Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.85

Basic Settings

Update time: 2026-01-06

The Basics page contains three sections, namely Address & Secret Key, Local Subnet, and Advanced.

Address & Secret Key

Parameters in the Address & Secret Key section:

Primary IP Address: Set a primary IP address in one of the following three formats:

Static IP:port: You can set up to four static IP addresses. Separate multiple IP addresses with pound signs (#). For example, 202.96.137.75#60.28.239.21:4009. The IP addresses are outbound IP addresses of the VPN HQ device.

Dynamic domain:port: This format is applicable when the VPN HQ device has a dynamic domain name pointing to its outbound IP address. Example: www.sangfor.com:4009.

WebAgent Server: This format is applicable when the VPN HQ device has no static IP address, for example, when Asymmetric Digital Subscriber Line (ADSL) is used. Examples: www.sangfor.com/NG4.0/test.php and 202.96.137.75/test.php. If you select WebAgent Server, you can set a WebAgent password that is the same as that of the WebAgent server to be accessed. Click Change Password and set a WebAgent password to prevent unauthorized users from using the WebAgent to configure fake IP addresses. The WebAgent password is optional.

Secondary IP Address: Set a secondary IP address in the same format as the primary IP address. The matching rules are as follows:

The priority of the primary IP address is higher than that of the secondary IP address. The secondary IP address takes effect only when the primary IP address is unavailable. If you want to connect a branch device to the local device, either the primary or secondary IP address of the branch device must be the same as that of the local device.

Secret Key (Optional): The authentication password for a branch device to access the VPN HQ device. If this field is specified, you must enter the same password on the branch device to establish a VPN connection.

Connectivity Test: Check whether the format of the primary IP address is valid and whether the TCP port is accessible.

Click Save.

1. The WebAgent password cannot be restored if it is lost. The only remedy is to contact Sangfor Technical Support to generate a file without a WebAgent password and replace the original file.

2. In case of multiple paths with static IP addresses, you can set WebAgent Server in the IP address 1#IP address 2:port number format.
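
The address formats and optional passwords described in this section can be checked before they are entered in the console. The following Python code is an added example, not Sangfor code: the names parse_hq_address and audit_basics are hypothetical, and it assumes IPv4 only, a mandatory trailing :port in the static and domain forms, and classification by syntax alone.

```python
import ipaddress
import re

MAX_STATIC_IPS = 4  # the page allows up to four static IPs
# Hostname check is an assumption; the page does not define one.
_HOST = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")

def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def parse_hq_address(value):
    """Classify a Primary/Secondary IP Address value by syntax (hypothetical helper)."""
    value = value.strip()
    if "/" in value:  # WebAgent Server form: host/path
        host, _, path = value.partition("/")
        if not path or not (_is_ipv4(host) or _HOST.match(host)):
            raise ValueError(f"invalid WebAgent address: {value!r}")
        return {"kind": "webagent", "hosts": [host], "path": "/" + path}
    hosts, sep, port = value.rpartition(":")
    # Assumption: static and domain forms always end in :port, as in the page's examples.
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"missing or invalid port: {value!r}")
    parts = hosts.split("#")  # multiple static IPs are separated by pound signs
    if all(_is_ipv4(p) for p in parts):
        if len(parts) > MAX_STATIC_IPS:
            raise ValueError(f"more than {MAX_STATIC_IPS} static IPs: {value!r}")
        return {"kind": "static", "hosts": parts, "port": int(port)}
    if len(parts) == 1 and _HOST.match(parts[0]):
        return {"kind": "domain", "hosts": parts, "port": int(port)}
    raise ValueError(f"unrecognized address format: {value!r}")

def audit_basics(primary, secondary="", secret_key="", webagent_password=""):
    """Return findings for the Address & Secret Key values before they are saved."""
    findings = []
    kinds = [parse_hq_address(v)["kind"] for v in (primary, secondary) if v]
    if "webagent" in kinds and not webagent_password:
        findings.append("WebAgent Server is used but no WebAgent password is set")
    if not secret_key:
        findings.append("Secret Key is not set")
    return findings

if __name__ == "__main__":
    # Values taken from the page's own examples.
    print(parse_hq_address("202.96.137.75#60.28.239.21:4009"))
    print(audit_basics("www.sangfor.com/NG4.0/test.php"))
```

Both fields flagged by audit_basics are optional on the device, so the findings are review prompts for the administrator rather than format errors.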

Local Subnet

If the LAN where the device resides contains a Layer 3 switch or router and the LAN is divided into multiple subnets, you must add all the subnets other than the subnet to which the intranet interface belongs.

In the Local Subnet section, click Add. In the Add Local Subnet dialog box, enter other local subnets in IP/netmask(/priority) format, as shown in the following figure.

Click OK.

The subnet to which the intranet interface belongs does not need to be added as a local subnet. You need to add other subnets as local subnets only when the LAN is divided into multiple subnets.

Advanced

In the Advanced section, the Intranet Interface, VPN Interface, and Listening Port parameters need to be configured, as shown in the following figure.

The parameters are described as follows:

Intranet Interface: Interfaces with the LAN attribute, which are used to set VPN subnets. IP addresses within the subnets of the LAN interfaces are defined as VPN data, and IP addresses in other subnets are defined as non-VPN data.

Options for Intranet Interface include interfaces on the Network > Interfaces page that are not configured with the WAN attribute or default gateways. Interfaces with the WAN attribute will not be displayed in the Intranet Interface field.

VPN Interface: Set an IP address for the VPN interface of the local device. Two modes are available: Auto Assign and Specific.

Listening Port: Set a listening port for the VPN service as required. The default value is 4009.

MTU: Set the MTU for VPN data. The default value is 1500.

MSS: Set the MSS for VPN data in UDP mode.

Retain the default values of MTU and MSS. If you want to modify them, contact Sangfor Technical Support representatives for instructions.

Broadcast: Specify whether to enable broadcast. If you enable broadcast, you must enter a port range for broadcast packets.

Multicast: Specify whether to enable multicast. If you enable multicast, multicast packets received from the branch LAN can be transparently transmitted to the HQ device through the Sangfor VPN tunnel. This feature takes effect only when it is enabled on both the HQ and branch devices.

Click Save for the configurations to take effect.