With the continuous popularization and development of network technology, network attacks are becoming increasingly frequent. Through various attack software, even beginners with general computer knowledge can launch attacks on networks. At the same time, the proliferation of various network viruses has exacerbated the danger of network attacks.

The H3C SecPath F1000-AI series firewalls are high-performance multi-gigabit and ultra-10-gigabit firewall VPN integrated gateway products targeting the industry market. Hardware-wise, they are based on a multi-core, multi-threaded MIPS/ARM processor + ASIC hardware architecture, and are 1U standalone box firewalls. This series of firewalls offers rich interface expansion capabilities, and the devices simultaneously support Telemetry and Netconf network extension protocols, adapting to various network deployment requirements. As an NGFW product, this series of firewalls provides rich interface expansion capabilities, supporting dual-hard drive RAID0/RAID1. It also offers a wealth of service features, including IPS/AV/ACG/WAF/TI/URL, to meet differentiated competitive needs.

In terms of security features, as an NGFW product, this series not only supports firewall security functions such as security control, VPN, NAT, and DOS/DDOS defense, but also integrates in-depth security defense functions such as IPS (Intrusion Prevention), AV (Antivirus), ACG (Application Control), WAF (Web Vulnerability Detection), TI (Threat Intelligence), and URL (Classification and Filtering), realizing multi-dimensional policy control functions based on users, applications, time, geographical location, and security status.

The product series integrates AI computing capabilities, providing robust protection against unknown threats and APT attacks. Simultaneously, AI technology simplifies the product's operation and maintenance experience.

In terms of virtualization and reliability, it is based on H3C's leading Comware V7 platform, supporting multi-device clusters and 1:N virtualization. It also offers better elastic scalability to meet the requirements of cloud computing.

1. Characteristics of Artificial Intelligence

The F1000-AI firewall is a next-generation firewall that integrates an AI analysis engine. In addition to effectively addressing traditional network security threats, it can also:

Identify encryption and new applications, and provide more accurate, refined and flexible security control strategies;

Identify malicious encrypted traffic and discover malicious behavior hidden within normal encrypted traffic;

Identify security risks such as anomalies, threats, and attacks to provide decision-making support and a basis for emergency response;

It integrates with cloud and situational awareness platforms to provide comprehensive collaborative defense.

It has strategy optimization and analysis capabilities, supporting the analysis of configured strategies and the identification of problems with the strategies;

The F1000-AI firewall is a continuously evolving product, a key component of the comprehensive AI network security solution, and an essential link in the proactive network security defense system. It will continue to advance towards a resilient architecture, encrypted analysis, AI empowerment, and collaborative defense.

2. High reliability of telecom-grade equipment

It utilizes H3C's proprietary software and hardware platform. The product has undergone years of market testing, with applications ranging from telecom operators to small and medium-sized enterprises.

It supports H3C SCF virtualization technology, which can virtualize multiple devices into a single logical device, presenting it as a single network node to the outside world. This enables unified resource management, business backup, and improved overall system performance.

Virtualization: Supports the creation, startup, shutdown, and deletion of virtual firewalls.

3. Powerful security protection functions

It supports IPv4/IPv6 dual-stack security policy functions and multi-dimensional access control based on five-tuples, security domains, time periods, etc.

It supports a wide range of attack prevention features, including: protection against Land, Smurf, Fraggle, Ping of Death, Tear Drop, IP Spoofing, IP fragmentation, ARP spoofing, ARP reverse lookup, invalid TCP packet flags, oversized ICMP packets, address scanning, and port scanning. It also includes detection and defense against common DDoS attacks such as SYN Flood, UPD Flood, ICMP Flood, and DNS Flood.

The latest version supports SOP 1:N full virtualization. Multiple logical virtual firewalls can be partitioned on the H3C SecPath F1000-AI device. Based on containerized virtualization technology, the virtual system has the same characteristics as the actual physical system, and performance allocation such as throughput, concurrency, creation, and policies can be performed based on the virtual system.

Supports security zone management. Security zones can be divided based on interfaces and VLANs.

Packet filtering is supported. Data packets can be filtered using standard or extended access control rules between secure zones, leveraging information such as UDP or TCP port numbers within the packets. Furthermore, filtering can be performed based on time periods.

It supports application identification and can implement next-generation access control functions based on applications and users, using applications and users as the basic elements of security policies and combining them with defense in depth.

Supports Application Layer Stateful Packet Filtering (ASPF). By inspecting application layer protocol information (such as FTP, HTTP, SMTP, RTSP, and other TCP/UDP-based application layer protocols) and monitoring the connection-based application layer protocol status, it dynamically determines whether packets are allowed to pass through the firewall or are dropped.

Supports authentication, authorization, and accounting (AAA) services. This includes authentication based on RADIUS/HWTACACS+, CHAP, PAP, etc.

Supports both static and dynamic blacklists.

Supports NAT and NAT multiple instances.

VPN functionality is supported, including L2TP, IPSec/IKE, GRE, SSL, and integration with smart terminals.

It supports a wide range of routing protocols, including static routing, policy-based routing, and dynamic routing protocols such as RIP and OSPF.

Supports security logs.

Supports traffic monitoring, statistics, and management.

National Cryptographic Algorithms: Supports national cryptographic algorithms SM1/2/3/4.

4. Flexible and scalable integrated DPI deep security

An integrated security business processing platform that is highly integrated with basic security protection.

Comprehensive application-layer traffic identification and management: Leveraging H3C's long-standing expertise in state machine detection and traffic interaction detection technologies, it can accurately detect applications such as Thunder/Web Thunder, BitTorrent, eMule/eDonkey, WeChat, Weibo, QQ, MSN, and PPLive, including P2P/IM/online games/stock trading/online video/online multimedia. It supports P2P traffic control by employing deep traffic detection methods, matching network packets with P2P protocol packet characteristics to accurately identify P2P traffic and manage it. Different control strategies are also available for flexible P2P traffic control.

A high-precision, high-efficiency intrusion detection engine. It employs H3C's proprietary FIRST (Full Inspection with Rigorous State Test) engine. The FIRST engine integrates multiple detection technologies, achieving comprehensive inspection based on precise state conditions, resulting in extremely high intrusion detection accuracy. Simultaneously, the FIRST engine utilizes parallel detection technology, allowing for flexible software and hardware adaptation, significantly improving intrusion detection efficiency.

Real-time virus protection: Employing stream engine virus detection technology, it can quickly and accurately detect and eliminate viruses and other malicious code in network traffic.。

Massive URL Category Filtering: The device supports URL filtering based on URL category, supporting both local and cloud-based methods, with 139 category libraries and over 20 million URL rules.

A comprehensive and timely security signature database. Through years of operation and accumulation, H3C has developed an industry-leading attack signature database team, equipped with a professional attack and defense laboratory, to keep abreast of the latest developments in the cybersecurity field, thereby ensuring the timely and accurate updating of the signature database.

5. Industry-leading IPv6

It supports IPv6 stateful firewall, truly realizing firewall functionality under IPv6 conditions, and simultaneously preventing IPv6 attacks.

It supports IPv4/IPv6 dual protocol stacks and functions such as IPv6 data packet forwarding, static routing, dynamic routing, and multicast routing.

Supports various IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, IPv4 compatible IPv6 automatic tunnel, ISATAP tunnel, NAT444, DS-Lite, etc.

Supports security technologies such as IPv6 ACL and Radius.

6. Next-generation multi-service features

Intrusion Prevention System (IPS) supports web attack identification and protection, such as cross-site scripting attacks and SQL injection attacks, and its virus signature database is updated periodically.

Antivirus (AV) features a high-performance virus engine that can protect against more than 6 million types of viruses and Trojans, with a periodically updated virus signature database.

Application Identification and Control (ACG) accurately identifies accessing applications, effectively allowing or blocking them, improving work efficiency, and the application identification feature database is updated periodically.

Web security protection (WAF) can effectively identify and protect against DDoS attacks, and supports feature classification of network devices, web servers, databases and other devices.

Threat Intelligence Detection (TI) supports IP reputation databases, domain reputation databases, and URL reputation databases, efficiently identifying threatening traffic and recording alerts. The threat intelligence signature database is updated regularly.

URLs are categorized and managed to improve the efficient use of network broadband resources.

The load balancing function integrates link load balancing features and effectively achieves automatic balancing and switching of multiple links at the enterprise's Internet egress through technologies such as link status detection and link busy protection.

It integrates SSL VPN features to meet the secure access needs of mobile office workers and employees on business trips. It can not only combine USB-Key and SMS for mobile user authentication, but also integrate with the enterprise's existing authentication system to achieve unified authentication access.

7. Professional intelligent management

Supports intelligent security policies: Supports policy risk tuning, security policy optimization analysis, policy redundancy and hit analysis, automatic batch and manual policy tuning based on application risk, can display fine-grained information based on traffic, application, risk type, etc., and provide an overall security score, making it easier for users to manage security policies, dynamically detect internal network services, dynamically generate security policies and recommend them.

It supports standard network management SNMPv3 and is compatible with SNMP v1 and v2.

It provides a graphical interface and easy-to-use web management.

Device management and firewall configuration can be performed through the command-line interface, meeting the needs of professional management and large-scale configuration.

The H3C IMC SSM Security Management Center enables unified management, integrating functions such as security information and event collection, analysis, and response. It solves problems such as the isolation between network and security devices, the lack of intuitive network security status, slow response to security events, and difficulty in locating network faults. This frees IT and security administrators from tedious management work, greatly improves work efficiency, and allows them to focus on core business.

Leveraging advanced deep mining and analysis technologies, and employing both proactive collection and passive reception methods, this system provides users with centralized log management capabilities and normalizes logs of different formats (Syslog, binary stream logs, etc.). Simultaneously, it utilizes high-aggregation compression technology to store massive amounts of events and can automatically compress, encrypt, and save log files to external storage systems such as DAS, NAS, or SAN to prevent the loss of critical security events.

It provides a rich set of reports, mainly including application-based reports and network flow analysis reports.

It supports output in multiple formats such as PDF, HTML, WORD, and TXT.

Reports can be customized via a web interface, with customization options including the time range of the data, the source device of the data, the generation cycle, and the output type.

ISSU (In-Service Software Upgrade) is a highly reliable method for upgrading device startup software. ISSU upgrades ensure uninterrupted or minimally interrupted service during the upgrade process.

The BLS, ATK, and CFGLOG logs are further divided into five categories, supporting true pagination, adding a clearing function, and allowing independent modules to set log parameters, perform paginated queries, and configure logs.

H3C SecPath F1000-AI Series Network Application Diagram

SCF 2:1 virtualization technology, high-reliability network design

It has powerful processing capabilities and supports GE and 10GE networking.

Enriching routing protocols to achieve security and network convergence

It has powerful VPN encryption capabilities.

Comprehensive and in-depth security defense prevents malicious attacks, while also enabling filtering of emails, web pages, and files.

Enriching routing protocols to achieve security and network convergence

Networking applications

H3C SecPath F1000-AI Series Network Application Diagram

SCF 2:1 virtualization technology, high-reliability network design

It has powerful processing capabilities and supports GE and 10GE networking.

Enriching routing protocols to achieve security and network convergence

It has powerful VPN encryption capabilities.

Comprehensive and in-depth security defense prevents malicious attacks, while also enabling filtering of emails, web pages, and files.

Enriching routing protocols to achieve security and network convergence

Specifications