USG9500 Cloud Data Center Security Gateway

At the dawn of the cloud computing era, virtualization and high-speed networks were regarded as a revolution of the Internet. With the wide application of cloud computing technology, data security has become a major concern. According to an IDG survey, 66.7% of respondents believe that security issues are the top concern for enterprises deciding whether to move their services to the cloud. To promote the cloud revolution and guarantee security in the cloud, Huawei launched the USG9500 series products for cloud data centers. The USG9500 uses a distributed hardware and software design. Its LPUs and SPUs are independent and support on-demand configuration. The USG9500 series therefore provides flexible processing capacity, diversified input/output interfaces and a large number of security services. The USG9500 offers the outstanding performance, dedicated security and dynamic policies required for a dynamic cloud computing environment. Organizations that own large-scale data centers can take advantage of the following benefits of Huawei's USG9500: greater capacity, high reliability, flexibility, security and peace of mind, all enabled by the cloud.


Advanced network processor + multi-core CPU + distributed architecture — allowing linear increase of performance

The USG9500 uses a hardware platform of the kind found in core routers to provide modularized components. Each interface module has two network processors (NPs) to provide line-rate forwarding. The SPU uses multi-core CPUs and a multi-thread architecture, and each CPU has an application acceleration engine. These hardware advantages, combined with Huawei's optimized concurrent processing technology, increase CPU capacity to ensure high-speed parallel processing of multiple services, such as NAT and VPN. LPUs and SPUs function separately. Overall performance increases linearly with the addition of SPUs, so customers can easily scale up performance at a low cost.



High firewall performance — ensuring mission-critical services

With its redesigned system architecture, the USG9500 security gateway series has the industry's highest firewall throughput and the most concurrent connections. With dedicated traffic splitting technology, the overall performance of the USG9500 increases linearly with the addition of SPUs. The USG9500 delivers a maximum of 960 Gbps large-packet throughput, 960 million concurrent connections, and 4096 virtual firewalls. This industry-leading performance can meet the demands of high-end customers, such as television and broadcast systems, government agencies, energy companies, and education organizations.



Stable and reliable security gateway — full redundancy ensuring service continuity

Network security is a key point in enterprise operations. To ensure service continuity on a high-speed network, the USG9500 supports active/standby and active/active redundancy, port aggregation, VPN redundancy, and SPU load balancing. The USG9500 also supports dual-MPU active/standby switchover to provide high availability. The mean time between failures (MTBF) of the USG9500 is up to 200,000 hours, and the failover time is less than one second. These features ensure service continuity.



Excellent VPN performance — meeting the needs for massive encryption

More and more services, such as mobile access, short message notification, and push mail, require secure data transmission over the Internet. To meet these needs, a VPN gateway that supports hundreds of thousands of connections is required. The USG9500 supports VPN gateway redundancy, up to 500 Gbps encryption performance, and 960,000 concurrent VPN tunnels, which are the industry's highest standards. The USG9500 supports 4over6 and 6over4 VPN technologies to deal with the evolution from IPv4 to IPv6. The USG9500 also supports IKEv2, provides improved user authentication, packet authentication, and NAT traversal functions, and prevents attacks such as man-in-the-middle attacks and denial of service (DoS) attacks. The USG9500 also supports Extensible Authentication Protocol for GSM Subscriber Identity Module (EAP-SIM) and Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA) authentication to protect wireless networks.



Practical IPS feature — defending against external threats and promoting network security

The performance of an Intrusion Prevention System (IPS) relies on detection engine performance, signature identification ratio, and processing capacity. With the advanced IPS detection engine and mature signature database, the USG9500 defends against various threats, including unauthorized automatic downloads, spoofing software, spyware/adware, abnormal protocols, P2P anomalies, and exploits that target system vulnerabilities. A single vulnerability-based signature covers thousands of attacks that target the vulnerability. Supplemented with the globally deployed honeypot system, the USG9500 can capture the latest attacks, worms, and Trojan horses, thereby providing zero-day attack defense capability. Moreover, to improve real-world IPS performance, the USG9500 uses an internal off-line design and "one board one feature" technology to direct the traffic to be inspected by the IPS to a dedicated module. This method improves IPS performance without compromising basic firewall performance.



Comprehensive CGN Features — addressing the transition from IPv4 to IPv6

IPv4 addresses are already exhausted and the Internet is smoothly evolving from IPv4 to IPv6. To meet the needs of this transition, the USG9500 supports NAT44 (4), DS-Lite, 6RD, and NAT64, thereby providing an effective, flexible, reliable, and cost-effective transition solution for carriers. NAT44 (4) enables high utilization of IPv4 addresses to counter their exhaustion; DS-Lite allows IPv4 applications to be used on newly established IPv6 networks; 6RD provides efficient IPv6 access; and NAT64 enables an IPv6 network to communicate with an IPv4 network. The NAT44 and DS-Lite functions support NAT tracing.



Enriched virtualization — adapting to cloud networks

Cloud computing, which relies on virtualization and high-speed network connections, faces security challenges. The USG9500 delivers high throughput and enriched virtual system functions, including resource, configuration, and management virtualization, to meet the requirements of different customers. Resource virtualization manages virtual host resources based on quotas; management virtualization supports user-defined policies, log management, and auditing for each virtual firewall; and forwarding virtualization enables customized service processing.


Model | USG9520 | USG9560 | USG9580

Performance and Capacity
Firewall throughput (maximum) | 80 Gbps | 480 Gbps | 960 Gbps
Firewall throughput (composite traffic) | 80 Gbps | 480 Gbps | 960 Gbps
Maximum number of concurrent sessions | 80 million | 480 million | 960 million
IPSec VPN performance (3DES) | 48 Gbps | 240 Gbps | 500 Gbps
IPSec VPN performance (AES) | 48 Gbps | 240 Gbps | 500 Gbps
Maximum number of concurrent IPSec VPN tunnels | 128,000 | 640,000 | 1,000,000

Expansion and I/O
Expansion slots | 3 SPU and LPU slots | 8 SPU and LPU slots | 16 SPU and LPU slots
Number of MPU slots | 2 | 2 | 2
Interface module types (all models) | 12 x GE SFP, 12 x GE RJ45, 1 x 10GE XFP, 4 x 10GE XFP, 20 x GE SFP, 2 x 10GE XFP, 4 x 10GE XFP, etc.
Security Functions

BASIC FIREWALL
  • Routing/Transparent/Composite mode
  • State validation detection
  • Blacklist and whitelist
  • Access control
  • ASPF (Application Specific Packet Filter)
  • Security zone division

NAT/CGN
  • Destination NAT/PAT
  • NAT No-PAT
  • Source NAT IP address persistency
  • Source IP address pool grouping
  • NAT Server
  • Bidirectional NAT
  • NAT-ALG (Application Layer Gateway)
  • Unlimited IP address expansion
  • Policy-based destination NAT
  • Pre-allocated port range
  • Hairpinning mode
  • SMART NAT
  • NAT64
  • DS-Lite
  • 6RD (IPv6 Rapid Deployment)

SERVICE AWARENESS
  • Identify and control over 1,200 applications: P2P, IM, game, stock, VoIP, video, media stream, mail, mobile, web browsing, remote access, network management, news, etc.

VIRTUAL PRIVATE NETWORK (VPN)
  • DES, 3DES, and AES encryption
  • MD5 and SHA-1 authentication
  • Manually configured key, PKI (X.509), and IKEv2
  • Perfect forward secrecy (DH group)
  • Anti-replay
  • Remote VPN access
  • IPSec NAT traversal
  • Dead Peer Detection
  • EAP authentication
  • VPN gateway redundancy
  • IPSec v6, IPSec 4 over 6, IPSec 6 over 4
  • L2TP tunnel
  • GRE tunnel

PKI
  • PKI certificate requests (PKCS #10)
  • Certificate authority (CA)
  • PKI authentication: EAP-SIM, EAP-AKA
  • PKI protocols: SCEP, OCSP, CMPv2
  • Self-signed certificate

INTRUSION PREVENTION SYSTEM
  • Protocol anomaly support
  • Custom signature support
  • Automatic attack database update
  • Defends against worms, zero-day attacks, Trojan horses, and malware

ANTI-DDOS
  • SYN flood, ICMP flood, TCP flood, UDP flood, DNS flood, etc.
  • Port scan, Smurf, Teardrop, IP sweep, etc.
  • IPv6 extension header defense
  • TTL detection
  • TCP MSS detection
  • Attack log output

HIGH AVAILABILITY
  • Active-Active, Active-Standby
  • Stateful failover (Huawei Redundancy Protocol)
  • Configuration synchronization
  • Firewall and IPSec VPN session synchronization
  • Device fault detection
  • Link fault detection
  • Dual main board switchover

NETWORKING/ROUTING
  • POS/GE/10GE link support
  • DHCP relay/server
  • Policy-based routing
  • Dynamic routing for IPv4/IPv6 (RIP/OSPF/IS-IS/BGP)
  • Multi-zone support
  • Routing between zones/VLANs
  • Multi-link aggregation (Eth-Trunk, LACP)

VIRTUAL FIREWALLS
  • 4096 virtual firewall (VFW) definitions
  • VLAN virtualization
  • Security zone virtualization
  • User-defined virtual resources
  • Routing between VFWs
  • VFW-based traffic CAR

MANAGEMENT
  • Web UI (HTTP and HTTPS)
  • CLI (console/Telnet/SSH)
  • U2000/VSM network management
  • Hierarchical administrators
  • Software upgrade
  • Configuration rollback

MONITORING
  • Structured syslog
  • SNMP (v2)
  • Binary log
  • Trace route
  • Log server (eLog)
Dimensions, Power Supply, and Operating Environment

Model | USG9520 | USG9560 | USG9580
Dimensions (H x W x D, mm) | 175 x 442 x 650 (4U DC model); 220 x 442 x 650 (5U AC model) | 620 x 442 x 650 | 1420 x 442 x 650
Weight | DC: base chassis 33 lbs (15 kg), fully configured chassis 70.5 lbs (32 kg); AC: base chassis 55.1 lbs (25 kg), fully configured chassis 92.5 lbs (42 kg) | Empty chassis: 43.2 kg; full configuration: 113 kg | Empty chassis: 94.4 kg; full configuration: 229 kg
AC power supply (all models) | 90 V AC to 275 V AC; 175 V AC to 275 V AC (recommended)
DC power supply (all models) | -38 V to -72 V; rated -48 V
Maximum power consumption | 1270 W | 3960 W | 7540 W
Operating temperature (all models) | Long term: 0 °C to 45 °C; storage: -40 °C to +70 °C
Ambient humidity (all models) | Long term: 5% RH to 85% RH, non-condensing; short term: 5% RH to 95% RH, non-condensing; storage: 0% RH to 95% RH, non-condensing
Certification | Safety certification, EMC, CB, RoHS, FCC, MET, C-tick, VCCI

Note: The list above is comprehensive and may contain features which are not available on all USG9500 appliances. Consult USG9500 system documentation to determine feature availability.


Part number | Description
USG9520-BASE-DC-V3 | USG9520 DC Basic Configuration (include X3 DC Chassis, 2*MPU)
USG9520-BASE-AC-V3 | USG9520 AC Basic Configuration (include X3 AC Chassis, 2*MPU), with HW General Security Platform Software
USG9560-BASE-DC-V3 | USG9560 DC Basic Configuration (include X8 DC Chassis, 2*SRU, 1*SFU), with HW General Security Platform Software
USG9560-BASE-AC-V3 | USG9580 DC Standard Configuration (include X16 DC Chassis, 2*MPU, 4*SFU), with HW General Security Platform Software
SPU-X3-20-O-E8KE | 20G X3 Firewall Service Processing Unit (oversea), with HW General Security Platform Software
SPU-X8X16-20-O-E8KE | 20G X8&X16 Firewall Service Processing Unit (oversea), with HW General Security Platform Software
FWCD0LPUKD01 | Flexible Card Line Processing Unit (LPUF-21, 2 Sub-Slots) B, With HS General Security Platform Software
FWCD00L1XX01 | 1-Port 10GBase WAN/LAN XFP Flexible Interface Daughter Card
FWCD00EBGF01 | 12-Port 100/1000Base-X SFP Flexible Interface Daughter Card
FWCD00EBGE01 | 12-Port 10/100/1000Base-TX RJ45 Flexible Interface Daughter Card
FWCD0LPUND01 | Flexible Card Line Processing Unit (LPUF-40, 2 sub-slots) A, with HS General Security Platform Software
FWCD00L2XX01 | 2-Port 10GBase LAN/WAN-XFP Flexible Card (P40)
FWCD00EFGF01 | 20-Port 100/1000Base-X-SFP Flexible Card (P40)

Security Defense in Large IDC


The USG9500 ensures the security and stability of IDC services and delivers the following functions:

  • Security policies, such as blacklists, to filter suspicious IP addresses.
  • Intrusion prevention to perform in-depth traffic detection and block attack traffic as soon as an attack is detected. This function effectively defends against application-layer attacks.
  • Virtual firewalls to separate virtual systems from Layer 2 to Layer 7 as needed.
  • Resource pre-allocation to control the inbound and outbound traffic and the number of session connections of each virtual firewall; public IP address-based traffic restriction can be configured to prevent one IP address from occupying too much bandwidth.

Egress of the Campus Network


The USG9500 is deployed at the egress of the campus network and delivers the following functions:

  • Dual stack for IPv4 and IPv6.
  • Traffic policies that direct different traffic over different routes.