Ship to USA and Canada ONLY

Huawei Dater Center Firewalls

Huawei Data Center firewall is purposely built to solve security problems in high performance cloud data center. It is a great combination of high throughput, rich feature and easy management. Huawei USG9500 is the lagship product of Data Center firewalls.

Data center firewall USG9500

Characteristic

Advanced network processor + multi-core CPU + distributed architecture — allowing linear increase of performance

The USG9500 uses a hardware platform that often exists in a core router to provide modularized components. Each interface module has two network processors (NPs) to provide line rate forwarding. The SPU uses multi-core CPUs and a multi-thread architecture, and each CPU has an application acceleration engine. These hardware advantages, combined with Huawei's optimized concurrent processing technology, increases CPU capacity to ensure the high speed parallel processing of multiple services, such as NAT and VPN. LPUs and SPUs function separately. The overall performance increases linearly with the addition of SPUs so that customers can easily scale up the performance at a low cost.

High firewall performance — ensuring mission-critical services

With revolutionized system architecture, the USG9500 security gateway series has the industry's highest firewall throughput and the most concurrent connections. With dedicated traffic splitting technology, the overall performance of the USG9500 increases linearly with the addition of SPUs. The USG9500 delivers a maximum of 960 Gbps large-packet throughput, 960 million concurrent connections, and 4096 virtual firewalls. The industry leading performance can meet the performance demand of high-end customers, such as television and broadcast systems, government agencies, energy companies, and education organizations.

Stable and reliable security gateway — full redundancy ensuring service continuity

Network security is a key point in enterprise operating. To ensure the service continuity on a high-speed network, the USG9500 supports active/standby and active/active redundancy, port aggregation, VPN redundancy, and SPU load balancing. Meanwhile, the USG9500 also supports dual-MPU active/standby switchover to provide high availability. The mean time between failures (MTBF) of the USG9500 is up to 200,000 hours, and the failover time is less than one second. These features ensure the service continuity.

Excellent VPN performance — meeting the needs for massive encryption

More and more services, such as mobile access, short message notification, and push mail, require secure data transmission over the Internet. To meet these needs, a VPN gateway that supports hundreds of thousands of connections is required. The USG9500 supports VPN gateway redundancy, up to 500 Gbps encryption performance, and 960,000 concurrent VPN tunnels, which are industry's highest standards. The USG9500 supports 4over6 and 6over4 VPN technologies to deal with the evolution from IPv4 to IPv6. The USG9500 also supports USG9500 Series

Cloud Data Center Security Gateway 4 IKEv2, provides improved user authentication, packet authentication, and NAT traversal functions, and prevents attacks, such as man-in-the-middle attacks and denial of service (DoS) attacks. The USG9500 also supports Extensible Authentication Protocol for GSM Subscriber Identity Module (EAP-SIM) and Extensible Authentication

Protocol – Authentication and Key Agreement (EAP-AKA) authentication to protect wireless networks.

Practical IPS feature — defending against external threats and promoting network security

The performance of an Intrusion Prevention System (IPS) relies on detection engine performance, signature identification ratio, and processing capacity. With the advanced IPS detection engine and mature signature database, the USG9500 defends against various threats, including unauthorized automatic downloads, spoofing software, spyware/adware, abnormal protocols, P2P anomalies, and exploits that target system vulnerabilities. A single vulnerability-based signature covers thousands of attacks that target at the vulnerability. Supplemented with the globally deployed honeypot system, the USG9500 can capture the latest attacks, worms, and Trojan

horses, thereby providing zero-day attack defense capability. Moreover, to improve real-world IPS performance, the USG9500 uses an internal off-line design and "one board one feature" technology to direct the traffic to be inspected by the IPS to a dedicated module. This method improves IPS performance without compromising basic firewall performance.

Comprehensive CGN Features — addressing the transition from IPv4 to IPv6

The IPv4 addresses are already exhausted and the Internet is smoothly evolving from IPv4 to IPv6. To meet the needs during the transition from IPv4 to IPv6, the USG9500 supports NAT44 (4), DS-Lite, 6RD, and NAT64, thereby providing an effective, flexible, reliable, and cost-effective transition solution for carriers. NAT44 (4) enables the high utilization of IPv4 addresses to prevent the exhaustion of IPv4 addresses; DS-Lite allows the IPv4 application to be used on the newly established IPv6 networks; 6RD provides efficient IPv6 access; and NAT64 enables an IPv6

network to communicate with an IPv4 network. The NAT44 and DS-Lite functions support NAT tracing.

Enriched virtualization — adapting to cloud networks

Cloud computing, which relies on virtualization and high-speed network connection, faces security challenges. The USG9500 delivers high throughput and enriched virtual system functions, including resource, configuration, and management virtualization to meet the requirements of different customers. Resource virtualization manages virtual host resources based on quota, management virtualization supports user-defined policies, log management, and auditing for each virtual firewall, and forwarding virtualization enables customized service processing.

 

Specification

Model USG9520 USG9560 USG9580
Performance and Capacity
Firewall Throughput (maximum)
120 Gbit/s
720 Gbit/s
1,440 Gbit/s
Firewall Throughput (IMIX Traffic)
120 Gbit/s
720 Gbit/s
1,440 Gbit/s
Maximum Number of Concurrent Sessions
120 million
720 million
1.44 billion
IPSec VPN Performance (1,420 Bytes)
84 Gbit/s
336 Gbit/s
720 Gbit/s
Maximum Number of Concurrent IPSec Tunnels
128,000
640,000
1,000,000
IPS Performance
40 Gbit/s
220 Gbit/s
440 Gbit/s
Antivirus Performance
34 Gbit/s
187 Gbit/s
374 Gbit/s
Expansion and I/O
Expansion Slots 3 slots 8 slots 16 slots
Number of MPU Slots 2
Interface Types
GE, 10 GE, 40 GE, and 100 GE interfaces
SPU

Firewall and application security SPUs

Dimensions, Power Supply, and Operating Environment
Dimensions (H x W x D)

175 mm x 442 mm x 650 mm DC

220 mm x 442 mm x 650 mm DC

620 mm x 442 mm x 650 mm 1420 mm x 442 mm x 650 mm
Weight

Vacant chassis: 15 kg, DC

Full configuration: 32 kg, DC

Vacant chassis: 25 kg, AC

Full configuration: 42 kg, AC

Vacant chassis: 43.2 kg

Full configuration: 113 kg

Vacant chassis: 94.4 kg

Full configuration: 229 kg

AC Power Supply 90V AC to 275V AC; 175V AC to 275V AC (recommended)
DC Power Supply -38V to -72V; Rated -48V
Power consumption 1,270W 3,960W 7,540W
Operating Temperature

Long-term: 0 °C to 45 °C

Short-term: -5 °C to +55 °C

Storage: -40 °C to +70 °C

Ambient Humidity

Long-term: 5% RH to 85% RH, non-condensing

Short-term: 5% RH to 95% RH, non-condensing

Storage: 0% RH to 95% RH, non-condensing

Security Functions

Basic Firewall Functions
  • Transparent, routing, and hybrid modes
  • Stateful inspection
  • Blacklist and whitelist
  • Access control
  • Application Specific Packet Filter (ASPF)
  • Security zones
NAT/CGN
  • Destination NAT/PAT
  • NAT NO-PAT
  • Source NAT-IP address persistency
  • Source IP address pool groups
  • NAT Server
  • Bi-directional NAT
  • NAT-ALG
  • Unlimited IP address expansion
  • Policy-based destination NAT
  • Port range allocation
  • Hairpin connections
  • SMART NAT
  • NAT64, DS-Lite, and IPv6 rapid deployment (6RD)
Egress Load Balancing
  • ISP-based routing
  • Intelligent uplink selection
  • Transparent DNS proxy at egress
  • User-based traffic control
  • Application-based traffic control
  • Link-based traffic control
  • Time-based traffic control
Ingress Load Balancing
  • Intelligent DNS at ingress
  • Server load balancing
  • Application-based QoS
Service Awareness Identification and prevention of over 6,000 protocols: 
P2P, IM, game, stock charting/trading, VoIP, video, stream media, email, mobile phone services, Web browsing, remote access, network management, and news applications
Intrusion Prevention System
  • Protocol anomaly detection
  • User-defined signatures
  • Automatic update of the knowledge bases
  • Zero-day attack defense
  • Prevention of worms, Trojan horses, and malware attacks
URL Filtering
  • URL database of 85 million URLs
  • 130+ URL categories
  • Trend and top N statistics based on users, IP addresses, categories, and counts Query of URL filtering logs
Antivirus
  • Detection of 5 million viruses
  • Flow-based inspection for higher performance
  • Inspection of encrypted traffic
  • Trend and top N statistics by virus family
VPN
  • DES, 3DES, and AES encryption
  • MD5 and SHA-1 authentication
  • Manual key, PKI (X509), and IKEv2
  • Perfect forward secrecy (DH group)
  • Anti-replay
  • Transport and tunnel modes
  • IPSec NAT traversal
  • Dead Peer Detection (DPD)
  • EAP authentication
  • EAP-SIM, EAP-AKA
  • VPN gateway redundancy
  • IPSec v6, IPSec 4 over 6, and IPSec 6 over 4
  • L2TP tunnel
  • GRE tunnel
PKI
  • Online CA certificate enrollment
  • Online CRL check
  • Hierarchical CA certificates
  • Support for public-key cryptography standards (PKCS#10 protocol)
  • CA certificate
  • Support for SCEP, OCSP, and CMPv2 protocols
  • Self-signed certificates
Anti-DDoS Features
  • Prevention of SYN, ICMP, TCP, UDP, and DNS floods
  • Prevention of port scan, Smurf, teardrop, and IP sweep attacks
  • Prevention of attacks exploiting IPv6 extension headers
  • TTL detection
  • TCP-mss detection
  • Attack logs
Networking/Routing
  • Support for POS, GE, and 10 GE interfaces
  • DHCP relay/server
  • Policy-based routing
  • IPv4/IPv6 dynamic routing protocols, such as RIP, OSPF, BGP, and IS-IS
  • Interzone/inter-VLAN routing
  • Link aggregation, such as Eth-trunk and LACP
High Availability
  • Active/active and active/standby modes
  • Hot standby (Huawei redundancy protocol)
  • Configuration synchronization
  • Firewall and IPSec VPN session synchronization
  • Device fault detection
  • Link fault detection
  • Dual-MPU switch-over
Virtual System
  • Up to 4,096 Virtual Systems (VSYS)
  • VLAN on virtual systems
  • Security zones on virtual systems
  • User-configurable resources on virtual systems
  • Inter-virtual system routing
  • Virtual system-specific Committed Access Rate (CAR)
  • Separate management of virtual systems
Management
  • Web UI (HTTP/HTTPS)
  • CLI (console, remote login, and SSH)
  • U2000/VSM network management system
  • Hierarchical administrators
  • Software upgrade
  • Configuration rollback
  • STelnet and SFTP
Logging/Monitoring
  • Structured system logs
  • SNMPv2
  • Binary logs
  • Traceroute
  • Log server (eLog)
Certification
  • Safety certification
  • Electro Magnetic Compatibility (EMC) certification
  • CB, Rohs, FCC, MET, C-tick, and VCCI certification
User Authentication and Access Control
  • Built-in (internal) database
  • RADIUS accounting
  • Web-based authentication

Ordering Information

Host
USG9520-BASE-AC-51
USG9520 AC Standard Configuration (includes X3 AC Chassis and 2 x MPU)
USG9520-BASE-DC-51
USG9520 DC Standard Configuration (includes X3 DC Chassis and 2 x MPU)
USG9560-BASE-DC-51
USG9560 DC Basic Configuration (include X8 DC Chassis, 2 x SRU, and 1 x SFU)
USG9580-BASE-DC-51
USG9580 DC Standard Configuration (includes X16 DC Chassis, 2 x MPU, and 4 x SFU)

USG9500 SPUs
SPU-X3-40-E8KE
40G X3 Firewall Service Processing Unit
SPU-X8X16-80-E8KE
80G X8 & X16 Firewall Service Processing Unit
SPC-S-40-E8KE
40G Firewall Processing Card
SPC-D-80-E8KE
80G Firewall Processing card
SPC-APPSEC-FW
Application Security Service Processing Card

USG9500 Flexible Line Processing Units
E8KE-X-LPUF-101
Flexible Card Line Processing Unit (LPUF-101, 4 sub-slots)
E8KE-X-101-1X40GE-CFP
1-Port 40G Base LAN CFP Flexible Card (P101, 1/2 wide, occupies 2 sub-slots)
E8KE-X-101-5X10GE-SFP+
5-Port 10G Base LAN/WAN-SFP + Flexible Card A (P101, 1/2 wide, occupies 2 sub-slots) Spare Part
E8KE-X-101-24XGE-SFP
24-Port 100/1,000 Base-X-SFP Flexible Card (P101, 1/2 wide, occupies 2 sub-slots)
FW-LPUF-120
120G Line Processing Unit
FW-LPUF-240
Flexible Card Line Processing Unit (LPUF-240, 2 sub-slots) Spare Part
FW-6X10G-SFP+
6-Port 10G Base LAN/WAN-SFP + Flexible Card A Spare Part
FW-1X100G-CFP
1 x 100 GE CFP Daughter Card
FW-12X10G-SFP+
12-Port 10G Base LAN/WAN-SFP + Flexible Card A (P120-A) Spare Part
E8KE-X-101-1X100GE-CFP
1-Port 100G Base-CFP Integrated Line Processing Unit (LPUI-101)