Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.

8.0.106

{{item.code}}

Release Notes

Overview

Major Features

Version Values

New Features

Upgrade Impacts

Implementation Procedure

Upgrade Guide

Preparations for Upgrade

Pre-Upgrade Check

Upgrade Procedures

Post-Upgrade Check

Upgrade Methods

Upgrading Network Secure from the GUI

Upgrading Network Secure via Central Manager

0000-0002: Pre-Upgrade Check Passed

0002-0001: Blacklist and Whitelist Compatibility Issues (No Impact on Upgrade)

0002-0003: Platform Connection Error (No Impact on Upgrade)

0002-0004: Missing Integration Key for XDR Connection (No Impact on Upgrade)

0002-0005: Some Platform-X Domains Inaccessible (No Impact on Upgrade)

0002-0006: Different CorpIDs for Connection to Platform-X and XDR (No Impact on Upgrade)

0002-0008: Abnormal Integration Bus Status (No Impact on Upgrade)

0002-0009: Potential Service Error Due to Changes in OOBM Settings (No Impact on Upgrade)

0002-0010: Simultaneous Connection to Cyber Guardian and Omni-Command Not Supported (No Impact on Upgrade)

0002-0011: Overload Risk Due to Traffic Forwarding Through DNS Proxy (No Impact on Upgrade)

Recommendations for Installation Failure Scenarios

0001-0001

0001-0002

0004-0001

0004-0002

0004-0003

0004-0004

0004-0005

0004-0006

0004-0007

0004-0008

0004-0009

Rollback Instructions

Product Overview

Overview

Installation and Deployment

Installation Preparations

Deployment Mode

DHCP

High Availability

Product Integration

Cloud-Based Protection

Logging Options and Cyber Command Integration

Product Upgrade Guide

Product Post-Upgrade Inspection

Acronym

Deployment

Installation Preparations

Deployment Mode

Deploying vNGFW on HCI and VMware

Deploy vNGFW in HCI

Preparation

Other

About the validity period of authorization

Replacing Fortigate with NGFW

Overview and Migration Process Overview

Pre-Migration Preparation (Critical)

Key Functional Differences Between Fortigate and Sangfor NGFW

VODM

IPSEC

SD-WAN and Policy-Based Routing

Firewall Policy

Automated Configuration Conversion Based on Tools – For ACL, NAT, Address Objects, and Service Objects

Manual Migration Configuration

Modify the Interface Configuration

Policy Template Migration

Security Protection Policy Migration

SSL Decryption

Logs and Alert

AD / LDAP

Fortigate IPSec Migration

SD-WAN Migration

Testing and Validation

Cutover and Rollback Plan

Cutover Procedure

Post-Cutover Optimization and Best Practices

Policy Optimization

Log and Reporting Configuration

Security Policy Audit Recommendations

Appendices and Support Information

User Manual

Home

Security Operations

IoT Security

Business Asset Security

Summary of Business Asset Risks

Configuration Case

Summary of Attack Events

Passive Vulnerability Scan

User Security

Specialized Protection

Blacklist and Whitelist

Blacklist

Whitelist

Next-Gen Security

Endpoint Protection

Security Capabilities

Monitor

Logs

Security Logs

Access Logs

System Logs

TOP N

Configuration Procedures

Sessions

Bandwidth Management

Statistics

Application

Application Statistics Query Case

Traffic

Case of Viewing Traffic Statistics

Report

Diagnosis

Packet Tracing

Settings

Logging Options

Log Database

Policies

Network Address Translation

IPv4 NAT

IPv6 NAT

NAT64

DNS-Mapping

Configuration Example

Access Control

Application Control

GeoLocation Blocking

Configuration Steps

Local ACL

Configuration Steps

Connection Control

Configuration Example

Network Security

Policies

Anti-DoS/DDoS

Spoofed Access

Configuration Case

Decryption

Decrypt Data to Internal Server

Configuration Steps

Bandwidth Management

Channel Configuration

VPN Bandwidth Channels

Sangfor VPN Bandwidth Policy Case Study

Link Settings

Authentication

User Authentication

Custom Webpage

Objects

Threat Signature Database

Security Database

Custom Database

Content Identification Database

Application Signatures Database

URL Category Database

File Types

Email Attachment Filter

Schedule

Network

Interfaces

Physical Interfaces

Edit Physical Interface

DHCP

DHCP Servers

Configuration Case

Advanced Networking

Configuration Case

SSL VPN

Resources

Roles

Sangfor/IPSec VPN

SD-WAN Configuration

Sangfor VPN Configuration

Logs

System

General Settings

Configuration Steps

License Activation Method

Troubleshooting

Tools

High Availability

Virtual Systems

Overview

System Management

Example

Resource Pools

Device Management

Central Management

O&M Management

Routine Inspection

Check the Security of the Device

Shortcut Functions

Restoration of the Device Configuration and Password

Restore the Password by Rebooting with a USB Flash Drive

Restore the Factory Settings

Patch Update Guidance

Precautions

Use of Auxiliary Tools

Troubleshooting

Emergency Event Handling

Product Upgrade Guide

Offline Upgrade

Product Post-Upgrade Inspection

Acronym

Specs

SDKs, APIs

Athena NGFW (Next-Generation Firewall)

Product Overview

Get Started

Installation and Deployment

Product Integration

Cloud-Based Protection

{{sendMatomoQuery("Athena NGFW (Next-Generation Firewall)","Cloud-Based Protection")}}

Cloud-Based Protection

{{ $t('productDocDetail.updateTime') }}: 2026-01-04

The Cloud-Based Protection module consists of the following features: Threat Intelligence Gateway, Neural-X Subscription, and Phishing Email Protection.

Threat Intelligence Gateway

Threat Intelligence Gateway leverages Sangfor's active detection engine along with extensive threat intelligence in the existing network to detect and block threat traffic in real time. This ensures that all traffic is detected and identified by Threat Intelligence Gateway before Network Secure forwards the traffic. Therefore, malicious traffic can be blocked before it is forwarded, and asset security is protected.

Step 29.Integrate Network Secure with cloud products. For more information, see the "Product Integration" section.

Step 30.After Network Secure is integrated with the cloud products, you further need to properly configure botnet detection and content security policies to ensure that Threat Intelligence Gateway can take effect. After the botnet detection policy is enabled, Threat Intelligence Gateway will send the domain names that cannot be identified locally to the extensive threat intelligence library in the cloud for security detection. After the content security policy is enabled, Threat Intelligence Gateway will send the file features that cannot be identified locally to the extensive threat intelligence library in the cloud for security detection.

If a required security policy is not configured, a message will appear on the Threat Intelligence Gateway page, as shown in the following figure. You can click Configure Now in the message to go to the Policies page to configure the required security policy.

The following figure shows a security policy for which botnet detection is enabled. The Source and Destination columns display the source and destination areas and IP addresses. The Detection and Response column displays Botnet Detection. When you move the pointer over Botnet Detection, you can view that the action is Deny.

After Network Secure detects threat intelligence, the Block Summary section of the Threat Intelligence Gateway page will summarize the detection results, such as the block counts and the latest 30 blocked requests. You can click View Logs in the upper-right corner of the Block Summary section to go to the Security Logs tab to view the detailed threat logs. On the Security Logs tab, Threat Intelligence Gateway in the Detection Type column indicates that the threat log is detected by Threat Intelligence Gateway.

Neural-X Subscription

Sangfor Neural-X Unknown Threat Update is a comprehensive detection and protection service built on multiple engines, including cloud-based sandbox, behavior analytics, and threat intelligence. It provides powerful cloud security capabilities to detect and protect against unknown threats, including advanced variants and emerging threats that traditional rule-based signatures cannot defend against.

To integrate Network Secure with Neural-X Unknown Threat Update, ensure your device has Internet access and has activated the Neural-X Unknown Threat Update license.

Sangfor Neural-X Subscription offers enhanced capabilities to detect emerging, unknown, and advanced threats through continuous autonomous learning. It maintains deep integration with Network Secure to improve device security capabilities and ensure user network security.

Devices are automatically integrated with Neural-X Subscription once they have access to the Internet, and you obtain the license for Neural-X Subscription. After the integration, you can view information related to threat intelligence on the Neural-X Subscription page, as shown in the following figure.

Phishing Email Protection

The Phishing Email Protection feature of Network Secure deeply integrates the powerful language comprehension capabilities of AI large models (GPT) with extensive data from the cloud intelligence library to construct a dynamic security defense system that efficiently coordinates local and cloud services. Phishing Email Protection can parse inbound email content in real time, and accurately identify spoofing, phishing links, and malicious attachments. In addition, this feature can issue real-time alerts for abnormal emails based on the risk assessment result, dynamically block access to malicious URLs, and coordinate with Endpoint Secure to synchronously quarantine high-risk attachments to fully eliminate the threats. Phishing Email Protection can automatically thwart attack chains without affecting user operations, and can effectively prevent enterprise financial losses and data leakage risks, thereby ensuring enterprise asset security.

Before you use the Phishing Email Protection feature, make sure that Network Secure is properly connected to Platform-X and that Phishing Email Protection in SOC > Next-Gen Security > Product Integration > Cloud Products is in the Normal state.

In addition, you need to go to SOC > Next-Gen Security > Cloud-Based Protection > Phishing Email Protection > Mailbox Protection to properly configure enterprise mailbox settings, to ensure that Network Secure can receive emails and coordinate with the GPT large model in the cloud to perform security checks.

• Mailbox Type: Select the mailbox type used by your enterprise or add a custom mailbox type.

• Protocol: Select IMAP or POP3 as needed.

• Account: Enter the email account that Network Secure uses to receive enterprise emails.

• Password: Enter the password of the email account that Network Secure uses to receive enterprise emails.

• Email Server: Enter the address of the IMAP or POP3 mail server corresponding to the foregoing email account.

• Port: Enter the port used by the mail server.

• SSL: Select this check box if the email account uses SSL for encrypted communication.

• STARTTLS: Select this check box if the email account uses STARTTLS for encrypted communication.

• Test Connectivity: Click Test Connectivity to test the connectivity to the mail server. If the connectivity test is successful, the configurations are correct.

• Auto Deletion: If this check box is selected, the emails synchronized to the corresponding account used by Network Secure will be automatically deleted after Network Secure forwards these emails to the cloud GPT large model for detection.

After the mailbox settings are properly configured, click OK. Then, you can view that the connection status of the mailbox is Normal on the Mailbox Protection tab.

Quarantine Phishing Attachments

Alert Settings

To ensure that the recipients and administrators can be timely alerted when Network Secure detects a phishing email, you need to further configure alert settings. Specifically, on the Mailbox Protection tab, click Edit next to Alert Settings to configure alert settings as needed, as shown in the following figure.

Sender settings:

• Mailbox Type: Select the mailbox type used by your enterprise or add a custom mailbox type.

• Account: Enter the email account that Network Secure uses to send alert emails.

• Password: Enter the password of the email account that Network Secure uses to send alert emails.

• Email Server: Enter the address of the SMTP mail server corresponding to the foregoing email account.

• Port: Enter the port used by the mail server.

• SSL: Select this check box if the email account uses SSL for encrypted communication.

• STARTTLS: Select this check box if the email account uses STARTTLS for encrypted communication.

• Test Connectivity: Click Test Connectivity to test the connectivity to the mail server. If the connectivity test is successful, the configurations are correct.

Recipients settings:

• Alert Scope: Select All Recipients and/or Only Administrators as needed.

• All Recipients: If this check box is selected, Network Secure will send an alert email to all recipients of a phishing email when the phishing email is detected by Network Secure.

• Only Administrators: If this check box is selected, Network Secure will send an alert email to the specified administrator email account when a phishing email is detected by Network Secure.

• Send Test Email: After Only Administrators is selected, you can click Send Test Email to send a test email to the specified administrator email account to verify whether the configuration is correct.

Phishing Links

The Phishing Email Protection feature can detect whether an email contains a malicious URL or a malicious file. If the email contains a malicious URL or malicious file, this malicious element will be automatically synchronized to the on-premises security database of Network Secure.

To effectively prevent users from accessing malicious URLs or downloading malicious files, you need to configure botnet detection and content security policies based on the user scope in advance.

The following figure shows that a phishing link is detected.

The following figure shows that the phishing link is automatically added to the on-premises URL category.

The following figure shows that the access to the phishing link from the PC is blocked by Network Secure.

Phishing Attachments

After identifying that an attachment in an email is a malicious file, the Phishing Email Protection feature can synchronize the MD5 hash of the file to the on-premises security database of Network Secure. If Network Secure is integrated with Endpoint Secure (V6.0.4ENR4 or later), Endpoint Secure will automatically quarantine the malicious file downloaded by the user without the need for additional configurations.

Network Secure pushes the MD5 hash of the malicious file to Endpoint Secure.

Endpoint Secure quarantines the malicious file.

{{ $t('index.defaultHeader.logo') }}

Athena NGFW (Next-Generation Firewall)

Cloud-Based Protection

Threat Intelligence Gateway

Neural-X Subscription

Phishing Email Protection

Alert Settings

Phishing Links

Phishing Attachments