Home Companies Uonel Co.Limtied

USG9500 Data Center Firewall

Active Member

Contact Us

[China]

Address: B-1906,Zhantao-Tech mansion ,Minzhi road 1079,longhua Dis,shenzhen 518110 China

Contact name:Leo yang

Uonel Co.Limtied

USG9500 Data Center Firewall

Country/Region	china
City & Province	shenzhen

Product Details

USG9500 Data Center Firewall Data Sheet

The USG9500 Data Center Firewall is the world’s fastest and provides services for large data centers, cloud computing environments, and enterprise campus networks. Integrated switching, routing, and security make upgrades smooth, virtualization easy, and its TB-level processing capability comes in a compact unit with carrier-grade reliability.

Its multiple core network processor and distributed architecture integrates security and virtualization while continual database updates optimize protection.

Minimize security risks, get reliable protection, and reduce TCO with Huawei’s NSS-tested data center firewall

Product characteristics

Accurate access control and comprehensive ACTUAL-based protection

Traditional firewall access control is based on port and IP addresses, but the USG9500 provides more fine-grained controls like these:

ACTUAL-based: USG9500 series firewalls provide integrated control and protection based on the Application, Content, Time, User, Attack, and Location (ACTUAL) model and combine application-layer protection and identification. For example, the USG9500 can identify Oracle-specific traffic and implement selective intrusion prevention to increase efficiency and reduce false positives
Application-based: USG9500s can accurately identify more than 6,000 applications and services and adjust access control and service acceleration as needed. For example, USG9500s can identify an instant messaging application's voice and data services, then apply appropriate control policies to each service
User-based: The firewall supports 8 user authentication methods, including RADIUS, LDAP, and Active Directory (AD) authentication. It also provides synchronized user information from existing authentication systems, user-based access control, and QoS management
Location-based: The unit identifies application and attack traffic origins using IP address geolocation. It also detects network problems and uses differentiated user-defined access control for traffic from different locations

Practical features reduce TCO

The USG9500 provides comprehensive protection against rampant cyber-attacks and information theft:

Versatility: A single USG9500 integrates VPNs, intrusion prevention, antivirus, Data Leak Prevention (DLP), and bandwidth and online behavior management for simple deployment and better efficiency
Intrusion Prevention System (IPS): Detect and prevent more than 5,000 vulnerabilities, such as cross-site scripting and SQL injection
Antivirus protection: A high-performance antivirus engine, with a virus signature database updated daily, detects and repels more than 5 million viruses and Trojan horses
DLP support: The USG9500 identifies more than 120 file types, even if their extensions are maliciously changed. In addition, it can restore and implement content filtering for more than 30 file types, including Word, Excel, PPT, PDF, and RAR files, to prevent critical information leaks
SSL decryption: USG9500s serve as proxies for application-layer protection, such as intrusion prevention, antivirus, DLP, and URL filtering for SSL-encrypted traffic
Anti-DDoS attacks: The firewall identifies and prevents 10 types of DDoS attacks, such as SYN and UDP flood attacks
Secure connections: USG9500s support VPN features, such as IPSec, SSL, L2TP, MPLS, and GRE VPN for secure and reliable connections
QoS management: USG9500s manage upper and lower traffic thresholds and supports application-specific, policy-based routing. It also preferentially marks and forwards traffic of specified URL categories, such as financial websites
Online behavior management: The USG9500 uses a cloud-based URL category database containing 85 million URLs to prevent threats. Additionally, it audits and controls online behaviors, such as social media posting and FTP uploads and downloads
Load balancing: In multiple egress scenarios, USG9500 firewalls provide server load balancing based on link quality, bandwidth, and data volume

Linear performance overcomes bottlenecks

The USG9500 uses a hardware platform that is often used in core routers to provide modularized components. Each Line Protection Unit (LPU) has two Network Processors (NPs) to provide line rate forwarding. LPUs and Stream Processing Unites (SPUs) function separately. The SPU uses multi-core CPUs and multi-threaded architecture, and each CPU has an application acceleration engine. These hardware advantages, combined with Huawei’s optimized concurrent processing technology, increase CPU capacity to ensure high-speed, parallel processing of multiple services, such as NAT and VPN. Overall performance increases linearly with the number of SPUs, enabling customers to scale up performance at low cost.

The system’s unique architecture and hardware design delivers industry-leading performance; up to 144 Tbit/s, large-packet throughput, 1.44 billion concurrent sessions, and 4,096 virtual firewalls. Meets requirements of high-end customers, such as television and broadcast companies, government agencies, energy companies, and educational institutions.

Stable, reliable security gateway with full redundancy

To ensure service continuity on mission-critical, high-performance networks, the USG9500 supports active/standby and active/active redundancy, port aggregation, VPN redundancy, and SPU load balancing. The USG9500 also supports dual-MPU active/standby switch-over normally available in high-end routers, for high availability. Mean-Time-Between-Failures (MTBF) is up to 200,000 hours, and fail-over time is less than one second.

Comprehensive virtualization functions for cloud networks

Secure, high-speed network connections and rich virtualization features support cloud computing systems with dedicated resources, independently forwarding traffic, and separately managing configurations to meet the requirements of different customers. Resources can be easily assigned to different virtual systems as needed, with different security policies, log management, forwarding processes, and audit functions based on tenant requirements. Forwarding planes of virtual systems are separated to ensure data security of tenants and eliminate the impact of performance degradation of one virtual system affecting other virtual systems.

Product specifications

Model	USG9520	USG9560	USG9580
Performance and Capacity
Firewall Throughput (maximum)	120 Gbit/s	720 Gbit/s	1,440 Gbit/s
Firewall Throughput (IMIX Traffic)	120 Gbit/s	720 Gbit/s	1,440 Gbit/s
Maximum Number of Concurrent Sessions	120 million	720 million	1.44 billion
IPSec VPN Performance (1,420 Bytes)	84 Gbit/s	336 Gbit/s	720 Gbit/s
Maximum Number of Concurrent IPSec Tunnels	128,000	640,000	1,000,000
IPS Performance	40 Gbit/s	220 Gbit/s	440 Gbit/s
Antivirus Performance	34 Gbit/s	187 Gbit/s	374 Gbit/s
Expansion and I/O
Expansion Slots	3 slots	8 slots	16 slots
Number of MPU Slots	2
Interface Types	GE, 10 GE, 40 GE, and 100 GE interfaces
SPU	Firewall and application security SPUs
Dimensions, Power Supply, and Operating Environment
Dimensions (H x W x D)	175 mm x 442 mm x 650 mm DC 220 mm x 442 mm x 650 mm DC	620 mm x 442 mm x 650 mm	1,420 mm x 442 mm x 650 mm
Weight	Vacant chassis: 15 kg, DC Full configuration: 32 kg, DC Vacant chassis: 25 kg, AC Full configuration: 42 kg, AC	Vacant chassis: 43.2 kg Full configuration: 113 kg	Vacant chassis: 94.4 kg Full configuration: 229 kg
Redundant Power Supply	Standard configuration
AC Power Supply	90V AC to 275V AC; 175V AC to 275V AC (recommended)
DC Power Supply	-38V to -72V; Rated -48V
Power consumption	1,270W	3,960W	7,540W
Operating Temperature	Long-term: 0°C to 45°C Short-term: -5°C to 55°C Storage: -40°C to 70°C
Ambient Humidity	Long-term: 5% RH to 85% RH, non-condensing Short-term: 5% RH to 95% RH, non-condensing Storage: 0% RH to 95% RH, non-condensing

Security Functions

Basic Firewall Functions	Transparent, routing, and hybrid modes Stateful inspection Blacklist and whitelist Access control Application Specific Packet Filter (ASPF) Security zones
NAT/CGN	Destination NAT/PAT NAT NO-PAT Source NAT-IP address persistency Source IP address pool groups NAT Server Bi-directional NAT NAT-ALG Unlimited IP address expansion Policy-based destination NAT Port range allocation Hairpin connections SMART NAT NAT64, DS-Lite, and IPv6 rapid deployment (6RD)
Egress Load Balancing	ISP-based routing Intelligent uplink selection Transparent DNS proxy at egress User-based traffic control Application-based traffic control Link-based traffic control Time-based traffic control
Ingress Load Balancing	Intelligent DNS at ingress Server load balancing Application-based QoS
Service Awareness	Identification and prevention of over 6,000 protocols: P2P, IM, game, stock charting/trading, VoIP, video, stream media, email, mobile phone services, Web browsing, remote access, network management, and news applications
Intrusion Prevention System	Protocol anomaly detection User-defined signatures Automatic update of the knowledge bases Zero-day attack defense Prevention of worms, Trojan horses, and malware attacks
URL Filtering	URL database of 85 million URLs 130+ URL categories Trend and top N statistics based on users, IP addresses, categories, and counts Query of URL filtering logs
Antivirus	Detection of 5 million viruses Flow-based inspection for higher performance Inspection of encrypted traffic Trend and top N statistics by virus family
VPN	DES, 3DES, and AES encryption MD5 and SHA-1 authentication Manual key, PKI (X509), and IKEv2 Perfect forward secrecy (DH group) Anti-replay Transport and tunnel modes IPSec NAT traversal Dead Peer Detection (DPD) EAP authentication EAP-SIM, EAP-AKA VPN gateway redundancy IPSec v6, IPSec 4 over 6, and IPSec 6 over 4 L2TP tunnel GRE tunnel
PKI	Online CA certificate enrollment Online CRL check Hierarchical CA certificates Support for public-key cryptography standards (PKCS#10 protocol) CA certificate Support for SCEP, OCSP, and CMPv2 protocols Self-signed certificates
Anti-DDoS Features	Prevention of SYN, ICMP, TCP, UDP, and DNS floods Prevention of port scan, Smurf, teardrop, and IP sweep attacks Prevention of attacks exploiting IPv6 extension headers TTL detection TCP-mss detection Attack logs
Networking/Routing	Support for POS, GE, and 10 GE interfaces DHCP relay/server Policy-based routing IPv4/IPv6 dynamic routing protocols, such as RIP, OSPF, BGP, and IS-IS Interzone/inter-VLAN routing Link aggregation, such as Eth-trunk and LACP
High Availability	Active/active and active/standby modes Hot standby (Huawei redundancy protocol) Configuration synchronization Firewall and IPSec VPN session synchronization Device fault detection Link fault detection Dual-MPU switch-over
Virtual System	Up to 4,096 Virtual Systems (VSYS) VLAN on virtual systems Security zones on virtual systems User-configurable resources on virtual systems Inter-virtual system routing Virtual system-specific Committed Access Rate (CAR) Separate management of virtual systems
Management	Web UI (HTTP/HTTPS) CLI (console, remote login, and SSH) U2000/VSM network management system Hierarchical administrators Software upgrade Configuration rollback STelnet and SFTP
Logging/Monitoring	Structured system logs SNMPv2 Binary logs Traceroute Log server (eLog)
Certification	Safety certification Electro Magnetic Compatibility (EMC) certification CB, Rohs, FCC, MET, C-tick, and VCCI certification
User Authentication and Access Control	Built-in (internal) database RADIUS accounting Web-based authentication

Note: The list above is comprehensive and may contain features that are not available on all USG9500 appliances. View USG9500 system documentation to determine feature availability.

Networking and applications

In-line and off-line deployment of USGs at the egress of a large data center

Customer requirements

The throughput of the traditional firewall is low, and bandwidth congestion easily occurs at the egress, which affects service access. Therefore, a firewall with high throughput is required, and the line rate of the firewall needs to be extended to over 40 Gbit/s
In the case of multiple egresses, customers want to use the links with low costs to reduce operating costs
In the case of multiple tenants, customers want to isolate the services provided to each tenant. Resources can be distributed on demand
When USGs are deployed at the egress of a large Internet Data Center (IDC), customers specify high reliability requirements

Solution highlights

For high-performance link bandwidth and firewall processing capability, the USG9500 series supports a maximum of 200 Gbit/s processing capability and 80 million concurrent connections, with capacity for expansion
For tenants with multiple ISP links, load balancing can be configured based on link bandwidth or data volume — preference given to lowest cost link. Using the application identification function, flow control can be implemented for traffic, such as P2P traffic that consumes higher bandwidth
In the case of multiple tenants, a virtual system is assigned to each tenant. The bandwidth and number of sessions can be predefined for each user based on service requirements to improve the usage efficiency of key resources. Tenants are isolated from each other to ensure security
Redundant design for MPUs, SPUs, power supplies, and fans, plus support for hot standby and Hybrid Routing Protocol (HRP), provide 99.999% uptime reliability

USG protection in colleges, broadcasting & TV, & large enterprise egresses

Customer requirements

The Ministry of Industry and Information Technology (MIIT) requires that user access logs should be reserved for over 60 days. The logs can be viewed by URL, IP address, and time. Based on the Order of the Ministry of Public Security (Order No. 82), the providers of the Internet services should reserve log records for NAT users and identify the mappings between public and private network addresses based on the log records
The throughput of the traditional firewall is low, and bandwidth congestion easily occurs at the egress, which affects service access. Therefore, a firewall with high throughput is required, and the line rate of the firewall needs to be extended to over 40 Gbit/s
In the case of multiple egresses, customers want to use the links with low costs to reduce the operation cost
When USGs are deployed at the egress of a large IDC, customers require that the devices can meet the reliability requirement

Solution highlights

Provide the eSight, storage devices, and firewalls to record all NAT service traffic, implement source tracing by URL, locate the URL that a specific IP address accesses, which meets the requirements on log source tracing of Ministry of Industry and Information Technology and Ministry of Public Security. The source tracing function is implemented by firewall SPUs, and no extra source tracing board is required
To meet the requirements on the link bandwidth and firewall processing capability, deploy USG9500 series that supports a maximum of 200 Gbit/s processing capability, 80 million concurrent connections, and expansion

Ordering information

	Host
USG9520-BASE-AC-51	USG9520 AC Standard Configuration (includes X3 AC Chassis and 2 x MPU)
USG9520-BASE-DC-51	USG9520 DC Standard Configuration (includes X3 DC Chassis and 2 x MPU)
USG9560-BASE-DC-51	USG9560 DC Basic Configuration (include X8 DC Chassis, 2 x SRU, and 1 x SFU)
USG9580-BASE-DC-51	USG9580 DC Standard Configuration (includes X16 DC Chassis, 2 x MPU, and 4 x SFU)
	USG9500 SPUs
SPU-X3-40-E8KE	40G X3 Firewall Service Processing Unit
SPU-X8X16-80-E8KE	80G X8 & X16 Firewall Service Processing Unit
SPC-S-40-E8KE	40G Firewall Processing Card
SPC-D-80-E8KE	80G Firewall Processing Card
SPC-APPSEC-FW	Application Security Service Processing Card
	USG9500 Flexible Line Processing Units
E8KE-X-LPUF-101	Flexible Card Line Processing Unit (LPUF-101, 4 sub-slots)
E8KE-X-101-1X40GE-CFP	1-Port 40G Base LAN CFP Flexible Card (P101, 1/2 wide, occupies 2 sub-slots)
E8KE-X-101-5X10GE-SFP+	5-Port 10G Base LAN/WAN-SFP + Flexible Card A (P101, 1/2 wide, occupies 2 sub-slots) Spare Part
E8KE-X-101-24XGE-SFP	24-Port 100/1,000 Base-X-SFP Flexible Card (P101, 1/2 wide, occupies 2 sub-slots)
FW-LPUF-120	120G Line Processing Unit
FW-LPUF-240	Flexible Card Line Processing Unit (LPUF-240, 2 sub-slots) Spare Part
FW-6X10G-SFP+	6-Port 10G Base LAN/WAN-SFP + Flexible Card A Spare Part
FW-1X100G-CFP	1 x 100 GE CFP Daughter Card
FW-12X10G-SFP+	12-Port 10G Base LAN/WAN-SFP + Flexible Card A (P120-A) Spare Part
E8KE-X-101-1X100GE-CFP	1-Port 100G Base-CFP Integrated Line Processing Unit (LPUI-101)