Hp 10500 series User manual

Datasheet

HP 10500/11900/7500 20Gbps VPN Firewall

Module

Key features

•

High-performance, 20Gbps firewall throughput

•

Comprehensive security protection

•

Rich VPN functions; IPSec/GRE/L2TP

•

Advanced virtual firewall

•

Lowoperatingcost

Product overview

TheHP10500/11900/7500 20Gbps VPN Firewall Module is a high

performance, integrated network security that can deliver more than

20Gbps of throughput. The scalable stateful firewalls can be

aggregated in a single switch chassis (up to 16 modules), delivering up

to400Gbpsfirewallthroughput.

Thefirewallsunifytheadministration

of the network and firewall,

enabling customers to have simplified

management, and learn once

for administrating the network and

firewallsecurity. These advanced

features provide high return on investment as you will be taking

advantage of the existing switches

for the blades.

The Firewall modules have the following features:

•Integratedsecurityfunctions,includingfirewall,VPN,NAT, URL

filtering, and application layer filtering

•Application Specific Packet Filter (ASPF), used to detect application

layer connection state in real time, implementing security protection

from Layer 3 through Layer 7

•Operation logs, attack logs, stream logs, and network management

andmonitoring functions

•Plug-and-play withgreatscalability,

allowing for insertion of one

or more firewall modules into the

network device

Features and benefits

Firewall

•

High Performance

20 Gbps throughput secures traffic without compromising network

performance.Support for 2 million concurrent connections and

60,000 new connections per second enables high-volume networks

to remain secure under peak traffic

•

Application Specific Packet Filter (ASPF)

Dynamically determines whether to forward or drop a packet by

checking its application layer protocol information (such as FTP,

HTTP, SMTP, RTSP and other application layer protocols based on

TCP/UDP) and monitoring the connection-based application layer

protocol status.

•

Virtualization

Multi-core architecture enables both multiple zones and multiple

separate firewall instances to be created on the same device.

Support for 256 security zones, 256 virtual firewalls and 4,094

virtual LANs (VLANs) offers robust protection to all corners of your

network. Centralized deployment of a single device offering

multiple virtual firewalls lowers total cost of ownership through

streamlinedtraining,simplified deployment and management and

reducedpowerconsumption

•

Zone-based access policies

groups virtual LANs (VLANs) logically into zones that share common

security policies; allows both unicast and multicast policy settings

by zones instead of by individual VLANs

•

Application-level gateway (ALG)

discovers the IP address and service port information embedded in

the application data using deep packet inspection in the firewall;

firewall then dynamically opens appropriate connections for specific

applications

•

NAT

Fully support of NAT applications including many-to-one,

many-to-many, static NAT, dual translation, easy IP and DNS

mapping. It supports NAT traversal with multiple protocols, and

deliversNATALGfunctionssuchasDNS, FTP,H.323,andNBT.

Virtual private network (VPN)

•

IPSec

provides secure tunneling over an untrusted network such as the

Internet or a wireless network; offers data confidentiality,

authenticity, and integrity between two network endpoints

•

Layer 2 Tunneling Protocol (L2TP)

an industry standard-based traffic encapsulation mechanism

supported by many common operating systems such as Windows®

XP and Windows Vista®; will tunnel the Point-to-Point Protocol

(PPP) traffic over the IP and non-IP networks; may use the IP/UDP

transport mechanism in IP networks

•

Generic Routing Encapsulation (GRE)

transports Layer 2 connectivity over a Layer 3 path in asecured

way; enables the segregation of traffic from site to site

•

Manual or automatic Internet Key Exchange (IKE)

provides both manual or automatic key exchange required for the

algorithms used in encryption or authentication; auto-IKE allows

automated management of the public key exchange, providing the

highest levels of encryption

Management

•

Secure Web GUI

provides a secure, easy-to-use graphical interface for configuring

the module via HTTPS

•

Command-line interface (CLI)

provides a secure, easy-to-use

CLI

for configuring the module via

SSH or a switch console; provides direct real-time session visibility

•

SNMPv1, v2c, and v3

facilitatecentralizeddiscovery,monitoring,andsecure

management of networking devices

•

Complete session logging

provides detailed information for problem identification and

resolution

•

Manager and operator privilege levels

provides read-only (operator) and read/write (manager) access on

CLI

and Web browser management interfaces

•

Remote monitoring (RMON)

usesstandard SNMPto monitor essential networkfunctions;

supports events, alarm, history, and statistics group plus a private

alarmextensiongroup

•

FTP, TFTP, and SFTP support

offers different mechanisms for configuration updates; FTP allows

bidirectionaltransfersover aTCP/IPnetwork;trivial FTP(TFTP)isa

simpler method using User Datagram Protocol (UDP); Secure File

Transfer Protocol (SFTP) runs over an SSH tunnel to provide

additional security

Layer 3 routing

•

Static IP routing

provides manually configured routing; includes ECMP capability

•

Routing Information Protocol (RIP)

providesRIPv1 andRIPv2routing

•

OSPF

includes host-based ECMP to provide link redundancy/scalable

bandwidth and NSSA

•

Border Gateway Protocol 4 (BGP-4)

delivers an implementation of the Exterior Gateway Protocol (EGP)

utilizingpath vectors;usesTCP forenhancedreliabilityforthe route

discoveryprocess;reduces bandwidthconsumptionbyadvertising

only incremental updates; supports extensive policies for increased

flexibility; scales to very large networks

•

Dual IP stack

maintains separate stacks for IPv4 and IPv6 to ease the transition

froman IPv4-only network to anIPv6-onlynetworkdesign

•

Policy routing

allows custom filters for increased performance and security;

supports ACLs, IP prefix, AS paths, community lists, and aggregate

policies

•

Layer 3 IPv6 routing

provides routing of IPv6 at media speed; supports static routes,

RIPng, OSPFv3, BGP+,policy route and PIM-SM/DM

Security

•

Defense against attacks

Firewall provides defense against various attacks, such as

DoS/DDoS, ARP spoofing, large ICMP packet, address/port scanning,

Tracert, IP packets with the Record Route option, static and dynamic

blacklists. It also supports binding of MAC address and IP address,

and supports intelligent defense of worm viruses.

•

Application layer content filtering

Firewall supports mail filtering, based on SMTP mail address, titles,

attachments, and contents; supports Web page filtering including

HTTP URL and content filtering.

•

Multiple security authentication services

Firewall supports RADIUS and HWTACACS authentications,

certificate-based (x.509 format) PKI/CA authentication, supports

user identity management (different users own different rights to

execute commands), supports levels of user views (users of

different levels have different management rights).

•

Centralized management and auditing

Firewall provides logging, traffic statistics and analysis, events

monitoring and statistics, and mail notification of alarms.

Warranty and support

•

Electronic and telephone support

limited electronic and business-hours telephone support is

availablefromHPfor theentirewarrantyperiod;toreachour

support centers, refer to

www.hp.com/networking/contact-support

; for details on the

duration of support provided with your product purchase, refer to

www.hp.com/networking/warrantysummary

•

Software releases

to find software for your product, refer to

www.hp.com/networking/support

;fordetailsonthesoftware

releases available with your product purchase, refer to

www.hp.com/networking/warrantysummary

•

1-year warranty

advancehardwarereplacement with10-calendar-daydelivery

(available inmost countries)

HP 10500/11900/7500 20Gbps VPN Firewall Module

Specifications

HP 10500/11900/7500 20Gbps VPN Firewall Module (JG372A)

Ports

2 RJ-45 auto-negotiating 10/100/1000 ports (IEEE 802.3 Type 10BASE-T, IEEE 802.3u Type 100BASE-TX, IEEE 802.3ab Type 1000BASE-T)

2 dual-personality ports; auto-sensing 10/100/1000BASE-T or SFP

1 RJ-45 serial console port

1 Compact Flash port

Physical characteristics

15.71(w) x 14.84(d) x 1.57(h) in (39.9 x 37.7 x 4 cm)

Weight 7.72 lb (3.5 kg)

Environment

Operating temperature 32°F to 113°F (0°C to 45°C)

Operating relative humidity 10% to 95%, noncondensing

Management

IMC - Intelligent Management Center; command-line interface; Web browser; SNMP Manager; Telnet; HTTPS; RMON1; FTP

Features

Performance

6.5 Gbps firewall throughput

2million concurrentconnections

60,000 new connections per second

Maximum20,480security policies

2 Gbps 3DES/AES VPN throughput

5,000 IPSec tunnels

4,000 VLANs

Firewall operation mode

Routing mode

Transparent mode

Hybrid mode

AAAservice

Local authentication

Standard RADIUS

HWTACACS+

RADIUS domain authentication

ASPF

General TCP/UDP application

FTP/SMTP/HTTP/RTSP/H323 Protocol State Detection

SIP/MGCP/QQ/MSN Protocol State Detection

Java/ActiveX blocking and detection

Port mapping

Support for the fragmented packets

Virtualization

256virtualfirewalls

4 default security zones

Maximum 256 security zones

NAT

NAPT

PAT

NAT server

Port mapping

Bidirectional NAT

StaticNAT

Network security

Add blacklist by hand or automatically

IP+MAC binding

ARP Reverse Query

ARP Cheat Check

Management ports closed by default

DDOS

DNS Query flood

SYN flood

HP 10500/11900/7500 20Gbps VPN Firewall Module

Specifications (continued)

HP 10500/11900/7500 20Gbps VPN Firewall Module (JG372A)

Autostarts TCP Proxy when detects SYN flood

ICMP flood

UDPflood

IP spoofing

SQL injection filter

L2TPVPN

LNS, LAC

L2TP Multi-instance

GRE

GRE tunneling protocol

IPSec

AH/ESP

ESP

Transport/tunnel

NAT traversal

Strategy template

IKE

Preshare key authentication method

Support aggressive mode and main exchange mode

IKE DPD, PKI/CA

Network feature

IEEE 802.1q VLAN

4,000 subinterfaces

Static anddynamicARP

Multicast, PIM

IGMPv1/v2/v3

Routing

RIP

OSPF

BGP

Staticroute

Policy route

High availability

Active-activemode

Active-passive mode

Session synchronization forfirewall

System management

Web management support for Internet Explorer/Firefox

Command-line interface (Console/Telnet/SSH)

Classification Manager

Unified management through iMC

SNMPv1/v2c/v3

Administration

Softwareupgrades

Configuration backup and restore

Logging/Monitoring

Syslog

Mini RMON

NTP

NAT/ASPF/firewall log stream (Binary log)

IPv6 routing and multicast

RIPng

OSPFv3

BGP4+

Staticroute

HP 10500/11900/7500 20Gbps VPN Firewall Module

Specifications (continued)

HP 10500/11900/7500 20Gbps VPN Firewall Module (JG372A)

Policy route

PIM-SM/DM

IPv6 security

NAT-PT

Manualtunnel

IPv6 over IPv4 GRE tunnel

6to4 tunnel (RFC 3056)

ISATAP tunnel

IPv6 packet filter

RADIUS

NAT64

Services

3-year, parts only, global next-day advance exchange (UZ896E)

3-year, 4-hour onsite, 13x5 coverage for hardware (UZ897E)

3-year, 4-hour onsite, 24x7 coverage for hardware (UZ900E)

3-year, 4-hour onsite, 24x7 coverage for hardware, 24x7 SW phone support and SW updates (UZ904E)

year, 24x7 SW phone support, software updates (UZ907E)

1-year, post-warranty, 4-hour onsite, 13x5 coverage for hardware (HR735E)

year, post-warranty, 4-hour onsite, 24x7coverage for hardware (HR736E)

1-year, post-warranty, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone support (HR737E)

year, 4-hour onsite, 13x5 coverage for hardware (UZ898E)

4-year, 4-hour onsite, 24x7 coverage for hardware (UZ901E)

year, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone (UZ905E)

4-year, 24x7 SW phone support, software updates (UZ908E)

year, 4-hour onsite, 13x5 coverage for hardware (UZ899E)

5-year, 4-hour onsite, 24x7 coverage for hardware (UZ902E)

5-year, 4-hour onsite, 24x7 coverage for hardware, 24x7 software phone (UZ906E)

5-year, 24x7 SW phone support, software updates (UZ909E)

Yr 6 hr Call-to-Repair Onsite (UZ910E)

Yr 6 hr Call-to-Repair Onsite (UZ911E)

5 Yr 6 hr Call-to-Repair Onsite (UZ912E)

1-year, 6 hour Call-To-Repair Onsite for hardware(HR739E)

1-year, 24x7 software phone support, software updates (HR738E)

Refer to the HP website at

www.hp.com/networking/services

for details on the service-level descriptions and product numbers. For details about services and response times

in your area, please contact your local HP sales office.

Standards and Protocols

(applies to all products in series)

IPv6

RFC 1981 IPv6 Path MTU Discovery RFC 2465 Management Information Base for IP Version

RFC 3587IPv6 Global Unicast Address Format

RFC 2460 IPv6 Specification

6:Textual Conventions and General Group(partially

support, only "IPv6 Interface Statistics table")

RFC 3484 Default Address Selection for IPv6

RFC 3513 IPv6 Addressing Architecture

RFC 4007 IPv6 Scoped Address Architecture

RFC 4862 IPv6 Stateless Address Auto-configuration

Security

IEEE 802.1X:Port-Based Network Access Control (2001) RFC 2104 Keyed-Hashing for Message Authentication RFC2866RADIUS Accounting

RFC 1321 The MD5 Message-Digest Algorithm RFC 2138 RADIUS Authentication RFC 2867 RADIUS Accounting Modifications for Tunnel

RFC 1334 PPP Authentication Protocols (PAP) RFC2618 RADIUS Authentication Client MIB

Protocol Support

RFC 1994 PPP Challenge Handshake Authentication

Protocol (CHAP)

RFC 2620 RADIUS Accounting Client MIB

RFC 2716 PPP EAP TLS Authentication Protocol

RFC 2865 RADIUS Authentication

RFC 2868 RADIUS Attributes for Tunnel Protocol Support

RFC 2869 RADIUS Extensions

draft-grant-tacacs-02 (TACACS)

VPN

RFC 1701 Generic Routing Encapsulation (GRE) RFC 2402 IP Authentication Header RFC 2473 Generic Packet Tunneling in IPv6 Specification

RFC 1702 Generic Routing Encapsulation over IPv4

RFC 2403 The Use of HMAC-MD5-96 within ESP and AH RFC 2529 Transmission of IPv6 over IPv4 Domains

networks.

RFC 1828 IP Authentication using Keyed MD5

RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH

RFC2405 The ESP DES-CBC Cipher Algorithm With

without Explicit Tunnels

RFC 2661 Layer Two Tunneling Protocol "L2TP"

RFC 1829 The ESP DES-CBC Transform

Explicit IV RFC 2784 Generic Routing Encapsulation (GRE)

RFC 1853 IP in IP Tunneling RFC 2406 IP Encapsulating Security Payload (ESP) RFC 2868 RADIUS Attributes for Tunnel Protocol Support

RFC 2085 HMAC-MD5 IP Authentication with Replay

Prevention

RFC 2410 The NULL Encryption Algorithm and Its Use

With IPSec

RFC 2893 Transition Mechanisms for IPv6 Hosts and

Routers

RFC 2401 Security Architecture for the Internet Protocol RFC 2411 IP Security Document Roadmap RFC 3602 The AES-CBC Cipher Algorithm and Its Use with

RFC 2451 The ESP CBC-Mode Cipher Algorithms

IPSec

IKEv1

RFC 2407 The Internet IP Security Domain of

Interpretation for ISAKMP

RFC 2408 Internet Security Association and Key

Management Protocol (ISAKMP).

RFC 3526 More Modular Exponential (MODP)

Diffie-Hellman groups for Internet Key Exchange (IKE)

RFC 2409 The Internet Key Exchange (IKE) RFC 3706 A Traffic-Based Method of Detecting Dead

RFC 2412 The OAKLEY Key Determination Protocol

Internet Key Exchange (IKE) Peers

PKI

RFC 2510 Internet X.509 Public Key Infrastructure

Certificate Management Protocols

RFC 2511 Internet X.509 Certificate Request Message

RFC 3279 Algorithms and Identifiers for the Internet

X.509 Public Key Infrastructure Certificate and

Certificate Revocation List (CRL) Profile

PKCS#10

PKCS#12

PKCS#7

Format RFC 3280 Internet X.509 Public Key Infrastructure

Certificate and Certificate Revocation List (CRL) Profile

draft-nourse-scep-06:

PKCS#1

To learn more, visit hp.com/networking

warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing

herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained

herein.

September 2013

Other manuals for 10500 series

This manual suits for next models

Table of contents

Other HP Firewall manuals

HP ProCurve Access Controller 720wl Installation instructions

HP LST1FW3A1 User manual

HP F5000-C Instruction Manual

HP A-F1000-E User manual

HP A-F1000-E Assembly instructions

HP F5000 User manual

HP F5000-S User manual

HP A-F5000 User manual

Popular Firewall manuals by other brands

Fortinet

Fortinet FSM-500F Configuration guide

Cisco

Cisco Meraki MX100 installation guide

Cisco

Cisco S190 quick start guide

Fortinet

Fortinet FortiGate Voice Series install guide

SecureLogix

SecureLogix ETM System installation guide

Huawei

Huawei USG6000 Series Upgrade guide

NETGEAR

NETGEAR ProSafe FVX538 Reference manual

Lanner

Lanner FW-8877 user manual

Nexcom

Nexcom DNA 1150 user manual

Cisco

Cisco 3110 Hardware installation guide

Fortinet

Fortinet FortiGate-60 series install guide

ADTRAN

ADTRAN NetVanta 2300 Specifications

Swisscom

Swisscom Internet Backup manual

SonicWALL

SonicWALL NSa 5700 quick start guide

DPtech

DPtech FW1000 SERIES Maintenance manual

FEITIAN

FEITIAN MultiPass FIDO product manual

Trend Micro

Trend Micro Deep Edge quick start guide

Smoothwall

Smoothwall S10 Appliance Getting started guide

HP 10500 series User manual

Popular Firewall manuals by other brands