
MSG4000-X16 (V1) Firewall

MPSec MSG4000 is a high-performance next-generation firewall that can comprehensively deal with application-layer threats. Through in-depth insight into users, applications and content in network traffic, MPSec MSG4000 can provide users with effective application-layer integrated security protection, help users to conduct services safely and simplify their network security architecture.

MPSec MSG4000 can accurately identify thousands of network applications, and provide detailed application traffic analysis and flexible policy control. Combined with user identification, application identification and content identification, it can provide users with visual and refined application security management. At the same time, MPSec MSG4000 has a built-in threat detection engine, which can resist various network attacks including viruses, Trojans, SQL injection, cross-site scripting (XSS) and CC attacks, and effectively protects users' network health and Web server security.

MPSec MSG4000 provides comprehensive application security protection and flexible expansion mode, which can be deployed in various industries, such as government, finance, enterprises, and education, and is widely used in various application scenarios, such as Internet exit, data center, and network and server security isolation.

Product Features

    Autonomous and controllable hardware platform

    The hardware platform of MPSec MSG4000 uses Maipu's own controllable hardware, designed and manufactured by Maipu, and shares Maipu's 20-year router hardware manufacturing process, which provides a good guarantee of product reliability and life-cycle continuity.

    Hardware platform is stable and reliable: It shares Maipu's 20-year router hardware manufacturing process, which has been in the market for 20 years and has been verified over a long period on more than 250,000 units, thus ensuring the stable operation and reliability of MPSec MSG4000.

    Controllable product life cycle: MPSec MSG4000 adopts Maipu's independent hardware instead of the X86 industrial computer platform used by traditional security vendors, which allows better control of the product life cycle.

    Refined application access control

    MPSec MSG4000 supports deep application identification technology, which can accurately identify thousands of network applications, including hundreds of mobile terminal applications, according to protocol characteristics, behavior characteristics and association analysis. On this basis, MPSec MSG4000 provides users with fine and flexible application security access control.

    Integrated access control: integrated control and defense across user, application, content, time, threat and location. The defense of the content layer is combined with deep application identification. For example, identifying Oracle traffic first and then applying the corresponding intrusion prevention is more efficient and produces fewer false positives.

    Accurate application identification: provides a refined application identification mechanism. Users can accurately screen out the application types of interest according to application name, application category, risk level, technology used, application characteristics, etc., such as communication software with a file transfer function, or browser-based Web video applications with known vulnerabilities, so as to realize fine application management and control.

    Flexible application control: based on deep application identification and fine application screening, it supports flexible security control functions, including policy blocking, session restriction, flow control, application drainage or time restriction, etc.

    Comprehensive safety protection capability

    MPSec MSG4000 provides intrusion prevention technology based on deep application identification, protocol detection and attack principle analysis, which can effectively filter security threats such as viruses, Trojans, worms, spyware, vulnerability attacks and escape attacks, and provide users with L2-L7 network security protection.

    Optimized attack recognition algorithm: It can effectively resist DoS/DDoS attacks such as SYN Flood, UDP Flood, HTTP Flood, etc., and ensure the security and availability of network and application systems.

    Professional Web attack protection function: Supports detection and filtering of SQL injection, cross-site scripting, CC attacks and other attacks, to protect Web servers from attack damage.

    High-performance virus filtering function: The leading detection engine based on stream scanning technology can realize low-delay and high-performance filtering. It supports the killing of viruses in HTTP, FTP, SMTP, POP3, IMAP and other traffic and in compressed files (zip, gzip, rar, etc.).

    URL filtering function with a feature library of tens of millions of URLs: It can help network administrators easily realize web browsing access control, and avoid threat infiltration caused by malicious URLs.

Product Specifications

Hardware specifications


MPSec MSG4000-X16-AC

Firewall throughput (bps)


Standard concurrent connections

≥14 million

New connections per second


Standard SSL VPN online users

64 (Windows clients only)

Maximum number of SSL VPN online users

1000 (Windows clients only)

Standard IPsec VPN tunnels


Maximum number of IPsec VPN tunnels


Onboard electrical ports 10/100/1000Base-T


Number of expansion slots


Number of onboard SFP Gigabit optical ports


Asynchronous serial management interface


Out-of-band management port (MGT)




USB interfaces


Chassis Specifications & Dimensions


440mm (width) × 600mm (depth) × 133mm (height)

Rack specifications

19 inches

Temperature and humidity

Operating temperature: 0~40℃, storage temperature: -25~70℃, relative humidity: 5~90%, non-condensing

Power supply

Redundant power supply, input voltage: 100-240VAC, maximum output power: 300W


Software function

Basic networking function

Deployment mode

Support routing mode, transparent mode, switching mode, mixed mode and bypass mode access

Routing characteristics

Default route, static route, policy route, supporting RIP, RIPng, OSPF, BGP, and other dynamic routes

IP protocol

Support IPv4 and IPv6 dual stack


Support the conversion of source and destination addresses and ports, including one-to-one, one-to-multiple, multiple-to-one and multiple-to-multiple address translation modes

Load balancing

Support multi-link load balancing based on IP, ISP, application, user, service, etc., support load balancing of DNS traffic, and support load balancing based on server address; support multi-link backup and load of IPSec VPN

Network service

Support DHCP server, DNS transparent proxy, ARP proxy and other network services



Virtual system

Support virtual system routing, switching, monitoring, auditing, security, protection and other full isolation.

High reliability

Support dual-system hot backup function, "master-standby" and "master-master" modes in routing and transparent mode, interface linkage and link detection.

Refined access control

Access control

Support access control based on IP, security domain, VLAN, time, user, geographical area, service protocol and application; support advanced access control functions such as application control, intrusion prevention, URL filtering, virus detection, content filtering and network behavior management, all configured in one security policy; and support rapid searching of security policies and redundant policy analysis.

Application recognition

It can accurately identify more than 5,000 Internet applications and more than 700 mobile applications, and supports application cloud identification.

Behavior control

It supports fine-grained control of HTTP, SMTP, POP3, IMAP, FTP and TELNET protocols to filter untrusted network behaviors.

User authentication

Support web-based clientless user authentication, and third-party authentication integrating AD (Active Directory), LDAP and RADIUS

File filtering

It can filter more than 30 common document types in three categories: document, compression and archiving without suffix

Mail filtering

Support filtering of mail senders and receivers, and anti-spam support based on RBL blacklist and custom IP address blacklist

URL filtering

There are 86 categories of URL resource libraries preset, which can be updated manually offline or automatically online. It supports URL cloud query, cloud URL query analysis and custom URL filtering.

Content filtering

Implement bi-directional content transmission filtering of five application protocols: HTTP, FTP, POP3, SMTP and IMAP, and support the definition of sensitive information in two ways: predefined sensitive information base and custom sensitive information base

Bandwidth management

It supports dividing virtual QoS channels according to IP address, user, service, application, time and other information for bandwidth management, and supports the maximum bandwidth limit and minimum bandwidth guarantee of multi-level scheduling class nesting

Integrated threat protection

Attack protection

Supported attack protection types include: Flood (SYN Flood, ICMP Flood, UDP Flood, IP Flood), malicious scanning (prohibiting tracert, IP address scanning attack, port scanning), spoofing protection (IP spoofing, DHCP monitoring auxiliary check), abnormal packet attack (Ping of Death, Teardrop, IP option, TCP exception, Smurf, Fraggle, Land, Winnuke, DNS exception, IP fragmentation, ICMP control (prohibiting ICMP fragmentation, prohibiting route redirection packets, prohibiting unreachable packets, prohibiting timeout packets, ICMP packet size limit)), application layer Flood (DNS Flood, HTTP Flood), SYN cookie.

Virus protection

Equipped with an artificial intelligence engine, it can immunize against more than 90% of shelled and variant viruses, and supports virus cloud killing technology to kill viruses in HTTP, FTP, SMTP, POP3 and IMAP traffic.

Intrusion prevention

It can identify and block more than 3,000 kinds of vulnerability intrusions and spyware, support the defense against intrusion behaviors such as denial of service, buffer overflow, malicious scanning, Trojan backdoor, virus worm, botnet, cross-site script, SQL injection, WEB attack, weak password scanning, and support the generation of dynamic policies.

Visual intelligent management

Device management

Web interface (HTTP, HTTPS), command line interface (SSH, Console, CLI)

Management authority

Support the separation of powers among super administrator, policy administrator and audit administrator, and support custom administrator authority.

Network analysis

From the perspective of application, user, IP address and country/region, it shows the current active state of the user network and the usage of policies, and locates abnormal behaviors in the network by ranking statistics in five dimensions: byte number, session, threat, content and URL.

Threat analysis

From the perspective of threats, hosts accessing malicious URLs, hosts accessing malicious domain names, etc., it focuses on the advanced threats in the network captured by the firewall, so as to judge whether a host in the intranet has been compromised or whether the current security policy of the firewall has security loopholes.

Blocking analysis

By displaying blocking events of application, user, threat, content, domain name and URL, the firewall can judge malicious behaviors and problematic users in the network, and can also judge whether the security policy is blocking normal behaviors by mistake.

Log output

It supports multi-dimensional English visual analysis and log output, such as traffic log, threat log, domain name log, URL filtering log, mail filtering log and behavior log, and supports fuzzy search of historical logs in a customized time period based on more than 90 filtering conditions such as IP, user, interface, region and application.

Statistical analysis

Support sorting the number of bytes and sessions of the corresponding types within the specified time range according to the types of application, IP, user, etc., and support the historical statistics of the number of new connections and concurrent connections based on interfaces and security domains.

Support ranking statistics based on traffic trends and increasing applications, decreasing applications, bandwidth consumption and threats in the network. It also supports threat maps to help users understand the risk of geographic distribution of threats in the network.

Monitoring analysis

Support session monitoring, user monitoring, asset monitoring, route monitoring and system resource monitoring

Order Information

Host model


MPSec MSG4000-X16-AC

Network-layer throughput 160G, concurrent connections ≥14 million, new connections per second 2,200,000, standard 3U chassis, redundant power supply, standard configuration of one console port, one HA interface, one MGT interface, and eight interface board card expansion slots


Module name



One-year license for upgrading IPS, AV, AM three-in-one function module feature library of MPSec MSG4000-X16-AC


Three-year license for upgrading IPS, AV, AM three-in-one function module feature library of MPSec MSG4000-X16-AC

Card board

Board model



2-port 40G QSFP board (optional): two QSFP slots


2-port 10 Gigabit optical port board (optional): two SFP+ slots


2-port 10 Gigabit optical port board (optional): two SFP+ slots, supporting one pair of 10 Gigabit hardware bypass


4-port Gigabit SFP board (optional): four SFP slots


4-port Gigabit SFP board (optional): fixed 4 SFP Gigabit multimode optical modules (non-replaceable), supporting two pairs of Gigabit optical port hardware bypass


4-port 10/100/1000Base-T Board (optional): four 10/100/1000BASE-T


4-port 10/100/1000Base-T board (optional): four 10/100/1000Base-T, supporting two pairs of hardware bypass


4-port 10 Gigabit optical interface card (optional): four SFP+ slots


8-port Gigabit SFP board (optional): eight SFP slots


8-port 10/100/1000Base-T boards (optional): eight 10/100/1000BASE-T


8-port 10/100/1000Base-T board (optional): eight 10/100/1000BASE-T, support four pairs of hardware bypass


1T hard disk card; log report and other functions require the hard disk card