H3C SecPath F1000-AI

Series Firewalls
Next Generation Firewalls

Release Date: February, 2021

New H3C Technologies Co., Limited

 H3C F1000 Firewalls

H3C SecPath F1000-AI Series Firewalls

Product overview
H3C SecPath F1000-AI series firewalls bring innovative Artificial Intelligence (AI) capabilities to small and
medium enterprises, campus egress, and WAN branches.

H3C SecPath F1000-AI series meets the requirements of Web 2.0, and supports the following security and
network features:

 Security protection and access control based on users, applications, time, five tuples, and other elements.
Typical security protection features include IPS, AV, and DLP.

 VPN services, including L2TP VPN, GRE VPN, IPsec VPN, and SSL VPN.

 Routing capabilities, including static routing, RIP, OSPF, BGP, routing policies, and application- and URL-
based policy-based routing.

 IPv4 and IPv6 dual stacks, and state protection and attack prevention for IPv6.

F1000-AI-10 Front View

F1000-AI-10 Rear View

F1000-AI-60 Front View

2
H3C F1000 Firewalls

F1000-AI-60 Rear View

F1000-AI-70 Front View

F1000-AI-70 Rear View

F1000-AI-80 Front View

F1000-AI-80 Rear View

3
H3C F1000 Firewalls

F1000-AI-90 Front View

F1000-AI-90 Rear View

F1000-AI-25 Front View

F1000-AI-25 Rear View

F1000-AI-35 Front View

4
H3C F1000 Firewalls

F1000-AI-35 Rear View

F1000-AI-55 Front View

F1000-AI-55 Rear View

F1000-AI-65 Front View

F1000-AI-65 Rear View

5
 H3C F1000 Firewalls

F1000-AI-75 Front View

F1000-AI-75 Rear View

Features and Benefits

High-performance software and hardware platforms
The F1000 series uses advanced 64-bit multi-core processors and caches.

Carrier-level high availability

 Uses H3C proprietary software and hardware platforms that have been proven by Telecom carriers and
small- to medium-sized enterprises.

 Supports H3C SCF, which can virtualize multiple devices into one device for unified resources
management, service backup, and system performance improvement.

Powerful security protection

 Attack protection—Detects and prevents various attacks, including Land, Smurf, Fraggle, ping of death,
Tear Drop, IP spoofing, IP fragment, ARP spoofing, reverse ARP lookup, invalid TCP flag, large ICMP
packet, IP/port scanning, and common DDoS attacks such as SYN flood, UDP flood, DNS flood, and
ICMP flood.

 SOP N:1 virtualization—Uses the container-based virtualization technology. An F1000 series firewall
can be virtualized into multiple logical firewalls, which have the same features as the physical firewall.
Each virtual firewall can have its own security policy and can be managed independently.

 Security zone—Allows you to configure security zones based on interfaces and VLANs.

 Packet filtering—Allows you to apply standard or advanced ACLs between security zones to filter
packets based on information contained in the packets, such as UDP and TCP port numbers. You can
also configure time ranges during which packet filtering will be performed.

6
 H3C F1000 Firewalls

 Access control—Supports access control based on users and applications and integrates deep intrusion
prevention with access control.

 ASPF—Dynamically determines whether to forward or drop a packet by checking its application layer
protocol information and state. ASPF supports inspecting FTP, HTTP, SMTP, RTSP, and other TCP/UDP-
based application layer protocols.

 AAA—Supports authentication based on RADIUS/HWTACACS+, CHAP, and PAP.

 Blacklist—Supports static blacklist and dynamic blacklist.

 NAT and VRF-aware NAT.

 VPN—Supports L2TP, IPsec/IKE, GRE, and SSL VPNs. Allows smart devices to connect to the VPNs.

 Routing—Supports static routing, RIP, OSPF, BGP, routing policies, and application- and URL-based
policy-based routing.

 Security logs—Supports operation logs, zone pair policy matching logs, attack protection logs, DS-LITE
logs, and NAT444 logs.

 Traffic monitoring, statistics, and management.

Flexible and extensible, integrated and advanced DPI security

 Integrated security service processing platform—Highly integrates the basic and advanced security
protection measures to a security platform.

 Application layer traffic identification and management.

Uses the state machine and traffic exchange inspection technologies to detect traffic of P2P, IM,
network game, stock, network video, and network multi-media applications, such as Thunder, Web
Thunder, BitTorrent, eMule, eDonkey, WeChat, Weibo, QQ, MSN, and PPLive.

Uses the deep inspection technology to identify P2P traffic precisely and provides multiple policies
to control and manage the P2P traffic flexibly.

Highly precise and effective intrusion inspection engine—Uses the H3C-proprietary Full Inspection
with Rigorous State Test (FIRST) engine and various intrusion inspection technologies to implement
highly precise inspection of intrusions based on application states. The FIRST engine also supports
software and hardware concurrent inspections to improve the inspection efficiency.

Realtime virus protection—uses the stream-based antivirus engine to prevent, detect, and remove

7
 H3C F1000 Firewalls

malicious code from network traffic.

Categorized filtering of massive URLs—uses the local+cloud mode to provide 139 categorized URL
libraries and support over 20 million URL filtering rules, provides basic URL filtering blacklist and whitelist
and allows you to query the URL category filtering server on line.

Complete and updated security signature database—H3C has a senior signature database team and
professional attack protection labs that can provide a precise and up-to-date signature database.

Industry-leading IPv6 features

IPv6 stateful firewall.
IPv6 related attack protection.

IPv6 data forwarding, IPv6 static routing and dynamic routing, and IPv6 multicast.

IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, automatic IPv4-
compatible IPv6 tunnel, ISATAP tunnel, NAT444, and DS-Lite.
IPv6 ACL and RADIUS.

Next-generation multi-service features

Integrated link load balancing feature—Uses link state inspection and link busy detection technologies, and applies to a
network egress to balance traffic among links.

Integrated SSL VPN feature—Uses USB-Key, SMS messages, and the enterprise's existing authentication system to
authenticate users, providing secure access of mobile users to the enterprise network.

Data leakage prevention (DLP)—Supports email filtering by SMTP mail address, subject, attachment, and content, HTTP
URL and content filtering, FTP file filtering, and application layer filtering (including Java/ActiveX blocking and SQL injection
attack prevention).

Intrusion prevention system (IPS)—Supports identification and prevention of Web attacks, such as cross-site scripting
(XSS) and SQL injection (SQLi).

Anti-virus (AV)—Uses a high-performance virus detection engine and a daily updated virus signature database to prevent
attacks from over 5 million viruses.

Unknown threat prevention—Uses the situation awareness platform to fast detect and locate threats. This ensures that the
firewall can take global security measures as soon as a single point is under attack.

Intelligent management
Intelligent security policy management—Detects duplicate policies, optimizes policy matching rules, detects and proposes
security policies dynamically generated in the internal network.

SNMPv3—Compatible with SNMPv1 and SNMPv2.

CLI-based configuration and management.

Web-based management, with simple, user-friendly GUI.

H3C IMC SSM unified management—Collects and analyzes security information, and offers an intuitive view into network
and security conditions, saving management efforts and improving management efficiency.

Centralized log management based on advanced data drill-down and analysis technology—Requests and receives
information to generate logs, compiles different types of logs (such as syslogs and binary stream logs) in the same format,
and compresses and stores large amounts of logs. You can encrypt and export saved logs to external storage devices such

8
 H3C F1000 Firewalls

as DAS, NAS, and SAN to avoid loss of important security logs.

Abundant reports—Include application-based reports and stream-based analysis reports.

Various exported report formats—Include PDF, HTML, word, and txt.

Report customization through the Web interface—Customizable contents include time range, data source device,
generation period, and export format.

Specifications
F1000-AI-
Item F1000-AI-10 F1000-AI-60/70 F1000-AI-65/75 F1000-AI-80/90
25/35/55
Dimensions (W 440mm×
× D × H) 260mm× 440mm×435mm×44.2mm
44.2mm

USB 2 2 2 2 2

Weight —— —— 9.2kg/10.0kg —— 10.0kg

Dual hot- Dual hot- Dual hot- Dual hot-

Power Supply AC swappable, AC swappable, AC swappable, AC swappable, AC
or DC or DC or DC or DC

Power
—— 150W 250W or 450W 150W 250W or 450W
consumption

MTBF(Year) —— —— —— —— ——
1 × Console port 1 × Console port 1 × Console port
(CON) (CON) (CON)
1 × Console port 1 × Console port
2× 1× (CON) 1× (CON)
Management Management Management
port port 1× port 1×
Management Management
18 × Gigabit 6 × Gigabit port 4 × Gigabit port
Ethernet copper Ethernet fiber Ethernet fiber
ports ports 12 × Gigabit ports 8 × Gigabit
Ethernet fiber Ethernet fiber
Ports 4 × Gigabit 16 × Gigabit 16 × Gigabit
ports ports
Ethernet Bypass Ethernet copper Ethernet copper
ports ports 14 × Gigabit ports 14 × Gigabit
Ethernet copper Ethernet copper
8 × Gigabit 4 × Gigabit ports 4 × Gigabit ports
Ethernet Combo Ethernet Combo Ethernet Combo
ports ports 4 × 10-Gigabit ports 8 × 10-Gigabit
Ethernet fiber Ethernet fiber
2 × 10-Gigabit 2 × 10-Gigabit ports 6 × 10-Gigabit ports
Ethernet fiber Ethernet fiber Ethernet fiber
ports ports ports

Expansion slots 0 2 2/4 2 4

—— 4-port GE PFC —— 4-port GE PFC

interface module interface module
4-port GE fiber 4-port GE fiber
Interface
interface module interface module
modules
4-port 10-GE 4-port 10-GE
fiber interface fiber interface
module module

9
 H3C F1000 Firewalls

6-port 10-GE 6-port 10-GE

fiber interface fiber interface
module module

1 × 480G SSD/ 2 × 480G SSD/

Storage 2 × 480G SSD 500G HDD/1TB 2 × 480G SSD 500G HDD/1TB 2 × 480G SSD
HDD HDD
Flash 4GB 4GB 4GB 4GB 8GB

SDRAM 2GB 4GB/4GB/8GB 8G 8G 16G

Operating: 0°C to 45°C (32°F to 113°F)

Temperature
Storage: –40°C to +70°C (–40°F to +158°F)

Operation
Route, transparent, and hybrid
modes

Portal authentication
RADIUS authentication
HWTACACS authentication
AAA PKI/CA (X.509 format) authentication
Domain authentication
CHAP authentication
PAP authentication

SOP virtual firewall technology, which supports full virtualization of hardware resources,
including CPU, memories, and storage
Security zone allocation
Protection against malicious attacks, such as land, smurf, fraggle, ping of death, teardrop, IP
spoofing, IP fragmentation, ARP spoofing, reverse ARP lookup, invalid TCP flag, large ICMP
packet, address/port scanning, SYN flood, ICMP flood, UDP flood, and DNS query flood
Basic and advanced ACLs
Time range-based ACL
Firewall User-based and application-based access control
ASPF application layer packet filtering
Static and dynamic blacklist function
MAC-IP binding
MAC-based ACL
MAC-Limitation
802.1Q VLAN transparent transmission
Bandwidth control

Signature-based virus detection

Manual and automatic upgrade for the signature database
Stream-based processing
Antivirus
Virus detection based on HTTP, FTP, SMTP, and POP3
Virus types include Backdoor, Email-Worm, IM-Worm, P2P-Worm, Trojan, AdWare, and Virus
Virus logs and reports

Deep intrusion Prevention against common attacks such as hacker, worm/virus, Trojan, malicious code,
prevention spyware/adware, DoS/DDoS, buffer overflow, SQL injection, and IDS/IPS bypass

10
 H3C F1000 Firewalls

Attack signature categories (based on attack types and target systems) and severity levels
(including high, medium, low, and notification)
Manual and automatic upgrade for the attack signature database (TFTP and HTTP).
P2P/IM traffic identification and control

Email filtering
SMTP email address filtering
Email subject/content/attachment filtering
Email/webpage/ Webpage filtering
application layer
filtering HTTP URL/content filtering
Java blocking
ActiveX blocking
SQL injection attack prevention

Many-to-one NAT, which maps multiple internal addresses to one public address
Many-to-many NAT, which maps multiple internal addresses to multiple public addresses
One-to-one NAT, which maps one internal address to one public address
NAT of both source address and destination address
NAT External hosts access to internal servers
Internal address to public interface address mapping
NAT support for DNS
Setting effective period for NAT
NAT ALGs for NAT ALG, including DNS, FTP, H.323, ILS, MSN, NBT, PPTP, and SIP

L2TP VPN
IPSec VPN
VPN
GRE VPN
SSL VPN

ESP-DES-CBC/ESP-3DES-CBC/ESP-AES-128-CBC/ESP-AES-192-CBC/ESP-AES-256-CBC/ ESP-AES-
IPSEC VPN
128-GCM/ESP-NULL/SM1-cbc-128/SM4-cbc

IPSEC VPN
Authentication MD5/SHA1/SM3
Algorithm

IPv6 status firewall

IPv6 attack protection
IPv6 forwarding
IPv6 protocols such as ICMPv6, PMTU, Ping6, DNS6, TraceRT6, Telnet6, DHCPv6 Client, and
DHCPv6 Relay
IPv6
IPv6 routing: RIPng, OSPFv3, BGP4+, static routing, policy-based routing
IPv6 multicast: PIM-SM, and PIM-DM
IPv6 transition techniques: NAT-PT, IPv6 tunneling, NAT64 (DNS64), and DS-LITE
IPv6 security: NAT-PT, IPv6 tunnel, IPv6 packet filter, RADIUS, IPv6 zone pair policies, IPv6
connection limit

IEEE IEEE 802.1X

SCF 2:1 virtualization

High availability
Active/active and active/standby stateful failover

11
 H3C F1000 Firewalls

Configuration synchronization of two firewalls

IKE state synchronization in IPsec VPN
VRRP

Configuration management at the CLI

Remote management through Web
Configuration
Device management through H3C IMC SSM
management
SNMPv3, compatible with SNMPv2 and SNMPv1
Intelligent security policy

Environmental
EU RoHS compliance
protection

FCC Part 15 (CFR 47) CLASS A

ICES-003 CLASS A
VCCI CLASS A
CISPR 22 CLASS A
EN 55022 CLASS A
AS/NZS CISPR22 CLASS A
CISPR 32 CLASS A
EN 55032 CLASS A
EMC AS/NZS CISPR32 CLASS A
CISPR 24
EN 55024
EN 61000-3-2
EN 61000-3-3
ETSI EN 300 386
GB 9254
GB 17625.1
YD/T 993

UL 60950-1
CAN/CSA C22.2 No 60950-1
IEC 60950-1
Safety EN 60950-1
AS/NZS 60950-1
FDA 21 CFR Subchapter J
GB 4943.1

12
 H3C F1000 Firewalls

Performance
F1000 F1000 F1000 F1000 F1000 F1000 F1000 F1000 F1000 F1000
-AI- -AI- -AI- -AI- -AI- -AI- -AI- -AI- -AI- -AI-
10 25 35 55 60 70 65 75 80 90
Firewall 1.5Gb 3Gbps 4Gbps 6Gbps 8Gbps 9Gbps 10Gbp 15Gbp 20Gbp 25Gbp
Throughput ps s s s s
(1518Bytes)
NGFW 600Mb 2.5Gbp 3Gbps 3.5Gb 4.5Gbp 4.5Gbp 5Gbps 5.5Gbp 6Gbps 15Gbp
Throughput ps s ps s s s s

NGFW+IPS 600Mb 2.5Gbp 3Gbps 3.5Gbp 4.5Gbp 4.5Gbp 5Gbps 5.5Gbp 6Gbps 14Gbp
ps s s s s s s
NGFW+IPS+ 500Mb 1.5Gbp 2Gbps 2.5Gbp 4Gbps 4Gbps 4.5Gbp 5Gbps 5.5Gbp 14Gbp
AV ps s s s s s
Maximum 0.9M 2.5M 2.5M 5M 5M 5M 5M 5M 10M 10M
concurrent
sessions
Maximum 15K 30K 40K 50K 80K 80K 100K 120K 150K 240K
New
Connections
per second

Ordering Information
SecPath F1000-AI Series
NS-SecPath F1000-AI-10 H3C SecPath F1000-AI-10 Firewall Appliance
NS-F1000-AI-25 H3C SecPath F1000-AI-25 Firewall Appliance
NS-F1000-AI-35 H3C SecPath F1000-AI-35 Firewall Appliance
NS-F1000-AI-55 H3C SecPath F1000-AI-55 Firewall Appliance
NS-F1000-AI-60 H3C SecPath F1000-AI-60 Firewall Appliance
NS-F1000-AI-65 H3C SecPath F1000-AI-65 Firewall Appliance
NS-F1000-AI-70 H3C SecPath F1000-AI-70 Firewall Appliance
NS-F1000-AI-75 H3C SecPath F1000-AI-75 Firewall Appliance
NS-F1000-AI-80 H3C SecPath F1000-AI-80 Firewall Appliance
NS-F1000-AI-90 H3C SecPath F1000-AI-90 Firewall Appliance
Power Supply
PSR150-A1-B 150W AC Power Supply

13
H3C F1000 Firewalls

PSR150-D1-B 150W DC Power Supply

PSR250-12A1 250W AC Power Supply Module(Air Outlets in Panel)
PSR450-12D 450W DC Power Supply Module (Air Outlets in Panel)
450W HVDC Power Supply Module (AC/336V HVDC Input Supported, Air Outlets in
PSR450-12AHD
Panel)
Modules
NSQM1GT4PFC H3C SecPath F1000 Series PFC Card
NSQM1TG4FBA H3C SecPath F1000 Series, 4 Ports SFP+ Module
NSQM1GP4FBA H3C SecPath F1000 Series, 4 Ports SFP Module
H3C SecPath F1000 Series 6-Port Ten-Gigabit Ethernet Optical Interface
NSQM1NIMTG6A
Module(SFP+)
Hard Disk
NS-HDD-500G-SATA-
H3C SecPath Series,500GB 2.5inch SATA HDD HardDisk Module
SFF
NS-HDD-1T-SATA-SFF H3C SecPath Series,1TB 2.5inch SATA HDD HardDisk Module
NS-SSD-480G-SATA-
H3C SecPath Series,480GB 2.5inch SATA SSD HardDisk Module
SFF
License
LIS-F1000-IPS1-1Y H3C SecPath F1000,IPS Signature Update Service,1 Year
LIS-F1000-IPS3-3Y H3C SecPath F1000,IPS Signature Update Service,3 Years
LIS-F1000-AV-1Y H3C SecPath F1000,AV Anti-Virus Security License,1 Year
LIS-F1000-AV-3Y H3C SecPath F1000,AV Anti-Virus Security License,3 Years
LIS-F1000-ACG1-1Y H3C SecPath F1000,Application Signature Update Service,1 Year
LIS-F1000-ACG3-3Y H3C SecPath F1000,Application Signature Update Service,3 Years
LIS-F1000-LB H3C SecPath F1000,LB License
LIS-F1000-SSL-25 H3C SecPath F1000,SSL VPN for 25 Users
LIS-F1000-SSL-125 H3C SecPath F1000,SSL VPN for 125 Users
LIS-F1000-SSL-500 H3C SecPath F1000,SSL VPN for 500 Users
LIS-F1000-SSL-1000 H3C SecPath F1000,SSL VPN for 1000 Users
LIS-F1000-URL-1Y H3C SecPath F1000 URL Signature Update Service License,1 Year
LIS-F1000-URL-3Y H3C SecPath F1000 URL Signature Update Service License,3 Years
LIS-IMC7-SVF1KA-25 H3C iMC-SSL VPN Authentication Client-F1000-25 License
LIS-IMC7-SVF1KB-125 H3C iMC-SSL VPN Authentication Client-F1000-125 License
LIS-IMC7-SVF1KC-500 H3C iMC-SSL VPN Authentication Client-F1000-500 License
LIS-IMC7-SVF1KD-1K H3C iMC-SSL VPN Authentication Client-F1000-1000 License
LIS-F1000-WAF-1Y H3C SecPath F1000 WAF Signature Update License,1 Year
LIS-F1000-WAF-3Y H3C SecPath F1000 WAF Signature Update License,3 Year
Transceivers
SFP-GE-SX-MM850-A 1000BASE-SX SFP Transceiver, Multi-Mode (850nm, 550m, LC)
SFP-GE-LX-SM1310-A 1000BASE-LX SFP Transceiver, Single Mode (1310nm, 10km, LC)
SFP-GE-LH40-SM1310 1000BASE-LH40 SFP Transceiver, Single Mode (1310nm, 40km, LC)
SFP-GE-LH40-SM1550 1000BASE-LH40 SFP Transceiver, Single Mode (1550nm, 40km, LC)
SFP-GE-LH80-SM1550 1000BASE-LH80 SFP Transceiver, Single Mode (1550nm, 80km, LC)
SFP-GE-LH100-SM1550 1000BASE-LH100 SFP Transceiver, Single Mode (1550nm, 100km, LC)
SFP-XG-LX220-MM1310 SFP+ Module(1310nm,220m,LC)

14
H3C F1000 Firewalls

SFP-XG-SX-MM850-A SFP+ Module(850nm,300m,LC)

SFP-XG-LX-SM1310 SFP+ Module(1310nm,10km,LC)
SFP-XG-LH40-SM1550 SFP+ Module(1550nm,40km,LC)
Services
SV-PS-SES-OS Oversea Security Expert Service

Copyright © 2021 New H3C Technologies Co., Limited Reserves all rights
New H3C Technologies Co., Limited
Disclaimer: Though H3C strives to provide accurate information in this document, we cannot guarantee that details do not
Beijing Headquarters
contain any technical error or printing error. Therefore, H3C cannot accept responsibility for any inaccuracy in this documen t.
Tower 1, LSH Center, 8 Guangshun South Street, Chaoyang
H3C reserves the right for the modification of the contents herein without prior notification
District, Beijing, China

Zip: 100102

Hangzhou Headquarters
http://www.h3c.com

No.466 Changhe Road, Binjiang District, Hangzhou, Zhejiang,

China

Zip: 310052

Tel: +86-571-86760000

Fax: +86-571-86760001

15