        H3C SecPath M9000 Series Firewall

        H3C SecPath M9000 Series

        The H3C SecPath M9000 series products are new-generation multi-service network security gateways developed by H3C. The H3C SecPath M9000 series is designed for cloud computing data centers, service provider CGN, large-scale enterprises, and residential LANs. The series has received third-party certifications from ICSA Labs.

        The H3C SecPath M9000 series supports the following functions:

        * Attack protection, access control, security zone, blacklist, traffic monitoring, mail filtering, webpage filtering, and application layer filtering, which effectively ensure network security.

        * Application Specific Packet Filter (ASPF), which can inspect the connection status and detect exceptional commands.

        * VPN services, including L2TP VPN, GRE VPN, IPsec VPN, and MPLS VPN.

        * Carrier Grade NAT services.

        * Routing capabilities, including static routing, dynamic routing (RIP/OSPF/BGP/ISIS), policy-based routing, and routing policies.

        * IPv4 and IPv6 dual stacks.

        The H3C SecPath M9000 series features the following to meet the network availability, maintenance, upgrade, and optimization requirements:

        * Uses multi-core, fully distributed hardware architecture.

        * The MPUs provide 1+1 redundancy, unified configuration management for the entire device, and security cluster support. The fan trays provide redundancy. The fan trays support fan status monitoring. The fans support stepless speed regulation, which can automatically adjust the fan speed according to the environment temperature and card configuration.

        * The power modules support M+N backup. AC and DC power modules support hot swapping and load sharing. You can configure the power modules according to the system power consumption.

        * The service engine and interface units support mixed insertion. You can deploy them as needed to meet various performance requirements.

        * All units of the device support hot swapping.

        High-performance software and hardware platforms

        The H3C SecPath M9000 series uses a fully distributed hardware architecture and a built-in modularized software system.

        * The hardware architecture decouples the key system components to improve system reliability. The MPU, switching fabric modules, service engine, and interface unit have separate hardware, implementing the separation of control, service, and data.

        * The hardware switching fabric modules are capable of processing and forwarding security services at a high speed.

        * The high-performance MPU implements unified system configuration management and security cluster.

        * The service engine uses an updated multicore processor to provide 40G/100G processing capability for security services. It uses hardware TCAM to ensure high-speed searching of a large number of policy entries.

        * The software system supports multi-process scheduling to improve system reliability. Processes run separately. The failure of a single process does not affect other processes of the system.

        * The software system supports privilege management to improve system security. It defines user read and write privileges based on features, command lines, system resources, and Web management levels.

        * The software system supports hot patching and ISSU to allow system upgrading without interrupting services, improving system usability.

        Carrier-level high availability

        * Uses H3C highly-available proprietary software and hardware platforms that have been proven by telecom carriers and medium- to large-sized enterprises.

        * Supports 1:1 stateful failover: active/active stateful failover for load sharing and active/standby stateful failover for backup.

        * Supports N:N stateful failover, providing load sharing and service backup.

        * Supports Security Cluster Framework (SCF), including multi-chassis cluster and heterogeneous cluster.

        Powerful security protection features

        * Attack protection—Detects and prevents various attacks, including Land, Smurf, UDP Snork attack, UDP Chargen DoS attack (Fraggle), large ICMP packet, ping of death, tiny fragment, Tear Drop, IP spoofing, IP fragment, ARP spoofing, reverse ARP lookup, invalid TCP flag, IP/port scanning, and common DDoS attacks such as SYN flood, UDP flood, ICMP flood, DNS flood, and CC.

        * Unified management—Manages the host and service modules as a single network element. You do not need to plan IP addresses for each card. This function saves IP addresses, facilitates deployment, and realizes comprehensive configuration management, performance monitoring, and log auditing.

        * IFF—Intelligent Flow Forwarding, which balances traffic on the deployed service engines to implement distributed traffic processing.

        * SCF—Supports multi-chassis cluster, which simplifies management and deployment, and implements resilient extensions of security services and security performance. Supports heterogeneous cluster, making the cluster system more flexible. For example, M9006, M9010, and M9014 can form a cluster.

        * SOP—Security ONE platform. It implements the virtual firewall function by using the container based virtualization technology.

        * SOP implements process-based isolation.

        * SOP can divide static and dynamic system resources at a high level of granularity based on the unified OS kernel.

        * The number of SOPs can be adjusted according to system requirements.

        * The SOP capabilities can be adjusted according to user requirements.

        * Security zone—Allows you to configure security zones based on interfaces and VLANs.

        * Packet filtering—Allows you to apply standard or advanced ACLs between security zones to filter packets based on information contained in the packets, such as UDP and TCP port numbers. You can also configure time ranges during which packet filtering will be performed.

        * ASPF—Dynamically determines whether to forward or drop a packet by checking its application layer protocol information and state (such as RAWIP, ICMP, ICMPv6, UDP-LITE, SCTP, and other application layer protocols based on TCP/UDP).

        * AAA—Supports authentication based on RADIUS/HWTACACS+/LDAP(AD), CHAP, and PAP.

        * Blacklist—Supports static blacklist and dynamic blacklist.

        * NAT—Supports static NAT, source address NAT, destination address NAT, static CGN NAT, dynamic CGN NAT, and NAT ALG.

        * P2P traversal—Supports Fullcone and Hairpin.

        * VPN—Supports L2TP, IPsec/IKE, GRE, and MPLS VPN.

        * Routing—Supports IPv4 and IPv6 static routing, ECMP routing, policy-based routing, IPv4 routing protocols (such as BGP, RIPv2, OSPF, and ISIS), and IPv6 routing protocols (such as BGP4+, OSPFv3, and ISISv6).

        * Multicasting—Supports IGMP v1/v2/v3, PIM-SM, and PIM-DM.

        * Security logs—Supports operation logs, interzone policy matching logs, attack protection logs, DS-LITE logs, and NAT444 logs.

        * Traffic monitoring, statistics, and management.

        * Industry-leading protection—ICSA validated security and performance.

        Industry-leading IPv6 features

        * Basic IPv6 protocols, including TCP6, UDP6, RAWIP6, ICMPv6, PPPoEv6, DHCPv6 Server, DHCPv6 Client, DHCPv6 Relay, DNSv6, and RADIUS6.

        * IPv6 routing protocols, including IPv6 static routing, IPv6 dynamic routing (BGP4+/OSPFv3/ISISv6), policy-based routing, and routing policy.

        * IPv6 ASPF.

        * IPv6 attack protection.

        * IPv6 multicast.

        * IPv6 transition technologies, including NAT-PT, IPv6 over IPv4 GRE tunnel, manual tunnel, 6to4 tunnel, automatic IPv4-compatible IPv6 tunnel, ISATAP tunnel, NAT444, and DS-Lite.

        Intelligent management

        * Support for SNMPv3, which is backward compatible with SNMPv1 and SNMPv2.

        * CLI-based configuration and management.

        * Unified management functions provided by the H3C iMC, which can collect and analyze security information, and offer an intuitive view into network and security conditions, saving management efforts and improving management efficiency.

        * Centralized log management functions based on advanced data drill-down and analysis technology. It can request and receive information to generate logs, compile different types of logs (such as syslogs and binary stream logs) in the same format, and compress and store large amounts of logs. You can encrypt and export saved logs to external storage devices such as DAS, NAS, and SAN to avoid loss of important security logs.

        * Abundant reports, including application-based reports and stream-based analysis reports.

        * Export of reports in different formats, such as PDF, HTML, Word, and TXT.

        * Report customization through the Web interface. Customizable contents include time range, data source device, generation period, and export format.





        MPU slots




        LPU slots


        8 (vertical)


        Switching fabric module slots




        Redundancy design

        Redundant MPUs, switching fabric modules, power modules, and fan trays

        Redundant MPUs, switching fabric modules, power modules, and fan trays

        Redundant MPUs, switching fabric modules, power modules, and fan trays

        Size (W x H x D)

        440 mm x 353 mm x 660 mm (8 RU)

        440 mm x 886 mm x 660 mm (20 RU)

        440 mm x 797 mm x 660 mm



        < 85 kg

        < 143 kg

        < 145 kg





        Throughputs (*With two I/O modules)




        Maximum Concurrent connections per single firewall blade




        Connections per second per single firewall blade




        IPsec throughput (3DES, 1400 bytes) per single firewall blade




        IPsec concurrent tunnels per single firewall blade




        Ambient temperature

        Operating: 0°C to 45°C (32°F to 113°F)

        Non-operating: –40°C to +70°C (–40°F to +158°F)

        Operating mode



        Portal authentication

        RADIUS authentication

        HWTACACS authentication

        PKI/CA (X.509 format) authentication

        Domain authentication

        CHAP authentication

        PAP authentication

        Multi-service security gateway

        Virtual multi-service security gateway

        Security zone

        Attack protection against malicious attacks, such as land, smurf, fraggle, ping of death, tear drop, IP spoofing, IP fragmentation, ARP spoofing, reverse ARP lookup, invalid TCP flag, large ICMP packet, address/port scanning, SYN flood, ICMP flood, UDP flood, and DNS query flood

        Basic and advanced ACL

        Time range-based ACL

        Dynamic packet filtering

        ASPF application layer packet filtering

        Static and dynamic blacklist function

        MAC-IP binding

        MAC-based ACL

        802.1Q VLAN transparent transmission


        Many-to-one NAT, which maps multiple internal addresses to one public address

        Many-to-many NAT, which maps multiple internal addresses to multiple public addresses

        One-to-one NAT, which maps one internal address to one public address

        NAT of both source address and destination address

        External host access to internal servers

        Internal address to public interface address mapping

        NAT support for DNS

        Setting effective period for NAT

        NAT ALGs, including DNS, FTP, H.323, ILS, MSN, NBT, PPTP, and SIP


        L2TP VPN

        IPSec VPN

        GRE VPN

        SSL VPN


        IPv6 stateful firewall

        IPv6 interzone policy

        IPv6 attack protection

        IPv6 connection limit

        IPv6 protocols such as ICMPv6, PMTU, Ping6, DNS6, TraceRT6, Telnet6, DHCPv6 Client, and DHCPv6 Relay.

        IPv6 routing: RIPng, OSPFv3, BGP4+, static routing, policy-based routing, PIM-SM, and PIM-DM

        IPv6 transition techniques: NAT-PT, IPv6 tunneling, NAT64 (DNS64), and DS-LITE

        High availability

        Active/active and active/standby stateful failover



        Asymmetric-path mode stateful failover

        IKE-based IPsec


        Static and dynamic link aggregation



        Patch images

        Configuration management

        Configuration management at the CLI

        Remote management through Web

        Device management through H3C IMC

        SNMPv3, compatible with SNMPv2c and SNMPv1

        Environmental protection



        ICSA Labs

        H3C SecPath M9000 with data center application scenario

        * Stateful failover and reliable network design

        * Powerful processing capabilities

        * Powerful VPN encryption capabilities

        * Excellent attack protection capabilities to prevent single packet and flood attacks

        * Abundant routing protocols, implementing integration of security and network




        H3C SecPath M9006


        H3C SecPath M9010


        H3C SecPath M9014


        M9000 Main Control Engine

        At least one is required.

        Service engines

        Security engine


        SecBlade Enhanced FW engine


        SecBlade Enhanced IPS engine


        SecBlade LB engine


        SecBlade NetStream engine


        SecBlade ACG engine


        SecBlade SSL engine


        Interface units

        Interface unit


        48-port Gigabit electrical Ethernet interface unit


        48-port Gigabit optical Ethernet interface unit


        16-port Gigabit + 8-port combo + 2-port 10-Gigabit optical Ethernet interface unit


        4-port 10-Gigabit optical Ethernet interface unit


        8-port 10-Gigabit optical Ethernet interface unit


        32-port 10-Gigabit optical Ethernet interface unit


        4-port 40-Gigabit optical Ethernet interface unit


        Switching fabric modules

        Switching fabric module


        H3C SecPath M9006 switching fabric module


        3 + 1 redundancy.

        H3C SecPath M9010 switching fabric module


        3 + 1 redundancy.

        H3C SecPath M9014 switching fabric module


        3 + 1 redundancy.

        Power modules

        Power module


        AC power module (2500 W)


        DC power module (2400 W)

