H3C SecPath M9000-X Series Multi-Service Gateway Datasheet
Product description
The H3C SecPath M9000-X series multi-service security gateway is a new generation of high-performance multi-service security gateway launched by H3C Technology Co., Ltd. (hereinafter referred to as H3C) for the commercial core network, large enterprise and campus network egress markets, in step with the development trends of cloud computing, 5G, Internet of Things, IPv6, big data and high-performance computing.
The H3C SecPath M9000-X has the highest firewall throughput of the M9000 series and fully supports traffic content audit, encrypted application identification, attack defense, abnormal traffic cleaning, unknown threat detection, server abnormal outreach detection, sensitive data protection, web application protection, access control, security zone division, blacklists, traffic monitoring, email filtering, web page filtering and application layer filtering, which together effectively ensure network security; in-depth business security detection provides more detailed protection for web servers. It adopts ASPF (Application Specific Packet Filter) application state detection technology, which tracks the connection state process and detects abnormal commands; supports a variety of VPN services, such as L2TP VPN, GRE VPN, IPSec VPN, SSL VPN and MPLS VPN, to meet a variety of high-performance VPN access requirements; supports the most abundant NAT features in the industry to meet the NAT needs of major operators; provides rich routing capabilities, including static routing, RIP/OSPF/BGP/ISIS routing strategies and policy routing; and fully supports the IPv4/IPv6 dual protocol stack.
The H3C SecPath M9000-X series multi-service security gateway is designed for the high reliability requirements of network applications. It adopts a leading multi-core, fully distributed architecture with a separated, pluggable module design that allows flexible networking and expansion. The main control engine is 1+1 redundant, provides unified configuration management of the whole chassis and supports secure clustering; service engines and interface units can be mixed in the same chassis and selected flexibly according to performance requirements; fan modules are redundant, the fan frame supports fan status monitoring and stepless speed regulation, and fan groups can automatically adjust their speed according to the ambient temperature and board configuration; power modules use M+N backup, AC and DC power modules support hot swap and load sharing across modules, and the number of power modules can be configured flexibly according to system power consumption so that each module works efficiently. All units of the equipment support hot swap, which fully meets the needs of network maintenance, upgrade and optimization.
M9000-X06 M9000-X10
Features
Independent high-performance control engine, realizing unified system configuration management and secure clustering.
The security service engine adopts the latest multi-core high-performance processors, and the security service processing performance of a single board is the highest in the industry; one hardware board can simultaneously provide L2-L7 comprehensive security defense, including firewall, NAT, LB, IPS, AV, ACG, VPN, etc.
The built-in modular software system supports multi-process scheduling with isolated process address spaces, so an abnormality in a single process does not affect the rest of the system, which improves reliability; it supports authority management, defining user read and write permissions at the level of features, command lines, system resources and web management, which improves system security; it supports hot patching and ISSU, realizing system upgrade without interrupting service and improving usability.
Supports RBM (remote hot backup) 1:1 hot backup, with Active/Active, Active/Passive and other working modes, realizing load sharing and service backup.
Supports unified management: the host plus multi-service engines is always managed as a single network element, so there is no need to plan an IP address for each card, which saves the user's IP addresses, greatly reduces deployment complexity, and enables comprehensive management of the equipment: configuration management, performance monitoring and log auditing.
Supports intelligent flow distribution (IFF): after multiple service cards are deployed, traffic is automatically load-shared among them to achieve distributed processing.
Supports packet filtering: standard or extended access control rules between security zones filter data packets using information such as the UDP or TCP ports in the packet, and filtering according to time periods is supported.
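The inter-zone packet filtering described above, as an added example that is not H3C's code: a small rule engine with first-match semantics over source zone, destination zone, protocol, destination port and an optional time period, with an implicit deny for unmatched traffic. The zone names, rule names, office-hours window and packets are constructed for illustration.

```python
"""Inter-zone packet filtering with port and time-period conditions.

Added example (not H3C's code): a rule engine modelled on the inter-zone
access control described above. Each rule matches on source zone,
destination zone, an optional protocol, optional destination ports and an
optional time period; the first matching rule decides and traffic matching
no rule is denied. Zone names, rule names and packets are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TimePeriod:
    """Recurring daily window [start, end) on the listed weekdays (0=Mon .. 6=Sun)."""
    start: time
    end: time
    weekdays: Tuple[int, ...] = (0, 1, 2, 3, 4, 5, 6)

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                          # "permit" or "deny"
    proto: Optional[str] = None          # "tcp"/"udp"/"icmp"; None matches any protocol
    dst_ports: Tuple[int, ...] = ()      # empty tuple matches any destination port
    period: Optional[TimePeriod] = None  # None means the rule is always in effect


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


class ZonePolicy:
    """Ordered inter-zone rule list with first-match semantics and an implicit deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def match(self, pkt: Packet, at: datetime) -> Optional[Rule]:
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
                continue
            if rule.proto is not None and rule.proto != pkt.proto:
                continue
            if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
                continue
            if rule.period is not None and not rule.period.active(at):
                continue  # rule exists but is outside its time period
            return rule
        return None

    def decide(self, pkt: Packet, at: datetime) -> Tuple[str, str]:
        """Return (action, rule name); unmatched traffic hits the implicit deny."""
        rule = self.match(pkt, at)
        if rule is None:
            return ("deny", "implicit-deny")
        return (rule.action, rule.name)


# Constructed sample policy: office hours are Monday to Friday, 09:00-18:00.
OFFICE_HOURS = TimePeriod(time(9, 0), time(18, 0), weekdays=(0, 1, 2, 3, 4))

POLICY = ZonePolicy([
    Rule("trust-to-dmz-web", "TRUST", "DMZ-1", "permit", "tcp", (80, 443)),
    Rule("trust-to-internet-office-hours", "TRUST", "UNTRUST", "permit", "tcp", (80, 443), OFFICE_HOURS),
    Rule("dmz-to-trust-block", "DMZ-1", "TRUST", "deny"),
])


def evaluate(src_zone, dst_zone, proto, dst_port, at):
    """Decide one packet against the sample policy; `at` is a datetime or ISO 8601 string."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    return POLICY.decide(Packet(src_zone, dst_zone, proto, dst_port), at)


if __name__ == "__main__":
    for args in [("TRUST", "UNTRUST", "tcp", 443), ("DMZ-1", "TRUST", "tcp", 22)]:
        print(args, "->", evaluate(*args, "2024-01-08T10:00:00"))
```

The time-period check is applied as a match condition rather than by removing the rule, so a packet that arrives outside the window falls through to later rules and finally to the implicit deny, which is the behaviour an auditor of a time-based policy should expect.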
Supports authentication, authorization and accounting (AAA) services, including authentication based on RADIUS/HWTACACS+/LDAP(AD), CHAP, PAP, etc.
Supports VPN functions, including L2TP, manual/automatic IPSec, GRE, MPLS VPN, etc.
Supports rich routing protocols: IPv4 and IPv6 static routing, equal-cost routing and policy routing; dynamic IPv4 routing protocols such as BGP, RIPv2, OSPF and ISIS; and dynamic IPv6 routing protocols such as BGP4+, OSPFv3 and ISISv6.
Supports security logs: operation logs, inter-zone policy matching logs and attack defense logs; DS-Lite logs; NAT444 logs in China Telecom, China Unicom and China Mobile formats.
Unknown threat detection: relying solely on signature analysis is no longer sufficient for complex network environments. Against typical APT (Advanced Persistent Threat) attacks, sandbox technology, which constructs an isolated threat detection environment, is one of the most effective defenses. The H3C security gateway sends network traffic to the sandbox for isolated analysis, and the sandbox concludes whether a threat is present. If a flow is found to be malicious, the device blocks it.
Terminal identification and shared-access management: terminal identification is an important prerequisite for establishing secure connections in the Internet of Things and is used to identify IoT terminals. When terminal traffic flows through the device, the H3C security gateway can analyze and extract terminal information such as the manufacturer and model of the terminal, and can send a log to the user as a prompt. At the same time, application detection and IPID detection are used to identify and manage Internet sharing through NAT or proxy technology.
Server abnormal outreach detection: server outreach protection is a protection mechanism for intranet servers. It effectively identifies active outbound connections initiated by servers, applies the corresponding outreach protection policies to identify abnormal packets, and outputs alarm information for management staff to process further. This gives the administrator a basis for checking the server, and so prevents the server from becoming part of a botnet that launches external attacks or infiltrates the intranet.
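The outreach detection idea above, as an added example that is not H3C's code: a detector run over constructed flow-log lines that flags intranet servers initiating connections to addresses outside the intranet unless a per-server policy allows that destination and port. The subnets, policy entries and log lines are constructed for illustration.

```python
"""Server abnormal outreach detection over flow records.

Added example (not H3C's code). Each flow line is
'timestamp src_ip src_port dst_ip dst_port proto'. A server is any host in
SERVER_SUBNETS; an outreach is a connection the server initiates (it is the
source) to an address outside INTRANET. OUTREACH_POLICY lists, per server,
the (destination network, port) pairs it is expected to use; any other
outreach produces an alert. All addresses and log lines are constructed.
"""
import ipaddress
from collections import defaultdict

INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SERVER_SUBNETS = [ipaddress.ip_network("10.10.20.0/24")]  # constructed DC server range

# Constructed per-server outreach policy: allowed (destination network, destination port) pairs.
OUTREACH_POLICY = {
    "10.10.20.5": {("203.0.113.0/24", 443)},  # web server may reach a constructed API range
    "10.10.20.9": set(),                       # file server should never initiate outbound
}


def _in(ip, nets):
    return any(ip in net for net in nets)


def parse_flow(line):
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def is_outreach(flow):
    """True when an intranet server is the initiator and the destination is not intranet."""
    return _in(flow["src"], SERVER_SUBNETS) and not _in(flow["dst"], INTRANET)


def allowed_by_policy(flow):
    for net, port in OUTREACH_POLICY.get(str(flow["src"]), set()):
        if flow["dst"] in ipaddress.ip_network(net) and flow["dport"] == port:
            return True
    return False


def detect(lines):
    """Return one alert dict per abnormal outreach, in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_outreach(flow) and not allowed_by_policy(flow):
            alerts.append({"ts": flow["ts"], "server": str(flow["src"]),
                           "dst": str(flow["dst"]), "dport": flow["dport"],
                           "proto": flow["proto"]})
    return alerts


def summarize(alerts):
    """Count alerts per server so the administrator sees which hosts to check first."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["server"]] += 1
    return dict(counts)


# Constructed sample flows: an allowed API call, an IRC-port connection from the
# web server, an SMB connection from the file server, a client hitting the web
# server, and an intranet database connection.
SAMPLE_FLOWS = """\
2024-01-08T10:00:01 10.10.20.5 51000 203.0.113.10 443 tcp
2024-01-08T10:00:02 10.10.20.5 51001 198.51.100.7 6667 tcp
2024-01-08T10:00:03 10.10.20.9 51002 198.51.100.20 445 tcp
2024-01-08T10:00:04 192.168.1.50 51003 10.10.20.5 80 tcp
2024-01-08T10:00:05 10.10.20.5 51004 10.10.30.2 3306 tcp
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The detector keys on direction (the server is the source) rather than on port, because a compromised server can call out on any port; the per-server allowlist is what separates expected outbound traffic from anomalies.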
High-precision, high-efficiency intrusion detection engine: adopts H3C's FIRST (Full Inspection with Rigorous State Test) engine, developed with independent intellectual property rights. The FIRST engine integrates a number of detection technologies, realizes comprehensive detection based on accurate state tracking, and has extremely high intrusion detection accuracy; at the same time, it adopts parallel detection technology and can be flexibly adapted to software and hardware, which greatly improves intrusion detection efficiency.
Real-time virus protection: flow-engine virus scanning technology quickly and accurately removes viruses and other malicious code from network traffic.
Comprehensive and timely security signature database: through years of operation and accumulation, H3C has an attack signature database team with senior experience in the industry and a professional attack and defense laboratory that keeps up with the latest developments in network security, ensuring timely and accurate updates of the signature database.
Industry-leading IPv6
Supports IPv6 basic protocols: TCP6, UDP6, RAWIP6, ICMPv6, PPPoEv6, DHCPv6 Server, DHCPv6 Client, DHCPv6 Relay, DNSv6, RADIUS6 and other protocols; supports IPv6 routing protocols, including static routing, BGP4+/OSPFv3/ISISv6 routing policy and policy routing; supports IPv6 ASPF.
Supports various IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, IPv4-compatible IPv6 automatic tunnel, ISATAP tunnel, NAT444, DS-Lite, etc.
Integrates SSL VPN features to meet the secure access requirements of mobile office and employees on business trips. It can combine USB-Key and SMS for mobile user identity authentication, and can also integrate with the enterprise's existing authentication system to provide a single authentication entry point.
Supports basic DLP functions: email filtering (SMTP email address, subject, attachment and content filtering); web page filtering (HTTP URL and content filtering); file filtering for network transmission protocols; application layer filtering, providing Java/ActiveX blocking and SQL injection attack prevention.
Supports standard network management through SNMPv3, compatible with SNMP v1 and v2. Device management and security service configuration can be performed through the command line interface, meeting the needs of professional management and mass configuration.
Supports packet capture based on interface and IP. Captured packets are written to a file with a .cap suffix that can be read by Wireshark (a network packet analysis tool) and saved locally or to an external server, so that users can analyze and diagnose the traffic entering and leaving the device.
Supports packet loss statistics, which analyze and record the detailed reasons packets are discarded in the forwarding process of the device and its security service modules (such as attack defense, session management and connection limiting).
Supports web page diagnosis: when an intranet user fails to access a web page, a basic diagnosis of the network is carried out and the cause of the failure is given.
Supports packet tracing with real traffic, imported packets or constructed packets, used to analyze and track each security service module in the device (such as attack defense, uRPF, session management and connection limiting). By viewing the detailed packet trace records, the administrator can quickly troubleshoot and locate network faults.
Unified management is realized through H3C's self-developed management system, which integrates security information and event collection, analysis and response. It solves the problems of isolated network and security devices, an unintuitive view of network security status, slow response to security incidents and difficult network fault location, so that IT and security administrators are freed from tedious management work, can concentrate on core business, and work far more efficiently.
The system normalizes logs in different formats (syslog, binary flow logs, etc.). High-ratio aggregation and compression is used to store massive numbers of events, and log files can be automatically compressed, encrypted and saved to external storage such as DAS, NAS or SAN to avoid loss of important security events.
Provides rich reports, mainly application-based reports and network-flow-based analysis reports. Reports can be customized through the web interface; the customizable content includes the time range of the data, the source device of the data, the generation cycle and the output type.
Product specification
Attribute | M9000-X06 | M9000-X10
Number of slots on the main control board | 2 | 2
Redundant design | Main control, SFU, power supply, fan | Main control, SFU, power supply, fan
Total power consumption (W) | <2252W | <3360W
Ambient temperature | 0~40℃ (non-working: -40~70℃) | 0~40℃ (non-working: -40~70℃)
Security strategy
Access control lists based on domain name (domain name group), service, user, application, time period, etc.
Supports strategic risk classification and application risk tuning
Policies can be fuzzily queried to retrieve redundant and no-hit policies
Supports policy grouping, and can be connected to third-party platforms through the NETCONF interface to create, delete, modify and move policies
Security monitoring based on state legitimacy
Supports access control based on black and white lists, and supports one-click
Virus protection
Supports virus signature detection and protection based on the IPv4 and IPv6 dual stack, and can detect email viruses, web application viruses, common file viruses, Trojan horses, worms, malicious web pages, packed data, packers, and viruses inside compressed packages (zip, gzip, tar)
Supports manual and automatic upgrade of the virus database, and manual import of the signature database
Supports the cloud virus database
Packet flow processing mode
Supports the HTTP, FTP, SMTP and POP3 protocols
Supported virus types: Backdoor, Email-Worm, IM-Worm, P2P-Worm, Trojan, AdWare, Virus, etc.; supports virus logs and reports
Encrypted traffic protection
Supports HTTPS proxy and SSL offloading, and can perform content detection and filtering, auditing and attack protection on decrypted HTTPS traffic
Email filtering
SMTP email address filtering
Email header filtering
Email content filtering
Email attachment filtering
Smart bandwidth control
Supports bandwidth guarantee based on user, IP, interface and service; supports traffic shaping; supports maximum/minimum flow and connection rate limit management for each IP and user
Supports flow control policies based on application layer protocols, with maximum/minimum bandwidth, guaranteed bandwidth, protocol traffic priority, etc., and supports eight-level control
Load balancing
Supports application layer link load balancing based on HTTP and HTTPS
Supports DNS transparent proxy, DNS filtering and intelligent DNS
Supports server load balancing
Supports global load balancing
Supports link health status detection
Supports intelligent link selection
NAT
Supports mapping multiple internal addresses to the same public network address
Supports mapping multiple internal addresses to multiple public network addresses
Supports one-to-one mapping from internal addresses to public network addresses
Supports port multiplexing, which raises the upper limit on the number of NAT translations
Supports simultaneous translation of source and destination addresses, with a real-time NAT alarm when usage of the source NAT address pool exceeds the limit
Supports external network hosts accessing internal servers
Supports direct mapping of internal addresses to the interface's public IP address
Supports the DNS mapping function
Supports a configurable validity time for address translations
Supports multiple NAT ALGs, including DNS, FTP, H.323, ILS, MSN, NBT, PPTP, SIP, etc.
Supports NAT444 and NAT64
VPN
L2TP VPN, IPSec VPN, GRE VPN, MPLS VPN, SSL VPN
Supports IPv6 over IPv4 GRE tunnel
Environmental protection and certification
Supports Europe's strict RoHS environmental protection certification
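Two behaviours from the NAT rows of the specification table, port multiplexing and the source-pool usage alarm, as an added example that is not H3C's code. Many internal (address, port) pairs share one public address and are told apart by the translated source port, which raises the concurrent-translation limit well above one host per public address; an alarm is raised in real time when the fraction of the pool in use reaches a configured threshold. The pool addresses, port range and threshold are constructed, and the tiny port range keeps the arithmetic visible.

```python
"""Source NAT with port multiplexing and an address-pool usage alarm.

Added example (not H3C's code): a translation table that allocates a
(public address, public port) pair per flow, prefers the least-loaded pool
address, and records an alarm when pool usage crosses a threshold. Pool
addresses, port range and threshold are constructed values.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, int, str, int, str]  # (src ip, src port, dst ip, dst port, proto)


class SourceNatPool:
    def __init__(self, addresses: List[str], port_range: Tuple[int, int] = (1024, 65535),
                 alarm_threshold: float = 0.8):
        self.addresses = [str(ipaddress.ip_address(a)) for a in addresses]  # validates syntax
        self.lo, self.hi = port_range
        self.threshold = alarm_threshold
        self.table: Dict[FlowKey, Tuple[str, int]] = {}  # flow -> (public ip, public port)
        self.used: Dict[str, Set[int]] = {a: set() for a in self.addresses}
        self.alarms: List[str] = []
        self._alarm_active = False

    def capacity(self) -> int:
        """Concurrent translations the pool can hold with port multiplexing."""
        return len(self.addresses) * (self.hi - self.lo + 1)

    def one_to_one_capacity(self) -> int:
        """Upper limit if each public address were instead bound to one internal host."""
        return len(self.addresses)

    def usage(self) -> float:
        return sum(len(ports) for ports in self.used.values()) / self.capacity()

    def _allocate(self, src_port: int) -> Optional[Tuple[str, int]]:
        # Least-loaded public address first; keep the original source port when it is
        # inside the range and free, otherwise take the lowest free port.
        for addr in sorted(self.addresses, key=lambda a: len(self.used[a])):
            ports = self.used[addr]
            candidates = [src_port] if self.lo <= src_port <= self.hi else []
            candidates.extend(range(self.lo, self.hi + 1))
            for port in candidates:
                if port not in ports:
                    return addr, port
        return None  # every port on every pool address is in use

    def _check_alarm(self) -> None:
        usage = self.usage()
        if usage >= self.threshold and not self._alarm_active:
            self._alarm_active = True
            self.alarms.append(f"source NAT pool usage {usage:.0%} reached threshold {self.threshold:.0%}")
        elif usage < self.threshold:
            self._alarm_active = False  # re-arm so the next crossing is reported again

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                  proto: str = "tcp") -> Tuple[str, int]:
        """Return the (public ip, public port) for a flow, allocating on first sight."""
        key: FlowKey = (src_ip, src_port, dst_ip, dst_port, proto)
        if key in self.table:
            return self.table[key]
        allocation = self._allocate(src_port)
        if allocation is None:
            raise RuntimeError("source NAT address pool exhausted")
        addr, port = allocation
        self.used[addr].add(port)
        self.table[key] = (addr, port)
        self._check_alarm()
        return self.table[key]

    def release(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                proto: str = "tcp") -> None:
        """Free a translation when its session ends (on a device, the validity timer does this)."""
        addr, port = self.table.pop((src_ip, src_port, dst_ip, dst_port, proto))
        self.used[addr].discard(port)
        self._check_alarm()


if __name__ == "__main__":
    pool = SourceNatPool(["203.0.113.1", "203.0.113.2"], port_range=(1024, 1027), alarm_threshold=0.75)
    print("capacity with multiplexing:", pool.capacity(), "one-to-one:", pool.one_to_one_capacity())
    for host in range(1, 7):
        print(pool.translate(f"10.0.0.{host}", 40000, "198.51.100.1", 443))
    print(pool.alarms)
```

The alarm is latched while usage stays above the threshold and re-armed once it drops below, so a pool hovering near its limit produces one alarm per crossing rather than one per new session.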
Typical networking (diagram): the SecPath M9000-X connects the Internet (UNTRUST zone) with the TRUST, DMZ-1 and DMZ-2 zones (DMZ zone). Labels in the diagram: File Server, OA, Internal DC, finance, WEB, R&D, POP3, SC.
Excellent anti-attack capability, effectively preventing single-packet, flood and other attacks.
Optional information
Host purchase list
switching engine