Industry-leading network security platform
Running the industry-leading Comware 7 operating system, the vFW delivers the following benefits:
Rich network and security functionalities, meeting different network security demands of enterprise branches and public cloud multi-tenant environments.
Makes full use of computing resources with the control plane and the data plane separated and multi-core data forwarding specifically optimized for the virtual environment.
Modular architecture and open network platform allow the network to be operated and controlled on demand, making NFV/SDN implementation easier.
Shares a unified software platform with physical network devices, providing the same features and functionalities and a consistent management interface.
With the service chain technology, it enables dynamic creation and automated deployment of NFV resource pools and allows flexible orchestration and modification of tenant services without affecting the physical topology and other tenants.
Supports the IRF technology, which can virtualize two vFWs into one distributed logical device for collaborative operation, unified management, and uninterrupted maintenance.
Supports ISSU, which enables upgrade without service interruptions.
Supports NAT64, NAT444, and DS-Lite technologies to enable seamless transition from IPv4 to IPv6.
Supports license server licensing. Unified license installation, operation, and management on the license server enables automated batch deployment of VNFs. Decoupling licensing from the device and unified licensing allows license pooling and reuse and reduces the licensing cost. This licensing method is highly secure, and can effectively prevent piracy and protect the legitimate rights and interests of users.
Ultra-lightweight deployment
Suitable for deployment on public clouds, with zero transportation, zero cabling, and accelerated deployment.
Operable on multiple mainstream hypervisors including VMware ESXi, Linux KVM, and H3C CAS, it gives full play to the advantages of virtualization and enables rapid deployment, batch deployment, image backup, rapid recovery, and flexible migration.
Provides software images in ISO, OVA, IPE, and QCOW2 formats, adapting to deployment in various environments.
Supports multiple deployment tools including the VM management platform, network management platform, and local platform, allowing complete flexibility in deployment.
Allows dynamic creation or deletion of vFW1000s from H3C VNF Manager.
Superb service resiliency
The vFW provides superb service resiliency:
Operable on multiple mainstream hypervisors including VMware ESXi, Linux KVM, and H3C CAS, it can adapt to various deployment environments.
Allows enterprises to build an enterprise network in a virtualized environment and allocate and manage network resources and services dynamically on demand. For example, the number and type of network interfaces can be flexibly adjusted as needed, eliminating the need to purchase new hardware cards.
Through dynamic adjustment of virtual resources and licenses, you can upgrade software smoothly and improve device performance on demand as business grows.
Comprehensive security assurance
Powerful security protection features
Packet filtering—Allows you to apply standard or advanced ACLs on incoming and outgoing packets based on information contained in the packets, such as priority, ToS, and UDP or TCP port number. You can also configure time ranges during which packet filtering will be performed.
ASPF—Dynamically determines whether to forward or drop a packet by checking its application layer protocol information and state. ASPF supports inspecting FTP, HTTP, SMTP, RTSP, and other TCP/UDP-based application layer protocols.
Attack defense—Detects and prevents various attacks, including Land, Smurf, Fraggle, ping of death, Tear Drop, IP spoofing, IP fragment, ARP spoofing, reverse ARP lookup, invalid TCP flag, large ICMP packet, IP/port scanning, and common DDoS attacks such as SYN flood, UDP flood, DNS flood, and ICMP flood.
VPN—Supports multiple VPN services, including L2TP VPN, IPsec VPN, and GRE VPN, allowing remote access through dial-up, leased line, VLAN, or tunnel, and establishment of various forms of VPNs such as Internet, intranet, or access VPNs as needed. Combined with firewall, AAA, NAT, and various QoS technologies, the vFW ensures secure, reliable private network service over the open Internet.
Security zone—Allows you to configure security zones based on interfaces and VLANs.
Denylist—Supports static denylist and dynamic denylist.
Routing—Supports static routing, policy-based routing, and dynamic routing protocols such as RIP and OSPF.
Complete NAT solution
Provides many-to-one, address pool, ACL control and other address translation methods, supports multiple different address translation services on one interface, and provides FTP, Telnet, and WWW services through the internal server, delivering a complete NAT solution for users.
In addition to general NAT functions, the vFW can also provide NAT ALG for various application protocols, including VoIP and video multimedia applications such as H323, RAS, SIP, SCCP, and RTSP, PPTP VPN applications, and commonly used applications such as FTP, TFTP, DNS, NBT, ICMP, HWCC, and ILS.
Advanced security management
The vFW provides various types of logs including real-time attack logs, denylist logs, session logs, and NAT logs, which provide a sound basis for administrators to analyze the network situation and prevent network attacks.
The vFW supports management from the H3C IMC management system, which collects and analyzes security information, and offers an intuitive view into network and security conditions, saving management efforts and improving management efficiency.
Wide range of authentication options
The vFW provides a wide range of authentication options to ensure access security.
Role-based access control—Assigns permissions based on user roles, which can prevent low-privileged users from obtaining or modifying configuration information.
Hierarchical view protection—Prevents low-level users from entering higher-level views.
Remote Authentication Dial-In User Service (RADIUS)—Cooperates with a RADIUS server to implement authentication, authorization, and accounting security services for access users to prevent unauthorized access.
PKI/X.509—Provides certificate-based authentication.
MD5 authentication in OSPF and RIP2—Ensures authenticity and integrity of exchanged routing information.
Rich VPN connection solutions
The vFW supports multiple VPN technologies for you to set up VPN connections as needed.
L2TP VPN—Sets up point-to-point tunnels across a public network (for example, the Internet) and transmits encapsulated PPP frames (L2TP packets) over the tunnels. L2TP is currently the most widely used Virtual Private Dial Network (VPDN) tunneling protocol. The vFW supports multiple L2TP multi-domains.
GRE VPN—Encapsulates a protocol (such as IP, MPLS, or Ethernet) into a virtual point-to-point tunnel over a network (such as an IP network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end.
IPsec VPN—Defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. IPsec uses the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols to ensure privacy, integrity, authenticity, and anti-replay of datagrams transmitted over the network. IPsec allows establishment of SAs automatically through Internet Key Exchange (IKE) or manually. The IPsec protocol provides a secure VPN solution for users who have high requirements for information security. IPsec VPN is typically used in combination with the L2TP and GRE protocols.