USG9560 Firewall Network Recovery Technical Manual
- Format: PDF
- Size: 2.17 MB
- Pages: 84
USG6550 Firewall User Manual, table of contents:
- Preface
- 1 Viewing operations
  - 1.1 Viewing the device running status
  - 1.2 Viewing interface traffic
  - 1.3 Viewing the ESN and serial number (USG6000)
  - 1.4 Viewing the ESN and serial number (USG9500)
  - 1.5 Viewing optical module information
  - 1.6 Viewing the session table
  - 1.7 Viewing logs
  - 1.8 Viewing reports
  - 1.9 Viewing VPN status
- 2 Configuration operations
  - 2.1 Creating a new administrator
  - 2.2 Changing an administrator password
  - 2.3 Changing the Web service port number
  - 2.4 Updating the license
  - 2.5 Backing up the configuration file
  - 2.6 Configuring IP-MAC binding
  - 2.7 Configuring NAT
- 3 Troubleshooting
  - 3.1 Recovering the administrator password
  - 3.2 Restoring the factory configuration
  - 3.3 Restoring the configuration file
  - 3.4 Upgrading the signature database
  - 3.5 Upgrading the system software
  - 3.6 Collecting fault information
- 4 Appendix
  - 4.1 List of dangerous operations

1 Viewing operations. About this chapter:
1.1 Viewing the device running status: describes how to view the device running status.
1.2 Viewing interface traffic: describes how to view interface traffic.
1.3 Viewing the ESN and serial number (USG6000): the display esn command shows the ESN of the device and of each component.
1.4 Viewing the ESN and serial number (USG9500): the display esn command shows the ESN of the device and of each component.
1.5 Viewing optical module information: the display esn interface command shows optical module information.
1.6 Viewing the session table: the session table holds the key entries the device uses to forward packets. When a service fails, viewing the session table through the Web UI usually narrows the fault down to the module or processing stage where it occurs.
1.7 Viewing logs.
1.8 Viewing reports: describes how to view reports.
1.9 Viewing VPN status.

1.1 Viewing the device running status
Viewing component status through the Web UI: choose Panel > Device Resource Information to view CPU usage, memory usage and CF card usage, as shown in Figure 1-1.
Huawei USG9500 High-End Firewall Technical Proposal
Huawei Technologies Co., Ltd. Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be excerpted, reproduced or transmitted in any form by any unit or individual without the prior written consent of Huawei Technologies Co., Ltd.
Trademark notice: the Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and registered trademarks mentioned in this document are the property of their respective owners.
Notice: the products, services or features you purchase are subject to Huawei's commercial contracts and terms; all or part of the products, services or features described in this document may not be within your purchase or usage scope. Unless otherwise specified in the contract, Huawei makes no representations or warranties, express or implied, regarding the contents of this document. The contents are updated from time to time because of product version upgrades or other reasons. Unless otherwise agreed, this document is intended as a usage guide only; all statements, information and recommendations in it do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd. Address: Huawei Headquarters Office Building, Bantian, Longgang District, Shenzhen. Postal code: 518129. Website: not given in this copy. Customer service e-mail: masked in this copy. Customer service telephone: 4008302118.

Table of contents:
- 1 Overview
  - 1.1 Network security
  - 1.2 Network security management
- 2 xx network analysis
  - 2.1 xx network status
  - 2.2 xxxx network service analysis
  - 2.3 xx network security problems and analysis
  - 2.4 xx network security requirements
- 3 Huawei xx network security solution
  - 3.1 Security solution for large IDC centers
  - 3.2 Security protection for government or large-enterprise headquarters networks
  - 3.3 IPv4-to-IPv6 transition solution
  - 3.4 DDoS security solution for large IDC centers
Huawei Firewall Configuration and Usage Manual

The firewall's default management interface is GE0/0/0 with the default IP address 192.168.0.1/24; the DHCP server is enabled on GE0/0/0 by default. The default user name is admin and the default password is Admin@123.

1. Configuration case
1.1 Topology
GE 0/0/1: 10.10.10.1/24
GE 0/0/2: 220.10.10.16/24
GE 0/0/3: 10.10.11.1/24
WWW server: 10.10.11.2/24 (DMZ zone)
FTP server: 10.10.11.3/24 (DMZ zone)

1.2 Telnet configuration
Set the VTY privilege level to 3 with password authentication.
# Enter the system view.
<USG5300> system-view
# Enter the user interface view.
[USG5300] user-interface vty 0 4
# Set the command level the user interface may access to level 3.
[USG5300-ui-vty0-4] user privilege level 3
Configure password authentication:
# Set the authentication mode to password.
[USG5300-ui-vty0-4] authentication-mode password
# Set the password to lantian.
[USG5300-ui-vty0-4] set authentication password simple lantian
(In newer versions the password is stored encrypted with the cipher keyword, for example: set authentication password cipher huawei@123.)
Configure the idle disconnect time:
# Set the timeout to 30 minutes.
[USG5300-ui-vty0-4] idle-timeout 30
[USG5300] firewall packet-filter default permit interzone untrust local direction inbound
// Without this rule, Telnet to the firewall from the public network is not possible. Note that the rule opens the firewall's own Local zone to every Untrust source; in production, restrict management access to known source addresses with an ACL or security policy, and prefer SSH (STelnet) to Telnet, which carries the password in cleartext.

Authentication based on user name and password:
user-interface vty 0 4
 authentication-mode aaa
aaa
 local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
 local-user admin service-type telnet
 local-user admin level 3
firewall packet-filter default permit interzone untrust local direction inbound
If the default packet filter from the Trust zone to the Local zone is not opened, Telnet to the firewall from the intranet is not possible either; by default, however, the Trust-to-Local default packet filter is already open.
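The following script, added here as an example and not taken from Huawei documentation, audits a VRP-style running configuration for the management-plane weaknesses the two Telnet configurations above introduce: a plaintext (simple) password in the saved configuration, a local user allowed to log in over Telnet, a shared VTY password that grants privilege level 3 without per-user AAA, a long idle timeout, and the Untrust-to-Local default permit. The sample configuration embedded in it is constructed from the commands shown above; the severity labels and the 10-minute idle-timeout threshold are this example's own choices.

```python
"""Audit a Huawei VRP-style firewall configuration for management-plane weaknesses.
Added example, not Huawei code. Sample config is constructed from the manual's
Telnet section; thresholds and severities are this example's own."""
import re
from typing import List, Optional, Tuple

# Constructed sample: the manual's Telnet configuration as it would appear in
# 'display current-configuration'.
SAMPLE_CONFIG = """\
sysname USG5300
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple lantian
 user privilege level 3
 idle-timeout 30
#
aaa
 local-user admin password cipher ]MQ;4\\]B+4Z,YWX*NZ55OA!!
 local-user admin service-type telnet
 local-user admin level 3
#
firewall packet-filter default permit interzone untrust local direction inbound
#
return
"""

Finding = Tuple[str, str]  # (severity, message)


def _vty_settings(lines: List[str]) -> Tuple[Optional[str], Optional[int], Optional[int]]:
    """Return (authentication-mode, privilege level, idle minutes) from the first
    'user-interface vty' block; None for anything not configured there."""
    mode, level, idle = None, None, None
    in_vty = False
    for ln in lines:
        if ln.startswith("user-interface vty"):
            in_vty = True
            continue
        if in_vty and (ln == "#" or ln.startswith("user-interface") or ln == "return"):
            break
        if not in_vty:
            continue
        m = re.match(r"authentication-mode (\S+)", ln)
        if m:
            mode = m.group(1)
        m = re.match(r"user privilege level (\d+)", ln)
        if m:
            level = int(m.group(1))
        m = re.match(r"idle-timeout (\d+)", ln)
        if m:
            idle = int(m.group(1))
    return mode, level, idle


def audit_management_plane(config: str) -> List[Finding]:
    """Return findings for the management-plane weaknesses discussed in the text."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings: List[Finding] = []

    # 1. 'password simple' keeps the secret readable in the saved configuration.
    for ln in lines:
        if re.search(r"\bpassword simple\b", ln):
            findings.append(("high", f"plaintext password stored in configuration: '{ln}'"))

    # 2. Any local user permitted to use Telnet means credentials cross the wire in clear.
    if any(re.match(r"local-user \S+ service-type\b.*\btelnet\b", ln) for ln in lines):
        findings.append(("high", "a local-user may log in over Telnet (cleartext); use service-type ssh"))

    # 3. A shared VTY password that lands the caller at level 3 gives full control
    #    with no per-user accountability; a long idle timeout widens the window.
    mode, level, idle = _vty_settings(lines)
    if mode == "password" and (level or 0) >= 3:
        findings.append(("medium", "VTY uses a shared password with privilege level 3; "
                                   "prefer authentication-mode aaa with per-user accounts"))
    if idle is None or idle > 10:
        findings.append(("low", f"VTY idle-timeout is {idle} minutes; 10 or less is customary"))

    # 4. Default inter-zone permit from Untrust into Local exposes every management
    #    service on every public-facing interface.
    pat = re.compile(r"firewall packet-filter default permit interzone (\S+) (\S+) direction inbound")
    for ln in lines:
        m = pat.match(ln)
        if m and {"untrust", "local"} <= set(m.groups()):
            findings.append(("high", "Untrust->Local default permit exposes all management services "
                                     "to the Internet; restrict to known management addresses with "
                                     "an ACL or security policy"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_management_plane(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the sample it reports three high findings (plaintext password, Telnet service type, Untrust-to-Local permit), one medium and one low; a configuration using authentication-mode aaa, service-type ssh, a short idle timeout and no Untrust-to-Local permit produces no findings.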
USG Series Device Maintenance (ZyWALL USG)
The following describes how to maintain the device, including uploading device firmware (that is, upgrading the device) and restoring the factory settings.

1. Device upgrade
Steps:
1) Open a web browser and enter the device management IP, https://192.168.1.1; enter the user name admin and the password 1234.
Click Login to enter the device configuration interface.
If you want to change the administrator password, enter the new password in the screen that follows and click Apply; if you do not want to change it, click Ignore.
2) Go to the maintenance configuration interface, open File Manager > Firmware Upload, and click Browse.
Locate the .bin file for your device model and click Upload.
3) Wait for the upgrade. The device may reboot several times during this period while the SYS LED keeps blinking; this can take about five minutes, so please be patient.
(Note: do not power off the device during the upgrade.) When the upgrade completes, the SYS LED stays on. Log in to the device again; the login screen is shown and you enter the user name and password once more.
4) After entering the configuration interface, the upgraded version is displayed.

2. Restoring factory settings
1) Log in to the maintenance configuration interface, open File Manager > Configuration File, and click Browse.
Locate the device's .conf file and click Upload; after uploading, the file appears in the configuration file list.
(The file can be the default factory configuration file, or a configuration file backed up after the device was configured.) The device then reports that it is restoring the factory settings.
When the SYS LED is steadily on, the factory restore has completed.
USG Series Device Registration and Service Update (ZyWALL USG)
If you have not registered yet, you can register your ZyWALL and activate trial services (such as anti-virus).
The following describes how to register the device and activate services.
1) Open a web browser, enter the device management IP https://192.168.1.1, log in to the device configuration interface, go to Licensing > Registration, and choose to create a new account in the screen shown.
2) Enter:
User name: 6 to 20 characters consisting of digits and letters (underscores allowed), no spaces.
Click the Check button to confirm that the user name is available.
Password: 6 to 20 characters consisting of digits and letters (underscores allowed), no spaces.
E-Mail address: enter your e-mail address, at most 80 characters consisting of digits and letters (periods and underscores allowed), no spaces.
Table of contents:
- Chapter 1 System Maintenance and Management
  - 1.1 Introduction to system maintenance and management
  - 1.2 Configuration file management
    - 1.2.1 Configuration file content and format
    - 1.2.2 Viewing the firewall's current and startup configuration
    - 1.2.3 Modifying and saving the current configuration
    - 1.2.4 Erasing the configuration file
    - 1.2.5 Using configuration files
  - 1.3 Maintenance and debugging
    - 1.3.1 Configuring the firewall name and system clock
    - 1.3.2 Using regular expressions
    - 1.3.3 Collecting system status information
    - 1.3.4 Network connectivity test tools
    - 1.3.5 System debugging functions
  - 1.4 Patch software upgrade
    - 1.4.1 Patch software upgrade
  - 1.5 Information center
    - 1.5.1 Information center overview
    - 1.5.2 Information center configuration
    - 1.5.3 Display terminal configuration
    - 1.5.4 Information center configuration example
  - 1.6 Log maintenance
    - 1.6.1 Log overview
    - 1.6.2 Binary stream log configuration
    - 1.6.3 Log maintenance display and debugging
    - 1.6.4 Typical log configuration example
  - 1.7 VPN Manager adaptation
    - 1.7.1 VPN Manager overview
    - 1.7.2 VPN Manager adaptation on Eudemon firewalls
- Chapter 2 File Management
  - 2.1 File system
    - 2.1.1 File system overview
    - 2.1.2 Directory operations
    - 2.1.3 File operations
    - 2.1.4 Storage device operations
    - 2.1.5 File system prompt modes
    - 2.1.6 File system usage example
  - 2.2 FTP configuration
    - 2.2.1 FTP overview
    - 2.2.2 FTP server configuration
    - 2.2.3 FTP server display and debugging
    - 2.2.4 Typical FTP connection example
  - 2.3 TFTP configuration
    - 2.3.1 TFTP overview
    - 2.3.2 TFTP protocol configuration
  - 2.4 XModem protocol configuration
    - 2.4.1 XModem protocol overview
    - 2.4.2 XModem protocol configuration
- Chapter 3 NTP Configuration
  - 3.1 NTP protocol overview
  - 3.2 NTP protocol configuration
    - 3.2.1 Configuring the NTP operating mode
    - 3.2.2 Configuring NTP authentication
    - 3.2.3 Configuring NTP authentication keys
    - 3.2.4 Configuring a specified key as trusted
    - 3.2.5 Configuring the local interface for sending NTP messages
    - 3.2.6 Configuring the NTP master clock
    - 3.2.7 Disabling or allowing an interface to receive NTP messages
    - 3.2.8 Configuring access control for NTP services on the local firewall
    - 3.2.9 Configuring the number of sessions the local device may establish
  - 3.3 NTP display and debugging
  - 3.4 Typical NTP configuration examples
    - 3.4.1 Configuring an NTP server
    - 3.4.2 Configuring NTP peers
    - 3.4.3 Configuring NTP broadcast mode
    - 3.4.4 Configuring NTP multicast mode
    - 3.4.5 Configuring NTP server mode with authentication
- Chapter 4 SNMP Configuration
  - 4.1 Protocol overview
    - 4.1.1 SNMP protocol introduction
    - 4.1.2 SNMP versions and supported MIBs
  - 4.2 SNMP configuration
    - 4.2.1 Starting or stopping the SNMP agent service
    - 4.2.2 Enabling or disabling SNMP protocol versions
    - 4.2.3 Configuring community names
    - 4.2.4 Configuring or deleting SNMP groups
    - 4.2.5 Adding or deleting users
    - 4.2.6 Configuring administrator identification and contact (sysContact)
    - 4.2.7 Allowing or disabling trap sending
    - 4.2.8 Configuring the local device engine ID
    - 4.2.9 Configuring trap destination host addresses
    - 4.2.10 Configuring the firewall location (sysLocation)
    - 4.2.11 Specifying the source address for traps
    - 4.2.12 View configuration
    - 4.2.13 Configuring the maximum message packet size
    - 4.2.14 Configuring the trap message queue length
    - 4.2.15 Configuring the trap message retention time
  - 4.3 SNMP display and debugging
  - 4.4 Typical SNMP configuration example
- Chapter 5 RMON Configuration
  - 5.1 RMON overview
  - 5.2 RMON configuration
    - 5.2.1 Enabling or disabling RMON interface statistics
    - 5.2.2 Statistics table configuration
    - 5.2.3 History control table configuration
    - 5.2.4 Event table configuration
    - 5.2.5 Alarm table configuration
    - 5.2.6 Extended alarm table configuration
  - 5.3 RMON display and debugging
  - 5.4 Typical RMON configuration example
  - 5.5 RMON troubleshooting
- Chapter 6 RMON2 Configuration
  - 6.1 RMON2 overview
  - 6.2 RMON2 configuration
    - 6.2.1 Protocol directory table configuration
    - 6.2.2 Host control table configuration
  - 6.3 RMON2 display and debugging
  - 6.4 Typical RMON2 configuration example
  - 6.5 RMON2 troubleshooting

Chapter 1 System Maintenance and Management
1.1 Introduction to system maintenance and management
System maintenance and management mainly covers:
- Configuration file management
- Collection of system status information and use of simple maintenance and debugging tools
- Patch upgrade management
- Maintenance and management of the system information center
- Log maintenance and management
1.2 Configuration file management
1.2.1 Configuration file content and format
The configuration file is a text file with the following format:
- It is saved in command format.
[Firewall Technical Case 3] Qiang Shu's Case Files: Campus Network Egress Gateway Configuration
Hello, forum friends.
Qiang Shu has just returned from a deployment at a well-known university and, before even catching his breath, sat down to write up this classic campus network egress gateway configuration for you.
The ink is barely dry, so here it is. This case comes from the real network deployed on that project, in a "miniaturised and modified" version.
That does not affect the authenticity or practicality of the case at all; anyone preparing to deploy a campus network egress gateway is welcome to use it as a reference.
-------- This case is long, but you will certainly gain something from reading it through --------

[Networking requirements]
As shown in the figure, a firewall (USG9560, version V300R001C20) is deployed as the gateway at the school's network egress.
The school's requirements are as follows:
1. To guarantee the Internet experience of intranet users, the school wants traffic to specific destination addresses to be forwarded over a specific ISP link.
For example, traffic to ISP1's servers should go over the link provided by ISP1, traffic to ISP2's servers over the link provided by ISP2, and traffic to education network (CERNET) servers over the CERNET link. The school also wants traffic from specific intranet users to be forwarded over a specific ISP link; for example, the library's Internet traffic should go over the CERNET link.
2. The school hosts servers that are accessed from outside by users of several ISPs, for example the school website home page, mail and Portal servers. A DNS server in the school resolves names for these servers. The school wants external users of each ISP to resolve to the address on their own ISP, to speed up access to the servers.
3. The school wants the USG to protect the internal network against SYN flood attacks and to raise alarms on network intrusions.
4. The school wants to limit P2P traffic, both per user and for the network as a whole.
5. The school wants to view attack defence and intrusion detection logs on the network management system, and to see the IP addresses before and after NAT translation.

[Configuration steps]
1. Configure the IP addresses of the interfaces.
I assume everyone knows how to configure interfaces, so Qiang Shu only gives the configuration of GE1/0/0 here. All interfaces in this example are 10GE interfaces.
[Qiang Shu's comment] The IP addresses an ISP assigns you usually come with a 30-bit mask.
It is advisable to configure a description or alias on the interface to indicate what it connects to.
<USG> system-view
[USG] interface GigabitEthernet 1/0/0
[USG-GigabitEthernet1/0/0] ip address 218.1
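The following Python model, added here as an example and not part of the forum post or of any Huawei implementation, shows the decision order behind requirements 1 and 2 above: a source-based rule (library subnet to the CERNET link) is evaluated before destination-based ISP selection, destination selection uses longest-prefix match against per-ISP address sets, and anything unmatched takes a default link; smart_dns_answer models the inbound side, answering a resolver with the server address on that resolver's own ISP. All prefixes, the library subnet and the server addresses are constructed from documentation ranges and are not real ISP allocations.

```python
"""Model of ISP-based egress selection and ISP-aware DNS answers for a multi-homed
campus egress. Added example; not the USG's policy-based-routing or smart-DNS code.
All addresses are constructed (RFC 5737 documentation ranges)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed per-ISP destination address sets. ISP2's first prefix is a more
# specific carve-out of ISP1's /24 so that longest-prefix match is exercised.
ISP_PREFIXES: Dict[str, List[str]] = {
    "ISP1": ["203.0.113.0/24"],
    "ISP2": ["203.0.113.128/25", "198.51.100.0/24"],
    "CERNET": ["192.0.2.0/24"],
}

# Source-based rules are evaluated before destination routing (constructed:
# the library subnet is pinned to the education network link).
SOURCE_RULES: Dict[str, str] = {"10.10.20.0/24": "CERNET"}

DEFAULT_LINK = "ISP1"

# Public address of the school web server on each ISP link (constructed).
SERVER_ADDRESSES: Dict[str, str] = {
    "ISP1": "203.0.113.10",
    "ISP2": "198.51.100.10",
    "CERNET": "192.0.2.10",
}


def lookup_isp(addr: str) -> Optional[str]:
    """Longest-prefix match of addr against ISP_PREFIXES; None if no ISP claims it."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for link, prefixes in ISP_PREFIXES.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if ip in net and net.prefixlen > best_len:
                best, best_len = link, net.prefixlen
    return best


def choose_egress(src: str, dst: str) -> str:
    """Requirement 1: source rules first, then destination ISP, then the default link."""
    s = ipaddress.ip_address(src)
    for prefix, link in SOURCE_RULES.items():
        if s in ipaddress.ip_network(prefix):
            return link
    return lookup_isp(dst) or DEFAULT_LINK


def smart_dns_answer(resolver_ip: str) -> str:
    """Requirement 2: answer with the server address on the querying resolver's own ISP."""
    return SERVER_ADDRESSES[lookup_isp(resolver_ip) or DEFAULT_LINK]


if __name__ == "__main__":
    print(choose_egress("10.10.20.7", "203.0.113.5"))    # library -> CERNET regardless of destination
    print(choose_egress("10.10.30.7", "203.0.113.200"))  # /25 carve-out wins -> ISP2
    print(smart_dns_answer("198.51.100.77"))             # ISP2 resolver gets the ISP2 address
```

The order matters: if destination lookup ran first, library traffic to an ISP1 server would leave over ISP1 and the school's requirement would silently fail, which is the kind of precedence to verify when translating these requirements into policy-based routes.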
Huawei USG Firewall Basic Configuration (study notes)
Learning objectives:
- Log in to the USG firewall
- Change the firewall's device name
- Change the firewall's time and time zone
- Change the firewall's login banner
- Change the firewall's login password
- View, save and delete the firewall configuration
- Configure VLANs and interface addresses on the firewall and test basic connectivity
Topology diagram. Learning tasks:

Step 1. Log in to a firewall with the default configuration and change its name
Like a router, the firewall has a Console port.
Connect the console port to the computer's COM port with a console cable.
Use the HyperTerminal program that ships with Windows to connect to the firewall.
The firewall's default configuration includes a user name and password: the user name is admin and the password is Admin@123, so both must be entered at login; note that they are case-sensitive.
The firewall name is changed in the same way as a router name.
Note also that, because the firewall and the router both run the VRP operating system, command levels, command help and so on work the same way as on a router.
<SRG> sys
13:47:28 2014/07/04
Enter system view, return user view with Ctrl+Z.
[SRG] sysname FW
13:47:32 2014/07/04

Step 2. Change the firewall's time and time zone
By default no time zone is defined on the firewall, so the time the system keeps may not match the real time.
Define the time and time zone according to the actual situation.
In this exercise we set the time zone to UTC+8 and then set the standard time.
clock timezone 1 add 08:00:00
13:50:57 2014/07/04
dis clock
21:51:15 2014/07/03
2014-07-03 21:51:15
Thursday
Time Zone : 1 add 08:00:00
clock datetime 13:53:44 2014/07/04
21:53:29 2014/07/03
dis clock
13:54:04 2014/07/04
2014-07-04 13:54:04
Friday
Time Zone : 1 add 08:00:00

Step 3.
Huawei Firewall Configuration and Usage Manual (self-written)
1. Network topology
A Huawei USG6000E firewall acts as the network border device, connecting the intranet, the Internet and the DMZ.
An intranet switch connects the intranet PC to the firewall's GE0/0/1 interface.
An Internet router connects the Internet to the firewall's GE0/0/2 interface.
A DMZ switch connects the DMZ WWW server and FTP server to the firewall's GE0/0/3 interface.
An intranet PC with IP address 10.1.1.2/24 is the intranet user, which must reach the Internet and the DMZ servers through the firewall.
A WWW server with IP address 192.168.1.10/24 provides the Web service in the DMZ and must offer HTTP to the outside.
An FTP server with IP address 192.168.1.20/24 provides the file service in the DMZ and must offer FTP to the outside.
Internet users must reach the DMZ WWW and FTP servers through the firewall.
Figure 1 Network topology

2. Basic configuration
This section covers the firewall's basic configuration, including initial configuration, login methods, interface configuration and security zone configuration.
2.1 Initial configuration
From the factory, the firewall's default management interface is GE0/0/0 with IP address 192.168.0.1/24 and the DHCP service enabled.
The default user name is admin and the default password is Admin@123.
On first login you must change the password and choose whether to clear the factory configuration.
Steps:
Connect the PC to the firewall's GE0/0/0 interface with a network cable and set the PC's IP address to 192.168.0.x/24 (x not equal to 1), or let it obtain an address from the firewall's DHCP service.
Open a browser on the PC and go to https://192.168.0.1:8443 (8443 is the default HTTPS management port on this series) to reach the firewall's Web UI.
Log in with the default user name admin and password Admin@123, and change the password when prompted.
The new password must contain upper-case letters, lower-case letters, digits and special characters, and be 8 to 32 characters long.
Choose whether to clear the factory configuration.
If you choose yes, all factory configuration is deleted and the firewall restarts; if you choose no, the factory configuration is kept and you enter the Web home page.
2.2 Login methods
2.2.1 Web login
Web login manages and configures the firewall through its Web UI in a browser.
USG9500 Series Terabit-Level Next-Generation Firewall

A fully connected world is becoming a reality. Glasses, watches, and even home appliances and health-check products are going smart and digitally connected. In this big data era, the growth of network traffic is exponential, network access methods are diverse, and services can scale on demand. Mobile working offers convenience, allowing people to be productive at home or anywhere. However, traditional security architectures cannot effectively protect agile and ubiquitous connections from equally ubiquitous vulnerabilities, risks, and intrusions that may compromise data security and privacy. Security has become the top priority in the ICT world.

Therefore, cloud service providers, large data centers and enterprises are upgrading the firewalls at their network borders to high-performance, full-featured next-generation firewalls (NGFWs). All enterprises exploring the viability of mobile working are advised to evaluate the functionality and performance of their firewalls for bottlenecks, and to upgrade their devices before becoming a target of emerging threats.

Product Appearance
USG9520, USG9560, USG9580 (product images)

Product Description
The USG9500 series comprises the USG9520, USG9560 and USG9580, and provides industry-leading security capabilities and scalability. Firewall throughput of the series is up to 1.92 Tbps.
By using dedicated multi-core chips and a distributed hardware platform, the USG9500 provides industry-leading service processing and expansion capabilities. All key components are redundant to ensure service continuity on high-speed networks, providing a level of availability normally seen in core routers. The distributed architecture uses line-rate intelligent traffic distribution for data forwarding: all data flows are distributed evenly across service processing units (SPUs) to prevent performance bottlenecks, so service processing capability grows linearly with the number of service modules, supporting the long-term development of customer networks.
The USG9500 provides multiple types of I/O interface modules for external connections and data transmission. Line processing units (LPUs) and SPUs share the same interface slots and can be mixed and matched as needed. The SPUs process all services: the motherboard of each SPU holds expansion cards with multi-core CPUs, which together with the software modules allow the SPUs to process all services on the USG9500. To ensure service continuity, the USG9500 provides SPU redundancy and a heartbeat detection mechanism between SPUs and LPUs; if one SPU fails, all functions are switched to other SPUs without interrupting service. In addition, the USG9500 provides GE, 10GE, 40GE and 100GE interfaces and supports cross-board port bundling to improve throughput and port density.

Highlights
Most accurate access control: ACTUAL-based comprehensive protection
The core function of both traditional firewalls and NGFWs is access control. On traditional firewalls, however, access control is based only on port and IP address. The USG9500 provides more fine-grained access control:
- Comprehensive protection: integrated control and protection based on application, content, time, user, attack, and location (ACTUAL). Application-layer protection and application identification are combined; for example, the USG9500 can identify Oracle-specific traffic and apply intrusion prevention tuned to it, increasing efficiency and reducing false positives.
- Based on application: accurately identifies over 6000 applications (including mobile and web applications) and their sub-services, then applies access control and service acceleration accordingly. For example, the USG9500 can identify the voice and data services of an instant messaging application and apply different control policies to each.
- Based on user: supports eight user authentication methods, including RADIUS, LDAP and AD authentication, synchronization of user information from an existing authentication system, user-based access control, and QoS management.
- Based on location: uses IP address geolocation to identify where application and attack traffic originates, promptly detects network anomalies, and applies differentiated, user-defined access control to traffic from different locations.

Most pragmatic NGFW features: equivalent to multiple devices, reducing TCO
As more information assets become reachable from the Internet, cyber attacks and information theft are rampant, and next-generation firewalls must cover a wider range of protection. The USG9500 provides:
- Versatility: integrates traditional firewall functions, VPN, intrusion prevention, antivirus, data leak prevention (DLP), bandwidth management, and online behavior management into one device to simplify deployment and improve efficiency.
- Intrusion prevention system (IPS): detects and prevents exploits of over 5000 vulnerabilities and web application attacks such as cross-site scripting and SQL injection.
- Antivirus (AV): blocks over 5 million viruses and Trojan horses using a high-performance antivirus engine and a daily-updated virus signature database.
- Data leak prevention: identifies and filters file and content transfers. The USG9500 can identify more than 120 file types even when file name extensions have been deliberately changed, and can reassemble and content-filter over 30 file types, such as Word, Excel, PPT, PDF and RAR files, to prevent leaks of critical enterprise information.
- SSL decryption: acts as a proxy to apply application-layer protection such as IPS, AV, DLP and URL filtering to SSL-encrypted traffic.
- Anti-DDoS: identifies and prevents 10 types of DDoS attack, such as SYN and UDP floods.
- Online behavior management: cloud-based URL filtering against a URL category database of 85 million URLs to block threats from malicious websites, control of online behaviors such as posting to social media and FTP upload/download, and auditing of Internet access records.
- Secure interconnection: supports VPN features such as IPSec, L2TP, MPLS and GRE VPN to ensure secure and reliable connections between enterprise headquarters and branch offices.
- QoS management: flexibly manages upper and lower traffic thresholds and supports application-specific policy-based routing and QoS marking to preferentially forward traffic of specified URL categories, such as financial websites.
- Load balancing: supports server load balancing, and link load balancing based on link quality, bandwidth and weight where multiple egresses are available.

Most advanced network processor + multi-core CPU + distributed architecture: linear performance growth that breaks the performance bottleneck
The USG9500 uses a modular hardware platform of the kind found in core routers. Each LPU has two network processors (NPs) for line-rate forwarding. Each SPU uses multi-core CPUs with a multi-threaded architecture, and each CPU has an application acceleration engine. These hardware advantages, combined with Huawei's optimized concurrent processing technology, raise CPU capacity to ensure high-speed parallel processing of multiple services such as NAT and VPN. LPUs and SPUs operate independently, so overall performance grows linearly with the number of SPUs and customers can scale performance up at low cost.
With this system architecture, the USG9500 is the industry's highest-performance security gateway in terms of throughput and concurrent connections. The dedicated traffic distribution technology allows linear performance growth with the number of SPUs. The USG9500 delivers up to 1.92 Tbps large-packet throughput, 2.56 billion concurrent connections, and 4095 virtual firewalls to meet the performance demands of high-end customers such as television and broadcast companies, government agencies, energy companies, and education organizations.

Most stable and reliable security gateway: full redundancy to ensure service continuity
Network security is essential to the normal operation of enterprises. To ensure service continuity on high-speed networks, the USG9500 supports active/standby and active/active redundancy, port aggregation, VPN redundancy, and SPU load balancing. It also supports dual-MPU active/standby switchover, normally seen in high-end routers, for high availability. The mean time between failures (MTBF) of the USG9500 is up to 200,000 hours, and failover time is less than one second.

Most diverse virtualization functions: for cloud networks
Cloud computing relies on virtualization and secure high-speed network connections. To support cloud technologies, the USG9500 delivers high throughput and supports virtual systems that have dedicated resources, forward traffic independently, and are configured and managed separately to meet the requirements of different customers. You can assign resources to virtual systems as needed, configure policies, log management and audit functions per virtual system according to tenant requirements, and customize traffic forwarding per virtual system. The forwarding planes of virtual systems are separated, so tenant data stays isolated and resource exhaustion on one virtual system does not affect the others.

Specifications

Security features
- Basic firewall functions: transparent, routing and hybrid modes; stateful inspection; blacklist and whitelist; access control; application-specific packet filter (ASPF); security zones
- Egress load balancing: ISP-based routing; intelligent uplink selection; transparent DNS proxy at egress; user-based, application-based, link-based and time-based traffic control
- Ingress load balancing: intelligent DNS at ingress; server load balancing; application-based QoS
- URL filtering: URL database of 85 million URLs; 80+ URL categories; trend and top-N statistics by user, IP address, category and count; query of URL filtering logs
- VPN: DES, 3DES and AES encryption; MD5 and SHA-1 authentication; manual key, PKI (X.509) and IKEv2; perfect forward secrecy (DH groups); anti-replay; transport and tunnel modes; IPSec NAT traversal; dead peer detection (DPD); EAP authentication (EAP-SIM, EAP-AKA); VPN gateway redundancy; IPSec over IPv6, IPSec 4 over 6 and IPSec 6 over 4; L2TP tunnel; GRE tunnel
- Anti-DDoS: prevention of SYN, ICMP, TCP, UDP and DNS floods; prevention of port scan, Smurf, teardrop and IP sweep attacks; prevention of attacks exploiting IPv6 extension headers; TTL detection; TCP-MSS detection; attack logs
- High availability: multi-DC cluster; active/active and active/standby modes; hot standby (Huawei redundancy protocol); configuration synchronization; data backup between SPUs in a chassis; firewall and IPSec VPN session synchronization; device fault detection; link fault detection; dual-MPU switchover
- Management: Web UI (HTTP/HTTPS); CLI (console, remote login, SSH); U2000/VSM network management system; hierarchical administrators; software upgrade; configuration rollback; STelnet and SFTP
- Certification: safety certification; electromagnetic compatibility (EMC) certification; CB, RoHS, FCC, MET, C-tick and VCCI certification; ICSA Labs: Firewalls, IPS, IPSec, SSL-TLS, Anti-Virus
- NAT/CGN: destination NAT/PAT; NAT No-PAT; source NAT with IP address persistency; source IP address pool groups; NAT server; bidirectional NAT; NAT-ALG; unlimited IP address expansion; policy-based destination NAT; port range allocation; hairpin connections; SMART NAT; NAT64; DS-Lite; IPv6 rapid deployment (6RD)
- Service awareness: identification and control of over 6000 protocols: P2P, IM, game, stock charting/trading, VoIP, video, streaming media, email, mobile phone services, Web browsing, remote access, network management and news applications
- Antivirus: detection of 5 million viruses; flow-based inspection for higher performance; inspection of encrypted traffic; trend and top-N statistics by virus family
- PKI: online CA certificate enrollment; online CRL check; hierarchical CA certificates; support for public-key cryptography standards (PKCS#10); CA certificates; SCEP, OCSP and CMPv2 protocols; self-signed certificates
- Intrusion prevention system: protocol anomaly detection; user-defined signatures; automatic update of the knowledge bases; zero-day attack defense; prevention of worms, Trojan horses and malware attacks
- Networking/routing: POS, GE and 10GE interfaces; DHCP relay/server; policy-based routing; IPv4/IPv6 dynamic routing protocols such as RIP, OSPF, BGP and IS-IS; inter-zone/inter-VLAN routing; link aggregation such as Eth-Trunk and LACP
- Virtual system: up to 4095 virtual systems (VSYS); VLANs on virtual systems; security zones on virtual systems; user-configurable resources on virtual systems; inter-virtual-system routing; virtual-system-specific committed access rate (CAR); separate management of virtual systems; resource isolation for different tenants
- Logging/monitoring: structured system logs; SNMPv2; binary logs; traceroute; log server (LogCenter)
- User authentication and access control: built-in (internal) database; RADIUS accounting; Web-based authentication

* Performance is tested under ideal conditions; real results may vary with different deployment environments.
Note: not all versions support all listed features. Contact your Huawei representative for details.

Application Scenario
(Figure: two USG9500 firewalls at the ingress of a data center in front of server farms and storage devices.)

Background and challenges
With the dramatic increase in the volume of enterprise data, data centers provide more types of services, handle more traffic, and become more important for enterprises; they also attract more attackers. Data centers have evolved from data concentration to server consolidation based on virtualization in the cloud era. This evolution has brought security challenges to data centers, and security is now the key factor determining their efficiency and availability.

Customer requirements
Upgrading data centers to cloud data centers increases the volume of remote access traffic a cloud data center handles. Separate security planes are therefore required for different services and tenants; deploying traditional security devices at the egress of data centers complicates internal traffic policing and management and exposes data centers to malicious access and attacks. As a result, the functions and performance of traditional security devices at the data center egress cannot meet the new requirements and have become a bottleneck.

Solution
As shown in the preceding figure, two USG9500 firewalls are deployed at the ingress of a large IDC/VDC/enterprise network. Virtual systems can be created on the firewalls for different tenants, and the bandwidth and number of sessions available to each virtual system can be configured as needed. The virtual systems are isolated from each other, and the external network is isolated from the internal network. Adding SPUs to the USG9500 increases the volume of traffic it can handle, which is more cost-effective than purchasing new devices in terms of power consumption per gigabit, and also allows smooth capacity expansion. Service awareness and log analysis reports provide visibility into network security and forensic evidence. IPS and anti-DDoS boards can be added to block viruses and attacks from external networks. To ensure availability and implement millisecond-level switchover, the two devices are deployed in active/active or active/standby mode.

Ordering Information
Note: the table lists only some parts of the USG9500 and is not reproduced in this copy. For more information, contact your Huawei representative.

About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party. Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved.