• contact@isoagroup.com
  • (707) 773-1198
  • Building a lasting foundation for the digital enterprise.
April 17, 2017 Cheryl Bertini

Expert’s Corner: Is DataPower a Firewall or a Layer 7 Protocol Proxy?


When discussing the capabilities of DataPower with colleagues, the topic of routing capabilities of the DataPower appliance often comes up.  It may seem convenient, at first, to compare it to a firewall, but it actually behaves much differently.   Keeping a clear understand of its behavior and how it handles routing of messages is important, as you determine the correct architecture and use cases for deployment.

DataPower operates almost exclusively as a non-transparent, Layer 7 protocol proxy, handling only an explicit number of protocols, such as HTTP (HTTPS) and FTP (FTPS). While it may appear that DataPower passes data, or messages, from one network segment to another, messages are actually terminated on the inbound TCP connection, introspecting message based data, and then a separate and distinct TCP connection is created from the device to a destination host.


Unlike Router/Firewalls, DataPower devices DO NOT route IP packets directly. They employ a high degree of interface isolation which is controlled by the configuration set in DataPower, but they will not connect two network segments for random protocols.

A protocol specific proxy service (XML Firewall, Multiprotocol Gateway, WS-Proxy, etc.) must be configured on the device in order to pass any data through said device, to a destination host.

For some supported protocol types – namely asynchronous messaging protocols such as IBM MQ Series™, IBMʼs WebSphere Messaging Engine™, or Tibcoʼs EMS™ protocol – the device does not act as a protocol proxy at all, but instead is responsible for establishing TCP level connections to support both the ingress and egress message path associated with an integration service.