REF:AIXL/IT/T/01 Date 13-01-2020
TENDER FOR SUPPLY OF FIREWALL
FOR
AIR INDIA EXPRESS LIMITED
AT
KOCHI AND TRIVANDRUM
Air India Express Ltd., a wholly owned subsidiary of Air India, is looking for Supply,
Installation, Testing & Commissioning of Firewall and post-implementation
on-call onsite 24X7 support for a 2 year extended warranty period
after completion of 1 year free warranty.
Air India Express Ltd (AIXL), under the brand name “Air India Express”, operates approximately 525 flights per week to and from India to Middle East/ South East Asia. It has a fleet size of 25 aircraft of B 737-800 series.
DISCLAIMER
The information contained in this bid document or subsequently provided to
applicant(s)/bidder(s) whether verbally or in documentary or any other form by or on behalf
of Air India Express Ltd. is provided to the applicant(s)/bidder(s) on the terms and
conditions set out in this Tender and such other terms and conditions subject to which such
information is provided.
This bid document is not an agreement and is neither an offer nor invitation by Air India
Express Ltd. to the prospective applicants / bidders or any other person. The purpose of this
bid document is to provide interested parties with information that may be useful to the
making of their technical / eligibility criteria and financial offers pursuant to this document.
Air India Express Ltd. will not be responsible for the legality, effectiveness, adequacy or
enforceability of any oral discussions or correspondence exchanged.
Air India Express Ltd. makes no representation or warranty and shall have no liability to any
person, including any applicant or bidder under any law, statute, rules or regulations or tort,
principles of restitution or unjust enrichment or otherwise for any loss, damages, cost or
expense which may arise from or be incurred or suffered on account of anything contained
in this bid document or otherwise, including the accuracy, adequacy, correctness,
completeness or reliability of the bid document and any assessment, assumption, statement
or information contained therein or deemed to form part of this document or arising in any
way in the bidding process.
Air India Express Ltd. also accepts no liability of any nature whether resulting from
negligence or otherwise howsoever caused arising from reliance of any applicant or bidder
upon the statements contained in this document.
1. No. and Name of the Tender: TENDER NO: AIXL/IT/T/01, TENDER FOR SUPPLY OF FIREWALL
2. Date Issued: 13-Jan-2020 (The Tender can be downloaded from website www.airindia.in / www.airindiaexpress.in)
3. Last date of receipt of queries from the prospective Bidders, if any, by hard copy or email: 23 Jan 2020 11:00 AM
4. Last date/time for submission of Bid documents (“Due Date/Time”): 03 Feb 2020 10:30 IST
5. Place of Submission of Bids: Air - India Express Building, 1st Floor, Gandhi Square, D.H. Road, Kochi - 682 016, India.
6. Time and Date of Opening of Bids: (i) Technical Bid: 03-Feb-2020, 11:00 AM (ii) Price Bid: 03-Feb-2020, 15:00 PM
7. Place of Opening of Bids: Air - India Express Building, 1st Floor, Gandhi Square, D.H. Road, Kochi - 682 016, India.
8. Extension of Due Date/Time: The Due Date / Time of submission of Bid documents and opening of Bids may be extended at any time, at the sole discretion of AIXL and shall be displayed on AIXL’s website. No separate press advertisement will be issued by AIXL regarding extension of Bid opening date and Due Date/Time.
9. Earnest Money Deposit (EMD): Rs. 20,000/- (Rupees Twenty Thousand only) shall be submitted along with the technical bid in the form of DD/pay order/ banker’s cheque, drawn in favour of “Air India Express Limited” payable at Mumbai. Bids without EMD shall be rejected.
10. Address of Communication for any clarifications: [email protected] & [email protected]
(IV) SUBMISSION OF BIDS
The Bidders should submit their Bids in a two-bid format, (a) Technical Bid & (b) Price Bid, as per following details:
❖ Envelope– 1 (Technical Bid): The Envelope 1 containing the Technical Bid should be submitted separately in a sealed/closed envelope super scribing along with the requisite proof of submission. The Bidders must furnish the Technical Bid along with all attachments/documents/information and details sought / required through documentary evidence, duly signed by the authorised signatory of the Bidder(s) with company stamp on all the pages of such documentary evidence and annexure submitted along with Technical Bid, as per the terms of the Tender. The Bidder's name, email ID / contact numbers (telephone and fax) of the Bidder's contact person, and the item(s) for which the Bid has been submitted should also be mentioned on the Envelope-1.
❖ Envelope– 2 (Price Bid): The duly filled and signed Price Bid, as per price format, should be submitted separately in
another sealed/closed envelope super scribing “Price Bid for Tender No: AIXL/IT/T/01 for
Tender for Supply of Firewall”. The words “Price Bid not to be opened with Technical
Bid” should also be super-scribed on the envelope. The Price Bid must be signed by the
authorised signatory of the Bidder and company stamp shall be duly affixed on each page.
The name of the Bidder, mailing address, contact no., fax, e-mail-id and the item(s) for which
the Bid has been submitted should also be mentioned on Envelope-2.
❖ Envelope 3 (Master Envelope):
Both the above envelopes, i.e. the Technical Bid and Price Bid, should further be enclosed in a master envelope which should also be in a sealed/closed condition super scribing “Tender No:RFPAIXL/IT/T/01 for Tender for Supply of Firewall, NOT TO BE OPENED BEFORE 03 Feb 2020 at 1030 hrs (Bidders to mention Due Date and Time in the blank space)”. The name, contact no., fax, e-mail-id and complete address of the Bidder should be mentioned on the Master Envelope and the same shall be addressed to:
CHIEF OF HR (For Chief of IT), Air - India Express Building, 1st Floor, Gandhi Square, D.H. Road, Kochi-682 016, Kerala, India
I. The Bid should be only in the prescribed format. The Bid cover should carry the
complete name and address of the Bidder, along with the telephone, fax and e-mail address. Bids must be received by AIXL at the address specified above not later than the Due Date/Time. If for some reason, the Bid Due Date/Time or the Bid opening date, as the case may be, is declared a holiday, then the Bid Due Date/Time or the Bid opening date will automatically stand extended to the same timings of the next working day. In the event of the receipt of the Bid after the Due Date/Time, the Bid shall be rejected. AIXL reserves the right to reject any Bid in part or full or annul the Tender process without assigning any reasons.
ii. OPENING OF BIDS
1. The applicant/bidder, or their authorized representative (only one person), would be permitted to attend the opening of bids. The representative must carry a letter of authority from the authorized signatory as per Annexure K, authorizing them to attend the bid opening, failing which they will not be permitted to participate in the bid opening process. Only qualified bidders of technical evaluation would be considered for Financial bid evaluation. Separate authorization letters would be required for Technical and Commercial Bid opening. Such letter of authority may be directly sent to AIXL in advance of the date of opening of the bids by e-mail to [email protected]
2. On the date of opening of the bid only the Technical Bids would be opened, and the Commercial Bids would be kept in the custody of AIXL in the same sealed / closed covers as received from the applicant/bidder.
3. Quotations received by or through E-mail will not be acceptable.
4. The Commercial bid of only those bidder(s) who qualify in the Technical bid evaluation, would be considered for commercial evaluation and shall be intimated separately.
II. TERMS & CONDITIONS
1. General Terms:
(i) No applicant/bidder shall submit more than one bid (Technical and Commercial/ Financial bid) for the purposes herein contained.
(ii) Bids received after the closing date & time will not be considered.
(iii) In case the Commercial/Financial Bid and the Technical Bid are enclosed in the same envelope and/or in an open condition instead of in two separate sealed / closed envelopes, such bids will be rejected.
(iv) The bids should be neatly presented. Corrections, if any, should be duly authenticated with full signature of the person who has signed the bids, failing which such bids are liable to be rejected.
(v) The Technical bid should not contain any indication of price. In case, there is any indication of the price quoted in the Technical bid, such bids will be rejected without any reference to the applicant/bidder. No correspondence will be entertained in this regard.
(vi) The price quoted in the Commercial/Financial bid should remain valid for acceptance for a minimum period of 180 days from the date of opening of the Commercial bids.
(vii) Any clarifications, queries, enquiries, e-mails, submissions with regard to the Tender etc. will be addressed through emails. The Tender document is neither an agreement nor a binding offer by AIXL to the prospective bidders or any other person. The purpose of this document is to provide information to assist the interested applicants/bidders in the formulation of their proposal pursuant to this Tender document. This document includes statements which reflect various assumptions and assessments arrived at by AIXL in relation to this appointment of agency. Such assumptions and statements do not purport to contain all the information that each bidder may require.
(viii) The applicants/bidders shall be responsible to bear all costs associated with or relating to the preparation and submission of bid including but not limited to preparation, copying, postage, delivery fees, expenses associated with any demonstrations or presentations which may be required by AIXL or any other costs incurred in connection with or relating to the bid. AIXL will not be responsible or in any way liable for such costs, regardless of the conduct or outcome of the bidding process.
(ix) For any clarifications on work scope, the applicant/bidder may contact the following: 1) [email protected] 2) [email protected]
2. Payment & Security Deposit/Bank Guarantee:
a) Payment term is 60 (sixty) days from the date of receipt of the material / item or receipt of original / Tax invoice for payment, whichever is later. However, if a Successful Bidder is a MSME Unit, then the payment will be made within 45 days from the date of receipt of material / item or receipt of original / Tax invoice for payment, whichever is later as per the guidelines for MSME.
b) Payment will be made preferably through ECS (Electronic Clearance Service) mode for
all undisputed amounts. Cheque will be issued only in the absence of ECS. (Successful bidders will have to provide the Bank details and a photocopy of a cancelled cheque for our reference and records.)
c) The following Bank details for reference and record are to be provided by all Bidders
including the Successful Bidder for the ECS mode of transfer:
a. Account Name
b. Name of the Bank
c. Branch Name
d. Account Number
e. Bank Code/MICR No.
f. IFSC Code
d) TDS shall be deducted by AIXL from the payment made against these invoices, as per
the applicable laws.
e) No advance payment shall be made by AIXL.
f) The bidder who qualifies for award of Contract is required to submit an amount equivalent to 5 % of the value of item as interest free Security Deposit by way of Demand Draft/ Bank Guarantee in favour of Air India Express Ltd. payable at Mumbai.
g) AIXL reserves the right to deduct amount from the bill as may be considered reasonable for unsatisfactory services or delay in providing of services. The decision of AIXL will be final in this regard.
3. Evaluation Criteria:
(i) Technical Bid
a. The bidders’ technical bid would be evaluated based on their
response to the technical information and as per the eligibility criteria
specified in the tender schedule. All the conditions indicated as
“MANDATORY” conditions in the Pre-Qualification Criteria and the Technical
requirements response format are to be replied as “YES/NO” along-with the
supporting documents thereof, in order to qualify for the evaluation of the
technical bid. Bidders are advised to note in case any/all mandatory
conditions are replied as “NO”, the bids will be liable for disqualification.
b. AIXL reserves the right to confirm the authenticity of the documents or to seek clarifications from the concerned authorities for
compliance with the requirements, without making any reference to the applicants/bidders. AIXL also reserves the right to seek additional documents / information / clarifications required from the applicants/bidders as it may deem necessary for the purpose of evaluation of the Technical bids.
(ii) Commercial /Financial Bid: The evaluation criteria for the price bids are as stated below:
a. Only those bidders who are technically qualified as per technical Criteria are eligible to be considered for Commercial/Financial evaluation.
b. The Lowest Bidder (L-1) price would be determined based on the lowest total costs, i.e. Supply, Installation, Testing & Commissioning of Firewall and Support for post implementation on call onsite 24X7 Support for two (2) year extended warranty period after completion of one (1) year free warranty.
c. In case of a tie for L-1 between the bidders’ quotes, Vendor would be required to resubmit a separate financial quote as per procedure for further evaluation and determination of L-1.
Note: Price quoted in words will be considered as final.
4. Grounds for Rejection of bids:
The bids are liable to be rejected forthwith, i.e., without being evaluated, on the
following grounds:
(i) If the bids are received after the closing date / time of the tender.
(ii) If only the Technical bid has been received and the Commercial/Financial bid has not been received, and vice versa.
(iii) If the tender bids are received by fax, telex, telegram or e-mail.
(iv) If bids are not submitted in separate sealed/closed covers as
mentioned in the document under two bid system.
(v) If the tender documents are not signed by the authorized signatory of the Tenderer applicant/bidder.
(vi) If the Commercial/Financial bids are not submitted as per the format given in Annexure 3.
(vii) If conditional offers/ discounted offers/ ambiguous offers are made by
the bidder.
(viii) In case the financial details are indicated in any part of the tender
submissions / papers (other than financial bid).
5. Price Negotiation:
As it is not the general norm for AIXL to carry out price negotiations following
evaluation of the Commercial bids, the applicants/bidders are advised to
submit their best quotes in response to this tender. AIXL, however, reserves
the right to carry out techno-commercial negotiations in exceptional cases
with the selected bidder (s) including L1 bidder.
6. Documentation:
All relevant documents required are to be submitted by the successful bidder
at their own cost.
7. Amendment of tender document:
(i) At any time prior to the last date for submission of bids, AIXL may for any reason, whether at its own initiative or in response to a clarification requested by a prospective bidder, modify this tender document by an amendment.
(ii) The amendments, if any, will be notified by Email and will be binding on the bidders to comply with.
(iii) In order to afford reasonable time to the bidders to take such amendments into account for preparation and submission of their bids, AIXL may, at its discretion, extend the last date for the submission of bids through Email.
8. Warranty: Warranty for the supplied product should be minimum one year with full replacement in case unrepairable within 24 hours by the supplier.
3.1. TECHNICAL SPECIFICATION:
A. Performance Requirement and OEM Qualification
1. The proposed solution must support a user base of 200 to 250 users
2. The proposed solution must be in the Leader’s quadrant in Gartner Magic
Quadrant of Enterprise Firewalls for the last 2 annual reports.
3. The proposed solution shall be an appliance based Next Generation Firewall
4. Appliance must support Firewall Throughput of minimum 20 Gbps
5. Appliance must support NGFW Throughput of minimum 1.5 Gbps for Enterprise
Mix Traffic
6. Appliance must support Threat Protection Throughput of minimum 1 Gbps for
Enterprise Mix Traffic
7. Appliance must support IPSec VPN Throughput of minimum 8 Gbps with support
for 2000 IPSec Tunnels
8. Appliance must support SSL VPN Throughput of minimum 500 Mbps with support
for 200 SSL VPN licenses from day one
9. Appliance must have all the features i.e. IPS, Gateway Antivirus, Antimalware,
Anti-spam, VPN, Application Control, Web Filtering
10. Appliance must support Minimum 14 No 1G Ethernet ports and 4 nos of 1G SFP
Slots. Appliance must ship 4X1G SFP along with the product.
11. The solution must have 10/100/1000 dedicated ports for HA connectivity apart from
the ports mentioned above
12. Appliance should have RJ45 console and 1 No USB port for firmware
upgradation.
13. The proposed solution must be in the Leaders of Forrester Automated Malware
Analysis Report
14. System should use internal storage of minimum 50 GB for storing logs and
reports locally
15. Solution shall support active-passive and active-active high availability without
need of any external system or software.
16. Solution must not have application-specific chips; it must be based on parallel
processing architecture and must not use proprietary ASIC chips.
17. The Device should have capability to create virtual firewall systems.
B. Functional Requirement
18. The proposed solution must allow single policy rule creation for application
control, user based control, host profile, threat prevention, Anti-virus, file filtering,
content filtering, QoS Marking and scheduling at single place within a single rule
and not at multiple locations. There must not be different places and options to
define policy rules based on these parameters.
19. Solution must not have any dependence on TCP/UDP/IP port based policies to
use application control function. Application identification and control function
should work without needing port based policies
20. Should be possible to define application based policies on application default
ports without needing to define any port numbers. Applications should strictly use
their default ports.
21. Shall be able to define application based policies as part of firewall policy
construct to safely enable application. Application identification and control should
be enforced before firewall policy action and not a profile based feature after
firewall policy action has been taken.
22. System should have the capability to identify and inform admin about any
application dependencies while pushing the policies to reduce errors and time to
deploy.
23. The solution must provide Firewall, User identification, Application visibility and
control, SSL VPN for 1000 users, IPS, Gateway Anti-virus, Anti-bot, data leakage
protection, URL filtering and cloud based sandboxing from day one.
24. Appliance must enable enforcement of Application usage policies: allow, deny,
schedule, inspect, and apply traffic shaping.
25. Appliance must be able to identify and control Applications
26. Appliance must provide for policy based visibility and control over applications
27. Threat prevention and layer 7 functions should process traffic by single pass
traffic processing design and not multiple process/functions to achieve higher
security performance.
28. The solution must have always on access to the firewall. The Firewall should
have dedicated inbuilt hardware CPU, memory and disk resources for firewall
management access, and firewall access must be available irrespective of load
on data plane resources.
29. The admins must be able to view report on the CPU usage for management
activities and CPU usage for other activities.
30. The Device should be Purpose-built platform on dedicated hardware.
31. The Device must be rack-mountable on 19” standard equipment rack and must be
provided with OEM supplied Rack Mount Kit for mounting in 19" Rack
32. Device must support built-in function of signature based Gateway Antivirus,
Intrusion prevention, URL Filtering and Anti-spyware capability. It should be
possible to enable all functions at the same time.
33. Device should have fully Customizable Block Page – The web page that is displayed when a user attempts to access a blocked site should be fully customizable.
34. Device must support Multiple Internet & Intranet Link Load Balancing
35. Antivirus engine should support real‐time detection of viruses and malicious code for HTTP, HTTPS, FTP, SMTP, SMTPS, POP3 and IMAP, NNTP and IM protocols
36. Should support Gateway Data Loss Prevention (DLP) feature for popular protocols like HTTP, HTTPS, FTP, POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS and IM (AIM, ICQ, Yahoo, MSN) with Document Fingerprinting or provide an equivalent external DLP appliance solution which can be integrated with firewall
37. The proposed solution must support Policy Based forwarding based on Source or
Destination Address, Source or destination port, Application-ID, AD/LDAP user or
User Group, Services or ports
38. Device must support dynamic wan path controller
39. Firewall should have the functionality of Geo Protection to Block the traffic country
wise in incoming direction, outgoing direction or both using firewall policies only,
without using any other security module such as IPS.
40. Shall be able to identify traffic coming from or going towards Known malicious IP
addresses and High risk IP addresses. Shall be possible to take different policy
actions based on these two types. System should update the list of IP address
automatically
41. Firewall should support minimum 2000 default application signatures and also
allow administrators to create custom application signatures.
42. Solution shall prevent credential stealing attack using identification of phishing
URL, identify username/password submission to outside website over HTTP
POST message and provide multifactor authentication for critical resources.
Credential theft function should allow admin to define credential detection policies
based on URL categories.
43. Solution must support creation of custom IPS signatures and custom application
identification signatures
44. IPS signatures should have severity associated with each of the signature and
administrator should be able to configure alert/drop for IPS based on severity. For
example all critical and high severity detection should be dropped and all other
severity should be on alert.
45. Solution should support Session based load sharing (not packet based) over
multiple equal cost paths. It should work with both static and dynamic routing.
Solution must support minimum 4 ISP links for load balancing and automated
failover in case of any ISP link failure
46. Should be able to integrate with multiple infrastructure components such as Wi-Fi
controller using API and syslog, terminal server, Microsoft exchange, SSLVPN,
proxy, domain controller etc. for enforcing userid based policies.
47. Firewall must support integration with open LDAP, AD and Radius for
Authentication
48. System should have the capability to dynamically trigger action of blocking source
and/or destination IP based on logs. For example, if the system detects that a user
received malware from an outside source IP, that source IP should automatically go into a
predefined object group which can be called in policy to block traffic going to or
coming from that IP address.
49. Proposed solution must have inbuilt OEM developed URL filtering solution to
identify URL traffic on more than 50 default categories and support millions of
URL's
50. Solution should be able to provide capability to create custom URL categories to
allow/deny set of URL's
51. Solution must be able to maintain allow/deny URL list per URL profile
52. URL filtering logs must include source user, source IP, destination IP, port and
URL category
53. System should have the capability to identify file type download and upload and
should allow administrators to restrict file upload/download based on file type.
54. The solution must support languages like Hindi, Urdu and Tamil for URL filtering to
fulfill web security needs
55. Solution should be able to decrypt SSH and SSL inbound and outbound traffic to detect and block any unauthorized or malicious traffic over encrypted session. Should support SSL decryption on non 443 port and should support decryption of
SSL enabled SMTP and POP3 email traffic
56. The proposed solution must support on appliance Per policy SSL decryption for
both inbound and outbound traffic. Policy construct must support source IP,
Destination IP, source zone, destination zone, source user, destination URL
category and action to decrypt or bypass along with custom profile for decryption.
57. To prevent evasive users and applications from bypassing security functions, all
product functions for IPS, Threat Prevention, and Anti-Virus, shall not require
specific software port and protocol combinations for detection, mitigation, or
enforcement.
58. System should provide the capability to see the applications that are bypassing
traditional controls & running over non-standard ports in real-time.
59. System should support event correlation on the box which can connect isolated
network events and look for patterns that indicate a more significant event.
System should be able to correlate threat logs such as C&C, URL, DNS and
threat traffic
60. Proposed solution must include capability to send unknown files to cloud sandbox
from day 1. Once malware is identified the firewall must receive automated
signature update from cloud within 5 minutes.
61. Cloud based sandboxing should not have any daily, weekly or monthly limitation
on number of unique files that firewall can send to cloud for inspection. In case
proposed firewall has any such limit vendor shall quote 2Gbps capacity on
premise sandboxing with HA design
62. Solution must provide automatic signatures for zero-day malware based on File
content and file type (not just file hash and file name)
63. Device should support http, smtp, pop3, imap and ftp protocols
64. Device should support bare metal analysis along with virtualized environment
analysis
65. Device should support windows, android and mac operating system devices.
66. The proposed solution must support Policy Based forwarding based on:
- Zone
- Source or Destination Address
- Source or destination port
- Application (not port based)
- AD/LDAP user or User Group
- Services or ports
67. Firewall should support Active/Active and Active/Passive HA and must support synchronization of the following for HA:
-All sessions
-Decryption Certificates
-All VPN Security Associations
-All IPS and AV sessions
-All threat and application signatures
-FIB Tables
68. Firewall active-active HA must support IPv6 traffic inspection and stateful failover
69. The proposed solution must be able to support simultaneous deployment with interfaces
servicing Layer 3, Layer 2, Transparent and Tap modes
C. Services and Other Requirements
70. Solution must be quoted with 3 years license subscriptions and 3 years OEM
direct 24X7 premium TAC support and advanced hardware replacement. Firewall
to be replaced or fixed within 4 hours of fault reporting on site.
71. Will provide 24*7 Helpdesk support number and engineer contact number (mobile
number) to be provided for reporting of fault and support services with escalation
matrix and their mobile number and email address.
72. Effective date of license to be 1st Apr 2020, temp license until 31-Mar-2020. Licence
to be valid until 31-03-2023.
D. Warranty and Installation Requirement
73. a) Free Warranty of Product should be 1 year from date of commissioning
on site with replacement within 24 hours.
b) 2 Year Extended warranty for 24x7 with on-call on-site support
74. Installation and configuration of the equipment within one week of the arrival of
materials at the Air India Express Cochin Office and Trivandrum or any other
Office in India if required
Eligibility Criteria:
(i) Tenderer should be the manufacturer / authorized dealer. Letter of Authorization from
original equipment manufacturer (OEM) specific to the tender should be enclosed.
(ii) An undertaking from the OEM is required stating that they would facilitate the
tenderer on a regular basis with technology/product updates and extend support for
the warranty as well. (Ref. Annexure-4)
(iii) OEM should be Nationally/Internationally reputed Company.
(iv) Non-compliance of tender terms, non-submission of required documents, lack of
clarity of the specifications, contradiction between tenderer specification and
supporting documents etc. may lead to rejection of the bid.
(v) In the tender, either the Indian agent on behalf of the Principal/OEM or
Principal/OEM itself can bid but both cannot bid simultaneously for the same
item/product in the same tender.
(vi) If an agent submits bid on behalf of the Principal/OEM, the same agent shall not
submit a bid on behalf of another Principal/OEM in the same tender for the same
item/product.
Installation & Demonstration
The supplier is required to do the installation and configuration of the equipment
within one week of the arrival of materials at the Air India Express Cochin/TRV
Office, otherwise the penalty clause will be the same as per the supply of materials.
Licence to be effective 1-Apr-2020 until 31-Mar-2023; a temp license to be provided
during the transition phase.
Shifting: The supplier has to shift and reinstall the instrument, in case we shift the
premise to new location or another floor in next 36 months(if required) to our new
HQ.
Downtime: During the warranty period, not more than 1% downtime will be
permissible. For every day exceeding permissible downtime, penalty of 1/365 of the
5% FOB value will be imposed. Downtime will be counted from the date and time of
the filing of complaint.
Training of Personnel: The supplier shall be required to undertake to provide the
technical training to the personnel involved in the use of the equipment at the AIXL
premises, immediately after completing the installation of the equipment as per
Annexure 2
Compliancy certificate: This certificate must be provided indicating conformity to
the technical specifications. (Annexure 1)
Technical Bid (on Letter Head)
ANNEXURE-1
COMPLIANCE SHEET
TECHNICAL SPECIFICATION
A. Performance Requirement and OEM Qualification Compliance (Yes/No)
1. The proposed solution must support a user base of 200 to 250
users
2. The proposed solution must be in the Leader’s quadrant in
Gartner Magic Quadrant of Enterprise Firewalls for the last 2
annual reports.
3. The proposed solution shall be an appliance based Next
Generation Firewall
4. Appliance must support Firewall Throughput of minimum 20 Gbps
5. Appliance must support NGFW Throughput of minimum 1.5 Gbps
for Enterprise Mix Traffic
6. Appliance must support Threat Protection Throughput of
minimum 1 Gbps for Enterprise Mix Traffic
7. Appliance must support IPSec VPN Throughput of minimum 8
Gbps with support for 2000 IPSec Tunnels
8. Appliance must support SSL VPN Throughput of minimum 500
Mbps with support for 200 SSL VPN licenses from day one
9. Appliance must have all the features i.e. IPS, Gateway Antivirus,
Antimalware, Anti-spam, VPN, Application Control, Web Filtering
10. Appliance must support Minimum 14 No 1G Ethernet ports and 4
no’s of 1G SFP Slots. Appliance must ship 4X1G SFP along with
the product.
11. The solution must have 10/100/1000 dedicated ports for HA
connectivity apart from the ports mentioned above
12. Appliance should have RJ45 console and 1 No USB port for
firmware upgradation.
13. The proposed solution must be in the Leaders of Forrester
Automated Malware Analysis Report
14. System should use internal storage of minimum 50 GB for
storing logs and reports locally
15. Solution shall support active-passive and active-active high
availability without need of any external system or software.
16. Solution must not have application-specific chips, must be based
on parallel processing architecture and must not use proprietary
ASIC chips.
17. The Device should have capability to create virtual firewall
systems.
B. Functional Requirement Compliance(Yes/No)
18. The proposed solution must allow single policy rule creation for
application control, user based control, host profile, threat
prevention, Anti-virus, file filtering, content filtering, QoS Marking
and scheduling at single place within a single rule and not at
multiple locations. There must not be different places and options
to define policy rules based on these parameters.
19. Solution must not have any dependence on TCP/UDP/IP port
based policies to use application control function. Application
identification and control function should work without needing
port based policies
20. Should be possible to define application based policies on
application default ports without needing to define any port
numbers. Applications should strictly use their default ports.
21. Shall be able to define application based policies as part of
firewall policy construct to safely enable application. Application
identification and control should be enforced before firewall policy
action and not a profile based feature after firewall policy action
has been taken.
22. System should have the capability to identify and inform admin
about any application dependencies while pushing the policies to
reduce errors and time to deploy.
23. The solution must provide Firewall, User identification,
Application visibility and control, SSL VPN for 1000 users, IPS,
Gateway Anti-virus, Anti-bot, data leakage protection, URL
filtering and cloud based sandboxing from day one.
24. Appliance must enable enforcement of Application usage
policies: allow, deny, schedule, inspect, and apply traffic shaping.
25. Appliance must be able to identify and control Applications
26. Appliance must provide for policy based visibility and control over
applications
27. Threat prevention and layer 7 functions should process traffic by
single pass traffic processing design and not multiple
process/functions to achieve higher security performance.
28. The solution must have always on access to the firewall. The
Firewall should have dedicated inbuilt hardware CPU, memory
and disk resources for firewall management access, and firewall
access must be available irrespective of load on data plane
resources.
29. The admins must be able to view report on the CPU usage for
management activities and CPU usage for other activities.
30. The Device should be Purpose-built platform on dedicated
hardware.
31. The Device must be rack-mountable on 19" standard equipment
rack and must be provided with OEM supplied Rack Mount Kit for
mounting in 19" Rack
32. Device must support built-in function of signature base Gateway
Antivirus, Intrusion prevention, URL Filtering and Anti-spyware
capability. It should be possible to enable all functions at the
same time.
33. Device should have fully Customizable Block Page – The web page that is displayed when a user attempts to access a blocked site should be fully customizable.
34. Device must support Multiple Internet & Intranet Link Load Balancing
35. Antivirus engine should support real‐time detection of viruses and malicious code for HTTP, HTTPS, FTP, SMTP, SMTPS, POP3 and IMAP, NNTP and IM protocols
36. Should support Gateway Data Loss Prevention (DLP) feature for popular protocols like HTTP, HTTPS, FTP, POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS and IM (AIM, ICQ, Yahoo, MSN) with Document Fingerprinting or provide an equivalent external DLP appliance solution which can be integrated with firewall
37. The proposed solution must support Policy Based forwarding
based on Source or Destination Address, Source or destination
port, Application-ID, AD/LDAP user or User Group, Services or
ports
38. Device must support dynamic wan path controller
39. Firewall should have the functionality of Geo Protection to Block
the traffic country wise in incoming direction, outgoing direction or
both using firewall policies only, without using any other security
module such as IPS.
40. Shall be able to identify traffic coming from or going towards
Known malicious IP addresses and High risk IP addresses. Shall
be possible to take different policy actions based on these two
types. System should update the list of IP address automatically
41. Firewall should support minimum 2000 default application
signatures and also allow administrators to create custom
application signatures.
42. Solution shall prevent credential stealing attack using
identification of phishing URL, identify username/password
submission to outside website over HTTP POST message and
provide multifactor authentication for critical resources. Credential
theft function should allow admin to define credential detection
policies based on URL categories.
43. Solution must support creation of custom IPS signatures and
custom application identification signatures
44. IPS signatures should have severity associated with each of the
signature and administrator should be able to configure alert/drop
for IPS based on severity. For example, all critical and high
severity detection should be dropped and all other severity should
be on alert.
45. Solution should support Session based load sharing (not packet
based) over multiple equal cost paths. It should work with both
static and dynamic routing. Solution must support minimum 4 ISP
links for load balancing and automated failover in case of any ISP
link failure
46. Should be able to integrate with multiple infrastructure
components such as Wi-Fi controller using API and syslog,
terminal server, Microsoft exchange, sslvpn, proxy, domain
controller etc. for enforcing userid based policies.
47. Firewall must support integration with open LDAP, AD and
Radius for Authentication
48. System should have the capability to dynamically trigger action of
block source and/or destination IP based on logs. For example, if the
system detects that a user received malware from an outside source IP,
that source IP should automatically go into a predefined object
group which can be called in policy to block traffic going to or
coming from that IP address.
49. Proposed solution must have inbuilt OEM developed URL filtering
solution to identify URL traffic on more than 50 default categories
and support millions of URL's
50. Solution should be able to provide capability to create custom
URL categories to allow/deny set of URL's
51. Solution must be able to maintain allow/deny URL list per URL
profile
52. URL filtering logs must include source user, source IP, destination
IP, port and URL category
53. System should have the capability to identify file type download
and upload and should allow administrators to restrict file
upload/download based on file type.
54. The solution must support languages like Hindi, Urdu and Tamil
for URL filtering to fulfill web security needs
55. Solution should be able to decrypt SSH and SSL inbound and outbound traffic to detect and block any unauthorized or malicious traffic over encrypted session. Should support SSL decryption on non 443 port and should
support decryption of SSL enabled SMTP and POP3 email traffic
56. The proposed solution must support on appliance Per policy SSL
decryption for both inbound and outbound traffic. Policy construct
must support source IP, Destination IP, source zone, destination
zone, source user, destination URL category and action to
decrypt or bypass along with custom profile for decryption.
57. To prevent evasive users and applications from bypassing
security functions, all product functions for IPS, Threat
Prevention, and Anti-Virus, shall not require specific software port
and protocol combinations for detection, mitigation, or
enforcement.
58. System should provide the capability to see the applications that
are bypassing traditional controls & running over non-standard
ports in real-time.
59. System should support event correlation on the box which can
connect isolated network events and look for patterns that
indicate a more significant event. System should be able to
correlate threat logs such as C&C, URL, DNS and threat traffic
60. Proposed solution must include capability to send unknown files
to cloud sandbox from day 1. Once malware is identified the firewall
must receive automated signature update from cloud within 5
minutes.
61. Cloud based sandboxing should not have any daily, weekly or
monthly limitation on number of unique files that firewall can send
to cloud for inspection. In case proposed firewall has any such
limit vendor shall quote 2Gbps capacity on premise sandboxing
with HA design
62. Solution must provide automatic signatures for zero-day malware
based on File content and file type (not just file hash and file
name)
63. Device should support http, smtp, pop3, imap and ftp protocols
64. Device should support bare metal analysis along with virtualized
environment analysis
65. Device should support windows, android and mac operating
system devices.
66. The proposed solution must support Policy Based forwarding
based on:
- Zone
- Source or Destination Address
- Source or destination port
- Application (not port based)
- AD/LDAP user or User Group
- Services or ports
67. Firewall should support Active/Active and Active/Passive HA and must support synchronization of the following for HA:
-All sessions
-Decryption Certificates
-All VPN Security Associations
-All IPS and AV sessions
-All threat and application signatures
-FIB Tables
68. Firewall active-active HA must support IPv6 traffic inspection and
stateful failover
69. The proposed solution must be able to support simultaneous
deployment with interfaces servicing Layer 3, Layer 2,
Transparent and Tap modes
C. Services and Other Requirements Compliance
(Yes/No)
70. Solution must be quoted with 3 years license subscriptions and 3
years OEM direct 24X7 premium TAC support and advanced
hardware replacement. Firewall to be replaced or fixed in 4 hours
of fault reporting on site.
71. A 24*7 Helpdesk support number and engineer contact
number (mobile number) are to be provided for reporting of fault and
support services, with escalation matrix and their mobile number
and email address.
72. Effective date of license to be 1st Apr 2020, Temp license until
31-Mar-2020. Licence to be valid until 31-03-2023.
D. Warranty and Installation Requirement Compliance
(Yes/No)
73. Free Warranty of Product should be 1 year from date of
commissioning on site with replacement within 24 hours.
2 Year Extended Warranty for 24x7 with on call on Site Support.
74. Installation and configuration of the equipment within one week of
the arrival of materials at the Air India Express Cochin Office or
Any other Office in India if required
I have also enclosed all relevant documents in support of my claims, (as above) in
the following pages.
Scope of Work: It is agreed that following would be the scope of work under the
contract.
1. OEM 24X7 which should include:
a. 24X7 telephonic and ticket support (TAC).
b. In-case of failure, next business day onsite replacement. For failures reported after
2pm on Friday the replacement unit should be provided by coming Monday /Tuesday
(business day).
c. 24X7 firmware updates, software updates / upgrades and patches.
d. Air India Express Ltd should be able to log calls through support portal of the
OEM.
e. Submission of the renewal certificate(s) in physical or electronic from OEM
2. Vendor
a. On-site support by the vendor in case of any issues.
b. Coordination with OEM as and when required, if Air India Express Ltd is not able
to resolve the issues.
c. In-case of failure, within 4 hours onsite resolution of default to be provided by
the OEM, vendor to:
i. Install and configure the appliance
ii. Collect the faulty unit and send the same to brand repair centre in India.
iii. All charges for shifting and repair to be borne by the vendor.
d. Vendor will have to conduct monthly preventive maintenance and report to be
submitted.
e. Should have office in Cochin and Trivandrum for support with Product Certified
engineers.
f. To provide a 24*7 contact number for support services
ANNEXURE 2
Training Requirement
S.No | Description | Network Firewall | Remark (Yes/No)
1. | No of Attendees | 3 |
2. | No. of Days | 2 |
3. | Type of Training | Operational Training / Maintenance |
ANNEXURE 3
PRICE BID
(On Company letter head)
Reference/Tender No.: - Due Date: -
Sl. No | Description of item & specification with Make & Model No. | Qty Required | Unit Price | Discount % | GST % | Other charges if any, please specify details | Total Price
1. | Firewall | 02 (Cochin-01, Trivandrum-01) | | | | |
2. | Optional Hardware (SFP, etc.) per unit cost for different types | | | | | |
3. | Optional Subscription and Services | | | | | |
4. | 3 years Subscription licenses | | | | | |
5. | 3 years OEM Premium Support Services | | | | | |
6. | Installation and Commissioning Charges on Site | | | | | |
7. | Two years 24x7 Support Charges per Quarter | | | | | |
Grand Total
In Words
Delivery Period: .........................................days (should be within 3 weeks of order)
Price should include
1. 24*7 on call service from OEM
2. 24*7 on call service from supplier
3. 24*7 on site visit support from supplier based on AIXL request.
4. 2 years extended warranty on device after initial 1 year warranty.
5. Replacement within four hours of fault reporting if not serviceable.
6. Includes all cables
7. Includes the installation and configuration of the firewall.
8. Firewall production licence to be effective 1-Apr-2020.
9. A temp license to be provided during the transition phase until successful
configuration and acceptance by authorized IT Department personnel of AIXL.
10. Delivery on FOC basis to Installation Site at Cochin and Tr.
11. Delivery Period: 3 weeks or earlier
12. Validity of the bid 180 days from the date of submission of quotation/tender.
Signature………………………… ……..
Name……………………………………...
Business Address
&Stamp…………………………
Place: ………………. Date: ……………….
Note: - Price Bid should be submitted in given format only. For additional
information/extra items above format may be typed and used.
ANNEXURE- 4
On Company letterhead
Undertaking
Date:
To
Air India Express Ltd.,
Kochi
Sub:
Dear Sir,
We, __________________ (Name of Manufacturer) having registered office at __________________ hereby authorize M/s _____________ (Name of Bidder) to quote, supply, install and support Servers and additional Hardware as per Air India Express requirements mentioned in the subject RFP.
We further confirm that all quoted Hardware Equipment will be fully supported and their spares will be available for a minimum period of 03 years from the date of equipment installation and the equipment will not become obsolete during this period.
The undersigned is authorized to issue such authorization on behalf of __________________ (Name of Manufacturer)
For M/s ________________
Signature & company seal
Name
Designation
E-mail/Mobile No.
Annexure 5
On Company Letterhead
Date
To
Chief of IT
Air India Express Ltd
Sir,
Sub: Authorization for attending opening of TECHNICAL / COMMERCIAL BID
The following person(s) is/are hereby authorized to attend Technical/ Commercial Bid
opening of subject tender.
S. No. Name E-Mail Contact No. Signature
Signature: ………………………………..
Authorized Signatory’s Name: ……………..
Company Name:
NOTE:
1. Permission for entry to the Hall where bids are opened may be refused in case authorization as prescribed above is not received.
2. The authorized representatives, in their own interest, must reach venue of bid opening well in time.
3. The authorized representatives must carry a valid photo identity.
4. Separate authorization letters would be required for Technical and Commercial Bid
opening.