MSG4000-X16 (V1) Firewall
MPSec MSG4000 is a high-performance next-generation firewall that can comprehensively deal with application-layer threats. Through in-depth insight into users, applications and content in network traffic, MPSec MSG4000 can provide users with effective application-layer integrated security protection, help users to conduct services safely and simplify their network security architecture.
MPSec MSG4000 can accurately identify thousands of network applications, and provide detailed application traffic analysis and flexible policy control. Combined with user identification, application identification and content identification, it can provide users with visual and refined application security management. At the same time, MPSec MSG4000 has a built-in threat detection engine, which can resist various network attacks including viruses, Trojans, SQL injection, cross-site scripting (XSS) and CC attacks, and effectively protect users' network health and Web server security.
MPSec MSG4000 provides comprehensive application security protection and flexible expansion mode, which can be deployed in various industries, such as government, finance, enterprises, and education, and is widely used in various application scenarios, such as Internet exit, data center, and network and server security isolation.
Autonomous and controllable hardware platform
The hardware platform of MPSec MSG4000 uses Maipu's own controllable hardware, designed and manufactured by Maipu, and shares Maipu's 20-year router hardware manufacturing process, which provides a good guarantee of product reliability and life cycle continuity.
Hardware platform is stable and reliable: It shares Maipu's 20-year router hardware manufacturing process, has been in the market for 20 years, and more than 250,000 units have been verified over a long period, thus ensuring the stable operation and reliability of MPSec MSG4000.
Controllable product life cycle: MPSec MSG4000 adopts Maipu's independent hardware instead of the X86 industrial computer platform of traditional security vendors, which allows better control of the product life cycle.
Refined application access control
MPSec MSG4000 supports deep application identification technology, which can accurately identify thousands of network applications, including hundreds of mobile terminal applications, according to protocol characteristics, behavior characteristics and association analysis. On this basis, MPSec MSG4000 provides users with fine and flexible application security access control.
Integrated access control: integrated control and defense across user, application, content, time, threat and location. Content-layer defense is combined with deep application identification. For example, identifying Oracle traffic first and then applying the corresponding intrusion prevention is more efficient and produces fewer false positives.
Accurate application identification: provides a refined application identification mechanism. Users can accurately screen out application types of interest according to application name, application category, risk level, technology used, application characteristics, etc., such as communication software with a file transfer function, or browser-based Web video applications with known vulnerabilities, so as to realize fine application management and control.
Flexible application control: based on deep application identification and fine application screening, it supports flexible security control functions, including policy blocking, session restriction, flow control, application drainage or time restriction, etc.
Comprehensive security protection capability
MPSec MSG4000 provides intrusion prevention technology based on deep application identification, protocol detection and attack principle analysis, which can effectively filter security threats such as viruses, Trojans, worms, spyware, vulnerability attacks and evasion attacks, and provide users with L2-L7 network security protection.
Optimized attack recognition algorithm: It can effectively resist DoS/DDoS attacks such as SYN Flood, UDP Flood, HTTP Flood, etc., and ensure the security and availability of network and application systems.
Professional Web attack protection function: Supports detection and filtering of SQL injection, cross-site scripting, CC attacks and other attacks, to protect Web servers from attack damage.
High-performance virus filtering function: The leading detection engine based on stream scanning technology can realize low-delay and high-performance filtering. It supports detecting and removing viruses in HTTP, FTP, SMTP, POP3, IMAP and other traffic and in compressed files (zip, gzip, rar, etc.).
URL filtering function backed by a feature library of tens of millions of URLs: It can help network administrators easily realize web browsing access control, and avoid threat infiltration caused by malicious URLs.
Firewall throughput (bps)
Standard concurrent connections
New connections per second
Standard SSL VPN online users
64 (Windows Clients Only)
Maximum number of SSL VPN online users
1000 (Windows client only)
Standard IPsec VPN tunnels
Maximum number of IPsec VPN tunnels
Onboard electrical ports 10/100/1000Base-T
Number of expansion slots
Number of onboard SFP Gigabit optical ports
Asynchronous serial management interface
Out-of-band management port (MGT)
Chassis Specifications & Dimensions
440mm (width) × 600mm (depth) × 133mm (height)
Temperature and humidity
Operating temperature: 0~40℃, storage temperature: -25~70℃, relative humidity: 5~90%, non-condensing
Redundant power supply, input voltage: 100-240VAC, maximum output power: 300W
Basic networking function
Support routing mode, transparent mode, switching mode, mixed mode and bypass mode access
Default route, static route, policy route, supporting RIP, RIPng, OSPF, BGP, and other dynamic routes
Support IPv4 and IPv6 dual stack
Support the conversion of source and destination addresses and ports, including one-to-one, one-to-multiple, multiple-to-one and multiple-to-multiple address translation modes
Support multi-link load balancing based on IP, ISP, application, user, service, etc., support load balancing of DNS traffic, and support load balancing based on server address; Support multi-link backup and load of IPSec VPN
Support DHCP server, DNS transparent proxy, ARP proxy and other network services
IPSec VPN, SSL VPN, L2TP, PPTP, GRE and IPSecVPN
Support virtual systems with full isolation of routing, switching, monitoring, auditing, security, protection and other functions.
Support dual-system hot backup function, "master-standby" and "master-master" modes in routing and transparent mode, interface linkage and link detection.
Refined access control
Support access control based on IP, security domain, VLAN, time, user, geographical area, service protocol and application; support advanced access control functions such as application control, intrusion prevention, URL filtering, virus detection, content filtering and network behavior management, all configured in a single security policy; and support rapid searching of security policies and redundant policy analysis.
It can accurately identify more than 5,000 Internet applications and more than 700 mobile applications, and supports application cloud identification.
It supports fine-grained control of HTTP, SMTP, POP3, IMAP, FTP and TELNET protocols to filter untrusted network behaviors.
Support web-based clientless user authentication, and integrate with third-party authentication through Active Directory (AD), LDAP and RADIUS
It can filter more than 30 common file types in three categories (document, compression and archiving), without relying on the file suffix
Support filtering of mail senders and receivers, and anti-spam support based on RBL blacklist and custom IP address blacklist
There are 86 categories of URL resource libraries preset, which can be updated manually offline or automatically online. It supports URL cloud query, cloud URL query analysis and custom URL filtering.
Implement bi-directional content transmission filtering of five application protocols: HTTP, FTP, POP3, SMTP and IMAP, and support the definition of sensitive information in two ways: predefined sensitive information base and custom sensitive information base
It supports dividing virtual QoS channels according to IP address, user, service, application, time and other information for bandwidth management, and supports the maximum bandwidth limit and minimum bandwidth guarantee of multi-level scheduling class nesting
Integrated threat protection
Supported attack protection types include: Flood (SYN Flood, ICMP Flood, UDP Flood, IP Flood), malicious scanning (prohibiting tracert, IP address scanning attack, port scanning), spoofing protection (IP spoofing, DHCP monitoring auxiliary check), abnormal packet attack (Ping of Death, Teardrop, IP option, TCP exception, Smurf, Fraggle, Land, Winnuke, DNS exception, IP fragmentation), ICMP control (prohibiting ICMP fragmentation, prohibiting route redirection packets, prohibiting unreachable packets, prohibiting time-exceeded packets, ICMP packet size limit), application layer Flood (DNS Flood, HTTP Flood), SYN cookie.
Equipped with an artificial intelligence engine, it can immunize against more than 90% of packed and variant viruses, and supports cloud-based virus scanning technology to detect and remove viruses in HTTP, FTP, SMTP, POP3 and IMAP traffic.
It can identify and block more than 3,000 kinds of vulnerability intrusions and spyware, support the defense against intrusion behaviors such as denial of service, buffer overflow, malicious scanning, Trojan backdoor, virus worm, botnet, cross-site script, SQL injection, WEB attack, weak password scanning, and support the generation of dynamic policies.
Visual intelligent management
Web interface (HTTP, HTTPS), command line interface (SSH, Console, CLI)
Support the separation of powers among super administrator, policy administrator and audit administrator, and support custom administrator authority.
From the perspective of application program, user, IP address and country/region, show the current active state of user network and the usage of policies to locate the abnormal behaviors in the network by ranking statistics in five dimensions: byte number, session, threat, content and URL.
From the perspective of threats, hosts accessing malicious URLs, hosts accessing malicious domain names, etc., highlight the advanced threats in the network captured by the firewall, so as to judge whether a host in the intranet has been compromised or whether the current security policy of the firewall has security loopholes.
By displaying blocking events of application, user, threat, content, domain name and URL, the firewall can judge malicious behaviors and problematic users in the network, and can also judge whether the security policy is blocking normal behaviors by mistake.
It supports multi-dimensional English visual analysis and log forwarding, covering traffic logs, threat logs, domain name logs, URL filtering logs, mail filtering logs and behavior logs, and supports fuzzy search of historical logs in a customized time period based on more than 90 filtering conditions such as IP, user, interface, region and application.
Support sorting the number of bytes and sessions of the corresponding types within the specified time range according to the types of application, IP, user, etc., and support the historical statistics of the number of new connections and concurrent connections based on interfaces and security domains.
Support ranking statistics based on traffic trends and increasing applications, decreasing applications, bandwidth consumption and threats in the network. It also supports threat maps to help users understand the risk of geographic distribution of threats in the network.
Support session monitoring, user monitoring, asset monitoring, route monitoring and system resource monitoring
Network-layer throughput 160G, concurrent connections ≥14 million, new connections per second 2,200,000, standard 3U chassis, redundant power supply, standard configuration of one console port, one HA interface, one MGT interface, and eight interface board card expansion slots
One-year license for upgrading IPS, AV, AM three-in-one function module feature library of MPSec MSG4000-X16-AC
Three-year license for upgrading IPS, AV, AM three-in-one function module feature library of MPSec MSG4000-X16-AC
2-port 40G QSFP board (optional): two QSFP slots
2-port 10 Gigabit optical port board (optional): two SFP+ slots
2-port 10 Gigabit optical port board (optional): two SFP+ slots, supporting one pair of 10 Gigabit hardware bypass
4-port Gigabit SFP board (optional): four SFP slots
4-port Gigabit SFP board (optional): fixed 4 SFP Gigabit multimode optical modules (non-replaceable), supporting two pairs of Gigabit optical port hardware bypass
4-port 10/100/1000Base-T Board (optional): four 10/100/1000BASE-T
4-port 10/100/1000Base-T board (optional): four 10/100/1000Base-T, supporting two pairs of hardware bypass
4-port 10 Gigabit optical interface card (optional): four SFP+ slots
8-port Gigabit SFP board (optional): eight SFP slots
8-port 10/100/1000Base-T boards (optional): eight 10/100/1000BASE-T
8-port 10/100/1000Base-T board (optional): eight 10/100/1000BASE-T, support four pairs of hardware bypass
1T hard disk card; log, report and other functions require a hard disk card