Huawei USG6630E/USG6650E/USG6680E/USG6712E/USG6716E Next-Generation Firewalls

Overview
With the continuous digitalization and cloudification of enterprise services, networks play an important role in enterprise operations, and must be protected. Network attackers use various methods, such as identity spoofing, website Trojan horses, and malware, to initiate network penetration and attacks, affecting the normal use of enterprise networks.
Deploying firewalls on network borders is a common way to protect enterprise network security. However, firewalls can only analyze and block threats based on signatures. This method cannot effectively handle unknown threats and may deteriorate device performance. This single-point and passive method does not pre-empt or effectively defend against unknown threat attacks. Threats hidden in encrypted traffic in particular cannot be effectively identified without breaching user privacy.
Huawei's next-generation firewalls provide the latest capabilities and work with other security devices to proactively defend against network threats, enhance border detection capabilities, effectively defend against advanced threats, and resolve performance deterioration problems. Network Processors provide firewall acceleration capability, which greatly improves the firewall throughput.

Product Highlights
Comprehensive and integrated protection
• Integrates the traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, URL filtering, and online behavior management functions all in one device.
• Interworks with the local or cloud sandbox to effectively detect unknown threats and prevent zero-day attacks.
• Implements refined bandwidth management based on applications and websites, preferentially forwards key services, and ensures bandwidth for key services.
More comprehensive defense
• The built-in traffic probe of a firewall extracts traffic information and reports it to the CIS, a security big data analysis platform developed by Huawei. The CIS analyzes threats in the traffic, without decrypting the traffic or compromising the device performance. The threat identification rate is higher than 90%.
• The deception system proactively responds to hacker scanning behavior and quickly detects and records malicious behavior, facilitating forensics and source tracing.
High performance
• Uses the network processing chip based on the ARM architecture, improving forwarding performance significantly.
• Enables chip-level pattern matching and accelerates encryption/decryption, improving the performance for processing IPS, antivirus, and IPSec services.
• The throughput of a 1 U device can reach 160 Gbit/s.
High port density
• The device has multiple types of interfaces, such as 100G, 40G, and 10G interfaces. Services can be flexibly expanded without extra interface cards.

Deployment
Data center border protection
• Firewalls are deployed at egresses of data centers, and functions and system resources can be virtualized. The firewall has multiple types of interfaces, such as 100G, 40G, and 10G interfaces. Services can be flexibly expanded without extra interface cards.
• The 18-Gigabit intrusion prevention capability effectively blocks a variety of malicious attacks and delivers differentiated defense based on virtual environment requirements to guarantee data security.
• VPN tunnels can be set up between firewalls and mobile workers and between firewalls and branch offices for secure and low-cost remote access and mobile working.
Enterprise border protection
• Firewalls are deployed at the network border. The built-in traffic probe extracts packets of encrypted traffic and sends the packets to the CIS, a big data analysis platform. In this way, threats in encrypted traffic are monitored in real time. Encrypted traffic does not need to be decrypted, protecting user privacy and preventing device performance deterioration.
• The deception function is enabled on the firewalls to proactively respond to malicious scanning behavior and associate with the CIS for behavior analysis to quickly detect and record malicious behavior, protecting the enterprise against threats in real time.
• The policy control, data filtering, and audit functions of the firewalls are used to monitor social network applications to prevent data breaches and protect enterprise networks.
HUAWEI TECHNOLOGIES CO., LTD.
Specifications
System Performance and Capacity
| Model | USG6630E | USG6650E | USG6680E | USG6712E | USG6716E |
|---|---|---|---|---|---|
| IPv4 Firewall Throughput [1] (1518/512/64-byte, UDP) | 30/30/30 Gbit/s | 40/40/35 Gbit/s | 80/80/80 Gbit/s | 120/120/100 Gbit/s | 160/160/100 Gbit/s |
| FW+SA*+IPS Throughput [2] | 13 Gbit/s | 15 Gbit/s | 24 Gbit/s | 40 Gbit/s | 40 Gbit/s |
| Full Protection Throughput [3] | 10 Gbit/s | 11 Gbit/s | 22 Gbit/s | 33 Gbit/s | 36 Gbit/s |
| Concurrent Sessions [1] (TCP) | 12,000,000 | 12,000,000 | 25,000,000 | 35,000,000 | 50,000,000 |
| New Sessions/Second [1] (TCP) | 400,000 | 400,000 | 800,000 | 1,400,000 | 1,600,000 |
| IPSec VPN Throughput [1] (AES-256+SHA256, 1420-byte) | 20 Gbit/s | 30 Gbit/s | 70 Gbit/s | 100 Gbit/s | 120 Gbit/s |
| Maximum IPSec VPN Tunnels | 15,000 | 15,000 | 60,000 | 120,000 | 120,000 |
| SSL Inspection Throughput [4] | 6 Gbit/s | 6 Gbit/s | 12 Gbit/s | 18 Gbit/s | 18 Gbit/s |
| SSL VPN Throughput [5] | 2.8 Gbit/s | 3 Gbit/s | 6 Gbit/s | 10 Gbit/s | 12 Gbit/s |
| Concurrent SSL VPN Users (Default/Maximum) | 100/5000 | 100/5000 | 100/15000 | 100/30000 | 100/30000 |
| Firewall Policies (Maximum) | 40,000 | 40,000 | 60,000 | 60,000 | 60,000 |
| Virtual Firewalls (Maximum) | 500 | 1,000 | 1,000 | 1,000 | 1,000 |

Dimensions (H×W×D) mm: 44×442×420 | 44×442×600
Form Factor/Height: 1U
Fixed Interface: 2*40G(QSFP+)+12*10GE(SFP+)+12*GE | 4*40GE(QSFP+)+28*10GE(SFP+)+2*10GE(SFP+) HA [6] | 2*100G(QSFP28)+2*40G(QSFP+)+20*10GE(SFP+)+2*10GE(SFP+) HA [7]
USB Port: 1×USB 3.0 Ports
MTBF: 29.34 years | 25 years
Weight (Full Configuration): 7.6 kg | 12 kg
Local Storage: Optional, SSD (1×2.5inch) supported, 240GB/HDD (1×2.5inch) supported, 1TB
AC Power Supply: AC: 100V to 240V, 50/60Hz; DC: -48V ~ -60V | 100V to 240V, 50/60Hz
Power Consumption (Average/Maximum): AC: 138.4W/195.8W; DC: 125.5W/177.0W | 138.4W/195.8W | 346W/488.3W | 382.9W/566W
Power Supplies: Dual AC or dual DC power supplies | Dual AC power supplies
Operating Environment (Temperature/Humidity): Temperature: 0°C to 45°C (without optional HDD); 5°C to 40°C (with optional HDD). Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensing
URL Filtering: URLs: Can access a database of over 120 million URLs in the cloud
Automated Threat Feed and IPS Signature Updates: Yes, an industry-leading security center from Huawei (http://sec.huawei.com/sec/web/index.do)
High Availability Configurations: Active/Active, Active/Standby
Certifications
Hardware: CB, CE-SDOC, ROHS, REACH&WEEE(EU), RCM, NRTL, FCC&IC, CCC, VCCI
| Feature | Description |
|---|---|
| Integrated protection | Integrates firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, anti-DDoS, URL filtering, and anti-spam functions. Provides a global configuration view, and manages policies in a unified manner. |
| Application identification and control | Identifies over 6000 applications and supports the access control granularity down to application functions. The firewall combines application identification with intrusion detection, antivirus, and data filtering, improving detection performance and accuracy. |
| Cloud-based management mode | The firewall initiates authentication and registration to the cloud management platform to implement plug-and-play and simplify network creation and deployment. Service configuration, device monitoring, and fault management can be performed remotely, implementing the management of mass devices in the cloud. |
| Cloud application security awareness | Controls enterprise cloud applications in a refined and differentiated manner to meet enterprises' requirements for cloud application management. |
| Intrusion prevention and web protection | Accurately detects and defends against vulnerability-specific attacks based on up-to-date threat information. The firewall can defend against web-specific attacks, including SQL injection and XSS attacks. |
| Antivirus | Rapidly detects over 5 million types of viruses based on the daily-updated virus signature database. |
| Anti-APT | Collaborates with the local or cloud sandbox to detect and block malicious files. Supports the flow probe information collection function to collect traffic information and send the collected information to the CIS (Cybersecurity Intelligence System) for analysis, evaluation, and identification of threats and APT attacks. Encrypted traffic does not need to be decrypted. The firewall can work with the CIS to detect threats in encrypted traffic. The firewall can proactively respond to malicious scanning behavior and work with the CIS to analyze behavior, quickly detect and record malicious behavior, and protect enterprises against threats in real time. |
| Data leak prevention (DLP) | Inspects files to identify the file types, such as WORD, EXCEL, POWERPOINT, and PDF, based on file content, and filters the file content. |
| Bandwidth management | Manages per-user and per-IP bandwidth in addition to identifying service applications to ensure the network access experience of key services and users. Control methods include limiting the maximum bandwidth, ensuring the minimum bandwidth, and changing application forwarding priorities. |
| URL filtering | Provides a URL category database with over 120 million URLs and accelerates access to specific categories of websites, improving access experience of high-priority websites. Supports DNS filtering, in which accessed web pages are filtered based on domain names. Supports the SafeSearch function to filter resources of search engines, such as Google, to guarantee access to only healthy network resources. |
| Behavior and content audit | Audits and traces the sources of the accessed content based on users. |
| Load balancing | Supports server load balancing and link load balancing, fully utilizing existing network resources. |
| Intelligent uplink selection | Supports service-specific PBR and intelligent uplink selection based on multiple load balancing algorithms (for example, based on bandwidth ratio and link health status) in multi-egress scenarios. |
| VPN encryption | Supports multiple highly available VPN features, such as IPSec VPN, SSL VPN, L2TP VPN, MPLS VPN, and GRE, and provides the Huawei-developed VPN client SecoClient for SSL VPN, L2TP VPN, and L2TP over IPSec VPN remote access. |
| DSVPN | Dynamic smart VPN (DSVPN) establishes VPN tunnels between branches whose public addresses are dynamically changed, reducing the networking and O&M costs of the branches. |
| SSL-encrypted traffic detection | Detects and defends against threats in SSL-encrypted traffic using application-layer protection methods, such as intrusion prevention, antivirus, data filtering, and URL filtering. |
| SSL offloading | Replaces servers to implement SSL encryption and decryption, effectively reducing server loads and implementing HTTP traffic load balancing. |
| Anti-DDoS | Defends against more than 10 types of common DDoS attacks, including SYN flood and UDP flood attacks. |
| User authentication | Supports multiple user authentication methods, including local, RADIUS, HWTACACS, AD, and LDAP. The firewall supports built-in Portal and Portal redirection functions. It can work with the Agile Controller to implement multiple authentication modes. |
| Security virtualization | Supports virtualization of multiple types of security services, including firewall, intrusion prevention, antivirus, and VPN. Users can separately conduct personal management on the same physical device. |
| Security policy management | Manages and controls traffic based on VLAN IDs, quintuples, security zones, regions, applications, URL categories, and time ranges, and implements integrated content security detection. Provides predefined common-scenario defense templates to facilitate security policy deployment. Provides security policy management solutions in partnership with FireMon and AlgoSec to reduce O&M costs and potential faults. |
| Diversified reports | Provides visualized and multi-dimensional report display by user, application, content, time, traffic, threat, and URL. Generates network security analysis reports on the Huawei security center platform to evaluate the current network security status and provide optimization suggestions. |
| Routing | Supports multiple types of routing protocols and features, such as RIP, OSPF, BGP, IS-IS, RIPng, OSPFv3, BGP4+, and IPv6 IS-IS. |
| Deployment and reliability | Supports transparent, routing, and hybrid working modes and high availability (HA), including the Active/Active and Active/Standby modes. |

1. The performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.
2. Antivirus, IPS, and SA performances are measured using 100 KB HTTP files.
3. Full protection throughput is measured with Firewall, SA, IPS, Antivirus and URL Filtering enabled. Antivirus, IPS and SA performances are measured using 100 KB HTTP files.
4. SSL inspection throughput is measured with IPS enabled and HTTPS traffic using TLS v1.2 with AES128-GCM-SHA256.
5. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.
6. Some 10G ports and 40G ports are mutually exclusive. The ports can be configured as follows: 4×40GE(QSFP+)+20×10GE(SFP+)+2×10GE(SFP+) HA+1×USB3.0 or 2×40GE(QSFP+)+28×10GE(SFP+)+2×10GE(SFP+) HA+1×USB3.0.
7. Some 10G ports and 100G ports are mutually exclusive. The ports can be configured as follows: 2×100G(QSFP28)+2×40G(QSFP+)+12×10GE(SFP+)+2×10GE(SFP+) HA+1×USB3.0 or 4×40G(QSFP+)+20×10GE(SFP+)+2×10GE(SFP+) HA+1×USB3.0.
*SA: Service Awareness.
About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the
property of Huawei Technologies Co., Ltd. or a third party.
Copyright©2019 Huawei Technologies Co., Ltd. All rights reserved.