200S-GT delivers high performance with 1G WAN and LAN ports.

Performance Specifications
Feature	ARX200S-GT
Firewall Throughput	2Gbps
Firewall Concurrent Sessions	600,000
VPN Throughput (AES-GCM)	1Gbps
VPN Throughput (AES256/SHA256)	1Gbps
UTM Throughput (Application Control/Web Control)¹	1.2Gbps

¹ Note: Actual values may vary considerably depending on network environment.

² UTM features require a license.

Key Features

DPI Firewall Engine

The high-performance inspection engine performs stream-based bi-directional traffic analysis, identifying individual applications while blocking intrusion attempts and malware. It protects networks by scanning inbound traffic for threats and outbound traffic for business reputation risks. Its integrated, purpose-built solution provides single-pass, low-latency inspection and protection for all network traffic.

Application and Web Control

Application Control: Provides fine-grained control over applications, content, and users. It supports a built-in application list or a subscription-based database of regularly updated application signatures.

Application Bandwidth Management: Manages application bandwidth to support business requirements while limiting non-essential applications.

Web Control: Utilizes a subscription-based Web Control feature for easy management of user website access. Users can select content categories to allow or deny globally, or per user or group. URLs can be checked for their web control category to ensure alignment with business policies. Proxy-based or Deep Packet Inspection (DPI) options offer flexibility.

URL Filtering: Enables HTTP or HTTPS access to specific websites to be allowed or blocked using user-defined lists.

Firewall and Networking

VRF-Lite: Allows multiple routing tables, enabling the use of the same or overlapping IPv4 addresses across independent routing instances. The built-in DHCP Server is VRF-aware for IP address supply across multiple isolated networks.

Deployment Options: Supports traditional NAT, Layer 2 Bridge, Wire Mode, and Network Tap modes.

IPv6 Transition Technologies: Supports DS (Dual Stack) Lite, Lightweight 4over6, and MAP-E for connecting IPv4 networks over an IPv6 Internet connection.

WAN Connectivity: A gigabit LAN switch port can be configured as a second WAN port for resiliency and higher performance, supporting dual Service Provider connections.

AMF-WAN (Allied Telesis SD-WAN): Measures WAN link quality and directs applications over the most suitable inter-branch connection. It allows load balancing across multiple WAN links and prioritizes business-critical applications. Internet breakout sends cloud-based applications directly from the branch to the Internet, reducing VPN traffic load and increasing performance.

sFlow: An industry-standard technology for monitoring networks, providing visibility into network use for performance optimization, usage accounting/billing, and security threat defense. It supports up to five collectors for a real-time view of network traffic.

Unified Threat Management

DoS Attack Protection: Protects against Denial of Service (DoS) attacks designed to consume resources and deny network access.

Automatic Security Updates: UTM Firewalls with active security subscriptions automatically receive new threat signature and database updates, ensuring up-to-the-minute security without user intervention.

Zone-based Protection: Enhances internal security by segmenting the network into multiple security zones, blocking threat propagation.

Virtual Private Networking

IPSec VPN: High-performance IPSec VPN enables Allied Telesis UTM Firewalls to act as VPN concentrators for large sites, branch offices, or home offices. Multipoint VPN connects a head office to multiple branch offices via a single VPN.

SSL/TLS VPN: The OpenVPN client provides easy access to corporate digital resources remotely. Secure login options include LDAP authentication and two-factor authentication (code, certificates, or OTP via email). Users can specify the TLS version for OpenVPN connections and utilize TLS Crypt for enhanced security against TLS DoS attacks.

Redundant VPN Gateway: Configurable primary and secondary VPNs support seamless failover of VPN connectivity when using multiple WAN connections.

Dynamic Routing through VPN tunnels: Ensures connectivity by routing traffic through an alternate link in the event of a tunnel failure.

Key Solution: Integrated Security and Threat Protection

The ARX200S-GT UTM Firewall serves as an integrated security platform for modern businesses, combining next-generation firewall and threat protection with secure remote access, routing, and switching. This provides a single platform to connect and protect corporate data.

The solution can involve a 1G ARX200S-GT at the branch office and a 10G ARX200S-GTX at the central office, connected via site-to-site IPSec VPN. SSL VPN access for remote workers ensures full access to digital company resources when away from the office.

The firewall secures both remote connectivity and inbound/outbound business data. Full application control allows organizations to manage application usage, enforcing security and acceptable use policies effectively.

Allied Telesis UTM Firewalls offer a comprehensive, integrated security platform for protecting online business activity.

Automated Network Management

The firewalls integrate with Allied Telesis AMF Plus, a suite of management tools that automate and simplify network administration. Features like centralized management, auto-backup, auto-upgrade, auto-provisioning, and auto-recovery streamline networking. Network growth is simplified with plug-and-play deployment, and network node recovery is zero-touch.

The ARX200S-GT can operate as an AMF Plus member, benefiting from advanced management and automation capabilities.

Key Solution: Integrated Wireless Network Management

Allied Telesis AWC (Autonomous Wireless LAN) addresses common Wireless LAN challenges such as initial setup complexity and performance degradation. The auto-setup option simplifies wireless deployment by creating wireless profiles and automatically associating Access Points (APs). AWC's intelligent process recalibrates signal strength and radio channels for optimal WLAN performance.

When combined with the ARX200S-GT firewall, AWC provides an ideal solution for branch offices and small businesses, enabling both network protection and management. It saves time and money for network administrators deploying and managing WLANs.

Vista Manager mini, integrated into the ARX200S-GT's Device GUI, offers a solution for modern networks, enabling automated management and monitoring of both wired (AMF) and wireless (AWC) networks. This reduces administration time and cost while maximizing network performance for a superior user experience.

Up to 10 TQ Series wireless APs can be managed for free.

Features Summary

Firewall

Deep Packet Inspection (DPI) application-aware firewall (built-in or Sandvine application lists) for granular control of apps and IM (chat, file transfer, video).
Application Layer Gateway (ALG) for FTP, SIP, and H.323.
Application layer proxies for SMTP and HTTP.
Bandwidth limiting control for applications and IM/P2P.
Firewall session limiting per user or entity (zone, network, host).
Bridging between Ethernet ports.
Data leakage prevention.
Bidirectional single-pass inspection engine.
Maximum and guaranteed bandwidth control.
Multi-zone firewall with stateful inspection.
Static NAT (port forwarding), double NAT, and subnet-based NAT.
Masquerading (outbound NAT).
Proxy-based web control by content categorization (Opentext).
Custom web control categories, match criteria, and keyword blocking per entity.
Control network access and traffic regionally with GeoIP (Geographic IP).
Security for IPv6 traffic.

Networking

A gigabit LAN switch port can be configured as a second WAN port for resiliency and higher performance.
Routing mode / bridging mode / mixed mode.
Static unicast and multicast routing for IPv4 and IPv6.
DS-Lite, Lightweight 4over6, and MAP-E for connecting IPv4 networks over IPv6.
Dynamic routing (RIP, OSPF, BGP) for IPv4 and IPv6.
Flow-based Equal Cost Multi Path (ECMP) routing.
Dynamic multicasting support by IGMP and PIM.
Route maps and prefix redistribution (OSPF, BGP, RIP).
Virtual Routing and Forwarding (VRF-Lite).
Traffic control for bandwidth shaping and congestion avoidance.
Policy-based routing.
SD-WAN: performance measure and load balance WAN links.
PPPoE client with PADT support.
DHCP client, relay, and server for IPv4 and IPv6.
Dynamic DNS client.
IPv4 and IPv6 dual stack.
Device management over IPv6 networks with SNMP, Telnet, and SSH.
Logging to IPv6 hosts with Syslog v6.
Web redirection allows service providers to direct users to a specified web address.
LLDP and LLDP-MED for network discovery.
sFlow packet sampling for network monitoring.

Management

Allied Telesis Autonomous Management Framework Plus (AMF Plus) enables powerful centralized management and zero-touch device installation and recovery.
AMF Plus secure mode increases network security with management traffic encryption, authorization, and monitoring.
Web-based Device GUI for firewall configuration and easy monitoring.
Vista Manager mini, built-in to the Device GUI, enables visual management and monitoring of a wireless network.
Industry-standard CLI with context-sensitive help.
Role-based administration with multiple CLI security levels.
Built-in text editor and powerful CLI scripting engine.
Comprehensive SNMPv2c/v3 support for standards-based device management.
Event-based triggers allow user-defined scripts to be executed upon selected system events.
Comprehensive logging to local memory and syslog.
Console management port on the front panel for ease of access.
USB interface allows software release files, configurations, and other files to be stored for backup and distribution to other devices.

Diagnostic Tools

Automatic link flap detection and port shutdown.
Ping polling for IPv4 and IPv6.
Port mirroring.
Trace Route for IPv4 and IPv6.
DPI statistics per entity (Zone, Network, Host), or per PBR rule for SD-WAN.

Authentication

RADIUS authentication and accounting.
RADIUS group selection per VLAN or port.
TACACS+ Authentication, Accounting, and Authorization (AAA).
Local or server-based RADIUS user database.
Strong password security and encryption.
RADIUS CoA (Change of Authorization).
MAC and 802.1x Port authentication on switch ports.
Web Authentication.
Two-factor authentication using a code, certificates, or a one-time password (OTP) via email for maximum security.

Unified Threat Management (UTM)

Auto-update of UTM signature files.
DoS and DDoS attack detection and protection.
URL blacklists and whitelists (block or allow HTTP and HTTPS access to specific websites).
Zone-based UTM.

VPN Tunneling

Diffie-Hellman key exchange (D-H groups 2, 5, 14, 15, 16, 18).
Secure encryption algorithms: AES and 3DES.
Secure authentication: SHA-1, SHA-256, SHA-512.
IKEv1 and IKEv2 key management.
IPsec Dead Peer Detection (DPD).
IPsec NAT traversal.
IPsec VPN for site-to-site connectivity.
Multipoint VPN for connecting a single VPN to multiple endpoints.
Dynamic routing through VPN tunnels (RIP, OSPF, BGP).
Redundant VPN gateway.
SSL/TLS VPN for secure remote access using OpenVPN.
Two-factor authentication and LDAP authentication options ensure secure OpenVPN login.
IPv6 tunneling.

Wireless Controller AWC

Allied Telesis AWC is an intelligent WLAN controller that automatically maintains optimal wireless coverage.
Up to ten access points (APs) can be managed for free.
Auto-setup simplifies wireless network deployment.
Rogue AP detection for increased WLAN security.
WEP/WPA personal or WPA enterprise, pre-shared key (WEP/WPA personal), RADIUS server (WPA enterprise).
Wireless networks can have separate SSIDs, VLANs, security settings, etc.
APs can belong to multiple networks each with different wireless settings, and can broadcast multiple SSIDs (Virtual AP).
APs can be defined individually or in bulk using a common profile.
AP radio settings can be configured automatically (default) or manually.
AP functions such as updating firmware, executing AWC calculations, and applying calculation results can be run automatically based on a user-defined schedule.
AWC supports Allied Telesis TQ Series wireless access points.

Specifications

Category	ARX200S-GT
Processor and memory
Security processor	1.6GHz 4-core
Memory (RAM)	2GB
Memory (Flash)	4GB
Security features
Firewall	Stateful deep packet inspection, application aware, multi-zone firewall
Application proxies	FTP, TFTP, SIP
Threat protection	DoS attacks, fragmented and malformed packets, blended threats, and more
Security subscriptions	Advanced Firewall
Tunneling and encryption
Site-to-site VPN tunnels (IPsec)	500
Client-to-site VPN tunnels (OpenVPN)	500
Encrypted VPN	IPsec, SHA-1, SHA-256, SHA-512, IKEv2, SSL/TLS VPN
Encryption	3DES, AES-128, AES-192, AES-256, AES-GCM, TLS-Crypt (OpenVPN)
Key exchange	Diffie-Hellman groups 5, 14, 16
Dynamic routed VPN	RIP, OSPF, BGP, RIPng, OSPFv3, BGP4+
Point to point	Static PPP, L2TPv2 virtual tunnels, L2TPv3 Ethernet pseudo-wires
Encapsulation	GRE for IPv4 and IPv6
Management and authentication
Logging and notifications	Syslog (IPv4 and IPv6), SNMPv2c & v3
User interfaces	Web-based GUI, scriptable industry-standard CLI, NETCONF/RESTCONF
Secure management	SSHv1/v2, strong passwords
Management tools	Allied Telesis Autonomous Management Framework™ Plus (AMF Plus), Autonomous Wave Control for wireless LAN APs (AWC), Vista Manager EX
User authentication	RADIUS, TACACS+, internal user database
Command authorization	TACACS+ AAA (Authentication, Accounting, and Authorization)
Networking
Routing (IPv4)	Static, Dynamic (BGP4, OSPF, RIPv1/v2), source-based routing, policy-based routing, VRF-Lite, SD-WAN
Routing (IPv6)	Static, Dynamic (BGP4+, OSPFv3, RIPng), policy-based routing, SD-WAN
Multicasting	IGMPv1/v2/v3, PIM-SM, PIM-DM, PIM-SSM, PIMv6
High availability	VRRP, VRRPv3
Traffic control	8 priority queues, DiffServ, HTB scheduling, RED curves
IP address management	Static v4/v6, DHCP v4/v6 (server, relay, client), PPPoE
NAT	Static, Dynamic & Static ENAT, Double NAT, subnet-based NAT
Link aggregation	802.3ad static and dynamic (LACP)
VLANs	802.1Q tagging
Discovery	LLDP, LLDP-MED, sFlow

Hardware Characteristics

Input power	90V to 264V AC (47 to 63Hz)
Max power consumption	17W
LAN ports	4 x 10/100/1000T RJ-45
WAN port	1 x 10/100/1000T RJ-45
Other ports	1 x USB port (3.0), 1 x RJ-45 console port
Product dimensions (W x D x H)	210 mm (8.26 in) x 220 mm (8.66 in) x 42.5 mm (1.67 in)
Packaged dimensions (W x D x H)	560 mm (22.04 in) x 331 mm (13.03 in) x 321 mm (12.63 in)
Product weight	1.4 kg
Typical / Max noise	Fanless/Silent Operation

Environmental Specifications

Operating temperature range	0°C to 50°C (32°F to 122°F)
Storage temperature range	-25°C to 70°C (-13°F to 158°F)
Operating relative humidity range	5% to 90% non-condensing
Storage relative humidity range	5% to 95% non-condensing
Operating altitude	Up to 3000 meters (9,843 ft)

Regulations and Compliances

EMC	CISPR 32 class A, EN55032 class A, FCC class A, VCCI class A, ICES class A, UKCA class A
Immunity	EN55035
Safety Standards	UL 62368-1, IEC 62368-1, EN 62368-1
Safety Certifications	UL, TuV
Reduction of Hazardous Substances (RoHS)	EU RoHS compliant, China RoHS compliant

Security Licenses

NAME	DESCRIPTION	INCLUDES
AT-ARX2-UTM-01-1YR	Advanced Firewall license (1 year)	Application Control (Sandvine) Web Control (Opentext)
AT-ARX2-UTM-01-5YR	Advanced Firewall license (5 years)	Application Control (Sandvine) Web Control (Opentext)

Ordering Information

AT-ARX200S-GT-xx

1 x 10/100/1000 WAN
4 x 10/100/1000 LAN
Where xx = power cord type (e.g., 10 for USA, 30 for UK, 40 for Australia, 50 for Europe)

Accessories:

AT-RKMT-J15: Rack mount kit for two devices side-by-side in a 19-inch equipment rack.
AT-RKMT-J14: Rack mount kit for one device in a 19-inch equipment rack.
AT-BRKT-J24: Wall mount kit for AT-ARX200S.
AT-STND-J03: Stand-kit for AT-ARX200S.
AT-VT-kit3: USB console Cable.

Related Products

Wireless APs that can be managed by the ARX200S-GT:

AT-TQ7403: Enterprise-Class hybrid Wi-Fi 6E AP with 3 radios (2x2 2.4GHz and 2x2 5GHz and 2x2 6GHz), embedded and external antenna.
AT-TQ6702 GEN2: Enterprise-Class hybrid Wi-Fi 6 AP with 2 radios (4 x 4 2.4GHz and 8 x 8 5GHz) and embedded antenna.
AT-TQ6702e GEN2: Outdoor Wi-Fi 6 hybrid AP with 2 radios (4x4 2.4GHz and 8x8 5GHz) and embedded antenna.
AT-TQ6602 GEN2: Enterprise-Class hybrid Wi-Fi 6 AP with 2 radios (4 x 4 2.4GHz and 4 x 4 5GHz) and embedded antenna.
AT-TQ6403 GEN2: Enterprise-Class hybrid Wi-Fi 6 AP with 3 radios (2x2 2.4GHz, 2x2 5GHz 1, and 2x2 5GHz 2) and embedded antenna.
AT-TQm6702 GEN2: Enterprise-Class Wi-Fi 6 AP with 2 radios (4 x 4 2.4GHz and 8 x 8 5GHz) and embedded antenna.
AT-TQm6602 GEN2: Enterprise-Class Wi-Fi 6 AP with 2 radios (4x4 2.4GHz and 4x4 5GHz) and embedded antenna.
AT-TQ1402: Enterprise-Class Advanced 802.11ac Wave 2 Wireless Access Point with 2 radios and embedded antenna.
AT-TQm1402: Enterprise-Class 802.11ac Wave 2 Wireless Access Point with 2 radios and embedded antenna.

Google Docs
Google Drive
Download [pdf]

File Info : application/pdf, 8 Pages, 922.64KB

ati-arx200s-gt-ds Adobe PDF Library 17.0

	Allied Telesis AR3050S and AR4050S UTM Firewalls: Integrated Security and Network Management Explore the Allied Telesis AR3050S and AR4050S Unified Threat Management (UTM) Firewalls, offering robust integrated security, advanced threat protection, comprehensive network management, and seamless wireless control for modern business environments.
	Release Note for Vista Manager EX Software Version 3.14.x This document details the new features, enhancements, and important considerations for Allied Telesis Vista Manager EX software version 3.14.0. It covers updates to network management, licensing, notifications, SD-WAN rules, and more, along with instructions for upgrading.
	Allied Telesis Vista Manager Virtual (VST-VRT) Release Notes Version 3.12.1 This document provides release notes for Allied Telesis Vista Manager Virtual (VST-VRT) software version 3.12.1. It details new features, supported virtual platforms, important upgrade considerations, and provides step-by-step instructions for upgrading the VST-VRT operating system and its associated applications, including Vista Manager, AMF Cloud, AMF Security, RADgate, Wireless Controller (AWC), and SNMP (Full).
	Vista Manager EX v3.14.x User Guide A comprehensive user guide for Allied Telesis Vista Manager EX v3.14.x, detailing its features for network monitoring, management, and automation. Covers installation, configuration, dashboard usage, network mapping, health monitoring, event management, asset management, network services, WAN configuration, user management, and system management.
	Allied Telesis Vista Manager EX v3.15.0 Release Notes This release note details the new features, enhancements, and important considerations for Allied Telesis Vista Manager EX software version 3.15.0. It covers updates to network management capabilities, security features like SMTP OAuth and 2FA, AI integration, and AWC plugin improvements.
	Allied Telesis Web-based Device GUI Release Notes Version 2.12.0 This document provides release notes for Allied Telesis Web-based Device GUI version 2.12.0. It details new features such as Access Control Lists (ACLs), simplified Passpoint setup, increased wireless VAP support, and Emergency Mode activation via USB. Instructions for accessing and updating the GUI on switches and AR-Series devices are also included.
	Allied Telesis Product Catalog 2023: Network Solutions Explore the comprehensive Allied Telesis Product Catalog 2023, featuring advanced network management, switches, security appliances, wireless solutions, media converters, network adapters, and transceiver modules designed for enterprise, campus, and industrial networks.
	Getting Started with Allied Telesis TQR Series Wireless Routers using the Device GUI A comprehensive guide to setting up and configuring Allied Telesis TQR Series Wireless Routers using the intuitive Device GUI. Learn to manage Wi-Fi networks, configure firewall and NAT rules, monitor system performance, and upgrade firmware.