The H3C SecPath NGFW series firewall is the latest incarnation of the high-performance security gateway. The series was developed for the Web 2.0 era, integrates the latest security trends and deep network inspection technologies, and is designed for SMEs, campus network egress and WAN branches.
Cutting edge hardware and software specifications
- The H3C SecPath NGFW series is equipped with the latest 64-bit multi-core processor and high-speed storage.
Telecommunication carrier-grade reliability
- H3C's patented, self-developed software and hardware platforms have been adopted and trusted by customers ranging from SMEs to telecommunication carriers.
- H3C SCF virtualization combines multiple physical devices into a single logical device, which can be managed as a single network node. Resources can be managed as a whole, application backup can be completed in batch, and overall system performance is doubled.
- Protection from a wide range of attacks including but not limited to: Land, Smurf, Fraggle, Ping of Death, Tear Drop, IP Spoofing, IP fragment packets, ARP spoofing, reverse ARP lookup, TCP packets with illegal flag bits, oversized ICMP packets, and address/port scanning, plus detection of and protection against common DDoS attacks such as SYN Flood, UDP Flood, ICMP Flood and DNS Flood.
- SOP (Security One Platform) 1:N complete virtualization. Container-based virtualization makes logical device configuration consistent with its physical counterpart. You can create multiple virtual firewalls on an H3C SecPath F10X0 device and configure throughput, concurrent sessions, policies and more per virtual system.
- Security zones can be configured based on interfaces and VLANs.
- Packet filtering allows you to apply standard or advanced ACLs between security zones to filter packets based on information contained in the packets, such as UDP and TCP port numbers. Time-range-based ACLs can also be configured.
- Supports application- and user-based ACLs combined with in-depth protection to implement next-generation access control functions.
- ASPF (Application Specific Packet Filter) dynamically determines whether to forward or drop a packet by checking its application layer protocol information and state (for FTP, HTTP, SMTP, RTSP and other application layer protocols based on TCP/UDP).
- Supports AAA, including authentication based on RADIUS/HWTACACS+, CHAP, PAP and more.
- Supports static and dynamic blacklist.
- NAT and multiple NAT instances.
- VPN—Supports L2TP, IPsec/IKE, GRE, and SSL VPNs, and implements smart terminal connection.
- Supports a rich set of routing protocols, including static routing, policy-based routing, and dynamic routing protocols such as RIP and OSPF.
- Security logs
- Traffic monitoring, statistics, and management
Flexible, expandable built-in DPI
- Integrated security application processing platform is fully coupled with essential security protection.
- Comprehensive application layer traffic identification and management: with H3C’s longtime expertise in stateful inspection and traffic cross-checking technology, NGFW can accurately detect P2P/IM/online game/equity trading/video stream/multimedia applications such as Thunder/Web Thunder, BitTorrent, eMule, eDonkey, QQ, MSN, PPLive. It supports P2P throttling through deep packet inspection, which matches network packets against P2P packet characteristics. This effectively detects P2P traffic, achieves the necessary P2P traffic management and provides different control strategies to flexibly limit P2P traffic.
- Highly precise and efficient intrusion detection engine using H3C's patented, self-developed FIRST (Full Inspection with Rigorous State Test). The FIRST engine consolidates multiple detection technologies to deliver comprehensive, state-based inspection with highly accurate intrusion detection. FIRST also uses parallel inspection technology that can be flexibly deployed in software and hardware to increase detection efficiency.
- Real-time anti-virus protection: the Kaspersky stream-based virus scanning engine provides quick, accurate scanning and removal of viral code in the network stream.
- Fast URL filtering: apart from basic URL blacklist and whitelist filtering, a URL lookup server can be configured for online queries.
- Comprehensive and up-to-date security signature database. With years of operation and experience, H3C employs the best team for identifying attack signatures and has set up a professional defense lab that keeps the team at the forefront of network security and ensures timely updates of the signature database.
Industry-leading IPv6 features
- IPv6 stateful inspection implements a true IPv6 firewall and provides IPv6 protection against attacks.
- Supports IPv4/IPv6 dual protocol stacks and supports IPv6 packet forwarding, static routing, dynamic routing and multicast routing.
- IPv6 transition technologies consist of NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, automatic IPv4-compatible IPv6 tunnel, ISATAP tunnel, NAT444, and DS-Lite.
- Supports IPv6 ACL and RADIUS.
Next generation applications
- Load Balancing: Implements automatic switching and automatic load balancing of enterprise Internet egress through link status checks and link busy-status protection.
- SSL VPN: Integrated SSL VPN fulfils the secure remote access needs of mobile office and roaming employees. An additional authentication factor can be implemented with USB-Key or mobile SMS, and the SSL VPN integrates with the existing enterprise authentication system to create a fully integrated access authentication system.
- Basic support for DLP (Data Leak Prevention) includes e-mail filtering (SMTP e-mail address, subject and attachment filtering), Web page filtering (HTTP URL and content filtering), file filtering based on network transport protocol, and application layer filtering such as Java/ActiveX blocking and SQL injection attack blocking.
- Intelligent security policy: policy redundancy check, policy mapping optimization advice, dynamic internal network application check and appropriate policy creations and recommendations.
- Supports SNMPv3 and is compatible with SNMPv1 and SNMPv2.
- Graphical interface with simple and easy to use Web based management.
- CLI-based device management and firewall configuration that fulfils the professional management and batch deployment requirements.
- Security Service Manager (SSM) is an iMC component for centralized network security management. SSM monitors firewall devices on the network in real time, collects and analyzes security events and logs, and provides feedback in a single console. It breaks the silos between network security devices, provides an intuitive interface for network security, gives real-time feedback on security events and pinpoints the exact location of a network outage. It frees IT and security administrators from the chore of management, significantly improves their productivity and lets them focus on core business instead.
- Centralized log management functions based on advanced data drill-down and analysis technology. It can request and receive information to generate logs, compile different types of logs (such as syslogs and binary stream logs) in the same format, and compress and store large amounts of logs. You can encrypt and export saved logs to external storage devices such as DAS, NAS, and SAN to avoid loss of important security logs.
- Choices of reports: application-based reports and stream-based analysis reports.
- Export of reports in different formats, such as PDF, HTML, Microsoft Word, and txt.
- Report customization through the Web interface. Customizable contents include time range, data source device, generation period, and export format.