华为防火墙产品技术

华为防火墙的使用手册第一章：产品概述1.1 产品介绍本手册是为了帮助用户更好地使用华为防火墙（以下简称“防火墙”）而编写的。

防火墙是一种能够有效防范网络攻击和保护网络安全的设备，具有强大的安全防护功能和丰富的网络管理功能。

1.2 产品特点防火墙具有以下主要特点：- 能够进行安全审计和监控网络流量，实时检测和阻断潜在的威胁；- 具有灵活的策略配置和管理功能，可以根据实际需求进行定制化设置；- 支持多种安全协议和加密算法，确保网络数据的安全传输；- 具备高性能处理能力和可靠的硬件设施，能够满足大规模企业网络的安全需求。

第二章：硬件配置与安装2.1 硬件配置在使用防火墙之前，首先需要了解防火墙的硬件配置参数。

包括防火墙型号、CPU、内存、接口类型和数量等信息。

用户可以根据网络规模和安全需求选择适合的防火墙型号。

2.2 安装用户在安装防火墙时需要注意以下几点：- 将防火墙设备固定在防火墙机架上，并连接电源线；- 将防火墙设备与网络设备相连，包括连接入口路由器、交换机等；- 安全接入外部网络，并配置相关网络参数。

第三章：软件配置与管理3.1 系统初始化用户在首次接入防火墙时，需要进行系统初始化配置，包括设置管理员账号、密码、管理IP等信息。

确保只有授权的人员可以管理和操作防火墙。

3.2 策略配置配置防火墙的安全策略是非常重要的一项工作。

用户可以根据实际情况制定入站、出站、NAT、VPN等各类安全策略，以确保网络安全。

3.3 安全管理防火墙还具有安全管理功能，包括安全审计、日志记录、攻击防护等功能。

用户可以通过安全管理功能监控网络流量、分析安全事件并采取相应措施。

第四章：故障排除与维护4.1 系统状态监控防火墙设备可通过监控系统状态来查看硬件运行状况、网络流量情况等，及时发现故障并进行处理。

4.2 故障排除当防火墙出现故障时，用户可以通过系统日志、告警信息等来分析故障原因，并进行相应的处理和维护。

4.3 定期维护为了保持防火墙设备的稳定运行，用户需要对设备进行定期的维护工作，包括固件升级、系统优化、安全漏洞补丁安装等。

华为防火墙操作手册一、概述华为防火墙产品华为防火墙作为一款国内领先的安全产品，致力于为企业用户提供全方位的网络安全防护。

防火墙具备强大的安全性能和易用性，可以有效防御各类网络攻击，确保企业网络的安全稳定。

本文将详细介绍防火墙的安装、配置及使用方法。

二、防火墙的安装与配置1.硬件安装在安装防火墙之前，请确保已阅读产品说明书，并根据硬件清单检查所需组件。

安装过程如下：（1）准备好安装工具和配件。

（2）按照产品说明书将防火墙设备组装起来。

（3）将电源线接入防火墙，开启设备电源。

2.软件配置防火墙默认采用出厂配置，为确保网络安全，建议对防火墙进行个性化配置。

配置过程如下：（1）通过Console口或SSH方式登录防火墙。

（2）修改默认密码，保障设备安全。

（3）配置接口、网络参数，确保防火墙与网络正确连接。

（4）根据需求，配置安全策略、流量控制、VPN等功能。

三、防火墙的基本功能与应用1.安全策略安全策略是防火墙的核心功能之一，可以通过设置允许或拒绝特定IP地址、协议、端口等，实现对网络流量的控制。

2.流量控制防火墙支持流量控制功能，可对进出网络的流量进行限制，有效保障网络带宽资源。

3.VPN防火墙支持VPN功能，可实现远程分支机构之间的安全通信，提高企业网络的可靠性。

四、防火墙的高级功能与优化1.入侵检测与防御防火墙具备入侵检测与防御功能，可以实时检测网络中的异常流量和攻击行为，并进行报警和阻断。

2.抗拒绝服务攻击防火墙能够有效抵御拒绝服务攻击（DDoS），确保网络正常运行。

3.网页过滤防火墙支持网页过滤功能，可根据预设的过滤规则，屏蔽恶意网站和不良信息。

五、防火墙的监控与维护1.实时监控防火墙提供实时监控功能，可以查看网络流量、安全事件等实时信息。

2.系统日志防火墙记录所有系统事件和操作日志，方便管理员进行审计和分析。

3.故障排查遇到故障时，可通过防火墙的日志和监控功能，快速定位问题并进行解决。

六、防火墙的性能优化与调整1.性能测试定期对防火墙进行性能测试，确保设备在高负载情况下仍能保持稳定运行。

华为USG6000系列防⽕墙产品技术⽩⽪书（总体）华为USG6000系列下⼀代防⽕墙技术⽩⽪书⽂档版本V1.1发布⽇期2014-03-12版权所有? 华为技术有限公司2014。

保留⼀切权利。

⾮经本公司书⾯许可，任何单位和个⼈不得擅⾃摘抄、复制本⽂档内容的部分或全部，并不得以任何形式传播。

商标声明和其他华为商标均为华为技术有限公司的商标。

本⽂档提及的其他所有商标或注册商标，由各⾃的所有⼈拥有。

注意您购买的产品、服务或特性等应受华为公司商业合同和条款的约束，本⽂档中描述的全部或部分产品、服务或特性可能不在您的购买或使⽤范围之内。

除⾮合同另有约定，华为公司对本⽂档内容不做任何明⽰或暗⽰的声明或保证。

由于产品版本升级或其他原因，本⽂档内容会不定期进⾏更新。

除⾮另有约定，本⽂档仅作为使⽤指导，本⽂档中的所有陈述、信息和建议不构成任何明⽰或暗⽰的担保。

华为技术有限公司地址：深圳市龙岗区坂⽥华为总部办公楼邮编：518129⽹址：/doc/38e0646559eef8c75fbfb3f8.html客户服务邮箱：ask_FW_MKT@/doc/38e0646559eef8c75fbfb3f8.html 客户服务电话：4008229999⽬录1 概述 (1)1.1 ⽹络威胁的变化及下⼀代防⽕墙产⽣ (1)1.2 下⼀代防⽕墙的定义 (1)1.3 防⽕墙设备的使⽤指南 (2)2 下⼀代防⽕墙设备的技术原则 (1)2.1 防⽕墙的可靠性设计 (1)2.2 防⽕墙的性能模型 (2)2.3 ⽹络隔离 (3)2.4 访问控制 (3)2.5 基于流的状态检测技术 (3)2.6 基于⽤户的管控能⼒ (4)2.7 基于应⽤的管控能⼒ (4)2.8 应⽤层的威胁防护 (4)2.9 业务⽀撑能⼒ (4)2.10 地址转换能⼒ (5)2.11 攻击防范能⼒ (5)2.12 防⽕墙的组⽹适应能⼒ (6)2.13 VPN业务 (6)2.14 防⽕墙管理系统 (6)2.15 防⽕墙的⽇志系统 (7)3 Secospace USG6000系列防⽕墙技术特点 (1)3.1 ⾼可靠性设计 (1)3.2 灵活的安全区域管理 (6)3.3 安全策略控制 (7)3.4 基于流会话的状态检测技术 (9)3.5 ACTUAL感知 (10)3.6 智能策略 (16)3.7 先进的虚拟防⽕墙技术 (16)3.8 业务⽀撑能⼒ (17)3.9 ⽹络地址转换 (18)3.10 丰富的攻击防御的⼿段 (21)3.11 优秀的组⽹适应能⼒ (23)3.12 完善的VPN功能 (25)3.13 应⽤层安全 (28)3.14 完善的维护管理系统 (31)3.15 完善的⽇志报表系统 (31)4 典型组⽹ (1)4.1 攻击防范 (1)4.2 地址转换组⽹ (2)4.3 双机热备份应⽤ (2)4.4 IPSec保护的VPN应⽤ (3)4.5 SSL VPN应⽤ (5)华为USG6000系列下⼀代防⽕墙产品技术⽩⽪书关键词：NGFW、华为USG6000、⽹络安全、VPN、隧道技术、L2TP、IPSec、IKE摘要：本⽂详细介绍了下⼀代防⽕墙的技术特点、⼯作原理等，并提供了防⽕墙选择过程的⼀些需要关注的技术问题。

华为E1000E-G12/G16系列AI防火墙(盒式)1概述随着企业业务不断的数字化、云服务化，网络在企业运营中占据着重要的位置，出于各种目的，网络攻击者通过身份仿冒、网站挂马、恶意软件等多种方式进行网络渗透与攻击，影响企业网络的正常使用。

采用防火墙部署网络边界是当前防护企业网络安全的主要方式，但是防火墙通常只能基于签名实现威胁的分析和阻断，该方法对未知威胁无有效的处置方法，还会引起设备性能的降低。

这种单点、被动、事中防御的方式已经不能有效的解决未知威胁攻击，对于隐匿于加密流量中的威胁在不损坏用户隐私的情况下更是无法有效的识别。

华为E1000E-G12/G16系列AI防火墙，在提供NGFW能力的基础上，联动其他安全设备，主动防御网络威胁，增强边界检测能力，有效防御高级威胁，同时解决性能下降问题。

NP 引擎提供快速转发能力，防火墙性能显著提升。

2产品亮点极速：自研业务加速引擎，极致性能，复杂业务处理效率提升至业界2倍智能：基于智能技术，深度集成高级威胁检测，降低Capex 80%智能：采用智能技术免解密检测加密流量融合：内置“诱捕”系统降低勒索软件/APT扩散融合：可信可控的视频终端安全接入，威胁全网可视融合：云管理方式简化设备上线运维3 软件特性功能特性描述一体化防护 集传统防火墙、VPN 、入侵防御、防病毒、数据防泄漏、带宽管理、Anti-DDoS 、URL 过滤、反垃圾邮件等多种功能于一身，全局配置视图和一体化策略管理。

应用识别与管控 可识别6000+应用，访问控制精度到应用功能。

应用识别与入侵检测、防病毒、内容过滤相结合，提高检测性能和准确率。

云管理模式 设备自行向云管理平台发起认证注册，实现即插即用，简化网络创建和开局。

远程业务配置管理、设备监控故障管理，实现海量设备的云端管理。

云应用安全感知 可对企业云应用进行精细化和差异化的控制，满足企业对用户使用云应用的管控需求。

入侵防御与Web 防护 第一时间获取最新威胁信息，准确检测并防御针对漏洞的攻击。

华为防火墙华为防火墙是一种网络安全设备，用于保护企业网络免受攻击和恶意软件的侵害。

它通过对网络流量进行监控和过滤，识别和阻止潜在的威胁，从而确保网络的安全性和稳定性。

首先，华为防火墙提供了一系列的安全策略和功能，以满足不同企业的安全需求。

它可以通过访问控制列表（ACLs）来控制哪些流量可以进入企业网络，哪些流量需要被阻止。

此外，它还提供了入侵检测和预防系统（IDS/IPS）功能，可以检测和阻止未经授权的访问和恶意软件的攻击。

其次，华为防火墙可以对网络流量进行深度分析和过滤，以识别并阻止潜在的威胁。

它可以检测和拦截网络中的恶意软件、病毒、木马等，从而避免它们对企业网络的危害。

此外，它还可以识别网络攻击的行为模式，及时报警和采取相应的防御措施，保护企业的敏感信息和数据安全。

另外，华为防火墙还具备良好的可扩展性和灵活性。

它可以根据企业的网络规模和需求进行灵活的部署和配置。

无论是小型企业还是大型企业，都可以根据实际情况选择适合自己的防火墙模型和配置，以满足不同的安全需求。

同时，它还支持多种接入方式，例如以太网、无线局域网等，可以适应不同网络环境的需求。

最后，华为防火墙还具备优秀的性能和可靠性。

它采用了先进的硬件和软件技术，可以处理大量的网络流量和复杂的安全策略。

同时，它还具备冗余机制和高可用性设计，确保防火墙的稳定运行和持续保护企业网络安全。

总结起来，华为防火墙是一种强大而可靠的网络安全设备，可以保护企业网络免受攻击和恶意软件的侵害。

它提供了多种安全策略和功能，具备深度分析和过滤网络流量的能力，具有良好的可扩展性和灵活性，并具备优秀的性能和可靠性。

使用华为防火墙，企业可以提高网络的安全性和稳定性，保护敏感信息和数据安全。

华为防火墙调研报告华为防火墙调研报告一、引言防火墙是网络安全中重要的一环，它通过实施访问控制策略来保护网络不受非法访问和攻击。

华为是全球领先的信息通信技术（ICT）解决方案提供商，其防火墙产品备受市场推崇。

本报告旨在对华为防火墙进行调研，深入了解其特点、性能和应用场景。

二、产品特点1. 高性能：华为防火墙通过多核处理器和硬件加速技术实现高性能数据包处理。

其数据包转发处理速度可达百Gbps，能够满足大型企业和运营商对高吞吐量和低时延的要求。

2. 强大的安全防护能力：华为防火墙提供了多种安全防护功能，包括访问控制、应用识别和过滤、入侵检测和防御、虚拟专网等。

它采用了全面的安全策略和算法，防范各类网络攻击和威胁。

3. 灵活的部署模式：华为防火墙支持多种部署模式，包括传统的边界防火墙、分布式防火墙和云防火墙。

用户可以根据实际需求和网络架构选择适合的部署模式。

三、性能评估本报告进行了华为防火墙的性能评估，结果如下：1. 吞吐量测试：通过模拟大量数据包的传输，测试了华为防火墙的吞吐量。

结果表明，华为防火墙的吞吐量达到了其宣称的百Gbps以上，能够满足高负载环境下的网络需求。

2. 延迟测试：通过向华为防火墙发送小包和大包的传输请求，测试了其数据包处理的延迟情况。

结果显示，在小包传输中，华为防火墙可以实现较低的延迟，而在大包传输中，延迟稍有增加。

然而，整体延迟值仍然处于可接受范围内。

3. 安全防护测试：通过模拟常见的网络攻击和威胁，测试了华为防火墙的安全防护能力。

结果表明，华为防火墙能够有效地识别和阻止各类攻击，保护网络的安全。

四、应用场景华为防火墙广泛应用于企业和运营商的网络环境中，具有如下应用场景：1. 边界防火墙：作为企业网络的边界安全设备，华为防火墙可以对数据包进行过滤和检测，并设置访问控制策略，保护企业内部网络不受非法访问和攻击。

2. 应用识别与过滤：华为防火墙采用深度包检测技术，可以对网络中的应用进行识别和过滤，实现对特定应用的流量控制和管理。

华为Eudemon1000E-G系列AI防火墙（盒式）随着运营商业务不断的数字化、云服务化，网络在运营商运营中占据着重要的位置，出于各种目的，网络攻击者通过身份仿冒、网站挂马、恶意软件等多种方式进行网络渗透与攻击，影响运营商网络的正常使用。

采用防火墙部署网络边界是当前防护运营商网络安全的主要方式，但是防火墙通常只能基于签名实现威胁的分析和阻断，该方法对未知威胁无有效的处置方法，还会引起设备性能的降低。

这种单点、被动、事中防御的方式已经不能有效的解决未知威胁攻击，对于隐匿于加密流量中的威胁在不损坏用户隐私的情况下更是无法有效的识别。

华为Eudemon1000E-G系列AI防火墙，在提供NGFW能力的基础上，联动其他安全设备，主动防御网络威胁，增强边界检测能力，有效防御高级威胁，同时解决性能下降问题。

NP提供快速转发能力，防火墙性能显著提升。

产品图华为Eudemon1000E-G15/Eudemon 1000E-G25 AI防火墙华为Eudemon1000E-G35/Eudemon 1000E-G55 AI防火墙华为Eudemon1000E-G 系列AI 防火墙（盒式）卓越性能Eudemon1000E-G 系列AI 防火墙内置转发、加密、模式匹配三大协处理引擎，有效将小包转发性能，IPS 、AV 业务性能以及IPSec 业务性能提升2倍。

内置AI 芯片，具备8TOPS 16位浮点数算力，有效支撑高级威胁防御模型加速。

智能防御Eudemon1000E-G 系列AI 防火墙内置NGE 、CDE 和AIE 三大威胁防御引擎。

NGE 作为NGFW 检测引擎，提供IPS 、反病毒和URL 过滤等内容安全相关的功能，有效保证内网服务器和用户免受威胁的侵害。

CDE （Content-based Detection Engine ）可提供数据深度分析，暴露威胁的细节，快速检测恶意文件，有效提高威胁检出率。

产品亮点C&C 加密破解检测…华为Eudemon1000E-G 系列AI 防火墙（盒式）8-3AIE 作为APT 威胁检测引擎，针对暴力破解、C&C 异常流量、DGA 恶意域名和加密威胁流量进行检测，有效解决威胁快速变化、变种频繁、传统升级特征库检测响应慢以及加密攻击检测难度大等问题，构建“普惠式”AI ，帮助客户做到更全面的网络风险评估，有效应对攻击链上的网络威胁，真正实现攻击防御“智”能化。

技术白皮书目录1 概述 (1)2 常见攻击手法 (2)2.1 下一代防火墙 (4)2.2 入侵防御系统 (4)3 WAF产品介绍 (5)3.1 纵深防御 (5)3.1.1 网络主机安全 (5)3.1.2 Web服务安全透明代理 (5)3.1.3 Web应用安全三大核心技术 (6)3.1.4 内容分析与响应检查 (8)3.2 快速应用交付 (8)3.2.1 TCP协议加速 (8)3.2.2 高速缓存 (8)3.3 安全监控与服务发现 (9)3.3.1 自动服务发现 (9)3.3.2 安全监控 (9)3.3.3 性能监控 (9)3.4 多种接口兼容 (10)3.4.1 SNMP接口 (10)3.4.2 Syslog接口 (10)3.4.3 邮件与短信告警接口 (10)3.4.4 WebService接口 (10)4 功能特点 (11)4.1 使网站更安全 (11)4.1.1 双模式安全引擎 (11)4.1.2 黑名单安全技术 (11)4.1.3 白名单安全技术 (11)4.1.4 IP信誉库 (12)4.1.5 区域访问控制 (12)4.1.6 智能防护 (12)ii4.1.7 CC精准防护 (12)4.1.8 虚拟补丁 (12)4.2 使访问更快速 (12)4.2.1 服务优先原则的高性能算法 (12)4.2.2 多种加速方案 (12)4.2.3 高速缓存 (12)4.3 使运维更简单 (13)4.3.1 服务自发现 (13)4.3.2 策略自学习建模 (13)4.3.3 策略规则在线更新 (13)4.3.4 支持PCI-DSS报表功能 (13)4.3.5 规则误判分析 (13)4.4 部署模式 (14)4.4.1 透明直连模式 (14)4.4.2 反向代理 (14)4.4.3 旁路监控 (15)4.4.4 HA双机模式—透明串接 (15)4.4.5 VRRP—反向代理 (17)华为WAF5000系列Web应用防火墙技术白皮书华为WAF5000系列Web应用防火墙技术白皮书关键词：WAF、SQL注入、XSS、CSRF摘要：本文详细介绍常见攻击手段、防御技术、华为WAF功能特点和部署模式。

HiSecEngine Eudemon1000E-F Series AI FirewallsOverviewThe Eudemon1000E-F is a new series firewall developed by Huawei to meet the needs of carriers, enterprises, and next-generation data centers. It combines industry-leading security technologies such as access control, intrusion prevention (IPS), antivirus (AV), URL filtering, anti-spam, and data loss prevention with rich security, robust processing and carrier-class reliability. Inheriting the Eudemon series' outstanding firewall, VPN, and routing features, it helps you build a fast, efficient, and secure network.Product HighlightsComprehensive and Integrated Protection⚫Integrates the traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, URL filtering, and online behavior management functions all in one device.⚫Implements refined bandwidth management based on applications and websites, preferentially forwards key services, and ensures bandwidth for key services.⚫Comes with an antivirus content-based detection engine (CDE) powered by intelligence technologies that helps detect unknown threats, and provides in-depth data analysis to gain insight into threat activities and quickly detect malicious files, effectively improving the threatdetection rate.Easy Security Management⚫Rapidly deploys security policies using scenario-specific templates.⚫Complies with the minimum permission control principle and automatically generates policy tuning suggestions based on network traffic and application risks.⚫Analyzes the policy matching ratio and discovers redundant and invalid policies to remove policies and simplify policy management.⚫Supports Huawei SecoManager to achieve a unified configuration, management and maintenance of all devices.High Performance⚫Uses the network processing platform, improving forwarding performance significantly.⚫Enables pattern matching and accelerates encryption/decryption, improving the performance for processing IPS, antivirus, and IPSec services. High Port Density⚫The device has multiple types of interfaces, such as 100G,40G, 10G, and 1G interfaces. Services can be flexibly expanded without extra interface cards.Note: The interface types supported by different models vary. For details, see the specification table.DeploymentExternal Threat Prevention⚫Coming along with the abundant Internet resources are threats such as DDoS attacks, maliciousintrusions, and viruses.⚫The capabilities of supporting large numbers of concurrent connections and new connections persecond help to combat the numerous DDoS attacks.Empowered by advanced IPS and antivirustechnologies as well as vulnerability-based andreal-time updated signature database, theEudemon1000E-F series implements near-zerofalse positives and negatives and a detection ratio of higher than 99%; defends against diversifiedthreats from the Internet, and ensures the security of the intranet . Network Isolation and VPN Interconnection⚫Network areas are not clearly divided, access control is insufficient, and the data transmittedbetween mobile employees or branches and theheadquarters is likely to be intercepted or tampered with.⚫Delivers high throughput to avoid bottleneck at network borders, supports security zones to clearly divide networks, offers flexible packet filteringpolicies to accurately control communication, and encapsulates and checks packets of VPN users to ensure the security of data communication.HackerMalwareInternetEudemonDatacenterBranchInternetHeadquartersUserIPSec VPNSSL VPNEudemonHardwareSoftware FeaturesFeature DescriptionIntegrated protection Integrates firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, anti-DDoS, URL filtering, and anti-spam functions. Provides a global configuration view, and manages policies in a unified manner.Application identification and control Identifies over 6000 applications and supports the access control granularity down to application functions. The firewall combines application identification with intrusion detection, antivirus, and data filtering, improving detection performance and accuracy.Intrusion prevention and web protection Accurately detects and defends against vulnerability-specific attacks based on up-to-date threat information. The firewall can defend against web-specific attacks, including SQL injection and XSS attacks.Antivirus Supports intelligent antivirus engine that helps detect hundreds of millions of virus variants.Bandwidth management Manages per-user and per-IP bandwidth in addition to identifying service applications to ensure the network access experience of key services and users. Control methods include limiting the maximum bandwidth, ensuring the minimumbandwidth, and changing application forwarding priorities.Eudemon1000E-F15/F25Eudemon1000E-F35/F55/F85Eudemon1000E-F125Eudemon1000E-F205Feature DescriptionURL filtering Supports remote query for URL categories. The URL category database contains over 140 million URL categories. URL category query servers are deployed globally to offer high-speed, low-latency category query services and meet the regulatory requirements of different countries and regions. URL category filtering can implement URL access control for users or groups based on information such as users or groups, time ranges, and security zones, accurately managing users' online behaviors.Intelligent uplink selection Supports service-specific PBR and intelligent uplink selection based on multiple load balancing algorithms (for example, based on bandwidth ratio and link health status) in multi-egress scenarios.VPN encryption Supports multiple highly available VPN features, such as IPSec VPN, SSL VPN, and GRE, as well as multiple encryption algorithms, such as DES, 3DES, AES, and SHA.Anti-DDoS Defends against more than 10+types of common DDoS attacks, including SYN flood and UDP flood attacks.Security virtualization Supports virtualization of multiple types of security services, including firewall, intrusion prevention, antivirus, and VPN. Users can separately conduct personal management on the same physical device.Security policy management Controls traffic based on the 5-tuples, security zone, application, and time range, and implements integrated content security detection.Uses predefined templates for common attack defense scenarios to rapidly deploy security policies, reducing learning costs.Diversified reports Provides visualized and multi-dimensional report display by user, application, content, time, traffic, threat, and URL.Routing Supports multiple types of routing protocols and features, such as RIP, OSPF, BGP, IS-IS, RIPng, OSPFv3, BGP4+, and IPv6 IS-IS.Deployment and reliability Supports transparent, routing, and hybrid working modes and high availability (HA), including the Active/Active and Active/Standby modes.SpecificationPerformance and Capability Eudemon1000E-F15Eudemon1000E-F25 IPv4 Firewall Throughput1(1518/512/64-byte, UDP)15/15/15 Gbit/s25/25/25 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)15/15/15 Gbit/s25/2525 Gbit/s Firewall Throughput(Packet per Second)22.5 Mpps37.5 M pps Firewall Latency (64-byte, UDP)18 µs18 µsFW + SA* Throughput28Gbps12Gbps NGFW Throughput36Gbps10Gbps NGFW Throughput(Enterprise Mix)4 4.6Gbps 4.6Gbps Threat Protection Throughput (Enterprise Mix)54Gbps4Gbps Concurrent Sessions (HTTP1.1)110,000,00010,000,000 New Sessions/Second (HTTP1.1)1250,000250,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)10 Gbit/s15 Gbit/s Maximum IPSec VPN Tunnels (GW to GW)15,00015,000 Maximum IPSec VPN Tunnels (Client to GW)15,00015,000SSL VPN Throughput6 1 Gbit/s 1.5 Gbit/s Concurrent SSL VPN Users (Default/Maximum)100/2000100/2000 Security Policies (Maximum)40,00040,000 Virtual Firewalls 10001000URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/StandbyPerformance and CapabilityNote:1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS,and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.Hardware Specification Eudemon1000E-F15Eudemon1000E-F25 Dimensions (H x W x D) mm43.6 x 442 x 420Form Factor/Height1UFixed Interface8*GE COMBO + 4*GE(RJ45) + 4*GE(SFP)+ 6*10GE(SFP+)USB Port 1 x USB 3.0 portsWeight (Empty Configuration) 6.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption222WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower Supplies Dual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD);5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Noise Maximum value < 72 DbaHardware SpecificationSpecificationPerformance and Capability Eudemon1000E-F35Eudemon1000E-F55Eudemon1000E-F85IPv4 Firewall Throughput1(1518/512/64-byte, UDP)35/35/35 Gbit/s50/50/40 Gbit/s80/80/40 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)35/35/25 Gbit/s50/50/25 Gbit/s80/80/25 Gbit/s Firewall Throughput(Packet per Second)52.5 Mpps60 Mpps60 M pps Firewall Latency (64-byte, UDP)18 µs18 µs18 µsFW + SA* Throughput218Gbps25Gbps25Gbps NGFW Throughput312Gbps18Gbps18Gbps NGFW Throughput (Enterprise Mix)48Gbps8Gbps8Gbps Threat Protection Throughput (Enterprise Mix)57Gbps7Gbps7Gbps Concurrent Sessions (HTTP1.1)120,000,00020,000,00025,000,000 New Sessions/Second (HTTP1.1)1500,000500,000750,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)20 Gbit/s30 Gbit/s30Gbit/s Maximum IPSec VPN Tunnels (GW to GW)200002000020000 Maximum IPSec VPN Tunnels (Client to GW)200002000020000 SSL VPN Throughput6 3 Gbit/s 3 Gbit/s 5 Gbit/s Concurrent SSL VPN Users (Default/Maximum)50005000100/5000 Security Policies (Maximum)60,00060,00060000 Virtual Firewalls 100010001000 URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/Standby Performance and CapabilityHardware SpecificationEudemon1000E-F35Eudemon1000E-F55Eudemon1000E-F85Dimensions (H x W x D) mm43.6 x 442 x 420Form Factor/Height1UFixed Interface 8*GE COMBO + 4*GE(RJ45)+ 10*10GE(SFP+)USB Port 1 x USB 3.0 portsWeight (Empty Configuration)7.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption242WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower SuppliesDual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD); 5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD)Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD)Noise Maximum value < 72 DbaHardware SpecificationNote :1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.SpecificationPerformance and Capability Eudemon1000E-F125Eudemon1000E-F205 IPv4 Firewall Throughput1(1518/512/64-byte, UDP)160/160/80 Gbit/s240/240/120 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)160/120/50 Gbit/s240/200/75 Gbit/s Firewall Throughput(Packet per Second)120 M pps180 M pps Firewall Latency (64-byte, UDP)35 µs35 µsFW + SA* Throughput250Gbps75Gbps NGFW Throughput336Gbps54Gbps NGFW Throughput(Enterprise Mix)416Gbps24Gbps Threat Protection Throughput (Enterprise Mix)514Gbps21Gbps Concurrent Sessions (HTTP1.1)150,000,00075,000,000New Sessions/Second (HTTP1.1)11,500,0002,250,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)45Gbit/s65Git/s Maximum IPSec VPN Tunnels (GW to GW)4000060000 Maximum IPSec VPN Tunnels (Client to GW)4000060000SSL VPN Throughput610 Gbit/s12 Gbit/s Concurrent SSL VPN Users (Default/Maximum)100/10000100/15000 Security Policies (Maximum)6000060000Virtual Firewalls 10001000URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/StandbyPerformance and CapabilityNote:1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.Hardware Specification Eudemon1000E-F125Eudemon1000E-F205 Dimensions (H x W x D) mm43.6 x 442 x 600Form Factor/Height1UFixed Interface 2*100GE(QSFP28) + 2*40G(QSFP+)+8*25(ZSFP+) + 20*GE(SFP+)14*100GE(QSFP28) +16*25GE(ZSFP+) + 8*GE(SFP+)2USB Port 1 x USB 3.0 portsWeight (Empty Configuration) 6.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption222WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower Supplies Dual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD);5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Noise Maximum value < 72 DbaHardware SpecificationNote:1. Some 100GE interfaces and 25GE interfaces of Eudemon1000E-F125 are mutually exclusive.2. Some 100GE interfaces and 25GE interfaces of Eudemon1000E-F205 are mutually exclusive.Order InformationProductEudemon1000E-F15-AC Eudemon1000E-F15 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 AC power supply) Eudemon1000E-F15-DC Eudemon1000E-F15 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 DC power supply) Eudemon1000E-F25-AC Eudemon1000E-F25 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 AC power supply) Eudemon1000E-F25-DC Eudemon1000E-F25 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 DC power supply) Eudemon1000E-F35-AC Eudemon1000E-F35 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F35-DC Eudemon1000E-F35 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F55-AC Eudemon1000E-F55 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F55-DC Eudemon1000E-F55 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F85-AC Eudemon1000E-F85 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F85-DC Eudemon1000E-F85 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F125-AC Eudemon1000E-F125 AC Host (2*QSFP28 + 2*QSFP+ + 8*ZSFP+ + 20*SFP+, 2 AC power supplies) Eudemon1000E-F125-DC Eudemon1000E-F125 DC Host (2*QSFP28 + 2*QSFP+ + 8*ZSFP+ + 20*SFP+, 2 DC power supplies) Eudemon1000E-F205-AC Eudemon1000E-F205 AC Host (4*QSFP28 + 16*ZSFP+ + 8*SFP+, 2 AC power supplies)Eudemon1000E-F205-DC Eudemon1000E-F205 DC Host (4*QSFP28 + 16*ZSFP+ + 8*SFP+, 2 DC power supplies)SSL VPN LicenseLIC-E1KF-SSLVPN-100Quantity of SSL VPN Concurrent Users(100 Users)LIC-E1KF-SSLVPN-200Quantity of SSL VPN Concurrent Users(200 Users)LIC-E1KF-SSLVPN-500Quantity of SSL VPN Concurrent Users(500 Users)LIC-E1KF-SSLVPN-1000Quantity of SSL VPN Concurrent Users(1000 Users)LIC-E1KF-SSLVPN-2000Quantity of SSL VPN Concurrent Users(2000 Users)LIC-E1KF-SSLVPN-5000Quantity of SSL VPN Concurrent Users(5000 Users)VSYS LicenseLIC-E1KF--VSYS-10Quantity of Virtual Firewall (10 Vsys)LIC-E1KF--VSYS-20Quantity of Virtual Firewall (20 Vsys)LIC-E1KF--VSYS-50Quantity of Virtual Firewall (50 Vsys)LIC-E1KF--VSYS-100Quantity of Virtual Firewall (100 Vsys)LIC-E1KF--VSYS-200Quantity of Virtual Firewall (200 Vsys)LIC-E1KF--VSYS-500Quantity of Virtual Firewall (500 Vsys)LIC-E1KF--VSYS-1000Quantity of Virtual Firewall (1000 Vsys)Threat Protection LicenseLIC-E1KE-Fxx-IPS-1YIPS Update Service Subscribe 12 MonthsLIC-E1KE-Fxx-IPS-3YIPS Update Service Subscribe 36 MonthsLIC-E1KE-Fxx-AV-1YAV Update Service Subscribe 12 MonthsLIC-E1KE-Fxx-AV-3YAV Update Service Subscribe 36 MonthsLIC-E1KE-Fxx-URL-1YURL Remote Query Service Subscribe 12MonthsLIC-E1KE-Fxx-URL-3YURL Remote Query Service Subscribe 36MonthsLIC-E1KE-Fxx-TP-1Y-OVSThreat Protection Subscription 12 MonthsLIC-E1KE-Fxx-TP-3Y-OVSThreat Protection Subscription 36 MonthsLIC-E1KE-F-CONTENTContent Security Group FunctionAbout This PublicationThis publication is for reference only and shall not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.For more information, visit /en/products/enterprise-networking/security. Copyright©2021 Huawei Technologies Co., Ltd. All rights reserved.Huawei Technologies Co., Ltd.Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129, People's Republic of ChinaWebsite: Tel: 4008302118Page 7。

Huawei USG6630E/USG6650E/USG6680E Next-Generation FirewallsWith the continuous digitalization and cloudification of enterprise services, networks play an important rolein enterprise operations, and must be protected. Network attackers use various methods, such as identityspoofing, website Trojan horses, and malware, to initiate network penetration and attacks, affecting thenormal use of enterprise networks.Deploying firewalls on network borders is a common way to protect enterprise network security. However,firewalls can only analyze and block threats based on signatures. This method cannot effectively handleunknown threats and may deteriorate device performance. This single-point and passive method doesnot pre-empt or effectively defend against unknown threat attacks. Threats hidden in encrypted traffic inparticular cannot be effectively identified without breaching user privacy.Huawei's next-generation firewalls provide the latest capabilities and work with other security devicesto proactively defend against network threats, enhance border detection capabilities, effectively defendagainst advanced threats, and resolve performance deterioration problems. Network Processors providefirewall acceleration capability, which greatly improves the firewall throughput.Product AppearancesUSG6630E/USG6650E/USG6680EProduct HighlightsComprehensive and integrated protection• Integrates the traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, URL filtering, and online behavior management functions all in one device.• Interworks with the local or cloud sandbox to effectively detect unknown threats and prevent zero-day attacks.• Implements refined bandwidth management based on applications and websites, preferentially forwards key services, and ensures bandwidth for key services.More comprehensive defense• The built-in traffic probe of a firewall extracts traffic information and reports it to the CIS, a security big data analysis platform developed by Huawei. The CIS analyzes threats in the traffic, without decrypting the traffic or compromising the device performance. The threat identification rate is higher than 90%.• The deception system proactively responds to hacker scanning behavior and quickly detects and records malicious behavior, facilitating forensics and source tracing.High performance• Uses the network processing chip based on the ARM architecture, improving forwarding performance significantly.• Enables chip-level pattern matching and accelerates encryption/decryption, improving the performance for processing IPS, antivirus, and IPSec services.• The throughput of a 1 U device can reach 80 Gbit/s.High port density• The device has multiple types of interfaces, such as 40G, 10G, and 1G interfaces. Services can be flexibly expanded without extra interface cards.DeploymentSmall Data center border protection• Firewalls are deployed at egresses of data centers, and functions and system resources can be virtualized.The firewall has multiple types of interfaces, such as 40G, 10G, and 1G interfaces. Services can be flexibly expanded without extra interface cards.• The 12-Gigabit intrusion prevention capability effectively blocks a variety of malicious attacks and delivers differentiated defense based on virtual environment requirements to guarantee data security.• VPN tunnels can be set up between firewalls and mobile workers and between firewalls and branch offices for secure and low-cost remote access and mobile working.Enterprise border protection• Firewalls are deployed at the network border. The built-in traffic probe extracts packets of encrypted trafficand sends the packets to the CIS, a big data analysis platform. In this way, threats in encrypted traffic are monitored in real time. Encrypted traffic does not need to be decrypted, protecting user privacy and preventing device performance deterioration.• The deception function in enabled on the firewalls to proactively respond to malicious scanning behaviorand associate with the CIS for behavior analysis to quickly detect and record malicious behavior, protecting enterprise against threats in real time.• The policy control, data filtering, and audit functions of the firewalls are used to monitor social networkapplications to prevent data breach and protect enterprise networks.Hardware1. HDD/SSD Slot2. 12 x GE (RJ45)3. 12 x 10GE (SFP+)4. 2 x 40GE (QSFP+)5. 1 x USB3.06. 1 x GE (RJ45) management port7. Console portUSG6630E/USG6650E1. HDD/SSD Slot2. 28 x10 GE (SFP+)3. 4 x 40GE (QSFP+)4. 2 x HA (SFP+)5. 1 x USB3.06. 1 x GE (RJ45) management port7. Console portUSG6680ESoftware FeaturesSpecificationsSystem Performance and Capacity1. P erformance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. Antivirus, IPS, and SA performances are measured using 100 KB HTTP files.3. F ull protection throughput is measured with Firewall, SA, IPS, Antivirus and URL Filtering enabled. Antivirus, IPS and SA performances are measured using 100 KB HTTP files.4. F ull protection throughput (Realworld) is measured with Firewall, SA, IPS, Antivirus and URL Filtering enabled, Enterprise Mix Traffic Model.5. SSL inspection throughput is measured with IPS-enabled and HTTPS traffic using TLS v1.2 with AES128-GCM-SHA256.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.Note: All data in this document is based on USG V600R006.Hardware Specifications* Some 10G ports and 40G ports are mutually exclusive. The ports can be configured as follows: 4 x 40GE (QSFP+) + 20 x 10GE (SFP+) + 2 x 10GE (SFP+) HA + 1 x USB or 2 x 40GE (QSFP+) + 28 x 10GE (SFP+) + 2 x 10GE (SFP+) HA + 1 x USBCertificationsRegulatory, Safety, and EMC ComplianceOrdering GuideAbout This PublicationThis publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.For more information, visit /en/products/enterprise-networking/security.Copyright©2019 Huawei Technologies Co., Ltd. All rights reserved.。

Huawei USG6330/6350/6360 next-generation firewalls are security gateways designed for small- and medium-sized businesses and branch offices with 200 to 800 users. The firewalls provide VPN, intrusion prevention, and antivirus functions for comprehensive and integrated network protection, effectively reducing management costs. Refined bandwidth management improves bandwidth efficiency and ensures quality experiences for key services. These firewalls provide continuous next-generation network security in an easy and efficient way.HighlightsComprehensive and integrated protection• Multiple security functions, including firewall, VPN, intrusion prevention, and online behavior management,for complete versatility• Refined bandwidth management based on application and website category to prioritize bandwidth formission-critical services• Detection and prevention of unknown threats, such as zero-day attacks, using sandboxing and thereputation system*Simple management and rapid deployment• Zero-configuration deployment using USB disks to improve deployment efficiency• Predefined common-scenario defense templates to facilitate security policy deployment • Intelligent detection of redundant and invalid policies• Supports cloud-based management and enables Huawei Agile Controller-Cloud Manager to manage andconfigure the firewalls Flexible bandwidth management, improving Internet access experience•Differentiated user bandwidth and quota management for fair and prioritized bandwidth usageHUAWEI USG6330/6350/6360 Next-Generation Firewalls---Securely and Reliably Connect Small- and Medium-Sized Businesses• Application-based bandwidth management to prioritize bandwidth for mission-critical applications• Modification of URL category priorityDeploymentSecure interconnections between enterprise branches• Inspect services in six dimensions (application, user, content, threat, time, and location) and provide refined service access control at the Internet egress.• Establish IPsec or L2TP over IPsec permanent tunnels for branches and partners with fixed VPN gateways (L2TP over IPsec tunnel is recommended if account authentication is required).• Provide SSL VPN for remote access of people on the move and implement fine-grained control over the resources accessible to users.• Authenticate VPN tunnel users to ensure they are legitimate and authorized.• Enable intrusion prevention, antivirus, file blocking, and data filtering functions to prevent remote access users from introducing network threats or leaking information.HardwareUSG6330/6350/6360Interfaces1. USB Port2. Console Port3. 1 x GE (RJ45) Management Port4. 4 x GE (RJ45) Ports5. 2 x GE (Combo) PortsTable 1. Wide Service Interface Cards (WSICs) for USG6300 SeriesSoftware Features1: I f no hard disk is inserted, you can view and export system and service logs. By inserting a hard disk, you can also view, export, customize, and subscribe to reports.Functions marked with * are supported only in USG V500R001 and later versions.Specifications *System Performance and Capacity1. P erformance is tested under ideal conditions based on RFC 2544 and RFC 3511. The actual result may vary with deployment environments.2. Antivirus, IPS, and SA performances are measured using 100 KB of HTTP files.3. Throughput is measured with the Enterprise Traffic Model.4. SSL inspection throughput is measured with IPS-enabled and HTTPS traffic using TLS v1.2 with AES256-SHA.5. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.6. USG6000 V100R001 supports only the RESTCONF interface and cannot interwork with sandbox or third-party tools.* SA indicates Service Awareness.* This content is applicable only to regions outside mainland China. Huawei reserves the right to interpret this content. Hardware Specifications*WISC is not hot-swappable.CertificationsRegulatory, Safety, and EMC ComplianceOrdering GuideAbout This PublicationThis publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.For more information, visit /en/products/enterprise-networking/security.Copyright©2018 Huawei Technologies Co., Ltd. All rights reserved.。

华为WAF5000系列Web应用防火墙网站作为商务贸易、客户交流、信息共享平台，承载着各类虚拟业务的运营，蕴含客户账号、交易记录等重要信息。

与此同时，由于攻击技术门槛低以及可带来的巨大商业利益，网站已成为各国黑客的主要攻击目标。

通常网络中会部署防火墙、IPS等安全产品，但是这类产品对于HTTP和HTTPS的Web应用层攻击往往无法察觉，不能起到理想的防护效果。

专门针对Web应用防护的WAF(Web Application Firewall)产品应运而生。

华为WAF专注于7层防护，采用最为先进的双引擎技术，用户行为异常检测引擎、透明代理检测引擎相结合的安全防护机制实现各类SQL注入、跨站、挂马、扫描器扫描、敏感信息泄露、盗链行为等攻击防护，并有效防护0day攻击，支持网页防篡改。

适用于PCI-DSS、等级保护、企业内控等规范中信息安全的合规建设。

同时，华为WAF支持Web应用加速，支持HA/Bypass部署配置以及维护。

此外，华为WAF支持透明模式、旁路监听模式、反向代理模式等部署模式，广泛适用于“金融、运营商、政府、公安、教育、能源、税务、工商、社保、卫生、电子商务”等涉及Web应用的各个行业。

产品图华为WAF5000系列Web应用防火墙包括四款硬件型号WAF5110、WAF5250、WAF5260和WAF5510，满足不同处理性能要求。

此外，还支持WAF5000-V系列软件形态WAF产品。

华为WAF5000系列Web应用防火墙华为WAF5000系列Web 应用防火墙黑白名单•通过安全白名单检测引擎快速识别正常访问业务流量并快速转发，提供网站最优访问体验。

•通过黑名单检测引擎实现HTTP 协议完整还原，对疑似攻击流量深入检测，从根源上避免绕过及穿透攻击。

•黑白名单双引擎架构协同工作，既能有效识别和阻断Web 攻击又不影响正常的Web 业务运营。

全面检测•多项专利技术保障识别能力，精确识别OWASP Top 10等各种Web 通用攻击。

华为USG6306防火墙配置技术总结1．恢复出厂设置（1）先关闭防火墙电源开关（2）按住rest键，不要松开，打开防火墙电源开关，等待3秒左右，sys指示灯红\黄色交替闪烁时，松开rest键。

（3）等待防火墙自动恢复，大约需要10分钟时间。

2．配置网络接口（1）将PC电脑的ip地址设置为192.168.0.2，子网掩码为：255.255.255.0，默认网关为192.168.0.1。

（2）将网线一端连到MGMT网口，另一端连接到电脑上。

（3）在电脑上打开ie10以上版本的浏览器，访问https://192.168.0.1:8443 （4）在管理界面输入，用户名：admin密码：Admin@123进入管理界面。

（5）首次登录需要重置密码，输入旧密码和新密码，保存即可。

（6）首次登录Web界面之后，快速向导界面会自动弹出。

如果没有自动弹出，请选择“系统 > 快速向导”。

（7）在向导欢迎页面中，单击“下一步”。

（8）配置基本信息，包括设置主机名称和修改管理员密码，单击“下一步”。

（9）主机名称用于在网络中标识设备，在存在多台设备时非常有用。

（10）配置系统时间，单击“下一步”。

（11）选择接入互联网方式为“静态IP”，单击“下一步”。

（12）配置上网接口的IP地址以及运营商所提供的网关地址、DNS服务器地址，单击“下一步”。

（13）配置LAN接口的IP地址，单击“下一步”。

（14）开启局域网DHCP服务，并使用默认的IP地址范围。

该IP地址范围就是LAN接口所在网段。

单击“下一步”。

（15）核对配置信息无误后，勾选左下角的“下次登录不再显示”，单击“应用”。

（16）当看到操作成功提示后，说明初始化设置已经完成。

单击“完成”进入Web界面开始后续的配置。

华为AI防火墙及应用场景介绍
一、华为AI防火墙介绍
华为AI防火墙是一款由华为推出的智能防火墙解决方案，它是一款全新的基于人工智能的防火墙，采用华为自主研发的DeepCare AI引擎，可以实现自我学习、智能预测和自动化防护功能。

华为AI防火墙可以及时发现和响应复杂的网络攻击，有效地防止上网行为及安全风险，让企业安全网络。

华为AI防火墙采用具有自主知识产权的DeepCare AI引擎，它是一种基于深度机器学习技术的预测分析引擎，可以实现自我学习、智能预测和自动化防护功能。

它还可以根据实时安全威胁的活动特征，根据用户的上网行为及安全风险，对攻击行为进行分析判断，及时发现和响应复杂的网络攻击，有效地防止上网行为及安全风险。

华为AI防火墙还具备以下特性：一是具有高性能，能够在一定的环境中高效运行，特别是在大规模的网络环境中可以保持高性能；二是自动发现和响应，可以及时发现并响应可疑行为，有效保护网络安全；三是安全预警与防御，能够及时发现和响应安全威胁，并采取相应的预警和防御措施，有效提高网络安全防护效果；四是可视化管理，可视化管理界面，方便快捷。

防火墙：华为防火墙默认拒绝所有区域间的访问；默认区域内部之间互相访问，不存在安全问题，默认放行其余厂商：高优先级到低优先级区域默认可以访问，低优先级到高优先级拒绝访问防火墙支持入侵检测（主动）/入侵防御（被动）防火墙特征：逻辑区域过滤器隐藏内网网络结构自身安全保障主动防御攻击防火墙分类：包过滤防火墙：只能通过检测报文头部匹配安全策略，本质其实就是ACL 1.无法关联后续的数据包，每个数据包都需要匹配的安全策略，转发速度较慢2.无法适应多通道协议（需要协商端口的协议）（如：FTP：21控制信道，20数据信道）3.通常不检查应用层数据，安全性比较低FTP：文件传输协议端口21：建立控制信道：客户端发送服务器：SYN S.port：X D.port：21服务器发送客户端：SYN+ACK S.port：21 D.port：X客户端发送服务器：ACK S.port：X D.port：21TCP三次握手成功，代表控制信道建立完成；作用：传输用户名/密码/协商端口（数据信道）端口20：数据信道：传输信道主动：服务器发起数据信道的TCP请求（PORT）建立数据信道之前：客户端发送一个PORT告诉服务器临时开发的端口PORT：a,b,c,d,e,f a,b,c,d：客户端IP地址 e,f:临时开放的端口（e*256+f）服务器向客户端发起TCP请求建立数据信道：SYN：S.port：20 D.port：e*256+f客户端向服务器回应第二个TCP消息：SYN+ACK：S.port：e*256+f D.port：20服务器向客户端回应第三个TCP消息：ACK：S.port：20 D.port：e*256+fTCP连接建立成功代表数据信道建立完成，传输FTP数据（上传：put；下载：get）被动：客户端发起数据信道的TCP请求（PASV）建立数据信道之前：客户端向服务器发送PASV消息请求服务器的临时端口服务器向客户端回应PASV消息携带服务器的临时端口（e*256+f）客户端向服务器发起TCP请求：SYN：S.port：X（随机） D.port：e*256+f服务器向客户端回应第二个TCP消息：SYN+ACK：S.port：e*256+f D.port：X客户端向服务器回应第三个TCP消息：ACK：S.port：X D.port：e*256+fTCP连接建立成功代表数据信道建立完成，传输FTP数据（上传：put；下载：get）代理防火墙：proxy（中间人）1.防止DOS攻击（如：SYN洪水攻击）：服务器资源浪费---防火墙资源浪费---每IPTCP连接阈值/每时间TCP连接阈值2.造成访问延时增加，处理速度慢3.升级困难/应用实现难：代理防火墙针对特定的应用/服务作代理（WAF专门针对web服务器防护，WEB应用场景非常多状态检测防火墙：（NGFW）1.可以关联后续的数据包：只需要进行首包检测，创建会话表（记录TCP连接的状态），后续数据包只需要匹配会话表，提高数据包的转发效率2.可以检测应用层数据/DATA3.会话表是状态检测防火墙的转发的唯一依据（市场所有的防火墙都是状态检测防火墙）------下一代防火墙：性能，集成4.首保检测：华为TCP（SYN）,ICMP(request) UDP（每个都是首包）display firewall session table 查看防火墙会话表display firewall session table verboseCurrent Total Sessions : 1icmp VPN: public --> public ID: c487f0613587050af465f2a26f7协议没有虚拟防火墙系统会话id 唯一Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:03区域流量老化时间（不同协议不同）剩余生存时间Interface: GigabitEthernet1/0/1 NextHop: 10.1.2.3 MAC:00e0-fcb1-581f出接口下一跳IP 下一跳MAC地址<--packets: 5 bytes: 420 --> packets: 5 bytes: 420数据包数量/大小10.1.1.2:52651 --> 10.1.2.3:2048 PolicyName: permit_all源目IP地址/端口---谁访问谁策略名字firewall session link-state check NGFW开启状态检测（默认开启）display firewall session aging-time 查看会话表不同协议老化时间 firewall session aging-time service-set icmp 40000 配置协议/应用会话表的老化时间int g1/0/0.1vlan-type dot1q 10ip address ……防火墙部署模式：直路部署：流量经过防火墙，防火墙相当于私网的网关设备1.路由：三层，改变原有网络的拓扑结构，对网络的影响较大2.网桥：二层，对网络影响有限，不会造成太大影响，会失去很多功能（DHCP，VPN）3.混合：既有三层接口，又有二层接口旁路部署：镜像检查，防火墙旁挂会失去大部分功能，对网络基本没有影响网络部署哪种合适：先看网络需求，再考虑网络影响防火墙配置步骤：1.配置接口：-------三层接口二层接口2.配置区域：3.配置路由4.配置策略（对象---）5.内容安全/检查数据部分的内容（可选）6.NAT包过滤技术：对需要转发的数据包，先获取包头信息，然后和设定的规则进行比较，根据比较的结果对数据包进行转发或者丢弃实现包过滤的核心技术是访问控制列表防火墙安全策略：域间定义：安全策略是按一定规则控制设备对流量转发以及对流量进行内容安全一体化检测的策略规则的本质是包过滤主要应用：对跨防火墙的网络互访进行控制。