
HUAWEI USG6000 Next-Generation Firewall

V100R001
Product Description

Issue 01

Date 2014-10-20

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com

Huawei Proprietary and Confidential


Issue 01 (2014-10-20) i
Copyright Huawei Technologies Co., Ltd.
HUAWEI Secospace USG6000 Unified Security
Gateway
Product Description About This Document

About This Document

Product Version
The following table lists the product versions of this document.

Product Name: USG6000 series. The series has the following models: USG6300, USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6500, USG6530, USG6550, USG6570, USG6600, USG6620, USG6630, USG6650, USG6660, USG6670, USG6680
Product Version: V100R001C20SPC200

Intended Audience
This document describes the product positioning and highlights, typical networking and
application scenarios, software and hardware architecture, functions and features, standards,
and technical specifications of the USG6000. This document helps you to quickly familiarize
yourself with the product.
This document is intended for administrators who configure and manage the NGFW. The
administrators must have good Ethernet knowledge and network management experience.
This document is intended for administrators who configure and manage NGFW. The
administrators must have good Ethernet knowledge and network management experience.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description
(symbol graphic) Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
(symbol graphic) Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
(symbol graphic) Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
(symbol graphic) Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
(symbol graphic) Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.

Updates in Issue 01 (2014-10-20) of Product Version V100R001C20SPC200


Initial commercial release.


Contents

About This Document  ii

1 Product Positioning and Features  1
1.1 New Threats on Networks  1
1.2 USG6000 Highlights  2
1.3 USG6000 Features  3

2 Application Scenarios  6
2.1 Border Protection for Medium- and Large-sized Enterprises  7
2.2 Intranet Control and Security Isolation  8
2.3 Data Center Border Protection  9
2.4 VPN Remote Access and Mobile Working  11
2.5 Cloud Computing Gateway  12
2.6 Agile Network  13

3 Product Architecture  17
3.1 Hardware Architecture  17
3.1.1 USG6310  17
3.1.2 USG6320  18
3.1.3 USG6330/6350/6360  19
3.1.4 USG6370/6380/6390  21
3.1.5 USG6530  23
3.1.6 USG6550/6570  25
3.1.7 USG6620/6630  27
3.1.8 USG6650/6660  29
3.1.9 USG6670  32
3.1.10 USG6680  35
3.2 Software Architecture  38

4 Product Functions  41
4.1 USG6000 Functions  42
4.2 Advanced Content Security Defense  47
4.2.1 Unified Detection Mechanism  47
4.2.2 SSL Decryption  48
4.2.3 Antivirus  49
4.2.4 Intrusion Prevention System (IPS)  50
4.2.5 Data Leakage Prevention  51
4.2.6 Web Security Defense  53
4.2.7 Application Behavior Control  54
4.2.8 Anti-Spam  54
4.3 Flexible User Management  55
4.4 Complete Security Functions Inherited from Traditional Firewalls  56
4.5 Granular Traffic Management  58
4.6 Support for Various Routing and Switching Protocols  59
4.7 Intelligent Route Selection Policy  63
4.8 Support for IPv6  66
4.9 Diversified VPN Access Modes  68
4.10 High Availability Mechanism  72
4.11 Easy-to-Use Virtual System  75
4.12 Visualized Device Management and Maintenance  76
4.13 Diversified Logs and Reports  77
4.14 Device Security Protection  79

5 Technical Specifications  81
5.1 Hardware Specifications  81
5.1.1 USG6310  81
5.1.2 USG6320  83
5.1.3 USG6330/6350/6360  84
5.1.4 USG6370/6380/6390  86
5.1.5 USG6530  88
5.1.6 USG6550/6570  90
5.1.7 USG6620/6630  92
5.1.8 USG6650/6660  94
5.1.9 USG6670  97
5.1.10 USG6680  99
5.2 Standards and Protocols  101


1 Product Positioning and Features

About This Chapter


This chapter describes the positioning and features of the NGFW.
1.1 New Threats on Networks
This section describes new threats and security risks on new network environments.
1.2 USG6000 Highlights
This section describes how the USG6000 deals with new network threats.
1.3 USG6000 Features
This section describes the functions and designs of the USG6000.

1.1 New Threats on Networks

This section describes new threats and security risks on new network environments.
Diversified new applications bring about a convenient cyber life as well as more security risks.
- The identity of a user at an IP address is unclear.
  On new networks, attackers easily manipulate zombie hosts to use legitimate IP addresses. Attackers can then launch network attacks or forge source IP addresses for spoofing and obtaining permissions. The source IP address of a packet therefore does not represent the user identity.
  In addition, teleworking and mobile working have emerged. The IP address of a user may change at any time. Traffic control by IP address cannot accommodate new network requirements.
- The port and protocol of an application are not fixed.
  Traditional network services run on fixed ports. For example, HTTP runs on port 80, and FTP runs on ports 20 and 21. On new networks, ephemeral ports that are not assigned by the Internet Assigned Numbers Authority (IANA) and random ports (for example, P2P ports) are frequently used by network applications. These applications are hard to control, exhaust bandwidth, and even cause network congestion.
  Meanwhile, more and more unfixed services start to use well-known ports. With the development of web page technologies, more and more services with different risk levels run on ports 80 and 443 using HTTP and HTTPS, for example, WebMail, web gaming, video streaming, and web chats.
- The packet content is uncertain.
  Single-packet detection analyzes only the security of individual packets. This mechanism cannot defend against viruses or Trojan horses during Internet access. Intranet hosts may accidentally introduce worms, Trojan horses, and viruses, which result in information leaks and losses. Therefore, network security management must identify and monitor traffic contents, in addition to controlling traffic based on the source and destination IP addresses.
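As an added illustration of the port-versus-payload argument in this section (example code written for this edit, not part of the Huawei document or the USG6000 software; the flows, addresses and signatures are constructed), the following compares a port-table classifier with a first-packet signature classifier over a few sample flows and extracts the HTTP method and Host header where a flow turns out to be HTTP:

```python
"""Why ports no longer identify applications: port-based vs. signature-based
flow classification. Added example, not Huawei code; the sample flows and the
small signature set below are constructed for the example. A real NGFW
signature database is far larger than these five patterns.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A client-to-server flow with the first payload bytes the client sent."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Traditional mapping: destination port -> assumed application (the IANA ports
# named in the text, plus SSH for contrast; 443 is labelled "tls" here).
PORT_TABLE = {20: "ftp-data", 21: "ftp", 22: "ssh", 80: "http", 443: "tls"}


def classify_by_port(flow: Flow) -> str:
    """The traditional firewall view: trust the destination port."""
    return PORT_TABLE.get(flow.dport, "unknown")


# Constructed payload signatures on the first client bytes. Each pattern is
# anchored at offset 0, so the decision is made on the first data packet.
SIGNATURES = [
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record header: type 0x16 (handshake), version 0x03 0x00-0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("ftp", re.compile(rb"^USER \S+\r\n")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]


def classify_by_signature(flow: Flow) -> str:
    """The NGFW view: identify the application from what the bytes say."""
    for name, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return name
    return "unknown"


def http_behavior(flow: Flow) -> Optional[dict]:
    """For flows identified as HTTP, return the method and Host header so a
    policy can act on the web application and behaviour (e.g. an HTTP POST
    upload to a webmail host) rather than on 'port 80'."""
    if classify_by_signature(flow) != "http":
        return None
    head, _, _ = flow.payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0].decode("ascii", "replace")
    host = None
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return {"method": method, "host": host}


def find_mismatches(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Flows where port and payload disagree: exactly the traffic that a
    port-only policy would misclassify."""
    return [
        (f, classify_by_port(f), classify_by_signature(f))
        for f in flows
        if classify_by_port(f) != classify_by_signature(f)
    ]


# Constructed sample flows (addresses and payloads invented for the example).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,          # ordinary web browsing
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.6", "203.0.113.20", 80,          # P2P hiding on a well-known port
         b"\x13BitTorrent protocol\x00\x00\x00\x00\x00\x10\x00\x05"),
    Flow("10.0.0.7", "203.0.113.30", 8081,        # HTTP upload on an unassigned port
         b"POST /upload HTTP/1.1\r\nHost: webmail.example.net\r\n\r\nname=report.pdf"),
    Flow("10.0.0.8", "203.0.113.40", 443,         # SSH on the HTTPS port
         b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.9", "203.0.113.50", 443,         # genuine TLS ClientHello on 443
         b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
]

if __name__ == "__main__":
    for flow, by_port, by_sig in find_mismatches(SAMPLE_FLOWS):
        print(f"{flow.dst}:{flow.dport} port says {by_port!r}, payload says {by_sig!r}")
    for flow in SAMPLE_FLOWS:
        info = http_behavior(flow)
        if info:
            print(f"{flow.dst}:{flow.dport} HTTP {info['method']} to host {info['host']}")
```

Three of the five constructed flows are misclassified by the port table alone; the signature pass also lets the HTTP POST to the webmail host be distinguished from plain browsing, which is the behaviour-level control the highlights in 1.2 refer to.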

1.2 USG6000 Highlights

This section describes how the USG6000 deals with new network threats.
The next-generation firewall addresses the new threats posed by new networks as follows:
- Uses signatures and features instead of ports and protocols to define applications and identify the actual attributes of packets and security risks.
- Integrates the Service Awareness (SA) function and employs dedicated hardware systems to inspect the actual applications and contents of packets.
- Integrates the Intrusion Prevention System (IPS) function to ensure high performance in threat identification and blocking.
- Provides comprehensive visualized management, audit, and report functions for a network administrator to learn the actual network status.
The Huawei USG6000 series uses the next-generation firewall features to address new threats as follows:
- Security feature: The USG6000 inherits and improves traditional security functions to effectively identify applications and defend against application-layer threats and attacks.
- Performance: The Intelligent Awareness Engine (IAE) inspects packets once and extracts all information needed for subsequent policy matching processes for data security, increasing processing efficiency.
- Control dimension: The USG6000 controls services by user, application, content, and quintuple (source/destination IP address, source/destination port, and service).
- Detection granularity: The USG6000 provides flow-based detection and real-time monitoring. It also supports cache-free technologies to detect applications, intrusion behaviors, and virus-infected fragments and packets. This improves the security of network access.
- Cloud computing and data center: The USG6000 virtualizes route forwarding, configuration management, and security services to provide comprehensive defense capabilities for the cloud computing and data center.
The USG6000 can be deployed to bring about significant benefits:
- The USG6000 reuses the original employee management system of an enterprise to implement user-based traffic detection and control.
- An individual USG6000 is highly integrated and offers high performance to defend against network threats, which greatly reduces Total Cost of Ownership (TCO).
- The unified detection mechanism improves network security without significantly delaying or otherwise affecting the transmission of network traffic, ensuring a good user experience.
- The USG6000 enables visualized management over applications and contents to improve management efficiency, help enterprises carry out services securely, and obtain more benefits.

1.3 USG6000 Features

This section describes the functions and designs of the USG6000.

New 10-Gigabit Multi-Core Hardware Platform

The USG6000 provides the following features:
- High performance using a new, 10-Gigabit, multi-core hardware platform
- High slot density and diversified interface cards to process massive services
- Key component redundancy, mature link switchover, and electrical built-in bypass cards to deliver a long Mean Time Between Failures (MTBF) and build a sustainable working environment for users

Professional Content Security Defense

The USG6000 provides the following to maintain professional content security defense:
- Unified detection mechanism to ensure highly efficient Service Awareness (SA). Based on the predefined signature database and the IAE, the USG6000 identifies more than 6000 common applications and multi-channel applications.
- SSL decryption. The NGFW can decrypt SSL traffic and perform content security checks on the decrypted traffic.
- Antivirus (AV). The USG6000 identifies more than 5,000,000 common viruses.
- Intrusion Prevention System (IPS). The USG6000 detects and defends against thousands of intrusion behaviors, worms, Trojan horses, and botnets.
- URL filtering. The USG6000 blocks connections to HTTP and HTTPS URLs as configured. URLs and URL categories can be deployed locally or on a remote real-time query server.
- Content filtering. The USG6000 filters the packets of common file transfer protocols and mail protocols based on keywords in files and mails.
- File blocking. The USG6000 filters the packets of common file transfer protocols and mail protocols based on file types.
- Application behavior control. The USG6000 supports connection control by application to disable unwanted applications. It controls common HTTP and FTP application behaviors, such as file upload and download through HTTP/FTP, HTTP POST, web page browsing, and HTTP proxy.
- Mail filtering. The USG6000 interworks with the Real-time Blacklist (RBL) server to block spam. It filters mails by receiver address, sender address, subject, body, attachment name, attachment content, or attachment size.


Integration of Security, Routing, and VPN Services

The USG6000 provides the following to integrate security, routing, and VPN services:
- Powerful content security capabilities. The USG6000 analyzes the contents transmitted by applications and detects intrusion behaviors, viruses, files, URLs, and confidential information. The administrator can formulate security policies for various services and perform global configurations based on flows, which greatly improves management efficiency.
- All-round traditional firewall security functions. The USG6000 inherits all network-layer security functions of traditional firewalls to easily cope with network-layer attacks or threats.
- Support for various routing and switching protocols. The USG6000 applies to various network environments, and can replace existing routers or firewalls or be transparently connected to the existing network.
- Diversified VPN access modes. The USG6000 supports multiple VPN access modes such as IPSec, L2TP, GRE, SSL VPN, and DSVPN for secure connections between the headquarters, branches, partners, and mobile workers on the Internet to provide low-cost VLAN solutions.
- Highly integrated services that construct an E2E secure network environment for the enterprise

Refined Management by Application and User

The USG6000 provides the following to refine management by application and user:
- Managing users locally, maintaining the organizational structure, and implementing centralized management over VPN or PPPoE users
- Interworking with common user servers such as Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS), Huawei Terminal Access Controller Access Control System (HWTACACS), Lightweight Directory Access Protocol (LDAP), SecurID, and TSM servers to import user information and implement proxy authentication
- Pushing web pages for user authentication, or collaborating with the AD server to synchronize information about online users promptly
- Single Sign-On (SSO) that simplifies configurations and user logins without increasing security risks
- Applying security policies to authenticated users for managing traffic by user and application

Visualized Management and Diversified Logs and Reports

The USG6000 provides the following to implement visualized management:
- New web UI for the administrator to rapidly configure, manage, maintain, commission, and troubleshoot the device
- Multiple management modes such as web UI, CLI (console, Telnet, or SSH), and NMS (SNMP)
- Multiple log types such as the traffic log, threat log, URL log, content log, mail filtering log, operation log, system log, user activity log, and policy matching log for the administrator to learn about network events
- Multiple report formats such as the traffic report, threat report, application report, URL report, and user report for the administrator to gain visibility into the network traffic status and security defense effect

Carrier-Class Reliability
The USG6000 provides carrier-class reliability as follows:
- Huawei has used its considerable telecommunications experience to develop the USG6000. The USG6000 provides various carrier-class reliability technologies at the hardware, software, and link layers to ensure high availability. The USG6000 supports technologies such as dual-system hot backup, fault detection, power supply redundancy, and hardware bypass.
- Based on multiple reliability technologies, the traffic direction is changed in time upon a device fault to ensure normal transmission.

Flexible Scalability
The USG6000 provides flexible scalability with the following features:
- Multiple expansion interface card slots for enhancing hardware forwarding capabilities and device performance
- Key content security components such as the IAE, application signature database, antivirus signature database, threat signature database, RBL query server, and URL category database. These components can be updated or queried online to ensure that the USG6000 can cope with the latest security risks.
- Virtual system. A physical device is divided into multiple virtual devices. Each is independent and locally isolated to implement system-level expansion, and each meets the requirements of device leasing and cloud computing.


2 Application Scenarios

About This Chapter


This chapter describes typical networking and application scenarios of the NGFW.
2.1 Border Protection for Medium- and Large-sized Enterprises
This section describes how to use the USG6000 as the egress gateway of a medium- or
large-sized enterprise to ensure network security.
2.2 Intranet Control and Security Isolation
This section describes how to deploy the USG6000 on the intranet to isolate networks and
implement refined control over intranet traffic.
2.3 Data Center Border Protection
An Internet Data Center (IDC) is an infrastructure, together with its maintenance services, for collecting, storing, processing, and sending data on the Internet. An IDC is built by a network service provider to offer server hosting and virtual domain name services to small and medium-sized enterprises and individual customers.
2.4 VPN Remote Access and Mobile Working
Secure and low-cost remote access and mobile working can be implemented through VPN
technologies.
2.5 Cloud Computing Gateway
The USG6000 can function as the cloud computing gateway on the cloud computing network.
2.6 Agile Network
The agile network is a new enterprise networking solution for legacy enterprise networks. It is
easier, more flexible, and faster in configuration, maintenance, and service response compared
with traditional enterprise networks.


2.1 Border Protection for Medium- and Large-sized Enterprises

This section describes how to use the USG6000 as the egress gateway of a medium- or large-sized enterprise to ensure network security.
A medium- or large-sized enterprise has the following service features:
- Large number of employees, complex services, and various flows
- Services available to external users, for example, website and mail services
- Exposure to DDoS attacks and great losses after the attacks succeed
- High requirements on device reliability for service continuity when traffic is heavy or the device is faulty
The USG6000 works as the egress gateway of a medium- or large-sized enterprise to cope with the issues listed in this section. Figure 2-1 shows the typical application scenario.

Figure 2-1 Typical networking of border protection for large and medium-sized enterprises

You can set up border protection for large and medium-sized enterprises as follows:
- Divide the network where employees reside, the network where servers reside, and the Internet into different security zones to detect and protect flows among security zones.
- Enable the content security defense function according to the services to be provided for external users. For example, you can enable file and data filtering for the file server in Figure 2-1, mail filtering for the mail server, and antivirus and intrusion prevention for all servers.
- When intranet users access the Internet, enable the following to defend against Internet threats and prevent information leaks to ensure network security:
  - URL filtering, file blocking, and data filtering
  - Antivirus
  - Application behavior control
- Establish VPN tunnels between the USG6000, mobile workers, and branches to protect service data during transmission over the Internet.
- Enable the anti-DDoS function to defend against heavy-traffic attacks launched by Internet hosts to ensure the normal operation of services.
- Apply bandwidth policies to traffic between the intranet and the Internet to control the bandwidth and number of connections to avoid network congestion and defend against DDoS attacks.
- Deploy the eSight network management system (to be purchased independently) to log network operation. The logs help the administrator adjust configurations, audit traffic, and identify risks.
- Deploy a dual-system hot backup network to improve availability. When a single-point failure occurs, service traffic can be smoothly switched from the active device to the standby device to ensure continuity.

2.2 Intranet Control and Security Isolation


This section describes how to deploy the USG6000 on the intranet to isolate networks and
implement refined control over intranet traffic.
Within the medium- or large-sized enterprise, security levels are assigned to the subnets of the
intranet. For example, the USG6000 isolates the R&D network, production network, and
marketing network and monitors traffic among the networks to:
Take different security policies for networks based on their features and risks.
Control traffic among the networks to avoid information leaks.
Isolate networks to prevent the spread of viruses.
Divide networks to reduce detection load and improve detection efficiency for network
connectivity. Most traffic is generated within one network and the traffic within one
network does not require much intervention.
The USG6000 can meet these requirements. Figure 2-2 shows the typical application
scenario.


Figure 2-2 Typical networking of intranet control and security isolation

You can set up intranet control and security isolation as follows:


Deploy one or more USG6000s on the intranet to function as the border gateways of
different networks to isolate the networks.
Establish a user management system to control user rights on accessing intranet hosts.
Add networks of the same security level into the same security zone and configure
security functions. For example, R&D departments 1 and 2 belong to security zone
Research, and the packet filtering, blacklist and whitelist, and antivirus functions can be
applied between the two networks.
Add networks of different security levels into different security zones and configure
security functions according to actual service requirements. For example, only some
R&D hosts can access the marketing department, and the antivirus, file blocking, and
data filtering functions are applied between the Research zone and the Marketing,
Production, and Server zones.
Apply bandwidth policies to security zones to control the bandwidth and number of
connections to avoid intranet congestion.
Apply intrusion prevention, antivirus, file blocking, data filtering, application behavior
control, and URL filtering functions between the intranet security zones and the Internet.
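The zone model above (R&D 1 and 2 sharing zone Research, only some R&D hosts reaching Marketing, content security on the permitted interzone paths) can be checked against sample flows with a small policy evaluator. This is an added example, not Huawei code or CLI: the zone address ranges, the permitted host range 10.1.0.0/28 and the profile names are constructed assumptions.

```python
"""Zone-based policy evaluation for the intranet isolation scenario.

Added example, not Huawei code. Zone membership, the permitted R&D host
range and the profile names are constructed assumptions that mirror the
text: R&D 1 and 2 share zone Research, only some R&D hosts may reach
Marketing, and content security is applied on the permitted interzone paths.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                 # "permit" or "deny"
    src_nets: tuple = ()        # empty = any source inside src_zone
    profiles: tuple = ()        # content-security profiles applied on permit


# Constructed zone membership: two R&D departments in one zone Research.
ZONES = {
    "Research": (ipaddress.ip_network("10.1.0.0/24"),    # R&D department 1
                 ipaddress.ip_network("10.1.1.0/24")),   # R&D department 2
    "Marketing": (ipaddress.ip_network("10.2.0.0/24"),),
    "Production": (ipaddress.ip_network("10.3.0.0/24"),),
    "Server": (ipaddress.ip_network("10.10.0.0/24"),),
}

# Rules are matched top-down; the first match wins.
RULES = (
    # Intrazone Research: R&D 1 and R&D 2 may talk, but the traffic is still
    # checked (packet filtering, blacklist/whitelist, antivirus).
    Rule("Research", "Research", "permit",
         profiles=("blacklist-whitelist", "antivirus")),
    # Only the constructed host range 10.1.0.0/28 may reach Marketing, with
    # antivirus, file blocking and data filtering applied.
    Rule("Research", "Marketing", "permit",
         src_nets=(ipaddress.ip_network("10.1.0.0/28"),),
         profiles=("antivirus", "file-blocking", "data-filtering")),
    # Research to Production and Server: same content-security profiles
    # (assumed here to be open to every R&D host).
    Rule("Research", "Production", "permit",
         profiles=("antivirus", "file-blocking", "data-filtering")),
    Rule("Research", "Server", "permit",
         profiles=("antivirus", "file-blocking", "data-filtering")),
)


def zone_of(ip: str):
    """Return the zone an address belongs to, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return None


def evaluate(src_ip: str, dst_ip: str):
    """Return (action, matched_rule, profiles) for a flow.

    Anything the rules do not explicitly permit is denied, including flows
    whose endpoints fall outside every configured zone (fail closed).
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", None, ())
    addr = ipaddress.ip_address(src_ip)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.src_nets and not any(addr in net for net in rule.src_nets):
            continue
        profiles = rule.profiles if rule.action == "permit" else ()
        return (rule.action, rule, profiles)
    return ("deny", None, ())   # default interzone policy: deny


if __name__ == "__main__":
    for src, dst in [("10.1.0.5", "10.1.1.9"), ("10.1.0.5", "10.2.0.10"),
                     ("10.1.0.200", "10.2.0.10"), ("10.2.0.10", "10.1.0.5")]:
        action, _, profiles = evaluate(src, dst)
        print(f"{src} -> {dst}: {action} {list(profiles)}")
```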

2.3 Data Center Border Protection


Internet Data Center (IDC) is an infrastructure that involves maintenance services to collect,
store, process, and send data on the Internet. The IDC is constructed by a network server
provider to provide the server hosting and virtual domain name services for small and
medium-sized enterprises and individual customers.


The network structure of the IDC has the following features:


Provides network services for external users, which is the key function of the IDC. The
normal access from the Internet to servers in the IDC must be guaranteed. Therefore, the
border protection device must have high performance and reliability and ensure network
access when attacks are launched on the IDC.
Protects servers in the IDC and applies security functions according to the service type.
Servers of multiple enterprises may be deployed in one IDC, which makes the IDC an
attractive target for attackers.
The IDC traffic is complex. Without clear visibility into the traffic, the administrator
cannot adjust configurations effectively.
The USG6000 works as the border gateway of an IDC to address these issues.
Figure 2-3 shows the typical application scenario.

Figure 2-3 Typical networking of data center border protection

You can set up border protection for data centers as follows:


Enable the traffic statistics function to collect statistics on traffic by IP address, user, and
application to formulate security policies.
Apply traffic limiting on the basis of the IP address and application to ensure stable
operation of servers and avoid network congestion.
Enable the intrusion prevention and antivirus functions to protect servers from viruses,
Trojan horses, and worms.
Enable the anti-DDoS and other attack defense functions to defend against attacks from
the Internet.
Enable the mail filtering function to protect mail servers on the intranet from the spam
and prevent the servers from being blacklisted by anti-spam organizations due to
unintentional spam forwarding.
Enable file blocking and data filtering to prevent information leaks.


Deploy the eSight network management system (to be purchased independently) to log
network operation. The logs help the administrator adjust configurations, identify
risks, and check traffic.
Deploy the dual-system hot backup network to improve availability. When a single-point
failure occurs, service traffic can be smoothly switched from the active device to the
standby device to ensure continuity.

2.4 VPN Remote Access and Mobile Working


Secure and low-cost remote access and mobile working can be implemented through VPN
technologies.
Remote access and mobile working have the following features:
Branches need access to the headquarters.
Partners must be flexibly authorized to limit the accessible network resources and
transmittable data types according to the services.
Employees on the move need to be connected anywhere, anytime, and at any IP address.
In addition, employees on the move are not protected by information security measures.
Enterprises must implement strict access authentication on these employees and
accurately control their accessible resources and permissions.
Enterprises must implement encryption protection on data transferred during remote
access communications to prevent network eavesdropping, tampering, forgery, and
replay as well as information leaks.
The USG6000 works as the VPN access gateway of an enterprise to cope with the issues
listed in this section. Figure 2-4 shows the typical application scenario.

Figure 2-4 Typical networking of VPN remote access and mobile working

You can set up VPN remote access and mobile working as follows:
Establish IPSec or L2TP over IPSec permanent tunnels for the branches and partners
with fixed VPN gateways. If access account verification is required, the L2TP over
IPSec tunnel is recommended.


Apply SSL VPN technologies to employees on the move (with unfixed addresses). No
VPN client installation is required: these employees need only a web browser to
establish tunnels with the headquarters, which is convenient. Meanwhile, the resources
accessible to the employees on the move are controlled in a refined manner.
Use IPSec or SSL encryption to protect the data carried in these tunnels.
Apply access authentication on the access users of VPN tunnels to ensure user
legitimacy and apply access authorization on the basis of user permissions.
Enable the intrusion prevention, antivirus, file blocking, data filtering, and anti-DDoS
functions to prevent remote access users from introducing network threats as well as
information leaks.
Enable the user behavior audit function to discover risks promptly for future tracking.

2.5 Cloud Computing Gateway


The USG6000 can function as the cloud computing gateway on the cloud computing network.
Cloud computing can be applied in multiple modes. Typically, an ISP provides hardware
resources and computing capabilities for users. Each user can use only one terminal to access
the cloud, similar to operating a PC.
The core technology of cloud computing provides independent and complete services for a
large number of users based on a server cluster, which involves multiple virtualization
technologies. Figure 2-5 shows the typical application scenario in which the USG6000
works as the cloud computing gateway.


Figure 2-5 Typical networking of cloud computing

In this scenario, the USG6000 is the cloud computing gateway. With the system virtualization
function, you can divide a physical device into multiple independent logical devices. Each
logical device, called a virtual system, has its own interface, system resource, and
configuration file and implements traffic forwarding and security defense independently.
Virtual systems are logically isolated and each cloud terminal has an exclusive firewall. These
virtual systems share the same physical entity. Therefore, traffic forwarding between virtual
systems is highly efficient. In the scenario shown in Figure 2-5, the USG6000 offers the rapid
data switching among virtual systems, protects traffic between the cloud terminal and the
cloud server, and provides value-added security services for cloud computing.

2.6 Agile Network


The agile network is a new enterprise networking solution for legacy enterprise networks. It is
easier, more flexible, and faster in configuration, maintenance, and service response compared
with traditional enterprise networks.
Based on customer requirements, agile networks fall into three scenarios: service mobility,
service chain, and security collaboration. The NGFW plays different roles in different
scenarios.

Service Mobility
Service mobility enables consistent enterprise resource access permissions and
experience (the same priority and bandwidth for users to access enterprise
resources) regardless of where the users access the enterprise network. As shown in the
service mobility scenario in Figure 2-6, the firewalls are deployed at the borders of the
headquarters, branch office, and data center to provide user identification and permission
control functions. Apart from the user identification and permission control functions, the
firewalls at the borders of the headquarters and branch office provide L2TP VPN, L2TP over
IPSec VPN, and SSL VPN services for mobile employees and allocate bandwidth resources to
access users to ensure that the traffic of VIP users is preferentially forwarded.

Figure 2-6 Service mobility application scenario

Service Chain
Service chain is a scenario in which all security check devices are centrally deployed in a
security resource pool, with each device responsible for a different security check task.
Enterprises can schedule the traffic going through the core switch in a specific order, so that
the core switch sends the traffic to these security devices for security checks. Figure 2-7
shows the service chain scenario. In this scenario, the firewall resides in the security resource
pool to provide the content security check. The firewalls are deployed in off-line mode next
to the core switch, and each firewall establishes a GRE tunnel with each core switch. When
receiving traffic to be checked, the core switch diverts the traffic over one GRE tunnel to the
corresponding firewall. After the security checks, the firewall injects the traffic over the other
GRE tunnel back to the core switch.


Figure 2-7 Service chain scenario
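The divert-and-inject mechanics of the service chain (core switch encapsulates traffic in GRE toward the firewall, the firewall decapsulates, inspects and re-encapsulates toward the switch over the second tunnel) are shown below as an added example, not Huawei code. Tunnel endpoints, inner addresses and the single content check are constructed assumptions; the GRE framing follows RFC 2784.

```python
"""GRE divert-and-inject as used by the service chain scenario.

Added example, not Huawei code. It models one core switch and one firewall
joined by two GRE tunnels: the switch diverts a packet to the firewall over
tunnel A, the firewall decapsulates and inspects it, then re-injects it to the
switch over tunnel B. Tunnel endpoints, inner addresses and the inspection
rule are constructed assumptions.
"""
import socket
import struct

GRE_PROTO = 47                               # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800                      # GRE protocol type: inner IPv4
TUNNEL_A = ("192.0.2.1", "192.0.2.2")        # core switch -> firewall (divert)
TUNNEL_B = ("198.51.100.2", "198.51.100.1")  # firewall -> core switch (inject)
SIGNATURE = b"CONSTRUCTED-TEST-PATTERN"      # stand-in for a content check


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a header; 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel) -> bytes:
    """Wrap an inner IPv4 packet in a plain GRE header (no C/K/S fields)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel[0], tunnel[1], GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(pkt: bytes, tunnel) -> bytes:
    """Validate the outer header and tunnel, return the inner IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])) != tunnel:
        raise ValueError("packet did not arrive on the expected tunnel")
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported inner protocol")
    offset = ihl + 4
    if flags & 0x8000:   # C bit: checksum + reserved1 present
        offset += 4
    if flags & 0x2000:   # K bit: key present
        offset += 4
    if flags & 0x1000:   # S bit: sequence number present
        offset += 4
    return pkt[offset:]


def build_inner(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    """Constructed inner packet: IPv4 header plus an opaque payload."""
    return ipv4_header(src, dst, proto, len(payload)) + payload


def firewall_inspect(inner: bytes) -> bool:
    """Constructed content check: pass unless the payload carries SIGNATURE."""
    ihl = (inner[0] & 0x0F) * 4
    return SIGNATURE not in inner[ihl:]


def service_chain(inner: bytes):
    """Run one packet through divert -> inspect -> inject.

    Returns ("forwarded", inner) when the firewall re-injects the packet to the
    core switch, or ("dropped", None) when the inspection fails.
    """
    diverted = gre_encapsulate(inner, TUNNEL_A)        # core switch side
    at_firewall = gre_decapsulate(diverted, TUNNEL_A)  # firewall side
    if not firewall_inspect(at_firewall):
        return ("dropped", None)
    injected = gre_encapsulate(at_firewall, TUNNEL_B)  # firewall side
    back_at_switch = gre_decapsulate(injected, TUNNEL_B)
    return ("forwarded", back_at_switch)


if __name__ == "__main__":
    clean = build_inner("10.0.0.5", "10.0.1.7", b"GET / HTTP/1.1\r\n")
    print(service_chain(clean)[0])                                 # forwarded
    print(service_chain(build_inner("10.0.0.5", "10.0.1.7", SIGNATURE))[0])
```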

Security Collaboration
Security collaboration is a solution for improving overall intranet security defense capabilities.
This solution provides visibility into network health conditions, the number and types of
security events, and security risk trends, and it monitors and handles security events. As
shown in Figure 2-8, the firewall sends syslogs about security events, such as viruses,
intrusions, Trojans, and data leaks, to the controller. After receiving the security logs, the
controller delivers security warnings and actions, such as isolate or block, to the aggregation
switch, so that the aggregation switch can block these risks.


Figure 2-8 Security collaboration scenario


3 Product Architecture

About This Chapter


This chapter describes the software and hardware structures of the NGFW.
3.1 Hardware Architecture
The USG6000 has a multi-core hardware architecture to ensure high performance and stable
operation.
3.2 Software Architecture
The USG6000 adopts the new multi-plane software architecture to ensure high-speed packet
processing and stability.

3.1 Hardware Architecture


The USG6000 has a multi-core hardware architecture to ensure high performance and stable
operation.

3.1.1 USG6310
The USG6310 is a 1-U desktop device with an integrated structure. The device provides fixed
ports, a built-in fan module, and uses an external power adapter to supply power. The device
does not support port expansion.

Appearance
Figure 3-1 illustrates the appearance of the USG6310.


Figure 3-1 Appearance of USG6310

Ports
The USG6310 provides the following fixed ports:
1 console port (RJ45)
1 USB 2.0 port
8 10/100/1000M autosensing Ethernet electrical ports

3.1.2 USG6320
The USG6320 is a 1-U desktop device with an integrated structure. The device provides fixed
ports, a built-in fan module, and uses an external power adapter to supply power. The device
does not support port expansion.

Appearance
Figure 3-2 illustrates the appearance of the USG6320.

Figure 3-2 Appearance of USG6320


Ports
The USG6320 provides the following fixed ports:
1 console port (RJ45)
1 USB 2.0 port
8 10/100/1000M autosensing Ethernet electrical ports

3.1.3 USG6330/6350/6360
The USG6330/6350/6360 uses an integrated chassis that contains the fixed interface board,
power module, and fan module. You can also add optional modules, such as hard disks, an
additional power module, and expansion cards, to improve system reliability and add more
ports.

Appearance
Figure 3-3 illustrates the appearance of the USG6330/6350/6360.

Figure 3-3 Appearance of USG6330/6350/6360

Table 3-1 describes the functions of the USG6330/6350/6360 components.

Table 3-1 Functions of the USG6330/6350/6360 components

Fixed interface board
    The fixed interface board is the core component for system control and
    management and provides the management, forwarding, and control planes. The
    interface board also has an intelligent awareness engine.
    Management plane: provides ports for configuration, test, and maintenance
    and implements such functions as running status monitoring, environment
    monitoring, log and alarm processing, system loading, and system upgrades.
    Forwarding plane: parses and processes packets and associates with other
    planes to forward, discard, or translate packets.
    Control plane: obtains user authentication information and sends
    authentication results to the forwarding plane, so that the forwarding
    plane can process packets based on user information.
    Intelligent awareness engine: is aware of the service of each packet,
    parses the content to identify the application of the packet as well as
    the file, virus, URL, email field, intrusion, and attack information in
    the packet or flow, and provides the forwarding plane with the detection
    result for further processing.
Expansion slot
    Expansion slots are reserved for expansion cards to provide more ports or
    functions. Table 3-2 lists the supported expansion cards.
Power module
    A built-in 150 W power module is provided by default, but you can
    optionally add a 170 W power module for 1+1 power redundancy. If two power
    modules are used and the PWR6 power module fails, the other can support the
    entire system so that you can replace the faulty PWR6 power module without
    interrupting device operation.
Hard disk combination
    Hard disks are used to store logs and reports. The device supports the
    optional hard disk combination SM-HDD-SAS300G-B.

Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
1 USB 2.0 port
2 GE Combo ports
4 10/100/1000M autosensing Ethernet electrical ports
Table 3-2 lists the supported types of expansion cards.

Table 3-2 Supported expansion cards

Expansion Card               Description
8GE WSIC Interface Card      Provides eight gigabit RJ45 Ethernet ports.
2XG8GE WSIC Interface Card   Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
8GEF WSIC Interface Card     Provides eight gigabit SFP ports.
4GE-BYPASS WSIC Card         Provides two electrical bypass links.

WSIC: Wide Service Interface Card

3.1.4 USG6370/6380/6390
The USG6370/6380/6390 uses an integrated chassis that contains the fixed interface board,
power module, and fan module. You can also add optional modules, such as hard disks, an
additional power module, and expansion cards, to improve system reliability and add more
ports.

Appearance
Figure 3-4 illustrates the appearance of the USG6370/6380/6390.

Figure 3-4 Appearance of USG6370/6380/6390

Table 3-3 describes the functions of the USG6370/6380/6390 components.

Table 3-3 Functions of the USG6370/6380/6390 components

Fixed interface board
    The fixed interface board is the core component for system control and
    management and provides the management, forwarding, and control planes. The
    interface board also has an intelligent awareness engine.
    Management plane: provides ports for configuration, test, and maintenance
    and implements such functions as running status monitoring, environment
    monitoring, log and alarm processing, system loading, and system upgrades.
    Forwarding plane: parses and processes packets and associates with other
    planes to forward, discard, or translate packets.
    Control plane: obtains user authentication information and sends
    authentication results to the forwarding plane, so that the forwarding
    plane can process packets based on user information.
    Intelligent awareness engine: is aware of the service of each packet,
    parses the content to identify the application of the packet as well as
    the file, virus, URL, email field, intrusion, and attack information in
    the packet or flow, and provides the forwarding plane with the detection
    result for further processing.
Expansion slot
    Expansion slots are reserved for expansion cards to provide more ports or
    functions. Table 3-4 lists the supported expansion cards.
Power module
    By default, an AC power module is provided. Two power modules are
    supported to provide 1+1 power redundancy. If one power module fails, the
    other can support the entire system so that you can replace the faulty
    power module without interrupting device operation.
Hard disk combination
    Hard disks are used to store logs and reports. The device supports the
    optional hard disk combination SM-HDD-SAS300G-B.

Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
2 USB 2.0 ports
4 GE optical ports
8 10/100/1000M autosensing Ethernet electrical ports
Table 3-4 lists the supported types of expansion cards.

Table 3-4 Supported expansion cards

Expansion Card               Description
8GE WSIC Interface Card      Provides eight gigabit RJ45 Ethernet ports.
2XG8GE WSIC Interface Card   Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
8GEF WSIC Interface Card     Provides eight gigabit SFP ports.
4GE-BYPASS WSIC Card         Provides two electrical bypass links.

WSIC: Wide Service Interface Card

3.1.5 USG6530
The USG6530 uses an integrated chassis that contains the fixed interface board, power
module, and fan module. You can also add optional modules, such as hard disks, an
additional power module, and expansion cards, to improve system reliability and add more
ports.

Appearance
Figure 3-5 illustrates the appearance of the USG6530.

Figure 3-5 Appearance of USG6530

Table 3-5 describes the functions of the USG6530 components.

Table 3-5 Functions of the USG6530 components

Fixed interface board
    The fixed interface board is the core component for system control and
    management and provides the management, forwarding, and control planes. The
    interface board also has an intelligent awareness engine.
    Management plane: provides ports for configuration, test, and maintenance
    and implements such functions as running status monitoring, environment
    monitoring, log and alarm processing, system loading, and system upgrades.
    Forwarding plane: parses and processes packets and associates with other
    planes to forward, discard, or translate packets.
    Control plane: obtains user authentication information and sends
    authentication results to the forwarding plane, so that the forwarding
    plane can process packets based on user information.
    Intelligent awareness engine: is aware of the service of each packet,
    parses the content to identify the application of the packet as well as
    the file, virus, URL, email field, intrusion, and attack information in
    the packet or flow, and provides the forwarding plane with the detection
    result for further processing.
Expansion slot
    Expansion slots are reserved for expansion cards to provide more ports or
    functions. Table 3-6 lists the supported expansion cards.
Power module
    A built-in 150 W power module is provided by default, but you can
    optionally add a 170 W power module for 1+1 power redundancy. If two power
    modules are used and the PWR6 power module fails, the other can support the
    entire system so that you can replace the faulty PWR6 power module without
    interrupting device operation.
Hard disk combination
    Hard disks are used to store logs and reports. The device supports the
    optional hard disk combination SM-HDD-SAS300G-B.

Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
1 USB 2.0 port
2 GE Combo ports
4 10/100/1000M autosensing Ethernet electrical ports
Table 3-6 lists the supported types of expansion cards.

Table 3-6 Supported expansion cards

Expansion Card               Description
8GE WSIC Interface Card      Provides eight gigabit RJ45 Ethernet ports.
2XG8GE WSIC Interface Card   Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
8GEF WSIC Interface Card     Provides eight gigabit SFP ports.
4GE-BYPASS WSIC Card         Provides two electrical bypass links.

WSIC: Wide Service Interface Card

3.1.6 USG6550/6570
The USG6550/6570 uses an integrated chassis that contains the fixed interface board, power
module, and fan module. You can also add optional modules, such as hard disks, an
additional power module, and expansion cards, to improve system reliability and add more
ports.

Appearance
Figure 3-6 illustrates the appearance of the USG6550/6570.

Figure 3-6 USG6550/6570 appearance

Table 3-7 describes the functions of the USG6550/6570 components.

Table 3-7 Functions of USG6550/6570 components

Fixed interface board
    The fixed interface board is the core component for system control and
    management and provides the management, forwarding, and control planes. The
    interface board also has an intelligent awareness engine.
    Management plane: provides ports for configuration, test, and maintenance
    and implements such functions as running status monitoring, environment
    monitoring, log and alarm processing, system loading, and system upgrades.
    Forwarding plane: parses and processes packets and associates with other
    planes to forward, discard, or translate packets.
    Control plane: obtains user authentication information and sends
    authentication results to the forwarding plane, so that the forwarding
    plane can process packets based on user information.
    Intelligent awareness engine: is aware of the service of each packet,
    parses the content to identify the application of the packet as well as
    the file, virus, URL, email field, intrusion, and attack information in
    the packet or flow, and provides the forwarding plane with the detection
    result for further processing.
Expansion slot
    Expansion slots are reserved for expansion cards to provide more ports or
    functions. Table 3-8 lists the supported expansion cards.
Power module
    By default, an AC power module is provided. Two power modules are
    supported to provide 1+1 power redundancy. If one power module fails, the
    other can support the entire system so that you can replace the faulty
    power module without interrupting device operation.
Hard disk combination
    Hard disks are used to store logs and reports. The device supports
    optional SM-HDD-SAS300G-B hard disks.

Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
2 USB 2.0 ports
4 GE optical ports
8 10/100/1000M autosensing Ethernet electrical ports
Table 3-8 lists the supported types of expansion cards.


Table 3-8 Supported expansion cards

Expansion Card               Description
8GE WSIC Interface Card      Provides eight gigabit RJ45 Ethernet ports.
2XG8GE WSIC Interface Card   Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
8GEF WSIC Interface Card     Provides eight gigabit SFP ports.
4GE-BYPASS WSIC Card         Provides two electrical bypass links.

WSIC: Wide Service Interface Card

3.1.7 USG6620/6630
The USG6620/6630 uses an integrated chassis that contains the fixed interface board, power
module, and fan module. You can also add optional modules, such as hard disks, an
additional power module, and expansion cards, to improve system reliability and add more
ports.

Appearance
Figure 3-7 illustrates the appearance of the USG6620/6630.

Figure 3-7 Appearance of USG6620/6630

Table 3-9 describes the functions of the USG6620/6630 components.


Table 3-9 Functions of the USG6620/6630 components

Fixed interface board
    The fixed interface board is the core component for system control and
    management and provides the management, forwarding, and control planes. The
    interface board also has an intelligent awareness engine.
    Management plane: provides ports for configuration, test, and maintenance
    and implements such functions as running status monitoring, environment
    monitoring, log and alarm processing, system loading, and system upgrades.
    Forwarding plane: parses and processes packets and associates with other
    planes to forward, discard, or translate packets.
    Control plane: obtains user authentication information and sends
    authentication results to the forwarding plane, so that the forwarding
    plane can process packets based on user information.
    Intelligent awareness engine: is aware of the service of each packet,
    parses the content to identify the application of the packet as well as
    the file, virus, URL, email field, intrusion, and attack information in
    the packet or flow, and provides the forwarding plane with the detection
    result for further processing.
Expansion slot
    Expansion slots are reserved for expansion cards to provide more ports or
    functions. Table 3-10 lists the supported expansion cards.
Power module
    By default, an AC power module is provided. Two power modules are
    supported to provide 1+1 power redundancy. If one power module fails, the
    other can support the entire system so that you can replace the faulty
    power module without interrupting device operation.
Hard disk combination
    Hard disks are used to store logs and reports. The device supports the
    optional hard disk combination SM-HDD-SAS300G-B.

Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
2 USB 2.0 ports
4 GE optical ports
8 10/100/1000M autosensing Ethernet electrical ports
Table 3-10 lists the supported types of expansion cards.


Table 3-10 Supported expansion cards

Expansion Card               Description
8GE WSIC Interface Card      Provides eight gigabit RJ45 Ethernet ports.
2XG8GE WSIC Interface Card   Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
8GEF WSIC Interface Card     Provides eight gigabit SFP ports.
4GE-BYPASS WSIC Card         Provides two electrical bypass links.

WSIC: Wide Service Interface Card

3.1.8 USG6650/6660
The USG6650/6660 uses an integrated chassis that contains the SPUA (main processing unit),
interface card, power module, and fan module. You can also add optional modules, such
as hard disks and expansion cards, to improve system reliability and add more ports.

Appearance
Figure 3-8 illustrates the appearance of the USG6650/6660.


Figure 3-8 Appearance of USG6650/6660

Table 3-11 describes the functions of the USG6650/6660 components.

Table 3-11 Functions of the USG6650/6660 components

SPUA (the main processing unit)
    The SPUA is the core component for system control and management and
    provides the management, forwarding, and control planes and an intelligent
    awareness engine.
    Management plane: provides ports for configuration, test, and maintenance
    and implements such functions as running status monitoring, environment
    monitoring, log and alarm processing, system loading, and system upgrades.
    It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in
    real time.
    Forwarding plane: parses and processes packets and associates with other
    planes to forward, discard, or translate packets.
    Control plane: obtains user authentication information and sends
    authentication results to the forwarding plane, so that the forwarding
    plane can process packets based on user information.
    Intelligent awareness engine: is aware of the service of each packet,
    parses the content to identify the application of the packet as well as
    the file, virus, URL, email field, intrusion, and attack information in
    the packet or flow, and provides the forwarding plane with the detection
    result for further processing.
Interface card (mandatory)
    The interface card provides gigabit and 10-gigabit electrical and optical
    ports. The interface card is installed before shipment and can be moved to
    another slot. The interface card is not hot-swappable.
Expansion slot
    Expansion slots are reserved for expansion cards to provide more ports or
    functions. Table 3-12 lists the supported expansion cards.
Power module
    By default, the USG6650 has two AC power modules and does not support DC.
    By default, the USG6660 has two DC or AC power modules for 1+1 power
    redundancy, so that if one power module is faulty, it can be hot-swapped.
Fan module
    The fan module provides air flow for heat dissipation. The fan module
    supports hot-swapping and can be replaced without interrupting device
    operation. However, to prevent overheating, do not operate the device
    without a functioning fan module for more than one minute.
Filler panel
    Ensures normal air flow and keeps out dust.

Ports
The SPUA provides the following fixed ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
1 console port (mini USB)
2 USB 2.0 ports
By default, the USG6650/6660 has one 2XG8GE interface card and one 8GEF interface card to provide the following service ports:
8 GE optical ports
8 10/100/1000M autosensing Ethernet electrical ports
2 10GE optical ports
The six expansion slots on the USG6650/6660 support the expansion cards listed in Table 3-12.

The slots are divided into two types: one for Wide Service Interface Cards (WSIC) and the other for
Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also
hold a WSIC card, but only in the lower part, and in this case, no other card can be installed in the upper
part.

Table 3-12 Supported expansion cards

8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
4GE-BYPASS WSIC Card: Provides two electrical bypass links.

3.1.9 USG6670
The USG6670 uses an integrated chassis that contains the SPUA (main processing unit),
interface card, power module, and fan module. You can also add some optional modules, such
as hard disk and expansion cards, to improve system reliability and add more ports.

Appearance
Figure 3-9 illustrates the appearance of the USG6670.

Figure 3-9 Appearance of USG6670

Table 3-13 describes the functions of the USG6670 components.

Table 3-13 Functions of the USG6670 components

SPUA (the main processing unit): SPUA is the core component for system control and management and provides the management, forwarding, and control planes and an intelligent awareness engine.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades. It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in real time.
  Forwarding plane: parses and processes packets and works with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
Interface card (mandatory): The interface card provides gigabit and 10-gigabit electrical and optical ports. The interface card is installed before shipment and can be moved to another slot. The interface card is not hot-swappable.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-14 lists the supported expansion cards.
Power module: Two DC or AC power modules are mandatory to provide 1+1 power redundancy. If one power module fails, the other can support the entire system, so that you can replace the faulty power module without interrupting device operation.
Fan module: The fan module provides air flow for heat dissipation. The fan module supports hot-swapping and can be replaced without interrupting device operation. However, to prevent overheating, do not operate the device without a functioning fan module for more than one minute.
Filler panel: Ensures normal air flow and keeps out dust.

Ports
The SPUA provides the following fixed ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
1 console port (mini USB)
2 USB 2.0 ports
By default, the USG6670 has two 2XG8GE interface cards and one 8GEF interface card to provide the following service ports:
8 GE optical ports
16 10/100/1000M autosensing Ethernet electrical ports
4 10GE optical ports
The five expansion slots on the USG6670 support the expansion cards listed in Table 3-14.

The slots are divided into two types: one for Wide Service Interface Cards (WSIC) and the other for
Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also
hold a WSIC card, but only in the lower part, and in this case, no other card can be installed in the upper
part.

Table 3-14 Supported expansion cards

8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
4GE-BYPASS WSIC Card: Provides two electrical bypass links.

3.1.10 USG6680
The USG6680 uses an integrated chassis that contains the SPUA (main processing unit),
SPUB (service engine), interface card, power module, and fan module. You can also add some
optional modules, such as hard disk and expansion cards, to improve system reliability and
add more ports.

Appearance
Figure 3-10 illustrates the appearance of the USG6680.

Figure 3-10 Appearance of USG6680

Table 3-15 describes the functions of the USG6680 components.

Table 3-15 Functions of the USG6680 components

SPUA (the main processing unit): SPUA is the core component for system control and management and provides the management, forwarding, and control planes. Both SPUA and SPUB have an intelligent awareness engine (IAE) and provide the intelligent awareness service.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades. It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in real time.
  Forwarding plane: parses and processes packets and works with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
SPUB (the service engine): SPUB has an IAE to provide content security. The CPU resources of SPUB on the USG6680 are dedicated to the IAE. Therefore, the USG6680 has higher performance than other USG products.
Interface card (mandatory): The interface card provides gigabit and 10-gigabit electrical and optical ports. The interface card is installed before shipment and can be moved to another slot. The interface card is not hot-swappable.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-16 lists the supported expansion cards.
Power module: Two DC or AC power modules are mandatory to provide 1+1 power redundancy. If one power module fails, the other can support the entire system, so that you can replace the faulty power module without interrupting device operation.
Fan module: The fan module provides air flow for heat dissipation. The fan module supports hot-swapping and can be replaced without interrupting device operation. However, to prevent overheating, do not operate the device without a functioning fan module for more than one minute.

Ports
The SPUA provides the following fixed ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
1 console port (mini USB)
2 USB 2.0 ports
The USG6680 by default has two 2XG8GE interface cards and one 8GEF interface card to
provide the following service ports:
8 GE optical ports
16 10/100/1000M autosensing Ethernet electrical ports
4 10GE optical ports
The five expansion slots on the USG6680 support the expansion cards listed in Table 3-16.

The slots are divided into two types: one for Wide Service Interface Cards (WSIC) and the other for
Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also
hold a WSIC card, but only in the lower part, and in this case, no other card can be installed in the upper
part.

Table 3-16 Supported expansion cards

8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
4GE-BYPASS WSIC Card: Provides two electrical bypass links.

3.2 Software Architecture

The USG6000 adopts a new multi-plane software architecture to ensure high-speed packet processing and stability.

Figure 3-11 Software architecture

The software architecture has the following components:

Hardware and driver
The hardware and driver layer provides the hardware and driver support for packet forwarding.
Management plane
The USG6000 provides the configuration, test, and maintenance interfaces for the administrator. The new Web UI provides diversified management functions. The administrator can gain visibility into configurations, logs, and reports to intelligently detect and diagnose faults.
Intelligent awareness engine (IAE)
The USG6000 implements service awareness and content parsing on packets to identify the carried application, virus, URL, file, mail field, intrusion, and attack. The results are transferred to the forwarding plane for further processing.
With continuous updates of the signature database, the USG6000 can identify the latest applications, viruses, and intrusion behaviors to improve its security defense capabilities.
Forwarding plane
The forwarding plane implements basic parsing and processing on packets. This plane works with other planes to forward, discard, or convert packets, covering network-layer header parsing, transport-layer parsing, entry query, address translation, VPN tunnel establishment, and anti-DDoS at the network layer.
If a packet matches a security policy and the corresponding configuration file exists, the forwarding plane forwards the packet to the IAE for service awareness. All the data necessary for follow-up processing is obtained in one inspection. The forwarding plane then processes the packet according to the inspection results and policies. Packets are forwarded at high speed and with very low delay, even when the forwarding plane is isolated from the IAE. The forwarding plane preferentially forwards packets to handle burst traffic.
Control plane
The control plane interacts with a user, obtains authentication information about the user, and sends the information to the forwarding plane. The forwarding plane then processes packets based on the user. The independent control plane ensures rapid access for a large number of users and improves the response speed.
The control plane also interacts with the remote URL category server to obtain the latest URL categories.

4 Product Functions

About This Chapter


This chapter describes the functions of the NGFW.
4.1 USG6000 Functions
This section describes the main functions supported by the USG6000.
4.2 Advanced Content Security Defense
The biggest advantage of the next generation firewall is the sophisticated application security
capability built on deep application and content inspection.
4.3 Flexible User Management
IP addresses no longer reflect user identities, which poses a security risk. However,
user-specific management delivers an effective solution to this issue.
4.4 Complete Security Functions Inherited from Traditional Firewalls
The USG6000 inherits the security functions from traditional firewalls at the network layer.
Although simple, these security mechanisms are effective and sufficient to tackle the threats at
the network layer.
4.5 Granular Traffic Management
Network services are ever-increasing, but network bandwidth is not. Therefore, bandwidth
usage must be controlled to reduce the bandwidth for low-priority services and ensure
available bandwidth for high-priority services.
4.6 Support for Various Routing and Switching Protocols
The USG6000 supports a wide range of routing and switching protocols, ensuring the
adaptability to various network environments and deployment requirements.
4.7 Intelligent Route Selection Policy
The USG6000 has multiple egress links and can dynamically select outbound interfaces based
on intelligent route selection policies. This implementation ensures that traffic is forwarded
based on preset policies, increases link usage, and improves users' Internet access experience.
4.8 Support for IPv6
The USG6000 supports Internet Protocol Version 6 (IPv6) and multiple IPv6 networking
modes to effectively secure IPv6 networks.

4.9 Diversified VPN Access Modes
Virtual private network (VPN) is a low-cost solution for securing private networks, which
plays an important role on modern enterprise networks. The USG6000 supports multiple VPN
technologies.
4.10 High Availability Mechanism
The proper working of networks directly affects the revenue of enterprises, especially
enterprises that rely on the network to provide online information, online game, and
e-commerce services. Therefore, ensuring the stability and high availability of network
devices becomes critical for such enterprises.
4.11 Easy-to-Use Virtual System
A virtual system divides a physical device into multiple, logically independent, virtual devices.
Each virtual device has its own administrator, routing table, and security policy.
4.12 Visualized Device Management and Maintenance
Huawei has improved and enhanced the Web UI of the USG6000. Administrators can easily
deploy, configure, maintain, troubleshoot, monitor the status of, and upgrade the device on the
Web UI.
4.13 Diversified Logs and Reports
The USG6000 provides diversified logs and reports for administrators to trace and analyze the
events that have occurred on the device.
4.14 Device Security Protection
This section describes the security of the data system as well as operation and maintenance of
the NGFW.

4.1 USG6000 Functions


This section describes the main functions supported by the USG6000.

Table 4-1 USG6000 functions

Content Security
  Application identification: Identifies more than 6000 common applications based on the predefined signature database. Supports the constant update of the predefined signature database and user-defined applications. Parses the packets of tens of protocols, identifies the contents exchanged during protocol negotiation, and supports common multi-channel protocols.
  SSL traffic decryption: Decrypts SSL traffic and implements content security checks on the verified traffic.
  Antivirus: Identifies more than 5,000,000 common viruses. Updates the signature database constantly.
  Intrusion prevention: Detects and defends against thousands of common intrusion behaviors, worms, Trojan horses, and botnets. Updates the predefined signature database constantly and supports user-defined signatures.
  URL filtering: Blocks connections to HTTP and HTTPS URLs as required. Adds URLs and URL categories locally and supports querying the latest URLs and URL categories from the remote URL category server. Updates URL categories constantly.
  Data filtering: Supports common file transfer protocols, including HTTP, FTP, SMTP, POP3, NFS, SMB, IMAP, RTMPT, and FLASH. Filters contents in the files transferred over these protocols based on keywords. Filters contents in HTTP and FTP files based on keywords.
  File blocking: Supports common file transfer protocols, including HTTP, FTP, SMTP, POP3, NFS, SMB, IMAP, RTMPT, and FLASH. Identifies common documents, code files, executable files, multimedia files, the real types of compressed files, and file name extensions over these protocols. Identifies common files transferred over these protocols based on their real types and file name extensions.
  Application behavior control: Controls HTTP behaviors, including file upload and download, POST, web page browsing, and HTTP proxy. Controls FTP behaviors, including FTP file upload and download.
  Mail filtering: Supports a local mail server whitelist and blacklist to block spam. Works with the RBL server to query in real time whether a received or sent mail is spam. Filters mails based on sender addresses, receiver addresses, and the size and number of mail attachments.
User Management
  Local user management: Supports user creation and management and organization structure maintenance. Supports centralized management of VPN and PPPoE users.
  Interworking with the user server: Interworks with common user servers such as AD, RADIUS, HWTACACS, LDAP, SecurID, and TSM to import user information and implement proxy authentication.
  User authentication: Pushes web pages for user authentication or works with the AD server to synchronize information about online users in real time.
Network-Layer Security Protection
  Packet filtering: Supports packet filtering based on policies.
  NAT: Translates the source IP addresses, destination IP addresses, and ports of packets. Maps private IP addresses and ports to public IP addresses and ports, so that an internal server can provide services for external users. Automatically translates the IP addresses and ports negotiated in the packets of multi-channel protocols.
  DDoS attack defense: Defends against various DoS and DDoS attacks. Non-application-layer DDoS attacks: SYN flood, UDP flood, ICMP flood, and ARP flood. Application-layer DDoS attacks: HTTP flood, HTTPS flood, DNS flood, and SIP flood.
  Single-packet attack defense: Implements packet validity checking to defend against various single-packet attacks, including IP spoofing attacks, LAND attacks, Smurf attacks, Fraggle attacks, WinNuke attacks, Ping of Death attacks, Teardrop attacks, address scanning attacks, port scanning attacks, IP option control attacks, IP fragment control attacks, TCP flag validity check attacks, ICMP packet control attacks, ICMP redirect packet attacks, ICMP unreachable packet attacks, and TRACERT packet attacks.
  Blacklist and whitelist: Rapidly filters packets based on the whitelist and blacklist of IP addresses.
  IP-MAC address binding: Supports IP-MAC address binding to prevent IP spoofing.
Traffic Management
  IP address- and user-based bandwidth management: Limits the maximum bandwidth and guaranteed bandwidth for an IP address or a user.
  IP address- and user-based connection quantity management: Limits the maximum number of connections for an IP address or a user.
  Interface-based bandwidth management: Limits the maximum bandwidth for an interface.
  Traffic quota management: Allocates a fixed online duration and traffic quota to specific users.
Intelligent Uplink Selection
  Smart DNS: Modifies DNS reply packets so that the address obtained by a user is in the same ISP network as the user. This minimizes web access latency and optimizes user experience.
  DNS transparent proxy: Changes the destination addresses of DNS requests and forwards the DNS requests to different ISPs for load balancing.
  PBR: Forwards packets based on applications, services, users, inbound interfaces, source security zones, source IP addresses, destination IP addresses, and time ranges. Supports PBR with a single outbound interface or multiple outbound interfaces. For PBR with multiple outbound interfaces, intelligent uplink selection can be performed based on link bandwidths, weights, qualities, or priorities.
  Global route selection policies: Supports intelligent uplink selection based on equal-cost default routes and supports route selection based on link bandwidths, weights, or priorities.
  ISP address library link selection: Supports the selection of an outbound interface based on the carrier network of the destination address.
  Link health check: Supports link availability detection based on multiple protocols.
Routing, Switching, and Packet Forwarding
  Switching protocols: Supports common data-link layer protocols including ARP, VLAN protocol, PPP, and PPPoE.
  Routing protocols: Supports static routing, routing policies, policy-based routing, RIP, IS-IS, OSPF, BGP, and multicast.
  IP forwarding: Supports basic IP protocols including DNS, DHCP, ICMP, and URPF.
IPv6
  Basic IPv6 technologies: Supports the resolution and forwarding of IPv6 packets; IPv6 static routing, routing policies, and PBR; and IPv6 dynamic routing protocols such as RIPng, OSPFv3, BGP4+, and IS-ISv6.
  IPv6 transition technologies: Supports IPv6 transition technologies such as 4to6, 6to4, and NAT64, constructs complete IPv6 networks, and functions as the border device between IPv4 and IPv6 networks.
  IPv6 network security protection: Supports security policies based on IPv6 addresses to protect IPv6 networks. Implements packet filtering and content security inspection on packets based on IPv6 addresses, with functions and defense effects similar to those for IPv4.
VPN
  IPSec/IKE: Supports IKEv1 and IKEv2. Supports encryption algorithms such as DES, 3DES, and AES, and checksum algorithms such as MD5 and SHA1, to provide packet encryption and verification capabilities. Supports L2TP over IPSec and GRE over IPSec.
  L2TP: Functions as the LAC or LNS.
  GRE: Supports running RIP, OSPF, and BGP across networks over GRE.
  DSVPN: Supports MGRE tunnel establishment between spokes in normal mode or shortcut mode.
  SSL VPN: Supports web proxy and network extension.
  MPLS: Supports MPLS L3VPN. Supports L2TP, IPSec, and GRE access to MPLS VPN. Supports IPSec VPN over MPLS.
High Availability
  Hardware reliability: Supports 1+1 power backup. Supports the hardware bypass card.
  Dual-system hot backup: Supports dual-system hot backup protocols such as VRRP, VGMP, and HRP. Provides a complete dual-system hot backup mechanism to ensure that services are smoothly switched to the standby device when the active device is faulty.
  Link status check: Checks the link connection status in real time by sending ARP or ICMP packets and switches traffic when the link is faulty.
Virtual System
  Function virtualization: Virtualizes major functions except the hardware and network resources that must be managed in a centralized manner. Each virtual system has its own configurations, entries, and resources.
  Virtual administrator: Supports the creation of virtual administrators. Each administrator can be assigned permission to manage the specified virtual system. Each administrator has an independent configuration page for maintaining the device. Virtual systems are isolated, and their configurations do not conflict.
Visualized Management and Maintenance
  New Web UI: Provides a new Web UI that offers diversified, easy-to-use, and virtualized management and maintenance functions. On the Web UI, you can easily view logs and reports, manage configurations, and diagnose faults. You can rapidly complete the common configurations of some functions by using the configuration wizard.
  Remote management modes: Supports multiple management modes such as Web UI, CLI (console, Telnet, or SSH), and NMS (SNMP).
  Update center: On the Web UI, you can update the system software, application signature database, threat signature database, antivirus signature database, and URL category database in various modes to enhance defense capabilities.
  Remote management: You can log in to the device through the console, Telnet, SSH, or the Web UI for management. Supports SNMP, so you can use standard NMS software for management. Supports syslog, so you can use a log server to collect and manage logs. Supports NQA and NetStream.
Log and Report
  Log: Supports multiple types of logs, such as the traffic log, threat log, URL log, content log, mail filtering log, operation log, system log, user activity log, and policy matching log, for the administrator to learn about network events.
  Report: Supports multiple types of reports, such as the traffic report, threat report, URL report, and policy matching report, for the administrator to gain visibility into the network traffic status and security defense effect.

4.2 Advanced Content Security Defense


The biggest advantage of the next generation firewall is the sophisticated application security
capability built on deep application and content inspection.

4.2.1 Unified Detection Mechanism

The unified detection mechanism of the USG6000 provides effective content security functions and high performance even when all of these functions are enabled.

The unified detection mechanism retrieves the data needed by all content security functions within a single detection cycle, which greatly enhances the performance of the device, as shown in Figure 4-1.

Figure 4-1 Unified detection mechanism

4.2.2 SSL Decryption


SSL traffic is encrypted for transmission. Therefore, the NGFW cannot directly implement
content security checks on SSL traffic. However, if you configure SSL decryption policies,
the NGFW can decrypt the SSL traffic that matches the policies and then implement content
security checks on the decrypted SSL traffic.
As shown in Figure 4-2, when the client's HTTPS request packet matches an SSL decryption policy, the NGFW functions as an SSL proxy. Toward the client, the NGFW acts as a proxy server: it completes the SSL handshake and establishes an SSL connection with the client. Toward the server, the NGFW acts as a proxy client: it completes a second SSL handshake and establishes a separate SSL connection with the server. Upon receiving the application data subsequently transmitted between the client and server, the NGFW decrypts the HTTPS traffic from the client (or server), implements content security checks, re-encrypts the traffic, and sends the encrypted traffic to the server (or client).

The NGFW implements content security checks on only the SSL traffic with application protocol HTTP.

Figure 4-2 Schematic diagram of SSL decryption

4.2.3 Antivirus
The antivirus function scans the files transmitted over the network and records or removes the
viruses identified in those files.
A virus is a set of self-replicating instructions or program code, compiled independently or
embedded in certain computer programs, that adversely affects the use of a computer by damaging
certain functions or data of the computer. Commonly, viruses are embedded in files and are
spread through emails, web pages, and file transfer protocols. If hosts on the intranet are
infected with viruses, the entire system may crash, relevant services may be interrupted, and
important data may be leaked, bringing tremendous loss to enterprises.
The antivirus function of the USG6000 detects and scans the file transfer and file sharing
protocols that are commonly used to transfer viruses. The USG6000 defeats multiple
detection-evasion mechanisms used by viruses, enhancing the antivirus capability of the
network. The antivirus capabilities of the USG6000 are as follows:
Support for a wide range of application-layer protocols and applications
The USG6000 supports virus scanning for files transmitted through HTTP, FTP, SMTP,
POP3, IMAP, NFS, and SMB.
In addition, the USG6000 supports the configuration of exceptions for certain
HTTP-based applications.
Virus scanning for compressed files
The USG6000 decompresses ZIP or GZIP files, up to a maximum of 3 nested
compression layers, before it performs virus scanning.
Signature database with a massive number of signatures
The predefined signature database of the USG6000 supports the detection of over 15,000
mainstream virus families, covering over 5,000,000 common viruses.


The massive signature database ensures the advanced virus detection
capability of the USG6000. Huawei's professional virus analysis team traces
and analyzes the latest types of viruses and updates the virus signature database for
network administrators. This ensures that the USG6000 obtains the latest signature
database and can identify the maximum number of viruses.
Different defense measures for traffic flows of various kinds, and antivirus policies based
on application and virus exceptions
Through security policy configuration, you can create and apply granular defense
policies for different traffic flows to provide targeted network protection.
In addition, the administrator can adjust the antivirus policy to ensure the transmission of
service packets by configuring extra actions for certain HTTP-based applications or
adding certain false-positive viruses to the virus exception list.
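The compressed-file capability above (ZIP or GZIP containers, at most three decompression layers) is easiest to understand from a small scanner. The following is an added example, not Huawei code: it walks nested ZIP and GZIP containers, matches a single signature (the standard EICAR test string) against every object it reaches, and reports archives nested beyond the limit instead of silently passing them. The three-layer limit, the verdict strings and the sample archives are assumptions constructed for the example.

```python
import gzip
import io
import zipfile
import zlib

# The standard EICAR antivirus test string, used here as the only "signature".
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}
MAX_LAYERS = 3  # assumption: mirrors the 3-layer limit stated for the USG6000

GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGIC = b"PK\x03\x04"


def scan(data: bytes, name: str = "<stream>", layer: int = 0) -> list:
    """Return (path, verdict) pairs for `data` and for every object reachable
    inside it within MAX_LAYERS levels of decompression."""
    if data.startswith(ZIP_MAGIC) or data.startswith(GZIP_MAGIC):
        if layer >= MAX_LAYERS:
            # Nested deeper than the policy allows: report it instead of
            # silently passing it, so the policy can block or log the file.
            return [(name, "depth-limit-exceeded")]
        results = []
        try:
            if data.startswith(ZIP_MAGIC):
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.is_dir():
                            continue
                        child = zf.read(info)
                        results.extend(scan(child, f"{name}/{info.filename}", layer + 1))
            else:
                results.extend(scan(gzip.decompress(data), f"{name}/(gzip)", layer + 1))
        except (zipfile.BadZipFile, OSError, EOFError, zlib.error) as exc:
            results.append((name, f"corrupt-archive: {exc}"))
        return results
    # Plain object: look for every known signature in the bytes.
    for sig_name, pattern in SIGNATURES.items():
        if pattern in data:
            return [(name, f"infected: {sig_name}")]
    return [(name, "clean")]


def zip_bytes(filename: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP archive holding one member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, payload)
    return buf.getvalue()


def nest(payload: bytes, layers: int) -> bytes:
    """Wrap payload in `layers` alternating ZIP and GZIP containers (constructed sample)."""
    data = payload
    for i in range(layers):
        data = zip_bytes(f"layer{i}.bin", data) if i % 2 == 0 else gzip.compress(data)
    return data


def demo() -> dict:
    """Three layers are scanned through; four layers hit the depth limit."""
    return {
        "three": scan(nest(EICAR, 3), "sample3"),
        "four": scan(nest(EICAR, 4), "sample4"),
        "clean": scan(nest(b"quarterly report text", 2), "report"),
    }
```

The depth check sits before decompression, so a deliberately deep archive never costs more than three decompression passes, and the "depth-limit-exceeded" verdict lets a policy decide whether such files are blocked or merely logged.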

4.2.4 Intrusion Prevention System (IPS)

The IPS function prevents attacks or intrusions at the application layer, such as cache overflow
attacks, Trojan horses, backdoor attacks, and worms.
Through the IPS function, the USG6000 monitors and analyzes system events, detects attacks
and intrusions at the application layer, and takes actions in real time to terminate the attacks.
The intrusion prevention capabilities of the USG6000 are as follows:
Different deployment modes, with unique defensive measures configurable for
different traffic flows
The USG6000 can work in in-line or off-line mode. In in-line mode, the
USG6000 acts as an IPS device: it detects threats in real time and blocks the transmission of
the relevant traffic flows to protect the intranet. In off-line mode, the USG6000 acts as
an IDS device: it records suspicious events and informs the
administrator of these events but does not block the suspicious traffic.
Through the configuration of security policies, the administrator can define granular
defense policies for different traffic flows.
In-depth packet parsing at the application layer
The USG6000 has a constantly updated application signature database. It performs
in-depth packet parsing on the traffic flows of thousands of common applications
to find attacks and intrusions. According to the configured application-specific security policies,
the USG6000 takes the corresponding actions on the traffic flows of different applications,
so the administrator can deploy the IPS function flexibly.
Threat detection after IP fragment reassembly and TCP stream reassembly
Certain attacks split their payload across IP packet fragments or TCP segments to evade
threat detection. To tackle this problem, the USG6000 reassembles the IP packet
fragments into the original packets and the TCP segments into the original streams before it
performs threat detection.
Signature database containing thousands of signatures, including user-defined ones
The IPS device uses signatures to detect attack traffic. Therefore, the size of the
signature database represents the threat identification capability.
To cope with endlessly emerging attacks and threats, Huawei has a professional security
team that closely traces the security bulletins of renowned security organizations and
software vendors, analyzes and verifies the threats, and generates the signature database for
the protection of software systems, including operating systems,
application programs, and databases.
In addition, Huawei captures the latest attacks,
worms, viruses, and Trojan horses, extracts signatures from them, and determines the
trend of the threats with the help of a globally distributed honeynet. (A honeynet is a
website that lures hackers and collects data for producing signatures.) Based on the
preceding features, Huawei can release the signature for a virus that attacks a newly
identified vulnerability and update the signature database in the shortest time. The
signature can prevent all attacks, known or unknown, that take advantage of the
vulnerability, delivering zero-day protection.
The predefined signature database helps the USG6000 identify thousands of attacks at
the application layer, and the constant updates of the signature database ensure that
the USG6000 identifies and defends against the latest attacks and threats. In addition, the
administrator can define signatures of their own as required to enhance the intrusion
prevention function of the USG6000.
Low false positive rate
The false positive rate is an important metric of the accuracy of signatures and the quality of
the signature database. False positives disrupt legitimate services and bury valuable
information in noise, making it harder to isolate real attacks.
False positives are usually caused by inaccurate signatures or detection mechanisms.
Huawei has a host of security professionals and data sources to analyze samples, create
signatures, and perform false negative tests to achieve a near-zero false positive rate. Because
of the extremely low false positive rate, a large percentage of the signatures are enabled
by default on the USG6000 to maximize protection without compromising legitimate
services. Administrators do not need to check large volumes of logs for false negatives or
to determine whether some signatures should be disabled.
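The reassembly capability described in this section is the difference between a detector that sees each TCP segment on its own and one that sees the stream the receiving host will actually process. The following is an added example, not Huawei code: a constructed request carrying a path-traversal content signature is split so that no single segment contains the whole pattern, delivered out of order with one retransmission, and then matched both ways. The signature, request and segment boundaries are constructed for the example; IP fragment reassembly follows the same offset-ordering logic at the packet level.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int          # relative TCP sequence number of the first payload byte
    payload: bytes


# Constructed content signature: a path-traversal pattern an IPS rule might look for.
SIGNATURE = b"/../../etc/passwd"

# Constructed request carrying the pattern.
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\nHost: intranet-app\r\n\r\n"


def split_stream(data: bytes, cut_points) -> list:
    """Cut `data` into Segment objects at the given byte offsets."""
    bounds = [0] + list(cut_points) + [len(data)]
    return [Segment(bounds[i], data[bounds[i]:bounds[i + 1]])
            for i in range(len(bounds) - 1)]


def evasion_sample() -> list:
    """Segments chosen so that no single segment contains the whole signature,
    delivered out of order and with one retransmitted segment."""
    s = split_stream(REQUEST, [6, 13])   # b"GET /." | b"./../et" | b"c/passwd HTTP/1.0..."
    return [s[2], s[0], s[1], s[1]]


def match_per_segment(segments) -> bool:
    """Naive detector that inspects each segment on its own."""
    return any(SIGNATURE in seg.payload for seg in segments)


def reassemble(segments, isn: int = 0) -> bytes:
    """Rebuild the byte stream as the receiving host would: order by sequence
    number, drop pure retransmissions, trim overlaps, and stop at a gap."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                      # retransmission of already-accepted data
        if seg.seq > expected:
            break                         # hole in the stream: wait for the missing bytes
        stream += seg.payload[expected - seg.seq:]   # trim any overlapping prefix
        expected = end
    return bytes(stream)


def match_reassembled(segments) -> bool:
    """Detector that inspects the reassembled stream, as the IPS does."""
    return SIGNATURE in reassemble(segments)
```

The per-segment detector returns no match for the sample while the stream detector does; a real IPS additionally has to decide which copy of overlapping data to keep, because different operating systems resolve overlaps differently and the detector should model the protected host.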

4.2.5 Data Leakage Prevention

Data Leakage Prevention (DLP) prevents the leak of specified data or information assets.
Leaks are a violation of the security regulations and policies that enterprises impose on their
networks.
The main purpose of DLP is to protect the key data of enterprises and individuals. DLP is
implemented through a set of technologies that defend against data leaks of various kinds.
The DLP function of the USG6000 prevents data leaks. For example, data leaks may occur
when:
Secret data is transmitted from the intranet to the extranet through network communication tools.
Most data leaks are caused, intentionally or accidentally, by employees of enterprises.
Hackers from extranets invade the hosts on the intranet, obtain the permissions to control
them, and even monitor their running status for a significant time.
The hosts on the intranet are infected with viruses, Trojan horses, or other spyware, and
the secret data stored on the hosts is automatically searched for and spread by these
malicious programs.
Hackers listen to or intercept the communication between the hosts on the intranet
and those on the extranet.
To prevent data leaks, the USG6000 addresses the possible data leak causes as follows:

Table 4-2 Data leakage prevention technology

Data leak channel: Through file transfer protocols, such as HTTP and FTP, or network communication tools, such as IM software
Technology: Application identification, file blocking, and data filtering
Description: The USG6000 uses application identification to perform in-depth packet inspection on network communication applications and file transfer protocols and to identify the files and information carried inside the packets. Data filtering helps filter out files according to the keywords they contain, whereas file blocking helps filter out files according to file properties such as file type.

Data leak channel: Through texts or email attachments
Technology: Mail filtering, file blocking, and data filtering
Description: Mail filtering helps filter out mails according to the addresses of the mail senders and receivers and the size and number of email attachments. File blocking helps filter out mails according to the types of attached files. Data filtering helps filter out mails according to the keywords in email addresses, subjects, bodies, and the names of the attached files.

Data leak channel: Through hacker invasion
Technology: Intrusion prevention
Description: The device monitors application-layer attacks and intrusions on the network, blocks intrusions from extranets, and prevents data leaks from within. For details on intrusion prevention, see 4.2.4 Intrusion Prevention System (IPS).

Data leak channel: Through hosts infected with viruses
Technology: Antivirus
Description: The device scans for and identifies Trojan horses and other spyware to prevent the infection and spread of viruses with similar intentions. For details on antivirus, see 4.2.3 Antivirus.

Data leak channel: Through eavesdropping during normal data transmission between the intranet and extranet
Technology: VPN
Description: The device implements VPN encryption technology to prevent network eavesdropping, tampering, forgery, and replay. For details on the VPN encryption technology, see 4.9 Diversified VPN Access Modes.

In addition to proactive defense measures, the USG6000 monitors, manages, traces, and
collects evidence of data leaks through application behavior audits.
The preceding technologies of the USG6000, together with the management of storage devices, file
encryption, user authentication, and user authorization, ensure end-to-end (E2E) data protection and
form a complete DLP solution.


4.2.6 Web Security Defense

The development of cloud technology drives the migration of more and more
applications from the desktop to the Web. The migration also turns the Web from a pure web
browsing service into a comprehensive platform that integrates multiple services related to
finance, social networking, music, video, and online games. The enrichment and development
of web services bring various security threats. To avoid possible harm, a combination of
multiple technologies can protect websites and control the access to them.
Illegal and malicious websites are the most significant problems related to the Web.
An illegal website is one that contains information, such as violence or pornography, that
is considered illegal by local laws and regulations or by the management system of
an enterprise. Websites of this kind adversely affect social stability, lower work efficiency,
and consume the bandwidth of and resources on the intranet.
A malicious website is one that hosts Trojan horses and phishing web pages, implants
Trojan horses into the hosts that access it, initiates SQL injection and cross-site scripting
attacks, takes advantage of vulnerabilities in browsers or operating systems, and
scams money from victims. Websites of this kind may cause significant loss to users or
enterprises. A prominent feature of malicious websites is their capability to cause
significant loss to users without their knowledge.
Therefore, the USG6000 provides the following technologies to tackle Web-related problems.

Table 4-3 Web security defense technology

Possible risk: Illegal website
Technology: URL filtering
Description: URL filtering helps control the access to certain URLs. The administrator can define their own URL categories and corresponding actions according to the URLs in the predefined URL category database of the USG6000.

Possible risk: Malicious website
Technology: Intrusion prevention, antivirus, URL filtering
Description: The intrusion prevention and antivirus functions monitor web access initiated by users in real time. Upon the detection of a virus download or intrusion, they send you an alarm or block the access, protecting hosts on the intranet. In addition, the URL categories provided by the USG6000 contain a large number of known URLs of Trojan horse and phishing websites. With the preceding data, the device automatically looks up the URLs accessed by users in the URL category database and takes appropriate actions on the accesses.


To cope with the constantly changing and growing set of URLs,
Huawei traces the changes on the Internet and updates the URL category database in real time
to constantly enhance the URL filtering function.
In addition, the administrator can set up a local URL category query server and use that
server to learn complete URL categories from Huawei's query server. Local
USG6000s then perform URL queries on the local query server. This deployment scheme
reduces bandwidth consumption, improves the query speed, and ensures the availability of the
query service even when the USG6000 is disconnected from the Internet.

4.2.7 Application Behavior Control

Application behavior control over specific network behaviors on enterprise networks helps
avoid security risks and improve management efficiency.
The network serves as an indispensable platform and instrument for modern enterprises.
However, network abuse causes many problems, as follows:
Browsing and downloading non-work-related web content during working hours lowers
work efficiency and wastes the network resources of enterprises.
Outgoing transfer of texts and files by employees may leak secret information from
enterprises.
Posting inappropriate opinions that violate local laws and regulations or the management
policies imposed by enterprises causes significant loss to corporate image or interests.
Application behavior control on the USG6000 effectively monitors and controls network
access behaviors, reduces the loss caused to corporate interests, and improves the work efficiency
of enterprises. The details of the control are as follows:
HTTP behavior control
Supports the blocking of operations, such as message post, form submit, and user
login, performed through HTTP POST.
Supports the blocking of requests to browse certain web pages.
Supports the blocking of network access through HTTP proxies.
Supports the alerting and blocking of file upload and download through HTTP
according to the size of the uploaded and downloaded files.
FTP behavior control
Supports the alerting and blocking of file upload and download through FTP
according to the size of the uploaded and downloaded files.
Supports the blocking of the operation of deleting files through FTP.

4.2.8 Anti-Spam
The anti-spam function blocks junk mail according to the IP address of the outgoing mail
server and the mail content.
Any unsolicited mail sent to a user's inbox can be regarded as junk mail. The massive volume of
junk mail nowadays has the following adverse impacts on the network:
Congests the mail server and lowers the performance of the entire network.
Infringes upon privacy, consumes the storage space of the inbox, and wastes the time,
effort, and money of receivers. Certain junk mail uses the email addresses of others as
the sender addresses, destroying the reputation of the actual owners of these
email addresses.
Contains Trojan horses and viruses and turns into a network attack if manipulated by hackers.
Severely affects the credibility of an ISP. Hosts that frequently send junk mail are
listed in the international junk mail database by their supervising ISP. In this case, the hosts
cannot access certain resources on the network. If the current ISP does not build a
comprehensive anti-spam mechanism, the users who receive junk mail may turn to
other ISPs.
Spreads false, anti-social, and pornographic content, causing damage to society.
The USG6000 provides the following mail filtering mechanisms:
Controls the permitted mail servers through a locally defined blacklist and whitelist.
Checks whether a mail server is one that usually forwards junk mail by querying a remote
RBL query server on the Internet. The RBL query server provides a comprehensive and
constantly updated list of mail servers that forward junk mail.
Filters emails based on the sender, the subject, and the keywords in the mail body.
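The mail checks named in the email row of Table 4-2 (sender and receiver addresses, attachment count, size and type, keywords in addresses, subject, body and attachment names) and the three anti-spam mechanisms just listed (local blacklist and whitelist, RBL lookup, content keywords) can be shown together in one filter. The following is an added example, not Huawei code. The policy values, the list entries, the placeholder RBL zone `rbl.example.test` and the stub DNS answers are all constructed so that it runs offline; a real deployment queries a public DNSBL over DNS.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Attachment:
    filename: str
    size: int        # bytes


@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


# Constructed DLP policy values (assumptions, not USG6000 defaults).
POLICY = {
    "blocked_sender_domains": {"example-competitor.test"},
    "max_attachments": 3,
    "max_attachment_bytes": 5 * 1024 * 1024,
    "blocked_extensions": {".exe", ".scr", ".js"},
    "keywords": ("confidential", "internal only"),
}


def dlp_verdict(mail: Mail) -> list:
    """Return the list of policy violations (empty list = mail may pass)."""
    reasons = []
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain in POLICY["blocked_sender_domains"]:
        reasons.append(f"sender domain {domain} blocked")
    if len(mail.attachments) > POLICY["max_attachments"]:
        reasons.append("too many attachments")
    for a in mail.attachments:
        if a.size > POLICY["max_attachment_bytes"]:
            reasons.append(f"attachment {a.filename} too large")
        ext = ("." + a.filename.rsplit(".", 1)[-1].lower()) if "." in a.filename else ""
        if ext in POLICY["blocked_extensions"]:
            reasons.append(f"attachment type {ext} blocked")
    # Data filtering: keywords in addresses, subject, body and attachment names.
    haystack = " ".join([mail.sender, mail.recipient, mail.subject, mail.body]
                        + [a.filename for a in mail.attachments]).lower()
    for kw in POLICY["keywords"]:
        if kw in haystack:
            reasons.append(f"keyword '{kw}' found")
    return reasons


# --- Anti-spam: local lists plus an RBL (DNS blocklist) lookup -------------
LOCAL_WHITELIST = {"198.51.100.10"}   # constructed: trusted partner mail server
LOCAL_BLACKLIST = {"203.0.113.7"}     # constructed: known junk-mail source
RBL_ZONE = "rbl.example.test"         # placeholder zone; a real deployment names a public DNSBL

# Constructed stand-in for DNS answers so the example runs offline.
STUB_DNS = {"99.2.0.192.rbl.example.test": "127.0.0.2"}


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """DNSBLs are queried by reversing the IPv4 octets under the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip: str, resolve=STUB_DNS.get) -> bool:
    """A listed address answers with a 127.0.0.x record; an unlisted one gets NXDOMAIN (None here)."""
    answer = resolve(rbl_query_name(ip))
    return answer is not None and answer.startswith("127.")


def mta_verdict(ip: str) -> str:
    """Decide whether to accept a connection from a sending mail server."""
    if ip in LOCAL_WHITELIST:
        return "accept"      # local whitelist overrides every other check
    if ip in LOCAL_BLACKLIST or rbl_listed(ip):
        return "reject"
    return "accept"
```

The order of the server checks matters: the local whitelist is consulted first so that a partner's mail server that happens to land on a public blocklist is still accepted, and the RBL lookup runs last because it is the only check that costs a network round trip.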

4.3 Flexible User Management

IP addresses no longer reflect user identities, which poses a security risk. However,
user-specific management delivers an effective solution to this issue.
In the initial phase of network development, an IP address was a unique identifier of a specific
host on the network, and the firewall performed traffic control based on IP addresses. However,
the popularization of telecommuting, mobile offices, and wireless offices makes the
integrated management of IP addresses a demanding task. Furthermore, IP addresses are
carried in packets in plain text and can be easily tampered with. Therefore, an increasing
number of network frauds are implemented through IP spoofing.
The user-specific security measures implemented by the USG6000 resolve the preceding
issues. With these measures, users are required to enter a user name and password to pass the
authentication process before they can access the network. The combination of user name and
password represents the identity of a real user, and the policies configured on the device are
user-specific. In such a case, resource authorization, security defense,
and traffic management all become more accurate.

Figure 4-3 User-specific policy deployment


The USG6000 integrates the storage and management solution for user information, user
authentication, permission management, and traffic management as follows:
1. Storage and management of user information, such as user name and password
You can create users and user groups on the USG6000. A maximum of three levels of
organizations are supported.
You can manage users and user groups on a third-party authentication server and
synchronize or import the data from the server to the USG6000. The supported
authentication servers are AD, RADIUS, LDAP, HWTACACS, SecurID and TSM.
2. User authentication
Supports local authentication. You can create and manage users on the device. The
USG6000 then pushes the authentication page to browsers to authenticate users.
Supports authentication through a proxy. You can create and manage users on a
third-party authentication server. In such a case, the USG6000 serves as an agent that
forwards the authentication requests to the server and obtains the authentication results from
it. You can configure policies for the users only after you import them from the
authentication server to the USG6000.
Supports real-time synchronization from the AD server. The USG6000 can obtain
the authentication result from the AD server after the server authenticates the user. No
further authentication is required.
Supports the re-authentication of users that access the network through VPN tunnels
according to their access modes.
3. Permission control and traffic management
You can create or import the following policies:
Security policy: controls network access permissions and provides content security.
Bandwidth policy: controls the used bandwidth and number of connections and
adjusts the traffic forwarding priorities of specific users.
Policy-based routing: specifies the outgoing interface of user traffic.
Audit policy: audits user online behaviors.

4.4 Complete Security Functions Inherited from Traditional Firewalls

The USG6000 inherits the security functions from traditional firewalls at the network layer.
Although simple, these security mechanisms are effective and sufficient to tackle the threats at
the network layer.

Packet Filtering
Packet filtering is one of the basic security functions of a firewall. It can permit or deny
packets based on certain conditions. You can add the user and application fields to the packet
filtering condition of the USG6000. This enables the administrator to perform rapid packet
filtering based on the sender of the traffic and the actual application.
The USG6000 integrates packet filtering and content security into security policy
configuration. You can perform unified configuration and management based on the
configured policies, reducing the requirement for administrative efforts to improve network
management efficiency.


NAT
NAT changes the IP addresses of packets. In doing so, NAT hides the intranet topology and saves
public IPv4 addresses.
The NAT functions available on the USG6000 are as follows:
Source NAT
Address translation facilitates mutual access between the intranet (private IP addresses)
and the extranet (public IP addresses). Through NAT, the device can translate private IP
addresses into public IP addresses, slowing down the exhaustion of IP addresses. The
USG6000 can implement the translation in any of the following ways:
One-to-one translation: automatically assigns a public IP address to each of the hosts
on the intranet.
Many-to-one translation: multiple hosts share the same public IP address
with different ports. This translation is also termed Port Address Translation (PAT).
Easy IP translation: multiple hosts share the public IP address of the
network egress interface but use different ports.
Server mapping
Although NAT hides the intranet topology and shields the hosts on the intranet, certain
hosts may need to serve as web or FTP servers and provide services for extranet
users. Through NAT, you can flexibly make such intranet servers accessible.
When extranet users access intranet servers, the device performs the following operations:
The device translates the destination IP address of the request packet to the private IP
address of the intranet server.
Then the device translates the source IP address of the response packet to the
assigned public IP address.
NAT ALG
Certain multi-channel protocols use the control channel between the client and server to
negotiate IP addresses and ports dynamically during packet transmission. These IP
addresses and ports are assigned arbitrarily, so no NAT policy can be
configured for them in advance. In this case, the USG6000 must be able to identify the packets
of the negotiation and apply the corresponding policies to them. This
function is termed NAT Application Level Gateway (ALG).
The USG6000 has an advanced capability to identify applications. The integration of NAT
ALG enables the USG6000 to identify the packets transmitted through common
multi-channel protocols, such as FTP, H.323, and PPTP.
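The many-to-one (PAT) and server-mapping behaviour described above comes down to two translation tables: one created on demand by outbound sessions and one configured statically for published servers. The following is an added example, not Huawei code, of such a gateway in miniature; it shows that two intranet hosts using the same private source port get distinct public ports, that a reply is mapped back to the session that caused it, that a request to a published port reaches the private server and its response is rewritten to the public address, and that an unsolicited packet to an unmapped port is dropped. The addresses, port range and the `NatGateway` class are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Hypothetical gateway: many-to-one source NAT plus static server mapping."""

    def __init__(self, public_ip: str, port_range=(10000, 60000)):
        self.public_ip = public_ip
        self._next_port = count(port_range[0])
        self._max_port = port_range[1]
        self.snat = {}          # (proto, src_ip, src_port, dst_ip, dst_port) -> public port
        self.snat_reverse = {}  # (proto, public port) -> (src_ip, src_port, dst_ip, dst_port)
        self.server_map = {}    # (proto, public port) -> (private_ip, private_port)

    def add_server_mapping(self, proto, public_port, private_ip, private_port):
        self.server_map[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, flow: Flow) -> Flow:
        """Packet leaving the intranet: source becomes the public IP and an allocated port (PAT)."""
        key = (flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        port = self.snat.get(key)
        if port is None:
            port = next(self._next_port)
            if port > self._max_port:
                raise RuntimeError("PAT port pool exhausted")
            self.snat[key] = port
            self.snat_reverse[(flow.proto, port)] = key[1:]
        return Flow(flow.proto, self.public_ip, port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow):
        """Packet arriving from the extranet; None means it matches nothing and is dropped."""
        if flow.dst_ip != self.public_ip:
            return None
        sess = self.snat_reverse.get((flow.proto, flow.dst_port))
        if sess and (flow.src_ip, flow.src_port) == (sess[2], sess[3]):
            # Reply of an established session: restore the private destination.
            return Flow(flow.proto, flow.src_ip, flow.src_port, sess[0], sess[1])
        mapping = self.server_map.get((flow.proto, flow.dst_port))
        if mapping:
            # Server mapping: destination becomes the private server address.
            return Flow(flow.proto, flow.src_ip, flow.src_port, mapping[0], mapping[1])
        return None   # unsolicited packet: dropped, intranet topology stays hidden

    def server_reply(self, flow: Flow):
        """Response from a mapped server: source becomes the assigned public IP and port."""
        for (proto, pub_port), (priv_ip, priv_port) in self.server_map.items():
            if (proto, priv_ip, priv_port) == (flow.proto, flow.src_ip, flow.src_port):
                return Flow(proto, self.public_ip, pub_port, flow.dst_ip, flow.dst_port)
        return None


def demo():
    gw = NatGateway("203.0.113.1")
    gw.add_server_mapping("tcp", 80, "10.0.0.5", 8080)
    out1 = gw.outbound(Flow("tcp", "10.0.0.10", 51000, "198.51.100.20", 443))
    out2 = gw.outbound(Flow("tcp", "10.0.0.11", 51000, "198.51.100.20", 443))  # same private port
    reply = gw.inbound(Flow("tcp", "198.51.100.20", 443, "203.0.113.1", out1.src_port))
    web = gw.inbound(Flow("tcp", "192.0.2.8", 40000, "203.0.113.1", 80))
    web_reply = gw.server_reply(Flow("tcp", "10.0.0.5", 8080, "192.0.2.8", 40000))
    stray = gw.inbound(Flow("tcp", "192.0.2.8", 40000, "203.0.113.1", 22))
    return out1, out2, reply, web, web_reply, stray
```

The reverse lookup checks the remote endpoint as well as the public port, so a packet from a different peer cannot ride an existing mapping into the intranet; real gateways also age entries out, which the example omits.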

Attack Defense
Defense against DDoS attacks
The USG6000 can detect DDoS attacks, prevent them by discarding the attack packets or
taking other actions, and log the attack events. Currently, the USG6000 can prevent the
following DDoS attacks:
Non-application-layer DDoS attacks: SYN flood, UDP flood, ICMP flood, and ARP
flood
Application-layer DDoS attacks: HTTP flood, HTTPS flood, DNS flood, and SIP
flood
Scan attack defense
By scanning and sniffing, an attacker can roughly learn the types of services the
target system provides and its potential vulnerabilities for further intrusion. The USG6000
can detect such scanning and sniffing packets through comparison and analysis,
preventing subsequent attacks.
Malformed packet attack defense
The USG6000 can prevent attacks through various malformed packets by checking
their validity. Attacks of this type take advantage of defects of software systems in
packet handling and use abnormal packets, such as runt and giant packets, special
packets, and packets in abnormal formats, to crash the intranet hosts or degrade their
performance. Common malformed packet attacks include IP spoofing, IP
fragment, teardrop, smurf, ping of death, fraggle, WinNuke, Land, packets with
illegitimate flag bits, and ARP spoofing.
Special packet attack defense
The USG6000 can defend against attacks that use giant ICMP packets, ICMP
unreachable messages, ICMP redirects, sniffing of the network structure through tracert, IP packets
with the source route option, IP packets with the route record option, and IP packets with the
timestamp option, ensuring access validity.

Blacklist and whitelist

Blacklist
Packets to or from blacklisted users, IP addresses, and ports are discarded. The USG6000
can use the blacklist to perform rapid packet filtering. The simple matching conditions make
packet filtering highly efficient, and the blacklist is suited to massive attacks from malicious users.
Users or IP addresses can be added to the blacklist as follows:
Manually added by administrators.
Automatically added after three consecutive failed login attempts.
Automatically added if a user or IP address keeps accessing different IP addresses or
ports, which is regarded as an IP address or port scanning attack.
Automatically added if intrusion activity is detected.
Whitelist
The whitelist is a list of trusted IP addresses. The IP addresses added to the list are
exempted from inspection.
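Two of the automatic blacklist triggers above, three consecutive failed logins and repeated access to different IP addresses or ports, are simple enough to show as detection logic over event records. The following is an added example, not Huawei code: it replays constructed log lines through a small tracker and reports which sources would be blacklisted and why. The "three consecutive failed logins" threshold is the one stated on the page; the scan threshold (ten distinct targets within a five-second window), the log format and the addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

FAILED_LOGIN_LIMIT = 3        # page: three consecutive failed login attempts
SCAN_DISTINCT_TARGETS = 10    # assumption: distinct (IP, port) targets that count as a scan
SCAN_WINDOW_SECONDS = 5       # assumption: sliding window for the scan counter


class AutoBlacklist:
    """Hypothetical tracker implementing the two automatic triggers."""

    def __init__(self):
        self.blacklist = {}                  # ip -> reason it was added
        self._fail_streak = defaultdict(int)
        self._targets = defaultdict(deque)   # ip -> deque of (ts, (dst_ip, dst_port))

    def on_login(self, ts: int, ip: str, success: bool) -> None:
        if success:
            self._fail_streak[ip] = 0        # "consecutive": a success resets the streak
            return
        self._fail_streak[ip] += 1
        if self._fail_streak[ip] >= FAILED_LOGIN_LIMIT:
            self._add(ip, "consecutive failed logins")

    def on_connection(self, ts: int, ip: str, dst_ip: str, dst_port: int) -> None:
        q = self._targets[ip]
        q.append((ts, (dst_ip, dst_port)))
        while q and ts - q[0][0] > SCAN_WINDOW_SECONDS:
            q.popleft()                      # expire events outside the window
        if len({target for _, target in q}) >= SCAN_DISTINCT_TARGETS:
            self._add(ip, "IP/port scanning")

    def _add(self, ip: str, reason: str) -> None:
        self.blacklist.setdefault(ip, reason)  # keep the first reason

    def permit(self, ip: str) -> bool:
        return ip not in self.blacklist


def replay(log_text: str) -> AutoBlacklist:
    """Feed constructed log lines of the form
    '<ts> login <ip> fail|success' or '<ts> conn <ip> <dst_ip> <dst_port>'."""
    bl = AutoBlacklist()
    for line in log_text.strip().splitlines():
        f = line.split()
        if f[1] == "login":
            bl.on_login(int(f[0]), f[2], f[3] == "success")
        elif f[1] == "conn":
            bl.on_connection(int(f[0]), f[2], f[3], int(f[4]))
    return bl


# Constructed sample log: a brute-force attempt, a port sweep and a normal client.
SAMPLE_LOG = "\n".join(
    ["1 login 203.0.113.5 fail", "2 login 203.0.113.5 fail", "3 login 203.0.113.5 success",
     "4 login 203.0.113.5 fail", "5 login 203.0.113.5 fail", "6 login 203.0.113.5 fail"]
    + [f"2 conn 198.51.100.9 10.0.0.1 {port}" for port in range(20, 32)]
    + [f"{t} conn 198.51.100.77 10.0.0.1 443" for t in range(1, 31)]
)
```

The normal client makes thirty connections but always to the same target, so it never reaches the distinct-target threshold; counting distinct targets rather than raw connections is what keeps a busy legitimate host off the list.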

IP-MAC Address Binding

IP addresses are easily tampered with because they are carried in IP packets in plain
text. To prevent IP spoofing, IP addresses can be bound to the MAC addresses of the hosts
on the intranet. The device then forwards only packets whose source IP address matches the
bound MAC address and discards packets whose source IP address and MAC address do not match.

4.5 Granular Traffic Management

Network services are ever-increasing, but network bandwidth is not. Therefore, bandwidth
usage must be controlled to reduce the bandwidth for low-priority services and ensure
available bandwidth for high-priority services.
Currently, common problems that administrators encounter are as follows:
P2P applications consume the most bandwidth.
DDoS attacks make services unavailable to legitimate users.
Stable bandwidth usage or number of connections cannot be ensured for certain special
services.
Overload traffic degrades device performance and user experience.
A few users occupy most of the bandwidth, causing resource waste and low work efficiency.
The following traffic management technologies of the USG6000 can be used to tackle these
common problems:
Reduce the bandwidth for P2P traffic by allocating the bandwidth and number of
connections based on IP addresses, users, applications, and time.
Limit the bandwidth for security zones or interfaces to prevent overwhelming traffic
from degrading or paralyzing servers and network devices.
Set guaranteed and maximum bandwidths for applications to ensure proper bandwidth
allocation and the availability of special services. The advanced application identification
capability of the USG6000 makes granular bandwidth management possible.
Allocate a fixed online duration and traffic quota to specific users to implement
reasonable bandwidth allocation and usage.
The USG6000 flexibly allocates bandwidth through bandwidth policies. Each bandwidth
channel represents a bandwidth range or connection number range. Each bandwidth policy
assigns a bandwidth channel to the traffic of a specific type.
If multiple bandwidth policies share a bandwidth channel, the traffic flows defined in the
policies obtain bandwidth and connections through preemption to ensure
the full use of the network resources. In addition, the maximum bandwidth for each IP
address or user can be restricted to ensure smooth global traffic transmission and a good
individual network access experience.
If a bandwidth policy takes over a bandwidth channel exclusively, the traffic flow of the special
services or hosts defined in the policy is not affected by other traffic flows. The exclusive takeover
of a bandwidth channel ensures the availability of high-priority services.
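The guaranteed/maximum bandwidth settings and the preemption described for policies that share one channel can be illustrated with a small allocation routine. The following is an added example, not Huawei code and not the USG6000 scheduler: every policy first receives its guaranteed bandwidth (or its demand, if lower), and the channel's spare capacity is then shared equally among the policies that still want more, each capped at its maximum. The policy names, figures (in Mbit/s) and the equal-share rule are assumptions made for the example.

```python
# Constructed policies (Mbit/s): guaranteed, maximum and current demand per traffic type.
POLICIES = {
    "voip": {"guaranteed": 20, "maximum": 30, "demand": 50},
    "web":  {"guaranteed": 30, "maximum": 100, "demand": 100},
    "p2p":  {"guaranteed": 0, "maximum": 10, "demand": 100},
}


def allocate(channel_capacity: float, policies: dict) -> dict:
    """Share one bandwidth channel among policies (hypothetical allocation rule).

    Step 1: each policy gets min(demand, guaranteed).
    Step 2: spare capacity is water-filled among policies still below
            min(demand, maximum), in equal shares, until nothing is left
            or nobody wants more."""
    alloc = {n: min(p["demand"], p["guaranteed"]) for n, p in policies.items()}
    remaining = channel_capacity - sum(alloc.values())
    if remaining < 0:
        raise ValueError("guaranteed bandwidths exceed channel capacity")
    while remaining > 1e-9:
        wanting = [n for n, p in policies.items()
                   if alloc[n] < min(p["demand"], p["maximum"])]
        if not wanting:
            break                      # everyone is at demand or at maximum
        share = remaining / len(wanting)
        for n in wanting:
            cap = min(policies[n]["demand"], policies[n]["maximum"])
            give = min(share, cap - alloc[n])   # never exceed the policy's maximum
            alloc[n] += give
            remaining -= give
    return alloc


def demo() -> dict:
    """100 Mbit/s channel: VoIP reaches its 30 Mbit/s cap, P2P is held to 10,
    and web traffic preempts the rest."""
    return allocate(100, POLICIES)
```

With these figures the result is VoIP 30, web 60 and P2P 10 Mbit/s: P2P is held at its maximum regardless of its demand, VoIP is protected by its guarantee and cap, and the web policy takes whatever the others leave, which is the preemption the section describes.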

4.6 Support for Various Routing and Switching Protocols


The USG6000 supports a wide range of routing and switching protocols, ensuring the
adaptability to various network environments and deployment requirements.

Switching Protocols
The USG6000 supports the following protocols.

Table 4-4 Switching Protocols

Protocol Description
ARP Address Resolution Protocol (ARP) is a mechanism to map an IP
address to the corresponding MAC address.
Each host or router on the intranet has a 32-bit IP address for its
communication with other devices. The IP address is independent from

Issue 01 (2014-10-20) Huawei Proprietary and Confidential 59


Copyright Huawei Technologies Co., Ltd.
HUAWEI Secospace USG6000 Unified Security
Gateway
Product Description 4 Product Functions

Protocol Description
the MAC address of the host.
On Ethernet, the host or router sends and receives Ethernet frames using
a 48-bit MAC address. The MAC address is also called a physical or
hardware address. The address is burned into the NIC during device
manufacturing. Therefore, a mechanism for address resolution is
required to map these two types of addresses.
VLAN Users can divide VLANs on the USG6000 as required to implement the
following functions:
Controlling the range of the broadcast domain: Restricting the
broadcast packets of the Local Area Network (LAN) within a VLAN
reduces bandwidth consumption and improves network processing
capability.
Enhancing intranet security: Because packets are isolated by the
broadcast domains at the data link layer, hosts of each VLAN cannot
directly communicate with each other, which ensures intranet
security.
Flexibly creating virtual workgroup: You can use VLAN to create
virtual workgroups across physical networks.
The communication within a VLAN is not controlled by the access
control policy.
The communication across VLANs is controlled by the access
control policy.
PPP/PPPoE Point-to-Point Protocol (PPP): a link-layer protocol that carries
network-layer packets over a point-to-point link. It supports user
authentication and both synchronous and asynchronous transmission.
PPP defines a set of protocols as follows:
Link Control Protocol (LCP): used to establish, tear down, and monitor
data links.
Network Control Protocol (NCP): used to negotiate the format and type
of network-layer packets transmitted on the data link.
Password Authentication Protocol (PAP) and Challenge Handshake
Authentication Protocol (CHAP): used to authenticate the peer. PAP
sends the user name and password in cleartext; CHAP sends only a
response to a random challenge, so the secret itself never crosses
the link. Prefer CHAP where the peer supports it.
Point-to-Point Protocol over Ethernet (PPPoE) uses Ethernet to form a
network of a large number of hosts and connects that network to the
Internet through a remote access device.
After PPPoE is configured, a PPP session with the remote device can be
created to implement access control and accounting.
The USG6000 can serve as a PPPoE server, to which PPPoE clients connect
over Ethernet.
The USG6000 can also act as a PPPoE client and dial in to a PPPoE
server.
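The difference between PAP and CHAP described above, shown as an added example that is not part of this document or of Huawei's code: it builds a PAP Authenticate-Request, computes a CHAP response the way RFC 1994 specifies (MD5 over identifier, secret and challenge), verifies it on the authenticator side, and replays a captured response against a fresh challenge. The peer name, shared secret and challenge size are constructed here.

```python
"""PAP versus CHAP on a PPP link (RFC 1334 / RFC 1994).

Added example; this is not USG6000 code. The peer name, secret and
challenge size are constructed here so the block runs offline.
"""
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Both fields cross the link in cleartext, so
    anyone who can read the link learns the password."""
    pid = peer_id.encode()
    return bytes([len(pid)]) + pid + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    The secret itself is never transmitted; only this 16-byte value is."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side (e.g. a PPPoE server): issues a fresh random
    challenge per attempt and verifies the peer's response."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # peer name -> shared secret (constructed)
        self._identifier = 0

    def new_challenge(self, size: int = 16):
        # The identifier changes per challenge and the challenge is unpredictable
        # and never reused; that is what defeats replay of a captured response.
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(size)

    def verify(self, identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    """One PAP request, one CHAP exchange, and a replay of the CHAP response."""
    secret = b"branch-secret"                      # constructed shared secret
    auth = ChapAuthenticator({"branch1": secret})

    pap = pap_authenticate_request("branch1", secret)
    pap_leaks_secret = secret in pap

    ident, challenge = auth.new_challenge()
    response = chap_response(ident, secret, challenge)   # computed by the peer
    chap_ok = auth.verify(ident, challenge, "branch1", response)
    chap_leaks_secret = secret in response

    # An eavesdropper who captured `response` replays it against the next challenge.
    ident2, challenge2 = auth.new_challenge()
    replay_ok = auth.verify(ident2, challenge2, "branch1", response)

    return {
        "pap_leaks_secret": pap_leaks_secret,
        "chap_ok": chap_ok,
        "chap_leaks_secret": chap_leaks_secret,
        "replay_accepted": replay_ok,
    }
```

CHAP still exposes the challenge/response pair to an eavesdropper, who can test candidate secrets offline against it, so the shared secret must be long and random; CHAP protects the secret on the wire, not against guessing.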


Static Route
The USG6000 supports static routes.
Static routes are sufficient for simple and small networks. Properly configured and applied,
static routes improve network performance and reserve bandwidth for important applications.
However, when a fault occurs or the network topology changes, static routes do not adapt
automatically; the administrator must change them manually.

Dynamic Route
Protocol Description
RIP The USG6000 supports the Routing Information Protocol (RIP) to guide
packet forwarding.
RIP is a simple interior gateway protocol based on the distance-vector
algorithm. It uses UDP port 520.
RIP uses the hop count to measure the distance to a destination. The hop
count from a router to its directly connected network is 0, to a network
reachable through one other router it is 1, and it increases by one for
each additional router on the path. To bound the convergence time, RIP
restricts valid distances to the range 0 to 15; a hop count of 16 or
more means infinity, that is, the destination network or host is
unreachable. Because of this restriction, RIP is unsuitable for
large-scale networks.
RIP allows the update interval and the maximum number of packets per
update to be configured to improve network performance. RIP also
supports split horizon and poison reverse to avoid routing loops.
OSPF Open Shortest Path First (OSPF) is a link-state interior gateway
protocol developed by the Internet Engineering Task Force (IETF).
The features of OSPF are as follows:
Wide application scope: supports networks of various scales, up to
hundreds of routers.
Fast convergence: sends update packets immediately after the
network topology changes and synchronizes the new topology
throughout the autonomous system.
Loop free: computes routes as a shortest path tree from the
collected link states, which avoids routing loops.
Area division: allows the network of an autonomous system to be
divided into areas. Routing information exchanged between areas is
summarized, which reduces bandwidth usage.
Equal Cost Multiple Path (ECMP): supports multiple equal-cost routes
to the same destination.
Routing hierarchy: routes are classified as intra-area, inter-area,
Type 1 external, and Type 2 external routes.

Authentication: supports per-interface authentication of protocol
packets, so that a neighbor must prove knowledge of the configured
key before its routing updates are accepted.
Multicast: sends protocol packets to multicast addresses on link
types that support it, to reduce bandwidth waste.
OSPF applies to medium and large networks.
BGP Border Gateway Protocol (BGP) is a protocol for dynamic route
discovery between autonomous systems. It exchanges loop-free routing
information (reachability information carrying the AS path attribute)
between autonomous systems to form the inter-AS topology, eliminate
routing loops, and implement user-defined routing policies.
Unlike Interior Gateway Protocols (IGPs) such as OSPF and RIP, which
run within an autonomous system, BGP is an Exterior Gateway Protocol
(EGP) and is used between ISPs.
BGP focuses on controlling route distribution and selecting the best
route, rather than on discovering and computing routes.
IS-IS Intermediate System to Intermediate System (IS-IS) is a dynamic routing
protocol defined by the International Organization for Standardization
(ISO) for its Connectionless Network Protocol (CLNP).
To support IP routing, the IETF extended and modified IS-IS in
RFC 1195 so that IS-IS can be used in both TCP/IP and OSI
environments. The extended protocol is called Integrated IS-IS or
Dual IS-IS.
IS-IS is an IGP and is normally used within an autonomous system. It is
a link-state routing protocol that computes routes with the Shortest
Path First (SPF) algorithm and closely resembles OSPF.
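The RIP behaviour described in the table (hop-count metric, 16 as infinity, split horizon with poison reverse) as an added example that is not part of this document or of the USG6000 software: a small distance-vector simulation over a constructed three-router chain. It converges the routes, then fails the attached network and shows that with poison reverse all routers reach metric 16, whereas without it the routers count upward through stale routes.

```python
"""Distance-vector routing with a RIP-style hop-count metric: 16 means
unreachable, and split horizon with poison reverse stops the
count-to-infinity loop after a link failure.

Added example, not USG6000 code. The three-router chain and the prefix
10.0.0.0/24 are constructed for illustration.
"""
INFINITY = 16  # RIP: a hop count of 16 or more means unreachable


class DvRouter:
    def __init__(self, name, connected, poison_reverse=True):
        self.name = name
        self.poison_reverse = poison_reverse
        # prefix -> (metric, next_hop); directly connected networks cost 0
        self.routes = {net: (0, None) for net in connected}

    def advertise(self, neighbor):
        """Build the update sent to `neighbor`. With poison reverse, a route
        learned from that neighbor is sent back with metric 16 instead of
        being offered to it as a (stale) alternative path."""
        update = {}
        for net, (metric, next_hop) in self.routes.items():
            if self.poison_reverse and next_hop == neighbor:
                update[net] = INFINITY
            else:
                update[net] = metric
        return update

    def receive(self, neighbor, update):
        """Bellman-Ford step: cost via `neighbor` is its metric + 1, capped at 16.
        A route whose current next hop is this neighbor always takes its new
        metric (even if worse); other routes only switch to a strictly better one."""
        for net, metric in update.items():
            new_metric = min(metric + 1, INFINITY)
            cur_metric, cur_next_hop = self.routes.get(net, (INFINITY, None))
            if cur_next_hop == neighbor:
                self.routes[net] = (new_metric, neighbor)
            elif new_metric < cur_metric:
                self.routes[net] = (new_metric, neighbor)


def exchange(a, b):
    """One round of simultaneous updates in both directions over a link."""
    to_b, to_a = a.advertise(b.name), b.advertise(a.name)
    a.receive(b.name, to_a)
    b.receive(a.name, to_b)


def simulate(poison_reverse, rounds=5):
    """Chain A - B - C, with 10.0.0.0/24 attached to A. Returns the metric
    each router holds for that prefix before and after A loses it."""
    net = "10.0.0.0/24"
    a = DvRouter("A", [net], poison_reverse)
    b = DvRouter("B", [], poison_reverse)
    c = DvRouter("C", [], poison_reverse)
    for _ in range(rounds):
        exchange(a, b)
        exchange(b, c)
    before = {r.name: r.routes[net][0] for r in (a, b, c)}
    a.routes[net] = (INFINITY, None)      # A's interface to the network fails
    for _ in range(rounds):
        exchange(a, b)
        exchange(b, c)
    after = {r.name: r.routes[net][0] for r in (a, b, c)}
    return before, after
```

The simulation omits RIP's timers and triggered updates; it only shows why the 16-hop ceiling and poison reverse are needed: without them a withdrawn prefix keeps circulating with a growing metric until it finally hits infinity.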

Routing Policy
Routing policy is a technique for modifying routing information to change the path that
network traffic takes. It changes routing attributes, including reachability.
When advertising or receiving routing information, the USG6000 applies policies to filter
it; for example, it receives or advertises only routing information that meets the specified
conditions. A routing protocol may also need to import routes discovered by other routing
protocols; the imported routes must meet certain conditions, and certain attributes of the
imported routes must be set so that they fit the requirements of the importing protocol.
The USG6000 provides the following seven filters for routing protocols to reference:
Access control list (ACL)
Address prefix list
AS path filter
Community filter
Extended community list
RD attribute list
Route-Policy
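How two of the filters listed above (an address prefix list and an AS path filter) are evaluated and then referenced by a route-policy node, as an added example that is not part of this document: the semantics follow common router behaviour (ordered permit/deny entries, first match wins, implicit deny), not USG6000 syntax, and the entries and sample routes are constructed.

```python
"""Filtering routes with an address prefix list and an AS-path filter,
then applying a route-policy node that accepts matches and sets an
attribute. Added example; the filter semantics are modelled on common
router behaviour, not on USG6000 syntax, and the entries and sample
routes below are constructed.
"""
import ipaddress
import re


class PrefixList:
    """Ordered permit/deny entries. An entry (action, network, ge, le)
    matches a route whose prefix lies inside `network` and whose length is
    between ge and le; ge/le default to the entry's own length (exact
    match). First match wins; no match means deny."""

    def __init__(self, entries):
        self.entries = []
        for action, network, ge, le in entries:
            net = ipaddress.ip_network(network)
            self.entries.append((action, net, ge or net.prefixlen, le or net.prefixlen))

    def permits(self, prefix):
        p = ipaddress.ip_network(prefix)
        for action, net, ge, le in self.entries:
            if p.version == net.version and p.subnet_of(net) and ge <= p.prefixlen <= le:
                return action == "permit"
        return False


class AsPathFilter:
    """Ordered (action, regex) entries over the AS path written as
    space-separated ASNs, e.g. "65001 64512". First match wins; no match
    means deny."""

    def __init__(self, entries):
        self.entries = [(action, re.compile(rx)) for action, rx in entries]

    def permits(self, as_path):
        text = " ".join(str(asn) for asn in as_path)
        for action, rx in self.entries:
            if rx.search(text):
                return action == "permit"
        return False


def apply_route_policy(routes, prefix_list, as_path_filter, local_pref):
    """One permit node: a route must pass both filters to be accepted, and
    accepted routes get `local_pref` set. Rejected routes are dropped, which
    is the implicit deny at the end of a route-policy."""
    accepted = []
    for prefix, as_path in routes:
        if prefix_list.permits(prefix) and as_path_filter.permits(as_path):
            accepted.append({"prefix": prefix, "as_path": as_path, "local_pref": local_pref})
    return accepted


# Constructed policy: accept customer space 10.0.0.0/8 only as /16 to /24
# aggregates, and reject anything whose path contains AS 65666.
CUSTOMER_PREFIXES = PrefixList([("permit", "10.0.0.0/8", 16, 24)])
PATH_FILTER = AsPathFilter([("deny", r"\b65666\b"), ("permit", r".*")])

SAMPLE_ROUTES = [                      # constructed routes: (prefix, AS path)
    ("10.1.0.0/16", [65001]),
    ("10.1.2.0/25", [65001]),          # too specific: longer than /24
    ("10.2.0.0/20", [65001, 65666]),   # path contains the rejected AS
    ("192.0.2.0/24", [65002]),         # outside 10.0.0.0/8
    ("10.3.0.0/22", [65002, 64512]),
]


def demo():
    return apply_route_policy(SAMPLE_ROUTES, CUSTOMER_PREFIXES, PATH_FILTER, local_pref=200)
```

The upper length bound (le 24) is the part operators most often forget: without it a neighbour can leak a more specific prefix inside permitted space and hijack traffic for it.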

Multicast
Multicast offers point-to-multipoint delivery with minimum bandwidth consumption. IP
multicast suits real-time services such as live broadcasting, network TV, distance
education, telemedicine, and real-time video and audio conferencing.

4.7 Intelligent Route Selection Policy


The USG6000 has multiple egress links and can dynamically select outbound interfaces based
on intelligent route selection policies. This implementation ensures that traffic is forwarded
based on preset policies, increases link usage, and improves users' Internet access experience.
As shown in Figure 4-4, the USG6000 is deployed as a gateway at the egress of an enterprise
network. Users in the enterprise can access Internet resources through ISP1 and ISP2 links,
while Internet users can access enterprise resources over ISP1 and ISP2 networks.

Figure 4-4 Intelligent uplink selection networking

Conventionally, routes direct traffic based on destination addresses. As network services
become more complex and data traffic constantly changes, purely route-based forwarding
cannot meet requirements. The USG6000 provides multiple route selection policies for
different application scenarios. It analyzes traffic attributes and real-time link status to
select the optimal outbound interface.

Smart DNS
When an enterprise hosts its own DNS servers, the USG6000 answers DNS requests from
different ISPs so that the address a user obtains lies in the same ISP network as the user.
The user then connects to that address, which is the web server the enterprise provides for
that ISP. As the access does not traverse another ISP's network, latency is minimal and the
service experience is optimal.
As shown by the red curve in Figure 4-4, before ISP1 users access the enterprise website
www.example.net, the DNS server on the enterprise network must resolve its IP address. With
smart DNS, the USG6000 returns 1.1.1.10 to ISP1 users and 2.2.2.10 to ISP2 users.

DNS Transparent Proxy


The USG6000 can change the destination addresses of DNS requests from certain intranet
users to the addresses of DNS servers in other ISP networks. Because the requests are then
resolved by different ISPs, the returned web server addresses belong to different ISPs, and
Internet access traffic is spread over the ISP links, preventing congestion and improving
link usage.
As shown by the blue curve in Figure 4-4, when an intranet user accesses the Internet website
www.example.com, the address must first be resolved by an Internet DNS server. Suppose the
client is configured with the ISP2 DNS server. With DNS transparent proxy, the USG6000
checks the real-time link status and changes the destination address of the DNS request to
the ISP1 DNS server. The user then accesses web server 1 in the ISP1 network rather than web
server 2 in the ISP2 network.
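The two DNS decisions just described (Smart DNS answering inbound queries with the address on the querier's own ISP, and DNS transparent proxy redirecting intranet queries to the resolver of the least-loaded link) as an added example that is not part of this document or of the USG6000 software. The ISP address library, the resolver addresses and the link statistics are constructed; the web server addresses 1.1.1.10 and 2.2.2.10 are the ones used in Figure 4-4.

```python
"""Smart DNS and DNS transparent proxy decisions driven by an ISP address
library. Added example, not USG6000 code: the ISP prefixes, the DNS
server addresses and the link statistics are constructed, and the web
server addresses 1.1.1.10 / 2.2.2.10 are the ones used in Figure 4-4.
"""
import ipaddress

# Constructed ISP address library: which public prefixes belong to which ISP.
ISP_LIBRARY = {
    "ISP1": [ipaddress.ip_network("1.1.0.0/16")],
    "ISP2": [ipaddress.ip_network("2.2.0.0/16")],
}

# Smart DNS records: one address per ISP for the same name (from Figure 4-4).
SMART_RECORDS = {
    "www.example.net": {"ISP1": "1.1.1.10", "ISP2": "2.2.2.10"},
}

# Constructed: the resolver the USG6000 would use on each ISP link.
ISP_DNS_SERVERS = {"ISP1": "1.1.1.53", "ISP2": "2.2.2.53"}


def isp_of(address):
    """Look an address up in the ISP address library; None if unknown."""
    ip = ipaddress.ip_address(address)
    for isp, prefixes in ISP_LIBRARY.items():
        if any(ip in p for p in prefixes):
            return isp
    return None


def smart_dns_answer(qname, client_address, default_isp="ISP1"):
    """Answer an inbound query with the address on the client's own ISP, so
    the HTTP connection that follows never crosses between ISP networks.
    Queries from unknown networks get the default ISP's address."""
    records = SMART_RECORDS.get(qname)
    if records is None:
        return None                                  # NXDOMAIN in a real resolver
    isp = isp_of(client_address) or default_isp
    return records[isp]


def transparent_proxy_destination(configured_dns, links):
    """Rewrite the destination of an intranet client's DNS query to the
    resolver of the least-loaded healthy ISP link. `links` maps ISP name to
    {"healthy": bool, "utilization": 0..1}. If no link is healthy the query
    is left alone rather than black-holed."""
    candidates = [(stats["utilization"], isp)
                  for isp, stats in links.items() if stats["healthy"]]
    if not candidates:
        return configured_dns
    _, best = min(candidates)
    return ISP_DNS_SERVERS[best]
```

Note that transparent proxying only works for plain UDP/TCP port 53 queries the USG6000 can see and rewrite; clients that resolve over an encrypted channel to a fixed resolver are not steered.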

Policy-Based Routing
With PBR, routes are selected based on user-defined policies rather than the routing table. PBR
determines packet forwarding based on more attributes, such as the application, service, user,
inbound interface, source security zone, source and destination IP addresses, and time range.
As shown by the green and orange curves in Figure 4-4, PBR selects routes based on the specific
application and service, so that P2P traffic is forwarded over the ISP1 link, while email and
database traffic is forwarded over the ISP2 link.
The USG6000 supports PBR with a single outbound interface or multiple outbound interfaces.
For PBR with multiple outbound interfaces, intelligent uplink selection can be performed
based on link bandwidths, weights, qualities, or priorities.
Load balancing by link bandwidth: The NGFW distributes traffic across the links in
proportion to their bandwidth. This mode maximizes link bandwidth efficiency.
Load balancing by link weight: The NGFW distributes traffic across the links in proportion
to their configured weights. This mode controls the share of traffic each link carries and
lets specific links carry more, making the best use of all link resources and improving user
experience.
Active/Standby backup by link priority: The NGFW preferentially uses the link with the
highest priority and keeps the other links as backup or load-balancing links. This mode
improves forwarding availability and user experience.
Load balancing by link quality: The NGFW tunes traffic distribution dynamically based
on real-time transmission quality. You can use packet loss ratio, delay, and/or jitter to
evaluate the quality of each link and select the best one for traffic forwarding.

Global Route Selection Policy


The global route selection policy is based on equal-cost default routes. If the USG6000 has
multiple links to the destination, it intelligently selects a route based on link bandwidths,
weights, or priorities. The mechanism is the same as that for intelligent uplink selection based
on PBR.

ISP Address Library Link Selection


The USG6000 forwards traffic through the outbound interface that belongs to the ISP owning
the destination address (looked up in the ISP address library), so that traffic stays within
one ISP network, reducing web access latency.

Link Health Check


Link health check is to probe the link availability and adjust traffic distribution based on
probe results to guarantee service quality.
Link health check can work with PBR intelligent uplink selection, the global route selection
policy, or ISP address library link selection. The USG6000 enables the link health check
function to monitor the health condition of each link and make proper adjustments to ensure
that only healthy links are used for traffic forwarding. This ensures access stability and
reliability.
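The selection modes described above (load balancing by bandwidth or weight, active/standby by priority, selection by link quality) with the link health check applied first, as an added example that is not part of this document or of the USG6000 software. The link table, the probe results and the quality weighting are constructed; flows are pinned to a link by hashing their flow key so that stateful inspection sees every packet of a flow on the same link.

```python
"""Outbound link selection over multiple ISP links: load balancing by
bandwidth or weight, active/standby by priority, selection by measured
quality, each applied only to links that passed the health check.

Added example, not USG6000 code. The link table, the probe results and the
quality weighting are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth_mbps: int
    weight: int
    priority: int            # higher value is preferred
    healthy: bool = True     # result of the link health check probe
    loss_pct: float = 0.0    # measured quality: packet loss, delay, jitter
    delay_ms: float = 0.0
    jitter_ms: float = 0.0


def healthy_links(links):
    """Link health check gate: unhealthy links are never candidates, whatever
    the selection mode, so traffic is not sent into a black hole."""
    return [l for l in links if l.healthy]


def _flow_bucket(flow_key, total):
    """Hash the flow key into [0, total) so that all packets of a flow use the
    same link (needed for stateful inspection and NAT)."""
    digest = hashlib.sha256(flow_key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % total


def select_by_ratio(links, flow_key, attr):
    """Load balancing by link bandwidth (attr="bandwidth_mbps") or by link
    weight (attr="weight"): the share of flows on each link is proportional
    to that attribute."""
    candidates = healthy_links(links)
    if not candidates:
        return None
    total = sum(getattr(l, attr) for l in candidates)
    bucket = _flow_bucket(flow_key, total)
    for link in candidates:
        bucket -= getattr(link, attr)
        if bucket < 0:
            return link
    return candidates[-1]


def select_by_priority(links):
    """Active/standby: the highest-priority healthy link carries everything;
    lower ones are used only once it fails the health check."""
    candidates = healthy_links(links)
    return max(candidates, key=lambda l: l.priority) if candidates else None


def select_by_quality(links, w_loss=1.0, w_delay=0.01, w_jitter=0.05):
    """Pick the link with the best (lowest) quality score; the weights are an
    assumption of this example, not product defaults."""
    candidates = healthy_links(links)
    if not candidates:
        return None
    score = lambda l: w_loss * l.loss_pct + w_delay * l.delay_ms + w_jitter * l.jitter_ms
    return min(candidates, key=score)


def flow_share(links, attr, flows=20000):
    """Fraction of `flows` synthetic flows landing on each link under ratio
    balancing; lets you check the split matches the configured ratio."""
    counts = {l.name: 0 for l in links}
    for i in range(flows):
        key = f"10.0.{i % 200}.{i % 250}:{40000 + i}->203.0.113.5:443"
        chosen = select_by_ratio(links, key, attr)
        if chosen:
            counts[chosen.name] += 1
    return {name: n / flows for name, n in counts.items()}
```

Hash-based distribution reaches the configured ratio only over many flows; a handful of large flows can still land on one link, which is why quality-based selection is the better choice when a few sessions dominate.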

4.8 Support for IPv6


The USG6000 supports Internet Protocol Version 6 (IPv6) and multiple IPv6 networking
modes to effectively secure IPv6 networks.
IPv6, the next-generation network-layer protocol, is a suite of standards defined by the
Internet Engineering Task Force (IETF). An IPv6 address has 128 bits.
IPv6 resolves the exhaustion of IPv4 addresses. In addition, its hierarchical address
allocation keeps the routing tables of network devices smaller, which speeds up packet
forwarding.
Two types of IPv6 technologies are involved in IPv6 network construction:
Technology for communication between IPv6 hosts, also called IPv6 basic technology
Technology for communication between IPv6 hosts and IPv4 hosts during the transition
from IPv4 networks to IPv6 networks, also called IPv6 transition technology
Table 4-5 and Table 4-6 respectively show the IPv6 basic technologies and IPv6 transition
technologies supported by the USG6000.

Table 4-5 IPv6 basic technology

Technology Description
IPv6 address Supports both IPv4 and IPv6 protocol stacks, resolves IPv6 packet
headers, and forwards the packets based on the IPv6 addresses.
Supports both manual and automatic configuration of IPv6 addresses
and IPv6 neighbor discovery.
Supports related technologies such as ICMPv6, DNSv6, DHCPv6, and
PPPoEv6.
IPv6 routing Supports IPv6 static routing, policy-based routing (PBR), and routing
policies for adjusting routing tables flexibly.
Supports RIP next generation (RIPng).
RIP next generation (RIPng) is the expanded and modified version of
RIP-2 on IPv4 networks for the application of RIP on IPv6 networks.

Most RIP concepts also apply to RIPng.
RIPng uses UDP port 521 to exchange routing information. The
RIPng protocol uses the hop count to measure the distance (the
metric value or cost) to a destination host.
Supports OSPFv3.
OSPFv3, short for OSPF version 3, supports IPv6 and complies with
RFC 2740 (OSPF for IPv6; since superseded by RFC 5340). Most OSPF
concepts also apply to OSPFv3.
OSPFv3 and OSPFv2 resemble each other in the following aspects:
32-bit Router ID, Area ID, and LSA Link State ID
Same packet types: Hello, DD, LSR, LSU, and LSAck packets
Same neighbor discovery and adjacency formation mechanisms
Same LSA flooding and aging mechanisms
Basically the same LSA types
OSPFv3 differs from OSPFv2 in the following respects:
OSPFv3 runs per link, whereas OSPFv2 runs per IP subnet.
OSPFv3 can run multiple instances on one link.
The OSPFv3 topology is independent of IPv6 address prefixes.
OSPFv3 uses IPv6 link-local addresses to identify neighbors.
OSPFv3 defines three LSA flooding scopes (link-local, area, and
AS).
Supports BGP4+.
BGP4+, developed on the basis of BGP, is a dynamic routing protocol
applied between Autonomous Systems (ASs).
Traditional BGP4 manages only IPv4 routing information, which limits
its use for other network-layer protocols (such as IPv6) when routing
information is spread across ASs.
To support multiple network-layer protocols, the IETF extended BGP4
into BGP4+. The standard for BGP4+ is RFC 2858 (Multiprotocol
Extensions for BGP-4; since superseded by RFC 4760). In BGP4+ the
Next-Hop attribute carries an IPv6 address, which can be either an IPv6
global unicast address or a link-local address.
BGP4+ inherits the message and routing mechanisms of BGP.
Supports IS-IS for IPv6.
The IETF draft draft-ietf-isis-ipv6-05.txt (since published as
RFC 5308) defines IS-IS support for IPv6: two Type-Length-Values
(TLVs) carrying IPv6 routing information and one Network Layer
Protocol Identifier (NLPID) for IPv6.

Table 4-6 IPv6 transition technology

Technology Description
IPv6 over IPv4 Enables two IPv6 islands isolated by the IPv4 networks to communicate.
tunnel In the early phase of IPv6, IPv6 networks are isolated by IPv4 networks
and must communicate across IPv4 networks. Therefore, IPv6 over IPv4
tunnels are established between border devices on the IPv4 and IPv6
networks to transmit IPv6 packets over IPv4 networks.
IPv4 over IPv6 Enables two IPv4 islands isolated by IPv6 networks to communicate.
tunnel In the later phase of IPv6 deployment, IPv6 networks become dominant
and IPv4 networks are isolated by them. Therefore, IPv4 over IPv6
tunnels must be established between border devices on the IPv4 and
IPv6 networks to transmit IPv4 packets over IPv6 networks.
NAT64 Enables mutual translation between IPv4 and IPv6 addresses for IPv4
and IPv6 hosts to communicate on the coexisting IPv4 and IPv6
networks. For example, the source and destination IP addresses of a
packet from an IPv6 host to an IPv4 host are translated to specified IPv4
addresses. Then the packet can be transmitted on the IPv4 network. The
source and destination IP addresses of the reply packet from the IPv4
host are translated to the specified IPv6 addresses. Then the IPv6 host
can receive the packet to complete the communication.
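The NAT64 address translation described in the last row of Table 4-6, as an added example that is not part of this document or of the USG6000 software: an IPv4 address is embedded in and recovered from the IPv6 NAT64 prefix (the /96 layout of RFC 6052, using its well-known prefix 64:ff9b::/96), and a minimal stateful translator maps the IPv6 source to an IPv4 pool address so the reply can be reversed. Host addresses and the IPv4 pool are constructed; real NAT64 also rewrites transport ports and checksums, which this block leaves out.

```python
"""NAT64 address handling: embedding an IPv4 address in the IPv6 NAT64
prefix (RFC 6052) and a minimal stateful translator for the address fields
of an IPv6-to-IPv4 flow. Added example, not USG6000 code; the prefix
64:ff9b::/96 is the RFC 6052 well-known prefix, and the host addresses and
IPv4 pool below are constructed. Real NAT64 also rewrites transport ports
and checksums, which this block leaves out.
"""
import ipaddress

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 well-known prefix


def ipv4_to_nat64(ipv4, prefix=NAT64_PREFIX):
    """IPv4-embedded IPv6 address: prefix in the top 96 bits, IPv4 in the
    low 32 bits (the /96 layout of RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper handles /96 prefixes only")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_to_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Inverse: recover the IPv4 address, refusing addresses outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


class StatefulNat64:
    """IPv6 host -> IPv4 host: the destination comes out of the prefix, the
    IPv6 source is mapped to an address from an IPv4 pool and remembered so
    the reply can be translated back. Replies with no matching state are dropped."""

    def __init__(self, ipv4_pool):
        self._free = [ipaddress.IPv4Address(a) for a in ipv4_pool]
        self._v6_to_v4 = {}
        self._v4_to_v6 = {}

    def outbound(self, src6, dst6):
        dst4 = nat64_to_ipv4(dst6)
        src = ipaddress.IPv6Address(src6)
        if src not in self._v6_to_v4:
            if not self._free:
                raise RuntimeError("IPv4 pool exhausted")
            mapped = self._free.pop(0)
            self._v6_to_v4[src] = mapped
            self._v4_to_v6[mapped] = src
        return str(self._v6_to_v4[src]), str(dst4)

    def inbound(self, src4, dst4):
        orig6 = self._v4_to_v6.get(ipaddress.IPv4Address(dst4))
        if orig6 is None:
            return None          # unsolicited packet from the IPv4 side: drop
        return str(ipv4_to_nat64(src4)), str(orig6)
```

The drop of unsolicited inbound packets is the security-relevant part: a stateful translator, like a stateful NAT, only lets the IPv4 side reach IPv6 hosts that have an existing session.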

In addition to technologies for constructing IPv6 networks, the USG6000 supports functions
for securing IPv6 networks. The USG6000 supports security policies based on IPv6 address to
secure the IPv6 network, and implements packet filtering and content security check on
packets based on IPv6 addresses. The implemented functions and protection effects are the
same as those for IPv4 networks.

4.9 Diversified VPN Access Modes


Virtual private network (VPN) is a low-cost solution for securing private networks, which
plays an important role on modern enterprise networks. The USG6000 supports multiple VPN
technologies.

L2TP
The USG6000 establishes a virtual private dial network (VPDN) using the Layer 2 Tunneling
Protocol (L2TP) and implements the virtual private network over the dial-up functions of
public networks, such as the integrated services digital network (ISDN) and public switched
telephone network (PSTN), to provide access services for enterprises, small Internet service
providers (ISPs), and mobile workers. L2TP itself provides neither encryption nor per-packet
integrity protection for tunneled data; where confidentiality is required, combine it with
IPSec (L2TP over IPSec, described under IPSec below).
NAS-Initialized
A remote dial-up user initiates a request to communicate with the headquarters. The
remote dial-up user dials in to the L2TP access concentrator (LAC) using PSTN or ISDN,
and then the LAC initiates a request to establish a tunnel with the L2TP network server
(LNS) over the Internet. The LNS assigns an IP address to the dial-up user. The
authentication and accounting can be performed by the agent on the LAC or by the LNS.
Figure 4-5 shows the typical deployment.

Figure 4-5 NAS-initialized L2TP

Client-Initialized
An LAC client (a PC that supports L2TP) initiates communication with the headquarters.
In such cases, the LAC client directly initiates a request to establish a tunnel with the
LNS, without requiring an independent LAC. The LNS assigns an IP address to the LAC
client. Figure 4-6 shows the typical deployment.

Figure 4-6 Client-initialized L2TP

LAC-Initiated
The administrator can run a command to establish a permanent L2TP connection between
the LAC and the LNS. The LAC establishes a permanent L2TP tunnel with the LNS through a
virtual template interface using a local user name. In this case, the L2TP tunnel
resembles a physical connection, and the outgoing interface is the virtual template
interface. The connection between the user and the LAC can be any IP connection, so
that the LAC can forward the user's IP packets to the LNS. Figure 4-7 shows the
typical deployment.

Figure 4-7 LAC-Initiated L2TP

IPSec
The IP Security (IPSec) protocol suite, a series of protocols defined by the Internet
Engineering Task Force (IETF), provides a high-quality, interoperable, cryptography-based
protection mechanism for IP packets. Security measures such as encryption and source
authentication ensure the confidentiality, integrity, and authenticity of packets transmitted
over networks and prevent replay attacks.

Through Authentication Header (AH) and Encapsulating Security Payload (ESP), the
USG6000 protects IP data packets or upper layer protocols, and supports both the transport
mode and tunnel mode.
The USG6000 also supports IPSec tunnel negotiation using IKEv2. IKEv2 retains the basic
functions of IKEv1 and fixes problems found in IKEv1 during deployment and analysis. IKEv2 is
a trade-off between conciseness, efficiency, security, and robustness. The separate IKEv1 RFCs
were consolidated into a single specification, RFC 4306 (since updated by RFC 5996 and
RFC 7296). By minimizing core functions and mandating a set of default cryptographic
algorithms, IKEv2 greatly improves interoperability among different IPSec VPN systems.
Using IPSec, the USG6000 provides secure transmission tunnels of high reliability for users
and can also combine IPSec with L2TP and GRE to construct L2TP over IPSec VPN and
GRE over IPSec VPN.
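The replay protection mentioned above, as an added example that is not part of this document or of the USG6000 software: the sliding-window anti-replay check a receiver keeps per inbound SA, in the style of RFC 4303 section 3.4.3. The window size and the captured sequence of (sequence number, ICV result) pairs are constructed. The ordering matters: the window is consulted before the integrity check, so replays cost no MAC computation, and it is updated only after the ICV verified, so forged packets cannot advance it.

```python
"""ESP anti-replay sliding window (RFC 4303, section 3.4.3) as a receiver
would keep it per inbound SA. Added example, not USG6000 code; the
window size and the captured sequence numbers below are constructed.
"""


class AntiReplayWindow:
    """Tracks the highest sequence number seen (`top`) and a bitmap of the
    `size` most recent numbers. A packet is rejected if its number is zero,
    older than the window, or already marked as received."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0
        self.bitmap = 0          # bit i set  <=>  sequence number (top - i) was received

    def check(self, seq):
        """Pure check, done BEFORE integrity verification so that a flood of
        replayed packets costs no MAC computations."""
        if seq == 0:
            return False                     # ESP sequence numbers start at 1
        if seq > self.top:
            return True                      # newer than anything seen
        offset = self.top - seq
        if offset >= self.size:
            return False                     # fell off the left edge: too old
        return not (self.bitmap & (1 << offset))

    def update(self, seq):
        """Mark `seq` received. Only call AFTER the ICV verified: a forged
        packet must never be able to advance the window."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq, icv_ok):
        """Receiver pipeline for one packet; returns the disposition."""
        if not self.check(seq):
            return "rejected: replay or outside window"
        if not icv_ok:
            return "rejected: integrity check failed"
        self.update(seq)
        return "accepted"


# Constructed capture: (sequence number, whether the ICV verified).
CAPTURED = [(1, True), (3, True), (2, True), (2, True), (3, True),
            (100, False), (100, True), (36, True), (37, True)]


def replay_demo(packets=CAPTURED, size=64):
    window = AntiReplayWindow(size)
    return [window.process(seq, ok) for seq, ok in packets]
```

The 32-bit sequence number must never wrap on one SA; the SA has to be rekeyed before that point (or extended sequence numbers used), otherwise old packets become replayable.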

GRE
The USG6000 can encapsulate certain network layer protocol packets using the Generic
Routing Encapsulation (GRE) protocol. In this manner, encapsulated packets are transmitted
using another network-layer protocol.
GRE is a Layer 3 tunneling protocol that tunnels one protocol layer inside another. A tunnel
is a virtual point-to-point connection: the tunnel interface can be regarded as a virtual
interface that supports only point-to-point connections and provides a path through which
encapsulated packets are transmitted. GRE encapsulates packets at one end of the tunnel and
decapsulates them at the other.
GRE by itself provides neither confidentiality nor authentication of the tunneled packets; a
GRE tunnel that crosses an untrusted network should be protected with IPSec (GRE over
IPSec, see IPSec above).

DSVPN
Dynamic Smart Virtual Private Network (DSVPN) addresses the problem of branches whose
public IP addresses change dynamically: it enables such branches to establish VPN tunnels
for communication in a Hub-Spoke networking.
Figure 4-8 shows a DSVPN network. On this network, when the source Spoke (tunnel
initiator) needs to send traffic to a destination Spoke (tunnel responder), the source Spoke
uses NHRP to obtain the public IP address of the destination Spoke and then establishes a
dynamic MGRE tunnel with it. Once the tunnel is up, the Spokes forward traffic to each other
directly over it. Because MGRE tunnels are built between nodes on demand, you only need to
configure one point-to-multipoint (P2MP) tunnel interface on each VPN gateway to reach all
the other VPN gateways.

Figure 4-8 Hub-Spoke DSVPN network

SSL VPN
Virtual gateway
On the USG6000, the channel established by the SSL VPN is a virtual gateway. The
USG6000 uses virtual gateways to provide SSL VPN services. A single physical USG6000
functions as multiple logically standalone gateways through virtual gateway technology,
serving multiple enterprises or multiple departments of one enterprise.
For example, a large enterprise has several departments, and each of them has their own
employees. Resources and services accessible to these departments are different. Each
department has its own access control rules. In these cases, the administrator can assign
one virtual gateway to each department. Then each virtual gateway is under individual
management and has independent users, resources, and policies, functioning as a
standalone access system. For each department, the virtual gateway is as efficient and
secure as a standalone physical gateway.
The virtual gateways are classified by IP address and domain name into exclusive and
shared ones. An exclusive virtual gateway occupies one or multiple IP addresses and
domain names. A shared virtual gateway, however, shares one IP address with other
virtual gateways. These shared virtual gateways have the same parent domain name. You
can distinguish them by their sub-domain names.
Web proxy
A web proxy relays the communication between clients on the Internet and the web
server on the intranet to shield the server from attacks.
The web proxy function of the USG6000 enables users to securely access intranet web
resources, including the webmail and web servers. The web proxy forwards the access
request (using HTTPS) from a remote browser to the web server on the intranet, and then
relays the replies of the server to the terminal user.
Users can access web resources after installing the related control on the Web page of the
virtual gateway client of the USG6000.
Network extension

The network extension function enables access to all IP-based services on the intranet by
setting up Secure Sockets Layer (SSL) tunnels. Users can access intranet resources
remotely just as if on the LAN. The network extension function applies to a wide range of
complex services.
To use the network extension function, users must log in to the virtual gateway of the
USG6000 and install the ActiveX control or download and install the network extension
client software.
The network extension function supports three access modes:
Full tunnel
All of the user's traffic goes through the USG6000, and the user can access only the
intranet.
Split tunnel
The user can access the intranet through the USG6000 and the local subnets directly.
Manual tunnel
The user can access specified resources on the intranet through the USG6000, and the
local subnet and the Internet directly.
Full tunnel is the most restrictive mode: in split and manual tunnel modes the endpoint
stays reachable from its local network while it is connected to the intranet, so use them
only where that exposure is acceptable.

BGP MPLS IP VPN


BGP/MPLS IP VPN is a PE-based L3VPN technology in the Provider Provisioned VPN
(PPVPN) family. It uses BGP to advertise VPN routes and MPLS to forward VPN packets
across service provider backbone networks.
BGP/MPLS IP VPN provides flexible, scalable networking and supports MPLS QoS, and is
therefore increasingly widely deployed.

4.10 High Availability Mechanism


The proper working of networks directly affects the revenue of enterprises, especially
enterprises that rely on the network to provide online information, online game, and
e-commerce services. Therefore, ensuring the stability and high availability of network
devices becomes critical for such enterprises.
Drawing on its long experience designing and producing carrier-class products, Huawei
developed a carrier-class high availability mechanism for the USG6000, ensuring stable
operation of the device in the hardware, software, and link dimensions, as shown in Figure 4-9.

Figure 4-9 High availability mechanism

Hardware Availability
Hardware availability means that the hardware is designed to keep the device running stably
and to prevent hardware anomalies from affecting it.

Table 4-7 Hardware availability technologies

Technology Description
Dual-power The USG6000 provides two power modules that supply power at the
backup same time. If one power module fails, the other takes over the full
load to ensure service continuity.
Hardware When the device is faulty or powered off, a dedicated bypass
bypass interface card connects the two interfaces directly to each other to
ensure service continuity. Note that while the bypass is active, traffic
passes through uninspected.
Fan The fan prevents overheating caused by poor ventilation and dust
buildup. Clean the fan periodically to ensure proper operation of the
USG6000. You do not need to power off the USG6000 to clean the fan.

Software Availability
Software availability means that good software design, in-time fault detection, and
auto-adjustment measures are implemented to avoid adverse effects on devices because of
network anomalies and ensure service continuity upon hardware failures.

Table 4-8 Software availability technologies

Technology Description
Dual-system Two USG6000s are deployed in dual-system hot backup networking to
hot backup ensure a smooth service switchover to the other device when a fault
occurs on one device. Apart from hardware backup, dual-system hot
backup employs a series of software availability protocols, such as
VRRP, VGMP, and HRP.
Two physical USG6000s form a logical device on the dual-system hot
backup network. Then the logical device detects faults, switches
services, and backs up configurations automatically without affecting
the configurations of upstream and downstream devices. The active and
standby USG6000s switch services upon faults to ensure service
continuity.
Load balancing When one server cannot handle the access requests of users, multiple
servers are used to share the traffic. In such cases, the USG6000 is
deployed at the egress of the network where the servers reside. Users
access only one IP address, and the USG6000 distributes the access
traffic to the servers according to the configured algorithm. In
addition, the USG6000 checks the health of the servers and distributes
load only to healthy ones, improving availability.

Link Availability
Link availability means that a device can detect faults on one link and adjust the routing and
forwarding accordingly to switch traffic to alternative links.

Table 4-9 Link availability technologies

Technology Description
IP-Link The device tests IP connectivity to any IP address on the network in real
time. If an IP address becomes unreachable, the device considers that the
link is faulty and adjusts the routes or switches the active/standby device
to switch the service traffic to the healthy backup link.
BFD Bidirectional Forwarding Detection (BFD) is a low-overhead and rapid
fault detection mechanism which implements millisecond-level link
fault detection. The bidirectional detection and small detection packet
enables BFD to implement rapid fault detection without consuming
many network resources.
Link-group Link-group binds several physical interfaces to form a logical group. If
one interface in the logical group is faulty, the system changes the status
of the other interfaces to Down. The system changes the status of all the
interfaces back to the Up state only after all the interfaces in the link
group recover. In this way, the system switches the status of multiple
links in a unified manner to ensure that service traffic is forwarded to the
healthy link in a timely manner.
Interface Two physical interfaces back up each other. The backup interface
backup automatically forwards traffic based on the connection status of the
active interface and bandwidth usage, achieving interface backup or load
balancing.
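The IP-Link and Link-group behaviour in Table 4-9, as an added, runnable Python model. This is illustration code written for this page, not USG6000 software: the probe results, interface names, addresses (RFC 5737 documentation ranges) and the fail/recover thresholds are constructed assumptions, and the USG6000's own probe intervals and thresholds are not stated here.

```python
from dataclasses import dataclass


@dataclass
class IpLinkProbe:
    """Reachability tracker for one probed address (the IP-Link idea).

    The link is declared faulty only after `fail_threshold` consecutive lost
    probes and healthy again after `recover_threshold` consecutive replies, so
    one dropped packet does not flap the route. Both thresholds are assumed
    values for this illustration, not USG6000 defaults.
    """
    target: str
    fail_threshold: int = 3
    recover_threshold: int = 2
    up: bool = True
    consecutive_failures: int = 0
    consecutive_replies: int = 0

    def record(self, reply_received: bool) -> bool:
        """Feed one probe result; return the link state after evaluating it."""
        if reply_received:
            self.consecutive_failures = 0
            self.consecutive_replies += 1
            if not self.up and self.consecutive_replies >= self.recover_threshold:
                self.up = True
        else:
            self.consecutive_replies = 0
            self.consecutive_failures += 1
            if self.up and self.consecutive_failures >= self.fail_threshold:
                self.up = False
        return self.up


class LinkGroup:
    """Binds several physical interfaces into one logical group (Link-group).

    If any member is physically down, every member is reported Down; the group
    returns to Up only once all members have recovered, so the links switch
    together instead of one at a time.
    """

    def __init__(self, members):
        self.physical = {name: True for name in members}

    def set_physical(self, name: str, is_up: bool) -> None:
        self.physical[name] = is_up

    def group_up(self) -> bool:
        return all(self.physical.values())

    def effective_status(self) -> dict:
        """Interface states as the system would report them after the group rule."""
        state = "Up" if self.group_up() else "Down"
        return {name: state for name in self.physical}


def select_next_hop(routes):
    """Pick the first route (in preference order) whose probe and group are both up.

    `routes` is a list of (next_hop, IpLinkProbe, LinkGroup-or-None) tuples.
    Returns None when no candidate is usable.
    """
    for next_hop, probe, group in routes:
        if probe.up and (group is None or group.group_up()):
            return next_hop
    return None


def demo():
    """Replay a constructed sequence of probe results and record the chosen hop."""
    # Addresses come from the RFC 5737 documentation ranges; names are made up.
    primary = IpLinkProbe("198.51.100.1")
    backup = IpLinkProbe("203.0.113.1")
    uplink_group = LinkGroup(["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"])
    routes = [
        ("198.51.100.1", primary, uplink_group),  # preferred path
        ("203.0.113.1", backup, None),            # backup path
    ]
    chosen = []
    # Constructed probe outcomes: the primary loses three probes in a row, then recovers.
    for reply in [True, False, False, False, True, True]:
        primary.record(reply)
        backup.record(True)
        chosen.append(select_next_hop(routes))
    # One member of the uplink link group goes physically Down: the whole group
    # is treated as Down and traffic moves to the backup even though the
    # IP-Link probe on the primary is still answering.
    uplink_group.set_physical("GigabitEthernet1/0/2", False)
    chosen.append(select_next_hop(routes))
    return chosen


if __name__ == "__main__":
    for step, hop in enumerate(demo(), 1):
        print(f"step {step}: forwarding via {hop}")
```

The replay shows the two distinct triggers the table describes: the IP-Link probe moving traffic to the backup after repeated loss and back after recovery, and the link group forcing a switch the moment one member interface fails, independently of the probe.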


4.11 Easy-to-Use Virtual System


A virtual system divides a physical device into multiple, logically independent, virtual devices.
Each virtual device has its own administrator, routing table, and security policy.
The virtual system applies to the following scenarios:
Device leasing
Some small enterprises cannot afford a network security device, the related license, and
after-sales services, but require network protection for developing services. In such cases,
network service providers or dedicated device leasing vendors can purchase a network
security device, divide this device to multiple logically independent virtual devices using
the virtual system technology, and provide security functions for different enterprises.
Multiple enterprises share the hardware resource, but the actual traffic is completely
isolated, saving the cost for purchasing and maintaining the devices and securing the
enterprise networks. For network service providers or device leasing vendors, this
service yields profits.
Network isolation of large and medium-sized enterprises
A large number of network devices are deployed on the networks of large and medium-sized enterprises, subnets are strictly divided, and rights are differentiated to protect the core assets of the enterprises. Traditional firewalls can isolate networks by dividing security zones. However, interface-based security zones cannot cope with increasingly complex networking and requirements, and errors easily occur during complex policy configuration. In addition, administrators of multiple networks have the same permissions and operate the same device, which easily causes configuration conflicts. The virtual system technology, by contrast, can isolate networks to implement clear and easy service management.
For example, a large enterprise covers the R&D area, production area, and marketing
area. For security reasons, network traffic is forwarded between devices within each area.
Devices between different areas seldom communicate. An area may have multiple
subnets, and multiple users or networks may share the same interface for VPN access. In
this case, adding interfaces to security zones cannot separately control the traffic. In
addition, adding interfaces to security zones is complex. In such cases, you can divide
the networks of different areas to different virtual systems. Each area can then have a
logically independent firewall. You can create administrators for each virtual system for
them to configure functions in different areas. This approach simplifies device
configurations and improves device management efficiency without affecting services.
Cloud computing
The cloud computing technology is used to store network resources and computing
capability in a network cloud. Network users can access network resources and use
services after accessing the public network using a terminal. During this process, traffic
isolation, security, and resource allocation among users are important. The virtual system
technology enables the USG6000, deployed at the egresses of the cloud computing
center and data center, to isolate user traffic and provide security.


Figure 4-10 Networking diagram of virtual systems

To enable correct forwarding, independent management, and isolation of services, the USG6000 virtualizes routes, security functions, and configurations:
Route virtualization: Each virtual system maintains separate routing tables and session
tables, independent and isolated from each other.
Security function virtualization: Each virtual system has independent security policies
and other security functions which apply only to packets of the virtual system.
Configuration virtualization: Each virtual system has independent virtual system
administrators and configuration pages. Administrators can manage only the virtual
systems to which they belong.
The virtualization technology enables you to easily manage the virtual systems of the
USG6000. After virtual systems are created, administrators and users of each virtual system
can use the virtual system, similar to operating an independent firewall.

4.12 Visualized Device Management and Maintenance


Huawei has improved and enhanced the Web UI of the USG6000. Administrators can easily
deploy, configure, maintain, troubleshoot, monitor the status of, and upgrade the device on the
Web UI.
The Web UI has five plates.

Table 4-10 Plates on the Web UI

Plate Description
Dashboard: Enables administrators to view the device operating status, including system information, connection status, traffic load, traffic statistics, and the latest logs and threat events. Administrators can also click shortcut links to modify common configurations.
Monitor: Enables administrators to view and process all logs on the device and generate diversified reports for analyzing the network condition and device operating condition. Administrators can also monitor system operating entries and quickly adjust the system as needed. For example, when a fault occurs, the administrator can locate it through the fault diagnosis wizard and troubleshoot network or configuration faults to restore the device. For details on logs and session tables, see section 4.13 Diversified Logs and Reports.
Policy: Enables administrators to configure the security and traffic management functions that secure traffic across dimensions, such as the network layer and application layer, and implement centralized bandwidth management.
Object: Enables administrators to create reference objects, such as the content security file, IP address, service, application, and schedule. Administrators can reference these objects repeatedly in the content security profile to simplify the configuration of each function.
Network: Enables administrators to configure and maintain the basic network of the device, such as DHCP, routing protocols, security zones, and VPNs, to ensure proper communication.
System: Enables administrators to configure and maintain the basic system parameters, such as the system time, administrators, license, software version, and signature database upgrades.

Besides using the Web UI, you can also enable the USG6000 to communicate with a standard
network management system (NMS) through SNMP for implementing centralized
management.

4.13 Diversified Logs and Reports


The USG6000 provides diversified logs and reports for administrators to trace and analyze the
events that have occurred on the device.
From the logs and reports, administrators can analyze the cause for discarded packets, locate
and diagnose faults, discover security events that have occurred on the network, and analyze
bandwidth usage to learn about the network condition and to quickly adjust the device
configurations as needed.
The USG6000 displays diversified intuitive logs and reports for administrators to learn about
important information about the network.

Table 4-11 Log type

Log Description
Traffic log: Records the overall traffic condition on the network by user or application, bandwidth usage, and the security policies that have taken effect.
Threat log: Records the detection of and defense against threats, such as viruses, intrusions, DDoS attacks, zombies, Trojan horses, and worms, together with the threat events that have occurred or are occurring, so that administrators can adjust policies or defend against threats proactively.
URL log: Provides statistics on requested URLs. You can view URL logs to check why access to some URLs is allowed, blocked, or allowed with an alert record.
Content log: Records the alarms on and blocking of files transmitted, mails received and sent, and websites accessed by intranet users under file blocking, data filtering, and application behavior control, including the risky behaviors of intranet users and the causes of alerts and blocking.
Operation log: Records the login and logout and device configuration operations of all administrators and the device management history, to enhance device security.
System log: Records the system running status and related information about the hardware environment, so that administrators can determine whether the device runs properly and locate faults if any.
User activity log: Records the online behaviors of users, such as the login time, online duration, and the IP and MAC addresses used for login, so that administrators can take necessary measures upon illegitimate user login or access.
Policy matching log: Records the matched policies, so that administrators can determine whether the policies are correctly configured and locate faults if any.
Mail filtering log: Records the protocol types used by users to send and receive emails, the size of a single attachment in an email, the number of attachments in an email, and the reasons why valid emails are blocked. Mail filtering logs help you locate faults in email services.
Audit log: Records the specified network behaviors of users under the audit function.

Table 4-12 Report type

Report Description
Traffic report: Intuitive reports generated from traffic logs across multiple dimensions. Administrators use these reports to learn about the traffic condition on the network and to customize traffic control policies.
Threat report: Intuitive reports generated from threat logs across multiple dimensions. Administrators use these reports to discover the most frequently occurring threats, the attackers who have launched the most illegal network activities, and the victims most vulnerable to attacks, and to customize security policies.
URL report: Intuitive reports generated from URL logs across multiple dimensions. Administrators use these reports to learn about the URLs or websites most frequently accessed by intranet users and the users most frequently accessing illegitimate URLs, and to customize URL filtering policies.
Policy matching report: Intuitive reports generated from policy matching logs across multiple dimensions. Administrators use these reports to discover policy configuration problems and learn about the effectiveness of configured policies, in order to adjust and optimize policy configurations.
File blocking report: Intuitive reports generated from content logs by file type. You can view the file blocking report to check the effectiveness of file filtering configurations and tune them if necessary.
Data filtering report: Intuitive reports generated from content logs by keyword group. You can view the content filtering report to check the effectiveness of content filtering configurations and tune them if necessary.

4.14 Device Security Protection


This section describes the security of the data system as well as operation and maintenance of
the NGFW.

Data System Security


The system takes the following measures to ensure data security:
Backup and recovery policy
Save the data (the system software, configuration file, log file, and database data) at a given point in time to other storage devices. When the system becomes faulty, import the backup data into the system to restore normal operation.
Configuration file backup for disaster recovery
You can specify a configuration file for disaster recovery and designate it as the startup configuration file. If the configuration file in use cannot be recovered, you can still use the initial services normally.

Operation and Maintenance Security


The NGFW provides a security mechanism to ensure the security of the operation and
maintenance from multiple dimensions such as the device management, application, and log.
Administrator permission control
The NGFW supports hierarchical management of administrators with different permissions. Administrators must enter the correct user name and password to log in to the system, and after a successful login they can perform only the operations they are authorized for.
Access channel control


The NGFW supports the isolation of the in-band management plane and provides a
dedicated management port instead of using the service ports for management.
If users connect to the NGFW from the service interface and use a management protocol,
such as Telnet, SSH, or HTTPS, to log in to the device, you can enable the access
management on the service interface or configure the security policy to prohibit the users
from managing the device. In this way, the security isolation is implemented.
The communication between the NGFW and the third-party NMS is implemented using
security protocols. You can enable the services of the security protocols, such as HTTPS.
You can disable the services of insecure protocols, such as HTTP and Telnet.
Security logging
The system can log important operations, such as login and logout, for future audit.
Protection mechanism for sensitive user information
The system authenticates users through password and identity authentication and protects sensitive user information using an advanced encryption algorithm. Every user is assigned a password that is verified before the system provides services to the user, protecting the security of user information. When the administrator logs in to the device, the system asks the administrator to change the default password to enhance security management.
You can configure auditors to view the sensitive logs on HTTP behaviors, FTP behaviors, and behaviors of receiving and sending mail, to prevent data leaks.
Anti-brute-force mechanism
Some unauthorized users attempt to break into the system by guessing the administrator's user name and password. The NGFW supports a maximum number of login attempts. Once the number of login attempts exceeds the specified threshold, the system adds the user's IP address to the blacklist and blocks the user from accessing the device for the lockout period.
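The lockout rule described above, replayed over constructed operation-log lines, as an added Python example; it is illustration code written for this page, not USG6000 software, and it also serves the operation-log audit use described in section 4.13 (reviewing login and logout records). The log line layout, the threshold of 3 attempts, and the 5-minute lockout are assumptions; the USG6000's actual log format and default values are not given on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed operation-log lines in an assumed "date time user source-ip result"
# layout; the real USG6000 log format is not given on this page.
SAMPLE_LOG = """\
2014-10-20 09:00:01 admin 192.0.2.10 LOGIN_FAILED
2014-10-20 09:00:03 admin 192.0.2.10 LOGIN_FAILED
2014-10-20 09:00:05 admin 192.0.2.10 LOGIN_FAILED
2014-10-20 09:00:07 admin 192.0.2.10 LOGIN_FAILED
2014-10-20 09:00:30 admin 192.0.2.10 LOGIN_FAILED
2014-10-20 09:01:00 audit1 198.51.100.7 LOGIN_OK
2014-10-20 09:10:00 admin 192.0.2.10 LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAILED)$")


class LoginGuard:
    """Counts failed logins per source address and blacklists the address for a
    lockout period once the failure count exceeds the threshold. Threshold and
    lockout are assumed values chosen for this illustration."""

    def __init__(self, max_attempts: int = 3, lockout: timedelta = timedelta(minutes=5)):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.failures = {}    # source ip -> consecutive failed attempts
        self.blacklist = {}   # source ip -> lockout expiry time
        self.events = []      # (timestamp, ip, event) audit trail

    def is_locked(self, ip: str, now: datetime) -> bool:
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:            # lockout period has elapsed
            del self.blacklist[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def observe(self, ts: str, user: str, ip: str, result: str) -> str:
        """Apply the rule to one login event and return the decision."""
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if self.is_locked(ip, now):
            self.events.append((ts, ip, f"rejected: {ip} is blacklisted"))
            return "rejected"
        if result == "LOGIN_OK":
            self.failures.pop(ip, None)   # a success clears the counter
            return "allowed"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count > self.max_attempts:     # "exceeds the specified threshold"
            self.blacklist[ip] = now + self.lockout
            self.events.append((ts, ip, f"blacklisted after {count} failures for user {user}"))
            return "blacklisted"
        return "failed"


def replay(log_text: str, guard: LoginGuard = None):
    """Run the guard over log lines; returns the per-line decisions and the guard."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue      # ignore lines that are not login records
        decisions.append(guard.observe(*match.groups()))
    return decisions, guard


if __name__ == "__main__":
    decisions, guard = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:12s} {line}")
    for event in guard.events:
        print("event:", event)
```

Two details matter in practice and are visible in the replay: a successful login resets the failure counter only for that source address, and the blacklist entry expires on its own once the lockout period has elapsed, so the fourth failure from 192.0.2.10 triggers the block, the fifth attempt is rejected without being counted, and the later successful login at 09:10 is admitted again.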


5 Technical Specifications

About This Chapter


This chapter describes the hardware specifications, and the standard and protocol compliance
of the NGFW.
5.1 Hardware Specifications
This section describes the hardware specifications of the USG6000 for you to make purchase
decisions.
5.2 Standards and Protocols
This section describes the protocols and standards with which the USG6000 complies.

5.1 Hardware Specifications


This section describes the hardware specifications of the USG6000 for you to make purchase
decisions.

5.1.1 USG6310
This section describes the dimensions, weight, and power and environment specifications of
the USG6310.
Table 5-1 lists the technical specifications of the USG6310.

Table 5-1 USG6310 Technical Specifications

Item Description

System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 2 GB
Flash: 16 MB
CF card: 1 GB
Hard disk: Not supported
SPUB (the service engine): Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D): 44.5 mm x 300 mm x 220 mm
Weight: 1.75 kg

Power specifications
AC power: Supported (external AC power adapter)
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current: 1.0 A
Maximum output power: 36 W

Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Left-to-right air flow

Port density
Console port: 1 (RJ45)
USB 2.0 port: 1
Mandatory service ports: 8 x 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: None

Environment specifications[c]
Short term[d] operating temperature: 5°C to 55°C
Long term operating temperature: 0°C to 40°C
Storage temperature: -40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: 5,000 m


NOTE
a. The width does not include the size of mounting ears.

b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.2 USG6320
This section describes the dimensions, weight, and power and environment specifications of
the USG6320.
Table 5-2 lists the technical specifications of the USG6320.

Table 5-2 USG6320 Technical Specifications

Item Description

System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 2 GB
Flash: 16 MB
CF card: 1 GB
Hard disk: Not supported
SPUB (the service engine): Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D): 44.5 mm x 300 mm x 220 mm
Weight: 1.75 kg

Power specifications
AC power: Supported (external AC power adapter)
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current: 1.5 A
Maximum output power: 60 W

Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Left-to-right air flow

Port density
Console port: 1 (RJ45)
USB 2.0 port: 1
Mandatory service ports: 8 x 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: None

Environment specifications[c]
Short term[d] operating temperature: 5°C to 55°C
Long term operating temperature: 0°C to 40°C
Storage temperature: -40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: 5,000 m

NOTE
a. The width does not include the size of mounting ears.

b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.3 USG6330/6350/6360
This section describes the dimensions, weight, and power and environment specifications of
the USG6330/6350/6360.
Table 5-3 lists the technical specifications of the USG6330/6350/6360.


Table 5-3 USG6330/6350/6360 Technical Specifications

Item Description

System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 4 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300GB 2.5-inch SAS hard disks
SPUB (the service engine): Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D): 44.4 mm x 442 mm x 421 mm
Weight: Standard: 6 kg; Fully configured: 10 kg

Power specifications
AC power: Supported; 150 W built-in power module (default) and 170 W hot-swappable power module (optional)
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 150 W (default) or 170 W (optional)

Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side

Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 1
Mandatory service ports: 2 GE Combo ports; 4 x 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8 x 1GE RJ45 interface card); 2XG8GE-WSIC (8 x 1GE RJ45 + 2 x 10GE SFP+ interface card); 8GEF-WSIC (8 x 1GE SFP interface card); 4GE-BYPASS-WSIC (2 electrical links bypass card)

Environment specifications[c]
Short term[d] operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: -40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m

NOTE
a. The width does not include the size of mounting ears.

b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.4 USG6370/6380/6390
This section describes the dimensions, weight, and power and environment specifications of
the USG6370/6380/6390.
Table 5-4 lists the technical specifications of the USG6370/6380/6390.


Table 5-4 USG6370/6380/6390 Technical Specifications

Item Description

System specifications
CPU: Multi-core 1.1 GHz processor
Memory: DDR3 4 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300GB 2.5-inch SAS hard disks
SPUB (the service engine): Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D): 44.4 mm x 442 mm x 421 mm
Weight: Standard: 6 kg; Fully configured: 10 kg

Power specifications
AC power: Supported. By default, one power module is provided, but two power modules are supported. If two power modules are used and one module fails, you can hot-swap the faulty power module.
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 170 W

Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side

Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 2
Mandatory service ports: 4 GE optical ports; 8 x 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8 x 1GE RJ45 interface card); 2XG8GE-WSIC (8 x 1GE RJ45 + 2 x 10GE SFP+ interface card); 8GEF-WSIC (8 x 1GE SFP interface card); 4GE-BYPASS-WSIC (2 electrical links bypass card)

Environment specifications[c]
Short term[d] operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: -40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m

NOTE
a. The width does not include the size of mounting ears.

b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.5 USG6530
This section describes the dimensions, weight, and power and environment specifications of
the USG6530.
Table 5-5 lists the technical specifications of the USG6530.


Table 5-5 USG6530 Technical Specifications

Item Description

System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 4 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300GB 2.5-inch SAS hard disks
SPUB (the service engine): Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D): 44.4 mm x 442 mm x 421 mm
Weight: Standard: 6 kg; Fully configured: 10 kg

Power specifications
AC power: Supported; 150 W built-in power module (default) and 170 W hot-swappable power module (optional)
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 150 W (default) or 170 W (optional)

Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side

Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 1
Mandatory service ports: 2 GE Combo ports; 4 x 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8 x 1GE RJ45 interface card); 2XG8GE-WSIC (8 x 1GE RJ45 + 2 x 10GE SFP+ interface card); 8GEF-WSIC (8 x 1GE SFP interface card); 4GE-BYPASS-WSIC (2 electrical links bypass card)

Environment specifications[c]
Short term[d] operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: -40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m

NOTE
a. The width does not include the size of mounting ears.

b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.6 USG6550/6570
This section describes the dimensions, weight, and power and environment specifications of
the USG6550/6570.
Table 5-6 lists the technical specifications of the USG6550/6570.


Table 5-6 USG6550/6570 technical specifications

Item Description

System specifications
CPU: Multi-core 1.1 GHz processor
Memory: DDR3 4 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300GB 2.5-inch SAS hard disks
SPUB (the service engine): Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D): 44.4 mm x 442 mm x 421 mm
Weight: Standard: 6 kg; Fully configured: 10 kg

Power specifications
AC power: Supported. By default, one power module is provided, but two power modules are supported. If two power modules are used and one module fails, you can hot-swap the faulty power module.
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 170 W

Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side

Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 2
Mandatory service ports: 4 GE optical ports; 8 x 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8 x 1GE RJ45 interface card); 2XG8GE-WSIC (8 x 1GE RJ45 + 2 x 10GE SFP+ interface card); 8GEF-WSIC (8 x 1GE SFP interface card); 4GE-BYPASS-WSIC (2 electrical links bypass card)

Environment specifications[c]
Short term[d] operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: -40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m

NOTE
a. The width does not include the size of mounting ears.

b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.7 USG6620/6630
This section describes the dimensions, weight, and power and environment specifications of
the USG6620/6630.
Table 5-7 lists the technical specifications of the USG6620/6630.

Table 5-7 USG6620/6630 technical specifications

Item                                   Description

System specifications
CPU                                    Multi-core 1.0 GHz processor
Memory                                 DDR3 8 GB
Flash                                  16 MB
CF card                                2 GB
Hard disk                              Optional hot-swappable 300 GB 2.5-inch SAS hard disks
SPUB (the service engine)              Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D)           44.4 mm x 442 mm x 421 mm
Weight                                 Standard: 6 kg
                                       Fully configured: 10 kg

Power specifications
AC power                               Supported. By default, one power module is provided. If two
                                       power modules are used and one module fails, you can hot-swap
                                       the faulty power module.
Rated input voltage (AC)               100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC)             90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC)             2.5 A
DC power                               Not supported
Maximum output power                   170 W

Heat dissipation
Fan module                             Built-in fan module, cannot be removed
Air flow (hot air flow, viewed         Intake on the front and left sides, exhaust on the right side
facing the rear panel)

Port density
Out-of-band management port            1 (RJ45)
Console port                           1 (RJ45)
USB 2.0 port                           2
Mandatory service ports                4 GE optical ports
                                       8 10/100/1000M autosensing Ethernet electrical ports
Expansion slots                        2 WSIC slots
Types of expansion cards               8GE-WSIC: 8 x 1GE RJ45 interface card
                                       2XG8GE-WSIC: 8 x 1GE RJ45 + 2 x 10GE SFP+ interface card
                                       8GEF-WSIC: 8 x 1GE SFP interface card
                                       4GE-BYPASS-WSIC: bypass card with 2 electrical links

Environment specifications[c]
Short-term[d] operating temperature    Without hard disk: 5°C to 55°C
                                       With hard disk(s): 5°C to 40°C
Long-term operating temperature        Without hard disk: 0°C to 45°C
                                       With hard disk(s): 5°C to 40°C
Storage temperature                    -40°C to 70°C
Operating relative humidity            Short term: 5% RH to 95% RH, non-condensing
                                       Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity              Short term: 5% RH to 95% RH, non-condensing
                                       Long term: 5% RH to 85% RH, non-condensing
Altitude                               Without hard disk: 5,000 m
                                       With hard disk(s): 3,000 m

NOTE
a. The width does not include the size of the mounting ears.
b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is the height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. Short-term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulated total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.8 USG6650/6660
This section describes the dimensions, weight, and power and environment specifications of
the USG6650/6660.
Table 5-8 lists the technical specifications of the USG6650/6660.

Table 5-8 USG6650/6660 technical specifications

Item                                   Description

System specifications
CPU                                    Multi-core 1.2 GHz processor
Memory                                 DDR3 16 GB
Flash                                  64 MB
CF card                                2 GB
Hard disk                              Optional. The device can hold two 300 GB 2.5-inch SAS hard
                                       disks to form a RAID-1 array for redundancy. The hard disks
                                       are hot-swappable.
SPUB (the service engine)              Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D)           130.5 mm x 442 mm x 470 mm
Weight                                 Standard: 18 kg
                                       Fully configured: 22 kg

Power specifications
AC power                               Supported, 1+1 power redundancy, hot-swappable
Rated input voltage (AC)               100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC)             90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC)             5 A
DC power                               Supported only by the USG6660, 1+1 power redundancy,
                                       hot-swappable
Rated input voltage (DC)               -48 V to -60 V
Maximum input voltage (DC)             -40 V to -72 V
Maximum input current (DC)             5 A
Maximum output power                   350 W

Heat dissipation
Fan module                             Supported, hot-swappable
Air flow (hot air flow, viewed         Intake on the front and left sides, exhaust on the right side
facing the rear panel)

Port density
Out-of-band management port            1 (RJ45)
Console port                           1 RJ45 and 1 Mini USB (only one of them can be used at a time)
USB 2.0 port                           2
Mandatory service ports                8 GE optical ports
                                       8 10/100/1000M autosensing Ethernet electrical ports
                                       2 10GE optical ports
Expansion slots                        6 WSIC slots, or 2 WSIC slots + 4 XSIC slots
Types of expansion cards               8GE-WSIC: 8 x 1GE RJ45 interface card
                                       2XG8GE-WSIC: 8 x 1GE RJ45 + 2 x 10GE SFP+ interface card
                                       8GEF-WSIC: 8 x 1GE SFP interface card
                                       4GE-BYPASS-WSIC: bypass card with 2 electrical links

Environment specifications[c]
Short-term[d] operating temperature    Without hard disk: -5°C to 55°C
                                       With hard disk(s): 5°C to 40°C
Long-term operating temperature        Without hard disk: 0°C to 45°C
                                       With hard disk(s): 5°C to 40°C
Storage temperature                    -40°C to 70°C
Operating relative humidity            Short term: 5% RH to 95% RH, non-condensing
                                       Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity              Short term: 5% RH to 95% RH, non-condensing
                                       Long term: 5% RH to 85% RH, non-condensing
Altitude                               Without hard disk: 5,000 m
                                       With hard disk(s): 3,000 m

NOTE
a. The width does not include the size of the mounting ears.
b. The height is 3 U (1 U = 1.75 inches, or about 44.45 mm), which is the height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. Short-term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulated total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.9 USG6670
This section describes the dimensions, weight, and power and environment specifications of
the USG6670.
Table 5-9 lists the technical specifications of the USG6670.

Table 5-9 USG6670 technical specifications

Item                                   Description

System specifications
CPU                                    Multi-core 1.2 GHz processor
Memory                                 DDR3 16 GB
Flash                                  64 MB
CF card                                2 GB
Hard disk                              Optional. The device can hold two 300 GB 2.5-inch SAS hard
                                       disks to form a RAID-1 array for redundancy. The hard disks
                                       are hot-swappable.
SPUB (the service engine)              Not supported

Dimensions and weight
Dimensions (H[b] x W[a] x D)           130.5 mm x 442 mm x 470 mm
Weight                                 Standard: 20 kg
                                       Fully configured: 22 kg

Power specifications
AC power                               Supported, 1+1 power redundancy, hot-swappable
Rated input voltage (AC)               100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC)             90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC)             5 A
DC power                               Supported, 1+1 power redundancy, hot-swappable
Rated input voltage (DC)               -48 V to -60 V
Maximum input voltage (DC)             -40 V to -72 V
Maximum input current (DC)             5 A
Maximum output power                   350 W

Heat dissipation
Fan module                             Supported, hot-swappable
Air flow (hot air flow, viewed         Intake on the front and left sides, exhaust on the right side
facing the rear panel)

Port density
Out-of-band management port            1 (RJ45)
Console port                           1 RJ45 and 1 Mini USB (only one of them can be used at a time)
USB 2.0 port                           2
Mandatory service ports                8 GE optical ports
                                       16 10/100/1000M autosensing Ethernet electrical ports
                                       4 10GE optical ports
Expansion slots                        5 WSIC slots, or 1 WSIC slot + 4 XSIC slots
Types of expansion cards               8GE-WSIC: 8 x 1GE RJ45 interface card
                                       2XG8GE-WSIC: 8 x 1GE RJ45 + 2 x 10GE SFP+ interface card
                                       8GEF-WSIC: 8 x 1GE SFP interface card
                                       4GE-BYPASS-WSIC: bypass card with 2 electrical links

Environment specifications[c]
Short-term[d] operating temperature    Without hard disk: -5°C to 55°C
                                       With hard disk(s): 5°C to 40°C
Long-term operating temperature        Without hard disk: 0°C to 45°C
                                       With hard disk(s): 5°C to 40°C
Storage temperature                    -40°C to 70°C
Operating relative humidity            Short term: 5% RH to 95% RH, non-condensing
                                       Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity              Short term: 5% RH to 95% RH, non-condensing
                                       Long term: 5% RH to 85% RH, non-condensing
Altitude                               Without hard disk: 5,000 m
                                       With hard disk(s): 3,000 m

NOTE
a. The width does not include the size of the mounting ears.
b. The height is 3 U (1 U = 1.75 inches, or about 44.45 mm), which is the height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. Short-term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulated total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.

5.1.10 USG6680
This section describes the dimensions, weight, and power and environment specifications of
the USG6680.
Table 5-10 lists the technical specifications of the USG6680.

Table 5-10 USG6680 technical specifications

Item                                   Description

System specifications
CPU                                    Multi-core 1.2 GHz processor
Memory                                 DDR3 16 GB
Flash                                  64 MB
CF card                                2 GB
Hard disk                              Optional. The device can hold two 300 GB 2.5-inch SAS hard
                                       disks to form a RAID-1 array for redundancy. The hard disks
                                       are hot-swappable.
SPUB (the service engine)              Supported

Dimensions and weight
Dimensions (H[b] x W[a] x D)           130.5 mm x 442 mm x 470 mm
Weight                                 Standard: 20 kg
                                       Fully configured: 24 kg

Power specifications
AC power                               Supported, 1+1 power redundancy, hot-swappable
Rated input voltage (AC)               100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC)             90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC)             5 A
DC power                               Supported, 1+1 power redundancy, hot-swappable
Rated input voltage (DC)               -48 V to -60 V
Maximum input voltage (DC)             -40 V to -72 V
Maximum input current (DC)             5 A
Maximum output power                   350 W

Heat dissipation
Fan module                             Supported, hot-swappable
Air flow (hot air flow, viewed         Intake on the front and left sides, exhaust on the right side
facing the rear panel)

Port density
Out-of-band management port            1 (RJ45)
Console port                           1 RJ45 and 1 Mini USB (only one of them can be used at a time)
USB 2.0 port                           2
Mandatory service ports                8 GE optical ports
                                       16 10/100/1000M autosensing Ethernet electrical ports
                                       4 10GE optical ports
Expansion slots                        5 WSIC slots, or 1 WSIC slot + 4 XSIC slots
Types of expansion cards               8GE-WSIC: 8 x 1GE RJ45 interface card
                                       2XG8GE-WSIC: 8 x 1GE RJ45 + 2 x 10GE SFP+ interface card
                                       8GEF-WSIC: 8 x 1GE SFP interface card
                                       4GE-BYPASS-WSIC: bypass card with 2 electrical links

Environment specifications[c]
Short-term[d] operating temperature    Without hard disk: 5°C to 55°C
                                       With hard disk(s): 5°C to 40°C
Long-term operating temperature        Without hard disk: 0°C to 45°C
                                       With hard disk(s): 5°C to 40°C
Storage temperature                    -40°C to 70°C
Operating relative humidity            Short term: 5% RH to 95% RH, non-condensing
                                       Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity              Short term: 5% RH to 95% RH, non-condensing
                                       Long term: 5% RH to 85% RH, non-condensing
Altitude                               Without hard disk: 5,000 m
                                       With hard disk(s): 3,000 m

NOTE
a. The width does not include the size of the mounting ears.
b. The height is 3 U (1 U = 1.75 inches, or about 44.45 mm), which is the height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. Short-term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulated total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
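The operating limits in Tables 5-6 to 5-10 and the short-term rule in footnote d are easy to misread when reviewing rack telemetry: a device without disks may sit at 50°C for a day, but with disks fitted the ceiling is 40°C in both terms, and an excursion that runs past 48 hours, or excursions totalling more than 15 days in a year, is long-term operation outside the specification. The following Python is an added example, not Huawei code: it encodes the limits from the tables above, classifies each reading of an hourly telemetry series (constructed here) as within the long-term limits, within the short-term limits only, or out of range, and applies the 48-hour and 15-day rules to runs of short-term-only readings. It assumes evenly spaced samples spanning at most one year; model names and the sample data are the only other inputs.

```python
# Check environmental telemetry against the USG6000 operating limits in Tables 5-6
# to 5-10 and the short-/long-term rule of footnote d. Added example, not Huawei
# code: the limits are copied from the tables above; the telemetry is constructed
# inline and assumed to be evenly sampled and to span at most one year.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

def _limits(long_no_hdd, short_no_hdd):
    # With hard disk(s) fitted, every model is limited to 5-40 C in both terms.
    return {"no_hdd": {"long": long_no_hdd, "short": short_no_hdd},
            "hdd": {"long": (5, 40), "short": (5, 40)}}

# Operating temperature limits in degrees C as (low, high), per the tables above.
TEMP_LIMITS = {
    "USG6550/6570": _limits((0, 45), (5, 55)),
    "USG6620/6630": _limits((0, 45), (5, 55)),
    "USG6650/6660": _limits((0, 45), (-5, 55)),
    "USG6670": _limits((0, 45), (-5, 55)),
    "USG6680": _limits((0, 45), (5, 55)),
}
RH_LIMITS = (5.0, 95.0)  # % RH, non-condensing; all models, both terms
# Footnote d: short-term conditions may last at most 48 h continuously and at most
# 15 days cumulatively per year; beyond either limit they count as long term.
SHORT_TERM_MAX_CONTINUOUS = timedelta(hours=48)
SHORT_TERM_MAX_PER_YEAR = timedelta(days=15)

@dataclass
class Report:
    excursions: list = field(default_factory=list)  # (start, end) of short-term-only runs
    violations: list = field(default_factory=list)  # (start, end, reason)
    excursion_total: timedelta = timedelta(0)

    @property
    def within_spec(self):
        return not self.violations

def classify(temp_c, rh_pct, limits):
    """'ok' inside the long-term limits, 'short' inside only the short-term limits,
    'out' beyond the short-term limits or with humidity out of range."""
    if not RH_LIMITS[0] <= rh_pct <= RH_LIMITS[1]:
        return "out"
    for term in ("long", "short"):
        low, high = limits[term]
        if low <= temp_c <= high:
            return "ok" if term == "long" else "short"
    return "out"

def state_for(model, has_hdd, temp_c, rh_pct=50.0):
    """Classify one reading for a model with or without hard disks."""
    return classify(temp_c, rh_pct, TEMP_LIMITS[model]["hdd" if has_hdd else "no_hdd"])

def check_environment(model, has_hdd, samples, interval):
    """Apply the limits and footnote d to (timestamp, temp_c, rh_pct) samples
    spaced `interval` apart."""
    limits = TEMP_LIMITS[model]["hdd" if has_hdd else "no_hdd"]
    report, run_start, run_len = Report(), None, timedelta(0)

    def close_run(end):  # finish the open run of short-term-only conditions, if any
        nonlocal run_start, run_len
        if run_start is None:
            return
        report.excursions.append((run_start, end))
        report.excursion_total += run_len
        if run_len > SHORT_TERM_MAX_CONTINUOUS:
            report.violations.append((run_start, end, "short-term conditions held for more than 48 h continuously"))
        run_start, run_len = None, timedelta(0)

    for ts, temp_c, rh_pct in samples:
        state = classify(temp_c, rh_pct, limits)
        if state == "short":
            run_start, run_len = run_start or ts, run_len + interval
            continue
        close_run(ts)
        if state == "out":
            report.violations.append((ts, ts + interval, f"{temp_c} C at {rh_pct}% RH is outside the short-term limits"))
    if samples:
        close_run(samples[-1][0] + interval)
        if report.excursion_total > SHORT_TERM_MAX_PER_YEAR:
            report.violations.append((samples[0][0], samples[-1][0] + interval, "short-term conditions exceed 15 days in the year"))
    return report

def _series(blocks, start=datetime(2014, 10, 20)):
    """Constructed hourly telemetry from (hours, temp_c, rh_pct) blocks."""
    samples, t = [], start
    for hours, temp_c, rh_pct in blocks:
        for _ in range(hours):
            samples.append((t, temp_c, rh_pct))
            t += timedelta(hours=1)
    return samples

HOUR = timedelta(hours=1)

def demo_short_excursion():  # USG6650, no disks: 30 h at 50 C is a permitted short-term excursion
    return check_environment("USG6650/6660", False, _series([(24, 22, 45), (30, 50, 40), (10, 22, 45)]), HOUR)

def demo_excursion_too_long():  # same device: 50 h at 50 C exceeds 48 h, so it counts as long term
    return check_environment("USG6650/6660", False, _series([(24, 22, 45), (50, 50, 40), (10, 22, 45)]), HOUR)

def demo_with_disks():  # disks fitted: ceiling is 40 C in both terms, so 50 C is out of spec at once
    return check_environment("USG6650/6660", True, _series([(24, 22, 45), (2, 50, 40)]), HOUR)
```

Feed `check_environment()` the temperature and humidity samples a rack sensor or monitoring system already records, with `has_hdd` set to match the installed configuration; `Report.violations` then lists the periods in which the device ran outside its specification, which is what you need when a hardware fault or a service-engine restart has to be ruled in or out as an environmental problem.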

5.2 Standards and Protocols

This section lists the standards and protocols with which the USG6000 complies.

Table 5-11 ETS standards

Standard or Protocol       Description
ETS 300 019-2-2            Equipment Engineering; Environmental conditions and environmental tests for
                           telecommunications equipment. Part 2-2: Specification of environmental tests;
                           transportation
ETS 300 119-3              European telecommunication standard for equipment practice. Part 3: Engineering
                           requirements for miscellaneous racks and cabinets
EN 300 386 Version 1.2.1   Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication
                           network equipment; ElectroMagnetic Compatibility (EMC) requirements

Table 5-12 IEC standards

Standard or Protocol       Description
IEC 61000                  Electromagnetic compatibility (EMC)
IEC 61000-4-2              Electromagnetic compatibility (EMC) - Part 4: Testing and measuring techniques -
                           Section 2: Electrostatic discharge immunity test - Basic EMC publication
IEC 61000-4-3              Electromagnetic compatibility (EMC) - Part 4-3: Testing and measurement techniques;
                           Radiated, radio-frequency, electromagnetic field immunity test
IEC 61000-4-4              Electromagnetic compatibility (EMC) - Part 4: Testing and measuring techniques -
                           Section 4: Electrical fast transient/burst immunity test - Basic EMC publication
IEC 61000-4-5              Electromagnetic compatibility (EMC) - Part 4: Testing and measurement techniques -
                           Section 5: Surge immunity test
IEC 61000-4-6              Electromagnetic compatibility (EMC) - Part 4: Testing and measurement techniques -
                           Section 6: Immunity to conducted disturbances, induced by radio-frequency fields
IEC 61000-3-2              Electromagnetic compatibility (EMC) - Part 3-2: Limits; Limits for harmonic current
                           emissions (equipment input current ≤ 16 A per phase)
IEC 61000-3-3              Electromagnetic compatibility (EMC) - Part 3: Limits; Section 3: Limitation of voltage
                           fluctuations and flicker in low-voltage supply systems for equipment with rated
                           current ≤ 16 A
IEC 62151                  Safety of equipment electrically connected to a telecommunication network

Table 5-13 ISO standards

Standard or Protocol       Description
ISO/IEC 11801              Information technology - Generic cabling for customer premises
ISO/IEC 15802-2            Information technology - Telecommunications and information exchange between
                           systems - Local and metropolitan area networks - Common specifications - Part 2:
                           LAN/MAN management

Table 5-14 CISPR standards

Standard or Protocol       Description
CISPR 22                   Information technology equipment - Radio disturbance characteristics - Limits and
                           methods of measurement

Table 5-15 ITU-T standards

Standard or Protocol       Description
I.430                      [I.430] Recommendation I.430 (11/95) - Basic user-network interface - Layer 1
                           specification
I.431                      [I.431] Recommendation I.431 (03/93) - Primary rate user-network interface - Layer 1
                           specification

Table 5-16 IEEE standards

Standard or Protocol       Description
IEEE 802.3                 Carrier sense multiple access with collision detection (CSMA/CD) access method and
                           physical layer specification
IEEE 802.3u                Media Access Control (MAC) parameters, physical layer, medium attachment units, and
                           repeater for 100 Mb/s operation, type 100Base-T
IEEE 802.1D                Media Access Control (MAC) Bridges
IEEE 802.3af               DTE Power via MDI
