High-performance software and hardware platforms
The firewall series is powered by advanced 64-bit multi-core processors and caches.
Carrier-level high availability
Adopts H3C highly-available proprietary software and hardware platforms that have been successfully applied in many Telecom carriers and small- to medium-sized enterprises.
Supports H3C SCF, which can virtualize multiple devices into one device for service backup and system performance improvement.
Powerful security protection features
Attack protection—Detects and prevents various attacks, including Land, Smurf, Fraggle, ping of death, Tear Drop, IP spoofing, IP fragment, ARP spoofing, reverse ARP lookup, invalid TCP flag, large ICMP packet, IP/port scanning, and common DDoS attacks such as SYN flood, UDP flood, DNS flood, and ICMP flood.
SOP 1:N virtualization—Adopts the container-based virtualization technology. An F5000 firewall can be virtualized into multiple logical firewalls, which have the same features as the physical firewall. Each virtual firewall can have its own security policy and can be managed independently.
Security zone—Allows users to configure security zones based on interfaces and VLANs.
Packet filtering—Allows users to apply standard or advanced ACLs between security zones to filter packets based on information contained in the packets, such as UDP and TCP port numbers. Users can also configure time ranges during which packet filtering will be performed.
ASPF—Dynamically determines whether to forward or drop a packet by checking its application layer protocol information and state. ASPF supports inspecting FTP, HTTP, SMTP, RTSP, and other TCP/UDP-based application layer protocols.
AAA—Supports authentication based on RADIUS/HWTACACS+, CHAP, PAP, and LDAP.
Blacklist—Supports static blacklist and dynamic blacklist.
NAT and VRF-aware NAT.
VPN—Supports L2TP, IPsec/IKE, GRE, and SSL VPNs. Allows smart devices to connect to the VPNs.
Routing—Supports static routing, RIP, OSPF, BGP, routing policies, and application- and URL-based policy-based routing.
Security logs—Supports operation logs, zone pair policy matching logs, attack protection logs, DS-LITE logs, and NAT444 logs.
Traffic monitoring, statistics, and management.
Flexible and extensible, integrated and advanced security
Integrated security service processing platform. The firewall tightly integrates basic and advanced security protection measures into a single security platform.
Application layer traffic identification and management.
Adopts the state machine and traffic exchange inspection technologies to detect traffic of P2P, IM, network game, stock, network video, and network multi-media applications, such as Thunder, Web Thunder, BitTorrent, eMule, eDonkey, WeChat, Weibo, QQ, MSN, and PPLive.
Adopts the deep inspection technology to identify P2P traffic precisely and provides multiple policies to control and manage the P2P traffic flexibly.
Highly precise and effective intrusion inspection engine. The firewall uses the H3C-proprietary Full Inspection with Rigorous State Test (FIRST) engine and various intrusion inspection technologies to implement highly precise inspection of intrusions based on application states. The FIRST engine also supports software and hardware concurrent inspections to improve the inspection efficiency.
Real-time virus protection. The firewall uses the stream-based antivirus engine to prevent, detect, and remove malicious code from network traffic.
Massive URL category filtering. The firewall supports local + cloud mode, 139 category libraries, and over 20 million URL rules.
Complete and updated security signature database. H3C has a senior signature database team and professional attack protection labs, guaranteeing the signature database is always precise and up to date.
Industry-leading IPv6 features
IPv6 stateful firewall.
IPv6 attack protection.
IPv6 data forwarding, IPv6 static routing and dynamic routing, and IPv6 multicast.
IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, automatic IPv4-compatible IPv6 tunnel, ISATAP tunnel, NAT444, and DS-Lite.
IPv6 ACL and RADIUS.
Next-generation multi-service features
Integrated link load balancing feature: This feature uses the link state inspection and link busy detection technologies, and applies to a network egress to balance traffic among links.
Integrated SSL VPN feature: This feature can use USB-Key, SMS messages, and the enterprise's existing authentication system to authenticate users, providing secure access of mobile users to the enterprise network.
Data leakage prevention (DLP): The firewall supports email filtering by SMTP mail address, subject, attachment, and content, HTTP URL and content filtering, FTP file filtering, and application layer filtering (including Java/ActiveX blocking and SQL injection attack prevention).
Intrusion prevention system (IPS): The firewall supports Web attack identification and protection, such as cross-site scripting attacks and SQL injection attacks.
Antivirus (AV): The firewall uses a high-performance virus engine that can protect against more than 5 million viruses and Trojan horses. The virus signature database is automatically updated every day.
Unknown threat defense: By cooperating with the situation awareness platform, the firewall can quickly detect attacks and locate problems. Once a single point is attacked, the firewall can trigger security warnings and respond quickly across the whole network.
Intelligent and unified security policy management, which detects duplicate policies, optimizes policy matching rules, and detects and proposes security policies dynamically generated in the internal network.
SNMPv3, compatible with SNMPv1 and SNMPv2.
CLI-based configuration and management.
Web-based management, with simple, user-friendly GUI.
Unified security management provided by the H3C SSM, which can collect and analyze security information, and offer an intuitive view into network and security conditions, saving management efforts and improving management efficiency.
Centralized log management based on advanced data drill-down and analysis technology. It can request and receive information to generate logs, compile different types of logs (such as syslogs and binary stream logs) in the same format, and compress and store large amounts of logs. Users can encrypt and export saved logs to external storage devices such as DAS, NAS, and SAN to avoid loss of important security logs.
Abundant reports, including application-based reports and stream-based analysis reports.
Export of reports in different formats, such as PDF, HTML, Word, and TXT.
Report customization through the Web interface. Customizable contents include time range, data source device, generation period, and export format.
Service chain is a forwarding technology used to guide network traffic through service nodes. It is based on the Overlay technology and combines the software-defined network (SDN) centralized management theory. Users can configure service chains by using a virtual converged framework controller (VCFC).
Service chain implements the following functions:
Decoupling the tenant logical network and the physical network, and separating the control plane from the forwarding plane.
Service resource allocation and deployment on demand with no physical topology restriction.
Dynamic creation and automatic deployment of network function virtualization (NFV) resource pools.
Tenant-specific service arrangement and modification without affecting the physical topology and other tenants.