网康下一代防火墙上线指南

网康下一代防火墙上线指南
网康下一代防火墙
简易上线指南
1、网线插入设备MGT口
2、浏览器输入：https://192.168.1.23
3、用户名：admin
4、密码：ngfw2012
5、进入设备依次后点击网络设置--->接口与区域-- 物理接口
6、配置E0口如下图所示（注意如果WAN口需要远程协助，需要在允许访问的IP内添加
全部IP允许访问）
实际配置以WAN口接入IP以及接入方法配置
7、继续配置E1口如下图所示（此口作为内网口，实际IP请按原内网结构）
8、左边列表选择静态路由设置，点击新建，建立通用默认路由（下一跳IP如果有网关，就指向网关，如果设备自己是网关，不用设置静态路由）
9、如果需要开启LAN内的DHCP，左边列表内设置DHCP功能
10、进入策略配置安全策略然后新建如下图
选择源地址或者目的地址，然后选择新建地址，如下图（做一个全局地址）
选择刚建立的地址（源地址与目的地址都相同）
11、进入地址转换（NAT）新建，按如下设置
12、最后，系统管理的基本配置里把DNS设置好
13、好了，以上设置基本可以上网了。

记得点击右上角的生效。

14、右上角的保存设置是你确认当前配置没问题后，就可以点保存了，否则没有保存的设置在设置重启后将会丢失。

目录摘要 (3)1、不断失陷的网络安全 (4)2、攻击者如何突破防御体系 (5)3、传统网络安全防护体系无法应对新的安全威胁 (7)4、云管端下一代安全架构 (8)4.1 PDFP安全模型 (8)4.2 云管端下一代网络安全架构 (10)4.3 下一代网络安全架构的5项关键能力 (11)4.4 云管端安全架构的价值 (12)5、关于网康科技 (13)摘要●网络攻击已经从早期的泛攻击演进为利用0-day漏洞、以获取重大经济/政治利益为目标、定向持续的高级攻击。

●随着企业业务的云化、虚拟化、移动化，网络边界被拉伸、模糊甚至消失，传统的网络安全架构已不能适应IT架构的变化，无法应对新的高级威胁。

●内部人员的误用、滥用或恶意行为，越来越成为安全事件频发的重要原因，内网不再是可信的安全区域，应加强内部人员网络行为的审计与监控。

●现有网络安全防护体系基于P2DR模型，以网络边界为中心，以特征匹配为核心手段，重在防御，是静态、被动的安全模型，不能有效应对未知威胁。

●云管端下一代网络安全架构基于PDFP模型，以异常检测、智能预测、协同联动为手段，强调对抗，是动态、主动的安全模型，能够有效应对未知威胁和APT攻击。

1、不断失陷的网络安全近年来，网络安全事件频发，危害逐渐升级。

据CNCERT《2014年中国互联网网络安全态势报告》，2014年通报的漏洞事件达9068起，比2013年增长3倍，其中“心脏滴血”和“破壳”漏洞，涉及基础应用与硬件设备，影响极为广泛严重；中国被控制的主机数量规模庞大，有1081万台僵尸主机被境外4.2万台服务器控制，针对互联网DNS服务、电商等大规模的DDoS攻击，与此不无关系。

国际上，网络安全形势犹有过之，RSA总裁AmitYoran认为2014年的网络安全是“Mega Breach”（Breach，失陷），而2015年的安全形势比2014年更糟，将是“Super Mega Breach”的一年。

网康下一代防火墙封堵“TCP 445”配置指引
近期国内多处高校网络出现ONION/Wncry勒索软件感染情况，磁盘文件会被病毒加密为.onion后缀，只有支付高额赎金才能解密恢复文件，对重要数据造成严重损失。

根据网络安全机构通报，这是不法分子利用NSA黑客武器库泄漏的“永恒之蓝”发起的蠕虫病毒攻击事件。

恶意代码会扫描开放445文件共享端口的Windows机器，无需用户任何操作，只要开机上网，不法分子就能在电脑和服务器中植入勒索软件、远程控制木马、虚拟货币挖矿机等恶意程序。

由于以前国内多次爆发利用445端口传播的蠕虫，部分运营商在主干网络上封禁了445端口，但是教育网并没有此限制，仍然存在大量暴露445端口且存在漏洞的电脑，导致目前此蠕虫在教育网内大量传播，大概量级是每天5000个用户中招。

当前，尽快从网络中阻断不必要的“Windows文件共享协议（SMB）”和445端口通信，是最为有效的网络处置方案。

网康NF系列下一代防火墙可通过配置安全策略完成封堵，具体操作步骤如下：
1.登录设备WebUI，在“策略配置-对象配置-服务”中新建一个SMB协
议的服务对象，“协议”选择“TCP”，“目的端口”填写为“445”；
2.在“策略配置-安全策略”中新建一条策略，“服务”选择步骤1中新建
的服务对象，“动作”选择“阻断”，“源地址”、“源区域”、“用
户”、“目的地址”、“目的区域”、“应用”均保持默认留空即可；
3.完成策略新建。

明御®安全网关下一代防火墙用户手册杭州安恒信息技术股份有限公司二〇二二年四月目录1 部署方式FAQ (8)1.1. DAS-Gateway应部署在哪里？ (8)1.1 DAS-Gateway部署方式有哪些？ (8)1.2 什么是路由模式？ (9)1.3 路由模式使用在什么情况下？ (9)1.4 路由模式下无法访问外网？ (9)1.5 什么是透明模式？ (9)1.6 透明模式无效果？ (9)1.7 透明模式的工作原理？ (9)1.8 透明模式的实用性在哪里？ (9)1.9 什么是旁路模式？ (10)1.10 使用旁路模式的好处是什么？ (10)1.11 查看DAS-Gateway日志信息为空时怎么处理？ (10)1.12 部署DAS-Gateway有什么好处？ (10)1.13 为什么DAS-Gateway配置正确但是数据无法通过？ (10)2 设备管理FAQ (10)2.1 为什么管理员用户不能通过HTTP、SSH、或者Telnet登录设备，不显示web页面？ (10)2.2 为什么HTTPS无法打开防火墙的WEB页面？ (10)2.3 在“系统管理>管理员”，“添加管理员”页面中的"管理IP/掩码"的作用是什么？ (10)2.4 用户登录成功后，可在哪里修改密码？ (11)2.5 默认admin管理员帐户的密码如何重置？ (11)3 应用审计FAQ (11)3.1 如何查看当前的应用审计策略？ (11)3.2 应用审计可以做关键字过滤吗？ (11)3.3 为什么恶意URL白名单不生效？ (11)4 用户中心FAQ (11)4.1 当用户中心用户识别错误的时候，同时用户数已经达到了用户中心的规格数，如何操作？ (11)4.2 当用户很大时，特定用户的信息为何没有更新？ (11)4.3 为何用户流量统计有时会出现某应用类的应用未显示在饼图中？ (12)4.4 为何用户在线时长有时会比在线用户显示的时长少？ (12)4.5 为何用户中心在线时长有时会比在线用户显示的时长多？ (12)4.6 用户中心用户的排名是按照什么方式？ (12)4.7 为何用户的应用行为不能记录到时间？ (12)4.8 为何在无线环境下在用户中心看到的账号信息不正确？ (12)5 流控FAQ (13)5.1 带宽的上下行如何区分？ (13)5.2 配置最大带宽和保障带宽为何无法成功？ (13)5.3 流量控制通道有多个匹配条件时如何匹配？ (13)5.4 最大带宽和保障带宽分别有什么作用？ (13)5.5 配置了保障带宽但是在拥塞时流量无法达到其保障带宽？ (13)5.6 配置了多个流量控制通道，只有第一个通道有流量匹配？ (13)5.7 什么是流量排除策略？ (13)5.8 每IP限速和通道带宽限制的处理关系？ (13)5.9 如何限制P2P的流量？ (14)5.10 流量控制通道的高、中、低级别有何作用？ (14)5.11 子通道的保障带宽总和大于父通道保障带宽，如何分配保障带宽？ (14)5.12 线路整体带宽仍然有富裕，部分应用延时很大？ (14)5.13 如何调整流控通道的顺序？ (14)5.14 如何定位QoS策略是否被命中，命中哪条QoS策略？ (14)5.15 如何定位数据包是否被QoS策略丢弃？ (14)6 设备流量统计FAQ (14)6.1 设备流量统计的值为何比实际数据包的速率小？ (14)6.2 设备整机转发流量中上行、下行如何区分？ (14)6.3 设备流量统计为何与用户流量统计有所出入？ (15)6.4 设备异常掉电后，为何丢失了部分数据？ (15)6.5 更改系统时间对设备流量统计会产生哪些影响？ (15)6.6 接口状态页面，没有完全显示所有接口的状态信息？ (15)6.7 接口状态页面上有接收或发送速率的信息，但健康统计页面整机转发流量无数据？ (15)6.8 设备健康统计页面，整机转发流量只能看到上行或者下行的流量信息？ (15)6.9 接口状态页面的数据，多长时间更新一次？ (15)7 策略路由FAQ (16)7.1 什么是策略路由？ (16)7.2 同一条策略路由最多支持几个下一跳？同时配置多个下一跳的情况下，如何转发报文？ (16)7.3 策略路由转发流程图 (17)7.4 策略路由下一跳不可达的判断条件是什么？ (17)8 ISP路由FAQ (18)8.1 什么是ISP路由？ (18)8.2 ISP路由的工作环境是什么？ (18)8.3 ISP路由是怎样工作的？ (18)8.4 ISP路由如何进行流量负载均衡？ (18)9 IPsec VPN FAQ (18)9.1 如何查看当前IKE SA信息？ (18)9.2 如何查看当前IPsec sa信息？ (18)9.3 IPsec VPN中报文的默认加密方式是什么？ (19)9.4 一条VPN最多支持多少条隧道？ (19)9.5 为什么IPsec VPN第一阶段协商不成功？ (19)9.6 为什么IPsec VPN第二阶段协商不成功？ (19)9.7 为什么保护子网不能通讯？ (19)9.8 为什么某些移动终端接入VPN不成功？ (20)9.9 NAT环境下IPSEC协商不成功？ (20)9.10 IPSEC建起连接后，一端断开后，IPSEC无法协商？ (20)9.11 本端SA状态显示连接，流量无法转发？ (20)9.12 当设备存在多出口时，其它参数正确，IPSEC协商失败？ (20)9.13 IPSEC使用国密证书协商不成功？ (20)9.14 IPSEC快速配置与IPSEC VPN标准配置有什么区别？ (21)9.15 IPSEC快速配置一阶段和二阶段默认参数？ (21)9.16 IPSEC快速配置默认参数支持修改吗？ (21)9.17 IPSEC预共享密钥有字符限制么？ (22)10 IPv6 FAQ (22)10.1 配置IPv6有什么优点？ (22)10.2 什么是IPv6邻居发现协议？ (22)10.3 IPv6中的路由器请求报文作用（Router Solicitation）？ (22)10.4 IPv6中的路由器通告报文作用（Router Advertisement）？ (22)10.5 邻居请求（Neighbor Solicitation）报文作用？ (23)10.6 邻居通告（Neighbor Advertisement）报文作用？ (23)10.7 邻居发现协议的功能是什么？ (23)10.8 在配置IPv6静态路由之前，需完成以下任务？ (23)10.9 IPv6缺省路由的生成方式？ (23)10.10 在Tunnel接口上配置了相关的参数后（例如隧道的起点、终点地址和隧道模式）仍未处于up状态？ (24)10.11 6to4隧道是否需要配置目的地址？ (24)10.12 ISATAP隧道是否需要配置目的地址？ (24)10.13 从设备端执行什么配置去主动ping另一台设备的IPv6地址？ (24)10.14 什么是IPv6手动隧道？ (24)10.15 什么是6to4自动隧道？ (24)10.16 什么是ISATAP自动隧道？ (25)11 VRF FAQ (25)11.1 不同的VRF间如何相连？ (25)11.2 DAS-Gateway最多可以创建多少个VRF？ (25)11.3 VRF基本设计概念是什么？ (25)11.4 路由表隔离功能的逻辑？ (25)11.5 流表的隔离功能？ (25)11.6 VRF模块设计背景？ (26)12 动态路由FAQ (26)12.1 RIP支持v1和v2功能吗？ (26)12.2 RIP开启时默认是V1还是V2版本？ (26)12.3 OSPF是否支持pppoe接口？ (26)12.4 OSPF的Router ID如何配置，缺省是什么？ (26)12.5 OSPF没有路由，甚至邻居都不能形成Full关系，最常见的原因是什么？ (26)12.6 有什么好的办法知道OSPF出了什么问题？ (27)12.7 OSPF如何自动计算接口cost的？ (27)12.8 OSPF链路两端配置不同的网络类型，能否形成Full关系？ (27)12.9 OSPF路由聚合是否可以跨区域聚合？ (27)12.10 OSPF的Virtual-Link是否很有用处？ (28)12.11 OSPFv3在界面中是否有配置选项？ (28)12.12 OSPFv3邻居无法建立？ (28)12.13 OSPFv3路由信息不正确？ (28)12.14 当执行no router ospf6后，其它接口有关ospfv3配置是否自动删除？ (28)13 HA FAQ (28)13.1 配置HA的优点？ (28)13.2 HA的工作模式 (29)13.3 什么是HA的主备模式？ (29)13.4 什么是HA的主主模式？ (29)13.5 HA工作状态 (29)13.6 HA接口概念 (29)13.7 抢占模式 (30)13.8 抢占延时定时器 (30)13.9 心跳报文 (30)13.10 HA管理地址 (30)13.11 HA状态同步 (30)13.12 HA主备状态切换 (30)13.13 HA主主状态切换 (31)13.14 HA主主邻居为什么建立不起来 (31)13.15 HA主主地址代理 (31)13.16 HA主主非对称路由 (31)14 Bypass FAQ (31)14.1 每台设备最多有多少组Bypass接口？ (31)14.2 Bypass接口使用在哪种网络场景中？ (31)14.3 Bypass功能默认开启吗？ (31)14.4 进程异常时是否会触发Bypass？ (32)14.5 系统运行过程断电是否会触发Bypass？ (32)14.6 系统启动过程中是否会持续Bypass状态？ (32)14.7 从系统正常到掉电进入Bypass状态时，会丢几个ICMP报文？ (32)15 APP缓存FAQ (32)15.1 本地文件如果不存在怎么办？ (32)15.2 App缓存文件存储在哪里？ (32)15.3 为什么重启后app缓存计数不正确？ (32)15.4 APP缓存能缓存哪些文化类型？ (32)15.5 URL链接为什么无法提交？ (32)15.6 CLI下上传的文件能大于剩余缓存空间？ (32)16 会话限制FAQ (33)16.1 会话限制基于什么原则来进行限制？ (33)16.2 配置两条会话限制，引用的地址对象分别都包含了某个IP地址，但是会话限制的配置不同，那么该以哪一个为标准？ (33)16.3 会话限制是否可以只限制会话总数，而不限制新建会话速度？ (33)16.4 同一个地址对象是否可以配置多个会话限制？ (34)16.5 在配置会话限制之前，地址对象的会话总数已经超过了该会话限制的会话总数，那么配置该条会话限制后是否会将会话数保持在限制的数目下？ (34)17 DNS代理FAQ (34)18 攻击防护FAQ (35)18.1 扫描攻击防御中的黑名单作用是什么？ (35)19 统计集FAQ (35)19.1 统计集统计最近1小时、最近1天、最近1周数据统计的刷新间隔是多少？ (35)19.2 统计集应用流量统计中所显示的流速计算？ (35)19.3 统计集用户统计中用户的类型？ (36)19.4 统计集统计用户及应用的规格？ (36)19.5 统计集中总流量是如何计算的？ (36)19.6 统计集中刷新按钮的作用？ (36)19.7 上行流量和下行流量如何区分？ (36)19.8 统计集数据是否支持HA？ (36)19.9 统计集数据保存重启后是否会丢失？导出再导入是否会丢失？ (36)19.10 饼图默认显示Top多少？其它应用是什么？ (36)19.11 统计集中是否会统计出到本地流量？ (36)19.12 当统计集显示页面放大或缩小时，饼图显示变化？ (36)19.13 统计集是否支持旁路模式？ (37)19.14 统计集中应用统计与用户统计查看区别？ (37)20 地址探测FAQ (37)20.1 如何配置track？ (37)20.2 为什么ping类型的track状态不稳定？ (37)20.3 为什么tcp类型的探测不成功？ (37)20.4 为什么dns类型探测失败？ (37)20.5 DAS-Gateway配置HA并且关联track，主墙无法切换？ (37)20.6 HA联动备墙无法跨网段探测？ (37)20.7 WEB页面导入csv格式用户和用户组无法同步？ (38)21 策略优化FAQ (38)21.1 七元组策略按照什么顺序进行匹配？ (38)21.2 单条七元组审计策略中的应用审计规则、URL审计规则按照什么顺序进行匹配？ (38)21.3 添加或修改七元组策略会有什么影响？ (38)22 第三方用户存储认证 (38)（1）首先查看ipv4策略是否将此数据包拒绝； (38)（2）查看DAS-Gateway设备路由是否正确； (38)（3）查看用户策略的目的IP是否将服务器的IP地址排除在外。

安全策略配置指导声明该配置指导只针对中小企业的在网络出口部署下一代防火墙的应用场景。

由于中小企业网络管理者安全意识不强、网络应用环境也不是特别复杂，所以本文档输出针对大多数企业有共性的基本安全策略配置建议。

细致完整的安全策略配置要根据客户实际情况具体分析。

以下安全策略配置是基于设备上线后，内外网已经能够正常访问的情况下，开启对内网的最基本的安全防护策略。

1. 网络部署在企业内网与互联网边界部署下一代防火墙的建议拓扑结构如下： 网关模式：部署在核心交换机前面，和运营商链路直接连接。

NGFW办公区1办公区N核心交换机透明模式：部署在核心交换机和路由器之间NGFW办公区1办公区N核心交换机2. 区域防护文件配置区域防护文件配置主要体现传统防火墙的安全防护功能。

只配置文件并不会生效，需要在区域配置时关联该区域防护文件才会生效。

配置步骤：【网络配置】【接口与区域】【区域防护配置文件】新建，【flood 防护】选择“SYN”、“ICMP”、“UDP”、“DNS”。

【端口扫描】选择“TCP”、“UDP”、“ICMP”。

【基于数据包的攻击防护】选择“Ping of Death”、“Tear Drop”、“IP Option”、“TCP Anomaly”、“Land Attack”、“Smurf”。

【ARP攻击防护】选择“ARP反向查询”、“每MAC的IP数限制”3.区域划分为了更有效的进行安全防护，对于不同安全等级的网络划分在不同的安全区域内。

安全域：NGFW连接内网用户的接口配置步骤：【网络配置】【接口与区域】【区域】新建，添加内网网口Eth1，选择安全域防护。

非安全域：NGFW连接外网的接口配置步骤：【网络配置】【接口与区域】【区域】新建，添加外网网口eth0.4.安全策略配置1）内网到外网的安全策略配置步骤：【策略配置】【策略配置】【安全策略】新建策略，源区域选择安全域，目的区域选择非安全域，动作选择允许，勾选记录流量日志，防漏洞配置选择default（保护客户端），网址过滤选择default，其他动作根据具体需求情况再配置。

中国人民银行金融信息中心下一代防火墙设备网上竞价需求1.采购需求品牌：网康型号数量见下表名称项目型号和描述数量单位下一代防火墙NGFW-JR3000 防火墙设备（含350W交流电源模块） 2 个PSU-R-AC-350 350W冗余交流电源模块 2 个ETH-GE-COP-4 4电口千兆网卡 2 个ETH-GE-OPT-4 4光口千兆网卡 2 个SFP-GE-MM 多模千兆光模块8 个采购的下一代防火墙设备应具备抗拒绝服务攻击功能、入侵防御功能、带宽管理功能及链路负载均衡功能，并实际配置支持上述功能三年（或三年以上）的授权与升级许可。

2.服务及资质要求2.1. 资质要求供应商必须具有本招标产品的代理资质，并提供原厂商的书面证明材料。

供应商须提供原厂商针对本次采购货物的维保承诺书。

2.2. 产品质量保证要求提供的所有产品必须为网康的原厂设备，包装未开封，而且设备（包括零部件）应是交付前六个月内生产且未被使用过的全新合格设备，并且是非长期积压的库存商品，同时必须在中国境内具有合法使用权，并明确用户为人民银行。

应提供原厂全套安装配件。

2.3. 到货要求在合同签订后，30个日历日内按用户要求在指定地点交货，并提前15个日历日将到货时间告知采购人。

供应商应提供货物送达合同规定的项目现场所需要的原厂包装，以防货物在运输中损坏，并提供原厂包装证明。

供应商应以醒目的中文印刷字体在各包装箱上标明通用规范的运输标记或标志，如项目名称、货物名称与合同号、以及采购人、双方名称等相关信息。

供应商负责办理货物的运输及运输保险事宜、支付交货前发生的包装费、运费、保险费、商检费、搬运费等费用。

供应商应随同货物交货的同时向用户提交标明货物内容的明细单一以及合同要求的相关文件，包括但不限于合同货物、装箱单、质量合格证书（由生产厂商签发）、产品使用说明书及其它应当随箱的技术资料等。

2.4. 货物验收要求货物运抵本合同确定的交货地点后，由用户和供应商根据合同的规定及供应商提交的发货证明对全部设备的型号、规格、数量、外型、包装及资料进行开箱检查验收，开箱时必须有供应商派出的代表在场。

深信服全网安全监测解决方案模板1.应用背景在当前互联网的浪潮下，日益成熟的网络基础建设和互联网丰富的资源大大提高了人类的生产力和生产效率，各组织业务得以持续、快速、高效的发展。

然而无处不在的网络带给人类发展便利的同时，也随之带来了诸多的网络安全风险。

互联网出口承载着内部所有用户的上网需求，首当其冲承受着最直接的安全威胁，因此在该区域部署相匹配的安全防护手段必不可少。

2.需求分析2.1.基础需求2.1.1.用户访问无控制，安全不可控在广域网环境下分支机构的各类用户对互联网或数据数据中心经常仅具有一部分的访问权限，而在实际网络中因仅仅解决了基础网络的使用，导致很多用户可以对互联网或数据中心随意进行访问。

最终使得各分支与总部没有实现有效的边界访问控制，无法对用户的访问行为进行有效的管理与审计。

2.1.2.无用数据占用带宽，影响业务运行在用户访问互联网或数据中心时，经常会产生大量的非关键业务流量或垃圾流量占用有限的宽带资源。

这样的情况严重了影响关键业务的正常运行，那么我们应该如何保证数据流在广域网中按业务的重要程度进行不同优先级的调度？2.2.安全需求2.2.1.网络欺诈泛滥，员工遭受损失互联网发展越来越快，人们对互联网的依赖性越来越强，网上购物、数据存储、信息查询等等业务应用不断向互联网端迁移，这也使得了攻击者可以通过互联网获取想要的一切。

而随着越累越多的黑客察觉到了其中的利益后，各种钓鱼网站、网络欺诈便开始变得层出不穷。

网络欺诈的泛滥直接导致了各类用户的经济损失、数据泄露，而各分支机构往往安全防护薄弱、员工安全意识低，最终致使网络欺诈行为屡获成功。

2.2.2.僵木蠕隐蔽性强，终端大量失陷大量的网络攻击往往都是通过僵木蠕的传播来实现的，而对于分支机构的终端来说从互联网端下载的参考资料、办公软件等数据便是主要的威胁来源。

为了更易感染终端，僵木蠕等恶意流量往往与参考资料、办公软件等进行捆绑，诱导用户下载执行从而感染终端实现后续目的，而分支机构边界的薄弱也就促成了恶意流量在整个广域网中肆意泛滥。

安全解决方案北京网康科技有限公司目录1安全风险分析 ...................... 错误!未定义书签。

1.1 来自公网的安全风险分析......... 错误!未定义书签。

1.2 来自内部人员及分部的安全威胁 ... 错误!未定义书签。

2安全方案设计 ...................... 错误!未定义书签。

2.1 方案概述....................... 错误!未定义书签。

2.2 总体设计....................... 错误!未定义书签。

2.3 详细设计....................... 错误!未定义书签。

2.3.1 外部安全防护 ................ 错误!未定义书签。

2.3.2 内部安全防护 ................ 错误!未定义书签。

3网康方案价值与产品优势 ............ 错误!未定义书签。

3.1 易用性......................... 错误!未定义书签。

3.2 健壮性......................... 错误!未定义书签。

3.3 产品优势....................... 错误!未定义书签。

1安全风险分析1.1来自公网的安全风险分析由于内部网络中其办公系统及各人主机上都有涉密信息。

假如内部网络的一台机器安全受损（被攻击或者被病毒感染），就会同时影响在同一网络上的许多其他系统。

透过网络传播，还会影响到与本系统网络有连接的外单位网络。

如果系统内部局域网络与系统外部网络间没有采取一定的安全防护措施，内部网络容易造到来自外网一些不怀好意的入侵者的攻击。

如：●入侵者通过漏洞扫描、Sniffer嗅探等工具来探测扫描网络及操作系统存在的安全漏洞，如网络IP地址、应用操作系统类型、开放哪些服务端口号、系统保存用户名和口令等安全信息的关键文件等，并通过相应攻击程序对内网进行攻击；●入侵者通过网络监听等先进手段获得内部网用户的用户名、口令等信息，进而假冒内部合法身份进行非法登录，窃取内部网重要信息；●恶意攻击:入侵者通过发送大量PING包对内部网重要服务器进行攻击，使得服务器超负荷工作以至拒绝服务甚至系统瘫痪；●发送大量包含恶意代码或病毒程序的邮件。

网域ACF下一代防火墙产品白皮书Version 2.0深圳市网域科技有限公司www.n 2015年11月目录1 概述 (3)2 产品简介 (4)3 互联网给网络管理带来的挑战 (5)3.1应用网络时代，网络面临的问题 (5)4 产品优势技术 (7)4.1精细的应用层安全防护 (7)4.2WEB应用的安全防护 (7)4.3应用层带宽管理 (8)4.4IPS漏洞防护 (8)4.5网络病毒防护 (8)4.6线速的状态检测防火墙 (8)5 主要功能 (9)5.1识别与控制 (9)5.1.1用户身份识别 (9)5.1.2日志记录和统计报表 (9)5.2应用层防护 (9)5.2.1入侵防护 (9)5.2.2URL过滤 (10)5.2.3防病毒 (10)5.2.4内容过滤 (10)6 产品部署方式 (11)6.1旁路模式 (11)6.2网桥模式 (11)6.3路由模式 (11)1概述尽管国际著名IT咨询机构Gartner在对网域ACF下一代防火墙进行了定义，但随着云计算、Web2.0、移动互联网、物联网等新兴应用技术一起被广泛使用，我国的网络安全形势变得日益严峻，Gartner在2009年白皮书中对定义NGFW的定义已无法覆盖细节技术需求时的认知已经明显不足，定义的网域ACF下一代防火墙产品在国内的网络环境下并不能产生很好的防护效果。

我司深入解读公安部推出的GA/T1177-2014《信息安全技术第二代防火墙安全技术要求》的网域ACF 下一代防火墙标准，在赞同Gartner给出网域ACF下一代防火墙的定义与观点的基础上，又针对应用和用户识别、应用安全控制、内容安全防护、性能处理能力四个方面对网域ACF下一代防火墙进行改进与优化。

据Verizon 发布的《2014 年数据泄漏调查报告》显示，企业需要花费数月或更长时间才能发现66% 的安全违规事件。

对于受经济利益驱使的攻击，客户、合作伙伴、执法部门或其他外部机构发现了其中的91%。

Data SheetCisco Firepower Next-Generation Firewall (NGFW) Prevent breaches, get deep visibility to detect and stop threats fast, and automate your network and security operations to save time and work smarter.Model OverviewCisco Firepower 2100 SeriesThe industry’s first midrange NGFWs delivering sustainable performance when threat inspection is enabledCisco Firepower 4100 Series:The industry’s first 1RU NGFWs with 40-GbpsinterfacesCisco Firepower 9300:Ultra-high-performance NGFW, expandable as yourneeds growCisco ASA 5500-X Series:Models for branch offices, industrial applications, and the Internet edgeFirepower NGFWv:The NGFW for virtual and cloud environmentsPlatform Image SupportThe Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional Next-Gen IPS (NGIPS), Cisco® Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image. Alternatively, Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances can support the Cisco Adaptive Security Appliance (ASA) software image.Management OptionsCisco Firepower NGFWs may be managed in a variety of ways depending on the way you work, your environment, and your needs.The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco Firepower NGFW, the Cisco Firepower NGIPS, and Cisco AMP for Networks. It also provides threat correlation for network sensors and Advanced Malware Protection (AMP) for Endpoints.The Cisco Firepower Device Manager is available for local management of 2100 Series and select 5500-X Series devices running the Cisco Firepower Threat Defense software image.The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 2100 Series, 4100 Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across Cisco security devices running the ASA software image, enabling greater management efficiency for the distributed enterprise.Firepower DDoS MitigationAlso available on the Cisco Firepower 4100 Series and 9300 appliances is tightly integrated, comprehensive, behavioral DDoS mitigation for both network and application infrastructure protection. This DDoS mitigation is Radware’s Virtual DefensePro (vDP). It is available from and supported directly by Cisco.Cisco Firepower 2100 Series AppliancesThe Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that optimizes firewall, crypto graphic, and threat inspection functions simultaneously. The series’ firewall throughput range addresses use cases from the Internet edge to the data center. Network Equipment Building Standards (NEBS)- compliance is supported by the Cisco Firepower 2100 Series platform.Cisco Firepower 4100 Series AppliancesThe Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput range addresses data center and internet edge use cases. They deliver superior threat defense, at faster speeds, with a smaller footprint. Cisco Firepower 4100 Series supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. Network Equipment Building Standards (NEBS)-compliance is supported by the Cisco Firepower 4120 platform.Cisco Firepower 9300 Security ApplianceThe Cisco Firepower 9300 is a scalable (beyond 1 Tbps when clustered), carrier-grade, modular platform designed for service providers, high-performance computing centers, large data centers, campuses, high-frequency trading environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional throughput. Cisco Firepower 9300 supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. It is also available in Network Equipment Building Standards (NEBS)-compliant configurations.Cisco ASA 5500-FTD-X Series AppliancesThe Cisco ASA 5500-FTD-X Series is a family of eight threat-focused NGFW security platforms. Their throughput range addresses use cases from the small or branch office to the Internet edge. They deliver superior threat defense in a cost-effective footprint.Cisco Firepower NGFW Virtual (NGFWv) AppliancesCisco Firepower NGFWv is available on VMware, KVM, and the Amazon Web Services (AWS) and Microsoft Azure environments for virtual, public, private, and hybrid cloud environments. Organizations employing SDN can rapidly provision and orchestrate flexible network protection with Firepower NGFWv. As well, organizations using NFV can further lower costs utilizing Firepower NGFWv.Performance Testing MethodologiesCisco uses a variety of testing methodologies in a lab environment to ensure the performance specifications we report are as close to real world as possible. Firewall performance is affected by many factors including network environment, packet sizes, packet type, TLS encryption, and more.Two modes of firewall testing exist: static or real world. Static testing leverages performance and security testing tools in a simulated environment. Real-world testing uses samples of live traffic on a production or side-car network. While static testing does not completely mimic performance in a real-world networking environment, we review and modify the static methodology to ensure the results are as close to real-world as possible.The following are test methodologies used for measurements listed in Table 1. Change in performance vs change in packet size is not linear, so extrapolation from a single test is not possible for the almost unlimited variety of network environments. Testing security efficacy or security service performance under loaded conditions adds even more complexity. For these reasons we rely on the 1024B HTTP Test.1024B HTTP Test (256KB Object)This number is to compare with other vendors at a 256KB object size. It uses a larger and commonly tested packet size for every simulated session. With the protocol overhead, the average frame size is around 1024 bytes. This represents typical production conditions for most firewall deployments.1500B UDP vs 64B UDPThis test uses a transactional UDP profile with either 1500B or 64B frames. Due to the stateless nature of UDP, it creates very little impact on a stateful NGFW. Many vendors use this profile to measure maximum firewall performance, however it is only practical as a comparison point. This test does not represent real-world conditions, therefore Cisco only uses it as a legacy metric for ASA performance. For NGFW products, various UDP packet size should only be used to test latency and not overall performance.Performance Specifications and Feature HighlightsTable 1 summarizes the capabilities of the Cisco Firepower NGFWv, Firepower 2100 Series, and 4100 Series and 9300 appliances as well as the Cisco ASA 5500-FTD-X appliances when running the Cisco Firepower Threat Defense image. All numbers are derived with two-way traffic evaluation to replicate the best security posture.Table 1. Cisco Firepower Threat Defense (FTD) Performance Specifications and Feature Highlights for Physical and Virtual AppliancesNote: Throughput assumes HTTP sessions.Performance will vary depending on features activated, and network traffic protocol mix, packet size characteristics and hypervisor employed (NGFWv). Performance is subject to change with new software releases. Consult your Cisco representative for detailed sizing guidance.Table 2 summarizes the performance and capabilities of the Cisco Firepower 2100, 4100 Series and 9300 appliances when running the ASA image. For Cisco ASA 5500-X Series performance specifications with the ASA image, please visit the Cisco ASA with FirePOWER Services data sheet.Table 2. ASA Performance and Capabilities on Firepower Appliances211021202130214041104120414041509300 9300 9300 9300Newconnections per second 18000 28000 40000 75000 150,000 250,000 350,000 800,000 800,0001.2 million 1.8 million 4 millionIPsec VPN throughput (450B UDP L2L test) 500 Mbps 700 Mbps 1 Gbps 2 Gbps 8 Gbps 10 Gbps 14 Gbps 15 Gbps 15 Gbps 18 Gbps 20 Gbps60 Gbps 3/ 40 GbpsIPsec/Cisco AnyConnect/Apex site-to-site VPN peers 1500 3500 7500 10000 10,000 15,000 20,000 20,000 20,000 20,000 20,000 60,0003/ 20,000Maximum number of VLANs 400 600 750 1024 1024 1024 1024 1024 1024 1024 1024 1024Security contexts (included; maximum) 2; 25 2; 25 2; 30 2; 40 10; 250 10; 250 10; 250 10; 250 10; 250 10; 250 10; 250 10; 250HighavailabilityActive/acti ve and active/sta ndby Active/acti ve and active/sta ndby Active/acti ve and active/sta ndbyActive/a ctive and active/st andby Active/acti ve and active/stan dby Active/acti ve and active/stan dby Active/acti ve and active/stan dby Active/acti ve and active/stan dby Active/acti ve and active/sta ndby Active/acti ve and active/sta ndby Active/acti ve and active/sta ndby Active/acti ve and active/sta ndbyClustering - - --Up to 16 appliances Up to 16 appliances Up to 16 appliances Up to 16 appliances Up to 5 appliances with 3 security modules each Up to 5 appliance s with three security modules each Up to 5 appliance s with three security modules eachUp to 5 appliance s with 3 security modules eachScalability VPN Load BalancingVPN Load Balancing, Firewall ClusteringCentralized management Centralized configuration, logging, monitoring, and reporting are performed by Cisco Security Manager or alternatively in the cloud with Cisco Defense Orchestrator Adaptive Security Device ManagerWeb-based, local management for small-scale deployments1 Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under ideal test conditions.2“Multiprotocol” refers to a traffic profile consisting primarily of TCP -based protocols and applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS. 3In unclustered configuration.Table 3.Operating Requirements for Firepower NGFWv Virtual AppliancesHardware SpecificationsTables 4, 5, and 6 summarize the hardware specifications for the 2100 Series, 4100 Series, and 9300 Series, respectively. Table 7 summarizes regulatory standards compliance. For Cisco ASA 5500-X Series hardware specifications, please visit the Cisco ASA with FirePOWER Services data sheet.Table 4. Cisco Firepower 2100 Series Hardware Specifications1 Dual power supplies are hot-swappable.2 Fans operate in a 3+1 redundant configuration where the system will continue to function with only3 operational fans. The 3 remaining fans will run at full speed.3 FPR-2130 platform is designed to be NEBS ready. The availability of NEBS certification is pending.Table 5. Cisco Firepower 4100 Series Hardware Specifications1 Dual power supplies are hot-swappable.Table 6. Cisco Firepower 9300 Hardware Specifications* Minimum turn-on voltage is -44V DCTable 7. Cisco Firepower 2100 Series, 4100 Series and Cisco Firepower 9300 NEBS, Regulatory, Safety, and EMC ComplianceCisco Trust Anchor TechnologiesCisco Trust Anchor Technologies provide a highly secure foundation for certain Cisco products. They enable hardware and software authenticity assurance for supply chain trust and strong mitigation against a man-in-the-middle compromise of software and firmware.Trust Anchor capabilities include:●Image signing: Cryptographically signed images provide assurance that the firmware, BIOS, and othersoftware are authentic and unmodified. As the system boots, the system’s software signatures are checked for integrity.●Secure Boot: Secure Boot anchors the boot sequence chain of trust to immutable hardware, mitigatingthreats against a system’s foundational state and the software that is to be loaded, regardless of a user’s privilege level. It provides layered protection against the persistence of illicitly modified firmware.●Trust Anchor module: A tamper-resistant, strong-cryptographic, single-chip solution provides hardwareauthenticity assurance to uniquely identify the product so that its origin can be confirmed to Cisco, providing assurance that the product is genuine.Firepower DDoS MitigationFirepower DDoS Mitigation is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco on the following Cisco Firepower 9300 and 4100 series appliances:Radware vDP is an award-winning, real-time, behavioral DDoS attack mitigation solution that protects organizations against multiple DDoS threats. Firepower DDoS mitigation defends your application infrastructure against network and application degradation and outage.DDoS Mitigation: Protection SetFirepower’s vDP DDoS mitigation consists of patent-protected, adaptive, behavioral-based real-time signature technology that detects and mitigates zero-day network and application DDoS attacks in real time. It eliminates the need for human intervention and does not block legitimate user traffic when under attack.The following attacks are detected and mitigated:●SYN flood attacks●Network DDoS attacks, including IP floods, ICMP floods, TCP floods, UDP floods, and IGMP floods●Application DDoS attacks, including HTTP floods and DNS query floods●Anomalous flood attacks, such as nonstandard and malformed packet attacksPerformanceThe performance figures in Table 8 apply to all Cisco Firepower 4100 series models.Table 8. Key DDoS Performance Metrics for Cisco Firepower 4100 SeriesThe performance figures in Table 9 are for Cisco Firepower 9300 with 1 to 3 Security Modules irrespective of Security Module type (SM-24, SM-36 or SM-44).Table 9. Key DDoS Performance Metrics for Cisco Firepower 9300 with 1, 2, or 3 Security Modules.Ordering InformationCisco Smart LicensingThe Cisco Firepower NGFW is sold with Cisco Smart Licensing. Cisco understands that purchasing, deploying, managing, and tracking software licenses is complex. As a result, we are introducing Cisco Smart Software Licensing, a standardized licensing platform that helps customers understand how Cisco software is used across their network, thereby reducing administrative overhead and operating expenses.With Smart Licensing, you have a complete view of software, licenses, and devices from one portal. Licenses are easily registered and activated and can be shifted between like hardware platforms. Additional information is available here: https:///web/ordering/smart-software-licensing/index.html. Related information, on Smart Licensing Smart Accounts, is available here: https:///web/ordering/smart-software-manager/smart-accounts.html.Cisco Smart Net Total Care Support: Move Quickly with Anytime Access to Cisco Expertise and ResourcesCisco Smart Net Total Care™ is an award-winning technical support service that gives your IT staff direct anytime access to Technical Assistance Center (TAC) engineers and resources. You receive the fast, expert response and the dedicated accountability you require to resolve critical network issues.Smart Net Total Care provides the following device-level support:●Global access 24 hours a day, 365 days a year to specialized engineers in the Cisco TAC●Anytime access to the extensive online knowledge base, resources, and tools●Hardware replacement options include 2-hour, 4-hour, Next-Business-Day (NDB) advance replacement, aswell as Return For Repair (RFR)●Ongoing operating system software updates, including both minor and major releases within your licensedfeature set●Proactive diagnostics and real-time alerts on select devices with Smart Call HomeIn addition, with the optional Cisco Smart Net Total Care Onsite Service, a field engineer installs replacement parts at your location and helps ensure that your network operates optimally. For more information on Smart Net Total Care please visit: https:///c/en/us/services/portfolio/product-technical-support/smart-net-total-care.html.Select Part NumbersTables 10, 11, and 12 provide details on part numbers for Cisco Firepower NGFW solutions. Please consult the Ordering Guide for additional configuration options and accessories.Table 10. Cisco Firepower 2100 Series: Select Product ComponentsTable 11. Cisco Firepower 4100 Series: Select Product ComponentsTable 12. Cisco Firepower 9300: Select Product Components*Note: Firepower 9300 may also be deployed as a dedicated threat sensor, with fail-to-wire network modules. Please contact your Cisco representative for details.Table 13. Cisco Firepower NGFW VirtualNote: These optional security services licenses can be ordered with 1-, 3-, or 5-year subscriptions.Warranty InformationFind warranty information on at the Product Warranties page.Cisco ServicesCisco offers a wide range of service programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco Services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services for security, visit https:///go/services/security.Cisco CapitalFlexible payment solutions to help you achieve your objectivesCisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.More Information for Service ProvidersFor information about Cisco Firepower in service provider environments, please visit:●https:///c/en/us/solutions/enterprise-networks/service-provider-security-solutions/More Information about Firepower NGFWsFor further information about Cisco Firepower NGFWs, please visit:●https:///go/ngfwMore Information about Cisco Anyconnect●Cisco AnyConnect Secure Mobility Clienthttps:///go/anyconnect●Cisco AnyConnect Ordering Guidehttps:///c/dam/en/us/products/security/anyconnect-og.pdf。

网康NF-1000-40F
网康NF-1000-40F下一代防火墙（NGFW）是一款可以全面应对应用层威胁的高性能防火墙。

通过深入洞察网络流量中的用户、应用和内容，并借助全新的高性能单路径异构并行处理引擎，NGFW能够为用户提供有效的应用层一体化安全防护，帮助用户安全地开
展业务并简化用户的网络安全架构。

主要功能：基本防火墙功能、应用洞察与控制、应用层一体化集成防护、主动防御技术、数据防泄漏。

参数
主要参数
适用范围中型企业并发连接数800000
VPN支持支持网络吞吐量(Mpps)IPS吞吐量：160Mbps，应用吞吐量：400Mbps，IPSec吞吐量：200Mbps
基本参数（VPN支持）
防火墙类型下一代防火墙适用范围中型企业
并发连接数范围50万-100万并发连接数800000
网络端口可支持板载6个GE网络吞吐量(Mpps) IPS吞吐量：160Mbps，。

Hillstone T-Series Intelligent Next-Generation FirewallT3860 / T5060 / T5860According to the latest research 66 percent of security breaches go undetected for 7-8 months. And, more than 85 percent of breaches originate from the web with drive-by downloads being the top web threat. This implies two things: First, a user does not have to click on anything to become infected with malware; and second, all organizations have infected hosts inside their network.Hillstone ,s T-Series intelligent Next-Generation Firewall (iNGFW) is an application-aware firewall that continuously monitors the network. It can identify attacks on all operating systems, applications, devices and browsers. It provides visibility into every stage of an attack and it can detect security breaches within minutes/seconds. It prioritizes hosts with the greatest security risks and provides contextual information about the threat. Security administrators can drill-down into the attack, including packet captures, to analyze all threat details.Hillstone ,s T-Series is designed for mid to large sized enterprises that need advanced levels of security, enhanced visibility, and continuous network uptime.TM- Outbound link load balancing includes policy based routing, ECMPand weighted, embedded ISP routing and dynamic detection- Inbound link load balancing supports SmartDNS and dynamicdetection- Automatic link switching based on bandwidth and latency- Link health inspection with ARP, PING, and DNSVPN• IPSec VPN:- IPSEC Phase 1 mode: aggressive and main ID protection mode- Peer acceptance options: any ID, specific ID, ID in dialup user group - Supports IKEv1 and IKEv2 (RFC 4306)- Authentication method: certificate and pre-shared key- IKE mode configuration support (as server or client)- DHCP over IPSEC- Configurable IKE encryption key expiry, NAT traversal keep alivefrequency- Phase 1/Phase 2 Proposal encryption: DES, 3DES, AES128, AES192,AES256- Phase 1/Phase 2 Proposal authentication: MD5, SHA1, SHA256,SHA384, SHA512- Phase 1/Phase 2 Diffie-Hellman support: 1,2,5- XAuth as server mode and for dialup users- Dead peer detection- Replay detection- Autokey keep-alive for Phase 2 SA• IPSEC VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)• IPSEC VPN configuration options: route-based or policy based• IPSEC VPN deployment modes: gateway-to-gateway, full mesh,hub-and-spoke, redundant tunnel, VPN termination in transparent mode• One time login prevents concurrent logins with the same username • SSL portal concurrent users limiting• SSL VPN port forwarding module encrypts client data and sends the data to the application server• SSL VPN tunnel mode supports clients that run iOS, Android, and Windows XP/Vista including 64-bit Windows OS’• Host integrity checking and OS checking prior to SSL tunnel connections • MAC host check per portal• Cache cleaning option prior to ending SSL VPN session• L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC• View and manage IPSEC and SSL VPN connectionsUser and Device Identity• Local user database• Remote user authentication: LDAP, Radius, Active Directory• Single-sign-on: Windows AD• 2-factor authentication: 3rd party support, integrated token server with physical and SMS• User and device-based policiesIPS• 7,000+ signatures, protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia• IPS Actions: default, monitor, block, reset (attackers IP or victim IP, incoming interface) with expiry time• Packet logging option• Filter Based Selection: severity, target, OS, application or protocol• IP exemption from specific IPS signatures• IDS sniffer mode• IPv4 and IPv6 rate based DOS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep,TCP/UDP/SCIP/ICMP session flooding (source/destination)• Active bypass with bypass interfaces• Provides predefined template of defense configuration• Predefined prevention configurationThreat Protection• Breach Detection- Near real-time breach detection (seconds/minutes)- Detailed description and severity of malware closely resembling attack - Pcap files and log files provide corroborating evidence- Confidence level provides certainty of attack• Network Behavior Analysis- L3-L7 baseline traffic compared to real-time traffic to revealanomalous network behavior- Built-in mitigations technologies include: session limits, bandwidthlimits and blocking- Graphical depiction of anomalous behavior compared to baseline and upper and lower thresholds• Network Risk Index quantifies the threat level of the network based on the aggregate host index.• Host Risk Index quantifies the host threat level based on attack severity, detection method, and confidence level.• Over 1.3 million AV signatures• Botnet server IP blocking with global IP reputation database• Flow-based Antivirus: protocols include HTTP, SMTP, POP3, IMAP,FTP/SFTP• Flow-based web filtering inspection• Manually defined web filtering based on URL, web content and MIME header• Dynamic web filtering with cloud-based real-time categorization database: over 140 million URLs with 64 categories (8 of which are security related)• Additional web filtering features:- Filter Java Applet, ActiveX or cookie- Block HTTP Post- Log search keywords- Exempt scanning encrypted connections on certain categories forprivacy• Web filtering profile override: allows administrator to temporarily assign different profiles to user/group/IP• Web filter local categories and category rating override• Proxy avoidance prevention: proxy site category blocking, rate URLs by domain and IP address, block redirects from cache & translation sites, proxy avoidance application blocking, proxy behavior blocking (IPS)• Inspect SSL encrypted traffic.Application Control• Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk• Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference• Actions: block, reset session, monitor, traffic shapingHigh Availability• Redundant heartbeat interfaces• Active/Passive• Standalone session synchronization• HA reserved management interface• Failover:- Port, local & remote link monitoring- Stateful failover- Sub-second failover- Failure notification• Deployment Options:- HA with link aggregation- Full mesh HA- Geographically dispersed HAAdministration• Management access: HTTP/HTTPS, SSH, telnet, console• Central Management: Hillstone Security Manager (HSM), web service APIs• System Integration: SNMP, syslog, alliance partnerships• Rapid deployment: USB auto-install, local and remote script execution • Dynamic real-time dashboard status and drill-in monitoring widgets • Language support: EnglishLogs & Reporting• Logging facilities: local memory and storage (if available), multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms • Encrypted logging and log integrity with HSA scheduled batch log uploading• Reliable logging using TCP option (RFC 3195)• Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets• Comprehensive event logs: system and administrative activity audits, routing & networking, VPN, user authentications, WiFi related events • IP and service port name resolution option• Brief traffic log format optionProduct Specification4GE Bypass Extension ModuleIOC-4XFP8SFP+ Extension Module4SFP+ Extension Module4 x SFP+, SFP+ module not included(1)IPS Throughput data is obtained under 1M-byte-payload HTTP traffic with test of 32K-byte scanning.(2) AV Throughput data is obtained under 1M-byte-payload HTTP traffic with file attachment.(3) IPSec Throughput data is obtained under Preshare Key AES256+SHA-1 configuration and 1400-byte packet size packet .Unless specified otherwise, all performance, capacity and functionality are based on StoneOS 5.5R1. Results may vary based on StoneOS® version and deployment.。