# **FPGA Firewall for Network Security**

Joshua Pinti - Supervised by Dr Matthew D'Souza

RFIT4841

### **FPGA Firewall**

### Background

Over 20 billion IoT devices are expected by 2025, many of them unpatched and exposed to network attacks [3].

Software firewalls on ARM-based systems consume CPU resources and add latency, making them unsuitable for low-power embedded devices [4].

#### Concept

This project implements a hardware firewall directly in FPGA fabric to filter TCP and UDP packets, offloading packet inspection from the processor.

#### Integration

The firewall is connected to a Zynq processor via the AXI interface, running Petalinux for configuration and testing on a Zybo board.

#### Outcome

The result is a low-latency, high-throughput and efficient network firewall tailored for embedded systems.

### **Vivado Implementation**



Figure 1 – Vivado Implementation showing AXI Interface

| Resource | Utilization | Available | Utilization % |
|----------|-------------|-----------|---------------|
| LUT      | 3402        | 17600     | 19.33         |
| LUTRAM   | 693         | 6000      | 11.55         |
| FF       | 2912        | 35200     | 8.27          |
| BUFG     | 1           | 32        | 3.13          |

Table 1 – Vivado Resource Usage

### References

[1] netfilter. "The netfilter.org project." netfilter. https://www.netfilter.org/ (accessed 23 October, 2025).
[2] Digilent. "Zybo (Legacy)." Digilent. https://digilent.com/reference/programmable-logic/zybo/start (accessed 21 March, 2025).
[3] S. Sinha. "State of IoT 2024." IoT Analytics. https://iot-analytics.com/number-connected-devices/ (accessed 20 March, 2025).
[4] RedHat. "ARM vs. x86: What's the difference?" RedHat. https://www.redhat.com/en/topics/linux/ARM-vs-x86#arm-vs-x86-for-energy-usage (accessed 21 March, 2025).

### **Packet Processing FSM**

[State diagram. Recoverable state labels: Receive Ethernet Packet; EtherType Check (IPv4?); IP Version is 4; Check UDP or TCP; Extract SRC and DST IPs from IP Packet; Extract SRC and DST Ports from TCP/UDP Packet; Deny Packet; Return Data from FSM.]

Figure 2 – Packet Processing FSM
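A software reference model of the parse stages named in the FSM figure, as an added example that is not the project's HDL or code. The state order, the deny-on-fragment rule, the handling of IPv4 options and all identifiers are assumptions; rule matching is omitted because the page does not describe it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields the FSM extracts. All names in this example are illustrative. */
typedef struct {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  proto;               /* 6 = TCP, 17 = UDP */
} fw_tuple;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Returns 1 and fills *t when the frame reaches the extract states; 0 means deny. */
int fw_parse(const uint8_t *f, size_t len, fw_tuple *t) {
    memset(t, 0, sizeof *t);
    if (len < 14 + 20) return 0;                 /* truncated before a full IPv4 header */
    if (be16(f + 12) != 0x0800) return 0;        /* EtherType check: untagged IPv4 only */
    const uint8_t *ip = f + 14;
    if ((ip[0] >> 4) != 4) return 0;             /* IP version must be 4 */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;     /* IPv4 options shift the L4 header */
    if (ihl < 20 || len < 14 + ihl + 4) return 0;
    if (ip[9] != 6 && ip[9] != 17) return 0;     /* neither TCP nor UDP */
    if (be16(ip + 6) & 0x1FFF) return 0;         /* assumption: later fragments carry no ports */
    t->proto = ip[9];
    t->src_ip = be32(ip + 12);  t->dst_ip = be32(ip + 16);
    t->src_port = be16(ip + ihl);  t->dst_port = be16(ip + ihl + 2);
    return 1;
}

/* Constructed sample frame: UDP 192.0.2.1:5353 -> 198.51.100.7:53.
   ihl_words > 5 adds zeroed IPv4 options; f must hold at least 82 bytes. */
size_t fw_sample(uint8_t *f, unsigned ihl_words) {
    size_t ihl = (size_t)ihl_words * 4;
    memset(f, 0, 14 + ihl + 8);
    f[12] = 0x08; f[13] = 0x00;                  /* EtherType IPv4 */
    uint8_t *ip = f + 14;
    ip[0] = (uint8_t)(0x40 | ihl_words); ip[9] = 17;
    ip[12] = 192; ip[14] = 2; ip[15] = 1;        /* source address */
    ip[16] = 198; ip[17] = 51; ip[18] = 100; ip[19] = 7;
    ip[ihl] = 0x14; ip[ihl + 1] = 0xE9; ip[ihl + 3] = 53;   /* ports 5353 and 53 */
    return 14 + ihl + 8;
}

int main(void) {
    uint8_t f[96]; fw_tuple t;
    int ok = fw_parse(f, fw_sample(f, 6), &t);
    printf("%s proto=%u sport=%u dport=%u\n", ok ? "extract" : "deny", t.proto, t.src_port, t.dst_port);
    return 0;
}
```

A model like this can serve as a golden reference when comparing the fields the hardware extracts in simulation, including frames with IPv4 options where a fixed port offset would read the wrong bytes.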

### **System Block Design**



Figure 3 – System Block Design

### **System Results**



Figure 4 – System Results Comparing FPGA Firewall to Netfilter [1]



### **Acknowledgements**

Acknowledgements are given to fellow peer Carl Flottman for his assistance in debugging various Zybo and AXI-related issues encountered during the project's undertaking.

Joshua Pinti (joshuapinti@hotmail.com)