High-performance hardware and software processing platform
Adopts a fully distributed architecture that separates the control, service and data planes: the control engine, service engine and interface unit run on separate hardware, decoupling the key components of the system and improving system reliability.
An independent high-performance control engine provides unified system configuration management and security clustering.
The security service engine uses the latest multi-core high-performance processor; the security service throughput of a single board is the highest in the industry. A single hardware board can simultaneously provide comprehensive L2 - L7 security defense, including firewall, NAT, LB, IPS, AV, ACG, VPN, etc.
The built-in modular software system supports multi-process scheduling with isolated address spaces between processes, so a failure in a single process does not affect other parts of the system, which improves system reliability. It supports privilege management: user read and write permissions are defined at the level of features, command lines, system resources and web management, which improves system security. It supports hot patching, so the system can be upgraded without interrupting services, which improves system availability.
Carrier-grade equipment with high reliability
Uses a software and hardware platform whose intellectual property rights are owned by H3C. The product has gone through years of market testing, from large and medium-sized enterprise users to major telecom operators.
Supports RBM (remote hot backup technology) 1:1 hot backup in Active/Active, Active/Passive and other working modes, providing load sharing and service backup.
Powerful security protection features
Supports rich attack defense functions, including defense against Land, Smurf, UDP Snork, UDP Chargen DoS (Fraggle), large ICMP traffic, Ping of Death, tiny fragment, Teardrop, IP spoofing, IP fragmentation, ARP spoofing, ARP active reverse query, illegal TCP flag bit, oversized ICMP packet, address scanning and port scanning attacks, as well as detection and defense of common DDoS attacks such as SYN Flood, UDP Flood, ICMP Flood, DNS Flood and CC.
Supports unified management: multi-service cards are always managed as a single network element, so there is no need to plan an IP address for each card. This saves the user's IP addresses, greatly reduces deployment complexity, and allows comprehensive device management, configuration management, performance monitoring and log auditing.
Supports intelligent flow distribution (IFF): after multi-service cards are deployed, traffic is automatically load-shared among the service cards for distributed processing.
Supports dividing security zones based on interfaces and VLANs.
Supports packet filtering: standard or extended access control rules applied between security zones filter packets using information such as the UDP or TCP ports in the packet, and filtering can also be applied according to time periods.
Supports authentication, authorization and accounting (AAA) services, including authentication based on RADIUS, HWTACACS+, LDAP (AD), CHAP, PAP, etc.
Supports static and dynamic blacklists.
Supports static NAT, source address NAT and destination address NAT.
Supports static and dynamic carrier CGN NAT.
Supports P2P traversal technologies such as Fullcone and Hairpin.
Supports VPN functions including L2TP, manual/automatic IPsec, GRE, MPLS VPN, etc.
Supports rich routing protocols: IPv4 and IPv6 static routing, equal-cost routing, policy routing, dynamic IPv4 routing protocols such as BGP, RIPng, OSPF and ISIS, and dynamic IPv6 routing protocols such as BGP4+, OSPFv3 and ISISv6.
Supports security logs: operation logs, inter-zone policy matching logs and attack defense logs; supports DS-Lite logs; supports NAT444 logs in China Telecom, China Unicom and China Mobile formats.
Supports traffic monitoring, statistics and management.
Flexible and scalable integrated deep security
In-depth web security protection goes beyond conventional IPS and AV protection and provides detailed web application protection for intranet servers. For the most troublesome attacks on servers, such as CC attacks, abnormal outbound connections, SQL injection, HTTP slow attacks and cross-site scripting, it inspects and verifies the content of requests from web application clients to ensure they are legitimate, blocks illegal requests in real time, and effectively protects websites.
Unknown threat detection: relying solely on signature analysis is no longer sufficient for complex network environments. Against typical APT (Advanced Persistent Threat) attacks, sandbox technology is one of the most effective defenses; it constructs an isolated threat detection environment. The H3C security gateway sends network traffic to the sandbox for isolated analysis, and the sandbox determines whether the traffic is a threat. If traffic is detected as malicious, the device blocks it.
Terminal identification and shared-access management: terminal identification is an important prerequisite for establishing secure connections in the Internet of Things and is used to identify IoT terminals. When terminal traffic flows through the device, the H3C security gateway can analyze and extract terminal information, such as the manufacturer and model of the terminal, and can send a log to the user as a prompt. At the same time, application detection and IPID detection are used to identify and manage shared Internet access through NAT or proxy technology.
Server abnormal outbound connection detection: server outbound protection is a protection mechanism for intranet servers that effectively identifies servers actively initiating outbound connections, applies outbound protection policies to identify abnormal packets, and outputs alarm information for administrators to process further. It gives the administrator a basis for checking the server, preventing it from becoming part of a botnet that launches external attacks or infiltrates the internal network.
The high-precision, high-efficiency intrusion detection engine uses the FIRST (Full Inspection with Rigorous State Test) engine, whose intellectual property rights are owned by H3C. The FIRST engine integrates a number of detection technologies to realize comprehensive inspection based on accurate state tracking and has very high intrusion detection accuracy; it also uses parallel detection technology and can be flexibly adapted to software and hardware, greatly improving intrusion detection efficiency.
Real-time virus detection engine that quickly and accurately removes viruses and other malicious code from network traffic.
Comprehensive and timely security signature database: through years of operation and accumulation, H3C has a senior attack signature team in the industry and a professional laboratory that keeps up with the latest developments in network security, ensuring timely and accurate signature database updates.
Industry-leading IPv6 features
Supports IPv6 basic protocols: TCP6, UDP6, RAWIP6, ICMPv6, PPPoEv6, DHCPv6 server, DHCPv6 client, DHCPv6 relay, DNSv6, RADIUS6, etc.; supports IPv6 routing protocols, including static routing, BGP4+, OSPFv3 and ISISv6, routing policy and policy routing; supports IPv6 ASPF.
Supports IPv6 attack defense and IPv6 multicast.
Supports various IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, IPv4-compatible IPv6 automatic tunnel, ISATAP tunnel, NAT444, DS-Lite, etc.
Next-generation multi-service features
Integrated link load balancing: through link state detection, link busy protection and other technologies, it effectively realizes automatic balancing across multiple links and automatic switching of the enterprise Internet egress.
Integrated SSL VPN meets the secure access requirements of mobile office workers and employees on business trips. It can combine USB-Key and SMS for mobile user identity authentication, and can also integrate with the enterprise's existing authentication system for unified authentication.
Supports basic DLP functions: email filtering with SMTP address, subject, attachment and content filtering; web page filtering with HTTP URL and content filtering; file filtering for network transmission protocols; and application-layer filtering with Java/ActiveX blocking and SQL injection attack prevention.
Professional intelligent management
Self-inspecting operation and maintenance, policy risk tuning: through redundancy and hit analysis of security policies, redundant and missing security policies are identified, helping administrators analyze and clean up the security policies on the device. At the same time, the application-layer detection engine intelligently analyzes the potential risks in the traffic allowed by the security policies and produces an overall assessment of the safety factor of all security policies on the device.
Supports standard SNMPv3 network management and is compatible with SNMP v1 and v2. Device management and security service configuration can be performed through the command line interface, meeting the needs of professional management and bulk configuration.
Supports packet capture based on interface and IP address. Captured packets are written to a .cap file recognized by Wireshark (a network packet analysis tool) and saved locally or to an external server so users can analyze and diagnose traffic entering and leaving the device.
Supports packet loss statistics to analyze and record the detailed reasons packets are discarded during forwarding by the device and its security service modules (such as attack defense, session management and connection limiting).
Supports a web page diagnosis function: when an intranet user fails to access a web page, basic network diagnosis is carried out and the cause of the failure is reported.
Supports packet tracing, using real traffic, imported packets or constructed packets to analyze and track a packet through each security service module in the device (such as attack defense, uRPF, session management and connection limiting). By viewing the detailed packet trace records, administrators can quickly troubleshoot and locate network faults.
Graphical interface providing easy-to-use web management.
Through H3C's self-developed management system, unified management integrates security information and event collection, analysis and response, solving the problems of isolated network and security devices, an unintuitive view of network security status, slow response to security incidents and difficulty locating network faults, so that IT and security administrators are freed from tedious management work, can concentrate on core business and work far more efficiently.
Normalizes logs in different formats (syslog, binary flow logs, etc.). Compression is used to store massive event logs, and log files can be automatically compressed, encrypted and saved to external storage systems such as DAS, NAS or SAN to avoid losing important security events.
Provides rich reports, mainly application-based reports and network-flow-based analysis reports; customizable content includes the time range of the data, the source device of the data, the generation cycle and the output type.
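As an added illustration of inter-zone packet filtering and of the policy redundancy analysis described above (example code written for this page, not H3C's implementation; the Policy layout, zone names and addresses are constructed), the following models first-match inter-zone policies and flags later rules that an earlier rule fully covers, distinguishing a harmless duplicate from a rule shadowed by an opposite action:

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# name, zone pair, source/destination CIDRs, (low, high) destination port range or None, "permit"/"deny"
Policy = namedtuple("Policy", "name src_zone dst_zone src dst dport action")

def covers(a, b):
    """True if every packet that matches policy b also matches policy a."""
    if (a.src_zone, a.dst_zone) != (b.src_zone, b.dst_zone):
        return False
    if not (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))):
        return False
    if a.dport is None:  # "any port" covers every port range
        return True
    return b.dport is not None and a.dport[0] <= b.dport[0] <= b.dport[1] <= a.dport[1]

def find_dead_policies(policies):
    """Under first-match evaluation a later policy fully covered by an earlier one never hits.
    Returns (dead, covering, kind): 'redundant' if the actions agree, 'shadowed' if not."""
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break
    return findings

def first_match(policies, src_zone, dst_zone, src_ip, dst_ip, dport):
    """Name of the first policy matching an inter-zone packet, or None (implicit deny)."""
    for p in policies:
        if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
            continue
        if ip_address(src_ip) in ip_network(p.src) and ip_address(dst_ip) in ip_network(p.dst):
            if p.dport is None or p.dport[0] <= dport <= p.dport[1]:
                return p.name
    return None

# Constructed sample policy set (hypothetical; not taken from any real device configuration).
SAMPLE_POLICIES = [
    Policy("P1", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", (80, 80), "permit"),
    Policy("P2", "trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", (80, 80), "permit"),  # redundant with P1
    Policy("P3", "trust", "dmz", "10.0.0.0/8", "192.168.10.0/24", None, "deny"),
    Policy("P4", "trust", "dmz", "10.2.0.0/24", "192.168.10.5/32", (443, 443), "permit"),  # shadowed by P3
    Policy("P5", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", (443, 443), "permit"),
]
```

A shadowed permit such as P4 is the case worth surfacing to an administrator: the intended HTTPS access to the DMZ host is silently dropped by the broader deny above it.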