Hi, guys!
I would like to share a post with you on NGFW selection recommendations. Basically, it will showcase how to select Huawei NGFW firewalls and introduce firewall hardware. Please have a read below for more information.
1 Selection criteria
Currently, the current mainstream firewall models are USG66 and USG95 series, selected according to the actual business needs of the existing network. Select a model based on the actual service requirements on the live network. The partition selection suggestions are as follows:
Location | Selection |
Campus network, SR1 non-service network, other SR partitions, Partitions with small traffic, such as VPN firewalls | USG6630 |
RDC non-service network, SR1 service network, computing cloud, desktop cloud, etc. ( about 10G traffic) | USG6680 |
RDC service network, EDC common partition | USG9520 |
EDC important partition | USG9560 |
2 Device Performance Overview
Model | Corresponding to Eudemon | Throughput ( large packet) | Throughput ( small packet ) | Concurrent sessions | New sessions per second | Device size |
USG6630 | Eudemon1000E-N5 | 16G | 5G | 6 million | 250,000 | 1U |
USG6680 | Eudemon1000E-N7E | 40G | 8G | 12 million | 400,000 | 3U |
USG9520 | E8000E-X3 | 80G | 16G | 80 million | 1 million | 4U ( DC ) / 5U ( AC ) |
USG9560 | E8000E-X8 | 480G | 96G | 4.8 billion | 6 million | 14U |
USG9580 | E8000E-X16 | 960G | 192G | 960 million | 12 million | 32U |
USG6600 series firewalls are case-shaped devices. The performance depends on the performance of the main control board and the hardware acceleration card. It is irrelevant to the inserted interface card and the performance of the entire system is fixed.
USG9500 series firewalls are frame-shaped structures. The performance of the device depends on the interface board and service board inserted on the device. Users can match their own needs according to their needs.
The device performance depends on the interface board and service board installed on the device. You can set this parameter based on the site requirements. The preceding table shows the maximum performance of the device.
3 Hardware introduction
3.1 USG66 Host
3.1.1 USG6630 Host
The USG6630 is a case-shaped device with four GE optical ports, eight GE electrical ports, one AC power supply, and two extended slots.
A power module is required when purchasing.
Code | Description | Quantity |
02359520 | Assembly components - USG6630-USG6630-AC-USG6630 AC host (8GE electric + 4GE light , 8GB memory , 1 AC power ) | 1 |
02131122 | Primary power supply -25degC-60degC-90V-290V-12V/14.2A | 1 |
For areas with a large number of interfaces, such as the Internet access zone or more than two zones, you are advised to purchase interface boards. The interface boards are selected based on the actual optical/electrical interface type. If the 10G bandwidth is required, you also need to purchase the 10G interface board. You are advised to use the electrical port for the heartbeat port.
3.1.2 USG6680 Host
By default, the USG6680 provides four 10GE optical ports, eight GE optical ports, 16 GE electrical ports, two power supplies, and five extended slots.
Code | Description | Quantity |
0235G7G7 | Assembly component- USG6680-USG6680-AC-USG6680 AC host (16GE electric +8GE light +4*10GE light , 16G memory , 2 AC power ) | 1 |
If there are special requirements, you can purchase a subcard. You are advised to use electrical interfaces for heartbeat interfaces. If the device is not only a zone, it is recommended that each zone use an independent interface board to achieve redundancy.
3.2 USG66 Interface Board
The interface card has the following types, which are selected according to the actual situation. The following boards do not support hot swap:
. 8*1G electrical interface cards
Code | Model | Description |
0302G3A4 | WSIC-8GE | 8GE electrical interface card (including Huawei general security platform software) |
. 8*1G optical interface card
Code | Model | Description |
0302G3AC | WSIC-8GEF | 8GE Optical Port Card (including Huawei general security platform software) |
. 8*1G electrical interfaces +2*10G optical interface cards(commonly used)
Code | Model | Description |
0302G3C9 | WSIC-2XG8GE | 2*10GE optical port + 8GE electrical port card (including Huawei general security platform software) |
3.3 USG95 host
3.3.1 USG9520 Host
By default, the USG9520 is configured with two MPUs, two power supplies, and three vacant slots. One vacant slot must be configured with one SPU. The other two vacant slots can be configured with LPUs based on service requirements.
The slot layout:
board type | BOM code | Description | Quantity | Remarks | |
Host | 2359479 | USG9520 AC basic configuration ( including X3 chassis , 2*MPU, 2 AC power ) | 1 | Mandatory | |
Service mother board | 0305G09N | 40G performance X3 firewall business board ( SPU-X3-40-E8KE ) with a 40G daughter card | 1 | Mandatory | |
Service mother board | 0305G09R | 40G performance firewall service processing daughter card SPC-S-40-E8KE | 1 | Mandatory | |
Interface mother board | 3056682 | Flexible card line processing board LPUF-120 can support 120G line speed forwarding | 2 | Mandatory, each at least . 1 block up to 2 block | |
Interface card 10G | 3056632 | 5 port 10GBase LAN/WAN-SFP+ flexible card A (P101, 1/2 wide, occupies two sub-slots ) | 2 | Optional, according to actual service needs | |
Interface card 40G | 3056631 | 1 port 40GBase-QSFP+ flexible card | 2 | Optional, according to actual service needs |
3.3.2 USG9560 Host
By default, the USG9560 is configured with two SRUs, one SFU, four power supplies, and eight vacant slots. It is recommended that SPUs be installed in three slots and LPUs be installed in two slots.
The slot layout:
Slot name | Slot number | Quantity | Remarks |
LPU / SPU | 1 to 8 | 8 | Plug in the service board or flexible card line processing board. |
SRU | 9 to 10 | 2 | Plug in the main control board, 1:1 backup. |
SFU | 11 | 1 | Plug in the switching network board. |
Board type | BOM code | Description | Quantity | Remarks |
Host | 0235G6TW | Assembly components - Secospace USG9560-SU9Z5ACBC-USG9560 AC basic configuration ( including X8 chassis , 2 * SRU, 1 * SFU, 4 AC power ) | 1 | Mandatory |
Servicemother board | 3057515 | Finished Board Unit - USG9500-SPUB-H- Enhanced Firewall Service Board B-60&80 | 3 | Mandatory, the number is at least 1, recommended 3 ( 2+1 backup mode) |
Service subcard | 3057521 | Finished Board Unit - USG9500-SPCB-H&M- Enhanced Firewall Service Processing Daughter Card B | 6 | Mandatory, according to the number of Service board |
Interface mother board | 3056683 | Flexible card line processing board LPUF-240 can support 240G line speed forwarding | 2 | Mandatory, at least 1 , recommended 2 |
Interface subcard 40G | 3056848 | 3- port 40GBase-QSFP+ flexible card | 2 | Optional, according to actual business needs |
Interface subcard 40G | 3056632 | 5- port 10GBase LAN/WAN-SFP+ flexible card A (P101, 1/2 wide , occupies two sub-slots ) | 2 | Optional, according to actual business needs |
3.4 USG95 Board
The USG9500 series firewalls have two types of cards: Service board (SPU) and interface board (LPU). Both the service board and the interface board are classified into the backplane and the subboard. The backplane is inserted into the slot of the device, and the mother board of each service board can be connected to two subboards.
3.4.1 SPU
SPU Mother Board
Board type | Applicable equipment | Default self-contained card | Whether to support hot swap |
SPU-X3-40-E8KE | USG9520 | SPC-S-40-E8KE(40G) | Yes |
SPUB-H | USG9560/USG9580 | no | Yes |
SPU-X8X16-80-E8KE | USG9560/USG9580 | SPC-D-80-E8KE (80G) | Yes |
SPU Card
Card type | Suitable motherboard | CPU number |
SPC-S-40-E8KE | all | 1 |
SPC-D-80-E8KE | SPU-X8X16-40-E8KE / SPS-X8X16-80-E8KE | 2 |
SPCB-H&M | SPS-X8X16-80-E8KE / SPUB-H | 2 |
Recommended configuration:
Device | SPU Mother Board | SPU Card |
USG9520 | SPU-X3-40-E8KE | SPC-S-40-E8KE |
USG9560 | SPUB-H | SPCB-H&M |
SPU Mother Board:
SPU-X3-40-E8KE
Code | Model | Description |
0305G09N | SPU-X3-40-E8KE | 40G performance X3 firewall business board |
SPUB-H
Code | Model | Description |
03057515 | SPUB-H | USG9500-SPUB-H- Enhanced Firewall Service Board B-60&80 |
SPU-X8X16-80-E8KE:
Code | Model | Description |
0305G09Q | SPU-X8X16-80-E8KE | 80G performance X8&X16 firewall business board |
SPU card
40-S--the SPC E8KE
Code | Model | Description |
0305G09R | SPC-S-40-E8KE | 40G performance firewall service processing daughter card |
M-H & SPCB :
Code | Model | Description |
03057521 | SPCB-H&M | USG9500-SPCB-H&M- Enhanced Firewall Service Processing Daughter Card B |
D-80--the SPC E8KE :
Code | Model | Description |
0305G09S | SPC-D-80-E8KE | 80G performance firewall service processing daughter card |
3.4.2 LPU
LPU mother board:
Board type | Processing capacity (one-way) | Whether to support hot swap | Whether the card supports hot swap |
LPUF-101 | 100G | Yes | not support |
LPUF-120 | 120G | Yes | not support |
LPUF-240 | 240G | Yes | not support |
There are many types of interface subcards, including 2*10G subcards, 20*1G optical interface subcards, 4*10G subcards (convergence of subcards, 10G of the two interfaces on the left, and 10G of the two interfaces on the right), 5*10G interface subcards, 24*1G optical interface cards, and 1*40G interface cards, the 5*10G interface card and 1*40G interface card are recommended. Recommended for:
Device | Interface motherboard | Interface card |
USG9520 | LPUF-120 (BOM:03056682) | 5*10G interface daughter card ( BOM: 0305G09K ) |
1*40G interface card (BOM: 03056631 ) | ||
USG9560 | LPUF-120 (BOM:03056682) | 5*10G interface daughter card ( BOM: 03056632 ) |
3*40G interface card (BOM: 03056848 ) |
LPU motherboard BOM :
Code | Model | Description |
03056683 | LPUF-240 | Flexible card line processing board (LPUF-240, two sub-slots ) |
03056682 | FW-LPUF-120 | Flexible card line processing board (LPUF-120, two sub-slots ) |
03056630 | E8KE-X-LPUF-101 | Flexible card line processing board (LPUF-101, four sub-slots ) |
LPU card BOM :
LPUF-101 :
Code | Model | Description |
0305G09L | E8KE-X-101-4X10GE-SFP+ | 4- port 10GBase LAN-SFP+ flexible card (P100, 1/4 wide , occupies one sub-slot ) |
03056631 | E8KE-X-101-1X40GE-CFP | 1- port 40GBase LAN-CFP flexible card |
03056632 | E8KE-X-101-5X10GE-SFP | 5- port 10GBase LAN/WAN-SFP+ flexible card A |
03056633 | E8KE-X-101-24XGE-SFP | 24- port 100/1000Base-X-SFP Flexible Card A |
LPUF-120&LPUF-240:
Code | Model | Description |
03056632 | E8KE-X-101-5X10GE-SFP | 5- port 10GBase LAN/WAN-SFP+ flexible card A |
03056684 | FW-6X10GE-SFP+ | 6- port 10GBase LAN/WAN-SFP+ flexible card A |
03056686 | FW-12X10GE-SFP+ | 12- port 10GBase LAN/WAN-SFP+ flexible card A |
03056631 | E8KE-X-101-1X40GE-CFP | 1- port 40GBase LAN-CFP flexible card |
03056685 | FW-1X100GE-CFP | 1- port 100GBase-CFP flexible card A |
03056848 | FW-3X40G-QSFP+ | 3- port 40GBase-QSFP+ flexible card |
This would be all on the topic of NGFW selection recommendations. If you face any issues, please post them in our Community. We are happy to solve them for you!
