Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.

8.0.95

{{item.code}}

Release Notes

Network Secure V8.0.95 Version Release Notes

Overview

Enhancements

New Features

Upgrade Impacts

Upgrade Guide

Preparations for Upgrade

Pre-Upgrade Check

Upgrade Procedures

Post-Upgrade Check

Upgrade Methods

Upgrading Network Secure from the GUI

Upgrading Network Secure via Central Manager

Network Secure V8.0.95 SP03 Release Notes

SP Information

Upgrade Impacts

Customer Upgrade Preparations

Upgrade Guide

Preparations for Upgrade

Upgrade Procedure

Network Secure V8.0.95 SP01 Release Notes

Service Package(SP) Information

Upgrade Impacts

Customer Upgrade Preparations

Upgrade Guide

Preparations for Upgrade

Upgrade Procedure

Product Overview

Deployment

Installation Preparations

Deployment Mode

Deploying vNGFW on HCI and VMware

Deploy vNGFW in HCI

Preparation

Other

About the validity period of authorization

Replacing Fortigate with NGFW

Overview and Migration Process Overview

Pre-Migration Preparation (Critical)

Key Functional Differences Between Fortigate and Sangfor NGFW

VODM

IPSEC

SD-WAN and Policy-Based Routing

Firewall Policy

Automated Configuration Conversion Based on Tools – For ACL, NAT, Address Objects, and Service Objects

Manual Migration Configuration

Modify the Interface Configuration

Policy Template Migration

Security Protection Policy Migration

SSL Decryption

Logs and Alert

AD / LDAP

Fortigate IPSec Migration

SD-WAN Migration

Testing and Validation

Cutover and Rollback Plan

Cutover Procedure

Post-Cutover Optimization and Best Practices

Policy Optimization

Log and Reporting Configuration

Security Policy Audit Recommendations

Appendices and Support Information

User Manual

Home

Security Operations

IoT Security

Business Asset Security

Summary of Business Asset Risks

Configuration Case

Summary of Attack Events

Passive Vulnerability Scan

User Security

Specialized Protection

Blacklist and Whitelist

Blacklist

Whitelist

Next-Gen Security

Endpoint Protection

Security Capabilities

Monitor

Logs

Security Logs

Access Logs

System Logs

TOP N

Configuration Procedures

Sessions

Bandwidth Management

Statistics

Application

Application Statistics Query Case

Traffic

Case of Viewing Traffic Statistics

Report

Diagnosis

Packet Tracing

Settings

Logging Options

Log Database

Policies

Network Address Translation

IPv4 NAT

IPv6 NAT

NAT64

DNS-Mapping

Configuration Example

Access Control

Application Control

GeoLocation Blocking

Configuration Steps

Local ACL

Configuration Steps

Connection Control

Configuration Example

Network Security

Security Protection Policy

Anti DoS/DDoS

Unauthorized Outbound Access

Spoofed Access

Configuration Case

Decryption

Decrypt Data to Internal Server

Configuration Steps

Bandwidth Management

Channel Configuration

VPN Bandwidth Channels

Sangfor VPN Bandwidth Policy Case Study

Link Settings

Authentication

User Authentication

Custom Webpage

Objects

Threat Signature Database

Security Database

Custom Database

Content Identification Database

Application Signatures Database

URL Category Database

File Types

Email Attachment Filter

Schedule

Network

Interfaces

Physical Interfaces

Edit Physical Interface

DHCP

DHCP Servers

Configuration Case

Advanced Networking

Configuration Case

SSL VPN

Resources

Roles

Sangfor/IPSec VPN

SD-WAN Configuration

Sangfor VPN Configuration

Logs

System

General Settings

Configuration Steps

License Activation Method

Troubleshooting

Tools

High Availability

Virtual Systems

Overview

Device Management

Central Management

O&M Management

Routine Inspection

Check the Security of the Device

Shortcut Functions

Restoration of the Device Configuration and Password

Restore the Password by Rebooting with a USB Flash Drive

Restore the Factory Settings

Patch Update Guidance

Precautions

Use of Auxiliary Tools

Troubleshooting

Emergency Event Handling

Product Upgrade Guide

Offline Upgrade

Product Post-Upgrade Inspection

Acronym

SDKs, APIs

CLI Document

Athena NGFW (Next-Generation Firewall)

Deployment

Replacing Fortigate with NGFW

Manual Migration Configuration

SD-WAN Migration

SD-WAN

{{sendMatomoQuery("Athena NGFW (Next-Generation Firewall)","SD-WAN")}}

SD-WAN

{{ $t('productDocDetail.updateTime') }}: 2026-01-04

Fortigate Configuration Example

config system virtual-wan-link

set status enable # Enable SD-WAN

config members

edit 1

set interface "vpn_to_HQ_1" # Member uses VPN tunnel interface 1

edit 2

set interface "vpn_to_HQ_2" # Member uses VPN tunnel interface 2

end

config health-check

edit "HQ_Tunnel_Monitor"

set server "10.10.10.1" # Probe target in HQ network

set protocol ping # Use ping to check tunnel health

set interval 5 # Probe every 5 seconds

set failtime 3 # Mark down after 3 failures

end

config service

edit 1

set name "HQ_Application_Traffic" # Service that should go to HQ

set dst "10.10.10.0/24" # Destination network at HQ

set priority-members 1 2 # Prefer vpn_to_HQ_1, then vpn_to_HQ_2

set mode priority # Use priority (not load-balance)

end

Fortigate Parameter Explanation and Conversion Suggestions

FortiGate Parameter	FortiGate Parameter Description	Corresponding Sangfor NGAF Module/Parameter	Migration Notes
set status enable	Enable SD-WAN feature	Network > Sangfor/IPsec VPN > SD-WAN Configuration > Path Selection Templates	If using Sangfor VPN, use NGAF’s SD-WAN module
config members / set interface "vpn_to_HQ_x"	Add VPN tunnel as SD-WAN member	Network > Sangfor/IPsec VPN > SD-WAN Configuration > Path Selection Templates	Configure in the Path Selection Policy
config health-check / set server	Probe remote/internal IP to check tunnel availability	Network > Sangfor/IPsec VPN > SD-WAN Configuration > Path Selection Templates	Configure in the Path Selection Policy
set protocol ping	Use ICMP to probe tunnel health	Network > Sangfor/IPsec VPN > SD-WAN Configuration > Path Selection Templates	Configure in the Path Selection Policy
set dst "10.10.10.0/24"	Define service target (e.g., HQ subnet)	Network > Sangfor/IPsec VPN > SD-WAN Configuration > Path Selection Templates	Configure in the Path Selection Policy
set mode priority	Priority mode (primary/backup)	Network > Sangfor/IPsec VPN > SD-WAN Configuration > Path Selection Templates	Configure in the Path Selection Policy
set priority-members 1 2	Specify priority order of members	Network > Sangfor/IPsec VPN > SD-WAN Configuration > Path Selection Templates	Configure in the Path Selection Policy
health-check interval/failtime	Probe interval and failure threshold	Network > Sangfor/IPsec VPN > SD-WAN Configuration > Path Selection Templates	Configure in the Path Selection Policy

Migrate to Sangfor NGFW

SD-WAN Path Selection Templates

You can create a local SD-WAN path selection template or download one from the Branch Business Center (BBC). You can also create path selection policies for the VPN HQ device or view path selection policies for the VPN HQ and branch devices, as shown in the following figure.

A close-up of a computer screen

Description automatically generated

Step 1.On the VPN HQ tab, click Add. In the Add Path Selection Template dialog box, set the template name and select a branch, then click OK, as shown in the following figure. A screenshot of a computer

Description automatically generated

Step 2.Click Configure Path Selection Policy in the Operation column for the created template, as shown in the following figure. A white and blue text box

Description automatically generated with medium confidence

Step 3.On the page that appears, click Add, as shown in the following figure.

Step 4.In the Add Policy dialog box, select Specified for Mode in the App Identification section. Auto Ident is selected by default. The auto identification algorithm identifies the types and priorities of apps and automatically selects paths from them based on their service types and priorities. Herein, Specified is selected for ease of demonstration. A red and black text box

Description automatically generated with medium confidence

Step 5.Select apps for SD-WAN path selection in App Categories. A red rectangle with blue and black text

Description automatically generated A screenshot of a computer

Description automatically generated

Step 6.Click Settings next to Specify Src/Dst IP and specify the IP range for SD-WAN path selection. All is selected by default. A screenshot of a computer

Description automatically generated

Step 7.In the Path Selection Settings section, select AutoGO Smart Path Selection for Mode and select Paths for path selection. If no paths are selected, all paths are included by default. Click OK. A screenshot of a computer

Description automatically generated

The configured VPN paths are available for Local Path, and four paths are available for Peer Path by default. You can click Delete in the Operation column to delete the VPN paths that do not exist.

If your device is not added to the BBC, you can configure SD-WAN path selection templates and policies on your local console. If your device is added to the BBC, you must configure SD-WAN path selection templates and policies on the BBC and push them down to your device. The configuration method in the BBC is the same as that in your local console.

{{ $t('index.defaultHeader.logo') }}

Athena NGFW (Next-Generation Firewall)

SD-WAN

Fortigate Configuration Example

Fortigate Parameter Explanation and Conversion Suggestions

Migrate to Sangfor NGFW