Properly assigning resources to VSYSs prevents a single VSYS from occupying excessive resources and leaving other VSYSs unable to obtain resources or run their services properly.
Basic resources required for running VSYS services, such as zones, policies, and sessions, support quota assignment or manual assignment.
Quota assignment: This assignment method automatically assigns fixed resources (such as zones, objects, and administrators) based on the system specifications.
Manual assignment: This assignment method allows you to manually assign resources (such as sessions and policies) through the command line or Web UI.
The resources that do not support quota assignment or manual assignment are shared by all VSYSs, and the VSYSs preempt the resources.
The following table describes the resources that support quota assignment and manual assignment.
| Resource | Assignment Method | Description |
| --- | --- | --- |
| Interfaces | Manual assignment | 1. Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, Layer 3 aggregate subinterfaces, and virtual interfaces can be assigned to VSYSs. 2. Layer 2 interfaces cannot be directly assigned to VSYSs. When you run the assign vlan command to assign a VLAN to a VSYS, the corresponding Layer 2 interface will be assigned to the VSYS along with the VLAN. A Layer 2 trunk interface can be assigned to multiple VSYSs along with the VLAN and configured in each VSYS, for example, added to the security zone. 3. When you run the assign vlan command to assign a VLAN to a VSYS, the corresponding Layer 3 VLAN interface (if any) will be assigned to the VSYS along with the VLAN. You can also directly assign a Layer 3 interface to a VSYS. 4. The eth0 management interface cannot be assigned to VSYSs. |
| VLANs | Manual assignment | When you assign a VLAN to a VSYS, the corresponding Layer 3 VLAN interface will be assigned to the VSYS along with the VLAN. |
| IPv4 Sessions | Manual assignment | |
| IPv6 Sessions | Manual assignment | |
| Application Control Policies | Manual assignment | |
| NAT44 Policies | Manual assignment | |
| NAT66 Policies | Manual assignment | |
| NAT64 Policies | Manual assignment | |
| Local Access Control | Quota assignment | Default: 2; Maximum: 32 |
| Network Objects | Quota assignment | 50-2048, depending on the device model. |
| Services | Quota assignment | Predefined services: 73; Custom services: 512 |
| Schedules | Quota assignment | 64 |
| Zones | Quota assignment | 30 |
| Static Routes | Quota assignment | 512-2048, depending on the device model. |
| Policy-Based Routes | Quota assignment | 256-2048, depending on the device model. |
| Administrators | Quota assignment | Public system: 30; VSYS: 5 (No administrator is configured by default.) |
Table 24: Resource Assignment Table
When an administrator manually assigns resources to a VSYS, the administrator configures a resource class, specifies the guaranteed and maximum values for each resource in the resource class, and binds the resource class to the VSYS. The number of resources available for the VSYS is controlled by the guaranteed and maximum values configured in the resource class.
Guaranteed value indicates the minimum number of resources available for the VSYS. After these resources are assigned to the VSYS, they are used exclusively by that VSYS.
1. IPv4 and IPv6 sessions of Network Secure are shared resources. For example, if the number of system sessions available is N, the number of IPv4 sessions available is N, and that of IPv6 sessions available is N/2.
2. When the number of available (used + guaranteed) sessions is greater than the guaranteed value, the guaranteed value takes effect; otherwise, the guaranteed value does not take effect, and a session will be preferentially preserved when it is released.
3. Guaranteed value of policy usage = Maximum value = Maximum number of policies available.
Maximum value indicates the maximum number of resources available for the VSYS. Whether the resource usage of a VSYS can reach the maximum value depends on the resource usage of other VSYSs.
For example, 10 VSYSs are configured on Network Secure. Assume that the total number of sessions available on Network Secure is 500,000, the guaranteed value of session usage for VSYS A is 10,000, and the maximum value of session usage for VSYS A is 50,000. In this case, at least 10,000 sessions can be established in VSYS A, but whether the number of sessions in VSYS A can reach 50,000 depends on the session usage in other VSYSs. If the total number of sessions in the other nine VSYSs and the public system is less than 450,000, you can establish up to 50,000 sessions in VSYS A.
If no resource class is bound to a VSYS, resources of the VSYS are not limited, and such VSYSs and the public system preempt the shared resources available. If the resource class bound to a VSYS does not specify the maximum or guaranteed value for some resources, these resources are not limited, and such VSYSs and the public system preempt the shared resources available.
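The guaranteed/maximum arithmetic and the unbound-VSYS case above can be checked with a small planning model. This is an added example, not vendor code or the device's accounting algorithm. It assumes the pool holds back the larger of each VSYS's usage and its guaranteed value, and the names Vsys, ceiling, audit and page_example are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Vsys:
    name: str
    used: int = 0                     # sessions currently established
    guaranteed: Optional[int] = None  # None: not set in the resource class
    maximum: Optional[int] = None     # None: not set, or no class bound

def reserved(v: Vsys) -> int:
    # Assumption: the pool holds back the larger of usage and guarantee.
    return max(v.used, v.guaranteed or 0)

def ceiling(target: str, total: int, systems: List[Vsys]) -> int:
    """Sessions `target` can reach right now under this simplified model."""
    me = next(v for v in systems if v.name == target)
    others = sum(reserved(v) for v in systems if v.name != target)
    free = max(total - others, 0)
    limit = free if me.maximum is None else min(me.maximum, free)
    return max(limit, me.guaranteed or 0)

def audit(total: int, systems: List[Vsys]) -> List[str]:
    """Planning findings: overcommitted guarantees and unlimited VSYSs."""
    findings = []
    if sum(v.guaranteed or 0 for v in systems) > total:
        findings.append("guaranteed values exceed the session pool")
    for v in systems:
        if v.name != "public" and v.maximum is None:
            findings.append(f"{v.name}: no maximum, preempts the shared pool")
    return findings

def page_example(others_used: int) -> int:
    """VSYS A from the text: pool 500,000, guaranteed 10,000, maximum 50,000."""
    systems = [
        Vsys("A", guaranteed=10_000, maximum=50_000),
        Vsys("others", used=others_used, maximum=others_used),  # constructed
    ]
    return ceiling("A", 500_000, systems)

if __name__ == "__main__":
    for used in (440_000, 470_000, 490_000):
        print(used, page_example(used))
    plan = [Vsys("A", guaranteed=10_000, maximum=50_000), Vsys("B")]
    print(audit(500_000, plan))
```
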
Shared resources include CPUs, memory, link detection, OSPF, and tables, such as ARP tables and MAC address tables.