The platform is available as hardware appliances (HSR) and software images (VSR). The software version runs on x86 servers or as a virtual machine.
Wouldn't it be nice with serious routing in a firewall? We thought so too. It features BGP (with support for TCP MD5 and VPNs using extended communities), LDP/MPLS (provider edge), OSPFv2 and OSPFv3 (IPv6), VRFs using routing domains, equal-cost multi-path routing and much more.
It was as designed for IPv6, and makes no assumptions of IPv4 being more preferred than its newer counterpart. Everything, including maintenance tasks and software update, are supported in IPv6-only configurations. Several transition technologies are available, such as layer 3 address family translation, NAT64, tunneling and relaying.
Don't allow the firewall to be the network's bottleneck. With VLAN and increased segmentation, a gigabit firewall has become a necessity. Enjoy wire-speed throughput and hardware-accelerated AES IPSec VPN.
Load balancing and failover
Fight downtime with hardware failover, internet failover and a very capable load balancer featuring both the very fast layer 3 forwarding with many probe conditions and the layer 7 proxy with SSL acceleration.
- Virtual (VSR), software and hardware (HSR): Call it cloud ready if you will. The platform is anyway available as ready-to-use hardware appliances, virtual machine images ideal for intra-VM security, and raw disk images which you can write to for example USB sticks which will boot your x86 server of choice.
- Clustering: Deploy redundant appliances with ease. The optional zero-config cluster port gets you started in no time. Both active/passive and active/active high availability is available, with synchronization of the configuration, firewall states, IPsec SAs and DHCP leases.
- Management: The hierarchical human-readable configuration file format is both easy to manipulate, but also elegant enough to serve as the firewall's documentation. Changes to the configuration file (commits) are atomic, and thus no reboots are necessary, even when importing an entire configuration. This is ideal for clustering, and also makes it possible to test configurations during a specified time (since it always reverts perfectly). Every modification is saved as a new configuration revision (with author, timestamp and a message) which makes accounting and tracking changes (diffs) a breeze. Every aspect of the system is made available through an easy-to-use SOAP API, which as a matter of fact serves as the foundation for the entire HTTPS administration.
- VPN: H/OS offers IPsec VPN, both IKEv1/v2 and using manual keys. Enterprise layer2 IPsec tunneling. Remote user VPN is offered using MOBIKE, L2TP and PPTP.
- Transparency: The terminology and administration philosophy of H/OS is excessively inspired by standard networking concepts, making it transparent and debuggable for the administrator. We realize the importance of being able to understand the inner workings of the firewall in order to successfully deploy secure networks.
- Open source: Time has proven openness to be the best choice for producing trusted, security software. Therefore, we are not only using OpenBSD as foundation; we are also publishing all the changes we make. If you like, you can find out exactly what code is running on your router.