Huawei USG6600 Series Next-Generation Firewall Specification List (Channel Edition)
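Product Overview
Enterprise networks are evolving toward next-generation networks centered on mobile broadband, big data, social networking, and cloud services.
Mobile apps, Web 2.0, and social networks place enterprises in an open network environment. Attackers penetrate networks through identity spoofing, website Trojan horses, malware, botnets, and other means. Enterprises face unprecedented security risks, yet traditional firewalls are powerless in the face of these changes.
Huawei Secospace USG6500 series next-generation firewalls were created to meet this need. Designed for next-generation network environments, they are based on "ACTUAL" awareness, self-optimize security management, identify unknown threats through cloud technology, and deliver high-performance next-generation network security centered on application-layer threat protection for small and medium-sized enterprises, branch offices of large enterprises, and small data centers.

Huawei Secospace USG6500 Series Next-Generation Firewalls
Product Features
Most accurate application access control
• Fully innovative next-generation context awareness and access control. By combining six dimensions (application, content, time, user, threat, and location), the firewall gains global awareness of the growing number of application-layer threats and implements application-layer security protection.
• Rich reports visualize service status, network environment, security posture, and user behavior, giving users all-round awareness for security operations.
• Deeply integrated next-generation content security. By merging the parsing engines, security capabilities are deeply integrated with application identification to prevent malicious code implantation, network intrusion, data theft, and other damaging behavior carried out through applications.
Highest performance experience
• Dedicated software and hardware platform architecture with the IAE single-pass parsing engine. After application information is intelligently identified, all security features are processed in parallel.
• Hardware acceleration for content inspection improves application-layer protection efficiency and ensures optimal performance with all security features enabled.
Simplest security management
• Policy templates are provided for application scenarios to enable rapid policy deployment.
• Policy optimization suggestions are generated automatically based on the actual traffic and application risks on the network, following the principle of least privilege.
• Policy hit rates are analyzed to find redundant and invalid policies, effectively controlling the size of the policy set and simplifying management.
Most comprehensive unknown threat protection
• Security centers located around the world provide a rich source of suspicious samples. Sandbox technology is used in the cloud to monitor the runtime behavior of suspicious samples in a simulated environment, efficiently discovering unknown threats.
• After an unknown threat is discovered, its signature is extracted automatically and quickly synchronized to the device, effectively defending against zero-day attacks.
• An accurate and complete reputation system defends against APT attacks.
USG6550/6570, USG6510-sjj, USG6530 product specifications.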
Overview
With the continuous digitalization and cloudification of enterprise services, networks play an important role in enterprise operations, and must be protected. Network attackers use various methods, such as identity spoofing, website Trojan horses, and malware, to initiate network penetration and attacks, affecting the normal use of enterprise networks.
Deploying firewalls on network borders is a common way to protect enterprise network security. However, firewalls can only analyze and block threats based on signatures. This method cannot effectively handle unknown threats and may deteriorate device performance. This single-point and passive method does not pre-empt or effectively defend against unknown threat attacks. Threats hidden in encrypted traffic in particular cannot be effectively identified without breaching user privacy.
Huawei's next-generation firewalls provide the latest capabilities and work with other security devices to proactively defend against network threats, enhance border detection capabilities, effectively defend against advanced threats, and resolve performance deterioration problems. The network processing chip provides pattern matching and encryption/decryption service processing acceleration functions, which greatly improve the firewall's ability to process content security detection and IPSec services.

Huawei USG6515E/USG6550E/USG6560E/USG6580E Next-Generation Firewalls

Product Highlights
Comprehensive and integrated protection
• Integrates the traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, URL filtering, and online behavior management functions all in one device.
• Interworks with the local or cloud sandbox to effectively detect unknown threats and prevent zero-day attacks.

Deployment
Cloud-based management
• Firewalls proactively register with and are quickly incorporated into the cloud management platform to implement quick device deployment without manual attendance.
• Remote service configuration management, device monitoring, and fault management are used to implement cloud-based management of mass devices and simplify O&M.
Enterprise border protection
• Firewalls are deployed at the network border. The built-in traffic probe extracts packets of encrypted traffic and sends the packets to the CIS, a big data analysis platform. In this way, threats in encrypted traffic are monitored in real time. The deception function is enabled on the firewalls to proactively respond to malicious scanning behavior and associate with the CIS for behavior analysis to quickly detect and record malicious behavior, protecting enterprises against threats in real time.

• Implements refined bandwidth management based on applications and websites, preferentially forwards key services, and ensures bandwidth for key services.
More comprehensive defense
• The built-in traffic probe of a firewall extracts traffic information and reports it to the CIS, a security big data analysis platform developed by Huawei. The CIS analyzes threats in the traffic, without decrypting the traffic or compromising the device performance. The threat identification rate is higher than 90%.
• The deception system proactively responds to hacker scanning behavior and quickly detects and records malicious behavior, facilitating forensics and source tracing.
High performance
• Uses the network processing chip based on the ARM architecture, improving forwarding performance significantly.
• Enables chip-level pattern matching and accelerates encryption/decryption, improving the performance for processing IPS, antivirus, and IPSec services.

Specifications
1. The performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.
2. Antivirus, IPS, and SA performances are measured using 100 KB HTTP files.
3. Full protection throughput is measured with Firewall, SA, IPS, Antivirus and URL Filtering enabled. Antivirus, IPS and SA performances are measured using 100 KB HTTP files.
4. SSL inspection throughput is measured with IPS enabled and HTTPS traffic using TLS v1.2 with AES128-GCM-SHA256.
5. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.
*SA: Service Awareness.

About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.
Copyright©2019 Huawei Technologies Co., Ltd. All rights reserved.
System Performance and Capacity
HUAWEI USG Series Terabit-level Next-Generation Firewall
Configuration Quote Operation Manual
Issue 1.0
Date 2017-03-24
Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Change History

Contents
Change History
1 Overview
1.1 Version Positioning and Hardware Description
2 LPU
3 SPU
4 New Quotation Items
4.2 Version Mapping
4.3 Legal and Regulatory Restrictions
5 Product Configuration
5.1 Typical Configuration and Parts Replacement

1 Overview
[Description]
1. This document guides the local marketing personnel, network design personnel, and product data engineers (PDEs) through product configuration, product quotation, and configuration generator (CFG) development. Note that this version applies only to the industry network.
2. This document is an internal document and must not be disclosed to customers or peer vendors.
3. This document applies to V500R001C50. In this version, NGFW features are integrated to normalize low-end, mid-range, and high-end firewall versions. V300R001 features are also included in this version.

1.1 Version Positioning and Hardware Description
The USG9500 V500R001C50 applies to the USG9520, USG9560, and USG9680 chassis and is the main version to be sold globally in 2017. This high-end firewall can provide a maximum of 1.92 Tbit/s throughput based on the scenario.
The maximum throughput is obtained by testing 1518-byte packets in ideal conditions. The specifications may vary depending on live network environments.
Hardware description:
The USG9500 series has the distributed hardware architecture, and the quotation items include the chassis, MPU, SFU, power supply, CF card, DDR memory, LPU, SPU, optical transceiver, optical fiber, and license.
[Figures: USG9580 Appearance; USG9560 Appearance; USG9580 Appearance]
For quotation convenience, basic configurations of each model are bundled, for example, the USG9560 DC configuration. In the basic configurations, the chassis, MPUs, SFUs, CF cards, and DDR memory modules are included. For high availability and excellent performance, the maximum numbers of these components are configured. If you select the AC model, configure external AC power supplies.

2 LPU
Two factors need to be considered when you configure the LPUs: interface capacity requirement and interface type. For the former, communicate with customers about the interface capacity requirements on the USG9500, such as 2 x 10GE interfaces and 4 x GE interfaces. Another interface capacity requirement comes from the product. For example, in a two-node deployment scenario, Gigabit/10-Gigabit interfaces must be reserved for interconnecting the two nodes.
For the interface type, you also need to confirm with the customer the interface type of the peer device connected to the USG9500: a 10G Ethernet or POS interface, or a Gigabit Ethernet optical interface or electrical interface.
The USG9500 supports LPUF-21 (20G), LPUF-40 (40G), LPUF-101 (100G), LPUF-120 (120G), and LPUF-240 (240G).
* When two 12 x 10GE SFP+ flexible interface subcards are installed on the LPUF-120 LPU, the processing capability of each subcard is converged to 60 Gbit/s.
** LPUF-240 cannot be used on the USG9520 chassis, but can be used on the USG9560 and USG9580 chassis. If some flexible subcards listed in the preceding table have the same name, they can be used in different mother boards.

3 SPU
When configuring the SPU, take into consideration the application scenario first, then the service processing capacity. SPUs of the USG9500 support flexible configurations that provide refined service meeting the customers' requirements.
USG9500 V500R001 supports SPUs with 240 Gbit/s throughput in a single slot. For the market in China, SPUs can be configured according to requirements. For example, SPUs and expansion cards with the FW/NAT throughput of 40G, 80G, 100G, 120G can be configured to adapt to different application scenarios. For the market outside China, SPUs starting with 20 Gbit/s (step 20 Gbit/s) can be configured. License capacity can be expanded through hardware and software.
The SPU throughput is obtained by testing 1518-byte packets in ideal conditions. The specifications may vary depending on live network environments.
V500R001 firewall SPUs have a hardware architecture design similar to the LPU, that is, baseboard + subcard. The subcard occupies a 1/2 slot and can be classified into single-CPU firewall SPC (40 Gbit/s performance, 100 Gbit/s performance), dual-CPU firewall SPC (80 Gbit/s performance, 120 Gbit/s performance), and application security SPC. For sales outside China, licenses are used for performance expansion.
There are single-CPU firewall SPC, dual-CPU firewall SPC and application security SPC. The dual-CPU firewall SPC provides 20 Gbit/s processing performance. If you require a higher performance, purchase 20 Gbit/s firewall or 40 Gbit/s firewall performance license for expansion. The processing performance can be expanded to 100 Gbit/s on the single-CPU firewall SPC, or expanded to 120 Gbit/s on the dual-CPU firewall SPC. If the traffic exceeds 120 Gbit/s, you need to purchase a new hardware subcard. The application security SPC is the same as that for the market in China. This card is still in hardware sales mode. The antivirus, URL filtering, and intrusion prevention functions provided by this SPC can be upgraded using independent licenses or one integrated upgrade service license. That is, if a customer needs to purchase 1-year upgrade service for two application security SPCs, the customer needs only 1 set of 1-year upgrade service license.

4 New Quotation Items
USG9500 V500R001C50 has the following new hardware quotation items.
USG9500 V500R001C50 adds the following software quotation items.
The software license of V500R001C50 has the following changes compared with that of V500R001C30:
1. Added the function of the SSL VPN and the license of SSL VPN concurrent user quantity.
2. Added the function of the cloud sandbox inspection and the one-year license and three-year license of cloud sandbox inspection service.
By default, V500R001C50 provides the following resources (no license or board purchase is needed):
1. Ten virtual systems are provided, excluding the root system.
2. The number of IPSec tunnels is not limited, and the tunnels are provided for free.
3. The number of CGN (including 6RD, NAT64, and DSLite) sessions is 1 million.
4. Service Awareness (SA) is integrated into the firewall SPU and application security SPC.
5. URL source tracing is integrated into the firewall SPU, and additional boards are not required.

4.2 Version Mapping
The following table lists the version mapping for USG9500 V500R001.

4.3 Legal and Regulatory Restrictions
4.3.1 Security Redline Restrictions
USG9500 V500R001C50 meets Huawei cyber security requirements.
4.3.2 Export Control Restrictions
1. China
Sales are allowed.
2. Non-trade embargoed or controlled countries (non-sensitive countries)
Sales are allowed for governmental public information service projects and commercial enterprise security projects.
Sales are forbidden for confidential government services, national and social security monitoring systems, and carrier security projects.
3. Non-trade embargoed or controlled countries (security-sensitive countries)
Sales are forbidden in France and all its dependent territories.
Sales are allowed for governmental public information service projects and commercial enterprise security projects.
Sales are forbidden for confidential government services, national and social security monitoring systems, and carrier security projects.
4. Partially embargoed countries (nine countries)
Sales are allowed for only commercial enterprise security projects, not for other projects.
Sales on behavior audit, content audit, and content filtering licenses are forbidden for commercial enterprise security projects.
5. Fully embargoed countries (five countries)
Sales are forbidden.
Description of sales restriction:
1. Stick to the "being integrated" strategy. The following items are not allowed: direct sales, content resolution, and integration or OEM of content resolution products.
2. Avoid direct or indirect funding or preferential loans by the Chinese government.
3. After measures are taken to avoid associated legal and control policy risks (such as a contract DISCLAIMER), standard products and components are allowed to be provided based on the business principles and risk premium principles.

5 Product Configuration
5.1 Typical Configuration and Parts Replacement
5.1.1 Typical Configuration
USG9500 V500R001C50 supports the typical configuration of the 200 Gbit/s DC/AC switching host bundle.
For the typical configurations of the USG9520 and USG9560, the same parts (altogether 4 types) are used in and outside China. These parts are different from those used in V300R001C20. Pay attention to this point.
For new sites, the default configurations of the 200 Gbit/s DC/AC switching host bundle are used by default.
The four types of typical configurations are as follows:
If the USG9560 requires AC power, the following parts shall be configured for each device:
If the USG9580 requires AC power, the following parts shall be configured for each device:
The USG9560 and USG9580 are chassis introduced from the NE40E-X router, and the existing roadmap does not provide independent AC chassis. Therefore, a solution of a DC chassis with an AC power module shall be provided to address the issue of AC power supply.

5.1.2 External Quoted Cables or Optical Fiber Configuration
For details, see HUAWEI USG9500 Series Terabit-level Next-Generation Firewall Product Configuration Manual.

5.1.3 Optical Transceiver Configuration
If the LPU provides optical interfaces, additional optical transceivers are required for connecting the optical fibers. Verify the specification of the optical transceiver (XFP, SFP, or eSFP). Specifications, including the mode of optical transceivers, wavelength, and transmission distance, require customer confirmation.
For details, see HUAWEI USG9500 Series Terabit-level Next-Generation Firewall Product Configuration Manual.
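Product Overview
Enterprise networks are evolving toward next-generation networks centered on mobile broadband, big data, social networking, and cloud services.
Mobile apps, Web 2.0, and social networks place enterprises in an open network environment. Attackers penetrate networks through identity spoofing, website Trojan horses, malware, botnets, and other means. Enterprises face unprecedented security risks, yet traditional firewalls are powerless in the face of these changes.
Huawei Secospace USG6600 series next-generation firewalls were created to meet this need. Designed for next-generation network environments, they are based on "ACTUAL" awareness, self-optimize security management, identify unknown threats through cloud technology, and deliver high-performance next-generation network security centered on application-layer threat protection for large enterprises and data centers.

Huawei Secospace USG6600 Series Next-Generation Firewalls
Product Features
Most accurate application access control
• Fully innovative next-generation context awareness and access control. By combining six dimensions (application, content, time, user, threat, and location), the firewall gains global awareness of the growing number of application-layer threats and implements application-layer security protection.
• Rich reports visualize service status, network environment, security posture, and user behavior, giving users all-round awareness for security operations.
• Deeply integrated next-generation content security. By merging the parsing engines, security capabilities are deeply integrated with application identification to prevent malicious code implantation, network intrusion, data theft, and other damaging behavior carried out through applications.
Highest performance experience
• Dedicated software and hardware platform architecture with the IAE single-pass parsing engine. After application information is intelligently identified, all security features are processed in parallel.
• Hardware acceleration for content inspection improves application-layer protection efficiency and ensures optimal 10-Gigabit performance with all security features enabled.
Simplest security management
• More than 6000 applications are organized into 5 categories and 33 subcategories; application subcategories can be used to quickly implement application-based access control.
• Policy optimization suggestions are generated automatically based on the actual traffic and application risks on the network, following the principle of least privilege.
• Policy hit rates are analyzed to find redundant and invalid policies, effectively controlling the size of the policy set and simplifying management.
Most comprehensive unknown threat protection
• Security centers located around the world provide a rich source of suspicious samples. Sandbox technology is used in the cloud to monitor the runtime behavior of suspicious samples in a simulated environment, efficiently discovering unknown threats.
• After an unknown threat is discovered, its signature is extracted automatically and quickly synchronized to the device, effectively defending against zero-day attacks.
• An accurate and complete reputation system defends against APT attacks.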
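Huawei USG6000 Series Next-Generation Firewall Detailed Performance Parameter Table
... and WeChat authentication can be implemented together with Agile Controller.
Application security
● Identification of 6000+ application protocols, with granularity refined down to specific actions; user-defined protocol types; can be freely combined with blocking, rate limiting, auditing, statistics, and other measures; online protocol library upgrade.
Note: The USG6320 can identify 1600+ applications.
● Application identification combined with virus scanning detects viruses, Trojan horses, and malware hidden in applications; more than 5 million viruses can be detected.
● Application identification combined with content inspection detects file types and sensitive information in applications, preventing sensitive information leaks.
Intrusion prevention
● Signature-based detection; supports detection of and defense against attacks using more than 3500 vulnerability signatures.
● Protocol-based detection; supports protocol self-identification and detection based on protocol anomalies.
● Supports user-defined IPS signatures.
APT defense
Interworks with the sandbox to detect and block malicious files.
Web security
● Cloud-based URL category filtering, with a library of 85 million URLs in 80+ categories.
● Provides professional security URL categories, including a phishing website category and a malicious URL category.
● Defense against web-based attacks, such as cross-site scripting and SQL injection.
● Provides URL keyword filtering and URL blacklists and whitelists.
Email security
● Real-time anti-spam with online detection; defends against phishing emails.
● Local blacklists and whitelists, remote real-time blacklists, content filtering, keyword filtering, and filtering by attachment type, size, and quantity.
● Supports virus scanning of and security alerts for email attachments.
Data security
● Content-aware data leak prevention; identifies and filters files and text content transmitted over email, HTTP, FTP, IM, SNS, and so on.
● File reassembly and content filtering for 20+ file types (such as Word, Excel, PPT, and PDF); filtering of 60+ file types.
Security virtualization
Virtualization of all security features: forwarding virtualization, user virtualization, management virtualization, view virtualization, and resource virtualization (bandwidth, sessions, and so on).
Network security
● DDoS attack protection against many types of DDoS attacks, such as SYN flood, UDP flood, ICMP flood, HTTP flood, DNS flood, ARP flood, and ARP spoofing.
● Rich VPN features: IPSec VPN, SSL VPN, L2TP VPN, MPLS VPN, GRE, and so on.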
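Taking Control of Next-Generation Network Security - Huawei Secospace USG6000 NGFW
Currently, fewer than 10% of the firewalls securing Internet connections are next-generation firewalls (NGFWs).
By the end of 2014, this share will rise to 35%, and 60% of newly purchased firewalls will be NGFWs.
Gartner, "Magic Quadrant for Enterprise Network Firewalls 2013"

Evolution of the firewall
[Figure: firewall evolution timeline. Years: 1989, 1994, 1998, 2004, 2008, 2009. Stages: packet-filtering firewall; stateful inspection (Checkpoint/Cisco); ASIC-based (NetScreen); UTM (unified threat management); multi-core + distributed architecture (Fortinet); NGFW (Huawei/Juniper, Paloalto). Eras: PC era, network era, Internet era, Web 2.0 era, mobile Internet era. Capabilities: basic access control; session mechanism introduced; dedicated chips improve performance; multiple functions stacked, performance improved; control based on application + user + content.]

How Gartner defines the NGFW
[Figure: Gartner NGFW definition. Minimum requirements for an NGFW: standard firewall functions, integrated IPS, application awareness, intelligent interworking/analysis. Products confused with NGFW: UTM/stacked multiple engines, application control + IPS, firewall + limited application identification, network DLP. Labels: large enterprise environments; suitable only for SMB scenarios; basic functions; scenarios; similar functions, but different foundations and different degrees of integration; is / is not.]
Source: "Defining the Next-Generation Firewall", Greg Young, 12 October 2009

Challenges currently facing the NGFW
1. Is control fine-grained enough?
2. Is management simple enough?
3. Can threats be identified?
4. Is performance sufficient?
● With BYOD, cloud, and social networking, control is insufficient
● 75% of attacks target the application layer
● Port -> application: management complexity increases by orders of magnitude
● Staff skills are insufficient and the required level of human involvement is too high to sustain
● APT attacks continue to expand and intensify
● More than 50% of attacks are carried out by organized teams
● Comprehensive protection has become a rigid requirement for security gateways
● Processing performance hits a bottleneck, and the device degrades into a UTM again

How Huawei defines the NGFW
1. Fine-grained control
2. Intelligent management
3. Comprehensive protection
4. High-performance experience
● Matches the mobility, virtualization, and social networking of IT
● In addition to application, user, and content awareness, it should also be aware of location, risk, device, and so on
● Provides policy suggestions under the new control model
● Provides intelligent analysis of security risks and handling suggestions
● Identifies not only applications but also application threats
● Has defense mechanisms against unknown threats and APTs
● Baseline performance = firewall + application identification
● With full threat protection enabled, performance drops by less than 50%
Next-generation network security based on the new definition of the NGFW

ACTUAL context awareness provides a brand-new access control perspective
Most fine-grained access control: ACTUAL control
The most refined access control capability
Mobility: 30% of enterprises use mobile working
Social networking: 50% of enterprises use social media
Cloud: 65% of data centers are virtualized
Web: 90% of network applications use port 80
Globalization of attacks
App, Location, Time, Attack, Content, User
How should enterprises respond to an ever-changing IT environment?

Function comparison (ACTUAL)
Huawei: √ √ √ √ √ √; 6000+; ★★★; 8 authentication types; ★★★; country/region
Leading overseas vendors: √ √ √ √ √ √; 2000-5000; ★★★; up to 7 authentication types; ★★★; country
Other domestic vendors: √; partially available; √ √ √ ×; 500-2000; ★; up to 6 authentication types; ★; not supported
Identification of more than 6000 applications, over 20% more than overseas vendors and 3 to 5 times as many as domestic vendors
Filtering of more than 85 million URLs; in addition to classification by category, a dedicated malicious URL library is provided
Location-based access policies, with identification and control supported at the region level
Content filtering for dozens of file types, with support for identifying disguised files

Simplest management and configuration: intelligent management
Rapid application-based deployment
Huawei NGFW / other NGFWs in the industry
Management challenges: several thousand or more applications; how to protect real-world services based on applications; how does the device define applications?
Multi-dimensional, multi-level application classification:
• Applications are described in three dimensions (application type, transmission mode, and application analysis) so that applications can be located quickly and accurately.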
HUAWEI USG6620/6630 Next-Generation Firewalls---Best-in-Class Security for Medium-sized Businesses
Huawei USG6620/6630 next-generation firewalls are designed for network egresses of medium-sized businesses or branch offices of large enterprises. The firewalls accurately identify more than 6,000 applications and implement fine-grained access control. Application-layer defense functions, such as Intrusion Prevention System (IPS) and antivirus, are used with application identification technologies to improve the threat prevention efficiency and accuracy, providing users with full-fledged network border protection capabilities. The firewalls use the industry-leading Smart Policy technology to automatically fine-tune and simplify existing security policies, reducing the overall operational costs and delivering continuous, simple, and effective next-generation network security.

Highlights
Third-party proven security capability
• Obtained Firewall, IPS, IPsec, and SSL VPN certifications from the ICSA Labs
• Obtained the highest-level CC certificate (EAL4+), ranking among the highest security levels in the world
Comprehensive and integrated protection
• Multiple security functions, including firewall, VPN, intrusion prevention, and online behavior management, for complete versatility
• Accurately identify more than 6000 applications to deliver fine-grained access control and improve the quality of key services
• Detection and prevention of unknown threats, such as zero-day attacks, using sandboxing and the reputation system*
Flexible bandwidth management, improving Internet access experience
• Differentiated user bandwidth and quota management for fair and prioritized bandwidth usage
• Application-based bandwidth management to prioritize bandwidth for mission-critical applications
• Modification of URL category priority
Visualized management and operation
• Deliver diversified reports to provide all-around visibility into service status, network environment, security posture, and user behavior
• Provide a web UI that offers a variety of easy-to-use and visualized management and maintenance functions, with which you can easily view logs and reports, manage configurations, and diagnose faults. The quick wizard on the web UI helps you configure important features with ease
• Support both NETCONF and RESTCONF northbound APIs, which enable you to centrally configure and maintain the firewalls using an upper-level controller to simplify O&M

Deployment
Border protection for medium-sized businesses
• Block all unauthorized access attempts at enterprise network egresses.
• Provide real-time 10-Gigabit-level application-layer threat prevention, even when IPS is enabled.
• Perform data filtering and auditing on files transmitted through sources such as email and IM to monitor social network applications and prevent data leaks.
• Deliver user- and application-specific bandwidth management to guarantee service quality for core users and of mission-critical services.
• Support online behavior management based on URL categories and applications to block access to malicious websites and websites irrelevant to work.
[Figure: Enterprise network]

Hardware
USG6620/6630
Interfaces
1. 2 x USB Ports
2. Console Port
3. 1 x GE (RJ45) Management Port
4. 8 x GE (RJ45) Ports
5. 4 x GE (SFP) Ports
Table 1. Wide Service Interface Cards (WSICs) for USG6600 Series

Software Features
1: If no hard disk is inserted, you can view and export system and service logs. By inserting a hard disk, you can also view, export, customize, and subscribe to reports.
Functions marked with * are supported only in USG V500R001 and later versions.

Specifications*
System Performance and Capacity
1. Performance is tested under ideal conditions based on RFC 2544 and RFC 3511. The actual result may vary with deployment environments.
2. Antivirus, IPS, and SA performances are measured using 100 KB of HTTP files.
3. Throughput is measured with the Enterprise Traffic Model.
4. SSL inspection throughput is measured with IPS-enabled and HTTPS traffic using TLS v1.2 with AES256-SHA.
5. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.
6. USG6000 V100R001 supports only the RESTCONF interface and cannot interwork with sandbox or third-party tools.
* SA indicates Service Awareness.
* This content is applicable only to regions outside mainland China. Huawei reserves the right to interpret this content.
Hardware Specifications
1. WSIC is not hot-swappable.
2. The equipment is operating in an ambient temperature equal to +23°C and fan speed 50%.
Certifications
Regulatory, Safety, and EMC Compliance
Ordering Guide

About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.
For more information, visit /en/products/enterprise-networking/security.
Copyright©2018 Huawei Technologies Co., Ltd. All rights reserved.