H3C SecPath Series M9000-AI-E Multiservice Security Gateway
To embrace the trend towards cloud computing, 5G, IoT, IPv6, big data, and high-performance computing, H3C designed the new-generation high-performance SecPath M9000-AI-E multiservice security gateway series for cloud computing data centers, Carrier-Grade NAT (CGN), large-sized enterprises, and campus networks.
The H3C SecPath M9000-AI-E series uses a dual-GPU, dual-CPU, and AI-chip architecture with an AI-powered computing module to deliver the following features:
All-around attack defense, abnormal traffic cleaning, unknown threat detection, server connection detection, sensitive data protection, Web application firewall (WAF), access control, security zone, denylist, traffic monitoring, mail filtering, webpage filtering, and application layer filtering, which effectively ensure network security.
Deep packet inspection (DPI) to provide robust protection for Web servers.
Application Specific Packet Filter (ASPF), which can inspect connection status and detect exceptional commands.
VPN services, including L2TP VPN, GRE VPN, IPsec VPN, and MPLS VPN.
Routing capabilities, including static routing, RIP, OSPF, BGP, and IS-IS, routing policies, and policy-based routing.
IPv4 and IPv6 dual stacks.
The H3C SecPath M9000-AI-E series provides the following hardware features to meet network availability, maintenance, upgrade, and optimization requirements:
Multi-core, fully distributed, and modular hardware architecture, allowing for more flexibility in networking and scaling.
1+1 MPU redundancy, unified configuration management, and security cluster.
Fan tray redundancy, fan status monitoring, and stepless speed regulation, which enables automatic fan speed adjustment based on temperature and card configuration.
M+N power module backup, AC and DC power module hot swapping, and load sharing. You can configure power modules based on system power consumption.
Mixed installation of service modules and interface modules for various performance requirements.
Hot swapping of all modules.
Uses a fully distributed hardware architecture that separates the control, service, and data planes and decouples key system components to improve reliability. Uses an independent switching engine to implement high-performance security service processing and forwarding.
Uses high-performance MPUs to implement unified configuration management and security clustering.
Has the highest service processing speed per card in the industry. Each card is capable of providing all Layer 2 to Layer 7 security features, including firewall, NAT, LB, IPS, AV, ACG, and VPN, simultaneously.
Uses built-in TCAM to ensure high speed searching for a great number of policy entries.
Uses a built-in modular software system with multi-process scheduling to improve system reliability. Processes run in isolation, so the failure of a single process does not affect other processes in the system.
Supports authority management to define read/write permissions of users based on feature, command line, system resource, and Web management level, improving system security.
Supports hot patching and ISSU, which allow system upgrading without interrupting services to improve system usability.
Uses H3C highly-available proprietary software and hardware platforms that have been proven by Telecom carriers and medium- to large-sized enterprises.
Supports 1:1 stateful failover: active/active stateful failover for load sharing and active/standby stateful failover for backup.
Supports N:N stateful failover, providing load sharing and service backup.
Supports Security Cluster Framework (SCF), including multi-chassis cluster and heterogeneous cluster.
Powerful security protection features
Attack protection—Detects and prevents various attacks, including Land, Smurf, UDP Snork attack, UDP Chargen DoS attack (Fraggle), large ICMP packet, ping of death, tiny fragment, Tear Drop, IP spoofing, IP fragment, ARP spoofing, reverse ARP lookup, invalid TCP flag, IP/port scanning, and common DDoS attacks such as SYN flood, UDP flood, ICMP flood, DNS flood, and CC.
Unified management—Manages the host and service modules as a single network element. You do not need to plan IP addresses for each card. This function saves IP addresses, facilitates deployment, and realizes comprehensive configuration management, performance monitoring, and log auditing.
IFF—Intelligent Flow Forwarding balances traffic across the deployed service modules to implement distributed traffic processing.
SCF—Supports multi-chassis cluster, which simplifies management and deployment, and implements resilient extension of security services and security performance.
SOP—Security ONE platform. It provides virtual firewall functions by using container-based virtualization technology.
Process-based isolation among SOPs.
Static and dynamic system resource dividing at a high level of granularity based on the unified OS kernel.
SOP quantity adjustment based on system requirements.
SOP capability adjustment based on user requirements.
Security zone—Allows you to configure security zones based on interfaces and VLANs.
Packet filtering—Allows you to apply standard or advanced ACLs between security zones to filter packets based on information contained in the packets, such as UDP and TCP port numbers. You can also configure time ranges during which packet filtering will be performed.
AAA—Supports authentication based on RADIUS/HWTACACS+/LDAP(AD), CHAP, and PAP.
Denylist—Supports static denylist and dynamic denylist.
NAT—Supports static NAT, source address NAT, destination address NAT, static CGN NAT, and dynamic CGN NAT.
P2P traversal—Supports Fullcone and Hairpin.
VPN—Supports L2TP, IPsec/IKE, GRE, and MPLS VPN.
Routing—Supports IPv4 and IPv6 static routing, ECMP routing, policy-based routing, IPv4 routing protocols (such as BGP, RIPv2, OSPF, and ISIS), and IPv6 routing protocols (such as BGP4+, OSPFv3, and ISISv6).
Security logs—Supports operation logs, interzone policy matching logs, attack protection logs, DS-LITE logs, and NAT444 logs.
Traffic monitoring, statistics, and management.
Flexible and extensible, integrated and advanced deep security
Robust Web protection—In addition to conventional IPS/AV solutions, the gateway provides precise and granular Web application protection for internal servers to effectively prevent the most troublesome CC attacks on servers, illegal server connections, and common attacks such as SQL injection, HTTP slow attacks, and cross-site scripting attacks. It checks the various requests from Web application clients to ensure their security and validity, and blocks illegal requests in real time. This provides robust security for all websites.
Unknown threats prevention—In the current complicated network environment, signature analysis alone is no longer adequate to prevent attacks and threats. The gateway supports using the sandbox solution to construct an isolated environment for threat detection and prevention. It sends network traffic to the sandbox for isolated analysis and blocks malicious traffic. With the sandbox, the gateway delivers the most effective solution to prevent typical advanced persistent threats (APTs).
Endpoint identification—Endpoint identification is a prerequisite for establishing secure IoT connections. When traffic from an endpoint flows through the gateway, the gateway can analyze and extract information about the endpoint, such as the vendor and model name, and it can send a log message to the user when the endpoint information changes (such as change of the camera vendor). In addition, the gateway can use Application Recognition (APR) and IPID trail tracking to detect network sharing behaviors through a NAT device or proxy.
Server connection detection (SCD)—SCD monitors internal servers and prevents them from becoming part of a botnet, launching attacks, or performing internal network penetration. SCD enables the gateway to learn the connections initiated by designated servers. The learning results provide the basis for the administrator to create SCD policies to monitor and log illegal connections initiated by the servers.
Highly precise and effective intrusion inspection engine—Uses the H3C-proprietary Full Inspection with Rigorous State Test (FIRST) engine and various intrusion inspection technologies to implement highly precise inspection of intrusions based on application states. The FIRST engine also supports software and hardware concurrent inspections to improve the inspection efficiency.
Real-time anti-virus protection—Uses the Kaspersky stream-based anti-virus module to prevent, detect, and remove malicious code from network traffic.
Complete and updated security signature database—H3C has a dedicated signature database team and professional attack protection labs that provide a precise and up-to-date signature database.
Industry-leading IPv6 features
Basic IPv6 protocols, including TCP6, UDP6, RAWIP6, ICMPv6, PPPoEv6, DHCPv6 server, DHCPv6 client, DHCPv6 relay, DNSv6, and RADIUS6.
IPv6 routing, including IPv6 static routing, IPv6 routing protocols (BGP4+, OSPFv3, and IS-ISv6), and policy-based routing.
IPv6 attack protection.
IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, automatic IPv4-compatible IPv6 tunnel, ISATAP tunnel, NAT444, and DS-Lite.
Next-generation multi-service features
Integrated link load balancing—Uses link state inspection and link busy detection technologies to apply link load balancing at the network egress and balance traffic among links.
Integrated SSL VPN feature—Uses USB-Key, SMS messages, and the enterprise's existing authentication system to authenticate users, providing mobile users with secure access to the enterprise network.
Basic DLP—Supports email filtering by SMTP mail address, subject, attachment, and content, HTTP URL and content filtering, FTP file filtering, and application layer filtering (including Java/ActiveX blocking and SQL injection attack prevention).
Policy hit analysis and policy optimization—Analyzes and identifies redundant and unmatched security policies so that administrators can perform informed, further analysis and handling of the policies. The application layer detection engine on the gateway can intelligently analyze potential risks in the traffic allowed by a security policy, and conduct an overall assessment of the safety levels of all security policies on the gateway.
Comprehensive management methods—Allows professional and powerful CLI management as well as simple and easy Web management, supports SNMPv3, and is compatible with SNMPv1 and SNMPv2c.
Port- and IP-based packet capture—Captures incoming and outgoing packets, and generates and saves the packet capture records to a .cap file on the local device or a remote server, so that you can open the file in a packet analyzer such as Wireshark for traffic analysis.
Packet loss analytics—Provides statistics about packets dropped during the forwarding process and by the security services (such as attack prevention, session management, and connection limit services) to help analyze in detail why packets were discarded.
Webpage diagnosis—Conducts basic diagnosis of the network when an internal user cannot access webpages, and provides the reasons for the failure.
Packet trace—Uses real traffic, imported packets, and constructed packets to trace packet processing by security services (such as attack protection, uRPF, session management, and connection limit services), and provides detailed information about the packets to help administrators troubleshoot network failures.
Centralized network security management with H3C Security Service Manager (SSM)—Collects and analyzes security information, and offers an intuitive view into network and security conditions, saving management efforts and improving management efficiency.
Centralized log management based on advanced data drill-down and analysis technology—Requests and receives information to generate logs, compiles different types of logs (such as syslogs and binary stream logs) in the same format, and compresses and stores large amounts of logs. You can encrypt and export saved logs to external storage devices such as DAS, NAS, and SAN to avoid loss of important security logs.
Abundant reports—Include application-based reports and stream-based analysis reports.
Report customization from the Web interface—Customizable contents include time range, data source device, generation period, and export format.
Supervisor engine module slots
Service module slots
Switching fabric module slots
Redundant supervisor engine modules, switching fabric modules, power supplies, and fan trays
Dimensions (H × W × D): 264 × 440 × 857 mm (10.39 × 17.32 × 33.74 in), 6 RU; 841.7 × 440 × 640 mm (33.14 × 17.32 × 25.20 in), 19 RU
Weight: < 140 kg (308.64 lb); < 220 kg (485.01 lb)
Power consumption: < 2252 W; < 3360 W
Operating temperature: 0°C to 45°C (32°F to 113°F)
Storage temperature: –40°C to +70°C (–40°F to +158°F)
Route, transparent, bridge
Portal, RADIUS, HWTACACS, PKI/CA (X.509 format), and domain authentications
Manual key, IKEv2, redundant VPN gateway, EAP authentication, IKEv2 redirection
Multiservice security gateway
Virtual multi-service security gateway
Attack protection against malicious attacks, such as land, smurf, fraggle, ping of death, tear drop, IP spoofing, IP fragmentation, ARP spoofing, reverse ARP lookup, invalid TCP flag, large ICMP packet, address/port scanning, SYN flood, ICMP flood, UDP flood, and DNS query flood
Dynamic packet filtering
ASPF application layer packet filtering
Static and dynamic blacklist function
802.1Q VLAN transparent transmission
ACL with rule matching criteria including security zone (security zone group), service, user, application, and time range
Security level evaluation for security policies, security policy optimization
Fuzzy search for security policies, including redundant and unmatched security policies
Policy creation, deletion, editing, migration on a third-party platform
State validity-based security monitoring
Access control by allowlist and denylist, one-key setting of allowlist and denylist
Dynamic routing protocols: RIP, OSPF, BGP, IS-IS
Policy-based routing with support for traffic matching criteria including source IP address, destination IP address, source port number, destination port number, service, application type, user, user group, incoming interface, outgoing interface, and link state
IPv4 and IPv6 dual-stack virus signature detection and protection, protecting against mail viruses, Web application viruses, common file viruses, Trojans, worms, malicious webpages, compressed data, packed executables, and viruses inside compressed packages (zip, gzip, tar)
Manual and automatic upgrade of the signature library, manual import of signature libraries
Cloud virus signature library
Virus detection based on HTTP, FTP, SMTP, and POP3
Support for detection of Backdoor, Email-Worm, IM-Worm, P2P-Worm, Trojan, AdWare, and Virus
Virus logs and reports
Web security protection
Web security detection
CC attack prevention
Server connection detection, allowing for learning parameter configuration
Prevention against attacks such as webpage Trojan injection (drive-by download) and Trojans
Prevention against brute force cracking of passwords for common Web services (including HTTP, FTP, SSH, SMTP, and IMAP) and common database software (such as MySQL, Oracle, and MSSQL)
Deep packet inspection
Prevention of attacks such as hacking, worms/viruses, Trojans, malicious code, and spyware/adware
Application scenario-specific security policy and attack defense template
Application layer (HTTP, HTTPS, DNS, FTP, and SIP) flood attack defense
Automatic generation of DDoS attack prevention policies through threshold-based and self-learning techniques
Prevention of attacks such as buffer overflow, SQL injection, and IDS/IPS bypass
Attack signature categories (based on attack types and target systems) and severity levels (including high, medium, low, and notification)
Manual and automatic upgrade for the attack signature database (TFTP and HTTP)
P2P/IM traffic identification and control
URL identification, malicious URL blocking, interoperation with a cloud URL server to expand the number of addresses in the URL address database
Local and cloud sandbox interoperation to detect APT attacks in real time and prevent unknown threats
Support for integration into a unified security management platform for network-wide security protection
HTTPS encrypted traffic inspection
SSL proxy and SSL decryption, decrypting the HTTPS traffic from the client (or server), implementing content security checks, auditing, and attack defense for the traffic
Refined classification and decryption of URLs
Email/webpage/application layer filtering
SMTP email address filtering
Email subject/content/attachment filtering
HTTP URL/content filtering
SQL injection attack prevention
Intelligent bandwidth control
Bandwidth guarantee for specific users, IP addresses, interfaces, or services
Maximum traffic limit, minimum traffic limit, or connection limit setting by user or IP
Application layer protocol-based flow control policy settings, including maximum/minimum bandwidth, guaranteed bandwidth, and protocol traffic priority
HTTP- and HTTPS-based application layer link load balancing
Transparent DNS proxy, DNS filtering, intelligent DNS
Server load balancing
Global load balancing
Link health monitoring
Intelligent link selection
Many-to-one NAT, which maps multiple internal addresses to one public address
Many-to-many NAT, which maps multiple internal addresses to multiple public addresses
One-to-one NAT, which maps one internal address to one public address
NAT capacity expansion through port reuse
NAT of both source address and destination address, source NAT address pool usage alarm
Access from external hosts to internal servers
Internal address to public interface address mapping
NAT support for DNS
Setting effective period for NAT
NAT ALGs, including DNS, FTP, H.323, ILS, MSN, NBT, PPTP, and SIP
IPv6 over IPv4 GRE tunnels
IPv6 stateful firewall
IPv6 interzone policy
IPv6 attack protection
IPv6 connection limit
IPv6 protocols such as ICMPv6, PMTU, Ping6, DNS6, TraceRT6, Telnet6, DHCPv6 Client, and DHCPv6 Relay
IPv6 routing: RIPng, OSPFv3, BGP4+, static routing, policy-based routing, PIM-SM, and PIM-DM
IPv6 transition techniques: NAT-PT, IPv6 tunneling, NAT64 (DNS64), and DS-LITE
Active/active and active/standby stateful failover
Asymmetric-path mode stateful failover
Static and dynamic link aggregation
HA with support for software of different versions
Configuration and management
Configuration management at the CLI
Remote management through Web
Device management through H3C IMC
SNMPv3, compatible with SNMPv2c and SNMPv1
Security policy optimization by simulating deployment of security policies and comparing the results
Compliance and legitimacy check of security policies by denylist, allowlist, application type, policy risk level, security rule, and hybrid rule
Security policy logs, NAT logs, attack defense logs, URL logs
Logs containing any combinations of security policy, NAT, attack defense, and URL information
Log sending at intervals
EU RoHS compliance
BOM part No
H3C SecPath M9000-AI-E8 Multiservice Security Gateway Appliance
H3C SecPath M9000-AI-E16 Multiservice Security Gateway Appliance
Supervisor engine modules
Install two supervisor engine modules for 1+1 redundancy.
BOM part No
H3C SecPath M9000-AI-E8 Supervisor Engine Module, Type A
H3C SecPath M9000-AI-E16 Supervisor Engine Module, Type A
Switching fabric modules
BOM part No
H3C SecPath M9000-AI-E8 Switching Fabric Module, Type A
H3C SecPath M9000-AI-E16 Switching Fabric Module, Type A
BOM part No
H3C SecPath M9000-AI-E AI Security Engine Module
H3C SecPath M9000-AI-E SecBlade V Next Generation Firewall A Module (MP)
BOM part No
H3C SecPath M9000-E Interface Switch A Module (SH)
H3C SecPath M9000-AI-E 24-Port 10Gb Ethernet Optical Interface Module (SFP+)
H3C SecPath M9000-AI-E 2-Port 100Gb Ethernet Optical Interface (QSFP28)+16-Port 10Gb Ethernet Optical Interface Module (SFP+)
H3C SecPath M9000-AI-E 4-Port 40Gb Ethernet Optical Interface (QSFP+)+16-Port 10Gb Ethernet Optical Interface Module (SFP+)
H3C SecPath M9000-AI-E 6-Port 100Gb Ethernet Optical Interface Module (QSFP28)
BOM part No
3000W AC & 240V-380V HVDC Power Supply Module
3000W AC Power Supply Module
2400W DC Power Supply Module
2400W AC Power Supply Module
BOM part No
H3C Fan Tray Module 8A, Rear-Out Airflow
H3C Fan Tray Module 16A, Rear-Out Airflow