Huawei USG9000 Technical Specification

As a world-leading supplier of Huawei networking products, Hong Telecom Equipment Service LTD (HongTelecom) keeps regular stock of Huawei routers, switches and all cards at very good prices, and ships worldwide with very fast delivery.

For related articles, visit the HongTelecom Blog and HongTelecom WordPress.

For real pictures of related products, visit the HongTelecom Gallery.

To buy related products, visit the HongTelecom Online Shop.

Introduction to the USG9000

At present, the USG9000 can work in three modes: routing mode, transparent mode, and composite mode.

  • Routing mode. In routing mode, the USG9000 connects to external networks at Layer 3, and every interface must be assigned an IP address. When the USG9000 sits between the internal network and the external network, you must configure the interfaces that connect it to the internal network and to the external network with IP addresses on different network segments and re-plan the network topology. In this case, the USG9000 acts as a router. As shown in Figure 2-1, the USG9000 connects to the internal network through an interface in the Trust zone and to the external network through an interface in the Untrust zone. Note that the interface in the Trust zone and the interface in the Untrust zone reside in two different subnets.
    Figure 2-1  Networking in routing mode

    When working in routing mode, the USG9000 can perform ACL packet filtering. However, the network topology needs to be changed: for example, internal network users need to change their gateways, and the routing configurations of routers need to be updated.

  • Transparent mode. In transparent mode, the USG9000 connects to external networks at Layer 2, and none of its interfaces can be assigned an IP address. In this case, the USG9000 is transparent to users in the subnets and to routers; that is, users are unaware of its presence. As shown in Figure 2-2, the USG9000 connects to the internal network through interfaces in the Trust zone and to the external network through interfaces in the Untrust zone. Note that the internal network and the external network must reside in the same subnet.
    Figure 2-2  Networking in transparent mode

    If the USG9000 works in transparent mode, you do not need to change the network topology. You only need to insert the USG9000 into the network as you would a bridge, without modifying any existing configuration. As in routing mode, IP packets are still filtered and inspected in transparent mode, so internal users remain protected by the USG9000.

  • Composite mode. If the USG9000 has both interfaces working in routing mode (interfaces with IP addresses) and interfaces working in transparent mode (interfaces without IP addresses), it is working in composite mode. Composite mode is used for dual-system hot backup in transparent mode: the interface on which VRRP is enabled must be configured with an IP address, while the other interfaces need none. Figure 2-3 shows typical networking in composite mode.
    Figure 2-3  Networking in composite mode

    The master and backup USG9000s connect to the internal network through interfaces in the Trust zone and to the external network through interfaces in the Untrust zone. In addition, the master and backup USG9000s are connected to each other and perform hot standby through VRRP. Note that the internal network and the external network must reside in the same subnet.
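
The three modes above each impose a different rule on interface addressing. The following Python is an added planning check, not Huawei code or CLI: it classifies a planned interface layout as routing, transparent or composite mode using the rules stated above and reports where the plan breaks them. Interface names, zones and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network
from typing import List, Optional, Tuple

@dataclass
class Iface:
    name: str                      # hypothetical interface name, e.g. "GE1/0/0"
    zone: str                      # security zone: "Trust" or "Untrust"
    address: Optional[str] = None  # CIDR string, or None for a Layer 2 interface
    vrrp: bool = False             # VRRP enabled on this interface (hot standby)

def classify_mode(ifaces: List[Iface]) -> str:
    """Routing: every interface has an IP; transparent: none has; composite: a mix."""
    with_ip = sum(1 for i in ifaces if i.address is not None)
    if with_ip == len(ifaces):
        return "routing"
    if with_ip == 0:
        return "transparent"
    return "composite"

def check_plan(ifaces: List[Iface], internal_subnet: Optional[str] = None,
               external_subnet: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (mode, problems); an empty problem list means the plan obeys the mode's rules."""
    mode = classify_mode(ifaces)
    problems: List[str] = []
    if mode == "routing":
        # Trust-side and Untrust-side interfaces must sit on different network segments.
        trust = {ip_interface(i.address).network for i in ifaces if i.zone == "Trust"}
        untrust = {ip_interface(i.address).network for i in ifaces if i.zone == "Untrust"}
        for shared in sorted(trust & untrust, key=str):
            problems.append(f"routing mode: Trust and Untrust interfaces share {shared}")
    elif mode == "transparent":
        # Interfaces carry no addresses, so the bridged networks are given as planned subnets.
        if internal_subnet is None or external_subnet is None:
            problems.append("transparent mode: internal and external subnets must be planned")
        elif ip_network(internal_subnet) != ip_network(external_subnet):
            problems.append("transparent mode: internal and external networks must be one subnet")
    else:
        # Only the VRRP interface carries an IP address; every other interface stays at Layer 2.
        for i in ifaces:
            if i.vrrp and i.address is None:
                problems.append(f"composite mode: VRRP interface {i.name} needs an IP address")
            if i.address is not None and not i.vrrp:
                problems.append(f"composite mode: non-VRRP interface {i.name} must not have an IP address")
    return mode, problems
```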

Functions and Features

Table 1  List of features available on the USG9000

Basic firewall features
  Link-layer protocol
    • ARP
    • PPP
    • HDLC
    • VLAN
    • Port mirroring
    • DHCP relay
  Network layer protocol
    • IP forwarding
    • IP option
    • ICMP
    • PING
    • TRACERT
    • DNS client
  Routing protocol
    • IPv4/IPv6 static routing
    • IPv4/IPv6 policy-based routing
    • Routing policy
    • Route recursion
    • RIP
    • IS-IS
    • OSPF
    • BGP
    • RIPng
    • OSPFv3
    • ISISv6
    • BGP4+

Network security
  • Routing mode, transparent mode, and composite (hybrid) mode
  • Packet filtering
  • ACL and time segment-based access control
  • ASPF
    • Universal TCP/UDP application
    • Stateful inspection for the FTP, RTSP, H323, SIP, MGCP, QQ, MSN, PPTP, SQL.NET, and MMS protocols
    • Java/ActiveX blocking
    • User-defined port detection
  • Blacklist
  • Attack defense
  • NAT
    • NAT No-PAT
    • NAT PAT
    • Bidirectional NAT
    • Intra-zone NAT and NAT ALG
    • Policy-based destination NAT
    • Internal server
    • NAT Server
    • Smart NAT
    • NAT with the port pre-allocation and incremental allocation feature
  • SSH 2.0
  • Security zones
  • Application protocol identification
  • IPCAR
  • QoS features
    • Congestion management
    • Congestion avoidance
    • Policy-based QoS
    • HQoS
    • Resource pre-assignment
  • Virtual firewall

AAA authentication
  • Authentication
    • Local authentication
    • Remote authentication through RADIUS
    • Remote authentication through HWTACACS
  • Authorization
    • Local authorization
    • Authorization through HWTACACS
    • RADIUS authorization

Availability
  • VRRP/VRRP6
  • VGMP
  • Link health check
  • HRP/HRP6
  • BFD
  • Interface state management group
  • Hot swapping
  • Dual MPUs

VPN
  • IPSec
    • IPv4 IPSec
    • IPv6 IPSec
    • IPSec tunnel nesting
    • IPSec multi-instance
    • IPSec dual-system hot backup
    • L2TP over IPSec
    • GRE over IPSec
  • IKEv1
    • DH exchange
    • DPD
    • Scheduled SA update
    • AES IKE encryption
    • Hardware encryption
    • Default IKE security proposal
    • NAT traversal of IKE IPSec SA negotiation
    • IKE negotiation using a digital signature certificate
    • Pre-shared key negotiation
    • DSCP identification of IKEv1 packets
  • IKEv2
    • DH exchange
    • DPD
    • Scheduled SA update
    • AES IKE encryption
    • Pre-shared key negotiation
    • EAP authentication (serving as the NAS device)
    • DSCP identification of IKEv2 packets
  • PKI
    • RSA key pair import and export
    • SCEP online certificate application
    • CMPv2 online certificate application
    • Offline certificate application
    • Automatic certificate update
    • OCSP
    • CRL
    • Certificate access control by attributes
  • L2TP (LNS)
  • GRE
  • The PE and CE device

Configuration management
  • Web UI
  • License control
  • SNMP v1/v2c/v3

System information
  • Syslog
  • Binary log
  • Log server (eLog)

UTM IPS
  • Fragment reassembly
  • Stream reassembly
  • Signature-based IDS
  • Protocol anomaly detection
  • Protocol identification
  • User-defined IPS signature
  • Global IPS on/off control
  • Classification-based access control action
  • Single signature-based forcible action
  • Interzone (direction-irrelevant) and local zone application
  • Privilege IPS policy configuration: configuring an IPS policy as the privilege policy
  • Signatures displayed by type
  • Signature search
  • Automatic update
  • Manual update
  • Local update
  • Version rollback

Report audit
  • UTM_IPS attack logs and reports

SA (Service Awareness)
  • P2P
  • IM
  • Game
  • Stock
  • VoIP
  • Video
  • Streaming
  • Email
  • Mobile
  • WebBrowsing
  • Remote_connectivity
  • Network_Administration
  • News_Groups

Application control
  • Application object control
  • Control action upon SA identification
  • SA identification flow range control

IPv6 features
  • IPv6 address
  • IPv6 neighbor discovery
  • SEND
  • DHCPv6
  • ICMPv6
  • ACL6
  • IPv6 packet filtering
  • IPv6 ASPF
  • IPv6 persistent connection
  • IPv6 IP-Car
  • IPv6 IPSec
  • IPSec tunnel nesting
    • IPSec 4over6 in transport mode
    • IPSec 6over4 in transport mode
    • IPSec 4over6 in tunnel mode
    • IPSec 6over4 in tunnel mode
  • IPv6 dual-system hot backup
  • IPv6 FTP
  • Path MTU
  • IPv6 virtual firewall

CGN features
  • IPv6 tunnel
    • IPv6 over IPv4 manual tunnel
    • IPv6 over IPv4 GRE tunnel
    • IPv6 over IPv4 automatic tunnel
    • 6to4 tunnel
    • 6RD tunnel
    • ISATAP tunnel
    • IPv4 over IPv6 tunnel
  • Endpoint Independent Mapping (EIM, or 3-tuple) NAT
  • NAT ALG
  • NAT444
  • NAT64
  • DS-Lite
  • NAT with the port pre-allocation and incremental allocation feature
  • DS-Lite with the port pre-allocation and incremental allocation feature
  • Static mapping

DDoS
  Multiple defense modes supported:
    • Global defense policy
    • Interface-based defense policy
    • Zone-based defense policy
    • Service-based defense policy
  Defendable attack types:
    • Single-packet attack
    • SYN flood attack
    • SYN-ACK flood attack
    • ACK flood attack
    • FIN/RST flood attack
    • TCP fragment flood attack
    • TCP abnormal flood attack
    • TCP flood attack
    • UDP flood attack
    • UDP fragment flood attack
    • ICMP flood attack
    • ICMP fragment flood attack
    • HTTP flood attack
    • CC attack
    • HTTP hijacking attack
    • HTTPS flood attack
    • SIP flood attack
    • TCP connection flood attack
    • DNS query flood attack
    • DNS reply flood attack
    • DNS reflection attack
    • DNS cache poisoning attack
    • DNS packet validity check and filtering
    • No-such-name packet alarm and capture
    • DNS statistics collection and monitoring
    • DNS rate limiting
    • Blacklist/whitelist
  Functions supported:
    • Interworking with third-party detecting devices
    • Diversified device forms
    • Log function
    • Zone-based destination IP address traffic statistics collection and rate limiting
    • Common destination IP address-based traffic statistics collection and rate limiting
    • Link status detection
    • Interworking with the ATIC management center for anti-DDoS service configuration and management
    • Cleaning devices in dual-system hot backup mode
    • Loop detection: the cleaning device cancels the traffic diversion policy if a loop is detected
    • Configurable delays for enabling and disabling attack defense
    • Zone statistics query