It is used when a data packet passes through the same NGAF device more than once. The NGAF device marks such packets so that the security functions remain effective while the packet is not inspected repeatedly.
Click Enable to enable the second-passthrough function, and then click Add to add a record.
Src Address: the source IP address of the packet. Suppose a data stream passes through "bridge 1" (composed of eth1 and eth2 of NGAF) and "bridge 2" (composed of eth3 and eth4), and the current security protection policy is configured in the LAN/WAN zone of "bridge 2". In that case, you should set the source IP address of the packet passing through "bridge 1" here.
Dst Address: the destination IP address of the packet. Suppose a data stream passes through "bridge 1" (composed of eth1 and eth2 of NGAF) and "bridge 2" (composed of eth3 and eth4), and the current security protection policy is configured in the LAN/WAN zone of "bridge 2". In that case, you should set the destination IP address of the packet passing through "bridge 1" here.
Inbound Interface: the inbound interface for the packet. Suppose a data stream passes through "bridge 1" (composed of eth1 and eth2 of NGAF) and "bridge 2" (composed of eth3 and eth4), and the current security protection policy is configured in the LAN/WAN zone of "bridge 2". In that case, you should set the inbound interface for the packet passing through "bridge 1" here.
Advance: Applies only to an NGAF deployed in Layer 2 mode; it automatically recognizes traffic that passes through the NGAF more than once.
1. Second-passthrough must be configured for traffic on both the inbound and outbound paths.
2. After second-passthrough is configured, the matching traffic passes through without being intercepted, similar to a bypass or whitelist entry.
Configuration Case
The network environment of a company is shown in the figure below. The NGAF device is deployed in front of a server to protect against internal and external attacks. The NGAF device is deployed in a virtual-wire network, with interfaces 1 and 2 forming one pair of virtual lines and interfaces 3 and 4 forming another. When an Internet terminal PC (100.100.100.1) accesses a server (172.16.10.1), it cannot open the page normally. Troubleshooting revealed that the session abnormality was caused by the traffic passing through the NGAF twice. Therefore, second-passthrough needs to be enabled to avoid this issue.
Step 1. Select Enable to turn on second-passthrough, then click Add to create a multi-passthrough traffic record. See the figure below.
Step 2. Second-passthrough must be configured for both inbound and outbound traffic. The configuration results are shown in the following figure.
Step 3. The Internet terminal PC (100.100.100.1) accesses the server (172.16.10.1) again and can now open the page normally.
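The following Python model illustrates the matching logic of the second-passthrough records (Src Address, Dst Address, Inbound Interface) and the configuration case above. It is an added example, not Sangfor's code, and it does not reproduce the NGAF implementation. The interface path is an assumption: the request is taken to enter bridge 1 on eth1 and bridge 2 on eth3, and the reply to enter bridge 2 on eth4 and bridge 1 on eth2, with the protection policy on bridge 2. The `any` wildcard and the `verdict` classification are also assumptions of the model. It goes slightly beyond the page by showing what an over-broad record does: because a matching record skips inspection on that pass (note 2 above), a record that matches every pass leaves the flow uninspected, so records should be scoped to the exact source, destination and inbound interface of the first pass.

```python
from dataclasses import dataclass
from typing import Dict, List

ANY = "any"  # wildcard value; an assumption of this model, not an NGAF field value


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    in_iface: str  # interface this pass of the packet arrives on


@dataclass(frozen=True)
class PassthroughRule:
    """One second-passthrough record: Src Address, Dst Address, Inbound Interface."""
    src: str
    dst: str
    in_iface: str

    def matches(self, pkt: Packet) -> bool:
        return (self.src in (ANY, pkt.src)
                and self.dst in (ANY, pkt.dst)
                and self.in_iface in (ANY, pkt.in_iface))


@dataclass
class NGAF:
    rules: List[PassthroughRule]
    enabled: bool = True  # the "Enable" checkbox

    def handle_pass(self, pkt: Packet) -> str:
        """One pass through the device: a matching record marks the packet so the
        security functions skip it ("passthrough"); otherwise it is inspected."""
        if self.enabled and any(r.matches(pkt) for r in self.rules):
            return "passthrough"
        return "inspect"

    def trace_flow(self, src: str, dst: str, in_ifaces: List[str]) -> List[str]:
        """Actions taken for a flow that enters the device once per listed interface."""
        return [self.handle_pass(Packet(src, dst, i)) for i in in_ifaces]


def verdict(actions: List[str]) -> str:
    """Exactly one inspected pass is the healthy state."""
    n = actions.count("inspect")
    if n == 1:
        return "ok"
    if n == 0:
        return "uninspected"       # every pass skipped: the record acts as a whitelist
    return "double-inspected"      # the symptom in the case: session abnormality


PC, SERVER = "100.100.100.1", "172.16.10.1"
# Assumed path (not stated on the page): request enters bridge 1 on eth1, then
# bridge 2 on eth3; the reply enters bridge 2 on eth4, then bridge 1 on eth2.
REQUEST_PATH = ["eth1", "eth3"]
REPLY_PATH = ["eth4", "eth2"]


def case_study() -> Dict[str, str]:
    """Walk the configuration case with several record sets and return the verdicts."""
    results: Dict[str, str] = {}

    # Second-passthrough disabled: both passes inspected, the reported failure.
    off = NGAF(rules=[], enabled=False)
    results["disabled"] = verdict(off.trace_flow(PC, SERVER, REQUEST_PATH))

    # Only the inbound record (Step 1): the request is fixed, the reply is not.
    inbound_only = NGAF(rules=[PassthroughRule(PC, SERVER, "eth1")])
    results["inbound_only_request"] = verdict(inbound_only.trace_flow(PC, SERVER, REQUEST_PATH))
    results["inbound_only_reply"] = verdict(inbound_only.trace_flow(SERVER, PC, REPLY_PATH))

    # Records for both directions (Step 2): bridge 1 skipped, bridge 2 inspects once.
    both = NGAF(rules=[PassthroughRule(PC, SERVER, "eth1"),
                       PassthroughRule(SERVER, PC, "eth2")])
    results["both_request"] = verdict(both.trace_flow(PC, SERVER, REQUEST_PATH))
    results["both_reply"] = verdict(both.trace_flow(SERVER, PC, REPLY_PATH))

    # An over-broad record: every pass is skipped, so the flow is never inspected.
    broad = NGAF(rules=[PassthroughRule(ANY, ANY, ANY)])
    results["broad_rule"] = verdict(broad.trace_flow(PC, SERVER, REQUEST_PATH))
    return results


if __name__ == "__main__":
    for name, v in case_study().items():
        print(f"{name:24s} {v}")
```

Running the block prints one verdict per scenario; the `inbound_only_reply` line shows why note 1 and Step 2 require records in both directions, and `broad_rule` shows why each record should name the specific addresses and inbound interface of the first pass.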