V100R001
Product Description
Issue 01
Date 2014-10-20
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Product Version
The following table lists the product versions of this document.
This document describes the product positioning and highlights, typical networking and application scenarios, software and hardware architecture, functions and features, standards, and technical specifications of the USG6000. It helps you quickly become familiar with the product.
Intended Audience
This document is intended for administrators who configure and manage the NGFW. The administrators must have good Ethernet knowledge and network management experience.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation which, if not
avoided, will result in death or serious injury.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.
Contents
4 Product Functions
4.1 USG6000 Functions
4.2 Advanced Content Security Defense
4.2.1 Unified Detection Mechanism
4.2.2 SSL Decryption
4.2.3 Antivirus
5 Technical Specifications
5.1 Hardware Specifications
5.1.1 USG6310
5.1.2 USG6320
5.1.3 USG6330/6350/6360
5.1.4 USG6370/6380/6390
5.1.5 USG6530
5.1.6 USG6550/6570
5.1.7 USG6620/6630
5.1.8 USG6650/6660
5.1.9 USG6670
5.1.10 USG6680
5.2 Standards and Protocols
run on ports 80 and 443 using HTTP and HTTPS, for example, WebMail, web gaming,
video streaming, and web chats.
The packet content is uncertain.
Single-packet detection analyzes only the security of individual packets. This mechanism cannot defend against viruses or Trojan horses during Internet access, because their content is spread over many packets of a flow. Intranet hosts may accidentally introduce worms, Trojan horses, and viruses, which result in information leaks and losses. Therefore, network security management must identify and monitor traffic content, in addition to controlling traffic based on source and destination IP addresses.
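The following is an added example, not code from the Huawei document, showing the concrete gap described above: a content signature that straddles a segment boundary is invisible to per-packet matching but is found once the flow is reassembled. The signature string, the HTTP response and the segmentation are constructed sample data; the reassembly logic is a deliberately small stand-in for what a flow-level detection engine does before matching.

```python
"""Added example, not from the Huawei document: why inspecting each
packet in isolation misses content that spans packets, and how
flow-level reassembly catches it. The signature and the traffic below
are constructed sample data."""
from dataclasses import dataclass

# Constructed content signature standing in for a real antivirus/IPS
# pattern; real engines hold many and normalise the stream first.
SIGNATURE = b"CONSTRUCTED-BAD-TOKEN-1"


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a flow: relative sequence number and payload."""
    seq: int
    payload: bytes


def single_packet_detect(segments, signature=SIGNATURE):
    """Per-packet inspection: return seqs of segments that contain the
    whole signature. A signature split over two segments is never seen."""
    return [s.seq for s in segments if signature in s.payload]


def reassemble(segments):
    """Rebuild the byte stream of one direction of a TCP flow.

    Orders segments by sequence number, drops exact retransmissions and
    overlapping bytes already delivered, and refuses to guess across a
    gap (a real engine would hold the flow until the missing segment
    arrives)."""
    stream = bytearray()
    expected = 0
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            raise ValueError(f"gap in flow: expected seq {expected}, got {seg.seq}")
        # seg.seq <= expected: keep only the bytes not already delivered
        new = seg.payload[expected - seg.seq:]
        stream += new
        expected += len(new)
    return bytes(stream)


def flow_detect(segments, signature=SIGNATURE):
    """Flow-level inspection: offset of the signature in the reassembled
    stream, or -1 if absent."""
    return reassemble(segments).find(signature)


def constructed_body(signature=SIGNATURE):
    """A constructed HTTP response whose body carries the signature."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n\r\n"
            b"prefix-" + signature + b"-suffix")


def constructed_flow(signature=SIGNATURE):
    """Cut the response into three segments so the signature straddles
    two segment boundaries, and deliver them out of order (last first),
    as a real capture often does."""
    body = constructed_body(signature)
    start = body.index(signature)
    cuts = [start + 5, start + len(signature) - 5]
    pieces = [body[:cuts[0]], body[cuts[0]:cuts[1]], body[cuts[1]:]]
    segments, seq = [], 0
    for piece in pieces:
        segments.append(Segment(seq, piece))
        seq += len(piece)
    return [segments[2], segments[0], segments[1]]


if __name__ == "__main__":
    flow = constructed_flow()
    print("per-packet hits:", single_packet_detect(flow))   # []
    print("flow-level hit at offset:", flow_detect(flow))   # 66
```

The same split also defeats naive "inspect the first N bytes" shortcuts; any engine that claims antivirus or intrusion prevention on web traffic must track per-flow state as `reassemble` does, which is also why such engines need the flow table and memory that a stateless packet filter does not.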
Multiple report formats such as the traffic report, threat report, application report, URL
report, and user report for the administrator to gain visibility into the network traffic
status and security defense effect
Carrier-Class Reliability
The USG6000 provides carrier-class reliability as follows:
Huawei has used its considerable telecommunications experience to develop the
USG6000. The USG6000 provides various carrier-class reliability technologies at the
hardware, software, and link layers to ensure high availability. The USG6000 supports
technologies such as dual-system hot backup, fault detection, power supply redundancy,
and hardware bypass.
Based on these reliability technologies, traffic is redirected in time when a device fault occurs, so that transmission continues normally.
Flexible Scalability
The USG6000 provides flexible scalability with the following features:
Multiple expansion interface card slots for enhancing hardware forwarding capabilities
and device performance
Key content security components, such as the IAE, application signature database, antivirus signature database, threat signature database, RBL query server, and URL category database, can be updated or queried online to ensure that the USG6000 can cope with the latest security risks.
Virtual systems. A physical device can be divided into multiple virtual devices, each independent and logically isolated, to implement system-level expansion and meet the requirements of device leasing and cloud computing.
2 Application Scenarios
Figure 2-1 Typical networking of border protection for large and medium-sized enterprises
You can set up border protection for large and medium-sized enterprises as follows:
Divide the network where employees reside, the network where servers reside, and the
Internet into different security zones to detect and protect flows among security zones.
Enable the content security defense functions according to the services provided to external users. For example, you can enable file and data filtering for the file server in Figure 2-1, mail filtering for the mail server, and antivirus and intrusion prevention for all servers.
When intranet users access the Internet, enable the following to defend against Internet
threats and prevent information leaks to ensure network security:
URL filtering, file blocking, and data filtering
Antivirus
Application behavior control
Establish VPN tunnels between the USG6000, mobile workers, and branches to protect
service data during the transmission over the Internet.
Enable the anti-DDoS function to defend against heavy-traffic attacks launched from Internet hosts and ensure that services keep operating normally.
Apply bandwidth policies to traffic between the intranet and the Internet to control the
bandwidth and number of connections to avoid network congestion and defend against
DDoS attacks.
Deploy the eSight network management system (to be purchased independently) to record network operation logs. The logs help the administrator adjust configurations, audit traffic, and identify risks.
Deploy the dual-system hot backup network to improve availability. When a single-point
failure occurs, service traffic can be smoothly switched from the active device to the
standby device to ensure continuity.
Figure 2-4 Typical networking of VPN remote access and mobile working
You can set up VPN remote access and mobile working as follows:
Establish IPSec or L2TP over IPSec permanent tunnels for the branches and partners
with fixed VPN gateways. If access account verification is required, the L2TP over
IPSec tunnel is recommended.
Use SSL VPN for employees on the move (whose addresses are not fixed). No VPN client needs to be installed: these employees establish tunnels to the headquarters using only a web browser, which is convenient, while the resources they can access are controlled at a fine granularity.
Rely on IPSec or SSL encryption to protect network data carried in the preceding tunnels.
Apply access authentication on the access users of VPN tunnels to ensure user
legitimacy and apply access authorization on the basis of user permissions.
Enable the intrusion prevention, antivirus, file blocking, data filtering, and anti-DDoS
functions to prevent remote access users from introducing network threats as well as
information leaks.
Enable the user behavior audit function to discover risks promptly and retain records for later tracing.
In this scenario, the USG6000 is the cloud computing gateway. With the system virtualization
function, you can divide a physical device into multiple independent logical devices. Each
logical device, called a virtual system, has its own interface, system resource, and
configuration file and implements traffic forwarding and security defense independently.
Virtual systems are logically isolated and each cloud terminal has an exclusive firewall. These
virtual systems share the same physical entity. Therefore, traffic forwarding between virtual
systems is highly efficient. In the scenario shown in Figure 2-5, the USG6000 offers rapid data switching among virtual systems, protects traffic between the cloud terminal and the cloud server, and provides value-added security services for cloud computing.
Service Mobility
Service mobility enables consistent enterprise resource access
permissions and experience (the same priority and bandwidth for users to access enterprise
resources) regardless of where the users access the enterprise network. As shown in the
service mobility scenario in Figure 2-6, the firewalls are deployed at the borders of the
headquarters, branch office, and data center to provide user identification and permission
control functions. Apart from the user identification and permission control functions, the
firewalls at the borders of the headquarters and branch office provide L2TP VPN, L2TP over
IPSec VPN, and SSL VPN services for mobile employees and allocate bandwidth resources to
access users to ensure that the traffic of VIP users is preferentially forwarded.
Service Chain
A service chain is a scenario in which all security check devices are centrally deployed in a security resource pool, each responsible for a different security check task. Enterprises can have the core switch steer traffic through these security devices in a specified order for checking. Figure 2-7 shows the service chain scenario. In this scenario, the firewall resides in the security resource pool and provides the content security check. The firewalls are deployed off-path next to the core switch, and each firewall establishes GRE tunnels with each core switch. When receiving traffic to be checked, the core switch diverts the traffic over one GRE tunnel to the corresponding firewall. After the security check, the firewall injects the traffic back to the core switch over the other GRE tunnel.
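As an added example, not Huawei's code or configuration, the block below shows the divert-and-inject step of the service chain at the packet level: the switch wraps the original packet in GRE (RFC 2784) and sends it to the firewall; the firewall strips the encapsulation, runs its check on the original packet, and wraps what it permits in a second tunnel back to the switch. The GRE Key field (RFC 2890) is used here as the tunnel identifier that tells the two tunnels apart; the tunnel endpoint addresses 192.0.2.1/192.0.2.2, the keys 100/200, the inner packet and the `BLOCKME` content check are all constructed assumptions.

```python
"""Added example, not Huawei's code or configuration: the packet-level
view of the divert-and-inject step of a service chain. The core switch
wraps traffic in GRE (RFC 2784, with the Key field of RFC 2890 used as
a tunnel identifier) and sends it to the firewall; the firewall
decapsulates, inspects the original packet, and re-encapsulates what it
permits on a second tunnel back to the switch. All addresses, keys and
the inner packet are constructed sample values."""
import socket
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800                       # EtherType in the GRE Protocol Type field
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # checksum / key / sequence-number present


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones' complement sum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encap(outer_src: str, outer_dst: str, key: int, inner: bytes) -> bytes:
    """Wrap an inner IPv4 packet: outer IPv4 (protocol 47) + GRE with the K bit set."""
    gre = struct.pack("!HHI", GRE_K, GRE_PROTO_IPV4, key)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decap(packet: bytes):
    """Strip outer IPv4 and GRE. Returns (outer_src, outer_dst, key, inner)
    and rejects anything that is not well-formed GRE over IPv4."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("malformed outer IPv4 header")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    outer_src, outer_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:                        # GRE version must be 0
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    off = ihl + 4
    if flags & GRE_C:
        off += 4                              # Checksum + Reserved1
    key = None
    if flags & GRE_K:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        off += 4                              # Sequence Number
    return outer_src, outer_dst, key, packet[off:]


def firewall_handle(packet: bytes, fw_ip: str, switch_ip: str,
                    divert_key: int, inject_key: int, permit):
    """Firewall side of the chain: accept only packets that arrive on the
    divert tunnel, run the content check on the original packet, and return
    the re-encapsulated packet for the inject tunnel (None means dropped)."""
    outer_src, outer_dst, key, inner = gre_decap(packet)
    if outer_dst != fw_ip or key != divert_key:
        raise ValueError("packet did not arrive on the divert tunnel")
    if not permit(inner):
        return None
    return gre_encap(fw_ip, switch_ip, inject_key, inner)


def sample_inner(payload: bytes = b"constructed application data") -> bytes:
    """Constructed inner packet: IPv4 with protocol 253 (reserved for
    experimentation, RFC 3692) so no transport header is needed."""
    return ipv4_header("10.1.1.10", "10.2.2.20", 253, len(payload)) + payload


# Constructed tunnel endpoints and keys: switch 192.0.2.1, firewall 192.0.2.2
SWITCH, FW, DIVERT_KEY, INJECT_KEY = "192.0.2.1", "192.0.2.2", 100, 200


def no_blocked_marker(inner: bytes) -> bool:
    """Stand-in for the firewall's content check: drop if a constructed marker appears."""
    return b"BLOCKME" not in inner


def run_chain(inner: bytes):
    """Switch diverts, firewall inspects, switch receives on the inject tunnel.
    Returns the (src, dst, key, inner) tuple the switch sees, or None if dropped."""
    diverted = gre_encap(SWITCH, FW, DIVERT_KEY, inner)
    back = firewall_handle(diverted, FW, SWITCH, DIVERT_KEY, INJECT_KEY, no_blocked_marker)
    return None if back is None else gre_decap(back)
```

Two points the example makes that the prose does not: the firewall must refuse traffic that arrives on the wrong tunnel (otherwise an attacker who can reach the firewall's tunnel address could inject "already inspected" traffic), and the switch can only trust the inject tunnel if it, too, checks the key and outer addresses on receipt.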
Security Collaboration
Security collaboration is a solution for improving overall intranet security defense capabilities. It provides visibility into network health, the number and types of security events, and security risk trends, and it monitors and handles security events. As shown in Figure 2-8, the firewall sends syslogs about security events, such as viruses, intrusions, Trojans, and data leaks, to the controller. After receiving the security logs, the controller delivers security warnings and actions, such as isolate or block, to the aggregation switch, so that the aggregation switch can block these risks.
3 Product Architecture
3.1.1 USG6310
The USG6310 is a 1-U desktop device with an integrated structure. The device provides fixed
ports, a built-in fan module, and uses an external power adapter to supply power. The device
does not support port expansion.
Appearance
Figure 3-1 illustrates the appearance of the USG6310.
Ports
The USG6310 provides the following fixed ports:
1 console port (RJ45)
1 USB 2.0 port
8 10/100/1000M autosensing Ethernet electrical ports
3.1.2 USG6320
The USG6320 is a 1-U desktop device with an integrated structure. The device provides fixed
ports, a built-in fan module, and uses an external power adapter to supply power. The device
does not support port expansion.
Appearance
Figure 3-2 illustrates the appearance of the USG6320.
Ports
The USG6320 provides the following fixed ports:
1 console port (RJ45)
1 USB 2.0 port
8 10/100/1000M autosensing Ethernet electrical ports
3.1.3 USG6330/6350/6360
The USG6330/6350/6360 uses an integrated chassis that contains the fixed interface board, power
module, and fan module. You can also add some optional modules, such as hard disks,
additional power module, and expansion cards, to improve system reliability and add more
ports.
Appearance
Figure 3-3 illustrates the appearance of the USG6330/6350/6360.
Fixed interface board: The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  Forwarding plane: parses and processes packets and associates with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: is aware of the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-2 lists the supported expansion cards.
Power module: A built-in 150 W power module is provided by default, but you can optionally add a 170 W power module for 1+1 power redundancy. If two power modules are used and the PWR6 power module fails, the other can support the entire system so that you can replace the faulty PWR6 power module without interrupting device operation.
Hard disk combination: Hard disks are used to store logs and reports. The device supports the optional hard disk combination SM-HDD-SAS300G-B.
Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
1 USB 2.0 port
2 GE Combo ports
4 10/100/1000M autosensing Ethernet electrical ports
Table 3-2 lists the supported types of expansion cards.
3.1.4 USG6370/6380/6390
The USG6370/6380/6390 uses an integrated chassis that contains the fixed interface board,
power module, and fan module. You can also add some optional modules, such as hard disks,
additional power module, and expansion cards, to improve system reliability and add more
ports.
Appearance
Figure 3-4 illustrates the appearance of the USG6370/6380/6390.
Fixed interface board: The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  Forwarding plane: parses and processes packets and associates with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: is aware of the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-4 lists the supported expansion cards.
Power module: By default, an AC power module is provided. Two power modules are supported to provide 1+1 power redundancy. If one power module fails, the other can support the entire system so that you can replace the faulty power module without interrupting device operation.
Hard disk combination: Hard disks are used to store logs and reports. The device supports the optional hard disk combination SM-HDD-SAS300G-B.
Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
2 USB 2.0 ports
4 GE optical ports
8 10/100/1000M autosensing Ethernet electrical ports
Table 3-4 lists the supported types of expansion cards.
3.1.5 USG6530
The USG6530 uses an integrated chassis that contains the fixed interface board, power
module, and fan module. You can also add some optional modules, such as hard disks,
additional power module, and expansion cards, to improve system reliability and add more
ports.
Appearance
Figure 3-5 illustrates the appearance of the USG6530.
Fixed interface board: The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  Forwarding plane: parses and processes packets and associates with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: is aware of the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-6 lists the supported expansion cards.
Power module: A built-in 150 W power module is provided by default, but you can optionally add a 170 W power module for 1+1 power redundancy. If two power modules are used and the PWR6 power module fails, the other can support the entire system so that you can replace the faulty PWR6 power module without interrupting device operation.
Hard disk combination: Hard disks are used to store logs and reports. The device supports the optional hard disk combination SM-HDD-SAS300G-B.
Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
1 USB 2.0 port
2 GE Combo ports
4 10/100/1000M autosensing Ethernet electrical ports
Table 3-6 lists the supported types of expansion cards.
3.1.6 USG6550/6570
The USG6550/6570 uses an integrated chassis that contains the fixed interface board, power
module, and fan module. You can also add some optional modules, such as hard disks,
additional power module, and expansion cards, to improve system reliability and add more
ports.
Appearance
Figure 3-6 illustrates the appearance of the USG6550/6570.
Fixed interface board: The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  Forwarding plane: parses and processes packets and associates with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: is aware of the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-8 lists the supported expansion cards.
Power module: By default, an AC power module is provided. Two power modules are supported to provide 1+1 power redundancy. If one power module fails, the other can support the entire system so that you can replace the faulty power module without interrupting device operation.
Hard disk combination: Hard disks are used to store logs and reports. The device supports optional SM-HDD-SAS300G-B hard disks.
Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
2 USB 2.0 ports
4 GE optical ports
8 10/100/1000M autosensing Ethernet electrical ports
Table 3-8 lists the supported types of expansion cards.
3.1.7 USG6620/6630
The USG6620/6630 uses an integrated chassis that contains the fixed interface board, power
module, and fan module. You can also add some optional modules, such as hard disks,
additional power module, and expansion cards, to improve system reliability and add more
ports.
Appearance
Figure 3-7 illustrates the appearance of the USG6620/6630.
Fixed interface board: The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  Forwarding plane: parses and processes packets and associates with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: is aware of the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-10 lists the supported expansion cards.
Power module: By default, an AC power module is provided. Two power modules are supported to provide 1+1 power redundancy. If one power module fails, the other can support the entire system so that you can replace the faulty power module without interrupting device operation.
Hard disk combination: Hard disks are used to store logs and reports. The device supports the optional hard disk combination SM-HDD-SAS300G-B.
Ports
The fixed interface board provides the following ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
2 USB 2.0 ports
4 GE optical ports
8 10/100/1000M autosensing Ethernet electrical ports
Table 3-10 lists the supported types of expansion cards.
3.1.8 USG6650/6660
The USG6650/6660 uses an integrated chassis that contains the SPUA (main processing unit),
interface card, power module, and fan module. You can also add some optional modules, such
as hard disk and expansion cards, to improve system reliability and add more ports.
Appearance
Figure 3-8 illustrates the appearance of the USG6650/6660.
SPUA (the main processing unit): SPUA is the core component for system control and management and provides the management, forwarding, and control planes and an intelligent awareness engine.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades. It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in real time.
  Forwarding plane: parses and processes packets and associates with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: is aware of the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
Interface card (mandatory): The interface card provides gigabit and 10-gigabit electrical and optical ports. The interface card is installed before shipment and can be moved to another slot. The interface card is not hot-swappable.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-12 lists the supported expansion cards.
Power module: By default, the USG6650 has two AC power modules and does not support DC. By default, the USG6660 has two DC or AC power modules for 1+1 power redundancy, so that if one power module is faulty, it can be hot-swapped.
Fan module: The fan module provides air flow for heat dissipation. The fan module supports hot-swapping and can be replaced without interrupting device operation. However, to prevent overheating, do not operate the device without a functioning fan module for more than one minute.
Filler panel: Ensures normal air flow and keeps out dust.
Ports
The SPUA provides the following fixed ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
The slots are divided into two types: one for Wide Service Interface Cards (WSIC) and the other for
Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also
hold a WSIC card, but only in the lower part, and in this case, no other card can be installed in the upper
part.
3.1.9 USG6670
The USG6670 uses an integrated chassis that contains the SPUA (main processing unit),
interface card, power module, and fan module. You can also add some optional modules, such
as hard disk and expansion cards, to improve system reliability and add more ports.
Appearance
Figure 3-9 illustrates the appearance of the USG6670.
SPUA (the main processing unit): SPUA is the core component for system control and management and provides the management, forwarding, and control planes and an intelligent awareness engine.
  Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades. It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in real time.
  Forwarding plane: parses and processes packets and associates with other planes to forward, discard, or translate packets.
  Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  Intelligent awareness engine: is aware of the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
Interface card (mandatory): The interface card provides gigabit and 10-gigabit electrical and optical ports. The interface card is installed before shipment and can be moved to another slot. The interface card is not hot-swappable.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-14 lists the supported expansion cards.
Power module: Two DC or AC power modules are mandatory to provide 1+1 power redundancy. If one power module fails, the other can support the entire system so that you can replace the faulty power module without interrupting device operation.
Fan module: The fan module provides air flow for heat dissipation. The fan module supports hot-swapping and can be replaced without interrupting device operation. However, to prevent overheating, do not operate the device without a functioning fan module for more than one minute.
Filler panel: Ensures normal air flow and keeps out dust.
Ports
The SPUA provides the following fixed ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
The slots are divided into two types: one for Wide Service Interface Cards (WSIC) and the other for
Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also
hold a WSIC card, but only in the lower part, and in this case, no other card can be installed in the upper
part.
3.1.10 USG6680
The USG6680 uses an integrated chassis that contains the SPUA (main processing unit),
SPUB (service engine), interface card, power module, and fan module. You can also add some
optional modules, such as hard disk and expansion cards, to improve system reliability and
add more ports.
Appearance
Figure 3-10 illustrates the appearance of the USG6680.
Name Description
SPUA (the main processing unit): SPUA is the core component for system control and management and provides the management, forwarding, and control planes. Meanwhile, both SPUA and SPUB have an intelligent awareness engine (IAE) and provide intelligent awareness service.
Management plane: provides ports for configuration, test, and maintenance and implements such functions as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades. It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in real time.
Forwarding plane: parses and processes packets and associates with other planes to forward, discard, or translate packets.
Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
Intelligent awareness engine: is aware of the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, email field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.
SPUB (the service engine): SPUB has an IAE to provide content security. The CPU resources of SPUB on the USG6680 are dedicated to the IAE. Therefore, the USG6680 has higher performance than other USG products.
Interface card (mandatory): The interface card provides gigabit and 10-gigabit electrical and optical ports. The interface card is installed before shipment and can be moved to another slot. The interface card is not hot-swappable.
Expansion slot: Expansion slots are reserved for expansion cards to provide more ports or functions. Table 3-16 lists the supported expansion cards.
Power module: Two DC or AC power modules are mandatory to provide 1+1 power redundancy. If one power module fails, the other can support the entire system so that you can replace the faulty power module without interrupting device operation.
Fan module: The fan module provides air flow for heat dissipation. The fan module supports hot-swapping and can be replaced without interrupting device operation. However, to prevent overheating, do not operate the device without a functioning fan module for more than one minute.
Ports
The SPUA provides the following fixed ports:
1 out-of-band management port (RJ45)
1 console port (RJ45)
1 console port (mini USB)
2 USB 2.0 ports
The USG6680 by default has two 2XG8GE interface cards and one 8GEF interface card to
provide the following service ports:
8 GE optical ports
16 10/100/1000M autosensing Ethernet electrical ports
4 10GE optical ports
The five expansion slots on the USG6680 support the expansion cards listed in Table 3-16.
The slots are divided into two types: one for Wide Service Interface Cards (WSIC) and the other for
Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also
hold a WSIC card, but only in the lower part, and in this case, no other card can be installed in the upper
part.
If a packet matches a security policy and the corresponding configuration file exists, the
forwarding plane forwards the packet to the IAE for service awareness. You can obtain
all the data necessary for follow-up processing after one inspection. The forwarding
plane processes the packet according to the inspection results and policies. Packets are
forwarded at a high speed and with extremely low delay, even if the forwarding plane is
isolated from the IAE. The forwarding plane preferentially forwards packets to process
burst traffic.
Control plane
The control plane interacts with a user, obtains authentication information about the user,
and sends the information to the forwarding plane. Then the forwarding plane processes
packets based on the user. The independent control plane ensures the rapid access of a
large number of users and improves the response speed.
The control plane interacts with the remote URL category server to obtain the latest URL
categories.
4 Product Functions
The unified detection mechanism refers to the process of data retrieval for content security
functions within only one detection cycle, which greatly enhances the performance of the
device, as shown in Figure 4-1.
The NGFW implements content security checks on only the SSL traffic with application protocol HTTP.
4.2.3 Antivirus
The antivirus function scans the files transmitted over the network and records or removes the
identified viruses in the files.
A virus is a set of self-replicating instructions or program code, either standalone or embedded in other computer programs, that adversely affects computer use by damaging certain functions or data of the computer. Viruses are commonly embedded in files and spread through emails, web pages, and file transfer protocols. If hosts on the intranet are infected with viruses, the entire system may crash, relevant services may be interrupted, and important data may be leaked, causing tremendous loss to enterprises.
The antivirus function of the USG6000 detects and scans the file transfer and file sharing protocols that are commonly used to spread viruses. The USG6000 defeats multiple detection-evasion mechanisms used by viruses, enhancing the antivirus capability of the network. The antivirus capabilities of the USG6000 are as follows:
Support for a wide range of application-layer protocols and applications
The USG6000 supports virus scanning for files transmitted through HTTP, FTP, SMTP, POP3, IMAP, NFS, and SMB.
In addition, the USG6000 supports the configuration of exceptions for certain HTTP-based applications.
Virus scanning for compressed files
The USG6000 decompresses ZIP or GZIP files up to a maximum of three nested layers before it performs virus scanning.
Signature database with massive signatures
The predefined signature database of the USG6000 supports the detection of over 15,000 mainstream virus families, covering over 5,000,000 common viruses.
The massive signature database ensures the advanced virus detection capability of the USG6000. Huawei's professional virus analysis team tracks and analyzes the latest viruses and updates the virus signature database for network administrators. This ensures that the USG6000 obtains the latest signature database and can identify the maximum number of viruses.
Different defense measures for traffic flows of various kinds and antivirus policies based
on application and virus exceptions
Through security policy configuration, you can create and apply granular defense policies for different traffic flows to provide targeted network protection.
In addition, the administrator can adjust the antivirus policy to ensure the transmission of
service packets by configuring extra actions for certain HTTP-based applications or
adding certain false-positive viruses to the virus exception list.
trend of the threats with the help of the globally scattered honeynet. (A honeynet is a
website that lures hackers and collects data for producing signatures.) Based on the
preceding features, Huawei can release the signature of a virus that attacks a newly
identified vulnerability and update the signature database in the shortest time. The
signature can prevent all attacks, known or unknown, that take advantage of the
vulnerability, delivering zero-day protection.
The predefined signature database helps the USG6000 identify thousands of application-layer attacks, and constant updates of the signature database ensure that the USG6000 identifies and defends against the latest attacks and threats. In addition, administrators can define their own signatures as required to enhance the intrusion prevention function of the USG6000.
Low false positive rate
The false positive rate is an important metric of the accuracy of signatures and the quality of the signature database. False positives compromise legitimate services and bury valuable information in noise, making it harder to isolate real attacks.
False positives are usually caused by inaccurate signatures or detection mechanisms. Huawei has many security professionals and data sources to analyze samples, create signatures, and perform false negative tests to achieve a near-zero false positive rate. Because of the extremely low false positive rate, a large percentage of the signatures are enabled by default on the USG6000 to maximize protection without compromising legitimate services. Administrators do not need to check large numbers of logs for false negatives or determine whether some signatures should be disabled.
In addition to proactive defense measures, the USG6000 monitors, manages, traces, and
collects evidence of data leaks through application behavior audits.
The preceding USG6000 technologies, together with the management of storage devices, file encryption, user authentication, and user authorization, ensure end-to-end (E2E) data protection and form a complete DLP solution.
To cope with URLs that change dynamically and constantly grow in number, Huawei tracks changes on the Internet and updates the URL category database in real time to continually enhance the URL filtering function.
In addition, the administrator can set up a local URL category searching server that learns the complete URL categories from Huawei's searching server. Local USG6000s then perform URL queries against the local server. This deployment reduces bandwidth consumption, improves query speed, and keeps the query service available even when the USG6000 is disconnected from the Internet.
4.2.8 Anti-Spam
The anti-spam function blocks junk mails according to the IP address of the outgoing mail
server and mail content.
Any unsolicited mail sent to a user's inbox can be regarded as junk mail. The massive volume of junk mail today adversely affects the network as follows:
Congests the mail server and lowers the performance of the entire network.
Infringes on privacy, consumes inbox storage space, and wastes receivers' time, effort, and money. Some junk mail forges other people's email addresses as the sender address, damaging the reputation of the real owners of those addresses.
Carries Trojan horses and viruses, which turn into network attacks when manipulated by hackers.
Severely affects the credibility of an ISP. Hosts that frequently send junk mail are listed in international junk mail databases by their supervising ISP, after which they cannot access certain resources on the network. If the current ISP does not build a comprehensive anti-spam mechanism, users who receive junk mail may move to other ISPs.
Spreads false, anti-social, and pornographic content, causing harm to society.
The USG6000 provides the following mail filtering mechanisms:
Controls the permitted mail servers through a locally defined blacklist and whitelist.
Checks whether a mail server is one that habitually relays junk mail by querying a remote RBL server on the Internet. The RBL query server provides a comprehensive and constantly updated list of mail servers that relay junk mail.
Filters emails based on the sender, subject, and keywords in the mail body.
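The three mechanisms above, applied in that order to constructed sample mails, as an added illustration (not Huawei's code): the RBL lookup follows the usual DNS blocklist convention of querying the reversed IPv4 octets under the list's zone, and the zone here is an in-memory stand-in so the script runs offline.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Mail:
    """Constructed summary of one inbound message as seen by the filter."""
    server_ip: str   # address of the outgoing mail server that delivered it
    sender: str
    subject: str
    body: str


# Constructed sample lists (not real data).
WHITELIST = {"198.51.100.25"}   # trusted partner relay: always permitted
BLACKLIST = {"203.0.113.7"}     # known spam relay: always blocked

# Constructed RBL zone. DNS blocklists are queried by reversing the IPv4
# octets and appending the zone name; any A record answer means "listed".
RBL_ZONE = "rbl.example"
RBL_RECORDS = {"89.113.0.203." + RBL_ZONE: "127.0.0.2"}   # 203.0.113.89 is listed

# Keyword rules per mail field (constructed patterns).
KEYWORD_RULES = {
    "sender": [re.compile(r"@(lottery|freepills)\.", re.I)],
    "subject": [re.compile(r"\b(you have won|free money)\b", re.I)],
    "body": [re.compile(r"\bwire transfer\b.*\bprince\b", re.I | re.S)],
}


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Build the RBL query name for an IPv4 address: reversed octets + zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip: str, resolver=RBL_RECORDS.get) -> bool:
    """True if the RBL answers for the reversed-IP name.

    `resolver` maps a query name to an answer or None. It reads the
    constructed zone here; a deployment would swap in a real DNS lookup.
    """
    return resolver(rbl_query_name(ip)) is not None


def filter_mail(mail: Mail) -> tuple[str, str]:
    """Apply the checks in order and return (verdict, reason).

    Order matters: a whitelisted server skips every later check, so the
    whitelist should stay short; the cheap local lists run before the
    remote RBL query so known servers never cost a network round trip.
    """
    if mail.server_ip in WHITELIST:
        return "permit", "server whitelisted"
    if mail.server_ip in BLACKLIST:
        return "block", "server blacklisted"
    if rbl_listed(mail.server_ip):
        return "block", "server listed in " + RBL_ZONE
    for field_name, patterns in KEYWORD_RULES.items():
        text = getattr(mail, field_name)
        for pattern in patterns:
            if pattern.search(text):
                return "block", f"{field_name} matched /{pattern.pattern}/"
    return "permit", "no rule matched"


if __name__ == "__main__":
    samples = [
        Mail("198.51.100.25", "ops@partner.example", "YOU HAVE WON", "invoice attached"),
        Mail("203.0.113.89", "news@shop.example", "weekly deals", "..."),
        Mail("192.0.2.10", "ceo@corp.example", "meeting", "see you at 10"),
    ]
    for m in samples:
        print(m.server_ip, m.subject, "->", filter_mail(m))
```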
The USG6000 integrates the storage and management solution for user information, user
authentication, permission management, and traffic management as follows:
1. Storage and management of user information, such as user names and passwords
You can create users and user groups on the USG6000. A maximum of three organization levels is supported.
You can manage users and user groups on a third-party authentication server and synchronize or import the data from the server to the USG6000. The supported authentication servers are AD, RADIUS, LDAP, HWTACACS, SecurID, and TSM.
2. User authentication
Supports local authentication. You can create and manage users on the device. Then
the USG6000 pushes the authentication page to browsers to authenticate users.
Supports authentication through a proxy. You can create and manage users on a third-party authentication server. In this case, the USG6000 serves as an agent that forwards authentication requests to the server and obtains the authentication results from it. You can configure policies for the users only after you import them from the authentication server to the USG6000.
Supports the real-time synchronization from the AD server. The USG6000 can obtain
the authentication result from the AD server after the server authenticates the user. No
further authentication is required.
Supports the re-authentication of users that access the network through VPN tunnels
according to their access modes.
3. Permission control and traffic management
You can create or import the following policies:
Security policy: controls network access permissions and provides content security.
Bandwidth policy: controls the used bandwidth and number of connections and
adjusts the traffic forwarding priorities of specific users.
Policy-based routing: specifies the outgoing interface of user traffic.
Audit policy: audits user online behaviors.
Packet Filtering
Packet filtering is one of the basic security functions of a firewall. It can permit or deny
packets based on certain conditions. You can add the user and application fields to the packet
filtering condition of the USG6000. This enables the administrator to perform rapid packet
filtering based on the sender of the traffic and the actual application.
The USG6000 integrates packet filtering and content security into security policy configuration. You can perform unified configuration and management based on the configured policies, which reduces administrative effort and improves network management efficiency.
NAT
NAT changes the IP addresses of packets. In this way, NAT hides the intranet topology and conserves public IPv4 addresses.
The NAT functions available on the USG6000 are as follows:
Source NAT
Address translation facilitates mutual access between the intranet (private IP addresses) and the extranet (public IP addresses). Through NAT, the device translates private IP addresses into public IP addresses, slowing the exhaustion of public IP addresses. The USG6000 can implement the translation in any of the following ways:
One-to-one translation: automatically assigns a public IP address to each of the hosts on the intranet.
Many-to-one translation: allows multiple hosts to share the same public IP address using different ports. This translation is also termed Port Address Translation (PAT).
Easy IP translation: allows multiple hosts to share the public IP address of the network egress using different ports.
Server mapping
Although NAT hides the intranet topology and shields the hosts on the intranet, certain hosts may need to serve as web or FTP servers and provide services for extranet users. Through NAT, you can flexibly publish such intranet servers to extranet users.
When extranet users access intranet servers, the device performs operations as follows:
The device translates the destination IP address of the request packet to the private IP
address of the intranet server.
Then the device translates the source IP address of the response packet to the
assigned public IP address.
NAT ALG
Certain multi-channel protocols use the control channel between the client and server to negotiate the IP addresses and ports of their data channels dynamically during transmission. Because these addresses and ports are assigned arbitrarily, no NAT policy can be configured for them in advance. In this case, the USG6000 must identify the packets that carry the negotiation and apply the corresponding translation to the negotiated channels. This function is termed NAT ALG.
The USG6000 has advanced application identification capability. The integrated NAT ALG enables the USG6000 to identify the packets of common multi-channel protocols, such as FTP, H.323, and PPTP.
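The many-to-one (PAT) source translation and the server mapping described above, modelled as one stateful translation table over constructed five-tuples; this is an added illustration, not Huawei's implementation, and the port allocation policy is an assumption. The same table covers Easy IP, since that is PAT with the egress interface address as the public address.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Five-tuple summary of one packet (constructed, not a real parser)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    """Many-to-one source NAT (PAT) plus server mapping on one public address."""

    def __init__(self, public_ip: str, port_range=(1024, 65535), server_maps=None):
        self.public_ip = public_ip
        self.next_port, self.port_max = port_range
        # Outbound sessions: (proto, priv_ip, priv_port, peer_ip, peer_port) -> public port
        self.out: dict[tuple, int] = {}
        # Reverse table for replies: (proto, public_port, peer_ip, peer_port) -> (priv_ip, priv_port)
        self.back: dict[tuple, tuple] = {}
        # Server mapping: (proto, public_port) -> (private server ip, private port)
        self.server_maps = server_maps or {}

    def _alloc_port(self) -> int:
        """Hand out the next unused public port (a real device recycles ports on session timeout)."""
        if self.next_port > self.port_max:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def _add_session(self, proto, priv_ip, priv_port, peer_ip, peer_port, public_port):
        self.out[(proto, priv_ip, priv_port, peer_ip, peer_port)] = public_port
        self.back[(proto, public_port, peer_ip, peer_port)] = (priv_ip, priv_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an intranet-to-extranet packet, creating a PAT session if new.

        Replies from a mapped server reuse the server's public port because
        inbound() registered that session; ordinary hosts get a fresh PAT port.
        """
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.out.get(key)
        if public_port is None:
            public_port = self._alloc_port()
            self._add_session(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport, public_port)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an extranet-to-intranet packet.

        Returns None (drop) when the packet matches neither an existing
        session nor a server mapping: unsolicited packets never reach a
        private address, which is what keeps the intranet topology hidden.
        """
        if pkt.dst != self.public_ip:
            return None
        session = self.back.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if session is None:
            mapped = self.server_maps.get((pkt.proto, pkt.dport))
            if mapped is None:
                return None
            priv_ip, priv_port = mapped
            self._add_session(pkt.proto, priv_ip, priv_port, pkt.src, pkt.sport, pkt.dport)
            session = mapped
        return Packet(pkt.src, pkt.sport, session[0], session[1], pkt.proto)


if __name__ == "__main__":
    nat = Nat("203.0.113.1", server_maps={("tcp", 80): ("10.0.0.80", 8080)})
    print(nat.outbound(Packet("10.0.0.5", 40000, "198.51.100.9", 443)))   # PAT: port 1024
    print(nat.inbound(Packet("198.51.100.9", 443, "203.0.113.1", 1024)))  # reply back to 10.0.0.5
    print(nat.inbound(Packet("192.0.2.7", 51000, "203.0.113.1", 80)))     # server mapping
    print(nat.outbound(Packet("10.0.0.80", 8080, "192.0.2.7", 51000)))    # server reply keeps port 80
```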
Attack Defense
Defense against DDoS attacks
The USG6000 can detect DDoS attacks, prevent them by discarding the attack packets or taking other actions, and log the attack events. Currently, the USG6000 can prevent the following DDoS attacks:
Non-application-layer DDoS attacks: SYN flood, UDP flood, ICMP flood, and ARP
flood
Application layer DDoS attacks: HTTP flood, HTTPS flood, DNS flood, and SIP
flood
Scan attack defense
By scanning and sniffing, an attacker can roughly learn which services the target system provides and which vulnerabilities it may have, in preparation for further intrusion. The USG6000 detects such scanning and sniffing packets through comparison and analysis, preventing the subsequent attacks.
Malformed packet attack defense
The USG6000 prevents attacks through various malformed packets by checking their validity. Attacks of this type exploit defects in how software systems handle packets and use abnormal packets, such as runt and giant packets, special packets, and packets in abnormal formats, to crash intranet hosts or degrade their performance. Common malformed packet attacks include IP spoofing, IP fragment attacks, teardrop, smurf, ping of death, fraggle, WinNuke, Land, packets with illegitimate flag bits, and ARP spoofing.
Special packet attack defense
The USG6000 can defend against attacks that use giant ICMP packets, ICMP unreachable messages, ICMP redirects, tracert probing of the network structure, IP packets with the source route option, IP packets with the record route option, and IP packets with the timestamp option, to ensure access validity.
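Validity checks of the kind the malformed packet defense above describes, written as an added detection example (not the device's engine) over constructed packet summaries: Land, smurf, fraggle, illegitimate TCP flag combinations, runt packets, and the two fragment attacks, ping of death and teardrop, which need per-datagram state.

```python
from dataclasses import dataclass
from typing import Optional

IPV4_HEADER = 20
IPV4_MAX_LEN = 65535


@dataclass
class Pkt:
    """Constructed per-packet summary (what a decoder would hand the checker)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    length: int                     # IP total length of this packet or fragment
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}
    icmp_type: Optional[int] = None
    frag_id: int = 0
    frag_offset: int = 0            # in 8-byte units, as carried in the IP header
    more_frags: bool = False


class MalformedPacketDetector:
    """Stateless header checks plus per-datagram fragment tracking."""

    def __init__(self, broadcast_addrs):
        self.broadcast = set(broadcast_addrs)   # directed-broadcast addresses of protected subnets
        # (src, dst, frag_id) -> list of (start, end) payload byte ranges already seen
        self.frags: dict[tuple, list] = {}

    def check(self, p: Pkt) -> list[str]:
        """Return every malformed-packet pattern p matches (empty list = valid)."""
        hits = []
        if p.length < IPV4_HEADER:
            hits.append("runt: shorter than an IPv4 header")
        if p.src == p.dst:
            hits.append("land: source address equals destination address")
        if p.proto == "icmp" and p.icmp_type == 8 and p.dst in self.broadcast:
            hits.append("smurf: ICMP echo request to a broadcast address")
        if p.proto == "udp" and p.dport in (7, 19) and p.dst in self.broadcast:
            hits.append("fraggle: UDP echo/chargen to a broadcast address")
        if p.proto == "tcp":
            hits.extend(self._check_flags(p.flags))
        if p.frag_offset or p.more_frags:
            hits.extend(self._check_fragment(p))
        return hits

    @staticmethod
    def _check_flags(flags) -> list[str]:
        """Flag combinations that never occur in a legitimate TCP exchange."""
        if not flags:
            return ["illegitimate flags: no flags set (null packet)"]
        if {"SYN", "FIN"} <= flags:
            return ["illegitimate flags: SYN and FIN set together"]
        if {"SYN", "RST"} <= flags:
            return ["illegitimate flags: SYN and RST set together"]
        if "FIN" in flags and "ACK" not in flags:
            return ["illegitimate flags: FIN without ACK"]
        return []

    def _check_fragment(self, p: Pkt) -> list[str]:
        """Ping of death: reassembled size over 65535. Teardrop: overlapping offsets."""
        hits = []
        start = p.frag_offset * 8
        end = start + (p.length - IPV4_HEADER)     # payload bytes this fragment carries
        if end > IPV4_MAX_LEN:
            hits.append("ping of death: reassembled datagram exceeds 65535 bytes")
        seen = self.frags.setdefault((p.src, p.dst, p.frag_id), [])
        if any(start < e and s < end for s, e in seen):
            hits.append("teardrop: fragment overlaps an earlier fragment")
        seen.append((start, end))
        if not p.more_frags:
            self.frags.pop((p.src, p.dst, p.frag_id), None)   # datagram complete, free state
        return hits


if __name__ == "__main__":
    det = MalformedPacketDetector({"192.0.2.255"})
    for pkt in [
        Pkt("192.0.2.10", "192.0.2.10", "tcp", 60, sport=139, dport=139, flags=frozenset({"SYN"})),
        Pkt("192.0.2.10", "192.0.2.255", "icmp", 84, icmp_type=8),
        Pkt("192.0.2.10", "198.51.100.1", "icmp", 120, icmp_type=8, frag_id=7, frag_offset=8183),
    ]:
        print(pkt.src, "->", pkt.dst, det.check(pkt))
```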
Switching Protocols
The USG6000 supports the following protocols.
Protocol Description
ARP Address Resolution Protocol (ARP) is a mechanism to map an IP
address to the corresponding MAC address.
Each host or router on the intranet has a 32-bit IP address for its
communication with other devices. The IP address is independent from
the MAC address of the host.
On Ethernet, the host or router sends and receives Ethernet frames using
a 48-bit MAC address. The MAC address is also called a physical or
hardware address. The address is burned into the NIC during device
manufacturing. Therefore, a mechanism for address resolution is
required to map these two types of addresses.
VLAN Users can create VLANs on the USG6000 as required to implement the following functions:
Controlling the range of the broadcast domain: Restricting the
broadcast packets of the Local Area Network (LAN) within a VLAN
reduces bandwidth consumption and improves network processing
capability.
Enhancing intranet security: Because packets are isolated by the
broadcast domains at the data link layer, hosts of each VLAN cannot
directly communicate with each other, which ensures intranet
security.
Flexibly creating virtual workgroup: You can use VLAN to create
virtual workgroups across physical networks.
The communication within a VLAN is not controlled by the access
control policy.
The communication across VLANs is controlled by the access
control policy.
PPP/PPPoE Point-to-Point Protocol (PPP): a link-layer protocol that carries network-layer packets over point-to-point links. It supports user authentication and both synchronous and asynchronous transmission.
PPP defines a set of protocols as follows:
Link Control Protocol (LCP): used to establish, tear down, and monitor data links.
Network Control Protocol (NCP): used to negotiate the format and type of data packets transmitted on data links.
Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP): used to authenticate peers for network security.
Point-to-Point Protocol over Ethernet (PPPoE) uses the Ethernet to form
a network of a large number of hosts and connects the network to the
Internet through a remote access device.
After the configuration of PPPoE, a PPP session with the remote device
can be created to implement access control and accounting.
The USG6000 serves as a PPPoE server, to which various PPPoE clients
connect in the Ethernet environment.
The USG6000 can be used as a PPPoE client to perform the dialing
function.
Static Route
The USG6000 supports static routes.
Static routes are sufficient for simple and small networks. The proper configuration and
application of static routes improve network performance and ensure bandwidths for
important applications.
However, when a fault occurs or the network topology is changed, the static route cannot
automatically change. Therefore, the administrator must manually change the routes.
Dynamic Route
Protocol Description
RIP The USG6000 supports the configuration of Routing Information
Protocol (RIP) to guide packet forwarding.
RIP is a simple internal gateway protocol based on the distance vector
algorithm. It uses UDP port 520.
RIP uses the hop count to measure the distance to a destination IP
address. In RIP, the hop count between the router and its directly
connected network is 0. The hop count between the router and the
network that can be reached through one router is 1. The hop count
increases by one if a router is added. To restrict the convergence time,
RIP regulates that the distance should be within the range of 0 to 15.
Hop counts of 16 or more are defined as infinity. In such cases, the
destination network or host is unreachable. Because of this restriction,
you cannot apply RIP to large-scale networks.
RIP supports the configuration of the transmission interval and
maximum number of packets to improve network performance. In
addition, RIP also supports Split Horizon and Poison Reverse to avoid
routing loops.
OSPF Open Shortest Path First (OSPF) is an interior gateway protocol based on link state, developed by the Internet Engineering Task Force (IETF).
The features of OSPF are as follows:
Wide application scope: supports networks of various scales with
hundreds of routers.
Fast convergence: sends updated packets immediately after the
network topology changes and synchronizes the updated network
topology in the autonomous system.
Loop free: calculates routes with the shortest path tree according to
the link states collected to avoid routing loops.
Area division: allows the division on the network of the autonomous
system. Routing information among divided areas is further
abstracted, which reduces the bandwidth usage.
Equal Cost Multiple Path (ECMP): supports equivalence of multiple
routes to the same destination IP address.
Routing hierarchy: routes fall into intra-domain routing, inter-domain routing, level 1 external routing, and level 2 external routing.
Authentication: supports interface-based packet authentication, which ensures the security of packet transmission.
Multicast sending: sends protocol packets with multicast IP
addresses on certain types of links to reduce bandwidth waste.
OSPF applies to medium and large networks.
BGP Border Gateway Protocol (BGP) is a protocol for dynamic route discovery between autonomous systems. It exchanges loop-free routing information (reachability information carrying the AS attribute) between autonomous systems to build the topology of the autonomous systems, eliminate routing loops, and implement user-defined routing policies.
Unlike Interior Gateway Protocols (IGPs) such as OSPF and RIP, which take effect within an autonomous system, BGP is an Exterior Gateway Protocol (EGP) and can be used between ISPs.
BGP focuses on controlling route distribution and selecting optimal routes rather than discovering and computing routes.
IS-IS Intermediate system to intermediate system (IS-IS) is a dynamic routing
protocol defined by the International Organization for Standardization
(ISO) for its Connectionless Network Protocol (CLNP).
To support IP routing, the IETF extends and modifies IS-IS in
RFC1195, ensuring that IS-IS can be applied to the TCP/IP and OSI
environments. The extended protocol is named as Integrated IS-IS or
Dual IS-IS.
IS-IS is a member of IGP and is usually used within an autonomous
system. It is a link-state routing protocol that computes routes using the
Shortest Path First (SPF) algorithm and is most similar to OSPF.
Routing Policy
Routing policy is a technology for modifying routing information to change the path that network traffic takes. Routing policy changes routing attributes (including reachability).
When advertising or receiving routing information, the USG6000 implements some policies
to filter routing information. For example, the USG6000 receives or advertises only routing
information that meets the specified conditions. In addition, a routing protocol may require
the import of the routing information discovered by other routing protocols. The imported
routing information must meet certain conditions and certain attributes of the imported
routing information must be configured. In this way, the routing information meets the
requirements of this protocol.
The USG6000 provides seven filters as follows for routing protocols to reference:
Access control list (ACL)
Address prefix list
AS path filter
Community filter
Extended community list
RD attribute list
Route-Policy
Multicast
Multicast offers point-to-multipoint delivery with minimum bandwidth consumption. IP
multicast is suitable for real-time services such as online live broadcast, network TV, remote
education, remote medical care, network TV station, and real-time video and audio
conference.
Smart DNS
When an enterprise network has DNS servers, the USG6000 intelligently replies to DNS requests from different ISPs, so that the address a user obtains is in the same ISP network as the user. The user then initiates a request to this address to access the web server that the enterprise provides for that ISP. Because the access does not traverse other ISP networks, the access latency is minimal and the service experience is optimal.
As shown by the red curve in Figure 4-4, before ISP1 users access the enterprise website www.example.net, the DNS server on the enterprise network must resolve its IP address. With smart DNS, the USG6000 returns 1.1.1.10 to ISP1 users. Similarly, the USG6000 returns 2.2.2.10 to ISP2 users.
Policy-Based Routing
With PBR, routes are selected based on user-defined policies, not the routing table. PBR
determines packet forwarding based on more attributes, such as the application, service, user,
inbound interface, source security zone, source and destination IP addresses, and time range.
As shown by the green and orange curves in Figure 4-4, PBR selects routes based on the specific application and service, so that P2P traffic is forwarded over the ISP1 link, while email and database service traffic is forwarded over the ISP2 link.
The USG6000 supports PBR with a single outbound interface or multiple outbound interfaces.
For PBR with multiple outbound interfaces, intelligent uplink selection can be performed
based on link bandwidths, weights, qualities, or priorities.
Load balancing by link bandwidth: The NGFW forwards traffic to each link based on the
link bandwidth ratio. This mode maximizes the link bandwidth efficiency.
Load balancing by link weight: The NGFW forwards traffic to each link based on the
link weight ratio. This mode controls the ratio of traffic to be forwarded to each link and
uses specific links to forward more traffic, which maximizes the efficiency of all link
resources and enterprise interests and improves user experience.
Active/Standby backup by link priority: The NGFW preferentially uses the link with the highest priority to transmit traffic and uses all other links as backup or load balancing links. This mode preferentially uses a specific link to forward traffic, improving forwarding availability and user experience.
Load balancing by link quality: The NGFW tunes traffic distribution dynamically based
on real-time traffic transmission quality. You can use packet loss ratio, delay, and/or jitter
to evaluate the traffic transmission quality of a link to select the link with the best quality
for traffic forwarding.
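The four uplink selection modes above, as an added illustration with constructed links (not Huawei's algorithm): the two ratio modes are implemented as weighted round-robin on a bytes-per-share counter, priority mode falls back to the next link only when the preferred one is down, and the quality score that combines loss, delay and jitter is an assumed weighting.

```python
from dataclasses import dataclass


@dataclass
class Link:
    """One outbound link with the attributes the selection modes use (constructed)."""
    name: str
    bandwidth_mbps: float
    weight: int = 1
    priority: int = 1        # larger value = preferred; the direction is an assumption
    up: bool = True
    loss_pct: float = 0.0
    delay_ms: float = 0.0
    jitter_ms: float = 0.0
    sent_bytes: int = 0      # running counter the ratio modes balance against


def _usable(links):
    up = [l for l in links if l.up]
    if not up:
        raise RuntimeError("no outbound link is up")
    return up


def _least_loaded(links, share):
    """Weighted round-robin: choose the link with the lowest bytes-per-share,
    so the long-run byte split converges to the share ratio."""
    candidates = [l for l in _usable(links) if share(l) > 0]
    if not candidates:
        raise RuntimeError("no link has a positive share")
    return min(candidates, key=lambda l: l.sent_bytes / share(l))


def quality_score(link: Link) -> float:
    """Lower is better. The weights are an assumption for illustration;
    loss is penalised hardest because it hurts most applications most."""
    return 10.0 * link.loss_pct + link.delay_ms + 2.0 * link.jitter_ms


def select_link(links, mode: str, pkt_bytes: int = 0) -> Link:
    """Pick the outbound link for one packet under the given mode and charge
    the packet's size to it."""
    if mode == "bandwidth":
        chosen = _least_loaded(links, lambda l: l.bandwidth_mbps)
    elif mode == "weight":
        chosen = _least_loaded(links, lambda l: l.weight)
    elif mode == "priority":
        # Active/standby: the highest-priority link that is up carries everything.
        chosen = max(_usable(links), key=lambda l: l.priority)
    elif mode == "quality":
        chosen = min(_usable(links), key=quality_score)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    chosen.sent_bytes += pkt_bytes
    return chosen


def distribute(links, mode: str, sizes) -> dict:
    """Forward a sequence of packet sizes and report bytes carried per link."""
    for size in sizes:
        select_link(links, mode, size)
    return {l.name: l.sent_bytes for l in links}


if __name__ == "__main__":
    isp = [Link("ISP1", 100, weight=3, priority=2, loss_pct=5, delay_ms=40, jitter_ms=5),
           Link("ISP2", 50, weight=1, priority=1, loss_pct=0, delay_ms=60, jitter_ms=3)]
    print(distribute(isp, "bandwidth", [1500] * 300))      # about 2:1 by bandwidth
    print(select_link(isp, "priority").name, select_link(isp, "quality").name)
```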
Technology Description
IPv6 address Supports both IPv4 and IPv6 protocol stacks, resolves IPv6 packet
headers, and forwards the packets based on the IPv6 addresses.
Supports both manual and automatic configuration of IPv6 addresses
and IPv6 neighbor discovery.
Supports related technologies such as ICMPv6, DNSv6, DHCPv6, and
PPPoEv6.
IPv6 routing Supports IPv6 static routing, policy-based routing (PBR), and routing
policies for adjusting routing tables flexibly.
Supports RIP next generation (RIPng).
RIP next generation (RIPng) is an extended and modified version of RIP-2, the IPv4 version, for applying RIP on IPv6 networks. Most RIP concepts also apply to RIPng.
RIPng uses UDP port 521 to exchange routing information. The
RIPng protocol uses the hop count to measure the distance (the
metric value or cost) to a destination host.
Supports OSPFv3.
OSPFv3, short for OSPF version 3, supports IPv6 and complies with
RFC2740 (OSPF for IPv6). Most OSPF concepts also apply to
OSPFv3.
OSPFv3 and OSPFv2 are similar in the following aspects:
32-bit Router ID, Area ID, and LSA Link State ID
Same types of packets: Hello packets, DD packets, LSR packets, LSU packets, and LSAck packets
Same neighbor discovery mechanism and adjacency mechanism
Same LSA flooding and aging mechanisms
Basically the same LSA types
OSPFv3 is different from OSPFv2 in the following respects:
OSPFv3 runs based on links whereas OSPFv2 runs based on
networks.
OSPFv3 can run multiple instances on one link.
The topology of OSPFv3 does not relate to the prefix of IPv6
addresses.
OSPFv3 uses the link-local address of IPv6 to identify adjacent
neighbors.
Three different types of LSA flooding scopes are added to
OSPFv3.
Supports BGP4+.
BGP4+, developed on the basis of BGP, is a dynamic routing
protocol applied between Autonomous Systems (ASs).
Traditional BGP4 manages only IPv4 routing information, so other network-layer protocols (such as IPv6) are restricted to a certain extent when routing information spreads across ASs.
To support multiple network-layer protocols, the IETF extended BGP4 to form BGP4+. The current standard for BGP4+ is RFC2858 (Multiprotocol Extensions for BGP-4). The Next-Hop attribute in BGP4+ is expressed as an IPv6 address, which can be either an IPv6 global unicast address or a link-local next-hop address.
BGP4+ inherits the original message mechanism and routing
mechanism of BGP.
Supports IS-IS IPv6.
draft-ietf-isis-ipv6-05.txt of IETF defines the content for IS-IS to
support IPv6, including the two Type-Length-Values (TLVs)
supporting IPv6 routing information and one Network Layer
Protocol Identifier (NLPID).
IPv6 over IPv4 tunnel: Enables two IPv6 islands isolated by IPv4 networks to communicate. In the early phase of IPv6, IPv6 networks are isolated by IPv4 networks and must communicate across IPv4 networks. Therefore, IPv6 over IPv4 tunnels are established between border devices on the IPv4 and IPv6 networks to transmit IPv6 packets over IPv4 networks.
IPv4 over IPv6 tunnel: Enables two IPv4 islands isolated by IPv6 networks to communicate. In the later phase of IPv6, IPv6 networks become dominant and IPv4 networks are isolated by IPv6 networks. Therefore, IPv4 over IPv6 tunnels must be established between border devices on the IPv4 and IPv6 networks to transmit IPv4 packets over IPv6 networks.
NAT64 Enables mutual translation between IPv4 and IPv6 addresses for IPv4
and IPv6 hosts to communicate on the coexisting IPv4 and IPv6
networks. For example, the source and destination IP addresses of a
packet from an IPv6 host to an IPv4 host are translated to specified IPv4
addresses. Then the packet can be transmitted on the IPv4 network. The
source and destination IP addresses of the reply packet from the IPv4
host are translated to the specified IPv6 addresses. Then the IPv6 host
can receive the packet to complete the communication.
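The NAT64 exchange described above, worked through as an added example (not Huawei code): the translator keeps a binding from each IPv6 source to an IPv4 pool address and uses it to restore the reply. It assumes the IPv4 host is addressed under the RFC 6052 well-known prefix 64:ff9b::/96; the pool and host addresses are constructed values.

```python
"""Stateful NAT64 address translation (added example, not the USG6000 implementation).

Outbound: IPv6 source -> IPv4 pool address, IPv4-embedded IPv6 destination -> IPv4.
Inbound:  the binding created on the way out is used to rebuild the IPv6 addresses.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: RFC 6052 well-known prefix; a deployment may use its own /96 instead.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Nat64:
    def __init__(self, pool):
        # pool: constructed list of IPv4 addresses the translator may hand out
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.v6_to_v4 = {}   # IPv6 source -> assigned IPv4 pool address
        self.v4_to_v6 = {}   # reverse binding consulted for replies

    @staticmethod
    def embed(v4):
        """IPv6 representation of an IPv4 host: prefix bits + 32-bit IPv4 address."""
        return ipaddress.IPv6Address(
            int(NAT64_PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))

    @staticmethod
    def extract(v6):
        """Recover the IPv4 address embedded in a prefix-based IPv6 destination."""
        addr = ipaddress.IPv6Address(v6)
        if addr not in NAT64_PREFIX:
            raise ValueError(f"{addr} is not a NAT64-translatable destination")
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

    def outbound(self, pkt):
        """Translate an IPv6-host -> IPv4-host packet; creates a binding on first use."""
        src6 = ipaddress.IPv6Address(pkt.src)
        dst4 = self.extract(pkt.dst)
        if src6 not in self.v6_to_v4:
            if not self.free:
                raise RuntimeError("NAT64 pool exhausted")
            v4 = self.free.pop(0)
            self.v6_to_v4[src6] = v4
            self.v4_to_v6[v4] = src6
        return Packet(str(self.v6_to_v4[src6]), str(dst4))

    def inbound(self, pkt):
        """Translate the IPv4 reply back; None means no binding, so the packet is dropped."""
        src6 = self.v4_to_v6.get(ipaddress.IPv4Address(pkt.dst))
        if src6 is None:
            return None   # unsolicited IPv4 traffic never reaches the IPv6 side
        return Packet(str(self.embed(pkt.src)), str(src6))
```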
In addition to technologies for constructing IPv6 networks, the USG6000 supports functions
for securing IPv6 networks. The USG6000 supports security policies based on IPv6 addresses
to secure the IPv6 network, and implements packet filtering and content security checks on
packets based on IPv6 addresses. The implemented functions and protection effects are the
same as those for IPv4 networks.
L2TP
The USG6000 establishes a virtual private dial network (VPDN) using the Layer 2 Tunneling
Protocol (L2TP) and implements the virtual private network using the dial-up functions of
public networks, such as the integrated services digital network (ISDN) and public switched
telephone network (PSTN) to provide access services for enterprises, small Internet service
providers (ISPs), and mobile workers.
NAS-Initialized
A remote dial-up user initiates a request to communicate with the headquarters. The
remote dial-up user dials in to the L2TP access concentrator (LAC) using PSTN or ISDN,
and then the LAC initiates a request to establish a tunnel with the L2TP network server
(LNS) over the Internet. The LNS assigns an IP address to the dial-up user. The
authentication and accounting can be performed by the agent on the LAC or by the LNS.
Figure 4-5 shows the typical deployment.
Client-Initialized
An LAC client (a PC that supports L2TP) initiates communication with the headquarters.
In such cases, the LAC client directly initiates a request to establish a tunnel with the
LNS, without requiring an independent LAC. The LNS assigns an IP address to the LAC
client. Figure 4-6 shows the typical deployment.
LAC-Initiated
The user can run a command to establish a permanent L2TP connection between the
LAC and the LNS. The LAC establishes a permanent L2TP tunnel with the LNS through
the virtual template interface using a local user name. In these cases, the L2TP tunnel
resembles a physical connection, and the outgoing interface is the virtual template
interface. The connection between the user and the LAC can be any IP connection, so
that the LAC can forward the IP packets of the user to the LNS. Figure 4-7 shows the
typical deployment.
IPSec
The IP Security (IPSec) protocol suite, consisting of a series of protocols defined by the
Internet Engineering Task Force (IETF), provides a high-quality, interoperable,
cryptography-based security protection mechanism for IP packets. Security measures such as
encryption and source authentication ensure the confidentiality, integrity, and authenticity of
packets transmitted over the network and prevent replay attacks.
Through Authentication Header (AH) and Encapsulating Security Payload (ESP), the
USG6000 protects IP data packets or upper-layer protocols, and supports both transport
mode and tunnel mode.
The USG6000 also supports IPSec tunnel negotiation using IKEv2. IKEv2 retains the basic
functions of IKEv1 and resolves problems found during research on IKE. IKEv2 is a
trade-off between conciseness, efficiency, security, and robustness. The RFC documents about
IKE are consolidated in RFC 4306. By minimizing the core functions and the default
cryptographic algorithms, IKEv2 greatly improves interoperability among different IPSec VPN systems.
Using IPSec, the USG6000 provides secure transmission tunnels of high reliability for users
and can also combine IPSec with L2TP and GRE to construct L2TP over IPSec VPN and
GRE over IPSec VPN.
GRE
The USG6000 can encapsulate certain network layer protocol packets using the Generic
Routing Encapsulation (GRE) protocol. In this manner, encapsulated packets are transmitted
using another network-layer protocol.
GRE, as a Layer-3 tunneling protocol, uses the tunneling technology between protocol layers.
A tunnel is a virtual point-to-point connection. Actually, the tunnel interface can be regarded
as a virtual interface that supports only point-to-point connections, and provides a tunnel
through which encapsulated packets are transmitted. GRE encapsulates or decapsulates
packets at both ends of the tunnel.
DSVPN
Dynamic Smart Virtual Private Network (DSVPN) provides a solution to the preceding
problem. It enables branches whose public IP addresses change dynamically to establish
VPN tunnels for communication in Hub-Spoke networking.
Figure 4-8 shows a DSVPN network. On this network, when the source Spoke (tunnel
initiator) needs to send traffic to a destination Spoke (tunnel responder), the source Spoke
uses NHRP to obtain the public IP address of the destination Spoke and then establishes a
dynamic MGRE tunnel with it. After the tunnel is established, the Spokes forward traffic
to each other directly over the new MGRE tunnel. Because MGRE tunnels are established
between network nodes, you only need to configure one tunnel interface (P2MP tunnel
interface) on each VPN gateway to establish tunnels between all the VPN gateways.
SSL VPN
Virtual gateway
On the USG6000, the channel established by the SSL VPN is a virtual gateway. The
USG6000 uses the virtual gateway to provide SSL VPN services. Using the virtual
gateway technology, the USG6000, as one physical entity, functions as multiple logically
standalone gateways to serve multiple enterprises or multiple departments of one
enterprise.
For example, a large enterprise has several departments, and each of them has their own
employees. Resources and services accessible to these departments are different. Each
department has its own access control rules. In these cases, the administrator can assign
one virtual gateway to each department. Then each virtual gateway is under individual
management and has independent users, resources, and policies, functioning as a
standalone access system. For each department, the virtual gateway is as efficient and
secure as a standalone physical gateway.
The virtual gateways are classified by IP address and domain name into exclusive and
shared ones. An exclusive virtual gateway occupies one or multiple IP addresses and
domain names. A shared virtual gateway, however, shares one IP address with other
virtual gateways. These shared virtual gateways have the same parent domain name. You
can distinguish them by their sub-domain names.
Web proxy
A web proxy relays the communication between clients on the Internet and the web
server on the intranet to shield the server from attacks.
The web proxy function of the USG6000 enables users to securely access intranet web
resources, including the webmail and web servers. The web proxy forwards the access
request (using HTTPS) from a remote browser to the web server on the intranet, and then
relays the replies of the server to the terminal user.
Users can access web resources after installing the related control on the Web page of the
virtual gateway client of the USG6000.
Network extension
The network extension function enables access to all IP-based services on the intranet by
setting up secure socket layer (SSL) tunnels. Users can access intranet resources
remotely just like accessing a LAN. The network extension function applies to a wide
range of complex services.
To use the network extension function, users must log in to the client of the USG6000
and install the ActiveX control or download and install a network extension client
software.
The network extension function supports three access modes:
Full tunnel
Users connect only to the USG6000 and can access only the intranet.
Split tunnel
Users can remotely access the intranet through the USG6000 and access the local
subnets.
Manual tunnel
Users can access the specific resources on the intranet, the local subnet, and the
resources on the Internet.
Hardware Availability
Hardware availability means that the hardware is designed to keep devices running stably
and to prevent hardware anomalies from adversely affecting the devices.
Technology Description
Dual-power backup: The USG6000 provides two power modules that supply power at the same time. If one power module fails, the other takes over to ensure service continuity.
Hardware bypass: When the device is faulty or powered off, the interfaces are directly connected to each other through a dedicated bypass interface card to ensure service continuity.
Fan: The fan prevents overheating caused by ventilation issues and dust buildup. Clean the fan periodically to ensure proper operation of the USG6000. You do not need to power off the USG6000 to clean the fan.
Software Availability
Software availability means that good software design, timely fault detection, and
automatic adjustment are implemented to prevent network anomalies from adversely
affecting devices and to ensure service continuity upon hardware failures.
Technology Description
Dual-system hot backup: Two USG6000s are deployed in dual-system hot backup networking to ensure a smooth service switchover to the other device when a fault occurs on one device. Apart from hardware backup, dual-system hot backup employs a series of software availability protocols, such as VRRP, VGMP, and HRP. Two physical USG6000s form one logical device on the dual-system hot backup network. The logical device detects faults, switches services, and backs up configurations automatically without affecting the configurations of upstream and downstream devices. The active and standby USG6000s switch services upon faults to ensure service continuity.
Load balancing: When one server cannot process all user access requests, multiple servers are used to share the network traffic. In such cases, deploy the USG6000 at the egress of the network where the servers reside. Users access only one IP address, and the USG6000 distributes access traffic to the multiple servers according to the configured algorithm. In addition, the USG6000 checks the health of the servers and enables them to share the load to improve availability.
Link Availability
Link availability means that a device can detect a fault on one link and adjust routing and
forwarding accordingly to switch traffic to alternative links.
Technology Description
IP-Link: The device tests IP connectivity to any IP address on the network in real time. If an IP address becomes unreachable, the device considers the link faulty and adjusts the routes or switches the active/standby device to move service traffic to the healthy backup link.
BFD: Bidirectional Forwarding Detection (BFD) is a low-overhead, rapid fault detection mechanism that implements millisecond-level link fault detection. Bidirectional detection and small detection packets enable BFD to detect faults rapidly without consuming many network resources.
Link-group: Link-group binds several physical interfaces into a logical group. If one interface in the group is faulty, the system changes the status of the other interfaces to Down. The system changes all the interfaces back to Up only after every interface in the link group has recovered. In this way, the system switches the status of multiple links in a unified manner so that service traffic is forwarded to the healthy link in a timely manner.
Interface backup: Two physical interfaces back up each other. The backup interface automatically forwards traffic based on the connection status of the active interface and bandwidth usage, achieving interface backup or load balancing.
Tab Description
Dashboard: Enables administrators to view the device operating status, including the system information, connection status, traffic load, traffic statistics, and the latest logs and threat events. In addition, administrators can click the shortcut links to modify common configurations.
Monitor: Enables administrators to view and process all logs on the device and generate diversified reports for analyzing the network condition and device operating condition. In addition, administrators can monitor entries about system operation and quickly adjust the system as needed. For example, when a fault occurs, the administrator can locate the fault through the fault diagnosis wizard and troubleshoot network or configuration faults to restore the device. For details on logs and session tables, see section 4.13 Diversified Logs and Reports.
Policy: Enables administrators to configure the security and traffic management functions to secure traffic from all dimensions, such as the network layer and application layer, and implement centralized bandwidth management.
Object: Enables administrators to create a series of reference objects, such as the content security file, IP address, service, application, and schedule. Administrators can reference these objects repeatedly in the content security profile to simplify the configuration of each function.
Network: Enables administrators to configure and maintain the basic network of the device, such as configuring DHCP, routing protocols, security zones, and VPNs to ensure proper communication.
System: Enables administrators to configure and maintain the basic system parameters, such as the system time, administrator, license, software version, and upgrade of the signature database.
Besides using the Web UI, you can also enable the USG6000 to communicate with a standard
network management system (NMS) through SNMP for implementing centralized
management.
Log Description
Traffic log: Records the overall traffic condition on the network by user or application, bandwidth usage, and security policies that have taken effect.
Threat log: Records the detection of and defense against threats, such as viruses, intrusions, DDoS attacks, zombies, Trojan horses, and worms, and the threat events that occurred or are occurring, so that policies can be adjusted or threats defended against proactively.
URL log: Provides statistics on requested URLs. You can view URL logs to check why access to some URLs is allowed, blocked, or allowed with an alert record.
Content log: Records the alarms on and blocking of files transmitted, mails received and sent, and websites accessed by intranet users regarding file blocking, data filtering, and application behavior control, together with the risky behaviors of intranet users and the causes of alerts and blocking.
Operation log: Records the login and logout and device configuration operations of all administrators and the device management history to enhance device security.
System log: Records the system running status and related information about the hardware environment so that administrators can determine whether the device runs properly and locate faults if any.
User activity log: Records the online behaviors of users, such as the login time, online duration, and IP and MAC addresses used for the login, so that administrators can take necessary measures upon illegitimate user login or access.
Policy matching log: Records the matched policies so that administrators can determine whether the policies are correctly configured and locate faults if any.
Mail filtering log: Records the protocol types used by users to send and receive emails, the size of a single attachment in an email, the number of attachments in an email, and the reasons why valid emails are blocked. Mail filtering logs help you locate faults in email services.
Audit log: Records the specified network behaviors of users regarding the audit function.
Report Description
Traffic report: Intuitive reports generated on the basis of traffic logs from multiple dimensions. Administrators use these reports to learn about the traffic condition on the network and customize traffic control policies.
Threat report: Intuitive reports generated on the basis of threat logs from multiple dimensions. Administrators use these reports to discover the most frequently occurring threats, the attackers who have launched the most illegal network activities, and the victims that are most vulnerable to attacks, and customize security policies accordingly.
URL report: Intuitive reports generated on the basis of URL logs from multiple dimensions. Administrators use these reports to learn about the URLs or websites most frequently accessed by intranet users and the users most frequently accessing illegitimate URLs, and customize URL filtering policies accordingly.
Policy matching report: Intuitive reports generated on the basis of policy matching logs from multiple dimensions. Administrators use these reports to discover policy configuration problems and learn about the effectiveness of configured policies, and adjust and optimize policy configurations accordingly.
File blocking report: Intuitive reports generated on the basis of content logs by file type. You can view the file blocking report to check the effectiveness of file filtering configurations and tune the configurations if necessary.
Data filtering report: Intuitive reports generated on the basis of content logs by keyword group. You can view the content filtering report to check the effectiveness of content filtering configurations and tune them if necessary.
The NGFW supports the isolation of the in-band management plane and provides a
dedicated management port instead of using the service ports for management.
If users connect to the NGFW from a service interface and use a management protocol,
such as Telnet, SSH, or HTTPS, to log in to the device, you can enable access
management on the service interface or configure a security policy to prohibit those users
from managing the device. In this way, security isolation is implemented.
The communication between the NGFW and the third-party NMS is implemented using
security protocols. You can enable the services of the security protocols, such as HTTPS.
You can disable the services of insecure protocols, such as HTTP and Telnet.
Security logging
The system can log important operations such as login and logout for future audit.
Protection mechanism for the sensitive user information
The system authenticates users by password and identity authentication, and protects
sensitive user information with an advanced encryption algorithm. Every user is assigned
a password that is verified before the system provides services to the user, protecting
the security of user information. When the administrator logs in to the device, the system
asks the administrator to change the default password to enhance security management.
You can configure auditors to view the sensitive logs on HTTP behaviors, FTP behaviors,
and behaviors of receiving and sending mail, to prevent data leaks.
Anti-brute-force mechanism
Some unauthorized users attempt to break into the system by guessing the
administrator's user name and password. The NGFW supports a maximum number of
login attempts. Once the number of login attempts exceeds the specified threshold, the
system adds the user's IP address to the blacklist and blocks the user from accessing the
device for the lockout period.
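The lockout mechanism described above as an added example (not Huawei code): failed logins are counted per source IP, and once the configured maximum is reached the address is blacklisted for the lockout period. The threshold, lockout period, counting window and addresses are constructed values, and the clock is injected so the behaviour can be checked deterministically.

```python
"""Anti-brute-force login guard (added example, not the NGFW implementation)."""
import time
from collections import defaultdict


class LoginGuard:
    """Per-source-IP failed-login counter with a timed blacklist."""

    def __init__(self, max_attempts=5, lockout_seconds=300,
                 window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts      # constructed default, not a device setting
        self.lockout = lockout_seconds        # how long a blacklisted IP stays blocked
        self.window = window_seconds          # failures older than this are forgotten
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(list)     # ip -> timestamps of recent failures
        self.blacklist = {}                   # ip -> time at which the lockout expires

    def is_blocked(self, ip):
        """True while ip is blacklisted; an expired entry is removed on the way."""
        until = self.blacklist.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.blacklist[ip]
            self.failures.pop(ip, None)       # clean slate once the lockout has elapsed
            return False
        return True

    def record_failure(self, ip):
        """Count one failed login; return True if this failure triggers the lockout."""
        now = self.clock()
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:  # maximum number of attempts used up
            self.blacklist[ip] = now + self.lockout
            return True
        return False

    def attempt(self, ip, credentials_valid):
        """Process one login attempt; returns 'blocked', 'ok', 'failed' or 'locked'.

        The blacklist is checked before the credentials so that a locked-out
        source learns nothing about whether its guess was correct.
        """
        if self.is_blocked(ip):
            return "blocked"
        if credentials_valid:
            self.failures.pop(ip, None)       # a successful login resets the counter
            return "ok"
        return "locked" if self.record_failure(ip) else "failed"
```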
5 Technical Specifications
5.1.1 USG6310
This section describes the dimensions, weight, and power and environment specifications of
the USG6310.
Table 5-1 lists the technical specifications of the USG6310.
Item Description
System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 2 GB
Flash: 16 MB
CF card: 1 GB
Hard disk: Not supported
SPUB (the service engine): Not supported
Power specifications
AC power: Supported (external AC power adapter)
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current: 1.0 A
Maximum output power: 36 W
Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Left-to-right air flow
Port density
Console port: 1 (RJ45)
USB 2.0 port: 1
Mandatory service ports: 8 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: None
Environment specifications (c)
Short term (d) operating temperature: 5°C to 55°C
Long term operating temperature: 0°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: 5,000 m
NOTE
a. The width does not include the size of mounting ears.
b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.2 USG6320
This section describes the dimensions, weight, and power and environment specifications of
the USG6320.
Table 5-2 lists the technical specifications of the USG6320.
Item Description
System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 2 GB
Flash: 16 MB
CF card: 1 GB
Hard disk: Not supported
SPUB (the service engine): Not supported
Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Left-to-right air flow
Port density
Console port: 1 (RJ45)
USB 2.0 port: 1
Mandatory service ports: 8 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: None
Environment specifications (c)
Short term (d) operating temperature: 5°C to 55°C
Long term operating temperature: 0°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: 5,000 m
NOTE
a. The width does not include the size of mounting ears.
b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.3 USG6330/6350/6360
This section describes the dimensions, weight, and power and environment specifications of
the USG6330/6350/6360.
Table 5-3 lists the technical specifications of the USG6330/6350/6360.
Item Description
System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 4 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300 GB 2.5-inch SAS hard disks
Power specifications
AC power: Supported; 150 W built-in power module (default) and 170 W hot-swappable power module (optional)
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 150 W (default) or 170 W (optional)
Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side
Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 1
Mandatory service ports: 2 GE Combo ports; 4 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8 × 1GE RJ45 interface card); 2XG8GE-WSIC (8 × 1GE RJ45 + 2 × 10GE SFP+ interface card); 8GEF-WSIC (8 × 1GE SFP interface card); 4GE-BYPASS-WSIC (2-electrical-link bypass card)
Environment specifications (c)
Short term (d) operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
NOTE
a. The width does not include the size of mounting ears.
b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.4 USG6370/6380/6390
This section describes the dimensions, weight, and power and environment specifications of
the USG6370/6380/6390.
Table 5-4 lists the technical specifications of the USG6370/6380/6390.
Item Description
System specifications
CPU: Multi-core 1.1 GHz processor
Memory: DDR3 4 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300 GB 2.5-inch SAS hard disks
Power specifications
AC power: Supported. By default, one power module is provided, but two power modules are supported. If two power modules are used and one module fails, you can hot-swap the faulty power module.
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 170 W
Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side
Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 2
Mandatory service ports: 4 GE optical ports; 8 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8 × 1GE RJ45 interface card); 2XG8GE-WSIC (8 × 1GE RJ45 + 2 × 10GE SFP+ interface card); 8GEF-WSIC (8 × 1GE SFP interface card); 4GE-BYPASS-WSIC (2-electrical-link bypass card)
Environment specifications (c)
Short term (d) operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m
NOTE
a. The width does not include the size of mounting ears.
b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.5 USG6530
This section describes the dimensions, weight, and power and environment specifications of
the USG6530.
Table 5-5 lists the technical specifications of the USG6530.
Item Description
System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 4 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300 GB 2.5-inch SAS hard disks
Power specifications
AC power: Supported; 150 W built-in power module (default) and 170 W hot-swappable power module (optional)
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 150 W (default) or 170 W (optional)
Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side
Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 1
Mandatory service ports: 2 GE Combo ports; 4 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8 × 1GE RJ45 interface card); 2XG8GE-WSIC (8 × 1GE RJ45 + 2 × 10GE SFP+ interface card); 8GEF-WSIC (8 × 1GE SFP interface card); 4GE-BYPASS-WSIC (2-electrical-link bypass card)
Environment specifications (c)
Short term (d) operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
NOTE
a. The width does not include the size of mounting ears.
b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.6 USG6550/6570
This section describes the dimensions, weight, and power and environment specifications of
the USG6550/6570.
Table 5-6 lists the technical specifications of the USG6550/6570.
Item Description
System specifications
CPU: Multi-core 1.1 GHz processor
Memory: DDR3 4 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300 GB 2.5-inch SAS hard disks
Power specifications
AC power: Supported. By default, one power module is provided, but two power modules are supported. If two power modules are used and one module fails, you can hot-swap the faulty power module.
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 170 W
Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side
Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 2
Mandatory service ports: 4 GE optical ports; 8 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8 × 1GE RJ45 interface card); 2XG8GE-WSIC (8 × 1GE RJ45 + 2 × 10GE SFP+ interface card); 8GEF-WSIC (8 × 1GE SFP interface card); 4GE-BYPASS-WSIC (2-electrical-link bypass card)
Environment specifications (c)
Short term (d) operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m
NOTE
a. The width does not include the size of mounting ears.
b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.7 USG6620/6630
This section describes the dimensions, weight, and power and environment specifications of
the USG6620/6630.
Table 5-7 lists the technical specifications of the USG6620/6630.
System specifications
CPU: Multi-core 1.0 GHz processor
Memory: DDR3 8 GB
Flash: 16 MB
CF card: 2 GB
Hard disk: Optional hot-swappable 300 GB 2.5-inch SAS hard disks
Power specifications
AC power: Supported. By default, one power module is provided. If two power modules are used and one module fails, you can hot-swap the faulty power module.
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 2.5 A
DC power: Not supported
Maximum output power: 170 W
Heat dissipation
Fan module: Built-in fan module, cannot be removed.
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side
Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 (RJ45)
USB 2.0 port: 2
Mandatory service ports: 4 GE optical ports; 8 10/100/1000M autosensing Ethernet electrical ports
Expansion slot: 2 WSIC
Types of expansion cards: 8GE-WSIC (8×1GE RJ45 interface card); 2XG8GE-WSIC (8×1GE RJ45 + 2×10GE SFP+ interface card); 8GEF-WSIC (8×1GE SFP interface card); 4GE-BYPASS-WSIC (2 electrical links bypass card)
Environment specifications (c)
Short term (d) operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
NOTE
a. The width does not include the size of mounting ears.
b. The height is 1 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.8 USG6650/6660
This section describes the dimensions, weight, and power and environment specifications of
the USG6650/6660.
Table 5-8 lists the technical specifications of the USG6650/6660.
System specifications
CPU: Multi-core 1.2 GHz processor
Memory: DDR3 16 GB
Flash: 64 MB
CF card: 2 GB
Hard disk: Optional. The device can hold two 300 GB 2.5-inch SAS hard disks to form a RAID-1 array for redundancy. The hard disks are hot-swappable.
SPUB (the service engine): Not supported
Heat dissipation
Fan module: Supported, hot-swappable
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side
Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 RJ45 and 1 Mini USB (only one of them can be used at a time)
USB 2.0 port: 2
Mandatory service ports: 8 GE optical ports; 8 10/100/1000M autosensing Ethernet electrical ports; 2 10GE optical ports
Environment specifications (c)
Short term (d) operating temperature: Without hard disk: -5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m
NOTE
a. The width does not include the size of mounting ears.
b. The height is 3 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.9 USG6670
This section describes the dimensions, weight, and power and environment specifications of
the USG6670.
Table 5-9 lists the technical specifications of the USG6670.
System specifications
CPU: Multi-core 1.2 GHz processor
Memory: DDR3 16 GB
Flash: 64 MB
CF card: 2 GB
Hard disk: Optional. The device can hold two 300 GB 2.5-inch SAS hard disks to form a RAID-1 array for redundancy. The hard disks are hot-swappable.
SPUB (the service engine): Not supported
Power specifications
AC power: Supported, 1+1 power redundancy, hot-swappable
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 5 A
DC power: Supported, 1+1 power redundancy, hot-swappable
Rated input voltage (DC): -48 V to -60 V
Maximum input voltage (DC): -40 V to -72 V
Maximum input current (DC): 5 A
Maximum output power: 350 W
Heat dissipation
Fan module: Supported, hot-swappable
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side
Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 RJ45 and 1 Mini USB (only one of them can be used at a time)
USB 2.0 port: 2
Mandatory service ports: 8 GE optical ports; 16 10/100/1000M autosensing Ethernet electrical ports; 4 10GE optical ports
Expansion slot: 5 WSIC slots, or 1 WSIC slot + 4 XSIC slots
Types of expansion cards: 8GE-WSIC (8×1GE RJ45 interface card); 2XG8GE-WSIC (8×1GE RJ45 + 2×10GE SFP+ interface card); 8GEF-WSIC (8×1GE SFP interface card); 4GE-BYPASS-WSIC (2 electrical links bypass card)
Environment specifications (c)
Short term (d) operating temperature: Without hard disk: -5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m
NOTE
a. The width does not include the size of mounting ears.
b. The height is 3 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
5.1.10 USG6680
This section describes the dimensions, weight, and power and environment specifications of
the USG6680.
Table 5-10 lists the technical specifications of the USG6680.
System specifications
CPU: Multi-core 1.2 GHz processor
Memory: DDR3 16 GB
Flash: 64 MB
CF card: 2 GB
Hard disk: Optional. The device can hold two 300 GB 2.5-inch SAS hard disks to form a RAID-1 array for redundancy. The hard disks are hot-swappable.
SPUB (the service engine): Supported
Power specifications
AC power: Supported, 1+1 power redundancy, hot-swappable
Rated input voltage (AC): 100 V to 240 V, 50 Hz/60 Hz
Maximum input voltage (AC): 90 V to 264 V, 47 Hz to 63 Hz
Maximum input current (AC): 5 A
DC power module: Supported, 1+1 power redundancy, hot-swappable
Heat dissipation
Fan module: Supported, hot-swappable
Air flow (hot air flow, viewed facing the rear panel): Intake on the front and left sides, exhaust on the right side
Port density
Out-of-band management port: 1 (RJ45)
Console port: 1 RJ45 and 1 Mini USB (only one of them can be used at a time)
USB 2.0 port: 2
Mandatory service ports: 8 GE optical ports; 16 10/100/1000M autosensing Ethernet electrical ports; 4 10GE optical ports
Expansion slot: 5 WSIC slots, or 1 WSIC slot + 4 XSIC slots
Types of expansion cards: 8GE-WSIC (8×1GE RJ45 interface card); 2XG8GE-WSIC (8×1GE RJ45 + 2×10GE SFP+ interface card); 8GEF-WSIC (8×1GE SFP interface card); 4GE-BYPASS-WSIC (2 electrical links bypass card)
Environment specifications (c)
Short term (d) operating temperature: Without hard disk: 5°C to 55°C; With hard disk(s): 5°C to 40°C
Long term operating temperature: Without hard disk: 0°C to 45°C; With hard disk(s): 5°C to 40°C
Storage temperature: 40°C to 70°C
Operating relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 95% RH, non-condensing
Storage relative humidity: Short term: 5% RH to 95% RH, non-condensing; Long term: 5% RH to 85% RH, non-condensing
Altitude: Without hard disk: 5,000 m; With hard disk(s): 3,000 m
NOTE
a. The width does not include the size of mounting ears.
b. The height is 3 U (1 U = 1.75 inches, or about 44.45 mm), which is a height unit defined in
International Electrotechnical Commission (IEC) 60297 standards.
c. Temperature and humidity are measured 1.5 m above the floor and 0.4 m in front of the rack when
no protection plate exists before or after the rack.
d. The short term operating conditions mean that the continuous operating period does not exceed 48
hours and the accumulative total period within a year does not exceed 15 days. If the continuous
operating period exceeds 48 hours or the total period within a year exceeds 15 days, it is regarded as
long term.
Standard or protocol: Description
ETS 300 019-2-2: Equipment Engineering; Environmental conditions and environmental tests for telecommunications equipment. Part 2-2: Specification of environmental tests; transportation
ETS 300 119-3: European telecommunication standard for equipment practice. Part 3: Engineering requirements for miscellaneous racks and cabinets
EN 300 386 Version 1.2.1: Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication network equipment; ElectroMagnetic Compatibility (EMC) requirements
IEC 61000: Electromagnetic compatibility (EMC)
IEC 61000-4-2: Electromagnetic compatibility (EMC) - Part 4: Testing and measuring techniques - Section 2: Electrostatic discharge immunity test - Basic EMC publication
IEC 61000-4-3: Electromagnetic compatibility (EMC) - Part 4-3: Testing and measurement techniques; Radiated, radio-frequency, electromagnetic field immunity test
IEC 61000-4-4: Electromagnetic compatibility (EMC) - Part 4: Testing and measuring techniques - Section 4: Electrical fast transient/burst immunity test - Basic EMC publication
IEC 61000-4-5: Electromagnetic compatibility (EMC) - Part 4: Testing and measurement techniques - Section 5: Surge immunity test
IEC 61000-4-6: Electromagnetic compatibility (EMC) - Part 4: Testing and measurement techniques - Section 6: Immunity to conducted disturbances, induced by radio-frequency fields
IEC 61000-3-2: Electromagnetic compatibility (EMC) - Part 3-2: Limits; Limits for harmonic current emissions (equipment input current ≤ 16 A per phase)
IEC 61000-3-3: Electromagnetic compatibility (EMC) - Part 3: Limits; Section 3: Limitation of voltage fluctuations and flicker in low-voltage supply systems for equipment with rated current ≤ 16 A
IEC 62151: Safety of equipment electrically connected to a telecommunication network
ISO/IEC 11801: Information technology - Generic cabling for customer premises
ISO/IEC 15802-2: Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Common specifications - Part 2: LAN/MAN management
CISPR 22: Information technology equipment - Radio disturbance characteristics - Limits and methods of measurement
I.430: [I.430] Recommendation I.430 (11/95) - Basic user-network interface - Layer 1 specification
I.431: [I.431] Recommendation I.431 (03/93) - Primary rate user-network interface - Layer 1 specification
IEEE 802.3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specification
IEEE 802.3u: Media Access Control (MAC) parameters, physical layer, medium attachment units, and repeater for 100 Mb/s operation, type 100Base-T
IEEE 802.1D: Media Access Control (MAC) Bridges
IEEE 802.3af: DTE Power via MDI