Please quantify the number of applications to be supported.

(1)

Sl. RFP (Page No.) Ref Sections/Clause requiring Clarification

Points of clarification given in the RFP

Clarification Sought Requested/Suggested Change Bank's Reply

1 22 Annexure-3/1. Firewall/ 3

Firewall Should have complete application control functionality from day one.

In case of Application Control support, the respective solution should support maximum number of applications to be classified and tagged as malignant (if applicable). Higher number indicates better coverage of application threat landscape.

Please quantify the number of applications to be supported.

Firewall should have complete application control functionality and must support atleast 5000 applications from day one.

No Change. Clause remains the same. Firewall Should be capable of all the Next Generation features. Bank may at its discretion get the functionality activated at a later date.

2 22 Annexure-3/1. Firewall/ 12

Management of the entire solution should include real-time monitoring, event logs collection, policy enforement.

Real-time monitroing with policy enforcement is an ask, which will enable bank to have next generation management. We request bank to make statement more clear.

Management of the entire solution should allow Administrator to change signature configuration from monitoring window/log itself. It should include real-time monitoring, event logs collection, policy enforement

No Change. Clause remains the same.

3 22 Annexure-3/1. Firewall/ Performance Requirement/ 8

The Firewall appliance/solution should have sufficient local hard-disk in order to keep the logs of minimum 90 days

Assuming 2 GB of logs per day, firewall appliance should have minimum of 180 GB of storage capacity.

Please confirm.

The Firewall appliance should have atleast 180 GB of inbuilt local hard-disk in order to keep the logs of minimum 90 days.

No Change. Clause remains the same. However, logs should be retrievable and readable. 4 22 Annexure-3/1. Firewall/ Performance Requirement/ 6

Solution should have minimum 1,50,000 connection per second processing

In our experience of BFSI segment, a ratio of 1:25 for new connection per second to concurrent connections suffices most demanding banking DC enviroments. The requirement of 1,50,000 new connections per second for 25,00,000 concurrent connections seems on a higher side and it favors a specific vendor.

Solution should have minimum 1,00,000 connection per second processing

5 22 Annexure-3/1. Firewall/ Performance Requirement/ 6

Real world (multi-protocol) throughput of IPS should be of 10 Gbps or higher

"Real world (multi-protocol)" terms are used by one specific vendor. Every vendor has a diffrent intrepretation for real world traffic and it leads to diffrent sizing of appliance. Please clarify bank's understanding of real world traffic parameters so that every bidder can size the solution on those commonly defined parameters

Please clarify. No Change. Clause remains the same.

The intent behind the usage of word Real World (multi-protocol) was discussed with all the prospective bidders including those who raised this query and the term was as it is accepted by all the participants in the Pre-Bid meeting .

(2)

6 9 18. The Bidder shall be responsible for providing the operational and maintenance training to the identified IT staff of the Bank as and when asked by the Bank.

Request OBC to provide the training duration, frequency, location & batch size for which training needs to be conducted.

The revised clause is asunder:-“The successful bidder will be required to hold training for 5 Bank officials/ management team for 2/3 days duration covering Basic Concept, Configuring as per the different specs , Report generations in different customized formats like time wise , severity wise, protocol wise,

source/destination etc , Managing , Log analysis, Definition & software version update/upgrade . Successful bidder would repeat training for 2/3 days every year till Warranty/AMC. The training shall be conducted at vendor’s location within India at no extra cost to Bank."

7 14 Payment Terms Request the bank to change the payment

terms as:

The Bank will make payment as per following scheduled terms.

70% - On delivery of the perimeter security equipments.

30% - After installation, Configuration, operationalization and integration of the same to the satisfaction of the Bank.

Bank may ask for a BG for payment

8 14 Delivery, Installation &

Commissioning of Items

The revised clause is as

under:-The vendor shall be responsible for delivery and installation of the ordered item(s) at the sites i.e. Primary Data Centre, Navi Mumbai and Disaster Recovery Site, Delhi and making them fully operational at no extra charge within12 weeks of the date of purchase order.

Request OBC to change the Delivery and installation time to 12 weeks from 8 weeks (as delivery takes 4-6 weeks). Please confirm?

(3)

9 15 Order Cancellation The revised clause is as under:- "The Bank reserves the right to cancel the purchase order in the event of one or more of the following situations:

1. Delay in supply, installation, and commissioning of perimeter security equipment beyond the specified period (12

weeks).

2. Deviations of the perimeter security equipments proposed from those mentioned in the RFP including non-integration of these equipments with Bank's infrastructure as mentioned in Scope of Work above to the satisfaction of the Bank. In the event of order cancellation the vendor shall be responsible to take back the faulty equipments at its own cost & expenses. In the event of cancellation of order, the Bank shall also invoke the Performance Bank Guarantee (PBG) submitted by the bidder."

10 17 Penalty Request bank to kindly review the penalty as

this is on a higher side

11 16 Uptime for single mode solution

should which requires 99.5% on monthly basis should be removed, as there are so many factors which impacts uptime of any solution.

We recommend to have high availability for management solution if it is that much critical. Please confirm?

12 Additional Point We propose that the clause pertaining to

Limitation of Liability be included and the limitation of liability for direct damages should be limited to 10% of contract value or the maximum aggregate liability of the Vendor shall not exceed the PO value.

Clause inserted as

under:-Limitation of Liability

Except in respect of any third party claims resulting from infringement in terms of clause 25- Indemnity, of the RFP, the aggregate liability shall be limited to the value of the purchase order placed to the vendor. However, Bank has the right to invoke the performance Bank Guarantee of the bidder over and above the claim amount as applicable as per the Terms of RFP.

13 17 Liquidated Damages LD should be applicable only if the delay is

due to reason solely attributable to the Bidder. Also adequate notice must be given to bidder before LD is imposed

No change same as per existing clause. Request OBC to change the Delivery and

installation time to 12 weeks from 8 weeks (as delivery takes 4-6 weeks). Please confirm?

(4)

14 22 Real world throughput of IPS should be of 10 Gbps or higher

As per thumb rule, IPS throughput within any UTM/Next generation Firewall bundle should not be equivalent to Firewall throughput. Kindly clarify the evaluation criteria for IPS throughput calculation

Request bank to modify IPS throughput from 10Gbps to 7 Gbps

15 22 Real world throughput of

Firewall with all features enabled (if required in future) should be of 5 Gbps or higher

Request bank to clarify all the feature which are being referred for enablement of full blow throughput of 5 Gbps alongwith Firewall

Please clarify & confirm The revised clause is "The real world throughput of Firewall with all the feature enabled (if required in future), should be 10 Gbps or higher."

16 22 Firewall should have a provision

to support next generation firewall capabilities including- IPS, Application Control, URL, Content Filtering features (if required in future) by adding software license or modules on the same firewall appliance.

It is understood that OBC is presently looking for only Firewall fucntionality from day-1. Rest all features including- IPS, Application Control, URL, Content Filtering features are not required to be provisioned from day-1 & will be enabled as add-on in future (based on additional cost implication for bank as & when required).

Please clarify & confirm The IPS and Firewall are required from day one.

Further, the Firewall Should be capable of all the Next Generation features. Bank may at its discretion get the functionality activated at a later date.

17 22 High availability for redundancy:

The firewall must support Stateful active-active OR Active-Failover architecture

High Availability for Perimeter Firewall is a critical function & should support both the modes ( Active &

Active-Passive/Failover architecture) out of the box. This should also be applicable for features (including IPS) if required in future by the bank.

Please clarify & confirm No Change. Clause remains the same.

18 22 Solution should provide

signature & protection against APT & zero day attack within 1 hour from the 1st encountering

Kindly clarity whether bidder needs to provision required hardware & license to deliver this fucntionality from day-1 while quoting

Please clarify & confirm The Firewall Should be capable of all the Next Generation features. Bank may at its discretion get the functionality activated at a later date. However this feature would be required when APT/Anti BOT feature is subscribed by the Bank.

19 7 2.Bidder's Eligibility Criteria

The Bidder should have minimum annual turnover of at least 50 Crores (Rupees Fifty Crore Only) in the last three financial years <i e 2011-12, 2012-13 & 2013-14) and should also have reported cash profit during those years

As per DIT Guidelines, Positive Net-worth is better assessment of bidder's financial capability than the profit. Therefore we request the clause to be amended as:

"The Bidder should have minimum annual turnover of at least 50 Crores (Rupees Fifty Crore Only) in the last three financial years <i e 2011-12, 2012-13 & 2013-14) and should also have reported positive networth during those years". In addition the bidder should have cash profit in minimum last financial year i.e 2013-14."

20 7 Sl no 4.c Bidder should have minimum 5 CISA/CISM/CISSP certified professionals

In order to invite more bidder's participation pls reduce to Minimum 2 Nos CISA/CISSP/CISM certified professionals.

(5)

21 7 Clause 2 Bidder's Eligibility Criteria Sl No 4. d)

d) The bidder should have at least 2 professionals with necessary certifications on the OEM platform they are quoting

Certification on similar technology will help more bidders to participate. Therefore request amendment as: "The bidder should have at least 2 professionals with Industry certifications on similar products from same OEM or other OEM products."

22 9 Clause 3

Scope of Work Sl no 20

Bidder shall be responsible for integration of offered solution with Bank's Active Directory System

Please elaborate if integration is for VPN users or administrators of proposed solution.

This integration is required for administrators of proposed solution.

23 7 Clause 2

Bidder's Eligibility Criteria Sl No 5

The Bidder should be empanelled with CERT-ln for Information Security Services.

This clause will restrict only a few bidder's to participate. Pls make this clause optional to allow more bidder's to participate

24 7 Clause 2

Bidder's Eligibility Criteria Sl No 7

1. The Bidder should be an OEM or their authorized partner with highest partnership level of the OEM Either the authorized partner on behalf of the Principal / OEM or Principal / OEM Itself can bid but both cannot bid simultaneously for the same item / product for this tender

2. One OEM can bid with maximum two bidders

1. In order to establish proven technology product, Pls ask OEM should be in Leader's or Challenger's quadrant rather than partnership level between OEM and bidder otherwise this clause will favor a few selected bidder's only. 2. Pls delete the clause "One OEM can bid with maximum two bidders" as this clause may restrict more bidder's participation

25 7 The bidders should have minimal annual turnover of Rs 50 Cr(Fifty crores only)in last three financial year (I.e 2011-12, 12- 13 and 13-14) and should have reported cash profit during these years

This point which will stop strong technologies partners to quote for the rfp.

Request you to kindly amend this point to cumulative turnover of Rs 50 crores for last three financial year.

26 7 Bidders should have 5 CISA/CISM/CI SSP certified professional

As this is firewall tender so competancy and certified professinal for OEM will be required.

Request to please amend this point as bidders should have certified progfessional from the OEM on quoted product

(6)

27 7 Thebidder should provide at least three public sector bank /financial institution /Govt./ PSU as customer reference where it has executed similar perimeter security solution for information security infrastructure project in last 5 years

Please amend this point as the bidder should have executed the perimeter security solution at three enterprise/BFSI customer

28 7 The bidders should be empannelled with Cert-In for information security solution.

Request you to please dilute this point.

29 8 EMD of Rs 15, 00000 should be submitted by bidders

Request you to please amend this as Rs 500000

30 22 Scope of work What features are required from day1? Is it

firewall only or Firewallwith application control only or Firewall with IPS, Application Control, URL Filtering,Kindly clarify

The IPS and Firewall are required from day one.

Further, the Firewall Should be capable of all the Next Generation features. Bank may at its discretion get the functionality activated at a later date.

31 22 Scope of work Request you to name the 150

predified/Services/protocols

32 22 Scope of work Please clarify, full load on Firewall or the

management server

No Change. Clause remains the same. Further, the Point was clarified during the pre-bid meeting that the Bank meant full load on Firewall.

(7)

33 Reque st Bank to includ e this clause

Termination Request addition of below clause:

Either Party shall have the right to terminate this Agreement at any time in the event that the other party commits a material breach of the Agreement and fails to cure such default to the non-defaulting party’s reasonable satisfaction within thirty (30) days.In the event of termination Customer shall pay Bidder for goods delivered and services rendered till the date of termination.

The revised clause is "Bank shall have the right to terminate this Agreement at any time in the event that the bidder commits a material breach of the Agreement and fails to cure such default to the Bank's reasonable satisfaction within thirty (30) days.In the event of termination Customer shall pay Bidder for goods delivered and services rendered till the date of termination. 34 Reque st Bank to includ e this clause Limitation of Liability

Request addition of below clause: Notwithstanding anything to the contrary elsewhere contained in this Agreement, neither Party shall, in any event, regardless of the form of claim, be liable for (1) any indirect, special, punitive, exemplary, speculative or consequential damages, including, but not limited to, any loss of use, loss of data, business interruption, and loss of income or profits, irrespective of whether it had an advance notice of the possibility of any such damages; or (2) damages relating to any claim that accrued more than two (2) years before the institution of adversarial proceedings thereon.

Subject to the above and notwithstanding anything to the contrary elsewhere contained herein, the maximum aggregate liability of Bidder shall be, regardless of the form of claim, the consideration received by Bidder for the SOW / PO to which the claim relates during the preceding three (3) months.

Clause inserted as

under:-Limitation of Liability

Except in respect of any third party claims resulting from infringement in terms of clause 25- Indemnity, of the RFP, the aggregate liability shall be limited to the value of the purchase order placed to the vendor. However, Bank has the right to invoke the performance Bank Guarantee of the bidder over and above the claim amount as applicable as per the Terms of RFP. 35 Reque st Bank to includ e this clause Deemed Acceptance

Request addition of below clause: Deliverables will be deemed to be fully and finally accepted by Customer in the event Customer has not submitted such Deliverable Review Statement to the Implementation Partner before the expiration of the 15-day review period, or when Customer uses the Deliverable in its business, whichever occurs earlier (“Deemed Acceptance”).

(8)

36 Reque st Bank to includ e this clause Change Request

Request addition of below clause: Either party may request a change order (“Change Order”) in the event of actual or anticipated change(s) to the agreed scope, Services, Deliverables, schedule, or any other aspect of the Statement of Work.

Implementation Partner will prepare a Change Order reflecting the proposed changes, including the impact on the Deliverables, schedule, and fee. Absent a signed Change Order, Implementation Partner shall not be bound to perform any additional services. The parties agree to negotiate in good faith all Change Order proposals.

Not Accepted. 37 Reque st Bank to includ e this clause Non-Solicitation

Request addition of below clause: During the term of this Agreement and for a period of one year thereafter Bank shall not, directly or indirectly, hire or solicit for hire, any of the personnel engaged by Bidder, without the prior written consent thereof from Bidder. Thus, the Bank agrees to the entry of an injunction against it in the event of actual or threatened breach of its obligations hereunder, and acknowledges such relief shall be in addition to such other and further relief as may be available to Bidder at law or in equity

Not Accepted. 38 Reque st Bank to includ e this clause

Change order Either party may request a change order

(“Change Order”) in the event of actual or anticipated change(s) to the agreed scope, Services, Deliverables, schedule, or any other aspect of the Statement of Work. Bidder will prepare a Change Order reflecting the proposed changes, including the impact on the Deliverables, schedule, and fee. In the absence of a signed Change Order, Bidder shall not be bound to perform any additional services. Not Accepted. 39 Reque st Bank to includ e this clause Savings Clause

Bidder’s failure to perform its contractual responsibilities, to perform the services, or to meet agreed service levels shall be excused if and to the extent Bidder’s non-performance is caused by Company’s omission to act, delay, wrongful action, failure to provide Inputs, or failure to perform its obligations under this Agreement.

(9)

40 Reque st Bank to includ e this clause

Risk and Title The risk, title and ownership of the products

shall be transferred to the customer upon dispatch of such products to the customer

Not Accepted.

41 2 Firewall should have a provision

to support next generation firewall capabilities including- IPS, Application Control, URL Filtering, Content Filtering features (if required in future).

As Anti-virus, Anti-malware, Anti-bot are integrated part of a next generation firewall, Therefor please include the same. More over Malware is the main threat vector for Banking customers.

Please modify the clause as :Firewall should have a provision to support next generation firewall capabilities including- IPS, Application Control, URL Filtering, Content Filtering features, virus, Anti-malware, Anti-bot (if required in future).

No Change. Clause remains the same. Firewall Should be capable of all the Next Generation features. Bank may at its discretion get the functionality activated at a later date.

42 Technical

Specifications 8

High availability for redundancy: The firewall must support Stateful Active or Active-Failover architecture.

It is extremely important for Banking customers that all sessions should be failovered during failure of one device. Therefore, the firewall must support stateful syncronization of all sessions like Firewall, IPS, Application, VPN, Anti-virus, etc.

Please modify the clause as: High availability for redundancy: The firewall must support Stateful Active-Active or Active-Failover architecture., the firewall must support stateful syncronization of all sessions like Firewall, IPS, Application, VPN, Anti-virus, etc.

(10)

43 Technical Specifications 9

Solution should have capability that even in case of full load on it, the administrator must be able to log-in for management activities.

This is very important point with reference to firewall management.In order to achieve this the firewall should have dedicated resources ( RAM, HDD etc) for management and dedicated resources for traffic

management.Therefore request you to modify the clause as:

Therefore request you to modify the clause as:Solution should have capability that even in case of full load on it, the administrator must be able to log-in for management activities. The firewall should have dedicated resources ( RAM, HDD etc) for management and dedicated resources for traffic management.

44 Technical

Specifications 10

The IPS should be able to inspect SSL, https etc. traffic. Integrated IPS should not make use of additional external device to perform these functions.

Most of the core banking applications are accessed through SSH, therefore it is important to include this so that threats can be checked within encrypted SSH tunnel. Moreover the inspection should be done for both inbound and outbound traffic.

Therefore Please modify the clause as : The IPS should be able to inspect SSL, SSH, https etc. traffic. Integrated IPS should not make use of additional external device to perform these functions. The solution should be able to decrypt both inbound and outbound SSL, SSH, https connections.

45 Performance

Requirements 2

Real world (multi-protocol) throughput of Firewall should be 10 Gbps or higher

As 95% traffic in any banking and enterprise network is TCP in nature and includes 100% applications. Moreover the Bank has requested Application control from day one. Therefore please mention full application visibility of applications while measuring throughput.

Therefore please modify the clause as: Real world (multi-protocol) throughput of Firewall should be 10 Gbps or higher with TCP traffic and with full application visibility.

No Change. Clause remains the same. The intent behind the usage of word Real World (multi-protocol) was discussed with all the vendors and the term was as it is accepted by all the vendors in the Pre-Bid meeting .

(11)

46 Performance Requirements 5

Solution should have minimum 25,00,000 concurrent connections.

Palo Alto Networks despite a Leader in Enterprise Firewalls is not able to comply to this point. Moreover 20,00,000 concurrent connections are sufficient to handle 2 Lac users assuming 10 connections per user.

Therefore please modify the clause as : Solution should have minimum 20,00,000 concurrent connections.

47 Performance

Requirements 6

Solutio should have minimum 1,50,000 connection per second processing.

Palo Alto Networks despite a Leader in Enterprise Firewalls is not able to comply to this point.Please modify the clause to provide us equal opportunity.

Solutio should have minimum 1,20,000 connection per second processing.

48 Performance

Requirements 7

Solution should have at least 8x 10/100/1000 Mbps RJ 45 Ethernet interfaces and 8 x 10 Gbps SFP ports

Please relax the clause to include both 1 Gbps SFP and 10 Gbps SFP interfaces to include all vendors.

Solution should have at least 12x

10/100/1000 Mbps RJ 45 Ethernet interfaces and 4x 1 Gbps SFP and 4 x 10 Gbps SFP ports.

49 New Query As core banking applications like Finacle and other custom applications are important for Bank. Therefor it is important that the Firewall provides security for these applications. As these applications are custom/home grown

applications and no signature is available by default in Firewalls to secure them. Therefore please specify that the Firewall should allow custom Application signatures for Core Banking applications.

The Firewall should allow custom signatures for home grown and custom applications like Finacle and other banking applications.

Bidders may provide this additional feature over and above the functionalities asked for.

(12)

50 New Query As deployment mode decides the coverage of Firewall security. Therefore it is important to secify that the firewall supports all possible deployment modes- Route mode, Transparent mode, Layer 2 mode, Tap mode and Mixed mode (combination of any). This will allow the Bank to have security not only at outbound/inbound traffic but also complete visibility for nternal traffic.

Firewall should support all possible

deployment modes- Route mode, Transparent mode (bump in the wire), Layer 2 mode, Tap mode and Mixed mode (combination of any).

Bidders may provide this additional feature over and above the functionalities asked for.

51 New Query Firewall being a critical infrastructure for the bank, the OEM proposing the solution should be validated by globally reputed third party accredition agency like Gartner.

The proposed solution must be in the Leader’s quadrant in Gartner Magic Quadrant of Enterprise Firewall for 3 years

Not Accepted.

52 7 (4) To be considered for selection, Firms / Companies should meet the following conditions.-a) Should have strong competence in Information Systems Security Management.

b) Should have among their existing clientele, banks financial Institutions with an ali-India presence.

c) Bidder should have minimum 5 CISA/CISM/CISSP certified professionals

d) The bidder should have at least 2 professionals with necessary certifications on the OEM platform they are quoting.

We request the Bank to kindly relax and change the clause to CISA/CISM/CISSP/OEM certified professionals. Since looking at the project, Bank will require

engineers/professionals who can install and maintain entire project for the period mentioned in RFP. Hence we request the bank to kindly add OEM certified professionals options also.

53 7 (5) The Bidder should be empanelled with Cert-In for information Security Services

Cert-In empanelment is required mainly for Security assessment and bank has not asked for any security assessment services in this RFP. So we request the Bank to kindly remove this clause.

(13)

54 7(6) The Bidder should be an OEM or their authorized partner with highest partnership level of the OEM. Either the authorized partner on behalf of the Principal / OEM or Principal / OEM Itself can bid but both cannot bid simultaneously for the same item / product for this tender. One OEM can bid with maximum two bidders.

The Bidder should be an OEM or their authorized partner on behalf of the Principal / OEM or Principal / OEM Itself can bid but both cannot bid simultaneously for the same item / product for this tender. One OEM can bid with maximum two bidders.

55 Corrigendum A Revised L1 Commercial Format (Annexure V) is

uploaded along with Reply to Pre-Bid queries as Corrigendum A on Bank's Corporate Website (www.obcindia.co.in) & e-tendering portal. The revised L1 Commercial Format includes the

following:-Cost of Mandatory deliverables

•Cost of Next Generation Firewall at PDC & DRS • Cost of Centralized Management Gateway (PDC/DRS)

• Buy Back of PIX 535 & PIX 525 Cost of Optional deliverables

• Cost of Application Control / Visibility feature • Cost of APT / Anti-BOT feature

Cost of Optional FM Resource

• 24x7x365 FM resource for above mentioned Firewall Solution with respect to their configuration. Apart from the solution being offered, the FM resource would also be responsible for configuration of existing Cisco ASA 5550 & ASA 5540 firewalls , Cisco 4270 IPS. The FM resource is required to be a graduate in Engineering having at least one

56 Corrigendum B New Annexure - Corrigendum B Annexure - VIII

(Scope of Work of Optional FM Resources) is uploaded along with Reply to Pre-Bid queries as Corrigendum A on Bank's Corporate Website (www.obcindia.co.in) & e-tendering portal.