Security |
Access control |
Access control based on network interface, security zones, source/destination IP, domain name, port, application and customer; support time-based policy. Support DPI identification in access control. |
|
|
Support security policies pre-compile during committing configuration, complex security policies will not reduce chassis performance |
|
|
Support default policy, permit all or deny all is available for all policies |
|
|
Support logging for policy match, include flow and hitting |
|
|
Support shadowing checking in security policies |
|
|
Support session management for special security policy |
|
|
Support group based security policies management |
|
APT (Advanced Persistent Threat) protection |
Chassis has another dedicated hardware based APT engine. Sandbox is used to detect malicious code. APT engine has abilities for protecting long-term detection attack and 0 DAY attack |
|
|
APT engine can process at least 20 types of files, such as exe, rtf, Office file, rar, zip, pdf and so forth. |
|
Raven Eye cloud security protection |
Raven can sync all system libraries from Raven Eye. Raven is able to prevent either known or unknown threaten when it is captured by Raven Eye in past 6 hours |
|
|
Support both IPv4 and IPv6 environment. |
|
|
Support one-key process for captured host |
|
IPS |
Support flow based protocol analysis and protocol tree algorithm, support both IPv4 and IPv6 |
|
|
Attack sample library has more than 3600 entries, weekly update, and support online user manual |
|
|
Support online, bypass and complex deployment |
|
Anti-Virus |
Based on Raven eye cloud security center, Raven has more than 36k virus samples, weekly update |
|
|
Support HTTP, FTP, POP3, IMAP and SMTP attachment scanning |
|
|
Support customized scan template |
|
|
Anti-virus policy can base on interface, security zone, address, user, service and time |
|
|
Support online, bypass and complex deployment, support both IPv4 and IPv6 |
|
Web application protection |
Support protection for SQL injection and XSS script attack, support Web application security in IPv4/IPv6 protection |
|
DDoS |
Support TCP flooding protection, include packet rate, source host packet rate and destination packet rate limitation. SYN cookie, dropping violation packets or only alarm are available protection actions |
|
|
Support UDP flooding protection, include packet rate, source host packet rate and destination packet rate. Dropping violation packets and only alarm are available protection actions |
|
|
Support ICMP flooding protection, include packet rate, source host packet rate and destination packet rate. Dropping violation packets and only alarm are available protection actions |
|
|
Support inhibition for malicious scanning, such as TCP scanning, UDP scanning and ICMP scanning |
|
|
Support protection for Jolt2, Land-Base, Ping of death, Syn flag, Tear drop, Winnuke, Smurf |
|
Session Control |
Total connection control based on interface, address, user, application and time |
|
|
CPS control based on interface, address, user, application and time |
|
|
Source total connection control based on interface, address, user, application and time |
|
|
Source CPS suppression control based on interface, address, user, application and time |
|
|
Destination total connection control based on interface, address, user, application and time |
|
|
Destination CPS control based on interface, address, user, application and time |
|
ARP protection |
Support IP-MAC mapping protection and unique mapping validation |
|
|
Support protection of ARP spoofing. Raven support static MAC learning or reverse flooding to correct ARP to strike back the attacker |
|
|
Support ARP suppression to defense ARP flooding |
|
Deny List |
Support IP based deny list, deny list up to 30K entries |
|
|
Support import/export operation for deny list |
Application-based control |
Application Identification |
App ID engine based on DPI, DFI and network behavior analysis |
|
Application control |
Support application identification by classes, such as: IM, class-based URL management, social media, download tools, video application and so forth |
|
Email application control |
Support deep email inspection based on parameters such as email title, email body, attachments and protocol commands |
|
Application library |
Application library support at least 1000 applications |
|
Application library update |
Application library update support both online and offline operation, weekly update |
|
IPv4/IPv6 support |
Support application behavior management in IPv4/IPv6 |
Traffic control |
Token bucket |
Multi-level token bucket mechanism, minimum particle size 1K bps |
|
Flexible QoS |
Support QoS policy on physical interface and VLAN interface |
|
Application based QoS |
QoS policy support application traffic inspection |
|
Hierarchical QoS |
Support 4-level nesting HQoS, each level has 64 queue |
|
Per-user bandwidth control |
Support assign per-user bandwidth schedule in customer communication for upstream traffic and downstream traffic |
|
Bandwidth reserve |
Support to configure upstream bandwidth and downstream bandwidth |
|
Priority queue |
Support priority queue |
|
Shaping |
Support shaping |
Network |
Deployment |
Support routing mode and transparent mode firewall, support complex deployment |
|
IPv4/IPv6 dual stack |
Support IPv4/IPv6 dual stack, all functions can work both under IPv4 and IPv6 |
|
Physical interface |
Support static IP address and DHCP client, support multiple addresses under interface |
|
802.1Q VLAN |
Support 4096 VLANs |
|
LAG |
Support LACP and static LAG. Load balancing mode can be configured. |
|
GRE |
Support GRE tunnel |
|
Static route |
Support static route and ECMP under static route. Support various methods of static route health check |
|
Routing protocol |
Support RIP, OSPF and BGP |
|
Policy based route |
Support PBR based on ingress port, source IP, destination IP, port, service and domain name, multiple next-hops are also supported |
|
BFD |
Support BFD function. |
|
Load balance in WAN |
Support load balance for multiple WAN interface, include PPPoE |
|
Health check |
Support link health check via ICMP, TCP, DNS and HTTP request |
|
Routing control |
Support ECMP, PBR and link-load balance |
|
NAT |
Support source NAT, destination NAT, static NAT and policy NAT. Support CG-NAT. |
|
NAT46/NAT64 |
Support NAT between IPv4 and IPv6 |
|
ALG |
NAT pin-hole support on application layer |
|
NAT address pool |
Support multiple address pool and discontinuous address pool |
|
VPN |
Support IPSec VPN and L2TP VPN |
|
|
Support SSLVPN in proxy mode and tunnel mode. Support nested access policy in SSLVPN |
|
STP |
Support STP protocol |
|
DHCP |
Support DHCP server, support IP-MAC binding entry |
|
DNS Server |
Support DNS server, Support DNS zone |
|
DNS record |
Support DNS record, include A, AAA, NS, CNAME, TXT, MX and PTR |
|
DNS transparent agent |
Support DNS transparent agent, support multiple algorithms for load balancing |
Virtualization |
Hardware based virtualization |
Raven support hardware based virtualization acceleration |
|
Virtual FW configuration |
Support full functional vFW deployment. vFW support different software, feature and HA policy |
|
Virtual FW management |
Each vFW has private resource template and configuration |
HA |
Hot-standby |
Support active-active and active-backup mode |
|
Backup node management |
Backup node support OOB management |
|
VRRP |
Support VRRP for gateway backup |
|
Multi-standard failure detection |
Failure detection based on heart-beat detection, link flapping, remote failure. |
|
Session sync |
Support session sync between nodes, failover will not interrupt service |
|
HA preempt |
Support priority configuration for certain active node |
Monitoring |
Threaten visualization |
Support threaten visualization for attack. Visualization based on threat level, country and victim, include TOP10 table and diagram. |
|
Application based traffic visualization |
Support application visualization for TOP100 application. Diagram include traffic detail and per app/per user traffic statistics. |
|
User based traffic visualization |
Support user based visualization for TOP100 users. Diagram include user traffic detail. |
|
Interface based traffic visualization |
Support collecting detail information of interfaces, based on physical interface or virtual interface (VNI or GRE) |
|
System report |
Support to generate system report in system usage. CPU usage, memory usage, concurrent connection, CPS field during real time, 1 hour, 1 day, 7 days and 1 month |
Logging |
Local syslog |
Support local storage for system log |
|
Remote syslog |
Support multiple syslog server |
|
Log level |
Support standard level 0~7 |
|
Report |
System can generate traffic report and threaten report. |
|
Email alarm |
System alarm can trigger email to certain receivers. |
Address management |
Address object management |
Support address objects up to 8K, each object has address records up to 2K. Support domain name as address record. |
|
Address object bulk operation |
Support import/export address objects/record for bulk operation. |
|
Customized application |
Support customized application |
System configuration |
Web UI(HTTP/HTTPS) |
Internationalization Web UI |
|
Control/VTY |
Support console port, SSH and telnet for remote CLI management |
|
SNMP |
Support SNMP v1/v2/v3 |
|
User login management |
Support local account, Radius and LDAP authentication |
|
User role management |
Support different user roles to implement user management and operation audit. |
|
NTP |
Support external NTP server |
|
System configuration backup/restore |
Support export/import configuration file as plain text. |
|
Packet dump |
Support WebUI for packet dumping |