HUAWEI NGFW Security Software Datasheet
Precise and Comprehensive Protection

In addition to all the functions of conventional firewalls, Huawei NGFW also provides more advanced security functions, such as IPS and anti-malware functions, to identify applications and prevent application-layer threats. Huawei NGFW provides a global context awareness architecture for granular controls based on application, content, time, user, attack, and location (ACTUAL). The innovative SmartPolicy technology and management interfaces that can be easily integrated simplify O&M management. The Intelligence Awareness Engine (IAE) uses an integrated architecture to balance security and performance. Huawei NGFW provides next-generation security featuring comprehensive protection, granular control, and O&M simplicity to meet the requirements of enterprise networks on access control, scope of protection, usability, and performance in the new ICT landscape.

Comprehensive security and trustworthy capability
With professional content security functions, such as application identification, IPS, antivirus, and DLP, Huawei NGFW provides comprehensive and integrated protection to reduce both network security risks and management costs. Huawei NGFW's security capability has been tested by trustworthy third-party organizations in the industry, such as CC, ICSA, and NSS Labs, and has earned the "Recommended" rating of NSS Labs for its outstanding and industry-leading 98.1% overall security effectiveness and 99.95% live network threat detection rate.

Powerful knowledge base and diverse reports
The integrated inspection mechanism, preinstalled signature database, and powerful IAE accurately identify over 6300 applications and distinguish different functions of applications, and the knowledge base can be constantly updated to keep current on emerging threats. The diverse reports provide visibility into service status, network environment, security postures, and user behaviors.
Meanwhile, the web UI allows administrators to quickly view and understand the activities and threats on networks in real time.

Efficient and reliable platforms
Huawei has many years of experience in the design and manufacturing of carrier-class products, such as carrier-class hardware and the proprietary VRP network operating system, which are used in NGFW products to provide carrier-class high availability in hardware, software, and links. The proprietary high-performance IAE and the automatic analysis and signature extraction platform can quickly react to emerging threats to provide timely, accurate, and effective protection.

Feature

Security
The ACTUAL-based awareness of Huawei NGFW provides accurate access control and comprehensive threat prevention.

Accurate access control
• Innovative next-generation context awareness and access control. The global awareness by application, content, time, user, attack, and location detects and prevents application-layer threats.
• Integrated next-generation content security. The IAE integrates security functions and application identification to protect against application exploits and consequent breaches, such as malware infection, network intrusion, and data theft.

Comprehensive threat prevention
• Advanced content security. Application identification, IPS, antivirus, and DLP prevent complex application-layer threats.
• Quick response to unknown threats. The security sandbox and reputation system prevent zero-day attacks and other unknown threats.

Feature table (columns: Feature, Description, The USG Advantage, Specification)

Firewall
Description: NGFWs can perform security detection based on the protocol status of protocols in multiple layers and support integrated security policies based on networks, users, and applications.
The USG Advantage:
• The multi-core hardware platform builds high-performance firewalls. The all-in-one mechanism is cost-effective and meets all-round network security requirements.
• Comprehensive protocol awareness and filtering mechanisms enable administrators to rapidly filter packets based on users and actual environments.
• NGFWs can identify over 6300 web protocols and web apps, including mobile apps. They can also identify encrypted P2P, IM, and VoIP apps for granular management and control.
Specification:
• Working modes: transparent, routing, and hybrid
• ASPF for application protocols: FTP, RTSP, H323, SIP, QQ, ICQ, MSN, PPTP, SQL.NET, MMS, DNS, NetBIOS, ILS, RSH, SCCP, Java Blocking, ActiveX Blocking, SMTP, and HTTP
• Port mapping
• Protocol status check for TCP, UDP, SCTP, and ICMP
• Blacklist and whitelist
• Multi-dimensional security policies: source/destination IP address, source/destination port, service, time range, user, application, and source/destination security zone
• Application identification: 6300+ applications, including user-defined, micro, and enterprise applications
• Security zone: four default zones (untrust, trust, local, and DMZ) and user-defined security zones

IPS
Description: Intrusion prevention detects intrusions, such as buffer overflow attacks, Trojan horses, and worms, by analyzing network traffic and takes actions to quickly terminate the intrusions.
The USG Advantage:
• Recommended NGFW by NSS Labs
• Obtained ICSA Network IPS certification
• Vulnerability-based detection for more effective defense
• Applicable to different types of network deployment requirements: IPS blocking, or IDS alerting without blocking
Specification:
• Vulnerability signature database: 6000+
• User-defined signatures
• Matching based on regular expressions for higher matching capabilities
• Detection of evasion techniques, such as IP fragmentation, TCP segmentation, and other application-layer evasion techniques
• Web defense, such as SQL injection and XSS detection
• Detection of abnormal behavior, such as brute force cracking
• Detection of C&C malicious domain names, botnets, worms, and Trojan horses
• Response actions: alert, block, and isolate (with a configurable isolation period)
• Attack forensics and post-event audit
• Filtering of signatures based on operating systems, directions, severities, applications, protocols, and categories, and setting of an action per filter

URL filtering
Description: Regulate online behavior by controlling which URLs users can access to protect enterprise networks from malicious websites.
The USG Advantage:
• Support a URL category database of over 100 million URLs in 45 categories and 137 sub-categories for granular management and control of various access requests.
• URL filtering allows you to manage users' online behavior on an individual basis, by user or user group, by schedule, and through security zones.
• URL filtering technology allows you to change the DSCP priorities of URL access packets based on the categories of the requested URLs, so that other network devices can take differentiated actions.
Specification:
• URLs in the URL category database: 120 million+
• Filtering based on user-defined blacklists and whitelists
• Filtering of malicious URLs
• Filtering of HTTPS URLs
• A maximum of 256 user-defined URL categories
• A maximum of 8192 user-defined URLs
• Local deployment of URL servers

Antivirus
Description: Identify and remove viruses to secure the network and prevent problems, such as corruption, privilege escalation, and system crashes.
The USG Advantage:
• The high-performance flow detection antivirus engine can defend against 5 million types of viruses and Trojan horses.
• The antivirus function is integrated into the firewall without extra hardware, providing a low-cost antivirus solution for small- and medium-sized enterprises.
Specification:
• Virus database: 5 million
• Antivirus detection on files transferred using HTTP, FTP, SMTP, POP3, IMAP4, SMB, NFS, and HTTPS
• Antivirus detection on compressed files in .zip, .gzip, and .tar formats
• Actions on attachments: block, alert, declare, and delete
• Application exceptions in antivirus detection
• Virus exceptions
• A maximum of eight levels of file compression (by default, three levels of file compression are supported)

DLP
Description: Prevent the sending of confidential files attempted through modifying the file name extension, and filter the content of files to prevent leaks of key enterprise information.
The USG Advantage:
• Reduce the risks of confidential information leaks.
• Reduce enterprises' legal risks caused by employees' browsing, publishing, or transmitting illegal information.
• Prevent employees from browsing and searching for content irrelevant to work, improving working efficiency.
Specification:
• Identified file types: 120+
• Identification of real file types to prevent evasion attempted by changing the file name extension
• Data filtering for common types of files, such as Office and PDF files
• Filtering of web pages, search keywords, microblogs, and Internet posts
• Filtering of file types and data for decompressed files
• A maximum of eight levels of file compression (by default, three levels of file compression are supported)
• Setting of the maximum decompression size of a compressed file (1 to 200 MB); the default value is 100 MB

Mail filtering
Description: Check IP addresses and filter mail content to enhance mail system security.
The USG Advantage:
• By cooperating with a third-party DNSBL server, the firewall can block spam and the consequent security risks.
• Provide the email address check function. You can set mail sending and download permissions based on employees' email addresses. In addition, you can control mail attachments to prevent information leaks through attachments.
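The DLP entry above rests on two controls: identifying the real file type from content rather than from the file name extension, and bounding how deep and how large archive decompression may go. The following Python is an added example written for this datasheet, not Huawei code; the magic-byte table, the extension-to-type mapping and the sample files are constructed for illustration, and the depth and size limits are set to the page's defaults (three levels, 100 MB).

```python
"""Identify real file types by content and bound archive decompression.

Added example (not Huawei code). The MAGIC table and EXT_OK mapping are a
constructed subset; a production DLP engine carries a much larger set.
"""
import io
import zipfile

# Leading bytes -> type name (constructed subset of well-known signatures).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x50\x4b\x03\x04", "zip"),                    # ZIP container, also OOXML Office
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy Office (doc/xls/ppt)
    (b"MZ", "pe"),                                   # Windows executable
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x1f\x8b", "gzip"),
]

# Extension -> set of real types that extension may legitimately carry.
EXT_OK = {
    "pdf": {"pdf"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "doc": {"ole2"}, "exe": {"pe"}, "png": {"png"}, "gz": {"gzip"},
    "txt": {"text"}, "jpg": {"jpeg"},
}

MAX_DEPTH = 3                          # default compression levels on this page
MAX_DECOMPRESSED = 100 * 1024 * 1024   # default maximum decompression size (100 MB)


def sniff(data: bytes) -> str:
    """Return the real type of `data` from its leading bytes, ignoring its name."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    try:                                # plain text if it decodes as UTF-8
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect(name: str, data: bytes, depth: int = 0, state: dict = None) -> list:
    """Return (path, real_type, verdict) findings for a file and any nested archive members.

    `state["remaining"]` is the shared decompression budget across the whole tree.
    """
    if state is None:
        state = {"remaining": MAX_DECOMPRESSED}
    real = sniff(data)
    allowed = EXT_OK.get(extension(name))
    if allowed is None:
        verdict = "unknown-extension"
    elif real in allowed:
        verdict = "ok"
    else:
        verdict = "extension-mismatch"   # e.g. an executable renamed to .txt
    findings = [(name, real, verdict)]

    if real == "zip":
        if depth >= MAX_DEPTH:           # refuse to open a fourth nested archive
            findings.append((name, real, "depth-exceeded"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_name = f"{name}/{info.filename}"
                    if info.file_size > state["remaining"]:
                        findings.append((member_name, "zip-member", "size-exceeded"))
                        continue
                    member = zf.read(info)
                    state["remaining"] -= len(member)
                    findings.extend(inspect(member_name, member, depth + 1, state))
        except zipfile.BadZipFile:
            findings.append((name, real, "corrupt-archive"))
    return findings


# --- constructed sample inputs -------------------------------------------
def build_sample_zip() -> bytes:
    """Archive holding a PDF renamed to .jpg beside a genuine text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hidden.jpg", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


def build_nested_zip(levels: int) -> bytes:
    """`levels` archives nested one inside another, with secret.pdf innermost."""
    data, name = b"%PDF-1.4\n%constructed secret\n", "secret.pdf"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data


if __name__ == "__main__":
    for f in inspect("bundle.zip", build_sample_zip()):
        print(f)
```

The shared budget in `state` matters: a per-archive limit can be bypassed by splitting an oversized payload across sibling members, so the remaining byte count is decremented across the whole tree.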
Application behavior control
Description: Accurately control and audit user online behavior, including upload, download, and browsing.
The USG Advantage:
• Application behavior control can be combined with objects, such as users and time ranges, for differentiated management of application behavior.
Specification:
• Control over such behavior as HTTP upload, download, and browsing
• Control over such behavior as FTP upload, download, and deletion
• Control over the size of transferred files. You can set the POST alarm or blocking threshold to 1 MB and set the threshold to 1 GB for other types of download and upload.
• Online behavior audit, including mail behavior, IM login and logout, HTTP audit (microblog, posting, web page browsing, file transfer, and search), and audit of FTP commands and file transfers

Anti-APT
Description: Interwork with the Huawei sandbox to detect and defend against malicious files.
The USG Advantage:
• Support integration of third-party antivirus software into the sandbox to detect known viruses in files
• Support detection of unknown threats in files
• Reduce latency through the high detection performance of the sandbox
Specification:
• Sandbox detection on files transferred using HTTP(S)/FTP/SMTP(S)/POP3(S)/IMAP4(S)/SMB/NFS
• Sharing of detection results with the URL and antivirus modules
• Detection on PE, PDF, Office, web page, image, and Flash files
• PE static heuristic detection
• Web static detection and web sandbox detection
• Virtual environment detection
• DGA domain name detection
• Botnet, Trojan horse, and worm traffic detection
• Detection using third-party antivirus engines
• Automatic updates of engines
• Cloud sandbox detection

Anti-DDoS
Description: Detect multiple types of network attacks and protect the hosts in intranets.
The USG Advantage:
• High-performance anti-DDoS algorithms
• Auto-learning of defense policy baselines
• IP reputation database that can be dynamically updated to block zombie hosts
Specification:
• Defense against scanning attacks, including IP sweep and port scanning attacks
• Defense against malformed-packet attacks, including IP spoofing, IP fragment detection, Teardrop, Smurf, Ping of Death, Fraggle, WinNuke, Land, and TCP flag validity check
• Defense against special packet control attacks, including oversized ICMP packet control, ICMP unreachable packet control, ICMP redirect packet control, Tracert, IP source route packet control, IP route record packet control, and IP timestamp packet control
• Defense against DDoS attacks, including SYN-flood, UDP-flood, UDP-frag-flood, HTTP-flood, HTTPS-flood, DNS-request-flood, DNS-reply-flood, and SIP-flood
• IP reputation database
• Baseline learning

Mail filtering (Specification, continued from the Mail filtering entry above)
• Spam filtering
• Mail recipient, sender, and title filtering
• Filtering of keywords in mail bodies
• Filtering of mail attachment names and content keywords
• Filtering based on the number of sent or received mail attachments (0 to 10)
• Filtering based on the size of sent or received mail attachments (1 to 20,480 KB)
• Mail transfer encoding formats: 7bit, 8bit, Base64, QP, and MS TNEF
• Mail encapsulation formats: MIME and UUEncode

VPN
Description: Provide secure and reliable connections without changing network status. Users can configure different types of VPNs for branches to access the headquarters or for employees to access enterprise networks.
The USG Advantage:
• Provide high-performance hardware encryption and decryption capabilities
• Support automatic negotiation of IKE parameters, simplifying customers' tunnel configuration; support IKE mode selection and extended authentication, meeting requirements for communication with multiple vendors
• Support IPsec hot standby to avoid service interruption if the active firewall fails
• Support DHCP over IPsec, meeting the requirement for interconnection with base stations in LTE scenarios
• Support IKEv2 redirection, implementing IPsec tunnel and VPN traffic load balancing through IPsec clusters
• Support DSVPN, so that a branch whose IP address changes can join the VPN dynamically
Specification:
• IPsec VPN:
  - IKEv1 and IKEv2 (RFC 4306)
  - Remote peer: static IP, dynamic DNS, and configuration of two IP addresses or host names at the same time
  - Authentication method: certificate, RSA key, and pre-shared key
  - IPsec phase 1 mode: aggressive and main mode; NAT traversal
  - IPsec phase 2 encapsulation mode: tunnel and transport modes
  - Phase 1/Phase 2 proposal encryption: DES | 3DES | AES-128 | AES-192 | AES-256 | SM4 | AES-GCM-128 | AES-GCM-256
  - Phase 1/Phase 2 proposal authentication: MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | SM3
  - Phase 1/Phase 2 Diffie-Hellman group: 1, 2, 5, 14, 15, 16, 19, 20, 21
  - IKEv2 PRF: AES-XCBC-128 | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA2-256 | HMAC-SHA2-384 | HMAC-SHA2-512
  - IKEv1 XAuth support in client or server mode
  - IKEv2 + EAP authentication
  - Dead peer detection
  - Replay detection: configurable width of the anti-replay window
  - Network resource pushing: IP, WINS, and DNS server addresses, domain names, and DHCP server addresses
  - Reverse route injection
• IPsec VPN deployment modes: gateway to gateway, client to gateway, and DSVPN (hub-spoke)
• IPsec VPN configuration options: route-based or policy-based
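The proposal list above deliberately spans legacy and current algorithms (DES and 3DES beside AES-GCM, MD5 beside SHA2, DH group 1 beside group 21), so the practical question for an operator is which combination to pick. The following Python is an added example written for this datasheet, not Huawei code and not Huawei configuration syntax: it audits a proposal expressed as a plain dictionary using the option names the specification lists, and the weak/acceptable classification is this example's own, following widely published IKE/IPsec guidance (RFC 8247 and similar) rather than a Huawei recommendation.

```python
"""Audit an IKE/IPsec proposal against current algorithm guidance.

Added example (not Huawei code or CLI). Option names follow the VPN
specification on this page; the classification below is this example's own.
"""
WEAK_ENCRYPTION = {"DES", "3DES"}                    # 56/112-bit, 64-bit block
WEAK_INTEGRITY = {"MD5", "SHA1"}
WEAK_PRF = {"HMAC-MD5", "HMAC-SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}                           # 768/1024/1536-bit MODP
AEAD_ENCRYPTION = {"AES-GCM-128", "AES-GCM-256"}     # carry their own integrity


def audit_proposal(p: dict) -> list:
    """Return (code, message) findings; an empty list means nothing to fix."""
    findings = []

    if p.get("ike_version") == "IKEv1":
        findings.append(("ikev1", "IKEv1 in use; prefer IKEv2 where both peers support it"))
        if p.get("phase1_mode") == "aggressive" and p.get("auth_method") == "pre-shared key":
            findings.append(("aggressive-psk",
                             "IKEv1 aggressive mode with a pre-shared key sends the PSK-derived "
                             "hash unprotected; use main mode or certificate authentication"))

    enc = p.get("encryption")
    if enc in WEAK_ENCRYPTION:
        findings.append(("weak-enc", f"{enc} is deprecated; use AES-128/256 or AES-GCM"))

    integ = p.get("integrity")
    if enc in AEAD_ENCRYPTION:
        if integ:                                    # GCM already authenticates
            findings.append(("redundant-integ", f"{enc} is AEAD; a separate integrity algorithm is redundant"))
    elif integ in WEAK_INTEGRITY:
        findings.append(("weak-integ", f"{integ} is deprecated for IPsec integrity; use SHA2-256 or stronger"))

    dh = p.get("dh_group")
    if dh in WEAK_DH_GROUPS:
        findings.append(("weak-dh", f"DH group {dh} is below 2048 bits; use group 14 or higher, or an ECP group (19/20/21)"))

    prf = p.get("prf")
    if prf in WEAK_PRF:
        findings.append(("weak-prf", f"{prf} is deprecated as an IKEv2 PRF; use HMAC-SHA2-256 or stronger"))

    if p.get("anti_replay_window", 0) <= 0:
        findings.append(("no-anti-replay", "anti-replay window is disabled; enable replay detection"))
    if p.get("dpd") is False:
        findings.append(("no-dpd", "dead peer detection is off; stale SAs will not be torn down"))
    return findings


def is_hardened(p: dict) -> bool:
    return not audit_proposal(p)


# Constructed sample proposals: a legacy one and a hardened one.
LEGACY_PROPOSAL = {
    "ike_version": "IKEv1", "phase1_mode": "aggressive", "auth_method": "pre-shared key",
    "encryption": "3DES", "integrity": "MD5", "dh_group": 2, "prf": "HMAC-MD5",
    "anti_replay_window": 0, "dpd": False,
}
HARDENED_PROPOSAL = {
    "ike_version": "IKEv2", "phase1_mode": "main", "auth_method": "certificate",
    "encryption": "AES-GCM-256", "integrity": None, "dh_group": 19, "prf": "HMAC-SHA2-256",
    "anti_replay_window": 64, "dpd": True,
}

if __name__ == "__main__":
    for code, msg in audit_proposal(LEGACY_PROPOSAL):
        print(f"[{code}] {msg}")
    print("hardened proposal clean:", is_hardened(HARDENED_PROPOSAL))
```

Feeding both sides' proposals through the same check before negotiation is a cheap way to catch the common case where one peer's legacy default drags the tunnel down to 3DES/MD5/group 2.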
• IPsec VPN QoS: per-tunnel traffic limiting, DSCP priorities of IKE packets, DSCP negotiation for traffic to be encrypted or decrypted, and QoS preclassification
• IPsec VPN high availability: link redundancy, hot standby, and cluster
• VPN monitoring and diagnosis: IPsec connection status monitoring, statistics on encrypted and decrypted traffic, and diagnosis of tunnel negotiation failure causes
• Other VPN support: DSVPN, LAC/LNS, L2TP over IPsec, GRE, GRE over IPsec, and DHCP over IPsec

SSL VPN
Description: Enable users to remotely access resources in an internal network. Administrators can configure SSL VPN virtual gateways to control the access of remote users to the internal network at a refined granularity.
The USG Advantage:
• SSL VPNs in different virtual systems can share public IP addresses in the public system.
  - Two-factor authentication: user name + certificate; user name + password + soft/hard token code.
  - Selection of optimal links.
  - Isolation between virtual gateways.
Specification:
• Virtual gateway isolation: each virtual gateway can have its own access address and authentication mode and manage its own users, roles, and resources.
• Customization: users can customize the login page, home page, logo, welcome message, and title.
• Multiple authentication modes: local user authentication, third-party server authentication (including AD, LDAP, RADIUS, and HWTACACS), certificate authentication, and two-factor authentication.
• Role-based resource authorization and access control.
• Host environment check: check antivirus software, operating systems, firewall software, ports, and processes on hosts and allow only qualified clients to access.
• Cache and file cleanup: clear caches and specific files generated during SSL VPN logins in a timely manner.
• Multiple access modes for access to different types of resources:
  - Web proxy mode: allows remote users to access web applications on the internal network and supports two types of resources: web-link and web-rewrite. Access to web-link resources requires a browser plugin. Mobile devices and PCs can directly access web-rewrite resources through browsers, such as Internet Explorer, Chrome, Firefox, and UC.
  - File sharing mode: allows remote users to use browsers to access SMB and NFS file sharing resources on an internal network.
  - Port forwarding mode: allows remote users to access TCP applications in C/S architecture on an internal network. The applications include Telnet, SSH, VNC, Outlook, and FTP (passive mode).
  - Network extension mode: allows remote users to access IP resources on an internal network and supports three tunnel splitting modes: full tunnel, split tunnel, and user-defined.
• Automatic selection of optimal links.

PKI
Description: As PKI entities, firewalls use public key technology to ensure identity authentication, confidentiality, data integrity, and non-repudiation during transmission. PKI provides certificate management security services for network applications.
The USG Advantage:
• Certificates used on Huawei firewalls can be managed in a unified manner and used for encryption and decryption functions.
  - Support four common formats: DER, PEM, PKCS12, and PKCS7. Huawei firewalls can apply for and update certificates through SCEP and CMPv2 in online mode.
Specification:
• Certificate formats: DER, PEM, PKCS12, and PKCS7
• Certificate application methods: SCEP-based certificate application and update, CMPv2-based certificate application and update, offline application of device certificates, and LDAP-based certificate download (LDAPv2 and LDAPv3 supported)
• Certificate status check modes: HTTP, LDAP, SCEP-based CRL download, and OCSP
• RSA key pair management: multiple RSA key pairs can be created.
  RSA key pairs can be imported and exported in standard formats (PEM and PKCS#12). Key pairs can be backed up and restored. RSA key pairs can be backed up in batches in hot standby scenarios.

MPLS VPN
Description: MPLS L3VPN is supported. Firewalls can serve as PEs.
The USG Advantage:
• Interconnect IP and MPLS networks. Firewalls are deployed at MPLS VPN borders to provide security, access control, and IPsec VPN access services.
• Firewalls can also serve as PEs to simplify network deployment.
Specification:
• MPLS VPN:
  - L3VPN: static LSP, MPLS LDP
  - MPLSv4, MPLSv6
  - BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN

Signaling security
Description: Support security check and filtering for GTP signaling on the wireless core network and SCTP attack defense.
The USG Advantage:
• Support the check and filtering of various GTP protocol fields and defense against overbilling attacks, protecting packets on GPRS networks.
• Support SCTP basic status check, SCTP attack defense, and SCTP NAT, meeting the security requirements of the core network.
Specification:
• GTP packet validity check; filtering based on type, length, IE, and extension header; log statistics
• Defense against GTP overbilling attacks
• SCTP multihoming management
• SCTP status check, validity check, and filtering
• SCTP NAT

Visualized management

Diverse reports
• The traffic, threat, application, URL, and user reports provide visibility into service status, network environment, security postures, and user behaviors.
• The network security analysis reports generated by the Huawei security center display the analysis of traffic, threats, web browsing, and data disclosure activities for administrators to understand security vulnerabilities and take mitigation measures.

Simple security management
• Supports cloud-based management and enables Huawei Agile Controller-Cloud Manager to manage and configure the firewalls.
• The built-in security policy templates simplify policy configuration, and the Huawei-proprietary SmartPolicy technology helps administrators optimize and clean up security policies, reducing TCO by 30%.
• The USB deployment technology allows for zero-experience deployment and requires nothing more than plugging in the preinstalled USB flash drive to complete the initial configuration, reducing deployment time by 90%.
• The built-in full-featured web UI, network management system and controller, easily integrated northbound APIs, and third-party optimization tools simplify O&M management.

Virtual system
Description: Multiple logical firewalls can be created on one physical firewall.
The USG Advantage:
• Support many virtual systems with minimum performance degradation, meeting the requirements of a network with many tenants.
• Support virtual system resource allocation, meeting operating requirements.
• Support communication between virtual systems.
Specification:
• Virtual system administrators, rights- and domain-based management
• Import, export, and saving of virtual system configuration files
• Virtual system resource allocation and limitation (bandwidth, concurrent connections, connection rate, policies, users/user groups, online users, security groups, and SSL VPN concurrent users)
• Virtual system traffic diversion modes: VLAN, interface, IP address
• Allocating interfaces and VLANs to virtual systems
• 100 virtual systems for free (only for USG6000s)

Internet access user management
Description: With various authentication methods, firewalls directly apply policies to users for granular user management.
The USG Advantage:
• Control network behavior and permissions by user or IP address, providing user-based management for network behavior control and network permission allocation and implementing refined management.
• Provide visibility into and statistics on threats and traffic for auditing the network behaviors of users.
• Map users to dynamic IP addresses and implement policy control based on users.
Device management
Description: Configure and manage individual devices using the CLI or GUI, or centrally manage devices using the eSight network management system (NMS), which is connected to the cloud platform for automatic management.
The USG Advantage:
• Provide convenient and friendly man-machine configuration interfaces.
• Centrally manage both firewalls and Huawei network devices, such as routers and switches, through the NMS.
• Using the NETCONF or RESTCONF interface based on the YANG model, firewalls can interconnect with third-party cloud management platforms or the open-source OpenStack, simplifying O&M.
Specification:
• Login to the CLI through the console port, Telnet, SSH, or the CLI console on the web UI
• Access to the web UI through HTTPS
• Local, HWTACACS server, and RADIUS server authentication for administrators
• Firewall monitoring and management through eSight, which can receive firewall logs and alarms as well as perform NAT source tracing
• Support for two types of northbound interfaces: NETCONF and RESTCONF

Intelligent management
Description: Provide multiple basic configuration optimization capabilities to help administrators better design and optimize device and service management.
The USG Advantage:
• Use predefined or user-defined objects and policy templates to simplify policy definition and make policies easy to understand and maintain.
• SmartPolicy helps administrators with policy redundancy analysis, policy matching analysis, and policy tuning, facilitating security management.
• Intrusion prevention profiles can be automatically generated using security posture awareness based on the application and OS information used by assets on enterprise networks, improving management efficiency.
Specification:
• Policy objects: geographical region or region group, application or application group, service or service group, domain name group, endpoint or endpoint group
• Predefined policy templates
• Policy redundancy analysis: identifying duplicate and overlapping policies
• Policy matching analysis: simplifying policies based on dynamic policy matching statistics
• Policy tuning: defining security policies in compliance with the least privilege principle
• Security posture awareness: automatically generating intrusion prevention profiles based on the application and OS information used by enterprise assets

Logs and reports
Description: Administrators can view logs and reports to obtain the characteristics of users, applications, security events, and traffic, and take actions based on log details and reports.
The USG Advantage:
• Powerful log processing capability of LogCenter, which can store a large number of logs and display threats
• Support syslog, binary, NetFlow, and multiple third-party log formats, all of which can be encrypted
• Support scheduled report sending, report customization, and automatic report sending
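The Intelligent management entry above lists three SmartPolicy functions: redundancy analysis (duplicate and overlapping policies), matching analysis, and tuning toward least privilege. The Python below is an added example written for this datasheet, not Huawei code; it shows how first-match evaluation and a shadowing/overlap check can be done over the policy dimensions the Firewall entry lists (security zone, IP address, service, action). The rule set and packets are constructed for illustration, and the zone and network values are assumed.

```python
"""First-match policy evaluation and SmartPolicy-style redundancy analysis.

Added example (not Huawei code). Rules are constructed for illustration.
A rule is "covered" by an earlier rule when every packet it could match is
already matched by that earlier rule, so it never fires.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"
FIELDS = ("src_zone", "dst_zone", "src", "dst", "service")


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    src_zone: object = ANY      # ANY or set of zone names
    dst_zone: object = ANY
    src: object = ANY           # ANY or list of ip_network
    dst: object = ANY
    service: object = ANY       # ANY or set of (proto, port)


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def covers(a, b) -> bool:
    """True if field value a matches everything that field value b matches."""
    if a == ANY:
        return True
    if b == ANY:
        return False
    if isinstance(a, list):     # network lists
        return all(any(bn.version == an.version and bn.subnet_of(an) for an in a) for bn in b)
    return set(b) <= set(a)     # zone / service sets


def overlaps(a, b) -> bool:
    """True if at least one packet could match both field values."""
    if a == ANY or b == ANY:
        return True
    if isinstance(a, list):
        return any(an.overlaps(bn) for an in a for bn in b)
    return bool(set(a) & set(b))


def rule_covers(outer: Rule, inner: Rule) -> bool:
    return all(covers(getattr(outer, f), getattr(inner, f)) for f in FIELDS)


def rules_overlap(r1: Rule, r2: Rule) -> bool:
    return all(overlaps(getattr(r1, f), getattr(r2, f)) for f in FIELDS)


def field_matches(value, pkt_value) -> bool:
    if value == ANY:
        return True
    if isinstance(value, list):
        ip = ipaddress.ip_address(pkt_value)
        return any(ip in n for n in value)
    return pkt_value in value


def first_match(rules, pkt):
    """Evaluate rules top-down; return (rule name, action), default deny."""
    for r in rules:
        if (field_matches(r.src_zone, pkt["src_zone"]) and field_matches(r.dst_zone, pkt["dst_zone"])
                and field_matches(r.src, pkt["src_ip"]) and field_matches(r.dst, pkt["dst_ip"])
                and field_matches(r.service, (pkt["proto"], pkt["port"]))):
            return r.name, r.action
    return None, "deny"


def analyze(rules) -> list:
    """Return (kind, rule, earlier_rule) findings.

    redundant          : fully covered by an earlier rule with the same action (safe to delete)
    shadowed-conflict  : fully covered by an earlier rule with a different action (never takes effect)
    overlap-conflict   : partially overlaps an earlier rule with a different action (order-sensitive)
    permit-any         : permits everything (violates least privilege)
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if rule_covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed-conflict"
                findings.append((kind, later.name, earlier.name))
                break                        # the first covering rule settles it
            if rules_overlap(earlier, later) and earlier.action != later.action:
                findings.append(("overlap-conflict", later.name, earlier.name))
        if later.action == "permit" and all(getattr(later, f) == ANY for f in FIELDS):
            findings.append(("permit-any", later.name, None))
    return findings


# Constructed rule set (zone names and prefixes are assumed).
RULES = [
    Rule("r1-web-out", "permit", {"trust"}, {"untrust"}, nets("10.1.0.0/16"), ANY, {("tcp", 443)}),
    Rule("r2-sales-web", "permit", {"trust"}, {"untrust"}, nets("10.1.2.0/24"), ANY, {("tcp", 443)}),
    Rule("r3-block-partner", "deny", {"trust"}, {"untrust"}, nets("10.1.3.0/24"), nets("203.0.113.0/24"), {("tcp", 443)}),
    Rule("r4-admin-dmz", "permit", {"trust"}, {"dmz"}, nets("10.1.0.0/16"), nets("192.168.10.0/24"), {("tcp", 22), ("tcp", 3389)}),
    Rule("r5-block-dns-dmz", "deny", {"trust"}, {"dmz"}, nets("10.1.0.0/16"), ANY, {("udp", 53), ("tcp", 22)}),
    Rule("r6-catch-all", "permit"),
]

if __name__ == "__main__":
    for f in analyze(RULES):
        print(f)
```

Running `analyze` on the sample shows the case that matters most: `r3-block-partner` is fully shadowed by `r1-web-out`, so the intended deny never fires, and `first_match` confirms that a 10.1.3.x client to 203.0.113.x on tcp/443 is permitted by r1.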
• Display threat sources and targets through threat and traffic maps

Internet access user management (Specification, continued from the Internet access user management entry above)
• Local portal authentication
• Third-party authentication: RADIUS/LDAP/AD
• Customization of welcome, authentication, and questionnaire pages
• Remote portal authentication
• Single sign-on (SSO), supported only with RADIUS, AD, and TSM authentication

Logs and reports (Specification)
• Local log storage (when local disks are available) and log sending
• Dedicated log server (LogCenter) for processing large-volume logs
• Supported log formats: syslog and binary
• Encrypted transmission of logs of all formats
• Configurable storage ratio of different types of logs
• Log reports by saving time, period, type, or email recipient
• Scheduled report sending, report customization, and automatic report sending
• Reports on traffic statistics, threats, URLs, policy matching, file blocking, and data filtering
• Display of global traffic distribution on traffic maps, with details such as traffic ranking, volume, direction, source IP address, and destination IP address
• Display of global threat distribution on threat maps, with details including the attack source and destination regions and detailed attack information

Platform

Reliable and efficient hardware and software platforms
• The support for IPv4 and IPv6 stacks and various routing and switching protocols, diverse interface types, and virtual interfaces accommodates different networking environments and deployment requirements.
• The new and integrated architecture of the IAE allows the parsing results to be used in multiple subsequent parallel processes to maintain high performance even when multiple defense functions are enabled. The constant update of the signature database keeps enterprises current on emerging security threats.

Carrier-class availability
• The high-availability hardware design, robust software system, hot standby, link redundancy, and hot backup technologies ensure stability and high availability.
• The optimal route selection for IPsec allows for dynamic switchover between IPsec tunnels, coupled with intelligent ISP link selection, policy-based routing, and global routing policies in multihoming scenarios, improving the stability and availability of network services.

Interface management
Description: Support various physical-layer and link-layer access modes.
The USG Advantage:
• Support many types of interfaces and diversified interface features, meeting various networking requirements.
Specification:
• Ethernet interfaces: GE, 10 GE, 40 GE (supported only by USG9000s), and 100 GE (supported only by USG9000s)
• Eth-Trunk and LACP
• Ethernet subinterfaces and VLANs
• POS interfaces and IP-Trunk (bundled POS interfaces, supported only by USG9000s)
• 4G LTE cellular WAN interfaces
• WLAN interfaces

Basic network
Description: Support basic L2 and L3 networks and application protocols.
The USG Advantage:
• Support various network protocols and provide basic routing capabilities without routers and switches, reducing deployment costs.
• Measure the performance of various protocols running on networks through the NQA function.
• Collect statistics on network traffic through NetStream for accounting, network management, and attack analysis.
Specification:
• Basic physical and link-layer protocols: VLAN, PPP, PPPoE, HDLC, and 4G LTE
• Basic network protocols: ARP, ICMP, DNS, DHCP, and DHCP snooping
• Support for IPv6: static routes, RIPng, OSPFv3, BGP4+, PBR, IPv6 over IPv4, IPv4 over IPv6, NAT64, hot standby, IPsec, ACL6, bandwidth management, security policies, and various security functions
• NQA
• NetStream

Routing
Description: Support IPv4 and IPv6 routing protocols and abundant routing features for network connectivity.
The USG Advantage:
• Based on Huawei VRP, firewalls support abundant routing features to meet various networking requirements.
• Comprehensive IPv4 and IPv6 routing features ensure a smooth transition from IPv4 to IPv6.
Specification:
• Static routes
• Routing protocols: RIP/RIPng, OSPF/OSPFv3, IS-IS, and BGP/BGP4+
• Routing policies
• Equal-cost multi-path routes
• Route iteration

PBR
Description: Select routes based on user-defined policies.
The USG Advantage:
• PBR takes precedence over routing tables. Compared with routes in routing tables, PBR specifies forwarding paths for special services based on more dimensions, including the incoming interface, source/destination security zone, source/destination IP address, user, service, and application, increasing flexibility in packet forwarding control.
Specification:
• Single-next-hop forwarding
• Multi-next-hop load balancing
• Uplink selection based on bandwidth, priority, or link quality
• User- or application-based PBR

NAT
Description: Support multiple address and port translation technologies as well as the NAT ALG function.
The USG Advantage:
• Support multiple address and port translation technologies for communication between private and public networks.
• Support the NAT ALG function for application-layer packet parsing and address translation.
Specification:
• NAT No-PAT, NAPT, Smart NAT, EasyIP, NAT Server, triplet NAT, hairpin access, and destination NAT
• NAT ALG for DNS, FTP, H.323, ICQ, ILS, MMS, MSN, NetBIOS, PPTP, QQ, RSH, RTSP, SCCP, SIP, SQLNET, and STUN

IPv6/CGN
Description: Use NAT444, NAT64, DS-Lite, and CGN for a smooth transition from IPv4 to IPv6.
The USG Advantage:
• Support NAT444, DS-Lite, and NAT64.
• Support port pre-allocation and incremental allocation. Port ranges can be pre-allocated to users before NAT to improve data source tracing efficiency for log servers.
• Support the PCP mechanism to control packet forwarding through upstream devices, reducing keepalive traffic between applications.
• Support static mapping for rapid source tracing.
Specification:
• IPv6: IPv6 over IPv4 tunnel, IPv4 over IPv6 tunnel
• CGN: NAT444, NAT64, DS-Lite, PCP, port range allocation, static NAT mappings

High availability
Description: Ensure the stable running of firewalls in three aspects: hardware, software, and links.
The USG Advantage:
• Provide carrier-class high availability mechanisms, such as dual MPUs and SFU redundancy (USG9000).
• Ensure service continuity through dual power module backup, hardware bypass, external link detection, and internal software monitoring switchover.
Specification:
• Dual power modules
• Hardware bypass card
• Dual MPUs and SFU redundancy (USG9000)
• Hot standby: active/standby, active/active, and mirror modes, supporting automatic and manual backup of sessions
• VRRP: simple, MD5 authentication, VRRP6
• Link-level high availability mechanisms, such as link-group, IP-link, and BFD (interworking with multiple types of routing protocols)
• Health check for intelligent uplink selection
• Configuration files for disaster recovery

QoS (available only on USG9000)
Description: Use traffic policing, traffic shaping, and queuing to forward service traffic based on priorities.
The USG Advantage:
• Implement high-performance multi-level queue scheduling based on hardware, improving forwarding efficiency.
• Adjust bandwidth allocation based on traffic types to ensure that mission-critical services are prioritized.
Specification:
• Priority mapping (dot1p-dscp, dscp-dot1p, dscp-dscp, and dot1p-dot1p)
• CAR
• Traffic shaping
• WRED
• HQoS for multi-level queue scheduling based on hardware
• Application-specific QoS

Bandwidth management
Description: Limit or prioritize bandwidth to improve the efficiency of bandwidth use and prevent bandwidth exhaustion.
The USG Advantage:
• Bandwidth management helps administrators properly allocate bandwidth resources to improve network operating quality.
Specification:
• Global bandwidth limitation: maximum bandwidth, guaranteed bandwidth, and maximum number of concurrent connections
• Per-user bandwidth limitation: maximum bandwidth, guaranteed bandwidth, and maximum number of concurrent connections
• Per-IP bandwidth limitation: maximum bandwidth, guaranteed bandwidth, and maximum number of concurrent connections
• Bandwidth limitation based on interfaces, applications, and public IP addresses
• Traffic priority in traffic profile: re-marking DSCP values in packets
• Query of traffic details based on traffic policies

Intelligent uplink selection
Description: In a multihoming scenario, a firewall can intelligently select ISP links for load balancing.
The USG Advantage:
• Distribute DNS packets to ISP DNS servers based on security policies, implementing load balancing from the source.
• Provide sticky load balancing, that is, forward and return traffic is sent through the same ISP link. This mechanism accelerates access to internal servers.
• When serving as an IPsec gateway, a firewall uses IPsec intelligent uplink selection to dynamically switch IPsec tunnels for load balancing based on IPsec tunnel quality.
Specification:
• WAN load balancing
  - Algorithm: bandwidth weight/link quality
  - Health check: ICMP, TCP, DNS, RADIUS, and HTTP
  - Selection based on ISP route preference
  - DNS transparent proxy
  - DNS rewriting for inbound traffic
  - IPsec tunnel quality detection and intelligent uplink selection

SLB
Description: SLB improves the service processing capabilities of servers in a server cluster.
The USG Advantage:
• Server Load Balancing (SLB) helps improve the service processing capability of enterprises, improve server performance expansion, and facilitate network operation, maintenance, and adjustment.
• High-performance Layer-4 SLB improves forwarding efficiency.
• Support multiple load balancing algorithms and application-specific load balancing.
• Support multiple server health detection capabilities for service continuity.
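The SLB entry names the scheduling algorithms (round robin, weighted round robin, least connections, source IP hash), source-IP sticky sessions, and real-server health checks, but not how they interact. The Python below is an added example written for this datasheet, not Huawei code; it implements those schedulers over a constructed pool of real servers and shows how a health check result feeds into every algorithm, including re-homing a sticky client whose server has gone down. The server addresses, weights and the simulated health flag are assumptions for illustration; a real SLB would drive `healthy` from its ICMP/TCP/HTTP probes.

```python
"""Layer-4 SLB scheduling with health-aware selection and sticky sessions.

Added example (not Huawei code). The pool is constructed; `healthy` stands
in for the result of the real-server health check.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class RealServer:
    address: str
    weight: int = 1
    healthy: bool = True
    connections: int = 0        # currently active sessions on this server


class ServerPool:
    def __init__(self, servers):
        self.servers = list(servers)
        self._rr_index = -1
        self._wrr_current = {s.address: 0 for s in self.servers}
        self.sticky = {}        # client IP -> real server address

    def _up(self):
        up = [s for s in self.servers if s.healthy]
        if not up:
            raise RuntimeError("no healthy real server")
        return up

    def mark_down(self, address: str):
        """Health check failed: stop scheduling to this server."""
        for s in self.servers:
            if s.address == address:
                s.healthy = False

    def round_robin(self) -> RealServer:
        for _ in range(len(self.servers)):
            self._rr_index = (self._rr_index + 1) % len(self.servers)
            s = self.servers[self._rr_index]
            if s.healthy:
                return s
        raise RuntimeError("no healthy real server")

    def weighted_round_robin(self) -> RealServer:
        """Smooth WRR: every `sum(weights)` picks, each server gets exactly `weight` of them."""
        up = self._up()
        total = sum(s.weight for s in up)
        for s in up:
            self._wrr_current[s.address] += s.weight
        best = max(up, key=lambda s: self._wrr_current[s.address])
        self._wrr_current[best.address] -= total
        return best

    def least_connections(self, weighted: bool = False) -> RealServer:
        key = (lambda s: s.connections / s.weight) if weighted else (lambda s: s.connections)
        return min(self._up(), key=key)

    def source_ip_hash(self, client_ip: str) -> RealServer:
        """Hash the client IP onto a healthy server; remember the choice (sticky session)."""
        up = self._up()
        addr = self.sticky.get(client_ip)
        srv = next((s for s in up if s.address == addr), None)
        if srv is None:         # first contact, or the sticky target is down
            digest = hashlib.sha256(client_ip.encode()).digest()
            srv = up[int.from_bytes(digest[:4], "big") % len(up)]
            self.sticky[client_ip] = srv.address
        return srv

    def open_session(self, srv: RealServer):
        srv.connections += 1

    def close_session(self, srv: RealServer):
        srv.connections = max(0, srv.connections - 1)


def make_pool() -> ServerPool:
    """Constructed pool: three real servers with weights 3, 1 and 2."""
    return ServerPool([RealServer("10.0.0.1", 3), RealServer("10.0.0.2", 1), RealServer("10.0.0.3", 2)])


def distribution(pick, n: int) -> dict:
    """Call `pick` n times and count how often each server address was chosen."""
    counts = {}
    for _ in range(n):
        addr = pick().address
        counts[addr] = counts.get(addr, 0) + 1
    return counts


if __name__ == "__main__":
    pool = make_pool()
    print("WRR over 6 picks:", distribution(pool.weighted_round_robin, 6))
    pool.mark_down("10.0.0.2")
    print("RR with .2 down:", distribution(pool.round_robin, 4))
```

Weighted least connections divides the active count by the weight, so a server rated three times as large takes three times as many concurrent sessions before it is considered as loaded as its neighbour.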
Specification:
• Layer-4 SLB
• Load balancing algorithms: source IP hash, weighted source IP hash, round robin, weighted round robin, least connections, and weighted least connections
• Load balancing protocols: TCP, UDP, and IP
• Sticky session based on source IP addresses
• Health check for real servers: ICMP, TCP, DNS, HTTP, and RADIUS
• Real-time statistics on concurrent connections on virtual servers
• Five-minute statistics on traffic, sessions, and traffic ratio on real servers

About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party. For more information, visit http://e.huawei.com/en/products/enterprise-networking/security.
Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved.