The Hillstone X10800 Data Center Firewall offers outstanding performance, reliability, and scalability, for high-speed service providers, large enterprises and carrier networks. The product is based on an innovative fully distributed architecture that fully implements firewalls with high throughput, concurrent connections, and new sessions. Hillstone X10800 also supports large-capacity virtual firewalls, providing flexible security services for virtualized environments, and features such as application identification, traffic management, intrusion prevention, and attack prevention to fully protect data center network security.

Hillstone’s Elastic Security Architecture: A breakthrough technology for data centers

With traffic explosively increasing, data center firewalls need powerful capabilities to handle high traffic and massive concurrent user access, as well as the ability to effectively cope with sudden bursts of user activity. Therefore, data center firewalls must not only have high throughput but also extremely high concurrent connections and new session processing capabilities.

The Hillstone X10800 Data Center Firewall adopts an innovative, fully distributed architecture to implement distributed high-speed processing of service traffic on Service Modules (SSMs) and Interface Modules (IOMs) through intelligent traffic distribution algorithms. Through patented resource management algorithms, it allows for the full potential of distributed multi-core processor platforms, to further increase the performance of firewall concurrent connections, new sessions per second, and achieve a fullly linear expansion of system performance. The X10800 data center firewall can process up to 1 Tbps, up to 10 million new sessions per second, and up to 480 million concurrent connections. The device can provide up to 44 100GE interfaces, 88 10G interfaces, or 22 40GE interface, 132 10G interface expansion capabilities. Moreover, the packet forwarding delay is less than 10us, which can fully meet a data center’s demand for real-time service forwarding.

Carrier-Grade Reliability

The hardware and software of the X10800 data center firewall delivers 99.999% carrier-grade reliability. It can support active/active or active/passive mode redundant deployment solutions to ensure uninterrupted service during single failure. The entire system adopts a modular design, supporting control module redundancy, service module redundancy, interface module redundancy and switching module redundancy, and all modules are hot-swappable.

Leading virtual firewall technology

The X10800 data center firewall can logically divide a physical firewall into upwards of 1000 virtual firewalls for the data center’s virtualization needs, providing virtual firewall support capabilities for large data centers. Each virtual firewall system of X10800 data center firewalls not only has independent system resources, but also can be individually and granularly managed to provide independent security management planes for different services or users.

Granular application control and comprehensive security

The X10800 data center firewall uses advanced in-depth application identification technology to accurately identify thousands of network applications based on protocol features, behavior characteristics, and correlation analysis, including hundreds of mobile applications and encrypted P2P applications. The X10800 data center firewall provides intrusion prevention technology based on deep application identification, protocol detection, and attack principle analysis. In addition, The X10800 data center firewall supports URL filtering for tens of millions of URL signature library.

Strong network adaptability

The X10800 data center firewall fully supports next-generation Internet deployment technologies (including dual-stack, tunnel, DNS64/NAT64 and other transitional technologies). It also has mature NAT444 capabilities to support static mapping of fixed-port block of external network addresses to intranet addresses. In addition, the X10800 data center firewall provides full compliance with standard IPSec VPN capabilities and integrates third-generation SSL VPN to provide users with high-performance, high-capacity, and full-scale VPN solution.

Key features

  • Dynamic routing (OSPF, BGP, RIPv2)
  • Static and policy routing
  • Route controlled by application
  • Built-in DHCP, NTP, DNS server and DNS proxy
  • Tap mode—connect to SPAN port
  • Interface modes: sniffer, port aggregated, loopback, VLANS (802.1Q and trunking)
  • L2/L3 switching & routing
  • Virtual wire (Layer 1) transparent inline deployment
  • Operating modes: NAT/route, transparent (bridge), and mixed mode
  • Policy objects: predefined, custom, and object grouping
  • Security policy based on application, role and geo-location
  • Application Level Gateways and session support: MSRCP, PPTP, RAS, RSH, SIP, FTP, TFTP, HTTP, dcerpc, dns-tcp, dns-udp, H.245 0, H.245 1, H.323
  • NAT and ALG support: NAT46, NAT64, NAT444, SNAT, DNAT, PAT, Full Cone NAT, STUN
  • NAT configuration: per policy and central NAT table
  • VoIP: SIP/H.323/SCCP NAT traversal, RTP pin holing
  • Global policy management view
  • Security policy redundancy inspection
  • Security policy redundancy inspection, policy group, policy configuration rollback
  • Comprehensive DNS policy
  • Schedules: one-time and recurring
  • Protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
  • IPS Actions: default, monitor, block, reset (attackers IP or victim IP, incoming interface) with expiry time
  • Packet logging option
  • Filter Based Selection: severity, target, OS, application or protocol
  • IP exemption from specific IPS signatures
  • IDS sniffer mode
  • IPv4 and IPv6 rate based DoS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCIP/ICMP session flooding (source/destination)
  • Active bypass with bypass interfaces
  • Predefined prevention configuration
  • Abnormal protocol attack defense
  • Anti-DoS/DDoS, including SYN Flood, DNS Query Flood defense
  • ARP attack defense
  • Flow-based web filtering inspection
  • Manually defined web filtering based on URL, web content and MIME header
  • Dynamic web filtering with cloud-based real-time categorization database: over 140 million URLs with 64 categories (8 of which are security related)
  • Web filtering profile override: allows administrator to temporarily assign different profiles to user/group/IP
  • Additional web filtering features:
    • Filter Java Applet, ActiveX and/or cookie
    • Block HTTP Post
    • Log search keywords
    • Exempt scanning encrypted connections on certain categories for privacy
  • Web filter local categories and category rating override
  • Botnet server IP blocking with global IP reputation database
  • Support to identify endpoint IP, endpoint quantity, on-line time, off-line time, and on-line duration
  • Support 10 operation systems
  • Support query based on IP, endpoint quantity, control policy and status etc.
  • Support the identification of accessed endpoints quantity across layer 3, logging and interference on overrun IP
  • Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
  • Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
  • Actions: block, reset session, monitor, traffic shaping
  • Identify and control applications in the cloud
  • Provide multi-dimensional monitoring and statistics for applications running in the cloud, including risk category and characteristics
  • Max/guaranteed bandwidth tunnels or IP/user basis
  • Tunnel allocation based on security domain, interface, address, user/user group, server/server group, application/app group, TOS, VLAN
  • Bandwidth allocated by time, priority, or equal bandwidth sharing
  • Type of Service (TOS) and Differentiated Services (DiffServ) support
  • Prioritized allocation of remaining bandwidth
  • Maximum concurrent connections per IP
  • Bandwidth allocation based on URL category
  • Bandwidth limit by delaying access for user or IP
  • Weighted hashing, weighted least-connection, and weighted round-robin
  • Session protection, session persistence and session status monitoring
  • Server health check, session monitoring and session protection
  • Bidirectional link load balancing
  • Outbound link load balancing includes policy based routing, ECMP and weighted, embedded ISP routing and dynamic detection
  • Inbound link load balancing supports SmartDNS and dynamic detection
  • Automatic link switching based on bandwidth, latency, jitter, connectivity, application etc.
  • Link health inspection with ARP, PING, and DNS
  • IPSec VPN:
    • IPSEC Phase 1 mode: aggressive and main ID protection mode
    • Peer acceptance options: any ID, specific ID, ID in dialup user group
    • Supports IKEv1 and IKEv2 (RFC 4306)
    • Authentication method: certificate and pre-shared key
    • IKE mode configuration support (as server or client)
    • DHCP over IPSEC
    • Configurable IKE encryption key expiry, NAT traversal keep alive frequency
    • Phase 1/Phase 2 Proposal encryption: DES, 3DES, AES128, AES192, AES256
    • Phase 1/Phase 2 Proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512
    • Phase 1/Phase 2 Diffie-Hellman support: 1,2,5
    • XAuth as server mode and for dialup users
    • Dead peer detection
    • Replay detection
    • Autokey keep-alive for Phase 2 SA
  • SSL VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)
  • IPSEC VPN configuration options: route-based or policy based
  • IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode
  • One time login prevents concurrent logins with the same username
  • SSL portal concurrent users limiting
  • SSL VPN port forwarding module encrypts client data and sends the data to the application server
  • Supports clients that run iOS,Android,and Windows XP/Vista including 64-bit Windows OS
  • Host integrity checking and OS checking prior to SSL tunnel connections
  • MAC host check per portal
  • Cache cleaning option prior to ending SSL VPN session
  • L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC
  • View and manage IPSEC and SSL VPN connections
  • PnPVPN
  • Management over IPv6, IPv6 logging and HA
  • IPv6 tunneling, DNS64/NAT64 etc.
  • IPv6 routing protocols, static routing, policy routing, ISIS, RIPng, OSPFv3 and BGP4+
  • IPS, Application identification, URL filtering, Access control, ND attack defense
  • System resource allocation to each VSYS
  • CPU virtualization
  • Non-root VSYS support firewall, IPSec VPN, SSL VPN, IPS, URL filtering
  • VSYS monitoring and statistic
  • Redundant heartbeat interfaces
  • Active/Active and Active/Passive
  • Standalone session synchronization
  • HA reserved management interface
  • Failover:
    • Port, local & remote link monitoring
    • Stateful failover
    • Sub-second failover
    • Failure notification
  • Deployment options:
    • HA with link aggregation
    • Full mesh HA
    • Geographically dispersed HA
  • High availability mode among multiple devices
  • Multiple HA deployment modes
  • Configuration and session synchronization among multiple devices
  • Local user database
  • Remote user authentication: TACACS+, LDAP, Radius, Active
  • Single-sign-on: Windows AD
  • 2-factor authentication: 3rd party support, integrated token server with physical and SMS
  • User and device-based policies
  • User group synchronization based on AD and LDAP
  • Support for 802.1X, SSO Proxy
  • WebAuth page customization
  • Interface based Authentication
  • Agentless ADSSO (AD Polling)
  • Use authentication synchronization based on SSO-monitor
  • Support MAC-based user authentication
  • Management access: HTTP/HTTPS, SSH, telnet, console
  • Central management: Hillstone Security Manager (HSM), web service APIs
  • System integration: SNMP, syslog, alliance partnerships
  • Rapid deployment: USB auto-install, local and remote script execution
  • Dynamic real-time dashboard status and drill-in monitoring widgets
  • Language support: English
  • Logging facilities: local memory and storage (if available), multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms
  • Encrypted logging and log integrity with HSA scheduled batch log uploading
  • Reliable logging using TCP option (RFC 3195)
  • Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets
  • Comprehensive event logs: system and administrative activity audits, routing & networking, VPN, user authentications, WiFi related events
  • IP and service port name resolution option
  • Brief traffic log format option
  • Three predefined reports: Security, Flow and network reports
  • User defined reporting
  • Reports can be exported in PDF via Email and FTP
  • Application, URL, threat events statistic and monitoring
  • Real-time traffic statistic and analytics
  • System information such as concurrent session, CPU, Memory and temperature
  • iQOS traffic statistic and monitoring, link status monitoring
  • Support traffic information collection and forwarding via Netflow (v9.0)

Resources