Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.107

Configuration Analysis and Notes

Update time: 2026-04-29

Comparison of configuration steps

The following compares, step by step, the configuration steps for the Athena NGFW firewall with those for the Fortinet firewall.

Step 1

- Athena NGFW: Configure the interface IP addresses.
- Fortinet: Configure the interface IP addresses. The configuration method is basically the same as that for Athena NGFW.

Step 2

- Athena NGFW: Create a VPN tunnel interface named vpntunx, and associate the interface with the corresponding zones.
- Fortinet: Associate the tunnel interface with the corresponding zones.

Notes:

- This step can be skipped. You can directly reference the interface in the security policy during the policy configuration process.
- After IPsec settings in Fortinet are completed, a tunnel interface is generated automatically. We recommend that you associate the generated interface with the zones after IPsec settings are completed.

Step 3

- Athena NGFW: Configure an application control policy to allow business traffic from the zones associated with the Internet-facing interface, internal-facing interface, and VPN tunnel interface.
- Fortinet: Configure a security policy. The configuration method is basically the same as that for Athena NGFW.

Step 4

- Athena NGFW: Enable the VPN service, and add a VPN link.
- Fortinet: Configure a default route to connect to the Internet.

Notes:

- By default, Athena NGFW disables the VPN service.
- When a VPN link is added in Athena NGFW, a policy-based route for the interface corresponding to the VPN link is generated automatically in the backend, so you do not need to add a default route for Internet access manually. (In this case, you must configure the gateway as the next hop on the VPN link.)
- For Fortinet, a default route must be configured additionally to access the Internet.

Step 5

- Athena NGFW: Create an IPsec VPN tunnel.
- Fortinet: Create an IPsec tunnel.

Step 6

- Athena NGFW: Configure a route that directs traffic to the vpntunx interface.
- Fortinet: Configure a route that directs traffic to the tunnel interface. The configuration method is basically the same as that for Athena NGFW.

Comparison of default IPsec VPN settings

The following compares the default IPsec VPN settings of the Athena NGFW firewall with those of the Fortinet firewall.

IKE SA

Athena NGFW:

- IKE version: v1
- Negotiation mode: main mode
- Authentication method: pre-shared key (PSK)
- Algorithms: AES+SHA1
- Diffie-Hellman (DH) group: group2

Fortinet:

- IKE version: v1
- Negotiation mode: main mode
- Authentication method: PSK
- Algorithms: AES128 (AES)+SHA256 (SHA2-256), AES256+SHA256 (SHA2-256), AES128 (AES)+SHA1, and AES256+SHA1
- DH groups: group14 and group5

IPsec SA

Athena NGFW:

- Security protocol: Encapsulating Security Payload (ESP)
- Algorithms: AES+SHA1, AES256+SHA1, DES+SHA1, DES+SHA2-256, AES+SHA2-256, and AES256+SHA2-256
- Perfect forward secrecy (PFS): None
- Encapsulation mode: tunnel mode

Fortinet:

- Security protocol: ESP
- Algorithms: AES128 (AES)+SHA1, AES256+SHA1, AES128 (AES)+SHA256 (SHA2-256), AES256+SHA256 (SHA2-256), AES128GCM, AES256GCM, and CHACHA20POLY1305
- PFS: group14 and group5
- Encapsulation mode: tunnel mode

Comparison of exclusive configuration items

The following table describes the configuration items exclusive to the Athena NGFW firewall.

Configuration Item (Athena NGFW)

Description

Local ID Type: USER_FQDN and DN

Fortinet does not support these ID types. If a local ID is needed, we recommend that you select ADDR or FQDN as the ID type.

DH Group: group22, group23, group24, group25, and group26

Fortinet does not support these DH groups. We recommend that you use other DH groups, which do not affect IPsec VPN tunnel establishment.

Encryption Algorithm: AES192-GCM, SANGFOR_DES, SM1, and SM4

- Fortinet does not support these encryption algorithms. We recommend that you use other encryption algorithms, which do not affect IPsec VPN tunnel establishment.

- SANGFOR_DES is Sangfor's proprietary cryptographic algorithm, which applies only to Sangfor devices.

- SM1 and SM4 are China's commercial cryptographic algorithms, which are mainly used in China. SM1 is supported only on physical commercial cryptographic devices.

- GCM is supported only in IKEv2 mode.

Traffic of Interest

- By default, IPv4 is enabled, which is equivalent to a case where the local- and peer-end IPv4 addresses are all-0 addresses. In this case, we recommend that you configure a single selector whose IPv4 address is an all-0 address on the peer Fortinet firewall.

- If IPv6 is enabled, this is equivalent to a case where the local- and peer-end IPv6 addresses are all-0 addresses. In this case, we recommend that you configure a single selector whose IPv6 address is an all-0 address on the peer Fortinet firewall.

Peer Tunnel Interface

- If the referenced VPN tunnel interface is not shared with other IPsec VPN tunnels, we recommend that you leave this configuration item empty.

- You must enter the address of the peer tunnel interface if OSPF or BGP is used.

- When you need to specify the next hop for the static route or policy route, make sure that the next hop address is the same as the peer tunnel interface address of the IPsec VPN tunnel. Otherwise, business traffic may fail to be routed.

Encrypted Traffic

- This is equivalent to a phase 2 selector in Fortinet. The local and peer IP addresses in the encrypted traffic can be customized only in policy mode. You cannot customize the local and peer IP addresses in route mode. In addition, only two encrypted traffic entries are predefined: one using an all-0 IPv4 address and the other using an all-0 IPv6 address. By default, IPv4 is enabled, and the traffic to be actually encrypted is determined by the address specified in the traffic of interest.

- In policy mode, multiple local/peer IP addresses can be configured in the encrypted traffic. To be specific, a maximum of 16 * 16 addresses can be configured.

- In policy mode, if IKEv1 is used and multiple local/peer IP addresses are configured in the encrypted traffic, we recommend that you configure multiple selectors on Fortinet and set each local/peer IP address to a subnet with a netmask. If you want to configure only one selector on Fortinet, we recommend that you switch to IKEv2 and set the address type to Named Address (Address Group). According to the standard IPsec VPN protocol, IKEv1 splits multiple addresses into multiple SAs for negotiation. However, Fortinet does not perform such a split according to the standard when named addresses are used.

Strict MID Check

This is a proprietary feature, which is disabled by default. It is mainly used to adapt to Microsoft Azure. We recommend that you disable it.

Local Intranet Service

Peer Intranet Service

These are proprietary features, which are used to limit the types of traffic allowed on the local and peer ends. These features are available only in policy mode. We recommend that you use the default settings.

Phase 2 Proposal: AH

Fortinet does not support Authentication Header (AH). You can use ESP, which does not affect IPsec VPN tunnel establishment.

Route Priority

This is a proprietary feature, which is used to create primary and secondary IPsec VPNs. This feature is available only in policy mode.

SPI Merging

This is a proprietary feature. It is available only for IKEv2, and is used to determine whether to merge network segments when a single encryption stream includes multiple local/peer addresses. By default, security parameter index (SPI) merging is enabled.

Expiration Time

This is a proprietary feature, which is used to specify the validity period of a tunnel. By default, this feature is disabled. We recommend that you keep it disabled.


The following table describes the configuration items exclusive to the Fortinet firewall.

Configuration Item (Fortinet)

Description

Template type: site-to-site, hub-and-spoke, and remote access

- This is a proprietary feature. We recommend that you customize settings as needed.

- The site-to-site and remote access types are available only for Fortinet and Cisco.

- The hub-and-spoke type is available only for Fortinet.

Forward Error Correction

- This is a proprietary feature, which is disabled by default. Fortinet incorporates forward error correction (FEC) into its IPsec VPN service to enhance data transmission reliability and efficiency. FEC can detect and correct data errors during data transmission, and therefore reduces the data loss and retransmission rate.

- We recommend that you disable it. Otherwise, IPsec VPN tunnel establishment may be affected.

Device creation

Aggregate member

- These are proprietary features, which are disabled by default. Ignore them.

- We recommend that you disable them. Otherwise, IPsec VPN tunnel establishment may be affected.

XAUTH

- Athena NGFW does not support this feature. This is an additional step for identity authentication during the IPsec VPN tunnel establishment, which can enhance security. It is supported only for IKEv1. By default, it is disabled in Fortinet.

- We recommend that you disable it. Otherwise, IPsec VPN tunnel establishment may be affected.

Selector

- This is equivalent to an encrypted traffic entry in Athena NGFW in policy mode. We recommend that you configure a single selector using an all-0 address.

- This is equivalent to the traffic of interest in Athena NGFW in route mode. If IPv4 is enabled in Athena NGFW, it is equivalent to a Fortinet selector using an all-0 IPv4 address. If IPv6 is enabled in Athena NGFW, it is equivalent to a Fortinet selector using an all-0 IPv6 address.

Local Address: IP address ranges, IPv6 address ranges, named addresses, and IPv6 named addresses

Remote Address: IP address ranges, IPv6 address ranges, named addresses, and IPv6 named addresses

- These are proprietary features. By contrast, Athena NGFW supports only subnets, IPv6 subnets, IP addresses, and IPv6 addresses.

- We recommend that you do not use IP address ranges, because Athena NGFW does not support IP address ranges. Otherwise, IPsec VPN tunnel establishment may fail.

- When a named address (address group) is used in policy mode, we recommend that you use IKEv2. Otherwise, IPsec VPN tunnel establishment may fail in phase 2.

Diffie-Hellman Group: group31 and group32

Athena NGFW does not support these DH groups. Use other DH groups as needed, which do not affect IPsec VPN tunnel establishment.

Encryption: CHACHA20POLY1305

Athena NGFW does not support this encryption algorithm. Use other algorithms as needed, which do not affect IPsec VPN tunnel establishment.

Enable Replay Detection

- Athena NGFW does not support customizing replay detection settings, and disables replay detection by default.

- By default, replay detection is enabled in Fortinet. If the peer end has two Fortinet firewalls deployed in active/standby mode, disable this feature. Otherwise, business may be interrupted during an active/standby switchover.

Local Port

Remote Port

Protocol

- These are proprietary features, which are used to configure the phase-2 local port, peer port, and protocol. By default, all local and remote ports and all protocols are selected.

- We recommend that you select all local and remote ports and all protocols. Otherwise, IPsec VPN tunnel establishment may be affected.

Other

Use the default settings, which do not affect IPsec VPN tunnel establishment.
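The default-setting and exclusive-item tables above describe why a tunnel only comes up when both ends share an IKE proposal and why some algorithms or DH groups are unsupported on one side. The following added example (not Sangfor or Fortinet code) models that proposal match against the defaults and unsupported items listed on this page; the algorithm labels are constructed, and Athena's "AES" is assumed to mean AES128.

```python
# Added example, not vendor code: models IKE proposal selection between an
# Athena NGFW and a Fortinet peer using the defaults and unsupported items
# listed on this page. Algorithm labels are constructed, not CLI names.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Proposal:
    encryption: str   # "aes128", "aes256", "aes192-gcm", "chacha20poly1305", ...
    integrity: str    # "sha1", "sha256"; "none" for AEAD ciphers
    dh_group: int     # DH group number; 0 = no PFS

# Athena NGFW default IKE SA (page: AES+SHA1, DH group2). "AES" taken as AES128 (assumption).
ATHENA_IKE_DEFAULT = [Proposal("aes128", "sha1", 2)]
# Fortinet default IKE SA (page: AES128/AES256 with SHA256/SHA1, DH group14 and group5).
FORTINET_IKE_DEFAULT = [Proposal(e, i, g) for (e, i), g in product(
    [("aes128", "sha256"), ("aes256", "sha256"), ("aes128", "sha1"), ("aes256", "sha1")], [14, 5])]

# Items this page lists as unsupported by the named vendor.
UNSUPPORTED = {
    "fortinet": {"dh": {22, 23, 24, 25, 26}, "enc": {"aes192-gcm", "sangfor_des", "sm1", "sm4"}},
    "athena": {"dh": {31, 32}, "enc": {"chacha20poly1305"}},
}

def negotiate(initiator, responder):
    """Return the first initiator proposal the responder also accepts, else None.
    A responder picks one matching proposal; no overlap means phase 1 fails."""
    accepted = set(responder)
    return next((p for p in initiator if p in accepted), None)

def interop_findings(local_vendor, local_props, peer_vendor, ike_version=1):
    """List reasons a local proposal cannot be used against the named peer."""
    findings = []
    unsupported = UNSUPPORTED[peer_vendor]
    for p in local_props:
        if p.dh_group in unsupported["dh"]:
            findings.append(f"{local_vendor}: DH group{p.dh_group} is not supported by {peer_vendor}")
        if p.encryption in unsupported["enc"]:
            findings.append(f"{local_vendor}: {p.encryption} is not supported by {peer_vendor}")
        if p.encryption.endswith("gcm") and ike_version == 1:
            findings.append(f"{local_vendor}: {p.encryption} (GCM) requires IKEv2")
    return findings

if __name__ == "__main__":
    # Default against default: DH group2 never meets group14/group5, so phase 1 fails.
    print("default-vs-default:", negotiate(ATHENA_IKE_DEFAULT, FORTINET_IKE_DEFAULT))
    # Aligning Athena to AES128+SHA1 with DH group14 matches one Fortinet default.
    print("aligned:", negotiate([Proposal("aes128", "sha1", 14)], FORTINET_IKE_DEFAULT))
    print(interop_findings("athena", [Proposal("aes192-gcm", "none", 24)], "fortinet"))
```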