Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.95

Migrate to Sangfor NGFW

Update time: 2026-01-04

Because Fortigate's SSL Decryption configuration differs significantly from that of Sangfor NGFW, first understand what Fortigate's SSL Decryption currently protects, then re-create that protection as a Sangfor NGFW SSL decryption policy using the steps below.

Decryption covers two scenarios: decrypting encrypted email and HTTPS data for LAN users who access the internet through the device, and decrypting traffic sent to an encrypted server on the LAN so that the Network Secure device can inspect it and protect the server. The multi-functional authorization must be enabled before this function can be used.

Decrypt Data to Internal Server

Decrypt data to internal server applies to an encrypted server on the LAN. The Network Secure device decrypts the traffic destined to the server, inspects it, and protects the server from attacks. See the figure below.

Configuration Steps

A web application server is deployed on the intranet of an enterprise to provide internal and external services. The server is accessed over HTTPS. To prevent the web server from being attacked, the HTTPS traffic must be decrypted and inspected to ensure the security of the server.

Import the HTTPS server certificate. Click Server Certificate; the Add Server Certificate dialog box appears. Click Add and create the server certificate, as shown in the following figure.

Form of certificate

Import Certificate: Import a certificate file with the .pfx or .p12 suffix. The file bundles the server's certificate (public key) and private key and is protected by a password; enter that password so the device can decrypt the file.

Specify Self-Signed: Generate a custom self-signed certificate on the device. You must set Name, Country, Issued To, Key Type, Key Size, and Validity Period; the remaining parameters are optional. The self-signed certificate is generated after these parameters are set. Because it is not issued by a CA that clients trust, clients will see a certificate warning unless the certificate is distributed to them.

Import Public/Private: Import the public-key certificate and the private key as separate files. The certificate supports the .PEM or .DER suffix; the private key supports .PEM, .DER, or .PVK. Click OK after both files are imported.

Click Add to create a decryption policy and enter the corresponding information, as shown in the following figure.

Name: Enter a policy name easy to identify.

Src Zones: Select the source zone for accessing the server.

Source: Enter the network objects that will access the server.

Decryption Type: Select Decrypt data to internal server. This option applies when the encrypted server is deployed in a LAN zone of Network Secure. The other option, Decrypt data to internet, applies to decrypting email and HTTPS data when LAN users access the internet.

Destination Servers: Add the IP address and port of the server whose traffic is to be decrypted. The available server types are Web server, Mail server, FTP server, and Other servers.

Server Certificate: Select the certificate of the encrypted server. It must be the certificate and private key that the server actually uses; with any other certificate the device cannot decrypt the sessions. Import it on the Add Server Certificate page first.

Click OK to save the settings. Then, the policy is added.
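Before the Server Certificate step it is worth confirming that the certificate and private key you are about to import belong together, and that the .pfx/.p12 bundle opens with the password you will enter on the device. The following shell script is an added example and is not Sangfor tooling: it builds a throwaway key pair and certificate in place of the real server's, checks that the key matches the certificate, bundles them into a .pfx, and confirms the bundle still carries the private key. The working directory, file names and the bundle password are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not Sangfor's own tooling: prepare and sanity-check the HTTPS
# server certificate before importing it into a "Decrypt data to internal
# server" policy. Only the openssl CLI is used. The working directory, file
# names and the bundle password are assumptions for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PFX_PASS="import-demo-pass"   # assumed; the NGFW prompts for it at import

# Constructed sample material: a throwaway key pair and self-signed certificate
# standing in for the real web server's. In production use the server's own files.
make_sample_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=www.example.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# The device can only decrypt sessions if the imported private key belongs to
# the certificate the server presents. Compare the SHA-256 of the DER public
# key taken from each file; a mismatch means the import would be useless.
key_matches_cert() {
    key="$1"; cert="$2"
    from_cert="$(openssl x509 -in "$cert" -pubkey -noout \
                 | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    from_key="$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)"
    [ "$from_cert" = "$from_key" ]
}

# Bundle certificate and key into the .pfx/.p12 form that Import Certificate
# expects, protected by the password entered on the NGFW.
make_pfx() {
    key="$1"; cert="$2"; out="$3"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" \
        -passout "pass:$PFX_PASS"
}

# Confirm the bundle opens with that password and actually carries the private
# key; a certificate-only bundle cannot be used for decryption.
pfx_is_usable() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nodes -nocerts 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

run_demo() {
    make_sample_server_cert
    key_matches_cert "$WORK/server.key" "$WORK/server.crt" \
        || { echo "private key does not match certificate"; return 1; }
    make_pfx "$WORK/server.key" "$WORK/server.crt" "$WORK/server.pfx"
    pfx_is_usable "$WORK/server.pfx" \
        || { echo "bundle is not usable for decryption"; return 1; }
    echo "ready to import: $WORK/server.pfx"
}

run_demo
```

Run the same `key_matches_cert` check against the real server's key and certificate before importing; if the server was re-keyed after the certificate was issued, the device will accept the import but will not be able to decrypt anything.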

Decrypt Data to Internet

Decrypt data to internet applies to decrypting email and HTTPS data when LAN users access the internet through the device. See the figure below.

Name: Enter a policy name easy to identify.

Src Zones: Select the source zone for accessing the internet.

Source: Enter the network objects whose internet access is to be decrypted.

Decryption Type: Select Decrypt data to internet.

Dst Websites: Select All or Selected. If you select Selected, choose the site categories to be decrypted from the URL category database.

Root Certificate: When decryption is enabled, the certificates that clients receive for HTTPS websites chain to the device's root certificate instead of the website's public CA, so users see a certificate alert. To avoid it, select this option and set the URL from which users download the root certificate; the root certificate must then be installed in the trusted root store of every client whose traffic is decrypted.
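To see why the alert appears and what installing the root certificate changes, the following shell script (an added example, not Sangfor's own code) constructs a stand-in for the device root certificate and a site certificate issued by it, then runs the same path validation a client performs, once without and once with that root in its trust store. The certificate names and file paths are assumptions; the install commands in the comments are the standard ones for Debian/Ubuntu and Windows.

```sh
#!/bin/sh
# Added example, not Sangfor's own: reproduces locally why clients raise a
# certificate alert under "Decrypt data to internet" and how installing the
# device's root certificate removes it. All certificates are constructed with
# openssl; the names and paths are assumptions for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the NGFW's root certificate (self-signed CA).
make_device_root() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Athena NGFW Decryption Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Constructed stand-in for the certificate a client receives for a decrypted
# site: issued by the device root, not by the site's public CA.
make_resigned_site_cert() {
    site="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$site" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$site" > "$WORK/site.ext"
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/site.ext" \
        -out "$WORK/site.crt" >/dev/null 2>&1
}

# A client without the device root cannot build a trusted path; the browser
# shows this as the certificate alert. -no-CAfile/-no-CApath keep the host's
# own trust store out of the check so the result is the same everywhere.
client_without_root_rejects() {
    ! openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# A client with the device root in its trusted root store accepts the chain.
client_with_root_accepts() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Quick way to confirm a session is being decrypted: the issuer is the device
# root rather than a public CA.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

run_demo() {
    make_device_root
    make_resigned_site_cert "www.example.com"
    client_without_root_rejects "$WORK/site.crt" \
        || { echo "unexpected: accepted without root"; return 1; }
    client_with_root_accepts "$WORK/root.crt" "$WORK/site.crt" \
        || { echo "unexpected: rejected with root"; return 1; }
    issuer_of "$WORK/site.crt"
    # Publish root.crt at the download URL set in the policy, then install it
    # on each client. Debian/Ubuntu:
    #   sudo cp root.crt /usr/local/share/ca-certificates/athena-root.crt && sudo update-ca-certificates
    # Windows (elevated PowerShell):
    #   Import-Certificate -FilePath root.crt -CertStoreLocation Cert:\LocalMachine\Root
}

run_demo
```

Every client whose traffic matches the policy needs the root certificate installed, including non-browser software that keeps its own trust store. Applications that pin the site's real certificate will still fail even with the root installed and should be excluded from decryption.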

Note

1. The multi-functional authorization must be enabled before the decryption function can be enabled.

2. Decryption is CPU-intensive and affects device performance. Enable it only for the zones, sources, and sites that actually need inspection.

3. By default, encrypted email from LAN users to the WAN is decrypted. You only need to add a policy for decrypting data to websites; everything else is configured in the content security policy.

4. Encrypted email security, HTTPS antivirus, HTTPS web filtering, and filtering of HTTPS uploads and downloads all depend on the decrypt-data-to-internet policy.