下一代防火墙
产品描述
ISG系列下一代防火墙产品是安徽皖通邮电推出的集高性能网关、IPS、防病毒和上网行为管理等多种功能于一体的下一代防火墙产品,可广泛应用于政府、医疗、企业、运营商、金融、教育等网络场景,配合安徽皖通邮电的路由器、交换机、无线等产品,可为用户提供完整的端到端解决方案,是网络出口和不同策略区域之间安全互联的理想选择。
ISG系列下一代防火墙产品包括F1005-W、F1008、F2004、F1102、F1112、F2212、F3208和F5624等产品,满足不同网络规模的用户需求。
关键特性
- 高性能架构,基于第三代多核并行化架构,提供超万兆实网性能
- 多维度安全控制,基于七元组、多维度的安全控制能力,涵盖访问控制、会话控制、行为控制和流量控制
- 全面的安全防护,集防火墙、入侵检测、病毒检测、Web安全分类、内容过滤和应用行为管理于一体,降低投资成本
- 下一代敏捷运维,丰富的图形化展示方式,从应用和用户视角多层面呈现网络应用状态
技术规格
| F1005-W(桌面型) | F1008 | F2004 | |
| 物理特性 | |||
| 尺寸W×D×H mm | 240×182×28 | 435×330×44.5 | 435×330×44.5 |
| 固定接口 | 5×GE RJ45 | 8×GE RJ45+ 2×GE SFP | 16×GE RJ45+ 2×GE SFP+ 4×10GE SFP+ |
| 电源 | 外置单电源 | AC单电源 | 冗余电源 |
| Wi-Fi | 支持802.11b/g/n,2.4GHz | NA | NA |
| 工作温度 | 0°C~50°C | ||
| 存储温度 | -20°C~70°C | ||
| 存储湿度 | 5% ~ 90% | ||
| 网络特性 | |||
| 部署模式 | 支持透明、路由、混合及单臂部署 | ||
| VLAN | 支持 | ||
| DHCP | 支持 | ||
| 路由协议 | 静态路由、RIPv1/v2、OSPF、BGP | ||
| NAT | NAT、PAT、NAT穿越(FTP、TFTP、H.323、SQL*NET等)、NAT地址池、NAT46/NAT64等 | ||
| DNS | 支持DNS Server/Client、DNS记录、DNS透明代理等 | ||
| VPN | 支持L2TP VPN、IPSec VPN和SSL VPN | ||
| PPPoE客户端 | 支持 | ||
| 安全防护 | |||
| 防火墙 | 支持基于接口/安全域、源/目的地址、源/目的端口、用户、服务、应用和时间的防火墙策略 | ||
| 入侵防御IPS | 支持基于状态的协议分析和协议树匹配算法,同时支持IPV4及IPV6环境下的入侵防御功能 | ||
| 系统预定义数千种攻击特征库,每周更新,并支持用户自定义特征 | |||
| 支持基于接口/安全域、地址、用户、服务和时间参数的入侵防护策略 | |||
| 防病毒 | 支持对HTTP、POP3等协议下的文件进行病毒扫描 | ||
| 防攻击 | 支持常见的DOS/DDOS攻击防护、基于TCP、UDP和ICMP的扫描防护、智能TCP Flood防御、TCPFlood、UDPFlood、ICMPFlood攻击防护、ARP攻击防护等 | ||
| 会话控制 | 支持基于协议的长连接管理 | ||
| 上网行为管理 | |||
| 智能应用识别 | 基于深度包检测(DPI)、深度流检测(DFI)和网络行为分析(NBA)技术,实现对主流应用的准确识别 | ||
| 应用控制 | 社交网络类应用控制(微博、百度贴吧等)、搜索引擎类应用控制(百度、谷歌等)、P2P下载类应用控制、视频类应用控制(优酷、斗鱼等)、电子邮件类应用控制等 | ||
| 特征库 | 支持应用特征库、自定义特征库、特征库升级等 | ||
| URL过滤 | 支持基于预定义或自定义分类,对网站访问进行分类管理和控制 | ||
| 应用分类 | 支持基于业务行为模式、应用大类或自定义应用组的应用控制 | ||
| 流量控制及QoS | |||
| 流量识别 | 基于物理接口或VLAN接口的线路带宽设定 | ||
| 支持基于源IP地址、目的IP地址、应用、服务端口和时间的流分类 | |||
| 流量管控 | 限制最大带宽和保障最小带宽,设置转发优先级等 | ||
| 系统管理与配置 | |||
| Web管理 | 支持,HTTP/HTTPS,支持中文及英文WEB界面 | ||
| 命令行管理 | 支持,支持TELNET、SSH及串口等方式 | ||
| SNMP | 支持SNMPv1/v2/v3 | ||
| NTP时间同步 | 支持 | ||
| 管理员登录 | 支持基于本地帐号、Radius、LDAP的管理员登录认证,支持设定每个管理员帐号的可登录IP范围 | ||
| 管理员权限分级 | 支持 | ||
| 设备管理 | 支持本地管理、集中管理,远程管理 | ||
| 日志和监控 | |||
| 本地日志 | 支持各类日志的本地存储 | ||
| 远程日志 | 支持Syslog服务器 | ||
| 日志级别 | 用户可以根据级别和日志来源过滤日志的记录 | ||
| 日志报表 | 系统提供流量报表和威胁报表,时间周期为最近1小时/1天/7天/30天 | ||
| 邮件报警 | 支持,自定义特定日志情况下触发邮件报警 | ||
| 可视化监控 | 支持威胁可视化、用户/应用流量可视化、接口流量可视化监控 | ||
| 系统监控 | 支持指定时间段的系统总流量、CPU使用率,内存使用率,设备温度、总连接数,每秒新建连接数的统计图表 | ||
| 高可用性 | |||
| 双机热备 | 支持 | ||
| 备机可管理 | 支持 | ||
| VRRP协议 | 支持 | ||
| F1005-W(Desktop version) | F1008 | F2004 | |
| physical properties | |||
| size W×D×H mm | 240×182×28 | 435×330×44.5 | 435×330×44.5 |
| Fixed interface | 5×GE RJ45 | 8×GE RJ45+ 2×GE SFP | 16×GE RJ45+ 2×GE SFP+ 4×10GE SFP+ |
| power supply | External single power supply | AC single power supply | Redundant power supply |
| Wi-Fi | Supports 802.11b/g/n, 2.4GHz | NA | NA |
| Operating temperature | 0°C~50°C | ||
| Storage temperature | -20°C~70°C | ||
| Storage humidity | 5% ~ 90% | ||
| Network characteristics | |||
| Deployment mode | Supports transparent, routed, hybrid, and single-arm deployments. | ||
| VLAN | Supports | ||
| DHCP | Supports | ||
| Routing protocols | Static routing, RIPv1/v2, OSPF, BGP | ||
| NAT | NAT, PAT, NAT traversal (FTP, TFTP, H.323, SQL*NET, etc.), NAT address pool, NAT46/NAT64, etc. | ||
| DNS | Supports DNS Server/Client, DNS records, and transparent DNS proxy. | ||
| VPN | Supports L2TP VPN, IPSec VPN and SSL VPN | ||
| PPPoE client | Supports | ||
| Safety protection | |||
| Firewall | Supports firewall policies based on interface/security domain, source/destination address, source/destination port, user, service, application, and time. | ||
| Intrusion Prevention IPS | It supports state-based protocol analysis and protocol tree matching algorithms, and also supports intrusion prevention functions in both IPv4 and IPv6 environments. | ||
| The system has a predefined database of thousands of attack signatures, updated weekly, and also supports user-defined signatures. | |||
| Supports intrusion prevention policies based on interface/security domain, address, user, service, and time parameters. | |||
| Antivirus | Supports virus scanning of files using protocols such as HTTP and POP3. | ||
| Anti-attack | Supports protection against common DOS/DDOS attacks, scanning protection based on TCP, UDP, and ICMP, intelligent TCP Flood defense, TCP Flood, UDP Flood, ICMP Flood attack protection, ARP attack protection, etc. | ||
| Session control | Supports protocol-based long-lived connection management | ||
| Internet behavior management | |||
| Intelligent application recognition | Based on Deep Packet Inspection (DPI), Deep Flow Inspection (DFI), and Network Behavior Analysis (NBA) technologies, accurate identification of mainstream applications is achieved. | ||
| Application Control | Controls for social networking applications (Weibo, Baidu Tieba, etc.), search engine applications (Baidu, Google, etc.), P2P download applications, video applications (Youku, Douyu, etc.), and email applications, etc. | ||
| Feature library | Supports application feature libraries, custom feature libraries, and feature library upgrades. | ||
| URL filtering | Supports categorized management and control of website access based on predefined or custom categories. | ||
| Application Classification | Supports application control based on business behavior patterns, application categories, or custom application groups. | ||
| Flow control and QoS | |||
| Traffic identification | Line bandwidth settings based on physical interface or VLAN interface | ||
| Supports flow classification based on source IP address, destination IP address, application, service port, and time. | |||
| Traffic control | Limiting maximum bandwidth and guaranteeing minimum bandwidth, setting forwarding priorities, etc. | ||
| System Management and Configuration | |||
| Web Management | Supports HTTP/HTTPS and Chinese and English web interfaces. | ||
| Command line management | Supports TELNET, SSH, and serial port connections. | ||
| SNMP | Supports SNMPv1/v2/v3 | ||
| NTP Time Synchronization | Supports | ||
| Administrator Login | Supports administrator login authentication based on local accounts, RADIUS, and LDAP, and allows setting the IP range that each administrator account can log in to. | ||
| Administrator privilege levels | Supports | ||
| Equipment Management | Supports local management, centralized management, and remote management. | ||
| Logs and monitoring | |||
| Local logs | Supports local storage of various logs | ||
| Remote Logs | Support Syslog server | ||
| Log levels | Users can filter log records based on level and log source. | ||
| Log Report | The system provides traffic reports and threat reports, with time periods of the most recent hour/day/7 days/30 days. | ||
| Email alerts | Supports triggering email alerts for specific log entries. | ||
| Visual monitoring | Supports threat visualization, user/application traffic visualization, and API traffic visualization monitoring. | ||
| System monitoring | Supports statistical charts of total system traffic, CPU utilization, memory utilization, device temperature, total connections, and new connections per second for a specified time period. | ||
| High availability | |||
| Dual-machine hot standby | Supports | ||
| Backup machine is manageable | Supports | ||
| VRRP protocol | Supports | ||
| F1102 | F1112 | F2212 | F3208 | F5624 | |
| 物理特性 | |||||
| 尺寸W×D×H mm | 440×330×44 | 435×330×44.5 | 450×440×44 | 440×501×88 | 440×600×88 |
| 固定接口 | 8×GE RJ45 ++2×GE SFP+2×10GE SFP+ | 8×GE RJ45+ 4×GE SFP | 16×GE RJ45+ 4×GE SFP+ 4×10GE SFP+ | 16×GE RJ45+ 2×GE SFP+ 4×10GE SFP+ | 8×GE RJ45+ 4×GE SFP+ 4×10GE SFP+ |
| 扩展槽 | 1 | 1 | 2 | 2 | 6 |
| 电源 | 冗余电源 | 单电源 | 冗余电源 | 冗余电源 | 冗余电源 |
| 工作温度 | 0~40°C | ||||
| 存储温度 | -25~70°C | ||||
| 存储湿度 | 20%~95% | ||||
| 网络特性 | |||||
| 部署模式 | 支持透明、路由、混合及单臂部署 | ||||
| VLAN | 支持 | ||||
| DHCP | 支持 | ||||
| 路由协议 | 静态路由、RIPv1/v2、OSPF、BGP | ||||
| NAT | NAT、PAT、NAT穿越(FTP、TFTP、H.323、SQL*NET等)、NAT地址池、NAT46/NAT64等 | ||||
| DNS | 支持DNS Server/Client、DNS记录、DNS透明代理等 | ||||
| VPN | 支持L2TP VPN、IPSec VPN和SSL VPN | ||||
| PPPoE客户端 | 支持 | ||||
| 安全防护 | |||||
| 防火墙 | 支持基于接口/安全域、源/目的地址、源/目的端口、用户、服务、应用和时间的防火墙策略 | ||||
| 入侵防御IPS | 支持基于状态的协议分析和协议树匹配算法,同时支持IPV4及IPV6环境下的入侵防御功能 | ||||
| 系统预定义数千种攻击特征库,每周更新,并支持用户自定义特征 | |||||
| 支持基于接口/安全域、地址、用户、服务和时间参数的入侵防护策略 | |||||
| 防病毒 | 支持对HTTP、POP3等协议下的文件进行病毒扫描 | ||||
| 防攻击 | 支持常见的DOS/DDOS攻击防护、基于TCP、UDP和ICMP的扫描防护、智能TCP Flood防御、TCPFlood、UDPFlood、ICMPFlood攻击防护、ARP攻击防护等 | ||||
| 会话控制 | 支持基于协议的长连接管理 | ||||
| 上网行为管理 | |||||
| 智能应用识别 | 基于深度包检测(DPI)、深度流检测(DFI)和网络行为分析(NBA)技术,实现对主流应用的准确识别 | ||||
| 应用控制 | 社交网络类应用控制(微博、百度贴吧等)、搜索引擎类应用控制(百度、谷歌等)、P2P下载类应用控制、视频类应用控制(优酷、斗鱼等)、电子邮件类应用控制等 | ||||
| 特征库 | 支持应用特征库、自定义特征库、特征库升级等 | ||||
| URL过滤 | 支持基于预定义或自定义分类,对网站访问进行分类管理和控制 | ||||
| 应用分类 | 支持基于业务行为模式、应用大类或自定义应用组的应用控制 | ||||
| 流量控制及QoS | |||||
| 流量识别 | 基于物理接口或VLAN接口的线路带宽设定 | ||||
| 支持基于源IP地址、目的IP地址、应用、服务端口和时间的流分类 | |||||
| 流量管控 | 限制最大带宽和保障最小带宽,设置转发优先级等 | ||||
| 系统管理与配置 | |||||
| Web管理 | 支持,HTTP/HTTPS,支持中文及英文WEB界面 | ||||
| 命令行管理 | 支持,支持TELNET、SSH及串口等方式 | ||||
| SNMP | 支持SNMPv1/v2/v3 | ||||
| NTP时间同步 | 支持 | ||||
| 管理员登录 | 支持基于本地帐号、Radius、LDAP的管理员登录认证,支持设定每个管理员帐号的可登录IP范围 | ||||
| 管理员权限分级 | 支持 | ||||
| 设备管理 | 支持本地管理、集中管理,远程管理 | ||||
| 日志和监控 | |||||
| 本地日志 | 支持各类日志的本地存储 | ||||
| 远程日志 | 支持Syslog服务器 | ||||
| 日志级别 | 用户可以根据级别和日志来源过滤日志的记录 | ||||
| 日志报表 | 系统提供流量报表和威胁报表,时间周期为最近1小时/1天/7天/30天 | ||||
| 邮件报警 | 支持,自定义特定日志情况下触发邮件报警 | ||||
| 可视化监控 | 支持威胁可视化、用户/应用流量可视化、接口流量可视化监控 | ||||
| 系统监控 | 支持指定时间段的系统总流量、CPU使用率,内存使用率,设备温度、总连接数,每秒新建连接数的统计图表 | ||||
| 高可用性 | |||||
| 双机热备 | 支持 | ||||
| 备机可管理 | 支持 | ||||
| VRRP协议 | 支持 | ||||
| F1102 | F1112 | F2212 | F3208 | F5624 | |
| 物理特性 | |||||
| sizeW×D×H mm | 440×330×44 | 435×330×44.5 | 450×440×44 | 440×501×88 | 440×600×88 |
| Fixed interface | 8×GE RJ45 ++2×GE SFP+2×10GE SFP+ | 8×GE RJ45+ 4×GE SFP | 16×GE RJ45+ 4×GE SFP+ 4×10GE SFP+ | 16×GE RJ45+ 2×GE SFP+ 4×10GE SFP+ | 8×GE RJ45+ 4×GE SFP+ 4×10GE SFP+ |
| Expansion slot | 1 | 1 | 2 | 2 | 6 |
| power supply | Redundant power supply | Single power supply | Redundant power supply | Redundant power supply | Redundant power supply |
| Operating temperature | 0~40°C | ||||
| Storage temperature | -25~70°C | ||||
| Storage humidity | 20%~95% | ||||
| Network characteristics | |||||
| Deployment mode | Supports transparent, routed, hybrid, and single-arm deployments. | ||||
| VLAN | Supports | ||||
| DHCP | Supports | ||||
| Routing protocols | Static routing, RIPv1/v2, OSPF, BGP | ||||
| NAT | NAT, PAT, NAT traversal (FTP, TFTP, H.323, SQL*NET, etc.), NAT address pool, NAT46/NAT64, etc. | ||||
| DNS | Supports DNS Server/Client, DNS records, and transparent DNS proxy. | ||||
| VPN | Supports L2TP VPN, IPSec VPN and SSL VPN | ||||
| PPPoE client | Supports | ||||
| Safety protection | |||||
| Firewall | Supports firewall policies based on interface/security domain, source/destination address, source/destination port, user, service, application, and time. | ||||
| Intrusion Prevention IPS | It supports state-based protocol analysis and protocol tree matching algorithms, and also supports intrusion prevention functions in both IPv4 and IPv6 environments. | ||||
| The system has a predefined database of thousands of attack signatures, updated weekly, and also supports user-defined signatures. | |||||
| Supports intrusion prevention policies based on interface/security domain, address, user, service, and time parameters. | |||||
| Antivirus | Supports virus scanning of files using protocols such as HTTP and POP3. | ||||
| Anti-attack | Supports protection against common DOS/DDOS attacks, scanning protection based on TCP, UDP, and ICMP, intelligent TCP Flood defense, TCP Flood, UDP Flood, ICMP Flood attack protection, ARP attack protection, etc. | ||||
| Session control | Supports protocol-based long-lived connection management | ||||
| Internet behavior management | |||||
| Intelligent application recognition | Based on Deep Packet Inspection (DPI), Deep Flow Inspection (DFI), and Network Behavior Analysis (NBA) technologies, accurate identification of mainstream applications is achieved. | ||||
| Application Control | Controls for social networking applications (Weibo, Baidu Tieba, etc.), search engine applications (Baidu, Google, etc.), P2P download applications, video applications (Youku, Douyu, etc.), and email applications, etc. | ||||
| Feature library | Supports application feature libraries, custom feature libraries, and feature library upgrades. | ||||
| URL filtering | Supports categorized management and control of website access based on predefined or custom categories. | ||||
| Application Classification | Supports application control based on business behavior patterns, application categories, or custom application groups. | ||||
| Flow control and QoS | |||||
| Traffic identification | Line bandwidth settings based on physical interface or VLAN interface | ||||
| Supports flow classification based on source IP address, destination IP address, application, service port, and time. | |||||
| Traffic control | Limiting maximum bandwidth and guaranteeing minimum bandwidth, setting forwarding priorities, etc. | ||||
| System Management and Configuration | |||||
| Web Management | Supports HTTP/HTTPS and Chinese and English web interfaces. | ||||
| Command line management | Supports TELNET, SSH, and serial port connections. | ||||
| SNMP | Supports SNMPv1/v2/v3 | ||||
| NTP Time Synchronization | Supports | ||||
| Administrator Login | Supports administrator login authentication based on local accounts, RADIUS, and LDAP, and allows setting the IP range that each administrator account can log in to. | ||||
| Administrator privilege levels | Supports | ||||
| Equipment Management | Supports local management, centralized management, and remote management. | ||||
| Logs and monitoring | |||||
| Local logs | Supports local storage of various logs | ||||
| Remote Logs | Support Syslog server | ||||
| Log levels | Users can filter log records based on level and log source. | ||||
| Log Report | The system provides traffic reports and threat reports, with time periods of the most recent hour/day/7 days/30 days. | ||||
| Email alerts | Supports triggering email alerts for specific log entries. | ||||
| Visual monitoring | Supports threat visualization, user/application traffic visualization, and API traffic visualization monitoring. | ||||
| System monitoring | Supports statistical charts of total system traffic, CPU utilization, memory utilization, device temperature, total connections, and new connections per second for a specified time period. | ||||
| High availability | |||||
| Dual-machine hot standby | Supports | ||||
| Backup machine is manageable | Supports | ||||
| VRRP protocol | Supports | ||||