Installation Manual
H3C SecPath F1000-E Firewall Chapter 1 Product Overview
1-2
II. Diversified security protection functions
z Security zone management. The F1000-E supports security zone division based
on physical interfaces, logical interfaces, L2 Ethernet sub-interfaces, and L2
Ethernet interfaces + VLANs. Interfaces in the same security zone typically have
the same security requirements for security policy control. With the concept of
security zone introduced, the security administrator can divide interfaces with
different security requirements into different zones. This hierarchical management
of policies simplifies policy maintenance and enables the separation of networking
services from security services.
z Packet filtering. The F1000-E supports static access control of users by filtering
each IP packet as per the defined the access control list (ACL) rules.
z Application-specific packet filtering (ASPF), also known as stateful packet
inspection (SPI). ASPF is an advanced communication filtering function that
checks the information of application layer protocols, such as the File Transfer
Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer
Protocol (SMTP) and Real-Time Streaming Protocol (RTSP), monitors the state of
connection-oriented application layer protocols to maintain the state information of
each connection, and dynamically decides whether to permit or drop a packet.
z P2P flow control. The F1000-E uses the deep inspection method, namely by
matching packets with the characteristics of P2P packets, to accurately identify
P2P traffic. In addition, the F1000-E provides different control policies to allow
flexible control of P2P traffic.
z Virtual firewall. A firewall can be logically divided into multiple virtual firewalls,
each configured with a different security policy. By default, different virtual firewall
devices are isolated from one another and can be separately managed.
z Anti-attack features. The F1000-E supports a diversity of attack prevention
techniques to guard again various attacks, including Land, Smurf, Fraggle,
WinNuke, Ping of Death, Tear Drop, IP Spoofing, address sweep, and port scan
attacks. In addition, F1000-E can also guard against various DDoS attacks,
including SYN Flood, UDP Flood, ICMP Flood, ACK Flood, RST Flood, DNS
Query Flood, and CC.
z URL filtering. The F1000-E allows you to block specific Websites to improve the
utilization of network resources.
III. Powerful VPN functions
z The F1000-E supports IPsec and GRE.
z The F1000-E supports IKE and PKI.
z The F1000-E employs a built-in VPN encryption engine to ensure
high-performance VPN processing.
IV. High reliability
The F1000-E supports hot standby redundancy backup.