3.9.4.2.1 Anti-DoS
A DoS attack (denial-of-service attack) is usually aimed at consuming server-side resources and forcing the service to stop responding: the attacker forges request traffic that exceeds the server's processing capacity, and the server is blocked by it. The Anti-DoS function of the Sangfor device can prevent DoS attacks launched against the LAN from the external network, as well as DoS attacks initiated from a poisoned LAN host or by an attack tool on the LAN.
The LAN DoS attack function of the IAG only monitors traffic in the direction of the LAN port.
The configuration interface is as follows:
Enabled: the switch that turns Anti-DoS on. Three detection methods are available: SYN flooding, UDP flooding, and ICMP flooding.
SYN flooding: TCP SYN flooding operates at layer 4 of the OSI model and abuses a characteristic of the TCP protocol, the three-way handshake. The attacker sends a TCP SYN, the first packet of the handshake. When the server returns its SYN-ACK, the attacker never sends the final ACK, so the connection is left in a suspended (half-open) state. While a connection is half-open and no confirmation arrives, the server retransmits its SYN-ACK to the attacker, which wastes further server resources. The attacker opens a large number of such connections; because none of them completes the three-way handshake, each suspended connection keeps consuming CPU and memory on the server, and the server may crash or become unable to serve normal users.
UDP flooding: The attacker sends a large number of UDP packets to the server, and the server wastes resources generating a large number of replies.
ICMP flooding: The attacker sends ICMP echo requests whose source IP address is forged to be the victim's IP address and whose destination IP address is the broadcast address of the network segment, so that every host on the segment sends an ICMP echo reply to the victim and it is flooded with replies.
Never block the internal IP below: DoS defense is not applied to the IP addresses entered in this list. For example, if the intranet has a server that provides services to the public network and therefore holds many connections to it, it is recommended to exclude the server's address so that its traffic is not judged illegal by the DoS defense.
Advanced
LAN subnets: the LAN segments that access the Internet through the device. Hosts not in the list are treated as attackers by default: when this option is enabled, data from hosts not in the list is blocked, and hosts in the list are blocked only when an attack is detected from them.
Block for (minutes): the time, in minutes, for which an attacking host is blocked after the device detects the attack.
Select Give Alert to enable mail alerts. For details, see System > General > Alert Option.
Click OK to save the configuration.
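The following is an added illustration, not code from the IAG or from Sangfor, of how the Anti-DoS settings above fit together: SYN-flood detection by counting half-open connections per source, the LAN subnets rule, the never-block list, and the block period. The threshold, window and traffic are constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict, deque

def make_packets():
    # Constructed sample traffic (timestamp, source IP, flag); "S" = client SYN, "A" = completing ACK.
    pkts = [(0.0, "10.0.0.5", "S"), (0.1, "10.0.0.5", "A")]            # normal client
    pkts += [(1.0 + i * 0.01, "10.0.0.77", "S") for i in range(60)]    # flood: SYNs, no ACKs
    pkts += [(2.0 + i * 0.01, "10.0.0.9", "S") for i in range(60)]     # busy server in exclude list
    pkts += [(3.0, "192.168.50.4", "S")]                               # host outside LAN subnets
    pkts += [(3.5, "10.0.0.77", "S")]                                  # attacker still blocked
    return pkts

class AntiDos:
    def __init__(self, lan_subnets, never_block, syn_threshold=50, window_sec=1.0, block_minutes=5):
        self.lan = [ipaddress.ip_network(n) for n in lan_subnets]          # "LAN subnets"
        self.never_block = {ipaddress.ip_address(a) for a in never_block}  # "Never block the internal IP below"
        self.threshold, self.window = syn_threshold, window_sec            # assumed detection heuristic
        self.block_sec = block_minutes * 60                                # "Block for (minutes)"
        self.half_open = defaultdict(deque)   # src -> timestamps of SYNs still awaiting their ACK
        self.blocked_until = {}               # src -> time at which its block expires

    def feed(self, ts, src, flag):
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in self.lan):
            return "block"                    # not in LAN subnets: treated as an attacker
        if ip in self.never_block:
            return "excluded"                 # never subject to DoS defense
        if self.blocked_until.get(ip, 0) > ts:
            return "block"                    # still inside the blocking period
        q = self.half_open[ip]
        if flag == "A":
            if q:
                q.popleft()                   # handshake completed: one fewer half-open connection
            return "allow"
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget SYNs older than the detection window
            q.popleft()
        if len(q) > self.threshold:           # too many half-open connections in the window
            self.blocked_until[ip] = ts + self.block_sec
            q.clear()
            return "block"
        return "allow"

def run(packets):
    det = AntiDos(["10.0.0.0/24"], ["10.0.0.9"])
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, flag in packets:
        counts[src][det.feed(ts, src, flag)] += 1
    return {src: dict(v) for src, v in counts.items()}, det
```

Calling `run(make_packets())` shows the flooding host blocked after its 51st unanswered SYN, the excluded server never blocked, and the host outside the LAN subnets blocked immediately.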
3.9.4.2.2 ARP Protection
ARP spoofing is a common LAN virus behaviour. A computer infected with such a virus sends spoofed ARP broadcast packets to the LAN at irregular intervals, which interferes with and damages normal communication between LAN machines. In severe cases, the entire network is cut off.
The device implements ARP Protection in cooperation with the access client installed on LAN PCs.
The device protects its own ARP cache by refusing ARP requests or replies that carry attack features, which makes the device itself immune.
If an access control user on the device is bound to an IP/MAC pair, the bound IP/MAC information prevails on the device.
The LAN PC performs ARP Protection through the access client. Once the access client is installed, it communicates with the device to obtain the correct IP/MAC mapping of the gateway and creates a static binding for it.
The configuration interface is as below:
Enable ARP Protection: the master switch that turns ARP protection on.
Enable static ARP: set this if the LAN PC's gateway is not the device's interface address. For example, if the device runs in bridge mode, the gateway address of the LAN PCs is the interface address of the front router (or firewall); fill the interface IP/MAC of that front router into the box below. If the access client is installed on the LAN PC, the client can then obtain the correct gateway IP/MAC for binding, which ensures that the PC's gateway entry is correct and that communication between the PC and the gateway stays normal.
MAC Broadcast Interval (sec): the interval at which the gateway MAC address (that is, the MAC of the device's LAN interface) is broadcast. The recommended interval is 10 seconds.
Select Give Alert to enable mail alerts. For details, see System > General > Alert Option.
Click Save to save the configuration.
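As an added example (not the device's own code), the guard below models the cache protection described above: a static gateway binding and access-control IP/MAC bindings prevail over whatever an ARP frame claims, a learned IP may not silently change MAC, and one MAC answering for many IPs is treated as an attack feature. The frames, bindings and the "max IPs per MAC" heuristic are constructed assumptions.

```python
from collections import defaultdict

# Constructed ARP frames for illustration, not captured traffic:
# (opcode, sender IP, sender MAC, target IP)
FRAMES = [
    ("reply",   "10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),  # genuine gateway reply
    ("reply",   "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),  # forged reply claiming the gateway IP
    ("request", "10.0.0.7", "00:11:22:33:44:07", "10.0.0.1"),  # ordinary request; 10.0.0.7 is learned
    ("reply",   "10.0.0.7", "de:ad:be:ef:00:01", "10.0.0.5"),  # 10.0.0.7 suddenly reports a new MAC
    ("reply",   "10.0.0.8", "de:ad:be:ef:00:01", "10.0.0.5"),  # same MAC now claims a third IP
    ("reply",   "10.0.0.9", "00:11:22:33:44:09", "10.0.0.5"),  # host with an access-control binding
]

class ArpGuard:
    """Filters ARP frames before they may update the ARP cache."""
    def __init__(self, static_bindings, user_bindings, max_ips_per_mac=2):
        # Static gateway binding and access-control user IP/MAC bindings always prevail.
        self.bound = {ip: mac.lower() for ip, mac in {**static_bindings, **user_bindings}.items()}
        self.cache = {}                    # learned IP -> MAC
        self.claims = defaultdict(set)     # MAC -> every IP it has claimed to own
        self.max_ips = max_ips_per_mac     # assumed heuristic for "attack features"

    def process(self, op, sender_ip, sender_mac, target_ip):
        mac = sender_mac.lower()
        self.claims[mac].add(sender_ip)
        if sender_ip in self.bound and self.bound[sender_ip] != mac:
            return "drop", "sender IP is bound to a different MAC"
        if len(self.claims[mac]) > self.max_ips:
            return "drop", "one MAC claims too many IPs"
        if sender_ip in self.cache and self.cache[sender_ip] != mac:
            return "drop", "learned IP changed MAC"
        self.cache[sender_ip] = mac        # safe to learn or refresh
        return "accept", op

def run(frames):
    guard = ArpGuard({"10.0.0.1": "00:11:22:33:44:01"}, {"10.0.0.9": "00:11:22:33:44:09"})
    return [guard.process(*f)[0] for f in frames], guard
```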
3.9.4.2.3 Malicious URLs
Based on the Sangfor Cloud Engine and a multi-engine malware detection mechanism, a comprehensive judgment is made using static detection, dynamic sandboxing, taint checking, manual analysis, and other technologies. Malicious URLs are identified in real time to protect user services from threats including phishing and malicious websites, vulnerability exploitation, cryptomining pages, malicious redirects, cross-site scripting attacks, and virus files.
Check Enable Malicious URL Detection to enable the feature.
Excluded Addresses: IP addresses that do not need to be detected; add them to this whitelist.
Excluded Websites: websites that do not need to be detected; add them to this whitelist.
Action: select Give alert (used together with System > General > Alert Option) and/or Block access to malicious URL.
3.9.4.2.4 Sangfor Engine Zero
Sangfor Engine Zero combines machine learning algorithms such as deep learning with ensemble learning to make full use of each algorithm's detection strengths. It can extract effective file features quickly and accurately, and its detection rate for ransomware reaches the industry-leading level. In addition, through the continuous convergence of Sangfor Neural-X, Sangfor Endpoint Secure, and Sangfor Network Secure products in analyzing emerging threats, the SAVE AI security detection engine can evolve in time to improve its detection capabilities and cover the latest viruses.
Sangfor Engine Zero is mainly used for virus scanning and removal on the data passing through the device, to protect the security of LAN computers. The device can perform virus scanning and removal for four common protocols: HTTP, FTP, POP3, and SMTP. The built-in Sangfor Engine Zero, developed by Sangfor, has a high virus recognition rate and high scanning and removal efficiency. Although it is not a traditional signature rule base, Sangfor Engine Zero still keeps a regular update routine like one; the current update cycle is two months.
The Sangfor Engine Zero settings interface includes the antivirus switches for the four protocols, excluded websites that are not scanned, and the file whitelist.
The Settings interface is as shown in the following figure.
Protect HTTP download against virus, Protect HTTPS download against virus, Protect FTP download against virus, Protect POP3/IMAP against virus, and Protect SMTP against virus enable the antivirus switches for the corresponding protocols.
Excluded websites (URL): access data to these websites is not scanned. The URL input supports wildcards, one entry per row.
Enable file whitelist: define files that do not require antivirus scanning.
Action: check Give alert and use it together with the Alarm Option. For details, see Chapter 3.11.5.5 Alarm Option.
File Types: specify the types of files to be scanned by Sangfor Engine Zero.
File Size: specify the size of files to be scanned by Sangfor Engine Zero.
Click Save to save the configuration.
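As an added example that is not the device's own code, the policy function below shows how the whitelists of the Malicious URLs section (excluded addresses and websites) and the Engine Zero settings above (per-protocol switches, excluded websites with wildcards, file types and file size) decide whether a transfer is handed to the scanner. The settings and magic-byte file-type sniffing are assumptions for the example; treating the excluded addresses as client IPs is also an assumption.

```python
import fnmatch
import ipaddress

# Constructed settings mirroring the options described in this section.
PROTOCOL_SWITCHES = {"http": True, "https": True, "ftp": True, "pop3": True, "imap": True, "smtp": False}
EXCLUDED_ADDRESSES = ["10.0.0.0/24", "192.0.2.7"]             # Excluded Addresses (IPs or subnets)
EXCLUDED_WEBSITES = ["*.example.com", "updates.example.org"]  # Excluded websites, one per row, wildcards
FILE_TYPES = {"exe", "dll", "zip", "docm"}                    # File Types selected for scanning
FILE_SIZE_LIMIT = 20 * 1024 * 1024                            # File Size limit in bytes

# Assumption: identify the real container type from leading bytes, not only from the name,
# so a renamed executable ("photo.jpg" that starts with MZ) is still scanned.
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip"}

def file_type(filename, head):
    """Prefer the type indicated by magic bytes; fall back to the file extension."""
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def should_scan(protocol, client_ip, host, filename, size, head=b""):
    """Return (scan?, reason) for one transfer seen by the device."""
    if not PROTOCOL_SWITCHES.get(protocol.lower(), False):
        return False, "antivirus switch off for protocol"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(e, strict=False) for e in EXCLUDED_ADDRESSES):
        return False, "excluded address"
    if any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in EXCLUDED_WEBSITES):
        return False, "excluded website"
    kind = file_type(filename, head)
    if kind not in FILE_TYPES:
        return False, f"file type '{kind}' not selected"
    if size > FILE_SIZE_LIMIT:
        return False, "exceeds file size limit"
    return True, f"scan as {kind}"
```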
Antivirus Database Update page:
Update Service Expires On: displays the expiration date of automatic updates for Sangfor Engine Zero. Until that date, the device automatically connects to the Sangfor Technologies Inc. server to update the Antivirus Database.
Antivirus Database Release On: displays the release date of the current Antivirus Database.
Upload Antivirus Database: manually import a downloaded Antivirus Database file into the device to update the Antivirus Database. Click Browse to select the Sangfor Engine Zero model file to be imported, then complete the Antivirus Database update.