H3C SecPath ACG1000 Series Application Control Gateway
- Classification: H3C Data Network Security Products
- Release time: 2025-11-15
The SecPath ACG1000 series is H3C's latest-generation application control gateway. It can be deployed at critical network nodes in routing mode, transparent bridging mode, bypass mode, or hybrid mode. It integrates application control, behavior auditing, and network optimization, providing users with a complete solution for all business application scenarios.
The SecPath ACG1000 series adopts a MIPS multi-core architecture. A virtual OS runs on the hardware architecture, and its efficient parallel scheduling algorithm and memory management mechanism improve packet forwarding efficiency while also performing comprehensive layer 2-7 checks and analyses on the data.
It can deeply identify, accurately control, and efficiently audit nearly a thousand common applications such as IM chat software, P2P download software, stock trading software, online games, streaming media, and online video.
It uses technologies such as multi-level seven-tuple flow control, precise blocking, and intelligent routing to provide powerful bandwidth management.
With features such as clear log management and compliance for wireless internet access, it provides users with the most comprehensive, clearest, and most intuitive solution for internet behavior.

Rapid deployment
For enterprises with many branches that need interconnection and a large number of front-end devices that urgently need to go live, deploying services quickly while coping with the varying skill levels of frontline personnel has become a major headache for administrators. The SecPath ACG1000 series introduces a USB drive-based zero-configuration deployment function. Using configuration information pre-defined by the administrator, the device decrypts and loads the configuration directly from a zero-configuration boot USB drive, significantly reducing the workload of front-end maintenance personnel and the barriers to configuration and deployment. Deployment is fast and easy, configuration is accurate, and the method is simple.
Comprehensive high-end management
Traditional device management based only on an account and password has low security: credentials are easily intercepted and cracked by hackers, and the uniqueness of authentication is difficult to guarantee. The SecPath ACG1000 series products provide two-factor authentication. When logging in to the device interface, users must insert a U-Key into their PC terminal and have their account and password verified at the same time. This function greatly improves the security of network devices, is simple to operate, and is portable.
The SecPath ACG1000 series products have built-in Chinese and English languages, and administrators can switch the language of the user interface according to the needs of the scenario, making them fully adaptable to overseas markets.
The SecPath ACG1000 series products can switch the management mode to a three-level system. After switching, each management account is assigned different permissions, so that the accounts check and balance one another. This restricts the super administrator's privileges, ensures device security, and gives administrators a clear division of responsibilities.
Integrated Policy Management
The SecPath ACG1000 series products integrate application control, behavior auditing, identity authentication, and security protection into a single policy configuration. Multiple functional modules can be configured with a single policy. Different management policies can be customized for different users according to different management needs, making it flexible, convenient, and easy to maintain.
Full Identity Authentication
Driven by user needs, H3C has implemented a variety of identity authentication methods:
- Local authentication: Web authentication, username/password authentication, IP/MAC/IP-MAC binding.
- Single Sign-On: Standard Active Directory domain; one login, multiple authentications.
- Third-party authentication: RADIUS, LDAP, etc.
- APP authentication: No need to rely on data center software and no need to modify the APP, avoiding coordination and communication costs.
- WeChat verification: When a user connects to the merchant's Wi-Fi, a "One-click WeChat WIFI connection" pop-up automatically appears and the user is prompted to follow the WeChat official account.
- Hybrid authentication: The interface lets users select from multiple authentication methods, and users can change the authentication method as needed.
- No authentication required: Users can go online without authentication.
Multi-service high performance
The SecPath ACG1000 series products adopt an advanced multi-core architecture, combined with H3C's secure operating system. They employ technologies such as protocol feature library tree storage, stream scanning processing, and parallel DPI/DFI to complete the entire parsing process in one go, ensuring high-speed and low-latency processing even when multiple behavior management functions are enabled.
Fast, easy, and reliable VPN secure interconnection
The SecPath ACG1000 series VPN modules feature industry-leading technology, significantly simplifying administrators' maintenance workload in complex network environments. Combined with centralized management and data analysis systems, it enables rapid, zero-configuration VPN deployment, automatic negotiation of tunnel interfaces and interested flows without configuration, fully automatic VPN network convergence, and adaptive multi-line operation, perfectly solving the problem of weak branch maintenance capabilities. It innovatively introduces IPsec VPN cold backup, improving data transmission reliability while providing data encryption. Its unique zero-packet-loss primary/backup failover technology ensures uninterrupted TCP service and perfectly achieves uninterrupted VPN service during HA failover.
The SecPath ACG1000 series products support 4G networks and 4G IPsec VPN encrypted connections without changing the original network architecture. If the main line fails, they proactively take over encrypted network communication with the central end. They feature data integrity, secure data transmission, high cost-effectiveness, and no network changes, giving administrators peace of mind.
Detailed network application management
The SecPath ACG1000 series products go beyond simply blocking network applications in their internet behavior management and control; they can now more deeply identify the built-in actions of applications. For example, the control over QQ goes beyond just "login action," recognizing more granular actions such as "receiving files," "sending files," "receiving messages," "sending messages," "logout," "voice messages," and "all actions." WeChat can also recognize and control various behavioral actions, making the network more orderly through more refined application management.
Fine-grained bandwidth management
The SecPath ACG1000 series products employ technologies such as application signature database-based seven-tuple flow control, precise blocking, and intelligent routing to divide network egress bandwidth into logical channels and support further subdivision of sub-channels within each channel, perfectly achieving bandwidth limiting and bandwidth protection. It also supports distributing complex network traffic types to different network egress points for forwarding, making it the best tool for enterprises to improve bandwidth utilization and protect bandwidth investments.
User behavior tracking analysis
By correlating multi-dimensional information such as user network accounts, behaviors, internet access devices, and times, H3C's Internet behavior management products achieve user-based visualization of internet behavior management and auditing. They clearly and intuitively present users' internet behavior trajectories, helping network administrators formulate more targeted network management strategies, ensuring the rational and effective use of network resources and improving work efficiency. Self-learning and fuzzy matching are its two major features.
Custom Applications
For applications (such as OA and ERP) not found in the audit device's application library, the device cannot audit or control them. The SecPath ACG1000 series products support customizing applications based on a specific characteristic of a lesser-known application, utilizing multiple dimensions such as URL, port, IP, and domain name, and support policy configuration and auditing. This expands the administrator's audit scope and enables transparent auditing of lesser-known applications.
Smart App Application Caching
The SecPath ACG1000 series innovatively caches apps locally on the device, pushing them directly to users during download. Files of tens of megabytes are downloaded in just seconds, significantly improving outbound bandwidth utilization and greatly accelerating download speeds, thus enhancing the user experience. It supports caching for both iOS and Android apps, including precise caching, dynamic caching, automatic app updates, and fuzzy matching—leading the industry in this technology. This low-cost approach opens up new avenues for customers' end-user marketing and promotion. Combined with app identity authentication, it can forcefully promote merchants' apps, increasing app installation rates and unlocking more potential customers.
Ad push
The SecPath ACG1000 series products support push advertising functionality to users. It supports customizable ad types, content, and placement; PCs support up to three ad placements, while terminals support full-screen ads. Push advertising, as an application in e-commerce marketing, is characterized by flexibility, interactivity, and accurate target audience targeting, significantly reducing advertising costs. Push advertising serves a large number of advertisers, delivering internet ads to the right consumers in the right way, resulting in high accuracy and conversion rates.
Clear post-audit
The SecPath ACG1000 series products support detailed, clear, and easy-to-use logging features, comprehensively recording and auditing user internet behavior, traffic usage, websites visited, terminal systems used, and device types and platforms. Logs support customizable filters, allowing searches based on IP address, authenticated user, accessed applications, accessed URLs, and posted content, making post-event auditing time-saving and labor-saving. Simultaneously, the SecPath ACG1000 series products provide rich and visually appealing reports, using bar charts, pie charts, percentages, and other formats to intuitively illustrate network operation status, making network management planning data-driven and targeted.
SSL website decryption & email decryption
To ensure clear post-event auditing and protect corporate secrets, the SecPath ACG1000 series products offer HTTPS auditing and email decryption capabilities. Employing unique encrypted traffic identification technology, the SecPath ACG1000 series can identify behaviors related to mainstream encrypted websites, encrypted website search history, and encrypted emails. Administrators can customize their audits to target specific users and encrypted websites, providing greater clarity and transparency regarding network operations.
In multi-exit network environments, the bandwidth of each interface varies. Simply adjusting the routing ratio through load balancing can easily lead to poor internet access. This necessitates that transparent DNS proxies implement data forwarding based on weighted and priority rules to ensure proper routing ratios and network access performance. The SecPath ACG1000 series products are precisely the solution to this problem. Coupled with simple, flexible, and unified DNS management, the transparent DNS proxy function provides internal network users with a unified and seamless DNS proxy service.
The SecPath ACG1000 series products feature powerful transparent DNS proxy capabilities, enabling weighted and priority-based DNS forwarding load balancing, static domain name mapping, and targeted forwarding of specific domain names. These features optimize network routing and load balancing for users, significantly enhancing the user experience.
Business Alarms
The ACG1000 series products support business alarm functions, which can raise alarms on key device indicators such as CPU, memory, sessions, overall system traffic, and IPsec VPN disconnection. Alarms are delivered as page pop-ups and email reminders, helping to locate fault points quickly and report device status to network management in a timely manner, thus assisting operation and maintenance.
Wireless internet access compliance
According to the national standard GAWA3011.(1~5)-2015, "Requirements for Wireless Internet Access in Public Places," public places such as cafes, bars, and KTVs that provide network access must implement a standardized access management system and upload audit information to the network monitoring backend platform. Otherwise, they may face risks such as business shutdown, business suspension for rectification, and fines.
The SecPath ACG1000 series products offer wireless internet access compliance features and are suitable for various scenarios including centralized deployment, distributed deployment, and bypass integration, facilitating smooth network upgrades for customers. While the Ministry of Public Security has set standards, varying integration standards across different cities and the presence of numerous backend vendors have created upgrade challenges for customers. The SecPath ACG1000 series supports platforms from several mainstream backend vendors, including Renzihang, Paibo, Hongxu, Aisi, and Wangbo, with extensive regional coverage and rich integration experience. With extensive integration experience across scenarios such as banking, telecommunications, and retail chains, its high application recognition rate and customized development capabilities ensure security and compliance for customer scenarios.
Networking applications
Routing deployment
- Suitable for large and medium-sized enterprise users; it can be deployed in-line at the network egress point in a transparent manner without changing the network topology.
- Monitors and manages various applications such as online communities, P2P, IM, online games, stock trading, online video, online multimedia, and illegal website access to ensure bandwidth for critical applications and services.
- Analyzes and audits users' online behavior.
- Supports complex network environments such as VPN/MPLS/VLAN/PPPoE.
- Supports local log recording and centralized analysis and processing on devices, and can be deployed and managed in a distributed manner across multiple devices.

Bypass (side-mounted) deployment
- Suitable for scenarios that only perform behavior auditing and do not change the network topology; it is generally deployed in the core layer.
- Analyzes and audits users' online behavior.
- Provides logging and log export functions.

Transparent Deployment
- Suitable for data center server rooms; it can be flexibly deployed at the data center server room egress in in-line routing or transparent mode, and is easy to deploy according to the actual network environment.
- Provides identity authentication functionality to verify the legitimacy of internet users' identities.
- Monitors and manages various applications such as online communities, P2P, IM, online games, stock trading, online video, online multimedia, and illegal website access to ensure bandwidth for critical applications and services.
- Supports local logging on the device; logs can also be sent to a centralized management and data analysis center for processing and data analysis.

Hardware Specifications
Item | SecPath ACG1000-BE | SecPath ACG1000-BE-PWR | SecPath ACG1000-SE | SecPath ACG1000-SE-PWR | SecPath ACG1000-TE | SecPath ACG1000-ME | SecPath ACG1000-AE | SecPath ACG1000-EE | SecPath ACG1000-PE | SecPath ACG1000-XE1 |
Management Interface | Any business interface | Any business interface | Any business interface | Any business interface | Dedicated external management GE port | Dedicated external management GE port | Dedicated external management GE port | Dedicated external management GE port | Dedicated external management GE port | Dedicated external management GE port |
Number of interfaces | 10GE + 1SFP | 10GE + 1SFP (supports 4-port PoE; ports 7-10 support PoE) | 4GE (Combo) + 10GE | 4GE (Combo) + 10GE (supports 8-port PoE; ports 6-13 support PoE) | 12GE (optical) + 12GE (electrical) | 12GE (optical) + 12GE (electrical) | 12GE (optical) + 12GE (electrical) + 20GbE | 12GE (optical) + 12GE (electrical) + 40 Gigabit | 12GE (optical) + 12GE (electrical) + 40 Gigabit | 12GE (optical) + 12GE (electrical) + 80GbE |
Dimensions (Length × Height × Depth/mm) | 320*44*205 | 320*44*205 | 440*44*263 | 440*44*263 | 440*44*263 | 440*44*263 | 440*86*300 | 440*86*415 | 440*86*415 | 440*86*415 |
Rated power | 25W | 25W+60W | 25W | 25W+120W | 120W | 120W | 120W | 300W | 300W | 300W |
Power supply | 100~240V AC | 100~240V AC | 100~240V AC | 100~240V AC | 100~240V AC | 100~240V AC | 100~240V AC | 100~240V AC | 100~240V AC | 100~240V AC |
Reliability | ≥100,000 hours | ≥100,000 hours | ≥100,000 hours | ≥100,000 hours | ≥100,000 hours | ≥100,000 hours | ≥100,000 hours | ≥100,000 hours | ≥100,000 hours | ≥100,000 hours |
Software Specifications
Level 1 SPEC | Level 2 SPEC |
Network adaptability | Routing |
Network adaptability | Network characteristics |
Behavioral auditing and control | Application |
Behavioral auditing and control | HTTPS decryption |
Security protection | Session restrictions |
Security protection | Blacklist |
Enhanced features | IPsec VPN support |
Enhanced features | HA |
Enhanced features | 4G router |
Enhanced features | Preventing unauthorized connections |
Enhanced features | Service quality |
Behavior and traffic statistics | Behavior and traffic statistics |
Wireless internet access compliance | Database table |
Wireless internet access compliance | Platform vendors |
Wireless internet access compliance | Authentication data |
Wireless internet access compliance | Three-tier audit |
Wireless internet access compliance | Data reporting cycle |
Wireless internet access compliance | Standard API interface |
System maintenance settings | USB drive boot with zero configuration |
System maintenance settings | Multi-configuration management |
Third-party authentication | Support for pseudo-portal suppression |
Third-party authentication | HTTPS pop-up portal |
Third-party authentication | Portal integration support |
U-Key two-factor user authentication | U-Key two-factor user authentication |
User management | AD domain single sign-on |
Application | Predefined applications |
Log recording | Exporting website logs & application audit logs |
Log recording | Business alarms |
Traffic limit | Daily and monthly data usage limits |
Flow control | Supports bandwidth control based on user, source and destination interfaces, source and destination addresses, application characteristics, session, time, service, etc. |
User tags | User tags |
Link load balancing | Server load balancing |
IPv4 features | Peanut Shell DDNS |
IPv4 features | DNS-DNAT |
IPv4 features | Traffic-weighted DNS transparent proxy |
Application caching | Application caching |
Application caching | APP passive caching |
Application caching | APP fuzzy matching |