Figure 5 Firewall module for A6600/A8800 routers
Application scenarios
The A-F1000-E and A-F5000 have similar software functions.
The firewall modules also have similar software functions to the A-F1000-E. You can regard a firewall
module as an A-F1000-E firewall that is connected to the main network device through their 10 GE ports.
The difference is that the A-F1000-E firewall uses physical ports to forward data, whereas the firewall
module uses logical interfaces (subinterfaces and VLAN interfaces) of the 10 GE port to forward data.
The configuration on a firewall module is similar to that on an A-F1000-E firewall.
• Configurations for zone-based security functions, such as attack protection and object-oriented
  ACLs, are the same on the two firewalls. The difference is that the A-F1000-E adds physical ports to
  security zones, and the firewall module adds logical interfaces (subinterfaces and VLAN interfaces)
  of the 10 GE port to security zones.
• Configurations for interface-based security functions are the same on the two firewalls. The
  difference is that the A-F1000-E supports these functions on physical ports and the firewall module
  supports these functions on the logical interfaces of the 10 GE port.
For more information about the configuration differences, see the Layer 2 and Layer 3 forwarding
configurations in Network Management Configuration Guide.
A-F1000-E application
Deployed at the egress of an enterprise network, A-F1000-E firewalls can protect against external attacks,
ensure secure access from the external network to internal network resources (such as servers in the
DMZ zone) through NAT and VPN functions, and control access to the internal network by using security
zones. You can deploy two firewalls in the network for redundancy to avoid a single point of failure.