华为Eudemon一道门防火墙

6-1华为Eudemon1000E-N 下一代防火墙华为Eudemon1000E-N 下一代防火墙Eudemon1000E-N 下一代防火墙随着互联网技术的不断发展，智能手机、iPad 等终端被更多地应用到办公中，移动应用程序、Web2.0、社交网络应用于生产生活的方方面面。

网络边界变得模糊，信息安全问题日益复杂。

传统的安全网关通常只能通过IP 和端口进行安全防护，难以完全应对层出不穷的应用威胁和Web 威胁。

Eudemon1000E-N 系列是华为公司为解决运营商、企业、政府、数据中心等机构的网络安全问题自主研发的下一代防火墙产品。

它基于业界领先的软、硬件体系架构，通过对应用、用户、威胁、时间、位置的全面感知，将网络环境清晰的映射为业务环境。

在应用识别的基础上提供精准的管控能力，融合了IPS 攻击防护、AV 防病毒、URL 过滤，Web 内容过滤，反垃圾邮件和邮件过滤等行业领先的专业安全技术，支持IPv6防护及过渡技术，为用户提供强大、可扩展、持续的安全能力。

在运营商、政府、金融、电力、石油、教育、工业制造等行业得到广泛应用。

下一代防火墙，地址才能“应用（Application ）、时间（Time ）、用户多个维度解析企业的业务流量，并结合各种维度进行、行为识别等技术手段，准确识别超过6000个网络应用。

• 用户：通过Radius 、LDAP 、AD 等8种用户识别手段，将流量中的IP 地址与现实世界中的用户信息联系起来。

基于用户对网络流量进行管控。

• 威胁：支持超过5000+特征的攻击检测和防御。

支持Web 攻击识别和防护，如跨站脚本攻击、SQL注入攻击等。

可以识别和防范SYN flood 、UDP flood 等10+种DDoS 攻击，识别500多万种病毒。

采用基于云的URL 分类过滤，预定义的URL 分类库已超过8500万，阻止访问恶意网站带来的威胁。

• 位置：与全球位置信息结合，识别流量及威胁发起的位置信息；使用流量地图和威胁地图快速发现异常，进而制定对应的防护策略。

目录第1章防火墙概述1-11.1 网络安全概述 ..................................................................................................................... 1-11.1.1 安全威胁.................................................................................................................. 1-11.1.2 网络安全服务分类 ................................................................................................... 1-11.1.3 安全服务的实现方法................................................................................................ 1-21.2 防火墙概述......................................................................................................................... 1-31.2.1 安全防范体系的第一道防线——防火墙................................................................... 1-31.2.2 防火墙发展历史....................................................................................................... 1-41.3 Eudemon产品简介 ............................................................................................................ 1-61.3.1 Eudemon产品系列.................................................................................................. 1-61.3.2 Eudemon500/1000防火墙简介............................................................................... 1-61.3.3 Eudemon500/1000防火墙功能特性列表 ................................................................ 1-8第2章 Eudemon防火墙配置基础............................................................................................ 2-12.1 通过Console接口搭建本地配置环境................................................................................. 2-12.1.1 通过Console接口搭建............................................................................................ 2-12.1.2 实现设备和Eudemon防火墙互相ping通............................................................... 2-42.1.3 实现跨越Eudemon防火墙的两个设备互相ping通 ................................................ 2-52.2 通过其他方式搭建配置环境................................................................................................ 2-62.2.1 通过AUX接口搭建.................................................................................................. 2-72.2.2 通过Telnet方式搭建............................................................................................... 2-92.2.3 通过SSH方式搭建................................................................................................ 2-112.3 命令行接口....................................................................................................................... 2-122.3.1 命令行级别 ............................................................................................................ 2-122.3.2 命令行视图 ............................................................................................................ 2-132.3.3 命令行在线帮助..................................................................................................... 2-242.3.4 命令行错误信息..................................................................................................... 2-252.3.5 历史命令................................................................................................................ 2-262.3.6 编辑特性................................................................................................................ 2-262.3.7 查看特性................................................................................................................ 2-272.3.8 快捷键.................................................................................................................... 2-272.4 防火墙的基本配置............................................................................................................ 2-302.4.1 进入和退出系统视图.............................................................................................. 2-302.4.2 切换语言模式......................................................................................................... 2-302.4.3 配置防火墙名称..................................................................................................... 2-312.4.4 配置系统时钟......................................................................................................... 2-312.4.5 配置命令级别......................................................................................................... 2-312.4.6 查看系统状态信息 ................................................................................................. 2-322.5 用户管理........................................................................................................................... 2-332.5.1 用户管理概述......................................................................................................... 2-332.5.2 用户管理的配置..................................................................................................... 2-342.5.3 用户登录相关信息的配置....................................................................................... 2-372.5.4 典型配置举例......................................................................................................... 2-382.6 用户界面（User-interface）............................................................................................. 2-392.6.1 用户界面简介......................................................................................................... 2-392.6.2 进入用户界面视图 ................................................................................................. 2-402.6.3 配置异步接口属性 ................................................................................................. 2-412.6.4 配置终端属性......................................................................................................... 2-422.6.5配置Modem属性 ................................................................................................. 2-442.6.6 配置重定向功能..................................................................................................... 2-452.6.7 配置VTY类型用户界面的呼入呼出限制 ............................................................... 2-462.6.8 用户界面的显示和调试 .......................................................................................... 2-472.7 终端服务........................................................................................................................... 2-472.7.1 Console接口终端服务........................................................................................... 2-472.7.2 AUX接口终端服务 ................................................................................................ 2-472.7.3 Telnet终端服务..................................................................................................... 2-482.7.4 SSH终端服务........................................................................................................ 2-51第3章 Eudemon防火墙工作模式............................................................................................ 3-13.1 防火墙工作模式简介 .......................................................................................................... 3-13.1.1 工作模式介绍........................................................................................................... 3-13.1.2 路由模式工作过程 ................................................................................................... 3-33.1.3 透明模式工作过程 ................................................................................................... 3-33.1.4 混合模式工作过程 ................................................................................................... 3-73.2 防火墙路由模式配置 .......................................................................................................... 3-83.2.1 配置防火墙工作在路由模式..................................................................................... 3-83.2.2 配置路由模式其它参数 ............................................................................................ 3-83.3 防火墙透明模式配置 .......................................................................................................... 3-83.3.1 配置防火墙工作在透明模式..................................................................................... 3-93.3.2 配置地址表项........................................................................................................... 3-93.3.3 配置对未知MAC地址的IP报文的处理方式 ........................................................... 3-93.3.4 配置MAC地址转发表的老化时间 ......................................................................... 3-103.4 防火墙混合模式配置 ........................................................................................................ 3-103.4.1 配置防火墙工作在混合模式................................................................................... 3-103.4.2 配置混合模式其它参数 .......................................................................................... 3-11 3.5 防火墙工作模式的切换..................................................................................................... 3-11 3.6 防火墙工作模式的查看和调试.......................................................................................... 3-11 3.7 防火墙工作模式典型配置举例.......................................................................................... 3-123.7.1 处理未知MAC地址的IP报文............................................................................... 3-123.7.2 透明防火墙连接多个局域网................................................................................... 3-12第1章防火墙概述1.1 网络安全概述随着Internet的迅速发展，越来越多的企业借助网络服务来加速自身的发展，此时，如何在一个开放的网络应用环境中守卫自身的机密数据、资源及声誉已越来越为人们所关注。

华为Eudemon1000E-G系列AI防火墙（盒式）随着运营商业务不断的数字化、云服务化，网络在运营商运营中占据着重要的位置，出于各种目的，网络攻击者通过身份仿冒、网站挂马、恶意软件等多种方式进行网络渗透与攻击，影响运营商网络的正常使用。

采用防火墙部署网络边界是当前防护运营商网络安全的主要方式，但是防火墙通常只能基于签名实现威胁的分析和阻断，该方法对未知威胁无有效的处置方法，还会引起设备性能的降低。

这种单点、被动、事中防御的方式已经不能有效的解决未知威胁攻击，对于隐匿于加密流量中的威胁在不损坏用户隐私的情况下更是无法有效的识别。

华为Eudemon1000E-G系列AI防火墙，在提供NGFW能力的基础上，联动其他安全设备，主动防御网络威胁，增强边界检测能力，有效防御高级威胁，同时解决性能下降问题。

NP提供快速转发能力，防火墙性能显著提升。

产品图华为Eudemon1000E-G15/Eudemon 1000E-G25 AI防火墙华为Eudemon1000E-G35/Eudemon 1000E-G55 AI防火墙华为Eudemon1000E-G 系列AI 防火墙（盒式）卓越性能Eudemon1000E-G 系列AI 防火墙内置转发、加密、模式匹配三大协处理引擎，有效将小包转发性能，IPS 、AV 业务性能以及IPSec 业务性能提升2倍。

内置AI 芯片，具备8TOPS 16位浮点数算力，有效支撑高级威胁防御模型加速。

智能防御Eudemon1000E-G 系列AI 防火墙内置NGE 、CDE 和AIE 三大威胁防御引擎。

NGE 作为NGFW 检测引擎，提供IPS 、反病毒和URL 过滤等内容安全相关的功能，有效保证内网服务器和用户免受威胁的侵害。

CDE （Content-based Detection Engine ）可提供数据深度分析，暴露威胁的细节，快速检测恶意文件，有效提高威胁检出率。

产品亮点C&C 加密破解检测…华为Eudemon1000E-G 系列AI 防火墙（盒式）8-3AIE 作为APT 威胁检测引擎，针对暴力破解、C&C 异常流量、DGA 恶意域名和加密威胁流量进行检测，有效解决威胁快速变化、变种频繁、传统升级特征库检测响应慢以及加密攻击检测难度大等问题，构建“普惠式”AI ，帮助客户做到更全面的网络风险评估，有效应对攻击链上的网络威胁，真正实现攻击防御“智”能化。

Quidway Eudemon100 防火墙产品概述Quidway Eudemon100 守护神防火墙提供Quidway Eudemon100 守护神防火墙是华为技术有限公司的一款专用防火墙设备 完善的防火墙安全特性和 VPN 服务 连接能力和更高的处理能力 要求 此外 提供比路由器更加强大的网络地址转换服务 还支持 H.323 等应用网关具有更大的可以全面支持视频会议的组网提供完善的视频会议解决方案Quidway Eudemon100 防火墙硬件结构采用盒式结构平台 的结构一致 扩展模块采用插拔式 安装与维护操作简单 方便与 Quidway R 系列路由器 Quidway Eudemon100 防火墙提供两个固定快速以太网端口 同时具有模块可扩展性 可以通过扩展 1FE 1 端口快速以 太网 模块来扩充以太网接口 最多可以扩展两块 1FE 模块 直流两种供电方式 即最多共支持四个 10/100Mbit/s自适应以太网接口整机支持交流产品特性软件操作系统采用 VRP Versatile Routing Platform 通用路由平台 系统 其市场定位为 具有安全特性 NAT 特性 VPN 等特性的防火墙设备 业务网关设备 作为重要数据服务器前端的防火墙设备和企业网出口的安全防护Quidway Eudemon100 防火墙也是客户开展多媒体业务的必备设备 该设备可以解决公用网地址不足的问题 满足企业网内部多个专用网之间的 互通 实现三网合一方案 为业务提供有效的安全保障 还可以作为 VPN 网关 实现远程访问 网络到网络等多种 VPN 组网安全特性 l 支持包过滤 提供标准或扩展的 ACL Access Control List 访问控制列表 可根据 IP报文多种信息进行包过滤 l 基于接口和时间段的包过滤防火墙 应用标准或扩展访问控制规则过滤数据包 不仅保护内 部网络免遭外来攻击 还可以有效控制内部主机对外部资源的访问 形成内外网络之间的安 全保护屏障 l 并对违反规则的报文进行日志记录 针对分片报文指定过滤规则华为技术有限公司数据通信产品部1Quidway Eudemon100 防火墙产品概述l支持状态检测 应用代理等防火墙功能 华为 ASPF(Applied Specific Packet Filter) 技术可 实现对每一个连接状态信息的维护监测并动态地决定数据包过滤 ASPF 是一种高级通信过 滤 它检查应用层协议信息并且监控基于连接的应用层协议状态 对于所有连接 每一个连 接状态信息都将被 ASPF 维护并用于动态地决定数据包是否被允许通过防火墙或丢弃l通过 ASPF 可以为内部网络的提供更高级的安全保护 通过 ASPF 的检测 可以保证所有 建立的连接都是合法连接 防止地址欺骗 身份伪造等恶意攻击行为l l通过 ＡＳＰＦ，可支持对 TCP UDP SMTP HTTP FTP RTSP H.323 等协议的状态监控 可支持 IDS 检测和防 DoS 功能 程序进行检测 Denial of Service 服务拒绝 可以对 http 中的 java 小防止恶意的 java 小程序对主机造成的损害l可以通过灵活的配置实现对 DMZ 区的需求,可以选择四个 FE 口中的任何一个 FE 口作为 DMZ 区端口l包过滤防火墙 状态防火墙应用在接口的输入或输出方向上 不仅保护内部网络免遭外来攻 击 还可以有效控制内部主机对外部资源的访问 形成内外网络之间的安全保护屏障 Authorization and Accounting Passwordl按照 ITU-T RADIUS 协议规范实现 AAAAuthentication验证 授权和计费 功能 构建分布式的客户/服务器安全访问应用 依据 PAPAuthentication Protocol 口令验证协议 和 CHAP Challenge Handshake Authentication Protocol 盘问握手验证协议 认证规范 为用户提供安全的认证 授权和计费服务 避免未授权访问 l 支持 IPSec IP Security 网际协议的安全 加密标准 法5 l 3DES 的加密算法 也提供 MD5 提供 DES Data Encryption Standard 数据 Message Digest Algorithm 5 消息分类算的加密认证算法 在传输或隧道模式支持的 IPSec 系列协议可通过采用手工配置或自动协商密钥两种方式 下能够单独或组合应用 AH Authentication Header确认报头 和 ESP Extended ServicesProcessor 扩展业务处理器 安全协议 对整个 IP 报文或数据载荷内容进行不同粒度级别 的加密和认证 密 l 功能 从而提供验证数据源 校验数据完整性和防止报文重放等 ESP 还提供加结合 ACL 访问控制列表共同确保数据信息在 Internet 上传送的安全保密性 Internet Security Association and Key Management Protocol 因特网相遵照 ISAKMP关安全和密钥管理协议 协议框架和 IKE Internet Key Exchange 因特网密钥交换 协议 实现自动密钥交换功能 简化了 IPSec 的使用和管理NAT 服务 l 提供完善的地址转换服务,可实现多对多的地址转换 限制局部地址转换 内部服务器等服华为技术有限公司数据通信产品部2Quidway Eudemon100 防火墙产品概述务 l 支持 ITU-T H.323 协议族 前提下 l 因此可以在不增加任何其他非会议电视设备 H.323 组件 的实现跨 NAT 的 H.323 通讯NAT 支持 RAS Reliability Availability and Serviceability 可靠性 可获得性 可服务性 Q.931 H245 消息 网守 能够和多媒体 MCU Multipoint Control Unit 多点控制单元 GKGatekeeper 间的呼叫 l l l以及终端等设备灵活组网 支持公用网到专用网专用网到专用网可支持 ICMP NBT 协议 支持 DNS Domain Name System 域名系统 最大同时连接数为 50 万个 Netmeeting 网络会议 服务 转提供优质的 NAT 性能 发性能大于 70kpps每秒发起 TCP 连接数为 2000 个VPN 特性 l 利用 Quidway Eudemon100 防火墙可以实现构建多种 VPN 网络 网络到网络等多种 VPN 组网 l Intranet VPN 通过公用网络互连企业各个分布点 作为传统专线网络或其它企业网的扩展及 替代形式 l Access VPN 为 SOHO Small Office,Home Office, 小办公室 家庭办公室 等小型用 支持远程访问 VPN 和户搭建通过 PSTN/ISDN 网络访问公司总部资源的安全通路 l Extranet VPN 将企业网络延伸至合作伙伴与客户处 专用的通讯 l 支 持 L2TP(Layer Two Tunneling Protocol Encapsulation l l 通用路由封装)协议 二层隧道协议) GRE(Generic Routing 使不同企业间通过公用网安全地进行支持 VPN 内部和 VPN 之间的会议电视互通 支持 IPSec 提供 DES 3DES MD5 的加密算法 现自动密钥交换功能 可构建远程访问 遵照 ISAKMP 协议框架和 IKE 协议实网络到网络等多种 VPN 组网QoS 特性 l QoS Quality of Service 服务质量 主要通过流量分类 流量监管 拥塞管理 拥塞避免 和流量整形等措施对广域网或局域网络上的流量进行管理 最大限度地降低延迟 抖动等因 素对传输信息的影响 l 针对不同需求提供多种不同的服务质量 字段识别不同优先级的流量QoS 可以按照 IP 报文头 TOS Type Of Service 业务类型华为技术有限公司数据通信产品部3Quidway Eudemon100 防火墙产品概述或结合链路层 网络层 传输层的相关信息对报文进行分类 从而可以对不同类别的数据流 量提供有区别的服务 CAR Committed Access Rate 保证接入速率 技术正式将网络流 量划分为多个优先级别或服务类型 通过丢弃报文或重新设置报文优先级等措施来限制某类 报文的流量 l 从而实现流量监管的目的 先进先出) PQ Priority Queue 优先级排队 加权公平排队QoS 可以实现 FIFO(First In First Out CQ Custom Queuing 习惯排队和 WFQWeighted Fair Queueing四种队列进行流量管理 分别提供报文先进先出 高优先级被优先处理 为指定流量预留带 宽 l 对流量进行加权公平处理等拥塞管理策略 灵活的满足各类报文的服务质量为了避免拥塞发生 QoS 采用 WRED Weighted Random Early Detection 加权随机早期 检测 技术监控缓冲区的使用情况 对即将发生的拥塞进行预防 从而有效地避免了拥塞的 发生lQoS 采用令牌桶机制实现流量整形 如采用 GTS(Generic Traffic Shaping 通用业务整型) 限制流出某一网络的某一突发流量 从而确保报文以比较均匀的速度向外发送 消除了部分 造成拥塞的前提条件l支持 ＤｉｆｆＳｅｒｖｅｒ 以实现会议电视应用和非会议电视应用的分流 会议电视应用的 Ｑｏｓ在带宽有限的情况下保证l采用 QOS 特性可实现对于用户约定流量攻击流量等特征流的带宽管制服务操作维护系统功能及特点 l 硬件结构采用盒式结构平台 式 l 安装与维护操作简单 与 Quidway R 系列路由器的结构一致 方便 系统 VRP 是华为 扩展模块采用插拔软件操作系统采用 VRP Versatile Routing Platform 通用路由平台公司具有完全自主知识产权的网络操作系统 可以运行在多种硬件平台之上并拥有一致的网 络界面 l 用户界面和管理界面 便于用户使用和管理采用专用 ＶＲＰ 网络操作平台和硬件平台架构 避免采用通用平台架构防火墙的自身漏洞和不 安全性 不可靠性 与 Quidway R 系列路由器产品命令行一致 与主流命令lVRP 系统操作采用命令行方式 行配置方式相兼容提供了丰富的命令参数在线帮助信息l l l l系统支持中英文两种语言 支持完全帮助和部分帮助 配置管理界面支持命令行和网管两种用户接口方式 支持 SNMP Simple Network Management Protocol 简单网络管理协议 可以通过网管华为技术有限公司数据通信产品部4Quidway Eudemon100 防火墙产品概述来实现对设备的日常管理和维护 l l监控设备状态设置设备基本参数可以通过拨号或远程登录对系统进行远程维护 软件系统具有可安装 可升级性网管系统 l 支持 SNMP V3 NMS Network Management System 网管站 和 Agent 代理 之间通过该协议通讯 NMS 通过向 Agent 发送请求来进行对 Agent 上的管理变量的操作 Agent 接到请求后通过发送 Response 来向 NMS 返回操作的结果 当 Agent 上发生异常时 Agnet 通过向 NMS 发送 Trap 或者 Notification 来通知 NMS l 提供 SNMP 中的 Agent 侧的功能 即接收 NMS 的请求报文 处理完毕后返回应答报文 报告设备当前的状当设备发生异常或者运行状态发生变化时 况 l将向 NMS 发送 Trap 报文可通过网管来实现对设备的日常管理和维护 监控设备状态 设置设备基本参数 可通过拨 号或远程登录对系统进行远程维护l l l支持 MIB 监控和管理 还可支持 VPN 隧道的远程管理 配置管理界面支持命令行和网管两种用户接口方式 其中命令行方式与 Quidway R 系列路 由器产品命令行一致 与业界主流命令行配置方式兼容 支持中英文两种语言 支持完全帮助和部分帮助l l提供了丰富的命令参数在线帮助支持防火墙日志 NAT 日志等功能 可通过控制台进行输出显示 日志信息可送到 SYSLOG 服务器 可通过控制台 SYSLOG 以及 SNMP 陷阱进行通知 特定流跟踪记录功能可靠性 l l 产品平均无故障间隔时间 MTBF 设计指标 46.74 年 可以在一定时间内重置系统 完全恢系统具有 WatchDog 看门狗 复系统的所有功能当系统出现异常时近可能减小系统和通讯中断的时间l提供整机热备份机制 系统提供 VRRP Virtual Router Redundancy Protocol 虚拟路由器 容错协议 特性 通过虚拟路由器技术可以构建备份设备组 当主用设备出现故障时 备份 设备能够自动运行并取代故障设备而成为新的主用设备l防火墙之间的双机热备不需要独立的 HA 接口连接 只要两台备份防火墙之间的正常业务接 口路由可达即可 有效节省用户投资 UL TUV 安规认证和 CE 认证lQuidway Eudemon100 防火墙获得了公安部华为技术有限公司数据通信产品部5Quidway Eudemon100 防火墙产品概述Quidway Eudemon100 组网应用防火墙应用方案 Quidway Service Eudemon100 防火墙支持包过滤 功能 状态检测防火墙和防 DoS Denial of拒绝服务基于接口和时间段的包过滤防火墙应用标准或扩展访问控制规则过滤数据包 不仅保护内部网络免遭外来攻击 还可以有效控制内部主机对外部资源的访问 形 成内外网络之间的安全保护屏障 状态防火墙是一种高级的通信过滤 它不仅检测网络层和传输层的信息 而且能够检测应用 层协议的信息 如 FTP 连接信息 从而获取 TCP 或 UDP 会话的状态 状态防火墙监控基于连接的应用层协议状态 并维护每个连接的状态信息 并根据此状态信息来动态决定数据报文是否 被允许通过防火墙 状态防火墙能够检测防火墙任意一侧发起的会话 可以防止来自网络外部的 恶意攻击防火墙应用组网图华为技术有限公司数据通信产品部6Quidway Eudemon100 防火墙产品概述多媒体应用组网方案 拥有私有地址的局域网 经由具有合法公有 IP 地址的 Quidway Eudemon100 防火墙设备 可以和其他局域网的视频终端 Internet 网络上的视频终端进行视频会议通信 从而提供完善的 多媒体视频会议的解决方案 提供多个 10M/100M 自适用的以太网接口 R3600/2600 机 Quidway NE16/08 上行通道可以通过以太网接入到 Quidway 下行通道可以通过交换Quidway 以太网交换机等设备HUB 等设备连接一个局域网Quidway Eudemon100 防火墙设备提供的丰富的业务和安 如安全 VPN QOS 等 可以识别 H.225.0 RAS全特性满足企业局域网接入 Internet 的各种需求Quidway Eudemon100 防火墙的 NAT 特性支持 H.323 协议 Q.931 H.245 消息 完成对这些报文载荷的地址转换从而使得 Quidway Eudemon100 防火墙设备可以完全透明地支持多媒体应用多媒体应用组网图VPN 解决方案 Quidway Eudemon100 防火墙支持丰富的 VPN QOS 加密特性 可以做为企业的 VPN 网关 构建企业高效 安全的 VPN 网络Intranet VPN 通过公用网络互连企业各个分布点 作为传统专线网络或其它企业网的扩展及 替代形式 Access VPN 为 SOHO 等小型用户搭建通过 PSTN/ISDN 网络访问公司总部资源的华为技术有限公司数据通信产品部7Quidway Eudemon100 防火墙产品概述安全通路 安全Extranet VPN 将企业网络延伸至合作伙伴与客户处使不同企业间通过公用网进行私有的通讯VPN 解决方案组网图数据加密解决方案 Quidway Eudemon100 防火墙支持 IPSec 通过采用加密 数据源验证 完整和真实性检查 确保数据信息在 Internet 上安全传送 因此可以避免 Internet 网络中的数据被窃听和篡改 在公司总部和分公司 墙作为数据加密/解密设备 办事处的局域网出口处各设置一台 Quidway 为 Internet 网络上的数据传输提供安全保障 Eudemon100 防火数据加密组网图Eudemon100 防火墙性能指标表 1 Eudemon100 防火墙系统特性华为技术有限公司 数据通信产品部8Quidway Eudemon100 防火墙产品概述项目 扩展插槽数量 防火墙性能 ACL 规则数 会话连接数 每秒种会话建立数 VPN 连接数 处理器 NVRAM Non-Volatile Random Access Memory 非易失随机读写存储器 Boot ROM (启动只读存储器) SDRAM 同步动态随机存储器 Flash 重量 输入电压 最大输入电流 最大功率 工作环境温度 工作环境相对湿度 产品平均无故障间隔时间 MTBF Memory (闪速存储器)Eudemon100 描 述 两个固定快速以太网端口 同时具备 2 个扩展插 槽 可扩展两块 1FE 模块 最多 4 个 FE 端口 70KPPS 2000 条 100,000 连接数 2000 连接数/秒 2000 条 MPC8240 250MHz 128KB 512KB 缺省 128MB 最大 256MB 8MB 442mm 6kg AC 100 240V (50/60Hz) DC -48V -65V AC 2A DC 5A 60W 0 40 10 90% 不结露 46.74 年 44.4mm 413mm 不含脚垫外型尺寸(W H D)表 2 Eudemon100 防火墙业务特性 功能模块 特性说明 局域网 广域网 拨号网络 互连协议 VPN 支 持 Ethernet_II 和 Ethernet_SNAP Protocol 子网接入协议 帧结构 支持 PPP 及 PPPOE 支持按需拨号 支持二层隧道协议 L2TP 实现 VPDN (Virtual Private Dialup Network,虚拟专用拨入网) 支持 DNIS Digital Number Identification Service 数字号码识别业务 用户 域名用户 全 名用户 支持三层隧道协议 GRE Generic Routing Encapsulation 通用 路由封装 支持 IPSec Subnetwork Access华为技术有限公司数据通信产品部9Quidway Eudemon100 防火墙产品概述功能模块特性说明 支持 ARP Address Resolution Protocol 地址解析协议 支持静态域名解析 IP 地址借用 支持 IP 包过滤 IP 服务 支持 IP 快速转发 支持 IP 选项报文 支持 DHCP Dynamic Host Configuration Protocol 动态主机配 置协议 中继 支持 TCP(Transmission Control Protocol,传输控制协议)报文头 IP 性能 压缩 支持静态路由 IP 路由 支持 IP 策略路由 提供组播路由表 实现 ＩＰ 报文组播转发 组播路由 内部设备能收到组播报文 同时也可以加入组播组 提供 PPP Login 登录用户认证 AAA 认 支持 RADIUS 证 授权和 支持本地认证 计费 支持 PAP CHAP 验证 支持 SMTP Simple Mail Transfer Protocol 简单邮件传送协 议 H.323 HTTP Hyper Text Transport Protocol 超级文本 状 态 防 火 传送协议 FTP File Transfer Protocol 文件传送协议 TCP 墙 UDP User Datagram Protocol 用户数据报协议 SMTP 等状 态检测 支持防 DoS 攻击 支持标准访问控制列表 包 过 滤 防 支持扩展访问控制列表 火墙 支持基于接口的访问控制列表 支持基于时间段的访问控制列表 支持局域网内用户使用地址池中的 IP 地址访问外部网络 支持利用访问控制列表控制地址转换 支持直接利用接口的地址进行地址转换 Easy IP 支持外部网络主机访问内部的服务器 支持地址转换的有效时间 NAT 支持 H.323 支持 ICMP 支持 DNS 协议 支持 NetMeeting 支持 NBT NetBios over TCP 支持终端访问安全 用户分级保护 EXEC 用户登录认证 支持 IPSec 提供隧道 传输两种封装模式 支持 AH 和 ESP 安 数据安全 全认证 支持 IKE 自动协商安全密钥并建立安全联盟 支持 VRRP 虚拟路由器容错协议网络协议网络安全网络可靠 热备份 性华为技术有限公司数据通信产品部10功能模块 特性说明流量分类和流量监管 支持CAR ºÍ±¨ÎÄÓÅÏȼ¶物理接口限速限制物理接口发送报文的总速率流量整形利用缓冲区和令牌桶通用流量整形先进先出队列优先级队列定制队列加权公平队列ＱｏＳ加权随机早期检测实现基于流的拥塞避免命令行接口通过Console 口未授权用户无法侵入设备提供详尽的调试信息如tracert ѸËÙÕï¶ÏÍøÂçÊÇ·ñÕý³£提供日志功能 配置管理终端服务网络管理支持SNMP v3115200bps,缺省9600bps 115200bps,缺省9600bps配置指南主机选配表4 Eudemon100 防火墙主机选购一览表 描述 数量 备注 防火墙主机1 必配(1) 扩展快速以太网接口板2 选配 扩展SDRAM128M选配电缆选配表5 Eudemon100 防火墙线缆选购一览表 项目描述 数量 备注 标准网线 2 选配 配置口电缆 1 必配 备份口电缆 1 必配 交流电源线 1 选配 直流电源线1选配项目描述数量备注接地线 1 必配。

HUAWEI TECHNOLOGIES CO., LTD.Burgeoning services such as high-speed Internet access, video, and media stream lead to the rocketing of network traffic and ever-increasing service requirements of large organizations, intranets, and data centers in the 10-Gigabit epoch. New applications emerge and occupy the fixed ports of traditional services, making traditional port-dependent firewalls inadequate to cope with such applications. For the sake of illegal profits, hacker attacks and malware are spreading at will. Under this background, false positive and false negative are frequently seen in traditional traffic-based attacks. IT administrators find it difficult to deal with so many problems; therefore, large organizations, intranets, and data centers have to be confronted with such predicaments:How to select a cost-effective product to deal with ever- •increasing service requirements at present and in the future?How to block abuse and provide sufficient bandwidths for mission-•critic applications in the case of so many new applications?How to deal with flooding worms, effectively protecting intranets •and securing office environments?With in-depth understanding of service and customer requirements, Huawei launches its Eudemon1000E-X series. This series employs the new 10-Gigabit multi-core hardware platform and constructs a more high-speed network with no delay for processing mass services. By integrating advanced Symantec intrusion prevention and anti-virus technologies, it delivers content security protection and builds a secure network; with Huawei industry-leading deep packet inspection (DPI) technology, it manages thousands of application programs subtly and provides an effective network. All in all, the Eudemon1000E-X series brings "continuous, cost-effective, and secure" network experiencefor large organizations, intranets, and data centers.Eudemon1000E-X3Eudemon1000E-X5Eudemon1000E-X6Highlights10-Gigabit Multi-Core Hardware PlatformProminent performance, realizing mass service processing ■Provides 15G firewall throughput, 200,000 new connections •per second, 4,000,000 concurrent connections, and 15,000 concurrent VPN tunnels.Supports high-capacity NAT.•High-density 10G interfaces, suiting different application ■scenariosDelivers 64 Gigabit+14 x 10-Gigabit high-density interfaces. •Super-long mean time between failures (MTBF), safeguarding ■service continuitySupplies redundant key components and mature link conversion. •Provides built-in bypass cards for both optical and electrical links. •Relies on a stable software platform for over 10 years' •commercial use, and more than 100,000 devices concurrently online in the world.1Refined Management over Thousands of Application Programs, Building an Efficient NetworkWide application identification, providing visibility into the ■applications running on your networkPossesses 150 application identification experts, and over 850 •identifiable categories.Massive Web site categories, constructing a green Internet ■access environmentEquips with 65 million Web sites and over 130 content •categories, blocking Trojan horse-embedded and phishing Web sites, isolating pornographic and gambling Web sites, and preventing employees against maloperations.Refined application management, creating an efficient ■working networkOffers multi-dimensional control measures specific to time, •application, user, bandwidth, and connection number, effectively providing bandwidths for mission-critic applications, improving bandwidth usage and working efficiency, and making P2P/IM//Web sites at your mercy.Professional Content Security Defense, Providing a Secure NetworkIndustry-leading anti-virus engine with 99% high identification ■accuracyBases on Symantec accumulative anti-virus technologies, •adopts the anti-virus engine with file-level content scanning, combines the globally leading emulation environment and virtual execution technology, provides a 99% identification ratio, and gains good reputation from the international assessment organization.Dedicated vulnerability patching, making transformation ■illuminatedMaintains and updates the huge signature database by the •traditional attack code-based defense mode due to the transformation of attack types, which imposes overload on the IPS engine and leads to low detection performance and high false negative and false positive ratios. The Eudemon1000E-X is backed by advanced Symantec vulnerability defense technology and delivers virtual patches for vulnerabilities (not attack code), disabling various attacks from transforming.Real-time update by a professional team, realizing zero-day ■attack defenseSupplies the honeynet system deployed globally together •with a professional team of over 300 experts to keep tracking the latest, hottest, and most dangerous system and software vulnerabilities, and to defend against zero-day attacks quickly.One-Key Configuration, Freeing You from Complicated Policy OptimizationGUI, a farewell to CLI■Delivers the Web page–based configuration and management, •visualized and simple.Professional configuration wizard, simplifying policy configuration ■Provides a professional configuration wizard for each independent •service.One-key enabling of IPS and anti-virus, reducing maintenance ■workloadBuilds the IPS/anti-virus rule base, with a 99% detection •ratio, which can be directly enabled without commissioning. Therefore, administrators are freed from time-consuming, strenuous, and complicated policy optimization, and quick deployment comes true, that is, plug and play.Application ScenariosNetwork Isolation and VPN InterconnectionCustomer challenges■Because user networks reside in different network areas, •problems such as unclear borders, improper access control management, and disordered mutual access may occur. When branches and mobile employees communicate with the headquarters, data may be intercepted or tampered.Solution strengths ■Delivers 15G processing performance, avoiding the bottleneck •of border deployment.Divides security zones on demand, clearly planning network •borders.Provides the flexible packet filtering policies, accurately •controlling mutual access.Comes with 15,000 concurrent VPN tunnels, 7G VPN •encryption and decryption capabilities, ensuring mass secure interconnection and securing data communication.2External Threat PreventionCustomer challenges■Coming along with the abundant Internet resources are •threats such as DDoS attacks, malicious intrusions, and viruses.Solution strengths■Supplies 200,000 new connections per second and 4,000,000•concurrent connections, easily coping with millions of DDoS attack packets per second.Empowered by advanced IPS and anti-virus technologies •of Symantec as well as vulnerability-based and abundant signature database, ensuring near-zero false positives and negatives, and a detection ratio of higher than 99%; providespowerful security defense against diversified security threats.Office networkOnline Behavior ManagementCustomer challenges■None-work-related Internet surfing, P2P download, online •games, and stock transaction waste bandwidths for business, reduce productivity, and increase the risks of potential malicious code and hacker attacks.Solution strengths■Provides over 850 identifiable application categories, providing•visibility into the applications running on your network.Equips with 65 million Web sites, blocking Trojan horse- •embedded and phishing Web sites, isolating pornographic and gambling Web sites, and preventing employees against maloperations.Offers multi-dimensional control measures specific to the •time, application, user, and bandwidth, effectively providing bandwidths for mission-critic applications, improving working efficiency, and making P2P/IM//Web sites at your mercy.P2POffice networkProduct Specifications456Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.General DisclaimerThe information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factorsthat could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such informationis provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.HUAWEI TECHNOLOGIES CO., LTD.Huawei Industrial BaseBantian LonggangShenzhen 518129, P.R. ChinaTel: +86-755-28780808 Version No.: M3-110019999-20110805-C-1.0。

HiSecEngine Eudemon1000E-F Series AI FirewallsOverviewThe Eudemon1000E-F is a new series firewall developed by Huawei to meet the needs of carriers, enterprises, and next-generation data centers. It combines industry-leading security technologies such as access control, intrusion prevention (IPS), antivirus (AV), URL filtering, anti-spam, and data loss prevention with rich security, robust processing and carrier-class reliability. Inheriting the Eudemon series' outstanding firewall, VPN, and routing features, it helps you build a fast, efficient, and secure network.Product HighlightsComprehensive and Integrated Protection⚫Integrates the traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, URL filtering, and online behavior management functions all in one device.⚫Implements refined bandwidth management based on applications and websites, preferentially forwards key services, and ensures bandwidth for key services.⚫Comes with an antivirus content-based detection engine (CDE) powered by intelligence technologies that helps detect unknown threats, and provides in-depth data analysis to gain insight into threat activities and quickly detect malicious files, effectively improving the threatdetection rate.Easy Security Management⚫Rapidly deploys security policies using scenario-specific templates.⚫Complies with the minimum permission control principle and automatically generates policy tuning suggestions based on network traffic and application risks.⚫Analyzes the policy matching ratio and discovers redundant and invalid policies to remove policies and simplify policy management.⚫Supports Huawei SecoManager to achieve a unified configuration, management and maintenance of all devices.High Performance⚫Uses the network processing platform, improving forwarding performance significantly.⚫Enables pattern matching and accelerates encryption/decryption, improving the performance for processing IPS, antivirus, and IPSec services. High Port Density⚫The device has multiple types of interfaces, such as 100G,40G, 10G, and 1G interfaces. Services can be flexibly expanded without extra interface cards.Note: The interface types supported by different models vary. For details, see the specification table.DeploymentExternal Threat Prevention⚫Coming along with the abundant Internet resources are threats such as DDoS attacks, maliciousintrusions, and viruses.⚫The capabilities of supporting large numbers of concurrent connections and new connections persecond help to combat the numerous DDoS attacks.Empowered by advanced IPS and antivirustechnologies as well as vulnerability-based andreal-time updated signature database, theEudemon1000E-F series implements near-zerofalse positives and negatives and a detection ratio of higher than 99%; defends against diversifiedthreats from the Internet, and ensures the security of the intranet . Network Isolation and VPN Interconnection⚫Network areas are not clearly divided, access control is insufficient, and the data transmittedbetween mobile employees or branches and theheadquarters is likely to be intercepted or tampered with.⚫Delivers high throughput to avoid bottleneck at network borders, supports security zones to clearly divide networks, offers flexible packet filteringpolicies to accurately control communication, and encapsulates and checks packets of VPN users to ensure the security of data communication.HackerMalwareInternetEudemonDatacenterBranchInternetHeadquartersUserIPSec VPNSSL VPNEudemonHardwareSoftware FeaturesFeature DescriptionIntegrated protection Integrates firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, anti-DDoS, URL filtering, and anti-spam functions. Provides a global configuration view, and manages policies in a unified manner.Application identification and control Identifies over 6000 applications and supports the access control granularity down to application functions. The firewall combines application identification with intrusion detection, antivirus, and data filtering, improving detection performance and accuracy.Intrusion prevention and web protection Accurately detects and defends against vulnerability-specific attacks based on up-to-date threat information. The firewall can defend against web-specific attacks, including SQL injection and XSS attacks.Antivirus Supports intelligent antivirus engine that helps detect hundreds of millions of virus variants.Bandwidth management Manages per-user and per-IP bandwidth in addition to identifying service applications to ensure the network access experience of key services and users. Control methods include limiting the maximum bandwidth, ensuring the minimumbandwidth, and changing application forwarding priorities.Eudemon1000E-F15/F25Eudemon1000E-F35/F55/F85Eudemon1000E-F125Eudemon1000E-F205Feature DescriptionURL filtering Supports remote query for URL categories. The URL category database contains over 140 million URL categories. URL category query servers are deployed globally to offer high-speed, low-latency category query services and meet the regulatory requirements of different countries and regions. URL category filtering can implement URL access control for users or groups based on information such as users or groups, time ranges, and security zones, accurately managing users' online behaviors.Intelligent uplink selection Supports service-specific PBR and intelligent uplink selection based on multiple load balancing algorithms (for example, based on bandwidth ratio and link health status) in multi-egress scenarios.VPN encryption Supports multiple highly available VPN features, such as IPSec VPN, SSL VPN, and GRE, as well as multiple encryption algorithms, such as DES, 3DES, AES, and SHA.Anti-DDoS Defends against more than 10+types of common DDoS attacks, including SYN flood and UDP flood attacks.Security virtualization Supports virtualization of multiple types of security services, including firewall, intrusion prevention, antivirus, and VPN. Users can separately conduct personal management on the same physical device.Security policy management Controls traffic based on the 5-tuples, security zone, application, and time range, and implements integrated content security detection.Uses predefined templates for common attack defense scenarios to rapidly deploy security policies, reducing learning costs.Diversified reports Provides visualized and multi-dimensional report display by user, application, content, time, traffic, threat, and URL.Routing Supports multiple types of routing protocols and features, such as RIP, OSPF, BGP, IS-IS, RIPng, OSPFv3, BGP4+, and IPv6 IS-IS.Deployment and reliability Supports transparent, routing, and hybrid working modes and high availability (HA), including the Active/Active and Active/Standby modes.SpecificationPerformance and Capability Eudemon1000E-F15Eudemon1000E-F25 IPv4 Firewall Throughput1(1518/512/64-byte, UDP)15/15/15 Gbit/s25/25/25 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)15/15/15 Gbit/s25/2525 Gbit/s Firewall Throughput(Packet per Second)22.5 Mpps37.5 M pps Firewall Latency (64-byte, UDP)18 µs18 µsFW + SA* Throughput28Gbps12Gbps NGFW Throughput36Gbps10Gbps NGFW Throughput(Enterprise Mix)4 4.6Gbps 4.6Gbps Threat Protection Throughput (Enterprise Mix)54Gbps4Gbps Concurrent Sessions (HTTP1.1)110,000,00010,000,000 New Sessions/Second (HTTP1.1)1250,000250,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)10 Gbit/s15 Gbit/s Maximum IPSec VPN Tunnels (GW to GW)15,00015,000 Maximum IPSec VPN Tunnels (Client to GW)15,00015,000SSL VPN Throughput6 1 Gbit/s 1.5 Gbit/s Concurrent SSL VPN Users (Default/Maximum)100/2000100/2000 Security Policies (Maximum)40,00040,000 Virtual Firewalls 10001000URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/StandbyPerformance and CapabilityNote:1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS,and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.Hardware Specification Eudemon1000E-F15Eudemon1000E-F25 Dimensions (H x W x D) mm43.6 x 442 x 420Form Factor/Height1UFixed Interface8*GE COMBO + 4*GE(RJ45) + 4*GE(SFP)+ 6*10GE(SFP+)USB Port 1 x USB 3.0 portsWeight (Empty Configuration) 6.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption222WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower Supplies Dual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD);5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Noise Maximum value < 72 DbaHardware SpecificationSpecificationPerformance and Capability Eudemon1000E-F35Eudemon1000E-F55Eudemon1000E-F85IPv4 Firewall Throughput1(1518/512/64-byte, UDP)35/35/35 Gbit/s50/50/40 Gbit/s80/80/40 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)35/35/25 Gbit/s50/50/25 Gbit/s80/80/25 Gbit/s Firewall Throughput(Packet per Second)52.5 Mpps60 Mpps60 M pps Firewall Latency (64-byte, UDP)18 µs18 µs18 µsFW + SA* Throughput218Gbps25Gbps25Gbps NGFW Throughput312Gbps18Gbps18Gbps NGFW Throughput (Enterprise Mix)48Gbps8Gbps8Gbps Threat Protection Throughput (Enterprise Mix)57Gbps7Gbps7Gbps Concurrent Sessions (HTTP1.1)120,000,00020,000,00025,000,000 New Sessions/Second (HTTP1.1)1500,000500,000750,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)20 Gbit/s30 Gbit/s30Gbit/s Maximum IPSec VPN Tunnels (GW to GW)200002000020000 Maximum IPSec VPN Tunnels (Client to GW)200002000020000 SSL VPN Throughput6 3 Gbit/s 3 Gbit/s 5 Gbit/s Concurrent SSL VPN Users (Default/Maximum)50005000100/5000 Security Policies (Maximum)60,00060,00060000 Virtual Firewalls 100010001000 URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/Standby Performance and CapabilityHardware SpecificationEudemon1000E-F35Eudemon1000E-F55Eudemon1000E-F85Dimensions (H x W x D) mm43.6 x 442 x 420Form Factor/Height1UFixed Interface 8*GE COMBO + 4*GE(RJ45)+ 10*10GE(SFP+)USB Port 1 x USB 3.0 portsWeight (Empty Configuration)7.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption242WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower SuppliesDual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD); 5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD)Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD)Noise Maximum value < 72 DbaHardware SpecificationNote :1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.SpecificationPerformance and Capability Eudemon1000E-F125Eudemon1000E-F205 IPv4 Firewall Throughput1(1518/512/64-byte, UDP)160/160/80 Gbit/s240/240/120 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)160/120/50 Gbit/s240/200/75 Gbit/s Firewall Throughput(Packet per Second)120 M pps180 M pps Firewall Latency (64-byte, UDP)35 µs35 µsFW + SA* Throughput250Gbps75Gbps NGFW Throughput336Gbps54Gbps NGFW Throughput(Enterprise Mix)416Gbps24Gbps Threat Protection Throughput (Enterprise Mix)514Gbps21Gbps Concurrent Sessions (HTTP1.1)150,000,00075,000,000New Sessions/Second (HTTP1.1)11,500,0002,250,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)45Gbit/s65Git/s Maximum IPSec VPN Tunnels (GW to GW)4000060000 Maximum IPSec VPN Tunnels (Client to GW)4000060000SSL VPN Throughput610 Gbit/s12 Gbit/s Concurrent SSL VPN Users (Default/Maximum)100/10000100/15000 Security Policies (Maximum)6000060000Virtual Firewalls 10001000URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/StandbyPerformance and CapabilityNote:1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.Hardware Specification Eudemon1000E-F125Eudemon1000E-F205 Dimensions (H x W x D) mm43.6 x 442 x 600Form Factor/Height1UFixed Interface 2*100GE(QSFP28) + 2*40G(QSFP+)+8*25(ZSFP+) + 20*GE(SFP+)14*100GE(QSFP28) +16*25GE(ZSFP+) + 8*GE(SFP+)2USB Port 1 x USB 3.0 portsWeight (Empty Configuration) 6.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption222WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower Supplies Dual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD);5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Noise Maximum value < 72 DbaHardware SpecificationNote:1. Some 100GE interfaces and 25GE interfaces of Eudemon1000E-F125 are mutually exclusive.2. Some 100GE interfaces and 25GE interfaces of Eudemon1000E-F205 are mutually exclusive.Order InformationProductEudemon1000E-F15-AC Eudemon1000E-F15 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 AC power supply) Eudemon1000E-F15-DC Eudemon1000E-F15 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 DC power supply) Eudemon1000E-F25-AC Eudemon1000E-F25 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 AC power supply) Eudemon1000E-F25-DC Eudemon1000E-F25 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 DC power supply) Eudemon1000E-F35-AC Eudemon1000E-F35 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F35-DC Eudemon1000E-F35 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F55-AC Eudemon1000E-F55 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F55-DC Eudemon1000E-F55 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F85-AC Eudemon1000E-F85 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F85-DC Eudemon1000E-F85 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F125-AC Eudemon1000E-F125 AC Host (2*QSFP28 + 2*QSFP+ + 8*ZSFP+ + 20*SFP+, 2 AC power supplies) Eudemon1000E-F125-DC Eudemon1000E-F125 DC Host (2*QSFP28 + 2*QSFP+ + 8*ZSFP+ + 20*SFP+, 2 DC power supplies) Eudemon1000E-F205-AC Eudemon1000E-F205 AC Host (4*QSFP28 + 16*ZSFP+ + 8*SFP+, 2 AC power supplies)Eudemon1000E-F205-DC Eudemon1000E-F205 DC Host (4*QSFP28 + 16*ZSFP+ + 8*SFP+, 2 DC power supplies)SSL VPN LicenseLIC-E1KF-SSLVPN-100Quantity of SSL VPN Concurrent Users(100 Users)LIC-E1KF-SSLVPN-200Quantity of SSL VPN Concurrent Users(200 Users)LIC-E1KF-SSLVPN-500Quantity of SSL VPN Concurrent Users(500 Users)LIC-E1KF-SSLVPN-1000Quantity of SSL VPN Concurrent Users(1000 Users)LIC-E1KF-SSLVPN-2000Quantity of SSL VPN Concurrent Users(2000 Users)LIC-E1KF-SSLVPN-5000Quantity of SSL VPN Concurrent Users(5000 Users)VSYS LicenseLIC-E1KF--VSYS-10Quantity of Virtual Firewall (10 Vsys)LIC-E1KF--VSYS-20Quantity of Virtual Firewall (20 Vsys)LIC-E1KF--VSYS-50Quantity of Virtual Firewall (50 Vsys)LIC-E1KF--VSYS-100Quantity of Virtual Firewall (100 Vsys)LIC-E1KF--VSYS-200Quantity of Virtual Firewall (200 Vsys)LIC-E1KF--VSYS-500Quantity of Virtual Firewall (500 Vsys)LIC-E1KF--VSYS-1000Quantity of Virtual Firewall (1000 Vsys)Threat Protection LicenseLIC-E1KE-Fxx-IPS-1YIPS Update Service Subscribe 12 MonthsLIC-E1KE-Fxx-IPS-3YIPS Update Service Subscribe 36 MonthsLIC-E1KE-Fxx-AV-1YAV Update Service Subscribe 12 MonthsLIC-E1KE-Fxx-AV-3YAV Update Service Subscribe 36 MonthsLIC-E1KE-Fxx-URL-1YURL Remote Query Service Subscribe 12MonthsLIC-E1KE-Fxx-URL-3YURL Remote Query Service Subscribe 36MonthsLIC-E1KE-Fxx-TP-1Y-OVSThreat Protection Subscription 12 MonthsLIC-E1KE-Fxx-TP-3Y-OVSThreat Protection Subscription 36 MonthsLIC-E1KE-F-CONTENTContent Security Group FunctionAbout This PublicationThis publication is for reference only and shall not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.For more information, visit /en/products/enterprise-networking/security. Copyright©2021 Huawei Technologies Co., Ltd. All rights reserved.Huawei Technologies Co., Ltd.Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129, People's Republic of ChinaWebsite: Tel: 4008302118Page 7。

华为Eudemon防火墙-详细配置配置各接口IP地址、网络参数、缺省路由。

Eudemon防火墙连接Trust、DMZ和Untrust三个安全区域，因此需要配置相关连接接口的IP地址、链路层、网络层、路由的参数，从而实现Eudemon网络层与其他设备互通。

# 配置Eudemon防火墙Ethernet0/0/0接口的IP地址。

[Eudemon] interface ethernet 0/0/0[Eudemon-Ethernet0/0/0] ip address 10.110.1.11 255.255.255.0[Eudemon-Ethernet0/0/0] quit# 配置Eudemon防火墙Etherent1/0/0接口的IP地址。

外网[Eudemon] interface ethernet 1/0/0[Eudemon-Ethernet1/0/0] ip address 202.38.160.1 255.255.0.0[Eudemon-Ethernet1/0/0] quit# 配置Eudemon防火墙Etherent2/0/0接口的IP地址。

[Eudemon] interface ethernet 2/0/0[Eudemon-Ethernet2/0/0] ip address 10.110.5.11 255.255.255.0[Eudemon-Ethernet2/0/0] quit# 配置Eudemon防火墙到达Internet的缺省路由。

[Eudemon] ip route-static 0.0.0.0 0.0.0.0 202.38.160.15 到外网网关[Eudemon] ip route-static 10.110.1.0 255.255.255.0 10.110.1.2 到三层第三步：创建或配置安全区域，为安全区域增加隶属接口。

Eudemon防火墙三个Ethernet接口分别连接Trust、DMZ和Untrust三个系统保留的安全区域，因此仅需要为安全区域增加隶属的接口即可。

Eudemon防火墙双机热备业务特性与配置Eudemon防火墙是华为公司推出的一款高性能、高可靠性的网络安全设备。

在网络架构中，防火墙是非常重要的部分，其主要作用是监控和控制数据流量，保护网络安全。

而双机热备技术则是防火墙设备中的一项重要功能，能够在主设备故障的情况下，自动进行切换，保障网络的连续性和可靠性。

Eudemon防火墙的双机热备技术具有以下几个特性：1、高可用性：双机热备技术使得主备设备之间的状态保持实时同步，当主设备发生故障时，备设备可以立即接管主设备的工作，保证网络的持续运行。

2、高性能：双机热备技术采用硬件加速和负载均衡技术，可以将数据流量均匀地分发到主备设备上进行处理，提高防火墙的处理能力和响应速度。

3、灵活的部署方式：双机热备技术支持主备设备的本地部署和远程部署，可以根据实际情况进行选择，灵活满足不同网络环境的需求。

4、恢复能力强：双机热备技术具备自动切换和自动恢复功能，当主设备恢复正常运行时，能够自动将工作从备设备切换回主设备，实现系统的自动恢复和平滑过渡。

5、稳定可靠：双机热备技术采用了多种冗余设计，包括硬件冗余、软件冗余和数据冗余等，可以有效地提高防火墙的稳定性和可靠性，有效避免单点故障的发生。

对于Eudemon防火墙双机热备的配置，可以按照以下步骤进行：1、设备连接和初始化：将主备设备之间进行物理连接，确保两者之间的网络畅通，然后进行设备的初始化配置，包括设置IP地址、子网掩码、网关等，以及进行设备的授权和许可证的导入。

2、主备设备的信息同步：在主备设备之间进行信息同步，包括配置文件、路由表、状态信息等。

这是保证主备设备之间能够实时同步状态的基础。

3、配置双机热备功能：在主设备上开启双机热备功能，并设置备设备的优先级，配置主备设备的心跳检测参数，以便能够实时监测主备设备的状态。

4、测试和验证：在配置完成后，进行测试和验证，包括主备设备之间的切换测试、数据流量的负载均衡测试等，确保双机热备功能的正常运行和可靠性。

华为技术有限公司华为Eudemon1000E-N 下一代防火墙华为Eudemon1000E-N 下一代防火墙产品特点精准的应用访问控制•全面创新的下一代环境感知和访问控制。

通过应用、内容、时间、用户、威胁和位置6个维度的组合，全局感知日益增多的应用层威胁，实现应用层安全防护。

•丰富的报表将业务状态、网络环境、安全态势、用户行为等可视化展现，让用户全方位感知，安全运营。

•安全能力与业务感知深度融合，防范借助应用进行的恶意代码植入、网络入侵等破坏行为。

简单的安全管理•根据应用场景提供策略模板，实现策略快速部署。

•根据网络中的实际流量和应用的风险，遵循最小权限控制原则，自动生成策略优化建议。

•分析策略命中率，发现冗余、失效的策略，有效控制策略规模，简化管理。

高性能全面威胁防护•功能全面，兼具防火墙、VPN 、入侵防御、防病毒、带宽管理、URL 过滤、Anti-DDoS 等全面的安全功能。

•专用软硬件平台架构，IAE 单次解析引擎。

智能感知应用信息后，各安全特性并行处理。

•内容检测硬件加速，提升应用层防护效率，保障安全特性开启下的最佳性能。

•联动沙箱，高效发现未知威胁，有效防范零日攻击。

产品概述Eudemon1000E-N 系列下一代防火墙是华为公司面向运营商、企业和下一代数据中心推出的新一代安全网关产品。

它集大容量交换与专业安全于一体，融合了访问控制、IPS 、AV 、URL 过滤、邮件过滤等行业领先的专业安全技术，可精细化管控超过6000种网络应用。

同时传承了Eudemon 产品族优异的防火墙、VPN 及路由特性，为用户打造更高速、更高效、更安全的网络。

Eudemon1000E-N6Eudemon1000E-N3/N5Eudemon1000E-N7/N7E Eudemon1000E-N 下一代防火墙产品规格* 在直流电源下，Eudemon1000E-N7E最多只能扩展不含X2G8GE在内的3块WSIC卡或扩展含X2G8GE在内的2块WSIC卡。

华为Eudemon1000E-F系列AI防火墙（盒式）数字化浪潮正在席卷全球，广泛的连接、爆炸式增长的数据以及蓬勃发展的智能应用正在深刻改变人类的生活和工作方式，运营商业务的数字化和云服务化推动着网络的变革，同时也给网络安全带来了更大的挑战：威胁增多，未知威胁变异加快且隐蔽度高；用户对安全业务需求逐渐增长，性能和时延成为瓶颈；海量的安全策略和日志，威胁处置和运维耗时巨大。

防火墙作为网络边界的“第一道门”是当前安全防护的首选，然而传统防火墙通常只能基于签名实现威胁的分析和阻断，该方法对未知威胁无有效的处置方法，同时威胁的实效依赖运维人员的专业度。

这种单点、被动、事中防御的方式已经不能有效的解决未知威胁攻击，对于隐匿于加密流量中的威胁更是难以有效的识别。

终端接入城域&回传核心骨干&关口局云业务产品图华为Eudemon1000E-F35/Eudemon1000E-F55/Eudemon1000E-F85华为Eudemon1000E-F125华为Eudemon1000E-F205华为Eudemon1000E-F15/Eudemon1000E-F25华为推出Eudemon1000E-F系列AI防火墙，通过全新软硬件架构，打造具备智能防御、卓越性能、极简运维三大关键能力的新一代AI防火墙，有效应对挑战。

Eudemon1000E-F系列使用智能技术赋能边界防御，精准阻断已知和未知威胁；内置多个安全专用加速引擎有效提升转发、内容安全检测、IPSec等关键业务处理性能；通过安全运维平台实现防火墙、入侵防御、抗DDoS等多类安全产品的统一管理和运维，降低安全运维OPEX。

华为HiSecEngine Eudemon1000E-F系列AI防火墙（盒式）华为HiSecEngine Eudemon1000E-F 系列AI 防火墙（盒式）10-3产品亮点•全新软硬件架构，大幅提升防火墙业务处理能力卓越性能•网络边缘威胁实时处置，未知威胁检测准确率高达99%以上智能防御•控制器统一纳管，基于业务部署与变更策略，安全运维OPEX 降低80%以上极简运维智能防御Eudemon1000E-F 系列AI 防火墙提供应用识别、入侵防御（IPS ）、反病毒和URL 过滤等内容安全相关的功能，有效保证内网服务器和用户免受威胁的侵害。