The content security policy includes Email Protection, URL Filter, and File Protection. Email Protection detects email content, filters attachments, and verifies emails with Engine Zero. URL Filter filters the URL addresses of web pages that meet the preset conditions. File Protection filters and verifies files with Engine Zero. See the figure below.

Click Objects > Security Policy Template > Content Security to enter the Content Security page to add or delete content security policy templates. Click Add. The Add Template page appears, as shown below.

Name: Specify the name of the template.
Description: Enter a description for the template.
Email Protection: Detect email content, filter attachments, and verify emails with Engine Zero.
Server Port: There are three ports (25, 110, and 143) by default. For an encrypted email protocol, enable decryption for Internet access.
Malicious Email Alert: When the user receives a malicious email, this alert will be added to the email subject.
URL Filter: Filter the URL addresses of web pages meeting the preset conditions.
Enhanced Filtering
Enable DNS filtering: Select whether to identify the selected sites during DNS lookup for URL filtering.
Disable DoH on Firefox: Select whether to override the default security policies of the Firefox browser so that the domain name resolution requests of the browser will not be transmitted by using the DoH encryption protocol.
Strip ECH parameters: Select whether to remove the Encrypted ClientHello (ECH) parameters from DNS responses so that ClientHello encryption is disabled and the SNI field stays in plaintext. This makes it possible to identify the website actually being accessed, which may otherwise be hidden behind a CDN service.
Enable safe search: Select whether to forcibly enable the safe search feature on Google Chrome, Bing, and YouTube. Ensure that the NGFW itself can access the internet or reach a DNS server that can resolve the domain names required by the safe search function, because the NGFW resolves the safe search domain name to an IP address and uses that address to rewrite the DNS response message.
Decrypt DoT/DoH traffic: Select whether to decrypt the encrypted domain name resolution requests during internet access, to identify the actually accessed websites.

1. To enable Decrypt DoT/DoH traffic, make sure that you have installed the root certificate on the client in advance. Otherwise, all network access whose domain name resolution requests are encrypted by using DoT or DoH will fail.
2. For encrypted DNS protocols such as DoT/DoH, the NGFW cannot directly modify DNS packets. Therefore, configure a policy to decrypt DoT/DoH. Without a DNS decryption policy configured and the certificate installed, the "Enable DNS filtering/Disable DoH on Firefox/Strip ECH parameters/Enable safe search" functions will not work.
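The following is an added illustration, not Sangfor's code, of what "Strip ECH parameters" does on the wire: in an HTTPS/SVCB resource record (RFC 9460) the ECH configuration is carried as SvcParamKey 5, and removing that key from the RDATA leaves the client without an ECH config, so its TLS ClientHello keeps the SNI in plaintext. The RDATA bytes below are constructed for the example and the ECH value is a placeholder, not a real ECHConfigList; the parser assumes the uncompressed TargetName that RFC 9460 requires.

```python
import struct

ECH_KEY = 5  # SvcParamKey "ech" (RFC 9460 registry)

def read_name(data: bytes, off: int):
    """Parse an uncompressed wire-format DNS name; return (name, next offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not allowed in SVCB RDATA
            raise ValueError("compressed name in SVCB TargetName")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off

def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def parse_svcb(rdata: bytes):
    """Return (SvcPriority, TargetName, [(key, value), ...]) from HTTPS/SVCB RDATA."""
    (prio,) = struct.unpack("!H", rdata[:2])
    target, off = read_name(rdata, 2)
    params = []
    while off < len(rdata):
        key, ln = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        params.append((key, rdata[off:off + ln]))
        off += ln
    return prio, target, params

def strip_ech(rdata: bytes):
    """Rebuild the RDATA without the ech SvcParam; return (new_rdata, was_stripped)."""
    prio, target, params = parse_svcb(rdata)
    kept = [(k, v) for k, v in params if k != ECH_KEY]
    out = struct.pack("!H", prio) + encode_name(target)
    for k, v in kept:
        out += struct.pack("!HH", k, len(v)) + v
    return out, len(kept) != len(params)

# Constructed sample: priority 1, TargetName ".", alpn=h2,http/1.1, ipv4hint=192.0.2.1,
# and a placeholder ech value (12 arbitrary bytes, not a real ECHConfigList).
SAMPLE_RDATA = (b"\x00\x01" + b"\x00"
                + b"\x00\x01\x00\x0c" + b"\x02h2\x08http/1.1"
                + b"\x00\x04\x00\x04" + b"\xc0\x00\x02\x01"
                + b"\x00\x05\x00\x0c" + b"\x00\x0a" + b"\x01" * 10)
```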
File Protection: Filter files and verify files with Engine Zero.
Schedule: Specify a time condition. The policy takes effect only within the specified time range. It references the time objects defined on the Objects > Schedule page.
Advanced: Set relevant filter conditions, filter types, and thresholds for Email Protection, URL Filter, and File Protection.

Email Protection
Detect content: If consecutive detection failures of an abnormal account exceed the threshold, the account will be identified as a threat. If Deny is selected on the network security policy, e-mails from the abnormal account will be rejected.
Filter attachments: Set the types of email attachments to be filtered. If Deny is selected on the network security policy, e-mails with attachments containing the file types specified in this list will be rejected.
Verify files with Engine Zero: Define the types of attachments requiring antivirus treatment. Only the attachment types in this list are subject to antivirus treatment.
URL Filter
Protocol Type: Select HTTP (get), HTTP (post), or HTTPS as the protocol to filter for the specified URL categories. For example, to prevent LAN users from browsing certain types of web pages, select HTTP (get). To allow LAN users to browse web pages but block file uploads (such as BBS posting), select HTTP (post).
Select HTTPS together with HTTP (get) to restrict access to HTTPS websites, or HTTPS together with HTTP (post) to allow browsing only, with file uploads blocked.
Redirect Portal Address: Select whether to redirect the access request to the Sangfor portal or a custom address. Specifically, if an access request triggers the URL filter policy, the system redirects the request to the Sangfor portal or the specified custom address based on the DNS record in the request.

The HTTPS option is not enabled by default. Enable it if the content security function must also apply to HTTPS traffic.
File Protection
Filter file: Filter files of certain formats uploaded or downloaded through HTTP.
Verify files with Engine Zero: Define the extensions of files requiring antivirus treatment. Only the file types in this list are subject to antivirus treatment.
Protect downloads to internal servers: If a protected server attempts to connect to an external HTTP server, the download is subject to Engine Zero-based file verification.