Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
General Disclaimer
The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating results,
future product portfolio, new technology, etc. There are a number of factors
that could cause actual results and developments to differ materially from those
expressed or implied in the predictive statements. Therefore, such information
is provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice.
Trademark Notice
HUAWEI and the Huawei logo are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-008360399-20110510-C-1.0
www.huawei.com HUAWEI TECHNOLOGIES CO., LTD.
USG9500 Series Cloud Data Center Security Gateway
USG9520 USG9560 USG9580
Product Overview
Full-IP networks are expanding rapidly and integrating more and more applications into the traditional broadband network. Network bandwidth is increasing exponentially, but so are the types of network threats and the intensity of attacks. As a result, enterprises and carriers must constantly adapt their network structures to changing network environments. Data communication devices have entered the Terabit era. The USG9500, a highly scalable, reliable, and comprehensive security service platform, is such a Terabit device. It supports a wide range of security services, such as IPv6 security, virtual security systems, VPN, and IPS, and addresses the requirements of customers (including data centers, carriers, ISPs, and government agencies) for integrated security, rapid response, fast processing, and continuous evolution.
Product Description
The USG9500 series comprises the USG9520, USG9560, and USG9580, and provides industry-leading security capabilities and scalability. The firewall throughput of the series reaches 0.96 Tbps, the maximum number of concurrent connections exceeds 960 million, and the VPN performance is up to 500 Gbps.
By using dedicated multi-core chips and a distributed hardware platform, the USG9500 provides industry-leading service processing and expansion capabilities. All components are redundant, giving the high reliability normally found in a core router and ensuring continuous service on high-speed networks. The distributed design uses line-rate intelligent traffic splitting for data forwarding: all data flows are distributed evenly across the service processing modules, so service processing performance increases linearly with the number of service modules.
The USG9500 provides multiple types of I/O interface modules (Line Processing Units, LPUs) for external connection and data transmission. I/O interface modules and service processing modules use the same type of slot, so you can mix and match them as needed. The USG9500 provides GE and 10GE interfaces and supports cross-board port bundling to improve throughput and port density.
The Service Processing Unit (SPU) of the USG9500 processes all services. The SPU has a motherboard that can hold two expansion cards; it uses the multi-core CPUs on the expansion cards together with the software modules to process services. The heartbeat detection mechanism between SPU and LPU, together with SPU redundancy, ensures in-service switchover: if one SPU fails, all of its functions are quickly switched to other SPUs without service interruption.
Highlights
Advanced network processor + multi-core CPU + distributed architecture — allowing linear increase of performance
The USG9500 uses a modular hardware platform of the kind found in core routers. Each interface module has two network processors (NPs) to provide line-rate forwarding. The SPU uses multi-core CPUs and a multi-thread architecture, and each CPU has an application acceleration engine. These hardware advantages, combined with Huawei's optimized concurrent processing technology, increase CPU capacity to ensure high-speed parallel processing of multiple services, such as NAT and VPN. LPUs and SPUs function independently, and overall performance increases linearly with the addition of SPUs, so customers can scale up performance easily and at low cost.
High firewall performance — ensuring mission-critical services
With its revolutionary system architecture, the USG9500 security gateway series has the industry's highest firewall throughput and the most concurrent connections. With dedicated traffic splitting technology, the overall performance of the USG9500 increases linearly with the addition of SPUs. The USG9500 delivers a maximum of 960 Gbps large-packet throughput, 960 million concurrent connections, and 4096 virtual firewalls. This industry-leading performance meets the demands of high-end customers, such as television and broadcast systems, government agencies, energy companies, and education organizations.
Stable and reliable security gateway — full redundancy ensuring service continuity
Network security is a key concern in enterprise operations. To ensure service continuity on a high-speed network, the USG9500 supports active/standby and active/active redundancy, port aggregation, VPN redundancy, and SPU load balancing. It also supports dual-MPU active/standby switchover for high availability. The mean time between failures (MTBF) of the USG9500 is up to 200,000 hours, and the failover time is less than one second. These features ensure service continuity.
Excellent VPN performance — meeting the needs for massive encryption
More and more services, such as mobile access, short message notification, and push mail, require secure data transmission over the Internet. Meeting these needs requires a VPN gateway that supports hundreds of thousands of connections. The USG9500 supports VPN gateway redundancy, up to 500 Gbps encryption performance, and 960,000 concurrent VPN tunnels, the industry's highest figures. The USG9500 supports 4over6 and 6over4 VPN technologies for the evolution from IPv4 to IPv6. It also supports IKEv2, which provides improved user authentication, packet authentication, and NAT traversal, and prevents attacks such as man-in-the-middle and denial of service (DoS) attacks. The USG9500 also supports Extensible Authentication Protocol for GSM Subscriber Identity Module (EAP-SIM) and Extensible Authentication Protocol – Authentication and Key Agreement (EAP-AKA) authentication to protect wireless networks.
Practical IPS feature — defending against external threats and promoting network security
The performance of an Intrusion Prevention System (IPS) depends on detection engine performance, signature identification ratio, and processing capacity. With its advanced IPS detection engine and mature signature database, the USG9500 defends against a wide range of threats, including unauthorized automatic downloads, spoofing software, spyware/adware, abnormal protocols, P2P anomalies, and exploits that target system vulnerabilities. A single vulnerability-based signature covers thousands of attacks that target that vulnerability. Supplemented by the globally deployed honeypot system, the USG9500 can capture the latest attacks, worms, and Trojan horses, providing zero-day attack defense. To improve real-world IPS performance, the USG9500 uses an internal off-line design and "one board, one feature" technology to direct the traffic to be inspected by the IPS to a dedicated module. This improves IPS performance without compromising basic firewall performance.
Comprehensive CGN features — addressing the transition from IPv4 to IPv6
IPv4 addresses are already exhausted and the Internet is gradually evolving from IPv4 to IPv6. To meet the needs of this transition, the USG9500 supports NAT44 (4), DS-Lite, 6RD, and NAT64, providing an effective, flexible, reliable, and cost-effective transition solution for carriers. NAT44 (4) raises the utilization of IPv4 addresses to counter address exhaustion; DS-Lite allows IPv4 applications to be used on newly established IPv6 networks; 6RD provides efficient IPv6 access; and NAT64 enables an IPv6 network to communicate with an IPv4 network. The NAT44 and DS-Lite functions support NAT tracing.
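The NAT tracing mentioned above, together with the "port range pre-allocated" item in the feature list, is what lets a carrier answer an abuse report: which subscriber held a given public address and port at a given time. The following is an added Python example, not Huawei code and not how the USG9500 implements it: a NAT44 pool that hands each inside address one pre-allocated contiguous port block, writes one tracing record per allocation and release instead of one per session, and a lookup that reads those records back. The addresses, block size, and log format are constructed for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PortBlock:
    public_ip: IPv4Address
    first: int
    last: int  # inclusive


class Nat44PortBlockPool:
    """Pre-allocates contiguous public port blocks per inside address.

    Constructed model: one tracing record per ALLOC/FREE event, so the log
    volume is bounded by the number of subscribers rather than of sessions.
    """

    def __init__(self, public_ips: Iterable[IPv4Address],
                 block_size: int = 512, lowest_port: int = 1024) -> None:
        self.block_size = block_size
        self._free: List[PortBlock] = []
        self._assigned: Dict[IPv4Address, PortBlock] = {}
        self.trace_log: List[str] = []
        for ip in public_ips:
            # well-known ports below lowest_port are never handed out
            for first in range(lowest_port, 65536, block_size):
                last = min(first + block_size - 1, 65535)
                self._free.append(PortBlock(ip, first, last))

    def allocate(self, inside: IPv4Address, ts: int) -> PortBlock:
        blk = self._assigned.get(inside)
        if blk is None:
            if not self._free:
                raise RuntimeError("CGN port pool exhausted")
            blk = self._free.pop(0)
            self._assigned[inside] = blk
            self.trace_log.append(
                f"{ts} ALLOC inside={inside} public={blk.public_ip} ports={blk.first}-{blk.last}")
        return blk

    def release(self, inside: IPv4Address, ts: int) -> None:
        blk = self._assigned.pop(inside)
        self._free.append(blk)  # recycled block goes to the back of the queue
        self.trace_log.append(
            f"{ts} FREE inside={inside} public={blk.public_ip} ports={blk.first}-{blk.last}")


# constructed record format: "<ts> ALLOC|FREE inside=<ip> public=<ip> ports=<first>-<last>"
_RECORD = re.compile(r"^(\d+) (ALLOC|FREE) inside=(\S+) public=(\S+) ports=(\d+)-(\d+)$")


def trace_subscriber(trace_log: List[str], public_ip: str, port: int, ts: int) -> Optional[str]:
    """Return the inside address that held public_ip:port at time ts, or None."""
    holder: Optional[str] = None
    for line in trace_log:
        m = _RECORD.match(line)
        if not m:
            continue
        t, event, inside, pub, first, last = m.groups()
        if int(t) > ts:
            break  # records are chronological; later ones cannot apply
        if pub != public_ip or not (int(first) <= port <= int(last)):
            continue
        holder = inside if event == "ALLOC" else None
    return holder


def demo():
    """Constructed sequence: two subscribers come up, one leaves, a third arrives."""
    pool = Nat44PortBlockPool([ip_address("203.0.113.10")], block_size=512)
    a = pool.allocate(ip_address("10.0.0.5"), ts=100)
    b = pool.allocate(ip_address("10.0.0.6"), ts=105)
    pool.release(ip_address("10.0.0.5"), ts=200)
    c = pool.allocate(ip_address("10.0.0.7"), ts=210)
    return pool, a, b, c


if __name__ == "__main__":
    pool, a, b, c = demo()
    print("\n".join(pool.trace_log))
    print(trace_subscriber(pool.trace_log, "203.0.113.10", 1100, 150))  # 10.0.0.5
    print(trace_subscriber(pool.trace_log, "203.0.113.10", 1100, 250))  # None
```

The lookup walks the log in order and treats a FREE record as clearing the holder, so a port that was released before the time in question correctly resolves to nobody rather than to its previous owner; a real deployment would index the records by public address and time rather than scanning linearly.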
Enriched virtualization — adapting to cloud networks
Cloud computing, which relies on virtualization and high-speed network connections, faces security challenges. The USG9500 delivers high throughput and a rich set of virtual system functions, including resource, configuration, and management virtualization, to meet the requirements of different customers. Resource virtualization manages virtual host resources based on quotas; management virtualization supports user-defined policies, log management, and auditing for each virtual firewall; and forwarding virtualization enables customized service processing.
Specifications

Model                                             USG9520               USG9560               USG9580
Performance and Capacity
Firewall throughput (maximum)                     80 Gbps               480 Gbps              960 Gbps
Firewall throughput (composite traffic)           80 Gbps               480 Gbps              960 Gbps
Maximum number of concurrent sessions             80 million            480 million           960 million
IPSec VPN performance (3DES)                      48 Gbps               240 Gbps              500 Gbps
IPSec VPN performance (AES)                       48 Gbps               240 Gbps              500 Gbps
Maximum number of concurrent IPSec VPN tunnels    128,000               640,000               1,000,000
Expansion and I/O
Expansion slots                                   3 SPU and LPU slots   8 SPU and LPU slots   16 SPU and LPU slots
Dimensions, Power Supply, and Operating Environment
Dimensions (H x W x D, mm)
  USG9520: 175 x 442 x 650 (4U DC model); 220 x 442 x 650 (5U DC model)
  USG9560: 620 x 442 x 650
  USG9580: 1420 x 442 x 650
Weight
  USG9520: empty chassis 15 kg (DC), full configuration 32 kg (DC); empty chassis 25 kg (AC), full configuration 42 kg (AC)
  USG9560: empty chassis 43.2 kg, full configuration 113 kg
  USG9580: empty chassis 94.4 kg, full configuration 229 kg
AC power supply: 90 V AC to 275 V AC; 175 V AC to 275 V AC (recommended)
DC power supply: -38 V to -72 V; rated -48 V
Power consumption: USG9520 1270 W; USG9560 3960 W; USG9580 7540 W
Operating temperature: long term 0°C to 45°C; storage -40°C to +70°C
Ambient humidity: long term 5% RH to 85% RH, non-condensing; short term 5% RH to 95% RH, non-condensing; storage 0% RH to 95% RH, non-condensing
Number of MPU slots: 2
Interface
Interface boards: LPUF-21, LPU-40, LPUF-101
Ethernet interfaces: 12 x GE SFP; 12 x GE RJ45; 1 x 10GE XFP; 4 x 10GE XFP; 20 x GE SFP; 2 x 10GE XFP; 4 x 10GE XFP; 1 x 40GE CSFP; 5 x 10GE XFP; 4 x 10GE SFP+; 24 x 1GE SFP
POS: LPUF-21 12 x GE RJ45; LPU-40 not supported; LPUF-101 not supported
SPU: SPUC, SPUD
Security Functions

BASIC FIREWALL
  Routing/Transparent/Composite mode
  State validation detection
  Blacklist and whitelist
  Access control
  ASPF (Application Specific Packet Filter)
  Security zone division

SERVICE AWARENESS
  Identify and control over 1,200 applications: P2P, IM, game, stock, VoIP, video, media stream, mail, mobile, Web browsing, remote access, network management, news, etc.

VIRTUAL PRIVATE NETWORK (VPN)
  DES, 3DES, and AES encryption
  MD5 and SHA-1 authentication
  Manually configured key, PKI (X.509), and IKEv2
  Perfect forward secrecy (DH group)
  Anti-replay
  Remote VPN access
  IPSec NAT traversal
  Dead peer detection
  EAP authentication
  VPN gateway redundancy
  IPSec v6, IPSec 4 over 6, IPSec 6 over 4
  L2TP tunnel
  GRE tunnel

NAT/CGN
  Destination NAT/PAT
  NAT No-PAT
  Source NAT with IP address persistency
  Source IP address pool grouping
  NAT Server
  Bidirectional NAT
  NAT ALG (Application Layer Gateway)
  Unlimited IP address expansion
  Policy-based destination NAT
  Pre-allocated port ranges
  Hairpin mode
  Smart NAT
  NAT64
  DS-Lite
  6RD (IPv6 Rapid Deployment)

PKI
  PKI certificate requests (PKCS#10)
  Certificate authority (CA)
  PKI authentication: EAP-SIM, EAP-AKA
  PKI protocols: SCEP, OCSP, CMPv2
  Self-signed certificates

INTRUSION PREVENTION SYSTEM
  Protocol anomaly support
  Custom signature support
  Automatic attack database update
  Defends against worms, zero-day attacks, Trojan horses, and malware
ANTI-DDOS
  SYN flood, ICMP flood, TCP flood, UDP flood, DNS flood, etc.
  Port scan, Smurf, Teardrop, IP sweep, etc.
  IPv6 extension header defense
  TTL detection
  TCP MSS detection
  Attack log output

HIGH AVAILABILITY
  Active-Active, Active-Standby
  Stateful failover (Huawei Redundancy Protocol)
  Configuration synchronization
  Firewall and IPSec VPN session synchronization
  Device fault detection
  Link fault detection
  Dual main board switchover

MANAGEMENT
  Web UI (HTTP and HTTPS)
  CLI (console/Telnet/SSH)
  U2000/VSM network management
  Hierarchical administrators
  Software upgrade
  Configuration rollback

CERTIFICATION
  Safety certification, EMC, CB, RoHS, FCC, MET, C-tick, VCCI

NETWORKING/ROUTING
  POS/GE/10GE link support
  DHCP relay/server
  Policy-based routing
  Dynamic routing for IPv4/IPv6 (RIP/OSPF/IS-IS/BGP)
  Multi-zone support
  Routing between zones/VLANs
  Multi-link aggregation (Eth-Trunk, LACP)

VIRTUAL FIREWALLS
  4096 virtual firewall (VFW) definitions
  VLAN virtualization
  Security zone virtualization
  User-defined virtual resources
  Routing between VFWs
  VFW-based traffic CAR

LOGGING/MONITORING
  Structured syslog
  SNMP (v2)
  Binary log
  Traceroute
  Log server (eLog)

Note: The list above is comprehensive and may contain features that are not available on all USG9500 appliances. Consult the USG9500 system documentation to determine feature availability.
Application Scenarios

Security Defense in Large IDCs
The USG9500 ensures the security and stability of IDC services with the following configuration:
• Security policies, such as a blacklist to filter suspicious IP addresses.
• Intrusion prevention, to perform in-depth traffic detection and block attack traffic as soon as an attack is detected. This effectively defends against application-layer attacks.
• Virtual firewalls, to separate virtual systems from Layer 2 to Layer 7 as needed.
• Resource pre-allocation, to control the inbound and outbound traffic and the number of sessions of each virtual firewall, and public IP address-based traffic restriction, to prevent one IP address from occupying too much bandwidth.

Communicating Through VPN
The enterprise headquarters communicates with its branches through the Internet. VPN tunnels (such as IPSec VPN, L2TP over IPSec VPN, and GRE over IPSec VPN) can be established between the egress gateway of the headquarters and the egress gateways of the branches, and between the egress gateway of the headquarters and the egress gateways of the regional offices. Employees on business trips can also reach the headquarters egress gateway from their PCs. All remote-access traffic between the enterprise's users is carried by these VPN tunnels: although it crosses the public network, it is protected by encryption and authentication, which ensures the security of the data transmission.
In this networking, the IP addresses of the branches can be fixed public IP addresses, or obtained dynamically through 3G, ADSL, PPPoE dial-up, or DHCP. Configure IPSec, L2TP over IPSec, or GRE over IPSec according to actual requirements.
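The last item of the IDC scenario names two controls: a per-virtual-firewall session quota (resource pre-allocation) and a per-public-IP bandwidth restriction (the VFW-based traffic CAR of the feature list). The following is an added Python model of both, not Huawei code and not the USG9500 configuration syntax: a token-bucket limiter per source address inside a virtual firewall that also refuses new sessions once the tenant's quota is reached. The quota, rate, burst, and packet trace are constructed to show each verdict once.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Packet = Tuple[str, str, int]  # (source IP, destination IP, size in bytes)


@dataclass
class TokenBucket:
    """Committed-rate limiter: tokens are bytes, refilled at rate_bps up to burst_bytes."""
    rate_bps: float     # committed rate in bytes per second
    burst_bytes: float  # bucket depth; bounds how much can pass at once
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes  # a fresh bucket starts full

    def admit(self, nbytes: int, now: float) -> bool:
        # refill proportional to elapsed time, capped at the burst size
        self.tokens = min(self.burst_bytes, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


@dataclass
class VirtualFirewall:
    """One tenant's virtual firewall with a pre-allocated session quota and per-IP CAR."""
    name: str
    max_sessions: int        # resource pre-allocation: sessions this VFW may hold
    per_ip_rate_bps: float   # CAR applied to every public source address
    per_ip_burst_bytes: int
    sessions: Set[Tuple[str, str]] = field(default_factory=set)
    buckets: Dict[str, TokenBucket] = field(default_factory=dict)

    def process(self, pkt: Packet, now: float) -> str:
        src, dst, nbytes = pkt
        flow = (src, dst)
        if flow not in self.sessions:
            if len(self.sessions) >= self.max_sessions:
                return "DROP session-quota"   # quota exhausted: no new session
            self.sessions.add(flow)
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(self.per_ip_rate_bps, self.per_ip_burst_bytes)
        return "FORWARD" if self.buckets[src].admit(nbytes, now) else "DROP rate-limit"


def run_trace() -> List[str]:
    """Constructed trace: quota of 2 sessions, 1000 B/s per source IP, 1500 B burst."""
    vfw = VirtualFirewall("vfw-tenant-a", max_sessions=2,
                          per_ip_rate_bps=1000.0, per_ip_burst_bytes=1500)
    trace = [
        (0.0, ("198.51.100.1", "10.1.0.10", 1000)),  # first packet, bucket full
        (0.1, ("198.51.100.1", "10.1.0.10", 1000)),  # only 600 tokens left: rate-limited
        (0.1, ("198.51.100.2", "10.1.0.10", 500)),   # second session, own bucket
        (0.2, ("198.51.100.3", "10.1.0.10", 100)),   # third session exceeds the quota
        (1.5, ("198.51.100.1", "10.1.0.10", 1000)),  # bucket refilled after 1.4 s
    ]
    return [vfw.process(pkt, t) for t, pkt in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

Keying the bucket on the source address is what keeps one busy address from starving the others in the same virtual firewall, while the session set is per virtual firewall so that one tenant's connection storm cannot consume another tenant's pre-allocated quota.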
[Figure: deployment diagram. Left: a large-scale IDC in which a USG9500 connects over 10-Gigabit links to the basic services area, the value-added services area, the management and maintenance area, and other areas. Right: headquarters-to-branch VPN networking with USG9000_A, USG9000_B, and USG9000_C, a remote PC, Branch1, Branch2, and IPSec tunnels between them.]
Order Information

Part number             Description
E8KE-X3-BASE-DC         E8000E X3 DC Standard Configuration (includes X3 DC Chassis, 2*MPU), with HS General Security Platform Software
E8KE-X3-BASE-AC         E8000E X3 AC Standard Configuration (includes X3 AC Chassis, 2*MPU), with HS General Security Platform Software
E8KE-X8-BASE-DC-200     E8000E X8 DC Standard Configuration (includes X8 DC Chassis, 2*SRU, 1*200G SFU), with HS General Security Platform Software
E8KE-X8-BASE-AC-200     E8000E X8 AC Standard Configuration (includes X8 DC Chassis, 2*SRU, 1*200G SFU, 4*AC Power Module), with HS General Security Platform Software
E8KE-X16-BASE-DC-200    E8000E X16 DC Standard Configuration (includes X16 DC Chassis, 2*MPU, 4*200G SFU), with HS General Security Platform Software
E8KE-X16-BASE-AC-200    E8000E X16 AC Standard Configuration (includes X16 DC Chassis, 2*MPU, 4*200G SFU, 8*AC Power Module), with HS General Security Platform Software
SPU-X3-20-O-E8KE        20G X3 Firewall Processing Card (overseas), with HS General Security Platform Software
SPU-X8X16-20-O-E8KE     20G X8&X16 Firewall Processing Card (overseas), with HS General Security Platform Software
FWCD0LPUKD01            Flexible Card Line Processing Unit (LPUF-21, 2 sub-slots) B, with HS General Security Platform Software
FWCD00L1XX01            1-Port 10GBase WAN/LAN XFP Flexible Interface Daughter Card
FWCD00EBGF01            12-Port 100/1000Base-X SFP Flexible Interface Daughter Card
FWCD00EBGE01            12-Port 10/100/1000Base-TX RJ45 Flexible Interface Daughter Card
FWCD0LPUND01            Flexible Card Line Processing Unit (LPUF-40, 2 sub-slots) A, with HS General Security Platform Software
FWCD00L2XX01            2-Port 10GBase LAN/WAN XFP Flexible Card (P40)
FWCD00EFGF01            20-Port 100/1000Base-X SFP Flexible Card (P40)
Note: The order information lists only the main components of the USG9500 series. Please contact a Huawei engineer for detailed information.