Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
eth1 is the internal-facing interface, and is associated with the zone named lan.
eth3 is the Internet-facing interface, and is associated with the zone named wan.
Step 2. Create a VPN tunnel interface named vpntunx, and associate it with the zone named vpn.
By default, the WAN attributes are disabled. The WAN attributes need to be enabled only if bandwidth management is required.
By default, IPv4 and IPv6 addresses are left empty. The IPv4 and IPv6 addresses need to be configured only if they serve as business IP addresses or an OSPF/BGP connection needs to be established with the peer end.
Step 3. Configure an application control policy to allow business traffic from the zones associated with the Internet-facing interface, the internal-facing interface, and the VPN tunnel interface.
To facilitate testing, traffic from all zones is allowed here. In a production deployment, allow traffic only from the zones associated with the three interfaces above.
Step 4. Enable the VPN service, and add a VPN link.
By default, the VPN service is disabled. You need to enable it first, which takes about 10 seconds.
Add a VPN link and select eth3 as its interface. The remaining settings can be left at their defaults; they apply only when Sangfor VPN is involved.
Step 5. Create an IPsec VPN tunnel.
Configure the basic settings, as shown in the following figure.
Click Advanced to configure advanced settings.
By default, NAT-T is disabled. Enable NAT-T only if a NAT device sits between the local and peer firewalls. Once NAT-T is enabled, you must also specify the local ID.
Click the Route Mode tab to configure phase 2 settings.
• VPN Tunnel Interface: We recommend that you use a dedicated interface (an interface not shared with other connections), unless the available VPN tunnel interfaces are insufficient or interaction is needed between branches.
Step 6. Configure a route that sends business traffic to the vpntunx interface.
• Next-hop IP address: If the peer tunnel interface address is specified in the IPsec VPN settings, the next-hop IP address must be the same as the peer tunnel interface address. Otherwise, business traffic cannot be routed to the IPsec VPN tunnel. If no peer tunnel interface address is specified, leave this parameter empty.
• Link detection: If two IPsec VPN tunnels are configured in active/standby mode, or tunnel liveness detection is required, we recommend setting the source detection interface to the VPN tunnel interface referenced by the IPsec VPN tunnel, and the detection destination to the peer tunnel interface address or a peer internal business IP address.
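The steps above carry several consistency rules that are easy to get wrong in the GUI (the policy scoped to exactly the three zones, NAT-T requiring a local ID, the next hop matching the peer tunnel address, detection sourced from the tunnel interface). The following script, an added example that is not Sangfor code and uses no Sangfor API, encodes those rules as a pre-change check over a plan described in plain Python. The field names, the two sample plans, and the addresses 10.255.0.2 and 192.168.10.1 are constructed assumptions for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class VpnPlan:
    """One route-based IPsec deployment plan (field names are assumptions)."""
    wan_iface: str                   # Internet-facing interface (eth3 on the page)
    lan_iface: str                   # internal-facing interface (eth1 on the page)
    tunnel_iface: str                # VPN tunnel interface (vpntunx on the page)
    zones: dict[str, str]            # interface name -> zone name
    policy_src_zones: set[str]       # zones the application control policy allows
    vpn_service_enabled: bool
    vpn_link_iface: Optional[str]    # interface selected when adding the VPN link
    nat_t: bool                      # NAT-T enabled under Advanced
    local_id: Optional[str]          # local ID, mandatory once NAT-T is enabled
    peer_tunnel_addr: Optional[str]  # peer tunnel interface address, if specified
    route_next_hop: Optional[str]    # next hop of the route pointing at tunnel_iface
    detect_src_iface: Optional[str]  # link detection source interface
    detect_dst: Optional[str]        # link detection destination address


def _valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_plan(p: VpnPlan) -> list[str]:
    """Return findings for the plan; an empty list means it is consistent."""
    f: list[str] = []
    # Step 2: the tunnel interface must sit in the zone named vpn.
    if p.zones.get(p.tunnel_iface) != "vpn":
        f.append(f"{p.tunnel_iface} is not associated with zone vpn")
    # Step 3: the policy must allow exactly the three zones involved; any other
    # zone in the policy is the over-permissive test-only setting.
    needed = {p.zones.get(p.wan_iface), p.zones.get(p.lan_iface),
              p.zones.get(p.tunnel_iface)}
    needed.discard(None)
    if missing := needed - p.policy_src_zones:
        f.append(f"policy does not allow required zones: {sorted(missing)}")
    if extra := p.policy_src_zones - needed:
        f.append(f"policy allows zones beyond the VPN scope: {sorted(extra)}")
    # Step 4: the service must be on and the link bound to the WAN interface.
    if not p.vpn_service_enabled:
        f.append("VPN service is disabled")
    if p.vpn_link_iface != p.wan_iface:
        f.append(f"VPN link uses {p.vpn_link_iface}, not WAN interface {p.wan_iface}")
    # Step 5: enabling NAT-T makes the local ID mandatory.
    if p.nat_t and not p.local_id:
        f.append("NAT-T is enabled but no local ID is specified")
    # Step 6: next hop must equal the peer tunnel address when one is given,
    # and must be empty when none is given.
    if p.peer_tunnel_addr:
        if not _valid_ip(p.peer_tunnel_addr):
            f.append(f"peer tunnel address {p.peer_tunnel_addr!r} is not an IP address")
        elif p.route_next_hop != p.peer_tunnel_addr:
            f.append(f"next hop {p.route_next_hop!r} differs from peer tunnel "
                     f"address {p.peer_tunnel_addr}; traffic will not enter the tunnel")
    elif p.route_next_hop:
        f.append("next hop set although no peer tunnel interface address is specified")
    # Link detection: source must be the tunnel interface the IPsec tunnel references.
    if p.detect_src_iface is not None and p.detect_src_iface != p.tunnel_iface:
        f.append(f"detection source {p.detect_src_iface} is not {p.tunnel_iface}")
    if p.detect_dst is not None and not _valid_ip(p.detect_dst):
        f.append(f"detection destination {p.detect_dst!r} is not an IP address")
    return f


ZONES = {"eth1": "lan", "eth3": "wan", "vpntunx": "vpn"}  # constructed, mirrors the page


def good_plan() -> VpnPlan:
    """Constructed plan that follows every rule in the procedure."""
    return VpnPlan("eth3", "eth1", "vpntunx", ZONES, {"lan", "wan", "vpn"}, True,
                   "eth3", False, None, "10.255.0.2", "10.255.0.2",
                   "vpntunx", "192.168.10.1")


def bad_plan() -> VpnPlan:
    """Constructed plan with four common mistakes."""
    return VpnPlan("eth3", "eth1", "vpntunx", ZONES, {"lan", "wan", "vpn", "dmz"},
                   True, "eth3", True, None, "10.255.0.2", "10.255.0.1",
                   "eth3", "192.168.10.1")


if __name__ == "__main__":
    for name, plan in (("good", good_plan()), ("bad", bad_plan())):
        print(name, check_plan(plan) or "OK")
```

Run it before committing a change: the "bad" plan reports the extra dmz zone in the policy, NAT-T without a local ID, a next hop that does not match the peer tunnel address, and detection sourced from eth3 instead of vpntunx; the "good" plan reports nothing.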