Tender for Supply of Firewall for Air India Express …


REF: AIXL/IT/T/01 Date 13-01-2020

TENDER FOR SUPPLY OF FIREWALL FOR AIR INDIA EXPRESS LIMITED AT KOCHI AND TRIVANDRUM

Air India Express Ltd., a wholly owned subsidiary of Air India, is looking for Supply, Installation, Testing & Commissioning of Firewall and post-implementation on-call onsite 24X7 Support for a 2 year extended warranty period after completion of 1 year free warranty.

Air India Express Ltd (AIXL), under the brand name “Air India Express”, operates approximately 525 flights per week between India and the Middle East / South East Asia. It has a fleet of 25 aircraft of the B 737-800 series.

DISCLAIMER

The information contained in this bid document or subsequently provided to applicant(s)/bidder(s), whether verbally or in documentary or any other form, by or on behalf of Air India Express Ltd. is provided to the applicant(s)/bidder(s) on the terms and conditions set out in this Tender and such other terms and conditions subject to which such information is provided.

This bid document is not an agreement and is neither an offer nor invitation by Air India Express Ltd. to the prospective applicants / bidders or any other person. The purpose of this bid document is to provide interested parties with information that may be useful to the making of their technical / eligibility criteria and financial offers pursuant to this document. Air India Express Ltd. will not be responsible for the legality, effectiveness, adequacy or enforceability of any oral discussions or correspondence exchanged.

Air India Express Ltd. makes no representation or warranty and shall have no liability to any person, including any applicant or bidder, under any law, statute, rules or regulations or tort, principles of restitution or unjust enrichment or otherwise for any loss, damages, cost or expense which may arise from or be incurred or suffered on account of anything contained in this bid document or otherwise, including the accuracy, adequacy, correctness, completeness or reliability of the bid document and any assessment, assumption, statement or information contained therein or deemed to form part of this document or arising in any way in the bidding process.

Air India Express Ltd. also accepts no liability of any nature, whether resulting from negligence or otherwise howsoever caused, arising from reliance of any applicant or bidder upon the statements contained in this document.

1. No. and Name of the Tender: TENDER NO: AIXL/IT/T/01, TENDER FOR SUPPLY OF FIREWALL

2. Date Issued: 13-Jan-2020 (The Tender can be downloaded from the websites www.airindia.in / www.airindiaexpress.in)

3. Last date of receipt of queries, if any, from the prospective Bidders by hard copy or email: 23 Jan 2020 11:00 AM

4. Last date/time for submission of Bid documents (“Due Date/Time”): 03 Feb 2020 10:30 IST

5. Place of Submission of Bids: Air - India Express Building, 1st Floor, Gandhi Square, D.H. Road, Kochi - 682 016, India.

6. Time and Date of Opening of Bids: (i) Technical Bid: 03-Feb-2020, 11:00 AM (ii) Price Bid: 03-Feb-2020, 15:00 PM

7. Place of Opening of Bids: Air - India Express Building, 1st Floor, Gandhi Square, D.H. Road, Kochi - 682 016, India.

8. Extension of Due Date/Time: The Due Date / Time of submission of Bid documents and opening of Bids may be extended at any time, at the sole discretion of AIXL, and shall be displayed on AIXL’s website. No separate press advertisement will be issued by AIXL regarding extension of Bid opening date and Due Date/Time.

9. Earnest Money Deposit (EMD): Rs. 20,000/- (Rupees Twenty Thousand only) shall be submitted along with the technical bid in the form of DD / pay order / banker’s cheque, drawn in favour of “Air India Express Limited”, payable at Mumbai. Bids without EMD shall be rejected.

10. Address of Communication for any clarifications: [email protected] & [email protected]

(IV) SUBMISSION OF BIDS

The Bidders should submit their Bids in a two-bid format, (a) Technical Bid and (b) Price Bid, as per the following details:

❖ Envelope 1 (Technical Bid): Envelope 1, containing the Technical Bid, should be submitted separately in a sealed/closed envelope super scribing along with the requisite proof of submission. The Bidders must furnish the Technical Bid along with all attachments/documents/information and details sought / required through documentary evidence, duly signed by the authorised signatory of the Bidder(s) with company stamp on all the pages of such documentary evidence and annexures submitted along with the Technical Bid, as per the terms of the Tender. The Bidder's name, the email ID / contact numbers (telephone and fax) of the Bidder's contact person, and the item(s) for which the Bid has been submitted should also be mentioned on Envelope 1.

❖ Envelope 2 (Price Bid): The duly filled and signed Price Bid, as per the price format, should be submitted separately in another sealed/closed envelope superscribed “Price Bid for Tender No: AIXL/IT/T/01 for Tender for Supply of Firewall”. The words “Price Bid not to be opened with Technical Bid” should also be superscribed on the envelope. The Price Bid must be signed by the authorised signatory of the Bidder and the company stamp shall be duly affixed on each page. The name of the Bidder, mailing address, contact no., fax, e-mail ID and the item(s) for which the Bid has been submitted should also be mentioned on Envelope 2.

❖ Envelope 3 (Master Envelope): Both the above envelopes, i.e. the Technical Bid and Price Bid, should further be enclosed in a master envelope, which should also be in a sealed/closed condition, superscribed “Tender No:RFPAIXL/IT/T/01 for Tender for Supply of Firewall, NOT TO BE OPENED BEFORE 03 Feb 2020 at 1030 hrs (Bidders to mention Due Date and Time in the blank space)”. The name, contact no., fax, e-mail ID and complete address of the Bidder should be mentioned on the Master Envelope, and the same shall be addressed to:

CHIEF OF HR (For Chief of IT), Air - India Express Building, 1st Floor, Gandhi Square, D.H. Road, Kochi - 682 016, Kerala, India

I. The Bid should be only in the prescribed format. The Bid cover should carry the complete name and address of the Bidder, along with the telephone, fax and e-mail address. Bids must be received by AIXL at the address specified above not later than the Due Date/Time. If for some reason the Bid Due Date/Time or the Bid opening date, as the case may be, is declared a holiday, then the Bid Due Date/Time or the Bid opening date will automatically stand extended to the same timings of the next working day. In the event of the receipt of the Bid after the Due Date/Time, the Bid shall be rejected. AIXL reserves the right to reject any Bid in part or full or annul the Tender process without assigning any reasons.

ii. OPENING OF BIDS

1. The applicant/bidder, or their authorized representative (only one person), would be permitted to attend the opening of bids. The representative must carry a letter of authority from the authorized signatory as per Annexure K, authorizing them to attend the bid opening, failing which they will not be permitted to participate in the bid opening process. Only qualified bidders of technical evaluation would be considered for Financial bid evaluation. Separate authorization letters would be required for Technical and Commercial Bid opening. Such letter of authority may be directly sent to AIXL in advance of the date of opening of the bids by e-mail to [email protected]

2. On the date of opening of the bid only the Technical Bids would be opened, and the Commercial Bids would be kept in the custody of AIXL in the same sealed / closed covers as received from the applicant/bidder.

3. Quotations received by or through E-mail will not be acceptable.

4. The Commercial bid of only those bidder(s) who qualify in the Technical bid evaluation, would be considered for commercial evaluation and shall be intimated separately.

II. TERMS & CONDITIONS

1. General Terms:

(i) No applicant/bidder shall submit more than one bid (Technical and Commercial/ Financial bid) for the purposes herein contained.

(ii) Bids received after the closing date & time will not be considered.

(iii) In case the Commercial/Financial Bid and the Technical Bid are enclosed in the same envelope and/or in an open condition instead of in two separate sealed / closed envelopes, such bids will be rejected.

(iv) The bids should be neatly presented. Corrections, if any, should be duly authenticated with full signature of the person who has signed the bids, failing which such bids are liable to be rejected.

(v) The Technical bid should not contain any indication of price. In case, there is any indication of the price quoted in the Technical bid, such bids will be rejected without any reference to the applicant/bidder. No correspondence will be entertained in this regard.

(vi) The price quoted in the Commercial/Financial bid should remain valid for acceptance for a minimum period of 180 days from the date of opening of the Commercial bids.

(vii) Any clarifications, queries, enquiries, e-mails, submissions etc. with regard to the Tender will be addressed through Emails. The Tender document is neither an agreement nor a binding offer by AIXL to the prospective bidders or any other person. The purpose of this document is to provide information to assist the interested applicants/bidders in the formulation of their proposal pursuant to this Tender document. This document includes statements which reflect various assumptions and assessments arrived at by AIXL in relation to this appointment of agency. Such assumptions and statements do not purport to contain all the information that each bidder may require.

(viii) The applicants/bidders shall be responsible to bear all costs associated with or relating to the preparation and submission of the bid, including but not limited to preparation, copying, postage, delivery fees, expenses associated with any demonstrations or presentations which may be required by AIXL, or any other costs incurred in connection with or relating to the bid. AIXL will not be responsible or in any way liable for such costs, regardless of the conduct or outcome of the bidding process.

(ix) For any clarifications on work scope, the applicant/bidder may contact the following: 1) [email protected] 2) [email protected]

2. Payment & Security Deposit/Bank Guarantee:

a) Payment term is 60 (sixty) days from the date of receipt of the material / item or receipt of original / Tax invoice for payment, whichever is later. However, if a Successful Bidder is an MSME Unit, then the payment will be made within 45 days from the date of receipt of material / item or receipt of original / Tax invoice for payment, whichever is later, as per the guidelines for MSME.

b) Payment will be made preferably through ECS (Electronic Clearance Service) mode for all undisputed amounts. Cheque will be issued only in the absence of ECS. (Successful bidders will have to provide the Bank details and a photocopy of a cancelled cheque for our reference and records.)

c) The following Bank details for reference and record are to be provided by all Bidders, including the Successful Bidder, for the ECS mode of transfer:

a. Account Name

b. Name of the Bank

c. Branch Name

d. Account Number

e. Bank Code/MICR No.

f. IFSC Code

d) TDS shall be deducted by AIXL from the payment made against these invoices, as per the applicable laws.

e) No advance payment shall be made by AIXL.

f) The bidder who qualifies for award of Contract is required to submit an amount equivalent to 5 % of the value of item as interest free Security Deposit by way of Demand Draft/ Bank Guarantee in favour of Air India Express Ltd. payable at Mumbai.

g) AIXL reserves the right to deduct amount from the bill as may be considered reasonable for unsatisfactory services or delay in providing of services. The decision of AIXL will be final in this regard.

3. Evaluation Criteria:

(i) Technical Bid

a. The bidders’ technical bid would be evaluated based on their response to the technical information and as per the eligibility criteria specified in the tender schedule. All the conditions indicated as “MANDATORY” conditions in the Pre-Qualification Criteria and the Technical requirements response format are to be replied as “YES/NO” along with the supporting documents thereof, in order to qualify for the evaluation of the technical bid. Bidders are advised to note that in case any/all mandatory conditions are replied as “NO”, the bids will be liable for disqualification.

b. AIXL reserves the right to confirm the authenticity of the documents or to seek clarifications from the concerned authorities for compliance with the requirements, without making any reference to the applicants/bidders. AIXL also reserves the right to seek additional documents / information / clarifications required from the applicants/bidders as it may deem necessary for the purpose of evaluation of the Technical bids.

(ii) Commercial /Financial Bid: The evaluation criteria for the price bids are as stated below:

a. Only those bidders who are technically qualified as per technical Criteria are eligible to be considered for Commercial/Financial evaluation.

b. The Lowest Bidder (L-1) price would be determined based on the lowest total costs, i.e. Supply, Installation, Testing & Commissioning of Firewall and post-implementation on-call onsite 24X7 Support for two (2) year extended warranty period after completion of one (1) year free warranty.

c. In case of a tie for L-1 between the bidders’ quotes, the Vendors would be required to resubmit a separate financial quote as per procedure for further evaluation and determination of L-1.

Note: Price quoted in words will be considered as final.

4. Grounds for Rejection of bids:

The bids are liable to be rejected forthwith, i.e., without being evaluated, on the following grounds:

(i) If the bids are received after the closing date / time of the tender.

(ii) If only the Technical bid has been received and the Commercial/Financial bid has not been received, and vice versa.

(iii) If the tender bids have been received by fax, telex, telegram or e-mail.

(iv) If bids are not submitted in separate sealed/closed covers as mentioned in the document under the two bid system.

(v) If the tender documents are not signed by the authorized signatory of the Tenderer applicant/bidder.

(vi) If the Commercial/Financial bids are not submitted as per the format given in Annexure 3.

(vii) If conditional offers / discounted offers / ambiguous offers are made by the bidder.

(viii) If the financial details are indicated in any part of the tender submissions / papers (other than the financial bid).

5. Price Negotiation:

As it is not the general norm for AIXL to carry out price negotiations following evaluation of the Commercial bids, the applicants/bidders are advised to submit their best quotes in response to this tender. AIXL, however, reserves the right to carry out techno-commercial negotiations in exceptional cases with the selected bidder(s), including the L1 bidder.

6. Documentation:

All relevant documents required are to be submitted by the successful bidder at their own cost.

7. Amendment of tender document:

(i) At any time prior to the last date for submission of bids, AIXL may for any reason, whether at its own initiative or in response to a clarification requested by a prospective bidder, modify this tender document by an amendment.

(ii) The amendments, if any, will be notified by Email and will be binding on the bidders to comply with.

(iii) In order to afford reasonable time to the bidders to take such amendments into account for preparation and submission of their bids, AIXL may, at its discretion, extend the last date for the submission of bids through Email.

8. Warranty: Warranty for the supplied product should be a minimum of one year, with full replacement by the supplier in case it is unrepairable within 24 hours.

3.1. TECHNICAL SPECIFICATION:

A. Performance Requirement and OEM Qualification

1. The proposed solution must support a user base of 200 to 250 users.

2. The proposed solution must be in the Leader’s quadrant in Gartner Magic Quadrant of Enterprise Firewalls for the last 2 annual reports.

3. The proposed solution shall be an appliance based Next Generation Firewall.

4. Appliance must support Firewall Throughput of minimum 20 Gbps.

5. Appliance must support NGFW Throughput of minimum 1.5 Gbps for Enterprise Mix Traffic.

6. Appliance must support Threat Protection Throughput of minimum 1 Gbps for Enterprise Mix Traffic.

7. Appliance must support IPSec VPN Throughput of minimum 8 Gbps with support for 2000 IPSec Tunnels.

8. Appliance must support SSL VPN Throughput of minimum 500 Mbps with support for 200 SSL VPN licenses from day one.

9. Appliance must have all the features, i.e. IPS, Gateway Antivirus, Antimalware, Anti-spam, VPN, Application Control, Web Filtering.

10. Appliance must support a minimum of 14 nos. of 1G Ethernet ports and 4 nos. of 1G SFP slots. Appliance must ship 4X1G SFP along with the product.

11. The solution must have 10/100/1000 dedicated ports for HA connectivity apart from the ports mentioned above.

12. Appliance should have RJ45 console and 1 no. USB port for firmware upgradation.

13. The proposed solution must be in the Leaders of Forrester Automated Malware Analysis Report.

14. System should have internal storage of minimum 50 GB for storing logs and reports locally.

15. Solution shall support active-passive and active-active high availability without need of any external system or software.

16. Solution must not have application-specific chips; it must be based on parallel processing architecture and must not use proprietary ASIC chips.

17. The Device should have the capability to create virtual firewall systems.

B. Functional Requirement

18. The proposed solution must allow single policy rule creation for application control, user based control, host profile, threat prevention, Anti-virus, file filtering, content filtering, QoS Marking and scheduling at a single place within a single rule and not at multiple locations. There must not be different places and options to define policy rules based on these parameters.

19. Solution must not have any dependence on TCP/UDP/IP port based policies to use the application control function. Application identification and control function should work without needing port based policies.

20. It should be possible to define application based policies on application default ports without needing to define any port numbers. Applications should strictly use their default ports.

21. It shall be possible to define application based policies as part of the firewall policy construct to safely enable applications. Application identification and control should be enforced before the firewall policy action and not as a profile based feature after the firewall policy action has been taken.

22. System should have the capability to identify and inform the admin about any application dependencies while pushing the policies, to reduce errors and time to deploy.

23. The solution must provide Firewall, User identification, Application visibility and control, SSL VPN for 1000 users, IPS, Gateway Anti-virus, Anti-bot, data leakage protection, URL filtering and cloud based sandboxing from day one.

24. Appliance must enable enforcement of Application usage policies: allow, deny, schedule, inspect, and apply traffic shaping.

25. Appliance must be able to identify and control Applications.

26. Appliance must provide for policy based visibility and control over applications.

27. Threat prevention and layer 7 functions should process traffic by a single pass traffic processing design, and not by multiple processes/functions, to achieve higher security performance.

28. The solution must have always-on access to the firewall. The Firewall should have dedicated inbuilt hardware CPU, memory and disk resources for firewall management access, and firewall access must be available irrespective of load on data plane resources.

29. The admins must be able to view reports on the CPU usage for management activities and CPU usage for other activities.

30. The Device should be a purpose-built platform on dedicated hardware.

31. The Device must be rack-mountable on a 19" standard equipment rack and must be provided with an OEM supplied Rack Mount Kit for mounting in a 19" Rack.

32. Device must support built-in function of signature based Gateway Antivirus, Intrusion prevention, URL Filtering and Anti-spyware capability. It should be possible to enable all functions at the same time.

33. Device should have fully Customizable Block Page – The web page that is displayed when a user attempts to access a blocked site should be fully customizable.

34. Device must support Multiple Internet & Intranet Link Load Balancing

35. Antivirus engine should support real‐time detection of viruses and malicious code for HTTP, HTTPS, FTP, SMTP, SMTPS, POP3 and IMAP, NNTP and IM protocols

36. Should support Gateway Data Loss Prevention (DLP) feature for popular protocols like HTTP, HTTPS, FTP, POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS and IM (AIM, ICQ, Yahoo, MSN) with Document Fingerprinting or provide an equivalent external DLP appliance solution which can be integrated with firewall

37. The proposed solution must support Policy Based forwarding based on Source or Destination Address, Source or destination port, Application-ID, AD/LDAP user or User Group, Services or ports.

38. Device must support dynamic WAN path controller.

39. Firewall should have the functionality of Geo Protection to block traffic country-wise in the incoming direction, outgoing direction or both using firewall policies only, without using any other security module such as IPS.

40. Shall be able to identify traffic coming from or going towards known malicious IP addresses and high risk IP addresses. It shall be possible to take different policy actions based on these two types. System should update the list of IP addresses automatically.

41. Firewall should support a minimum of 2000 default application signatures and also allow administrators to create custom application signatures.

42. Solution shall prevent credential stealing attacks using identification of phishing URLs, identify username/password submission to outside websites over HTTP POST messages, and provide multifactor authentication for critical resources. Credential theft function should allow the admin to define credential detection policies based on URL categories.

43. Solution must support creation of custom IPS signatures and custom application identification signatures.

44. IPS signatures should have a severity associated with each signature, and the administrator should be able to configure alert/drop for IPS based on severity. For example, all critical and high severity detections should be dropped and all other severities should be on alert.

45. Solution should support session based load sharing (not packet based) over multiple equal cost paths. It should work with both static and dynamic routing. Solution must support a minimum of 4 ISP links for load balancing and automated failover in case of any ISP link failure.

46. Should be able to integrate with multiple infrastructure components such as Wi-Fi controller using API and syslog, terminal server, Microsoft Exchange, SSL VPN, proxy, domain controller etc. for enforcing user-ID based policies.

47. Firewall must support integration with OpenLDAP, AD and RADIUS for authentication.

48. System should have the capability to dynamically trigger the action of blocking source and/or destination IP based on logs. For example, if the system detects that a user received malware from an outside source IP, that source IP should automatically go into a predefined object group which can be called in policy to block traffic going to or coming from that IP address.

49. Proposed solution must have an inbuilt, OEM developed URL filtering solution to identify URL traffic in more than 50 default categories and support millions of URLs.

50. Solution should provide the capability to create custom URL categories to allow/deny a set of URLs.

51. Solution must be able to maintain an allow/deny URL list per URL profile.

52. URL filtering logs must include source user, source IP, destination IP, port and URL category.

53. System should have the capability to identify file type on download and upload and should allow administrators to restrict file upload/download based on file type.

54. The solution must support languages like Hindi, Urdu and Tamil for URL filtering to fulfill web security needs.

55. Solution should be able to decrypt SSH and SSL inbound and outbound traffic to detect and block any unauthorized or malicious traffic over encrypted sessions. Should support SSL decryption on non-443 ports and should support decryption of SSL enabled SMTP and POP3 email traffic.

56. The proposed solution must support on-appliance per-policy SSL decryption for both inbound and outbound traffic. Policy construct must support source IP, destination IP, source zone, destination zone, source user, destination URL category and action to decrypt or bypass, along with a custom profile for decryption.

57. To prevent evasive users and applications from bypassing security functions, all product functions for IPS, Threat Prevention, and Anti-Virus shall not require specific software port and protocol combinations for detection, mitigation, or enforcement.

58. System should provide the capability to see, in real time, the applications that are bypassing traditional controls and running over non-standard ports.

59. System should support on-box event correlation which can connect isolated network events and look for patterns that indicate a more significant event. System should be able to correlate threat logs such as C&C, URL, DNS and threat traffic.

60. Proposed solution must include the capability to send unknown files to cloud sandbox from day 1. Once malware is identified, the firewall must receive an automated signature update from the cloud within 5 minutes.

61. Cloud based sandboxing should not have any daily, weekly or monthly limitation on the number of unique files that the firewall can send to the cloud for inspection. In case the proposed firewall has any such limit, the vendor shall quote 2 Gbps capacity on-premise sandboxing with HA design.

62. Solution must provide automatic signatures for zero-day malware based on file content and file type (not just file hash and file name).

63. Device should support HTTP, SMTP, POP3, IMAP and FTP protocols.

64. Device should support bare metal analysis along with virtualized environment analysis.

65. Device should support Windows, Android and Mac operating system devices.

66. The proposed solution must support Policy Based forwarding based on:

- Zone

- Source or Destination Address

- Source or destination port

- Application (not port based)

- AD/LDAP user or User Group

- Services or ports

67. Firewall should support Active/Active and Active/Passive HA and must support synchronization of the following for HA:

- All sessions

- Decryption Certificates

- All VPN Security Associations

- All IPS and AV sessions

- All threat and application signatures

- FIB Tables

68. Firewall active-active HA must support IPv6 traffic inspection and stateful failover.

69. The proposed solution must be able to support simultaneous deployment with interfaces servicing Layer 3, Layer 2, Transparent and Tap modes.

C. Services and Other Requirements

70. Solution must be quoted with 3 years license subscriptions and 3 years OEM direct 24X7 premium TAC support and advanced hardware replacement. Firewall to be replaced or fixed on site within 4 hours of fault reporting.

71. A 24*7 Helpdesk support number and engineer contact number (mobile number) are to be provided for reporting of faults and support services, along with an escalation matrix with mobile numbers and email addresses.

72. Effective date of license to be 1st Apr 2020, temp license until 31-Mar-2020. Licence to be valid until 31-03-2023.

D. Warranty and Installation Requirement

73. a) Free Warranty of Product should be 1 year from date of commissioning on site, with replacement within 24 hours.

b) 2 Year Extended warranty with 24x7 on-call on-site Support.

74. Installation and configuration of the equipment within one week of the arrival of materials at the Air India Express Cochin Office and Trivandrum, or any other Office in India if required.

Eligibility Criteria:

(i) Tenderer should be the manufacturer / authorized dealer. Letter of Authorization from

original equipment manufacturer (OEM) specific to the tender should be enclosed.

(ii) An undertaking from the OEM is required stating that they would facilitate the

tenderer on a regular basis with technology/product updates and extend support for

the warranty as well. (Ref. Annexure-4)

(iii) OEM should be Nationally/Internationally reputed Company.

(iv) Non-compliance of tender terms, non-submission of required documents, lack of

clarity of the specifications, contradiction between tenderer specification and

supporting documents etc. may lead to rejection of the bid.

(v) In the tender, either the Indian agent on behalf of the Principal/OEM or

Principal/OEM itself can bid but both cannot bid simultaneously for the same

item/product in the same tender.

(vi) If an agent submits bid on behalf of the Principal/OEM, the same agent shall not

submit a bid on behalf of another Principal/OEM in the same tender for the same

item/product.

Installation & Demonstration

The supplier is required to do the installation and configuration of the equipment

within one week of the arrival of materials at the Air India Express Cochin/TRV

Office, otherwise the penalty clause will be the same as per the supply of materials.

Licence to be effective from 1-Apr-2020 until 31-Mar-2023; a temp license is to be provided during the transition phase.

Shifting: The supplier has to shift and reinstall the instrument in case we shift the premises to a new location or another floor in the next 36 months (if required) to our new HQ.

Downtime: During the warranty period, not more than 1% downtime will be

permissible. For every day exceeding permissible downtime, penalty of 1/365 of the

5% FOB value will be imposed. Downtime will be counted from the date and time of

the filing of complaint.

Training of Personnel: The supplier shall be required to undertake to provide the

technical training to the personnel involved in the use of the equipment at the AIXL

premises, immediately after completing the installation of the equipment as per

Annexure 2

Compliancy certificate: This certificate must be provided indicating conformity to

the technical specifications. (Annexure 1)


Technical Bid (on Letter Head)

ANNEXURE-1

COMPLIANCE SHEET

TECHNICAL SPECIFICATION

A. Performance Requirement and OEM Qualification Compliance (Yes/No)

1. The proposed solution must support a user base of 200 to 250

users

2. The proposed solution must be in the Leader’s quadrant in

Gartner Magic Quadrant of Enterprise Firewalls for the last 2

annual reports.

3. The proposed solution shall be an appliance based Next

Generation Firewall

4. Appliance must support Firewall Throughput of minimum 20 Gbps

5. Appliance must support NGFW Throughput of minimum 1.5 Gbps

for Enterprise Mix Traffic

6. Appliance must support Threat Protection Throughput of

minimum 1 Gbps for Enterprise Mix Traffic

7. Appliance must support IPSec VPN Throughput of minimum 8

Gbps with support for 2000 IPSec Tunnels

8. Appliance must support SSL VPN Throughput of minimum 500

Mbps with support for 200 SSL VPN licenses from day one

9. Appliance must have all the features i.e. IPS, Gateway Antivirus,

Antimalware, Anti-spam, VPN, Application Control, Web Filtering

10. Appliance must support Minimum 14 No 1G Ethernet ports and 4

no’s of 1G SFP Slots. Appliance must ship 4X1G SFP along with

the product.

11. The solution must have 10/100/1000 dedicated ports for HA

connectivity apart from the ports mentioned above

12. Appliance should have RJ45 console and 1 No USB port for firmware upgradation.

13. The proposed solution must be in the Leaders of Forrester

Automated Malware Analysis Report

14. System should use internal storage of minimum 50 GB for storing logs and reports locally

15. Solution shall support active-passive and active-active high

availability without need of any external system or software.

16. Solution must not have application-specific chips; it must be based on parallel processing architecture and must not use proprietary ASIC chips.


17. The Device should have capability to create virtual firewall

systems.

B. Functional Requirement Compliance (Yes/No)

18. The proposed solution must allow single policy rule creation for

application control, user based control, host profile, threat

prevention, Anti-virus, file filtering, content filtering, QoS Marking

and scheduling at single place within a single rule and not at

multiple locations. There must not be different places and options

to define policy rules based on these parameters.

19. Solution must not have any dependence on TCP/UDP/IP port

based policies to use application control function. Application

identification and control function should work without needing

port based policies

20. Should be possible to define application based policies on

application default ports without needing to define any port

numbers. Applications should strictly use their default ports.

21. Shall be able to define application based policies as part of

firewall policy construct to safely enable application. Application

identification and control should be enforced before firewall policy

action and not a profile based feature after firewall policy action

has been taken.

22. System should have the capability to identify and inform admin

about any application dependencies while pushing the policies to

reduce errors and time to deploy.

23. The solution must provide Firewall, User identification,

Application visibility and control, SSL VPN for 1000 users, IPS,

Gateway Anti-virus, Anti-bot, data leakage protection, URL

filtering and cloud based sandboxing from day one.

24. Appliance must enable enforcement of Application usage

policies: allow, deny, schedule, inspect, and apply traffic shaping.

25. Appliance must be able to identify and control Applications

26. Appliance must provide for policy based visibility and control over

applications

27. Threat prevention and layer 7 functions should process traffic by

single pass traffic processing design and not multiple

process/functions to achieve higher security performance.

28. The solution must have always on access to the firewall. The

Firewall should have dedicated inbuilt hardware CPU, memory

and disk resources for firewall management access, and firewall

access must be available irrespective of load on data plane

resources.

29. The admins must be able to view report on the CPU usage for

management activities and CPU usage for other activities.

30. The Device should be Purpose-built platform on dedicated

hardware.


31. The Device must be rack-mountable on 19” standard equipment rack and must be provided with OEM supplied Rack Mount Kit for mounting in 19" Rack

32. Device must support built-in function of signature base Gateway Antivirus, Intrusion prevention, URL Filtering and Anti-spyware capability. It should be possible to enable all functions at the same time.

33. Device should have fully Customizable Block Page – The web page that is displayed when a user attempts to access a blocked site should be fully customizable.

34. Device must support Multiple Internet & Intranet Link Load Balancing

35. Antivirus engine should support real‐time detection of viruses and malicious code for HTTP, HTTPS, FTP, SMTP, SMTPS, POP3 and IMAP, NNTP and IM protocols

36. Should support Gateway Data Loss Prevention (DLP) feature for popular protocols like HTTP, HTTPS, FTP, POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS and IM (AIM, ICQ, Yahoo, MSN) with Document Fingerprinting or provide an equivalent external DLP appliance solution which can be integrated with firewall

37. The proposed solution must support Policy Based forwarding based on Source or Destination Address, Source or destination port, Application-ID, AD/LDAP user or User Group, Services or ports

38. Device must support dynamic wan path controller

39. Firewall should have the functionality of Geo Protection to Block

the traffic country wise in incoming direction, outgoing direction or

both using firewall policies only, without using any other security

module such as IPS.

40. Shall be able to identify traffic coming from or going towards

Known malicious IP addresses and High risk IP addresses. Shall

be possible to take different policy actions based on these two

types. System should update the list of IP address automatically

41. Firewall should support minimum 2000 default application

signatures and also allow administrators to create custom

application signatures.

42. Solution shall prevent credential stealing attack using

identification of phishing URL, identify username/password

submission to outside website over HTTP POST message and

provide multifactor authentication for critical resources. Credential

theft function should allow admin to define credential detection

policies based on URL categories.

43. Solution must support creation of custom IPS signatures and

custom application identification signatures


44. IPS signatures should have severity associated with each of the

signature and administrator should be able to configure alert/drop

for IPS based on severity. For example, all critical and high

severity detection should be dropped and all other severity should

be on alert.

45. Solution should support Session based load sharing (not packet

based) over multiple equal cost paths. It should work with both

static and dynamic routing. Solution must support minimum 4 ISP

links for load balancing and automated failover in case of any ISP

link failure

46. Should be able to integrate with multiple infrastructure

components such as Wi-Fi controller using API and syslog,

terminal server, Microsoft exchange, sslvpn, proxy, domain

controller etc. for enforcing userid based policies.

47. Firewall must support integration with open LDAP, AD and

Radius for Authentication

48. System should have the capability to dynamically trigger the action of blocking source and/or destination IP based on logs. For example, if the system detects that a user received malware from an outside source IP, that source IP should automatically go into a predefined object group which can be called in policy to block traffic going to or coming from that IP address.

49. Proposed solution must have inbuilt OEM developed URL filtering

solution to identify URL traffic on more than 50 default categories

and support millions of URL's

50. Solution should be able to provide capability to create custom

URL categories to allow/deny set of URL's

51. Solution must be able to maintain allow/deny URL list per URL

profile

52. URL filtering logs must include source user, source IP, destination

IP, port and URL category

53. System should have the capability to identify file type download

and upload and should allow administrators to restrict file

upload/download based on file type.

54. The solution must support languages like Hindi, Urdu and Tamil

for URL filtering to fulfill web security needs

55. Solution should be able to decrypt SSH and SSL inbound and outbound traffic to detect and block any unauthorized or malicious traffic over encrypted session. Should support SSL decryption on non 443 port and should support decryption of SSL enabled SMTP and POP3 email traffic

56. The proposed solution must support on appliance Per policy SSL

decryption for both inbound and outbound traffic. Policy construct

must support source IP, Destination IP, source zone, destination

zone, source user, destination URL category and action to

decrypt or bypass along with custom profile for decryption.


57. To prevent evasive users and applications from bypassing

security functions, all product functions for IPS, Threat

Prevention, and Anti-Virus, shall not require specific software port

and protocol combinations for detection, mitigation, or

enforcement.

58. System should provide the capability to see the applications that

are bypassing traditional controls & running over non-standard

ports in real-time.

59. System should support event correlation on the box which can

connect isolated network events and look for patterns that

indicate a more significant event. System should be able to

correlate threat logs such as C&C, URL, DNS and threat traffic

60. Proposed solution must include capability to send unknown files to cloud sandbox from day 1. Once malware is identified the firewall must receive automated signature update from cloud within 5 minutes.

61. Cloud based sandboxing should not have any daily, weekly or

monthly limitation on number of unique files that firewall can send

to cloud for inspection. In case proposed firewall has any such

limit vendor shall quote 2Gbps capacity on premise sandboxing

with HA design

62. Solution must provide automatic signatures for zero-day malware

based on File content and file type (not just file hash and file

name)

63. Device should support http, smtp, pop3, imap and ftp protocols

64. Device should support bare metal analysis along with virtualized

environment analysis

65. Device should support windows, android and mac operating

system devices.

66. The proposed solution must support Policy Based forwarding

based on:

- Zone

- Source or Destination Address

- Source or destination port

- Application (not port based)

- AD/LDAP user or User Group

- Services or ports

67. Firewall should support Active/Active and Active/Passive HA and must support synchronization of the following for HA:

- All sessions

- Decryption Certificates

- All VPN Security Associations

- All IPS and AV sessions

- All threat and application signatures

- FIB Tables


68. Firewall active-active HA must support IPv6 traffic inspection and

stateful failover

69. The proposed solution must be able to support simultaneous deployment with interfaces servicing Layer 3, Layer 2, Transparent and Tap modes

C. Services and Other Requirements Compliance (Yes/No)

70. Solution must be quoted with 3 years license subscriptions and 3

years OEM direct 24X7 premium TAC support and advanced

hardware replacement. Firewall to be replaced or fixed in 4 hours

of fault reporting on site.

71. A 24*7 helpdesk support number and an engineer contact number (mobile number) are to be provided for reporting of faults and support services, along with an escalation matrix with mobile numbers and email addresses.

72. Effective date of license to be 1st Apr 2020, with a temp license until 31-Mar-2020. Licence to be valid until 31-03-2023.

D. Warranty and Installation Requirement Compliance (Yes/No)

73. Free Warranty of Product should be 1 year from date of commissioning on site with replacement within 24 hours.

2 Year Extended Warranty for 24 x7 with on call on Site Support.

74. Installation and configuration of the equipment within one week of

the arrival of materials at the Air India Express Cochin Office or

Any other Office in India if required

I have also enclosed all relevant documents in support of my claims, (as above) in

the following pages.

Scope of Work: It is agreed that the following would be the scope of work under the contract.

1. OEM 24X7 which should include:

a. 24X7 telephonic and ticket support (TAC).

b. In-case of failure, next business day onsite replacement. For failures reported after

2pm on Friday the replacement unit should be provided by coming Monday /Tuesday

(business day).

c. 24X7 firmware updates, software updates / upgrades and patches.

d. Air India Express Ltd should be able to log calls through support portal of the

OEM.

e. Submission of the renewal certificate(s) in physical or electronic from OEM

2. Vendor

a. On-site support by the vendor in case of any issues.

b. Coordination with OEM as and when required, if Air India Express Ltd is not able

to resolve the issues.

c. In case of failure, within 4 hours onsite resolution of default to be provided by the OEM, vendor to:

i. Install and configure the appliance


ii. Collect the faulty unit and send the same to brand repair centre in India.

iii. All charges for shifting and repair to be borne by the vendor.

d. Vendor will have to conduct monthly preventive maintenance, and a report is to be submitted.

e. Should have office in Cochin and Trivandrum for support with Product Certified

engineers.

f. To provide a 24*7 contact number for support services


ANNEXURE 2

Training Requirement

S.No | Description | Network Firewall | Remark (Yes/No)
1. | No of Attendees | 3 |
2. | No. of Days | 2 |
3. | Type of Training | Operational Training / Maintenance |


ANNEXURE 3

PRICE BID

(On Company letter head)

Reference/Tender No.: - Due Date: -

Sl. No | Description of item & specification with Make & Model No. | Qty Required | Unit Price | Discount % | GST % | Other charges, if any (please specify details) | Total Price
1. | Firewall | 02 (Cochin-01, Trivandrum-01) | | | | |
2. | Optional Hardware (SFP, etc.) per unit cost for different types | | | | | |
3. | Optional Subscription and Services | | | | | |
4. | 3 years Subscription licenses | | | | | |
5. | 3 years OEM Premium Support Services | | | | | |
6. | Installation and Commissioning Charges on Site | | | | | |
7. | Two years 24x7 Support Charges per Quarter | | | | | |

Grand Total

In Words

Delivery Period: .........................................days (should be within 3 weeks of order)

Price should include

1. 24*7 on call service from OEM

2. 24*7 on call service from supplier

3. 24*7 on site visit support from supplier based on AIXL request.

4. 2 years extended warranty on device after initial 1 year warranty.

5. Replacement within four hours of fault reporting if not serviceable.

6. Includes all cables


7. Includes the installation and configuration of the firewall.

8. Firewall production licence to be effective 1-Apr-2020.

9. A temp license to be provided during the transition phase until successful configuration and acceptance by authorized IT Department personnel of AIXL.

10. Delivery on FOC basis to Installation Site at Cochin and Tr.

11. Delivery Period: 3 weeks or earlier

12. Validity of the bid 180 days from the date of submission of quotation/tender.

Signature………………………… ……..

Name……………………………………...

Business Address & Stamp…………………………

Place: ………………. Date: ……………….

Note: - Price Bid should be submitted in given format only. For additional

information/extra items above format may be typed and used.


ANNEXURE- 4

On Company letterhead

Undertaking

Date:

To

Air India Express Ltd.,

Kochi

Sub:

Dear Sir,

We, __________________(Name of Manufacturer) having registered office at __________________ hereby authorize M/s _____________ (Name of Bidder) to quote, supply, install and support Servers and additional Hardware as per Air India Express requirements mentioned in the subject RFP.

We further confirm that all quoted Hardware Equipment will be fully supported and their spares will be available for a minimum period of 03 years from the date of equipment installation and the equipment will not become obsolete during this period.

The undersigned is authorized to issue such authorization on behalf of __________________(Name of Manufacturer)

For M/s ________________

Signature & company seal

Name

Designation

E-mail/Mobile No.


Annexure 5

On Company Letterhead

Date

To

Chief of IT

Air India Express Ltd

Sir,

Sub: Authorization for attending opening of TECHNICAL / COMMERCIAL BID

The following person(s) is/are hereby authorized to attend Technical/ Commercial Bid

opening of subject tender.

S. No. Name E-Mail Contact No. Signature

Signature: ………………………………..

Authorized Signatory’s Name: ……………..

Company Name:

NOTE:

1. Permission for entry to the Hall where bids are opened may be refused in case authorization as prescribed above is not received.

2. The authorized representatives, in their own interest, must reach the venue of bid opening well in time.

3. The authorized representatives must carry a valid photo identity.

4. Separate authorization letters would be required for Technical and Commercial Bid opening.