Managed firewall

Business-grade firewalls powered by your trusted partner.

Firewalls are fundamental to protecting networks and strengthening security posture, but with so many options on the market, deciding which one to purchase is difficult. As the sector’s trusted partner, our priority is to make sure you get the right solution.

As the operator of the Janet Network, Jisc is in a unique position, with oversight of threats from across the education and research sector’s connected community. The firewall service combines threat intelligence feeds from all participating members, enabling the rapid detection and proactive mitigation of potentially harmful cyber threats.

Developed by Jisc in collaboration with Jisc members, the service is operated by cyber security specialist KHIPU Networks, using Palo Alto Networks’ platform.


  • Fully managed service: removes the time, resources and risks associated with day-to-day administration
  • Co-managed service: provides direct customer access and management of the device
  • Virtual managed and co-managed services to support cloud infrastructure


The solution is tailored to the needs of the Janet-connected community across further and higher education, research organisations, tertiary education sector bodies, the public sector and charities.

Benefits include:

  • Community-acquired threat intelligence, detection and mitigation
  • 24x7x365 threat monitoring and alerts
  • Removes the need for local management of the firewall by IT staff
  • Managed by Khipu - our trusted, accredited cyber security specialist
  • Eliminates the admin burden of firewall license renewals
  • Reduces the financial and resource overheads for an organisation
  • Enhances security and helps to maintain business continuity

The solution is based on an on-premises customer premises equipment (CPE) firewall, remotely managed by an operational management system.


Features include:

  • Rapid detection and prevention of network-based threats
  • Centrally managed service
  • Automatic software updates
  • Maintenance, patching and configuration, according to best practice
  • Rigorous change control process, according to ITIL standards
  • Regular reporting and data-based strategic intelligence for ever-evolving cyber security posturing

Core service offer

The service offers a wide range of firewall solutions, with offerings from 1 Gbits/s up to 25 Gbits/s. We can work with you to find the best solution for your organisation.

This managed service covers the maintenance of the firewall hardware, the overall solution, and its core configuration and mitigations. The service is built upon a configuration devised from firewall best practice and updated by the service provider as the threat landscape changes.

Customers can request service rule and configuration changes to tailor the service to meet their needs. See the section on customer change requests in the service description below.

Service options

Additional setup options

  • The firewalls are available as single units or as a high availability pair working in active failover and failback. This not only avoids loss of availability due to faults, but also service down-time caused by maintenance updates.
  • The service uses zero-touch provisioning. However, if onboarding is part of a more complex infrastructure delivery plan, you may prefer to choose on-site installation.

Additional packages

In addition to the core configuration and its mitigation, there are additional options.

These may depend on the customer’s LAN configuration and the network’s identity strategy being configured to support best use of the mitigation offered by each package.

Additional charges, licences, and professional service charges may be required for each of the following packages.

  • User visibility and control
  • On demand remote access
  • Always-on remote access
  • Advanced reporting
  • Site-to-site VPN
  • Policy control

As the service evolves to address the changing threat landscape, additional options may become part of the core configuration and its mitigation. Similarly, mitigation packages may well change, with new options offered.

Service level description

Administration of services

The service onboarding group administers the procedures for approval and commissioning of this service.

Eligibility and service prerequisites

Organisations wishing to use the service must be connected to the Janet Network, typically through a Janet IP connection or a Janet cloud connection. Eligibility for organisations wishing to connect to the Janet Network is covered in the Janet Network connection policy.

Service on-boarding

Following an initial discussion and capture of the customer’s requirements, led by a Jisc relationship manager, a quote can be issued and, if acceptable, an order placed. Once an order is placed, service on-boarding will begin. This covers the agreement of the scope of works for the proposed solution, contracting and order fulfilment. Working with the customer to agree a suitable date, the team will deploy the firewall solution to the customer site with the required configuration so that the firewall CPE can be brought under the management of the centralised operational management system.

Target availability

The target availability for the service is 99.9% (equating to 8 hours, 45 minutes loss of availability per year).

The capability of the firewall to process and forward traffic ensures that there is no loss of service to the customer. The measurement of 99.9% availability excludes the failure of a high-availability firewall, if the remaining firewall was still providing service. The measurement would also exclude any agreed scheduled upgrades, hardware replacements within the service level agreement, or waiting on an action by the customer.

This measurement will be made available in the customer’s monthly reports for their service.

Service delivery time

On receipt of the signed service agreement and any other information that we may reasonably require, the order will be placed with the operating partner. Installation will be arranged and notified by email once the operating partner has received the equipment, subject to availability. The service will not commence until, in the opinion of Jisc Services Limited, adequate and satisfactory testing has been concluded. When we have received all necessary information from you, we will email you a target date for service commencement, keeping you informed of any changes. Once the service is configured and tested satisfactorily, we will confirm the commencement date by email.

Cancellation of services will be implemented within 30 business days of confirmation of the request, unless the cancellation is prevented by reasons beyond our control.

Service management

Jisc provides 24/7 support via our service desk, which acts as a first point of contact for any service-related issues or queries. The service desk works in conjunction with Khipu to ensure customer incidents are recorded and on-call engineers are available to investigate urgent issues.

Jisc is a proven network and service management specialist with extensive experience of service management implementation, network operation, security and continual service improvement. All our operational processes are aligned with ITIL v3 and managed within our ISO 9001 QMS. Information assurance is provided through our ISO 27001 certification. The service is jointly operated by our operating partner, KHIPU, a company certified to the following quality standards:

  • ISO9001 Quality Management
  • ISO27001 Security Management
  • ISO14001 Environmental Management
  • ISO45001 Occupational Health and Safety Standard
  • Cyber Essentials

Customer change requests

The service can accommodate bespoke configuration changes at the request of the customer. Each change will be categorised under the ITIL standard as ‘Normal’, ‘Standard’ or ‘Emergency’.
Each change type has an appropriate change advisory board (CAB) and SLA process.

‘Standard’ changes

Configuration changes, which are agreed and preauthorised by Jisc in advance, do not require further CAB approval. These changes have little to no risk association and follow a documented process. Standard change requests need to be requested via the service desk so they can be logged and tracked. The service team will only apply changes requested by designated users authorised in advance by the customer.

Requests should be made by email.

Examples include, but are not limited to:

  • Adding, removing, or changing an object in the existing policy (address object, user ID, group ID, application or service)
  • Adding an exception (allow or block) to the URL profile
  • Adding an additional IP range for VPN users
  • Creating and scheduling a report
  • Changing details of AD / Syslog / email servers
  • Adding/changing the description on a rule
  • Disabling or deleting rules not used for more than 60 days
  • Optimising an existing rule, or changing it to an App-ID rule based on traffic hits

Requests logged will be responded to within one hour. Once details of the required change are confirmed, Standard Changes will be applied within two hours.

Allowance: 15 standard change requests per calendar month with the option of carrying forward up to 15 unused changes, giving a theoretical maximum of 30 standard changes in a single month.

Acknowledgement and response: One hour acknowledgement and two hour response

‘Normal’ changes

Non-emergency proposed configuration changes need to be approved by the CAB. Normal changes need to be requested via the service desk so they can be logged and tracked and require a change request form to be completed and approved by the customer. The service team will only apply proposed changes requested by recognised designated authorised callers.

Requests should be made by email.

Examples include, but are not limited to:

  • Adding a new security NAT rule and the necessary objects required
  • Adding a new admin user
  • Changing the authentication source for users/admins
  • Adding a new subnet, firewall interface or zone
  • Changing network details, network interfaces/routing
  • Changing the management IP address of the firewall
  • Deleting/disabling rules not used for more than 30 days

Logged requests will be responded to within one hour. Normal change requests require customer authorisation. The service team will either help complete or complete the change request form to be submitted for authorisation. Once authorised, the service team will apply the change within two hours.

Allowance: 15 normal change requests per calendar month with the option of carrying forward up to 15 unused changes giving a theoretical maximum of 30 normal changes in a single month.

Acknowledgement and response: One hour acknowledgement and two hour response

Short notice user requests to the IT manager

It is likely that IT managers will occasionally receive short-notice requests to block or allow specific URLs, for example, access to an education resource that a tutor needs to give to a class later that day.

The service team will review the change request to ensure it can be safely applied. If a potential issue is identified, such as concern about permitting access to a high-risk URL, this will be raised with the IT manager. Provided there are no concerns, the change will be applied as a standard change and the customer updated.

Temporary changes will be treated as standard changes as they are authorised by the IT manager and do not require additional CAB approval. Once authorised by the IT manager, the change will be applied within two hours.

Temporary changes will be reverted after two days, and the original request submitted as a normal change request for review by CAB. 

‘Emergency’ changes

An urgent change is one that, if not addressed promptly, may present a high risk. Examples include security incidents or the resolution of a P1 type incident such as ‘network down’.

For emergency changes, it may be appropriate for the customer to give verbal approval to apply the change rather than wait for written approval, but this must be followed up with a retrospective written change control form.

The service team will only apply changes requested by recognised, designated and authorised callers.

Requests can be made by telephone or email, with retrospective confirmation via email.

Examples include:

  • Stopping an active security incident
  • A change required to fix an issue impacting multiple users
  • Applying emergency patches to prevent an imminent threat

The number of emergency change requests responding to active security incidents is unlimited.

Up to 12 other emergency change requests can be made in a year, for example, to restore service where changes have been made elsewhere on the network resulting in a P1 type incident such as ‘network down’.

Emergency change requests which are required as a direct result of unscheduled changes elsewhere on the network, poor planning, or failure to act on recommendations may be chargeable.

Change requests can be placed by customers but also proposed by Jisc.

Service requests are managed 24x7x365.

If the change allowances are insufficient, the customer can pay to increase their monthly limit or buy a block of additional changes, which are separate to the monthly allowance but will expire at the end of the contract. This flexible approach accommodates customers with a higher volume of project work or during busy periods when more changes are required.

Fault management and escalation

The Jisc managed firewall service will follow ITIL incident management process guidelines to log, assign and diagnose incidents and to restore service operation as quickly as possible with the minimum disruption, in line with the agreed hours of service.

Our support design can diagnose and resolve connectivity, routing and firewall issues for your organisation.

The volume of incidents is not sufficiently large to warrant distinct priority levels. The timings below indicate the target time to respond to an incident.

Service incident response targets

Our response target is the same for all service incidents.

Urgent incidents involve service component failure or a severely impaired service, resulting in serious business-wide impact or multiple users/services impacted.

Service desk

JSD Help Desk
0300 300 2212

24 hours a day, 7 days a week

Phone calls: answered in six rings
Email/ticket requests: response within one hour

Urgent incidents must be reported by phone. Engineers will raise a ticket and begin investigations, aiming to respond within one hour of the call.

Note: Incident resolution targets do not apply in cases where the incident is outside of Jisc’s control, eg local connectivity problems within a customer data centre, or where the customer is not on-site to effect incident resolution.

If you are experiencing an issue with the service and wish to escalate the issue, please contact us via the service desk details above.

Firewall ownership

The firewall, customer premises equipment (CPE) used to deliver this service, and the licenses used will remain the property of Jisc Services Limited.

Customer responsibilities

Organisations have the following responsibilities in relation to the service:

Processing locations

The managed firewall service is only available to UK customers that are connected to the Janet Network. All network and security operation functions and external connection locations are based in the UK.

Information assurance

Jisc is an ISO27001 certified organisation and will utilise, as required, appropriately certified management infrastructure, network connectivity, staff security clearance and processes to deliver the service.

Price changes

We have a standardised timeline for the rollout of pricing changes on existing live services. To our best endeavour, we will issue price change notifications in January ahead of application in the August invoice of the same year. We understand that this aligns with HE and FE budget setting cycles and gives a notification period that is helpful to members. This will also exceed the three months’ notice stipulated in our terms.

Typically, service price change notifications will be issued via email to the relevant organisational contacts. We will not email you if you are not affected by a price change.

End of contract

Customers will be notified as they approach the end of the initial term contract period to allow time to re-procure. The customer may cease use of the service at any time. There is a fixed fee, per service instance, for supported off-boarding from the service. 

Service off-boarding

Service termination is defined as end of contract, without transfer of services to a new provider or customer function. In this case, upon service termination, Jisc will remove the firewall solution from the customer site.

Cancellation of services will be implemented within 30 business days of written notice, and confirmation of the request, unless the cancellation is prevented by reasons beyond our control.

Supported off-boarding means that the customer’s firewall configuration is made available to the customer.