Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.

8.0.107

{{item.code}}

Release Notes

Overview

Upgrade Guide

Preparations for Upgrade

Pre-Upgrade Check

Upgrade Procedures

Post-Upgrade Check

Upgrade Methods

Upgrade from the GUI

Upgrade via Central Manager

0000-0002: Pre-Upgrade Check Passed

0002-0001: Blacklist and Whitelist Compatibility Issues (No Impact on Upgrade)

0002-0003: Platform Connection Error (No Impact on Upgrade)

0002-0004: Missing Integration Key for XDR Connection (No Impact on Upgrade)

0002-0005: Some Platform-X Domains Inaccessible (No Impact on Upgrade)

0002-0006: Different CorpIDs for Connection to Platform-X and XDR (No Impact on Upgrade)

0002-0008: Abnormal Integration Bus Status (No Impact on Upgrade)

0002-0009: Potential Service Error Due to Changes in OOBM Settings (No Impact on Upgrade)

0002-0010: Simultaneous Connection to Cyber Guardian and Omni-Command Not Supported (No Impact on Upgrade)

0002-0011: Overload Risk Due to Traffic Forwarding Through DNS Proxy (No Impact on Upgrade)

0002-0012: Post-upgrade, historical custom/built-in URL category library data is preserved, but language switching fails during category conflicts between custom and built-in URL libraries. (No Impact on Upgrade)

0002-0013: Following the expiration of Neural-X New Threat Update license, the system upgrade to version 107 results in the built-in URL. (No Impact on Upgrade)

Recommendations for Installation Failure Scenarios

0001-0001

0001-0002

0001-0003

0001-0004

0001-0005

0001-0006

0002-0007

0003-0001

0003-0002

0004-0001

0004-0002

0004-0003

0004-0004

0004-0005

0004-0006

0004-0007

0004-0008

0004-0009

0005-0001

0005-0002

0005-0003

0005-0005

0005-0006

0005-0007

0005-0008

0005-0012

SP01 Release Note

SP Information

Upgrade Impacts

Customer Upgrade Preparations

Upgrade Guide

Preparations for Upgrade

Upgrade Procedure

Product Overview

Deployment

Installation Preparations

Deployment Mode

Deploying vNGFW on HCI and VMware

Deploy vNGFW in HCI

Preparation

Other

About the validity period of authorization

User Manual

Home

Security Operations

IoT Security

Business Asset Security

Summary of Business Asset Risks

Configuration Case

Summary of Attack Events

Passive Vulnerability Scan

User Security

Specialized Protection

Blacklist/Whitelist

Blacklist

Whitelist

Next-Gen Security

Product Integration

Integration Limits

Cloud-Based Protection

Endpoint Protection

Security Capabilities

Monitor

Logs

Security Logs

Access Logs

System Logs

TOP N

Configuration Procedures

Sessions

Bandwidth Management

Statistics

Application

Application Statistics Query Case

Traffic

Case of Viewing Traffic Statistics

Report

Diagnosis

Packet Tracing

Settings

Logging Options

Log Database

Policies

Network Address Translation

IPv4 NAT

IPv6 NAT

NAT64

DNS-Mapping

Configuration Example

Access Control

Application Control

GeoLocation Blocking

Configuration Steps

Local ACL

Configuration Steps

Connection Control

Configuration Example

Network Security

Policies

Anti-DoS/DDoS

Spoofed Access

Configuration Case

Decryption

Decrypt Data to Internal Server

Configuration Steps

Bandwidth Management

Channel Configuration

VPN Bandwidth Channels

Sangfor VPN Bandwidth Policy Case Study

Link Settings

Authentication

User Authentication

Custom Webpage

Objects

Threat Signature Database

Security Database

Custom Database

Content Identification Database

Application Signatures Database

URL Category Database

File Types

Email Attachment Filter

Schedule

Network

Interfaces

Physical Interfaces

Edit Physical Interface

DHCP

DHCP Servers

Configuration Case

Advanced Networking

Configuration Case

SSL VPN

Resources

Roles

Sangfor/IPSec VPN

IPsec VPN Tunnel Between Athena NGFW and Fortinet (Route Mode)

Procedures

Result Verification

IPsec VPN Tunnel Between Athena NGFW and Fortinet (Policy Mode)

Procedures

Result Verification

IPsec VPN Tunnel Between Athena NGFW and Palo Alto

Result Verification

IPsec VPN Tunnel Between Athena NGFW and Microsoft Azure (Route Mode)

Result Verification

IPsec VPN Tunnel Between Athena NGFW and AWS (Route Mode)

Result Verification

IPsec VPN Tunnel Between Athena NGFW and Juniper (Route Mode)

Result Verification

IPsec VPN Tunnel Between Athena NGFW and Cisco (Route Mode, IKEv1)

Result Verification

IPsec VPN Tunnel Between Athena NGFW and Cisco (Route Mode, IKEv2)

Result Verification

Use Cases

SD-WAN Configuration

Sangfor VPN Configuration

Result Verification

System

General Settings

Configuration Steps

System Time

License Activation Method

Troubleshooting

Tools

High Availability

Virtual Systems

Overview

System Management

Example

Resource Pools

Device Management

Central Management

O&M Management

Routine Inspection

Check the Security of the Device

Shortcut Functions

Restoration of the Device Configuration and Password

Restore the Password by Rebooting with a USB Flash Drive

Restore the Factory Settings

Patch Update Guidance

Precautions

Use of Auxiliary Tools

Troubleshooting

Emergency Event Handling

Product Upgrade Guide

Offline Upgrade

Product Post-Upgrade Inspection

Acronym

Specs

SDKs, APIs

Athena NGFW (Next-Generation Firewall)

Advanced Settings

{{sendMatomoQuery("Athena NGFW (Next-Generation Firewall)","Advanced Settings")}}

Advanced Settings

{{ $t('productDocDetail.updateTime') }}: 2026-02-05

To add excluded items to rules that affect services or false positives. The rules with excluded items will not go through detection or be alarmed. The rules with excluded items include botnet detection, intrusion protection exclusion, passive vulnerability scan, web protection exclusion, content security, email exclusion, and file antivirus exclusion.

Click Advanced. Then, the Advanced dialog box appears, as shown in the following figure.

Botnet Detection

You can set the advanced functions of botnet detection. See the figure below.

Apply Local DNS Server for Server Scenario: Select this option if a DNS server exists in the LAN. This function is used to locate the real IP address of the bot-infected host in the LAN.

Click Settings to redirect the IP address of a malicious URL to the following honeypot IP address, to monitor the access to the IP address, and locate the real IP address of the bot-infected host in the LAN.

Block Access to Unknown Domains: If you select this option, access to the URLs that cannot be identified by the domain name database of the Athena NGFW device will be blocked. This option is often used in scenarios with high-security requirements. If the normal service cannot be accessed, it is recommended that the service's domain name be added to the whitelist.

Domain/IP Exclusion: Excluded domain names or IP addresses will not go through detection, such as Botnet Detection, Remote Access Trojan, abnormal connections, malicious URLs, and mobile security.

Suspicious Traffic Detection Exclusion: This option is valid only for abnormal connections. If you select this operation, the excluded rules during security detection of abnormal connections for the specified destination IP addresses will not be detected.

Botnet Detection: Locate suspected botnet hosts by performing suspicious activity detection. However, all rules will only perform detection and record logs rather than blocking data traffic.

Click Save to save the advanced settings for botnet detection.

Intrusion Prevention Exclusion

To set exclusion data that does not need to be detected for intrusion prevention. See the figure below.

Click Add. Then, the Add Intrusion Prevention Exclusion dialog box appears. See the figure below.

Src IP: Specify the source IP address. You can enter a single IP address, subnet, or IP address range.

Dst IP: Specify the destination IP address.

Dst Port: Specify the destination port.

Vuln ID: Specify the vulnerability ID.

Click OK. Then, the configuration is complete.

Click Save to save the settings of intrusion prevention exclusion.

Passive Vulnerability Scan

You can enable domain name, IP address, port, or URL exclusion, and set the OA service port.

Click Save to save the advanced settings of the passive vulnerability scan.

Web Protection Exclusion

Excluded items can be added to the rules that contain false positives in web detection, including Web App Firewall Exclusion, URL Parameter Exclusion, IP Addresses Exclusion, WebShell Upload Prevention Exclusion, XXE Prevention Exclusion, SQL Injection Prevention Exclusion, XSS Prevention Exclusion, Backdoor Scanner Exclusion, etc., to reduce the occurrence of false positives, as shown in the following figure.

Web App Firewall Exclusion: Exclude the false positive rules detected by the web, thereby reducing the impact on services. Click Add. Then, the Add Web App Firewall Exclusion dialog box appears. See the figure below.

Description: Specify a custom description.

Source: Specify the source IP address. You can select Network Objects or IP Address.

Dst IP: Specify the destination IP address.

Dst Port: Specify the destination port.

URL: Specify the URLs to be excluded.

Rule ID: Specify the rule ID.

Rule Type: Specify the rule type. You can add an exclusion for a specific type of rule.

Click Save. Then, the configuration is complete.

Click Save to save the settings of the web app firewall exclusion.

URL Parameter Exclusion: Add the URL parameters to be excluded. See the figure below.

Click Add. Then, the AddURL Parameter dialog box appears. See the figure below.

URL: Specify the URL.

URL Parameters: Specify the parameter information.

Click Save. Then, the configuration is complete.

Click Save to save the settings of the URL parameter exclusion.

IP Addresses Exclusion: Exclude IP addresses. See the figure below.

Click Sample File to download the file template. Enter the IP addresses to be excluded in the required format and import the file.

Click Save to save the IP address exclusion settings.

WebShell Upload Prevention Exclusion: If the WebShell upload detected by the smart web engine has a false positive, add WebShell upload prevention to the whitelist to reduce the impact caused by the false positive. See the figure below.

Click Add to go to the Security Logs tab and add an exclusion after the security log, which can be added to the whitelist.

XXE Prevention Exclusion: If the XXE prevention detected by the smart web engine has a false positive, add the XXE prevention to the corresponding whitelist, as shown in the following figure.

Enter the corresponding domain name and click Save. Then, the configuration takes effect.

SQL Injection Prevention Exclusion: When the SQL semantics detected by the smart web engine has a false positive, add the SQL injection prevention to the whitelist to reduce the impact caused by the false positive. See the figure below.

Click Add to go to the Security Logs tab and add an exclusion after the security log, which can be added to the whitelist.

XSS Prevention Exclusion: If the XSS semantics detected by the smart web engine has a false positive, the XSS prevention can be added to the whitelist to reduce the impact caused by the false positive. See the figure below.

Click Add to go to the Security Logs tab, and add an exclusion after the security log, which can be added to the whitelist.

Backdoor Scanner Exclusion: If the backdoor scanning detected by the smart web engine has a false positive, the backdoor scanning can be added to the whitelist to reduce the impact caused by the false positive. See the figure below.

Click Add to go to the Security Logs tab and add an exclusion after the security log, which can be added to the whitelist.

Content Security

Content security mainly restricts the detection content of virus files, such as file size and compression degree, which can be adjusted accordingly. See the figure below.

File Size Limit: Limit the size of the antivirus file. By default, the value is 10 MB. The maximum value is 20 MB. See the figure below.

Click the name of the file type in the File Type column and change the file size, as shown in the following figure.

Max Compression Layers: Set the file's layers to be decompressed to detect viruses in the decompressed file. The default value of the Max Compression Layers parameter is 4, and the maximum value is 16.

The Max Layers parameter is 4, and the maximum value is 16.

Email Detection Timeout: Specify the email protection detection timeout period. If the timeout period is exceeded, it will not continue to detect.

Max Email Attachment Size: Set the maximum email attachment size that will be sent to Engine Zero for file verification.

Antivirus Process Detection Timeout: Set the timeout period for waiting for Engine Zero results. After the timeout, the result will not be continued.

Email Exclusion

This can be set to exclude source IP addresses, destination IP addresses, recipient addresses, and sender addresses. For addresses added to the list below, all email security functions will be invalid. See the figure below.

Click Save to save the settings of email exclusion.

File Antivirus Exclusion

The specified file or URL is not subject to virus scanning and killing, as shown in the following figure.

Click Add. Then, the Add File Antivirus Exclusion dialog box appears. See the figure below.

File Name: Specify the file name of the object to be excluded.

MD5/URL: Specify the MD5 value of the object or a URL to be excluded. You can select MD5 or File Upload/Download.

Description: Specify the description of the object.

Click OK. Then, the configuration is complete.

Click Save to save the settings of file antivirus exclusion.

{{ $t('index.defaultHeader.logo') }}

Athena NGFW (Next-Generation Firewall)

Advanced Settings

Botnet Detection

Intrusion Prevention Exclusion

Passive Vulnerability Scan

Web Protection Exclusion

Content Security

Email Exclusion

File Antivirus Exclusion