HUAWEI USG6650/6660/6670/6680 Next-Generation Firewalls

USG6650/6660/6670/6680 Next-Generation Firewalls

Product characteristics

Huawei USG6650/6660/6670/6680 next-generation firewalls are designed for small data centers and large or medium-sized enterprises. The firewalls provide full-fledged application identification and application-layer threat and attack defense capabilities, and deliver high performance even when multiple security functions are enabled. The firewalls also offer multiple interface card slots that support various interface cards, such as GE electrical/optical and 10 GE interface cards. These cards allow users to flexibly expand services and enable the firewalls to evolve with enterprise networks, making USG6650/6660/6670/6680 firewalls highly cost-effective and protecting customer investment.

Comprehensive protection

  • Integrate firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, and online behavior management functions all in one device
  • Obtained Firewall, IPS, IPsec, and SSL VPN certifications from the ICSA Labs
  • Obtained the highest-level CC certificate (EAL4+), ranked among the highest security levels in the world
  • The USG6650 earned the “Recommended” rating with 98.1 percent comprehensive security effectiveness and 99.95 percent CAWS (Live) Exploit Block Rate, leading the industry in terms of security capabilities

Visualized and fine-grained management and control

  • Deliver diversified reports to provide all-around visibility into service status, network environment, security posture, and user behavior
  • Identify application-layer threats from application, content, time, user, attack, and location dimensions
  • Accurately identify more than 6,000 applications to deliver fine-grained access control and improve the quality of key services

High port density

  • Support various types of interface cards, such as GE electrical/optical and 10 GE interface cards, providing up to 78 interfaces, including 56 GE electrical, 8 SFP optical, and 14 x 10 GE optical interfaces
  • Provide multiple high-density interface card slots, enabling users to flexibly expand the hardware and performance to suit service requirements
  • Support dual AC or DC hot-swappable power supplies

Networking and applications

Data center border protection

  • Firewalls are deployed at egresses of data centers, and functions and system resources can be virtualized.
  • The 10-Gigabit intrusion prevention capability effectively blocks a variety of malicious attacks and delivers differentiated defense based on virtual environment requirements to guarantee data security.
  • VPN tunnels can be set up between firewalls and mobile workers and between firewalls and branch offices for secure and low-cost remote access and mobile working.
USG6650/6660/6670/6680 Data center border protection 

Enterprise border protection

  • Block all unauthorized access attempts at enterprise network egresses.
  • Provide real-time 10-Gigabit-level application-layer threat prevention, even when IPS is enabled.
  • Perform data filtering and auditing on files transmitted through sources such as email and IM to monitor social network applications and prevent data leaks.
  • Deliver user- and application-specific bandwidth management to guarantee service quality for core users and of mission-critical services.
  • Support online behavior management based on URL categories and applications to block access to malicious websites and websites irrelevant to work.
USG6650/6660/6670/6680 Enterprise border protection

Product appearance

Model Interfaces

USG6650/6660-AC

USG6650/6660-AC 01
USG6650/6660-AC 02

USG6660-DC

USG6660-DC 01
USG6660-DC 02

1. Eight x GE (RJ45) and 2 x 10 GE (SFP+) Ports
2. Eight x GE (SFP) Ports
3. Two x USB Ports
4. One x GE (RJ45) Management Port
5. Console Port (RJ45)
6. Console Port (Mini-USB)

USG6670/6680-AC

USG6670/6680-AC 01
USG6670/6680-AC 02

USG6670/6680-DC

USG6670/6680-DC 01
USG6670/6680-DC 02

1. Eight x GE (RJ45) and Two x 10 GE (SFP+) Ports
2. Eight x GE (RJ45) and Two x 10 GE (SFP+) Ports
3. Eight x GE (SFP) Ports
4. Two x USB Ports
5. One x GE (RJ45) Management Port
6. Console Port (RJ45)
7. Console Port (Mini-USB)

Product specifications

Software Features

Function Description
Integrated Protection Provides firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, Anti-DDoS, URL filtering, and anti-spam functions
Application Identification and Control Identifies common applications, supports application-specific access control, and combines application identification with intrusion prevention, antivirus, and data filtering to improve detection performance and accuracy
Intrusion Prevention and Web Protection Obtains the latest threat information in a timely manner for accurate detection and prevention of vulnerability exploits and web attacks, such as cross-site scripting and SQL injection attacks
Antivirus Rapidly detects over five million types of viruses through the daily-updated signature database
Anti-APT* Interworks with the sandbox to detect and block malicious files
Data Leak Prevention Inspects files to identify the file type, such as Word, Excel, PowerPoint, and PDF, based on file contents, and filters sensitive content
Bandwidth Management Manages per-user and per-IP bandwidth in addition to identifying service applications to prioritize mission-critical services and users through methods such as peak bandwidth and committed bandwidth, Policy-Based Routing (PBR), and application forwarding priority adjustment
URL Filtering Can access a URL category database of over 120 million URLs to manage access by URL category, such as blocking malicious URLs and accelerating access to specified categories
Behavior and Content Audit Audits and traces the sources of URL access based on the user IP address and requested content
Load Balancing Supports server load balancing and link load balancing, fully utilizing existing network resources
Intelligent Uplink Selection Supports service-specific PBR and intelligent uplink selection based on multiple load balancing algorithms (for example, based on bandwidth ratio and link health status) in multi-homing scenarios
VPN Encryption Supports multiple highly reliable VPN features, such as IPsec VPN, SSL VPN, L2TP VPN, and GRE
Supports IPsec intelligent link selection and dynamic IPsec tunnel switchover to improve link availability
SSL Encrypted Traffic Detection Serves as a proxy to detect and defend against threats in SSL-encrypted traffic using application-layer protection methods such as intrusion prevention, antivirus, data filtering, and URL filtering
Anti-DDoS Defends against more than 10 types of common DDoS attacks, including SYN flood and UDP flood attacks
User Authentication Supports multiple user authentication methods, including local, RADIUS, HWTACACS, SecurID, AD, CA, LDAP, and Endpoint Security
Security Virtualization Allows users to create and manage virtual security services, including firewall, intrusion prevention, and antivirus services, on the same physical device
Policy Management Provides predefined common-scenario defense templates to facilitate security policy deployment
Automatically evaluates risks in security policies and provides tuning suggestions
Detects redundant and conflicting policies to remove unnecessary and incorrect policies
Provides the firewall policy management solution in partnership with FireMon to reduce O&M costs and potential faults*
Diversified Reports Provides visualized and multi-dimensional reports by user, application, content, time, traffic, threat, and URL1
Generates network security analysis reports on the Huawei security center platform to evaluate the current network security status and provide optimization suggestions*
Routing Supports IPv4 static routes, policy-based routing, routing policies, multicast, RIP, OSPF, BGP, and IS-IS
Supports IPv6 static routes, policy-based routing, routing policies, RIPng, OSPFv3, BGP4+, and IPv6 IS-IS
Working Mode and High Availability Supports multiple working modes (transparent, routing, and hybrid), high availability modes (active/active and active/standby), and link high-availability technologies (IP-Link, BFD, and Link-group)
Device Management Capability Built-in Web UI: Provides abundant device management and maintenance functions, including log report, configuration, and troubleshooting
eSight network management: Manages the performance, alarms, resources, configurations, and topology of the entire network
Agile Controller: Implements application- and user-specific security policy control in the Huawei SDN Agile Network Solution*
LogCenter security event management system: Provides functions such as security posture awareness, report management, log audit, and centralized alarm management
API: Supports both NETCONF* and RESTCONF northbound APIs to enable users to centrally configure and maintain firewalls via an upper-level controller to simply the O&M

1. If no hard disk is inserted, you can view and export system and service logs. By inserting a hard disk, you can also view, export, customize, and subscribe to reports

Functions marked with * are supported only in USG V500R001 and later versions


System Performance and Capacity

Model USG6650 USG6660 USG6670 USG6680
IPv4 Firewall Throughput(1,518/512/64-byte, UDP) 20 Gbit/s, 20 Gbit/s, 8 Gbit/s 25 Gbit/s, 25 Gbit/s, 8 Gbit/s 35 Gbit/s, 35 Gbit/s, 8 Gbit/s 40 Gbit/s, 35 Gbit/s, 8 Gbit/s
IPv6 Firewall Throughput(1,518/512/84-byte, UDP) 20 Gbit/s, 20 Gbit/s, 8 Gbit/s 25 Gbit/s, 25 Gbit/s, 8 Gbit/s 35 Gbit/s, 35 Gbit/s, 8 Gbit/s 40 Gbit/s, 35 Gbit/s, 8 Gbit/s
Firewall Throughput (packets per second) 12 Mpps 12 Mpps 12 Mpps 12 Mpps
Firewall Latency (64-byte, UDP) 16 µs 16 µs 16 µs 16 µs
FW + SA* Throughput2 15 Gbit/s 18 Gbit/s 19 Gbit/s 20 Gbit/s
FW + SA + IPS Throughput2 8.8 Gbit/s 8.8 Gbit/s 8.8 Gbit/s 15 Gbit/s
FW + SA + Antivirus Throughput2 8 Gbit/s 8 Gbit/s 8 Gbit/s 13 Gbit/s
FW + SA + IPS + Antivirus + URL Throughput2 6 Gbit/s 7 Gbit/s 8 Gbit/s 13 Gbit/s
FW + SA + IPS + Antivirus Throughput (realworld)3 5 Gbit/s 5.5 Gbit/s 6 Gbit/s 11 Gbit/s
Concurrent Sessions (HTTP 1.1)1 8,000,000 10,000,000 10,000,000 12,000,000
New Sessions/Second (HTTP 1.1)1 300,000 350,000 400,000 400,000
IPsec VPN Throughput1 (AES-128 + SHA1, 1,420-byte) 15 Gbit/s 18 Gbit/s 18 Gbit/s 18 Gbit/s
Maximum IPsec VPN Tunnels (GW to GW) 15,000 15,000 15,000 15,000
Maximum IPsec VPN Tunnels (client to GW) 15,000 15,000 15,000 15,000
SSL Inspection Throughput4 320 Mbit/s 360 Mbits 360 Mbit/s 400 Mbit/s
SSL VPN Throughput5 1.5 Gbit/s 1.5 Gbit/s 1.6 Gbit/s 1.6 Gbit/s
Concurrent SSL VPN Users (default/maximum) 100/5,000 100/5,000 100/5,000 100/5,000
Security Policies (maximum) 40,000 40,000 40,000 40,000
Virtual Firewalls (default/maximum) 10/500 10/500 10/500 10/1,000
URL Filtering: Categories More than 130
URL Filtering: URLs Can access a database of over 120 million URLs in the cloud
Automated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei
(http://sec.huawei.com/sec/web/index.do)
Third-Party and Open-Source Ecosystem6 Open APIs for integration with third-party products through RESTCONF and NETCONF interfaces
Other third-party management software based on SNMP, SSH, and syslog
Collaboration with third-party tools, such as FireMon
Collaboration with Anti-APT solution
Centralized Management

Centralized configuration, logging, monitoring, and reporting is performed by Huawei eSight and LogCenter

VLANs (maximum) 4,094
Virtual Interfaces (maximum) 1,024
High Availability Configurations Active/Active, Active/Standby

1. Performance is tested under ideal conditions based on RFC 2544 and RFC 3511. The actual result may vary with deployment environments

2. Antivirus, IPS, and SA performances are measured using 100 KB of HTTP files

3. Throughput is measured with the Enterprise Traffic Model

4. SSL inspection throughput is measured with IPS-enabled and HTTPS traffic using TLS v1.2 with AES256-SHA

5. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA

6. USG6000 V100R001 supports only the RESTCONF interface and cannot interwork with sandbox or third-party tools

*SA indicates Service Awareness


Hardware Specifications

Model USG6650 USG6660 USG6670 USG6680
Dimensions (H x W x D) 130.5 mm x 442 mm x 470 mm 130.5 mm x 442 mm x 470 mm
Form Factor/Height 3U 3U
Fixed Interfaces 2 x 10 GE (SFP+) + 8 x GE (RJ45) + 8 x GE (SFP) 4 x 10 GE (SFP+) + 16 x GE (RJ45) + 8 x GE (SFP)
USB 2.0 Ports 2 x USB Ports 2 x USB Ports
Expansion Slots 6 WSIC* 5 WSIC AC: 5 WSIC
DC: 3 WSIC1
Expansion I/O WSIC: 2 x 10 GE (SFP+) + 8 x GE (RJ45), 8 x GE (RJ45), 8 x GE (SFP), 4 x GE (RJ45) BYPASS
Maximum Number of Interfaces 56 x GE (RJ45) + 14 x 10 GE (SFP+) + 8 x GE (SFP) or 56 x GE (SFP) + 2 x 10 GE (SFP+) + 8 x GE (RJ45) 56 x GE (RJ45) + 14 x 10 GE (SFP+) + 8 x GE (SFP) or 48 x GE (SFP) + 4 x 10 GE (SFP+) + 16 x GE (RJ45)2
MTBF 27.07 years 23.67 years 19.18 years
Weight (full configuration) 24 kg 24 kg 26 kg
Local Storage Optional. Supports 300 GB or 600 GB3 hard disks (RAID1 and hot-swappable).
AC Power Supply 100V to 240V, 50 Hz/60 Hz
DC Power Supply NA –48V to –60V
Power Supplies Dual AC Power Supply Dual AC or dual DC power supplies
Maximum Power 350W 350W AC: 700W
DC: 350W
Power Consumption (average/maximum) 132W/350W 152W/350W 190W/419W
Heat Dissipation 1,194 BTU/h 1,194 BTU/h 1,429 BTU/h
Operating Environment
(temperature/humidity)
Temperature: 0°C to 45°C (without optional HDD);
5°C to 40°C (with optional HDD)
Humidity: 5% to 95% (without optional HDD), non-condensing;
5% to 90% (with optional HDD), non-condensing
Non-operating Environment Temperature: –40°C to 70°C
Humidity: 5% to 95% (without optional HDD), non-condensing;
5% to 90% (with optional HDD), non-condensing
Operating Altitude 5,000 meters (without optional HDD); 3,000 meters (with optional HDD)
Non-operating Altitude 5,000 meters (without optional HDD); 3,000 meters (with optional HDD)
Noise 64.2 dBA

1. With DC power input, the USG6680 supports up to three WSICs without 2XG8GE or two WSICs with 2XG8GE

2. USG6680 (DC): 40 x GE (RJ45) + 4 × 10 GE (SFP+) + 8 × GE (SFP) or 32 x GE (SFP) + 4 x 10 GE (SFP+) + 16 x GE (RJ45)

3. The 600 GB hard disk is supported only in USG V500R001 and later versions and is not supported in USG6680 DC model

*WISC is not hot-swappable


Certifications

Certifications
Software ICSA Labs: Firewall, IPS, IPsec, and SSL VPN
CC: EAL4+
NSS Labs: Recommended (USG6650)
Hardware CB, CE-SDOC, ROHS, REACH & WEEE (EU), RCM, ETL, FCC&IC, VCCI, and BSMI
Regulatory Compliance Products comply with CE markings per directives 2014/30/EU and 2014/35/EU
Safety UL 60950-1
CSA-C22.2 No. 60950-1
EN 60950-1
IEC 60950-1
EMC: Emissions CNS 13438 Class A
EN 5022 Class A
CISPR 22 Class A
TSI EN 300 386
AS/NZS CISPR 22
CAN/CSA-CISPR 22-10
IEC 61000-6-4/EN 61000-6-4
IEC 61000-3-2/EN 61000-3-2
IEC 61000-3-3/EN 61000-3-3
FCC CFR47 Part 15 Subpart B Class A
ICES-003 Class A
VCCI V-3 Class A
EMC: Immunity CNS 13438 Class A
EN 55024
CISPR 24
ETSI EN 300 386
IEC 61000-6-2/EN 61000-6-2

Ordering information

Product Model Description
USG6650 USG6650-AC USG6650 AC Host (8 GE (RJ45) + 8 GE (SFP) + 2 x 10 GE (SFP+), 16G Memory, 2 AC Power)
USG6650-BDL USG6650-BDL-AC USG6650 AC Host (8 GE (RJ45) + 8 GE (SFP) + 2 x 10 GE (SFP+), 16G Memory, 2 AC Power, with IPS-AV-URL Function Group Update Service Subscription 12 Months)
USG6660 USG6660-AC USG6660 AC Host (8 GE (RJ45) + 8 GE (SFP) + 2 x 10 GE (SFP+), 16G Memory, 2 AC Power)
USG6660-BDL USG6660-BDL-AC USG6660 AC Host (8 GE (RJ45) + 8 GE (SFP) + 2 x 10 GE (SFP+), 16G Memory, 2 AC Power, with IPS-AV-URL Function Group Update Service Subscription 12 Months)
USG6660 USG6660-DC USG6660 DC Host (8 GE (RJ45) + 8 GE (SFP) + 2 x 10 GE (SFP+), 16G Memory, 2 DC Power)
USG6670 USG6670-AC USG6670 AC Host (16 GE (RJ45) + 8 GE (SFP) + 4 x 10 GE (SFP), 16G Memory, 2 AC Power)
USG6670-BDL USG6670-BDL-AC USG6670 AC Host (16 GE (RJ45) + 8 GE (SFP) + 4 x 10 GE (SFP), 16G Memory, 2 AC Power, with IPS-AV-URL Function Group Update Service Subscription 12 Months)
USG6670 USG6670-DC USG6670 DC Host (16 GE (RJ45) + 8 GE (SFP) + 4 x 10 GE (SFP), 16G Memory, 2 DC Power)
USG6680- USG6680-AC USG6680 AC Host (16 GE (RJ45) + 8 GE (SFP) + 4 x 10 GE (SFP+), 16G Memory, 2 AC Power)
USG6680-BDL USG6680-BDL-AC USG6680 AC Host (16 GE (RJ45) + 8 GE (SFP) + 4 x 10 GE (SFP+), 16G Memory, 2 AC Power, with IPS-AV-URL Function Group Update Service Subscription 12 Months)
USG6680 USG6680-DC USG6680 DC Host (16 GE (RJ45) + 8 GE (SFP) + 4 x 10 GE (SFP+), 16G Memory, 2 DC Power)
Business Module Group
WSIC WSIC-8GE 8 GE Electric Ports Interface Card

WSIC-4GEBYPASS

4 GE Electric Ports Bypass Card

WSIC-8GEF 8 GE Optical Ports Interface Card
WSIC-2XG8GE 2 x 10 GE Optical Ports + 8 GE Electric Ports Interface Card
Hard Disk Group
HDD SM-HDD-SAS300G-A 300 GB 10K RPM SAS Hard Disk Unit
SM-HDD-SAS600G-A 600 GB 10K RPM SAS Hard Disk Unit (only for USG6650-AC/DC, USG6660-AC/DC, USG6670-AC/DC, and USG6680-AC)
Function License
Virtual Firewall LIC-VSYS-10-USG6000 Quantity of Virtual Firewall (10 Vsys)
LIC-VSYS-20-USG6000 Quantity of Virtual Firewall (20 Vsys)
LIC-VSYS-50-USG6000 Quantity of Virtual Firewall (50 Vsys)
LIC-VSYS-100-USG6000 Quantity of Virtual Firewall (100 Vsys)
LIC-VSYS-200-USG6000 Quantity of Virtual Firewall (200 Vsys)
LIC-VSYS-500-USG6000 Quantity of Virtual Firewall (500 Vsys)
LIC-VSYS-1000-USG6000 Quantity of Virtual Firewall (1,000 Vsys)
SSL VPN Concurrent Users LIC-SSL-100-USG6000 Quantity of SSL VPN Concurrent Users (100 Users)
LIC-SSL-200-USG6000 Quantity of SSL VPN Concurrent Users (200 Users)
LIC-SSL-500-USG6000 Quantity of SSL VPN Concurrent Users (500 Users)
LIC-SSL-1000-USG6000 Quantity of SSL VPN Concurrent Users (1,000 Users)
LIC-SSL-2000-USG6000 Quantity of SSL VPN Concurrent Users (2,000 Users)
LIC-SSL-5000-USG6000 Quantity of SSL VPN Concurrent Users (5,000 Users)
NGFW License
IPS Update Service LIC-IPS-12-USG6600 IPS Update Service Subscription 12 Months
LIC-IPS-36-USG6600 IPS Update Service Subscription 36 Months
URL Filtering Update Service LIC-URL-12-USG6600 URL Filtering Update Service Subscription 12 Months
LIC-URL-36-USG6600 URL Filtering Update Service Subscription 36 Months
Anti-Virus Update Service LIC-AV-12-USG6600 Anti-Virus Update Service Subscription 12 Months
LIC-AV-36-USG6600 Anti-Virus Update Service Subscription 36 Months
IPS-AV-URL Function Group LIC-IPSAVURL-12-USG6600 IPS-AV-URL Function Group Subscription 12 Months
LIC-IPSAVURL-36-USG6600 IPS-AV-URL Function Group Subscription 36 Months
Basic License
Content Filtering LIC-CONTENT Content Filtering Function

For more information, visit http://e.huawei.com/en or contact your local Huawei sales office.