H3C SecPath F5000-AI Series Firewall Performance Evaluation and Feature Validation
Abstract
New H3C Technologies commissioned Tolly to evaluate the performance, capacity, and feature set of the H3C SecPath F5000-AI series firewall family. The main focus of the project was to validate firewall throughput and latency, connection scale, DPI and VPN performance, and the platform’s policy, threat-intelligence, virtualization, and centralized-management capabilities for vertical, carrier, campus, and branch security deployments.
The report covers the H3C SecPath F5000-AI series, including the F5000-AI-15, F5000-AI-20, F5000-AI-40, F5000-AI120, F5000-AI160, and F5000-AI360. Tolly’s primary performance measurements were taken on the F5000-AI160. In RFC2544 testing with Spirent TestCenter, the firewall delivered up to 200Gbps IPv4 and IPv6 UDP throughput at 256-byte frames and above, with no frame loss. Average 100GbE port-to-port IPv4 UDP latency ranged from 6.8µs to 10.0µs depending on frame size, with 8.0µs reported for the tested iMIX profile.
Connection-scale and inspection testing showed substantial headroom. Using Keysight BreakingPoint, the F5000-AI160 established 800,000 new TCP connections per second and supported 80,000,000 concurrent TCP sessions. With firewall, anti-virus, IPS, URL filtering, and application recognition enabled, it sustained 35.8Gbps of Layer 7 HTTP throughput. VPN testing showed support for 48,000 concurrent SSL VPN users and up to 47.44Gbps IPsec throughput with 1400-byte frames, or 10.37Gbps with the tested iMIX profile.
The report also emphasizes deep policy control and advanced security analytics. Tolly verified support on the F5000-AI160 for 120,000 IPv4 and 120,000 IPv6 security policies, including country- and region-based access control, security-policy redundancy analysis, hit analysis, and policy optimization. Additional validated features included flood-attack defense across multiple attack types, IP sweep defense, new-connection rate limiting, application audit, email/file/HTTP content filtering, updatable IP/domain/URL reputation databases, and botnet analysis.
Operationally, the platform supports link-group load balancing, MPLS and SRv6 traffic recognition for policy enforcement, centralized management through H3C Security Management Platform, evidence collection, packet trace, attack and source tracing analysis, and application analysis. One F5000-AI160 can also be partitioned into up to 2,048 virtual firewalls with independently managed resources. Overall, the report presents the F5000-AI family as a high-performance next-generation firewall platform that combines very high throughput and session scale with rich inspection, analytics, and multitenant security controls.
Firewalls tested:
- H3C F5000-AI-15 — Entry model in the SecPath F5000-AI family, positioned as a high-performance VPN-integrated 10GE fixed-port firewall for vertical markets.
- H3C F5000-AI-20 — 10GE fixed-port firewall in the F5000-AI series for vertical markets, with support for 40GE ports and interface expansion.
- H3C F5000-AI-40 — Higher-capacity 10GE fixed-port firewall in the F5000-AI family, also supporting 40GE ports and flexible expansion.
- H3C F5000-AI120 — 100GE fixed-port firewall model in the F5000-AI series for vertical and carrier deployments.
- H3C F5000-AI160 — 100GE fixed-port firewall used for the report’s main performance, DPI, VPN, and policy-scale testing; supports six 100GE ports and twenty-eight 10GE ports, with eight convertible to 25GE.
- H3C F5000-AI360 — Higher-end 100GE fixed-port firewall model in the F5000-AI family for larger vertical and carrier security environments.