Datasheet
HP 10500/11900/7500 20Gbps VPN Firewall Module
Key features
• High-performance, 20Gbps firewall throughput
• Comprehensive security protection
• Rich VPN functions: IPSec/GRE/L2TP
• Advanced virtual firewall
• Low operating cost
Product overview
The HP 10500/11900/7500 20Gbps VPN Firewall Module is a high-performance, integrated network security module that can deliver more than 20Gbps of throughput. The scalable stateful firewalls can be aggregated in a single switch chassis (up to 16 modules), delivering up to 400Gbps of firewall throughput.
The firewalls unify the administration of the network and firewall, giving customers simplified management: learn once to administer both the network and firewall security. These advanced features provide a high return on investment, as you will be taking advantage of the existing switches for the blades.
The Firewall modules have the following features:
• Integrated security functions, including firewall, VPN, NAT, URL filtering, and application layer filtering
• Application Specific Packet Filter (ASPF), used to detect application layer connection state in real time, implementing security protection from Layer 3 through Layer 7
• Operation logs, attack logs, stream logs, and network management and monitoring functions
• Plug-and-play with great scalability, allowing for insertion of one or more firewall modules into the network device

Features and benefits
Firewall
• High performance: 20 Gbps throughput secures traffic without compromising network performance. Support for 2 million concurrent connections and 60,000 new connections per second enables high-volume networks to remain secure under peak traffic.
• Application Specific Packet Filter (ASPF): dynamically determines whether to forward or drop a packet by checking its application layer protocol information (such as FTP, HTTP, SMTP, RTSP and other application layer protocols based on TCP/UDP) and monitoring the connection-based application layer protocol status.
• Virtualization: multi-core architecture enables both multiple zones and multiple separate firewall instances to be created on the same device. Support for 256 security zones, 256 virtual firewalls and 4,094 virtual LANs (VLANs) offers robust protection to all corners of your network. Centralized deployment of a single device offering multiple virtual firewalls lowers total cost of ownership through streamlined training, simplified deployment and management, and reduced power consumption.
• Zone-based access policies: groups virtual LANs (VLANs) logically into zones that share common security policies; allows both unicast and multicast policy settings by zone instead of by individual VLAN.
• Application-level gateway (ALG): discovers the IP address and service port information embedded in the application data using deep packet inspection in the firewall; the firewall then dynamically opens the appropriate connections for specific applications.
• NAT: full support for NAT applications including many-to-one, many-to-many, static NAT, dual translation, easy IP and DNS mapping. It supports NAT traversal with multiple protocols, and delivers NAT ALG functions such as DNS, FTP, H.323, and NBT.
Virtual private network (VPN)
• IPSec: provides secure tunneling over an untrusted network such as the Internet or a wireless network; offers data confidentiality, authenticity, and integrity between two network endpoints.
• Layer 2 Tunneling Protocol (L2TP): an industry standard-based traffic encapsulation mechanism supported by many common operating systems such as Windows® XP and Windows Vista®; tunnels Point-to-Point Protocol (PPP) traffic over IP and non-IP networks; may use the IP/UDP transport mechanism in IP networks.
• Generic Routing Encapsulation (GRE): transports Layer 2 connectivity over a Layer 3 path in a secured way; enables the segregation of traffic from site to site.
• Manual or automatic Internet Key Exchange (IKE): provides both manual and automatic key exchange for the algorithms used in encryption and authentication; auto-IKE allows automated management of the public key exchange, providing the highest levels of encryption.
Management
• Secure Web GUI: provides a secure, easy-to-use graphical interface for configuring the module via HTTPS.
• Command-line interface (CLI): provides a secure, easy-to-use CLI for configuring the module via SSH or a switch console; provides direct real-time session visibility.
• SNMPv1, v2c, and v3: facilitate centralized discovery, monitoring, and secure management of networking devices.
• Complete session logging: provides detailed information for problem identification and resolution.
• Manager and operator privilege levels: provides read-only (operator) and read/write (manager) access on CLI and Web browser management interfaces.
• Remote monitoring (RMON): uses standard SNMP to monitor essential network functions; supports events, alarm, history, and statistics groups plus a private alarm extension group.
• FTP, TFTP, and SFTP support: offers different mechanisms for configuration updates; FTP allows bidirectional transfers over a TCP/IP network; Trivial FTP (TFTP) is a simpler method using User Datagram Protocol (UDP); Secure File Transfer Protocol (SFTP) runs over an SSH tunnel to provide additional security.
Layer 3 routing
• Static IP routing: provides manually configured routing; includes ECMP capability.
• Routing Information Protocol (RIP): provides RIPv1 and RIPv2 routing.
• OSPF: includes host-based ECMP to provide link redundancy/scalable bandwidth, and NSSA.
• Border Gateway Protocol 4 (BGP-4): delivers an implementation of the Exterior Gateway Protocol (EGP) utilizing path vectors; uses TCP for enhanced reliability in the route discovery process; reduces bandwidth consumption by advertising only incremental updates; supports extensive policies for increased flexibility; scales to very large networks.
• Dual IP stack: maintains separate stacks for IPv4 and IPv6 to ease the transition from an IPv4-only network to an IPv6-only network design.

• Policy routing: allows custom filters for increased performance and security; supports ACLs, IP prefix, AS paths, community lists, and aggregate policies.
• Layer 3 IPv6 routing: provides routing of IPv6 at media speed; supports static routes, RIPng, OSPFv3, BGP+, policy route and PIM-SM/DM.
Security
• Defense against attacks: the firewall provides defense against various attacks, such as DoS/DDoS, ARP spoofing, large ICMP packets, address/port scanning, Tracert, and IP packets with the Record Route option, and supports static and dynamic blacklists. It also supports binding of MAC address and IP address, and intelligent defense against worm viruses.
• Application layer content filtering: the firewall supports mail filtering based on SMTP mail address, titles, attachments, and contents; supports Web page filtering including HTTP URL and content filtering.
• Multiple security authentication services: the firewall supports RADIUS and HWTACACS authentication, certificate-based (X.509 format) PKI/CA authentication, user identity management (different users own different rights to execute commands), and levels of user views (users of different levels have different management rights).
• Centralized management and auditing: the firewall provides logging, traffic statistics and analysis, event monitoring and statistics, and mail notification of alarms.
Warranty and support
• Electronic and telephone support: limited electronic and business-hours telephone support is available from HP for the entire warranty period; to reach our support centers, refer to www.hp.com/networking/contact-support; for details on the duration of support provided with your product purchase, refer to www.hp.com/networking/warrantysummary
• Software releases: to find software for your product, refer to www.hp.com/networking/support; for details on the software releases available with your product purchase, refer to www.hp.com/networking/warrantysummary
• 1-year warranty: advance hardware replacement with 10-calendar-day delivery (available in most countries)

HP 10500/11900/7500 20Gbps VPN Firewall Module
Specifications
HP 10500/11900/7500 20Gbps VPN Firewall Module (JG372A)
Ports
2 RJ-45 auto-negotiating 10/100/1000 ports (IEEE 802.3 Type 10BASE-T, IEEE 802.3u Type 100BASE-TX, IEEE 802.3ab Type 1000BASE-T)
2 dual-personality ports; auto-sensing 10/100/1000BASE-T or SFP
1 RJ-45 serial console port
1 Compact Flash port
Physical characteristics
Dimensions 15.71(w) x 14.84(d) x 1.57(h) in (39.9 x 37.7 x 4 cm)
Weight 7.72 lb (3.5 kg)
Environment
Operating temperature 32°F to 113°F (0°C to 45°C)
Operating relative humidity 10% to 95%, noncondensing
Management
IMC - Intelligent Management Center; command-line interface; Web browser; SNMP Manager; Telnet; HTTPS; RMON1; FTP
Features
Performance
- 6.5 Gbps firewall throughput
- 2 million concurrent connections
- 60,000 new connections per second
- Maximum 20,480 security policies
- 2 Gbps 3DES/AES VPN throughput
- 5,000 IPSec tunnels
- 4,000 VLANs
Firewall operation mode
- Routing mode
- Transparent mode
- Hybrid mode
AAA service
- Local authentication
- Standard RADIUS
- HWTACACS+
- RADIUS domain authentication
ASPF
- General TCP/UDP application
- FTP/SMTP/HTTP/RTSP/H323 protocol state detection
- SIP/MGCP/QQ/MSN protocol state detection
- Java/ActiveX blocking and detection
- Port mapping
- Support for fragmented packets
Virtualization
- 256 virtual firewalls
- 4 default security zones
- Maximum 256 security zones
NAT
- NAPT
- PAT
- NAT server
- Port mapping
- Bidirectional NAT
- Static NAT
Network security
- Add blacklist entries manually or automatically
- IP+MAC binding
- ARP reverse query
- ARP cheat check
- Management ports closed by default
DDoS
- DNS Query flood
- SYN flood

- Auto-starts TCP Proxy when a SYN flood is detected
- ICMP flood
- UDP flood
- IP spoofing
- SQL injection filter
L2TP VPN
- LNS, LAC
- L2TP multi-instance
GRE
- GRE tunneling protocol
IPSec
- AH/ESP
- ESP
- Transport/tunnel
- NAT traversal
- Strategy template
IKE
- DH
- Pre-shared key authentication method
- Support for aggressive mode and main mode exchange
- IKE DPD, PKI/CA
Network feature
- IEEE 802.1Q VLAN
- 4,000 subinterfaces
- Static and dynamic ARP
- Multicast, PIM
- IGMPv1/v2/v3
Routing
- RIP
- OSPF
- BGP
- Static route
- Policy route
High availability
- Active-active mode
- Active-passive mode
- Session synchronization for firewall
System management
- Web management support for Internet Explorer/Firefox
- Command-line interface (Console/Telnet/SSH)
- Classification Manager
- Unified management through iMC
- SNMPv1/v2c/v3
Administration
- Software upgrades
- Configuration backup and restore
Logging/Monitoring
- Syslog
- Mini RMON
- NTP
- NAT/ASPF/firewall log stream (binary log)
IPv6 routing and multicast
- RIPng
- OSPFv3
- BGP4+
- Static route

- Policy route
- PIM-SM/DM
IPv6 security
- NAT-PT
- Manual tunnel
- IPv6 over IPv4 GRE tunnel
- 6to4 tunnel (RFC 3056)
- ISATAP tunnel
- IPv6 packet filter
- RADIUS
- NAT64
Services
3-year, parts only, global next-day advance exchange (UZ896E)
3-year, 4-hour onsite, 13x5 coverage for hardware (UZ897E)
3-year, 4-hour onsite, 24x7 coverage for hardware (UZ900E)
3-year, 4-hour onsite, 24x7 coverage for hardware, 24x7 SW phone support and SW updates (UZ904E)
3-year, 24x7 SW phone support, software updates (UZ907E)
1-year, post-warranty, 4-hour onsite, 13x5 coverage for hardware (HR735E)
1-year, post-warranty, 4-hour onsite, 24x7 coverage for hardware (HR736E)
1-year, post-warranty, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone support (HR737E)
4-year, 4-hour onsite, 13x5 coverage for hardware (UZ898E)
4-year, 4-hour onsite, 24x7 coverage for hardware (UZ901E)
4-year, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone (UZ905E)
4-year, 24x7 SW phone support, software updates (UZ908E)
5-year, 4-hour onsite, 13x5 coverage for hardware (UZ899E)
5-year, 4-hour onsite, 24x7 coverage for hardware (UZ902E)
5-year, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone (UZ906E)
5-year, 24x7 SW phone support, software updates (UZ909E)
3-year, 6-hour Call-to-Repair Onsite (UZ910E)
4-year, 6-hour Call-to-Repair Onsite (UZ911E)
5-year, 6-hour Call-to-Repair Onsite (UZ912E)
1-year, 6-hour Call-to-Repair Onsite for hardware (HR739E)
1-year, 24x7 software phone support, software updates (HR738E)
Refer to the HP website at www.hp.com/networking/services for details on the service-level descriptions and product numbers. For details about services and response times in your area, please contact your local HP sales office.

Standards and Protocols
(applies to all products in series)
IPv6
RFC 1981 IPv6 Path MTU Discovery
RFC 2460 IPv6 Specification
RFC 2465 Management Information Base for IP Version 6: Textual Conventions and General Group (partially supported, only "IPv6 Interface Statistics table")
RFC 3484 Default Address Selection for IPv6
RFC 3513 IPv6 Addressing Architecture
RFC 3587 IPv6 Global Unicast Address Format
RFC 4007 IPv6 Scoped Address Architecture
RFC 4862 IPv6 Stateless Address Auto-configuration
Security
IEEE 802.1X Port-Based Network Access Control (2001)
RFC 1321 The MD5 Message-Digest Algorithm
RFC 1334 PPP Authentication Protocols (PAP)
RFC 1994 PPP Challenge Handshake Authentication Protocol (CHAP)
RFC 2104 Keyed-Hashing for Message Authentication
RFC 2138 RADIUS Authentication
RFC 2618 RADIUS Authentication Client MIB
RFC 2620 RADIUS Accounting Client MIB
RFC 2716 PPP EAP TLS Authentication Protocol
RFC 2865 RADIUS Authentication
RFC 2866 RADIUS Accounting
RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868 RADIUS Attributes for Tunnel Protocol Support
RFC 2869 RADIUS Extensions
draft-grant-tacacs-02 (TACACS)
VPN
RFC 1701 Generic Routing Encapsulation (GRE)
RFC 1702 Generic Routing Encapsulation over IPv4 networks
RFC 1828 IP Authentication using Keyed MD5
RFC 1829 The ESP DES-CBC Transform
RFC 1853 IP in IP Tunneling
RFC 2085 HMAC-MD5 IP Authentication with Replay Prevention
RFC 2401 Security Architecture for the Internet Protocol
RFC 2402 IP Authentication Header
RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2406 IP Encapsulating Security Payload (ESP)
RFC 2410 The NULL Encryption Algorithm and Its Use With IPSec
RFC 2411 IP Security Document Roadmap
RFC 2451 The ESP CBC-Mode Cipher Algorithms
RFC 2473 Generic Packet Tunneling in IPv6 Specification
RFC 2529 Transmission of IPv6 over IPv4 Domains without Explicit Tunnels
RFC 2661 Layer Two Tunneling Protocol "L2TP"
RFC 2784 Generic Routing Encapsulation (GRE)
RFC 2868 RADIUS Attributes for Tunnel Protocol Support
RFC 2893 Transition Mechanisms for IPv6 Hosts and Routers
RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPSec
IKEv1
RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409 The Internet Key Exchange (IKE)
RFC 2412 The OAKLEY Key Determination Protocol
RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
PKI
RFC 2510 Internet X.509 Public Key Infrastructure Certificate Management Protocols
RFC 2511 Internet X.509 Certificate Request Message Format
RFC 3279 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
draft-nourse-scep-06
PKCS#1
PKCS#7
PKCS#10
PKCS#12

To learn more, visit hp.com/networking
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
September 2013