Athena SWG (Secure Web Gateway)

Athena SWG (formerly Internet Access Gateway) ensures visibility and control across the network, detecting risks like unauthorized access, non-compliant activities, and data leaks to manage endpoints.

13.0.120

{{item.code}}

User Manual

IAG Installation

IAG Console

Web Login

Configuration

Functions

Value-Added Services

Sangfor Business Intelligence

Internet Access Analytics

Bandwidth Analytics

Electricity Waste Analytics

Real-Time Status

Real-Time Status

Proxy

Access Management

Working Principle

802.1X Authentication

Authentication

Endpoint Check

Ingress Client Settings

Online Activities

Access Control

Advanced

Bandwidth Management

Quota Control

Link Load Balancing

Activity Audit

Internet Access Audit

Ingress Client Audit

Endpoint Management

Endpoint Connection Control

Security Capabilities Configuration

Connect IAG to Endpoint Secure

Endpoint Connection Control Case Study

Internet Security

System

Object

Network

Sangfor VPN

Firewall

General

Diagnostics

Use Cases

SSO Configuration

SSO Configuration for the AD Domain

Proxy SSO Configuration

SMS Authentication

Send SMS Through an SMS Modem

Endpoint Device Management Configuration

Comprehensive Configuration

SNMP Trap Configuration

Basic Configuration

Enable Email Alert

Testing Procedure

Test with the MIB Browser Tool

Testing Results

International Bandwidth Configuration

Athena SWG (Secure Web Gateway)

SDWAN Path Selection

{{sendMatomoQuery("Athena SWG (Secure Web Gateway)","SDWAN Path Selection")}}

SDWAN Path Selection

{{ $t('productDocDetail.updateTime') }}: 2025-12-29

The SDWAN function is an update of the original Sangfor VPN multi-lines, which increases the QOE identification by service classification to the specified link and link quality, supports the designated key services to take the designated line, or selects the optimal line according to the link quality.

Main SDWAN functions:

Identify applications based on LAN services.

It supports three routing modes. If the peer device has no routing, the path is wan1-wan1 by default. Otherwise, the optimal path is preferred (If the line label is not configured, it should be processed as per the wan1-wan1 by the same ISP).

a)Specified path: Select a path according to the LAN service. It is often used in video conferencing services or some services that have some requirement for lines.

b)Residual bandwidth load: The connection is allocated according to the idle bandwidth ratio of the real-time line. It is often used for file uploading or downloading services and services with fewer requirements for line quality.[LCH255]

c)Service Priority: Select the top-quality line based on the real-time quality of the line. It is often used for services that have high requirements for line quality.

In case of a line fault, the line will switch within 1s, without disconnecting the service.
Traffic-control priority function (five levels: Highest; High; Medium; Low; Lowest). The bandwidth should be ensured for the service of the higher priority.
Fully-loaded line switching function. If the loaded path is used, one fully-loaded line will automatically switch to another line.

Before configuring the SDWAN Path Selection, you must complete the Multi-line Options first.

The default Global line selection policy cannot be deleted. Add a new SDWAN Path Selection policy:

Name: Define the name of the policy, which can be customized to strengthen memory and deepen understanding.

LAN Service: Select the LAN service that activates the line.

Mode: You can choose Specified or Multiline Options.

Specified Path

Prioritize the use of the preferred. If the preferred path is busy or fails, it attempts to match the next one after it.

For example, the headquarters and branches have the specified and VPN links. The video conference will select the specified path, while other services will use VPN paths.

If Line 1 is the static Internet IP and Line 2 is the specified path, the devices wan1 and wan2 correspond to Line 1 and Line 2.

A VPN connection is set up between the headquarters and branches.

Add a video conference service in Advanced > Edit LAN Service.

Add the OTHERS use VPN under the Advanced> Edit LAN Service, and select all services.

Select the Specified path selection mode. Select the Line 1 for VPN Path. Next, select the OTHERS use VPN.

Create an SDWAN policy Video. Select the Selected Video for LAN Service. Select Specified for the Mode. Select the specified path.

Make sure that the Video SDWAN path selection policy is on the interface.

In this way, the branch can use the specified path to have a video conference with the headquarters through the VPN. Others in the VPN tunnel go through the Internet line to guarantee the video conference traffic.

Notes on path selection:

1. Paths of the same ISP will be chosen preferentially

2. If all the specified paths are busy or fail, it will choose the optimal one from the remaining lines

Multi-line Load

3.11.3.3.2.1 Based on Bandwidth Ratio

The headquarters and the branch have two VPN links. The branch accesses the headquarters' service according to the dynamic loads based on the residual bandwidth.

Create an SDWAN policy; select all services for the service, Multiline Options for the mode, two lines of the branch for the load path, and Based on bandwidth ratio for the LB method.

1. Through the check, the flow rate displayed by the VPN detailed connection information is lower than the configured bandwidth because the VPN will be encrypted, and the data packet will be added with the VPN header field.

2. The current version does not display the status of each connection line in the foreground. The tool cannot control the flow rate of each TCP connection, so it only can be seen that two lines are fully loaded with bandwidth in the foreground.

3. It only supports multi-connection loads, not single-connection loads.

3.11.3.3.2.2 Prefer the Optimal Path

The headquarters and the branch have two VPN links. The branch accesses headquarters services according to the path selection based on the link quality.

Create an SDWAN policy; select all services for the service, Multiline Options for the mode, two lines of the branch for the load path, and Prefer the optimal path for the LB Method.

1. The delay statistics of the detailed connection information line will have an error of less than 5ms; the out-of-order packets will be counted into the packet loss rate, so sometimes the packet loss rate value will be displayed without the packet loss, which may be due to the out-of-order packet.

2. When the link quality changes, the current connection information will not perform the path selection, and only the newly-built connection will perform the path selection.

Service Priority

Under the SDWAN Path Selection, the service priority is classified into five levels: Highest, High, Medium, Low, and Lowest. SDWAN performs traffic control (QoS priority) on data through service priority.

For the usage scenario, the headquarters and the branch have two VPN links: ISP1 and ISP2. Generally, the branch accesses the headquarters' service according to the dynamic load based on the residual bandwidth. Thus, when the video conference needs traffic, the traffic of the video conference is guaranteed preferentially.

Add a video conference service in Advanced > LAN Service.

Add the OTHERS use VPN under the Advanced > LAN Service, and select All Services for LAN Service.

[ZY256]

Create an SDWAN policy OTHERS use VPN, select the current branch, and select All Services for LAN Service, Multiline Options for the mode, two lines of the branch for the load path, Based on bandwidth ratio for the LB Method, and Low for Service Priority.

Create an SDWAN policy Video, select the current branch, and select the Video for LAN Service, Specified for the mode, Telecom for the line, and Highest for Service Priority.

{{ $t('index.defaultHeader.logo') }}

Athena SWG (Secure Web Gateway)

SDWAN Path Selection

Specified Path

Multi-line Load

Service Priority