Virtual Wire deployment is similar to transparent deployment. The differences are as follows.
The interface is still a Layer 2 interface, but it is defined as a virtual wire interface:
• The virtual wire interfaces must be configured in pairs. When forwarding data, the device does not check the MAC table; it forwards the data directly out of the interface paired with the receiving interface.
• The forwarding performance of the Virtual Wire is higher than that of the Layer 2 interface, so deploying the virtual wire interface in a general network bridge environment is recommended.
• A virtual wire deployment occupies two interfaces, so you must select another interface to connect a management device.
Deployment Case of Virtual Wire Mode
The network environment of an enterprise is shown below.
The LAN has two Layer 3 switches and two routers for load balancing. The enterprise wants to deploy the Network Secure device transparently in this environment without changing the original Internet access mode. In this case, Layer 2 isolation must be provided between the eth4 & eth2 interface pair and the eth1 & eth3 interface pair. In other words, data received on eth4 must be forwarded from eth2, and data received on eth1 must be forwarded from eth3. This is achieved by configuring virtual wire interfaces.
The deployment methods of the two Network Secure devices are the same. We have illustrated the steps by taking one as an example.
Step 1. Log in to the device through the default IP address of the management interface (ETH0). The default IP address of the management interface is 10.251.251.251/24. You need to configure an IP address in the same network segment on the computer and log in to the device via https://10.251.251.251.
Step 2. On the Network > Interfaces > Physical Interface page, click the interface to be set as a WAN interface. Select eth2 as the uplink WAN interface and select the Virtual Wire type and the custom uplink zone, as shown below:
Step 3. On the Network > Interfaces > Physical Interface page, click an interface and set it as a LAN interface. Select eth4 as the downlink LAN interface, select the Virtual Wire type and the custom downlink zone, and set eth2, as defined in Step 1 for Interface Pair 2, as shown below.
Step 4. Configure the eth1 and eth3 interfaces according to the method described in Steps 2 and 3.
Step 5. Configure the management interface. On the Network > Interfaces > Physical Interface page, select eth0 as the management interface. Do not modify the default IP address of eth0 (10.251.251.251/24). Add an IP address belonging to the same network segment as the LAN switch as the management IP address so that the LAN administrator can conveniently manage the device.
Step 6. In this case, enable interface correlation on the Network > Interfaces > Link State Propagation page to realize active and standby switching between LAN switches and routers. Check Enable link state propagation on the page and select eth1 & eth3 and eth2 & eth4 for interface correlation, as shown below:
Step 7. Configure routing. You need to configure a default route to 0.0.0.0/0.0.0.0, pointing to the LAN switch 192.168.1.1. Go to the Network > Route > Static Route page and click Add to add a static route. Specifically, configure the default route Dst IP/Netmask as 0.0.0.0/0 and the Next-Hop IP as 192.168.1.1. See the figure below.
Step 8. Configure the application control policy to assign Internet access permissions to LAN users. On the Policies > Access Control > Application Control Policy page, add an application control policy that assigns the LAN-WAN data access permissions. Then, on the displayed page, select the custom downlink zone as the Src Zone, the custom LAN address as Src Address, the custom uplink zone as Dst Zone, All in Dst Address, any in Services, and All in Applications.
Step 9. After completing the basic configuration, connect the device to the network: connect the eth2 and eth3 interfaces to the preceding router, and the eth1 and eth4 interfaces to the two Layer 3 LAN switches.
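The pairing plan from Steps 2 to 6 can be checked before cabling. The following Python sketch is an added example, not part of the product documentation or any Network Secure tooling. The dictionary layout, the zone names and the function names are assumptions made for illustration.

```python
# Constructed plan for the case above. The dict layout is an assumption made
# for this example; it is not a Network Secure export format.
PLAN = {
    "interfaces": {
        "eth0": {"type": "mgmt"},
        "eth1": {"type": "virtual_wire", "zone": "downlink", "pair": "eth3"},
        "eth2": {"type": "virtual_wire", "zone": "uplink", "pair": "eth4"},
        "eth3": {"type": "virtual_wire", "zone": "uplink", "pair": "eth1"},
        "eth4": {"type": "virtual_wire", "zone": "downlink", "pair": "eth2"},
    },
    "link_state_propagation": [("eth1", "eth3"), ("eth2", "eth4")],
}


def validate(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    ifs, errors, wires = plan["interfaces"], [], set()
    for name, cfg in ifs.items():
        if cfg["type"] != "virtual_wire":
            continue
        peer = cfg.get("pair")
        peer_cfg = ifs.get(peer, {})
        if peer == name or peer_cfg.get("type") != "virtual_wire":
            errors.append(f"{name}: peer {peer!r} is not a virtual wire interface")
        elif peer_cfg.get("pair") != name:
            errors.append(f"{name}: pairing with {peer} is not symmetric")
        elif {cfg.get("zone"), peer_cfg.get("zone")} != {"uplink", "downlink"}:
            # The Step 8 policy matches downlink -> uplink, so each wire needs one of each.
            errors.append(f"{name}/{peer}: wire must join the downlink and uplink zones")
        else:
            wires.add(frozenset((name, peer)))
    # Step 6: link state propagation groups should be exactly the wire pairs.
    groups = {frozenset(g) for g in plan["link_state_propagation"]}
    for pair in sorted(map(sorted, wires ^ groups)):
        errors.append(f"{'/'.join(pair)}: link state propagation group and wire pair differ")
    # The pairs consume their ports, so management needs its own interface.
    if not any(c["type"] == "mgmt" for c in ifs.values()):
        errors.append("no interface left for management")
    return errors


def egress(plan, ingress):
    """Virtual wire forwarding: egress is the configured peer, with no MAC table lookup."""
    cfg = plan["interfaces"][ingress]
    if cfg["type"] != "virtual_wire":
        raise ValueError(f"{ingress} is not part of a virtual wire")
    return cfg["pair"]
```

An empty result from validate(PLAN) means every virtual wire interface has exactly one symmetric peer, each wire joins the downlink and uplink zones used by the Step 8 policy, and the link state propagation groups match the pairs.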