Built on a multicore CPU platform with hardware acceleration, the HP Firewall Series provides scalable network protection from the network core to the network edge, with firewall throughput of up to 40 Gbps. The series also offers rich VPN capabilities, including GRE, L2TP, and IPSec tunneling, which makes it well suited to building VPN gateways. The appliances combine built-in protection against denial-of-service (DoS) and other network attacks, zone-based and virtual stateful packet inspection firewalls, application bandwidth management, audio/video IP multicast routing, and email attachment filtering. The series includes the security capabilities of the unified software platform shared with HP switches and routers, which simplifies integration, management, and deployment and lowers a network's total cost of ownership.
- High performance with up to 40 Gbps throughput
- Advanced virtual firewall
- Rich VPN functions, IPSec/GRE/L2TP
- Comprehensive security protection
- Carrier-grade reliability
Firewall
- High performance — up to 40 Gbps throughput secures traffic without compromising network performance; a maximum of 4 million concurrent connections and 180,000 new connections per second enables high-volume networks to remain secure under peak traffic
- Application Specific Packet Filter (ASPF) — dynamically decides whether to forward or drop a packet by inspecting its application layer protocol information (FTP, HTTP, SMTP, RTSP, and other TCP/UDP-based application protocols) and tracking the state of each application layer session, so that only packets belonging to a legitimately established session are passed
- Zone-based access policies — logically groups virtual LANs (VLANs) into zones that share common security policies; allows both unicast and multicast policy settings by zones instead of by individual VLANs
- Virtualization — multicore architecture enables both multiple zones and multiple separate firewall instances to be created on the same device; support for 256/512 security zones, 256 virtual firewalls, and 4,094 VLANs offers robust protection to all corners of the network; centralized deployment of a single device offering multiple virtual firewalls lowers total cost of ownership through streamlined training, simplified deployment and management, and reduced power consumption
- Application-level gateway (ALG) — deep packet inspection in the firewall discovers the IP address and service port information embedded in the application data; the firewall then dynamically opens appropriate connections for specific applications
- NAT — fully supports NAT, including many-to-one, many-to-many, static NAT, dual (bidirectional) translation, Easy IP, and DNS mapping; supports NAT traversal for multiple protocols and provides NAT ALGs for DNS, FTP, H.323, and NBT, so that addresses and ports carried inside those protocols' payloads are translated consistently with the packet headers
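The ALG and NAT ALG bullets above describe the same mechanism from two sides: the firewall parses a control channel to learn the address and port that the application will use for a secondary connection, opens a pinhole for exactly that connection, and, when NAT is in the path, rewrites the embedded address so the outside peer sees the translated one. The following Python block is an added illustration written for this page, not HP's code or any real product's implementation; it models an active-mode FTP ALG in front of a many-to-one NAT, with hypothetical class and method names (`FtpAlg`, `rewrite_port`, `allow_inbound`) and constructed sample addresses. The check that the address in a PORT command matches the connection's own source is the standard FTP bounce-attack defense, and rejecting data ports below 1024 is a common ALG hardening choice; both are assumptions here, not features the datasheet states.

```python
import re
from dataclasses import dataclass, field

# Active-mode FTP: the client tells the server where to connect back with
#   PORT h1,h2,h3,h4,p1,p2   (address h1.h2.h3.h4, port p1*256+p2)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass
class Pinhole:
    """A dynamically opened inbound allow rule: server -> translated data port."""
    proto: str
    src_ip: str       # the FTP server; any source port is accepted
    dst_ip: str       # our NAT (outside) address
    dst_port: int


@dataclass
class FtpAlg:
    nat_ip: str                       # outside address of the many-to-one NAT
    next_nat_port: int = 40000        # hypothetical pool for translated data ports
    pinholes: list = field(default_factory=list)
    data_nat: dict = field(default_factory=dict)   # (nat_ip, port) -> (inside_ip, port)

    def parse_port(self, payload: bytes):
        """Return (ip, port) from a PORT command, or None if payload is not one."""
        m = PORT_RE.match(payload)
        if m is None:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            raise ValueError("malformed PORT argument")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

    def validate_port(self, parsed, inside_ip):
        """Policy checks an ALG applies before trusting the embedded address."""
        ip, port = parsed
        if ip != inside_ip:
            # FTP bounce: client asks the server to connect to a third host
            return "PORT address does not match connection source"
        if port < 1024:
            return "PORT requests a privileged port"   # assumed hardening rule
        return None

    def rewrite_port(self, payload: bytes, inside_ip: str, server_ip: str) -> bytes:
        """Translate an inside client's PORT command and open the matching pinhole."""
        parsed = self.parse_port(payload)
        if parsed is None:
            return payload                       # not a PORT command: pass through
        problem = self.validate_port(parsed, inside_ip)
        if problem:
            raise ValueError(problem)
        inside_port = parsed[1]
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        # NAT ALG: embedded inside address -> outside address, plus a reverse mapping
        self.data_nat[(self.nat_ip, nat_port)] = (inside_ip, inside_port)
        # ALG: pinhole only for the server, only to the port we just announced
        self.pinholes.append(Pinhole("tcp", server_ip, self.nat_ip, nat_port))
        octets = ",".join(self.nat_ip.split("."))
        return f"PORT {octets},{nat_port // 256},{nat_port % 256}\r\n".encode()

    def allow_inbound(self, proto, src_ip, dst_ip, dst_port) -> bool:
        """Would an unsolicited inbound SYN be accepted? Only through a pinhole."""
        return any(p.proto == proto and p.src_ip == src_ip
                   and p.dst_ip == dst_ip and p.dst_port == dst_port
                   for p in self.pinholes)

    def translate_inbound(self, dst_ip, dst_port):
        """Reverse NAT for a data connection arriving at the pinhole."""
        return self.data_nat.get((dst_ip, dst_port))


if __name__ == "__main__":
    # Constructed scenario: inside client 10.0.0.5 behind NAT 198.51.100.1
    # talking to FTP server 203.0.113.10.
    alg = FtpAlg(nat_ip="198.51.100.1")
    cmd = b"PORT 10,0,0,5,4,1\r\n"                 # client listens on 10.0.0.5:1025
    print(alg.rewrite_port(cmd, "10.0.0.5", "203.0.113.10"))
    print(alg.allow_inbound("tcp", "203.0.113.10", "198.51.100.1", 40000))
```

Without the rewrite the server would try to connect to 10.0.0.5, an address it cannot reach; without the pinhole the firewall would drop the server's inbound SYN as unsolicited. The same pattern, with different parsers, is what the DNS, H.323, and NBT ALGs listed above do for their protocols.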
Virtual private network (VPN)
- IPSec — provides secure tunneling over an untrusted network such as the Internet or a wireless network; offers data confidentiality, authenticity, and integrity between two endpoints of the network
- Layer 2 Tunneling Protocol (L2TP) — an industry standard traffic encapsulation mechanism supported by common operating systems such as Windows® XP and Windows Vista®; tunnels Point-to-Point Protocol (PPP) traffic over IP and non-IP networks, using UDP as the transport on IP networks; L2TP itself provides no encryption, so it is normally run inside IPSec (L2TP/IPSec) when confidentiality is required
- Generic Routing Encapsulation (GRE) — encapsulates a wide range of protocols over an IP path and so keeps site-to-site traffic segregated from the underlying network; GRE provides no confidentiality or integrity on its own and should be combined with IPSec when the path is untrusted
- Manual or automatic Internet Key Exchange (IKE) — provides manual or automatic establishment of the keys used by the IPSec encryption and authentication algorithms; with manual keying the keys are configured statically on both peers and never change, whereas IKE automatically authenticates the peers, negotiates the security associations, derives session keys with a Diffie-Hellman exchange, and rekeys periodically, which is the preferred mode for anything beyond a lab setup
Management
- Complete session logging — provides detailed information for problem identification and resolution
- Manager and operator privilege levels — enable read-only (operator) and read/write (manager) access on CLI and Web browser management interfaces
- Secure Web GUI — provides a secure, easy-to-use graphical interface for configuring the module via HTTPS
- Command-line interface (CLI) — provides a secure, easy-to-use command-line interface for configuring the module via SSH or a switch console; provides direct real-time session visibility
- SNMPv1, v2c, and v3 — facilitate centralized discovery, monitoring, and secure management of networking devices
- Remote monitoring (RMON) — uses standard SNMP to monitor essential network functions; supports events, alarm, history, and statistics group plus a private alarm extension group
- FTP, TFTP, and SFTP support — FTP allows bidirectional transfers over a TCP/IP network and is used for configuration and software updates; Trivial FTP (TFTP) is a simpler method using User Datagram Protocol (UDP); SFTP runs over SSH and is the only one of the three that encrypts both credentials and file contents, so it should be preferred for transferring configurations that contain secrets
Layer 3 routing
- Static IP routing — provides manually configured routing; includes ECMP capability
- Routing Information Protocol (RIP) — provides RIPv1 and RIPv2 routing
- OSPF — includes host-based ECMP to provide link redundancy and scalable bandwidth, and supports NSSA
- Border Gateway Protocol 4 (BGP-4) — an Exterior Gateway Protocol (EGP) using a path vector algorithm; uses TCP for a reliable route discovery process, reduces bandwidth consumption by advertising only incremental updates, supports extensive policies for increased flexibility, and scales to very large networks
- Dual IP stack — maintains separate stacks for IPv4 and IPv6 to ease transition from an IPv4-only network to an IPv6-only network design
- Policy routing — allows custom filters for increased performance and security; supports ACLs, IP prefix, AS paths, community lists, and aggregate policies
- Layer 3 IPv6 routing — provides routing of IPv6 at media speed; supports static routes, RIPng, OSPFv3, BGP4+, policy routing, and PIM-SM/DM
Security
- Defense against attacks — provides defense against various attacks, such as DoS/DDoS, ARP spoofing, oversized ICMP packets, address and port scanning, Tracert probing, and IP packets carrying the Record Route option; supports static and dynamic blacklists, binding of MAC addresses to IP addresses, and intelligent defense against worms
- Application layer content filtering — supports mail filtering based on SMTP mail address, subject, attachments, and content; supports Web page filtering, including HTTP URL and content filtering
- Multiple security authentication services — supports RADIUS and HWTACACS authentication, certificate-based (X.509 format) PKI/CA authentication, user identity management (different users are granted different rights to execute commands), and levels of user views (users of different levels have different management rights)
- Centralized management and auditing — provides logging, traffic statistics and analysis, event monitoring and statistics, and mail notification of alarms
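The attack-defense bullet above lists address and port scanning together with dynamic blacklists without saying how the two connect. The following Python block is an added example written for this page, not HP's code or a description of the appliance's actual detection logic; it shows the simplest form of the mechanism: count the distinct destination ports (or distinct destination hosts) a single source touches within a sliding time window, and when a threshold is crossed, place that source on a dynamic blacklist that expires after a TTL. The class and method names (`ScanDetector`, `observe`), the thresholds, the window, the TTL, and the log line format (`timestamp src dst proto dport`) are all assumptions for the example, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Hypothetical tuning values; a real deployment sizes these to its own traffic.
WINDOW_SECONDS = 10.0       # how far back each source's events are remembered
PORT_THRESHOLD = 20         # distinct dst ports on one host  -> port scan
HOST_THRESHOLD = 20         # distinct dst hosts on one port  -> address sweep
BLACKLIST_TTL = 600.0       # seconds a dynamic blacklist entry stays active


class ScanDetector:
    def __init__(self, window=WINDOW_SECONDS, port_threshold=PORT_THRESHOLD,
                 host_threshold=HOST_THRESHOLD, ttl=BLACKLIST_TTL):
        self.window = window
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.ttl = ttl
        self.events = defaultdict(deque)   # src -> deque of (ts, dst, dport)
        self.blacklist = {}                # src -> expiry timestamp

    def is_blocked(self, src, now):
        """Dynamic blacklist lookup with lazy expiry."""
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[src]        # entry aged out; source may talk again
            return False
        return True

    def observe(self, ts, src, dst, proto, dport):
        """Feed one new-connection event; return the verdict for that packet."""
        if self.is_blocked(src, ts):
            return "drop:blacklisted"
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > self.window:   # slide the window forward
            q.popleft()
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for _, d, p in q:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        if any(len(s) >= self.port_threshold for s in ports_per_host.values()):
            self.blacklist[src] = ts + self.ttl
            return "alert:port-scan"
        if any(len(s) >= self.host_threshold for s in hosts_per_port.values()):
            self.blacklist[src] = ts + self.ttl
            return "alert:address-sweep"
        return "allow"


def parse_line(line):
    """Constructed format: '<timestamp> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto, int(dport)


def run(lines, detector=None):
    det = detector or ScanDetector()
    verdicts = [det.observe(*parse_line(line)) for line in lines]
    return det, verdicts


# Constructed sample: two normal connections, then 192.0.2.7 probing 25 ports
# on 10.0.0.20, a later connection while blacklisted, and one after expiry.
SAMPLE_LINES = (
    ["0.00 10.0.0.5 203.0.113.10 tcp 443",
     "0.50 10.0.0.5 203.0.113.10 tcp 80"]
    + [f"{1.0 + i * 0.1:.2f} 192.0.2.7 10.0.0.20 tcp {i + 1}" for i in range(25)]
    + ["5.00 192.0.2.7 10.0.0.21 tcp 22",
       "700.00 192.0.2.7 10.0.0.21 tcp 22"]
)

if __name__ == "__main__":
    detector, results = run(SAMPLE_LINES)
    for line, verdict in zip(SAMPLE_LINES, results):
        print(f"{verdict:<22} {line}")
```

The threshold fires on the twentieth distinct port, every later packet from that source is dropped by the blacklist rather than re-evaluated, and once the TTL lapses the source is admitted again. Two caveats a practitioner would keep in mind: a slow scan that spreads probes beyond the window evades a pure count, and a spoofed-source flood can be used to get a victim's address blacklisted, which is why dynamic entries expire rather than persist.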