Huawei USG6600 Series Next-Generation Firewall Specification Sheet (Channel Edition)
- Format: pdf
- Size: 309.06 KB
- Pages: 2
Product Overview
Enterprise networks are evolving toward a next-generation network centered on mobile broadband, big data, social networking, and cloud services.
Mobile apps, Web 2.0, and social networks place enterprises in an open network environment. Attackers penetrate networks through identity spoofing, website Trojan injection, malware, botnets, and many other means. Enterprises face unprecedented security risks, and traditional firewalls cannot cope with this change.
The Huawei Secospace USG6500 series next-generation firewalls were designed for this next-generation network environment. Based on "ACTUAL" awareness (application, content, time, user, attack, location), they self-optimize security management, identify unknown threats with cloud technology, and deliver high-performance next-generation network security, centered on application-layer threat protection, for small and medium enterprises, branch offices of large enterprises, and small data centers.
Huawei Secospace USG6500 Series Next-Generation Firewall Product Features
Most precise application access control
• Comprehensively innovative next-generation environment awareness and access control. By combining six dimensions (application, content, time, user, threat, and location), the firewall gains global awareness of the growing number of application-layer threats and implements application-layer security protection.
• Rich reports visualize service status, network environment, security posture, and user behavior, giving the operator all-round awareness for security operations.
• Deeply integrated next-generation content security. By merging the parsing engines, security capabilities are deeply integrated with application identification, defending against malicious code implantation, network intrusion, data theft, and other attacks carried out through applications.
Highest performance experience
• Dedicated software and hardware platform architecture with the IAE (Intelligent Awareness Engine) single-pass parsing engine: once application information has been identified, all security features process the traffic in parallel.
• Hardware acceleration for content inspection improves application-layer protection efficiency and ensures the best performance with all security features enabled.
Simplest security management
• Policy templates for each application scenario enable rapid policy deployment.
• Based on the actual traffic in the network and the risk of the applications, policy optimization suggestions are generated automatically, following the principle of least privilege.
• Policy hit rates are analyzed to find redundant and invalid policies, effectively controlling the size of the policy set and simplifying management.
Most comprehensive unknown threat protection
• Security centers around the world provide a rich source of suspicious samples. Sandbox technology in the cloud monitors the runtime behavior of suspicious samples in a simulated environment to discover unknown threats efficiently.
• After an unknown threat is discovered, its signature is extracted automatically and synchronized to the device quickly, effectively defending against zero-day attacks.
• An accurate and complete reputation system defends against APT attacks.
Product specifications: USG6550/6570, USG6510-sjj, USG6530
Overview
With the continuous digitalization and cloudification of enterprise services, networks play an important role in enterprise operations and must be protected. Network attackers use various methods, such as identity spoofing, website Trojan horses, and malware, to initiate network penetration and attacks, affecting the normal use of enterprise networks.
Deploying firewalls on network borders is a common way to protect enterprise network security. However, traditional firewalls can only analyze and block threats based on signatures. This method cannot effectively handle unknown threats and may degrade device performance. Such single-point, passive defense neither pre-empts nor effectively defends against unknown threats. In particular, threats hidden in encrypted traffic cannot be identified effectively without breaching user privacy.
Huawei's next-generation firewalls provide the latest capabilities and work with other security devices to proactively defend against network threats, enhance border detection, effectively defend against advanced threats, and resolve performance degradation. The network processing chip accelerates pattern matching and encryption/decryption, which greatly improves the firewall's ability to process content security detection and IPSec services.
Huawei USG6515E/USG6550E/USG6560E/USG6580E Next-Generation Firewalls
Product Highlights
Comprehensive and integrated protection
• Integrates the traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, URL filtering, and online behavior management functions in one device.
• Interworks with a local or cloud sandbox to effectively detect unknown threats and prevent zero-day attacks.
• Implements refined bandwidth management based on applications and websites, preferentially forwards key services, and guarantees bandwidth for them.
More comprehensive defense
• The built-in traffic probe of the firewall extracts traffic information and reports it to the CIS, a security big data analysis platform developed by Huawei. The CIS analyzes threats in the traffic without decrypting it or compromising device performance. The threat identification rate is higher than 90%.
• The deception system proactively responds to hacker scanning behavior and quickly detects and records malicious behavior, facilitating forensics and source tracing.
High performance
• Uses a network processing chip based on the ARM architecture, significantly improving forwarding performance.
• Chip-level pattern matching and accelerated encryption/decryption improve the performance of IPS, antivirus, and IPSec services.
Deployment
Cloud-based management
• Firewalls proactively register with the cloud management platform and are quickly incorporated into it, enabling device deployment without manual attendance.
• Remote service configuration management, device monitoring, and fault management implement cloud-based management of large numbers of devices and simplify O&M.
Enterprise border protection
• Firewalls are deployed at the network border. The built-in traffic probe extracts packets of encrypted traffic and sends them to the CIS, a big data analysis platform, so that threats in encrypted traffic are monitored in real time. The deception function is enabled on the firewalls to proactively respond to malicious scanning and works with the CIS for behavior analysis, quickly detecting and recording malicious behavior and protecting the enterprise against threats in real time.
Specifications
1. Performance is tested under ideal conditions based on RFC 2544 and RFC 3511. Actual results vary with the deployment environment.
2. Antivirus, IPS, and SA performance is measured using 100 KB HTTP files.
3. Full protection throughput is measured with firewall, SA, IPS, antivirus, and URL filtering enabled, again using 100 KB HTTP files.
4. SSL inspection throughput is measured with IPS enabled and HTTPS traffic using TLS v1.2 with AES128-GCM-SHA256.
5. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.
*SA: Service Awareness.
About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.
Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
System Performance and Capacity
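The probe-and-CIS design described in the datasheet above depends on what a TLS handshake exposes before any encryption starts. The following Python is an added illustration, not Huawei's probe or CIS code: it constructs a ClientHello (so the example runs offline) and then parses out the fields a passive probe can read without any keys, namely the offered versions, cipher suites, SNI and ALPN. The builder, the field names in the returned dictionary and the sample values are assumptions made for the example; which fields Huawei's probe actually exports to the CIS is not stated on the page.

```python
import struct


# --- builder: constructs a TLS ClientHello so the example runs offline ---
def _ext(etype: int, data: bytes) -> bytes:
    """One TLS extension: type(2) + length(2) + data."""
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(sni, ciphers, alpn=("h2", "http/1.1"),
                       versions=(0x0304, 0x0303)):
    """Return a complete TLS record carrying a ClientHello (constructed sample)."""
    name = sni.encode("ascii")
    # server_name: list_len(2) name_type(1)=host_name name_len(2) name
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    alpn_list = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_data = struct.pack("!H", len(alpn_list)) + alpn_list
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    sv_data = bytes([len(ver_list)]) + ver_list            # supported_versions
    exts = _ext(0, sni_data) + _ext(16, alpn_data) + _ext(43, sv_data)
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303)        # legacy_version (TLS 1.2 on the wire)
            + bytes(32)                      # client random (all-zero: constructed)
            + b"\x00"                        # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                    # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# --- parser: what a passive probe can read from the first client flight ---
def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites, SNI, ALPN and supported_versions; no keys needed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    info = {"legacy_version": struct.unpack("!H", body[0:2])[0],
            "ciphers": [], "sni": None, "alpn": [], "supported_versions": []}
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info["ciphers"] = [struct.unpack("!H", body[i:i + 2])[0]
                       for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    if pos + 2 > len(body):
        return info                                # hello without extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0 and len(data) >= 5:          # server_name
            nlen = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == 16:                          # application_layer_protocol_negotiation
            p = 2
            while p < len(data):
                plen = data[p]
                info["alpn"].append(data[p + 1:p + 1 + plen].decode("ascii", "replace"))
                p += 1 + plen
        elif etype == 43 and data:                 # supported_versions
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, 1 + data[0], 2)]
    return info


# Constructed sample: a browser-like hello to a portal, offering TLS 1.3 and 1.2.
SAMPLE_HELLO = build_client_hello("portal.example.com", [0xC02C, 0xC02B, 0x1301])

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
```

Nothing here touches application data; every field comes from the cleartext handshake. These are the same fields that SNI and certificate reputation, cipher-suite policy checks and client fingerprinting rely on, which is how a probe can hand an analysis platform useful signal without decrypting the session or holding the server's keys.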
HUAWEI USG Series Terabit-level Next-Generation Firewall Configuration Quote Operation Manual
Issue 1.0
Date 2017-03-24
Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website:
Email: ******************
Change History
Contents
Change History
1 Overview
1.1 Version Positioning and Hardware Description
2 LPU
3 SPU
4 New Quotation Items
4.2 Version Mapping
4.3 Legal and Regulatory Restrictions
5 Product Configuration
5.1 Typical Configuration and Parts Replacement
1 Overview
[Description]
1. This document guides local marketing personnel, network design personnel, and product data engineers (PDEs) through product configuration, product quotation, and configuration generator (CFG) development. Note that this version applies only to the industry network.
2. This document is an internal document and must not be disclosed to customers or peer vendors.
3. This document applies to V500R001C50. In this version, NGFW features are integrated to normalize the low-end, mid-range, and high-end firewall versions. V300R001 features are also included in this version.
1.1 Version Positioning and Hardware Description
USG9500 V500R001C50 applies to the USG9520, USG9560, and USG9580 chassis and is the main version to be sold globally in 2017. This high-end firewall provides a maximum of 1.92 Tbit/s throughput, depending on the scenario.
The maximum throughput is obtained by testing 1518-byte packets in ideal conditions. Specifications may vary depending on the live network environment.
Hardware description:
The USG9500 series has a distributed hardware architecture. The quotation items include the chassis, MPU, SFU, power supply, CF card, DDR memory, LPU, SPU, optical transceiver, optical fiber, and license.
[Figure: USG9580 Appearance]
[Figure: USG9560 Appearance]
For quotation convenience, the basic configuration of each model is bundled, for example the USG9560 DC configuration. A basic configuration includes the chassis, MPUs, SFUs, CF cards, and DDR memory modules. For high availability and performance, the maximum number of each of these components is configured. If you select the AC model, configure external AC power supplies.
2 LPU
Two factors need to be considered when configuring LPUs: the interface capacity requirement and the interface type.
For interface capacity, confirm with the customer the interfaces required on the USG9500, such as 2 x 10GE and 4 x GE. A further capacity requirement comes from the product itself: in a two-node deployment scenario, Gigabit or 10-Gigabit interfaces must be reserved for interconnecting the two nodes.
For the interface type, confirm with the customer the interface type of the peer device connected to the USG9500: 10G Ethernet or POS, Gigabit Ethernet optical or electrical.
The USG9500 supports the LPUF-21 (20G), LPUF-40 (40G), LPUF-101 (100G), LPUF-120 (120G), and LPUF-240 (240G).
*When two 12 x 10GE SFP+ flexible interface subcards are installed on the LPUF-120, the processing capability of each subcard converges to 60 Gbit/s.
**The LPUF-240 cannot be used in the USG9520 chassis, but can be used in the USG9560 and USG9580 chassis. Flexible subcards with the same name in the preceding table can be used on different motherboards.
3 SPU
When configuring the SPU, consider the application scenario first, then the service processing capacity. The SPUs of the USG9500 support flexible configurations that provide the refined service capacity the customer requires.
USG9500 V500R001 supports SPUs with 240 Gbit/s throughput in a single slot. For the market in China, SPUs are configured by requirement; for example, SPUs and expansion cards with FW/NAT throughput of 40G, 80G, 100G, and 120G can be configured for different application scenarios. For the market outside China, SPUs starting at 20 Gbit/s (in 20 Gbit/s steps) can be configured, and license capacity can be expanded through hardware and software.
The SPU throughput is obtained by testing 1518-byte packets in ideal conditions. Specifications may vary depending on the live network environment.
V500R001 firewall SPUs have a hardware architecture similar to the LPU, that is, baseboard + subcard. A subcard occupies half a slot and is one of: single-CPU firewall SPC (40 Gbit/s or 100 Gbit/s performance), dual-CPU firewall SPC (80 Gbit/s or 120 Gbit/s performance), or application security SPC.
For sales outside China, licenses are used for performance expansion. The same three subcards exist: single-CPU firewall SPC, dual-CPU firewall SPC, and application security SPC. The dual-CPU firewall SPC provides 20 Gbit/s processing performance as shipped. If higher performance is required, purchase 20 Gbit/s or 40 Gbit/s firewall performance licenses for expansion. Performance can be expanded to 100 Gbit/s on the single-CPU firewall SPC or to 120 Gbit/s on the dual-CPU firewall SPC. If the traffic exceeds 120 Gbit/s, a new hardware subcard must be purchased. The application security SPC is the same as the one for the market in China and is still sold as hardware. The antivirus, URL filtering, and intrusion prevention functions provided by this SPC can be upgraded using independent licenses or one integrated upgrade service license; that is, a customer who needs a 1-year upgrade service for two application security SPCs needs only one set of the 1-year upgrade service license.
4 New Quotation Items
USG9500 V500R001C50 has the following new hardware quotation items.
USG9500 V500R001C50 adds the following software quotation items.
The software license of V500R001C50 has the following changes compared with that of V500R001C30:
1. Added the SSL VPN function and the license for the number of concurrent SSL VPN users.
2. Added the cloud sandbox inspection function and the one-year and three-year licenses for the cloud sandbox inspection service.
By default, V500R001C50 provides the following resources (no license or boards need to be purchased):
1. Ten virtual systems, excluding the root system.
2. An unlimited number of IPSec tunnels, provided free of charge.
3. 1 million CGN (including 6RD, NAT64, and DS-Lite) sessions.
4. Service Awareness (SA), integrated into the firewall SPU and the application security SPC.
5. URL source tracing, integrated into the firewall SPU; no additional boards are required.
4.2 Version Mapping
The following table lists the version mapping for USG9500 V500R001.
4.3 Legal and Regulatory Restrictions
4.3.1 Security Redline Restrictions
USG9500 V500R001C50 meets Huawei cyber security requirements.
4.3.2 Export Control Restrictions
1. China: sales are allowed.
2. Non-trade-embargoed or controlled countries (non-sensitive countries): sales are allowed for governmental public information service projects and commercial enterprise security projects. Sales are forbidden for confidential government services, national and social security monitoring systems, and carrier security projects.
3. Non-trade-embargoed or controlled countries (security-sensitive countries): sales are forbidden in France and all its dependent territories. Otherwise, sales are allowed for governmental public information service projects and commercial enterprise security projects, and forbidden for confidential government services, national and social security monitoring systems, and carrier security projects.
4. Partially embargoed countries (nine countries): sales are allowed only for commercial enterprise security projects, not for other projects. Sales of behavior audit, content audit, and content filtering licenses are forbidden even for commercial enterprise security projects.
5. Fully embargoed countries (five countries): sales are forbidden.
Description of sales restrictions:
1. Stick to the "being integrated" strategy. The following are not allowed: direct sales, content resolution, and integration or OEM of content resolution products.
2. Avoid direct or indirect funding or preferential loans by the Chinese government.
3. After measures are taken to avoid the associated legal and control policy risks (such as a contract DISCLAIMER), standard products and components may be provided based on business principles and risk premium principles.
5 Product Configuration
5.1 Typical Configuration and Parts Replacement
5.1.1 Typical Configuration
USG9500 V500R001C50 supports the typical configuration of the 200 Gbit/s DC/AC switching host bundle. For the typical configurations of the USG9520 and USG9560, the same parts (four types altogether) are used both in and outside China. These parts differ from those used in V300R001C20; pay attention to this point.
For new sites, the default configurations of the 200 Gbit/s DC/AC switching host bundle are used.
The four types of typical configurations are as follows:
If the USG9560 requires AC power, the following parts shall be configured for each device:
If the USG9580 requires AC power, the following parts shall be configured for each device:
The USG9560 and USG9580 are chassis introduced from the NE40E-X router, and the existing roadmap does not provide an independent AC chassis. Therefore, a DC chassis with an AC power module is provided to address AC power supply.
5.1.2 External Quoted Cables or Optical Fiber Configuration
For details, see HUAWEI USG9500 Series Terabit-level Next-Generation Firewall Product Configuration Manual.
5.1.3 Optical Transceiver Configuration
If the LPU provides optical interfaces, additional optical transceivers are required for connecting the optical fibers. Verify the specification of the optical transceiver (XFP, SFP, or eSFP). Specifications, including the mode of the optical transceiver, wavelength, and transmission distance, require customer confirmation.
For details, see HUAWEI USG9500 Series Terabit-level Next-Generation Firewall Product Configuration Manual.
Product Overview
Enterprise networks are evolving toward a next-generation network centered on mobile broadband, big data, social networking, and cloud services.
Mobile apps, Web 2.0, and social networks place enterprises in an open network environment. Attackers penetrate networks through identity spoofing, website Trojan injection, malware, botnets, and many other means. Enterprises face unprecedented security risks, and traditional firewalls cannot cope with this change.
The Huawei Secospace USG6600 series next-generation firewalls were designed for this next-generation network environment. Based on "ACTUAL" awareness (application, content, time, user, attack, location), they self-optimize security management, identify unknown threats with cloud technology, and deliver high-performance next-generation network security, centered on application-layer threat protection, for large enterprises and data centers.
Huawei Secospace USG6600 Series Next-Generation Firewall Product Features
Most precise application access control
• Comprehensively innovative next-generation environment awareness and access control. By combining six dimensions (application, content, time, user, threat, and location), the firewall gains global awareness of the growing number of application-layer threats and implements application-layer security protection.
• Rich reports visualize service status, network environment, security posture, and user behavior, giving the operator all-round awareness for security operations.
• Deeply integrated next-generation content security. By merging the parsing engines, security capabilities are deeply integrated with application identification, defending against malicious code implantation, network intrusion, data theft, and other attacks carried out through applications.
Highest performance experience
• Dedicated software and hardware platform architecture with the IAE (Intelligent Awareness Engine) single-pass parsing engine: once application information has been identified, all security features process the traffic in parallel.
• Hardware acceleration for content inspection improves application-layer protection efficiency and ensures the best 10-Gigabit performance with all security features enabled.
Simplest security management
• More than 6000 applications are classified into 5 major categories and 33 subcategories; application subcategories enable fast application-based access control.
• Based on the actual traffic in the network and the risk of the applications, policy optimization suggestions are generated automatically, following the principle of least privilege.
• Policy hit rates are analyzed to find redundant and invalid policies, effectively controlling the size of the policy set and simplifying management.
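The hit-rate and least-privilege bullets above (and the identical bullets in the USG6500 section earlier on the page) describe checks that are mechanical once a rulebase and its counters are exported. The Python below is an added example of those checks, not Huawei's policy optimizer: under first-match evaluation it finds rules that can never be hit because an earlier rule covers their whole match space, lists rules with zero hits, and proposes narrowing "any"-application permits to the applications actually observed. The rule model, the constructed rulebase, the hit counts and the observed-application map are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    apps: frozenset     # application names, or {"any"}
    action: str         # "permit" or "deny"


def addr_covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    o, i = ip_network(outer, strict=False), ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def apps_cover(outer: frozenset, inner: frozenset) -> bool:
    return "any" in outer or ("any" not in inner and inner <= outer)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """First-match evaluation: a rule whose whole match space is covered by an earlier
    rule can never be hit. Same action -> 'redundant' (safe to delete); different
    action -> 'shadowed' (the intended deny/permit is silently not enforced)."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (addr_covers(earlier.src, later.src)
                    and addr_covers(earlier.dst, later.dst)
                    and apps_cover(earlier.apps, later.apps)):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


def zero_hit_rules(rules: List[Rule], hits: Dict[str, int]) -> List[str]:
    """Rules with no hits over the analysed window: review for removal or disabling."""
    return [r.name for r in rules if hits.get(r.name, 0) == 0]


def narrowing_suggestions(rules: List[Rule],
                          observed: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Least privilege: a permit rule with app 'any' that only ever carried a few
    applications should be narrowed to exactly those applications."""
    out = {}
    for r in rules:
        if r.action == "permit" and "any" in r.apps and observed.get(r.name):
            out[r.name] = sorted(observed[r.name])
    return out


# Constructed rulebase, hit counters and per-rule observed applications (not real data).
RULES = [
    Rule("allow-web",         "10.1.0.0/16",  "any",            frozenset({"http", "https"}), "permit"),
    Rule("allow-branch-any",  "10.1.0.0/16",  "192.168.0.0/16", frozenset({"any"}),           "permit"),
    Rule("allow-finance-web", "10.1.20.0/24", "192.168.5.0/24", frozenset({"https"}),         "permit"),
    Rule("deny-branch-ssh",   "10.1.0.0/16",  "192.168.0.0/16", frozenset({"ssh"}),           "deny"),
    Rule("deny-all",          "any",          "any",            frozenset({"any"}),           "deny"),
]
HITS = {"allow-web": 48213, "allow-branch-any": 1207, "allow-finance-web": 0,
        "deny-branch-ssh": 0, "deny-all": 95}
OBSERVED = {"allow-branch-any": {"smb", "rdp"}}

if __name__ == "__main__":
    for finding in shadowed_rules(RULES):
        print("%-18s never matches: covered by %-16s (%s)" % finding)
    print("zero-hit:", zero_hit_rules(RULES, HITS))
    print("narrow:", narrowing_suggestions(RULES, OBSERVED))
```

The two analyses are meant to be read together: deny-branch-ssh shows zero hits not because nobody tries SSH into the branch range but because allow-branch-any in front of it permits everything first. A zero-hit count alone therefore does not mean a rule is safe to delete; the shadowing check tells you whether the rule is dead weight or a control that is not actually being enforced, and the narrowing suggestion is what fixes the latter.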
Most comprehensive unknown threat protection
• Security centers around the world provide a rich source of suspicious samples. Sandbox technology in the cloud monitors the runtime behavior of suspicious samples in a simulated environment to discover unknown threats efficiently.
• After an unknown threat is discovered, its signature is extracted automatically and synchronized to the device quickly, effectively defending against zero-day attacks.
• An accurate and complete reputation system defends against APT attacks.