For Hong Kong, China

H3C SecPath M9000 Series Firewall

HomeProducts & TechnologyEnterprise ProductsSecurityH3C SecPath M9000 Series Firewall
H3C SecPath M9000 Series

The H3C SecPath M9000 series products are new-generation multi-service network security gateways developed by H3C. The H3C SecPath M9000 series is designed for cloud computation data centers, service provider CGN, large-scale enterprises, and residential LANs. The series has received third-party certifications from ICSA Labs.

The H3C SecPath M9000 series supports the following functions:

* Attack protection, access control, security zone, blacklist, traffic monitoring, mail filtering, webpage filtering, and application layer filtering, which effectively ensure the network security.

* Application Specific Packet Filter (ASPF), which can inspect the connection status and detect exceptional commands.

* VPN services, including L2TP VPN, GRE VPN, IPsec VPN, and MPLS VPN.

* Carrier Grade NAT services.

* Routing capabilities, including static routing, dynamic routing (RIP/OSPF/BGP/ISIS), policy-based routing, and routing policies.

* IPv4 and IPv6 dual stacks.

The H3C SecPath M9000 series features the following to meet the network availability, maintenance, upgrade, and optimization requirements:

* Uses multi-core, fully distributed hardware architecture.

* The MPUs provide 1+1 redundancy, unified configuration management for the entire device, and security cluster support. The fan trays provide redundancy. The fan trays support fan status monitoring. The fans support stepless speed regulation, which can automatically adjust the fan speed according to the environment temperature and card configuration.

* The power modules support M+N backup. AC and DC power modules support hot swapping and load sharing. You can configure the power modules according to the system power consumption.

* The service engine and interface units support mix insertion. You can deploy them as needed to meet various performance requirements.

* All units of the device support hot swapping.

High-performance software and hardware platforms

The H3C SecPath M9000 series uses a fully distributed hardware architecture and a built-in modularized software system.

* The hardware architecture decouples the key system components to improve system reliability. The MPU, switching fabric modules, service engine, and interface unit have separate hardware, implementing the separation of control, service, and data.

* The hardware switching fabric modules is capable of processing and forwarding security services at a high speed.

* The high-performance MPU implements unified system configuration management and security cluster.

* The service engine uses an updated multicore processor to provide 40G/100G processing capability for security services. It uses hardware TCAM to ensure high speed searching of a great number of policy entries.

* The software system supports multi-process scheduling to improve system reliability. Processes are running separately. The failure of a single process does not affect other processes of the system.

* The software system supports privilege management to improve system security. It defines users read and write privileges based on features, command lines, system resources, and Web management levels.

* The software system supports hot patching and ISSU to allow system upgrading without interrupting services, improving system usability. Carrier-level high availability

* Uses H3C highly-available proprietary software and hardware platforms that have been proven by Telecom carriers and medium- to large-sized enterprises.

* Supports 1:1 stateful failover: active/active stateful failover for load sharing and active/standby stateful failover for backup.

* Supports N:N stateful failover, providing load sharing and service backup.

* Supports Security Cluster Framework (SCF), including multi-chassis cluster and heterogeneous cluster.

Powerful security protection features

* Attack protection—Detects and prevents various attacks, including Land, Smurf, UDP Snork attack, UDP Chargen DoS attack (Fraggle), large ICMP packet, ping of death, tiny fragment, Tear Drop, IP spoofing, IP fragment, ARP spoofing, reverse ARP lookup, invalid TCP flag, IP/port scanning, and common DDoS attacks such as SYN flood, UDP flood, ICMP flood, DNS flood, and CC.

* Unified management—Manages the host and service modules as a single network element. You do not need to plan IP addresses for each card. This function saves IP addresses, facilitates deployment, and realizes comprehensive configuration management, performance monitoring, and log auditing.

* IFF—Intelligent Flow Forwarding, which balances traffic on the deployed service engines to implement distributed traffic processing.

* SCF——Supports multi-chassis cluster, which simplifies management and deployment, and implements resilient extensions of security services and security performances. Supports heterogeneous cluster, making the cluster system more flexible. For example, M9006, M9010, and M9014 can form a cluster.

* SOP—Security ONE platform. It implements the virtual firewall function by using the container based virtualization technology.

* SOP implement process-based isolation.

* SOP can divide static and dynamic system resources at a high level of granularity based on the unified OS kernel.

* The number of SOP can be adjusted according to system requirements.

* The SOP capabilities can be adjusted according to user requirements.

* Security zone—Allows you to configure security zones based on interfaces and VLANs.

* Packet filtering—Allows you to apply standard or advanced ACLs between security zones to filter packets based on information contained in the packets, such as UDP and TCP port numbers. You can also configure time ranges during which packet filtering will be performed.

* ASPF—Dynamically determines whether to forward or drop a packet by checking its application layer protocol information and state (such as RAWIP, ICMP, ICMPv6, UDP-LITE, SCTP, and other application layer protocols based on TCP/UDP).

* AAA—Supports authentication based on RADIUS/HWTACACS+/LDAP(AD), CHAP, and PAP.

* Blacklist—Supports static blacklist and dynamic blacklist.

* NAT—Supports static NAT, source address NAT, destination address NAT, static CGN NAT, dynamic CGN NAT, and NAT ALG.

* P2P traversal—Supports Fullcone and Hairpin.

* VPN—Supports L2TP, IPsec/IKE, GRE, and MPLS VPN.

* Routing—Supports IPv4 and IPv6 static routing, ECMP routing, policy-based routing, IPv4 routing protocols (such as BGP, RIPv2, OSPF, and ISIS), and IPv6 routing protocols (such as BGP4+, OSPFv3, and ISISv6).

* Multicasting—Supports IGMP v1/v2/v3, PIM-SM, and PIM-DM.

* Security logsSupports operation logs, interzone policy matching logs, attack protection logs, DS-LITE logs, and NAT444 logs.

* Traffic monitoring, statistics, and management.

* Industry-leading protection—ICSA validated security and performance.

Industry-leading IPv6 features

* Basic IPv6 protocols, including TCP6, UDP6, RAWIP6, ICMPV6, PPPoEv6, DHCPV6 Server, DHCPv6 Client, DHCPV6 Relay, DNSv6, and RADIUS6.

* IPv6 routing protocols, including IPv6 static routing, IPv6 dynamic routing (BGP4+\OSPFv3\ISISV6), policy-based routing, and routing policy.

* IPv6 ASPF.

* IPv6 attack protection.

* IPv6 multicast.

* IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, automatic IPv4-compatible IPv6 tunnel, ISATAP tunnel, NAT444, and DS-Lite.

Intelligent management

* Support for SNMPv3, which is backward compatible with SNMPv1 and SNMPv2.

* CLI-based configuration and management.

* Unified management functions provided by the H3C iMC, which can collect and analyze security information, and offer an intuitive view into network and security conditions, saving management efforts and improving management efficiency.

* Centralized log management functions based on advanced data drill-down and analysis technology. It can request and receive information to generate logs, compile different types of logs (such as syslogs and binary stream logs) in the same format, and compress and store large amounts of logs. You can encrypt and export saved logs to external storage devices such as DAS, NAS, and SAN to avoid loss of important security logs.

* Abundant reports, including application-based reports and stream-based analysis reports.

* Export of reports in different formats, such as PDF, HTML, word, and txt.

* Report customization through the Web interface. Customizable contents include time range, data source device, generation period, and export format.





MPU slots




LPU slots


8 (vertical)


Switching fabric module slots




Redundancy design

Redundant MPUs, switching fabric modules, power modules, and fan trays

Redundant MPUs, switching fabric modules, power modules, and fan trays

Redundant MPUs, switching fabric modules, power modules, and fan trays

Size (W X H X D)

440mm x 353mm x 660 mm(8RU)

440mm x 886mm x 660mm(20RU)

440mm x 797mm x 660mm



< 85kg

< 143kg

< 145kg





Throughputs (*With two I/O modules)




Maximum Concurrent connections per single firewall blade




Connections per second per single firewall blade




IPSEC Throughputs (3DES,1400bytes) per single firewall blade




IPSEC concurrent tunnel per single firewall blade




Ambient temperature

Operating: 0°C to 45°C (32°F to 113°F)

Non operating: –40°C to +70°C (–40°F to +158°F)

Operating mode



Portal authentication

RADIUS authentication

HWTACACS authentication

PKI/CA (X.509 format) authentication

Domain authentication

CHAP authentication

PAP authentication

Multi-service security gateway

Virtual multi-service security gateway

Security zone

Attack protection against malicious attacks, such as land, smurf, fraggle, ping of death, tear drop, IP spoofing, IP fragmentation, ARP spoofing, reverse ARP lookup, invalid TCP flag, large ICMP packet, address/port scanning, SYN flood, ICMP flood, UDP flood, and DNS query flood

Basic and advanced ACL

Time range-based ACL

Dynamic packet filtering

ASPF application layer packet filtering

Static and dynamic blacklist function

MAC-IP binding

MAC-based ACL

802.1Q VLAN transparent transmission


Many-to-one NAT, which maps multiple internal addresses to one public address

Many-to-many NAT, which maps multiple internal addresses to multiple public addresses

One-to-one NAT, which maps one internal address to one public address

NAT of both source address and destination address

External hosts access to internal servers

Internal address to public interface address mapping

NAT support for DNS

Setting effective period for NAT

NAT ALGs for NAT ALG, including DNS, FTP, H.323, ILS, MSN, NBT, PPTP, and SIP







IPv6 status firewall

IPv6 interzone policy

IPv6 attack protection

IPv6 connection limit

IPv6 protocols such as ICMPv6, PMTU, Ping6, DNS6, TraceRT6, Telnet6, DHCPv6 Client, and DHCPv6 Relay.

IPv6 routing: RIPng, OSPFv3, BGP4+, static routing, policy-based routing, PIM-SM, and PIM-DM

IPv6 transition techniques: NAT-PT, IPv6 tunneling, NAT64 (DNS64), and DS-LITE

High availability

Active/active and active/standby stateful failover



Asymmetric-path mode stateful failover

IKE-based IPsec


Static and dynamic link aggregation



Patch images

Configuration management

Configuration management at the CLI

Remote management through Web

Device management through H3C IMC

SNMPv3, compatible with SNMPv2c and SNMPv1

Environmental protection




H3C SecPath M9000 with data center application scenario

* Stateful failover and reliable network design

* Powerful process capabilities

* Powerful VPN encryption capabilities

* Excellent attack protection capabilities to prevent single packet and flood attacks

* Abundant routing protocols, implementing integration of security and network




H3C SecPath M9006


H3C SecPath M9010


H3C SecPath M9014


M9000 Main Control Engine

At least one is required.

Sevrice enginess

Security engine


SecBlade Enhanced FW engine


SecBlade Enhanced IPS engine


SecBlade LB engine


Secblade NetStream engine


Secblade ACG engine


Secblade SSL engine


Interface unitss

Interface unit


48-port Gigabit electrical Ethernet interface unit


48-port Gigabit optical Ethernet interface unit


16-port Gigabit + 8-port combo + 2-port 10-Gigabit optical Ethernet interface unit


4-port 10-Gigabit optical Ethernet interface unit


8-port 10-Gigabit optical Ethernet interface unit


32-port 10-Gigabit optical Ethernet interface unit


4-port 40-Gigabit optical Ethernet interface unit


Switching fabric modules

Switching fabric module


H3C SecPath M9006 switching fabric module


3 + 1 redundancy.

H3C SecPath M9010 switching fabric module


3 + 1 redundancy.

H3C SecPath M9014 switching fabric module


3 + 1 redundancy.

Power modules

Power module


AC power module (2500 W)


DC power module (2400 W)


Are you an H3C partner? Log in to see additional resources.
You can find excellent H3C partners, or you can become one of them to build a
partnership with H3C and share success together.