The Modular Firewall Certification Criteria Version 4.1x


ICSA Labs tests firewall products against a standard yet evolving set of criteria. Our Firewall Certification Criteria is composed of both functional and assurance requirements. Our criteria requirements define an industry-accepted standard that all products claiming to have firewalling capabilities must attain.

Historically, the ICSA Labs Firewall Product Certification Criteria has taken a "one size fits all" approach, the intent being that every product would have to meet the same requirements in order to be certified. However, the firewall market has evolved significantly since ICSA Labs introduced version 1.0 of the Firewall Product Certification Criteria in 1996. Version 4.1x of the ICSA Labs Modular Firewall Certification Criteria accommodates the evolution of the firewall market.

Version 4.0, the previous version of the criteria, was the culmination of over a year and a half of work with industry experts, end users and the Firewall Product Developers Consortium - an international forum of competing developers of firewall products that work toward common goals to benefit both members and end users.

Version 4.1x reflects the different functional requirements in today's multi-segmented firewall market.

Points worth noting with respect to this version 4.1x:

  • The interpretation notes used in conjunction with version 4.0 of the criteria have been incorporated into version 4.1. The interpretation notes will be left on the website for historical reference.
  • All products that do not possess an onboard, battery-backed clock must be able to acquire time from an external source. For the Residential category no change has been made. For SMB this mechanism must be either SNTP or NTP, as outlined in the criteria. For Corporate the mechanism must be NTP, as outlined in the criteria. Please note that, for now, this is a conditional requirement applicable only to those products that do not have a clock as noted above. To date, any product that has not had an onboard clock would have failed to satisfy the version 4.0 persistence requirements.
  • With respect to log messages, any date formatting that is outlined in ISO 8601:2004 (Representation of Dates and Times) will be acceptable provided all the required data is present.



Additionally, 4.1x introduces a new certification category: Enterprise. The Enterprise module certification requirements, combined with the requirements contained within the Baseline module, make up the requirements for this new certification category.

This new category contains all of the requirements found within the Corporate category module. Additionally, in order to be granted Enterprise certification a product must meet High Availability (HA), Voice over IP (VoIP) and IPv6 requirements.

Finally, unlike the Residential, Small-Medium Business (SMB) or Corporate categories, NTP or SNTP is a MUST requirement in order to achieve Enterprise certification.

 Criteria Documents

The 4.1 documents that can be downloaded from below (PDF format) are:

  • Baseline Module (required for every certified product)
  • Residential, Small/Medium Business (SMB), Corporate, Enterprise (vendor selects one of these for their product to be tested against)
  • Glossary (definitions of terms used in 4.1x criteria documents)

Additionally, ICSA Labs is releasing Optional Modules that vendors with certified products may elect to be tested against. The first optional module addresses the Network Firewall VoIP requirements. The second module addresses the Network Firewall High Availability requirements.

 All of these documents can be found in the Network Firewalls Document Library.

If you have any questions or comments regarding Version 4.1x of ICSA Labs' Modular Firewall Certification Criteria please contact us at