武汉泽雅信息科技有限公司

H3C SecPath F5000-AI Series Firewall

Details

With the continuous popularization and development of network technology, network attacks are becoming increasingly frequent. Through various attack software, even beginners with general computer knowledge can launch attacks on networks. At the same time, the proliferation of various network viruses has exacerbated the danger of network attacks.

The H3C SecPath F5000-AI-15, F5000-AI-20, and F5000-AI-40 are high-performance, 10-Gigabit-plus integrated firewall and VPN gateway products for the industry market. In hardware terms, they are based on multi-core, multi-threaded ARM/MIPS architecture processors. The F5000-AI-15 is a 1U standalone box firewall, while the F5000-AI-20 and F5000-AI-40 are 2U standalone box firewalls. This series of firewall products offers rich interface expansion capabilities.

The H3C SecPath F5000-AI120, F5000-AI160, F5000-AI360, and F5000-E are high-performance firewall products targeting the industrial and carrier markets, respectively. Hardware-wise, they are based on a multi-core, multi-threaded x86 processor + FPGA architecture, and are high-density 1U standalone box firewalls, supporting 6 100G interfaces, 8 25G interfaces, and 20 10G interfaces, giving them a leading interface advantage. This series of firewalls also offers rich interface expansion capabilities, supporting dual-hard drive RAID0/RAID1. They also provide a wealth of service features, including IPS/AV/ACG/WAF/TI/URL, to meet differentiated competitive needs.

In terms of security features, as an NGFW product, this series not only supports firewall security functions such as security control, VPN, NAT, and DoS/DDoS defense, but also integrates in-depth security defense functions such as IPS (Intrusion Prevention), AV (Antivirus), ACG (Application Control), WAF (Web Vulnerability Detection), TI (Threat Intelligence), and URL (Classification and Filtering), providing multi-dimensional policy control based on users, applications, time, geographical location, and security status.

In terms of virtualization and reliability, it is based on H3C's leading Comware V7 platform, supporting multi-device clusters and 1:N virtualization. It also offers better elastic scalability to meet the requirements of cloud computing.

In terms of scalability, this series of firewall products provides rich RESTful API and NETCONF API interface extension capabilities, which can adapt to various network deployment requirements and support the integration and adaptation of various platforms through API interfaces.

1. High-performance hardware and software processing platform

*The H3C SecPath F5000-AI uses the latest 64-bit multi-core high-performance processors and high-speed memory.

2. High reliability of telecom-grade equipment

*It utilizes H3C's proprietary software and hardware platform. The product has undergone years of market testing, with applications ranging from telecom operators to small and medium-sized enterprises.

*It supports H3C SCF virtualization technology, which can virtualize two devices into one logical device, presenting it as a single network node to the outside world. This enables unified resource management, business backup, and improved overall system performance.

*It supports virtual firewall functionality, including the creation, startup, shutdown, and deletion of virtual firewalls; virtual firewalls can be managed independently and their configurations can be saved independently; virtual firewalls have independent session management, NAT, routing, and other functions.

3. Powerful security protection functions

*It supports a wide range of attack prevention features, including protection against Land, Smurf, Fraggle, Ping of Death, Tear Drop, IP Spoofing, IP fragmentation, ARP spoofing, ARP reverse lookup, invalid TCP packet flags, oversized ICMP packets, address scanning, and port scanning. It also includes detection and defense against common DDoS attacks such as SYN Flood, UDP Flood, ICMP Flood, and DNS Flood.

*The latest version supports SOP 1:N full virtualization. Multiple logical virtual firewalls can be partitioned on the H3C SecPath F5000-AI device. Based on containerized virtualization technology, the virtual system has the same characteristics as the actual physical system, and performance allocation such as throughput, concurrency, creation, and policies can be performed based on the virtual system.

*Supports security zone management. Security zones can be divided based on interfaces and VLANs.

*Packet filtering is supported. Data packets can be filtered using standard or extended access control rules between secure zones, leveraging information such as UDP or TCP port numbers within the packets. Furthermore, filtering can be performed based on time periods.

*It supports application- and user-based access control, using applications and users as the basic elements of security policies, and combines them with defense in depth to achieve next-generation access control functions.

*Supports Application Layer Stateful Packet Filtering (ASPF). By inspecting application layer protocol information (such as FTP, HTTP, SMTP, RTSP, and other TCP/UDP-based application layer protocols) and monitoring the connection-based application layer protocol status, it dynamically determines whether packets are allowed to pass through the firewall or are dropped.

*Supports authentication, authorization, and accounting (AAA) services. This includes authentication based on RADIUS/HWTACACS+, CHAP, PAP, etc.

*Supports both static and dynamic blacklists.

*Supports NAT and NAT multiple instances.

*VPN functionality is supported, including L2TP, IPSec/IKE, GRE, SSL, and integration with smart terminals.

*It supports a wide range of routing protocols, including static routing, policy-based routing, and dynamic routing protocols such as RIP and OSPF.

*Supports security logs.

*Supports traffic monitoring, statistics, and management.

4. Flexible and scalable integrated DPI deep security

*An integrated security business processing platform that is highly integrated with basic security protection.

*Comprehensive application-layer traffic identification and management: Leveraging H3C's long-standing expertise in state machine detection and traffic interaction detection technologies, it can accurately detect applications such as Thunder/Web Thunder, BitTorrent, eMule/eDonkey, WeChat, Weibo, QQ, MSN, and PPLive, including P2P/IM/online games/stock trading/online video/online multimedia. It supports P2P traffic control by employing deep traffic detection methods, matching network packets with P2P protocol packet characteristics to accurately identify P2P traffic and manage it. Different control strategies are also available for flexible P2P traffic control.

*A high-precision, high-efficiency intrusion detection engine. It employs H3C's proprietary FIRST (Full Inspection with Rigorous State Test) engine. The FIRST engine integrates multiple detection technologies, achieving comprehensive inspection based on precise state conditions, resulting in extremely high intrusion detection accuracy. Simultaneously, the FIRST engine utilizes parallel detection technology, allowing for flexible software and hardware adaptation, significantly improving intrusion detection efficiency.

*Real-time virus protection: Employing stream engine virus detection technology, it can quickly and accurately detect and eliminate viruses and other malicious code in network traffic.

*Massive URL categorization and filtering: Supports local and cloud-based methods, 141 category libraries, and over 20 million URL rules.

*A comprehensive and timely security signature database. Through years of operation and accumulation, H3C has developed an industry-leading attack signature database team, equipped with a professional attack and defense laboratory, to keep abreast of the latest developments in the cybersecurity field, thereby ensuring the timely and accurate updating of the signature database.

5. Industry-leading IPv6

*It supports IPv6 stateful firewall, truly realizing firewall functionality under IPv6 conditions, and simultaneously preventing IPv6 attacks.

*It supports IPv4/IPv6 dual protocol stacks and functions such as IPv6 data packet forwarding, static routing, dynamic routing, and multicast routing.

*Supports various IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, IPv4 compatible IPv6 automatic tunnel, ISATAP tunnel, NAT444, DS-Lite, etc.

*Supports security technologies such as IPv6 ACL and RADIUS.

6. Next-generation multi-service features

*Intrusion Prevention System (IPS) supports web attack identification and protection, such as cross-site scripting attacks and SQL injection attacks, and its virus signature database is updated periodically.

*Antivirus (AV) features a high-performance virus engine that can protect against more than 6 million types of viruses and Trojans, with a periodically updated virus signature database.

*Application Identification and Control (ACG) accurately identifies accessing applications, effectively allowing or blocking them, improving work efficiency, and the application identification feature database is updated periodically.

*Web security protection (WAF) can effectively identify and protect against DDoS attacks, and supports feature classification of network devices, web servers, databases and other devices.

*Threat Intelligence Detection (TI) supports IP reputation databases, domain reputation databases, and URL reputation databases, efficiently identifying threatening traffic and recording alerts. The threat intelligence signature database is updated regularly.

*URLs are categorized and managed to improve the efficient use of network broadband resources.

*The load balancing function integrates link load balancing features and effectively achieves automatic balancing and switching of multiple links at the enterprise's Internet egress through technologies such as link status detection and link busy protection.

*It integrates SSL VPN features to meet the secure access needs of mobile office workers and employees on business trips. It can not only combine USB-Key and SMS for mobile user authentication, but also integrate with the enterprise's existing authentication system to achieve unified authentication access.

*Data Loss Prevention (DLP) supports email filtering, providing filtering for SMTP email addresses, headers, attachments, and content; supports web page filtering, providing filtering for HTTP URLs and content; supports file filtering for network transmission protocols; and supports application layer filtering, providing protection against Java/ActiveX Blocking and SQL injection attacks.

7. Professional intelligent management

*Supports intelligent security policies: Enables policy redundancy detection, policy matching optimization suggestions, dynamic detection of internal network services to dynamically generate and recommend security policies.

*It supports standard network management SNMPv3 and is compatible with SNMP v1 and v2.

*It provides a graphical interface and easy-to-use web management.

*Device management and firewall configuration can be performed through the command-line interface, meeting the needs of professional management and large-scale configuration.

*The H3C IMC SSM Security Management Center enables unified management, integrating functions such as security information and event collection, analysis, and response. It solves problems such as the isolation between network and security devices, the lack of intuitive network security status, slow response to security events, and difficulty in locating network faults. This frees IT and security administrators from tedious management work, greatly improves work efficiency, and allows them to focus on core business.

*Leveraging advanced deep mining and analysis technologies, and employing both proactive collection and passive reception methods, this system provides users with centralized log management capabilities and normalizes logs of different formats (Syslog, binary stream logs, etc.). Simultaneously, it utilizes high-aggregation compression technology to store massive amounts of events and can automatically compress, encrypt, and save log files to external storage systems such as DAS, NAS, or SAN to prevent the loss of critical security events.

*It provides a rich set of reports, mainly including application-based reports and network flow analysis reports.

*It supports output in multiple formats such as PDF, HTML, WORD, and TXT.

*Reports can be customized via a web interface, with customization options including the time range of the data, the source device of the data, the generation cycle, and the output type.

Networking applications

H3C SecPath F5000-AI Series Networking Application Diagram

*SCF 2:1 virtualization technology, high-reliability network design

*It has powerful processing capabilities and supports GE, 10GE, and 100G networking.

*Rich routing protocols to achieve security and network convergence

*It has powerful VPN encryption capabilities.

*Comprehensive and in-depth security defense prevents malicious attacks, while also enabling filtering of emails, web pages, and files.

Product Specifications

Item: F5000-AI-15 / F5000-AI-20 / F5000-AI-40

Interface

F5000-AI-15: One configuration port (CON); 1 RJ45 management port; 2 MGMT interfaces; 2 USB ports; 1 Micro USB port; 14 Gigabit Ethernet ports; 8 Gigabit Ethernet ports; 8 10 Gigabit Ethernet ports

F5000-AI-20: One configuration port (CON); 1 RJ45 management port; 2 USB ports; 4 Gigabit Ethernet Combo ports; standard interface cards: an 8-port Gigabit Ethernet interface card and an 8-port 10 Gigabit optical interface card

F5000-AI-40: One configuration port (CON); 1 RJ45 management port; 2 USB ports; 4 Gigabit Ethernet Combo ports; standard interface cards: an 8-port Gigabit Ethernet interface card, an 8-port Gigabit optical interface card, and an 8-port 10 Gigabit optical interface card

Expansion slots

F5000-AI-15: 2; F5000-AI-20: 6; F5000-AI-40: 5

Storage media

All three models: Supports dual hard drives (RAID0/RAID1)

Ambient temperature

Operating temperature: 0~45℃, with hard drive: 5℃~40℃

Non-working temperature: -40~70℃

Operating mode

Routing mode, transparent mode, promiscuous mode

AAA service

Portal authentication, RADIUS authentication, HWTACACS authentication, PKI/CA (X.509 format) authentication, domain authentication, CHAP authentication, PAP authentication

Firewall

SOP virtual firewall technology supports full virtualization of hardware resources such as CPU, memory, and storage.

Security zone division

It can defend against a variety of malicious attacks, including Land, Smurf, Fraggle, Ping of Death, Tear Drop, IP Spoofing, IP fragmentation, ARP spoofing, ARP reverse lookup, invalid TCP packet flags, oversized ICMP packets, address scanning, port scanning, SYN Flood, UDP Flood, ICMP Flood, and DNS Flood.

Basic and extended access control lists

Time-based access control lists

User- and application-based access control lists

ASPF Application Layer Packet Filtering

Static and dynamic blacklist functions

MAC and IP binding function

MAC-based access control lists

Supports 802.1q VLAN pass-through

Virus protection

Detection based on virus characteristics

Supports manual and automatic virus definition updates.

Message Stream Processing Mode

Supports HTTP, FTP, SMTP, and POP3 protocols.

Supported virus types: Backdoor, Email-Worm, IM-Worm, P2P-Worm, Trojan, AdWare, Virus, etc.

Supports virus logs and reports

Deep Intrusion Prevention

Supports defense against common attacks such as hacker attacks, worms/viruses, Trojans, malicious code, spyware/adware, DoS/DDoS attacks, etc.

Supports defense against attacks such as buffer overflow, SQL injection, and IDS/IPS evasion.

Supports attack signature database classification (based on attack type and target system) and grading (high, medium, low, and warning levels).

Supports manual and automatic updates of the attack signature database (TFTP and HTTP).

Supports identification and control of P2P/IM such as BitTorrent.

Email/Webpage/Application Layer Filtering

Email filtering

SMTP email address filtering

Email title filtering

Email content filtering

Email attachment filtering

Webpage filtering

HTTP URL filtering

HTTP content filtering

Application layer filtering

Java Blocking

ActiveX Blocking

SQL injection attack prevention

NAT

Supports mapping multiple internal addresses to the same public IP address.

Supports mapping multiple internal addresses to multiple public IP addresses.

Supports one-to-one mapping from internal addresses to public addresses.

Supports simultaneous source and destination address translation

Supports external network hosts to access internal servers

Supports direct mapping of internal addresses to public IP addresses of interfaces.

Supports DNS mapping function

Configurable valid time for address translation

Supports various NAT ALGs, including DNS, FTP, H.323, ILS, MSN, NBT, PPTP, SIP, etc.

VPN

L2TP VPN, IPSec VPN, GRE VPN, SSL VPN

IPv6

IPv6-based stateful firewall and attack prevention

IPv6 protocols: IPv6 forwarding, ICMPv6, PMTU, Ping6, DNS6, TraceRT6, Telnet6, DHCPv6 Client, DHCPv6 Relay, etc.

IPv6 routing: RIPng, OSPFv3, BGP4+, static routing, policy routing, PIM-SM, PIM-DM, etc.

IPv6 security: NAT-PT, IPv6 Tunnel, IPv6 Packet Filter, RADIUS, IPv6 inter-domain policies, IPv6 connection limits, etc.

High reliability

Supports SCF 2:1 virtualization

Supports dual-machine hot standby (Active/Active and Active/Backup working modes).

Supports dual-machine configuration synchronization

Supports IKE state synchronization for IPSec VPN

VRRP Support

Maintainability

Supports command-line based configuration management

Supports remote configuration management via web interface

Supports device management by H3C SSM Security Management Center

Supports standard network management SNMPv3, and is compatible with SNMP v1 and v2.

Smart security strategy

Environmental Protection and Certification

Supports Europe's stringent RoHS environmental certification


Item: F5000-AI120/F5000-AI160 / F5000-AI360 / F5000-E

Interface

F5000-AI120/F5000-AI160: One configuration port (RJ45 or Micro USB); 2 external USB 3.0 ports; 2 RJ45 management ports; 6 100G Ethernet ports; 8 25G Ethernet ports; 20 10 Gigabit Ethernet ports; 2 HA interfaces (10 Gigabit optical)

F5000-AI360: One configuration port (RJ45 or Micro USB); 2 external USB 3.0 ports; 2 RJ45 management ports; 6 100G Ethernet ports; 16 25G Ethernet ports; 12 10 Gigabit Ethernet ports; 2 HA interfaces (10 Gigabit optical)

F5000-E: One configuration port (RJ45 or Micro USB); 2 external USB 3.0 ports; 2 RJ45 management ports; 6 100G Ethernet ports; 8 25G Ethernet ports; 20 10 Gigabit Ethernet ports; 2 HA interfaces (10 Gigabit optical)

Expansion slots

F5000-AI120/F5000-AI160: 0; F5000-AI360: 0; F5000-E: 0

Storage media

All models: Supports dual hard drives (RAID0/RAID1)

Ambient temperature

Operating temperature: 0~45℃, with hard drive: 5℃~40℃

Non-working temperature: -40~70℃

Operating mode

Routing mode, transparent mode, promiscuous mode

AAA service

Portal authentication, RADIUS authentication, HWTACACS authentication, PKI/CA (X.509 format) authentication, domain authentication, CHAP authentication, PAP authentication

Firewall

SOP virtual firewall technology supports full virtualization of hardware resources such as CPU, memory, and storage.

Security zone division

It can defend against a variety of malicious attacks, including Land, Smurf, Fraggle, Ping of Death, Tear Drop, IP Spoofing, IP fragmentation, ARP spoofing, ARP reverse lookup, invalid TCP packet flags, oversized ICMP packets, address scanning, port scanning, SYN Flood, UDP Flood, ICMP Flood, and DNS Flood.

Basic and extended access control lists

Time-based access control lists

User- and application-based access control lists

ASPF Application Layer Packet Filtering

Static and dynamic blacklist functions

MAC and IP binding function

MAC-based access control lists

Supports 802.1q VLAN pass-through

Virus protection

Detection based on virus characteristics

Supports manual and automatic virus definition updates.

Message Stream Processing Mode

Supports HTTP, FTP, SMTP, and POP3 protocols.

Supported virus types: Backdoor, Email-Worm, IM-Worm, P2P-Worm, Trojan, AdWare, Virus, etc.

Supports virus logs and reports

Deep Intrusion Prevention

Supports defense against common attacks such as hacker attacks, worms/viruses, Trojans, malicious code, spyware/adware, DoS/DDoS attacks, etc.

Supports defense against attacks such as buffer overflow, SQL injection, and IDS/IPS evasion.

Supports attack signature database classification (based on attack type and target system) and grading (high, medium, low, and warning levels).

Supports manual and automatic updates of the attack signature database (TFTP and HTTP).

Supports identification and control of P2P/IM such as BitTorrent.

Email/Webpage/Application Layer Filtering

Email filtering

SMTP email address filtering

Email title filtering

Email content filtering

Email attachment filtering

Webpage filtering

HTTP URL filtering

HTTP content filtering

Application layer filtering

Java Blocking

ActiveX Blocking

SQL injection attack prevention

NAT

Supports mapping multiple internal addresses to the same public IP address.

Supports mapping multiple internal addresses to multiple public IP addresses.

Supports one-to-one mapping from internal addresses to public addresses.

Supports simultaneous source and destination address translation

Supports external network hosts to access internal servers

Supports direct mapping of internal addresses to public IP addresses of interfaces.

Supports DNS mapping function

Configurable valid time for address translation

Supports various NAT ALGs, including DNS, FTP, H.323, ILS, MSN, NBT, PPTP, SIP, etc.

VPN

L2TP VPN, IPSec VPN, GRE VPN, SSL VPN

IPv6

IPv6-based stateful firewall and attack prevention

IPv6 protocols: IPv6 forwarding, ICMPv6, PMTU, Ping6, DNS6, TraceRT6, Telnet6, DHCPv6 Client, DHCPv6 Relay, etc.

IPv6 routing: RIPng, OSPFv3, BGP4+, static routing, policy routing, PIM-SM, PIM-DM, etc.

IPv6 security: NAT-PT, IPv6 Tunnel, IPv6 Packet Filter, RADIUS, IPv6 inter-domain policies, IPv6 connection limits, etc.

High reliability

Supports dual-machine hot standby (Active/Active and Active/Backup working modes).

Supports dual-machine configuration synchronization

Supports IKE state synchronization for IPSec VPN

VRRP Support

Maintainability

Supports command-line based configuration management

Supports remote configuration management via web interface

Supports device management by H3C SSM Security Management Center

Supports standard network management SNMPv3, and is compatible with SNMP v1 and v2.

Smart security strategy

Environmental Protection and Certification

Supports Europe's stringent RoHS environmental certification

