Uses a fully distributed hardware architecture that separates the control, service, and data planes and decouples key system components to improve reliability. Uses an independent switching engine for high-performance security service processing and forwarding.
Uses high-performance MPUs for unified configuration management and security clustering.
Has the highest service processing speed per card in the industry. Each card can provide all Layer 2 to Layer 7 security features simultaneously, including firewall, NAT, LB, IPS, AV, ACG, and VPN.
Uses built-in TCAM to ensure high-speed lookup across a large number of policy entries.
Uses a built-in modular software system with multi-process scheduling to improve system reliability. Processes run in isolation, so the failure of a single process does not affect the other processes in the system.
Supports authority management, which defines users' read and write permissions by feature, command line, system resource, and Web management level, to improve system security.
Supports hot patching and ISSU, which allow the system to be upgraded without interrupting services, to improve system availability.
Uses H3C highly-available proprietary software and hardware platforms that have been proven by Telecom carriers and medium- to large-sized enterprises.
Supports 1:1 stateful failover: active/active stateful failover for load sharing and active/standby stateful failover for backup.
Supports N:N stateful failover, providing load sharing and service backup.
Supports Security Cluster Framework (SCF), including multi-chassis cluster and heterogeneous cluster.
Powerful security protection features
Attack protection—Detects and prevents various attacks, including Land, Smurf, UDP Snork, UDP Chargen DoS (Fraggle), large ICMP packet, ping of death, tiny fragment, Teardrop, IP spoofing, IP fragment, ARP spoofing, reverse ARP lookup, invalid TCP flag, IP/port scanning, and common DDoS attacks such as SYN flood, UDP flood, ICMP flood, DNS flood, and CC.
Unified management—Manages the host and service modules as a single network element, so you do not need to plan an IP address for each card. This saves IP addresses, facilitates deployment, and enables comprehensive configuration management, performance monitoring, and log auditing.
IFF—Intelligent Flow Forwarding balances traffic across the deployed service modules to implement distributed traffic processing.
SCF—Supports multi-chassis clustering, which simplifies management and deployment and provides resilient scaling of security services and security performance.
SOP—Security ONE Platform. Provides virtual firewall functions by using container-based virtualization technology:
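Several of the attacks named above (Land, Smurf, Fraggle, ping of death, tiny fragment, invalid TCP flag combinations) can be recognised from IP and transport header fields alone. The following is an added example, not H3C code and not a description of the gateway's engine: it models a packet as a small dataclass (the field names are this example's own assumptions) and applies those header checks to a few constructed sample packets.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Packet:
    """Hypothetical packet summary used only by this example (not a real capture)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: Set[str] = field(default_factory=set)
    total_len: int = 84             # reassembled IP datagram length in bytes
    frag_offset: int = 0            # byte offset of this fragment; 0 = first fragment
    more_fragments: bool = False    # IP "more fragments" flag
    payload_len: int = 56           # bytes carried by this fragment


def check_packet(p: Packet) -> List[str]:
    """Return the names of the header-level attack patterns the packet matches."""
    findings: List[str] = []

    # Land: source and destination address (and port, for TCP/UDP) are identical.
    if p.src == p.dst and p.proto in ("tcp", "udp") and p.sport == p.dport:
        findings.append("land")

    # Smurf / Fraggle: ICMP echo or UDP echo/chargen aimed at a broadcast address
    # (".255" is a simplification; a real engine checks the subnet's broadcast address).
    if p.dst.endswith(".255"):
        if p.proto == "icmp":
            findings.append("smurf")
        elif p.proto == "udp" and p.dport in (7, 19):
            findings.append("fraggle")

    # Ping of death: the reassembled ICMP datagram exceeds the 65535-byte IP maximum.
    if p.proto == "icmp" and p.total_len > 65535:
        findings.append("ping_of_death")

    # Tiny fragment: the first fragment is too small to hold a full 20-byte TCP header,
    # so port numbers and flags would only be visible after reassembly.
    if (p.proto == "tcp" and p.frag_offset == 0 and p.more_fragments
            and p.payload_len < 20):
        findings.append("tiny_fragment")

    # Invalid TCP flag combinations typical of scanners.
    if p.proto == "tcp":
        f = p.tcp_flags
        if not f:
            findings.append("null_scan")
        if {"SYN", "FIN"} <= f:
            findings.append("syn_fin")
        if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
            findings.append("xmas")
    return findings


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count matches per pattern, the way an attack-protection log summary would."""
    counts: Dict[str, int] = {}
    for p in packets:
        for name in check_packet(p):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample traffic (addresses and ports are made up for this example).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.5", "tcp", 139, 139, {"SYN"}),          # Land
    Packet("10.0.0.9", "192.168.1.255", "icmp"),                      # Smurf
    Packet("10.0.0.2", "10.0.0.3", "tcp", 40000, 443, {"SYN", "ACK"}), # normal
    Packet("10.0.0.9", "10.0.0.1", "tcp", 40000, 80, {"FIN", "PSH", "URG"}),  # Xmas
    Packet("10.0.0.9", "10.0.0.1", "icmp", total_len=65600),          # ping of death
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.src} -> {p.dst} {p.proto}: {check_packet(p) or 'clean'}")
    print(summarize(SAMPLE_PACKETS))
```

These checks are stateless; the flood and scan detections also listed above need per-source rate counters over time, which this example does not model.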
● Process-based isolation among SOPs.
● Static and dynamic system resource division at a fine level of granularity, based on the unified OS kernel.
● SOP quantity adjustment based on system requirements.
● SOP capability adjustment based on user requirements.
Security zone—Allows you to configure security zones based on interfaces and VLANs.
Packet filtering—Allows you to apply standard or advanced ACLs between security zones to filter packets based on header information such as UDP and TCP port numbers. You can also configure time ranges during which packet filtering is performed.
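To make the zone-pair, ACL and time-range relationship concrete, here is an added example written for this page (it is not H3C code and does not reproduce the device's command syntax or its actual defaults): interfaces are assigned to zones, an ordered rule list is bound to a (source zone, destination zone) pair, and a rule carrying a time range only matches while that range is active. The zone names, interface names, addresses and the "deny when no policy exists" default are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TimeRange:
    start: time
    end: time
    weekdays: Set[int]              # 0 = Monday ... 6 = Sunday

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass
class Rule:
    """One ACL rule; None for a field means 'match any'."""
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, now: datetime) -> bool:
        # A rule bound to a time range is simply inactive outside it.
        if self.time_range is not None and not self.time_range.active(now):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


class ZoneFirewall:
    def __init__(self) -> None:
        self.zone_of_iface: Dict[str, str] = {}
        self.policies: Dict[Tuple[str, str], List[Rule]] = {}

    def add_zone(self, zone: str, ifaces: List[str]) -> None:
        for iface in ifaces:
            self.zone_of_iface[iface] = zone

    def add_policy(self, src_zone: str, dst_zone: str, rules: List[Rule]) -> None:
        self.policies[(src_zone, dst_zone)] = rules

    def decide(self, pkt: dict, now: datetime) -> str:
        src_zone = self.zone_of_iface.get(pkt["in_iface"])
        dst_zone = self.zone_of_iface.get(pkt["out_iface"])
        rules = self.policies.get((src_zone, dst_zone))
        if rules is None:
            return "deny"           # example choice: no interzone policy -> drop
        for rule in rules:          # first match wins, like an ACL
            if rule.matches(pkt, now):
                return rule.action
        return "deny"               # implicit deny at the end of the rule list


# Constructed example policy: office hours on weekdays, hypothetical interface names.
WORK_HOURS = TimeRange(time(8, 0), time(18, 0), {0, 1, 2, 3, 4})
WORKDAY = datetime(2024, 1, 10, 10, 0)   # a Wednesday, 10:00
WEEKEND = datetime(2024, 1, 13, 10, 0)   # a Saturday, 10:00


def build_example_firewall() -> ZoneFirewall:
    fw = ZoneFirewall()
    fw.add_zone("Trust", ["GE1/0/1"])
    fw.add_zone("Untrust", ["GE1/0/2"])
    fw.add_zone("DMZ", ["GE1/0/3"])
    fw.add_policy("Trust", "Untrust", [
        Rule("permit", "tcp", src="192.168.10.0/24", dport=80, time_range=WORK_HOURS),
        Rule("permit", "udp", src="192.168.10.0/24", dport=53),
        Rule("deny"),
    ])
    fw.add_policy("Untrust", "DMZ", [
        Rule("permit", "tcp", dst="10.1.1.0/24", dport=443),
    ])
    return fw


SAMPLE_PACKETS = {
    "web": {"in_iface": "GE1/0/1", "out_iface": "GE1/0/2", "proto": "tcp",
            "src": "192.168.10.20", "dst": "203.0.113.7", "dport": 80},
    "dns": {"in_iface": "GE1/0/1", "out_iface": "GE1/0/2", "proto": "udp",
            "src": "192.168.10.20", "dst": "203.0.113.53", "dport": 53},
    "inbound_to_trust": {"in_iface": "GE1/0/2", "out_iface": "GE1/0/1", "proto": "tcp",
                         "src": "203.0.113.9", "dst": "192.168.10.20", "dport": 445},
    "dmz_https": {"in_iface": "GE1/0/2", "out_iface": "GE1/0/3", "proto": "tcp",
                  "src": "203.0.113.9", "dst": "10.1.1.10", "dport": 443},
    "dmz_ssh": {"in_iface": "GE1/0/2", "out_iface": "GE1/0/3", "proto": "tcp",
                "src": "203.0.113.9", "dst": "10.1.1.10", "dport": 22},
}


def evaluate(fw: ZoneFirewall, now: datetime) -> Dict[str, str]:
    return {name: fw.decide(pkt, now) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    fw = build_example_firewall()
    print("workday:", evaluate(fw, WORKDAY))
    print("weekend:", evaluate(fw, WEEKEND))
```

The same web request is permitted on a weekday morning and denied on Saturday because the only permitting rule is tied to the time range, and the trailing deny rule then matches; traffic between zones with no policy at all never reaches a rule list.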
AAA—Supports authentication based on RADIUS/HWTACACS+/LDAP(AD), CHAP, and PAP.
Denylist—Supports static denylist and dynamic denylist.
NAT—Supports static NAT, source address NAT, destination address NAT, static CGN NAT, and dynamic CGN NAT.
P2P traversal—Supports Fullcone and Hairpin.
VPN—Supports L2TP, IPsec/IKE, GRE, and MPLS VPN.
Routing—Supports IPv4 and IPv6 static routing, ECMP routing, policy-based routing, IPv4 routing protocols (such as BGP, RIPv2, OSPF, and ISIS), and IPv6 routing protocols (such as BGP4+, OSPFv3, and ISISv6).
Security logs—Supports operation logs, interzone policy matching logs, attack protection logs, DS-LITE logs, and NAT444 logs.
Traffic monitoring, statistics, and management.
Flexible and extensible, integrated and advanced deep security
Robust Web protection—In addition to conventional IPS/AV solutions, the gateway provides precise and granular Web application protection for internal servers, effectively preventing the most troublesome CC attacks on servers, illegal server connections, and common attacks such as SQL injection, HTTP slow attacks, and cross-site scripting. It checks requests from Web application clients for security and validity and blocks illegal requests in real time, bringing robust security to all websites.
Unknown threat prevention—In today's complex network environment, signature analysis alone is no longer adequate to prevent attacks and threats. The gateway supports a sandbox solution that constructs an isolated environment for threat detection and prevention: it sends network traffic to the sandbox for isolated analysis and blocks traffic found to be malicious. With the sandbox, the gateway delivers the most effective solution for preventing typical advanced persistent threats (APTs).
Endpoint identification—Endpoint identification is a prerequisite for establishing secure IoT connections. When traffic from an endpoint flows through the gateway, the gateway can analyze and extract information about the endpoint, such as the vendor and model name, and can send a log message to the user when the endpoint information changes (such as a change of camera vendor). In addition, the gateway can use Application Recognition (APR) and IPID trail tracking to detect network sharing through a NAT device or proxy.
Server connection detection (SCD)—SCD monitors internal servers and prevents them from becoming part of a botnet, launching attacks, or performing internal network penetration. SCD enables the gateway to learn the connections initiated by designated servers. The learning results give the administrator a basis for creating SCD policies that monitor and log illegal connections initiated by the servers.
Highly precise and effective intrusion inspection engine—Uses the H3C-proprietary Full Inspection with Rigorous State Test (FIRST) engine and various intrusion inspection technologies to implement highly precise inspection of intrusions based on application states. The FIRST engine also supports software and hardware concurrent inspections to improve the inspection efficiency.
Real-time anti-virus protection—Uses the Kaspersky stream-based anti-virus module to prevent, detect, and remove malicious code from network traffic.
Complete and up-to-date security signature database—H3C has an experienced signature database team and professional attack protection labs that provide a precise and up-to-date signature database.
Industry-leading IPv6 features
Basic IPv6 protocols, including TCP6, UDP6, RAWIP6, ICMPv6, PPPoEv6, DHCPv6 server, DHCPv6 client, DHCPv6 relay, DNSv6, and RADIUS6.
IPv6 routing, including IPv6 static routing, IPv6 dynamic routing protocols (BGP4+/OSPFv3/ISISv6), and policy-based routing.
IPv6 ASPF.
IPv6 attack protection.
IPv6 multicast.
IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, automatic IPv4-compatible IPv6 tunnel, ISATAP tunnel, NAT444, and DS-Lite.
Next-generation multi-service features
Integrated link load balancing—Uses link state inspection and link busy detection to balance traffic across the links at a network egress.
Integrated SSL VPN feature—Uses USB-Key, SMS messages, and the enterprise's existing authentication system to authenticate users, providing secure access of mobile users to the enterprise network.
Basic DLP—Supports email filtering by SMTP mail address, subject, attachment, and content, HTTP URL and content filtering, FTP file filtering, and application layer filtering (including Java/ActiveX blocking and SQL injection attack prevention).
Intelligent management
Policy hit analysis and policy optimization—Analyzes and identifies redundant and unmatched security policies so that administrators can perform informed further analysis and handling of the policies. The application layer detection engine on the gateway can intelligently analyze potential risks in the traffic allowed by a security policy and produce an overall assessment of the safety level of every security policy on the gateway.
Comprehensive management methods—Allows professional and powerful CLI management as well as simple and easy Web management, supports SNMPv3, and is compatible with SNMPv1 and SNMPv2c.
Port- and IP-based packet capture—Captures incoming and outgoing packets and saves the capture records to a .cap file on the local device or a remote server, so that you can open the file in a packet analyzer such as Wireshark for traffic analysis.
Packet loss analytics—Provides statistics about packets dropped during forwarding and by the security services (such as attack prevention, session management, and connection limit services) so that the detailed reasons for packet discarding can be analyzed.
Webpage diagnosis—Conducts a basic diagnosis of the network when an internal network user fails to access webpages, and reports the reasons for the failure.
Packet trace—Uses real traffic, imported packets, or constructed packets to trace packet processing by the security services (such as attack protection, uRPF, session management, and connection limit services), and provides detailed information about the packets to help administrators troubleshoot network failures.
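The .cap file mentioned above is the classic libpcap format that Wireshark opens directly: a 24-byte global header followed by one 16-byte record header plus truncated frame bytes per packet. The following added example (written for this page, not H3C code, and not the gateway's own capture implementation) writes a capture of two constructed Ethernet/IPv4/UDP frames with a snap length, reads it back, and shows how the recorded length and the original length differ for a truncated packet. The MAC addresses, IP addresses and ports are made up.

```python
import os
import socket
import struct
import tempfile
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet II / IPv4 / UDP frame (UDP checksum left at 0 = not computed)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return eth + ip + udp


def write_pcap(path: str, packets: List[Tuple[float, bytes]], snaplen: int = 65535) -> None:
    """Write frames as a libpcap file; frames longer than snaplen are truncated on disk."""
    with open(path, "wb") as f:
        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, data in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            incl = min(len(data), snaplen)
            f.write(struct.pack("<IIII", sec, usec, incl, len(data)))
            f.write(data[:incl])


def read_pcap(path: str) -> List[Tuple[float, int, int, bytes]]:
    """Return (timestamp, captured_len, original_len, bytes) for every record."""
    records = []
    with open(path, "rb") as f:
        magic, _, _, _, _, _, link = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
            raise ValueError("not a little-endian Ethernet pcap file")
        while True:
            rec_hdr = f.read(16)
            if len(rec_hdr) < 16:
                break
            sec, usec, incl, orig = struct.unpack("<IIII", rec_hdr)
            records.append((sec + usec / 1_000_000, incl, orig, f.read(incl)))
    return records


def demo_roundtrip(snaplen: int = 96):
    """Write two constructed frames with a snap length, read them back, return both."""
    frames = [
        build_udp_frame("192.0.2.10", "192.0.2.53", 40001, 53, b"A" * 18),    # 60 bytes
        build_udp_frame("192.0.2.53", "192.0.2.10", 53, 40001, b"B" * 200),   # 242 bytes
    ]
    fd, path = tempfile.mkstemp(suffix=".cap")
    os.close(fd)
    try:
        write_pcap(path, [(1700000000.25, frames[0]), (1700000000.75, frames[1])], snaplen)
        records = read_pcap(path)
    finally:
        os.unlink(path)
    return frames, records


if __name__ == "__main__":
    _, recs = demo_roundtrip()
    for ts, incl, orig, _ in recs:
        print(f"t={ts:.6f} captured={incl} original={orig} truncated={incl < orig}")
```

When a capture is taken with a snap length, the second record's captured length (96) is smaller than its original length (242); Wireshark flags such frames as truncated, which is worth keeping in mind before concluding that a payload was short on the wire.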
Centralized network security management with H3C Security Service Manager (SSM)—Collects and analyzes security information, and offers an intuitive view into network and security conditions, saving management efforts and improving management efficiency.
Centralized log management based on advanced data drill-down and analysis technology—Requests and receives information to generate logs, compiles different types of logs (such as syslogs and binary stream logs) in the same format, and compresses and stores large amounts of logs. You can encrypt and export saved logs to external storage devices such as DAS, NAS, and SAN to avoid loss of important security logs.
Abundant reports—Include application-based reports and stream-based analysis reports.
Report customization from the Web interface—Customizable contents include time range, data source device, generation period, and export format.