When the data-forwarding network interfaces of the Athena NGFW device are in transparent interface mode, the device is deployed in transparent mode and behaves like a network cable with a filtering function. This deployment mode is used when changing the original network topology is inconvenient. The device is connected between the original gateway and the LAN users without changing the configuration of either.
This deployment mode is ready after some basic configurations are completed on the Athena NGFW device. The main feature of the transparent mode is that it is entirely transparent to users. Transparent interfaces include the Access interface and the Trunk interface.
Deployment Case of Access Interface in Layer 2 Mode
There is a layer 3 enterprise network, and routers are deployed as the edge devices of the network. As the original environment cannot be changed, the Athena NGFW device needs to be transparently deployed on the network, as shown below:
Step 1. Log in to the device through the default IP address of the management interface (ETH0). The default IP address of the management interface is 10.251.251.251/24. You need to configure an IP address in the same network segment on the computer and log in to the device via https://10.251.251.251.
Step 2. On the Network > Interfaces > Physical Interfaces page, click the interface to be set as a WAN interface. Select eth2 as the uplink WAN interface, select Layer 2 for Type, choose a WAN zone, check the WAN attribute checkbox, and set IP Assignment to Access VLAN 1, as shown below:
Step 3. On the Network > Interfaces > Physical Interfaces page, click the interface to be set as a LAN interface. Select eth3 as the downlink LAN interface, select Layer 2 for Type, choose the LAN zone, and set IP Assignment to Access 1, as shown below:
Step 4. Configure the management interface. Navigate to Network > Interfaces > VLAN Interfaces, and configure the logical interface of the VLAN interface as the management interface. Set the VLAN ID field to 1, and assign the management IP address 192.168.1.2/24. See the figure below:
Step 5. Configure routing. You need to configure a default route to 0.0.0.0/0.0.0.0 pointing to the preceding gateway 192.168.1.254. In addition, because in this case the LAN interface is connected to multiple network segments across layer 3, you need to configure a static route for each of those network segments pointing to the layer 3 switch. Go to Network > Routes > Static Routes and click Add to add a static route. Specifically, configure the default route with Dst IP/Netmask 0.0.0.0/0 and Next-Hop IP 192.168.1.254, and configure the return route with Dst IP/Netmask 192.168.2.0/24 and Next-Hop IP 192.168.1.1. See the figure below:
Step 6. Configure the application control policy to assign Internet access permissions to LAN users. On the Policies > Access Control > Application Control page, add an application control policy and assign the LAN-WAN data access permissions. Then, select the custom downlink zone as the Src Zone, the custom LAN address as Src Address, the custom uplink zone as Dst Zone, All for Dst Address, any for Services, and All for Applications.
Step 7. After completing the basic configuration, connect the device to the network: connect the eth2 interface to the preceding router and the eth3 interface to the layer 3 LAN switch.
Deployment Case of Trunk Interface in Transparent Mode
The users' network topology is shown in the figure below.
The device is deployed in transparent mode. VLANs are configured on the LAN switch, but its routing function is disabled. The preceding router serves as the gateway of each VLAN. The LAN segments are 192.168.2.0/255.255.255.0 and 192.168.3.0/255.255.255.0, belonging to VLAN2 and VLAN3 respectively. The link between the switch and the router is a trunk.
Step 1. Log in to the device through the default IP address of the management interface (ETH0). The default IP address of the management interface is 10.251.251.251/24. You need to configure an IP address in the same network segment on the computer and log in to the device via https://10.251.251.251.
Step 2. On the Network > Interfaces > Physical Interfaces page, click the interface to be set as a WAN interface. Select eth2 as the uplink WAN interface, select Layer 2 for Type and a custom uplink zone for Zone. Then, check the WAN attribute checkbox, and set IP Assignment to Trunk, as shown below:
Step 3. On the Network > Interfaces > Physical Interfaces page, click the interface to be set as a LAN interface. Select eth3 as the downlink LAN interface, select Layer 2 for Type, configure the LAN zone, and set IP Assignment to Trunk, as shown below.
Step 4. Configure the management interface. On the Network > Interfaces > VLAN Interfaces page, configure the logical interface of the VLAN interface as the management interface, set the VLAN ID field to 2, and assign the management IP address 192.168.2.2/24. See the figure below.
Step 5. Configure routing. You need to configure a default route to 0.0.0.0/0.0.0.0, pointing to the next hop 192.168.2.1, which belongs to the same network segment as the management IP address. Go to Network > Routes > Static Routes and click Add to add a static route. Specifically, configure the default route with Dst IP/Netmask 0.0.0.0/0 and Next-Hop IP 192.168.2.1, as shown below.
Step 6. Configure the application control policy to assign Internet access permissions to LAN users. On the Policies > Access Control > Application Control page, add an application control policy and assign the LAN-WAN data access permissions. Then, select the custom downlink zone as the Src Zone, the custom LAN address as Src Address, the custom uplink zone as Dst Zone, All for Dst Address, any for Services, and All for Applications.
Step 7. After completing the basic configuration, connect the device to the network: connect the eth2 interface to the preceding router and the eth3 interface to the layer 2 LAN switch.
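The addressing in Steps 4 and 5 of both cases can be checked offline before the device is cabled in. The following is an added example, not Sangfor code or part of the original guide: the function name check_plan and the plan layout are hypothetical, the addresses are the ones given in the two cases above, and the script does not talk to the device.

```python
import ipaddress

def check_plan(mgmt_if, routes, routed_lan_segments=()):
    """Return problems in a transparent-mode addressing plan (empty list = OK).

    mgmt_if: VLAN-interface address in CIDR form, e.g. "192.168.1.2/24"
    routes: (destination, next_hop) pairs for the static routes
    routed_lan_segments: LAN networks that sit behind a layer 3 switch
    """
    iface = ipaddress.ip_interface(mgmt_if)
    problems, dests = [], []
    for dst, hop in routes:
        net = ipaddress.ip_network(dst)
        nh = ipaddress.ip_address(hop)
        dests.append(net)
        # The device's only IP presence is the VLAN interface, so every
        # next hop has to be on-link in that interface's subnet.
        if nh not in iface.network:
            problems.append(f"next hop {nh} for {net} is outside {iface.network}")
        elif nh == iface.ip:
            problems.append(f"next hop {nh} for {net} is the device itself")
    if not any(n.prefixlen == 0 for n in dests):
        problems.append("no default route")
    for seg in routed_lan_segments:
        seg_net = ipaddress.ip_network(seg)
        # Without a specific route, device-originated traffic for this LAN
        # segment follows the default route toward the WAN-side gateway.
        if not any(n.prefixlen > 0 and seg_net.subnet_of(n) for n in dests):
            problems.append(f"no return route covers {seg_net}")
    return problems

# Access-interface case: LAN segment 192.168.2.0/24 is behind the layer 3 switch.
ACCESS_CASE = dict(
    mgmt_if="192.168.1.2/24",
    routes=[("0.0.0.0/0", "192.168.1.254"), ("192.168.2.0/24", "192.168.1.1")],
    routed_lan_segments=["192.168.2.0/24"],
)
# Trunk case: the preceding router is the gateway of every VLAN, so the
# device needs only the default route.
TRUNK_CASE = dict(mgmt_if="192.168.2.2/24", routes=[("0.0.0.0/0", "192.168.2.1")])

if __name__ == "__main__":
    for name, plan in (("access", ACCESS_CASE), ("trunk", TRUNK_CASE)):
        print(name, check_plan(**plan) or "OK")
```

Dropping the 192.168.2.0/24 route from the access case makes the check report the missing return route, which is the situation Step 5 of that case is guarding against.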