Security Challenges for Data Centers
Performance
• More traffic
• More users
• More servers
Security
• Adapt security to evolving infrastructure (virtualization, cloud, SDN/NFV)
• Respond to rapidly evolving threat environments
Security as a Service
[Figure: Hillstone EFA, with Security Module and IOM labels]
• A highly reliable networking solution based on traditional device HA
• Firewalls in different DCs are connected through dedicated data link and control link
• The two groups of firewalls are able to synchronize the session and configuration information with each other.
• If asymmetric flow is found in a group of firewalls, they will send traffic to the firewall it originally passed
Virtualized Protection
Vsys Vsys
Virtual Firewall
Support up to 1000 Virtual Systems
Support traditional NAT&ALG, Support full-cone NAT and Port multiplexing, to improve multiplexing rate of IPv4 address.
NAT444
Support NAT444 to meet Carriers’ CGN standard functionality, relieve IP address depletion problem and resolve IP address traceability.
DS-Lite
Support multiple IPv6 transition technologies -- Dual-Stack, DS-Lite tunnel, NAT64/DNS64, IPv6 ISATAP, IPv6 GRE, etc., fully support next-generation internet
Intelligent QoS
• QoS based on granular application identification and nested user identification.
• Support priority management and elastic QoS, flexibly optimizes links.
Policy Assistant, Policy Analysis
• Encountered abnormal traffic
• Refine a general policy into detailed policy
• Observe the hit count and trend
• Block unlawful traffic while not blocking legal traffic
• High Performance
• Carrier-Grade Reliability
[Figure: high performance and linear scalability across throughput, new sessions and concurrent sessions]
Throughput: 680G
New Sessions: 4.8M
Concurrent Sessions: 240M
© 2022 Hillstone Networks All Rights Reserved | 17
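Lower Energy Consumption, Cost Reduction
[Figure: bar chart comparing chassis of 14U, 8U and 5U, with throughput density labels 136G/U, 120G/U and 34G/U and power labels 8.25W/G, 4.27W/G and 2.87W/G]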
Backbone Switch
IOM-2Q8SFP+
Fan Module
IOM-8SFP+
IOM-2SM-BE/IOM-2MM-BE
6 general slots, 12 in total
• A single-width module uses one slot only, while a double-width module uses two slots; see “Module Capacity” for details
• Double-width modules include IOM-2Q8SFP+, IOM-8SFP+, IOM-2Q8SFP+-200, SSM-200 and QSM-200
4 XFP IO Module
Fan Module
2x SSM Server Module
• If 200 Series modules are used, at least 3 power supplies are required (3+1 redundancy only)
Extension Modules SCM-100, SSM-100, SSM-200, QSM-100, QSM-200, IOM-16SFP-100, IOM-2MM-BE, IOM-2SM-BE, IOM-2Q8SFP+, IOM-2Q8SFP+-200, IOM-8SFP+
Maximum Power Consumption 2+2 redundant, Max. 1300W; 3+1 redundant, Max. 1950W (SSM200 must use 3+1 redundancy)
Power Supply AC 100-240V (50/60Hz), DC -40 to -72V
Dimension (W×D×H) 5U 17.3×23.2×8.9 in (440×590×225 mm)
Weight <116.6 lb (52 kg)
Temperature 32-104 °F (0-40 °C)
Relative Humidity 10-95%
Real-world Performance
NAT Link throughput 30Gbps (6 SSM-100) 60Gbps (3 SSM-200)
IPSec throughput 18Gbps (6 SSM-100) 40Gbps (4 SSM-200)
IPS Link throughput 18Gbps (6 SSM-100) 40Gbps (4 SSM-200)
(1) IPSec needs decryption, so the number of SSMs must equal the number of IOMs; the highest IPSec performance needs 5*IOM100+5*SSM100 (18*5=90)
(2) The backplane bandwidth limit between SSM and IOM is 32G; the highest IPS throughput needs 2*IOM-200+3*SSM-200 (32*3=96)
Product Name: SG-6000-X10800
Size: 18U
Performance: 1.2Tbps throughput, 10 million new sessions per second, 480 million concurrent sessions
HW highlights: Front and rear air supply, 100GE interface, switching Module redundancy, and 12 full-width slots
Software features: application identification and control, IPS, URL filtering, AV, Cloud sandbox, etc.
Redundant Service Control Module Console, AUX, USB, MGT and 2*HA interface
Maximum power consumption 4400W, N+M(1) redundant hot swap power supply
Power Supply AC 100-240 (50/60 Hz), DC -40 ~ -72V
Management Interfaces 1 Console port, 1 AUX port, 1 MGT management, 1 USB 2.0 port (single SCM-300 module)
Network Interfaces 2 Gigabit optical interfaces (2 HA interfaces, single SCM-300 module)
Expansion Module Slot 12 universal expansion slots, 2 system control module expansion slots, 2 switching module expansion slots
Dimension (W × D × H) 18U 17.3 × 31.4 × 25 in (440 mm × 797 mm × 635 mm)
Weight 253 lb (114.75 kg)
Compliance and Certificate CE, CB, FCC, ROHS, IEC/EN61000-4-5 Power Surge Protection, ISO 9001:2015, ISO 14001:2015, CVE Compatibility, IPv6 Ready, ICSA Firewalls
Note: (1) At least 3 AC power modules are required for full load operation with AC power, and at least 4 DC power modules are required for full load operation with DC power.
Performance Matrix
[Figure: chart of actual link (Gbps) against FW UDP throughput (Gbps) for E6160, E6360, X7180 (*-100 and *-200 modules) and X10800, annotated with connections per second and concurrent connections (CC)]
Configuration Performance
40GE, 10GE interface 100GE, 10GE interface Security Service QoS service module
module module module
Slot 1 1 1 1
CPU/Slot 1 1 2 2
40GE, 10GE service and I/O 100GE, 10GE service and I/O 100GE, 10GE service and
module module I/O module
Slot 1 1 1
CPU/Slot 1 1 1
PS AC (1600) / DC(1100)
IOM-P40-300 232
SCM-300 116
SWM-300 150
SSM-300 257
QSM-300 257
SIOM-P40-300 232
SIOM-P100-300 262
SIOM-P100D-300 262
Fan 175 *2
Note 1: At least 3 AC power modules are required for full load operation with AC power, and at least 4 DC power modules are required for full load operation with DC power. Whether the power supply is redundant depends on the boards in use: if the available power is more than twice what the boards need, it is redundant. 1600/1100 is for a single AC/DC power module.
Hillstone Data Center
Firewall Portfolio X9180
Product Name: SG-6000-X9180
Product: 7U, front panel 6 horizontal slots, rear panel 4 vertical slots, 4 power supplies, 20 fans, maximum power 2300W
Performance: 600 Gbps throughput, 4M new sessions per second, 200M concurrent sessions, IPSec 250G, IPS 200G
HA: Carrier grade reliability at 99.999%; support twin-mode HA deployment for redundant data centers
Architecture: Fully distributed architecture; same HW & SW architecture with X10800; can use X10800 expansion modules
HW highlights: Fully redundant architecture; front and rear air supply; 100GE interface; support future upgrade and expansion
Software features: 3000+ applications identification and control, tens of millions of URL filtering; support up to 1000 vSys
Universal expansion slot *6
Power module
Fan tray (10 fans)
Carrying handle
Modules: IOM-P40-300, IOM-P100-300, SSM-300, QSM-300, SIOM-P40-300, SIOM-P100-300, SIOM-P100D-300
Power control: Power button & CLR button
• A set of front fan trays is hidden inside the air vents. Both air vents support live cleaning and replacement.
Upgrade capability: Does not support future module upgrade; Support future module upgrade; Support future module upgrade
Cost: Low; Relatively high; Low
6. Strong upgrade capability
7. Reduce overall costs and improve overall performance
Compared Items | X7180 | X9180
FW Throughput (Maximum) | 680 Gbps | 600 Gbps
IPSec Throughput (Maximum) | 90 Gbps | 250 Gbps
IMIX Throughput | 500 Gbps | 300 Gbps
NGFW Throughput | 70 Gbps | 140 Gbps
Threat Protection Throughput | 50 Gbps | 100 Gbps
Concurrent Sessions (Maximum) | 240 Million | 200 Million
Compared Items | X10800 | X9180
FW Throughput (Maximum) | 1.2 Tbps | 600 Gbps
IPSec Throughput (Maximum) | 500 Gbps | 250 Gbps
IMIX Throughput | 600 Gbps | 300 Gbps
NGFW Throughput | 280 Gbps | 140 Gbps
Threat Protection Throughput | 200 Gbps | 100 Gbps
Concurrent Sessions (Maximum) | 480 Million | 200 Million
Difference: Half of X10800
X9180 provides half of X10800’s capacity in less than half of X10800’s size and with higher power efficiency. It can utilize X10800’s IOM, SSM, QSM and SIOM.
[Figure: chart of actual link against FW throughput (bps) for E6160, E6360 and X7180]
X7180 (200 Module): Throughput: 680G, Actual Link: 180G, New Sessions/s: 4.8 Million, Concurrent Sessions: 240 Million
X7180 (100 Module): Throughput: 360G, Actual Link: 60G, New Sessions/s: 2.4 Million, Concurrent Sessions: 120 Million
E6360: Throughput: 80G, Actual Link: 20G, New Sessions/s: 900k, Concurrent Sessions: 30 Million
E6160: Throughput: 60G, Actual Link: 10G, New Sessions/s: 700k, Concurrent Sessions: 20 Million
X9180 Performance Configuration
Expansion Modules | FW Throughput | IPSec Throughput | IPS Throughput | Max. Concurrent Sessions | Max. New Sessions/s | 100GE | 40GE | SFP+
IOM-P40-300 | 98G | 51G | / | 60M | 2.2M | 0 | 2 | 12
IOM-P100-300 | 107G | 51G | / | 60M | 2.2M | 4 | 0 | 8
SSM-300 | / | 50G | 50G | 120M | 1.8M | / | / | /
QSM-300 | 99G | / | / | 20M | / | / | / | /
SIOM-P100-300 | 105G | 56G | 43G | 34M | 0.77M | 4 | / | 8
Configuration Performance
Module | Slot | CPU/Slot
40GE, 10GE interface module | 1 | 1
100GE, 10GE interface module | 1 | 1
Security Service Module | 1 | 2
QoS Service Module | 1 | 2
System Control Module | 1 | 1
Switching Module | 1 | N/A
IPSec Throughput (Gbps): 54 56 55
PS AC (1600) / DC(1100)
IOM-P40-300 232
IOM-P100-300 262
SCM-280 100
SWM-280 100
SSM-300 257
QSM-300 257
SIOM-P40-300 232
SIOM-P100-300 262
SIOM-P100D-300 262
Fan 175 *2
Note: At least 2 AC power modules are required for full load operation with AC power, and at least 2 DC power modules are required for
full load operation with DC power.
Hillstone Data Center
Firewall Portfolio X8180
Product Name: SG-6000-X8180
Product: 3U, front 3 horizontal slots, rear 2 horizontal slots, 1+1 redundant power supplies, 4 fans, maximum power 1300W
Performance: 450 Gbps throughput, 2.5M new sessions/s, 130M concurrent sessions, IPS 180G
HA: Carrier grade reliability at 99.999%; support twin-mode HA deployment for redundant data centers
Architecture: Fully distributed architecture; same HW & SW architecture with X9180 & X10800
HW highlights: Fully redundant architecture; front and rear air supply; 100GE interface
Software features: 3000+ applications identification and control, tens of millions of URL filtering; support up to 1000 vSys
SIOM-P100-260
16 SFP+, 2 QSFP28
Note: The 100GE port can be reduced to 40GE via command line. It can also be divided into 4 * 25GE via command line.
SCM-260
1 * USB 2.0 port, 1 * Console port, 1 * MGT management, 2 * Gigabit optical ports (HA)
Note: PWR – power indicator; STA – system status indicator; CLR button - to restore the factory configuration.
X8180 Specification
Model SG-6000-X8180
Firewall Throughput (Maximum) 450 Gbps
IPSec Throughput (Maximum) N/A (under testing)
IMIX Throughput N/A (under testing)
NGFW Throughput N/A (under testing)
Threat Protection Throughput N/A (under testing)
Concurrent Sessions (Maximum) 130 Million
New Sessions/s 2.5 Million
IPS Throughput (Maximum) 180 Gbps
Expansion Modules SCM-260, SIOM-P100-260
Maximum Interfaces Maximum 6*100GE + 48*10GE
Maximum power consumption Max. 1300W, 1+1 redundant
Power Supply AC 100-127 V / 200-240 V (50/60 Hz), DC -48 ~ -60 V
Management Interfaces 1 Console port, 1 MGT management, 1 USB 2.0 port (single SCM-260 module)
Network Interfaces 2 Gigabit optical interfaces (2 HA interfaces, single SCM-260 module)
Expansion Module Slot 3 universal expansion slots, 2 system control module expansion slots
Dimension (W × D × H) 3U W 17.3 in × D 21.7 in × H 5.2 in (W 440 mm × D 552 mm × H 132 mm)
Weight 44.5 lb (20.2 kg)
Compliance and Certificate ROHS, IEC/EN61000-4-5 Power Surge Protection, ISO 9001:2015, ISO 14001:2015, CVE Compatibility, IPv6 Ready, ICSA Firewalls
1. Industry’s leading throughput (150 Gbps throughput per U, 43 Million Concurrent Sessions and 800,000 New Sessions/s per U)
2. Powerful application layer protection (60 Gbps IPS Throughput per U)
3. Simple module configuration, better redundancy
4. Support 100GE
5. Front and rear ventilation that satisfy the energy efficiency needs of modern DC
6. Hot swap power supply, low power consumption
[Figure: chart of new sessions per second against FW throughput (bps) for X7180, X8180, X9180 and X10800]
X10800: Throughput: 1.2T, IPS: 400G, New Sessions/s: 10 Million, Concurrent Sessions: 480 Million
X7180 (200 Module): Throughput: 680G, IPS: 100G, New Sessions/s: 4.8 Million, Concurrent Sessions: 240 Million
X9180: Throughput: 600G, IPS: 250G, New Sessions/s: 4 Million, Concurrent Sessions: 200 Million
X8180: Throughput: 450G, IPS: 180G, New Sessions/s: 2.5M, Concurrent Sessions: 130 Million
X7180 (100 Module): Throughput: 360G, IPS: 90G, New Sessions/s: 2.4 Million, Concurrent Sessions: 120 Million
X8180 Performance Configuration
Note: The performance of the max configuration is a rounded number based on 3 SIOM-P100-260 modules.
Height 5U 3U 7U 18U
Max. Concurrent Session 240 Million 130 Million 200 Million 480 Million
IPS Throughput 100 Gbps 180 Gbps 250 Gbps 400 Gbps
Height 3U 9U 3U 5U 3U 3U
FW Throughput 450 Gbps 430 Gbps 316 Gbps 285 Gbps 239 G 239 G
Max. Concurrent Session 130 Million 192 Million 32 Million 90 Million 120 Million 200 Million
New sessions/s 2.5 Million 2.9 Million 550,000 1.75 Million 2 Million 3 Million
IPSec VPN Throughput N/A 144 Gbps 40 Gbps 60 Gbps 96 Gbps 160 Gbps
IPS Throughput 180 Gbps 210 Gbps 43 Gbps 230 Gbps 110 Gbps 170 Gbps
High Performance
High Availability
Advanced Security Technologies
Compact & Energy Saving
Deployment Scenarios &
Winning Cases
Internet Partners
North/South
BYOD Data Center Branch Offices
Hillstone Offerings
✓ High performance firewall
✓ High reliability architecture
✓ Scalable architecture
✓ Virtual System
Hillstone Offerings
✓ High performance DC firewall
✓ Virtual System (vSYS) solution
✓ Granular application identification
MAN Exit
Customer Pain Points
Hillstone Offerings
✓ High performance NAT
Active Standby
vSYS supports segmentation of different business departments and business applications
Internet
Active Standby
• A transaction sends traffic from servers in data center A (on the left) to servers in data center B (right).
• IT policy requires all Data Center A traffic to traverse Data Center A firewalls (see green line).
• The Twin-Mode link instantly synchronizes the Data Center A firewall session configuration and state information with Data Center B firewalls (red dotted line labeled Twin-Mode).
• The return flow hits the Data Center B firewalls, which, thanks to Twin-Mode, are aware of the session established on firewalls in Data Center A. They forward the return flow to Data Center A firewalls.
• The return flow passes through the Data Center A firewalls successfully and completes the transaction (red line), providing access to the requested information.
• Dual data link ports are supported for Twin-Mode connections to reduce single points of failure.
X-Series Winning Cases
[Figure: network diagram with ISP1, ISP2, X10800 and ISP City1 to ISP City4]
Unified solution: CGN + Security
High performance and reliability
• NEDETEL is one of largest ISP and carriers in
interface.
• NEDETEL deployed Hillstone X10800 Next Generation Data Center Firewall with 100G interfaces, together with security service including IPS, QoS and URL filtering.
• With Hillstone X10800, NEDETEL provides high performance network and trusted security to its end users.
Unified solution: CGN + Security
• The high-end Hillstone 100G firewall not only settled the security but also solved the shortage of CTWAP
High performance and reliability safeguard the secure operation of the disaster recovery datacenter
Performance scalability can help the bank protect its existing investment
• Hillstone provided 2 Hillstone Data center firewall during the current period of the project, to provide high performance and scalable protection.