Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.95

IPS

Update time: 2026-01-04

FortiGate Configuration Example

config ips sensor
    edit "<Profile-Name>"                # Name of the IPS sensor/profile
        set comment "Default IPS"        # Description or comment
        config entries                   # Define specific IPS rules
            edit 1
                set rule <rule-id>       # IPS rule ID (signature ID)
                set action {default|block|monitor} # Action for this rule
            next
        end
    next
end

FortiGate Parameter Explanation and Conversion Suggestions

| FortiGate Parameter | FortiGate Parameter Description | Corresponding Sangfor NGAF Module/Parameter | Migration Notes |
|---|---|---|---|
| name | IPS policy name | Objects > Security Policy Template > Intrusion Prevention | It is recommended to keep the name consistent |
| comment | Policy description | Objects > Security Policy Template > Intrusion Prevention | Can be migrated directly |
| entries | Signature entry configuration | Objects > Security Policy Template > Intrusion Prevention | Sangfor uses a combination of built-in and custom rule sets |
| rule | IPS rule ID (signature number) | Objects > Security Policy Template > Intrusion Prevention | NGAF has a built-in signature database; individual import is not required |
| action | Rule action (default/block/monitor) | Policies > Network Security > Policies | No need to configure actions in the template; actions are set in the Network Security Policy |
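The conversion table above is easiest to apply if the FortiGate sensors are first inventoried mechanically. The script below is an added example (not Sangfor's or Fortinet's own tooling): it parses a `config ips sensor` block in the CLI shape shown earlier and, for each sensor, lists what has to be re-created on the NGAF side, keeping the template name and description, collecting the signature IDs only as a cross-check against the built-in database, and separating out the per-rule actions that must be set in the Network Security policy rather than the template. The sample configuration embedded in it is constructed, and the output dictionary layout is this example's own choice.

```python
"""Inventory FortiGate IPS sensors for migration to a Sangfor NGAF template.

Added example, not the product's own code. The CLI layout parsed here is the
`config ips sensor` form shown on this page; SAMPLE_CONFIG is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample FortiOS CLI output (not captured from a real device).
SAMPLE_CONFIG = """\
config ips sensor
    edit "web-servers"
        set comment "Default IPS"
        config entries
            edit 1
                set rule 12345
                set action block
            next
            edit 2
                set rule 23456 34567
                set action monitor
            next
        end
    next
    edit "lan-users"
        set comment "Client side"
    next
end
"""

# Where each FortiGate field is re-created on the NGAF, per the table above.
FIELD_TARGET = {
    "name":    "Objects > Security Policy Template > Intrusion Prevention",
    "comment": "Objects > Security Policy Template > Intrusion Prevention",
    "entries": "Objects > Security Policy Template > Intrusion Prevention",
    "rule":    "Objects > Security Policy Template > Intrusion Prevention",
    "action":  "Policies > Network Security > Policies",
}


@dataclass
class Entry:
    entry_id: int
    rules: list = field(default_factory=list)
    action: str = "default"


@dataclass
class Sensor:
    name: str
    comment: str = ""
    entries: list = field(default_factory=list)


def parse_ips_sensors(text):
    """Walk the CLI block line by line, tracking whether we are inside a
    sensor (`edit "<name>"`) or inside one of its `config entries` items."""
    sensors, sensor, entry, in_entries = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "config ips sensor":
            continue
        if line == "config entries":
            in_entries = True
        elif line == "end":
            if not in_entries:
                break               # closing `end` of `config ips sensor`
            in_entries = False      # closing `end` of `config entries`
        elif line.startswith("edit "):
            arg = line[5:].strip()
            if in_entries:
                entry = Entry(entry_id=int(arg))
            else:
                sensor = Sensor(name=arg.strip('"'))
        elif line == "next":
            if entry is not None:
                sensor.entries.append(entry)
                entry = None
            elif sensor is not None:
                sensors.append(sensor)
                sensor = None
        elif line.startswith("set "):
            key, value = re.match(r"set (\S+)\s+(.*)", line).groups()
            if key == "comment" and sensor is not None and entry is None:
                sensor.comment = value.strip('"')
            elif key == "rule" and entry is not None:
                entry.rules = [int(v) for v in value.split()]  # one or more IDs
            elif key == "action" and entry is not None:
                entry.action = value
    return sensors


def migration_plan(sensors):
    """One NGAF Intrusion Prevention template per sensor, plus the rule
    actions that belong in the Network Security policy, not the template."""
    plan = {}
    for s in sensors:
        actions = {r: e.action for e in s.entries for r in e.rules}
        plan[s.name] = {
            "template": {
                "location": FIELD_TARGET["name"],
                "name": s.name,            # keep the name consistent
                "description": s.comment,  # migrated directly
            },
            # NGAF ships a built-in signature database, so these IDs are a
            # cross-check only; they are not imported one by one.
            "signature_ids": sorted(actions),
            "policy": {"location": FIELD_TARGET["action"], "actions": actions},
            "needs_action_in_policy": any(a != "default" for a in actions.values()),
        }
    return plan


if __name__ == "__main__":
    for name, item in migration_plan(parse_ips_sensors(SAMPLE_CONFIG)).items():
        print(name, item)
```

Run it against the output of `show ips sensor` saved to a file; sensors whose `needs_action_in_policy` flag is set are the ones that need a matching entry under Policies > Network Security > Policies after the template is created.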

Migrate to Sangfor NGFW

Because the FortiGate IPS configuration differs significantly from the NGFW's, it is recommended to first understand what the FortiGate IPS sensor protects, then build an equivalent Sangfor NGFW IPS template and reference that template from the security policy.

This function inspects packets for latent threats against the LAN. Two built-in templates are provided, one for Internet access control and one for business protection:

Default Template_Internet Access Scenario protects LAN users.

Default Template_Server Scenario protects servers.

Click Add to create a vulnerability attack prevention template, as shown in the figure below.

Template Name: Define the name of the template to prevent the attack behavior.

Description: Define the description of the template to prevent the attack behavior.

Protection Features: Specify the protection parameters.

Select Server Protection and click Selected (listing System, Shellcode, Scan, Custom IPS Rules, Database, Mail, Web, FTP, TFTP, DNS, Telnet, IoT, Media). In the Select Attack Type dialog box, select vulnerability types according to the service types published by the server; the device will then prevent attacks against vulnerabilities of those service types.

Check Endpoint Protection and click Selected (listing System, Shellcode, Scan, Custom IPS Rules, Web ActiveX, Web Browser, File, Application). In the Select Attack Type dialog box that opens, check the corresponding vulnerability types; the device will then perform intrusion prevention against client-side vulnerabilities of those types.

Select Brute-Force Attack Protection and click Selected (listing TELNET_Ubuntu, IMAP_Standard, RLOGIN, TELNET_Microsoft_Server…). In the Select Attack Type dialog box, select the brute-force signature types; the device will then prevent brute-force attacks of those types.

Click a brute-force attack signature to open the Edit Signature dialog box (the vulnerability attack signature database) and set the maximum number of attempts allowed, the detection interval, and the status (Enable or Disable).
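The three fields of a brute-force signature (maximum attempts, detection interval, status) define a sliding-window threshold. The code below is an added example, not the product's detection engine: it models one signature per protocol with those three fields, feeds it a constructed list of login attempts, and reports which attempt pushes a source over the limit. The threshold semantics (an alert once the count inside the interval exceeds the maximum) and the signature names and timings are assumptions made for illustration.

```python
"""Sliding-window brute-force threshold, modelled on the max attempts /
detection interval / status fields of an NGAF brute-force signature.

Added example, not the product's own engine; semantics are assumed.
"""
from collections import defaultdict, deque


class BruteForceSignature:
    def __init__(self, name, max_attempts, interval_s, enabled=True):
        self.name = name                  # e.g. TELNET_Ubuntu, IMAP_Standard
        self.max_attempts = max_attempts  # "maximum number of attempts allowed"
        self.interval_s = interval_s      # "detection interval" in seconds
        self.enabled = enabled            # "status": Enable / Disable
        self._window = defaultdict(deque) # (src, dst) -> attempt timestamps

    def observe(self, ts, src, dst):
        """Record one login attempt and return True if this attempt takes the
        count within the detection interval above the allowed maximum."""
        if not self.enabled:
            return False
        window = self._window[(src, dst)]
        window.append(ts)
        # Drop attempts that fell out of the interval (assumed: inclusive edge).
        while window and ts - window[0] > self.interval_s:
            window.popleft()
        return len(window) > self.max_attempts


# Signatures keyed by protocol; values are constructed for the example.
SIGNATURES = {
    "telnet": BruteForceSignature("TELNET_Ubuntu", max_attempts=5, interval_s=60),
    "imap":   BruteForceSignature("IMAP_Standard", max_attempts=3, interval_s=30),
    "rlogin": BruteForceSignature("RLOGIN", max_attempts=2, interval_s=30, enabled=False),
}

# Constructed sample attempts: (seconds, protocol, source, destination).
SAMPLE_EVENTS = [
    (0,   "telnet", "10.0.0.5", "10.0.1.20"),
    (0,   "telnet", "10.0.0.9", "10.0.1.20"),
    (1,   "imap",   "10.0.0.7", "10.0.1.30"),
    (2,   "imap",   "10.0.0.7", "10.0.1.30"),
    (3,   "imap",   "10.0.0.7", "10.0.1.30"),
    (4,   "imap",   "10.0.0.7", "10.0.1.30"),   # 4th within 30 s -> alert
    (5,   "telnet", "10.0.0.5", "10.0.1.20"),
    (10,  "telnet", "10.0.0.5", "10.0.1.20"),
    (15,  "telnet", "10.0.0.5", "10.0.1.20"),
    (20,  "telnet", "10.0.0.5", "10.0.1.20"),
    (25,  "telnet", "10.0.0.5", "10.0.1.20"),   # 6th within 60 s -> alert
    (30,  "rlogin", "10.0.0.5", "10.0.1.20"),   # signature disabled
    (31,  "rlogin", "10.0.0.5", "10.0.1.20"),
    (32,  "rlogin", "10.0.0.5", "10.0.1.20"),
    (100, "telnet", "10.0.0.5", "10.0.1.20"),   # old attempts aged out
    (100, "telnet", "10.0.0.9", "10.0.1.20"),   # slow: 1 per 100 s, never trips
    (200, "telnet", "10.0.0.9", "10.0.1.20"),
    (300, "telnet", "10.0.0.9", "10.0.1.20"),
]


def run(events, signatures):
    """Replay attempts through the matching signature; return the alerts."""
    hits = []
    for ts, proto, src, dst in events:
        sig = signatures.get(proto)
        if sig is not None and sig.observe(ts, src, dst):
            hits.append((ts, sig.name, src, dst))
    return hits


def detect_sample():
    """Fresh signature instances so repeated calls do not share state."""
    fresh = {k: BruteForceSignature(s.name, s.max_attempts, s.interval_s, s.enabled)
             for k, s in SIGNATURES.items()}
    return run(SAMPLE_EVENTS, fresh)


if __name__ == "__main__":
    for hit in detect_sample():
        print(hit)
```

Lowering the maximum or widening the interval makes the signature trip sooner; the slow source at one attempt per 100 seconds never trips a 60-second window, which is the trade-off to keep in mind when tuning these two fields against legitimate retry traffic.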

Check Anti-malware and click Selected (listing Backdoor, Spyware, Trojan, Worm). In the Select Attack Type dialog box that opens, check the corresponding malware types; the device will then perform intrusion prevention against malware of those types.

Check C&C Attack Detection Engine and click Select C&C attack detection engine. In the C&C Attack Detection Engine dialog box that opens, select the corresponding detection engine; the device will then perform intrusion prevention against such C&C attacks.

Check Semantic Web Engine and click Selected (listing Enable Java deserialization prevention). In the Semantic Web Engine dialog box, check Enable Java deserialization prevention so that the device blocks Java deserialization attacks.

Click Save to finish establishing vulnerability attack protection.

On the Intrusion Prevention page, click Advanced to open the advanced options page, as shown in the figure below.

Select Enable smart IPS to identify vulnerability attacks and apply protection based on the detected application. If this option is not selected, the system matches IPS signatures based on port numbers instead.

HTTP port: Add multiple HTTP ports to identify HTTP attacks more accurately.