NGAF V6.4 User Manual

Contents

1. The user search dialog has the fields Keyword, Search Among (All) and Authentication (All), with OK and Cancel buttons. Search criteria are the keyword, the type of keyword, the type of user, the authentication method and the expiry date of the user account.
Viewing Associated Resources of Users: to see which resources are available to a certain user or group, select that user or group and click Associated Resource. The resources available to the selected user or group are listed in the Resources Available dialog, with the columns Resource Name and Description.
Resources: the resources mentioned in this section are those that specified users can access over SSL VPN. The only resource type available for SSL VPN in NGAF is TCP application. Navigate to SSL VPN > Resources (SANGFOR NGAF 6.4 User Manual, page 80) and the Resources page appears. Its toolbar offers Add, Delete, Edit, Select, Move, View Association, More, Filter and Search by Name; the table columns are Name, Type, Description, IP Address, Port and Status. The tree on the left contains All resources and the Default group, which is predefined and cannot be removed.
A resource group can contain a number of resource entries. Similar to user management, resources can be grouped according to categories, associated users or groups, etc. The majority of administrators welcomes this ki
2. The intelligent P2P identification rule dialog shows Rule Name (P2P Behavior), Category (P2P), Description (Identify P2P software and P2P according to …), and under Rule Options the fields Sensitivity (High, Medium, Low, Very Low) and Excluded Port, with OK and Cancel buttons.
Enable Rule: select this check box to enable the rule. Rule Name: name of the intelligent identification rule. Category: application type of the rule. Description: brief description of the rule. The previous three items cannot be edited. Sensitivity: sensitivity of the rule; it can be set to High, Medium, Low or Very Low as required. Errors may occur during intelligent P2P identification, so set Sensitivity to adjust the identification criteria. Sensitivity decreases as the value is set from High to Very Low. Adjust the sensitivity based on the specific identification conditions of the data. For example, if a large amount of data needs to be identified, the data is connected to random high ports and the destination IP addresses are unknown, the data may be unidentified P2P data; in this case, increase the sensitivity. If other types of data are mistaken for P2P data, the sensitivity may be too high; in this case, decrease the sensitivity. Excluded Port: excluded ports. If the destination ports of data are excluded ports, the equipment does not perform intelligent P2P identification on that data, which avoids identification errors.
App Ident Rules: the App Ident Rules panel is used to define application identifica
3. The Application Ident Database lists application categories (Game, IM, P2P Stream Media, Remote Login, Soft update, Stock Quotation, Living services and others) and, for each application, the number of included rules, the rule status (All enabled) and a Settings operation; for example, Web QQ has no description and 7 rules, all enabled, and the page shows 15 entries per page.
Select QQ and click Enable or Disable: all rules for QQ are enabled or disabled. If you want to enable or disable a certain rule for a specific application, for example disable a certain rule for QQ, click Settings. The QQ Identification Rule dialog box is displayed and lists all QQ-related rules (such as QQ UDP, QQ TCP, TM2008 udpsock, QQ P2P U, QQ TM U, QQ P2P T, QQ TM data, QQ TM UDP, QQ TM TCP, QQ MSG U and QQ MSG T). Select a rule and click Enable or Disable; the selected rule is enabled or disabled.
Note: application identification rules for some basic protocols cannot be disabled. For example, if the application identification rules for HTTP are disabled, HTTP-based data identification may be affected.
4. The threat level filter offers High, Medium and Low, and the action filter offers Allow and Deny. Step 2: Click Go. Data that meets the search criteria is displayed. In the example, the filter is Period 2014-03-03 00:00 to 2014-03-20 23:59, Src zone All, Src IP/user All, Dst zone All, Type All, Threat level High/Medium/Low, Action Allow/Deny. The Anti-Malware log table (Filter, Export Logs) has the columns No., Time, Type, Source IP/User, Dst IP, APP, Action, Description and Details. The seven listed entries, dated 2014-03-13 and 2014-03-14, are of type Botnet, from source 10.0.0.2 to the destination IPs 131.253.40.10, 157.55.34.242 and 157.56.229.209, with action Deny and the description "The host 10.0.0.2 may be infected …". Step 3: Click Details (View) to view the information that matches the APT policy.
5. Step 8: Set Action to Deny and Logging to Log Event, and click OK. The Action pane offers Allow and Deny, IP Lockout (Lock source IP) and Logging (Log event, Settings). The resulting policy list has the columns No., Name, Source Zone, Dst Zone, Dst IP, Protection and Status; the rule Server Prote… applies from WAN to LAN for the Server Farm IP group, with website-based attack protection (OS command injection, SQL injection, XSS attack, CSRF, path traversal), Application Hiding (FTP, HTTP) and Password protection.
Example 2: Data Leak Protection. The following figure shows a network topology where the NGAF is deployed as a router at the network egress and a web server cluster is deployed on the intranet behind a Layer 3 switch. The servers store the personal information of enterprise customers for users to query. The data must be protected to prevent the leak of non-personal information to users: bank account numbers, mobile phone numbers and identity card numbers must not be contained in queried data, and files in .doc and .xls formats must not be downloaded from the servers.
Step 1: Choose Network > Interface and define the zones of the interfaces before configuring a policy. Choose Objects > IP Group and define the IP address group of the servers (for details, see section 3.4.8). Set ETH2 to LAN, ETH1 to WAN and 172.16.1.0/24 to the Server Farm IP group. The IP Group page (Add, Refresh, Import, Export) has the columns No., Name and Description.
6. The Application Ident Database page shows Total Applications 1093, Total Rules 2575, Current Database Released On 2013-04-02 and Update Service Expires On 2014-07-29. The category tree lists Streaming Media (50), File Transfer (109), Game (243), IM (151), P2P Stream Media (55), P2P (25), Download Tools (20), HTTP Application (5), FTP, Mail (6), DNS (2) and Remote Login (35); the table columns are Application, Included Rules, Rule Status and Operation (Settings), with 15 entries per page (1-15 of 151 for IM).
Enabling/Disabling Application Identification Rules: in the navigation area, choose Objects > Application Ident DB. The Application Ident Database page is displayed on the right. Query the application whose rules you want to set (for details, see section 3.4.2). For example, if you want to disable the rules for QQ, query the QQ-related applications; the results appear on the same Application Ident Database page.
7. … or its variant is added. Information disclosure is often brought by the security vulnerabil… Special vulnerabilities in well-known websites: the rule can fulfill … (OK, Cancel).
Step 5: Configure application hiding. Perform the settings as shown in the following figures and click OK, so that the FTP server version information and the Server field of the HTTP server are hidden. In the Protection pane, Website-based Attack is selected with SQL injection, XSS attack, parameter protection, CSRF defense (Settings), Restrictive URL access (Settings), Proactive protection (Settings) and Custom parameter protection (Settings), and Application Hiding is enabled for FTP and HTTP (Settings). The HTTP Packet Header Filter dialog hides specified fields in the HTTP response header: the types Server and X-Powered-By are added, and Replace server error page and Replace request error page (4xx) can also be selected.
Step 6: Select URL Protection and click Set. Set Action to Allow for "view", indicating that URLs containing "view" are not checked. The URL Access Right dialog has the columns URL, Description, Action and Log; the entry "view" is auto-added.
Step 7: Configure HTTP abnormality detection and buffer overflow detection. In the Buffer Overflow Detection dialog box, select Check for URL overflow and Check for POST entity
8. DNS Proxy: it can be set to Enable or Disable. After the DNS proxy function is enabled, the DNS of internal users is set to the IP address of an interface of the NGAF equipment. The proxy responds to the DNS requests of internal users and forwards the requests to the preferred and alternate DNS servers.
DHCP: on the DHCP tab page, you can set the NGAF equipment as a DHCP server or DHCP relay. The NGAF 5.2 DHCP server does not support IPv6.
3.2.4.3.1 DHCP Server: the DHCP Server tab page (Advanced Network Settings > DHCP > DHCP Server) contains Enable DHCP, the interface list, Lease (min) 120 and the DHCP Parameters Gateway, Subnet Mask, Preferred DNS, Alternate DNS, Preferred WINS and Alternate WINS, all 0.0.0.0 by default. Select Enable DHCP; a prompt is displayed. Click Yes to enable the DHCP service. The Network Interface pane displays all route interfaces, sub-interfaces and VLAN interfaces on the equipment; you can assign IP addresses through these interfaces. For details about the configuration description of the DHCP server, see section 5.4.1.
3.2.4.3.2 DHCP Relay: the DHCP relay function applies when the IP addresses of the DHCP server and the DHCP client are on different IP network segments. See the figure below (Advanced Network Settings).
9. Globally Excluded Address sets the IP addresses that are free from monitoring and control. Such IP addresses can be intranet user IP addresses or the IP addresses of visited destination servers. Domain name exclusion is supported. The Globally Excluded Address dialog has the tabs Predefined Excluded Address and Custom Excluded Address, each with the columns Excluded Address, Description and Status. The predefined list contains, among others, 360.cn, rising.com.cn, 360safe.com, update.microsoft.com, download.windowsupdate.com, windowsupdate.microsoft.com, pocchk.trendmicro.com, activeupdate.trendmicro.com, kaspersky-labs.com, jiangmin.com, liveupdate.symantecliveupdate.c… and db.kingsoft.com.
Predefined Excluded Address: specifies predefined excluded addresses to prevent failure of antivirus software and firewall updates, including the IP addresses of these servers. Predefined excluded addresses can be disabled but cannot be deleted. Custom Excluded Address: sets the excluded addresses. Click Add; in the displayed Add Excluded Address dialog box, enter the description and
10. The vulnerability rule list shows, for each rule, the Name (for example a series of Sendmail Heade… rules and a Linux Vendor rp… rule), a Description truncated in the view (such as "Could lead to a loss o…", "The issue occurs in t…", "This event indicates t…", "Microsoft Windows 2…", "rpc.statd in the nfs-u…" and "A vulnerability exists i…"), a Reference (links to http://www.securityf…), the Threat level (Medium or High), the Action (Allow for the Medium rules, Deny for the High rules) and Details (View). The displayed columns can be chosen via Columns. To enable the data center to record logs, create a rule on the IPS page of the console and click Log
11. The Link State Propagation tab page (Add, Refresh, Edit, Delete; column Physical Interface). Enable link state propagation is the main switch for enabling link state propagation. After it is selected, the prompt "Are you sure to enable link state propagation?" appears; click Yes to enable link state propagation. Click Add to add an interface propagation group. In the Add Interface Group dialog box, Name specifies the name of the interface propagation group and Physical Interfaces specifies the interfaces to be added to the propagation group (Available and Selected lists). Only physical interfaces are supported. A propagation group can contain multiple interfaces; you can click Add or Delete to add or delete interfaces. Click OK to save the settings. If the IP address of an interface is set in the format IP/mask (HA), this interface cannot be added to a propagation group.
Routing: the Routing page contains the Static Route, Policy-Based Routing, OSPF, RIP and All Routes tab pages. When the equipment needs to communicate with IP addresses on different network segments, data forwarding needs to be implemented through routing. Static Route: in the navigation area, choose Network > Routing and access the Static Route tab page. In NGAF 5.2, Static Route supports both IPv4 and IPv6 addresses; IPv4 is shown in the figure below. Stati
12. The Zone tab page (Aggregate Interface, Zone, Link State Propagation; Add, Refresh) has the columns Zone Name, Zone Type, Interfaces, Device Management Privilege, Allowed Address and Delete: LAN is a Route (layer 3) zone on eth2 and WAN a Route (layer 3) zone on eth…, both allowing WebUI and SNMP management from All addresses and In use. The IP Group page (Add, Refresh, Import, Export) lists No., Name, Description and Delete: 1 All (All IP addresses, In use) and 2 LAN IP Range (In use).
Step 2: Click Add on the NAT page and choose Source NAT. The Add Source NAT Rule page appears. Select Enable and enter a rule name and description (in the example, the name is Internet access). If you do not select Enable, the rule does not take effect.
Step 3: Set Zone and IP Group to specify the IP addresses used for source NAT. Source NAT is implemented according to the rule only if the data comes from the specified IP addresses in the specified zone. If Internet access for the intranet is provided through a router interface, set the zone to the intranet and the IP group to the intranet segments or all network segments. In this example, Source Zone is set to LAN and IP Group is set to LAN IP Range.
Step 4: Set Zone, Interface and IP Group in the Destination area to specify the destination zones and IP groups or interfaces to which the rule is applicable. If Internet
13. Deployment Mode: Gateway or Single Arm (the device connects to the Internet via a front-end device). Interface Settings: LAN Interface (eth2). If Gateway mode is selected, both the LAN interface and the WAN interface need to be configured; for single-arm mode, configure only the LAN interface.
Users: users and groups are managed in a hierarchical structure. Users with similar attributes can be classified into a group, which is in turn included in another, higher-level user group. This kind of management is similar to and compatible with the internal organization structure of an enterprise, facilitating the management of VPN users. The User Management page has the toolbar Add, Delete, Edit, Select, Hardware ID, Import, Move, More, Associated Resources, Unfold All and Search by Name. The group pane shows Path (Default), Members (immediate subgroups 1, total subgroups 1, immediate users 0, total users 0) and View/Edit Attributes; the table columns are Name, Type, Description, Public/Private and Status, and the Default group is a predefined public user group that cannot be removed. In the left pane there is a tree of user groups. Click a group name and the subgroups and direct users of that group are shown in the right pane, with the group information (Group Location, number of members) displayed above the right pane. To search for a group
14. The Add Web Application Protection Rule dialog (Rule ID 13990000) contains Rule Name, Description, Threat Level (High), Action (Enable, Block if attack detected), Character String (Match all data, Case Sensitive), Regular Expression (Match all data, Case Sensitive, RegEx Tester) and Direction, with Save and Add. Rule Name, Description and Impacts can be defined by the user. Threat Level: High, Medium or Low can be selected. Action: the three actions are Enable (Block if attack detected), Enable (Allow if attack detected) and Disable. Character String, Regular Expression and Direction are used to configure the rule content; the first two fields can be left blank. Enable (Allow if attack detected): the attack is logged and allowed.
Custom IPS Rule: click Add to add a new IPS rule in Custom IPS Rule. The Add IPS Rule dialog contains Rule ID (12990000), Rule Name, Description, Threat Level (High), Action (Enable, Block if attack detected), Character String (Case Sensitive), Regular Expression (Case Sensitive, RegEx Tester), Direction, Protocol, Port and Type (Server Protection). Rule Name, Description and Impacts can be defined by the user. Threat Level: High, Medium or Low can be selected. Action: the three actions are Enable (Block if attack detected), Enable (Allow if attack detected) and Disable. Enable (Block if attack detected): the attack is logged and blocked. Enable (Allow if attack detected): the attack is logged and allowed. Disable
15. The Default group Members page (Add, Refresh, Select, Import, Export) lists No., Name, Address and Expiry Date: 1 guest, 192.168.1.2-192.168.1.100, never expires; 2 manager, 192.168.1.217 / 00:1c:25:ac:4c:12, never expires; 3 test, 192.168.1.117 / 00:1c:25:ac:4c:44, never expires.
Step 6: Access the network on the equipment to verify the IP address/MAC address. If the IP address/MAC address are correct, the authentication is successful and the authentication page is not displayed. If the IP address/MAC address are inconsistent with the bound IP address/MAC address, the authentication fails, no reminder message is displayed and the client fails to connect to the network.
Adding Multiple Users: you can add multiple users at a time. In this case the bidirectional binding mode for Bind IP/MAC is unavailable when you set user attributes for multiple users, because the bidirectional binding mode is unique. When you add multiple users at a time, the attributes and policies of the users are the same except for the user names. Type multiple user names in the Username(s) text box and separate them by commas (for example user1,user2,user3,user4,user5). For details about the other settings, see the process for adding a single user. The dialog also contains Enable user, Description and Added To Group (Admin).
Deleting Users/Groups: you can delete users or groups as required by using this function. Step 1: Select
16. The logon script settings show Script Name sso_logoff (Browse) and Script Parameters 10.251.251.254 …
Step 4: Choose Start > Run, enter gpupdate and click OK. The group policy takes effect. Step 5: Set the authentication policy. Choose User Authentication > Policy and click Add. Set the authentication mode to SSO using IP or MAC addresses (see section 3.6.2.1.3). Step 6: Log in to the domain on a computer and check whether you can access the Internet successfully.
Note: the primary DNS of the PC must be set to the IP address of the domain server; otherwise the domain IP address cannot be resolved, resulting in domain server login failure. If the DNS or IP address is changed after the first successful login, the computer can log in to the computer and the domain with the correct password; however, as the Windows OS remembers the previous correct password, the login to the domain does not actually succeed. Thus the SSO fails and an authentication dialog box requesting the user name and password is displayed when the user tries to access the Internet. The domain server, NGAF and PC must be able to communicate properly.
Domain SSO in monitoring mode: in monitoring mode, SSO is implemented with the user login information obtained from the data packets captured by monitoring the process of a PC logging in to the domain server. SSO in monitoring mode does not require any software to be installed on the domain server; how
17. The Server Security report filter offers Statistics (Target Server, Attack Type, Attack Source), Show Top (10), Chart Type (Ranking, Trend, Ranking & Trend), Less <<, Go and Open in new tab.
Example application scenario: a user needs to show the number and percentage of web application attacks on all servers on the intranet on May 30. The statistics are displayed based on the top 10 attacked servers. Step 1: Set the statistics criteria. Specify the following and click Go to retrieve data: Filter (Period, Server IP, Attack Type, Threat Level, Action, Others), Statistics, Show Top and Chart Type. Step 2: Click Go. A report is generated automatically. In the example report, the filter is Period Today (2013-08-15), Server IP All, Threat level High/Medium/Low, Attack type WAF, Action Allow/Deny, Statistics Target Server, Chart type Ranking, Show Top 10; the ranked target servers are 192.200.17.200, 202.96.137.75, 192.254.234.101, 123.126.68.166, 173.254.28.87, 184.154.14.24, 216.92.220.211 and 192.254.205.29.
18. (1) After DNS Mapping is set, server access data from the intranet is not transferred through the firewall; instead it is sent directly to the IP address of the internal server. Bidirectional NAT transfers all data through the firewall. Therefore DNS Mapping reduces the workload of the firewall. (2) DNS Mapping can be set more easily than bidirectional NAT; it does not involve zones, IP groups or port numbers. The Add DNS Mapping dialog has the fields Domain Name, Public IP and Internal IP, with OK and Cancel. Domain Name: the domain name accessed by users. Public IP: the public IP address corresponding to the domain name accessed by intranet users. Internal IP: the internal IP address that is actually accessed.
3.8.1.4.1 DNS Mapping Configuration Example: a customer has the topology shown in the following figure. There is an internal web server whose IP address is 172.16.1.100. The customer has applied for the domain name www.xxx.com, which points to 1.2.1.1. The customer requires that intranet users (192.168.1.0/24) can access the server by accessing www.xxx.com. In this case, DNS Mapping can be used to enable the intranet users to access the web server through the domain name. In the topology, the NGFW's ETH1 is 1.2.1.1/24 and ETH2 is 10.10.10.1/30; the LAN users are on 192.168.1.0/24 and the web server www.xxx.com is 172.16.1.100.
19. The URL Keyword dialog has a text field, OK and Cancel.
Services: services are groups of specific protocols and ports. They generally indicate certain network applications and can be invoked by the Application Control Policy panel of the Access Control configuration module to allow or reject certain network services. Predefined Services: common network services are embedded on the Predefined Service tab page, for example any (TCP 0-65535, UDP 0-65535, ICMP type 0-255 code 0-255), cluster (UDP 3343), dns-t (TCP 53), dns-u (UDP 53), ftp (TCP 21), h.225ras (UDP 1719), http (TCP 80), https (TCP 443), irc (TCP 194), l2tp (UDP 1701), ldap (TCP 389), ms-sql-m (TCP 1434), ms-sql-r (UDP 1434), ms-sql-s (TCP 1433), mysql (TCP 3306) and netbios-ns (UDP 137). The Predefined Service tab page displays the default ports of common protocols, which cannot be edited or modified. If the predefined services do not meet your requirements, set Custom Services.
Custom Services: on the Custom Services tab page, click Add. The Add Custom Service dialog box is displayed with the fields Name, Description and Protocol. Name: service name. Description: service description. Protocol: protocol type and port number of the service. Click TCP, UDP, ICMP and Other in sequenc
20. The link failure detection settings include Max Attempts (3), OK and Cancel. Select Enable to enable link failure detection. Set Detection Method to DNS lookup or PING. If it is set to DNS lookup, set DNS Server 1, DNS Server 2 and Resolve Domain. If it is set to PING, set Destination IP 1 and Destination IP 2. Either DNS lookup or PING can be selected for the same interface. In the example, Detection Method is set to PING and Destination IP 1 to 202.96.137.23.
The Advanced option enables users to set the operating mode, MTU and MAC address of the network interface. To modify the settings, click Settings. The Advanced dialog shows Link Mode (Auto-negotiation), MTU (1500), MAC (00:E0:4C:46:FA:6E) and Restore Default MAC.
Note: the next-hop gateway of the interface is only used for link failure detection and PBR of the interface. When a next-hop gateway is configured, the default route 0.0.0.0/0 is not generated on the NGAF; the default route must be configured manually. The line bandwidth configuration of the interface is not related to the bandwidth configuration of traffic management; the former is used for PBR scheduling. For more information about PBR, see section 3.2.2.2.
Step 3: Configure an intranet interface. Select an idle network interface and click the interface name to access the Edit Physical Interface dialog box. Set Type to Route, unselect the WAN attribute and configure an IP address.
21. The malware signature list shows, for example: 30000012 Trojan-Banker.Win32.Banker (Trojan, High, Enable); 30000013 Trojan.Win32.Yakes (Trojan, Medium, Enable); 30000014 Trojan.Win32.Yakes (Trojan, Medium, Enable); 30000015 TR/Graftor.Elzob.15338 (Trojan, Low, Enable); 30000016 Trojan-Dropper.Win32.Daws (Trojan, Low, Enable). You can view all enabled or disabled rules. The malware signature database contains a variety of protection types, including Trojan, AdWare, Malware, Spy, Backdoor, Worm, Exploit, HackTool and Virus; the Type filter offers All and each of these types. You can click Enable to enable a selected rule and Disable to disable a selected rule.
Custom Rules: Custom Rules contains Custom WAF Signature and Custom IPS Rule. In the navigation tree, Security Databases contains Vulnerability, WAF Signature, Vulnerability Analysis Rule, Data Leak Protection, Malware Signature and Custom Rules (Custom WAF Signature, Custom IPS Rule). The Custom WAF Signature tab page has Add, Delete and Enable, with the columns Rule ID and Rule Name. Click Add to add a new Custom WAF Signature. The Add Web Application Protection Rule dialog contains Rule ID, Rule Name, Description, Threat Level, Action, Character String and Regular Expression
22. The Inbound Policy pane has the columns Status, Policy Name, Source IP, Peer Device, Inbound Service, Description and Operation, and the Outbound Policy pane the columns Status, Policy Name, Source IP, Peer Device, Outbound Service, Security Option, Description and Operation; each has a New button. In the Inbound Policy pane, set the policy for routing packets sent from the peer end to the local end. Click New; the dialog box for adding a policy is displayed with Policy Name, Description, Source Subnet and Mask (255.255.255.0), Peer Device, Inbound Service (All Services), Schedule (All day), Allow in the above schedule / Deny in the above schedule, Enable Expiry Time with Expiry Time, and Enable This Policy. In the Outbound Policy pane, set the policy for routing packets sent from the local end to the peer end. Click New; the dialog box for adding a policy is displayed with Policy Name, Description, Source Subnet and Mask (255.255.255.0), Peer Device, SA Lifetime (seconds), Outbound Service (All Services), Security Option (Default security option), Schedule (All day), Allow in the above schedule / Deny in the above schedule, Enable Expiry Time with Expiry Time, Enable This Policy, Perfect Forward Secrecy, OK and Cancel. The Inbound Service, Outbound Service and Schedule options are extensions by SANGFOR. These options are valid only on the lo
23. Login: the options are No need to log in, Remember login credential and Record (Login Sequence / URL; no data available). Select No need to log in for a website that does not require authentication, and select Remember login credential for a website that requires authentication. If the website requires authentication, after selecting Remember login credential, click Record to open the Record page. Go to the browser proxy tab and configure the following: Proxy Server IP 10.251.251.251, Port 5066. The page also lists Logout Value (Logout, Log out, Exit) and the buttons How To, Next and Cancel. Follow the instructions in the wizard and save the record under Remember login credential; the record can be used in the next scan. Configure the possible keywords shown on the page after a successful login in the Logout Value column; if any keyword in the Logout Value column matches, the login is considered successful and the login credential is remembered.
Operating Environment: used to determine the web server type, OS type, web technology used and third-party application type manually. The settings are set to Auto by default. In Site Settings > Operating Environment, the following are selected by default
24. SANGFOR Technologies Co., Ltd. SANGFOR International Service Centre: 60 12711 7129 7511; Malaysia: 1700817071; Email: tech.support@sangfor.com.hk; RMA: rma@sangfor.com.hk. NGAF V6.4 User Manual, SANGFOR, December 2015. SANGFOR NGFW 5.6 User Manual.
Declaration: Copyright SANGFOR Technologies Co., Ltd. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without the prior written consent of SANGFOR Technologies Co., Ltd. SANGFOR is the trademark of SANGFOR Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders. Every effort has been made in the preparation of this document to ensure the accuracy of the contents, but all statements, information and recommendations in this document do not constitute a warranty of any kind, express or implied. The information in this document is subject to change without notice. To obtain the latest version, contact the international service center of SANGFOR Technologies Co., Ltd.
25. The NGAF supports the following authentication modes: No authentication; Password authentication, including local password authentication and external server authentication; Single sign-on (SSO) authentication. The authentication modes are set under the sub-menu Policy. For SSO authentication, configuration must also be done under the sub-menu Option. The authentication modes available in Policy are None/SSO, SSO/Local or external password authentication, and SSO only. All three options include SSO authentication: if SSO authentication is configured in Authentication Option, the user name is used with priority for Internet access after the user name of the computer has been identified using the SSO function.
1. None/SSO: if this option is selected and SSO authentication is configured in Authentication Option, the user name is used with priority for Internet access after the user name of the computer has been identified using the SSO function. If this option is selected and SSO authentication is not configured, the NGAF identifies users based on the source IP addresses, source MAC addresses and computer names of the data packets. In this authentication mode, the authentication dialog box requesting the user name and password does not pop up in the web browser before the user accesses the Internet; that is, the user does not feel the existence of the NGAF. How to create a user account not requiring authenticat
26. (Figure: ARP Table page with Add and Refresh buttons and an ARP Proxy tab; columns No., IP Address, MAC Address, Interface, Edit.)

Click Add to add a static ARP entry. See the figure below. (Figure: Add ARP Entry dialog with fields IP Address, Get MAC Address, MAC Address and Interface.)
IP Address: IP address to which a static ARP entry is to be bound.
MAC Address: MAC address to which the static ARP entry is to be bound.
Interface: Set it to an interface on the same network segment as the bound IP address.

3.2.4.1.2 ARP Proxy
The ARP proxy function indicates that the NGAF equipment proxy-responds to ARP requests to protect hosts on the internal network. See the figure below. (Figure: Add ARP Proxy dialog with fields Start IP, End IP and Interface.) For details about the configuration of the ARP proxy, see section 5.3.

DNS
On the DNS tab page, you can set the DNS proxy function and the DNS server for the NGAF equipment to access the public network. See the figure below. (Figure: Advanced Network Settings. DNS Server: Preferred DNS 8.8.8.8, Alternate DNS 202.188.1.133. DNS Proxy: Once enabled, the local DNS server can direct to this device, which sends DNS requests on behalf of internal hosts; make sure this device can resolve DNS requests. DNS Proxy: Enable / Disable.) You can set the DNS servers for the NGAF equipment to access the public network in Preferred DNS and Alternate DNS.
27. (Figure: Add Webmaster dialog: Username admin1, Password and Confirm (masked), Allow to enable/disable anti-defacement. A second webmaster, admin2, is added the same way. Email settings: Sender Address Administrator@domain.com; SMTP Server smtp.domain.com; Require authentication; Username Administrator; Password (masked); Sent Test Email; OK.)

Step 4: Choose Server Security > Website Anti-Defacement and click Add to create two anti-defacement policies for websites 1 and 2.

(Figure: Edit Website Anti-Defacement Rule. Website Name: website1. Start URL: http://web1.com. Server IP Settings. Max URL Levels: 5. Detection Method: Fuzzy match (high sensitivity); Check for resource file defacement; Check for unsafe links to virus/ads on defaced webpage. Action Taken if Defacement Detected: Notify network administrator, Email test1@domain.com (Test); Block user from accessing website: Redirect browser to prompt page (Edit Webpage) or Redirect browser to server address; Log event; Allow admin to maintain this website: Webmaster admin1, Portal https://192.200.17.21:8000/guard.html (Visit Now). Advanced; OK; Cancel.)

Website Server Address ure IP address lis
28. (Figure: IP groups: 1 All (All IP addresses); 2 Server Farm; 3 LAN IP Range. Interface tabs: Physical Interface, Sub-Interface, VLAN Interface, Aggregate Interface, Zone, Link State Propagation. Zone list (Zone Name, Zone Type, Interfaces, Device Mgt Privilege, Allowed Address): LAN, Route (layer 3), eth2, WebUI/snmp, All; WAN, Route (layer 3), eth1, WebUI/snmp, All.)

Step 2: Access the Web Application Protection page and click Add. The Add Web Application Protection Rule dialog box is displayed. Set Name; set Zone to WAN in the Source area (the protected servers are on the intranet); and set Zone to LAN, IP Group to Server Farm and Port to WEB 80 in the Destination area. Keep the other default ports. (Figure: Add Web Application Protection Rule: Enable; Name DLP; Description; Source Zone WAN; Destination Zone LAN; IP Group Server Farm; Port HTTP 80, FTP 21, MYSQL 3306, TELNET.)

Step 3: Configure a sensitive data protection policy. When the data retrieved from a query contains bank accounts, mobile phone numbers and identity card numbers, the query is considered a data leak. (Figure: Data Leak Protection: Sensitive data protection (Settings); File download restriction (Settings); IP/URL Whitelist. Sensitive Keyword Group: Select Sensitive Keywords (the selected are combined with AND logic); columns No., Sensitive Keyword, Regular Expression.)
29. (Figure residue: IP range 192.168.1.1-192.168.1.255.) Select Expiry Date and Date, and set the date to 2012-01-01 00:00.

(Figure: Bind IP/MAC: Enable IP/MAC Binding; Bidirectional binding between user and address / Unidirectional binding between user and address; Modify IP/MAC address: IP Address, MAC address, IP/MAC address (required; one IP range per row; login is allowed on those addresses only), for example 192.168.1.1-192.168.1.255; Obtain Mappings from IP Group. Public Account. Allow concurrent login on multiple terminals. Logout Page: Show Logout page if user passes password-based authentication. Expiry Date: Never expire / Date.)

Step 4: Click OK. The batch editing is completed.

3.7.1.4.2 Importing and Exporting Users/Groups
You can import users or groups into the equipment, or export them from it, in batches by using this function. Click Import/Export and select Import. The User Import page is displayed, on which you can import users. For details, see section 3.6.1.4.

3.7.1.4.2.1 Configuration Example: Exporting Users/Groups
Export the Engineering Department group and its users.
Step 1: On the Members page, select the Engineering Department group, click Import/Export and select Export. (Figure: Members toolbar: Add, Refresh, Select, Import, Export, Search by Name.)
Step 2: Check the export success informatio
30. Algorithms (Algorithm; Type; Provider; Description; Operation):
DES: Encryption Algorithm; Walter Tuchman and Carl Meyer; Data Encryption Standard, for encrypting data.
3DES: Encryption Algorithm; Walter Tuchman and Carl Meyer; Triple DES Standard, for encrypting data.
MD5: Authentication Algorithm; Ronald L. Rivest of the RSA; Message Digest Algorithm, for authentication.
AES: Encryption Algorithm; Joan Daemen and Vincent Rijmen; Advanced Encryption Standard, for encrypting data.
SHA-1: Authentication Algorithm; US National Security Agency (NSA); Secure Hash Algorithm 1, for authentication; Delete.
SANGFOR_DES: Encryption Algorithm; Sangfor vpn group; Data Encryption Standard, for encrypting data; Delete.
(Save and Apply)

As shown in the preceding figure, multiple encryption algorithms and authentication algorithms, including DES, 3DES, MD5, AES, SHA-1 and SANGFOR_DES, are set on the equipment. You can add other algorithms as required. To add algorithms, contact SANGFOR.

Advanced
The Advanced configuration module consists of multiple sub-modules, including LAN Service, Multicast, LDAP Server, RADIUS Server, Dynamic Routing and Certificate.

LAN Service
The SANGFOR equipment can specify access permission for connected VPN users. It can restrict an IP address or mobile user on the internal network of a branch to specific services on a certain computer of the internal network. It can also set inbound and outbound policy parameters for inter
31. (Figure: Bind IP/MAC, Binding Mode: Bind the IP on initial logon / Bind the MAC on initial logon / Bind the IP and MAC on initial logon. Added as casual account (not to any local group) with the same privilege as User Group. No authentication for new users.)

If Added to specified local group is selected, the new users are added automatically to the user list in the NGAF. The Select Group parameter specifies which user group new users are added to. In this example, the new users authenticated by a third party are added to the IT group; therefore, choose IT for Select Group.

If Not applied to new users authenticated against external LDAP server is selected, users authenticated against a third-party LDAP server or by SSO are synchronized to the NGAF based on the configured LDAP synchronization policy (if there is any) and are added to the corresponding group prior to the configuration of Select Group.

Under Other User Attributes, the Concurrent Login and Bind IP/MAC parameters can be specified. The options for Concurrent Login are Allow concurrent login on multiple terminals and Only allow login on one terminal. The configuration takes effect only for authenticated users.

The binding mode for IP/MAC binding can be one-way or bidirectional.
One-way binding: The user can be authenticated using only a dedicated address, and other users can also use the same address for authentication.
Bidirectional binding: The user can be authen
32. Disable the selected rule: the NGAF will not use this rule.
Character String, Regular Expression and Direction are used to configure the rule content; the first two fields can be left blank.
Type: Select which target the IPS should protect. See the figure below. (Figure: Server Protection / Endpoint Protection / Server and endpoint protection.)

VPN
The VPN module allows you to configure the VPN function and view the VPN connection status. Basically, the VPN module has two types of VPN, SSLVPN and IPSecVPN, as shown in the figure below. (Figure: VPN > SSLVPN, IPSecVPN.) The difference between these two types is that SSLVPN is mainly for mobile users to connect to the NGAF, whereas IPSecVPN is used for branch connections. IPSecVPN consists of SangforVPN and standard IPSec VPN.

SSLVPN
Online Users
The Online Users page shows information about the online users, such as the number of users connected to the SSL VPN, the time when these online users connected, the amount of received/sent bytes, and the outbound and inbound speed. The administrator can disconnect or disable any of these online users. The Online Users page is as shown below. (Figure: Online Users: Refresh every 10 seconds; Refresh; Disconnect; Unfold All; Locked; View; search by keyword; columns Username, Description, Logged in At, WAN interface IP, Authentication, Group; Default group.)

The following are the con
33. (Figure: Example 200.200.0.1; Obtain Mappings from IP Group; Scan MAC; Allow concurrent login on multiple terminals; Show Logout page if user passes password-based authentication; Expiry Date: Never expire / Date; OK; Cancel.)

Step 6: Set the authentication policy for users on other network segments as follows.
Requirement: Other network segments on the intranet do not require authentication. The IP address is taken as the user name. The new users are automatically added to the Default group.
Choose Policy and edit the Default Policy. Select None/SSO and Take IP as username under Authentication. (Figure: Authentication Policy. Name: Default Policy. Description: Default Policy. IP/MAC Range: 0.0.0.0-255.255.255.255. Authentication: None/SSO, with Take IP as username / Take MAC as username / Take host name as username (if SSO is configured, the detected username is preferable); SSO/Local or external password authentication (the browser will be redirected to an authentication page when the user attempts to access the Internet, on which user credentials are required); Configure External Auth Server.)
In New User Option, select Added to specified local group and select Default group. (Figure: New User Option for users outside local device: Added to specified local group; Select Group: Default group; Not applied to new
34. (Figure: console menu: Firewall, Access Control, IPS, Server Security, Risk Assessment, Bandwidth Mgt, System, Maintenance and Configuration Wizard. System Status page: Select Panel; Show Default Panels. Panels: Resources, System, Interface; Sessions 2131; Locked Sources 0; Alerts; Blocked/Logged 388/388; CPU, Memory, Disk; System Time 2015-11-23 10:01:48; RT Vulnerability Analysis; Security Events; Traffic Ranking; Top 5 RT Vulnerabilities; Top 5 Attacks Today; Abnormal Traffic; Flow Control; DHCP; Online Users; Affiliated Source Lockout; "No policy is created" (Settings); Top 5 Outgoing DoS Attacks (Last 7 days); Top 5 Backlink Injections (Last 7 days).)

The icon in the lower right corner of the console is used to notify system information and alarm information about the equipment in real time. When you hover the pointer over the help icon on any configuration page, brief help information about the current configuration item is displayed. This part is not described in the following sections.

2 Function Description
Status
The Status configuration module displays basic status information about the equipment, including System Status.
System Status
The System Status page displays alerts, resources, system
35. (Figure: columns Internet IP, LAN IP, Time Connected, Protocol.)
Click Refresh to refresh the VPN connection status and traffic status.
Click Tunnel NAT Status to view the current tunnel NAT status, including the user name, original subnet segment, proxy subnet segment, network type and subnet mask. See the figure below. (Figure: Refresh; Total Network Segments; Total Users 0; NATed 0; Entries Per Page 50; columns No., Username, Source Subnet, Translate to Subnet, Type, Subnet Mask.)
Click Stop Service to stop the VPN service temporarily.
Click Search and enter a user name to quickly learn the connection condition of the user. See the figure below. (Figure: Search / Cancel.)
Click Display Options to select the options to be displayed. See the figure below. (Figure: Select All; Connection Name, User Name, Description, User Type, Realtime Traffic, Internet IP, LAN IP, Time Connected, Protocol.)

Basic Settings
The Basic Settings page displays Web agent information, the MTU value of VPN data, the minimum compression value, the VPN listening port, the VPN connection mode, broadcast packet settings and performance settings. WebAgent specifies the address of the dynamic IP addressing file on the Web server. There are two WebAgent addresses, of which one is primary and the other secondary. See the figure below. (Figure: Basic Settings: Primary WebAgent; Secondary WebAgent; MTU (224 to 2000); Min Compressi
36. It is only applicable to abnormal connections. Detection based on the specified rule will not be applied to connections to the destination IP address. (Figure: Destination IP page: Enter keyword; Detection Rule; Delete; No data available; 1 of 1; Entries Per Page 50; OK; Cancel.)

Web Filter
Web filter is used to filter the access data of web pages that meet the criteria. It includes URL filter and file filter. See the following figure. (Figure: URL Filter / File Filter tabs; Add, Delete, Refresh; example rule: No. 1, Name test, Source Zone LAN, Source IP/User, URL Category Adult Content / Pornography / Gambling, Type HTTP get / HTTP post / HTTPS, Schedule All week, Logging No, Action Deny, Status enabled.)

URL Filter
URL filter is mainly used to filter the URLs of web pages that meet the criteria. Access the URL Filter page and click Add. See the following figure. (Figure: URL Filter: Enable; Name test; Description; Source Zone LAN; IP/User: IP Group LAN IP Range / User Group Select; URL Category: Adult Content, Pornography, Gambling; Type: HTTP get, HTTP post, HTTPS; Schedule: All week; Action: Allow / Deny; OK; Cancel.)

Name: It specifies the name of a rule.
Description: It specifies the description of a rule.
Source Zone and IP/User: You can set the intrane
37. About This Document
Organization
Part I: Introduces the installation guide to the NGAF product of SANGFOR. This part describes the appearance, functions and performance specifications of the NGAF equipment, and the preparations and precautions for its connection.
Part II: Introduces how to use and log in to the NGAF console.
Part III: Introduces the functions of the NGAF equipment.
Part IV: Introduces the functions of the NGAF data center.
Part V: Introduces a set of cases. This part describes typical configuration cases of functional modules under a common environment.

This document takes the SANGFOR NGAF5100 as an example. Equipment of different models differs in both hardware and software specifications. Therefore, confirm with SANGFOR about problems involving product specifications.

Conventions
GUI Conventions (Item; Sign; Example):
Button: Frame, Shadow, Shading; the OK button can be simplified as OK.
Menu item: the menu item System Setup can be simplified as System Setup; for cascading menu items, Choose System Setup > Interface Configuration.
Drop-down list option, button, check box: the Enable User check box can be simplified as Enable User.
Window name: Bold Font; Open the New User window.
Prompt: the prompt "Succeed in saving configuration"; "The configuration is modified. You need to restart the DLAN service for the modification to take effect. Restart the serv
38. (Figure: Split horizon: Yes / No; Poison Reverse: Yes / No; Authentication: Plaintext / MD5 / None; OK; Cancel.)
Name: name of the interface corresponding to the network segment published in Network Segments.
Interface IP Address: IP address of the interface.
Passive Interface: RIP work status on the interface. The default value is No.
Version (receive): version of RIP packets received on the interface. If the version is set to RIPv2, both RIPv1 and RIPv2 packets can be received.
Version (send): version of RIP packets sent on the interface. RIPv1 packets are transmitted in broadcast mode. RIPv2 packets are transmitted in broadcast or multicast mode; by default, RIPv2 packets are transmitted in multicast mode. If the version is set to RIPv2, both RIPv1 and RIPv2 packets can be sent.
Level Division (Split horizon in the figure): whether to allow level division. Level division indicates that a route learned from an interface cannot be sent back through this interface, which avoids routing loops. By default, level division is allowed.
Reversion (Poison Reverse in the figure): whether to allow reversion. After reversion is enabled, a route received from an interface will be flooded back through this interface with an infinite metric. By default, reversion is disabled.
Encryption: mode for encrypting packets. It can be set to Plaintext, MD5 or None. RIPv1 does not support packet encryption. RIPv2 supports plaintext and MD5 encryption.
Password: pas
39. The exclusion rule keeps the involved types of data flow from being affected by traffic management policies; for example, the data flow from the intranet to the servers deployed on the DMZ of a front firewall, with the NGAF deployed in bridge mode. As these data packets do not pass through the Internet, they shall not be restricted by the Internet bandwidth restriction policies, and the applications or IP addresses involved with those servers shall be added to exclusion rules.

3.12.7.3.1 User Configuration Example
Assume that the NGAF is deployed in bridge mode, servers are deployed on the DMZ of the front firewall, and an exclusion rule is to be configured for the data flow accessing these servers.
Step 1: Choose Object Define > IP Group and click Add. On the displayed screen, enter the IP addresses to which the exclusion rule applies. (Figure: Add IP Group: Name Server Farm; Description; IP Address 172.16.1.10-172.16.1.100; Resolve Domain; OK; Cancel.)
Step 2: Choose Traffic Management > Channel Configuration > Exclusion Rule and click Add. (Figure: Bandwidth Channel: Enable Bandwidth Management System; Bandwidth Channel / Exclusion Rule tabs; Add, Refresh; columns No., Name, Application Category, Dst IP Group, Delete.)
Step 3: Set the exclusion rule. Enter the rule name and select the application type and destination IP group. If the application type
40. The headquarters can access the services provided by the internal network of the Shenzhen branch by using an IP address on the network segment 192.168.20.0/24.
Before using the multicast services in Advanced, choose VPN > Advanced > Multicast and add the required services.
Before using tunnel NAT in Advanced, choose VPN > Virtual IP Pool and add the required branch virtual IP network segment.
The Shenzhen branch and the Shanghai branch cannot visit each other through an inter-tunnel route. If the Shenzhen branch and the Shanghai branch need to visit each other through the inter-tunnel route, tunnel NAT needs to be enabled for both of them, for the purpose of translating their respective network segments into two different IP network segments. Then add an inter-tunnel route of which the source is an actual physical IP network segment and the destination is a virtual IP network segment.

VPN Connection
The equipment provides the network node interconnection and setup functions to implement interconnection between multiple network nodes. You can perform setup on the VPN Connection page.
VPN connection needs to be enabled only when the equipment serves as a branch and needs to connect to other equipment at the headquarters. VPN connection does not need to be enabled if the local end is the equipment at the headquarters. (Figure: VPN Connection: New; columns Status, Connection Name, Primary Webagent, Secondary Webagent, User, Pr
41. (Figure: Predefined Sensitive Keywords: MD5, Email address; Custom Sensitive Keywords: ATM; Description (optional); Hit Count Threshold; OK; Cancel. Sensitive Data Hit Count Based On: IP address; Add, Delete; columns Sensitive Keyword, Hit Count Threshold; DLP, 1; OK; Cancel.)

Step 4: Configure the file download filter to prevent downloading files in doc and xls formats from the servers. (Figure: Select File Type Group: select file types that cannot be downloaded; Refresh; Fuzzy match; columns No., File Type Group, Description; Predefined File Type; Custom File Type: 46 doc, 47 xls; OK; Cancel.)

Step 5: Set Action to Deny and Logging to Log Event, and click OK. (Figure: Action: Allow / Deny; IP Lockout: Lock source IP; Logging: Log event (Settings). Rule list toolbar: Add, Delete, Enable, Disable, Move Up, Move Down, Move, Refresh. Rule 1: Name DLP; Source Zone WAN; Dst Zone LAN; Dst IP Server Farm; Protection: Buffer Overflow (URL overflow, Post entity overflow), 10.0.0.0/24, Data Leak Protection (Sensitive data protection, File download restriction).)

Website Anti-defacement Configuration
The following figure shows a network topology where the NGAF works as a router and two web servers are deployed on the intranet. The following requirements must be met:
- The NGAF protects the w
42. You can specify the environment manually: Web Server (Auto), OS (Auto), Web Technology (Auto), Third Party Application (Auto).
Probe Again: Click Probe Again to examine and explore the operating environment of the website.
Template: Templates are used to determine the scanning contents and scanning options, which will be discussed in a later section. By default, two templates are available, named Quick scan and Full scan. Additional templates can be added to fulfil the user's requirements. (Figure: Template: Quick scan (ordinary scanning, taking relatively less time); Full scan (takes a longer time); Add.)
Add: Click Add and the following page will be shown. (Figure: Basic Settings; Template Name; Description; Scan Options; Custom 404 Error; Crawler; Test Policy.)
Basic Settings: Defines the Name and Description of the new template.
Scan Options: Defines scanning restrictions such as Request Timeout (in seconds), Max Attempts, Max threads, Longest Scanning (in minutes), Max File Size for Scan (in bytes) and the Enhance Scanning option. Configuration of the Proxy Server and port falls under this page as well.
Custom 404 Error: Adds a regular expression; if the regular expression matches the website page, the page is recognized as a custom 404 error page. This helps to provide more correct scanning results. A RegEx Tester is available on
43. (Figure: Server Security, Based on Target Server 192.200.17.200. Attack sources with Attack Count and Percent: 202.96.137.75 (23, 24.2%); 192.254.234.101 (16, 16.8%); 12312668166 as printed (9, 9.5%); 173.254.28.87 (8, 8.4%); 184.154.14.24 (6, 6.3%); 216.92.220.211 (6, 6.3%); 192.254.205.29 (6, 6.3%); 195.242.93.116 (4, 4.2%); 74.125.135.157; Other. Each row has Trend and Source links.)

Step 3: To view the type of web application attack on the server with the IP address 10.10.1.1, click the corresponding attack count to link to the attack details. (Figure: Server Security, Attack Count. Filter: Period 2013-08-15; Server IP 192.200.17.200; Threat level High / Medium / Low; Attack type WAF; Action Allow / Deny. Statistics: Attack Type; Chart type Ranking; Show Top 10. Result: Attack Type HTTP error page filter, Attack Count 23, Percent 100%, Trend, Source.)
The data shows that all attacks on the server are SQL injection attacks, totaling 3509 times.
To enable the data center to collect statistics on server security logs, click Log event in the Action area on the console.

Endpoint Security
The Endpoint Security page enables users to collect statistics on the number and percentage of DoS attacks, IPS attacks and vir
44. ... and the ETH1 and ETH3 pair. Data flowing to interface ETH4 must be forwarded through interface ETH2, and data flowing to interface ETH1 must be forwarded through interface ETH3. This can be realized by configuring virtual wire interfaces.
Step 1: Log in to the NGAF by using the default IP address of the management port ETH0, which is 10.251.251.251/24. Configure an IP address in the same network segment as the default IP address on your PC, and log in to the NGAF by using https://10.251.251.251.
Step 2: Choose Network > Interface and click the interface to be configured as an Ethernet interface, such as ETH2. The following dialog box is displayed. (Figure: Edit Physical Interface: Enable; Name eth2; Description external; Type Virtual wire (layer 1); Added To Zone: Select zone; Interface 1 eth2; Interface 2 eth1; Basic Attributes: WAN attribute; Advanced: Configure link mode, MTU and MAC address; OK; Cancel.)
Set Type to Virtual wire. The Virtual Wire page is displayed, providing the option of setting the interface pairs of the virtual wire. For details, see section 3.2.3.
Set Added To Zone to the zone to which interface ETH2 belongs, which is a WAN in this example. Set the zone in advance based on section 3.2.1.4.
Set Basic Attributes to WAN attribute if the interface connects to an uplink.
The Advanced option enables users to set the operating mode, MTU and MAC address of the ne
45. ... interfaces information, Top 5 RT Vulnerabilities, Top 5 Attacks, Top 5 Bots, Data Leak, Top 5 Backlink Injections, Top 5 Outgoing DoS Attacks and Top Applications By Traffic (All lines, Bidirectional).

Selecting Panels
On the System Status page, click Select Panel. The following page is displayed. (Figure: Select Panel; Show Default Panels; Top Attacks, Bots, Real Time Vulnerability Analysis, Data Leak, Backlink Injections, Outgoing DoS Attacks, Top Applications By Traffic.) Select the status information to be displayed on the System Status page.

Showing Default Panels
On the Status page, click Show Default Panels and the default panels are displayed, including Alerts, Resources, System, Interface, Top 5 RT Vulnerabilities, Top 5 Attacks, Top 5 Bots, Data Leak, Top 5 Backlink Injections, Top 5 Outgoing DoS Attacks and Top Applications By Traffic (All lines, Bidirectional).

3 Viewing Status
3.1.1.3.1 System Status
The System Status page displays the overall conditions of system resources, including the CPU usage, memory usage, disk usage, number of sessions, number of online users, system time, and information about Locked Sources and Blocked/Logged actions. See the figure below. (Figure: Resources: CPU, Memory; Sessions 4592; Locked Sources 0; Blocked/Logged 408/406; Online Users; System Time 2015-11-23 10:32:40.) The information automatically refreshes every 5 seconds.
3.1.1.3.2 In
46. (Figure: group tree: test, QA, Default. Group test: Members; Sub-groups 0; immediate users 1; total users 1. Members toolbar: Add, Delete, Refresh, Edit Multiple, Select, Import, Export, Move, Search by Name; columns No., Name, Address, Expiry Date, Status; row 1: usera, No binding information, Never expire.)

Step 3: In the Add User dialog box, select Enable user and set Name, Description, Display Name and Added To Group. (Figure: Enable user; Description; Display Name; Added To Group: Admin.)

Step 4: Set User Attributes. Select Bind IP/MAC and bind the user to the IP address/MAC address. In this example, bind the user to the IP address/MAC address 192.168.1.117 00:1C:25:AC:4C:44 in a bidirectional manner. Click Binding Mode and select Bidirectional binding between user and address in the displayed dialog box. Select Bind IP/MAC and type 192.168.1.117 00:1C:25:AC:4C:44 in the text box. (Figure: Bind IP/MAC; Binding Mode; IP Address / MAC Address / IP and MAC; one entry per row; annotation is separated by the marker shown in the dialog; Example: 200.200.0.1; 192.168.1.117 00:1C:25:AC:4C:44.) Set Expiry Date for the user. (Figure: Expiry Date: Never expire / Date.)

Step 5: After the user attributes are set properly, click OK. The user is added successfully. (Figure: Members: Group Path Admin; Modify; Description Admin. Admin Members: Sub-groups 0; immediate users 3; total users 3.)
47. ... the assured network bandwidth is provided to the financial department for visiting online banks and receiving and sending emails when the network is busy. (Figure: Bandwidth Channel: Enable Bandwidth Management System; Bandwidth Channel / Exclusion Rule tabs; Add, Delete, Refresh; columns Bandwidth channel, Application, Dst IP Group, Schedule, Target, Min Bandwidth.)

On the Bandwidth Channel tab page, click Add and choose Bandwidth channel. The Add Bandwidth Channel screen is displayed. (Figure: Add Bandwidth Channel: Enable channel; Name; Bandwidth Channel: Target Line Line 1; Applicable Objects; Channel Type: Guaranteed channel (Outbound Min/Max, Inbound Min/Max, Priority High) / Limited channel (Outbound, Inbound, Priority); Per User Max Bandwidth; OK; Cancel.)

Select Enable channel. If the checkbox is deselected, the traffic control function of the channel does not take effect.
Enter the channel name in Name.
Choose Bandwidth Channel under Options. Set the properties of the channel on the right. (Figure: Add Bandwidth Channel: Enable channel; Name Finance; Bandwidth Channel: Target Line Line 1; Applicable Objects; Channel Type: Guaranteed channel, Outbound Min, Priority 5; Limited channel, Outbound (Mbps), Inbound (Mbps), Priority; Per User Max Bandwidth; OK; Ca
48. ... the authentication fails.
Step 3: If user test does not exist as a local user, or user test exists as a local user with the local password not being configured, the NGAF checks the user name and password against the external authentication server. If the user name and password are correct, the authentication succeeds; if not, the authentication fails.
In conclusion, local authentication is executed prior to external authentication.

3. SSO only
If this option is selected, computers within the address range specified in Policy can access the Internet only after successful SSO authentication.
Configuration
Step 1: Set the authentication policy for the specified network segment to SSO only.
Step 2: In Authentication Option, select SSO only. For a domain SSO, set the domain server accordingly. See section 3.6.2.2.1.
You can set exceptional users for SSO authentication. In this case, those users only have to input the user name and password for authentication before accessing the Internet.

Handling new users
New users refer to users that do not exist in the NGAF. For these users, the NGAF matches their IP or MAC addresses to the authentication policy and checks whether to add these users based on the settings of New User Option in Authentication Policy. The users successfully authenticated are added automatically, including the following:
1. Users authenticated based on the following configuration: N
49. ... type the information in the text box and press Enter. (Figure: Search by Name; Status; Search by IP; Search by MAC.)
Advanced search: This function is only used to search for users. You can use it to search for users based on multiple search criteria. Search criteria include basic search criteria and other search criteria. When you set multiple search criteria, they must all be met at the same time. (Figure: Search by Name; Advanced Search.)
The Basics pane displays three options: Username, IP and MAC. You can select only one of the three options. See the figure below. (Figure: Basics: Username (Name); IP (Start IP, End IP); MAC (MAC Address).)
The Others pane displays three options: Expiry Date, User Status and Allow concurrent login on multiple terminals. (Figure: Others: Expiry Date (Start Date, End Date); User Status: Any / Enabled / Disabled; Allow concurrent login on multiple terminals.)

3.7.1.3.2 Adding Users/Groups
Adding Sub-groups
The default group on the equipment is the root group, indicated by a slash. The root group cannot be deleted and its group name cannot be modified. Groups created by users are sub-groups of the root group. Groups on the equipment are classified into different levels: the root group is a Level 1 group, sub-groups of the root group are Level 2 groups, and so on. This adapts to the organizational structure of an e
50. 2. Choose Traffic Management > BM Line and set the BM line list and policy. For details, see section 3.12.4.

Step 3: Configure the traffic restriction channel. In this example, the P2P and download data of the sales department employees are controlled; the total bandwidth occupied by these services is restricted to below 2 Mb/s for the department. On the Bandwidth Channel tab page, click Add and choose Bandwidth channel. The Add Bandwidth Channel screen is displayed. Select Enable channel; if the check box is deselected, the traffic control function of the channel does not take effect. Enter the channel name in Name; the slash before the channel indicates a primary channel. Choose Bandwidth Channel under Options and set the properties of the channel on the right.

[Figure: Add Bandwidth Channel dialog: Enable channel; Name: P2P limit; Bandwidth Channel: Guaranteed channel (Applicable Objects; Outbound Min/Max; Inbound Min/Max; Priority) or Limited channel (Outbound; Inbound; Priority); Per User Max Bandwidth: Outbound 0, Inbound; OK / Cancel]

The menu Bandwidth Channel under Options is used to set the effective line, the channel type (restricted or guaranteed bandwidth) and the bandwidth per user. The parameter Target Line defines the applicable line of the channel, that is, only the data packets on the specified line are mapped to the channel. For deta
51. [Figure: security event list; every row shows Src IP 192.200.17.1, a public Dst IP, Rule ID 13070171, Threat Level High, an Action column, Data (View) and Bypass (Auto Bypass)]

Move the cursor to Information to show details.

click Log event in the Action area.

IPS: The IPS page enables users to view exploits of vulnerabilities detected by the IPS module.
52. Server Security: The Server Security page displays the types of attacks suffered by target servers. See the figure below.

[Figure: Recent Security Events > Server Security tab, with Refresh (5 seconds) and Refresh buttons; columns: No., Time, Target Server, Description, URL, Attack Type, Details]

The displayed information includes the attack time, target server, URL, attack type and attack details. Click Refresh (5 seconds) to set the refresh interval. Click Refresh to refresh the information immediately.

Endpoint Security: The Endpoint Security Events page displays the types of attacks suffered by the end users. See the figure below.

[Figure: Recent Security Events > Endpoint Security tab, with Refresh (5 seconds) and Refresh buttons; columns: No., Time, Host IP, Username, Group, Attack Type, Details]

The displayed information includes the attack time, host IP address, user name, group, attack type and attack details. Click Refresh (5 seconds) to set the refresh interval. Click Refresh to refresh the information immediately.

Recent Attack Sources: The Recent Attack Sources page displays the sources of recent attack events. See the figure below.

[Figure: Recent Security Events > Recent Attack Sources tab, with Refresh (5 seconds) and Refresh buttons; columns: No., Time, Attack Source, Attack Type, Details]

The displayed information includes the attack time, attack source, attack
53. [Figure: Online Users list; rows show login times such as 2013-8-6 17:50:48 (Log In) and 2013-8-7 08:15:20 (Log In), online durations from 17 hours 19 minutes down to 1 hour 58 minutes, and an Operation column]

The displayed information includes the name, group, IP address, authentication mode, login time or lockout time, online duration and the operation to be performed. On the page, enter a keyword in the Search box to query online users of the corresponding user group. On the Online Users page you can search users by name or IP address. See the figure below.

[Figure: Search by Name / Search by IP selector]

Filtering Online Users: Click Filter to specify the conditions for filtering users. See the figure below.

[Figure: Filter dialog: User Status: All; Objects: Username (one username per row), IP (one IP address or IP range per row)]

User Status can be set to All, Locked or Active. After selecting the Objects check box, you can filter users by user name or IP address. After setting the user name or IP address, click OK.

Locking Online Users: Select one or more users and click Lock to end the network connections of the selected users. The p
54. Delete deletes time segments. Select a time segment that you want to delete and click Delete; the selected time segment is deleted. Schedule Preview displays time segments: the horizontal axis indicates time points and the vertical axis indicates a date range.

File Type Group: The File Type Group panel is used to define required file types. It can be applied to the File Filter tab page of the Web Filter panel of the Access Control configuration module for limiting upload and download of HTTP and FTP files, and can also be applied to the Bandwidth Channel tab page of the Bandwidth Channel panel of the Bandwidth Met configuration module for setting bandwidth control on file upload and download. In the navigation area, choose Objects > File Type Group. The File Type Group page is displayed on the right.

[Figure: File Type Group page (Add, Delete, Refresh) listing the predefined groups:
1. Movie: Movie format file
2. Music: Music format file
3. Image: Image format file
4. Text: Source file
5. Compressed File: Compressed file such as zip, rar, tgz
6. Application Program: Executable file, script]

On the File Type Group page, click Add. The Add File Type Group dialog box is displayed, as shown in the figure below.

[Figure: Add File Type Group dialog: Name; Description; File Extension (type here)]

Name: name of the file type group. Description: description of the fi
55. Description: Office Email. Category: Mail.

Step 2: Set Packet Feature.

[Figure: Packet Feature dialog: Direction (packets transmitted in the specified direction may match this feature): LAN <-> WAN, LAN -> WAN, WAN -> LAN; Protocol: TCP; Dst Port: All / Specified: 25; IP Address: All / Specified; Target Domain: mail.sangfor.com.cn; OK / Cancel]

Direction: direction in which the data passes through the equipment. Only data in that direction will be identified. Protocol: protocol type of the data; in this example, emails are sent over the TCP protocol. Dst Port: destination port of the data; in this example, emails are sent to TCP port 25. IP Address: source IP address, destination IP address or destination IP address identified by the proxy. Target Domain: destination domain name accessed by the data; in this example it is set to the domain name of the office email address, for example mail.sangfor.com.cn.

Step 3: After the settings are completed, click OK.

[Figure: App Ident Rules list (Add, Delete, Refresh, Import, Export; Give higher priority to custom rules); row 1: Rule Name: Office Email; Description: Office Email; Application: Mail; Customize; Status: Email]

Step 4: Set a priority for the custom rule. The embedded application identification database also stores email identification rules. I
56. [Figure: IPS rule category list (descriptions cut off in the source):
Worm Vulnerability: Worm is a malware computer program that replicat
Web Browse Vulnerability: It includes vulnerabilities on a variety of Web brows
Application Vulnerability: It includes vulnerabilities of various application soft
File Vulnerability: It includes vulnerabilities of various formats of files
Shellcode Vulnerability: Shellcode is small piece of code used as the payloa
Custom IPS rule: All takes effect]

Select Brute Force Attack and click Selected.

[Figure: protection template selection: Server Protection: FTP/IMAP Standard (Selected), Mail Vulnerability (Selected); Endpoint Protection: Web ActiveX Vulnerability (Selected); Brute Force attack: FTP/IMAP Standard (Selected)]

The Select Attack Type page appears. Select the attack types so that the device implements IPS protection for the related brute force attacks.

[Figure: Select Attack Type dialog (Fuzzy search); Attack Type and Description (descriptions cut off in the source):
FTP: A user continually login FTP server fail maybe try to brute f
IMAP Auth: A user continually login IMAP via AUTH mode maybe try to
IMAP Login: A user continually login IMAP via LOGIN mode maybe try to
IMAP Standard: A user continually login IMAP server fail maybe try to brute
IMAP Tls: A user continually login IMAP via TLS mode maybe try to b
MS Sql2000: A user continually login MS_SQL2005 2008 server fail maybe
MS Sql2008: A user continually login MS_SQL2008 2012 server fail maybe
Mysql: A user continu]
57. [Figure: Add Aggregated Interface dialog: Name; Description; Type: Route (layer 3); Added To Zone; Work Mode: Active-standby; Basic Attributes (WAN attribute, Pingable, Next Hop IP); Member Interfaces (Available); Line Bandwidth (Outbound, Inbound, Mbps); Advanced; OK / Cancel]

Name specifies the name of the aggregated interface. Description specifies the description of the aggregated interface. Type specifies the interface type; three types are supported: route, bridge and virtual wire. Added To Zone specifies the zone to which the aggregated interface belongs. Work Mode specifies the work mode supported by the aggregated interface; it can be set to load balancing (hash), load balancing (RR) or active-standby. Basic Attributes: the method of setting basic attributes is the same as that of setting the route interface. Member Interfaces specifies the interfaces to be aggregated. The method of setting Link State Detection and Advanced is the same as that of setting the route interface.

Zone: The Zone tab page displays the zone to which an interface belongs, so as to provide modules for invoking, including the content security, traffic management and firewall modules. There are three types: layer 2, layer 3 and virtual line. The layer 2 zone supports all transparent interfaces, the layer 3 zone supports all route interfaces, and th
58. Farm. Step 2: Choose Firewall > Anti-DoS/DDoS > Outside Attack. Set Zone to WAN, select Defense against ARP flooding attack, and set Scan Prevention.

[Figure: Add Outside Attack Defense Policy: Enable policy; Name: DOS protection; Description; Zone: WAN; Defense against ARP flooding attack, Per Src Zone Packets Threshold (packets/sec); Scan Prevention: IP scan prevention, Threshold 4000 packets/sec; Port scan prevention, Threshold 4000 packets/sec; OK / Cancel]

Step 3: Click Select type under Defense Against DoS/DDoS Attack to access the anti-attack configuration interface. Set Dst IP to Server Farm, select the attack detection types below, and click OK.

[Figure: Dst IP: LAN IP Range; Defense against ICMP flooding attack, Per Dst IP Packet Threshold (packets/sec); Defense against UDP flooding attack, Per Dst IP Packet Threshold (packets/sec); Defense against SYN flooding attack, Per Dst IP Packet Threshold, Per Dst IP Packet Loss Threshold, Per Src IP Packet Loss Threshold (packets/sec; values shown: 2000, 100000, 10000, 10000); Defense against DNS flooding attack, Per Dst IP Packet Threshold 10000 packets/sec]

Step 4: Select Log event and Deny in the Action area, leave Packet Based Attack and Abnormal Message Probe unspecified, and c
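The flood-defense thresholds in the dialogs above are all expressed as packets per second per destination IP. To make the mechanism concrete, here is an added example (not code from the SANGFOR manual or the device) of a per-destination sliding-window counter that raises an alert when a packet kind exceeds its threshold; the threshold values and the packet samples are constructed for the example, not the device's defaults.

```python
# Added example (not from the SANGFOR manual): a per-destination-IP
# packets-per-second counter of the kind a flood-defense policy applies.
# Threshold values and packet samples are constructed for this example;
# the manual's dialog expresses the real thresholds in packets/sec per
# destination IP.
from collections import defaultdict, deque


class FloodDetector:
    """Counts packets of each kind per destination IP over a sliding
    one-second window and raises an alert when a threshold is exceeded."""

    def __init__(self, thresholds):
        # thresholds: {"SYN": pps, "UDP": pps, "ICMP": pps, "DNS": pps}
        self.thresholds = thresholds
        self.windows = defaultdict(deque)  # (dst_ip, kind) -> recent timestamps

    def observe(self, ts, dst_ip, kind):
        """Record one packet. Returns an alert dict when the rate for this
        (dst_ip, kind) exceeds its threshold, otherwise None."""
        limit = self.thresholds.get(kind)
        if limit is None:
            return None  # packet kind not covered by the policy
        window = self.windows[(dst_ip, kind)]
        window.append(ts)
        # drop timestamps older than one second
        while window and ts - window[0] >= 1.0:
            window.popleft()
        if len(window) > limit:
            return {"dst_ip": dst_ip, "kind": kind,
                    "pps": len(window), "threshold": limit}
        return None


def scan_packets(packets, thresholds):
    """Run every (timestamp, dst_ip, kind) tuple through the detector and
    return the list of alerts, in order."""
    detector = FloodDetector(thresholds)
    alerts = []
    for ts, dst_ip, kind in packets:
        alert = detector.observe(ts, dst_ip, kind)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: 15 SYN packets to one server within 15 ms (a burst),
# one UDP packet to another host, and 3 SYN packets spread over 3 seconds
# (a legitimate rate that must not alert).
SAMPLE_PACKETS = (
    [(i * 0.001, "10.0.0.5", "SYN") for i in range(15)]
    + [(0.5, "10.0.0.6", "UDP")]
    + [(10.0 + i, "10.0.0.7", "SYN") for i in range(3)]
)
SAMPLE_THRESHOLDS = {"SYN": 10, "UDP": 5, "ICMP": 5, "DNS": 5}

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS, SAMPLE_THRESHOLDS):
        print(alert)
```

With the sample thresholds the burst to 10.0.0.5 produces one alert per packet from the 11th onward, while the slow stream to 10.0.0.7 never fills the window; a production implementation would rate-limit the alerts and pair the counter with the Deny action the manual's Step 4 selects.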
59. [Figure: LAN service IP range list: Source IP 172.16.1.100; Source Port 1-65535; Destination IP 192.168.1.20; Destination Port 20-21; Operation: Edit / Delete; Cancel]

1. Click New. In the IP Range dialog box, set the relevant parameters. See the figure below.

[Figure: IP Range dialog: Source IP: Start IP 172.16.1.100, End IP 172.16.1.100; Source Port: 1-65535; Destination IP: Start IP 192.168.1.20, End IP 192.168.1.20; Destination Port: 20-21]

Source IP: set it to the internal IP address 172.16.1.200. Source Port: the value ranges from 1 to 65535. Destination IP: set it to the IP address of the FTP server, 192.168.1.20. Destination Port: set it to the FTP service ports 20-21.

After defining the LAN service, you need to grant internal network permission for the user in Local Users. The LAN service settings can also apply to the Inbound Service and Outbound Service parameters in Inbound Policy and Outbound Policy of IPSec VPN. For details, see the above sections.

2. In Local Users, click Edit in the line of user Branch. The page shown below is displayed.

[Figure: edit user dialog: Username; Authentication: Local Password; Algorithm: AES; Confirm Password; User Type; Description; Added To: Default group; Inherit group attributes; Hardware authentication: Certificate, Enable USB key, USB Key; Assign virtual IP, IP Address; Valid Time: All day; Enable expiration; Enable user; Enable My Network Places; Enable compression; Deny Internet access af]
60. IPS: exploits of vulnerabilities mounted from the WAN to the LAN are displayed. Click Export Logs in the upper left corner to export the data to an Excel file. Click Filter.

[Figure: IPS log filter: Period 2013-08-05 00:00 to 2013-08-05 23:59; Src zone: LAN; Src IP: All; Dst zone: WAN_TEST; Dst IP: All; Attack type: All; ID: All; Device name; Threat level: High, Medium, Low]

[Figure: IPS log table; columns Time (entries at 2013-08-05 16:15:31 and 2013-08-05 16:12:47), Type (system, web), Source IP 172.16.2.2, Dst IP 172.16.2.3, ID (10010, 11020, 2087) and Name (OpenSSL SSLv2, X-Scan Services, Microsoft Windo)]

the upper right corner to display a certain column.
61. [Figure: IPS Vulnerability Rules list; rows shown: Injection Vulnerability, Application Vulnerability, High, Enable / Block if attack detected, Objects; 12030539 ManageEngine EventLog Analyzer Information Disclosure Vulnerability, Application Vulnerability, Medium, Enable / Allow if attack detected]

Enable Cloud-based analysis engine: After the cloud-based analysis engine is enabled, suspicious unrecognized traffic is automatically uploaded to the SANGFOR cloud server. The traffic is analyzed, identified and matched with existing attack traffic modes on the cloud server, thereby determining whether the traffic aims to perform attacks.

Click Global Action to unify all modified IPS Vulnerability Rules. If Default initial action is selected, the system will reset the actions of all IPS Vulnerability Rules to the default. If Strict detection (Block if attack detected) is selected, all the actions will become Enabled, Block if attack detected, regardless of the threat level. In the default option, Medium-level threats are allowed; after this option is enabled, all Medium-level threats are blocked.

[Figure: Global Action dialog: Action of All Rules: Default initial action / Strict detection (Block if attack detected)]

The Vulnerability ID column lists the IDs of existing vulnerabilities. You can search for vulnerabilities by ID. When the server is blocked according to an IPS rule, you can view the vulnerability ID in the data center. After finding the vulnerability ID
62. [Figure: Interfaces table (Device, MAT, Privilege, Allowed Address, Delete): LAN, Route (layer 3), eth2, WebUI/snmp, All, In use; WAN, Route (layer 3), eth1, WebUI/snmp, All, In use. IP Group table (Add, Delete, Refresh, Import, Export): 1. All: All IP addresses, In use; 2. LAN IP Range: In use]

Step 2: On the concurrent connections control page, click Add. The Add Concurrent Connection Control Rule page appears. In this example, because the intranet users correspond to ETH2 and the concurrent connections of the users must be limited, Zone is set to LAN and IP Group is set to All. See the following figure.

[Figure: Add Concurrent Connection Control Rule: Enable; Name: limit 500; Description: limit 500 concurrent connection; Source Zone: LAN; IP Group: All; Max Concurrent Connections Per IP: Specified, 500 (the number of TCP and UDP connections is limited as a whole); OK]

Step 3: Click OK to complete the configuration.

DoS/DDoS Protection: DoS/DDoS attacks aim to terminate service responses by exhausting server resources. During such an attack, a great amount of fake request data is created to jam the server so as to prevent the server from responding to normal user requests. The SANGFOR device provides Internet and intranet protection against DoS attacks. This prevents intranets from being affected by DoS attacks from the Internet, and prevents computers on intranets infected with viruses or computers with attack tools on intranets from
63. LDAP server are synchronized to the equipment as user groups, and the organizational structures of the OUs are also synchronized to the equipment in the same form. The users synchronized to the equipment still belong to the corresponding OU groups.

Sync by security group (AD domain only) is only applicable to Microsoft LDAP servers, that is, the AD domain. In this synchronization mode, the security groups in the AD domain server are synchronized to the equipment as user groups. The security group does not have an organizational structure; the equipment synchronizes the security groups at the same level, that is, the synchronized security groups are at the same level.

3.7.1.6.1 Adding a Synchronization Policy

Synchronization policies are used to set parameters related to the synchronization. LDAP synchronization is performed based on the configured synchronization policies.

Sync by OU: Sync by OU is applicable to all types of LDAP servers. In this synchronization mode, the OUs in the LDAP server are synchronized to the equipment as user groups, and the organizational structures of the OUs are also synchronized to the equipment in the same form. The users synchronized to the equipment still belong to the corresponding OU groups.

3.7.1.6.1.1 Cases for Sync by OU

OU engineering department, OU marketing department and OU IT department, and the corresponding sub-OUs and users in the LDAP server, are requ
64. Login: filled with Y or N; being left blank means N. 7. Enable Account: filled with Y or N; being left blank means Y. 8. Expiry Time: the format is yy-mm-dd hh:mm; being left blank indicates that the account will never expire.

[Figure: sample CSV opened in a spreadsheet; header columns (cut off in the source): Login Name, Display Name, Group Path, Description, Local Password, Bind IP, Bind IP, Allow Mul, Enable Account, Expiry Time; sample rows for Zhang Shan, Li Si, Wang Wu (ID_95471), Zhao Liu, Qian Qi and Mail Server, with group paths, local passwords, bound IP addresses or ranges such as 10.0.1.0-10.0.1.255, MAC addresses such as 00-A1-B2-C3-D4-E5, and Y/N flags]

Step 2: Import the CSV file. Click Import. In the Import CSV File dialog box, select the file that you want to import and select If user group does not exist, create it. If the target group for importing the users does not exist, the equipment automatically creates a group during the import. If the If user group does not exist, create it option is deselected, the equipment does not create a group during the import, and instead the users are imported into the root group. Select Proceed and overwrite existing one under If user already exists: if users with the same user names already exist in the user list, the attributes of the users are updated. Or you can select Skip and not overwrite existing user; in this case, if users with the same user names already exist in the user l
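The blank-field defaults (the multi-login flag blank means N, Enable Account blank means Y, a blank Expiry Time means never) and the two import options (create missing groups or fall back to the root group; overwrite or skip existing users) are exactly the places where a bulk import silently produces accounts with the wrong state. The following added example implements that parsing and import logic in Python; it is not the manual's or the device's code. The column order follows the visible spreadsheet header but the field names, the date separators in "yy-mm-dd hh:mm" and the sample rows are assumptions made for the example.

```python
# Added example (not from the SANGFOR manual): parsing a user CSV with the
# blank-field defaults the manual states and applying the two import
# options (create missing groups / overwrite existing users). Column names,
# date separators and the sample rows are assumptions for this example.
import csv
import io
from datetime import datetime

# Column order assumed from the visible spreadsheet header (names are this
# example's own, not the manual's exact template).
FIELDS = ["login_name", "display_name", "group_path", "description",
          "local_password", "bind_ip", "bind_mac", "allow_multi_login",
          "enable_account", "expiry_time"]


def yes_no(value, default):
    """Y/N cell with a documented default for a blank cell."""
    v = value.strip().upper()
    if v == "":
        return default
    if v not in ("Y", "N"):
        raise ValueError(f"expected Y or N, got {value!r}")
    return v == "Y"


def parse_expiry(value):
    """Blank means the account never expires; otherwise yy-mm-dd hh:mm
    (the separators are an assumption of this example)."""
    v = value.strip()
    if not v:
        return None
    return datetime.strptime(v, "%y-%m-%d %H:%M")


def parse_users(csv_text):
    users = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue  # skip empty lines
        row = (row + [""] * len(FIELDS))[:len(FIELDS)]  # pad short rows
        rec = dict(zip(FIELDS, (cell.strip() for cell in row)))
        rec["allow_multi_login"] = yes_no(rec["allow_multi_login"], False)  # blank = N
        rec["enable_account"] = yes_no(rec["enable_account"], True)         # blank = Y
        rec["expiry_time"] = parse_expiry(rec["expiry_time"])
        rec["group_path"] = rec["group_path"] or "/"                        # root group
        users.append(rec)
    return users


def import_users(csv_text, directory, groups, create_missing_groups, overwrite_existing):
    """directory: login_name -> record; groups: set of group paths.
    Both are updated in place; a report of what happened is returned."""
    report = {"added": [], "updated": [], "skipped": [], "groups_created": []}
    for rec in parse_users(csv_text):
        if rec["group_path"] not in groups:
            if create_missing_groups:
                groups.add(rec["group_path"])
                report["groups_created"].append(rec["group_path"])
            else:
                rec["group_path"] = "/"  # option off: user lands in the root group
        name = rec["login_name"]
        if name in directory:
            if overwrite_existing:
                directory[name].update(rec)
                report["updated"].append(name)
            else:
                report["skipped"].append(name)
        else:
            directory[name] = rec
            report["added"].append(name)
    return report


# Constructed sample file (three rows; blank cells exercise the defaults)
SAMPLE_CSV = """\
zhangsan,Zhang San,/HQ/Marketing,New member,password,,,,,
lisi,Li Si,/HQ/RD,,,10.0.10.10,,N,N,
wangwu,Wang Wu,/Default group,,,,,Y,Y,25-12-31 23:59
"""

if __name__ == "__main__":
    directory, groups = {}, {"/", "/HQ/RD"}
    print(import_users(SAMPLE_CSV, directory, groups, True, False))
    for user in directory.values():
        print(user)
```

Running the sample with the create-groups option on and overwrite off shows the three decision paths: one user lands in a freshly created group, an existing user is skipped untouched, and a blank Enable Account cell yields an enabled account, which is the default an operator most often wants to double-check before importing.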
65. [Figure: Add User dialog: Enable user; Name: Guest; Display Name; Added To Group: Admin]

Step 4: Set User Attributes. The User Attributes settings include the authentication method, public account and expiry date. Select Local password and type the password for login authentication in the Password text box.

[Figure: Local password option with Password text box]

Select Bind IP/MAC and bind the user to IP addresses and MAC addresses. In this example, bind the user to the IP address range 192.168.1.2-192.168.1.100 (the IP address range available for login) in a unidirectional manner. Click Binding Mode and select Unidirectional binding between user and address in the displayed dialog box. Select IP Address and type 192.168.1.2-192.168.1.100 in the text box.

[Figure: Bind IP/MAC: Binding Mode; IP Address / MAC Address / IP and MAC; one entry per row, example 200.200.0.1; value entered: 192.168.1.2-192.168.1.100]

The Allow concurrent login on multiple terminals option is used to set whether multiple users can log in by using the account at the same time. If you select this option, multiple users can log in by using the account at the same time. In this example, select Allow concurrent login on multiple terminals.

Select Show Logout page if user passes password-based authentication. This option is available for users authenticated based on the user name and password. If th
66. [Figure: Sync Logs dialog (Clear All): 1. Name 1376291342 2013-8 (cut off in the source), Mode: Sync now, Time: 2015-08-12 15:09:02, Status: succeeded; 2. Name 1376290586 2013-8, Mode: Sync now, Time: 2015-08-12 14:56:26, Status: succeeded; Close]

User Authentication: The User Authentication menu is used for user authentication settings, with the submenus Policy, Options and External Auth Server. If user authentication is not enabled on the NGAF, Intranet users can still access the Internet. To prevent Intranet users from accessing the Internet, you can define IP addresses in objects to protect the PCs on the Intranet; in this case, users and logs are listed by IP address.

Authentication Policies

3.7.2.1.1 Overview

If user authentication is enabled on the NGAF, all computers in the authentication zone must be authenticated and identified before accessing the Internet. The authentication policy defines how the computers with specific IP addresses or MAC addresses, or in a specific network segment, are authenticated. You can set an authentication policy to define the authentication mode of Intranet users and the policies for adding new users. The NGAF verifies authentication policies from top to bottom, one by one. You can adjust the order of the authentication policies to change the priority by the button of the scroll bar on the screen. The authentication policies allow you to set different authentication modes for computers in different network segments. Authentication modes
67. address pool. Note: Before selecting the Assign virtual IP check box, choose VPN > Virtual IP Pool and set the virtual IP address pool.

Valid Time and Enable expiration are used to set the validity period and expiration time of the added user account. If the VPN user needs to use the My Network Places service, select the Enable My Network Places check box. Enable compression is used to set whether to compress the data transmitted between the gateway and the user by using the compression algorithm. Note: This setting is the unique technology of SANGFOR VPN. It improves the bandwidth usage and expedites data transmission; however, it is not applicable to all network environments. You need to set this item based on actual conditions in practice.

The Deny Internet access after login item is valid only for mobile users. If this check box is selected, a mobile user can access the internal network only through the VPN after the user is connected to the VPN; that is, the user cannot access the Internet. The Enable multi-user login item sets whether to allow multiple users to share the account to log in to the VPN concurrently. The Deny password change online item sets whether a mobile user can modify the login password after connecting to the VPN; if this check box is not selected, the mobile user can modify the login password. The LAN Service button is used to set the access permission of the user after connecting to the VPN.
68. [Figure: IPS protection rule list (page 1 of 24, 50 entries per page, showing 1-50 of 1175, filter by rule ID or name); rows shown include: Module Authentication Bypass Vulnerability; Drupal v6 OpenID Module Authentication Bypass Vulnerability; Drupal v7 Security Bypass Vulnerability; Drupal v7 Information Disclosure Vulnerability; Category: Cms Vulnerability; Threat Level: High; Action: Enable]

Rule Name: name of the protection rule. Category: protection type of the current protection rule, such as Cms vulnerability. Threat Level: level of the vulnerability; there are three levels: high, medium and low. Action: actions taken by the equipment when the attack is performed; there are two actions, Enable and Disable. You can define actions. Click a vulnerability name to open the editing page. See the figure below.

[Figure: Edit Rule dialog] Rul
69. [Figure residue: Interval (seconds), range 1-120]

1. Only WAN physical route interfaces can be configured as external VPN interfaces. 2. Multiple external VPN interfaces can be configured for implementing multiline routing of the VPN.

VPN LAN Interface: On the VPN LAN Interface page, you can define internal VPN interfaces. See the figure below.

[Figure: VPN LAN Interface page: New / Delete; columns Status, LAN interface, Subnet Mask, Operation; VPN Interface IP: Assigned automatically (IP Address 104.12.141.86, Subnet Mask 255.255.255.0) or Specified; Save and Apply]

Click New and select an internal VPN interface, as shown in the figure below.

[Figure: New dialog: Interface; Subnet Mask 255.255.255.0; OK / Cancel]

Only a non-WAN interface with a static IP address can be configured as an internal VPN interface. VPN Interface IP: IP address of the virtual network adapter for VPN services. The Assigned automatically option button is selected by default, and you are advised to retain the default setting. If a prompt indicating IP address conflicts is displayed, select Specified and set the IP address and subnet mask.

VPN interfaces are virtual interfaces of the SANGFOR gateway; they are not physical interfaces.

Multiline Policy: The SANGFOR equipment provides a powerful VPN multiline policy, where different primary and secondary line groups can be selected based on the conditions of the ex
70. The dataflow process is as follows: 1. The PC requests domain login. 2. The domain server returns the login information to the PC. 3. The PC executes the logon.exe script and reports the domain login success information to the NGAF.

Configuration

Step 1: Choose User Authentication > Options > External Auth Server and set the authentication AD domain service. For details, see section 3.6.2.3.

Step 2: Enable SSO, select the SSO mode and set the shared key. Choose User Authentication > Options > SSO Options > Domain SSO. Select Enable Domain SSO. Select Obtain login profile by executing logon script through domain. Enter the shared key in Shared Key. See the following figure.

[Figure: SSO Options tabs: Domain SSO, Proxy SSO, POP3 SSO, Web SSO; Enable Domain SSO; Domain SSO Program Download; Obtain login profile by executing logon script through domain; Shared Key]

The shared key is used to encrypt the communication between the NGAF and the AD domain server and must be specified exactly the same in the login and logoff scripts. Click Download to download the login and logoff scripts for steps 3 and 4.

Step 3: Configure the login script on the AD domain server. 1. Log in to the domain server and choose Manage Your Server on the menu, as shown in the following figure.

[Figure: Windows server desktop: Recycle Bin, Security Configurati]
71. [Figure: translation fields: Prefix; IPv6 address / Prefix; Destination Zone: Select External Zone; Source Translation: Translate Src To: IPv6 address / Prefix]

3.8.1.1.1 Source NAT Configuration Example

A customer has the topology shown in the following figure. The intranet users and server groups of the customer require network access through the NGAF firewall. In this case, source NAT rules must be added on the NGAF device so that, when the data is transferred through the NGAF device, the IP addresses 192.168.1.0/24 and 172.16.1.0/24 of the network access data are changed to 1.2.1.1, which is the IP address of the ETH1 egress interface of the NGAF device.

[Figure: topology: NGFW with ETH1 1.2.1.1/24 on the Internet side and ETH2 10.10.10.1/30 connected to a Core Switch; internal users on 192.168.1.0/24 and 172.16.1.0/24]

Step 1: Before setting the source NAT rules, choose Network Configuration > Interface/Zone, click the Zone tab, define the home zone of the interface, and then choose Object Definition > IP Group and define the home IP group of the intranet segments. For configuration details, see sections 3.2.1.4 and 3.4.8. In this example, interface ETH1 is defined as an Internet zone and ETH2 is defined as an Intranet zone; 172.16.1.0/24 and 192.168.1.0/24 are defined as IP groups on the intranet. See the following figure.

[Figure: Interfaces page tabs: Physical Interface, Sub-Interface, VLAN Interface]
72. Route. Step 1: Choose Advanced Network Settings > ARP > ARP Proxy and select Enable ARP proxy, as shown in the following table.

[Figure: Advanced Network Settings > ARP Table / ARP Proxy: Enable ARP proxy; Add / Delete / Refresh; columns No., Start IP, End IP, Interface, Status]

The following prompt is displayed: "Are you sure to enable ARP proxy?" Click Yes.

Step 2: Click Add. The Add ARP Proxy dialog box is displayed.

[Figure: Add ARP Proxy dialog: Start IP 1.2.1.5; End IP 1.2.1.5; Interface eth1; OK / Cancel]

Start IP and End IP specify the IP address range of the servers. Interface specifies the interface of the NGAF connected to the servers. Set Interface to eth1, since the servers are connected to interface ETH1. Click OK. Users can access servers on the intranet by using public IP addresses; no port mapping rule needs to be added on the NGAF.

Note: The requirements described above can be met by deploying the NGAF in hybrid mode, or by deploying the NGAF as a router and configuring ARP proxy. When ARP proxy is used: 1. configure a public IP address for the Ethernet interface of the NGAF; 2. configure the interface of the NGAF connected to servers on the intranet as a router interface; 3. configure an IP address that does not conflict with IP addresses in other network segments for the router interface.

DHCP Configurat
73. [Table of contents fragment from the SANGFOR NGFW 5.6 User Manual; most entries are illegible in the source. Recoverable entries:
4.2.2 Web Application Protection ... 384
(illegible entries on pages 385, 387, 388, 389, 390, 391, 394 (Example), 395, 396 (Local ...), 397, 398, 399, 400, 401, 402 (Example), 405, 406, 408, 409)
Chapter 5 Configuration Examples ... 411
5.1 Deployment and Configuration ... 411
5.1.1 Router Interface Configuration ... 411
5.1.2 Transparent Interface Configuration ... 417
Access Interface Configuration ... 417
Trunk Interface Configuration ... 419
Virtual Wire Interface]
information invoked from Authentication System > User Management > Group/User.

Destination Zone: specifies the destination zone of the data to be controlled. To control the Internet access data of intranet users, set the destination zone to an external zone.

IP Group: specifies the destination IP group of the data to be controlled. To control the Internet access data of intranet users, set the destination IP group to All.

Service/Application: specifies the service or application that requires data control. Application refers to the application characteristics invoked from Object Definition > Application Characteristic Library. Service refers to the service defined in Object Definition > Service.

Schedule: the policy takes effect only in the specified period. The values are defined in Object Definition > Schedule.

Action: specifies whether the packets meeting the preceding criteria are discarded or not.

Log: control actions are recorded in the embedded data center when this option button is selected.

Anti-Virus Policy

Anti-virus policies are used mainly to detect and remove viruses from data transferred through the device, in order to protect data in specified zones. The device can detect and remove viruses carried over the HTTP, FTP, POP3 and SMTP protocols. It is embedded with the anti-virus engine of the world-famous anti-virus software provider SOPHOS. The engine features a high virus detection rate and
SNMP request to the layer 3 switch for the MAC address table and saves it in its memory. If a computer (such as the PC with the IP address 192.168.1.2) in a network segment different from the LAN ports of the device, connected through the layer 3 switch, accesses the Internet through the device, the device determines that the MAC address of the data packets from the PC is a layer 3 MAC address (that of the switch). The device does not use this MAC address. Instead, it searches its memory for the real MAC address based on the IP address 192.168.1.2 and then authenticates the user based on the real MAC address.

Configuration

Step 1: Enable the SNMP function on the layer 3 switch.

Step 2: Choose User Authentication > Options > Obtain MAC By SNMP and select Enable SNMP Settings (figure: Authentication Options; SSO Options; Auth Page Redirection; Authentication Conflict; Obtain MAC By SNMP; Other Options; Enable SNMP Settings; SNMP Server Access Timeout; SNMP Server Access Interval; SNMP Servers).

Step 3: Set SNMP Server Access Timeout and SNMP Server Access Interval. Usually the default values are retained.

Step 4: In the SNMP Servers text box, click Add. The Add SNMP Server dialog box appears. Enter the SNMP server IP address and click Search. Select the server found and click Add. See the following figure (Add SNMP Server: SNMP Server IP, Search; columns No., IP, MAC, OID).
SSO authentication. You can set one-way binding.

New User Option (for users outside the local device): Added to specified local group (Select Group). This option is not applied to new users authenticated against an external LDAP server, because they can be synchronized to a corresponding group automatically (see User Sync Policy). Other User Attributes: Concurrent Login: Allow concurrent login on multiple terminals, or Only allow login on one terminal. Bind IP/MAC, Binding Mode: Bind the IP on initial logon, Bind the MAC on initial logon, or Bind the IP and MAC on initial logon. Added as casual account (not to any local group), with the same privilege as User Group. No authentication for new users.

Step 5: Click Submit. The policy is successfully edited. The Authentication Policy list (Enable user authentication; Authentication Zone: LAN; Add, Delete, Refresh, Import, Example File; columns No., Name, IP/MAC, Authentication, New User Option, Description) then shows:

1. sso: 192.168.3.0/255.255.255.0; authentication None (IP as username); Add to group.
2. Marketing: 192.168.2.1 to 192.168.2.255; None (host name as username); Add to group Marketing; Marketing policy.
3. Subnet 1: 192.168.1.0/255.255.255.0; Password-based authentication; Add to group IT.
4. Default Policy: 0.0.0.0/255.255.255.255; None (IP as username); Add to group Default; Default Policy.

3.7.2.1.4 Deleting Authentication Policies T
(Figure: the log list shows entries 6 to 21, all dated 2014-04-25 12:57:45, of type Sending IP fragment, from source IP 192.200.19.200 (source zone WAN) to destination IP 192.200.19.63, policy name test, threat level Medium, action Allow, each with a View link.)

The data shows that the server with the IP address 200 20
Status; Delete. (The list initially contains one account: 1, admin, administrator, Administrator.)

Click Add to add an administrator account. See the following figure (Administrator: Enable; Username test; New Password; Confirm; Description; Console Privilege: Read-Write, Read-Only; Privilege on Internal Report Center: View logs, Manage logs; OK, Cancel).

User Name: name of the administrator account. New Password and Confirm: password of the administrator account. Description: description of the account. Console Privilege, Read-Write: NGAF configuration query and edit rights assigned to the administrator. Console Privilege, Read-Only: NGAF configuration query rights assigned to the administrator. View logs: assigns database log query rights to the administrator. Manage logs: assigns database log query and delete rights to the administrator. If Manage logs is selected, View logs is selected by default.

Click Submit. The administrator is added (figure: Administrator list with Add, Delete, Refresh; columns No., Username, Administrative Role, Description, Status; entries 1 admin, administrator, Administrator; 2 test, administrator).

To manage the existing administrators, click the user name to go to the editing screen. You can click Delete to delete the selected administrator account, click Enable to enable the selected administrator account, and click Disable to disable the select
The modes have the OR relationship: a hit is counted when any one mode is matched.

Some sensitive data is stored in Word or Excel files, which may be downloaded from the server and disclosed. The NGAF can prevent such sensitive data leakage by filtering downloaded files. Set Data Leak Protection to File download restriction and click Settings. The Select File Type Group page appears. Select the extensions of the files to be filtered. See the following figure (Select File Type Group: select file types that cannot be downloaded; Add, Delete, Refresh, Fuzzy match; columns No., File Type Group, Description; the predefined file type groups cover the extension of files that have the Hidden attribute, extensions of common backup files and data backup files left at some sites, database file extensions, common log file extensions, database configuration file extensions, report file extensions, and Oracle configuration file extensions; OK, Cancel).

The device is preset with the extensions of some common website data backup files and common log files. To customize an extension, click Add and add the extension. See the following figure. Add File Ty
(Log list columns: No., Time, Type, Protocol, Method, URL, Directory, Src Zone, Source IP, Src Port, Dst Zone, Dst IP, Dst Port, Rule ID, State Code, Policy Name, Description, Threat Level, Action.) To enable the data center to display logs, choose Server Security > Web Application Protection and

(Sample entry: 2013-08-16 10:10:14; Information disclosure; HTTP; POST; Src Zone LAN; Source IP 192.200.17.128; Src Port 29404; Dst Zone WAN_TEST; Dst IP 108.162.203.130; Dst Port 80; Rule ID 13070171; State Code 403; Policy Name CTI server; Description "Website-based attack is detected. Type: Information disclosure"; Threat Level High; Action Deny.)

Specify the following and click Go to retrieve data: From 2013-08-16 00:00 To 2013-08-16 23:59; Source Zone; Source IP: All; Dst Zone; Dst IP: All; Attack Type; ID: All; Threat Level: High, Medium, Low; Action: Allow, Deny; Go; Open in new tab.

Example

Application scenario: a user needs to view details about the exploits of server vulnerabilities mounted from the Internet against the intranet on May 30.

Step 1: Set the search criteria (Filter, Export Logs; specify the following and click Go to retrieve data: From 2013-08-05 00:00 To 2013-08-05 23:59; Source Zone: LAN; Source IP: All; Dst Zone: WAN_TEST; Dst IP: All; Attack Type: All; ID: All; Threat Level: High, Medium, Low; Action: Allow, Deny; Go, Cancel; Open in new tab).

Step 2: Click Go. Statistics on
(Report list columns: User, Operation; entry: Custom_Report, Custom report, 2013-08-16 10:52:16, admin; Export as PDF File, Send Mail.) The reports found can be exported to a PDF file, sent by email, or deleted.

Custom Report

The Custom Report page enables users to customize reports based on the required information (figure: Report Name; Filter: Period 2013-08-16 to 2013-08-16, Schedule All week, IP/User All, Group; Statistics Type: Ranking, Trend, Ranking & Trend; Show Top 10, 20; Report Contents: Report Type Simplified report or Full report; Security: Type Overall Security, Server Security, Endpoint Security; Threat Level High, Medium, Low; Traffic: Rank By Bidirectional Traffic, Outbound Traffic, Inbound Traffic; Statistics Application, App Category, Group, IP/User; App Category All; Application Statistics: Statistics Application, App Category, IP/User; App Category All).

Example

Application scenario: a user needs to customize a report that ranks all websites accessed by intranet users on May 30 by access frequency. Other information is not required. The report must be generated in the NGAF so that it can be viewed on the Reports page.

Step 1: Click Custom Report and set the statistic criteria (Report Name, Filter Period, Schedule, IP/User, Statistics Type, Sho
Threat Level: High, Medium, Low; Action: Allow, Deny; Go; Open in new tab.

Example

Application scenario: a user needs to view the logs of traffic from the LAN to the WAN that was denied by the application control policy on September 30.

Step 1: Set the search criteria on the Local Security Events page (specify the following and click Go to retrieve data: From 2014-08-01 00:00 To 2014-09-30 23:59; Source Zone: All; Src IP: All; Attack Type: All; Threat Level: High, Medium, Low; Action: Allow, Deny; Go; Open in new tab).

Step 2: Click Go. Data that meets the search criteria is displayed (Local Security Events: Filter, Export Logs; filter period 2014-08-01 00:00 to 2014-09-30 23:59, Src zone All, Src IP All, Type All, Threat level High/Medium/Low, Action Allow/Deny; columns No., Date, Type, Source IP, Description, Threat Level, Action, Details).

User Login/Logout

The User Login/Logout page enables users to view the login and logout information of common users that were successfully authenticated by the authentication module of the NGAF. For example, a user can search for the users that logged in and out between 12:00 and 13:00 on a certain day (User Login/Logout: specify the following and click Go to retrieve data: From 2013-08-15 00:00 To 2013-08-15 23:59; Src IP/User: All; User Group; Go; Open in
You can choose to log in to the equipment in Web UI, SSH or SNMP mode and then manage the equipment. See the figure below (Device Mgt Privilege: Web UI, SSH, SNMP; Allowed IP Address: All). To reduce risk, restrict the allowed IP addresses to the smallest range that needs access to the device. Allowed IP Address specifies the source IP addresses from which logging in to the equipment is permitted. Click to select and add IP groups. Click OK.

Notes: 1. An interface can belong to only one zone; a zone can contain multiple interfaces. 2. A zone can contain both LAN interfaces and VLAN interfaces.

Link State Propagation

The Link State Propagation tab page allows you to add the inbound and outbound data forwarding interfaces to the same propagation group when the NGAF equipment operates in load balancing mode. This ensures that all interfaces in the same propagation group are in a consistent state. For example, if the network cable is disconnected from one interface in a propagation group, all other interfaces in the group become unavailable automatically. After the network cable is connected to this interface again and electrical signals resume, all other interfaces in the group also resume, which keeps load balancing working. See the figure below (Interfaces: Physical Interface, Sub Interface, VLAN Interface, Aggregate Interface, Zone, Link State Propagation; Enable link state propagation; Network Interface Groups).
a group or a user (figure: Members; Group Path; Modify; Description; Members: sub-groups 2, immediate users 1, total users 95; Add, Delete, Refresh, Select, Import, Export, Search by Name; columns No., Name, Address, Expiry Date, Status; entries Admin, Default group, and the user sangfor with no binding information and status Never expire).

Step 2: Click Delete. A confirmation prompt appears: "Are you sure to delete the selected group/user?"

Step 3: Click Yes. The selected group or user is deleted, and deletion success information is displayed on the console.

If the group to be deleted is referenced by a policy set in the Authentication Policy dialog box, the group cannot be deleted, as shown in the figure below (Prompt: Error. Failed to delete group. Authentication policy "Subnet 1" has referenced "Admin"). In this case, first delete the associated policy from the Authentication Policy dialog box. For details about authentication policy settings, see section 3.6.2.1.

3.7.1.4.1 Editing Users/Groups in Batches

The attributes available when you edit users or groups in batches differ from those available when you edit a single user or group. You can edit multiple users or groups at a time. In this case the bidirectional binding mode is unavailable for Bind IP/MAC, because batch editing and bidirectional binding are mutually exclusive.

3.7.1.4.1.1 Co
address table and layer 3 routing check. However, the data is still controlled by all types of security policies. The virtual wire function helps improve the data forwarding efficiency of the NGAF equipment and avoids data forwarding errors caused by a disordered MAC address table. The Virtual Wire page is shown below (Virtual Wire: Add, Delete, Refresh; columns Interface Pair 1, Interface Pair 2, Description, Edit, Delete).

Click Add to add a virtual wire. See the figure below (Add Virtual Wire: Interface Pair 1: Select; Interface Pair 2: Select; Description; OK, Cancel).

Description: enter the name and description of the virtual wire to be added. Interface Pair 1: select a physical interface with the virtual interface attribute. Interface Pair 2: select a physical interface with the virtual interface attribute. Click OK to save and apply the settings.

Note: Only virtual interfaces can form virtual wire groups. Virtual interfaces and virtual wire groups must be configured at the same time.

Advanced Options

The Advanced Options page includes the ARP, DNS, DHCP and SNMP tab pages.

ARP

There are two menus in the navigation area of the ARP Settings pane, namely ARP Table and ARP Proxy.

3.2.4.1.1 ARP Table

You can bind static IP/MAC entries in the ARP Table pane. See the figure below (Advanced Network Settings: ARP, DNS, DHCP, SNMP).
and belong to level 9 OUs after synchronization. Set the filter parameters for the synchronization in Filter.

Step 5: In Synchronization Target, set the import mode, the location in the organizational structure where the synchronized OUs and users are stored, and the synchronized user properties (figure: Synchronization Target; Method: Sync LDAP OUs and users to this device, Sync LDAP users to this device (OU ignored), Sync LDAP OUs to this device (user ignored); Added To Group; Allow concurrent login on multiple terminals).

Set whether the OUs and users are synchronized in Method. If you select Sync LDAP OUs and users to this device, the OUs are synchronized to the equipment as user groups, and the users in the OUs are synchronized to the corresponding user groups. If you select Sync LDAP users to this device (OU ignored), the users of the OUs are synchronized to the equipment but the OUs are not. If you select Sync LDAP OUs to this device (user ignored), the OUs are synchronized to the equipment as user groups but the users in the OUs are not. In this example, select Sync LDAP OUs and users to this device.

Specify an existing group in Added To Group so that the synchronized OUs become sub-groups of the selected group. Click Select, choose the corresponding group in Select Group, and then click OK (figure: Select Group; Fuzzy match; Admin; Default group; Ca
area, set the server name, server IP address, authentication port, timeout interval and Base DN path of the server where the users reside (figure: Basic Settings; Server Name; Server Address; Port 389; Timeout (sec) 5; Base DN).

In the Sync Options area, enter the user name and password of a domain user and select the type of the domain. The following five types are supported: MS Active Directory, OPEN LDAP, SUN LDAP, IBM LDAP and OTHER LDAP (figure: Sync Options; Type: MS Active Directory; Anon Search: Enable anonymous search; Admin DN; Password; User Attributes: sAMAccountName; Group Attributes: member; Group Filter: (objectCategory=group); Description Attribute: description).

Search configuration: You can select Use extension function if the LDAP server supports paged search; otherwise, use ordinary LDAP search. Often the server does not support paged search, either because the function has been disabled on the server or because the LDAP software does not support it (for example, early versions of OpenLDAP). Page Size is the number of entries on each search result page when the extension function is used; consult the LDAP server administrator for a suitable value. Usually values such as 800, 400 or 200 are used; you can try a smaller value until synchronization succeeds. Size Limit also affects synchronization; do not set this parameter unless the server requires it. Search Pa
as shown in the figure below (Edit VLAN Interface: Name; Description; Added To Zone: WAN; Basic Attributes: Pingable; IP Assignment: Static, DHCP; Static IP 192.200.17.24/24, next hop 192.200.17.254; Link State Detection: a feature that achieves automatic link failover when one of the lines goes down, Settings; Advanced: specify Maximum Transmission Unit (MTU), Settings; OK, Cancel).

Name specifies the VLAN ID. Enter the ID of the VLAN to which the equipment is added. Basic Attributes specifies whether the VLAN interface can be pinged. IP Assignment can be set to Static or DHCP. If it is set to Static, enter an IP address on the corresponding VLAN network segment. Link State Detection and Advanced are set in the same way as for a route interface.

Note: The IP address of any interface cannot be on the 1.1.1.0/24 network segment.

Aggregate Interface

The Aggregate Interface tab page displays the list of aggregated interfaces of the equipment. See the figure below (Interfaces: Physical Interface, Sub Interface, VLAN Interface, Aggregate Interface, Link State Propagation; Add, Delete, Refresh; columns Name, WAN Attrib, Ping, Type, Zone, Link Mode, IP Address, MTU, Physical Interface, Delete).

Click Add to add an aggregated interface, as shown in the figure below (Add Aggregate Interface).
brute-force login.

Primary Authentication Method

The primary authentication method in NGAF is local password-based authentication. The settings related to local password-based authentication include password security options and username options. Click the Settings button next to Local Password; the Local Password Based Authentication page appears, as shown in the figure below (Authentication; Password Security Policy: Enabled; Password must not contain username; New password must be different from previous password; Minimum length is 6 bytes; Every 0 days user must change password; 0 days before the password expires, remind user to change it; User must change the initial password; Password must have: Digit, Letter, Special character. Username Options: Ignore case of username. OK, Cancel.)

The Local Password Based Authentication page contains the following:

Password Security Policy: configures the required password strength and the ways in which users change their password.

Username Options: if Ignore case of username is selected, the case of the username is ignored when users enter credentials to log in to SSL VPN.

Secondary Authentication Method

The secondary authentication method in NGAF is Hardware ID-based authentication. A Hardware ID is a unique serial number generated using t
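The following is an added example, not Sangfor code, that models the Password Security Policy options listed above (minimum length in bytes, no username in the password, difference from the previous password, required character classes, periodic change with a reminder). The class and function names, the definition of "special character" and the case-insensitive username match are assumptions; the manual does not state how the device evaluates them.

```python
"""Model of the NGAF local password security policy described above.
Added example (not Sangfor code); names and evaluation details are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
import string

# Assumption: "special character" means ASCII punctuation.
SPECIAL_CHARS = set(string.punctuation)


@dataclass
class PasswordPolicy:
    enabled: bool = True
    must_not_contain_username: bool = True   # "Password must not contain username"
    must_differ_from_previous: bool = True   # "New password must be different from previous password"
    min_length_bytes: int = 6                # "Minimum length is 6 bytes"
    change_every_days: int = 0               # "Every N days user must change password" (0 = never)
    remind_days_before: int = 0              # "N days before the password expires, remind user"
    require_digit: bool = True               # "Password must have: Digit"
    require_letter: bool = True              # "Password must have: Letter"
    require_special: bool = True             # "Password must have: Special character"


def check_password(policy, username, new_password, previous_password=None):
    """Return the list of violated rules; an empty list means the password is accepted."""
    if not policy.enabled:
        return []
    problems = []
    # The manual counts length in bytes, so measure the UTF-8 encoding, not characters.
    if len(new_password.encode("utf-8")) < policy.min_length_bytes:
        problems.append(f"shorter than {policy.min_length_bytes} bytes")
    # Assumption: the username check is case-insensitive.
    if (policy.must_not_contain_username and username
            and username.lower() in new_password.lower()):
        problems.append("contains username")
    if (policy.must_differ_from_previous and previous_password is not None
            and new_password == previous_password):
        problems.append("same as previous password")
    if policy.require_digit and not any(c.isdigit() for c in new_password):
        problems.append("no digit")
    if policy.require_letter and not any(c.isalpha() for c in new_password):
        problems.append("no letter")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in new_password):
        problems.append("no special character")
    return problems


def expiry_status(policy, last_changed, today):
    """'ok', 'remind' or 'expired' according to the periodic change settings."""
    if not policy.enabled or policy.change_every_days <= 0:
        return "ok"                      # 0 days means the password never expires
    expires_on = last_changed + timedelta(days=policy.change_every_days)
    if today >= expires_on:
        return "expired"                 # user must change the password now
    if (expires_on - today).days <= policy.remind_days_before:
        return "remind"                  # inside the reminder window
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(change_every_days=90, remind_days_before=7)
    print(check_password(policy, "alice", "Alice!2024"))       # ['contains username']
    print(check_password(policy, "bob", "Secret#9x"))          # []
    print(expiry_status(policy, date(2024, 1, 1), date(2024, 3, 25)))  # remind
```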
check box to enable OSPF on the equipment. The prompt shown in the figure below is displayed (Enable OSPF). Click Yes to save the setting.

When the NGAF equipment is in an area that is not adjacent to the backbone OSPF area, you need to enable and configure a virtual connection. Click Add Virtual Connection. The page shown in the figure below is displayed (Add Virtual Connection: Enable; Area ID; Router ID; Timer: Hello Time, Retransmit Interval, Delay, Dead Time; Encryption: Plaintext, MD5, None; Password; OK, Cancel).

Click Enable to configure a virtual connection. Area ID: ID of the backbone area. Router ID: ID of the peer router in the virtual connection. Timer: set the transmission interval, retransmission interval, transmission delay and expiration interval of Hello packets, in seconds. Hello Time: interval at which Hello packets are sent; the default value is 10 seconds. Retransmit Interval: interval for retransmitting link state packets to the neighbors adjacent to the interface; the default value is 10 seconds. Delay: delay in transmitting a link state update packet; the default value is 5 seconds. Dead Time: expiration time of Hello packets. If no Hello packet is received within the specified expiration time, the OSPF neighbor is considered unreachab
computer.

Importing Users to Device

Import users from file: click Import and select Import users from file to import users into the NGAF from a file, as shown in the figure below (Import Users from File (.csv). CSV is the abbreviation of Comma Separated Value; it is plain text and can be edited in an Excel spreadsheet. Edit the users in Excel first, then choose File > Save As and select the CSV file type to save the file. Example File; Select File: Browse; If the specified group does not exist, create it automatically; If no location is specified for user, import it to; In case user already exists in local device: Go on importing and overwrite the existing user, or Skip importing the user that already exists; Next, Cancel).

Select File: browse to a CSV file that contains user information such as username, path, description, password, mobile number and so on; the username is required and the other fields are optional. For details on how to maintain and edit the CSV file, click the Download Example File link to download a copy and follow the instructions in it.

If the specified group does not exist, create it automatically: applies when the Added to Group value of some users in the CSV file does not match any of the user groups existing on this Sangfor device.

If no location is specified for user, import it to: specifies the user group to which users are added when the Added to Group column is
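The following is an added example, not Sangfor code, that simulates the three import options described above (create a missing group, a default group for rows without a location, and overwrite-or-skip for existing users). It assumes a header row with the columns username, path, description, password and mobile, with path holding the target group, and keeps the local user and group state in plain Python containers; the sample CSV is constructed for the example.

```python
"""Simulation of the NGAF 'Import Users from File' options described above.
Added example (not Sangfor code). Assumed CSV columns: username, path,
description, password, mobile; 'path' is the target group."""
import csv
import io


def import_users_from_csv(csv_text, local_users, local_groups, *,
                          create_missing_groups, default_group, on_conflict):
    """Apply the import to local_users (dict) and local_groups (set) in place.

    create_missing_groups: "If the specified group does not exist, create it automatically"
    default_group:         "If no location is specified for user, import it to"
    on_conflict:           'overwrite' ("Go on importing and overwrite the existing user")
                           or 'skip' ("Skip importing the user that already exists")
    Returns a summary with counts, created groups and rejected rows."""
    if on_conflict not in ("overwrite", "skip"):
        raise ValueError("on_conflict must be 'overwrite' or 'skip'")
    summary = {"added": 0, "overwritten": 0, "skipped": 0,
               "groups_created": [], "rejected": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        username = (row.get("username") or "").strip()
        if not username:                       # username is the only required field
            summary["rejected"].append({"row": row, "reason": "missing username"})
            continue
        group = (row.get("path") or "").strip() or default_group
        if group not in local_groups:
            if not create_missing_groups:
                summary["rejected"].append(
                    {"row": row, "reason": f"group {group!r} does not exist"})
                continue
            local_groups.add(group)
            summary["groups_created"].append(group)
        record = {"group": group,
                  "description": (row.get("description") or "").strip(),
                  "password": row.get("password") or "",
                  "mobile": (row.get("mobile") or "").strip()}
        if username in local_users:
            if on_conflict == "skip":
                summary["skipped"] += 1
                continue
            summary["overwritten"] += 1
        else:
            summary["added"] += 1
        local_users[username] = record
    return summary


# Constructed sample file (not from the manual): one user without a location,
# one user in a group that does not exist yet, and one row without a username.
SAMPLE_CSV = """username,path,description,password,mobile
alice,/IT,Helpdesk,Pa55!word,
bob,,Finance clerk,Qw3rty#,13800000000
carol,/Sales,Field sales,S3cret!x,
,/IT,row without a username,x,
"""


if __name__ == "__main__":
    users = {"bob": {"group": "/Default group", "description": "old",
                     "password": "old", "mobile": ""}}
    groups = {"/Default group", "/IT"}
    print(import_users_from_csv(SAMPLE_CSV, users, groups,
                                create_missing_groups=True,
                                default_group="/Default group",
                                on_conflict="skip"))
```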
consecutive login failures.

1. In an authentication mode that requires a user name and password, a user can change the password without help from the administrator. If the change fails, the user's account is locked for the period specified by "Lock user if authentication attempts reach the threshold".

2. Access http://<device IP address> and click Change Password. The password change page appears (Provide your credential before accessing the Internet; Modify Password: Username, Current Password, New Password, Confirm Password; Submit). Enter the user name whose password is to be changed, the old password and the new password, confirm the new password, and click Submit.

External Authentication Server

External Auth Server is used to configure information about third-party authentication servers. The device supports LDAP, RADIUS and POP3 external authentication servers. Click Add; a drop-down list with LDAP Server, RADIUS Server and POP3 Server appears (figure: External Auth Server; Add, Delete, Refresh; columns Authentication Server, Port; example entry LDAP 192.200.17.31, 389).

3.7.2.3.1 Adding an External Authentication Server

Adding an LDAP Server

Choose User and Policy Management on the navigation page, then choose User Authentication > External Auth Server. On the External Auth Server page, click Add and choose LDAP Server. The External Authentication Server (LDAP) page appears. In the Basic Settings
created; Details. IPS Rule-Based Scan: 1/1, No IPS rule is created; Details. Click Scan Again to scan the servers for threats. Click Details to display more information.

Bots

The Bots page displays the current top 5 bots and information about them (Security Status tabs: Events, Top Attacks, Bots, Data Leak, Backlink Injections, Outgoing DoS Attacks; Refresh, Export; Last 7 days; Bot Threat Distribution; Top 5 Bots: No data available; Bot Details: IP Address; columns No., IP Address, Zone, Description, Threat Count, Last Threat; No data available; Entries Per Page 50; 0 entries).

Data Leak

The Data Leak page displays any data leakage and information about the data leak events (tabs as above; Refresh; Last 7 days; Data Leak: No data available; Details columns No., Type, Top 3 Servers/Hosts, Blocks, Unblocks, Last Threat; No data available).

Backlink Injections

The Backlink Injections page displays any backlink injections that occur in the network and information about them (tabs as above; Refresh, Export; Last 7 days; Backlink Injection Distribution; Top 5 Victim Hosts: No data available; Top Victi
down; Settings; OK, Cancel.

Step 2: Add a VLAN subinterface. Choose Network > Interface > Sub Interface and click Add. The Add Sub Interface dialog box is displayed (Add Sub Interface: Physical Interface; VLAN ID 2; Description; Added To Zone: Select zone; Basic Attributes: Pingable; IP Assignment: Static, DHCP; Static IP 192.168.2.1/24; Link State Detection: a feature that achieves automatic link failover when one of the lines goes down, Settings; Advanced: specify Maximum Transmission Unit (MTU), Settings; OK, Cancel).

Physical Interface specifies the physical interface to which the subinterface is added; only a router interface can carry a subinterface. VLAN ID specifies the VLAN ID of the subinterface. IP Assignment can be set to Static or DHCP. If it is set to Static, fill in the Static IP field with the gateway address of the corresponding VLAN. Link State Detection and Advanced are set in the same way as for a router interface. Click OK.

Repeat the preceding steps to add a subinterface for VLAN 3.

Note: A physical interface can carry multiple subinterfaces. The IP address of the physical interface must be in a different network segment from that of any of its subinterfaces.
enable third-party authentication, correctly set the information about the third-party RADIUS server on the RADIUS Server page, including the server IP address, port number, shared key and protocol. See the figure below (RADIUS Server: Server IP 200.200.0.95; Port 1812; Shared Secret; Confirm; Protocol PAP; Test; Enable RADIUS authentication; Save and Apply).

Dynamic Routing

On the Dynamic Routing page, you can set the SANGFOR equipment to exchange or learn routing information with other network equipment through RIP, so that routing information is updated dynamically. See the figure below (Dynamic Routing: Enable Routing Information Protocol (RIP); Enable password-based authentication; Password; IP Address; Port; Triggered/periodic updates; Interval (sec); Log events; Save and Apply).

Enable Routing Information Protocol: after this check box is selected, the SANGFOR VPN equipment advertises to the preset internal routing equipment the network of each peer that establishes a VPN connection with the local end. This updates the routing table on the other equipment and adds a route to the peer network that points to the SANGFOR VPN equipment. After the VPN connection is released, the routing equipment is notified to delete this route.

Enable password-based authentication: authentication password for exch
enjoy. In this example, the parameter is left empty.

If you select Evenly allocation for Bandwidth Allocation Among Users, the bandwidth is allocated evenly among the users in the channel. Here, the users are those who have dataflow mapped to the channel; users within the scope of the channel who do not send or receive dataflow over it are not counted. Free competition is not available.

If you select Make allocated bandwidth on this channel shared evenly among each user of an external IP address, each external IP address is treated as a user of the channel, and the bandwidth allocation policy among users and the per-user bandwidth configuration apply to external IP addresses. Be cautious: this option is usually applied to servers providing services on the Internet.

The Applicable Objects menu under Options defines which data packets are mapped to the channel, in terms of application type, applicable objects, effective time, destination IP group, sub-interface and VLAN. The channel applies only when all the conditions are met (figure: Add Bandwidth Channel; Enable channel; Name: Finance; Bandwidth Channel; Applicable Objects: Application: All, Specified, Select Application; IP Group: All; User; Schedule; Dst IP Group: All; Sub Interface: All; VLAN; OK, Cancel).

Application defines the application type. You can
98. enter a keyword of the group name into the Search field in the left pane and click the magnifier icon. The group will be highlighted in bold if found. To see all direct and indirect users of the selected group, click Unfold All. To delete the selected user or group, click Delete. To choose the desired entries, click Select > Current page or All pages. To deselect entries, click Select > Cancel. To edit the attributes of a user or group, select the user or group and click Edit to enter the Edit User or Edit User Group page. Adding Group: 1. Click Add > Group to enter the Add User Group page, as shown in the figure below. [Figure: Add User Group page with Basic Attributes (fields marked are required: Name, Description, Added To, Max Concurrent Users (0), Status Enabled/Disabled, Inherit role and authentication settings, Inherit authentication settings, Inherit assigned roles), Authentication Options (User Type, Primary Authentication, Secondary Authentication, Local password), Assigned Roles (Roles, Create, Associate), Save and Add, Cancel] 2. Configure Basic Attributes of the user group. The following are basic attributes: Name: Enter a name for this user group. This field is required. Description: Enter a brief description for this user group. Added To: Select the user group to which this user group is added. Max Concurrent Users: Indicate
99. equipment. Sync by security group (AD domain only): This synchronization mode is only applicable to the MS Active Directory server, that is, the AD domain. In this synchronization mode, the security groups in the AD domain server are synchronized to the equipment as user groups. The security group does not have an organizational structure. The equipment synchronizes the security groups at the same level; that is, the synchronized security groups are at the same level. 3.7.1.6.1.1 Cases for Sync by security group (AD domain only): CN=IT, CN=Management, and CN=Normal Users in the LDAP server and the users in the corresponding security groups are required to be synchronized to the equipment. The security groups in the LDAP server are as follows. [Figure: Active Directory Users and Computers window for sangfor.com (16 objects), listing organizational units such as 1GB, 2GB, 500MB, Builtin, Computers, Domain Controllers, FAE, ForeignSecurityPrincipals, Product management, and sales (Chinese sales, Hong Kong sales, Malaysia sales, Singapore sales), with Type and Description columns]
100. etc. [Figure: Reserved IP Addresses list with columns Name, IP Address, MAC Address, Host Name, Del; example entry John, 192.168.1.118, F0:AC:12:13:14:BB] To view the DHCP operating status and how IP addresses are assigned through DHCP, choose Status > DHCP from the navigation menu. DHCP Relay Configuration. Configuration example: The following figure shows the network environment where the switch of the intranet is divided into multiple VLANs, which are assigned IP addresses by a DHCP server. The NGAF must work as the gateway of the VLANs on the intranet and as a DHCP relay. [Figure: DHCP server 192.168.4.5/24 connected to ETH2 (192.168.4.1/24, route); ETH1 2.1.1.1/24 (route); subinterfaces eth1.3 192.168.3.1/24 and eth1.2 192.168.2.1/24 serving VLAN 2 (192.168.2.0/24) and VLAN 3 (192.168.3.0/24)] Step 1: Configure interfaces on the NGAF. Configure interfaces ETH1 and ETH2 as router interfaces and add the subinterfaces of VLAN2 and VLAN3 to interface ETH1. For interface configuration, see section 3.2.1. Step 2: Select Enable DHCP relay. Step 3: Set Apply Relay to Selected Interfaces and DHCP Server. In the Apply Relay to Selected Interfaces area, select the interfaces of the NGAF used to communicate with the DHCP serv
101. event, following Logging in the Action area. Anti-virus: The Anti-Virus page enables users to view logs of viruses detected in Access Control > Anti-Virus. [Figure: Anti-virus log page with Filter and Export Logs; specify the following and click Go to retrieve data: From (2013-08-01 00:00), To (2013-08-16 23:59), Source Zone, Src IP/User, User Group, Dst Zone, Application, Data Type (Sent/Received), Go, Cancel, Open in new tab] Example application scenario: A user needs to view details about virus scanning and removal when emails are sent or received from the intranet to the Internet on May 30. Step 1: Set the search criteria. [Figure: Anti-virus filter with From 2013-08-01 00:00, To 2013-08-16 23:59, Source Zone LAN, Dst Zone WAN] Step 2: Click Go. Data that meets the search criteria is displayed. [Figure: Anti-Virus Details window with Export Logs; Filter Period 2014-04-25 00:00 to 2014-04-25 23:59, Src zone All, Src IP/user All, Dst zone All, Application All, Action Sent/Received; entries 1: 2014-04-25 14:53:23 EmailReceived, 2: 2014-04-25 14:53:03 EmailSent] F
102. example: http://www.baidu.com/ftp.html. [Figure: Authentication settings: Based on IP Address (not requiring confirmation by email), Based on Email (Email Address, 1 entries), Valid For 60 minute(s), OK, Cancel] Name: The name of the server access verification. Server IP: The IP of the server. Website Protection: CMS Admin Console Access: Tick to enable the central management system so that people can access the CMS via a browser. HTTP Port: The port number of the CMS. URL: The URL of the CMS. FTP Server Access: FTP Port: The port number of the FTP server. URL: The URL of the FTP server. Authentication: Based on IP Address: IP addresses selected here do not require any authentication confirmation by email. Based on Email: Tick to enable authentication based on email. Email Address: The authentication confirmation will be sent to the selected email address. Valid For: The validity of the email can be configured in minutes. Scanners: Risk Assessment: Risk detection and prevention scans ports for destination IP addresses so that administrators know the enabled ports and services of servers as well as all possible server loopholes. Therefore, the administrators can disable unnecessary ports to prevent loopholes, which increases server security. Risk detection and prevention scans for weak passwords for destination IP addresses so that administrators can resolve weak database password problems. Meanwhile, Risk Assessment can generate rules based on scan res
103. figure shows a network topology where the NGAF is deployed as a router at the network egress. The web server cluster on the intranet must be protected. The protection includes hiding of FTP server version information, hiding of the Server field and Via field of web servers, OS command injection protection, SQL command injection protection, XSS command injection protection, CSRF command injection protection, HTTP abnormality detection, and buffer overflow detection. Only URLs containing view (http://www.com/view) can be accessed. The service provision ports of servers on the intranet are WEB 80 and FTP 21. [Figure: NGAF connected to a Layer 3 switch] Step 1: Choose Network > Interface and define the zones of interfaces before configuring a policy. Choose Objects > IP Group and define the IP address group of servers. For details, see section 3.4.8. Set ETH2 to LAN, ETH1 to WAN, and 172.16.1.0/24 to Server Farm. [Figure: IP Group list (Add, Refresh, Import, Export) with entries 1 All (All IP addresses), 2 Server Farm, 3 LAN IP Range] [Figure: Interfaces > Zone tab listing zones LAN (Route layer 3, eth2, WebUI/snmp, allowed address All) and WAN (Route layer 3, eth1, WebUI/snmp, allowed address All)] Step 2: Access the Web Application Protection page
104. file types that require virus removal. The device removes viruses only for the files matching the file types in the list. This configuration is applicable only to HTTP and FTP applications. Enable URL/IP exclusion: It excludes specified websites from anti-virus protection and is applicable only to HTTP. You can enter one domain name or IP address in each line. Wildcards are supported. Usually, anti-virus software providers' websites must be excluded so that the virus definition libraries of anti-virus software installed on computers on the intranet can be updated properly. Action: It specifies the action to be taken when an attack is detected. The options include Log Event and Deny. Click OK to complete the configuration. Note: The device removes viruses only for the files matching the file types specified. APT Detection: If users have found and isolated computers on the intranet that are infected by viruses or Trojan horses, anti-malware protection enables the device to identify the traffic of the viruses or Trojan horses when they try to communicate with the Internet, block the traffic based on the users' policies, and record logs. See the following figure. [Figure: APT Detection policy list beside the Navigation pane (Status, Network, Security Databases, VPN), with toolbar Add, Delete, Enable, Move, Refresh, Domain/IP Whitelist, and columns No., Name, Source Zone, Source IP/User, Dst Zone, Protection, Status]
105. horse is an HTML page fabricated by a hacker. When a user accesses the web page, the script embedded in the web page uses browser loopholes to make the browser download the Trojan horse deployed by the hacker on the Internet and run the Trojan horse. The NGAF device can detect such attacks. Website scan: It scans websites as well as the structure and loopholes of the websites. The NGAF device can detect such attacks. WEBSHELL: It is a script tool for web invasion. Generally, it is an ASP, PHP, or JSP page and is also called a website background Trojan horse. After invading a website, a hacker usually deploys the Trojan horse in a web directory of the server together with web page files to manipulate the website for a long time. The NGAF device can detect such attacks. CSRF: It takes advantage of trusted websites by imitating requests from trusted users. The NGAF device can detect such attacks. OS command injection: An attacker uses the OS loopholes of a server to send OS commands by means of web access to the server to obtain network resources or change data. The NGAF device can detect such attacks. File inclusion: It is a type of attack targeting only PHP websites. If PHP variables are not carefully filtered and local server parameters are not distinguished from remote server parameters, an attacker can use files on remote servers as parameters for variable settings. If the files contain malicious cod
106. including the root group. Adding Users: You can add one or multiple users. The following attributes need to be set for a new user: the user name, group name, password, and bound IP address/MAC address, excluding the authentication method. To set an authentication method for a LAN user, choose User Authentication > Authentication Policy and set IP/MAC Range for the equipment to determine an authentication method for the user. 3.7.1.3.2.2 Configuration Example: Adding a User: 1. All computers on the network segment 192.168.1.0/255.255.255.0 on the LAN of the customer are authenticated based on the user name and password. A public account needs to be added to the engineer group. The account is authenticated based on the user name and password and is bound to an IP address range of 192.168.1.2-192.168.1.100 (the IP address range available for login) in a unidirectional manner. This account can be used for concurrent login from multiple terminals. Step 1: Configure an authentication method based on the user name and password for all computers on the network segment 192.168.1.0/255.255.255.0. First, set an authentication method for all users on the network segment. Choose User Authentication > Authentication Policy. In the Authentication Policy dialog box, set IP/MAC Range and set Authentication to SSO/Local or external password authentication. Before you set Authentication Policy, set Authenticat
107. initiating DoS attacks. Internet Protection: Choose Firewall > DoS/DDoS Protection > Outside Attack. The Add Outside Attack Defense Policy page appears. See the following figure. [Figure: Add Outside Attack Defense Policy page with Enable policy, Name (DoS Protection), Description, Zone (Select), Defense against ARP flooding attack (Per Src Zone Packets Threshold 5000 packets/sec), Scan Prevention (IP scan prevention, Threshold 4000 packets/sec; Port scan prevention, Threshold 4000 packets/sec), Defense Against DoS/DDoS Attack (Attack Type: Select type), Packet-Based Attack (Attacks: Select type), OK, Cancel] Name: It specifies the name of a protection rule. Description: It specifies the description of a protection rule. Zone: It specifies the source zone to be protected. The source zone of Internet protection is usually an external zone. Defense against ARP flooding attack: ARP flooding attack protection is enabled when this option button is selected. You can set Per Src Zone Packets Threshold to specify the upper limit on ARP packets received by an interface in the specified zone per second. If the upper limit is exceeded, it is regarded as an attack. If Deny is selected as the action to be taken when being attacked, excessive ARP packets are discarded when an attack is detected. IP scan prevention: IP scan prevention is enabled when this option button is
108. interface of the layer 3 switch, and interface ETH0 to an interface of VLAN99 of the layer 3 switch on the intranet. Subinterface Configuration: Configuration example: The following figure shows the network environment where the switch on the intranet is divided into two VLANs, intranet users are grouped into VLAN2 and VLAN3, and the NGAF provides the routing function between the VLANs and works as the gateway for the VLANs on the intranet. [Figure: NGAF subinterfaces ETH1.2 192.168.2.1/24 and ETH1.3 192.168.3.1/24; VLAN2 192.168.2.0/24 (GW 192.168.2.1) and VLAN3 192.168.3.0/24 (GW 192.168.3.1)] Step 1: Choose Network > Interface > Physical Interface and click the interface (such as ETH2) to be configured as an intranet interface. Configure the intranet interface as a router interface, unselect WAN attribute, and set the IP address and gateway of the intranet interface based on requirements. [Figure: Edit Physical Interface page: Enable, Name eth2, Description, Type Route layer 3, Added To Zone (Select zone), Basic Attributes (WAN attribute, Pingable), IP Assignment (Static/DHCP/PPPoE), Static IP 1.1.1.3/29, Next Hop IP, Line Bandwidth Outbound 1024 Mbps and Inbound 1024 Mbps, Link State Detection] A feature that achieves automatic link failover when one of the lines becomes
109. intranet, and data must be sent from the intranet. Therefore, set Zone to LAN. The users access the server through the public address 1.2.1.1 of the device. Therefore, select IP Address and enter 1.2.1.1. See the following figure. [Figure: Destination section with Zone/Interface (Zone LAN, Interface eth0) and IP (IP Address 1.2.1.1, IP Group Select)] Step 5: Set the protocol. In this example, access data is transferred from any source port number to TCP port 80, matching the IP address 1.2.1.1 for translation. See the following figure. [Figure: Protocol Type TCP, Dst Port 80, Source Port] To restrict source port numbers of data packets, set Src Port to Specified Port. In this example, Src Port is set to All. See the following figure. [Figure: Transfer Protocol, Src Port: All / Specified Port, OK, Cancel] Step 6: Set the source IP address to which the original source IP address is changed. In this example, it is set to the ETH2 intranet interface, which is the egress interface. See the following figure. [Figure: Source NAT To: Egress interface] Step 7: Set the destination IP address and port number to which the original destination IP address and port number are changed. In this example, the IP address 1.2.1.1 accessed by the users is changed to the IP address 172.16.1.100 of the intranet server, with the port number unchanged. See the following figure. Destination N
110. not filled in for some users in the CSV file. In case user already exists in local device: This means the imported user's name conflicts with an existing user's name. Select Go on importing and overwrite the existing user to overwrite the existing one, or select Skip importing the user that already exists so as not to overwrite the existing one. Next: Click it to import the users and add them into the specified user group. Moving Users to Another Group: 1. On the User Management page, select the desired user group(s) and click Move on the toolbar to enter the User Groups page, as shown below. [Figure: User Groups tree with Default group and group1] 2. Select a user group to which the user group(s) is added. 3. Click the OK button. Exporting Users: 1. Click More > Export to enter the Export User File page, as shown in the figure below. [Figure: Export Users page with Export Specified Users/Groups (Select), Export, Back] To select the desired users, click the Select button and you will see the user group tree; check the boxes next to the users and groups and click the Export button. If the user file cannot be opened online, save it onto the local PC and then open it with Excel or Notepad. 2. Select the objects that you want to export, as shown below. [Figure: User Groups selection with Export and Cancel] 3. Select the desired user group and then click the Export button. The selected u
111. [Table of contents fragment; entries whose titles are unreadable in the scan are omitted, page numbers as printed] IPSec VPN 93; 3.4.2.10 Tunnel Route 117; 3.4.2.10.1 Case 117; 3.4.2.11 IPSec VPN 119; 3.4.2.11.1 Phase 1 119; 3.4.2.11.2 Phase 2 121; Multicast Service 129; RADIUS Server 131; 3.4.4.6 Certificate Generation 132; 3.5.2 Application 134; SANGFOR NGFW 5.6 User Manual vi; 3.5.2.1 Viewing Appl
112. overflow and click OK. [Figure: HTTP tab with Website Scan, Buffer Overflow, Protocol anomaly, and Request method settings; Selected: URL overflow, POST entity overflow; Allowed HTTP Request Method table (Method / Description) covering GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE, TRACK, SEARCH, CONNECT, PATCH, DEBUG, PROPPATCH, PROPFIND, and COPY, each with a one-line description (descriptions truncated in the scan, e.g. PUT uploads the latest info to the specified resource, DELETE requests the server to delete resources, TRACE displays the requests received by the server, PATCH partially modifies a resource, PROPFIND retrieves the attributes of resources, COPY requests the server to duplicate the specified resource); OK, Cancel] Buffer Overflow Detection: Check for URL overflow, Max URL Length 2048 Bytes; Check for POST entity overflow, Max URL Length 2048 Bytes; Check for HTTP header overflow
113. party authentication pass the user authentication on the NGAF and obtain the corresponding Internet access privileges. The user names and passwords used by the NGAF for authentication are the same as those used by the third-party authentication server. The NGAF supports the following types of SSO: AD domain SSO, Proxy SSO, POP3 SSO, and Web SSO. The configuration of SSO here is the basic configuration. The complete configurations in terms of users, authentication servers, and authentication modes are under User Management, External Auth Server, and Authentication Policy. For details, see sections 3.6.1.3, 3.6.2.3, and 3.6.2.1. 3.7.2.2.1.1 Domain SSO: If a Microsoft AD domain server is deployed on the network for user management and the intranet logins are managed based on the domain accounts, domain SSO can be used. After the intranet user logs in to the domain, the user is authenticated by the NGAF automatically. That is, the terminal user can access the Internet after logging in to the domain. Domain SSO can be implemented by issuing domain scripts or by monitoring the domain login data packets. Domain SSO is applicable only to Microsoft Active Directory (AD). Domain SSO with domain script issuing: By issuing and executing the configured login script (logon.exe) and logoff script (logoff.exe) on the domain server at user login and logoff, user login and logoff are carried out on the NGAF. See the following figure. [Figure: PC, LDAP server, and SANGFOR
114. router (BDR). The DR is elected from the routers on the same network segment by exchanging Hello packets. A router includes the elected DR in a Hello packet and sends the packet to the other routers on the same network segment. If two routers on the same network segment elect themselves as the DR, the router with the higher priority prevails. If they share the same priority, the router with the larger ID prevails. The default value is 1. Retransmit Interval (s): interval for retransmitting LSAs. By default, the interval for retransmitting LSAs between adjacent routers is 5 seconds. Enable MTU Un-match Detection: OSPF-enabled routers describe their link state databases (LSDBs) by using DD packets during database synchronization. By default, no MTU value is filled in DD packets; that is, the MTU value is 0. 3.2.2.3.3 Parameters: Choose OSPF > Parameters. The page shown in the figure below is displayed. [Figure: OSPF Parameters page: Router ID 108.250.70.76, Intra Area Priority 10, Inter Area Priority, External Priority, SPF Interval; Route Re-Advertisement: Re-advertise Direct Route (Yes/No, Metric), Re-advertise RIP Route (Yes/No, Metric), Re-advertise Static Route (Yes/No, Metric), Re-advertise Default Route (Yes, Default Metric); OK, Restore to Defaults] Router ID: router ID of the NGAF equipment. Intra Area Priority: priority carried in an intra-area LSA after it is calculated and output to the
115. routing table. This priority is called administrative distance (AD) on Cisco equipment. The default value is 10. Inter Area Priority: priority carried in an inter-area LSA after it is calculated and output to the routing table. The default value is 110. External Priority: priority assigned to an external route to be output to the routing table after shortest path first (SPF) calculation. The default value is 150. SPF Interval: interval for SPF calculation. If the LSDB changes, the shortest path needs to be recalculated. The default value is 5 seconds. Route Re-Advertisement: indicates whether to introduce direct routes, RIP routes, and static routes as external route information into the OSPF routing table. You can set the metric value of an introduced route. Re-advertise Direct Route: indicates whether to introduce direct routes as external routing information into the OSPF routing table. You can set the metric value of an introduced route. The default metric value is 10. Re-advertise RIP Route: indicates whether to introduce RIP routes as external routing information into the OSPF routing table. You can set the metric value of an introduced route. The default metric value is 20. Re-advertise Static Route: indicates whether to introduce static routes as external routing information into the OSPF routing table. You can set the metric value of an introduced route. The default metric value is 20. Default
116. select All to apply the channel to the data packets of all types of applications, and Specified to apply the channel to data packets of specific applications. Click Select Application. In the displayed screen, select Application category and Website Type. In this example, services (mail receiving and sending, and online bank visiting) are guaranteed bandwidth. Therefore, select Email (All) for Application category and Online bank for Website Type. [Figure: Select Application dialog with tabs View All, Application category, Website Type, and File type; entries such as FTP (All), smtp_status (20), ICMP (All), and Adult Content, with a Type column (Application/Website); OK, Cancel] The File type category controls the download of files over HTTP and FTP. In the Selected list, check that all selected objects are correct and click OK. The configuration of Applicable Objects defines for which users, user groups, and IP addresses the channel takes effect, based on IP addresses or users. In this example, the users in the financial department are provided with guaranteed bandwidth. Therefore, choose User for IP/User and select the group in the displayed Select User Group screen. You can select users and user groups under Current Group. The selected users and user groups are listed under Selected Objects. After all required objects are selected, click OK. The configuration is complete.
117. server, if any. Select Get Updates Using HTTP Proxy Server and set the IP address and port. Then select Require authentication and set the username and password, as shown in the following figure. [Figure: Update Server dialog: Select Server (Auto, 0.0.0.0, Test Server), Get Updates Using HTTP Proxy Server (IP Address, Port), Require authentication (Username, Password), OK, Cancel] Backup/Restore: Backup/Restore downloads and saves the NGAF configuration to the local device or restores a backup configuration file to the NGAF. [Figure: Backup/Restore page: Backup Configuration (Backup); Restore Configuration (Method 1: Restore from auto backup file; Method 2: Restore from backup file, Browse)] Backup Configuration: Backs up and downloads the existing configuration. Click Backup to back up the current configuration. Restore Configuration: Restores backup configuration files in either of the following methods. Method 1: Restore from auto backup file. The NGAF automatically backs up the configuration every early morning. By default, configuration files of one week are saved. Select the configuration file to be restored and click Restore. Method 2: Restore from backup file. Click Browse to open a local backup file and click Restore. Logs: Logs checks the operation logs of NGAF modules. You can check whether modules work prop
118. sessions between the Sangfor device and the client. To view the current certificate of, or to generate a certificate for, the Sangfor device, navigate to SSL VPN > Certificate, as shown in the figure below. [Figure: Certificate page: RSA Encryption Standard, Subject CN=SANGFOR; buttons View, Download, Update; Create a CSR for Device (generate a certificate signing request (CSR) for the device)] The following are the contents included on the Certificate page: View: Click it to view the detailed information of the current certificate. Download: Click it to download the current device certificate. Update: Click it to import a new certificate to take the place of the current one. Create CSR for Device: Click this button to generate a certificate signing request (CSR), which should be sent to the external CA to generate the device certificate. The page is shown in the figure below. [Figure: Create a CSR for Device dialog: Country, State, City, Company, Department, Issued To, E-mail, Key Size 1024, Encoding UTF-8, OK, Cancel] Configure the required fields and then click the OK button. Once the certificate signing request is generated, click the Download link to download the request. The contents of the downloaded request file are as shown below. IPSecVPN: The VPN module allows you to configure the Sangfor VPN (IPsecVPN) function and view the VPN connection status. [Figure: Navigation > Status, Refre
119. the account can be used only on the manager's computer. The IP address and MAC address of the manager's computer are 192.168.1.117 and 00:1C:25:AC:4C:44. Step 1: Choose User Authentication > Authentication Policy. In the Authentication Policy dialog box, set IP/MAC Range and set Authentication to None/SSO. Before you set Authentication Policy, set Authentication Zone. As shown in the figure below, the LAN is selected for authentication. [Figure: Enable user authentication, Authentication Zone LAN, Add, Refresh, Import Example File] [Figure: Authentication Policy dialog: Name Manager, Description, IP/MAC Range 192.168.1.117, Authentication: None/SSO (Take IP as username, Take MAC as username, Take host name as username; if SSO is configured, the detected username is preferable), SSO/Local or external password authentication (the browser will be redirected to an authentication page when the user attempts to access the Internet, on which user credentials are required; Configure External Auth Server, SSO only), Excluded Users (login name, comma separated), New User Option for users outside the local device to a specified local group (Select Group)] Step 2: In the Groups pane, select the group to which you want to add a user. On the Members page displayed on the right, click Add and select User. [Figure: Users list with Fuzzy match, Group Path Default/test, Modify, Description
120. the IP addresses to be excluded and click OK. [Figure: Add Excluded Address dialog: Description (optional), Excluded Address 192.200.12.32, Cancel] Custom Webpage: Custom Webpage customizes the webpage redirected to the terminal by the NGAF. The webpages that can be customized include Authentication Successful, Access Denied, Virus Detected, Change Password, Bulletin, Web Access Portal, and Locked User Login Failure. [Figure: Custom Webpage page listing Authentication Successful, Access Denied, Virus Detected, Change Password, Bulletin, Web Access Portal, and Locked User Login Failure; for Change Password: Enable (users who adopt local password-based authentication can change their password through this page), Page Contents, Preview, Restore Previous Edition, Restore Defaults, and an editor showing the page's HTML source (DOCTYPE html; head with meta Content-Type text/html charset utf-8, meta robots noindex, nofollow and noarchive, title Modify Password, and a stylesheet link to css/style.css; body with a dialog div containing an inner div, a head div with a lock icon, and an h2 heading Modify Password)]
121. the destination IP address. It should be set to 255.255.255.0 in this example. Dst Route User: VPN user that the route directs to. In this example, set it to the user that establishes the VPN connection between Shanghai branch and Shenzhen branch. Note: Source IP and Destination IP specify the source IP address and destination IP address of the data. If the data transmitted on the VPN tunnel matches the settings, the route settings take effect and the data is forwarded to the corresponding VPN equipment. Dst Route User specifies the VPN equipment to which the data is to be routed. In this example, Shanghai branch establishes a VPN connection with the headquarters by using the user name Shenzhen Shanghai in VPN Connection. Therefore, the data forwarded to the headquarters is labeled Shenzhen Shanghai. 2. On the Tunnel Route page of Guangzhou branch, select Enable tunnel route and click New to add a route to Shanghai branch. See the figure below. [Figure: tunnel route entry: Source IP 10.1.1.0, Subnet Mask 255.255.255.0, Destination IP 172.16.1.0, Subnet Mask 255.255.255.0, Dst Route User, Enabled, Access Internet via destination route user] Source IP: source IP address. It should be set to 10.1.1.0 in this example. Subnet Mask: subnet mask of the source IP address. It should be set to 255.255.255.0 in this example. Destination IP: destination IP address. It should be set to 172.16.1.0 in this example. Subnet Mask: subnet mas
122. to synchronize configuration and negotiate VRRP.

Step 3: On firewall A, choose High Availability > Redundancy; set VRID and Priority both to 50 for interfaces ETH5 and ETH2, set VRID and Priority both to 20 for interfaces ETH1 and ETH3, and set Preemption to No.

Step 4: On firewall A, choose High Availability > Sync Options and select all three synchronized objects.

Step 5: Configure the HA interface of firewall B.

Step 6: On firewall B, choose High Availability > Basic Settings, set Local Device IP to the IP address of interface ETH4, and set Peer Device IP based on requirements. The settings enable firewalls A and B to synchronize configuration and negotiate VRRP.

Step 7: On firewall B, choose High Availability > Redundancy; set VRID to 50 and Priority to 40 for interfaces ETH5 and ETH2 and set Preemption to No; set VRID to 20 and Priority to 30 for interfaces ETH1 and ETH3 and set Preemption to Yes.

Step 8: On firewall B, choose High Availability > Sync Options and select all three synchronized objects.

Step 9: Power off firewalls A and B and connect the cables. After that, power on firewall A and then firewall B. After being started, firewall B requests configurations from firewall A. Note that firewall B can be powered on only after firewall A is started.

Appendix: SANGFOR NGAF Upgrade System

The SANGFOR NGAF upgrade system is used to upgrade device kernel versions and back up and re
123. to transmit broadcast packets on VPN channels. Only broadcast packets within the specified port range can be transmitted, which avoids broadcast storms.

Multicast: whether to transmit multicast packets on VPN channels.

Local Users

On the Local Users page you can manage VPN access accounts, that is: set the user name and password for accessing the VPN; whether to enable hardware binding authentication or DKEY authentication; whether to use virtual IP addresses; the encryption algorithm used for user accounts; the account validity period; and the internal permissions of user accounts. You can also group users and set the public attributes of the group members. See the figure below.

Figure: Local Users page toolbar, including Export, Detect USB Key and Download USB Key Driver.

Click Detect USB Key to detect whether a USB key is inserted into the computer that is currently logged in to the gateway console. If no DKey driver is installed, a prompt is displayed asking whether to download it. You can click Download USB Key Driver to download and install the DKey driver.

The DKey driver must be installed before the DKey is generated. Otherwise, the computer cannot identify the DKey hardware. To avoid DKey driver installation failure caused by program conflicts, exit programs including third-party anti-virus software and firewalls before the installation.

Click Delete to delete the selected users. Click Import From LDAP Server to import user information from t
124. you can choose to ignore this rule.

The Vulnerability Name column lists the names of vulnerabilities. The Type column lists the types of existing vulnerabilities, such as backdoor. The Threat Level column lists the levels of vulnerabilities; there are three levels: high, medium and low. The Action column lists the actions taken by the equipment when attacks are performed. There are four actions: Enable (Block if attack detected), Enable (Log event if attack detected), Enable (Analyze based on Cloud technology) and Disable. You can define the actions. Click a vulnerability name to open the editing page. See the figure below.

Figure: Edit Rule dialog. Vulnerability ID: 12030504. Vulnerability Name: Lyris ListManager doemailpassword.tml Cross Site Scripting Vulnerability. Description: Lyris ListManager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Impact: Execution of arbitrary code. Threat Level: High. Reference: http://www.securityfocus.com/bid/68973. Solution: http://lyris.com/us-en. Action: Enable (Block if attack detected) / Enable (Allow if attack detected) / Enable (Analyze based on Cloud technology) / Disable; OK, Cancel.

Enable (Block if attack detected): The current rule is enabled. In case of an attack based
125. 0.2.101 on the intranet encounters a DoS attack from the Internet at 16:14 on May 30. The attack type is IP data block fragmentation transmission, and the source IP address of the attack is 58.60.9.178.

To display a certain column, click Columns in the upper right corner.

Web Application Protection

Web application protection enables users to view attacks detected in Server Protection.

Figure: Web Application Protection filter. Specify the following and click Go to retrieve data: From 2013-08-01 00:00 To 2013-08-16 23:59; Source Zone All; Source IP All; Dst Zone All; Dst IP All; Type All; Rule ID All; State Code All; Threat Level High, Medium, Low; Action Allow, Deny; Merge Logs Enable; Go; Open in new tab.

Example

Application scenario: A user needs to view details about the SQL injection attacks sent by the client with the IP address 192.200.17.128 on August 16.

Step 1: Set the search criteria.

Figure: Filter, Export Logs. From 2013-08-16 00:00 To 2013-08-16 23:59; Source Zone All; Source IP 192.200.17.128; Dst Zone All; Dst IP All; Type All; Rule ID All; State Code All; Threat Level High, Medium, Low; Action Allow, Deny; Merge Logs Enable; Open in new tab.

Step 2: Click Go. Relevant data i
126. (Figure residue, continued: eth2, No, Bridge layer, LAN, MTU 1500; eth3, Yes, Bridge layer, WAN_TEST.)

Physical Interface

The Physical Interface tab page displays the interface name, description, WAN interface type, connection type, zone, IP address, dial-up status, MTU, operating mode, ping function, interface status and link status. See the figure below.

Figure: Physical Interface tab (alongside the Sub Interface, VLAN Interface, Aggregate Interface, Zone and Link State Propagation tabs), with a Refresh button and the columns Name, Interface, WAN, Ping, Type, Zone, IP Assignment, IP Address, Link Mode, MTU, Link State, Status. Sample rows: eth0, No, Allow, Route (layer 3), None, Static IP, 10.251.251.251/24, 1500; eth1, No, Deny, Route (layer 3), WAN, Static IP, 192.200.17.23 255.2..., Auto-negotiation, 1500; eth2, No, Bridge layer, LAN, Full duplex, 1500; eth3, Yes, Bridge layer, WAN_TEST.

Name: name of the network interface. The name of a physical interface cannot be changed.
Description: description of the network interface.
Type: type of the network interface. There are four interface types: route, transparent, virtual wire and bridge.
IP Assignment: IP address obtaining mode, including asymmetric digital subscriber line (ADSL), static IP address and DHCP.
Zone: security zone to which the network interface belongs.
IP
127. Figure: Add One-Time Schedule dialog: Start Time 2013-08-12 11:54:07; End Time 2013-08-12 11:54:07; OK, Cancel.

Name: schedule name.
Start Time: start date and time of the schedule.
End Time: end date and time of the schedule.

Recurring Schedule

The recurring schedule specifies a certain time segment from Monday to Sunday, and the equipment cyclically executes the schedule within the specified time segment. In the navigation area, choose Objects > Schedule > Recurring Schedule. The Recurring Schedule tab page is displayed.

Figure: Schedule page with the One-Time Schedule and Recurring Schedule tabs, Add and Refresh buttons, and the columns No., Name, Schedule, Description. Row 1: All week; Mon to Sun, Morning 0:00 to Afternoon 11:59 (the last minute included); All week.

On the Recurring Schedule tab page, click Add. The Add Recurring Schedule dialog box is displayed.

Figure: Add Recurring Schedule dialog: Name; Description; Add Time Segment; a table with the columns Days Of Week, Time Segment, Edit, Delete (No data available); Schedule Preview across hours 00 to 23; OK, Cancel.

Name: schedule name.
Description: schedule description.
Add Time Segment: Click Add Time Segment to set a specific time period and time range. See the figure below.

Figure: Add Time Segment dialog; OK, Cancel.

If you want to set several discontinuous time segments, add multiple time segments.
128. 10 per minute; Cancel.

Buffer Overflow Detection: specifies whether to detect URL overflow, POST entity overflow and HTTP header overflow. Click Selected (URL overflow, POST entity overflow). The Buffer Overflow Detection page appears. Select the required detection options. The device then provides protection against the selected types of overflow.

Figure: Buffer Overflow Detection page: Check for URL overflow, Max URL Length 2046 Bytes; Check for POST entity overflow, Max URL Length 2048 Bytes; Check for HTTP header overflow, with an Add button and a table of maximum lengths (No data available).

Select Check for URL overflow and set Max URL Length. The device then checks URL lengths to prevent buffer overflow. Select Check for POST entity overflow and set Max URL Length to prevent overflow caused by the data received by servers. Select Check for HTTP header overflow, click Add and set the maximum length of the specified fields in HTTP headers. The device then checks for fields with excessive lengths.

Server data leakage, such as the CSDN and Tianya events, is becoming increasingly serious. After deploying the SANGFOR NGAF device, you can enable the data leak protection function to prevent leakage of sensitive information.

Figure: Data Leak Protection section: Sensitive data protection (Settings); File download restriction (Settings); IP/URL Whitelist.

Set Data Leak Protection to Sensitive data protection a
129. (Figure residue: scan history rows: 1, http://192.200.19.195/jcsweb, 2014-09-04 18:01:19 to 18:03:49; 2, http://192.200.19.195, 2014-09-04 17:15:03 to 17:17:57; 3, http://192.200.19.200, 2014-09-04 16:55:56 to 16:55:56; 4, http://192.200.200.33, 2014-09-04 15:52:21 to 15:52:59.)

Click Export Report as HTML File to download the scan results as an HTML file.

Web Dir Structure shows the directory structure of the scanned website and the pages that contain the vulnerability. Refer to the figure below.

Figure: Web Dir Structure tree for 192.200.19.195 (5): jcsweb (3): download (3), php (1), download.php (1), news.php (2), os.php; tools (3); wordpress (2).

The results table contains two fields, Vulnerability and Threat Level. Click the expand icon to show the Process Description and Recommended Solution fields. The scan results page is shown below.

Figure: Web Scanner results page. Scanner: Restart; Completed; Time taken: 2 minutes; Scanned 24 pages, 468 locations; Note: 2014-09-04 18:01:19 to 18:03:49; Export Report as HTML File; Search term. Threat Level High: Vulnerability (3): Cross Site Script (XSS) (3) on 192.200.19.195 (5): 192.200.19.195/jcsweb/news.php (1), High; 192.200.19.195/wordpress/wp-register.php (2), High; Local File Inclusion (1); SQL Injection (1), High. Columns: Process Description, Recommended Solution, Page URL 192.200.19.195/jcsweb/n
130. 192.168.1.20:110.

Step 3: If the login data is not transferred through the device, you must set a mirror interface and connect it to the mirror interface of the switch that forwards the login data. Click Others and set the mirror interface. The mirror interface must be an idle network interface.

Figure: Authentication Options, Other Options. Auth Page Redirection. If SSO requires an external authentication server and the packets of users logging in to the external server do not go through this device, you need to mirror the packets to an idle interface of this device; specify the mirror interface here. Enable mirror interface; Mirror Interfaces (the selected interface will be monitored): eth0, eth1, eth2, eth3.

Step 4: Set authentication policies based on the IP addresses or MAC addresses of the users who require POP3 SSO. Choose User Authentication > Policy, click Add and set the policies. See section 4.6.2.1.3.

Step 5: Send and receive emails using an email client on the PC. After POP3 server login is successful, you can access the Internet.

Scenario 2: The POP3 server is located on an external network.

Figure: topology of PC, NGFW and POP3 Server.

The data flow is as follows:
1. Login data is transferred from the PC through the device to the POP3 server.
2. The intranet interface of the device is also used as the monit
131. (Figure residue: server risk rows: 192.200.17.22, 80, http, TCP, WAN, 0.0.0.0/255.255.255.255, Medium, Web vulnerability, open port risk; 192.200.17.203, 80, http, TCP, WAN, 0.0.0.0/255.255.255.255, Medium, Web vulnerability, open port risk; 192.200.17.210, 80, http, TCP, WAN, 0.0.0.0/255.255.255.255, Medium, Web vulnerability, open port risk; 192.200.17.202, 80, http, TCP, WAN, 0.0.0.0/255.255.255.255, Medium, Web vulnerability, open port risk; 192.200.17.10, 53, dns, UDP, WAN, 0.0.0.0/255.255.255.255, Low, open port risk; 192.200.17.10, 445, netbios, TCP, WAN, 0.0.0.0/255.255.255.255, Low, open port risk.)

Move the cursor to a risk to view its details.

Figure: risk list with Export as PDF, Associated Policies (All) and an "IP address or port" search box. Columns: Server IP, Port, Application, Protocol, Accessible, Accessible IP, Threat Level, Risk, Operation. Rows: 192.200.17.22, 3306, mysql, TCP, WAN, 0.0.0.0/255.255.255.255, High, open port risk; 192.200.17.202, 69, tftp, UDP, WAN, 0.0.0.0/255.255.255.255, High, open port risk; 192.200.17.202, 21, ftp, TCP, WAN, 0.0.0.0/255.255.255.255, High, weak password risk (1), open port risk; 192.200.17.200, 1433, mssql, TCP, WAN, 0.0.0.0/255.255.255.255, High, open port risk; 192.200.17.22, 80, http, TCP, WAN, 0.0.0.0/255.255.255.255, Medium, Web vulnerability, open port risk; 192.200.17.203, 80, http, TCP, WAN, 0.0.0.0/255.255.255.255, Medium, Web vulnerability (tooltip: The port is prone to Web vulnerability); 192.200.17.210, 80
132. (Figure residue: operation log rows: ...200.19.54, Authentication; 2014-09-05 11:12:01, admin, Log In, IP 192.200.19.54, Objects, https://10.251.251.251/framework.php...)

Statistics

The home page of the data center displays the security trend and the traffic rate trend over the last 30 days.

Figure: Data center Home page (Home, Log Out). Navigation Menu: Home, Auto-Generated Reports, Server Security, Endpoint Security, Traffic, Application, Website Browsing, Anti-Virus. Disk Usage: Total 268.83 GB, Used 6.11 GB (2%). Security Trend, 2014-08-07 to 2014-09-05: the three threat levels are High, Medium and Low. Security Over the Last 30 Days: attacks per day (y-axis up to 50k) for days 07 through 05, stacked by Threat Level High, Threat Level Medium and Threat Level Low.

Disk Usage indicates the used percentage of the current disk. The preceding figure shows that 3% of the disk space is used. Security Over the Last 30 Days shows the security trend over the last 30 days. The security described here includes antivirus, ActiveX filter, script filter, DoS attacks, IPS attacks and security threats detected by Web application protection. To view attack details, move the cursor to the corresponding column. The following figure shows that 34.5 thousand attacks occurred on day 28. The x-axis indicat
133. (Figure residue: WAF signature rows: ...20100, Wordpress Application Exploit Attack, Web site vulnerabilities, High, Enable (Block if attack detected); 13120099, Wordpress Application Exploit Attack, Web site vulnerabilities, High, Enable (Block if attack detected). Page 1 of 49; Entries Per Page 50; 1-50 of 2401.)

Click Global Action to modify the rules of the WAF signature database in a unified manner. If Default initial action is selected, the default action takes effect. If Strict detection (Block if attack detected) is selected, the action Enable (Block if attack detected) takes effect for all rules. By default, the system allows all rules with the medium threat level; after strict detection is enabled, rules of all threat levels are blocked.

Figure: Global Action dialog: Action of All Rules: Default initial action / Strict detection (Block if attack detected); OK, Cancel.

View specifies the rule database of the current protection type. Click it to view the rule IDs based on the protection type. See the figure below.

Figure: View list of protection types: SQL injection, XSS attack, Trojan horse, Website scan, WEBSHELL, CSRF, OS command injection, File inclusion, Path traversal, Information disclosure, Web site vulnerabilities.

Rule Name: name of the protection rule.
Type: protection type of the current protection rule, such as SQL injection.
Threat Level: level of the vulnerability. There a
134. Figure: URL log table (Export Logs, Columns) with the columns Time, URL Category, Domain and URL. The rows are dated 2014-04-25 12:58:41 to 12:58:43, with categories such as Other, Advertisement, Search Engine, Enterprise Website, Adult Content, Life Information and IT Related, and domains such as sjc-login.dotomi.com, secure.ds.serving-sys.com, media.fastclick.net, googleads.g.doubleclick.net, 10.1.7.250, ad.doubleclick.net, ib.adnxs.com, google.com, b.scorecardresearch.com, ds.serving-sys.com, my.gmads.mookie1.com, n.effectivemeasure.net, a.tribalfusion.com and themes.googleusercontent.com.
135. (Table of contents fragment from the SANGFOR NGFW 5.6 User Manual, page iv; most entries are illegible after extraction. Legible entries:)
Backlink Injections 9
Viewing Vulnerabilities Analysis 11
Security 12
Recent Security Events 12
Top Users by Traffic 14
Top Applications by Traffic 15
Bandwidth Channel 19
Online Users 20
Viewing Online Users 20
3.1.2.2 Filtering Online Users 21
Online Users 21
Unlocking Online Users 22
Forcibly Logging Out Online Users 22
Physical Interface 24
VLAN 28
Link State Propagation 31
Route 33
136. 251.251/24. Configure an IP address that is in the same network segment as the default IP address on your PC, and log in to the NGAF by using https://10.251.251.251.

Step 2: Configure a management interface. When the NGAF is deployed in bypass mode, it blocks connections through the management interface. Choose Network > Interface > Physical Interface and click eth0. The Edit Physical Interface dialog box is displayed.

Figure: Edit Physical Interface dialog for eth0: Enable; Name eth0; Description Manage interface; Type Route (layer 3); Added To Zone: Select zone; Basic Attributes: WAN attribute, Pingable; IP Assignment: Static / DHCP / PPPoE; Static IP 10.251.251.251/24, 192.168.1.12/24; Next Hop IP 192.168.1.1; Line Bandwidth: Outbound 1024 Mbps, Inbound 1024 Mbps; Link State Detection (a feature that achieves automatic link failover when one of the lines goes down); OK, Cancel.

Step 3: Configure a bypass mirror interface. Choose Network > Interface > Physical Interface and click eth1. The Edit Physical Interface dialog box is displayed.

Figure: Edit Physical Interface dialog for eth1: Enable; Name eth1; Description; Type Mirror; Added To Zone Mirror; Advanced (configure link mode, MTU and MAC address); OK, Cancel.

Set Type to Mirror. Set Added To Zone to the zone to which interface ETH1 belongs, which is a mirror zone in this exampl
137. (Figure residue: LB.) After the BM lines are defined, set the corresponding BM line policies with the defined lines; otherwise, the traffic control channel does not take effect.

BM Line Policy

The BM line policy is mandatory for the traffic control channels to take effect. You can define different BM line policies with different network protocols, intranet zones, Internet zones and outbound interfaces. Choose Traffic Management > BM Line > Policy. Click Add. On the displayed Add BM Line Policy screen, set the parameters as follows.

Figure: Add BM Line Policy dialog: Transfer Protocol: Type All, Protocol No. 0; Internal Address: IP Address All / Specified, LAN Port All / Specified; External Address: IP Address All / Specified, WAN Port All / Specified; Internet Line: Line 1.

Transfer Protocol defines the protocol type of the data packets. Internal Address defines the source IP address and port No. of the data packets. External Address defines the destination IP address and port No. of the data packets. Internet Line defines the BM line of the data packets, that is, the egress interface of the data packets. After a BM line is specified as the Internet line of a BM line policy, the traffic control channel takes effect for that BM line.

System

System Configuration

The general system configuration includes the configuration of the system time, network paramete
138. 5 per page.

The following are some optional operations on the Hardware ID page:

Delete: Click it to remove the selected user and/or group.
Select: Click Select > On all pages or Select > On current page to select all the hardware IDs or only those shown on the present page, or click Select > Cancel to deselect users.
Approve: Click it and the selected hardware ID(s) will be approved, and the corresponding user will be able to pass hardware ID based authentication.
View: Filter the hardware IDs. Choose a certain type of hardware IDs to show on the page: All, Approved or Not approved.
Search: Use the search tool on the upper right of the page to search for hardware IDs by username or hostname.
Import: Click it to import hardware IDs by hand, as shown below.

Figure: Import users from file dialog: File extension .dat/.txt (Example File); File Path: Select a .dat or .txt file (Browse); Overwrite the user owning a same name; Upload, Cancel.

For the file format and the way of maintaining the file that contains hardware IDs, click the Example File link to download a copy to the local computer and maintain the hardware IDs as instructed.

Overwrite the user owning a same name: If any imported user has the same name as an existing user, selecting this option imports that user and overwrites the existing user, including the hardware ID and other in
139. (Figure residue: WAN speed rows: 61.8 Kb/s / 2.77 Mb/s; 20 Mb/s / 20 Mb/s; 11.4%; 76.7 MB / 830.78 MB. Total rate: 619.62 Kb/s / 2.53 Mb/s; 439.32 Kb/s / 2.94 Mb/s; 25 Mb/s / 25 Mb/s; 2.1%; 128.71 MB / 881.32 MB.)

Figure: Bandwidth Channel and Exclusion Rule tabs. Tips: the two values in some columns stand for Outbound / Inbound respectively. Period None; View All channels. Columns: Name, Line, Transient Speed, Percent, Min Bandwidth, Max Bandwidth, Status. Rows: limit, Line 1, 0 b/s / 0 b/s, 0.0%, 0 b/s / 0 b/s, 2.5 Mb/s / 2.5 Mb/s, Running; BASIC, Line 1, 161.43 Kb/s / 161.61 Kb/s, 3.3%, 2.5 Mb/s / 2.5 Mb/s, 4 Mb/s / 4 Mb/s, Running; Default channel, All, 458.19 Kb/s / 2.38 Mb/s, 1.9%, 0 b/s / 0 b/s, 25 Mb/s / 25 Mb/s, Running.

Click Refresh (5 seconds) to set the refresh interval. Click Refresh to refresh the information immediately. BM System Status in the upper part of the Flow Control page indicates whether the bandwidth management system is started. You can view real-time traffic information about channels only when the bandwidth management system is in the Running state. Click Configure BM to open the Bandwidth Management page.

Figure: WAN Speed pane with the columns Name, Transient Speed, Speed History, Max Speed Allowed, Percent, Traffic History. Total rate: 144.98 Kb/s / 140.33 Kb/s; 116.92 Kb/s / 35.24 Kb/s; 5 Mb/s / 5 Mb/s; 10.0%; 14.96 MB / 110.32 MB.

The WAN Speed pane displays the overall traffic conditions, including the transient speed, historical speed, preset speed, perce
140. 68.1.0/255.255.255.0.

Figure: Authentication Policy: Name Subnet 1; Description; IP/MAC Range 192.168.1.0/255.255.255.0.

Step 3: Choose Policy. Select an authentication mode for Authentication. The authentication modes available in Authentication are Non-SSO, SSO/Local or external password authentication, and SSO only. For details about the authentication modes, see section 3.6.2.1.1. In this example, choose SSO/Local or external password authentication.

Figure: Authentication options. None: Take IP as username / Take MAC as username / Take host name as username (if SSO is configured, the detected username is preferable). SSO/Local or external password authentication: the browser will be redirected to an authentication page when the user attempts to access the Internet, on which user credentials are required; Configure External Auth Server. SSO only. Excluded Users: login names, comma separated.

Step 4: Choose Policy and set New User Option.

Figure: New User Option (for users outside the local device): Added to specified local group, Select Group; not applied to new users authenticated against an external LDAP server, for they can be synchronized to a corresponding group automatically (User Sync Policy). Other User Attributes: Concurrent Login: Allow concurrent login on multiple terminals / Only allow login on one terminal.
141. 92.200.19.195, Medium, View.
5, 2014-08-28 16:52:25, Version later than Apache 2.2 and earlier than 2.2.22 allows attackers to cause denial of service, 192.200.19.195, Medium, View.
6, 2014-08-28 16:52:25, Version later than Apache 2.2 and earlier than 2.2.22 allows heap-based buffer overflow, 192.200.19.195, Medium, View.
7, 2014-08-28 16:52:25, Apache 2.2 < 2.2.24 Multiple Cross Site Scripting Vulnerabilities, 192.200.19.195, Medium, View.
8, 2014-08-28 16:52:25, Apache 2.2 < 2.2.23 Multiple Vulnerabilities, 192.200.19.195, Medium, View.
9, 2014-08-28 16:52:25, Version later than Apache 2.2 and earlier than 2.2.22 has vulnerability, 192.200.19.195, Medium, View.

Click View to read the vulnerability details and the suggested solutions.

Security Events

Figure: Security Event page with the tabs Recent Security Events, Endpoint Security and Recent Attack Sources; Refresh (5 seconds), Refresh; columns No., Time, Src IP, Dst IP, Attack Type, URL, Description, Action, Details.

Recent Security Events

The Recent Security Events page displays recent attack events. See the figure below.

Figure: Recent Security Events tab (alongside Endpoint Security and Recent Attack Sources); Refresh (5 seconds), Refresh; columns No., Time, Src IP, Dst IP, Attack Type, URL, Description, Action, Details.

The displayed information includes the attack time, source IP address, destination IP address, attack type and attacked URL. Click Refresh (5 seconds) to set the refresh interval. Click Refresh to refresh the information immediately.
142. A, and set VRID and Priority both to 20 for interfaces ETH1 and ETH3 of firewall A. In the Add VRRP Group dialog box, set VRID to 50 and Priority to 40 for interfaces ETH5 and ETH2 of firewall B, and set VRID to 20 and Priority to 30 for interfaces ETH1 and ETH3 of firewall B. When the configuration is completed, users on intranet A access the Internet through interfaces ETH2 and ETH5 of firewall A, and users on intranet B access the Internet through interfaces ETH3 and ETH1 of firewall B. Upon failure of an interface, the corresponding interface of the other firewall takes over, replacing the faulty interface.

Allocate the interfaces of the firewalls connected to layer 3 switch A to the same VLAN. The IP address of interface ETH2 is 192.168.2.1/24. The next hop of layer 3 switch A points to 192.168.2.1/24. Configure two routes on firewall A: the next hop to 172.16.1.0/24 is layer 3 switch A, and the next hop to 172.16.2.0/24 is layer 3 switch B. The implementation and configuration between layer 3 switch B and firewall B are the same as described above.

Steps

Step 1: Configure the following data on firewall A: interface IP addresses, NAT, packet reception route, PRB, etc. For details, see the preceding sections.

Step 2: On firewall A, choose High Availability > Basic Settings, set Local Device IP to the IP address of interface ETH4, and set Peer Device IP based on requirements. The settings enable firewalls A and B
143. AT: Translate IP To: IP Address 172.16.1.100; Translate Port: Unchanged / To Specified Port.

Step 8: Click Save to complete the bidirectional NAT rule configuration.

Step 9: Set application control policies to enable data to be transferred from the intranet to the intranet IP address 172.16.1.100 with the HTTP port number 80. For the detailed configuration, see section 3.8.1.

- You can add an IP group either by defining an object or when you select bidirectional NAT rules.
- To modify a bidirectional NAT rule, click the name of the rule to go to the modification page.
- To delete a bidirectional NAT rule, select the rule and click Delete, or click the delete icon and follow the instructions to complete the deletion.
- To disable a bidirectional NAT rule, click its status icon. When the rule is disabled, the status icon changes to the disabled state. To enable the rule again, click the icon and follow the instructions to enable the rule.

DNS Mapping

DNS Mapping is used to enable intranet users to access internal servers through public domain names. It implements the same function as bidirectional NAT. After DNS Mapping is set, the firewall resolves the domain name to the internal IP address of the server when an intranet user sends a DNS request. Then the firewall sends the IP address to the user's client, so that the client directly accesses the server without using NAT rules.

Differences between DNS Mapping and bidirectional NAT
144. Address: IP address configured for the network interface. This column is left blank if no IP address is configured.
Dial-up status: When
Link Mode: operating mode of the network interface, such as auto-negotiation.
Ping: whether the network interface can be pinged.
Interface Status: link status of the network interface. The connected icon indicates that the network interface is connected, whereas the disconnected icon indicates that no cable is connected to the network interface or the network interface fails.
Link State: link fault status of the network interface. The equipment can detect the link status through ping detection or DNS detection.
Status: whether the network interface is enabled. The enabled icon indicates that the network interface is enabled.

You can click an interface name, such as eth0, to open the interface editing page. See the figure below.

Figure: Edit Physical Interface dialog: Enable; Name eth0; Description Manage interface; Type Route (layer 3); Added To Zone: Select zone; Basic Attributes: WAN attribute, Pingable; IP Assignment: Static / PPPoE; Static IP 10.251.251.251/24; Next Hop IP; Line Bandwidth: Outbound, Inbound; OK, Cancel.

Type specifies the interface type. It defines the data forwarding function of the equipment. There are four interface types:
Route: An IP address needs to be configured for a route interface, which provides the routing and forwarding function.
Transparent: A transparen
145. Application Group. Rank By: Bidirectional Traffic / Outbound Traffic; Show Top 10; Chart Type: Ranking / Trend / Ranking & Trend; Less <<; Go; Cancel; Open in new tab.

Step 2: Click Go. Relevant data is generated.

Figure: Filter: Period 2013-08-15; IP/User All; Application All; Statistics: App Category, Show Top 10; Rank by Bidirectional Traffic; Chart type Ranking. Period Today; Rank By Bidirectional Traffic. Traffic Statistics: Bidirectional Traffic Based on Application Category (pie chart of Website Browsing, SSL, P2P, Mail, Soft update, Streaming Media, Remote Login, File Transfer, OA and Other; Soft update 162.9 MB, 7.2%).

Application Category | Outbound Traffic | Inbound Traffic | Bidirectional Traffic
Website Browsing | 51,381 KB | 382,878 KB | 434,259 KB
SSL | 117,783 KB | 263,797 KB | 381,580 KB
P2P | 38,594 KB | 275,409 KB | 314,003 KB
(category illegible) | 11,857 KB | 245,649 KB | 257,506 KB
Mail | 27,241 KB | 194,585 KB | 221,826 KB
Soft update | 17,471 KB | 149,340 KB | 166,811 KB
Streaming Media | 1,858 KB | 67,301 KB | 69,159 KB
Remote Login | 11,166 KB | 51,090 KB | 62,257 KB

Click Trend. The traffic rate trend of the specified IP address on May 30 is displayed.

Figure: IP/User tab; Statistics App Category, Show Top 10. Traffic Statistics: Bidirectional Traffic Based on
146. [Figure: report subscription options. Statistics: Application, App Category, IP/User; App Category: All / Website Browsing; Rank By: Bidirectional Traffic, Access Count, Block Count; Statistics: Category, Domain, IP/User. Report Subscription: Periodic: Daily / Weekly / Monthly; Report Delivery: Save report but not send to me / Send report to the following address; OK / Cancel]
Example. Application scenario: A user needs to subscribe to a report that collects statistics on the total traffic of all intranet users and ranks uplink and downlink traffic. The report collects statistics once every week and is sent from sangfor@sangfor.com to administrator com.
Step 1: Configure an email server on the Settings page before setting up the report subscription. Set Server Address, Username, Password and Sender Address (sangfor@sangfor.com) for the SMTP server corresponding to sangfor@sangfor.com.
[Figure: Settings. Server Address: 211.152.145; Require authentication; Username: sangfor; Password; Sender Address: sangfor@sangfor.com]
Step 2: Click Add and select Traffic on the Subscription page. Leave the other options unselected.
[Figure: Subscription Settings dialog. Enable; Filter: IP/User: All / IP / Group; Statistics Type: Ranking / Trend / Ranking & Trend; Show Top 10; Report Contents: Report Type: Simplified report / Full report; Type: Overall Security, Server Security, Endpoint Security; Threat Level
147. [Figure: traffic rate trend chart. Y axis: Kbps (500, 1,000, 1,500); X axis: 00:00, 12:00, 15:00, 18:00, 21:00; series: Website Browsing; tooltip: App: Website Browsing, Time: 11:25, Speed (Kbps)]
Click Application Category. The traffic composition of the specified IP address is displayed.
[Figure: pie chart "Traffic Statistics (Bidirectional Traffic) Based on Application" with legend: News Portal, Search Engine, IT Related, Government Organiz, Online Video & Dow, Life Information, IT Industry, Online Shopping, Forum, Software Download, Other]
To generate a report, generate a PDF file, export data to an Excel file, or send data as an email, click the corresponding button in the upper right corner. The traffic statistics function is enabled by default, so no related operation is required on the console.
Application Statistics: The Application page enables users to collect statistics on how many times intranet users access an application on the Internet. For example, a user can identify the applications that are accessed by intranet users most frequently.
Application: Specify the following and click Go to retrieve data. Filter: Period, Schedule, IP/User, Application, Action, Others. Statistics: Show Top. Less <<, Go.
Example. Application scenario: A user needs to show the top 10 applications that are accessed by intranet users most frequently from August 12 to 15
148. [Figure: certificate import fields. Public Key File: Text File / PEM / DER, Browse; Private Key File: Text File / PEM / DER / PWK, Browse; Password]
Name: Define a name for the object. Public Key / Private Key: Select the file type for both the public and the private key and click Browse to select the related file. Password: Enter the password for the keys.
Authentication: The Authentication configuration module is used to set authentication methods for LAN users. Users defined on the equipment are LAN users who access the network by using terminals. Users are the basic units for allocating network permissions. An administrator can manage users in a unified manner on the Local Users page and set authentication policies for LAN users on the User Authentication page.
Local Users. Overview: The firewall manages online users of terminals. Therefore, users are the basic units for assigning network permissions. An administrator can manage online users in a unified manner on the Users page.
Principle. 3.7.1.2.1 User Authentication: Traditional network equipment is managed based on IP addresses. However, the NGAF equipment is managed based on users, which increases management convenience and accuracy compared with equipment managed based on IP addresses. To enable user-based management, the system must learn which user is using a certain IP address at a certain time point. Therefore, online users must be authenticated to enable user-based management on net
149. (Table of contents excerpt; entries that could not be recovered from the scan are marked unreadable)
(unreadable entry) ... 425
5.1.4 Bypass/Mirror Interface Configuration ... 427
(number unreadable) Sub-Interface Configuration ... 432
(unreadable) Deployment ... 435
5.2.2 Policy-Based Routing Configuration ... 439
(unreadable entry) ... 439
SANGFOR NGFW 5.6 User Manual xi
(unreadable entry) ... 441
(unreadable entry) ... 444
5.4 DHCP Configuration ... 445
5.4.1 DHCP Server Configuration ... 445
5.4.2 DHCP Relay Configuration ... 447
5.5 Configuration of DoS/DDoS Protection ... 448
5.6 (unreadable) Access (unreadable) ... 452
5.6.1 Configuration of Application Control Policy ... 452
5.6.2 (unreadable entry) ... 455
5.6.3 File Type Filter Configuration ... 457
5.7 (unreadable) Configuration ... 459
5.8 Configuration of Web Application Protection ... 463
5.8.1 (unreadable entry) ... 463
5.8.2 Example 2: (unreadable) ... 468
5.9 Website Anti-defacement Configuration ... 472
(unreadable entry) ... 479
(number unreadable) Hot Standby (unreadable) ... 488
(unreadable entry) ... 488
(unreadable entry) ... 494
Appendix: SANGFOR NGAF Upgrade System ... 497
150. Choose User Authentication > Options > Obtain MAC By SNMP and set the options on the Obtain MAC By SNMP screen. For details, see section 4.6.2.2.4.
Step 2: On the Authentication Policy screen, click Add. The Authentication Policy screen is displayed. Enter the name and description of the policy.
[Figure: Authentication Policy. Name: Martketing; Description: Martketing policy; IP/MAC Range: 192.168.2.1-192.168.2.255]
Step 3: Select None/SSO and Take host name as username under Authentication.
[Figure: Authentication: None/SSO: Take IP as username / Take MAC as username / Take host name as username (if SSO is configured, the detected username is preferred); SSO; Local or external password authentication (the browser is redirected to an authentication page, on which user credentials are required, when the user attempts to access the Internet); Configure External Auth Server; Excluded Users: login names, comma separated]
Step 4: In New User Option, select Added to specified local group and select Marketing. Select Bind IP/MAC and Bind the MAC on initial logon. In this example, as the MAC address is obtained from the switch over SNMP, you need to set the MAC address obtaining option under User Authentication > Options > Obtain MAC By SNMP.
[Figure: New User Option (for users outside the local device): Added to specified local group; Select Group: Marketing; Not appl
151. (Trusted root CA list, continued)
(name cut off)ERVIDORES | Jan 1 23:21:07 1998 GMT | Dec 29 23:21:07 2009 GMT
11 | SecureSign RootCA1 | Sep 15 15:00:01 1999 GMT | Sep 15 14:59:59 2020 GMT
12 | DSTCAE2 | Dec 9 19:17:26 1998 GMT | Dec 9 19:47:26 2018 GMT
13 | FESTE Public Notary Certs | May 13 19:21:28 1999 GMT | Jan 1 19:21:28 2020 GMT
14 | SecureNet CA SGC Root | Aug 20 00:43:29 1999 GMT | Oct 16 07:00:00 2009 GMT
15 | VeriSign Commercial Software Publishers CA | Apr 9 09:35:59 1996 GMT | Dec 31 09:35:58 1999 GMT
On the Trusted CA page, click Upload Trusted Root CA, then select and import a certificate. Only local .crt or .cer certificates can be imported. Certificates are distinguished by their MD5 values: certificates with different MD5 values are identified as different certificates, and the same certificate cannot be imported repeatedly. The name of the certificate subject is generally the CN of the certificate subject as shown in Internet Explorer. If the certificate subject does not have a CN, the last field of the certificate subject is used as the name. The order of the fields of the certificate subject may differ from that shown in Internet Explorer.
Decryption: The Decryption configuration module is used to decrypt data from the Internet to the LAN and from the LAN to the Internet. Navigation: Decryption > Status.
[Figure: Decryption status page. Toolbar: Add, Delete, Move, Refresh, Excluded Address. Columns: Priority, Name, Src Zone, Src IP Group
152. [Figure: topology. ETH1 trunk carrying VLAN 3 (192.168.3.0/24, gateway 192.168.3.1) and VLAN 2 (192.168.2.0/24, gateway 192.168.2.1)]
Step 1: Log in to the NGAF by using the default IP address of the management port ETH0, which is 10.251.251.251/24. Configure an IP address in the same network segment as the default IP address on your PC, and log in to the NGAF at https://10.251.251.251.
Step 2: Choose Network > Interface and click the interface to be configured as an Ethernet interface, such as ETH2. The following dialog box is displayed.
[Figure: Edit Physical Interface. Enable; Name: eth2; Description; Type: Bridge (layer 2); Added To Zone: WAN; Basic Attributes: WAN attribute; IP Assignment: Access / Trunk; Native: 1; VLAN ID Range: 1-1000; VLAN Interface; Advanced: configure link mode, MTU and MAC address]
Set Type to Transparent. Set Added To Zone to the zone to which interface ETH2 belongs, which is WAN in this example; set the zone in advance based on section 3.2.1.4. Set Basic Attributes to WAN attribute if the interface connects to an uplink. Set IP Assignment to Trunk. The Native field (1 by default) and the VLAN ID Range field (1-1000 by default) do not need to be changed. VLAN ID Range can also be set to the VLAN IDs that will pass through the device, so set VLAN ID Range to 2-3. The Advanced option enables users to set the operating mode
153. [Figure: Subscription Settings, continued. Threat Level: High / Medium / Low. Traffic: Rank By: Bidirectional Traffic / Outbound Traffic / Inbound Traffic; Statistics: Application, App Category, Group, IP/User. Application Statistics: Application, App Category, IP/User; Rank By: Bidirectional Traffic, Access Count, Block Count; Statistics: Category, Domain, IP/User. Report Subscription: Periodic: Daily / Weekly / Monthly; Report Delivery: Save report but not send to me / Send report to the following address: administrator@abc.com. Message: "Unable to send email. SMTP server has not been configured" (SMTP Server link). OK / Cancel]
Step 3: Click OK.
[Figure: Subscription list. Toolbar: Add, Delete, Enable, Disable. Columns: Report Name, Number of Reports, Last Generated, Email To, Periodic, Created By, Status, Operation. Row: Report | 0 | | administrator@abc.com | Weekly | admin | enabled | Generate]
System: The System menu enables users to configure settings related to the data center, such as the report generation time (precise to the minute), the number of exported logs, the timeout time, and log deletion.
[Figure: Settings. Server Address: 11.1.1.1; Require authentication; Sender Address: sangfor@sangfor.com. Report Automatic Generation/Deletion: Generation Time: 00:00-06:00; Auto Deletion: delete reports generated 7 days ago; preserve a maximum of 1000 newest reports. Log Lookup/Export: Log Export: Export the lates
154. FOR NGAF device has built-in IPS rules which can be invoked directly to implement server vulnerability protection. The following figure shows the configuration page.
[Figure: IPS page. Toolbar: Add, Delete, Enable, Disable, Move Up, Move Down, Move, Refresh, Advanced Settings, Whitelist. Columns: No., Name, Src Zone, Src IP, Dst Zone, Dst IP, Protection, Status, Delete]
Select Advanced Settings. If Enable Smart IPS is selected, vulnerabilities are identified based on applications; otherwise, they are identified based on port numbers.
[Figure: Advanced Settings. Internet access in high performance; Enable Smart IPS; Applications: HTTPS, SMTP, POP3, IMAP, MSSQL]
Select Whitelist to add exceptions from IPS detection.
[Figure: Add Whitelist]
Click Add. The Add IPS Rule page appears. See the following figure.
[Figure: Add IPS Rule. Enable; Name; Description; Source: Zone, IP Group; Destination: Zone, IP Group; Protection: Server Protection (Selected: Mail Vulnerability), Endpoint Protection (Selected: Web Activex Vulner), Brute Force attack (Selected: FTP, IMAP, Standard); Action: Allow / Deny, IP Lockout, Affiliated Source Lockout; Logging: Log event; Save and Add]
Enable: The IPS rule is enabled when this option button is selected. Name: specifies the name of an IPS rule. Description: specifies the description of an IPS
155. [Figure: Add IPv6 Bidirectional NAT Rule. Enable; Name; Description; Source: Zone (Select internal zone), Subnet (IPv6 address / Prefix); Destination: Zone (Select internal zone), Subnet (IPv6 address / Prefix); Source Translation: Translate Src To (IPv6 address / Prefix); Destination Translation: Translate Dst To (IPv6 address / Prefix); Save and Add; OK; Cancel]
3.8.1.3.1 Bidirectional NAT Configuration Example: A customer has the topology shown in the following figure. There is an internal web server whose IP address is 172.16.1.100. The customer has applied for the domain name www.xxx.com, which points to 1.2.1.1. Currently, destination NAT enables Internet users to access the web server through www.xxx.com. However, the intranet users on 192.168.1.0/24 cannot access the server through the domain name. In this case, bidirectional NAT is required to enable the intranet users to access the web server by domain name.
[Figure: topology. NGFW with ETH1 1.2.1.1/24 (Internet side) and ETH2 10.10.10.1/30; web server www.xxx.com at 172.16.1.100; LAN users on 192.168.1.0/24]
Step 1: Before setting the bidirectional NAT rules, choose Network > Interface/Zone, click the Zone tab, define the home zone of the interface, and then choose Object > IP Gro
156. Group 1 is the network segment 192.168.2.1-192.168.2.10, and that for the authentication policy Marketing is the network segment 192.168.2.1-192.168.2.255. That is, the condition for Marketing covers the condition for Marketing Group 1. In this case, users on the network segment 192.168.2.1-192.168.2.10 are authenticated against the policy Marketing.
[Figure: Authentication Policy list. Enable user authentication; Authentication Zone: LAN. Toolbar: Add, Delete, Move Up, Move Down, Refresh, Import, Example File]
No. | Name | IP/MAC | Authentication | New User Option | Description
1 | Martketing | 192.168.2.1-192.168.2.255 | None, host name as username | Add to group Marketi | Martketing policy
2 | Marketing Group 1 | 192.168.2.1-192.168.2.10 | None, IP as username | Add to group |
3 | sso | 192.168.3.0/255.255.255.0 | None, IP as username | Add to group |
4 | Subnet 1 | 192.168.1.0/255.255.255.0 | None, host name as username | Add to group IT |
5 | Default Policy | 0.0.0.0/255.255.255.255 | None, IP as username | Add to group Default | Default Policy
If you select Marketing Group 1 and click Move Up to move the policy above Marketing, the policy Marketing Group 1 obtains higher priority. In this case, users on the network segment 192.168.2.1-192.168.2.10 are authenticated against the policy Marketing Group 1.
[Figure: Authentication Policy list. Enable user authentication; Authentication Zone: LAN. Toolbar: Add, Delete, Move Up, Move Down, Refresh, Import, Example File. Columns: No., Name
157. Group of the server(s) on which the RT Vulnerability Scan test needs to be performed. Click Re-Scan to re-attempt the related scanning policy. Click Refresh to get the latest scanning result of all policies. Click Excluded Domain/IP/Port/URL to open the page for configuring excluded domains, IP addresses, ports and URLs. See the figure below.
[Figure: Excluded Domain/IP/Port/URL. Enable; one entry per row; domain, IP address, port and URL are supported; Examples; Fuzzy match; text box]
Select Examples to show the supported formats of domain, IP address, port and URL. Refer to the following figure.
Examples:
IP address: 192.168.1.1
IP range: 192.168.1.1-192.168.1.10
Subnet: 192.168.1.0/24 or 192.168.1.0/255.255.255.0
Domain Name: www.test.com (supports the HTTP Host field value only)
Port: 8080 (integer between 1 and 65535)
Port range: 60-89
IP:Port: 192.168.1.1:8080
Domain:Port: www.test.com:8080
URL: index.php and 192.166.1.1:8080/index.php
URL directory: /admin and www.test.com:8080/admin
Click the report button to generate a report in HTML format which contains the scan results of all the policies configured.
Threat Alerts: Threat Alerts is used to display or alert on any new threats around the world. If your network is vulnerable to the new threats, NGAF will alert you to take action in order to protect the network. Navigation: Threat Alerts.
[Figure: Threat Alerts page. Refresh
158. [Figure: Authentication Policy list after moving Marketing Group 1 up]
No. | Name | IP/MAC | Authentication | New User Option | Description
1 | Marketing Group 1 | 192.168.2.1-192.168.2.10 | None, IP as username | Add to group |
2 | Martketing | 192.168.2.1-192.168.2.255 | None, host name as username | Add to group Marketi | Martketing policy
3 | sso | 192.168.3.0/255.255.255.0 | None, IP as username | Add to group |
4 | Subnet 1 | 192.168.1.0/255.255.255.0 | None, host name as username | Add to group IT |
5 | Default Policy | 0.0.0.0/255.255.255.255 | None, IP as username | Add to group Default | Default Policy
3.7.2.1.7 Importing Authentication Policies: If you have to set many authentication policies, you can import them in CSV format. Click Example File to download the format file, as shown in the following figure. Then edit the authentication policies in the file.
[Figure: Authentication Policy list. Enable user authentication; Authentication Zone: LAN. Toolbar: Add, Delete, Move Up, Move Down, Refresh, Import, Example File]
No. | Name | IP/MAC | Authentication | New User Option | Description
1 | Martketing | 192.168.2.1-192.168.2.255 | None, host name as username | Add to group Marketi | Martketing policy
2 | Marketing Group 1 | 192.168.2.1-192.168.2.10 | None, IP as username | Add to group |
3 | sso | 192.168.3.0/255.255.255.0 | None, IP as username | Add to group |
4 | Subnet 1 | 192.168.1.0/255.255.255.0 | None, host name as username | Add to group IT |
5 | Default Policy | 0.0.0.0/255.255.255.255 | None, IP as username | A
159. IPS window is displayed. You can add an IPS rule to protect the server. Click Application Control to enter Content Security > Application Control Policy, where you can add trusted applications visited by users from intranet zones or IP groups. Click the corresponding link to enter Content Security > Anti-virus Policy, where you can configure anti-virus policies for HTTP, FTP, SMTP and POP3 applications visited by users from the source and destination zones and IP groups. Click the corresponding link to enter Content Security > Web Filter, where you can filter and protect user actions that match the policies configured for the source zones and IP groups, so that users are protected from risks brought by add-ins and scripts carried on websites. Click the corresponding link to enter Content Security > Anti-Malware, where you can add a risk isolation policy to prevent botnets and Trojans from accessing the clients.
Bandwidth Management: If you need to guarantee bandwidth for important applications used by intranet users, configure the device as follows.
[Figure: Bandwidth Management wizard. Allocate bandwidth to users or applications. 1. BM Line: (a) Create BM lines to achieve granular control over total bandwidth; (b) Configure BM line policy to add flexibility to traffic control. 2. Bandwidth Channel: (a) Ensure that access to specific business applications is allocated the needed amount of bandwidth]
Click the corresponding link to enter Traffic Management > BM Line Configuration pa
160. [Figure: Interface/Zone page, Zone tab. Tabs: Physical Interface, Sub Interface, VLAN Interface, Aggregate Interface, Zone, Link State Propagation. Toolbar: Add, Delete, Refresh]
Zone Name | Zone Type | Interfaces | Device Mgt Privilege | Allowed Address | Delete
LAN | Route (layer 3) | eth2 | WebUI, snmp | All | In use
WAN | Route (layer 3) | eth1 | WebUI, snmp | All | In use
Step 2: Click Add on the NAT page and choose Destination NAT. The Add Destination NAT Rule page shown in the following figure appears. Select Enable and enter a rule name and description. If you do not select Enable, the rule does not take effect. See the following figure.
[Figure: Enable; Name: Web Server; Description: Publish Web Server]
Step 3: Specify the source zone of the data whose destination IP addresses are to be changed. For example, if internal servers are published on the Internet, Internet users can access the server. In this example, Zone is set to WAN. See the following figure.
[Figure: Source: Zone: WAN]
Step 4: Set IP Address or IP Group in the Destination area to specify the address for destination NAT, that is, the address Internet users access. This IP address is the one accessed by users before destination NAT; usually it is the WAN IP address of an interface of the device. In this example, IP Address is set to 1.2.1.1. See the following figure.
[Figure: Destination: IP: IP Address 1.2.1.1 / IP Group: Select]
Step 5: Set the protocol and destination port number for destination NAT. In this examp
161. It can be customized. Zone: specifies the zone where the maximum number of concurrent connections is limited. For details about how to set IP groups, see section 3.2.1.4. IP Group: specifies the IP group for which the maximum number of concurrent connections is limited in the specified zone. Max Concurrent Connections Per IP: specifies the maximum number of concurrent connections allowed for each IP address.
1.1.1.1 Concurrent Connections Control Configuration Example: A customer has the topology shown in the following figure. The administrator requires that the concurrent connections of the intranet users in the 192.168.1.0/24 network segment be limited to 500 concurrent connections per user.
[Figure: topology. NGFW with ETH1 1.2.1.1/24 (Internet side) and ETH2 10.10.10.1/30 to a core switch; internal users on 192.168.1.0/24; server farm on 172.16.1.0/24]
Step 1: Before setting concurrent connections control, choose Network > Interface/Zone, click the Zone tab, and define the home IP group of the WAN interface. For configuration details, see sections 3.2.1.4 and 3.4.8. In this example, ETH2 is defined as an intranet zone and 192.168.1.0/24 is defined as a LAN IP group. See the following figure.
[Figure: Interfaces page. Tabs: Physical Interface, Sub Interface, VLAN Interface, Aggregate Interface, Link State Propagation. Toolbar: Add, Delete, Refresh. Columns: Zone Name, Zone Type
162. [Figure: web SSO options, continued. Use the default port; Redirect browser to the above server before authentication; User Form Name: name of the form in which the username field is located; Web Authentication page: pwuser; Authentication success keyword: New staff; Authentication failure keyword]
Step 2: Enter the address of the web authentication server in the Web Authentication Server text box.
Step 3: Select Redirect browser to the above server before authentication. When a user who is not yet authenticated accesses any page, the user is redirected to the page for web SSO.
Step 4: In the User Form Name text box, enter the name of the form containing the user names to be submitted to the server during web authentication.
Step 5: Select Authentication success keyword or Authentication failure keyword and enter the keyword indicating whether web server login is successful. For example, if you have selected Authentication success keyword and entered a keyword, and the keyword is contained in the POST response, web SSO is successful. If you have selected Authentication failure keyword and entered a keyword, and the keyword is contained in the POST response, web SSO fails; otherwise it is successful.
Step 6: Set the monitor interface. Click Others, select Enable mirror interface, and select an interface.
[Figure: Authentication Options: SSO Options; Auth Page Redirection. If SSO requires exter
163. MTU and MAC address of the network interface. To modify the settings, click Settings.
[Figure: Advanced. Link Mode: Auto-negotiation; MTU: 1500; MAC: 00:E0:4C:46:FA:6F; Restore Default MAC]
Step 3: Configure an intranet interface. Select an idle network interface and click the interface name to open the Edit Physical Interface dialog box. Set Type to Transparent, unselect WAN attribute, and set IP Assignment to Trunk.
[Figure: Edit Physical Interface. Enable; Name: eth1; Description; Type: Bridge (layer 2); Added To Zone: LAN; Basic Attributes: WAN attribute (unselected); IP Assignment: Access / Trunk; Native; VLAN ID Range: 1-1000; VLAN Interface; Advanced: configure link mode, MTU and MAC address; OK / Cancel]
Step 4: Configure the VLAN2 and VLAN3 interfaces in the Add VLAN Interface dialog box.
[Figure: Add VLAN Interface. Added To Zone; Basic Attributes: Pingable; IP Assignment: Static / DHCP; Static IP; Next Hop IP; Link State Detection: a feature that achieves automatic link failover when one of the lines goes down; Advanced: specify the Maximum Transmission Unit (MTU)]
[Figure: Add VLAN Interface. Name; Description; Added To Zone: Select zone; Basic Attributes: Pingable; IP Assignment: Static / DHCP; Static IP; Link State Detec
164. [Figure: Select User/Group dialog. Columns: Name, Type. Entries: Admin (Default group), Management, Marketing, Normal Users, Admin Group, Management Group, Marketing Group, Normal Users Group, sangfor (User). Page 1 of 1. OK / Cancel]
Schedule defines the effective time of the channel. Dst IP Group defines the destination IP address groups of the channel. Sub Interface is used to set the sub-interface of the channel. VLAN defines the applicable VLAN of the channel. The complete configuration is shown in the following figure.
[Figure: Add Bandwidth Channel. Enable channel; Name: Finance Bandwidth Channel; Application: All / Specified; Applicable Objects: IP Group: All; User: Marketing; Schedule: All week; Dst IP Group: All; Sub Interface: All; VLAN; OK / Cancel]
After the configuration is complete, click OK.
Step 4: The configured channel is listed under Bandwidth Channel. The traffic guarantee channel is configured.
[Figure: Bandwidth Channel list. Enable Bandwidth Management System; Bandwidth Channel; Default channel: IP group All, All, All]
1. The total guaranteed bandwidth percentage of all channels may exceed 100%. If so, the minimum bandwidth percentage of each channel is reduced in proportion. For example, if two channels are configured with o
165. Metric: default number of hops of an introduced route. If no metric value is specified when a route is introduced, the default metric value takes effect; that is, the number of hops of this introduced route is 10. The default value is 10. Click OK to save and apply the settings.
3.2.2.3.4 Status: The Status page allows you to view OSPF links, OSPF routes, OSPF adjacencies and OSPF interfaces.
3.2.2.3.4.1 OSPF Links: The OSPF Links tab page is shown below.
[Figure: Status. Tabs: OSPF Links, OSPF Routes, OSPF Adjacency, OSPF Interfaces. Columns: No., Type, ID, Adv Router, Seq, Age, Opt, Cksum, Len]
Type: LSA type. ID: ID of the router to which the LSA belongs; an asterisk indicates an LSA generated by the router itself. Adv Router: router that advertises the LSA. Seq: sequence number of the LSA. Age: time since the LSA was received; the LSA is aged out after the expiration time elapses. Opt: option information carried in Hello packets; a router can reject messages sent from a neighbor that shares the same option field with this router. Cksum: checksum of the LSA. Len: length of the LSA.
3.2.2.3.4.2 OSPF Routes: The OSPF Routes tab page displays OSPF routes. See the figure below.
[Figure: tabs OSPF Links, OSPF Routes, OSPF Adjacency, OSPF Interfaces. Route Details: No data available]
3.2.2.3.4.3 OSPF Adjacency: The OSPF Adjacency tab page is shown below.
[Figure: tabs OSPF Links, OSPF Routes, OSPF A
166. [Figure: Sangfor Firmware Updater. Current Device: Version AF4.5.117 EN Build20130719; IP Address: 10.251.251.251; Update Method]
Current Device specifies the version information and IP address of the connected NGAF. Update Method is used to upgrade the connected SANGFOR NGAF. The options include Online update and Load package from Disk.
Online upgrade: Click Online Update > Select. The SANGFOR NGAF upgrade system lists the versions that the NGAF can be upgraded to. Select a version and click OK. The system downloads an upgrade package from a server automatically and starts the upgrade.
Note: When the SANGFOR NGAF upgrade system is used for online upgrade, the NGAF must be connected to the Internet normally. Some versions of the NGAF do not support online upgrade. For details, contact the SANGFOR customer service center.
Load Package from Disk: Click Load Package from Disk > Browse, select an upgrade package that has been downloaded to a local disk, and click Next. Basic information about the selected upgrade package is displayed. Confirm the information and click
[Figure: Sangfor Firmware Updater. Device: Version AF4.5.117 EN Build20130719; IP Address: 10.251.251.251; Update Method: Online update (Select) / Load package from Disk: D:\My Document\NGFW AF4.5 201307159.ssu. To Version: AF4.5.117 Build 20130719. Update with this package requires the device to restart. Softw
167. [Figure: DHCP Relay tab (tabs: SNMP, DHCP Server, DHCP Relay). Enable DHCP relay; Apply Relay to Selected Interfaces: Available / Selected; DHCP Server: 127.0.0.1; OK]
For details about the configuration of the DHCP relay, see section 5.4.2.
SNMP: SNMP allows other network management devices or software to manage and view information about SANGFOR equipment through SNMP. The information includes interface status, traffic and routes. This facilitates centralized management, maintenance and monitoring of the network. In the navigation area, choose Network > Advanced Network Settings and open the SNMP tab page.
[Figure: Advanced Network Settings, SNMP tab. Enable SNMP; Download MIB; SNMP Hosts (Add, Delete, Refresh; columns: Name, IP Address, Community); SNMP V3]
Select Enable SNMP. Then other devices and management software can access information about SANGFOR equipment through SNMP. In the SNMP Hosts pane, you can set the other devices that connect to the NGAF equipment through SNMPv2, as well as the connection parameters. Click Add to add a management host. See the figure below.
[Figure: SNMP Hosts. Name; Address Type: IP address; IP Address; Community; OK / Cancel]
Name: name of the management host. Address Type: type of the management host. It can be set to IP address or Subnet. If it is set to IP address, the SNMP manager is a single host. If it is set to Subnet, the SNMP manag
168. [Figure: Advanced Settings, continued. P 1719; H.225 TCP 1720; Gratuitous ARP: ARP Broadcast Interval 5 seconds; Send TCP Reset message to reject request; Abnormal packet detection; Send TCP Reset message in mirror mode to reject request; Cloud-based Security Engine; base64]
The parameters TCP Conn Timeout, UDP Conn Timeout and ICMP Timeout define the timeout periods of TCP, UDP and ICMP connections. If no new data packets are sent over the connection within the period, the connection times out and is dismissed. The parameters SSH Port, FTP Port, RTSP Port, SIP Port, SQLNET Port, TFTP Port, PPTP Port and H.323 Port define the ports used by the respective protocols. If the NGAF functions as an application-layer proxy for these protocols and the ports are not the default ones, the port information must be modified accordingly. Free ARP defines whether to enable gratuitous ARP broadcasting and the interval for sending gratuitous ARP broadcast messages; you are recommended to enable Free ARP. The option Send TCP Reset message to reject request enables the NGAF to send a Reset message to tear down a connection after the NGAF blocks that connection based on the configured policies. The option Abnormal packet detection enables the NGAF to discard abnormal TCP packets. Do not enable this function in asymmetric routing environments that do not require TCP state; otherwise normal TCP packets may be discarded. The option Send TC
169. P Group defines the destination IP address groups of the channel. Sub Interface is used to set the sub-interface of the channel. VLAN defines the applicable VLAN of the channel. The complete configuration is shown in the following figure.
[Figure: Add Bandwidth Channel. Enable channel; Name: P2P limit; Bandwidth Channel; Applicable Objects: Application: all; IP Group: All; User: Marketing; Schedule: All week; Dst IP Group: All; Sub Interface: All; VLAN; OK / Cancel]
After the configuration is complete, click OK.
Step 4: The configured channel is listed under Bandwidth Channel. The traffic restriction channel is configured.
[Figure: Bandwidth Channel list. Enable Bandwidth Management System. Tabs: Bandwidth Channel, Exclusion Rule. Toolbar: Add, Delete, Move, Refresh, Filter]
Name | IP/User | Application | Dst IP Group | Schedule | Target | Min Bandwidth | Max Bandwidth | Per User Max Bandwidth | Priority | Status
P2P limit | User group Marketing | P2P, Stream M | All | All week | Line 1 | None / None | 14 Mb/s / 4 Mb/s | 1120 Kb/s / 120 Kb/s | Low | enabled
Marketing | IP group All | All | All | All week | Line 1 | 1 Mb/s / 11 Mb/s | 1 Mb/s / 1 Mb/s | No limit / No limit | High | enabled
Default channel | IP group All | All | All | All week | All | None / None | 5 Mb/s / 5 Mb/s | No limit / No limit | High | enabled
Exclusion Rule: The exclusion rule is used to define the data types that are not applicable to any traffic management channel
170. P Reset message in mirror mode to reject request enables the NGAF to send TCP RST messages to reject requests in mirror mode. The option Cloud-based Security Engine allows the NGAF to report suspicious data packets to the cloud-based security engine. The option base64 makes the Web application protection mechanism also apply its security checks to base64-encoded data packets. Console Configuration: On the Web UI tab page of the console configuration you can set the Web UI options and the login security options. In the Web UI area you can set the device name, default code, Web UI port and idle timeout of the NGAF; see the following figure. (Figure: General > Web UI Options with Language English, Device Name SANGFOR NGAF, Port, Idle Timeout (min) 10, and Login Security with Max Concurrent Sessions, Per User Max Logons and Max Login Attempts.) Device Name: the displayed name of the NGAF. Default Code: the character code used to interpret otherwise unidentifiable data monitored by the NGAF; by default the value is GBK. Port: the number of the port on which the login console listens; the default port is TCP 443. Idle Timeout: the timeout period of the console; if the administrator performs no operation within the specified period, the system disconnects the session. Max Concurrent Sessions: the maximum number of users allowed to be logged in to the NGAF console at the same time. Per User Max Logons: the maximum number of IP addresses allowed to access the NGAF console using the same admin
171. PS window is displayed, where you can add an IPS rule to protect the server. Click Web Application Protection to go to Server Protection > Web Application Protection and enable a protection mode for the server. Click Anti-DoS/DDoS to go to Firewall > Anti-DoS/DDoS and configure intranet and server protection against Internet risks, or configure intranet DoS protection to prevent risks originating inside the intranet. Click Connection Control to go to Firewall > Connection Control, where you can control the connections of users from certain zones or IP groups to prevent malicious consumption of server resources. Click Website Anti-Defacement to go to Server Protection > Website Anti-Defacement and configure the anti-defacement function for websites. Internet Access Protection: To give intranet users secure access to the Internet, configure the device as follows. (Figure: Internet Access Protection, prevent users from being infected with viruses or browsing illegitimate websites: 1 IPS, protect inside users from being attacked; 2 Application Control, restrain use of applications; 3 Anti-virus, keep users away from viruses when surfing the Internet; 4 Web Filter, protect Internet users against malicious websites, scripts or plugins; 5 Anti-Malware, prevent communication between the external network and internal machines infected with viruses, Trojans or malware.) Click and an
172. (Table of contents fragment from the SANGFOR NGFW 5.6 User Manual, page vii; most entries are illegible. Legible entries: 3.7.2.4 Deleting an External Authentication Server, 243; Concurrent Connections Control, 261; 3.8.2.1 Concurrent Connections Control Configuration Example, 261; DoS/DDoS Protection, 263; Internet Protection, 263; Intranet Protection, 269; ARP Spoofing Protection; Access Control, 271; Anti-Virus, 273; Web Filter, 279; Web Application Protection.)
173. SP or ASPX pages. HTTP Exception Detection, Method Filter: specifies the allowed HTTP methods. Click Settings; the page shown in the following figure appears. Select the allowed HTTP methods; any HTTP method that is not selected is treated as an HTTP exception. (Figure: Allowed HTTP Request Method list with No, Method and Description columns: 1 GET, display or request the specified resource; 2 POST, submit data, forms or files to the specified resource; 3 HEAD, send a request to the server for the headers of the specified resource; 4 OPTIONS, make the server send back all the HTTP methods it supports; 5 PUT, upload the latest information to the specified resource; 6 DELETE, request the server to delete the resource; 7 TRACE, display the requests received by the server; 8 TRACK, for debugging the HTTP methods of the web server; 9 SEARCH, for searching resources; 10 CONNECT, reserved by HTTP/1.1 for proxy servers; 11 PATCH, for partially modifying a resource; 12 DEBUG, for debugging or diagnosing the web server; 13 PROPPATCH, set the attributes of a resource; 14 PROPFIND, retrieve the attributes of resources; 15 COPY, request the server to duplicate the specified resource; OK and Cancel.) Website Scan Prevention: prevents website scans; see the following figure. (Figure: Website Scan Prevention with Enable website scan prevention, Blacklist Period 60 and Attempt Count
174. (Figure, continued: Defense against SYN flooding attack with Per Dst IP Packet Threshold 5000 packets/sec, Per Dst IP Packet Loss Threshold 10000 packets/sec and Per Src IP Packet Loss Threshold 10000 packets/sec; Defense against DNS flooding attack with Per Dst IP Packet Threshold 10000 packets/sec.) Dst IP: specifies the destination server or server group to be protected. DoS/DDoS protection applies only to data transferred from the Internet to the destination IP address or IP group, based on the following thresholds. Defense against ICMP flooding attack: ICMP flooding attack protection is enabled when this option is selected. Set Per Dst IP Packet Threshold to the upper limit on ICMP packets per second from the specified source zone to one IP address; if the limit is exceeded, the traffic is regarded as an attack, and if Deny is selected as the action to take under attack, the excess ICMP packets are discarded once an attack is detected. Defense against UDP flooding attack: UDP flooding attack protection is enabled when this option is selected. Set Per Dst IP Packet Threshold to the upper limit on UDP packets per second from the specified source zone to one IP address; if the limit is exceeded, the traffic is regarded as an attack, and if Deny is selected as the action to take under attack, the excess UDP packets are discarded once an attack is detected. Defense against SYN flooding attack: SYN flooding attack protectio
175. (Figure: Decryption list with columns Name, Source Zone, IP Group, Service, Server, Website, Server Certificate and Status: 1 facebook, OFFICE, All, Decrypt data to the Internet from the LAN, website facebook; 2 mail, WAN, All, Decrypt data to LAN server from the Internet, server 192.200.19.231:443, certificate exchange; 3 google, DMZ, 192.200.19.198, Decrypt data to the Internet from the LAN, All websites.) Decryption > Decryption, Server Certificate. Decryption: this function decrypts SSL data from the Internet to the LAN, so that the NGAF WAF can detect attacks after decryption, and decrypts SSL data from the LAN to the Internet, so that the NGAF can audit and control HTTPS actions after decryption, for example allowing users to view Facebook but not to post status updates. Click Add to insert a new decryption configuration. (Figure: Decryption add dialog with Enable, Name, Source Zone, IP Group, Service (Decrypt data to LAN server from the Internet or Decrypt data to the Internet from the LAN), a Server IP/Port list and Server Certificate Default, with OK and Cancel.) Name: the name of the new decryption configuration. Source Zone: the source zone whose traffic is to be decrypted. IP Group: the IP group whose traffic is to be decrypted. Service: decrypt data to the LAN server from the Internet, or to the Internet from the LAN. Server IP/Port: add the server IP address and the port it uses. Server Certificate: Ser
176. Specified 443, OK, Cancel.) Egress Interface/Next Hop: specifies the interface or next hop that forwards matching data packets. Click OK; the new PBR is displayed on the Policy Based Routing page. (Figure: Policy Based Routing list showing the Online Banking route with Source Zone LAN, Src IP Group All, Dst IP Group All, Protocol TCP to port 443, Application All, Interface eth3 with Next Hop 172.16.1.2, Schedule All week and Status enabled.) Example 2, configuration example: two Ethernet lines are connected to the Internet, a 2 Mbit/s and a 10 Mbit/s line of China Telecom. The line with the lightest traffic must be selected automatically when intranet users access the public network. Choose Network > Routing > Policy Based Routing from the navigation menu and click Add; the Add Link Load Balancing Route dialog box appears. (Figure: Add Link Load Balancing Route dialog with Name, Description, Schedule All week, Source Zone LAN, IP Group All, Destination IP Group All, Protocol/Port, Application, an Interface list with two interfaces marked Not detected yet, and Load Balancing Method Round Robin.) Name and Description: specify the name and description of th
177. Step 1: Set the statistic criteria. (Figure: Application statistics filter with Period Specified 2013-08-12 to 2013-08-15, Schedule All week, IP/User All, User Group All, Application All, Action All, Statistics by App Category, Application or IP User, Show Top 10, a Go button and Open in new tab.) Specify the following and click Go to retrieve the data. Step 2: Click Go; the relevant data is generated. (Figure: traffic statistics for the specified period ranked by bidirectional traffic, with a pie chart of bidirectional traffic by application category in which P2P is the largest at 6,176.43 MB, 34.2%, and a table with Outbound Traffic, Inbound Traffic and Bidirectional Traffic columns for P2P, Website Browsing, SSL, Download Tools, Mail, Soft update, FTP and other categories.) The data shows that DNS applications ha
178. Step 2: Click Start. The computers on the network segment 192.200.17.1 to 192.200.17.254 are displayed; only live computers are identified. Username displays the computer names. (Figure: Preview Scanning Result with Username, IP Address and MAC Address columns, listing hosts such as ERIC PC, DELL, LIM, SUPPORT SERVER, KT PC, ANDY, RICHARD PC, TONY LAPTOP, USER PC, SANGFOR PC, VIRUS PC and CARMENPC with IP addresses from 192.200.17.11 to 192.200.17.232 and their MAC addresses.) Step 3: Click Import to import the users into the equipment. In the Import Scanning Result dialog box, select Create group if no such group on local device; if the target group for the imported users does not exist, the equipment then creates it automatically during the import. If Create group if no such group on local device is deselected, the equipment does not create a group during the import and the users are imported into the root group instead. Select Proceed and overwrite ex
179. Sync by OU and Auto Sync to Enable every day, so that synchronization is performed automatically once a day. (Figure: Add User Sync Policy with Policy Name Sync policy 1, Sync Mode Sync by OU and Auto Sync Enable every day.) Step 4: In Synchronization Source, set the OU information of the LDAP server that is to be synchronized. (Figure: Add User Sync Policy with Policy Name Sync Policy 1, Description Sync RD, Sync Mode Sync by OU, Auto Sync Enable every day, Synchronization Source LDAP Server AD1, Sync with Remote Directory OU=RD,DC=sangfor,DC=com, the options Add user structure based on top-level OU, bottom-level OU or sub-OU of selected remote directory beneath specified local group, OU Depth 16 and Filter, with OK and Cancel.) Set the LDAP server to be synchronized in LDAP Server; in this step, set it to the server configured in step 1. In Sync with Remote Directory, specify the OUs in the LDAP server to be synchronized, then click OK. In the Select Group window, select OU FAE, OU RD and OU sales, and click OK. (Figure: Select Group tree under DC=sangfor,DC=com with entries such as OU=1GB,DC=sangfor,DC=com and OU=2GB,DC=san
180. TP server address. (Figure: system log entries: 15, VPN Service, Warning, 15:26:22, SangforIKE: There is no such user SH in HQ VPN's user database; 16, VPN Service, 15:26:22, SangforIKE: Build primary tunnel, Connect to peer IP 192.200.17.252 Port 4009; 17, VPN Service, Warning, 15:25:42, SangforIKE: There is no such user SH in HQ VPN's user database.) Click Options; the Filter dialog box is displayed. Select the log types you want to check, as shown in the following figure. (Figure: Filter dialog with the log levels Info, Warning, Error and Debug, and Select programs to view the related logs: VPN Service, LineDetect, Access Log, System, Traffic Statistics, Anti-Virus DB Update, Outside DoS Defense and Web Authentication.) After OK is clicked, logs of the selected types are displayed. Select a date from the Date drop-down list to query the system logs of that date. System fault logs of the latest 7 days are kept on a rolling basis. Web Console: the Web Console provides simple console commands for querying basic information, including vlan, arp, mii-tool, ifconfig, ping, telnet, ethtool, route and traceroute. The detailed function of each command is shown in the following figure. Enter a command and press Enter in the Web Console to execute it. (Figure: Web Console Commands list.) Packet Drop Bypass: Packet Drop Bypass queries which modul
181. That is, it is used to restrict the user to certain services; by default it is not selected. Before clicking LAN Service, choose VPN > Advanced > LAN Service and add the required services. The Advanced button is used to set the advanced attributes of the user once the user is connected to the VPN. The advanced attributes include the routing policy, the multicast service, tunnel parameters and tunnel NAT. The routing policy selects different routes for different access users. The multicast service meets the requirements of applications between the headquarters and branches that need multicast support. Intra-tunnel traffic control prevents the VPN traffic of a connected user from becoming too heavy. Intra-tunnel NAT resolves the address conflicts that arise when two branches with the same internal network segment access the headquarters. The advanced setting page for mobile users is shown below. (Figure: tabs Multiline Policy, Multicast Service, Tunnel Parameter and Tips, with Multiline Policy set to Default policy.) The advanced setting page for branch users is shown below. (Figure: tabs Multiline Policy, Multicast Service, Tunnel Parameter and Tips, with Multiline Policy set to Default policy.) For details about setting the routing policy, see section 3.3.9. For details about setting the multicast service, see section 3.3.14.2. The page is shown in the figure below. Multili
182. Therefore these rules cannot be disabled on the equipment. After rules are disabled here, the corresponding applications are not blocked; for details about the rules for blocking applications, see the access control section. If QQ is disabled, the equipment cannot identify QQ. Generally the rules are kept enabled, and they may be needed in troubleshooting. Intelligent Ident DB: the intelligent identification database is used to identify the application types of network access data. Unlike the application identification database, the intelligent identification database can identify encrypted data, for example unencrypted or encrypted data of P2P applications, Skype, SSL and SANGFOR VPN, and the data of proxy tools such as Freegate and Ultrasurf. See the figure below. (Figure: Objects > Intelligent Ident DB list with columns No, Application, Category, Included Rules, Status and Operation: 1 P2P Behavior, P2P, 1 rule, All enabled; 2 Skype, IM, 1, All enabled; 3 SSL, SSL, 1, All enabled; 4 SANGFOR VPN, SANGFOR VPN, 1, All enabled; 5 Ultrasurf and Freegate, ProxyTool, 1, All enabled; 6 Video/Voice, IM, 1, All enabled; each row with a Settings link.) Enabling/Disabling Intelligent Identification Rules: in the navigation area, choose Objects > Intelligent Ident DB. The Intelligent Ident Database
183. _TEST (Figure, continued: policy row with Source All, Dst All, Schedule All week, Action Deny or Allow, Log Yes, Hit Count 0, Status enabled, Clone and Del links.) An IPS rule and a web application protection rule are added automatically. The scanning result shows that the server has security vulnerabilities and that web application risks exist; an IPS rule and a web application rule can be created intelligently from the scanning result. For example, select the third item in the scanning result and click Avoid Risk to configure web application and vulnerability risk protection. (Figure: scanning result page with Avoid Risk, Export as PDF, an Associated Policies filter and an IP address or port search box; columns Server, Port, Application, Protocol, Accessible Zone, Accessible IP, Threat Level and Risk: 192.200.17.202 port 69 tftp UDP, WAN, 0.0.0.0-255.255.255.255, High, Open port risk; 192.200.17.202 port 21 ftp TCP, WAN, High, Weak password risk, Open port risk; 192.200.17.200 port 1433 mssql TCP, WAN, High, Open port risk; 192.200.17.22 http TCP, WAN, Medium, Web vulnerability, Open port risk; 192.200.17.203 http TCP, WAN, Medium, Web vulnerability, Open port risk; 192.200.17.210 http TCP, WAN, Medium, Web vulnerability, Open port risk; 192.200.17.202 http TCP, WAN, Mediu
184. abase > Malware Signature Database, Yes/No. Website Browsing: the Website Browsing page lets users view details of the website browsing behavior of intranet users, for example the URLs accessed by an intranet IP address on a given day. The following figure shows the Website Browsing page. Example application scenario: a user needs to find all websites accessed by the source IP address 200.200.2.51 on May 30. Step 1: Set the search criteria. (Figure: Website Browsing, specify the following and click Go to retrieve data: From 2013-08-15 00:00, To 2013-08-15 23:59, Source Zone All, Src IP/User All, IP/User Group, URL Category All, Domain, Action Allow and Deny, Go, Open in new tab.) Step 2: Click Go; data that meets the search criteria is generated. (Figure: Website Browsing results with Filter and Export Logs, filter Period 2014-04-25 00:00 to 2014-04-25 23:59, Src zone All, Src IP/user All, Action Allow and Deny, URL category All, Domain, and a numbered list of entries with Time values such as 2014-04-25 12:59:27 and 2014-04-25 12:59:25
185. (Figure, continued: able, Move Up, Move Down, Move, Import, Source Zone and Dst Zone filters; columns No, Name, Source Zone, Source IP/User, Dst Zone, Dst IP, Service, Application, Schedule, Action, Log, Hit Count, Status, Clone and Del; row 1 Restrict game and streaming media: Source Zone LAN, Dst Zone WAN, Application Streaming Media All, Game All and P2P Stream Media All, Schedule All week, Action Deny, Log No, Status enabled.) The default policy Deny all cannot be deleted, because the firewall blocks all data by default; a policy admitting data must be created. An IP address group must be configured in advance, or the IP address group can be set to a user group of the organization. URL Filter Configuration: the following figure shows a network topology. Users on the intranet must be prevented from visiting illegal, pornographic and reactionary websites. Step 1: Choose Network > Interface and define the zones of the interfaces before configuring a policy. Choose Objects > IP Group and define the IP address group of intranet users; for details, see section 3.4.8. Set ETH2 to LAN, ETH1 to WAN, and 192.168.1.0/24 to LAN IP Range. (Figure: IP Group list with 1 All, All IP addresses, In use, and 2 LAN IP Range, In use; Interfaces > Zone list with LAN, Route (layer 3), eth2, WebUI and snmp, Allowed Address All, and WAN, Route (layer 3), eth1, WebUI and snmp, Al
186. access for the intranet is provided through a router interface, set the zone to the Internet zone and the IP group to all IP groups. In this example, Zone is set to WAN and IP Group to All; see the following figure. (Figure: Destination with Zone WAN, an Interface selection and IP Group All.) Step 5: Set the protocol. Once you specify a protocol for source NAT, source NAT is applied only to data transferred through the destination and source interfaces using that protocol. Click OK. In this example the default values are retained. (Figure: Protocol and Port with Type All, Protocol All, Src Port All or Specified Port, Dst Port All or Specified Port, OK and Cancel.) Step 6: Set the parameters in the Source NAT area to specify the IP address to which the source IP address is changed when the source address, destination address and protocol of the data meet the conditions. You can select Egress interface, IP Range, IP Address or Unchanged; in this case Egress interface is selected. (Figure: Source NAT To with the options Egress interface, IP Range, IP Address, IP Group and Unchanged, and Save, Save and Add Another and Cancel buttons.) Click Save to complete the source NAT rule configuration; see the following figure. (Figure: NAT > NAT and DNS Mapping list with Add, Delete, Move, Import, Export and Refresh, Type filter All, and column groups Original Data Packet and Translated Data Packet; N
187. ace ETH2 can be defined as an Ethernet zone and ETH1 as an intranet zone. 3.7.2.1.3 Adding an Authentication Policy. 3.7.2.1.3.1 Configuration Example 1: Set up a third-party password authentication policy based on an LDAP server for the network segment 192.168.1.0/255.255.255.0 of the IT department. New users are added automatically to the IT group, with user names and IP addresses bound bidirectionally, that is, each user name must be in one-to-one correspondence with an IP address. Other network segments on the intranet do not require authentication; the IP address is taken as the user name, and new users are added automatically to the Default group. In this example the LDAP server is taken as the external server; the steps for setting up external authentication with other types of external servers are similar. Step 1: Set up the LDAP external authentication server under External Auth Server; for details, see section 4.6.2.3. Step 2: Choose User Authentication > Policy and click Add; the Authentication Policy screen appears. Specify the policy name in Policy Name (mandatory). In Description, enter a description of the policy (optional). In IP/MAC Range, enter the IP addresses, IP address range or MAC addresses; if a user to be authenticated does not match the range specified here, the NGAF checks the IP or MAC address of the data packet and applies the authentication policy accordingly. In this example, set IP/MAC Range to 192.1
188. (Figure, continued: aces LAN, Route (layer 3), eth2, and WAN, Route (layer 3), eth1, with columns Aggregate Interface, Zone, Link State Propagation, Device Mgt Privilege (WebUI, snmp), Allowed Address All, In use and Delete.) Step 2: Choose Access Control > Application Control Policy and click Add; the Add Application Control Policy dialog box is displayed. Set Name, and in the Source area set Zone to LAN and IP Group to LAN IP Range. (Figure: Enable checked, Name Restrict game and streaming media, Description, Source IP/User with IP Group LAN IP Range, User Group Select, and Zone LAN.) Step 3: In the Destination area, set Zone to WAN and IP Group to All, because the destination IP addresses used when intranet users watch online videos and play games are unknown. (Figure: Destination with IP Group All and Zone WAN.) Step 4: In the Service/Application area, set Application to Streaming Media All, Game All and P2P; online videos and games cannot be blocked by port. Set Schedule to Working Hour and Action to Deny. (Figure: Service/Application with Service Select, Application Streaming Media All, Game All and P2P, Schedule All week, Action Allow or Deny, Logging Log event, Persistent Connection Enable.) Step 5: Click OK; the new policy is displayed on the Application Control Policy page. (Figure: Application Control Policy list with Add, Delete, Enable, Dis
189. ackets are matched to one traffic control policy. The NGAF checks traffic control policies from top to bottom, one by one; therefore traffic channels with more specific conditions must be placed at the top. Channel Configuration, Traffic Guarantee Channel: to provide important applications with assured bandwidth when the network is busy, you can set a minimum bandwidth for specific types of data packets. 3.12.7.1.1 Configuring a Traffic Guarantee Channel, Example: assume that a company has rented a 10 Mb/s telecom data line, has 1000 users accessing the Internet, and needs to ensure that the financial department gets between 2 Mb/s and 5 Mb/s of bandwidth for visiting online banks and sending and receiving email when the network is busy. Step 1: Choose Traffic Management > Bandwidth Channel and select Enable Bandwidth Management System. (Figure: Bandwidth Channel tab with Enable Bandwidth Management System checked, an Exclusion Rule tab, and a channel list showing only the Default channel: IP group All, Application All, Dst IP Group All, Schedule All week, Target All, Min Bandwidth None, Max Bandwidth 5 Mb/s, Per User Max Bandwidth No limit, Priority High.) Step 2: Choose Traffic Management > BM Line and set the BM line list and policy; for details, see section 3.12.4. Step 3: Configure the traffic guarantee channel. In this example
190. address/MAC address also fails. (Figure: Authentication failed, Username test, IP address 192.200.17.10, Authentication failed possibly because the IP or MAC address is outside the permitted range.) Choose User Authentication > Authentication Policy. In the Authentication Policy dialog box, if users with certain IP addresses do not need to be authenticated, they can access the network without typing a user name or password; in this case the equipment identifies the users by IP address, MAC address and computer name. The general settings are as follows. 1: When you create a user, bind the user to an IP address and a MAC address bidirectionally. The IP address/MAC address is then in a one-to-one mapping with the user, so the equipment can identify the user from the IP address and MAC address. 2: Choose User Authentication > Authentication Policy. In the dialog box, deselect Enable user authentication and use the IP address, MAC address or computer name as the user name. When a LAN user is authenticated, the LAN user is matched to the corresponding user name by IP address, MAC address or computer name. 3.7.1.3.2.4 Configuration Example: Adding a User 3. A user named Manager needs to be added to the Engineer group. The user does not need to be authenticated and is bound bidirectionally to the IP address/MAC address of the manager's computer. Therefore
191. administrator (Figure: Windows Server desktop with Manage Your Server, Log off, Shut down and Active Directory Users and Computers.) 2: Click Manage users and computers in Active Directory; see the following figure. (Figure: the Manage Your Server page of server SUPPORT SERVER, listing the configured roles: Terminal Server, with Open Terminal Services Configuration and Open Terminal Services Manager and a note that Terminal Services License Server has been found on the network and that the use of Internet Explorer is restricted for all user groups through Internet Explorer Enhanced Security Configuration; Domain Controller (Active Directory), whose domain controllers use Active Directory to manage network resources such as users, computers and applications, with Manage users and computers in Active Directory, Manage domains and trusts and Manage sites and services; and DNS Server, whose DNS servers translate domain and computer DNS names to IP addresses; plus the Add shared folders, Tools and Updates, Help and Support, Microsoft TechNet, Deployment and Resource Kits, List of Common Administrative Tasks and Windows Server Communities links.)
192. ake the new user authentication policy test as an example. Step 1: Select the policy test. (Figure: Authentication Policy page with Enable user authentication, Authentication Zone LAN, and the policy list with Name, IP/MAC, Authentication, New User Option and Description columns: 1 test, 192.168.4.0/255.255.255.0, None (IP as username), Add to group; 2 SSO, 192.168.3.0/255.255.255.0, None (IP as username), Add to group; 3 Martketing Subnet 1, 192.168.2.1-192.168.2.255, None (host name as username), Add to group Marketing, Martketing policy; 4, 192.168.1.0/255.255.255.0, Password-based authentication, Add to group IT; 5 Default Policy, 0.0.0.0/255.255.255.255, None (IP as username), Add to group Default, Default Policy.) Step 2: Click Delete and confirm the deletion. The policy is deleted successfully (Info: Operation succeeded. Delete the policy test successfully). 3.7.2.1.5 Editing Authentication Policies in Batches: you can edit the attributes of multiple authentication policies in a batch, except for their names and descriptions. In this example, change the authentication mode to no authentication for users in the Marketing group on network segment 1, and change the new user option to taking the host name as the user na
193. al of the POP3 server. Deleting an External Authentication Server: Step 1: Choose User and Policy Management on the navigation page, then User Authentication > External Auth Server. On the External Auth Server page, select the server to be deleted. (Figure: External Auth Server list with Add, Delete, Enable, Disable and Refresh; row 1 AD1, LDAP, Authentication Server 192.200.17.31, Port 389, Status enabled.) Step 2: Click Delete. 3.7.2.4.1 Enabling/Disabling an External Authentication Server: Step 1: Choose User and Policy Management on the navigation page, then User Authentication > External Auth Server. On the External Auth Server page, select the server to be enabled or disabled. (Figure: the same External Auth Server list with row 1 AD1, LDAP, 192.200.17.31, port 389.) Step 2: Click Enable or Disable. Firewall: the firewall module is used to set NAT, concurrent connection control rules, DoS/DDoS protection and ARP protection. NAT includes source NAT, destination NAT and bidirectional NAT. Through source NAT configuration you can set rules that let intranet users access the Internet, and set SNAT rules for other types of source address translation. Through destination NAT configuration you can publish intranet servers on public networks and set DNAT rules
194. ally login MySQL server fail maybe try to bru
[Figure: brute-force IPS rule list with entries for repeated failed logins to MySQL, NTLM authentication, Oracle, POP3 via APOP and POP3 via TLS.]
Action area: It specifies whether packets are denied when IPS attacks on protected objects are detected, and whether the action is recorded in the embedded data center.
Action: If Allow is selected, packets are transferred. If Deny is selected, packets are discarded.
IP Lockout: If Lock source IP is selected, the source IP address initiating attacks is locked when the IPS, WAF or data anti-leak module detects the attacks.
Logging: If Log event is selected, attacks by IPS attack packets are recorded in the embedded data center.
[Figure: Action area with Allow/Deny, Lock source IP and Log event options.]
Server Security > Web Application Protection
The Whitelist is used to exclude traffic from WAF protection based on three types of parameters: WAF Signature, URL Parameters and IP Address.
Based on WAF Signature: Fill in the required information and the WAF Signature Rule ID to whitelist from WAF protection (Dst IP, Dst Port, URL, Descriptio
195. aly Traffic Detection Rule
[Table: abnormal traffic detection rules, reconstructed from the rule list]
Rule Name | Description
RDP anomaly | RDP protocol does not run on destination port 3389
Port 3389 anomaly | Non-RDP protocol runs on destination port 3389
Port 53 anomaly | Non-DNS protocol runs on destination port 53
Port 80/8080 anomaly | Unidentifiable application runs on dst port 80/8080
Port 21 anomaly | Non-FTP protocol runs on dst port 21
Port 69 anomaly | Non-TFTP protocol runs on destination port 69
Port 443 anomaly | Unidentifiable application runs on dst port 443
Port 25 anomaly | Non-SMTP protocol runs on destination port 25
Port 110 anomaly | Non-POP3 protocol runs on destination port 110
Port 143 anomaly | Non-IMAP protocol runs on dst port 143
ICMP anomaly | Size of ICMP packet is greater than 64 bytes
Port 22 anomaly | Non-SSH protocol runs on destination port 22
SSH protocol anomaly | SSH protocol does not run on dst port 22 of LAN server
Outgoing traffic anomaly | Check if a Trojan exists by detecting outgoing traffic anomalies
Select the related rule desired to protect against abnormal connection attacks. Outgoing traffic anomaly is selected by default. Click Settings on the right of Outgoing traffic anomaly; the Advanced dialog for Outgoing traffic anomaly is displayed. See the figure below.
[Figure: Advanced dialog for Outgoing traffic anomaly with Use defaults / Specified options, Outgoing Traffic Trigger and View Defaults.]
196. [Figure: OSPF interface dialog for eth1 (192.200.19.18/24) with the fields Name, Interface IP, Passive Interface (Yes/No), Authentication (Plaintext, MD5, None), Cost 1, Neighbor Age (sec), Msg Delivery Interval (sec) 10, Election Priority 1, Retransmit Interval (sec) 5 and Enable DD packet MTU detection (Yes/No).]
Name: name of the interface corresponding to the network segment published in Network Segments.
IP: IP address of the interface.
Passive Interface: an interface that does not send OSPF link status. After an interface is configured as a passive interface, a direct route can be published. However, the OSPF packets of the interface are blocked and no neighbor relationship can be established. The default value is No.
Encryption: encryption mode of packets. It can be set to Plaintext, MD5 or None. The default value is Plaintext.
Password: password for encrypting packets when Encryption is set to Plaintext or MD5.
Cost: cost for sending packets through a link. The cost affects the metric of the link state advertisement (LSA), which directly affects the OSPF path selection result. The value range is 1-65535. The default value is 1.
Aging Time (s): expiration time. The default value is 40 seconds.
Transmit Interval (s): interval for transmitting Hello packets. The default value is 10 seconds.
Election Priority: priority value of a router. A router with the priority value 0 will not be elected as the designated router (DR) or backup designated
197. an IP address that is in the same network segment as the default IP address on your PC, and log in to the NGAF by using https://10.251.251.251.
Step 2: Choose Network > Interface > Physical Interface and click the interface (such as ETH2) to be configured as an Ethernet interface. The following dialog box is displayed.
[Figure: Edit Physical Interface dialog with Enable, Name eth2, Description, Type (Bridge layer 2), Added To Zone, Basic Attributes (WAN attribute), IP Assignment (Access/Trunk), VLAN Interface and Advanced (link mode, MTU and MAC address).]
Set Type to Transparent. Set Added To Zone to the zone which interface ETH2 belongs to, which is WAN in this example; set the zone in advance based on section 3.2.1.4. Set Basic Attributes to WAN attribute if the interface connects to an uplink. Set IP Assignment to Access. The access interface is the VLAN1 interface and does not need to be changed, but it can be set to another VLAN interface. The two interfaces of the NGAF must be on the same VLAN. The Advanced option enables users to set the operating mode, MTU and MAC address of the network interface. To modify the settings, click Settings.
[Figure: Advanced dialog with Link Mode (Auto negotiation), MTU 1500, MAC address and Restore Default MAC.]
Step 3: Configure an intranet interface. Select an idle network interface
198. and password authentication, select Require authentication.
Email Send Test Address: Click Send Test Email after the address is entered to check whether the email can be sent.
Note: Site tamper protection is set in section 3.10.2; if site tampering occurs, an email will be sent to the administrator using the SMTP server. The email alarm set in section 3.13.6 will also use the SMTP server.
Email Alarm
Email Alarm enables alarm information to be sent to the administrator's mailbox via email. For example, if the intranet is infected with viruses or the disk usage reaches a threshold, the NGAF automatically sends alarm emails to the administrator's mailbox.
[Figure: Email Alarm settings with Enable Email Alarm and the alarm triggering events Admin login failure, Security issue (Anti-virus, IPS High/Medium/Low, WAF) and Internal report center disk usage exceeds threshold (80%).]
Events: Specifies the events that trigger email alarms. If you select multiple events, alarm emails will be triggered when any of the events occurs.
[Figure: Email Alarm options with Email Subject (SANGFOR FW Alarm Email Notice), Sending Interval (Immediately after alarm is triggered, or at an interval of 20 mins) and Recipient Address.]
Options: Sets information including Email Subject and Sending Interval.
Globally Excluded Address
199. and click Add. The Add Web Application Protection Rule dialog box is displayed. Set Name, and set Zone in the Source area to WAN (the protected servers are on the intranet).
[Figure: Add Web Application Protection Rule with Enable, Name (Server Protection), Description and Source Zone WAN.]
Step 3: Set Zone to LAN, IP Group to Server Farm and Port to WEB 80 and FTP 21 in the Destination area. Keep the other default ports.
[Figure: Destination area with Zone LAN, IP Group Server Farm and Port HTTP 80, FTP 21, MYSQL 3306, TELNET 23.]
Step 4: Select all attack types in the Select Attack Type dialog box.
[Figure: Select Attack Type dialog listing SQL injection, XSS attack, Trojan horse, Website scan, WEBSHELL, CSRF, OS command injection, File inclusion, Path traversal, Information disclosure and Web site vulnerability, each with a short description; Fuzzy match; Selected: 11.]
200. and click the interface name to access the Edit Physical Interface dialog box. Set Type to Transparent, unselect WAN attribute, and set IP Assignment to Access.
[Figure: Edit Physical Interface dialog with Type (Bridge layer 2), Added To Zone LAN, WAN attribute unselected, IP Assignment Access and Advanced settings.]
Step 4: Configure a VLAN interface and set the corresponding IP address. The IP address can be used to log in to the console of the NGAF for management. For details about how to configure a VLAN interface, see section 3.2.1.3. A special management interface can also be used to log in to the NGAF.
Step 5: Connect the NGAF to the network. Connect interface ETH2 to the front-end router and interface ETH1 to the layer 3 switch on the intranet.
Trunk Interface Configuration
Configuration example: The following figure shows a network topology where the NGAF works in transparent mode, the switch on the intranet is divided into VLANs but does not enable routing, and the front-end router works as the gateway for the VLANs. The intranet has two network segments, 192.168.2.0/255.255.255.0 and 192.168.3.0/255.255.255.0, which belong to VLAN2 and VLAN3 respectively. A trunk protocol is used between the switch and the router.
[Figure: topology with VLAN2 192.168.2.1/24, VLAN3 192.168.3.1/24 and the AF connected through ETH2 as a trunk.]
201. and the monitoring port of each domain server in one line. See the following figure.
[Figure: Authentication Options > SSO Options with Enable Domain SSO, Domain SSO Program Download, Obtain login profile by executing logon script through domain (with Shared Key), and Obtain login profile by monitoring the data of computers logging into domain; a note states that if packets from internal users logging into the domain do not go through the device, you need to mirror them to the device and enable the mirror interface on the Others tab; Domain Controllers: 192.168.1.10 88.]
Step 3: If the login data does not pass through the NGAF, set a monitoring port connected to the mirroring port on the switch that forwards the login data packets. Click Others and set the mirroring port. The mirroring port must be an available one that is not in use.
[Figure: Authentication Options > Other Options: if SSO requires an external authentication server and the packets of users logging into the external server do not go through this device, mirror the packets to an idle interface of this device and specify the mirror interface here; Enable mirror interface; Mirror Interfaces eth0, eth1, eth2, eth3.]
Step 4: Set the authenticatio
202. anging RIP information. Generally it does not need to be set.
IP Address and Port: IP address to which route updates are to be sent.
Triggered periodic updates: After this check box is selected, the equipment triggers route updating only when a system route changes, and the Interval parameter is invalid.
Log events: If this check box is selected, the equipment records detailed RIP route update information.
Certificate Generation
The hardware-based certificate authentication system is a patent of SANGFOR. The SANGFOR equipment adopts hardware-based certificate authentication to implement identity authentication between VPN nodes. A hardware feature is extracted for generating an encrypted authentication certificate. The certificate is unique and cannot be forged because the hardware feature is unique. This ensures that only the specified hardware equipment is authorized to access the network, avoiding security threats.
Click Generate and select a path for saving the hardware certificate on the local computer. See the figures below.
[Figures: Certificate Generation page with the Generate button, and the browser File Download dialog for the certificate file (type Unknown File Type) downloaded from 192.200.17.24.]
203. aracters.
Weak Password Keywords: one entry per row, maximum 50 entries allowed.
Select the required rules or enter a weak password list, and then click OK. When the firewall detects a weak password, the client cannot log in to the FTP server with that password. To resolve the problem, the password must be changed on the FTP server to another one that meets the requirements, or the firewall password rule must be changed.
Web Weak Login Password Protection: It implements weak password protection during web login. Enable this function.
Web Login Plain Text Transfer Detection: It implements plaintext transfer detection during web login. Enable this function.
Defense against Brute Force Attack: It is applicable to the FTP and HTTP protocols and is used to prevent password cracking. Select Defense against Brute Force Attack and click Settings. The page shown in the following figure appears.
[Figure: Defense Against Brute Force Attack dialog with Victim Application FTP (Attempt Count 10 per minute) and Web Access (Attempt Count 10 per minute).]
To prevent FTP password cracking, select FTP. To prevent HTTP website login password cracking, enter the URLs of the related websites. For example, if the login URL of a website is http://www.com/login.html, enter /login.html. See the preceding figure.
Attempt Count: It specifies the maximum number of incorrect passwor
204. are distributed to multiple Ethernet lines equally.
Bandwidth ratio: Connections are distributed to multiple Ethernet lines based on the bandwidth ratios of the Ethernet lines.
Weighted minimum traffic: Connections are distributed preferably to the line with the smallest ratio of traffic to bandwidth.
Preferred use of the preceding line: used when lines work in active/standby mode. All connections are distributed to the first line. When the first line is faulty, connections are redistributed to the selected available line.
Notes:
- To implement load balancing on multiple Ethernet lines, enable link failure detection. For details, see section 3.2.1.1.
- Only interfaces with WAN attributes can be used for multiline load balancing.
- Each Ethernet line must correspond to a PBR. The PBR can be based on the source IP address or on multiline load balancing.
ARP Proxy Configuration
Configuration example: The following figure shows the network environment where the server cluster is deployed on the intranet and assigned public IP addresses, and the NGAF serves as a proxy to enable intranet users to access the Internet by using private IP addresses and to access intranet servers by using public IP addresses. ARP proxy must be implemented in non-hybrid deployment scenarios.
[Figure: ARP proxy topology using the addresses 1.2.1.2/24, 1.2.1.5/24 and 1.2.1.6/24 on the NGAF interfaces (ETH1, ETH3) and the router.]
205. are upgrade license need not be valid.
Supported Platforms and Upgrade Notes:
1. Supports immediate upgrade from version AF4.3.
2. Supports the English language and Central Management (CM).
Disconnect: After the upgrade, State displays "update successful" in the Update Process area.
[Figure: upgrade tool showing version AF4.5.117 EN Build20130719 and IP address 10.251.251.251.]
Warning: Improper upgrade will cause device damage. Before upgrading, contact the SANGFOR customer service department.
Enabling technical support tools
To enable technical support tools, press F10 or Ctrl+Shift+F10 after the SANGFOR NGAF upgrade system is connected to the NGAF. The Technical Support Tool dialog box has the Upgrade, Backup, Time, Command, Change Password and Help menus.
[Figure: Technical Support Console connected to 10.251.251.251 with the menus Update, Backup, Time, Command, Password and Help; the log shows the connection being dropped and re-established, the device MAC and date 20140320, the current device version AF4.5.117 EN Build20130719 and the update server version 450.]
Upgrade includes the following options: Restore Factory Default, Restore Factory Default (Network Setting Only), Upgrade license and Update logs.
206. ase Version 2013-04-28; Update Service Expires On 2014-07-29.
[Table: URL categories, reconstructed from the category list; descriptions are cut off where the screenshot truncated them]
URL Category | Description | Type
Job hunting & Employment | Websites containing job hunting and recruitment information | Internal
Adult Content | Websites that contain information and comments on adult products, sex education, nude body art, adults ent | Internal
Online Shopping | Websites providing online shopping and online shopping services | Internal
News Portal | Websites that contain latest news and comments on current affairs, including the websites created by media s | Internal
IT Related | Websites providing information of the IT industry, IT figures, program designing and network, and the forums for | Internal
Education | Websites of various culture and education institutions and websites marketing or providing references for ed | Internal
Religion | Websites of religion administrative departments of the nation and websites of various religion organizations a | Internal
Nonprofit Organization | Websites created by non-profit social organizations such as charity institutions, volunteer organizations, tra | Internal
Science & Technology | Websites that research the existence of object things and related regularity and that provide science and tech | Internal
Web Application > Microblog | Informal mini blog that is similar to a traditional blog and publishes instant messages | Internal
Web Application > Web Mailbox | Websites that provide email-related services | Internal
Web Application > Search Engine | Websites providing search
207. ased on multiple conditions, such as the characteristic value of a data packet, protocol, port, direction, data packet length and data packet content, and can detect application types that cannot be distinguished by ports or protocols, for example QQ and P2P. The application identification database stores embedded rules and custom rules. Embedded rules cannot be modified and are periodically updated by the equipment; to update the embedded rules, a sequence number must be authorized and the network must be available to the equipment. Custom rules can be added, deleted and modified. For details, see section 3.4.5. To cite application identification rules and control related applications, choose Access Control > Application Control Policy.
Viewing Application Identification Rules
In the navigation area, choose Objects > Application Ident DB. The Application Ident Database page is displayed on the right.
[Figure: Application Ident Database page with Total Applications 1093, Total Rules 2575, Current Database Released On 2013-04-02, Update Service Expires On 2014-07-29; categories such as Streaming Media (50), File Transfer (109), Game (243), IM (151) and P2P Stream Media (55), with columns Application, Included Rules, Rule Status (All enabled) and Operation (Settings).]
208. atic routing.
Note: The NGAF allows a router interface configured with multiple WAN attributes to connect to multiple Internet lines, but the interface must be granted the right of multiline connection.
Transparent Interface Configuration
When the network interface that routes data to or from the NGAF works in transparent mode, the NGAF also works in transparent mode and is considered a network cable with a filter function. The transparent mode is used when it is difficult to modify the existing network topology. The NGAF is connected between the existing gateways and intranet users. The configurations of the gateways and intranet users are not modified, and only basic configurations of the NGAF are required. The main feature of the transparent mode is that the NGAF is invisible to users. Transparent interfaces are classified into access interfaces and trunk interfaces.
Access Interface Configuration
Configuration example: The following figure shows a network topology where the NGAF works in transparent mode and the intranet is connected to a layer 3 switch and has two network segments, 192.168.2.0/255.255.255.0 and 192.168.3.0/255.255.255.0.
[Figure: topology with the LAN gateway 192.168.1.254/24, the NGAF access interfaces ETH2 and ETH1, the switch addresses 192.168.1.1/24, 192.168.2.1/24 and 192.168.3.1/24, and the segment 192.168.2.0/24.]
Step 1: Log in to the NGAF by using the default IP address of the management port ETH0, which is 10.251.251.251/24. Configure
209. [Figure: Static Route tab (beside Policy Based Routing, OSPF, RIP and All Routes) with IPv4/IPv6 sub-tabs, Add, Delete, Import, Export and Refresh; one route is listed: destination 0.0.0.0, subnet mask 0.0.0.0, next hop 192.168.1.1, metric 0, interface veth1, status Valid.]
Click the IPv6 tab for configuration in an IPv6 environment.
[Figure: IPv6 static route list with the columns No., Destination, Subnet Prefix, Next Hop IP, Metric, Interface, Status, Edit and Delete.]
Click Add to open the Static Route page. You can choose to add a single static route or multiple static routes. The page for adding a single static route is as follows.
[Figure: Add Static Route dialog with Destination (required), Subnet Mask (required), Next Hop IP (required), Interface (Auto) and Metric 0.]
Destination: destination network ID.
Subnet Mask: subnet mask of the target network.
Next Hop IP: next-hop IP address to the target network.
Interface: interface through which data is forwarded.
Metric: metric of the static route.
Click OK to save the settings. The page for adding multiple static routes is as follows.
[Figure: Add Multiple Static Routes dialog, one entry per row, with the fields Destination, Subnet Mask, Next Hop IP, Interface and Metric.]
Enter the destination IP address, subnet mask, next ho
210. [Figure: hardware ID entries for Android devices, each with a hardware ID, MAC address, timestamp (2015-11-23) and IP address in 192.168.19.0/24.]
Online Users
Viewing Online Users: The Online Users page displays authenticated users that are online. See the figure below.
[Figure: Online Users page with Refresh (every 5 seconds), User Status filter (All, fuzzy match), the Default group, and the columns Name, Display Name, Group, IP Address, Authentication, Time Logged In and Locked; the listed users are 192.200.17.x and 169.254.x.x addresses in the Default group with Authentication None, logged in on 2013-8-6.]
211. cal equipment. They are not included in negotiation in the process of establishing a VPN connection with the third-party equipment. The source IP address is the intersection of the source IP addresses set and the local peer device services.
1.1.1.1.5 Security Options
On the Security Options page, you can set the parameters for establishing standard IPSec connections with the peer end. This is phase II of the standard IPSec negotiation. See the figure below.
[Figure: Security Options list with one entry, Default security option, using authentication algorithm MD5 and encryption algorithm 3DES.]
Before establishing an IPSec connection with third-party equipment, understand the connection policy used by the peer equipment, including the protocol (AH or ESP), the authentication algorithm (null, MD5 or SHA-1) and the encryption algorithm (DES, 3DES, AES or SANGFOR_DES). Then click New. See the figure below.
[Figure: new security option dialog with Protocol ESP, Authentication Algorithm (Null, MD5, SHA-1) and Encryption Algorithm (DES, 3DES, AES, SANGFOR_DES).]
The SANGFOR equipment establishes an IPSec connection with the peer end after negotiation based on the preset connection policy.
Note: Encryption Algorithm specifies the data encryption algorithm used at phase II of the IPSec negotiation. If the SANGFOR equipment needs to interconnect with multiple pieces of equipment that a
212. [Figure: Authentication Options (Authentication Conflict, Obtain MAC By SNMP, Other Options) with the options Submit user credential using POST method; DNS service is available before the user passes authentication; Basic services except HTTP are available before the user passes authentication; Require authentication again if the MAC address is changed; Lock user if authentication attempts reach the threshold (Max Attempts 2, Lockout Period 1 min).]
3.7.2.2.1.3 POP3 SSO
There is an email server on a customer's network, and user information is stored on the POP3 server. Before accessing the Internet, a user uses a client such as Outlook or Foxmail to log in to the POP3 server to send and receive emails. When the device, working in monitoring mode, detects the user login, it identifies and authenticates the user. The user can then access the Internet without entering a user name and password a second time. This is applicable regardless of whether the POP3 server is located on an internal or an external network. The methods of configuring POP3 SSO for the two scenarios are described as follows.
Scenario 1: The POP3 server is located on an intranet.
[Figure: the NGAF LAN listening port ETH1 connected to a mirror port on the switch between the PC and the POP3 server.]
The data flow is as follows:
1. The user initiates communication with the POP3 server by using an email client. The device monitors the communication.
2. When the email client successfully logs in to the POP3 server, the device authe
213. cel.
The menu Bandwidth Channel under Options is used to set the target line, channel type, restricted or guaranteed bandwidth, and bandwidth per user. The parameter Target Line defines the applicable line of the channel; that is, only the data packets on the specified line are mapped to the channel. The lines listed in the list box of Target Line are specified in BM Line in advance. For details about how to set up BM lines, see section 3.12.4.
The Channel Type area is where the channel type and bandwidth range are defined. In this example, the financial department is guaranteed bandwidth from 2 Mb/s to 5 Mb/s for visiting online banks and receiving and sending emails. Thus, select Guaranteed channel, and set Min and Max of Outbound and Inbound to 20 and 50 (percent of the line bandwidth) respectively. The total bandwidth is 10 Mb/s; therefore the minimum bandwidth will be 2 Mb/s and the maximum bandwidth will be 5 Mb/s. The Priority can be set to High, Medium or Low, indicating the priority of the channel when occupying other available channels.
[Figure: Per User Max Bandwidth with Outbound and Inbound limits in kbps, and the Advanced option "Make allocated bandwidth on this bandwidth channel shared evenly among external IP addresses and Per User Max Bandwidth setting applied to each of them", typically selected for servers providing external services.]
The parameter Per User Max Bandwidth is used to set the bandwidth each IP address in the channel can
214. ciate with the user group. The procedure for creating a role is the same as that in the Roles Adding section.
f. To remove a role from the list, select the role and click Delete.
g. To edit a role, select the role and click Edit.
Searching for Users
At the upper right of the User Management page there is a Search tool intended for searching for a user or group, as shown below.
[Figure: search field with the options Search by Name, Search by Description and Search by Mobile Number.]
To search for a user or group by name, description or mobile number, click the search field, select Search by xxx, enter the keyword, and click the magnifier icon or press the Enter key. To sort users by name or description in ascending or descending order, click the column header Name or Description. To filter users and view only one category of users, click the column header Type, as shown below.
[Figure: Type filter with the options All, Group, External user, Local user, Certificate user and Disabled user.]
Managing Hardware IDs
Among the tools on the User Management page there is an item Hardware ID. Click it to enter the Hardware ID page, as shown below.
[Figure: Hardware ID page with Delete, Select, Approve, Import, Export, Unfold All, View All, Back and Search by Username; columns Username, MAC Address, Host Name, Hardware ID and Status; groups Default group and group1.]
215. ck New. On the multicast service editing page, set the multicast address and port. See the figure below.
[Figure: multicast service Video Conference 2 with Start IP 220.5.6.7, End IP 220.5.6.7 and Port 20000.]
After defining the multicast service, create a user in Local Users, choose Advanced > Multicast, and configure the multicast service. See the figure below.
[Figure: user Advanced settings with the tabs Multiline Policy, Multicast Service, Tunnel Parameter and Tunnel NAT; Multicast Service selected: Video Conference.]
LDAP Server
The VPN service provided by the SANGFOR equipment supports third-party LDAP authentication. To enable third-party authentication, correctly set the information about the third-party LDAP server on the LDAP Server page, including the server IP address, port number and administrator password. See the figure below.
[Figure: LDAP Server page with Server IP 10.254.254.8, Port 389, Admin DN, Password, Confirm Password, Enable LDAP authentication, Save and Apply, and Advanced.]
Click Advanced. In the Advanced LDAP Settings dialog box, set LDAP information as required. See the figure below.
[Figure: Advanced LDAP Settings with Server Type, User Filter, User Attribute, Root DN, Base DN and Timeout (sec) 10.]
RADIUS Server
The VPN service provided by the SANGFOR equipment supports third-party RADIUS authentication. To
216. [Figure: Defense Against DoS/DDoS Attack settings with Packet-Based Attack (Attacks Selected: Unknown protocol, TearDrop attack, Abnormal Message Probe), Bad IP Options (Select type), Bad TCP Options (Select type) and Action (Log event, Deny).]
Select Select type. The page shown in the following figure appears.
[Figure: Packet-Based Attack list with Unknown protocol, TearDrop attack, IP packet splitting, LAND attack, WinNuke attack, Smurf attack, Huge ICMP packet attack (>1024 B) and Ping of death.]
Unknown protocol: Protection against unknown protocols is enabled when this option button is selected. A protocol with an ID greater than 137 is regarded as an unknown protocol.
TearDrop attack: TearDrop attack protection is enabled when this option button is selected. This protection is implemented by restricting the fragment offset in an IP packet header. If the fragment offset fails to meet requirements, it is regarded as a TearDrop attack.
IP packet splitting: IP packet splitting is not allowed when this option button is selected. If IP packet fragments are transferred, it is regarded as an attack.
LAND attack: LAND attack protection is enabled when this option button is selected. When the NGAF detects that the source and destination addresses of a data packet are the same, the packet is regarded as a LAND attack.
WinNuke attack: WinNuke attack protection is enabled when this option button is selected. If the URG flag of a TCP packet
217. comma-separated.
Step 5: Click Submit. The policies are successfully edited in batches.
[Figure: Authentication Policy list after batch editing:
1. sso, 192.168.3.0/255.255.255.0, None (IP as username), Add to group
2. Martketing, 192.168.2.1-192.168.2.255, None (host name as username), Add to group Marketing, Martketing policy
3. Subnet 1, 192.168.1.0/255.255.255.0, None (host name as username), Add to group IT
4. Default Policy, 0.0.0.0/255.255.255.255, None (IP as username), Add to group Default, Default Policy]
If only Authentication is selected and edited, the new user options do not change. If only New User Option is selected and edited, the authentication mode remains unchanged.
3.7.2.1.6 Adjusting Authentication Policy Priorities
Similar to the priority of Internet access policies, the authentication policy priority is based on its serial No.: the greater the serial No., the lower the policy priority. The NGAF verifies authentication policies from top to bottom, one by one. If the IP or MAC address complies with the policy condition, the specified authentication mode is executed. In the following figure, the condition for authentication policy Marketing
communication interface, and set Peer Device IP to 10.10.9.10.

[Figure: High Availability > Basic Settings, Redundancy, Sync Options tabs; Local Device IP 10.10.9.9/30 (HA, eth2)]

Step 4: On firewall A, choose High Availability > Redundancy and click Add. The Add VRRP Group dialog box is displayed. Set VRID and Priority to 100, set Preemption to Yes, and configure interfaces ETH3 and ETH1 as the hot standby detection interfaces.

[Figure: Add VRRP Group dialog: VRID 100 (1-255); Priority 100 (1-255); Preemption Yes/No; Heartbeat Interval 1 (1-60 s); Member Interfaces: eth1, eth3; Tracked Interfaces with Available/Selected lists (eth0, eth1, eth4, eth3); Delete; OK, Cancel]

Step 5: On firewall A, choose High Availability > Sync Options, select User authentication, Session information and Configuration synchronization, and click OK.

[Figure: High Availability > Sync Options: Enable configuration synchronization; Objects Available/Selected: User authentication, Session information, Configuration synchronization; Add, Delete, Sync Now, View Logs]

Step 6: Configure firewall B. Only interface ETH2 of firewall B and the hot standby settings need to be configured; the other settings can be synchronized from firewall A. On firewall B, choose Network > Interface > Physical Interface and configure th
configuration, because port 53 is used by the DNS protocol by default but is also exploited by attackers.

[Figure: Abnormal Traffic page: Refresh, LAN Servers, Show Top 10, Service: All, IP Address; columns No, IP Address, Service, Count (Today, Last 7 Days), Details (Data Packet)]

Click Refresh to refresh the information immediately. Click LAN Servers to display the servers that were added manually or identified automatically by the NGAF. See the figure below.

LAN Servers (Add, Delete, Refresh)
No | Server IP | Service and Port | Description | Operation
Custom Servers:
1 | 192.200.19.200 | Web: 808, 80, 8080, 8081; FTP: 21; Database: 1433; Email: 808 | TSC | Delete
Auto Identified Servers:
1 | 192.200.19.201 | Web: 80 | | Excluded
2 | 192.200.19.220 | LDAP: 389 | | Excluded
3 | 192.200.19.227 | Web: 85 | | Excluded
4 | 192.200.19.228 | Web: 80 | | Excluded
5 | 192.200.19.229 | Web: 80 | | Excluded
6 | 192.200.19.231 | Web: 80 | | Excluded
7 | 192.200.19.232 | Web: 800 | | Excluded

Flow Control
The Flow Control page displays real-time traffic information about the channels for which traffic management is enabled. See the figure below.

[Figure: Flow Control page; Refresh every 5 seconds; BM System Status: Running; Configure BM]
Name | Transient Speed (up/down) | Speed History (up/down) | Max Speed Allowed (up/down) | Percent (up/down) | Traffic History (up/down)
Line 1 | 331.61 Kb/s / 282.2 Kb/s | 177.52 Kb/s / 172.51 Kb/s | 5 Mb/s / 5 Mb/s | 16 / 15 | 52.01 MB / 50.54 MB
Line 2 | 288.01 Kb/s / 2.26 Mb/s | 2
connecting with third-party equipment. For example, the equipment can allow user test to access the Web service of the Web server at the headquarters while denying user test's access requests to the other services of that Web server, or allow one IP address in the internal network of branch1 to access the SQL server at the headquarters while denying access requests from the other IP addresses in that internal network. Security management on the VPN tunnel is therefore implemented through service access authorization.

[Figure: LAN Service page: New; columns Name, Description, Operation; entries TCP, All TCP Services, All UDP Services, All ICMP Services, All Services with Edit/Delete/View; Save and Apply]

To set service access permissions, first create LAN services and then grant permissions to users. By default, the system does not restrict the access permissions of VPN users.

3.4.13.1.1 Case Study
A customer requires that only the internal IP address 172.16.1.100 of a branch can access the FTP server 192.168.1.20 at the headquarters, and that access requests initiated by other IP addresses, as well as requests from 172.16.1.100 to other services, are denied. The configuration procedure is as follows.
In LAN Service, click New. In the LAN Service dialog box, set Name and Protocol. Set Protocol to TCP in this example. See the figure below.

[Figure: LAN Service dialog: Description "Allow 172.16.1.200 access FTP only"; Protocol: TCP, UDP, ICMP; Source
count admin after login. The following figure shows the Admin Operation page.

[Figure: Admin Operation page: "Specify the following and click Go to retrieve data"; From 2013-08-15 00:00; To 2013-08-15 23:59; Admin: All; Description; Go; Open in new tab]

Example
Application scenario: A user needs to view the logs of the operations performed on the console by the account admin after login on August 15.
Step 1: Set the search criteria.

[Figure: Admin Operation page with From 2013-08-15 00:00, To 2013-08-15 23:59, Admin: All, Description; Go; Open in new tab]

Step 2: Click Go. The data that meets the search criteria is displayed.

[Figure: Admin Operation results: Filter, Export Logs, Delete All; Filter: Period 2013-08-15 00:00 to 2013-08-15 23:59, User All, Description]
No | Username | Host IP | Target | Operation | Time | Details
1 | admin | 192.200.17.10 | Report center | | | View
2 | admin | 192.200.17.10 | Report center | | | View
3 | admin | 192.200.17.10 | Report center | | | View
4 | admin | 192.200.17.10 | Update | | | View
5 | admin | 192.200.17.10 | User logout | | | View
6 | admin | 192.200.17.10 | User login | | | View
7 | admin | 192.200.17.10 | Email alarm | | | View
8 | admin | 192.200.17.10 | High Availability > R
Details pop-up for one entry: Host IP 192.200.17.10; Target: Report center; Operation: Log In; Time: 2013-08-15 16:57:49; Description: admin (192.200.17.10) logged in successfully
ction: Choose Firewall > DoS/DDoS Protection > Inside Attack. The Inside Attack page appears. See the following figure.

[Figure: Outside Attack / Inside Attack tabs. Enable defense against inside attacks; Source Zone: Select; Source Address: Allow packets from any source / Only allow packets from the following sources (type here); Device Deployment: Connect to intranet through L3 switch / Directly connect to intranet through L2 switch (no L3 switch in between); IP Exclusion: Packets from the following IP addresses will not be blocked (type here); Max TCP Connections 1024; Max Attack Packets 10240; Lockout Period (min) 3; OK]

Source Zone: The source zone for intranet protection, usually an internal zone.
Source Address: Specifies the IP addresses from which packets may pass through the firewall. If Only allow packets from the following sources is selected, only packets from the specified IP addresses are forwarded; the firewall discards all other packets.
Device Deployment: Directly connect to intranet through L2 switch (no L3 switch in between) is not recommended. If the device is directly connected to the intranet through an L2 switch, with no L3 switch in between, you can select this option, but it is not mandatory. By default, the device detects attacks based on IP addresses. If this optio
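The Inside Attack thresholds described above, as an added example that is not part of the manual or of Sangfor's code: a per-source guard that applies Max TCP Connections, Max Attack Packets and the Lockout Period together with the Source Address and IP Exclusion lists. The `track_by` switch is this example's reading of the L2/L3 deployment option (behind an L2 switch the device sees end-host MAC addresses, so keying on MAC stops a host from evading the limit by changing its IP) and the counting model (concurrent TCP connections, cumulative attack packets per lockout cycle) is an assumption; the event names and the test inputs are constructed.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class InsideAttackGuard:
    max_tcp_connections: int = 1024          # defaults shown in the dialog
    max_attack_packets: int = 10240
    lockout_minutes: int = 3
    allowed_sources: Optional[Set[str]] = None     # None = "Allow packets from any source"
    ip_exclusion: Set[str] = field(default_factory=set)   # never locked out
    track_by: str = "ip"                     # "mac" for the L2-switch deployment (assumption)
    tcp_open: Dict[str, int] = field(default_factory=dict)
    attack_pkts: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def _key(self, ip: str, mac: str) -> str:
        return mac.lower() if self.track_by == "mac" else ip

    def _lock(self, key: str, now: float, reason: str) -> str:
        self.locked_until[key] = now + self.lockout_minutes * 60
        return "lock:" + reason

    def check(self, ip: str, mac: str, kind: str, now: Optional[float] = None) -> str:
        """kind is one of 'tcp_open', 'tcp_close', 'attack', 'packet'.
        Returns 'allow', 'allow:excluded', 'drop:unlisted_source',
        'drop:locked' or 'lock:<reason>' (the packet that crossed the limit)."""
        now = time.time() if now is None else now
        # Source Address: "Only allow packets from the following sources"
        if self.allowed_sources is not None and ip not in self.allowed_sources:
            return "drop:unlisted_source"
        # IP Exclusion: these addresses are never counted or locked
        if ip in self.ip_exclusion:
            return "allow:excluded"
        key = self._key(ip, mac)
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                return "drop:locked"
            # lockout period elapsed: release the source and count afresh
            del self.locked_until[key]
            self.tcp_open.pop(key, None)
            self.attack_pkts.pop(key, None)
        if kind == "tcp_open":
            self.tcp_open[key] = self.tcp_open.get(key, 0) + 1
            if self.tcp_open[key] > self.max_tcp_connections:
                return self._lock(key, now, "tcp_connections")
        elif kind == "tcp_close":
            self.tcp_open[key] = max(0, self.tcp_open.get(key, 0) - 1)
        elif kind == "attack":
            self.attack_pkts[key] = self.attack_pkts.get(key, 0) + 1
            if self.attack_pkts[key] > self.max_attack_packets:
                return self._lock(key, now, "attack_packets")
        return "allow"
```

The order of the checks matters: the allowed-source list is a hard filter and is applied first, the exclusion list is honoured before the lockout table is consulted, and a source whose lockout has expired has its counters reset so that a single old burst does not keep re-locking it.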
ction 3.6.2.2.1.2; SSO based on a POP3 mail server, see section 3.6.2.2.1.3; SSO based on web form authentication, see section 3.6.2.2.1.4.
3. Identification based on IP addresses, MAC addresses and computer names. A user is identified based on the source IP address and source MAC address of the user's packets and the name of the computer the user is using. With this method, a user does not need to type a user name or password in the browser before accessing the network, so the user does not notice the equipment. However, the equipment cannot identify the specific user either. In particular, when IP addresses are assigned dynamically, the equipment cannot associate network access behavior with specific users, so no control can be exercised over specific users.

3.7.1.2.2 User Type
Users are classified into the following types based on their source: users automatically discovered and created by the equipment, users manually created by the administrator, users imported from CSV files, users imported from external LDAP servers, and users imported from computers on the network.
Users are classified into the following types based on authentication method: users who require no authentication (bound to IP addresses or MAC addresses), users who require local password authentication, users who require external password authentication, and SSO users authenticated by the system together with an external authentication sys
culate the DoS attacks on servers over a specified period. To access the data center, click Internal Report Center in the upper right corner.

[Figure: Status dashboard (Select Panel, Show Default Panels). Panels: System Status; Overall Security of the Day (Attack Type / Attempt Count / Last Occurred: DoS_Attack 0, Anti Virus, Endpoint Security, Botnet, Remote_Access_Trojan); Sessions 36; Online Users 0; System Time 2014-09-05 12:33:55; Locked Sources 0; Total Blocked / Logged 0 / 0; Cloud-based Security Engine: Enabled; Latest Vulnerable Servers (No, Time, Vulnerability, Server, Threat Level, Protection Status, Details; no data); System Key Events: 2014-09-05 12:27:02 admin Log In IP 10.251.251.2; 2014-09-05 11:40:57 admin Log In IP 192.200.19.54; 2014-09-05 11:40:57 admin Log out IP 192.200.19.54; 2014-09-05 11:40:12 admin Log In IP 192.200.19.54; 2014-09-05 11:40:12 admin Log out IP 192.200.19.54; 2014-09-05 11:28:16 admin Log In IP 192... Left menu: Vulnerability Analysis, Security Events, Server Security, Endpoint Security, Recent Attack Sources, Top Hosts by Traffic, Top Apps by Traffic, Bandwidth Monitor, Online Users, Affiliated Source Lockout, Network, Security Databases. System notice: "Password of your account is default. For the sake of network security, please modify the password ASAP."]
d Central Management (CM), and Exchange NICs.
Ping is used to ping the Internet from the NGAF after login, to check whether the NGAF is connected to the Internet. Route table is used to view the routing table of the NGAF. ARP table is used to view the ARP table of the NGAF. View Network Setting is used to view the network settings of the NGAF, such as its IP address settings. View NIC Setting is used to view the operating mode of each network adapter of the NGAF. Modify NIC Setting is used to change the operating mode of a network adapter. Exchange NICs is used to swap the physical positions of network adapters. Check Device Health is used to check the hardware status of the NGAF, either online or by uploading scripts. Modify Password is used to change the password of the SANGFOR upgrade system.

[Figure: Technical Support Console window (Device Disconnected); menus Update (U), Backup (B), Time (T), Command (C), Password (P), Help (H); Modify Password (M). Console output: "Connect device successfully. Version of current device: AF4.5.117 EN Build20130719. Update server version is 450. Connection is dropped. Please connect the device again. Version of the update package is AF4.5.117 Build20130719. Update with this package requires device to restart. Software upgrade license need not be valid. Supported Platforms and Upgrade Notes: 1. Support immediate upgrade from version AF4.3.2. Support Engli
d Settings; Defense Against CC Attack: Settings; Website Scan: Settings; Buffer Overflow: Selected (URL overflow); Data Leak Protection: Sensitive data protection (Settings), File download restriction (Settings); IP/URL Whitelist; Action: Allow / Deny, IP Lockout, Affiliated Source Lockout; Logging: Log event (Settings)]

Name: Specifies the name of the rule.
Description: Specifies the description of the rule.
Source Zone: Specifies the source zone of the traffic matched by the rule. For example, if you set the Internet as the source zone, the rule detects vulnerability attacks launched by Internet users against the servers.
Destination Zone and Destination IP Group: Only the IP addresses in the specified IP group within the specified zone are matched by the rule. These parameters are usually set to the objects to be protected, such as the IP addresses of servers on the intranet.
Port: Specifies the port of the server to be protected. When a user accesses this port of the server, attack detection is performed.
Website-based attack: Specifies the server attacks to protect against. Click Selected (SQL injection, XSS attack, ...). The Select Attack Type page appears. Select the required attack types so that the device provides the corresponding protection.

Attack Type | Description
SQL Injection | SQL Injection is an attack in which malicious co
d, Delete; columns No, Network Segment); 2. Interfaces; 3. Neighbors; 4. Parameters]

Select the Enable RIP check box to enable RIP on the equipment. The prompt shown in the figure below is displayed.

[Figure: Enable RIP prompt: "Are you sure to enable RIP?"]

Click Yes to save the setting.

3.2.2.4.1 Network Segments
The Network Segments page allows you to set the network segment of an interface as a RIP network segment. Click Add. The page shown in the figure below is displayed.

[Figure: Add dialog: Network Segment; OK, Cancel]

Network Segment specifies the address of the network segment to be advertised, in the format IP address/mask. Click OK to save and apply the settings.

3.2.2.4.2 Interfaces
The Interfaces page displays the interfaces that correspond to the network segments advertised in Network Segments. These interfaces can receive and send RIP packets. Suppose that the network segment shown in the figure below is added in Network Segments:

No | Network Segment
1 | 192.200.19.0/24

The automatically generated interface configuration is shown in the figure below.

Interfaces: Name | IP Address | Passive Interface | Authentication
eth1 | 192.200.19.18/24 | No | None

Click the interface name. The page shown in the figure below is displayed.

[Figure: Edit Interface dialog: Name eth1; Interface IP 192.200.19.18/24; Passive Interface Yes/No; Receive Version RIPv1/RIPv2; Send Version RIPv1/RIPv2
d configuration loss on the active NGAF, you are advised to modify the configuration only on the active NGAF, to enable synchronization of User authentication, Session information and Configuration synchronization on the active NGAF, and to enable synchronization of only User authentication and Session information on the standby NGAF.

Logging Options
Logging Options sets the NGAF log options, including Internal Report Center and Syslog. The Internal Report Center holds both system logs and data center logs. Syslog can transmit only data center logs, not system logs.

Internal Report Center
Internal Report Center sets the automatic deletion of logs, as shown in the following figure.

[Figure: Logging Options > Internal Report Center: Enable internal report center; Log Preservation/Deletion: Days logs will be kept, Number of Days 15; Delete logs of the earliest day if disk usage reaches threshold; Log repetitive events only once]

Select Enable internal report center to enable the internal report center of the NGAF.
Log Preservation/Deletion sets whether the system automatically deletes access control lo
dd to group Default; Default Policy]

Example file: IP/MAC Address: this field cannot be left blank; multiple entries are supported and are separated from each other by a half-width comma (the correct f...). Authentication Method: filled in with IP authentication or Password authentication; leaving it blank means IP authentication. New User Option: filled in with Added to local group, Deny Internet access or Casual account; leaving it blank means Added to local group.

[Figure: example import file. Columns: Policy Name, Description, IP/MAC Address, Authentication Method, New User Option, Under Group]
policy1 | policy1 | 200.200.2... | IP Authentication | Casual account | policy1
policy1.1 | policy1.1 | 200.200.20... | IP Authentication | Casual account |
policy1.2 | policy1.2 | 200.200.20... | IP Authentication | Casual account |
policy2 | policy2 | 00:1C:F1:09:50:14 | | Deny Internet access | Default group
policy2.1 | policy2.1 | 200.200.20.245-200.200.2... | | Deny Internet access | Default group
policy3 | policy3 | 200.200.2... | Password Authentication | | Default group
policy4 | policy4 | 00:1C:F1... | Password | Added to ... |
policy5 | policy5 | 00:1c:f1:0... | Password | Added to ... |

After the file has been edited, click Import to import it.

Authentication Options
The authentication options are used to set the user authentication configuration, including SSO Options, Authentication Page Redirection Options, MAC Address Identification Options and Others.

3.7.2.2.1 SSO Options
If you have a third-party authentication server that implements intranet user authentication, SSO allows users authenticated by the third
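The import-file layout described above and the top-to-bottom, serial-number-ordered matching described under Adjusting Authentication Policy Priorities, as one added example that is not part of the manual or of Sangfor's code. It parses the CSV into ordered policies, applies the documented defaults for blank Authentication Method and New User Option cells, rejects a blank IP/MAC Address cell, and resolves a source IP (and optionally its MAC) to the first matching policy. The exact header names and the sample rows are constructed for the example; the accepted address forms (single IP, IP/mask, IP range, MAC) follow the policy table shown earlier.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")


def parse_entry(text: str) -> Tuple[str, object]:
    """One IP/MAC cell entry: MAC, a.b.c.d, a.b.c.d/mask or a.b.c.d-e.f.g.h."""
    t = text.strip()
    if MAC_RE.match(t.lower()):
        return ("mac", t.lower().replace("-", ":"))
    if "/" in t:
        return ("net", ipaddress.ip_network(t, strict=False))   # accepts dotted masks
    if "-" in t:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in t.split("-", 1))
        if lo > hi:
            raise ValueError("range start after end: " + t)
        return ("range", (lo, hi))
    return ("net", ipaddress.ip_network(t))                     # single host


@dataclass
class AuthPolicy:
    serial: int            # row order = serial number = priority (lower wins)
    name: str
    entries: List[Tuple[str, object]]
    auth_method: str
    new_user_option: str
    group: str


def load_policies(csv_text: str) -> List[AuthPolicy]:
    """Read the import file; blank cells get the documented defaults."""
    policies = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        cell = row.get("IP/MAC Address") or ""
        entries = [parse_entry(e) for e in cell.split(",") if e.strip()]
        if not entries:
            raise ValueError(f"row {n}: IP/MAC Address cannot be left blank")
        policies.append(AuthPolicy(
            serial=n,
            name=row["Policy Name"],
            entries=entries,
            auth_method=(row.get("Authentication Method") or "").strip() or "IP authentication",
            new_user_option=(row.get("New User Option") or "").strip() or "Added to local group",
            group=(row.get("Under Group") or "").strip()))
    return policies


def match_policy(policies: List[AuthPolicy], ip: str,
                 mac: Optional[str] = None) -> Optional[AuthPolicy]:
    """First match from the top of the list, i.e. the lowest serial number wins."""
    addr = ipaddress.ip_address(ip)
    mac_n = mac.lower().replace("-", ":") if mac else None
    for p in sorted(policies, key=lambda p: p.serial):
        for kind, val in p.entries:
            if kind == "mac" and val == mac_n:
                return p
            if kind == "net" and addr in val:
                return p
            if kind == "range" and val[0] <= addr <= val[1]:
                return p
    return None


# Constructed sample file (header names assumed, loosely modelled on the example file).
SAMPLE_FILE = """\
Policy Name,Description,IP/MAC Address,Authentication Method,New User Option,Under Group
policy1,branch hosts,"200.200.20.1,200.200.20.2",IP authentication,Casual account,policy1
policy2,printer by MAC,00:1C:F1:09:50:14,,Deny Internet access,Default group
policy2.1,guest range,200.200.20.245-200.200.20.250,,Deny Internet access,Default group
policy3,whole subnet,200.200.20.0/255.255.255.0,Password authentication,,Default group
"""
```

Because matching stops at the first hit, a broad entry such as the /24 in policy3 must come after the narrower range and host entries, or the narrower policies never fire; that is the ordering the Move Up/Move Down buttons control.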
ddress 172.16.1.100 and port 8080 of the internal server, set Translate Port To to Specified Port and enter 8080. See the following figure.

[Figure: Destination NAT: Translate IP To: IP Address 172.16.1.100; Translate Port To: Unchanged / Specified Port]

To modify a destination NAT rule, click the name of the rule to open the modification page.
To delete a destination NAT rule, select the rule and click Delete, or click the delete icon and follow the instructions to complete the deletion.
To disable a destination NAT rule, click its status icon. When the rule is disabled, the status icon changes. To enable the rule again, click the icon and follow the instructions.

Bidirectional NAT
Bidirectional NAT means that one NAT rule translates both the source and the destination IP address: the source and destination IP addresses of the traffic matching the rule are both changed. This is usually used when intranet users access internal servers through public IP addresses or domain names. See the following figure.

[Figure: Add Bidirectional NAT Rule: Enable; Name; Description; Source: Zone, IP Group; Destination: Zone/Interface (Interface eth0), IP Address, IP Group]

IPv6 bidirectional NAT does not support protocol and NAT rule settings. Click Add > Bidirectional NAT; the page shown in the figure below appears.
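The two rule types above, as an added example that is not part of the manual or of Sangfor's code: a first-match NAT table holding a destination NAT rule (public address, port 80, translated to 172.16.1.100:8080) and a bidirectional NAT rule for intranet clients that reach the same server through the public address. The public address 203.0.113.10, the firewall's inside address 172.16.1.1 and the intranet subnet are assumptions. A state table records each translated flow so that the server's replies can be mapped back, which is the point of rewriting the source on the bidirectional rule: without it the server would answer the intranet client directly and the reply would bypass the firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class NatRule:
    name: str
    proto: str
    match_dst_ip: str
    match_dst_port: int
    new_dst_ip: str
    new_dst_port: Optional[int] = None    # None = "Translate Port: Unchanged"
    new_src_ip: Optional[str] = None      # set on a bidirectional rule (source rewritten too)
    match_src_net: Optional[str] = None   # bidirectional rule applies to intranet sources only


def reverse(f: Flow) -> Flow:
    proto, sip, sport, dip, dport = f
    return (proto, dip, dport, sip, sport)


class NatTable:
    def __init__(self, rules: List[NatRule]) -> None:
        self.rules = list(rules)
        # reply-direction flow as the server sends it -> reply flow the client expects
        self.state: Dict[Flow, Flow] = {}

    def forward(self, flow: Flow) -> Flow:
        """Translate a client-to-server flow with the first matching rule."""
        proto, sip, sport, dip, dport = flow
        for r in self.rules:                   # rules are evaluated top to bottom
            if (r.proto, r.match_dst_ip, r.match_dst_port) != (proto, dip, dport):
                continue
            if r.match_src_net and ipaddress.ip_address(sip) not in ipaddress.ip_network(r.match_src_net):
                continue
            # Source port is kept as-is for clarity; a real SNAT may reallocate it.
            out = (proto, r.new_src_ip or sip, sport, r.new_dst_ip, r.new_dst_port or dport)
            self.state[reverse(out)] = reverse(flow)   # remember how to undo it
            return out
        return flow                            # no rule: pass unchanged

    def reply(self, flow: Flow) -> Flow:
        """Map a server-to-client flow back to what the client expects."""
        return self.state.get(flow, flow)


# Constructed rules: the more specific bidirectional rule sits above the plain DNAT rule.
RULES = [
    NatRule("intranet-to-server", "tcp", "203.0.113.10", 80, "172.16.1.100", 8080,
            new_src_ip="172.16.1.1", match_src_net="192.168.1.0/24"),
    NatRule("internet-to-server", "tcp", "203.0.113.10", 80, "172.16.1.100", 8080),
]
```

Rule order is part of the policy: if the plain destination NAT rule came first it would also catch intranet clients, their source would stay 192.168.1.x, and the server would reply to them directly with an address the clients never connected to.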
de Attack page: Add, Delete, Refresh]
No | Name | Description | Type | Attack | Source Zone | Status
1 | DOS protection | | Anti-DoS/DDoS | Defense against ARP flooding attack: Disable; Scan prevention: Disable; Packet-based attack: Enable; Abnormal message probe: Disable | LAN | Enable

Click Add to add further Internet attack protection rules. To modify an Internet attack protection rule, click its name. To delete a rule, select it and click Delete. To enable a rule, click Enable; to disable a rule, click Disable. To move a rule up or down, click Up or Down. Rule matching is performed from top to bottom.

Packets are matched against the rules from the top of the rule list to the bottom. If a packet is discarded according to a rule, the subsequent rules are not evaluated. If a packet does not match a rule, the next rule is used to check whether the packet is an attack.
If you have configured scan protection, you are advised to configure the ICMP attack protection included in DoS/DDoS attack protection as well. Which protection applies depends on the attack characteristics. Usually attackers scan IP addresses and then port numbers to find targets, and after discovering them carry out the next attack action; some attackers already know the IP addresses and port numbers and attack the targets directly. Both protection measures are therefore recommended to ensure effective protection.

Intranet Prote
de is inserted into ...
XSS | XSS (cross-site scripting) is a vulnerability in web applications t...
Trojan | A Trojan horse is a program that is designed by an attacker to be do...
Website Scan | An attacker scans the entire website to get information about the site's...
WEBSHELL | WebShell, or website background Trojan, is often an ASP, PHP o...
CSRF | CSRF (cross-site request forgery) is a type of malicious exploit of...
OS Command Injection | OS Command Injection is an attack in which an attacker submits specia...
File Inclusion | File Inclusion is a type of attack specific to PHP websites. It allo...
Path Traversal | Path Traversal is a vulnerability in which ... or its variant is added t...
Information Disclosure | Information Disclosure is often caused by security vulnerab...
Web Site Vulnerabilities | Special vulnerabilities in well-known websites. The rule can fulfill ...
Custom WAF signature | All takes effect

SQL injection: Attackers take advantage of design flaws to attach SQL code to text boxes on web pages in order to obtain network resources or change data. The NGAF device can detect such attacks.
XSS attack: Cross-site scripting is a common web application attack that exploits security loopholes. It allows code to be injected into the pages served to users; for example, HTML code and client-side scripts can be injected to exploit XSS loopholes, bypass access control and obtain data such as accounts. The NGAF device can detect such attacks.
Trojan horse: Web page Trojan
djacency | OSPF Interfaces]
No | Neighbor ID | Pri | State | Dead Time | Address | Interface
No data available

Neighbor ID: ID of the neighboring router. Pri: priority of the neighboring router. State: functional state of the neighboring router. Dead Time: expiration time of the neighbor; if the neighbor sends no Hello packet, the router regards the neighbor as DEAD after this time elapses. Address: IP address of the neighbor's interface connected to this router; when OSPF packets are sent to the neighbor, the value of Address is the next-hop IP address (OSPF_VL1 denotes a virtual link). Interface: the local interface through which the neighbor is connected.

3.2.2.3.4.4 OSPF Interfaces
The OSPF Interfaces tab page is shown below.

[Figure: OSPF Links | OSPF Routes | OSPF Adjacency | OSPF Interfaces; columns Interface, IP, Area, State, DR, BDR]

Interface: interface name. IP: IP address of the interface. Area: area to which the interface belongs. State: role of the interface. DR: IP address of the DR in the area. BDR: IP address of the BDR in the area.

RIP
The RIP tab page allows you to enable RIP on the NGAF equipment and set the RIP dynamic routing protocol. This tab page has four modules: Network Segments, Interfaces, Neighbors and Parameters. See the figure below.

[Figure: Routing: Static Route | Policy Based Routing | OSPF | RIP | All Routes; Enable RIP; 1. Network Segments (Ad
dopts different connection policies, you need to add those connection policies on the Security Options page.

Objects
The Objects configuration module contains two sub-modules: Schedule and Algorithm.

Schedule
On the Schedule page you can define commonly used combinations of time segments, which can be referenced in Local Users and LAN Service. The current time on the equipment prevails. See the figure below.

[Figure: Schedule page: Name, Description (All day), Operation (View); Save and Apply]

Click New. The Schedule dialog box shown below is displayed.

[Figure: Schedule dialog: Name "Working Hours"; Description; "Click and drag over the grids to select time segment(s)"; a grid of hours 00 to 23 against the days Mon, Tue, Wed, Thu, Fri, Sat, Sun]

In the preceding figure a time segment combination named Working Hours is defined. By default, the rules are effective in all time segments. Select a time segment combination and click the clear button; the rules then become ineffective in the selected time segments and remain effective in the others. Click OK. The rules are effective in the time segments marked in green and ineffective in those marked in gray.

Algorithms
On the Algorithms page you can view and add the data encryption algorithms supported by the equipment. All data transmitted over the VPN is encrypted with the specified algorithm to ensure data security. See the figure below.
dress. 4. The time interval used for unlocking a user or IP address ranges from 30 to 1800 s; 0 means the lock is not released until the administrator unlocks it manually.]

The Password Security Options page contains the following.
Enable on-screen keyboard: The on-screen keyboard is a virtual keyboard available on the SSL VPN login page. It can prevent input disclosure, adding security to SSL VPN access. The other two options, Random letter key layout and Random number key layout, make the letter keys and number keys of the virtual keyboard change position randomly every time the keyboard is used. When a user logs in to the SSL VPN and wants to open the on-screen keyboard, he or she only needs to click the keyboard icon next to the Password field on the login page, as shown in the figure below.

[Figure: Access SSL VPN login page: Username; Password (with keyboard icon); Other Login Methods: Use Certificate, Use USB Key]

Brute-force Login Prevention: This security feature lets the system take action against brute-force login attempts. If a user fails to log in many times, the login IP address or the user account is locked, or word verification is enabled, for a period of time. The prompt shown below is given.

[Figure: Access SSL VPN login page with the message "You are trying brute force login. The user account is locked."]

Certificate
A certificate is intended for establishing
dress | Expiry Date]
1 | guest | 192.168.1.2-192.168.1.100 | Never expire

Step 3: In the Add User dialog box, select Enable user and set Name, Description, Display Name and Added To Group.

[Figure: Add User dialog: Enable user; Name Emily; Display Name; Added To Group Admin]

Step 4: Set User Attributes. Select Local password and type the login password in the Password text box.

[Figure: Local password: Password; Confirm]

Select Bind IP/MAC and bind the user to IP addresses and MAC addresses. In this example, bind the user to the IP address 192.168.1.117 and the MAC address 00:1C:25:AC:4C:44. The IP address and MAC address are required for authentication and are unavailable to other users, that is, the binding is bidirectional. Click Binding Mode and select Bidirectional binding between user and address in the displayed dialog box. Select Bind IP/MAC and type 192.168.1.117 00:1C:25:AC:4C:44 in the text box.

[Figure: Bind IP/MAC: Binding Mode; IP Address / MAC Address / IP and MAC; one entry per row, annotation separated by a delimiter; Example 200.200.0.1; entry 192.168.1.117 00:1C:25:AC:4C:44; Scan MAC]

The user is bound to only one IP address and one MAC address, so the user is identified as a private account by default.
Select Show Logout page if user passes password-based authentication. This option is available for users authenticated by user name and password. If this option is selected, the l
ds entered in a minute. If the upper limit is exceeded, the attempts are regarded as password cracking.
File Upload Restriction: Filters the types of files that clients upload to servers. Select File Upload Restriction and click Settings. The page shown in the following figure appears.

[Figure: File Upload Restriction: File Type Blacklist containing asp; Add]

Click the drop-down arrow, choose the preset file types and click Add to add them to the list. To customize a type, enter it in the text box and click Add to add it to the list.
URL Protection: Sets URL access rights. For example, if access to a URL is prohibited, the preceding attack protection measures are not applied to that URL: it cannot be attacked because clients cannot reach it. If a URL is allowed, the preceding attack protection measures are likewise not applied to it. Select URL Protection and click Settings. The page shown in the following figure appears.

[Figure: URL Access Right: Add, Delete; columns URL, Description, Action, Log, Auto Added; entry login.html (Log: No); OK, Cancel]

As with password cracking protection, enter only the suffix of the URL. For example, if the URL is http://www.com/login.html, enter login.html.
HTTP Exception Detection
Protocol Exception: Prevents attacks caused by the server incorrectly processing multiple request parameters on A
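The blacklist check behind File Upload Restriction and the suffix match behind URL Protection, as an added example that is not part of the manual or of Sangfor's code. It shows the normalisations a practitioner wants before comparing extensions or suffixes: percent-decoding, NUL truncation, client-supplied paths, trailing dots and spaces, double extensions, and `./` and `../` segments in the URL path. The blacklist (the page's dialog shows only asp), the rule list and the sample names are constructed.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

BLACKLIST = {"asp", "aspx", "php", "jsp", "exe"}   # constructed; the dialog shows "asp"


def normalize_filename(name: str) -> str:
    """Reduce a client-supplied file name to the form the server would store."""
    name = unquote(name)                               # undo %2e / %00 style encodings
    name = name.split("\x00", 1)[0]                    # NUL-byte truncation trick
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path the client sent
    return name.rstrip(". ").lower()                   # Windows ignores trailing dots/spaces


def extensions(name: str) -> List[str]:
    """Every extension, so 'shell.php.jpg' yields ['php', 'jpg'], not just 'jpg'."""
    return normalize_filename(name).split(".")[1:]


def upload_blocked(name: str, blacklist=BLACKLIST) -> bool:
    """True when any extension of the normalised name is blacklisted."""
    return any(ext in blacklist for ext in extensions(name))


def url_suffix(url: str) -> str:
    """Last path segment after decoding and collapsing ./ and ../ segments."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    return path.rsplit("/", 1)[-1].lower()


def url_decision(url: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """rules: (suffix, 'allow' | 'deny') in list order. Returns the action of the
    first matching rule, or None when no rule matches, meaning the request goes
    on to the regular attack-detection checks."""
    suffix = url_suffix(url)
    for rule_suffix, action in rules:
        if suffix == rule_suffix.lower():
            return action
    return None
```

Matching on the full normalised suffix rather than on a substring is deliberate: a rule for login.html should not also fire for mylogin.html, and decoding before comparison is what stops `%6cogin.html` or `login.html%00.jpg` from slipping past the rule.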
e. Set the zone in advance according to section 3.2.1.4. The Advanced option lets you set the operating mode, MTU and MAC address of the network interface. To modify these settings, click Settings.

[Figure: Advanced: Link Mode Auto-negotiation; MTU 1500; MAC 00:E0:4C:46:FA:6F; Restore Default MAC]

Step 4: Configure a default route (destination 0.0.0.0, mask 0.0.0.0) pointing to the front-end gateway 192.168.1.1. Choose Network > Routing > Static Route. The Edit Static Route dialog box is displayed.

[Figure: Edit Static Route: Destination 0.0.0.0; Subnet Mask 0.0.0.0; Next Hop IP 192.168.1.1; Metric 0; OK, Cancel]

Step 5: Configure a protection rule. Choose IPS > IPS to configure an IPS rule in bypass mode. The Edit IPS Rule dialog box is displayed.

[Figure: Edit IPS Rule: Enable; Name test; Description; Source Zone Mirror_ip; Destination Zone Mirror_ip; IP Group Server Farm; Threat Prevention: Server, Endpoint; Action: Allow / Deny, IP Lockout (Lock source IP); Logging: Log event; OK, Cancel]

In bypass mode, set the source and destination zones to the zone that the bypass mirror interface belongs to, and set the destination IP group to the IP group that the server network segment belongs to.
Step 6: Connect the NGAF to the network: connect interface ETH1 to the bypass mirror
e OU ignored; Sync LDAP OUs to this device: user ignored; Added To Group; Allow concurrent login on multiple terminals]

Method does not need to be configured. By default, the security groups and users are synchronized to the equipment. Specify an existing group in Added To Group so that the synchronized security groups become sub-groups of the selected group. Click the select button, choose the corresponding group in Select Group, and click OK.

[Figure: Select Group (Fuzzy match): Admin, FAE, RD, Sales, Default group]

Select Added To Group and Allow concurrent login on multiple terminals in Synchronization Target so that the domain accounts on the equipment are public accounts by default, that is, the same account can be logged in on multiple computers. If this option is not selected, each user is a private account that can be logged in on only one computer.

Step 6: Set the synchronization policy and click Submit. You can view the added synchronization policies in LDAP User Sync Policy and start synchronization immediately by clicking Sync Now. If you do not click Sync Now, synchronization is performed automatically once a day.

LDAP User Sync Policy (Add, Delete, View Logs, Refresh)
No | Policy Name | Description | Group/User | Auto Sync | Last Sync | Sync Now | Delete
1 | Sync Policy 1 | Sync RD OU | | Yes | Synchronization succeeded | |
2 | Sync Polic
e and add the corresponding port in the text box. Click OK. The network service is configured.

You can type a protocol number in the Other text box; 0 indicates all protocols. The protocol number is an integer from 0 to 255.
In the TCP or UDP text box, type one port or one port range per row. In the ICMP text box, specify entries in the format "a b" (type a, code b), where a and b are integers from 0 to 255. Multiple rows can be entered.

Service Groups
On the Service Group tab page, multiple services can be combined into one service group. When multiple services need to be referenced, you can reference the service group directly. See the figure below.

[Figure: Services / Service Groups tabs: Add, Delete, Refresh; columns Name, Description, Included Services]

Click Add. The Add Service Group dialog box is displayed, as shown in the figure below.

[Figure: Add Service Group: Name; Description; Service; OK, Cancel]

Name: service group name. Description: service group description. Service: the services contained in the service group; click the select button to choose services. You can select multiple services from the predefined services and the custom services.

IP Group
The IP Group panel is used to define an IP address group that contains certain IP addresses. The IP address group may contain an IP address segment on the LAN, an IP address segment on the Internet, or all IP addres
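The service definition formats described above (protocol number 0 to 255 with 0 meaning every protocol, one TCP or UDP port or port range per row, ICMP rows as "type code") and the way a service group is referenced, as an added example that is not part of the manual or of Sangfor's code. It parses each text box with the documented range checks and matches a packet's protocol, port or ICMP type/code against a service or a group. The sample services are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Range = Tuple[int, int]


def parse_ports(text: str) -> List[Range]:
    """TCP/UDP box: '80' or '8000-8080', one per row; values 0-65535, low end first."""
    out: List[Range] = []
    for row in text.splitlines():
        row = row.strip()
        if not row:
            continue
        lo, _, hi = row.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (0 <= lo_i <= hi_i <= 65535):
            raise ValueError("bad port row: " + row)
        out.append((lo_i, hi_i))
    return out


def parse_icmp(text: str) -> List[Range]:
    """ICMP box: 'a b' per row, ICMP type a and code b, both 0-255."""
    out: List[Range] = []
    for row in text.splitlines():
        if not row.strip():
            continue
        parts = row.split()
        if len(parts) != 2:
            raise ValueError("bad ICMP row: " + row)
        t, c = int(parts[0]), int(parts[1])
        if not (0 <= t <= 255 and 0 <= c <= 255):
            raise ValueError("bad ICMP row: " + row)
        out.append((t, c))
    return out


def parse_protocols(text: str) -> Set[int]:
    """Other box: protocol numbers 0-255, where 0 stands for every protocol."""
    nums = {int(x) for x in text.replace(",", " ").split()}
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("protocol number out of range")
    return nums


@dataclass
class Service:
    name: str
    tcp: List[Range] = field(default_factory=list)
    udp: List[Range] = field(default_factory=list)
    icmp: List[Range] = field(default_factory=list)   # (type, code) pairs
    other: Set[int] = field(default_factory=set)

    def matches(self, proto: int, port: Optional[int] = None,
                icmp_type: Optional[int] = None, icmp_code: Optional[int] = None) -> bool:
        if 0 in self.other:                    # "0 indicates all protocols"
            return True
        if proto in (6, 17):                   # TCP / UDP: destination port in a range
            ranges = self.tcp if proto == 6 else self.udp
            return port is not None and any(lo <= port <= hi for lo, hi in ranges)
        if proto == 1:                         # ICMP: exact type/code pair
            return (icmp_type, icmp_code) in self.icmp
        return proto in self.other             # anything else by protocol number


def group_matches(group: List[Service], **pkt) -> bool:
    """A service group matches when any member service matches."""
    return any(s.matches(**pkt) for s in group)
```

Validation at parse time is what keeps a typo such as `90-80` or `70000` from silently producing a service that matches nothing (or, for a later reviewer, looks like it matches something).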
e ID 15090282; JCMS 2010 Database Configuration Load Vulnerability. Vulnerability Name; Description: JCMS 2010 is vulnerable to a Database Configuration Load attack because it fails to sanitize invalid content in url poms/workflow/design/readxml.jsp (flowcode). An attacker may exploit this flaw to read the database configuration. Impact: An attacker may use it to obtain sensitive information or gain admin authority. Threat Level: High. Reference. Solution: Use a web firewall. Action: Enable / Disable; OK, Cancel]

Enable: The rule is enabled. The equipment analyzes and inspects traffic to the servers based on the rule, and logs the vulnerability when it is detected.
Disable: The rule is disabled. The equipment does not check for this vulnerability.

Data Leak Protection
The data leak protection database contains regular expressions for several kinds of sensitive information, such as ID numbers, mobile phone numbers and bank account numbers. You can also define your own sensitive keywords. After data leak protection is enabled, matching sensitive information is blocked by the equipment, preventing users' sensitive information from being leaked. See the figure below.

Data Leak Protection: Predefined Sensitive Keyword | Custom Sensitive Keywords | IP/URL Whitelist (Refresh)
No | Name | Description
1 | MD5 | MD5 value (32-character form supported)
2 | Email address | Email address

Predefined Sensitive Keyword
The Predefined S
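A regex scanner in the spirit of the data leak protection database above, as an added example that is not part of the manual or of Sangfor's code: two predefined patterns (32-character MD5 value, email address), one custom pattern (a 16-digit bank card number, Luhn-checked so that arbitrary 16-digit order numbers do not trigger it), an IP/URL whitelist, and a redaction helper. The patterns, the whitelist and the sample response body are constructed for this example; the appliance's own expressions are not shown on the page.

```python
import re
from typing import Dict, List, Pattern, Set, Tuple

# Constructed patterns standing in for the database entries shown above.
PREDEFINED: Dict[str, Pattern[str]] = {
    "MD5": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])"),
    "Email address": re.compile(
        r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"),
}
CUSTOM: Dict[str, Pattern[str]] = {
    "Bank card number": re.compile(r"(?<!\d)\d{16}(?!\d)"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to drop random 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(body: str, client_ip: str, url: str,
         whitelist_ips: Set[str], whitelist_urls: Set[str]) -> List[Tuple[str, str]]:
    """Return (keyword name, matched text) pairs in pattern order, or nothing when
    the client IP or a URL prefix is whitelisted."""
    if client_ip in whitelist_ips or any(url.startswith(w) for w in whitelist_urls):
        return []
    hits: List[Tuple[str, str]] = []
    for name, rx in {**PREDEFINED, **CUSTOM}.items():
        for m in rx.finditer(body):
            val = m.group(0)
            if name == "Bank card number" and not luhn_ok(val):
                continue                      # 16 digits but not a card number
            hits.append((name, val))
    return hits


def redact(body: str, hits: List[Tuple[str, str]]) -> str:
    """Mask every matched value; the caller decides whether to block or to log."""
    for _, val in hits:
        body = body.replace(val, "*" * len(val))
    return body


# Constructed sample response body (the hash is MD5 of the empty string; the
# card number is the common test PAN, the 16-digit order reference fails Luhn).
SAMPLE_BODY = ("session d41d8cd98f00b204e9800998ecf8427e for alice@example.com; "
               "card 4111111111111111 on file, order ref 1234567890123456")
```

The lookbehind/lookahead guards on the MD5 and card patterns matter in practice: without them a 40-character SHA-1 would yield a spurious 32-character "MD5" hit and a 19-digit identifier would yield a 16-digit "card".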
242. e IP address of interface ETH2. [Figure: Edit Physical Interface: Name eth2, Description HA, Type Route (layer 3), Added To Zone DMZ, IP Assignment Static, Static IP 10.10.9.10/30, HA]
Step 7: On firewall B, choose High Availability > Basic Settings, set Local Device IP to the IP address of interface ETH2 and Peer Device IP to 10.10.9.9, and click OK. [Figure: High Availability Basic Settings: Local Device IP 10.10.9.10/30 (HA eth2), Peer Device IP]
Step 8: On firewall B, choose High Availability > Redundancy, set VRID to 100 (the same as that of firewall A), set Priority to a value smaller than that of firewall A (for example 90), set Preemption to No, set Heartbeat Interval to the same value as that of firewall A (a different value will cause data synchronization failure), and select network interfaces. [Figure: Add VRRP Group: VRID 100 (1-255), Priority 90 (1-255), Preemption No, Heartbeat Interval 1 (1-60 s), Member Interfaces eth1 and eth3, Tracked Interfaces]
Step 9 (Optional): Configure synchronization on firewall B. Choose High Availability > Sync Options and select the synchronized objects. After synchronization is configured, any modification on firewall B is s
243. e PBR. Schedule specifies the effective time of the PBR. Click to select a schedule (Recurring Schedule: All week; One Time Schedule; Add One Time Schedule; Add Recurring Schedule). Source contains the Zone (mandatory) and IP Group fields. Destination contains the IP Group and ISP options; select one of them. Click the IP Group drop-down list to select an option. Before setting an ISP address, set an ISP address database; for details, see section 3.5.1. In this example, all applications used to access a public network must be matched with the PBR; therefore, select all IP addresses. Protocol/Port specifies protocol and port conditions. In this example, the PBR is applied to the applications used by all intranet users to access a public network; therefore, Protocol/Port does not need to be configured, which indicates all protocols and ports. Interface specifies the lines for load balancing. Load balancing is implemented for two Ethernet lines. Click Add and select the interfaces connected to the two Ethernet lines. [Figure: Interface list with Interface, Link State, Move and Delete columns, containing eth1 and eth3; Load Balancing Method: Round Robin] Load Balancing Method specifies a scheduling algorithm for Ethernet lines. Four algorithms are supported: round robin, bandwidth ratio weight, minimum traffic, and preferred use of the preceding line. Round robin: Connections
244. e Technical Support Console. [Figure: Technical Support Console (Device Disconnected) with Update, Backup (Backup Config, Restore Backup), Time, Command, Password and Help menus; the log pane reads: Connecting to device 10.251.251.251 ... Connect device successfully. Version of current device AF4.5.117 EN Build20130719. Update server version is 450. Connection is dropped. Please connect the device again. Version of the update package is AF4.5.117 build20130719. Update with this package requires device to restart. Software upgrade license need not be valid. Supported Platforms and Upgrade Notes: 1. Support immediate upgrade from version AF4.3; 2. Support English language and Central Management (CM)]
Backup Config is used to back up device configurations. Restore Backup is used to restore backup configurations to the device. Time is used to view the current time and synchronize the time of a public network, so as to check whether a device upgrade license expires. [Figure: the same console with the Time menu open (Current Time), showing the device connection log for 10.251.251.251 and version AF4.5.117 EN Build20130719]
245. e and bind it to the corresponding user account. Once the administrator approves the submitted hardware ID, the user will be able to pass hardware ID based authentication when accessing SSL VPN through the specified terminal(s). This authentication method helps to eliminate potential unauthorized access. As mentioned above, multiple users could use the same user account (public user account) to access SSL VPN concurrently, so it is reasonable that a user account may bind to more than one hardware ID. That also means an end user can use one account to log in to SSL VPN through different endpoints, as long as the user account is bound to the hardware IDs submitted by the user from those endpoints.
6. Assign roles to the user group.
a. Click on the Roles field to enter the Assigned Roles page, as shown below. [Figure: Assigned Roles page with Add, Delete and Edit buttons and Role Name and Description columns]
b. Click Add to enter the Select Role page, as shown below. [Figure: Select Role page with keyword search and Role Name and Description columns]
c. Select the checkbox next to the desired roles and click the OK button. The roles are added to the Assigned Roles page.
d. Click the OK button, and the names of the assigned roles are filled in the Roles field.
e. If the desired role is not found in the list, click Create Associate to create a new role and asso
246. e drops the packet and for what reason. This is used for quick configuration fault location and rule validity verification. Click Enable and Filter. In the displayed Filter dialog box, set filter conditions including Specified IP, IP Whitelist, Protocol and Port, as shown in the following figure. [Figure: Filter dialog: Specified IP; IP Whitelist; Protocol Type (All, or a protocol number, an integer between 0 and 255); Port (All / Specified); Enable Packet Drop List; Enable Bypass Packet Drop List]
Specified IP enables the drop list for the specified IP addresses. By default, all network segments are included. IP Whitelist excludes IP addresses from Specified IP, so that real time log drop and bypass are disabled for these IP addresses. Protocol and Port define the protocol type and port of packets whose drop status is output to the access control list. Click Enable Packet Drop List to validate the drop list: all policies of the NGAF are valid, and packets complying with drop policy configuration will be dropped and displayed. You can click Refresh to view the dropped packets in real time. Click Enable Bypass Packet Drop List to validate the drop list and bypass: network access policies are invalid, and packets complying with drop policy configuration will be bypassed and displayed. You can click Refresh to view the dropped packets in real time. This function can promptly check whether errors such as network disconnecti
247. Step 1: Choose NAT > DNS Mapping and click Add. [Figure: NAT DNS Mapping list with No, Domain Name, Public IP, Internal IP and Edit columns]
Step 2: Enter information such as the public IP address and domain name. The following figure shows the configuration for this example. [Figure: Add DNS Mapping: Domain Name WWW.X.COM, Public IP 1.2.1.1, Internal IP 172.16.1.100]
Step 3: Click OK to complete the configuration. The intranet users can directly access 172.16.1.100 by accessing WWW.XXX.COM.

Concurrent Connections Control
Concurrent connections control is used to specify the maximum number of connections for each IP address. When an intranet user downloads content in P2P mode, or a computer on the intranet is infected by a virus, many connections may be set up in a short time, which affects device performance. In this case, you can set concurrent connections control to limit the maximum number of connections allowed for each IP address, which helps reduce network resource usage. See the following figure. [Figure: Add Concurrent Connection Control Rule: Enable, Name, Description, Source (Zone, IP Group), Max Concurrent Connections Per IP (Specified / No limit)]
Name: It specifies the name of a rule. It can be customized. Description: It specifies the description of a rule.
248. e equipment must have access to the network and be configured with available DNS addresses for resolving domain names.

LAN Server
The LAN Server panel is used to display manually added servers or servers auto-identified by NGAF. Navigation: LAN Servers. [Figure: LAN Servers list with No, Server IP, Service & Port, Description and Operation columns. Custom Servers: 1 192.200.19.200, Web 808 80 8080 8081, FTP 21, Database 1433, Email (Delete). Auto Identified Servers: 1 192.200.19.201 Web 80; 2 192.200.19.220 LDAP 389; 3 192.200.19.227 Web 85; 4 192.200.19.228 Web 80; 5 192.200.19.229 Web 80; 6 192.200.19.231 Web 80; 7 192.200.19.232 Web 800; all marked Excluded]
Click Add to add the new LAN Server. See the figure below. [Figure: Add LAN Server dialog with Server IP, Service (Select) and Description fields] In the drop-down list of Service there are many types of services to choose from. For example, if it is an FTP server, select the FTP service. [Figure: Server IP 192.200.19.86; Service: Web 80, Web 800, Email] Click OK to confirm the new LAN Server. The result will be displayed under Custom Servers. See the figure below. LAN S
249. e line to be viewed in the Objects pane. Select a value from the Line drop-down list. In the Display Option pane, you can set the number of displayed applications ranked by traffic.

Top Hosts by Traffic
The Top Hosts by Traffic page displays the bandwidth usage of online hosts. See the figure below. [Figure: Top Hosts by Traffic page with Refresh (5 seconds), Refresh, Filter and View Top 60 controls and columns No, IP Address, Outbound Speed, Inbound Speed, Bidirectional, Obtain, Flow Details]
The hosts are ranked by traffic. The displayed information includes the IP address, outbound speed, inbound speed, bidirectional speed, a link for obtaining the computer name, and flow details. In the Obtain column, click Obtain to obtain the computer name corresponding to the IP address. In the Flow Details column, click an application to display the traffic information about the corresponding host. See the figure below.

Application      | Percent | Outbound   | Inbound    | Bidirectional
SSL              | 66      | 12.23 Kb/s | 44.00 Kb/s | 56.31 Kb/s
Website Browsing | 20      | 9.88 Kb/s  | 6.88 Kb/s  | 16.75 Kb/s
Other            | 9       | 4.91 Kb/s  | 2.48 Kb/s  | 7.39 Kb/s
DNS              | 4       | 1.32 Kb/s  | 2.43 Kb/s  | 3.75 Kb/s
NETBIOS          | 1       | 880 b/s    | 0 b/s      | 880 b/s

Click Refresh 5 seconds to set the refresh interval. Click Refresh to refresh the information immediately. Click Filter to specify the conditions for filtering h
250. e list will be down once a port is down. The setting does not conflict with the interface linkage of the interface area setting; both settings are valid. That is, if the Ethernet interface list is selected, the interface linkage setting is not required.
- Configuration synchronization consists of batch synchronization and incremental synchronization. After a NGAF starts, it sends a configuration synchronization request to the peer and requires synchronization from the peer; in this manner, batch synchronization is performed. After batch synchronization is complete, the NGAF checks every 10 seconds whether the configuration has changed. Once the configuration changes, it synchronizes the configuration changes to the peer; in this manner, incremental synchronization is performed.
- If the rule library SN of NGAF A has not expired but that of NGAF B has expired, NGAF A will fail to synchronize the rule library to peer NGAF B after NGAF A upgrades the rule library. Synchronization of other configuration will not be affected.
- Hardware models of two NGAFs in redundancy must be the same. If two NGAFs work in redundancy, Ethernet interfaces will be synchronized. NGAFs of different models have different numbers of Ethernet interfaces, which will result in malfunction of the NGAFs.
- IP address information and High Availability configuration of HA interfaces are not synchronized during configuration synchronization.
- To prevent synchronization from the standby NGAF to the active NGAF, an
251. e or PHP Trojan horses, the code or Trojan horses are executed with web permissions. The NGAF device can detect such attacks.
Path traversal: It accesses directories of a web server other than the root directories by using a browser to attach to any directory of the server, attach to a directory with special significance, or attach a variant of. The NGAF device can detect such attacks.
Information disclosure: Because of web server configuration or web server security loopholes, some system files or configuration files are directly exposed on the Internet, causing disclosure of sensitive web server information such as user names, passwords, source code, server information and configuration information. The NGAF device can detect such attacks.
Web site vulnerabilities: Highly reliable protection is implemented for specified loopholes of well-known website systems.
Cross Site Request Forgery is also called one click attack or session riding. It is often abbreviated as CSRF or XSRF. It implements attacks by executing malicious operations on web applications to which users have logged in. CSRF protection can effectively prevent such attacks. See the following figure. [Figure: Add CSRF Webpage Protection Rule: Domain Name www.sangfor.com.cn; Protected URLs table with No, Protected URL, Target, Allowed Source Page (Referrer), Status and Edit columns, containing one entry, bbs.asp]
Specify the domain names to the protected added pag
252. e users can use the user account to access SSL VPN concurrently. Private user: Indicates that only one user can use the user account to log in to the SSL VPN at a time. If a second user uses this user account to connect to SSL VPN, the previous user will be forced to log out. Primary Authentication: Indicates the authentication method(s) that are applied first to verify the user when he or she logs in to the SSL VPN. If any secondary authentication method is selected, primary authentication will be followed by secondary authentication when the users log in to the SSL VPN. By default, it is Local password. Local password: The connecting users need to pass local password based authentication using the SSL VPN account in this user group. Secondary Authentication: Secondary authentication methods are optional and supplementary. Select one to require the connecting users to submit the corresponding credentials after they have passed the primary authentication(s), adding security to SSL VPN access. Hardware ID: This is the unique identifier of a client end computer. Each computer is composed of hardware components, such as NIC, hard disk, etc., which are unquestionably identified by their own features that cannot be forged. SSL VPN client software can extract the features of some hardware components of the terminal and generate the hardware ID from them. This hardware ID should be submitted to the Sangfor devic
253. e virtual wire zone supports all virtual wire interfaces. See the figure below. [Figure: Zone tab (Physical Interface, Sub Interface, VLAN Interface, Aggregate Interface, Zone, Link State Propagation) with Add, Delete and Refresh buttons]

Zone Name | Forward Mode     | Interfaces  | Device Mgt Privilege | Allowed Address | Delete
WAN       | Route (layer 3)  | eth1, veth1 | WebUI                | All             | In use
LAN       | Bridge (layer 2) | eth2        |                      |                 | In use
WAN_TEST  | Bridge (layer 2) | eth3        |                      |                 | In use

Click Add. The page for adding a zone is displayed as follows. [Figure: Add Zone: Name; Forward Mode (Bridge layer 2, Route layer 3, Virtual wire layer 1); Interface (Available / Selected, Add, Delete); Device Mgt Privilege (Web UI, SSH, SNMP); Allowed IP Address (All)]
Name specifies the name of the zone. Forward Mode specifies the type of the zone. If it is set to Bridge (layer 2), the transparent interfaces not belonging to any zone are displayed in the interface list. If it is set to Route (layer 3), the route interfaces (including both sub-interfaces and VLAN interfaces) not belonging to any zone are displayed in the interface list. If it is set to Virtual wire (layer 1), the virtual wire interfaces not belonging to any zone are displayed in the interface list. Interface specifies the interfaces to be added to the zone. You can click Add or Delete to add or delete interfaces. Device Mgt Privilege specifies whether to allow login from this zone
254. ears, you can add, delete, enable, disable and search for application control policies. By default, the device has a policy for denying all services or applications. See the following figure. [Figure: Application Control Policy list with Add, Delete, Import and other controls and columns No, Name, Source Zone, Source IP/User, Dst Zone, Dst IP, Service/Application, Schedule, Action, Hit Count, Status, Clone, Del; a policy named test from zone LAN to zone WAN allowing any predefined service All week, and the Default Policy (All, All, All, All week, Deny)]
Click Add. The Add Application Control Policy page appears. See the following figure. [Figure: Add Application Control Policy: Enable; Name; Description; Source (IP/User: IP Group or User Group; Zone); Destination (IP Group; Zone); Service/Application (Service; Application); OK, Cancel, Save and Add Another]
Enable: An application control policy is enabled when this option button is selected. Name: It specifies the name of a policy. Description: It specifies the description of a policy. Source Zone: To control Internet access data of intranet users, set the source zone to an internal zone. IP/User: It specifies whether to control data based on source IP addresses or users. User Group: It specifies the user
255. eb servers. When illegal defacement occurs, Internet users are prevented from visiting the defaced webpage and a prompt is displayed at the user end.
- Websites 1 and 2 are maintained by administrators 1 and 2 respectively. For example, administrator 1 logs in to the anti-defacement management system to update the local buffer after updating website 1.
- When website 1 is defaced, an email alarm is sent to administrator 1 at test@domain.com. The email server uses the SMTP information of administrator@domain.com.
- When website 2 is defaced, an email alarm is sent to administrator 2 at test2@domain.com. The email server uses the SMTP information of administrator@domain.com.
[Figure: topology with a layer 3 switch, intranet users on 192.168.2.0/24, Website 1 web1.com at 192.168.1.240/24 and Website 2 web2.com at 192.168.1.250/24]
Step 1: Perform basic network configuration. Configure the IP addresses and zones of the interfaces of the NGAF based on section 3.2 and section 5.1.1. Configure port mapping for the servers based on section 3.6.2.
Step 2: Choose Server Security > Website Anti-Defacement, select Enable website anti-defacement, and click Webmaster to add two webmaster accounts. [Figure: Website Anti-Defacement page with Enable website anti-defacement selected, Add, Delete and Refresh buttons and columns No, Status, Website Name, Start URL, Website IP, Defaced Webpage, Cached Webpage, Whitelisted URL, Time; entry 1 Protected http sangforser
256. ecify the inbound and outbound bandwidths for each user. This ensures a proper access speed for all users.
Note: In the Enable tunnel traffic control pane, a bandwidth range, instead of a specific bandwidth value, is set. For example, if Max Inbound Bandwidth is set to 100 KBps, the actual bandwidth ranges from 80 KBps to 120 KBps; that is, the actual bandwidth fluctuates slightly around 100 KBps.
On the Tunnel NAT tab page, you can translate the internal network segment of a branch into an address on a network segment in the virtual IP address pool. See the figure below. [Figure: tabs Multiline Policy, Multicast Service, Tunnel Parameter, Tunnel NAT; Tunnel NAT: Enable, New; columns Source Subnet, Translate to Subnet, Subnet Mask, Operation]
For details about the virtual IP address pool, see section 3.3.6. Click New and enter the original subnet segment, proxy subnet segment and subnet mask. You can also choose to enable the equipment to automatically assign an IP network segment from the virtual IP address pool (Auto Assign). See the figure below.
Source Subnet: actual internal subnet segment of the branch. Subnet Mask: actual internal subnet mask of the branch. Translate to Subnet: virtual network segment after translation.
Note: During configuration, ensure that the subnet mask is matched. Tunnel NAT applies only to the network segment of the mask, and t
257. ected interface in the Ethernet interface list. The priority increases with the value. The Priority setting is effective only after Preemption is selected. If two NGAFs work in redundancy, that is, one NGAF works while the other acts as the standby NGAF and does not work, set Priority to 90 and enable Preemption for one NGAF, and set Priority to 80 for the other NGAF. If the NGAF with Priority 90 fails, the NGAF with Priority 80 takes over the work. After the NGAF with Priority 90 is normal again, it preempts and works as the active one, while the other becomes standby again. Preemption: Defines whether the active and standby NGAFs preempt to be active. This option must be used with Priority. Heartbeat Interval: Sets the interval of data exchanges between two NGAFs. During this interval, the two NGAFs send packets and notify each other of their Ethernet interface status and link status. If one NGAF is faulty, active/standby switchover is triggered. If both NGAFs fail to receive heartbeat packets, both NGAFs set themselves as active and start to work at the same time. Member Interfaces: Selects the Ethernet interfaces to be added to the VRRP group. Ethernet interfaces with HA identification cannot be selected here. Tracked Interfaces: This setting depends on the interface check method defined in the interface area setting. The interfaces will be tracked if selected here. If link monitor is not selected, only Ethernet
258. ecurity Group [Figure: LDAP directory tree showing Security Group entries (Normal Users, Product management, RD, sales, Test, users) and the Default container]
Step 1: Set the LDAP server to be synchronized. Set the IP address, port number, user name and password for login. In the navigation area, choose Authentication > User Authentication > External Auth Server. For details, see section 3.6.2.3.
Step 2: Choose Authentication > LDAP User Sync. Click Add. [Figure: LDAP User Sync Policy list with Add, View Logs and Refresh buttons and columns No, Policy Name, Description, Group/User, Auto Sync, Last Sync; existing entry 1 Sync Policy 1, Sync RD ou, Yes, Synchronizing succeeded]
Step 3: In the displayed Add User Sync Policy dialog box, set Policy Name, Description, Sync Mode and Auto Sync. Set Sync Mode to Sync by security group (AD domain only) and Auto Sync to Enable every day, so that the synchronization is automatically performed once every day. [Figure: Add User Sync Policy: Policy Name Sync Policy 2; Description Sync IT Management Normal user; Sync Mode Sync by security group (AD domain only); Auto Sync Enable every day]
Step 4: Set the related securit
259. ed administrator account.

High Availability
High availability (HA) functions in dual firewall mode, or when two NGAFs work concurrently. Enter Basic Settings > High Availability, as shown in the following figure. [Figure: High Availability Basic Settings: Local Device IP 10.251.251.251/24 (HA eth0); Peer Device IP 10.251.251.252]
Basic Settings: Sets the local device IP address and peer device IP address. The local device IP address can only be set to the IP address of an interface with HA identification. In addition, this interface transmits and receives heartbeat packet information and interactive configuration information, and can communicate only with the interfaces on NGAFs for load balance.
Redundancy: Select Redundancy and click Add. The following dialog box is displayed. [Figure: Add VRRP Group: VRID 100 (1-255); Priority 100 (1-255); Preemption Yes/No; Heartbeat Interval 1 (1-60 s); Member Interfaces (Add, Delete; no data available); Tracked Interfaces (Available: eth1, veth1; Selected)]
VRRP Group: Defines the group to which the interface belongs in VRRP mode. Interfaces on two NGAFs, or different interfaces on one NGAF, can be defined as a VRRP group. The same VRRP group of two NGAFs works in active/standby mode. Priority: Sets the priority of the sel
260. [Figure: Application Ident Database list: categories Media Player, P2P, Download Tools, HTTP Application, FTP, Mail, DNS, Remote Login, each with its rule count, status All enabled and a Settings link; page 1 of 4, 15 entries per page, 1-15 of 50]
Total Applications 1093 / Total Rules 2575 displays the total number of applications and rules in the embedded rule identification database of the equipment. Current Database Released On displays the current version of the embedded rule identification database. Update Service Expires On displays the upgrade expiry date of the embedded rule identification database. Category displays the types of application identification rules, such as IM and Game. Select an application type, and the specific applications of that type are displayed on the right, for example the QQ and MSN applications of the IM type. Select the application type that you want to query from the View drop-down list box. If you select All, all rules that meet the search criteria are displayed. If you select Enabled, enabled rules that meet the search criteria are displayed. If you select Disabled, disabled rules that meet the search criteria are displayed. Type a keyword in the search box, for example QQ, and press Enter. The figure below is displayed. Application Ident Database
261. [Table continued: operation log]
No | Admin | IP            | Module                          | Action                 | Time                | Detail
   | admin | 192.200.17.10 | High Availability > Redundancy  | Disable                | 2013-08-15 14:43:33 | View
9  | admin | 192.200.17.10 | High Availability > Redundancy  | Enable                 | 2013-08-15 14:42:39 | View
10 | admin | 192.200.17.10 | High Availability               | Modify basic settings  | 2013-08-15 14:42:34 | View
11 | admin | 192.200.17.10 | Physical Interface              | Modify settings        | 2013-08-15 14:41:12 | View
12 | admin | 192.200.17.10 | Network > Interface > Zone      | Modify                 | 2013-08-15 14:41:12 | View
13 | admin | 192.200.17.10 | Administrator account           | Add                    | 2013-08-15 14:34:51 | View
14 | admin | 192.200.17.10 | User logout                     | Log out                | 2013-08-15 14:19:56 | View
15 | admin | 192.200.17.10 | User login                      | Log In                 | 2013-08-15 14:19:56 | View
16 | admin | 192.200.17.10 | Exclusion Rule                  | Add exclusion rule     | 2013-08-15 12:32:30 | View

Statistics Report
The Statistics Report module is used to set custom reports, search for statistic reports and subscribe to reports. It consists of the Reports, Custom Report and Subscription submodules.

Reports
The Reports page enables users to search for statistic reports and the reports generated on the Subscription and Custom Report pages. [Figure: search bar: Period 2012-08-16 to 2013-08-16, Report Type All, Report Name; Go]
Set Period, Report Type and Report Name and click Go. Data that meets the search criteria is displayed. [Figure: Reports list with Filter and Delete controls (Period 2012-08-16 to 2013-08-16, Report name, Reports All) and columns Report Name, Report Type, Generated
263. egardless of whether the web server is located on an internal or external network.
Scenario 1: The web server is located on an intranet. [Figure: topology with the NGFW LAN interface ETH1 as listening port, a switch mirror port, a PC and the Web Server]
The data flow is as follows:
1. A user logs in to the web server. Data is transferred in plain text during the process. The device monitors the communication.
2. The device determines whether the user is authenticated by the web server based on the keyword sent back from the server. If the user is authenticated by the web server, the device authenticates the user.
Configuration
Step 1: Enable SSO on the device, select the monitoring mode and set the shared secret. Choose User and Policy Management > User Authentication > Authentication Options on the Policy Navigation page. Authentication options are displayed on the right. Choose SSO Options > Web SSO and select Enable Web SSO. [Figure: Authentication Options, SSO Options tab (Domain SSO, Proxy SSO, POP3 SSO, Web SSO, Others; Auth Page Redirection; Authentication Conflict; Obtain MAC By SNMP; Other Options): Enable Web SSO selected; note: If packets from internal users logging into the Web authentication server do not go through this device, you need to mirror them to the device and go to the Others tab to enable the mirror interface; Web Authentication Server: enter IP, IP:Port or server domain/UR
264. ement function provides the traffic sub-channel function. You can set up traffic sub-channels as required to distribute channel bandwidth in a refined way.
Basic concepts
Traffic channel: The total bandwidth is divided into several parts, in percentage, as traffic channels for different service types and access control user groups. The traffic channels are grouped into traffic guarantee channels and traffic restriction channels by function.
Traffic restriction channel: The maximum data speed is defined for the channel. When the network is busy, the bandwidth occupied by the channel does not exceed the maximum bandwidth specified for the channel.
Bandwidth guarantee channel: The channel is configured with a maximum bandwidth and a minimum bandwidth. When the network is busy, the bandwidth available to the channel is no smaller than the minimum bandwidth specified for the channel.
BM line: The BM line maps the physical network interface to the effective line of a traffic channel, to specify which interface matches a traffic channel in the dataflow.
Traffic Channel Mapping and Priority
When the traffic management function is enabled, the NGAF maps the dataflow to the traffic channel based on the user group, user IP address, application type, effective time and destination IP group. Only when all of the above information in the data packet matches the condition of a traffic channel is the traffic channel applied to the data packets. Same data p
265. [Figure: Group Policy Object Editor tree: Windows Settings (Remote Installation Services, Scripts (Logon/Logoff), Security Settings, Folder Redirection, Internet Explorer Maintenance), Administrative Templates; Extended and Standard tabs]
2. In the displayed Logoff Properties window, click Show Files in the lower left corner. A directory is opened. Save the logoff script file in the directory and close it. [Figure: Logoff Properties window, Scripts tab, Logoff Scripts for Default Domain Policy, with Up, Down, Add, Edit, Remove and Show Files buttons]
[Figure: Explorer window at the path shown as sangfor com sysvol sangfor com Policies 3182F340 016Db 11D2 945F 000C04F6984F9 User Scripts, containing logoff.exe, 184 KB, Application, 4/10/2012 1:10 PM]
3. In the Logoff Properties window, click Add. In the Add a Script window, click Browse, choose the logoff script file logoff.exe, and enter Script Parameters with the IP address of the AF, exactly the same as that entered when the login script is configured. Then close the windows one by one. [Figure: Add a Script dialog]
266. ensitive Keyword tab page displays the regular expressions of the sensitive keywords built into the equipment, such as ID number, MD5 value and mobile phone number. The built-in sensitive keywords cannot be edited or deleted; online upgrade is supported. The Predefined Sensitive Keyword list (Refresh, IP/URL Whitelist) has the columns No., Name and Description, for example:

1. MD5: MD5 value (32-bit supported)
2. Email address: email address

Click IP/URL Whitelist to exclude certain IP addresses and URLs from data leak protection. The IP/URL Whitelist dialog has two tabs, IP Whitelist and URL Whitelist, each with Add, Delete and Refresh and the columns No., IP Whitelist (or URL Whitelist) and Description. Click Add on the IP Whitelist tab: the IP Whitelist dialog box has the fields IP Whitelist and Description (optional). Select the URL Whitelist tab and click Add: the URL Whitelist dialog box has the fields URL Whitelist (examples: /path/index.html, /admin/index.asp, /path/directory/) and Description (optional).

Note that a whitelisted IP address or URL is exempt from every sensitive-keyword check, so keep both lists short and review them; an over-broad directory entry such as /path/directory/ silently exempts everything beneath it.

Custom Sensitive Keywords

You can define your own sensitive keywords on the Custom Sensitive Keywords tab page (Add, Delete, Refresh, IP/URL Whitelist), which lists No., Name and Descriptio
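The section describes three cooperating pieces: built-in keyword regular expressions, custom keywords, and an IP/URL whitelist that short-circuits the check. The following is an added example, not the device's own code or expressions (the manual does not publish them): a scanner that applies constructed MD5, e-mail and custom patterns to a request body and honours both whitelists. The patterns, whitelist entries and the sample request are all assumptions made for the example.

```python
"""Added example, not code from the SANGFOR manual: a small data-leak scanner
that mirrors the page's structure (predefined keyword regexes, custom keyword
regexes, IP whitelist, URL whitelist). All patterns and sample data are
constructed for illustration; they are not the device's built-in expressions."""
import re
from ipaddress import ip_address, ip_network

# Predefined keywords (constructed patterns): a bare 32-hex-digit MD5 value and an e-mail address.
PREDEFINED = {
    "MD5": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])"),
    "Email address": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}
# Custom keyword, as an administrator would add on the Custom Sensitive Keywords tab.
CUSTOM = {
    "Project code": re.compile(r"\bPRJ-\d{4}\b"),
}
# Whitelists (constructed): a management subnet and two URL entries in the manual's
# example style (exact file, and a directory prefix ending in '/').
IP_WHITELIST = [ip_network("192.200.19.0/24")]
URL_WHITELIST = ["/admin/index.asp", "/path/directory/"]


def url_whitelisted(path):
    for entry in URL_WHITELIST:
        if entry.endswith("/"):
            if path.startswith(entry):      # directory entry exempts everything beneath it
                return True
        elif path == entry:
            return True
    return False


def scan(client_ip, path, body):
    """Return [(keyword name, matched text)] or [] when whitelisted or clean."""
    if any(ip_address(client_ip) in net for net in IP_WHITELIST):
        return []
    if url_whitelisted(path):
        return []
    hits = []
    for name, pattern in {**PREDEFINED, **CUSTOM}.items():
        for m in pattern.finditer(body):
            hits.append((name, m.group(0)))
    return hits


# Constructed request body carrying one hit of each kind.
SAMPLE_BODY = ("user=bob&token=5d41402abc4b2a76b9719d911017c592"
               "&contact=bob@example.com&ref=PRJ-0042")

if __name__ == "__main__":
    print(scan("10.0.0.5", "/upload", SAMPLE_BODY))
    print(scan("192.200.19.8", "/upload", SAMPLE_BODY))   # whitelisted IP: nothing reported
```

The two whitelist branches return before any pattern runs, which is exactly why the lists need review: a whitelisted client can exfiltrate anything the scanner would otherwise catch.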
267. ent must be set to obtain an IP address and DNS automatically. Otherwise the information specified by the advanced options will not be assigned to the virtual network adapter of the mobile client.

3. Create a branch virtual IP address pool. When a branch accesses the headquarters, the original network segment of the branch is replaced by a network segment from the virtual IP address pool. This resolves the internal IP address conflicts that arise when two branches with the same network segment access the headquarters concurrently. Set the start IP address, subnet mask and number of segments, then click Get; the end IP address is calculated automatically. The figure shows:

Assigned To: Branch user (branch VPN users who use tunnel NAT); Start IP: 192.166.20.1; End IP: (calculated); Subnet Mask: 255.255.255.0; Subnets: 3

Start IP: the first IP address of the branch virtual IP address segment.
End IP: the last IP address of the branch virtual IP address segment.
Get: calculates the last IP address of the virtual segment automatically.
Subnets: number of virtual IP address segments.
Subnet Mask: subnet mask of the virtual IP address segment. It is the same as the internal subnet mask of the branch.

After setting the branch virtual IP address segment, choose VPN > Local Users and create a user. Set Type to Branch user, click Advanced, and configure the branch network segment to be translated on the Tunnel NAT tab pa
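To make the pool arithmetic and the conflict resolution concrete, here is an added example (not the NGAF's implementation): it lays out the virtual subnets from a start address, mask and count, and maps a branch host into its assigned virtual subnet the way tunnel NAT does, so two branches that both use 10.0.0.0/24 end up on different virtual segments. The start address 192.168.20.1, the branch subnets and the rule that End IP is the last host address of the last subnet are assumptions for the example.

```python
"""Added example, not the NGAF's own code: lay out a branch virtual IP pool and
apply tunnel NAT (host offset preserved) so that branches sharing the same
internal subnet no longer collide at headquarters. All values are constructed."""
from ipaddress import IPv4Address, IPv4Network, ip_network


def branch_pool(start_ip, subnet_mask, subnets):
    """Return (end_ip, [virtual subnets]). The manual only says End IP is 'the last
    IP address on the segment'; this example takes that to be the last host address
    of the last subnet (an assumption)."""
    first = ip_network(f"{start_ip}/{subnet_mask}", strict=False)
    nets = [
        IPv4Network((int(first.network_address) + i * first.num_addresses, first.prefixlen))
        for i in range(subnets)
    ]
    end_ip = nets[-1].broadcast_address - 1
    return str(end_ip), nets


def tunnel_nat(real_ip, real_subnet, virtual_subnet):
    """Map one real branch address into the virtual subnet by keeping its host offset.
    The masks must match, as the manual requires for the pool's subnet mask."""
    real_subnet, virtual_subnet = ip_network(real_subnet), ip_network(virtual_subnet)
    if real_subnet.prefixlen != virtual_subnet.prefixlen:
        raise ValueError("virtual subnet mask must equal the branch's internal subnet mask")
    real_ip = IPv4Address(real_ip)
    if real_ip not in real_subnet:
        raise ValueError(f"{real_ip} is not in {real_subnet}")
    offset = int(real_ip) - int(real_subnet.network_address)
    return str(IPv4Address(int(virtual_subnet.network_address) + offset))


def resolve_conflict(branches, start_ip="192.168.20.1", mask="255.255.255.0"):
    """Give each (name, real_subnet, sample_host) its own virtual subnet from the pool
    and show what the sample host looks like to headquarters."""
    _, nets = branch_pool(start_ip, mask, len(branches))
    return {name: tunnel_nat(host, real, nets[i])
            for i, (name, real, host) in enumerate(branches)}


if __name__ == "__main__":
    print(branch_pool("192.168.20.1", "255.255.255.0", 3))
    # Two branches with the identical internal range 10.0.0.0/24 (constructed).
    print(resolve_conflict([("Shanghai", "10.0.0.0/24", "10.0.0.5"),
                            ("Guangzhou", "10.0.0.0/24", "10.0.0.5")]))
```

Because the host offset is preserved, headquarters-side logs show 192.168.20.5 and 192.168.21.5 for the two hosts that are both really 10.0.0.5; keep a record of which virtual subnet was handed to which branch, or those logs cannot be attributed.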
268. ent provides powerful VPN tunnel routing functions. After tunnel routes are configured, interconnection between VPNs (software or hardware) can be implemented easily. The Tunnel Route page has the columns Status, Source, Src Subnet Mask, Destination, Dst Subnet Mask, Destination Route User, Move and Operation, with the controls New, Enable tunnel route and Save and Apply.

Case Study

The headquarters in Shenzhen (192.168.1.x/24) establishes connections with two branches, Shanghai (172.16.1.x/24) and Guangzhou (10.1.1.x/24). Both branches interconnect with the headquarters through the connection management configuration, but there is no VPN connection between Shanghai and Guangzhou. A tunnel route makes mutual access between Shanghai and Guangzhou possible over the existing connections to the headquarters. The procedure is as follows.

1. On the Tunnel Route page of the Shanghai branch, select Enable tunnel route and click New to add a route to the Guangzhou branch. In the figure the fields are: Source IP 172.16.1.0, Subnet Mask 255.255.255.0, Destination IP (10.1.1.0), Subnet Mask 255.255.255.0, Dst Route User SH, Enabled, and the option Access Internet via destination route user.

Source IP: source IP address, 172.16.1.0 in this example.
Subnet Mask: subnet mask of the source address, 255.255.255.0 in this example.
Destination IP: destination IP address, 10.1.1.0 in this example.
Subnet Mask: subnet mask of
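The route entry above only says which packets (by source and destination network) are sent over which VPN connection (the destination route user); for Shanghai to reach Guangzhou the headquarters must hold the complementary routes. The following added example, which is not code from the manual, models that selection with most-specific-match semantics and walks a packet through both hops. Shanghai's table follows the case study; the headquarters table and its connection names are assumptions, since the page does not show them.

```python
"""Added example, not code from the manual: a model of tunnel route selection.
A route applies when the packet's source and destination fall inside the
route's source and destination networks; the 'destination route user' is the
VPN connection the packet is then sent over. Shanghai's table follows the case
study; the headquarters table is an assumption (the page does not show it)."""
from ipaddress import ip_address, ip_network


def make_route(src, dst, via, enabled=True, internet=False):
    return {"src": ip_network(src), "dst": ip_network(dst), "via": via,
            "enabled": enabled, "internet": internet}


def lookup(routes, src_ip, dst_ip):
    """Destination route user of the most specific enabled match, or None.
    Specificity: longest destination prefix first, then longest source prefix."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    best = None
    for r in routes:
        if not r["enabled"] or src not in r["src"] or dst not in r["dst"]:
            continue
        key = (r["dst"].prefixlen, r["src"].prefixlen)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1]["via"] if best else None


# Shanghai branch: traffic for Guangzhou is sent over its connection to HQ
# (the manual's figure names that connection SH). A default route that would also
# send Internet traffic via HQ ('Access Internet via destination route user') is
# present but disabled.
SH_ROUTES = [
    make_route("172.16.1.0/24", "10.1.1.0/24", "SH"),
    make_route("172.16.1.0/24", "0.0.0.0/0", "SH", enabled=False, internet=True),
]
# Headquarters (assumed): relay between the two branch connections, called GZ and SH here.
HQ_ROUTES = [
    make_route("172.16.1.0/24", "10.1.1.0/24", "GZ"),
    make_route("10.1.1.0/24", "172.16.1.0/24", "SH"),
]


def path(src_ip, dst_ip):
    """Connections a packet from Shanghai traverses: Shanghai's choice, then HQ's."""
    hops = []
    first = lookup(SH_ROUTES, src_ip, dst_ip)
    if first is None:
        return hops           # no tunnel route: direct VPN peer or not routed at all
    hops.append(first)
    second = lookup(HQ_ROUTES, src_ip, dst_ip)
    if second:
        hops.append(second)
    return hops


if __name__ == "__main__":
    print(path("172.16.1.10", "10.1.1.20"))     # ['SH', 'GZ']
    print(path("172.16.1.10", "8.8.8.8"))       # [] while the Internet route is disabled
```

Enabling the default route with Access Internet via destination route user turns the headquarters into the branch's Internet egress; before doing so, confirm that the headquarters firewall policy and its own routing expect traffic sourced from 172.16.1.0/24, or the branch loses Internet access outright.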
269. equire confirmation by email if the user is not in the IP address list. Example: only the admin IP 192.200.19.25 does not require authentication confirmation by email; every other IP address must confirm by email before access.

The Server Access Verification list (Add, Delete, Enable, Disable, Refresh, Webmaster Email Address) has the columns No., Name, URL, FTP Auth URL and Status; for example: 1, ProtectServer, http://192.200.19.96/login/admin, enabled.

Click Webmaster Email Address > Add to add a webmaster email address. The Webmaster Email Address list (Add, Delete, Refresh, search by username) shows Username, Email Address and status, for example Admin / admin@sangfor.com (in use) and wuyuan / vincent@sangfor.com (in use). In the Add Webmaster Email Account dialog, Username is the name of the person the email address belongs to, and Email Address is the address to which the authentication confirmation is sent.

Click Add to add a new Server Access Verification entry. The authentication confirmation is sent to the email address selected from the webmaster email accounts. The Edit Server Access Verification dialog has: Server IP 192.200.19.86; Website Protection (CMS admin console access) with HTTP Port 80 and URL http://192.200.19.96/login/admin (1 of 16 entries); and FTP server access, for which the webmaster must submit a passcode on a web page before accessing the FTP server, in the format <domain name>/ftp.html for
270. er. If the indicators are normal but the cable connection fails, check whether the wrong type of network cable is used. A straight-through cable differs from a cross-over cable in the wire sequence at the two ends.

[Figure 2: Wire sequences of straight-through and cross-over cables. Standard (straight-through) end: orange-white, orange, green-white, blue, blue-white, green, brown-white, brown. Cross-over end: green-white, green, orange-white, blue, blue-white, orange, brown-white, brown.]

SANGFOR NGFW 5.6 User Manual, pages xvi to xvii. SANGFOR Technologies Co., Ltd. SANGFOR International Service Centre: +60 12711 7129 / 7511 (Malaysia: 1700817071). Email: tech.support@sangfor.com.hk; RMA: rma@sangfor.com.hk

Introduction to the Console

Logging In to the Web UI

The NGAF equipment supports HTTPS login through the standard HTTPS port. If you log in through the MANAGE interface at initial login, the URL is https://10.251.251.251. Logging in to the Web UI over HTTPS avoids the security threat of configuration data being intercepted in transit (this holds only if the browser actually verifies the server certificate rather than clicking through a warning on an untrusted network).

How to log in to the console page of the NGAF equipment: connect the cables as described earlier, then configure the NGAF equipment on the Web UI. The procedure is as follows. Configure an IP address on the 10.251.251.x segment (for example 10.251.251.100) for the computer from which y
271. er Absolute path disclosure Vulnerability | Application Vulnerability | High | Enable | Block if attack detected

Rule ID | Name | Category | Threat Level | Status | Action
12030555 | Polycom RealPresence Resource Manager Arbitrary file upload Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030549 | Novell ZenWorks Configuration Management 11.3.1 Traversal And Code Execution Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030548 | PHPMoAdmin 1.1.2 Remote Code Execution Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030546 | IBM Tivoli Endpoint Manager HTML Injection Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030545 | Persistent Systems Radia Client Automation Remote Code Execution Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030544 | Lexmark MarkVision Enterprise Arbitrary File Upload Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030543 | ManageOwnage Series Products Unauthenticated File Upload Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030542 | Lotus Mail Encryption Server Local File Inclusion Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030541 | Tuleap Enalean Remote PHP Code Injection Vulnerability | Application Vulnerability | High | Enable | Block if attack detected
12030540 | MantisBT SQL
272. er Content Security > Application Control Policy. Otherwise data cannot pass through the device.

User Authentication

If intranet users access the Internet only after being authenticated, configure the device as follows.
1. Local Users: a. create and import users and groups.
2. Authentication Policy: a. enable user authentication and select the zone that needs to be authenticated; b. configure the authentication policy.
Click Local Users to enter Authentication System > User Management > Group/User and add a user or user group. Click Authentication Policy to enter Authentication System > User Management > User Authentication and configure the authentication zones and modes.

Server Protection

If a server is deployed on the intranet, configure the device as follows.
1. IPS: a. protect servers from attacks that exploit vulnerabilities.
2. Web Application Protection: a. complete the various options to protect web applications from attacks.
3. Anti-DoS/DDoS: a. configure defence options to protect the intranet and internal servers from outside attacks; b. configure options to prevent DoS attacks launched by inside users.
4. Connection Control: a. prevent malicious users from opening so many connections that they exhaust server capacity.
5. Website Anti-Defacement: a. protect website contents against defacement.
Click and an I
273. er and client. The DHCP page has DHCP Server and DHCP Relay tabs. On DHCP Relay: Enable DHCP relay, Apply Relay to Selected Interfaces (Available / Selected, Add / Delete) and DHCP Server (127.0.0.1 in the figure). DHCP relay supports all router interfaces, subinterfaces and VLAN interfaces, but not router interfaces used for ADSL dial-up. If an interface enabled with DHCP relay is not connected, DHCP relay is affected.

Configuration of DoS/DDoS Protection

The following topology is used: the intranet server segment is 172.16.1.0/24 and the intranet user segment is 192.168.1.0/24. The servers were once under DDoS attack, which interrupted the application. Both the servers and the users on the intranet must be protected by DoS/DDoS protection. When an intranet user that is under attack sends a large number of sessions and a large volume of data, that user's connections are blocked to keep the network stable.

[Topology figure: ETH1 1.2.1.1/24 (WAN), ETH2 10.10.10.1/30 (LAN), VLAN100 172.16.1.0/24 (servers), VLAN101 192.168.1.0/24 (users).]

Step 1: Choose Network > Interface > Zone to define the zones of the interfaces before configuring DoS protection. Choose Objects > IP Group and define the IP address group of the intranet servers (for details see section 3.5.7). Set ETH2 to LAN, ETH1 to WAN and 172.16.1.0/24 to Server
274. er is a subnet, all hosts on that subnet can manage the NGAF equipment through SNMP.
IP Address: IP address or IP address range of the SNMP manager. If the SNMP manager is a host, set IP Address to the IP address of that host; if it is a subnet, set IP Address to the subnet address and mask.
Community: community name used by the SNMP host to access the NGAF equipment.
Click OK to save the settings.

In the SNMP V3 pane you can set advanced parameters when SNMPv3 is used as the communication protocol. The SNMP V3 dialog has the fields Context, Authentication Password (with Confirm Password), Encryption Password (with Confirm Password) and Security.

Context: name of the SNMPv3 user.
Authentication Password: password used by the SNMPv3 user for authentication. It must be a string of at least eight characters without spaces. It is processed with the MD5 algorithm.
Encryption Password: password used to encrypt packets. It must be a string of at least eight characters without spaces. Packets are encrypted with the Data Encryption Standard (DES) algorithm.
Security: whether to encrypt SNMP authentication and management information. It can be set to Encrypted or None. If encryption is enabled, both encryption and authentication are performed: the data is encrypted first and then the message digest is calculated.

MD5 authentication and DES privacy are the original SNMPv3 User-based Security Model algorithms and are weak by today's standards (later RFCs added AES privacy and SHA-2 authentication). The password is also not stored "encrypted" with MD5 in any protective sense: the USM derives the key from the password by hashing a repeated copy of it and localizing the result with the agent's engine ID (RFC 3414), so a short password can be recovered by dictionary attack from a single captured authenticated message. Use long random passwords, keep the SNMP manager address range as narrow as possible, and prefer Encrypted over None.
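What "processed with MD5" means for the two passwords is the RFC 3414 password-to-key procedure, reproduced here as an added example (this is standard USM key derivation, not code from the NGAF). The test vectors are the ones published in RFC 3414 appendix A.3; the candidate list in the dictionary search is constructed.

```python
"""Added example, not the NGAF's code: the SNMPv3 USM password-to-key
procedure (RFC 3414, section A.2) that turns an authentication or privacy
password into the key actually used on the wire, and a dictionary search that
shows why a short password gives little protection. Test vectors are the ones
published in RFC 3414 appendix A.3."""
import hashlib

MEGABYTE = 1048576


def password_to_key(password, engine_id, hash_name="md5"):
    """Ku = H(password repeated to fill 1 MiB); Kul = H(Ku || engineID || Ku).
    hash_name is 'md5' (HMAC-MD5-96 auth, DES key source) or 'sha1'."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    buf = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    ku = hashlib.new(hash_name, buf).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def recover_password(localized_key, engine_id, candidates, hash_name="md5"):
    """Offline guess. A real attacker tests each candidate against the HMAC of a
    captured message; the per-candidate cost is the same as this comparison
    against the localized key. The engine ID is sent in clear in every message."""
    for candidate in candidates:
        if password_to_key(candidate, engine_id, hash_name) == localized_key:
            return candidate
    return None


# Engine ID used by the RFC 3414 test vectors (12 octets).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    key = password_to_key("maplesyrup", RFC3414_ENGINE_ID, "md5")
    print(key.hex())                          # RFC 3414 A.3.1: 526f5eed9fcce26f8964c2930787d82b
    print(recover_password(key, RFC3414_ENGINE_ID, ["password", "12345678", "maplesyrup"]))
```

The 1 MiB expansion step is the only work factor in the scheme, and it is a fixed cost of a few milliseconds per guess, so the eight-character minimum the dialog enforces is a floor, not a recommendation.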
275. er to the same local area network (LAN) as the SANGFOR NGAF equipment and configure the equipment. The management interface of the NGAF equipment is MANAGE (ETH0) and its default IP address is 10.251.251.251/24. At initial login, connect the MANAGE (ETH0) interface to the LAN, or directly to the computer, with a network cable.

Equipment Connection

Connect the power cable on the backplane and turn on the power switch. The POWER indicator (green) and ALARM indicator (red) on the front panel light up. The ALARM indicator turns off after 1 to 2 minutes, which indicates that the gateway is working properly. Connect the MANAGE (ETH0) interface to the LAN with a network cable with an RJ-45 connector, then configure the NGAF equipment. After logging in to the console, perform the network connection and connect the cables according to the network environment and deployment requirements. For details, see section 3.2.

Notes:
When the equipment works properly, the POWER and LINK indicators are steady on, and the ACT indicator blinks when there is data flow. The ALARM indicator (red) is on for about 1 minute at startup while the system loads and is off in normal operation. If the ALARM indicator stays on during installation, power off the equipment and start it again; if the problem persists, contact SANGFOR.
Use a straight-through cable to connect a network interface directly to a modem or switch, and a cross-over cable to connect a network interface to a rout
276. erly according to the logs, as shown in the following figure (Logs page, with Options; columns No., Module, Type, Time, Details):

1 | VPN Service | Warning | 15:30:23 | SangforIKE: There is no such user SH in HQ VPN's user database
2 | VPN Service | Info | 15:30:23 | SangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252, port 4009
3 | Bandwidth Mgt | | 15:30:00 | fluxctrl.cpp 264: Check Result Need Update 0
4 | Bandwidth Mgt | | 15:30:00 | fluxctrl.cpp 241: Old Time Rge 1337 Current 1338 Checking
5 | VPN Service | Warning | 15:29:42 | SangforIKE: There is no such user SH in HQ VPN's user database
6 | VPN Service | | 15:29:42 | SangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252, port 4009
7 | VPN Service | Warning | 15:29:02 | SangforIKE: There is no such user SH in HQ VPN's user database
8 | VPN Service | | 15:29:02 | SangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252, port 4009
9 | VPN Service | Warning | 15:28:22 | SangforIKE: There is no such user SH in HQ VPN's user database
10 | VPN Service | | 15:28:22 | SangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252, port 4009
11 | VPN Service | Warning | 15:27:02 | SangforIKE: There is no such user SH in HQ VPN's user database
12 | VPN Service | | 15:27:02 | SangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252, port 4009
13 | Email Alarm | Warning | 15:26:49 | mailsnd.cpp 1072: Failed to send Alarm on security email
14 | Email Alarm | Warning | 15:26:49 | mailsnd.cpp 363: Failed to set SM

The repeating pair of entries (a tunnel build attempt to 192.200.17.252:4009 immediately answered by "no such user SH") shows the branch retrying roughly every 40 seconds with a username the headquarters does not have; create the user SH at the headquarters or correct the username configured on the branch. The two Email Alarm warnings mean the security alert e-mails were not delivered, so this condition would not have been reported by e-mail.
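Reading such a log by eye works for fourteen rows, not for a day's worth. The following added example (not code from the manual) parses log records in the shape shown in the figure and raises the two findings a security-operations engineer would want from it: a peer repeatedly rejecting our VPN username, and a dead alert-mail path. The sample log is constructed from the rows visible in the figure; the tab-separated layout and regular expressions are assumptions.

```python
"""Added example (not part of the manual): parse log lines like those in the
figure and flag the pattern they show, a peer that keeps rejecting our VPN
username, plus a broken alert-mail path. The sample log is constructed from
the rows visible in the figure; the tab-separated layout is an assumption."""
import re
from collections import Counter

SAMPLE_LOG = """\
1\tVPN Service\tWarning\t15:30:23\tSangforIKE: There is no such user SH in HQ VPN's user database
2\tVPN Service\tInfo\t15:30:23\tSangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252 Port 4009
3\tBandwidth Mgt\tInfo\t15:30:00\tfluxctrl.cpp 264: Check Result Need Update 0
4\tBandwidth Mgt\tInfo\t15:30:00\tfluxctrl.cpp 241: Old Time Rge 1337 Current 1338 Checking
5\tVPN Service\tWarning\t15:29:42\tSangforIKE: There is no such user SH in HQ VPN's user database
6\tVPN Service\tInfo\t15:29:42\tSangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252 Port 4009
7\tVPN Service\tWarning\t15:29:02\tSangforIKE: There is no such user SH in HQ VPN's user database
8\tVPN Service\tInfo\t15:29:02\tSangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252 Port 4009
9\tVPN Service\tWarning\t15:28:22\tSangforIKE: There is no such user SH in HQ VPN's user database
10\tVPN Service\tInfo\t15:28:22\tSangforIKE: Build primary tunnel. Connect to peer IP 192.200.17.252 Port 4009
13\tEmail Alarm\tWarning\t15:26:49\tmailsnd.cpp 1072: Failed to send Alarm on security email
"""

NO_SUCH_USER = re.compile(r"no such user (\S+) in (.+?)'s user database")
PEER = re.compile(r"Connect to peer IP (\d{1,3}(?:\.\d{1,3}){3}) Port (\d+)")
MAIL_FAIL = re.compile(r"Failed to send Alarm")


def parse(text):
    """Split tab-separated records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) != 5:
            continue
        no, module, level, ts, details = parts
        records.append({"no": int(no), "module": module, "level": level,
                        "time": ts, "details": details})
    return records


def analyse(records):
    rejected = Counter()     # (username, peer's user database) -> attempts
    peers = Counter()        # (peer ip, port) -> tunnel build attempts
    mail_failures = 0
    for r in records:
        if m := NO_SUCH_USER.search(r["details"]):
            rejected[(m.group(1), m.group(2))] += 1
        elif m := PEER.search(r["details"]):
            peers[(m.group(1), int(m.group(2)))] += 1
        elif MAIL_FAIL.search(r["details"]):
            mail_failures += 1
    return {"rejected": dict(rejected), "peers": dict(peers), "mail_failures": mail_failures}


def alerts(summary, min_attempts=3):
    """Human-readable findings; min_attempts suppresses a single transient rejection."""
    out = []
    for (user, db), n in summary["rejected"].items():
        if n >= min_attempts:
            out.append(f"peer '{db}' rejected username '{user}' {n} times: "
                       "check the account at HQ or the username configured on the branch")
    if summary["mail_failures"]:
        out.append("security alert e-mail is not being delivered: "
                   "findings like the above would not reach anyone")
    return out


if __name__ == "__main__":
    for line in alerts(analyse(parse(SAMPLE_LOG))):
        print(line)
```

The same rejection text, seen from the headquarters side with many different usernames from one peer address, would instead be the signature of someone guessing VPN accounts; the counter keyed on (username, database) makes the two cases easy to tell apart.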
277. ertising unreachable routes. Before the flush timer expires, RIP continues to advertise the unreachable routes; when it expires, they are deleted from the routing table.

Route Re-Advertisement

In the Route Re-Advertisement pane you can configure other routes, such as direct routes, OSPF routes and static routes, to be introduced (redistributed) into RIP, and set the metric values of the introduced routes.
Re-advertise Direct Route: whether to introduce direct routes into the RIP routing table as external routing information. You can set the metric value of an introduced route; the default is 10.
Re-advertise OSPF Route: whether to introduce OSPF routes into the RIP routing table as external routing information. You can set the metric value of an introduced route; the default is 20.
Re-advertise Static Route: whether to introduce static routes into the RIP routing table as external routing information. You can set the metric value of an introduced route; the default is 20.
Default Metric: default hop count of an introduced route, used when no metric value is specified for it. The default is 10.
Click OK to save and apply the settings, or Restore to Defaults to restore the default parameter values.

All Routes

The All Routes tab page displays all routes on the eq
278. ervers page (Add, Delete, Refresh) has the columns No., Server IP, Custom Servers, Service & Port and Description; for example: 1, 192.200.19.86, FTP, Sangfor Server.

Schedule

The Schedule panel is used to define common time segments, which can be selected on the Application Control Policy panel of the Access Control module or in the Bandwidth Channel of the Bandwidth Mgt module to set the effective time or expiry time of rules. One-time schedules and recurring schedules are available.

One-Time Schedule

A one-time schedule specifies the start and end time of a time segment; the equipment executes the schedule within that segment only once. It is usually applied to special dates. For example, you can use such a schedule in an application control policy to prohibit games during the National Holiday; after the holiday, the equipment automatically allows the game applications again without manual intervention.
In the navigation area, choose Objects > Schedule > One Time Schedule. The One Time Schedule tab page (Add, Delete, Refresh; columns Name, Start Time, End Time) is displayed. Click Add; the Add One Time Schedule dialog box (Name, Start Time, End Time) is displayed.
279. es | High | Enable | Block if attack detected
Rules 13120101 to 13120113 all carry the name Wordpress Application Exploit Attack, category Web site vulnerabilities, threat level High, status Enable and action Block if attack detected (thirteen rows in the figure, some with their check boxes selected).
131
280. es time and the y-axis indicates the number of attacks.

[Figure: Security Over the Last 30 Days; y-axis attacks (0 to 50k), x-axis days 07 to 05 of the following month; series Threat Level High, Medium and Low.]

Traffic Statistics shows the top 5 applications with the largest traffic rate over the last 30 days. The following figure shows that the traffic rate of the P2P application reached 253 Kbps on August 12. The x-axis indicates time and the y-axis indicates the traffic rate.

[Figure: Traffic Statistics, bidirectional traffic based on application category; tooltip App P2P, Date 08/12, Speed 253 Kbps; y-axis 0 to 500 Kbps, x-axis 08/01 to 08/29; series P2P, Website Browsing, Mail and others.]

Server Security

The Server Security page shows the number of server attacks, including DoS attacks from the Internet, IPS attacks and attacks blocked by the web application protection module. (Navigation menu: Server Security, Endpoint Security, Traffic.) Specify the following filter and click Go to retrieve data: Period (for example This month, 2013-08-01 to 2013-08-31), Application server IP (All), Attack Type (All), Threat Level (High, Medium, Low), Action (Allow, Deny, Others); then view Statistics.
281. es to be protected and the source pages from which they may be reached, so that only redirection from the source pages (Referer) to the protected URLs (Target) is permitted. In this way CSRF attacks are blocked. Protected URL ensures that users' key resources cannot be browsed by unauthorized clients. The CSRF Webpage Protection Rules dialog (Add, Delete) lists No., Website Domain, Protected URL Count and Status; for example 1, www.sangfor.com.cn, 1 protected URL, enabled. In that example only www.sangfor.com.cn/bbs/index.html can redirect to the protected URL on www.sangfor.com.cn, which cannot be reached by any other means.

A Referer check stops cross-site requests only for clients that send the header; browsers suppress it under some referrer policies and privacy settings, so legitimate users can be denied, and the application should still use anti-CSRF tokens as its primary defence.

Parameter Protection (Proactive URL Protection)

Traditional SQL injection protection is signature-based, and signature-based systems cannot handle 0-day and unknown attacks. Proactive URL protection is therefore added to the device to improve its protection. The Proactive URL Protection page (Options, Excluded URL, Refresh, View All) lists Path, Variable, Type, Max Length, Status, Hit Count and Operation. You only need to enable the protection; the device learns by itself. Once Variable Hits Threshold is reached, it binds the related parameters (their observed type and maximum length). Options: Learning Ability with Variable Hits Threshold 5000 times and Matching Ratio 95%; Action if Attack Attem
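The two mechanisms above are simple enough to model, and doing so shows where each one bites. The following added example (not the device's code) implements a Referer allow-list for protected URLs in the manual's example shape, and a parameter profiler that learns a variable's type and maximum length until a hit threshold is reached, then binds them and flags values that break the profile. The rule table, the type classifier and the sample requests are constructed; the real device's thresholds default to 5000 hits and a 95% ratio, which the demo lowers so it runs quickly.

```python
"""Added example, not code from the SANGFOR manual: (1) a Referer allow-list for
protected URLs and (2) a learn-then-bind parameter profiler in the style of the
page's proactive URL protection. Rules, classifier and samples are constructed."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Protected (host, path) -> allowed referer (host, path) pairs (constructed from the example).
CSRF_RULES = {
    ("www.sangfor.com.cn", "/"): {("www.sangfor.com.cn", "/bbs/index.html")},
}


def csrf_allowed(host, path, referer):
    """True if the URL is not protected, or the Referer is an allowed source page."""
    rule = CSRF_RULES.get((host, path))
    if rule is None:
        return True                 # not a protected URL
    if not referer:
        return False                # direct access, or header suppressed: denied
    r = urlsplit(referer)
    return (r.hostname, r.path) in rule


def value_type(value):
    if value.isdigit():
        return "digit"
    if value.isalpha():
        return "alpha"
    if value.isalnum():
        return "alnum"
    return "other"


class ParamProfiler:
    def __init__(self, hits_threshold=5000, ratio=0.95):
        self.hits_threshold, self.ratio = hits_threshold, ratio
        self.types = defaultdict(Counter)   # (path, name) -> type -> count
        self.max_len = defaultdict(int)
        self.bound = {}                     # (path, name) -> (type, max_len)

    def learn(self, path, params):
        """Record type and length per variable; bind once the threshold is reached
        and one type accounts for at least `ratio` of the observations."""
        for name, value in params.items():
            key = (path, name)
            if key in self.bound:
                continue
            self.types[key][value_type(value)] += 1
            self.max_len[key] = max(self.max_len[key], len(value))
            hits = sum(self.types[key].values())
            if hits >= self.hits_threshold:
                dominant, count = self.types[key].most_common(1)[0]
                if count / hits >= self.ratio:
                    self.bound[key] = (dominant, self.max_len[key])

    def check(self, path, params):
        """[(name, reason)] for values violating a bound variable's profile."""
        violations = []
        for name, value in params.items():
            profile = self.bound.get((path, name))
            if profile is None:
                continue
            expected_type, max_len = profile
            if len(value) > max_len:
                violations.append((name, "length"))
            elif value_type(value) != expected_type:
                violations.append((name, "type"))
        return violations


if __name__ == "__main__":
    print(csrf_allowed("www.sangfor.com.cn", "/", "https://www.sangfor.com.cn/bbs/index.html"))
    p = ParamProfiler(hits_threshold=50, ratio=0.95)     # lowered for the demo
    for i in range(60):
        p.learn("/news.php", {"id": str(i)})                # constructed clean traffic
    print(p.bound, p.check("/news.php", {"id": "1 OR 1=1"}))
```

The profiler's weakness is visible in `learn`: whatever traffic arrives during the learning window defines "normal", so an attacker who is probing while the threshold is being reached can widen the profile. Learn on traffic you trust, and treat the Excluded URL list the same way as the DLP whitelists.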
282. essage, IP loose source route option message and IP strict source route option message. Normal IP packets do not carry these options; packets that do are usually used in attacks. To reject IP packets carrying these options, select the corresponding check boxes. To reject IP packets carrying any other option, select Wrong IP message. Click OK to save the configuration.

Bad TCP Options

Select Select type. The Bad TCP Options page lists the names SYN packet splitting, TCP header flag bits are all 1, Only SYN and FIN flag bits are 1, and Only FIN flag bit is 1. Normal TCP packets do not carry these combinations, and a destination server that cannot process them properly may behave abnormally. To reject TCP packets with these options, select the corresponding check boxes and click OK to save the configuration.

After setting the protection options, select the action to take when an attack is detected: Log event and/or Deny. If only Log event is selected, a log is recorded when an attack is detected but the attack is not blocked; to block the attack as well as logging it, select Deny. Click OK to save the configuration.

Anti-DoS/DDoS: Outside Attack, Insi
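The options above are all decided from a handful of header fields. As an added example (not the device's code), the following inspector parses an IPv4+TCP packet and reports the same conditions the page lists: the four named IP options, any other IP option ("Wrong IP message"), a SYN in a fragmented packet, all flag bits set, SYN with FIN, and FIN alone. The packet builder and sample addresses are constructed for the test; "SYN packet splitting" is taken to mean a SYN segment split across IP fragments, which is an assumption about the page's wording.

```python
"""Added example, not code from the SANGFOR manual: classify IPv4/TCP packets
against the bad-IP-option and bad-TCP-flag conditions listed on the page.
The packet builder exists only to construct test input; checksums are zero."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
BAD_IP_OPTIONS = {7: "record route", 68: "timestamp",
                  131: "loose source route", 137: "strict source route"}


def ip_option_types(ip_header):
    """Walk the IPv4 options area and return the option type codes found."""
    ihl = (ip_header[0] & 0x0F) * 4
    opts, i, found = ip_header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                # end of option list
            break
        if kind == 1:                # no-operation, single byte
            i += 1
            continue
        found.append(kind)
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:               # malformed length: stop instead of looping forever
            break
        i += length
    return found


def inspect(packet, other_ip_options=True):
    """Return the reasons the packet would be rejected; [] means it looks normal.
    other_ip_options mirrors the 'Wrong IP message' check box."""
    reasons = []
    ihl = (packet[0] & 0x0F) * 4
    for kind in ip_option_types(packet[:ihl]):
        if kind in BAD_IP_OPTIONS:
            reasons.append(f"IP {BAD_IP_OPTIONS[kind]} option")
        elif other_ip_options:
            reasons.append(f"other IP option (type {kind})")
    frag = struct.unpack("!H", packet[6:8])[0]
    more_fragments, frag_offset = bool(frag & 0x2000), frag & 0x1FFF
    if packet[9] == 6 and frag_offset == 0 and len(packet) >= ihl + 20:
        flags = packet[ihl + 13] & 0x3F
        if flags & SYN and more_fragments:
            reasons.append("SYN packet splitting")
        if flags == 0x3F:
            reasons.append("all TCP flag bits set")
        if flags & SYN and flags & FIN:
            reasons.append("SYN and FIN both set")
        if flags == FIN:
            reasons.append("only FIN set")
    return reasons


def build_packet(tcp_flags, ip_options=b"", more_fragments=False):
    """Constructed IPv4 header (+options) and a 20-byte TCP header for testing."""
    ip_options += b"\x00" * (-len(ip_options) % 4)          # pad options to 32-bit words
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    frag = 0x2000 if more_fragments else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + len(tcp),
                     1, frag, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([172, 16, 1, 10]))
    return ip + ip_options + tcp


LSRR = bytes([131, 7, 4, 1, 2, 3, 4])     # loose source route, one hop (constructed)

if __name__ == "__main__":
    print(inspect(build_packet(SYN | FIN, LSRR)))
    print(inspect(build_packet(SYN | ACK)))    # normal handshake reply: []
```

Note the `frag_offset == 0` guard: flag checks are only meaningful on the first fragment, because later fragments carry no TCP header at all; a filter that ignores this either misreads payload bytes as flags or, worse, lets a reassembled bad segment through.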
283. evant data is generated.

[Pie chart: Traffic Statistics, bidirectional traffic based on application; categories News Portal, Online Video Download, Search Engine, IT Related, Government Organization, Life Information, Online Shopping, Forum, IT Industry, Software Download and Other (318.45 MB, 60.4%).]

Application | Outbound Traffic | Inbound Traffic | Bidirectional Traffic
News Portal | 6,087 KB | 37,304 KB | 63,450 KB
Online Video Download | 2,474 KB | 47,476 KB | 49,950 KB
Search Engine | 4,304 KB | 31,752 KB | 36,056 KB
IT Related | 2,427 KB | 20,977 KB | 23,404 KB
Government Organization | 460 KB | 13,008 KB | 13,467 KB
Life Information | 630 KB | 6,905 KB | 7,330 KB
Online Shopping | 588 KB | 3,383 KB | 3,971 KB
Forum | 961 KB | 4,134 KB | 5,095 KB

The data shows that news websites are the sites intranet users access most.

To enable the data center to collect statistics on website browsing, go to Intranet Security > Web Filter, create a rule and select Log event in the Action area.

Antivirus Statistics

The Anti-Virus page collects statistics on the viruses found by Intranet Security > Virus Defense and Filter. For example, it can identify the intranet user with the greatest number of viruses detected while sending or downloading files through FTP. The filter has Period, IP/User and Others; then Statistics. Example: Virus Type, Data Ty
284. ever requires that the packets with which intranet computers log in to the domain server pass through the NGAF, or be mirrored to the NGAF on a monitoring port. The NGAF captures the login information by monitoring UDP port 88 (Kerberos). After a successful domain login, the user can access the Internet directly without being authenticated by the NGAF again. This applies whether the domain server is deployed inside or outside the intranet; the SSO configuration for the two deployment modes is described below.

Because the NGAF only observes the login exchange, what it learns is a mapping from the client's IP address to the user; any host that later sends traffic from that address (through address reuse, NAT or spoofing) inherits the authenticated session, so pair this mode with IP/MAC binding where possible.

I. Domain server deployed on the intranet

[Figure: the NGAF listens on a mirror port for the traffic between intranet PCs and the LDAP/domain server.]

The data flow is as follows:
1. The NGAF monitors the process of a PC logging in to the domain.
2. If the user logs in to the domain successfully, the NGAF authenticates the user automatically.

Configuration

Step 1: Choose User Authentication > Options > External Auth Server and set up the AD domain authentication service. For details, see section 3.6.2.3.
Step 2: Enable SSO, select the SSO mode and set the IP address of the domain server. Choose User Authentication > Options > SSO Options > Domain SSO. Select Enable Domain SSO. Select Obtain login profile by monitoring the data of computers logging into the domain. Enter the IP address and the monitoring port of the domain server in Domain Controllers. If there are multiple domain servers, enter the IP address
285. ews.php (parameter Object_id). Results: Vulnerable to XSS: http://192.200.19.195/jcsweb/news.php; Exploit Against Browser: All. The recorded response fragment is the database error "check the manual that corresponds to your MySQL server version for the right syntax to use near '<SCrIPT>fake_alert(9973)</SCrIPT>' at line ...", which shows the injected script being echoed back unescaped; a raw MySQL syntax error on the same parameter also points to an SQL injection exposure worth checking. Click Restart to go back to the scan page.

RT Vulnerability Scanner

The Realtime Vulnerability Scanner scans the server for vulnerabilities in real time, based on the vulnerability rules under the Security Database. The scan result shows the number of threats found on the server; details such as threat information, threat level and suggested solutions are in the report, from which the server administrator can defend against the vulnerabilities and take action. The Realtime Vulnerability Scanner page (Add, Delete, Enable, Disable, Refresh, Excluded Domain/IP/Port/URL) lists No., Policy Name, Server Zone, Server IP Group, Threat Count, Re-Scan, Report, Status and Delete.

Click Add to add and configure a new policy for RT vulnerability scanning of the target servers. The page shows: Enable; Policy Name; Description; Server Zone (Select); Server IP Group (Select).
Policy Name: the name of the new policy.
Server Zone: the zone in which the server is located.
Server IP Group: the IP
286. f the embedded email rules have a higher priority, data may match the embedded email rules instead of the custom Office Email rule. Therefore a priority must be set for the custom rule: select Give higher priority to custom rules on the App Ident Rules page.

Step 5: Choose Bandwidth Mgt > Bandwidth Channel and set a guaranteed channel for the application to ensure bandwidth for sending office emails. For details, see section 3.12.3.1.

Note: you are advised to add identification information such as destination port, IP address and domain name when you define a custom rule. If the identification conditions are too general, they may conflict with the built-in application identification rules, causing identification errors and control and auditing failures; with Give higher priority to custom rules selected, an over-broad custom rule shadows the built-in rules for everything it matches.

Enabling, Disabling and Deleting Custom Application Rules

On the App Ident Rules page, select a custom rule and click Enable, Disable or Delete. The App Ident Rules page (Add, Delete, Enable, Disable, Refresh, Import, Export, Give higher priority to custom rules) lists No., Rule Name, Description, Application Category, Application, Status and Delete; for example 1, Office Email, Office Email, Mail, Customize Email, enabled.

Importing and Exporting Custom Application Rules

Click Import to import a custom application rule, or Export to export one.
287. f the system. The product complies with the design requirements for environmental protection. Deployment, use and scrapping of the product must comply with national laws and regulations.

Power Supply

The SANGFOR NGAF series products are supplied with 110 to 230 V AC power. Before connecting power to the product, ensure that the power supply is properly grounded.

Appearance

[Figure 1: Front panel of the NGAF M5100: 1 CONSOLE interface, 2 USB, 3 MANAGE interface, 4 ETH3, 5 ETH2, 6 ETH1.]

The ALARM indicator is steady red during startup of the equipment. If it turns off after 1 to 2 minutes, the equipment has started properly. If it does not turn off for a long period, power off the equipment and start it again after 5 minutes; if the problem persists, contact the customer service center to confirm whether the equipment is damaged. After the equipment has started properly, the ALARM indicator may occasionally blink red; this means the equipment is writing system logs.

Note: the CONSOLE interface is used only for development and commissioning and is not intended for end users; end users configure the equipment through the Web UI.

Configuration and Management

Before configuring the equipment, get a computer ready and ensure that the web browser installed on it (Internet Explorer, for example) works properly. Then connect the comput
288. fected by the virus irregularly send ARP spoofing broadcast packets on the intranet, disrupting normal communication between intranet computers and sometimes bringing the network down. The device protects its own ARP cache by denying ARP requests or replies that carry attack characteristics. If the access-controlled users of the device have bound IP addresses or MAC addresses, the device uses those bindings for protection.

ARP Spoofing Prevention options: Enable; Broadcast Now; Enable (the device regularly broadcasts its own MAC address when this option is selected); MAC Broadcast Interval (sec), the interval at which the device broadcasts its MAC address.

The periodic broadcast protects the gateway entry in the hosts' ARP caches by re-asserting it, but an attacker can simply broadcast more often; static entries on the hosts, or dynamic ARP inspection on the switches, are the stronger controls, and the broadcast interval is a mitigation rather than a fix.

Access Control

Network insecurity usually results from unrestricted access to insecure content by intranet users. The SANGFOR NGAF device ensures Internet content security with application control policies, anti-virus policies and anti-malware.

Application Control Policy

It filters Internet data based on the application-layer characteristics or the port numbers of packets; for example, it can prevent intranet users from playing games during work hours. Setting up this module requires the objects (service, IP group, schedule and application characteristic library) defined in Object Settings.
Choose Access Control > Application Control Policy. On the page that app
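The protection described above (deny ARP packets with attack characteristics, use IP/MAC bindings when they exist) can be written down precisely. The following is an added example, not the device's implementation: it parses raw Ethernet/ARP frames and applies three checks, a mismatch between the Ethernet source and the ARP sender MAC, a sender IP that is bound to a different MAC, and a reply that changes an address already learned. The frames, addresses and the decision to deny on a learned-address change are all constructed assumptions for the example.

```python
"""Added example, not code from the SANGFOR manual: an ARP guard that denies
frames with spoofing characteristics and honours IP-to-MAC bindings. Frame
builder, addresses and the deny-on-change policy are constructed for the demo."""
import struct


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(x) for x in text.split("."))


def build_arp(eth_src, sha, spa, tha, tpa, op=2):
    """Broadcast Ethernet frame carrying an IPv4 ARP message (op 1 request, 2 reply)."""
    eth = struct.pack("!6s6sH", mac("ff:ff:ff:ff:ff:ff"), mac(eth_src), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as strings, or None if the frame is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != 0x0806:
        return None
    _, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (ptype, hlen, plen) != (0x0800, 6, 4):
        return None
    as_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    as_ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": as_mac(eth_src), "op": op, "sha": as_mac(sha), "spa": as_ip(spa),
            "tha": as_mac(tha), "tpa": as_ip(tpa)}


class ArpGuard:
    def __init__(self, bindings):
        # bindings: IP -> MAC for access-controlled users / gateway (from the device's user list)
        self.bindings = {k: v.lower() for k, v in bindings.items()}
        self.cache = {}

    def handle(self, frame):
        """Return ('accept' | 'deny' | 'ignore', reason)."""
        a = parse_arp(frame)
        if a is None:
            return "ignore", "not IPv4 ARP"
        if a["sha"] != a["eth_src"]:
            return "deny", "ARP sender MAC differs from Ethernet source MAC"
        bound = self.bindings.get(a["spa"])
        if bound and a["sha"] != bound:
            return "deny", f"{a['spa']} is bound to {bound}, claimed by {a['sha']}"
        learned = self.cache.get(a["spa"])
        if a["op"] == 2 and learned and learned != a["sha"]:
            return "deny", f"reply changes learned MAC for {a['spa']} ({learned} -> {a['sha']})"
        self.cache[a["spa"]] = a["sha"]
        return "accept", ""


if __name__ == "__main__":
    guard = ArpGuard({"192.168.1.1": "00:11:22:33:44:55"})       # gateway binding (constructed)
    spoof = build_arp("de:ad:be:ef:00:01", "de:ad:be:ef:00:01",
                      "192.168.1.1", "00:00:00:00:00:00", "192.168.1.50")
    print(guard.handle(spoof))
```

The binding check is the one that matters for the gateway: without it, the "learned MAC changed" rule would accept whichever host spoke first after a reboot. Which is why the manual ties the protection to the bound IP/MAC addresses of access-controlled users.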
289. file. Send the generated certificate to the administrator at the headquarters. The administrator selects hardware authentication when creating the VPN account and binds the account to the hardware certificate.

Objects

The various objects defined in the Objects configuration module lay the foundation for the Bandwidth Mgt, Firewall and Access Control configuration modules; policy control and security control are exercised on the basis of objects. The Objects menu contains ISP, Application Ident DB, Intelligent Ident DB, App Ident Rules, URL Database, Services and IP Group.

ISP

The ISP panel is used to set an IP address segment for a network operator; the segment is used to invoke multi-path load routing on the Policy-Based Routing tab page. Click Delete to delete the selected ISP information, or Add to add ISP information. The Add dialog has the fields Name, IP Range and WHOIS.
Name: ISP name.
IP Range: network IP address segment of the operator.
WHOIS: a WHOIS identifier corresponding to the ISP address segment; it is used to identify the IP addresses of different operators.

Application Ident DB

The application identification database is used to identify the application types of network access data. It detects application types b
290. formation. Click the Browse button to select a file, and then the Upload button to upload it. Export: Click it to export the desired hardware IDs and save them to the computer, as shown in the figure below. (Figure: Export Hardware ID dialog: Export: All hardware IDs / Hardware IDs of specified group.) a. Specify the hardware IDs that you want to export. To export all the hardware IDs, select the option All hardware IDs and then click the OK button. All the hardware IDs will be written into a file that will then be saved on the computer. To export the hardware IDs of a specific user group, select Hardware IDs of specified group and click the textbox to specify a user group, as shown below. (Figure: User Groups selector: Default group, group1.) b. Click the OK button, and the name of the selected user group is filled in the textbox, as shown in the figure below. (Figure: Export Hardware ID dialog: Hardware IDs of specified group: Default group; Subgroup included.) c. To also export the hardware IDs of the users that are included in the subgroups of the specified user group, select the checkbox next to Subgroup included. If this option is not selected, only the hardware IDs of the direct users in the selected group will be exported. d. Click the OK button to write the hardware IDs into a file and download the file to the
291. Case Study: The SANGFOR equipment is deployed in routing mode at the headquarters. Remote mobile users need to access the headquarters through the VPN. The configuration procedure is as follows. Add a rule in Virtual IP Pool. Set an IP address segment that is on the same network segment as the LAN interface of the equipment and is not used by internal users. See the figure below. (Figure: virtual IP pool rule: Assigned To: Mobile user (the mobile VPN users); Start IP 192.168.1.200; End IP 192.168.1.220.) On the Local Users page, click New User to add a new user and set User Type to Mobile user. The default value of IP Address is 0.0.0.0, which means that a virtual IP address will be automatically assigned to the user. You can also manually specify a virtual IP address for the user. (Figure: New User dialog: Username; Authentication; Password; Algorithm AES; Confirm Password; User Type Mobile user; Description; Added To Default group; Inherit group attributes; Hardware authentication; Certificate; Enable USB key; USB Key; Assign virtual IP; IP Address 0.0.0.0; Valid Time All day; Enable expiration; Expired At; Enable user; Enable My Network Places; Enable compression; Deny Internet access after login; Enable multi-user login; Deny password change online.) VPN WAN Interface: On the VPN WAN Interface page you can define external VPN interfaces. See the figure be
292. ged Search. (Figure: LDAP server search options: Use extension function; Page Size 0; Size Limit 0.) Test Effectiveness is used to verify the IP address, port number and user name used for connecting to the server. Note: In normal cases, retain the default values in the Search area. Adding a RADIUS Server: Choose User and Policy Management on the navigation page. Choose User Authentication > External Auth Server. On the External Auth Server page, click Add and choose RADIUS Server. The External Authentication Server (RADIUS) page appears. (Figure: Add RADIUS Server dialog: Enable; Server Name; RADIUS Server: Server Address, Port 1812, Timeout (sec) 5, Shared Secret, Protocol PAP; Test Validity; OK; Cancel.) Enter a server name. The RADIUS Server area is used to set the IP address, port number, timeout interval, shared secret and protocol of the RADIUS server. Adding a POP3 Server: Choose User and Policy Management on the navigation page. Choose User Authentication > External Auth Server. On the External Auth Server page, click Add and choose POP3 Server. The External Auth Server (POP3) page appears. (Figure: Add POP3 Server dialog: Enable; Server Name; POP3 Server: Server Address, Port 110, Timeout (sec) 5; Test Validity; OK; Cancel.) Enter a server name. The POP3 Server area is used to set the IP address, port number and timeout interv
293. gent Settings. Select Enable Web Agent for dynamic IP support to enable this feature, and the Sangfor device will be able to get an IP using Web Agent dynamic addressing if it is not using a static Internet IP address. To add a Web Agent entry: a. Click Add to enter the Add Web Agent page, as shown below. (Figure: Add WebAgent dialog: Address; OK; Cancel.) b. Enter the Web Agent address into the Address field and click the OK button. c. To check connectivity of a Web Agent, select a Web Agent and click Test. If the address is correct, the Sangfor device can then connect to this Web Agent; otherwise connecting will fail, as shown in the figure below. (Figure: Testing connection dialog with Details for the Primary WebAgent and Secondary WebAgent.) Before the test begins, a certain ActiveX control may need to be installed, as shown below. (Figure: Installation Tips: This operation requires an ActiveX control to be installed. Click the Install button to enter the page that will ask you whether to install the add-ons. Follow the given instructions to install the ActiveX control. Once installation completes, you can go back to this page to resume the operations. Buttons: Install; Check ActiveX Status; Close.) d. To remove or edit a Web Agent entry, select the desired entry and click Delete or Edit. e. To modify the password of a Web Agent, select the desired entry and click Modify PWD. Modifying the password can prevent unauthorized use
294. (Figure: remote directory tree under DC=sangfor,DC=com: OU=500MB; CN=Computers; OU=Domain Controllers; OU=FAE; CN=ForeignSecurityPrincipals; OU=Product management; CN=Program Data; OU=RD; OU=sales; CN=System; OU=Test; CN=Users; OK; Cancel.) If you select Add user structure based on top-level OU of selected remote directory beneath specified local group, the root domain names of the LDAP are synchronized as groups and the other synchronized OUs are the corresponding subgroups. If you select Add user structure based on bottom-level OU of selected remote directory beneath specified local group, the synchronization is performed from the selected OUs. If you select Add user structure based on sub-OU of selected remote directory beneath specified local group, the synchronization is performed from the sub-OUs of the selected OUs, and the selected OUs and the direct users of the selected OUs are not synchronized to the equipment. Set the depth for the imported OUs in OU Depth. In this example, set OU Depth to 10 so that 9 levels of the sub-OUs can be synchronized to the equipment as user groups, and OUs lower than level 9 are not synchronized to the equipment as user groups. Users lower than level 9 can still be synchronized to the equipment
295. gs. Click Days logs will be kept to set the number of days for which logs are saved. Click Delete logs of the earliest day if disk usage reaches threshold to set logging according to disk usage. Log repetitive events only once: after it is selected, the internal report center only logs once for repetitive access to the same domain name, saving disk space. If Enable internal report center is not selected, the internal report center does not record logs, but it will send the logs to the Syslog server if the Syslog server has been configured. Syslog Settings: Syslog settings allow NGAF logs to be saved synchronously to the remote Syslog server. The IP address and port of the Syslog server should be set, as shown in the following figure. (Figure: Logging Options: Internal Report Center; Enable Syslog; IP Address 10.10.10.10; Port 514.) Syslog supports only UDP connections. Syslog can synchronize data report center logs but cannot synchronize system logs. SMTP Server: SMTP Server sets the SMTP server information for the NGAF to send alarm emails. (Figure: SMTP Server settings: Sender Address test@sangfor.com; SMTP Server; Require authentication; Username; Password; Send Test Email.) Sender Address: sets the mailbox used by the NGAF to send alarm emails, for example test@domain.com. SMTP Server: sets the SMTP server domain name or IP address. If the SMTP server requires a user name
296. (Figure: DoS Attack search form, continued: Threat Level High, Medium, Low; Action Allow, Deny; Go; Open in new tab.) Example. Application scenario: A user needs to view details about the DoS attacks on intranet servers on May 30. The search excludes the DoS attacks on intranet users. Step 1: Set search criteria. Set Zone Type to External because the search target is intranet servers. (Figure: DoS Attack: Specify the following and click Go to retrieve data: From 2013-08-16 00:00; To 2013-08-16 23:59; Zone Type Internal/External; Source Zone All; Source IP All; Dst IP All; Attack Type; Threat Level High, Medium, Low; Action Allow, Deny; Go; Open in new tab.) Step 2: Click Go. The relevant data is generated. (Figure: DoS Attack log table. Filter: Period 2014-04-25 00:00 to 2014-04-25 23:59; Zone type Internal/External; Src zone All; Src IP All; Dst IP All; Type All; Threat level High/Medium/Low; Action Allow/Deny. Columns: No., Time, Type, Source IP, Dst IP, Description, Threat Level, Action, Details. Row 1: 2014-04-25 12:56:11, Sending IP fragment, 192.200.19.200, 192.200.19.63, Medium, Allow, View; rows 2 to 5: 2014-04-25 12:57:45, Sending IP fragment, 192.200.19.200, with a details popup showing No. 2, Time 2014-04-25 12:57:45, Type Sending IP fragment.)
297. he domain server. Note: Before importing user information from the domain server, choose VPN > Advanced > LDAP Server and set the information about the LDAP server. Click Import From Text to import user information from a TXT or CSV file. Click Export to export user information from the equipment to a local computer. You can choose to export the user passwords in plaintext or ciphertext mode. See the figure below. (Figure: Password Type: Plaintext / Ciphertext.) Click New Group and set the group name, group description and public attributes of group members. See the figure below. (Figure: New Group dialog: Algorithm AES; Enable My Network Places; LAN Service.) Click Advanced to set the VPN routing policy, multicast service and tunnel parameters. Click New User and set the user name, password, description and algorithm in sequence. See the figure below. (Figure: New User dialog: Username; Authentication Local Password; Algorithm AES; Confirm Password; User Type Mobile user; Description; Added To Default group; Inherit group attributes; Hardware authentication; Certificate; Enable USB key; USB Key; Assign virtual IP; IP Address 0.0.0.0; Valid Time All day; Enable expiration; Expired At; Enable user; Enable My Network Places; Enable compression; Deny Internet access after login; Enable multi-user login; Deny password change online.) Authentication: user authentication type. You can choose local authen
298. he extracted features of hardware components in a computer according to a certain algorithm. The uniqueness of computer components makes the generated hardware ID unique. Click the Settings button following Hardware ID, and the Hardware ID Based Authentication page appears, as shown in the figure below. (Figure: Hardware ID Based Authentication > Policy Options: Collect hardware ID only; Enable hardware ID based authentication; Message on Collecting; Auto approve any hardware ID; Any account can be used on approved endpoint; Maximum hardware IDs owned by a user: 1; OK; Cancel.) The following are the contents included on the Hardware ID Based Authentication page. Collect hardware ID only: if this option is selected, hardware IDs of endpoint computers will be collected, but hardware ID based authentication will not be enabled. Enable hardware ID based authentication: if this option is selected, hardware IDs of endpoint computers will be collected and hardware ID based authentication will be enabled. Message on Collecting: this is the prompt seen by end users when they go through hardware ID based authentication. Auto approve any hardware ID: indicates that any hardware ID submitted by an end user will be approved, and the administrator need not approve them manually. Any account can be used on approved endpoint: indicates that hardware IDs submitted by any u
299. he host ID does not change. 3.4.2.3.1 Tunnel NAT Case Study: The SANGFOR equipment in the Beijing headquarters is deployed in routing mode. Shanghai branch (192.168.2.0/24) and Shenzhen branch (192.168.2.0/24) need to connect to the headquarters through the VPN. Tunnel NAT needs to be enabled on the SANGFOR equipment deployed in Beijing to resolve the internal network segment conflict between Shanghai branch and Shenzhen branch. The procedure for enabling tunnel NAT is as follows. (Figure: topology showing Branch SZ and Branch SH connected to the headquarters.) 1. In the virtual IP address pool, add a virtual IP network segment 192.168.20.0/24. See the figure below. (Figure: virtual IP pool rule: Assigned To: Branch VPN users who use tunnel NAT; Start IP; End IP; Subnet Mask; click Get or the OK button.) 2. On the Local Users page, add a branch account. Click Advanced and access the Tunnel NAT tab page. Select the Enable check box, click New to add the network segment 192.168.20.0/24, and associate this network segment with the branch account. See the figure below. (Figure: branch account with Authentication Local and Enable user selected; Advanced tabs: Multiline Policy, Multicast Service, Tunnel Parameter, Tunnel NAT; Tunnel NAT rule: Source Subnet 192.168.2.0, Subnet Mask 255.255.255.0, Translate to Subnet 192.168.20.0, Auto Assign.) Click OK to apply the rule. Shenzhen branch can access the headquarters without modifying the internal IP address
300. header is 1 and the destination port number is TCP 139 or TCP 445, the packet is regarded as a WinNuke attack. Smurf attack: Smurf attack protection is enabled when this option button is selected. When the device detects that the response address of a packet, which is an ICMP echo request packet, is a broadcast address, it is regarded as a Smurf attack. Huge ICMP pak attack: if this option button is selected, it is regarded as an attack when an ICMP packet exceeds 1024 bytes. After the configuration, click OK to save the configuration of packet-based attack protection. You can continue setting other Internet attack protection options, shown in the following figure. (Figure: Packet Based Attack > Attacks Selected: Unknown protocol; TearDrop attack; Abnormal Message Probe; Bad IP Options (Select type); Bad TCP Options (Select type); Action: Log event, Deny.) Abnormal Message Probe: it detects abnormal packets, mainly IP packets and TCP packets. Bad IP Options: click Select type. The page shown in the following figure appears. (Figure: Bad IP Options: Wrong IP message; IP timestamp message; IP security option message; IP stream option message; IP record route option message; IP loose source route option message; IP strict source route option message; OK; Cancel.) Bad IP options include IP timestamp message, IP security option message, IP stream option message, IP record route option m
301. (Figure: traffic table, continued: ...her: 4.91 Kb/s, 2.48 Kb/s, 7.39 Kb/s; DNS: 1.32 Kb/s, 2.43 Kb/s, 3.75 Kb/s; NETBIOS: 880 b/s, 0 b/s, 880 b/s.) Click Refresh 5 seconds to set the refresh interval. Click Refresh to refresh the information immediately. Click Lock (or the lock icon) in the Operation column. The page shown in the figure below is displayed. (Figure: Lockout Period dialog: Lockout Period (mins).) After setting the Lockout Period, click OK. Click the Locked icon in the Operation column to open the Online Users page and unlock locked users. Top Applications by Traffic: The Top Applications by Traffic page displays rankings of applications by traffic in real time. See the figure below. (Figure: tabs Top Users by Traffic, Top Applications by Traffic, Top Hosts by Traffic; Refresh 10 seconds; Refresh; Filter; View Top 60; columns: Group, No., Application, Line, Outbound Speed, Inbound Speed, Bidirectional, Percent.) The applications are ranked by occupied bandwidth. The displayed information includes the application type, line, outbound speed, inbound speed and bidirectional speed. Click Refresh 5 seconds to set the refresh interval. Click Refresh to refresh the information immediately. Click Filter to specify the conditions for filtering applications by traffic. See the figure below. (Figure: Filter dialog: Objects; Line All; Display Option: Show Top 60; OK; Cancel.) Set th
302. high virus removal efficiency. The virus definition library of the device is synchronized with the SOPHOS virus definition library once every one to two days. Choose Access Control > Anti-Virus Policy. The Anti-Virus page appears. The device allows only one anti-virus policy, which is often used to prevent intranet users' computers from being infected by viruses. The configuration procedure is as follows. Step 1: Select Enable Anti-Virus. Step 2: Set the source objects to be protected, such as all the users on the intranet. See the following figure. (Figure: Source: Zone LAN; IP/User: IP Group LAN IP Range; User Group.) Step 3: Specify the destination zones to which anti-virus protection is applied when users in the source zones access the destination zones. For example, anti-virus protection is applied for all IP addresses accessing the Internet. See the following figure. (Figure: Destination: Zone WAN; Dst IP All; Group.) Step 4: Specify the protocols, including HTTP, FTP, POP3 for sending emails and SMTP for receiving emails, for which anti-virus protection is applied. Select all the protocols. See the following figure. (Figure: Antivirus Scanning: Scan the Following Protocol Traffic Only: HTTP, FTP, POP3, SMTP.) Step 5: Set other supplementary options. (Figure: File Type; Fuzzy match; Enable URL/IP exclusion; Fuzzy match example www.google.com.) File Type: It specifies the
303. (Figure: SSO options, continued: ...hrough domain; Shared Key; Obtain login profile by monitoring the data of computers logging into the domain.) Note: If packets from internal users logging into the domain do not go through the device, you need to mirror them to the device and go to the Others tab to enable the mirror interface. (Figure: Domain Controllers: 192.168.1.10:88.) Step 3: Set the authentication policy. Choose User Authentication > Policy and click Add. Set the authentication mode to SSO using IP or MAC addresses. See section 3.6.2.1.3. Step 4: Log in to the domain on a computer and check whether you can access the Internet successfully. Note: In monitoring mode, only the user login information is monitored. The logoff data is not captured; therefore the logoff state is not obtained. In this case the PC may have logged off while the user is still shown as logged on in the online user list on the NGAF. 3.6.2.2.1.2 PROXY SSO: It is applicable when users access the Internet through a proxy and each user is assigned a proxy server account. If proxy SSO is used, the users are authenticated by the NGAF when they are authenticated by the proxy server. Proxy SSO works in monitoring mode: SSO is implemented based on login data monitoring. Scenario 1: The proxy server is located on an external network. See the following figure. The data flow is as follows: 1. A user accesses the Internet through the proxy server. The device monitors the interacti
304. (Figure: server risk scan results, continued. Columns: Server IP, Port, Application, Protocol, Accessible Zone, Accessible IP, Threat Level, Risk, Operation. Rows: 192.200.17.202 port 80 http TCP, WAN, 0.0.0.0/255.255.255.255, Medium, web vulnerabilities: SQL injection, XSS attack, Trojan horse, Website scan, webshell, CSRF, OS command injection, File inclusion, Path traversal, Information disclosure; 192.200.17.10 port 53 dns UDP, WAN, Low, open port risk; 192.200.17.10 port 445 netbios TCP, WAN, Low, open port risk. Page 1 of 1, 28 entries, 50 entries per page.) Step 6: Eliminate risks based on the scanning prompts. 1. Change weak passwords. (Figure: weak password scan: 96% completed, 5312 ports scanned, 1 port left; you may leave this page and check it again later; View Weak Password Details; Restart; Enable weak password scan; Export as PDF; filter by Associated Policies, IP address or port. Rows: 192.200.17.22 port 3306 mysql TCP, WAN, 0.0.0.0/255.255.255.255, High, open port risk; 192.200.17.202 port 69 tftp UDP, WAN, High, open port risk; 192.200.17.202 port 21 ftp TCP, WAN, High, weak password risk and open port risk; 192.200.17.200 port 1433 mssql TCP, WAN, High, port is prone to weak password vulnerability; 192.200.17.22 port 80 http TCP, WAN, Medium. Weak password detail: Username anonymous, Password Ty
307. ice is now displayed. SANGFOR NGFW 5.6 User Manual xiii. Symbol Conventions: The symbols that may be found in this document are defined as follows. Caution: alerts you to a precaution to be observed during operation. Improper operation may cause setting validation failure, data loss or equipment damage. Warning: alerts you to pay attention to the provided information. Improper operation may cause bodily injury. Note or tip: provides additional information or a tip for operations. Technical Support: Email tech.support@sangfor.com.hk; International Service Centre 60 12711 7129 7511; Malaysia 1700817071; Website www.sangfor.com. Acknowledgement: Thanks for choosing our product and user manual. For any suggestions on our product or user manual, provide your feedback to us by phone or email. Installation Guide: This part describes the composition and hardware installation of the NGAF series products of SANGFOR. You can configure and commission the product after the hardware is correctly installed. 1.1 Environment Specifications: The environment specifications of the SANGFOR NGAF equipment are listed as follows. Input voltage: 110-230 V. Temperature: 0-45 C. Humidity: 5-90%. Take proper grounding and dustproof measures, and keep good ventilation and a stable room temperature in the application environment, to ensure long-term and stable operation o
308. ick Log event in the Action area on the console; otherwise no statistics are generated. Logs: The Logs menu enables users to view log details. For example, a user can identify the server on the intranet that encounters a DoS attack, as well as the source IP address and port of the attack. (Figure: Navigation Menu: DoS Attack; WAF; IPS; Anti-virus; APT Detection; Website Browsing; Application Control; Local Security Events; User Login/Logout; Admin Operation.) DoS Attack: (Figure: DoS Attack: Specify the following and click Go to retrieve data: From 2014-09-05; To 2014-09-05; Zone Type Internal/External; Source Zone All; Src IP All; Dst IP All; Attack Type All; Threat Level High, Medium, Low; Action Allow, Deny; Go; Open in new tab.) The DoS Attack page enables users to view details about DoS attacks on the intranet and Internet. For example, a user can view details about ICMP flood attacks on all servers on the intranet over a period. (Figure: DoS Attack: Specify the following and click Go to retrieve data: From 2013-08-16 00:00; To 2013-08-16 23:59; Zone Type Internal/External; Source Zone; Source IP All; Dst IP All; Attack Type; Threat Level Hig
309. icy. 4. Static Route: a. Make sure this device can communicate with the internal and external networks normally. 5. NAT: a. Create an SNAT rule to translate the source addresses of outgoing packets to a public IP address. b. Create a DNAT rule to translate the destination addresses of incoming packets. Click Physical Interface and a Physical Interface configuration window is displayed. You can configure routing interfaces, interface addresses and interface attributes in this window. Click Zone and a Zone configuration window is displayed. You can assign Ethernet ports to different areas. Click IP Group to enter the Object Definition > IP Group path. Click Static Route to enter the Network Configuration > Route > Static Route configuration path. Click NAT to enter the Firewall > NAT path. If the NGAF device connects to an interface of a public network and acts as a proxy for the intranet to access the Internet, the source address needs to be translated. If an intranet server is publishing services to a public network, the destination address needs to be translated. After a new NAT rule is created, you need to create an application control policy under Content Security > Application Control Policy. Data Mirroring (Bypass) Mode: If the NGAF device is deployed in bypass mode to fulfill the functions of IPS, WAF and data leakage prevention, configure the device as follows. (Figure: Data Mirroring deployment diagram.) 1. Physical Interface: a. Set a
310. ied to new users authenticated against the external LDAP server, for they can be synchronized to a corresponding group automatically. (Figure: User Sync Policy / Other User Attributes: Concurrent Login: Allow concurrent login on multiple terminals, Only allow login on one terminal; Bind IP/MAC: Binding Mode: Bind the IP on initial logon, Bind the MAC on initial logon, Bind the IP and MAC on initial logon; Added as casual account, not to any local group, with same privilege as User Group; No authentication for new users.) Step 5: Click Submit. The policy is successfully edited. (Figure: Authentication Policy list, Enable user authentication selected, Authentication Zone LAN. Columns: No., Name, IP/MAC, Authentication, New User Option, Description, Move, Delete. Rows: 1. Martketing, 192.168.2.1-192.168.2.255, None (host name as username), Add to group Marketing, Martketing policy; 2. Subnet 1, 192.168.1.0/255.255.255.0, Password based authentication, Add to group IT; 3. Default Policy, 0.0.0.0/255.255.255.255, None (IP as username), Add to group Default, Default Policy.) Note: The NGAF obtains the host names of Internet-accessing computers over the NETBIOS protocol. The host name may not be obtained successfully. In this case, check whether the NETBIOS protocol is enabled on the computer, whether the computer is configured with multiple IP addresses, whether the firewall on
311. (Figure: anti-virus log table, continued. Columns: File Name, Virus Name, Source IP, User, Address, Action, Details. Rows: fwlog mailproxy pop, Mal/ZAccess-CK, 192.200.19.63, kwong@sangfortest.com, Allow, View; fwlog mailproxy smtp, Mal/ZAccess-CK, 192.200.19.63, kwong@sangfortest.com, Allow, View.) The data shows that a sent email containing a virus is allowed. Note: To enable the data center to record logs, choose Access Control > Anti-Virus on the console, create a rule and click Log event following Logging in the Action area. APT Detection: The APT Detection page enables users to view logs of APT detected in Access Control > APT Detection. (Figure: APT Detection: Specify the following and click Go to retrieve data: From 2014-09-01 00:00; To 2014-09-05 23:59; Source Zone All; Src IP/User: IP, User, Group; Dst Zone All; Type All; ID All; Threat Level High, Medium, Low; Action Allow, Deny; Go; Open in new tab.) Example. Application scenario: A user needs to search for the IP addresses or users on the intranet that generate APT traffic. Step 1: Set search criteria. (Figure: APT Detection search form: From 2014-09-01; To 2014-09-05; Source Zone All; Src IP/User: IP, User, Group; Dst Zone All; Type; ID; Threat Level; Action; Go.)
312. ils about how to set up target lines, see section 3.12.4. The Channel Type area is where the channel type and bandwidth range are defined. In this example, the bandwidth for the P2P and data download services of the sales department is restricted. Thus, select Limited channel. Set Outbound and Inbound to 20% respectively. The total bandwidth is 10 Mb/s; therefore the maximum bandwidth will be 2 Mb/s. The Priority can be set to High, Medium or Low, indicating the preemption priority of the channel when occupying other available channels. (Figure: Add Bandwidth Channel dialog: Enable channel; Name P2P limit; Bandwidth Channel: Limited channel; Applicable Objects; Outbound Max; Inbound Max; Priority Low; Per User Max Bandwidth: Outbound 30, Inbound 30; Advanced: Make allocated bandwidth on this bandwidth channel shared evenly among external IP addresses and Per User Max Bandwidth setting applied to each of them, typically selected for a server providing external services; OK; Cancel.) The parameter Per User Max Bandwidth is used to set the bandwidth each IP address in the channel can enjoy. In this example, enter 30 Kb/s for Outbound and Inbound. If you select Even allocation for Bandwidth Allocation Among Users, the bandwidth is allocated evenly among the users in the channel. Here the users are those who have dataflow mapped to the channel. Users within the scope of
313. interface. Choose Network > Interface > VLAN Interface and click Add. The Edit VLAN Interface dialog box is displayed. Perform the configuration as shown in the following figure. (Figure: Edit VLAN Interface: Name Veth 2; Added To Zone; Basic Attributes: Pingable; IP Assignment: Static, DHCP; Static IP; Next Hop IP; Link State Detection, a feature that achieves automatic link failover when one of the lines goes down; Settings.) Step 5: Choose Network > Routing > Static Route. Configure the default route for Internet access and the packet reception route. (Figure: Edit Static Route: Destination; Subnet Mask 0.0.0.0; Next Hop IP 1.2.1.2; Interface; Metric. Add Static Route: Destination 192.168.2.0; Subnet Mask 255.255.255.0; Next Hop IP 192.168.1.254; Interface eth3; Metric 1.) Configure NAT. For details, see section 3.7. Policy-Based Routing Configuration Example 1. Configuration example: A user needs to access an e-bank (IP address 127.8.66.42) over HTTPS. The e-bank checks the connected IP address. When the source IP address of the same connection is changed, the e-bank disconnects, causing an access failure. To solve the problem, configure a PBR so that data destined to the destination IP address is always routed out along
314. interfaces in the Ethernet interface list are checked in active/standby mode. Active/standby switchover can be triggered only after physical Ethernet ports are down.

Sync Options: ignores the active/standby attributes of the NGAFs. The modified configuration on one NGAF is synchronized to the other as soon as the configuration is modified. Select Enable configuration synchronization, as shown in the following figure.

[Figure: High Availability > Basic Settings > Redundancy > Sync Options. Enable configuration synchronization; Objects: Available (User authentication, Session information, Configuration synchronization); Add, Delete, Sync Now, View Logs.]

Objects: sets the objects to be synchronized between the two NGAFs, including User authentication, Session information and Configuration synchronization. The NGAFs check whether the configuration has changed every 10 seconds.

- The Heartbeat Interval of the active and standby NGAFs must be the same; otherwise active/standby election may experience exceptions.
- If the priority of the VRRP group is set to the same value on both NGAFs, no preemption occurs regardless of whether the Preemption option is selected.
- In routing mode, if you enable the link monitor, active/standby switchover is triggered if any of the three conditions is met: no heartbeat packet received, physical port in DOWN state, or link failure after link detection.
- In transparent mode, other ports in the Ethernet interfac
315. ion. In the Authentication Policy screen, select None/SSO for Authentication. Apply bidirectional bindings between the user and the IP/MAC address while creating the user account. In this case a one-to-one relationship is defined between the IP/MAC address and the user, and the user can be identified by the IP/MAC address. The IP/MAC address segment specified in Authentication Policy must contain the bound IP/MAC address.

Or: In the Authentication Policy screen, select None/SSO for Authentication. Use the IP address, MAC address or computer name as the user name. The intranet user is authenticated based on the IP address, MAC address or computer name that matches the user name.

SSO/Local or external password authentication: This authentication mode is enabled when the user authentication function is enabled on the NGAF and SSO/Local or external password authentication is selected. If SSO authentication is not configured or is not successful, the authentication process for Internet access is as follows:

Step 1: A dialog box requesting the user name and password is opened in the Web browser. Assume the input user name is test and the password is password.

Step 2: The NGAF checks for user test among the local users. If the user exists and has a local password (that is, Local password is selected in User Attributes), the NGAF checks whether the local password is password. If the password is correct, the authentication succeeds; if not
316. ion Server Configuration. Configuration example: The intranet interface ETH2 of the NGAF is connected to intranet segments. The NGAF is required to automatically assign IP addresses 192.168.1.100 to 192.168.1.199 to users in a conference room for Internet access. The fixed IP address 192.168.1.100 is assigned to the manager's PC.

Step 1: Enable the DHCP service.

Step 2: Select eth2 in Network Interface for DHCP configuration. Set Lease and DHCP Parameters.

[Figure: Lease (min) 120; DHCP Parameters: Gateway 192.168.1.1, Subnet Mask 255.255.255.0, Preferred DNS 8.8.8.8, Alternate DNS 8.8.4.4, Preferred WINS 0.0.0.0, Alternate WINS 0.0.0.0.]

Lease (min) specifies how long an assigned IP address may be used. DHCP parameters include Gateway, Preferred DNS, Alternate DNS, Preferred WINS and Alternate WINS; they are handed out when IP addresses are assigned automatically through DHCP.

Step 3: Set IP Address Pool, that is, the IP addresses to be assigned automatically.

[Figure: IP Address Pool 192.168.1.100 to 192.168.1.199.]

Step 4: Click Reserved IP Addresses to perform the related setting so that a fixed IP address is assigned to a PC based on its MAC address. (A MAC host can only be assigned one IP address from the pool above.) Click Add. The Reserved IP Addresses dialog box is displayed. Set Name, IP Address, MAC Address and Host Name
317. ion configuration in LDAP User Sync. For details, see sections 4.6.2.3 and 4.6.1.5.

Step 2: On the Authentication Policy screen, click Add. The Authentication Policy screen is displayed. Enter the name and description of the policy.

[Figure: Authentication Policy. Name: SSO; Description; IP/MAC Range: 192.168.3.0/255.255.255.0.]

Step 3: Select None/SSO and Take IP as username under Authentication.

[Figure: Authentication options. None/SSO: Take IP as username, Take MAC as username, Take host name as username. SSO/Local or external password authentication: the browser will be redirected to an authentication page, on which user credentials are required, when the user attempts to access the Internet; Configure External Auth Server (SSO only); Excluded Users (login names, comma separated).]

Step 4: In New User Option, select Added to specified local group and select Marketing. The users not using SSO are added to the Default group, and the Internet access policy of the default group is applied to them. Select Not applied to new users authenticated against external LDAP server; the users using domain SSO are added to the user group specified in the synchronization rule. Do not select Bind IP/MAC, because if users not using SSO are added as new users with IP/MAC bidirectional binding applied, the IP/MAC address can only be used by that user and can no longer be used in
318. ion Zone. As shown in the figure below, the LAN is selected for authentication. For details about the settings, see section 4.2.1.4.

[Figure: Authentication Policy. Enable user authentication; Authentication Zone: LAN. Policy entry: Name Subnet 1; IP/MAC Range 192.168.1.0/255.255.255.0; Authentication: None/SSO (Take IP as username, Take MAC as username, Take host name as username; if SSO is configured, the detected username is preferred) or SSO/Local or external password authentication (the browser will be redirected to an authentication page, on which user credentials are required, when the user attempts to access the Internet; Configure External Auth Server).]

Step 2: In the Groups pane, select the group to which you want to add a user. On the Members page displayed on the right, click Add and select User.

[Figure: Groups/Members page. Group Path: Admin; Description: Admin; Sub-groups 0, immediate users 0, total users 0; Members list (No, Name, Address, Expiry Date), no data available.]

Step 3: In the Add User dialog box, select Enable user and set Name, Description, Display Name and Added To Group.
319. ired to be synchronized to the equipment. The organizational structure in the LDAP server is as follows.

[Figure: Active Directory Users and Computers window. OUs include Builtin, Computers, Domain Controllers, FAE, ForeignSecurityPrincipals, Product management, RD, sales (with Chinese sales, Hong kong sales, Malaysia sales, Singapore sales) and Test; the Malaysia sales OU contains 6 objects: Malaysia manager, Malaysia Sales, Malaysia Sales2, Malaysia Sales3, Malaysia Sales4 and Malaysia Sales5.]

Procedure

Step 1: Set the LDAP server to be synchronized. Set the IP address, port number, user name and password for login. In the navigation area, choose Authentication > User Authentication > External Auth Server. For details, see section 3.6.2.3.

Step 2: Choose Authentication > LDAP User Sync. Click Add.

[Figure: LDAP User Sync page (Authentication > Local Users > LDAP User Sync) with the policy list (No, Policy Name, Description, Group, Status) and Add, View Logs and Refresh buttons; no data available.]

Step 3: In the displayed Add User Sync Policy dialog box, set Policy Name, Description, Sync Mode and Auto Sync. Set Sync Mode to
320. is function is applicable only to the MS Active Directory server. To import users from other types of LDAP servers, choose Local Users > LDAP User Sync. For details, see section 3.6.1.5. Before you import users from an LDAP server, configure the LDAP server: in the navigation area, choose Authentication > User Authentication > External Auth Server. For details, see section 3.6.2.3.

[Figure: Import from External LDAP Server. Only the MS Active Directory server is supported; for other types of LDAP server, import users in Authentication > Local Users > LDAP User Sync. Configure External Auth Server; Import.]

1. Controls must be installed for importing users from an LDAP server, so log in to the console using Internet Explorer during the import.
2. When importing users from an LDAP server, the equipment must be able to connect to TCP port 389 of the LDAP server so that the user information on the LDAP server can be read.

LDAP Automatic Synchronization: LDAP User Sync is used to synchronize users, organizational structures and security groups to the equipment and to perform automatic synchronization. The equipment automatically synchronizes with the domain server every day at a random time between 00:00 and 06:00. LDAP User Sync is classified into Sync by OU and Sync by security group (AD domain only). Sync by OU is applicable to all types of LDAP servers; in this synchronization mode, the OUs in the
321. is not fixed, select All. In this example, choose Server for Dst IP Group.

[Figure: Exclusion Rule. Name: Server; Application: All; Dst IP Group: Server Farm.]

Step 4: Click Submit.

[Figure: Bandwidth Channel page with Enable Bandwidth Management System selected. Exclusion Rule list: No 1, Name Server, Application Category All, Dst IP Group Server Farm.]

BM Lines

BM Line List: The BM line list shows all the current BM lines. A BM line maps a physical network interface to the effective line of a traffic channel, specifying which egress interface (effective line) a traffic channel matches in the dataflow. Click Add. The Edit BM Line screen is displayed. Set as follows.

[Figure: Edit BM Line. Egress Interface: eth3; Outbound: 5 Mbps; Inbound: 5 Mbps.]

Egress Interface: defines the source interface of the dataflow to which the BM line applies. Only WAN interfaces are available.
Outbound: the outbound bandwidth of the physical line. The value must reflect the actual line; otherwise the traffic control effect may be poor.
Inbound: the inbound bandwidth of the physical line. The value must reflect the actual line; otherwise the traffic control effect may be poor.

If traffic control must be set for multiple egress interfaces, define multiple BM lines. Click Add to add the other BM lines one by one.
322. is option is selected, the logout page is displayed after successful login.

[Figure: Show Logout page if user passes password-based authentication.]

Set Expiry Date for the user.

[Figure: Expiry Date: Never expire / Date.]

Step 5: After the user attributes are set properly, click OK. The user is added successfully.

[Figure: Groups/Members page. Group Path: Admin; Description: Admin; Sub-groups 0, immediate users 1, total users 1. Members list: No 1, Name guest, Address 192.168.1.2 to 192.168.1.100, Expiry Date Never expire.]

Step 6: Open a webpage as a user on the corresponding network segment. The webpage is redirected to the authentication page of the equipment. Type the user name and password and click Log In. If the user name and password are correct and the login address is within the bound IP address range, the authentication is successful.

[Figure: Identity Authentication System page prompting "Provide your credential before accessing the Internet", with user name and password fields.]

If the user name and password are correct but the IP address used for login is outside the bound IP address range, the authentication fails and a reminder message is displayed. See the figure below.

Provide your crede
323. ist, the attributes of the users are not updated and the users are not imported.

[Figure: Import CSV File. Browse; If user group does not exist, create it; If user already exists: Proceed and overwrite existing one / Skip and not overwrite existing user.]

3.7.1.5.2 Import by Scanning IP

You can scan IP addresses and MAC addresses and import the identified users into the equipment. The computer names obtained by scanning are used as the user names. The users are imported into the root group by default and are bound to their IP addresses and MAC addresses, but do not need to be authenticated.

[Figure: Import by Scanning IP. Scan all the online computers on the local area network to obtain host name, IP and MAC address, and then import them as users. This operation is often carried out on networks where fixed IP addresses are assigned to computers. When scanning completes, import them onto this device immediately or modify them before importing. Import.]

3.7.1.5.2.1 Configuration Example: Import by Scanning IP

Scan the computers on the network segment 192.200.200.1 to 192.200.200.100 on the LAN and import them into the user list.

Step 1: Select Import by Scanning IP, click Import and type the IP address range that you want to scan.

[Figure: Scan LAN Computers. Scan Object: IP address; IP Range: Start IP 192.200.17.1, End IP 192.200.17.254; Subnet: IP address, Subnet Mask.]
324. isting one under If user already exists. If a user with the same user name already exists in the user list, the attributes of the user are updated. If you select Skip and not overwrite existing user and a user with the same user name already exists in the user list, the attributes of the user are not updated and the user is not imported.

[Figure: Import Scanning Result. Import scanning result of LAN computers; Create group if no such group on local device; If user already exists: Proceed and overwrite existing one / Skip and not overwrite existing user.]

Click Download to Edit. The user information is stored in a local CSV file. You can modify the scanning results and user attributes in the CSV file; to import the modified file, click Import from CSV File.

Step 4: Click OK. The users are imported into the root group.

Note: If Username is displayed as unknow, the computer name was not obtained. The computer name is obtained from the console over the NetBIOS protocol. If the computer name is not found during scanning, check whether the NetBIOS protocol is enabled on the target computer, whether multiple IP addresses are configured on the target computer, whether the firewall on the target computer filters the NetBIOS protocol, and whether any equipment on the network filters the NetBIOS protocol.

3.7.1.5.3 Import from External LDAP Server

You can synchronize users on an LDAP server to the equipment. Th
325. istrator account. Max Login Attempts: maximum number of login failures allowed for an administrator account. Click Submit to save the configurations and make them take effect.

License: The licenses of the NGAF include the gateway license, cross-operator SN, anti-defacement license, function module licenses and update licenses. See the following figure.

[Figure: System > Licensing. Device License: Gateway ID DESCB6EC; Licensing Activated (Modify); Authorization: Branch VPN Sites 0, Number of Lines 2, Mobile VPN Users 0. Cross ISP Access Optimization: Licensing Not activated (Activate). Anti-Defacement License: Licensing Activated (Modify); Authorization: Websites 2. License of Function Modules: Licensing Activated (Modify); VPN, Antivirus, IPS, Web Application Protection, Bandwidth Management, Application Control, Web Filter, Data Leak Protection, APT Detection and Realtime Vulnerability all Activated. Update Licenses: Anti-Virus Database Valid, expiry date 2015-06-19; URL Database Valid, expiry date 2015-06-19; Vulnerability Database Valid, expiry date 2015-06-19; Software Upgrade Valid, expiry date 2015-09-18; Application Ident Database Valid, expiry date 2015-06-19; WAF Signature Database Valid, expiry date 2015-06-19; Data Leak Protection Va]
326. it Physical Interface dialog: Enable; Name: eth; Description; Type: Bridge (layer 2); Added To Zone: LAN; Basic Attributes: WAN attribute; IP Assignment: Access / Trunk; VLAN Interface; Advanced: Configure link mode, MTU and MAC address.

Step 1: Configure the intranet interface ETH1. Choose Network > Interface > Physical Interface and click eth1. The Edit Physical Interface dialog box is displayed. Perform configuration as shown in the following figure.

[Figure: Edit Physical Interface. Enable; Name: eth1; Description; Type: Bridge (layer 2); Added To Zone: Select zone; Basic Attributes: WAN attribute; IP Assignment: Access / Trunk; VLAN Interface; Advanced: Configure link mode, MTU and MAC address.]

Step 1: Configure the intranet interface ETH3. Choose Network > Interface > Physical Interface and click eth3. The Edit Physical Interface dialog box is displayed. Perform configuration as shown in the following figure.

[Figure: Edit Physical Interface. Enable; Name: eth3; Description; Type: Route (layer 3); Added To Zone: Select zone; Basic Attributes: WAN attribute, Pingable; IP Assignment: Static / DHCP / PPPoE; Static IP: 192.168.1.1/24; Line Bandwidth: Outbound 1024 Mbps, Inbound 1024 Mbps; Link State Detection.]

Step 4: Configure a VLAN
327. k of the destination IP address. It should be set to 255.255.255.0 in this example.
Dst Route User: the VPN user that the route directs to. In this example, set it to the user that establishes the VPN connection between the Guangzhou branch and the Shenzhen branch.

The network access data of a branch can be forwarded to the headquarters through a tunnel route, so that Internet access is performed through the public network interfaces at the headquarters. For example, set the Shanghai branch to access the Internet through the headquarters. See the figure below.

[Figure: Tunnel route. Source IP 172.16.1.0; Subnet Mask 255.255.255.0; Destination IP; Subnet Mask; Dst Route User; Enabled; Access Internet via destination route user.]

Source IP: source IP address. Set it to the IP address that needs to access the Internet through the headquarters.
Subnet Mask: subnet mask of the source IP address. It should be set to 255.255.255.0 in this example.
Dst Route User: the VPN user that the route directs to.
Select Access Internet via destination route user to apply the settings.

1. In the case of network access through lines at the headquarters, choose Firewall > Address Translation > Source Address Translation on the equipment at the headquarters and add source address translation rules for the VPN network segments. For details, see the configuration description of the firewall.
2. If the NGAF equipment serves as the headqua
328. keyword and enter a keyword, and the keyword is contained in the POST response, web SSO fails; otherwise it is successful.

Step 6: Before accessing the Internet, log in to the preset website, such as the BBS website in the example. You can access the Internet after the login is successful.

3.7.2.2.1.5 Other Options

If the server login data is not transferred through the gateway, you need to select a mirror interface on the Others tab page as the monitor interface. This monitor interface is required for domain SSO, POP3 SSO and web SSO.

[Figure: Authentication Options > Other Options. If SSO requires an external authentication server and the packets of users logging into the external server do not go through this device, you need to mirror the packets to an idle interface of this device; specify the mirror interface here. Enable mirror interface; Mirror Interfaces (selected interfaces will be monitored): eth0, eth1, eth2, eth3.]

3.7.2.2.2 Redirection After Successful Authentication

Auth Page Redirection is used to specify the page to which a user is redirected after successful web authentication. See the following figure. If you select Recently visited page, an intranet user is redirected to the originally requested page after successful authentication. If you select Logout page, a
329. kout Period, Remaining Lockout, Module, Violated Policy and Details. Click Refresh 5 seconds to set the refresh interval. Click Refresh to refresh the information immediately. Select an item and click to unlock the IP address. Click Clear All to clear all source IP addresses, thereby restoring the access permission of all IP addresses. Click Lockout Period to set the lockout period. For a source IP address that triggers the security policy, the default lockout period is 10 minutes, that is, the source IP address is automatically unlocked after 10 minutes. You can set a longer lockout period. You can search by IP address in the search text box.

Network

Interfaces: The Interfaces page displays information about the network interfaces and zones. The displayed information includes the physical interface, sub-interface, VLAN interface, zone and link state propagation. See the figure below.

[Figure: Status > Network > Interfaces, Physical Interface tab (tabs: Physical Interface, Sub Interface, VLAN Interface, Aggregate Interface, Zone, Link State Propagation). Columns: Interface Name, Interface, WAN, Ping, Type, Zone, IP Assignment, IP Address, Link Mode, MTU, Link State, Status. Rows: eth0: WAN No, Ping Allow, Route (layer 3), Zone None, Static IP 10.251.251.251/24, Full duplex, MTU 1500; eth1: WAN No, Ping Deny, Route (layer 3), Zone WAN, Static IP 192.200.17.23 255.2, Auto negotia, 15
330. l

Step 2: In the URL Filter dialog box, set Name, and in the Source area set Zone to LAN and IP Group to LAN IP Range (intranet users belong to the LAN).

[Figure: URL Filter. Enable; Name: Deny_access; Description; Source: Zone LAN; IP/User: IP Group LAN IP Range / User Group.]

Step 3: Select the types of websites that need to be filtered (embedded options). Set Type to HTTP get and HTTPS (some illegal websites are accessed through HTTPS), Schedule to All day and Action to Deny.

[Figure: URL. URL Category: Adult Content, Pornography, Gambl; Type: HTTP get, HTTP post, HTTPS; Schedule: All week; Action: Allow / Deny; Logging: Log event; Save and Add Another.]

Click OK.

File Type Filter Configuration

The following figure shows a network topology. Users on the intranet must be prevented from downloading music and movies during work time. The work time is 08:00 to 12:00 and 14:00 to 18:00.

[Figure: Network topology. Layer 3 switch; 192.168.1.0/24; Server cluster; Intranet users.]

Step 1: Choose Network > Interface and define the zones of the interfaces before configuring a policy. Choose Objects > IP Group and define the IP address group of intranet users. For details, see section 3.4.8. Set ETH2 to LAN, ETH1 to WAN and 192.168.1.0/24 to LAN IP Range.

[Figure: IP Group list (Add, Refresh, Import, Export). Columns: No, Name, IP Range, Description. No 1: Al
331. l 0.0.0.0 to 255.255.255.255 (All IP addresses); No 2: LAN IP Range 172.16.1.0/255.255.255.0.

[Figure: Interfaces > Zone tab. Zone Name LAN, Zone Type Route (layer 3), Interfaces eth2, Device Mgt Privilege WebUI/snmp, Allowed Address All; Zone Name WAN, Zone Type Route (layer 3), Interfaces eth, Device Mgt Privilege WebUI/snmp, Allowed Address All.]

[Figure: Recurring Schedule list. No 1: All week, Mon to Sun, Morning 0:00, Afternoon 11:59 (the last minute included), All week; No 2: Working Hour, Mon to Fri, Morning 9:00, Afternoon 5:00.]

Step 2: Access the File Filter dialog box. Set Name, and in the Source area set Zone to LAN and IP Group to LAN IP Range (intranet users access through interface ETH2 of the firewall).

[Figure: File Filter. Enable; Name: Deny_download; Description; Source: Zone LAN; IP/User: IP Group LAN IP Range / User Group.]

Step 3: In the File Filter area, set File Type Group to Movie/Music (embedded options), Behavior to Download (to prevent users from downloading), Schedule to Working Hour and Action to Deny.

[Figure: File Filter. File Type Group: Movie, Music; Behavior: Upload / Download; Schedule: Working Hour; Action: Allow / Deny; Logging: Log event; Save and Add Another; OK, Cancel.]

Click OK.

IPS Configuration

The following figure shows a network topology where the NGAF work
332. l be used by the site to obtain the network location of the CMC, and therefore it should be the physical IP address or domain name (if available) of the CMC. If the CMC is assigned a WebAgent address by the manufacturer, enter the corresponding URL address.
Test WebAgent: Click it to test the connectivity between the site and the CMC. Note that this button does not work when the WebAgent address is a URL address.
Secondary WebAgent: the standby WebAgent address, which is used by the site to connect to the CMC when the primary WebAgent is unavailable.
Site Name: Enter the username for connecting to the CMC. It should be the name of the corresponding site created on the CMC.
Password: Enter the password for connecting to the CMC. It should be the password of the corresponding site created on the CMC.
Shared Secret: Enter the shared secret, which should be the same as that configured on the CMC. Ignore it if no shared secret is set on the CMC.
This device and CMC server reside on a same LAN: Specify whether the CMC resides on the same local area network as the NGAF.

After clicking OK, you should log in again. If the site has joined CM but does not connect to the CMC, as shown below:

[Figure: Navigation: System > General, Administrator, Central Management > CM Management, Join CM, Logging Options, SMTP Server. Primary WebAgent 200.200.154.174 5000; Sec
333. le
Description: Configures the description of the role.
Assigned To: Configures the user and/or group that can access the associated resources. To specify a user or group, click the Select User/Group button; all the predefined users and groups on the User Management page are listed, as shown below.

[Figure: Users and Groups selection dialog. Search; Select; Name: Default group, group1; Page 1 of 1; 25/page; OK, Cancel.]

Select the user or group to which the role is to be assigned and click the OK button.

3. Configure associated resources. Click Select Resources to enter the Resources page and select the resources that the associated users of this role can access, as shown below.

[Figure: Select Resource dialog. All resources; Resource Name, Description; Default group; Page 1 of 1; show 25/page; OK, Cancel.]

4. Click the Save button on the Add Role page to save the settings.

Login Options

Click SSLVPN > Login Options to configure the login port and WebAgent settings, as shown in the figure below.

[Figure: Login Options. Login Port: HTTPS Port 4430. WebAgent Settings: Enable WebAgent for dynamic IP assignment; Add, Delete, Edit, Test, Refresh; columns WebAgent, Status; OK.]

Login Port: Specifies the HTTPS port on which the SSL VPN service listens.
Configure Web A
334. le. The value of Dead Time is usually 4 times that of Hello Time. The default value is 40 seconds.
Encryption: encryption mode of packets. It can be set to Plaintext, MD5 or None.
Password: password for encrypting packets.
Click OK to save the settings.

3.2.2.3.1 Network Segments

The Network Segments page allows you to set the network segment to be published. Click Add. The page shown in the figure below is displayed.

[Figure: Add Network Segment. Network Segment (IPv4 or IPv6 subnet); Area ID (IPv4 address or integer).]

Network Segment specifies the address of the network segment to be published. The format is IP address (IPv4 or IPv6)/mask. Area ID specifies the area to which the network segment is bound; usually it is the ID of the backbone area.

3.2.2.3.2 Interfaces

The Interfaces page displays information about the interface corresponding to the network segment published in Network Segments. Suppose that the network segment shown in the figure below is added in Network Segments.

[Figure: Network Segments list. No 1: Network Segment 192.200.19.0/24, Area ID 0.0.0.0.]

The automatically generated interface configuration is shown in the figure below.

[Figure: Interfaces list. Name eth1; IP Address 192.200.19.18/24; Passive Interface No; Authentication None; Neighbor Age 40; Election Priority 1; Retransmit Interval 5.]

Click Name. The page shown in the figure below is displayed.

Edit Interface N
335. le, like Email services, HTTP services, etc.
Description: BIND is the most widely used DNS server software. A denial of service vulnerability in BIND 9 was released on July 29, 2015.

There are a few steps to protect the server from threats. Click Protect under the Operation column. See the figure below.

[Figure: Threat Alerts > Latest Threats (Refresh 10 seconds; Refresh; Settings). No 1: Appeared Since 2015-07-29; Description BIND9 DoS Vulnerability; Threat Level High Threat; Protection Unprotected; Operation Protect.]

It opens another tab; click Protect Now to perform the protection. See the figure below.

[Figure: Threat Alerts and Recommendations: BIND9 DoS Vulnerability (Refresh, Back). Exploits BIND TKEY Query Denial of Service Vulnerability; Appeared Since 2015-07-29. Update recommendations: Your device is in protection against the APT attack stated in this event; Vulnerability Database updated to 2015-10-26; the new threat can be prevented on the 2015-08-07 version. 1 threat needs immediate protection; 127 IP addresses have been scanned. Protect Now; Re-Scan. Immediate protection is required for the threats below. A potential vulnerability may not be found in time if the scanner is not enabled.]

NGAF will ask confi
336. le, the TCP protocol is used because port number 80 for the HTTP service runs over TCP. Set the destination port number to 80. See the following figure.

[Figure: Protocol: Type TCP.]

Step 6: Set the destination IP address to which the original IP address is changed, and specify whether the destination port number must be changed. In this example, the IP address of the internal server providing services through port number 80 over TCP is 172.16.1.100, and the port number does not need to be changed. See the following figure.

[Figure: Destination NAT. Translate IP To: IP Address 172.16.1.100; Translate Port: Unchanged / To Specified Port.]

Step 7: Click Save to complete the configuration. See the following figure.

[Figure: NAT list (NAT, DNS Mapping tabs). Columns: No, Name, Type, Source Zone/Interface, Dst Zone/Interface, Source IP, Dst IP, Protocol, Src Port, Dst Port, translated Source IP, Dst IP, Dst Port, Hit, Status. No 1: Name WebServer; Dst Zone WAN; Dst IP 1.2.1.1; Protocol TCP; Src Port All; Dst Port 80; translated Dst IP 172.16.1.100; Dst Port Unchanged.]

Step 8: Set application control policies to allow data from the Internet to reach the IP address 172.16.1.100 on HTTP port 80. For detailed configuration, see section 3.8.1.

Note: If the IP address 1.2.1.1 and port number 80 must be mapped to the IP a
337. le type group.
File Extension: file name extension. Type the file name extensions, such as mp3.

Note: The equipment is configured with most file types by default, including movies, music, pictures, texts, compressed files and application programs. If the default file types do not meet your requirements, manually add file types.

Trusted CA

You can import certificates into or delete certificates from the certificate database. In the navigation area, choose Objects > Trusted CA. The Trusted CA page is displayed on the right.

[Figure: Trusted CA page (Upload Trusted Root CA, Delete, Refresh). Columns: No, CA, Valid From, To.]
1. UTN USERFirst Object: Jul 9 18:31:20 1999 GMT to Jul 9 18:40:36 2019 GMT
2. DST Entrust GTI CA: Dec 9 00:02:24 1998 GMT to Dec 9 00:32:24 2018 GMT
3. Swisskey Root CA: Apr 15 10:38:00 1999 GMT to Dec 31 23:59:00 2015 GMT
4. AddTrust External CA Root: May 30 10:48:38 2000 GMT to May 30 10:48:38 2020 GMT
5. C&W HKT SecureNet CA Class A: Jun 30 00:00:00 1999 to Oct 15 23:59:00 2009
6. Equifax Secure eBusiness CA 2: Jun 23 12:14:45 1999 GMT to Jun 23 12:14:45 2019 GMT
7. First Data Digital Certificates Inc Certification Authority: Jul 3 18:47:34 1999 GMT to Jul 3 19:17:34 2019 GMT
8. Class 3 Public Primary Certification Authority: Jan 29 00:00:00 1996 GMT to Aug 1 23:59:59 2028 GMT
9. Thawte Premium Server CA: Aug 1 00:00:00 1996 GMT to Dec 31 23:59:59 2020 GMT
10. IPS S
338. lick OK. (The Packet-Based Attack page lists attack types such as Abnormal Message Probe, Bad IP Options and Bad TCP Options, with Action set to Log event and Deny.) Step 2: Choose Firewall > Anti-DoS/DDoS > Inside Attack. Set Source Zone to LAN, click Only allow packets from the following sources, and specify the network segments of the servers and users on the intranet. Click Connect to intranet through L3 switch if a layer 3 switch is deployed. Set IP Exclusion to the network segment of the servers. Click OK. (In the figure, Enable defense against inside attacks is selected, Source Zone is LAN, Source Address allows packets only from 172.16.1.0/255.255.255.0 and 192.168.1.0/255.255.255.0, Device Deployment is Connect to intranet through L3 switch, IP Exclusion is 172.16.1.0/255.255.255.0, Max TCP Connections is 1024, Max Attack Packets is 10240, Lockout Period is 3 min and Action is Log event.) Access Control Configuration: Configuration of Application Control Policy. The following figure shows a network topology. The worki
339. lid, Modify, Expiry Date 2015-06-19; Malware Signature Database: Valid, Modify, Expiry Date 2015-06-19. The License parameter in the Device License area is used to activate the device and authorize the license configuration of the NGAF, including the numbers of lines, branch VPN lines and mobile VPN users. The License parameter in the Cross-ISP Access Optimization area is used to activate the cross-ISP function of the NGAF. The License parameter in the Anti-Deface Optimization area is used to activate the website anti-defacement function in server protection. In the License of Function Modules area you can activate different function modules with dedicated licenses, including VPN, antivirus, IPS, web application protection, traffic control, application control, web filter, data leak protection, APT detection and realtime vulnerability. In the Update Licenses area you can activate the updates of the policy databases of the NGAF, including the antivirus database, URL database, vulnerability database, software updates, application identification database, web application protection database, data leak protection database and malware signature database. You can click Modify and enter the license number to activate the license. Administrator Accounts: The administrator accounts are used to manage the users accessing the NGAF console. See the following figure (the Administrator list has the columns No, Username, Administrative Role and Description).
340. logs. Navigation Menu > Statistics > Log Database. Specify the period (for example 2012-08-16 to 2013-08-16) and click Go to retrieve data. Set the search period and click Go; the search result shows the logs generated over the specified period. (The Log Database list shows, for each date, the data size of that day's logs.) Click a date and click Delete; the logs generated on that day are deleted. Note: Logs are deleted by day. Logs cannot be deleted individually. Configuration Examples: Deployment and Configuration. Router Interface Configuration: In a typical application scenario of router interfaces, the NGAF is deployed at a public network egress as a router and serves as a proxy to enable intranet users to access the Internet. Configuration example: The following figure shows a network consisting of three layers. The NGAF is deployed at a public network egress and serves as a proxy to enable intranet users to access the Internet. An optical line is used to connect to a p
341. low. VPN > WAN Interface (columns Status, Line, Line Alias, Description, Connection Mode, Move and Operation; buttons New, Advanced, Refresh and Save and Apply). Click Add to add an external interface, as shown in the figure below (Interface: eth2; Gateway: 1.1.1.1; Testing DNS1: 1.1.1.1; Connection Mode: Directly connect Internet; Use static Internet IP: IP Address 1.1.1.1). The figure notes: specify the gateway if the IP address of this interface is static; for an Ethernet type of line, configure at least one DNS server to ensure VPN service; for an ADSL or dial-up type of line, both DNS servers can be null. Interface: external VPN interface. Only WAN route interfaces can be configured as external VPN interfaces. Gateway: gateway address corresponding to the external interface. This parameter needs to be set only when the interface type is static IP address, and does not need to be set when the interface type is ADSL or DHCP. Testing DNS: DNS address provided by the operator. This parameter does not need to be set if the interface type is set to ADSL. Connection Mode: Internet connection mode. It can be set to Directly connect Internet or Indirectly connect Internet. If the interface connects to the Internet directly, set this parameter to Directly connect Internet. Use static Internet IP: static public network IP address assigned to the interface. Click the DNS detection icon to perform DNS detection setup. See the figure below.
342. ludes vulnerabilities on a variety of operation sy (the attack type table continues with Worm Vulnerability, Telnet Vulnerability, Media Vulnerability, FTP Vulnerability, Network Device Vulnerability and Shellcode Vulnerability, each with a short description). Select Endpoint and click Selected (the Server Protection and Endpoint Protection entries each show a Selected list, for example Web ActiveX Vulnerability, Mail Vulnerability and Brute Force attack). The Select Attack Type page appears. Select the attack types so that the device implements IPS protection for the vulnerabilities related to the selected attack types of endpoints. (The Select Attack Type table supports fuzzy match and lists, with descriptions, Web ActiveX Vulnerability, Backdoor Vulnerability, Trojan Vulnerability, Spyware Vulnerability and System Vulnerability, among others.)
343. m Hosts (columns IP Address, Latest 3 Webpages, Type and Victim Webpages; no data available). Outgoing DoS Attacks: The Outgoing DoS Attacks page displays any outgoing DoS attacks occurring in the network and information about them. (The Security Status page has the tabs Events, Top Attacks, Bots, Data Leak, Backlink Injections and Outgoing DoS Attacks; the Outgoing DoS Attacks tab shows, for the last 7 days, Top 5 Attack Sources from LAN and Top 5 Destinations, and a Details table with the columns Started Since, Duration, Attack Source, Destination IP and Logging.) RT Vulnerabilities Analysis: Viewing RT Vulnerabilities Analysis. The RT Vulnerabilities Analysis page displays real-time vulnerable server statistics, a vulnerability overview, the latest critical vulnerabilities and the latest vulnerabilities. See the figure below (Realtime Vulnerability Analysis: Total Vulnerable Servers 1; Top 10 Vulnerable Servers shows 192.200.19.195 with a count of 10; the table lists server IP 192.200.19.195, vulnerability type Apache Httpd Vulnerability, vulnerability count 10, unprotected 10). Click Refresh to refresh the information immediately. Click Generate Report to generate a de
344. m Web vulnerability / Open port risk (the table continues: 192.200.17.10 port 53 dns UDP from WAN, accessible from 0.0.0.0/255.255.255.255, Low, Open port risk; 192.200.17.10 port 445 netbios TCP from WAN, Low, Open port risk; 192.200.17.20 port 53 dns UDP from WAN, Low, Open port risk). Avoid Risk: Please select the type of protection you want to apply (Web application Vulnerability). The following information is displayed when protection rules are configured (the Avoid Risk page offers Export as PDF and All Associated Policies; its table lists, for each server IP and port, for example 192.200.17.200 port 80 http, the protocol, whether it is accessible from WAN, the accessible IP range 0.0.0.0/255.255.255.255, the threat level and the risk, here No risk and Open port risk; Port is in protection: All). Step 7: Click All Ass
345. main Guests, Domain Users, Enterprise Admins, Group Policy Creator Owners, HelpServicesGroup and Manager under CN=Users of the sangfor domain, as shown in the group selection list). If you select Add user structure based on top level OU of selected remote directory beneath specified local group, the root domain names of the LDAP are synchronized as groups and the other synchronized OUs are the corresponding subgroups. If you select Add user structure based on bottom level OU of selected remote directory beneath specified local group, the synchronization is performed from the selected OUs. If you select Add user structure based on sub OU of selected remote directory beneath specified local group, the synchronization is performed from the sub-OUs of the selected OUs; the selected OUs themselves and the direct users of the selected OUs are not synchronized to the equipment. OU Depth does not need to be configured for security group synchronization. Set the filter parameters for the synchronization in Filter. Step 5: Set the import mode, the location where the synchronized security groups and users are stored in the organizational structure, and the synchronized user properties in Synchronization Target. (Synchronization Target > Method: Sync LDAP OUs and users to this device, or Sync LDAP users to this devic
346. me. Step 1: Select the authentication policies Marketing and Subnet 1 (Authentication Policy page: Enable user authentication; Authentication Zone: LAN; buttons Add, Edit Multiple and Delete). Step 2: Click Edit Multiple. The Edit Multiple Authentication Policies screen is displayed. (The policy list shows four policies, sso, Marketing, Subnet 1 and Default Policy, each with its IP/MAC range, authentication method, new user option and description. In Edit Multiple Authentication Policies, Name lists Subnet 1 and Marketing, and Authentication offers: None, with Take IP as username, Take MAC as username or Take host name as username, where the detected username is preferable if SSO is configured; or SSO, Local or external password authentication, where the browser is redirected to an authentication page requiring user credentials when the user attempts to access the Internet; Configure External Auth Server; SSO only; Excluded Users; Login name
347. method for all users on the network segment. Choose User Authentication > Authentication Policy. In the Authentication Policy dialog box, set IP/MAC Range and set Authentication to SSO (Local or external password authentication). Before you set Authentication Policy, set Authentication Zone. As shown in the figure below, the LAN is selected for authentication. (Authentication Policy: Enable user authentication; Authentication Zone: LAN. In the Add dialog: Name Subnet 1; IP/MAC Range 192.168.1.0/255.255.255.0; Authentication: None, with Take IP as username, Take MAC as username or Take host name as username, where the detected username is preferable if SSO is configured; or SSO, Local or external password authentication, where the browser is redirected to an authentication page requiring user credentials when the user attempts to access the Internet; Configure External Auth Server.) Step 2: In the Groups pane, select the group to which you want to add a user. On the Members page displayed on the right, click Add and select User. (Users page: Group Path Admin; Description Admin; Members: sub groups 0, immediate users 1, total users 1; the Members list has the columns No, Name, Ad
348. mp 4000 packets/second, UDP 6000 packets/second, SYN 2000 packets/second, DNS 2000 packets/second). Action: Select whether to allow or deny the connections that hit the rules in this policy. Logging: Check the Log event checkbox to record all the connections that match the policy rules. Note: If policies have been set in Security Protection Objects and Zombie Network Rule Library, packets matching those policies are not denied when they pass through the device, even though Action is set to Deny in Add Anti-Malware Rule. Click Advanced on the APT Detection page, and the page below is displayed (Advanced: Globally Excluded Domain/IP: an excluded domain or IP passes through without any security detection, which includes APT Detection, Remote Access Trojan, Abnormal Traffic, Malicious Connection and Mobile Security; Abnormal Traffic Detection Rule Exclusion: detection is not performed for traffic destined to the specified destination IP address). Globally Excluded Domain/IP: It excludes IP addresses and domain names on the Internet or intranet from anti-malware protection. The device does not block the packets from the specified IP addresses or domains even though the packets are zombie network packets. See the following figure (Fuzzy match; Abnormal Traffic Detection Rule Exclusion).
349. n WAF Signature Rule ID. Based on URL Parameters: Fill in the URL with the parameter name and string to whitelist from WAF protection (URL: www.sangfor.com/home; URL Parameters: Add, Delete). Based on IP Address: Select the CSV file to import the IP addresses. Example File can be clicked to download the template (Select File; Import rules from csv file; Example File). Web application protection implements attack protection rules designed for web servers on intranets. It can prevent various web application attacks such as OS command injection, SQL injection and XSS attacks, and implement anti-leak configuration for web servers. See the following figure (Add Web Application Protection Rule: Enable, Name, Description, Source Zone/IP Group, Destination Zone/IP Group, Port; Protection: Website-based Attack Parameters with Application Hiding, SQL Injection, XSS Attack, CSRF defense, Restrictive URL access, Proactive protection and Custom parameter protection; FTP/HTTP Settings; Password: FTP Weak Password Protection, Web access weak password, Web access cleartext request inspection, Defense against brute force attack; Privilege: File upload restriction, URL access; HTTP Protocol anomaly: Request metho
350. n 192.200.17.200). Range: Select the applications and services for which weak passwords are to be scanned (Select service/application: mysql, oracle, netbios, ssh, rdp). Method: It defines the method of scanning weak passwords. The values include Full password dict (which takes longer) and Normal password dict. The normal password dictionary contains only default system passwords. Click Advanced Settings and set the full password scan and the customized dictionary for RDP and VNC. See the following figure (Advanced Settings: RDP/VNC Service: RDP/VNC scan and full scan take longer; by default a general scan is performed; Implement full scan. Username/Password Dictionaries: Username Dictionary, for example sangfor; Password Dictionary). Implement full scan: It takes a long time to scan weak passwords for RDP and VNC. To implement a full scan for the two protocols, select this option. Username Dictionary: It defines the user names to be checked. Add customized user names to the related dictionary. For example, if the user name is sangfor, the NGAF device checks whether the user name sangfor exists, in addition to scanning for weak passwords of default user names. Password Dicti
351. n Regular Expression. Click Add. In the displayed Add Sensitive Keyword dialog box, enter the regular expression of the sensitive keyword to be defined. See the figure below (Add Sensitive Keyword: Description (optional), Regular Expression, RegEx Tester). Click IP/URL Whitelist to exclude certain IP addresses and URLs from data leak protection. The functions of IP/URL Whitelist are the same as those on the Predefined Sensitive Keyword tab page. Malware Signature Database: The malware signature database contains a variety of protection types, including Trojan, AdWare, Malware, Spy, Backdoor, Worm, Exploit, HackTool and Virus. See the figure below (the Malware Signature Database list can be filtered by Action, Type and Rule ID and shows, for each entry, the Rule ID, Signature Name, Type, Threat Level and Action, for example rule ID 30000000, signature Trojan Win32 Pirminay, type Trojan, threat level Medium, action Enable).
352. n interface to mirror port. b. Set the management interface. Click Physical Interface and a Physical Interface configuration window is displayed. You can set the interface type to bypass mirroring interface to mirror data from the switch. No Change to Existing Network (Bridge/Transparent Mode): If the NGAF device is deployed without any changes to the existing network, that is, the NGAF device is deployed as a transparent bridge in the network, configure the device as follows. 1. Physical Interface: a. Set the interface type to transparent. b. Set the outside interface to WAN interface to distinguish inbound and outbound traffic. 2. Zone: a. Assign the configured interfaces to the appropriate zone according to security level. 3. IP Group: a. Put local IP addresses into different IP groups that can be associated with security policies. Click Physical Interface and a Physical Interface configuration window is displayed. You can set the interface type to transparent interface, with the uplink interface set to WAN, so that you can measure data volume in the uplink and downlink. Click Zone and a Zone configuration window is displayed. You can assign Ethernet ports to different areas. Click IP Group and you enter the Object Definition > IP Group path. Note: After the device is configured in transparent mode, you need to create an application control policy und
353. n intranet user is redirected to the manual logout page after successful authentication. If you select Specified page, an intranet user is redirected to the page specified by the user after successful authentication. 3.7.2.2.3 Authentication Conflict: Authentication Conflict is used to disallow multiple users from using the same account at the same time to log in. The device handles the conflict either by terminating the previous session and requiring authentication on the current IP address, or only by telling the user that another user has logged in with the same account somewhere else. See the following figure (Authentication Options > Authentication Conflict: for an account that disallows multi-user login, if it is logged in again on another IP, then either Terminate previous session and require authentication on the current IP, or Only tell user that another user has logged in with this account somewhere else). 3.7.2.2.4 IP or MAC Address Identification Across Three Layers: If intranet users bind MAC addresses or only MAC address authentication is allowed, and the internal network consists of three layers, Obtain MAC by SNMP must be enabled for obtaining the MAC addresses of intranet users. This function can be used only when the switches on the intranet support SNMP. Principle: The device regularly sends an
354. n is enabled when this option button is selected. When the number of SYN packets per second from the specified source zone to an IP address exceeds the upper limit specified by Per Dst IP Packet Threshold, the SYN proxy is activated to protect the intranet server. When the number of SYN packets per second from the specified source zone to an IP address exceeds the upper limit specified by Per Dst IP Packet Loss Threshold, excessive SYN packets are discarded. When the number of SYN packets per second from an IP address in the specified source zone to a destination IP address or IP group exceeds the upper limit specified by Per Src IP Packet Loss Threshold, the source IP address is regarded as the attack source and excessive SYN packets are discarded. Defense against DNS flooding attack: DNS flooding attack protection is enabled when this option button is selected. You can set Per Dst IP Packet Threshold to specify the upper limit on the DNS packets per second from the specified source zone to an IP address. If the upper limit is exceeded, it is regarded as an attack. If Deny is selected as the action to be taken when being attacked, all DNS packets sent to the IP address are discarded when an attack is detected. After the configuration, click OK and continue setting the other protection options shown in the following figure (Defense Against DoS/DDoS Attack: Attack Type, Selected, Defense against ICMP flooding, Pa
355. n is selected, the device detects attacks based on MAC addresses. The reason why this option cannot be selected when the intranet has L3 switches is that the MAC addresses of data transferred through an L3 switch are changed to the MAC address of the L3 switch. This may cause the device to discard all Internet access data from the intranet. IP Exclusion: DoS protection is not implemented for the IP addresses in the list. For example, if there is a server on the intranet that provides services for the Internet and sets up many connections with the Internet, it is recommended that the IP address of the server be added to the list. This prevents the IP address from being blocked by DoS protection. Max TCP Connections: It specifies the maximum number of TCP connections that can be set up from an IP address within 1 minute to a port of another IP address. If the upper limit is exceeded, the source IP address is locked for a specified period. Max Attack Packets: It specifies the maximum number of attack packets, including SYN, ICMP and TCP/UDP packets, that can be sent by a host within 1 second. If the upper limit is exceeded, the IP address or MAC address of the host is locked for a specified period. Lockout Period (min): It specifies the period in minutes for which a host making an attack is locked after the device detects the attack. ARP Spoofing Protection: ARP spoofing is a common intranet virus. Computers in
356. n methods, IP/MAC address binding information and passwords. If the target group for importing the users does not exist, a group is automatically created during the import. A CSV file is in a simple format and can be edited and stored by most spreadsheet software. For example, Microsoft Excel can edit CSV files and easily convert XLS files into CSV files. CSV files do not support column width, font or color settings. Therefore, to facilitate user editing and management, you can edit user information in XLS files and convert the XLS files into CSV files before import. (Import from CSV File: Import users from csv file; Example File; What Is CSV File.) Import: Step 1: Click Example File to download the example user information. Set the user information that you want to import based on the format in the example file. The notes in the example file read: no need to be filled with value; please refer to the example below to enter the accounts to be imported, indicates that the field is required, Please DO N; Local Password being left blank means the password is null, N/A indicates the user is not configured with a local password and s; Bind IP (Unidirectional) being left blank indicates that the user can log in with any IP address, multiple addresses are supporte; Bind IP (Bidirectional) being left blank indicates that the user can log in with any IP address, multiple addresses are supported; Allow Multi-User
357. n on the console and click the link in the displayed dialog box (if no Save As page pops up, click here to download again). Step 3: Save the exported file. The Engineering Department group and its users are exported successfully. (In the Save As dialog the file name is acuser_org.csv and the file type is Microsoft Office Excel Comma Separated Values File.) Note: If a group contains no users, the group cannot be exported independently. 3.7.1.4.3 Moving Users/Groups: You can move an existing user or group to another group. After the operation is successful, the user or group is moved to the target group. 3.7.1.4.3.1 Configuration Example: Moving Users/Groups. Move user1 and user2 to Default group. Step 1: Select user1 and user2, click Move and select a target group. Click Move; user2 is moved successfully. (Members page: Add, Delete, Refresh, Edit Multiple, Select, Import, Export and Move; the list columns are No, Name, Address and Expiry Date; the Move to Group dialog shows Default g
358. n policy. Choose User Authentication > Policy and click Add. Set the authentication mode to SSO using IP or MAC addresses. See section 3.6.2.1.3. Step 5: Log in to the domain on a computer and check whether you can access the Internet successfully. I. Domain server deployed outside the intranet (LDAP). The data flow process is as follows: 1. The data packets of a PC logging in to the domain pass through the NGAF. 2. The intranet interface of the NGAF is used as a monitoring port. Configuration: Step 1: Choose User Authentication > Options > External Auth Server and set the AD domain authentication service. For details see section 3.6.2.3. Step 2: Enable SSO, select the SSO mode and set the IP address of the domain server. Choose User Authentication > Options > SSO Options > Domain SSO. Select Enable Domain SSO. Select Obtain login profile by monitoring the data of computer logging into domain. Enter the IP address and the listening port of the domain server in Domain Controllers. If there are multiple domain servers, enter the IP address and the listening port of each domain server on a separate line. See the following figure (Authentication Options > SSO Options > Domain SSO: Enable Domain SSO; Domain SSO Program Download; Obtain login profile by executing logon script; t
359. n the headquarters and branches use different operators' lines for interworking and packet loss occurs frequently. This item can be set to Low packet loss, High packet loss or (Note: The Cross-ISP Access Opt function needs to be enabled separately; otherwise it is invalid. If this function is enabled at the headquarters, all mobile users connected to the headquarters can use this function directly. Other branch hardware equipment connected to the headquarters also needs to enable this function.) Click LAN Service to set the permissions of the peer end of the VPN connection, that is, specify the services that the peer end can access. Click Enable connection to activate the connection. Click OK to save the settings. (Select LAN Service: Available: All ICMP Services, All Services, All TCP Services, All UDP Services; Default Action: Allow or Deny.) Virtual IP Pool: If the SANGFOR VPN equipment assigns an idle IP address segment as the virtual IP addresses of mobile users, or assigns any IP network segment as the virtual IP network segment of branches, the virtual IP address pool is required to resolve the IP address conflicts that result when two branches with the same network segment concurrently access the headquarters through the VPN. After a mobile user is connected, a virtual IP address is assigned to this user. The source IP address of all operations performed by this mobile user is the assigned virtual IP address. You can specify netw
360. nable (interface settings: Name eth1; Description; Type Route (layer 3); Added To Zone WAN; Basic Attributes: WAN attribute, Pingable; IP Assignment: Static, DHCP or PPPoE; Static IP 192.168.1.254/24; Next Hop IP; Line Bandwidth: Outbound 12.5 Mbps, Inbound 12.5 Mbps; Link State Detection Settings). Step 4: Configure a default route destined to 0.0.0.0/0.0.0.0 that points to the front-end gateway 1.1.1.2. Add static routes destined to the various network segments behind the layer 3 switch, because the intranet interface is connected to multiple network segments through three layers. For static route configuration see section 3.2.2.1. Step 5: Configure a proxy to enable intranet users to access the Internet. For details see section 3.7.1.1. Step 6: Connect the NGAF to the network. Connect interface ETH2 to the optical line and interface ETH1 to the layer 3 switch on the intranet. Notes: When the NGAF works as a router, the gateways of the PCs on the LAN point to the IP address of the intranet interface of the NGAF or to the layer 3 switch. The gateway of the layer 3 switch points to the NGAF. Internet access data is handled by NAT on the NGAF or is routed. When the NGAF has multiple router interfaces, they can be configured with IP addresses in the same network segment. The network interface that forwards data is determined by st
361. nal authentication server and the packets of users logging in to the external server do not go through this device, you need to mirror the packets to an idle interface of this device. Specify the mirror interface here (Enable mirror interface; Mirror Interfaces: the selected interface will be monitored; eth0, eth1, eth2, eth3). Step 7: Before accessing the Internet, log in to the preset website, such as the BBS website in the example. You can access the Internet after the login is successful. Scenario 2: The web server is located on an external network. The data flow is as follows: 1. Login data is transferred from the PC through the device to the web server. 2. The intranet interface of the device is also used as the monitor interface. Therefore no additional monitor interface needs to be set. Web SSO is successful when the web server login is successful. Configuration: Step 1: Enable SSO on the device, select the monitoring mode and set the shared secret. Choose User and Policy Management > User Authentication > Authentication Options on the Policy Navigation page. Authentication options are displayed on the right. Choose SSO Options > Web SSO and select Enable Web SSO. (Authentication Options > SSO Options: Domain SSO, Proxy SSO, POP3 SSO, Web S
362. Select Added To Group and Allow concurrent login on multiple terminals in Synchronization Target, so that the domain account on the equipment is a public account by default, that is, the same account can be logged in on multiple computers. If this option is not selected, the user is a private account and the account can be logged in on only one computer. Step 6 Set the synchronization policy. Click Submit. You can view the added synchronization policies in LDAP User Sync Policy and start the synchronization immediately by clicking the Sync Now icon. If you do not click it, the synchronization is performed automatically once every day. [Figure: LDAP User Sync Policy list: Add, Delete, View Logs, Refresh; columns No., Policy Name, Description, Group, User, Auto Sync, Last Sync, Sync Now, Delete; row 1: Sync Policy 1, Sync RD ou, Auto Sync Yes, Last Sync: Synchronizing succeeded] Step 7 Choose User Management > Groups to check the organizational structure. As shown in the following figure, the imported OUs and users are consistent with those in the LDAP server. [Figure: group tree: Admin; FAE (Chinese FAE, Hong Kong FAE, Malaysia FAE, Singapore FAE); RD; sales; Default group] If the names of user groups or users on the equipment are the same as those of the user groups and users in the OUs to be synchronized, the OUs and users in the LDAP cannot be synchronized to the
363. nd Central Management (CM)
364. nd click Settings. The Sensitive Data page appears. Specify the sensitive data and the method of calculating sensitive data hits. See the following figure. [Figure: Sensitive Data dialog: Hit Count Based On: IP address / Connection; columns Sensitive Keyword, Description, Hit Count Threshold; No data available; OK; Cancel] You can set Hit Count Based On to IP address or Connection. IP address means that when sensitive data is transferred through the device, the hits of an IP address are counted. Connection means that when sensitive data is transferred through the device, the hits of a connection are counted. When it is set to Connection, joint source IP address locking is enabled by default. Click Add, select the sensitive data, and set the sensitive data combination policies. See the following figure. [Figure: Sensitive Keyword Group dialog: Sensitive Keyword, Regular Expression, Predefined Sensitive Keywords (MD5, Email address); Name; Description; Hit Count Threshold 100; OK; Cancel] You can add multiple sensitive data combination policies, each policy being called a mode. Each mode can contain multiple pieces of sensitive data. If a mode contains multiple pieces of sensitive data, a hit is counted only when all of the sensitive data is matched. When the minimum number of hits is reached or exceeded, it is regarded as a sensitive data leak
365. nd of management because it makes resources more distinguishable. Navigate to SSL VPN > Resources > Resource and click on a resource group; the resources included in the group are displayed on the right pane. The resource group tree is as shown in the figure on the right. Default group is a group protected by the system and cannot be deleted, but its attributes can be modified. Adding/Editing a Resource Group: 1. Click Add > Resource Group to enter Edit Resource Group, as shown in the figure below. [Figure: Edit Resource Group dialog: Name; Description; Enable resource group; View Resources: In icons / In text; Added To; Save and Add; OK; Cancel] 2. Configure the Basic Attributes of the resource group. The basic attributes are the following. Name, Description: the name and description of the resource group, respectively. The name is shown on the Resource page after the user logs in to the SSL VPN successfully. View resource: the way resources are displayed on the Resource page, in icons or in text. If In Icons is selected, define the icon size (48x48, 64x64 or 128x128) so that the resources are displayed with the wanted icon size. If In Text is selected, you may select Show description of the resource. Added To: the resource group to which this group is added. By default, a resource group is added to the root group. Adding/Editing a TCP Application: TCP application 1
366. nd port settings are not available for IPv6 DNAT. Click Destination NAT on the IPv6 NAT page; the page in the figure below appears. [Figure: Add IPv6 DNAT Rule dialog: Name; Description; Source Zone: Select External Zone; Destination Subnet Prefix: IPv6 address/Prefix; Destination Translation: Translate Dst To: IPv6 address/Prefix; Save and Add; OK; Cancel] 3.8.1.2.1 Destination NAT Configuration Example: A customer has the topology shown in the following figure. There is a web server on the customer's intranet whose IP address and service port are 172.16.1.100 and 80. The customer requires that Internet users can reach the server by accessing http://1.2.1.1. This requirement can be met by destination NAT. [Figure: topology: ETH1 1.2.1.1/24; NGFW; ETH2 10.10.10.1/30; WEB Server 172.16.1.100; LAN USER 192.168.1.0/24] Step 1 Before setting the destination NAT rules, choose Network > Interface/Zone, click the Zone tab, and define the home zone of each interface. For configuration details, see sections 3.2.1.4 and 3.4.8. In this example, interface ETH1 is defined as an Internet zone and ETH2 is defined as an Intranet zone. See the following figure. [Figure: Interfaces page, Physical
367. ne Policy; Multicast Service; Tunnel Parameter. [Figure: Multicast Service tab: Enable (prior to enabling it, go to Basics > Advanced to enable multicast); Available / Selected: Default multicast service] The Tunnel Parameter tab page displays information including the tunnel timeout, dynamic tunnel detection and intra-tunnel traffic control. See the figure below. [Figure: Tunnel Parameter tab: Timeout (seconds); Enable tunnel dynamic probe, Probe Interval 1-1440 (minutes); Enable tunnel traffic control, Max Inbound Bandwidth, Max Outbound Bandwidth] Timeout: SANGFOR VPN supports setting a timeout for a network with long delay and a high packet loss rate. The timeout configured at the headquarters takes effect for all tunnels. The default timeout is 20 seconds. The timeout needs to be extended in a poor network environment. Enable tunnel dynamic probe: This item is valid when the local end or the peer end has multiple lines. The SANGFOR VPN equipment detects the delay and packet loss rate of each line and selects the optimal line for data transmission. Enable tunnel traffic control: This item is used when multiple VPN branches or mobile users access the equipment. If one branch or mobile user uses up the bandwidth at the headquarters, the access speed of the other branches or mobile users is lowered. To resolve this problem, you can sp
368. ne guarantee channel percentage at 30 and the other at 90, the first channel is allocated 30/(90+30), that is 25%, and the other 90/(90+30), that is 75%. [Figure: channel list: Add, Delete, Refresh; columns Name, IP/User, Application, Dst IP Group, Schedule, Target, Min Bandwidth, Per User Max Bandwidth, Priority, Status; row: Marketing, IP group, All, All, All week, Line 1, 1 Mb/s / 1 Mb/s, No limit / No limit, High] 2. Priority: If the actual bandwidth is not fully occupied, the channel with the higher priority preempts the unoccupied bandwidth. Traffic Restriction Channel: You can set a maximum bandwidth for a channel to restrict the bandwidth allocated to the channel. In this case, the bandwidth occupied by the channel does not exceed the maximum bandwidth. 3.12.7.2.1 Configuring a Traffic Restriction Channel, Example: Assume that a company has rented a 10 Mb/s telecom data line, has 1000 users accessing the Internet, and needs to ensure that normal business is not affected by Thunder Download or P2P downloading services, which sales department employees use frequently. The bandwidth occupied by the data downloading services of the sales department is to be restricted to under 2 Mb/s, with the per-user bandwidth of these services under 30 Kb/s. Step 1 Choose Traffic Management > Channel Configuration. Select Enable Bandwidth Management System. Step
369. ne interfaces. When there are multiple external lines, internal users are directed to different links to access applications such as online banking and online payment. These applications have high security requirements; therefore, some servers authenticate the source IP address. If an internal user accesses such an application multiple times using different source IP addresses, the server ends the connection. In this case, the policy-based routing function lets internal users access these applications from a specific interface or next hop, which ensures that a fixed source IP address is used for these applications. When there are multiple external lines on the equipment, the optimal line is used in preference based on policy-based routing, bandwidth ratio and weighted minimum traffic. In this way, lines are selected dynamically, making effective use of line bandwidth and implementing load balancing. OSPF: The OSPF tab page allows you to enable OSPF for the NGAF equipment and set the OSPF dynamic routing protocol. This tab page covers four modules: Network Segments, Interfaces, Parameters and Status. See the figure below. [Figure: Routing page: tabs Static Route, Policy-Based Routing, OSPF, RIP, All Routes; Enable OSPF; Add Virtual Connection Groups; 1 Network Segments (Add, Delete; columns No., Network Segment, Area ID); 2 Interfaces; 3 Parameters; 4 Status] Select the Enable OSPF
370. new tab. Example: Application scenario: A user needs to find out whether the source IP address 192.200.17.10 was successfully authenticated by the authentication module of the NGAF on August 15. Step 1 Set the search criteria. [Figure: User Login/Logout log filter: Specify the following and click Go to retrieve data. From 2013-08-15 00:00 To 2013-08-15 23:59; Src IP/User: IP 192.200.17.10; User Group: All; Go; Open in new tab] Step 2 Click Go. Data that meets the search criteria is generated. [Figure: User Login/Logout log: Filter; Export Logs; Filter Period 2013-08-15 00:00 to 2013-08-15 23:59; Src IP/user: IP 192.200.17.10; columns No., Username, Group, Login IP, Last Login, Last Logout, Online Duration, Details; row 1: sangfor, 192.200.17.10, 2013-08-15 08:24:03, 2013-08-15 20:36:03, 12 hours 12 minutes, View] The data shows that the source IP address 200.200.2.113 was successfully authenticated by the authentication module of the NGAF on May 30 and stayed online for 10 hours, 52 minutes and 9 seconds. Admin Operation: The Admin Operation page enables users to view the logs generated throughout the process in which a user logs in to the console, performs operations, and then logs out. For example, a user can view the logs concerning the operations performed on the console by the ac
371. nfiguration Example: Editing Users/Groups in Batches. Set Description to Engineering Department for the users guest, test, user1, user2, user3 and user4; set the same password for the users; bind the users to the IP address range 192.168.1.1-192.168.1.255 in a unidirectional manner; and set the expiry date of the users to January 1, 2012. Step 1 Select the users guest, test, user1, user2, user3 and user4 and click Edit Multiple. [Figure: Members list: Add, Delete, Refresh, Edit Multiple, Select, Import, Export, Move, Search by Name; columns No., Name, Address, Expiry Date, Status; rows: 1 guest, 192.168.1.4-192.168.1.100, Never expire; 2 manager, 192.168.1.217 / 00:1c:25:ac:4c:12, Never expire; 3 test, 192.168.1.117 / 00:1c:25:ac:4c:44, Never expire; 4 user1, No binding information, Never expire; 5 user2, No binding information, Never expire; 6 user3, No binding information, Never expire; 7 user4, No binding information, Never expire] Step 2 Select Description and type Engineering Department. Select Password Settings and Local password, and type the password. [Figure: Edit Multiple Users dialog: User Attributes; Username: guest, test, user1, user2, user3, user4; User Status: Enable / Disable; Description; Password Settings: Local password; Password; Confirm] Step 3 Select Bind IP/MAC and Enable IP/MAC Binding. Select Modify IP/MAC address and type
372. ng efficiency of users on the intranet is low because they watch online videos and play games during work time. Users must be prevented from playing games and watching online videos during work time but are allowed to do so after work. The work time is 08:00-12:00 and 14:00-18:00. [Figure: topology: 172.16.1.0/24; 192.168.1.0/24] Step 1 Define objects before configuring the application control policy. Choose Network > Interface and define the zones of the interfaces. Choose Objects > IP Group and define the IP address group of the servers on the intranet. Choose Objects > Schedule to define the work time of users. For details, see section 3.4.12.1. Set ETH2 to LAN, ETH1 to WAN, and 192.168.1.0/24 to LAN IP Range. Select Working Hour on the Recurring Schedule page. [Figure: IP Group list: Add, Delete, Refresh, Import, Export; columns No., Name, Description, Status; rows: 1 All, All IP addresses, In use; 2 Server Farm, In use; 3 Internal Users, In use; 4 scansIPG20130815114346_000, The IP group is automatically generated during risk prevention, In use. Schedule (One-Time Schedule / Recurring Schedule): 1 All week, Mon-Sun, Morning 0:00 to Afternoon 11:59 (the last minute included); 2 Working Hour, Mon-Fri, Morning 8:00 to Morning 12:00. Interfaces: Physical Interface, Sub-Interface, VLAN Interface; Add, Delete, Refresh; columns Zone Name, Zone Type, Interf
373. nistrators 1 and 2 to log in through https://<device IP>:8000 for management. The following figure shows the page after login. [Figure: Website Anti-Defacement System page: Refresh every 5 seconds; Refresh; Update Local Cache; Enable; Disable; Defaced Websites 0, Normal 1, Disabled 0; columns No., Status, Website Name, Start URL, Website IP, Defaced Webpage, Cached Webpage, Excluded URL, Time; row 1: Protected, JCS, http://192.168.3.100] The configuration is complete. When a defacement occurs, the following prompt is displayed at the user end: [Figure: Website under Maintenance. This website is temporarily closed. Please try again later.] To enable the NGAF to restore normally cached pictures to the client end when only pictures are defaced, select Check defacement of static image, text file, etc. To exclude a webpage from the defacement detection of the NGAF, click Add into the whi
374. nloading applications are restricted in bandwidth. Therefore, select P2P Stream Media/All, Download Tools/All and P2P/All for Application category. You can also select Website Type and File type to restrict the bandwidth for accessing certain websites or for downloading certain types of files over HTTP and FTP. In the Selected list, check that all selected objects are correct and click OK. [Figure: Select Application dialog: View All; Application category, Website Type, File type; Selected: P2P Stream Media/All (Application), P2P/All (Application), Download Tools/All (Application); OK; Cancel] The configuration of Applicable Objects defines for which users, user groups and IP addresses the channel takes effect, based on IP addresses or on users. In this example, the bandwidth restriction applies to the employees of the sales department. Therefore, choose User for IP/User and select the group in the displayed Select User Group screen. You can select users and user groups under Current Group; the selected users and user groups are listed under Selected Objects. After all required objects are selected, click OK. The configuration is complete. [Figure: Select User Group dialog: Current Group: Admin, Default group, Management, Marketing, Normal Users, Group 1; Selected Objects: Marketing] Schedule defines the effective time of the channel. Dst I
375. [Figure: Group Policy tab buttons: Delete, Properties, Down; Block Policy inheritance] 5. In the displayed Group Policy Object Editor window, choose User Configuration > Windows Settings > Scripts (Logon/Logoff). [Figure: Group Policy Object Editor: Default Domain Policy; Computer Configuration: Software Settings, Windows Settings, Administrative Templates; User Configuration: Software Settings, Windows Settings > Scripts (Logon/Logoff), Internet Explorer Maintenance, Administrative Templates; right pane: Logon, Logoff] 6. Double-click Logon on the right. In the displayed Logon Properties window, click Show Files in the lower left corner. A directory is opened. Save the login script file in the directory and close it. [Figure: Logon Properties dialog, Scripts tab: To view the script files stored in this Group Policy Object, press the button below; Show Files] [Figure: Explorer window at \\sangfor.com\sysvol\sangfor.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts; columns Name, Size, Type, Da
376. ntage and historical traffic of each line and of the main line. Bandwidth Channel: The Bandwidth Channel tab page displays the traffic information of the channels. See the figure below. [Figure: Bandwidth Channel tab. Tips: the two values in some columns stand for Outbound/Inbound respectively. Period: None; View: All channels; columns Name, Line, Transient Speed, Percent, Users, Min Bandwidth, Max Bandwidth, Status; row: Default channel, All, None, 0/0, 0, None, 5 Mb/s / 5 Mb/s, Running] The displayed information includes the channel name, line, transient speed, percentage, user quantity, minimum bandwidth, maximum bandwidth and status. You can choose to display the traffic history within a certain period of time, and select All channels or Running channels from the View drop-down list. Exclusion Rule: The Exclusion Rule tab page displays the traffic filtered out by the exclusion rules. See the figure below. [Figure: Exclusion Rule tab: columns No., Name, Transient Speed, Speed History, Traffic History; row 1: Total rate, 0/0] DHCP: The DHCP tab page displays the assigned IP addresses with hostname, MAC address, time assigned and lease (minutes). Current Status shows the status of the DHCP service. Click Refresh to update the DHCP information. See the figure below. [Figure: DHCP tab: Refresh; Assigned IP Addresses 39; Current Status Running; columns No., IP Address, Host Name, MAC Address, Time Assigned, Lease (minutes); row: 192.168.19.60, android-15b
377. nterface. If two or more pairs of virtual wires must be configured, the NGAF needs at least five interfaces: except for the one interface that must be configured as the management interface, the remaining interfaces can be configured as virtual wire interfaces. Bypass (Mirror Interface) Configuration: Bypass mode: The network environment does not need to be modified to implement protection, and the risk of network interruption caused by a device malfunction is avoided. The NGAF is connected to the mirror interface of a switch or to a hub, so that Internet users access the server data through the switch or hub. Both upstream and downstream data must be mirrored when the mirror interface is configured in order to realize server protection. Configuration example: The following figure shows the network topology where the NGAF is deployed in bypass mode, the user network segment is 192.168.2.0/24, and the server network segment is 172.16.1.0/24. The NGAF is required to implement IPS protection and web application protection and to prevent sensitive data leaks from the servers. [Figure: topology: VLAN 192.168.1.1/24; VLAN 172.16.1.1/24; Mirror Interface ETH1; VLAN1 192.168.2.1/24; ETH0 IP 192.168.1.12/24, GW 192.168.1.1] Step 1 Log in to the NGAF by using the default IP address of the management port ETH0, which is 10.251
378. nterprise or an institution, thereby facilitating management. 3.7.1.3.2.1 Configuration Example: Adding a Sub-Group. This section describes how to add an engineer sub-group under the root group. Step 1 In the Groups pane, select the group under which you want to add a sub-group. On the Members page displayed on the right, click Add and select Group. [Figure: Users page: Fuzzy match; Group Path; Modify; Description; tree: Default group; Members: Sub groups 1, immediate users 1, total users 87; Add, Delete, Refresh, Select, Import, Export, Search by Name; columns No., Name, Address, Expiry Date; rows: 1 Default group; 2 sangfor, No binding information, Never expire; Page 1 of 1; Entries Per Page 20] Step 2 In the Add Group dialog box, type the group name in the Group Name text box and the group description in the Description text box. [Figure: Add Group dialog: Group Name Admin; Path] Step 3 Click OK. The sub-group is added successfully. [Figure: Users page: Group Path; Description Admin; Members: Sub groups 2, immediate users 1, total users 87; rows: 1 Admin; 2 Default group; 3 sangfor, No binding information, Never expire] The equipment supports a maximum of 16 levels of groups.
379. ntial before accessing the Internet. [Figure: authentication prompt: User que failed to pass the authentication, possibly due to a username/password error] Two binding modes are available for Bind IP/MAC: unidirectional binding and bidirectional binding. Unidirectional binding: the user can use only the specified IP address for authentication, but other users can also use that IP address for authentication. Bidirectional binding: the user can use only the specified IP address for authentication, and the specified IP address is available only to that user. In the example above, the created user is authenticated by user name and password and is bound to IP addresses in a unidirectional manner. The following example describes how to add a user bound to IP addresses in a bidirectional manner. 3.7.1.3.2.3 Configuration Example: Adding a User (2). All computers on the customer's LAN segment 192.168.1.0/255.255.255.0 are authenticated by user name and password. A user named Engineer Li needs to be added to the engineer group. The user is authenticated by user name and password and is bound to the IP address/MAC address 192.168.1.117 / 00:1C:25:AC:4C:44 (the IP address/MAC address is required for authentication and is unavailable to other users). Step 1 Configure a user name and password based authentication method for all computers on the network segment 192.168.1.0/255.255.255.0. First set an authentication
380. nticates the user. Therefore, the user can access the Internet without entering a password again. 3. Because the data is exchanged on the intranet, POP3 login data is not transferred through the device. Therefore, a monitor interface must be set on the device. Configuration: Step 1 Set the POP3 server for authentication. Choose User Authentication > Options > External Auth Server. For details, see section 3.6.2.3. Step 2 Enable SSO on the device, select the monitoring mode, and set the IP address of the domain server. Choose User Authentication > Options > SSO Options > POP3 SSO. Select Enable POP3 SSO to enable the POP3 SSO function. Enter the IP address and port number (default port TCP 110) of the POP3 server used for POP3 authentication in the Mail Server List text box. If there are multiple IP addresses and port numbers, each line contains only one IP address and port number. See the following figure. [Figure: Authentication Options > SSO Options: Domain SSO, Proxy SSO, Web SSO, Auth Page Redirection; Enable POP3 SSO; Authentication Conflict; Obtain MAC By SNMP; Other Options. Note: "If packets from internal users logging into the POP3 server (mail server) do not go through this device, you need to mirror them to the device and go to the Others tab to enable the mirror interface." Mail Server List: one entry per row; IP and port are separated by a colon; keep the defaults if you do not want to specify any
381. Hybrid Deployment. Configuration example: The following figure shows a network topology in which the intranet has a large server cluster that must be accessed by users through the public network. Each server is assigned a public IP address. The NGAF is deployed at the public network egress so that users access the server cluster by its public IP addresses; the servers cannot be published through port mapping. The NGAF also serves as a proxy to enable intranet users to access the Internet. [Figure: topology: 1.2.1.5/24; ETH2 Bridge; VLAN2 1.2.1.2/24, GW 1.2.1.1; ETH3 Route 1.2.1.6/24, IP 192.168.1.1/24; VLAN2 192.168.1.254/24; VLAN3 192.168.2.254/24; 192.168.2.0/24] To enable users to access the servers by their public IP addresses, configure ETH2 of the NGAF, connecting to the public network, and ETH1 of the NGAF, connecting to the server cluster on the LAN, as transparent access interfaces on the same VLAN, and configure a VLAN interface with the corresponding public IP address. Configure interface ETH3, connecting to the intranet, as a router interface. When an intranet user accesses the public network, the source IP address is translated to the public IP address of the VLAN interface. Step 1 Configure the Ethernet interface ETH2. Choose Network > Interface > Physical Interface and click eth2. The Edit Physical Interface dialog box is displayed. Perform the configuration as shown in the following figure. Ed
382. [Figure: log filter residue: Open in new tab; Service/Application; Action: Allow, Deny, Deny in associated policy] Example: Application scenario: A user needs to view the logs of traffic from the LAN to the WAN that was denied by the application control policy on May 30. Step 1 Set the search criteria. [Figure: Application Control log filter: Specify the following and click Go to retrieve data. From 2013-08-15 00:00 To 2013-08-15 23:59; Source Zone; Src IP/User: All; User Group; Dst Zone; Dst IP; Action: Allow, Deny, Deny in associated policy; Go; Open in new tab] Step 2 Click Go. Data that meets the search criteria is displayed. [Figure: Application Control log: Filter; Export Logs; Filter Period 2013-08-15 00:00 to 2013-08-15 23:59; Src zone LAN; Src IP/user All; Dst zone WAN; Dst IP All; Service/application All; Action Allow, Deny, Deny in associated policy; columns No., Time, Service/Application, Protocol, Src Zone, Source IP/User, Src Port, Dst Port, Policy Name, Details; No data available] Local Security Event: The Local Security Event page shows the overall security events of the local network, which lets the user review the security issues that have occurred in the network. [Figure: Local Security Events filter: Specify the following and click Go to retrieve data. From 2014-08-01 00:00 To 2014-09-05 23:59; Source Zone: All; Src IP: All; Attack Type: All
383. [Figure: source NAT rule list: columns No., Name, Type, Source Zone, Dst Zone/Interface, Source IP, Dst IP, Protocol, Src Port, Dst Port, translated Source IP, Dst IP, Dst Port, Hit Count, Status, Clone, Delete; row 1: Internet access, SNAT, LAN, WAN, LAN IP Range, All, All, Egress interface, Unchanged] To modify a source NAT rule, click the name of the rule to go to the modification page. To delete a source NAT rule, select the rule and click Delete, or click the delete icon and follow the instructions to complete the deletion. To disable a source NAT rule, click its status icon; when the rule is disabled, the status icon changes to the disabled icon. To enable the rule again, click the icon and follow the instructions to enable the rule. You can add an IP group either by defining an object or while selecting it in a source NAT rule. Destination NAT: Destination NAT changes the destination IP address of data transferred through the device. It is often used to map services on internal servers to the Internet so that Internet users can access the server. Click Add on the IPv4 NAT page and choose Destination NAT. The page shown in the following figure appears. [Figure: Add Destination NAT Rule dialog: Enable; Name Port Mapping; Description; Source Zone WAN; Destination: IP Address / IP Group; Protocol Type TCP; Dst Port; Destination NAT: Translate IP To: IP Address 192.168.1.1; Save and Add Another; OK; Cancel] Protocol a
384. o Static, DHCP or PPPoE based on the characteristics of the specified line. If IP Assignment is set to Static, you need to set Static IP and Next Hop IP. If the IP address of the interface is obtained automatically through DHCP, set IP Assignment to DHCP. If the line uses ADSL dial-up, set the user name, password and other dial-up parameters. Static IP can be given in the format IP address/mask or IP address/mask HA. The latter format indicates that the IP address is not synchronized along with the network interface; it applies in the scenario where the NGAF works in hot standby mode. Set IP Assignment to Static because the Ethernet interface is connected to an optical line assigned a static IP address, and configure the public IP address and next hop gateway assigned to the optical line by the ISP. Set the uplink and downlink bandwidths of the public link in the Line Bandwidth area. Click the unit button to change the bandwidth unit, which is KB/s, MB/s or GB/s. Link State Detection lets users detect link availability. To enable link failure detection, click Settings. The Link State Detection dialog box is displayed, where you can configure a detection method. [Figure: Link State Detection dialog: Enable; Detection Method: DNS lookup (DNS Server 1, DNS Server 2, Resolve Domain www.sangfor.com), PING (Destination IP 1 207.96.157.23, Destination IP 2); Options: Interval (sec
385. o the default value and Method to Full password dict, and click Advanced Settings. In the Advanced Settings dialog box, set Username Dictionary to sangfor. [Figure: Enable weak password scan; Full password dict (takes a longer time); Advanced Settings] [Figure: Advanced Settings dialog: RDP/VNC Service (RDP/VNC scan and full scan take a longer time; by default a general scan is implemented; Implement full scan); Username/Password Dictionaries: Username Dictionary sangfor; Password Dictionary: Type here] Step 5 Click the scan button to start scanning. The following figure shows the scanning result. [Figure: Risk Assessment completed 96%; Scanned 5312 ports, 1 port left; View Weak Password Details; Tips: You may leave this page and check it again later; Restart; Enable weak password scan; Export as PDF; filters: All; Associated Policies: All; IP address or port; columns Server IP, Port, Application, Protocol, Accessible, Accessible IP, Threat Level, Risk, Operation; rows: 192.200.17.22, 3306, mysql, TCP, WAN, 0.0.0.0-255.255.255.255, High, Open port risk; 192.200.17.202, 69, tftp, UDP, WAN, 0.0.0.0-255.255.255.255, High, Open port risk; 192.200.17.202, 21, ftp, TCP, WAN, 0.0.0.0-255.255.255.255, High, Weak password risk (1) and Open port risk; 192.200.17.200, 1433, mssql, TCP, WAN, 0.0.0.0-255.255.255.255, High, Open port risk]
386. ociated Policies to view the automatically created protection policies. [Figure: Associated Policies list: IP address or port; View All; columns Policy Name, Type, Target Server IP, Time Created, Status; rows: scansWAF201306..., Web app protection, scansIPG2013062..., 2013-08-27 11:01; scansWAF201308..., Web app protection, scansIPG2013082..., 2013-08-27 11:01; scansWAF201308..., Web app protection, scansIPG2013081..., 2013-08-15 11:43; scansApp2013082..., Port Block Policy, scansIPG2013082..., 2013-08-27 10:57] Click a policy name to view the policy. [Figure: View Web Application Protection Rule (edit not allowed): Enable; Name: the scansWAF... policy created 2013-08-27; Description: The policy is automatically generated during risk prevention; Source Zone WAN; Destination Zone WAN; IP Group scansIPG20130827110138_000; Port; Protection: Website-based Attack, Parameters; Selected: OS command injection, SQL injection, CSRF defense (Settings), Restrictive URL access (Settings), Proactive protection (Settings), Custom parameter protection; Close] [Figure: View application control policy (edit not allowed): Enable; Name scansApp20130827105718_000; Description: The policy is automaticall
387. ...ogout page is displayed after successful login. Show Logout page if user passes password-based authentication. Set Expiry Date for the user. (p. 170)
[Figure: Expiry Date: Never expire / Date.]
Step 5: After the user attributes are set properly, click OK. The user is added successfully.
[Figure: Group Path /Admin; Description: Admin; Members: 0 sub-groups, 2 immediate users, 2 total users. User list (No. | Name | Address | Expiry Date): 1 | guest | 192.168.1.2-192.168.1.100 | Never expire; 2 | test | 192.168.1.117, 00:1c:25:ac:4c:44 | Never expire.]
Step 6: Open a webpage as a user on the corresponding network segment. The webpage is redirected to the authentication page of the equipment. Type the user name and password and click Log In. If the user name and password are correct and match the bound IP address, the authentication is successful. If the user name and password are correct but the IP address or MAC address used for login is inconsistent with the bound IP address or MAC address, the authentication fails and a reminder message is displayed. See the figure below.
[Figure: Authentication failed. Username: test; IP address: 192.200.17.10; Authentication failed, possibly because the IP or MAC address is outside the permitted range.]
Authentication for other users using the IP...
388. ...omain name containing the keyword is identified as the URL category. The matching priority of domain name keywords is lower than that of embedded URL databases and custom URL databases.
Note: The asterisk (*) is a wildcard character. For example, if you want to set a URL for Sina web pages, including news.sina.com.cn, sports.sina.com.cn and ent.sina.com.cn, type *.sina.com.cn in the URL text box. Note that the asterisk only matches top-level domain names and must be placed in front of the URL for the URL to take effect.
3.5.5.1.3 Deleting a URL Category
You can delete a custom URL category. Embedded URL categories on the equipment cannot be deleted. On the URL Database page, select a custom URL category and click Delete. The selected URL category is deleted. (p. 144)
3.5.5.1.4 Modifying a URL Category
You can modify a custom URL category or an embedded URL category. When you edit a custom URL category, you can edit Description, URL and URL Keyword. When you edit an embedded URL category, you cannot edit Name or Description, or edit an existing URL in the embedded URL databases; you can only add URLs and keywords in the URL and URL Keyword text boxes as supplements to the embedded URL databases. Click the name of the URL category that you want to modify. The Add URL Category dialog box is displayed.
[Figure: Add URL Category: Name Facebook; Description Facebook; URL facebook.com.]
389. ...ommun... Operation (p. 231)
Step 5: Set authentication policies based on the IP addresses or MAC addresses of the users who require MAC address authentication. Choose User Authentication > Policy, click Add and set the policies. See section 4.6.2.1.3.
Step 6: After the previous five steps, the computer connected to the layer 3 switch can be authenticated as a new user and access the Internet through the device.
Note: When the SNMP server is searched for by its IP address, the SNMP function of the server must be enabled and COMMUNITY must be set to Public. Otherwise the search fails and you need to enter the SNMP server information manually.
3.7.2.2.5 Other Authentication Options
Other Options is used to set some options related to authentication. See the following figure.
[Figure: Authentication Options (SSO Options, Auth Page Redirection, Authentication Conflict, Obtain MAC By SNMP, Other Options) > Other Options: Auto logout the user who causes no flow in a specified period, Time Period (mins) 120; Submit user credential using POST method; DNS service is available before user passes authentication; Basic services except HTTP are available before user passes authentication; Require authentication again if MAC address is changed; Lock user if authentication attempts reach the threshold, Max Attempts 2, Lockout Period (mins) 1.]
You can select Auto logout the user who causes no flow in a specified pe...
390. ...on are caused by a fault in the network access behavior module, and restore network failures caused by policy configuration faults. Cancel disables the drop-list output and bypass. (p. 360)
Remote Tech Support
This function is used when the device connection fails through port mapping. Enter the license key provided by the device provider and click Start. Then technical support personnel can connect to your device and intranet.
[Figure: Remote Tech Support: After the license key is activated, a technical support representative can remotely connect to this device and your intranet (optional). Start. Please contact the device provider for the license key (6 digits).]
Restart
The Restart page provides Restart Device and Restart Services buttons, as shown in the following figure.
[Figure: Restart: Restart Device; Restart Services.]
Configuration: Device as a Gateway (Routing Mode)
If the NGAF device is deployed functioning as a gateway, configure the device as follows. (p. 361) This is often used on initial installation to ensure normal...
1. Physical Interface: a. Set the interface type to route. b. Configure the physical interface as a WAN interface for connecting to the external network.
2. Zone: a. Assign the configured interfaces to the appropriate zone according to security level.
3. IP Group: a. Put local IP addresses into different IP groups that can be associated with security pol...
391. ...on > Policy, click Add and set the policies. See section 4.6.2.1.3.
Step 4: Send and receive emails using an email client on the PC. After the POP3 server login is successful, you can access the Internet. If the POP3 server is located on an external network while automatic authentication is required, you must assign the permission in the root group to access the POP3 server. For configuration details, see section 4.8.1. In addition, choose Authentication Options > Other Options and select Basic services except HTTP are available before user passes authentication. See the following figure. (p. 230)
[Figure: Authentication Options (SSO Options, Auth Page Redirection, Authentication Conflict, Obtain MAC By SNMP, Other Options) > Other Options: Auto logout the user who causes no flow in a specified period, Time Period (mins) 120; Submit user credential using POST method; DNS service is available before user passes authentication; Basic services except HTTP are available before user passes authentication (selected); Require authentication again if MAC address is changed; Lock user if authentication attempts reach the threshold, Max Attempts, Lockout Period (mins) 1.]
3.7.2.2.1.4 Web SSO
Web SSO is applicable to users who have their own web servers and the web servers store account information. When the users are authenticated by the web servers, they are also authenticated by the device. This is applicable...
392. ...on Value specifies the minimum size of a compressed VPN data package. The default value is 100. VPN Listening Port specifies the listening port of the VPN service. The default value is 4009 and it is configurable. MSS Change specifies the maximum VPN data fragment in User Datagram Protocol (UDP) transmission mode.
Note: In normal cases, retain the default values of MTU, Min Compression Value and MSS Change. If you need to change any value, change it under the guidance of SANGFOR technical support engineers.
Internet Connection: connection mode of the gateway to the Internet. It can be set to Directly or Indirectly. If Internet users can access the VPN port of the gateway by directly obtaining an Internet IP address or through port mapping, set Internet Connection to Directly. Otherwise, set Internet Connection to Indirectly.
Click Advanced. Then set the DLAN performance parameters, enable broadcast and multicast, and set the maximum number of VPN connections and whether to transmit broadcast and multicast packets on VPN channels. See the figure below. (p. 96)
[Figure: VPN Performance; Broadcast: Enable, Start Port, End Port; Multicast: Enabled.]
Threads: maximum number of VPN connections of the control device. The default value is 300. A maximum of 1280 VPN connections are supported. Change the value of Threads under the guidance of SANGFOR technical support engineers when necessary. Broadcast: whether...
393. ...on Value (99-5000); VPN Listening Port (default 4009); MSS Change (UDP only); Internet Connection.
[Figure: basic VPN settings: Web agent 110.254.254.254:4009; MTU 1500; Min Compression Value 100; VPN Listening Port 4009; MSS Change; Allow; Internet Connection: Directly / Indirectly; Advanced; Modify Password; Shared Key; Test; Save and Apply.] (p. 95)
In the case of dynamic addressing (non-fixed IP address), enter the webpage address of the Web agent, which usually ends with .php. You can click Test to check whether the address is reachable. In the case of a fixed IP address, enter the webpage address in the format IP address:port number, for example 202.96.134.133:4009. Click Modify Password to set the password of the Web agent. This prevents unauthorized users from hijacking the Web agent to update a false IP address. Click Shared Key to set a shared key. This prevents unauthorized access to the equipment.
Note: If a password is set for the Web agent, the password cannot be recovered once lost. In this case, contact the SANGFOR customer service center to regenerate a password-free Web agent file and then replace the original file with this new file. If a shared key is set, the same shared key must be set for all VPN sites for interworking purposes. If multiple lines and fixed IP addresses are used, set the address of the Web agent in the format of IP1 IP2 port.
MTU specifies the maximum MTU value of VPN data. The default value is 1500. Min Compressi...
394. ...on between the PC and the proxy server. 2. When the PC is authenticated by the proxy server, it is also authenticated by the device.
Configuration
Step 1: Enable SSO on the device, select the monitoring mode and set the IP address of the domain server. Choose User Authentication > Options > SSO Options > Proxy SSO. Select Enable Proxy SSO to enable the proxy SSO function. Enter the IP address and port number of the proxy server for proxy authentication in the Proxy Server List text box. If there are multiple IP addresses and port numbers, each line contains only one IP address and port number. See the following figure. (p. 225)
[Figure: Authentication Options > SSO Options > Proxy SSO: Enable Proxy SSO if the login packet to the domain does not go through this device. If packets from internal users logging into the proxy server do not go through the device, you need to mirror them to the device and go to the Others tab to enable the mirror interface. Proxy Server List (one entry per row; IP and port are separated by a colon; keep the defaults if you do not want to specify any): 192.168.1.88:808.]
Step 2: If login data is not transferred through the device, you must set a mirror interface and connect it to the mirror interface of the switch that forwards the login data. Click Others and set the mirror interface. The mirror interface m...
395. ...on ... (table of contents, SANGFOR NGFW 5.6 User Manual, p. viii)
Server Access Verification ... 301
Risk Assessment ... 303
Web Scanner ... 307
3.12.6 Traffic Channel Mapping and Priority ... 317
3.12.7 Channel Configuration ... 317
3.12.12 Traffic Restriction Channel ... 326
3.13.2 Admin Accounts ... 341
Internal Report Center ... 347
3.13.7 Globally Excluded Address ... 350
3.14 System Maintenance ... 354
3.14.1 Update ... 354
3.14.2 Backup/Restore ... 356
396. ...on this vulnerability, the corresponding packets are blocked. Enable + Log event if attack detected: the current rule is enabled; in case of an attack based on this vulnerability, the attack is logged and the packets are not blocked. Enable + Analyze based on Cloud technology: if this option is selected, the equipment performs analysis and detection using cloud technology. Disable: the current rule is disabled; the equipment does not detect this vulnerability.
Notes: 1. The Action attribute of the vulnerability database is set before delivery. When you need to modify a rule, edit it. 2. You can edit only one rule of the vulnerability database at a time.
WAF Signature Database
The WAF signature database contains characteristics of application-layer attack packets that perform attacks based on structured query language (SQL) injection, cross-site scripting (XSS) and cross-site request forgery (CSRF). When passing through the equipment, these packets can be blocked based on the settings to protect the server. See the figure below. (p. 55)
[Figure: WAF Signature Database: Enable Cloud-based analysis engine; Global Action; View All; search by Rule ID or name. Columns: Rule ID | Rule Name | Type | Threat Level | Action. 13120115 | Mybb Application Exploit Attack | Web site vulnerabilities | High | Enable: Block if attack de...; 13120114 | Wordpress Application Exploit Attack | Web site vulnerabiliti...]
397. ...onary: defines the weak passwords to be found. Add customized passwords to the related dictionary. For example, if the password is sangfor, the NGAF device checks whether the default user names use the password sangfor when scanning for default weak passwords of the default user names.
After the port and weak password scan is set, click the start icon. The scan result is displayed on the lower part of the page. See the following figure.
Scan result table (Server IP | Port | Application | Protocol | Accessible Zone | Accessible IP | Threat Level | Risk):
192.200.17.200 | 1433 | mssql | TCP | WAN | 0.0.0.0-255.255.255.255 | High | Open port risk
192.200.17.200 | 80 | http | TCP | WAN | 0.0.0.0-255.255.255.255 | Medium | Web vulnerability; Open port risk
Click the operation icon corresponding to a scan result; the Port Block Policy page appears.
[Figure: Port Block Policy: Source Zone WAN; Source IP 0.0.0.0-255.255.255.255; Service: Target Server 192.200.17.200, Service TCP 80; Action Deny; Logging: Log event; OK / Cancel.]
Click OK. The port is blocked and an application control policy denying access is generated. Select a scan result and click Avoid Risk. The Avoid Risk page appears. See the following figure. (p. 306)
[Figure: Avoid Risk: Please select the type of protection you want to apply: Web application; Vulnerability; OK / Cancel.]
Select the risks to be avoided and click OK. IPS rules and web application pro...
398. ...ondary WebAgent; Test Validity; Site Name; Password; Shared Secret; This device and CMC server reside on the same LAN. (Central Management page residue)
Note: Please check that the site name, password and shared secret are identical with the site name, password and shared secret configured on the CMC. Otherwise, connecting to the CMC will fail. If the network connection is available and the site can join Central Management (CM) successfully, you can view the following figure.
[Figure: Central Management (CM): Joined CM; Connected to CMC server 200.200.154.174:5000; Remove from CM. Join CM: Primary WebAgent 200.200.154.174:5000; Secondary WebAgent; Test Validity; Site Name; Password; Shared Secret; This device and CMC server reside on the same LAN.]
System Maintenance
Update
Update manages upgrades of patches and built-in libraries (virus/URL database, IPS signature database, application recognition library, web application protection...). (p. 354)
[Figure: Update: Manual Update; Update Server; Refresh; Status: Not upda...]
399. ...one SSO is enabled in Authentication and Take IP as username, Take MAC as username or Take host name as username is selected in New User Option; 2. SSO users; 3. Users authenticated with external passwords. You can choose one of the following options to handle new users: Added to specific local groups, Added as casual account (not to any local group), and No authentication for new users.
3.7.2.1.2 Selecting Authentication Zone
Before setting an authentication policy, select zones for the authentication settings. For details about how to set up an authentication zone, see section 3.2.1.4.
Step 1: Select Enable user authentication.
[Figure: Authentication Policy: Enable user authentication; Authentication Zone: None; Add / Delete / Refresh / Import / Example File.]
Step 2: Select the zones where the authentication policy is applied. (p. 199)
[Figure: Select Authentication Zone (Name | Forward Mode): InternalZone | Bridge (layer 2); InternetZone | Bridge (layer 2); ExternalZone | Route (layer 3); InternalZonetest | Route (layer 3); Trusted UKM | Route (layer 3); External UKM | Route (layer 3); OK / Cancel.]
Click OK. The authentication zones are set.
Note: You can choose the zone where the intranet port is located as the authentication zone. The zones can also be defined by intranet interfaces or Ethernet interfaces. For example, interface ETH2 is a WAN interface while ETH1 is a non-WAN interface. That is, interf...
400. ...onfigure firewall A. Choose Network > Interface > Physical Interface and configure the router interfaces and related information such as IP addresses. For details, see section 3.2.1. Set ETH1 to WAN, ETH3 to LAN and ETH2 to HA. (p. 489)
[Figure: Edit Physical Interface: Enable; Name eth2; Description HA; Type Route (layer 3); Basic Attributes: WAN attribute, Pingable; IP Assignment: Static / DHCP / PPPoE; Static IP 10.10.9.9/30.]
Physical Interface list (Name | WAN | Ping | Type | Zone | IP Assignment | IP Address | Work Mode | MTU | Link State):
eth0 | No | Allow | Route (layer 3) | None | - | 10.251.251.251/24 (Manage), 192.200.17.22/24 | Full duplex, Auto negotiation | - | -
eth1 | No | Allow | Route (layer 3) | WAN | Static IP | 1.0.1.2/29 | Auto negotiation | 1500 | Not detected
eth2 | No | Allow | Route (layer 3) | DMZ | Static IP | 10.10.9.9/30 (HA) | Auto negotiation | 1500 | Not detected
eth3 | No | Allow | Route (layer 3) | LAN | Static IP | 10.10.10.10/24 | Auto negotiation | 1500 | Not detected
Step 2: Configure NAT on firewall A and configure firewall A as a proxy to enable intranet users to access the Internet. For details, see section 3.6.2.1.
Step 3: On firewall A, choose High Availability > Basic Settings and set Local Device IP to the IP address of interface ETH2 as the hot standby...
401. ...or interface. Therefore, no more monitor interfaces need to be set.
Configuration
Step 1: Set the POP3 server for authentication. Choose User Authentication > Options > External Auth Server. For details, see section 4.6.2.3.
Step 2: Enable SSO on the device, select the monitoring mode and set the IP address of the domain server. Choose User Authentication > Options > SSO Options > POP3 SSO. Select Enable POP3 SSO to enable the POP3 SSO function. Enter the IP address and port number (default port number TCP 110) of the POP3 server for POP3 authentication in the Mail Server List text box. If there are multiple IP addresses and port numbers, each line contains only one IP address and port number. See the following figure.
[Figure: Authentication Options > SSO Options (Domain SSO, Proxy SSO, POP3 SSO, Web SSO): Enable POP3 SSO. If packets from internal users logging into the POP3 server (mail server) do not go through this device, you need to mirror them to the device and go to the Others tab to enable the mirror interface. Mail Server List (one entry per row; IP and port are separated by a colon; keep the defaults if you do not want to specify any): 192.168.1.20:110.]
Step 3: Set authentication policies based on the IP addresses or MAC addresses of the users who require POP3 SSO. Choose User Authenticati...
402. ...ork attributes for the connected mobile user in Advanced. The procedure for configuring a virtual IP address is as follows:
1. Create a virtual IP address pool. The IP addresses in the virtual IP address pool are idle IP addresses on the LAN where the SANGFOR equipment resides.
2. Configure a mobile user to use a virtual IP address. If the virtual IP address is set to 0.0.0.0, a virtual IP address will automatically be assigned to this mobile user. After this mobile user is connected, the SANGFOR equipment at the headquarters specifies a virtual IP address for the mobile user, or selects an idle IP address from the virtual IP address pool and assigns it to the mobile user. (p. 109)
[Figure: Virtual IP Pool: New; Advanced; columns IP Range | Subnet Mask | Subnets | Assigned To | Operation; Save and Apply.]
Click New. In the Virtual IP Pool dialog box, set the start IP address. See the figure below. [Figure: Virtual IP Pool dialog for the mobile VPN users.]
Click Advanced on the Virtual IP Pool page and set the virtual IP subnet mask, DNS and WINS which are to be assigned to the virtual network adapter of the mobile client. See the figure below.
[Figure: Preferred DNS 0.0.0.0; Alternate DNS 0.0.0.0; Preferred WINS 0.0.0.0; Alternate WINS 0.0.0.0; Subnet Mask 255.255.255.0.] (p. 110)
Note: After setting the advanced options on the Virtual IP Pool page, the virtual network adapter (SANGFOR VPN virtual network adapter) on the mobile cli...
403. ...osts by traffic. See the figure below. (p. 16)
[Figure: Filter: Type: Line All, Application All; Objects: IP address (one entry per row); Display Option: Show Top 60; OK / Cancel.]
Set the line and application in the Type pane. Line specifies the line to be viewed and Application specifies the application to be viewed. After setting the line and application, click OK. The page shown in the figure below is displayed. (p. 17)
[Figure: Select Application: All / Known categories / Others. Categories (each set to All): Streaming Media, File Transfer, Game, P2P Stream Media, P2P, Download Tools, HTTP Application, FTP, Mail, DNS, Remote Login, Net Meeting, Net Sharing, ICMP, SSL; OK / Cancel.]
You can choose to display all applications, selected applications or unselected applications. The selected applications are displayed in the right pane. Click OK to save the settings. Objects specifies a specific IP address. In the Display Option pane, you can set the number of displayed IP addresses ranked by traffic.
Abnormal Connection
The Abnormal Connection page shows abnormal connections from an attacker who uses common port numbers to forward traffic of another protocol. For example, if NGAF detects SSL traffic forwarded on port 53, NGAF takes action on these connections based on user...
404. ...otocol | Operation; Save and Apply. Click New to add a connection to the headquarters. See the figure below. (p. 107)
[Figure: Connection Name; Primary WebAgent; Secondary WebAgent; Test; Shared Key; Confirm Key; Transfer Protocol UDP; Confirm Password; Cross ISP Access Opt: Low packet loss, Packet loss rate; Enable connection.]
Connection Name: name of the connection to the headquarters. Description: description of the connection. Primary WebAgent / Secondary WebAgent: Web agent to be connected to the headquarters. You can click Test to test whether the Web agent works properly. The test results are shown below.
[Figure: Testing completed; Details >>: Primary WebAgent; Secondary WebAgent.]
Note: Test requests are initiated from the local end instead of the NGAF equipment. If the Web agent is represented by a domain name and the test succeeds, the webpage exists; otherwise the webpage does not exist. If the Web agent is represented by a fixed IP address and the test succeeds, the IP address format is correct. The connection to the VPN may fail even if the test succeeds.
Transfer Protocol: protocol used for transmitting VPN packets. It can be set to TCP or UDP. The default value is UDP. (p. 108) Set Shared Key, Username and Password based on the account information provided by the headquarters. The Cross ISP Access Opt item needs to be set whe...
405. ...ou log in to the console. Then enter the default login IP address and port number of the MANAGE interface in the address bar of Internet Explorer, that is, https://10.251.251.251. A security prompt shown in the figure below is displayed.
[Figure: There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. Click here to close this webpage. Continue to this website (not recommended). More information.]
Click Yes and the login interface shown in the figure below is displayed.
[Figure: NGAF Platform login page: Username; Password; Log In; links to more services and the support community.]
Enter the user name and password and click Log In. The default user name and password are both admin. You do not need to install any control for logging in to the console. You can log in to the console using another browser instead of Internet Explorer.
Configuring and Using the Console
After logging in to the configuration Web UI, you can view the following configuration modules: Status, Network, Security Databases, VPN, Objects, Authentication...
406. ...p Authentication Options: User Type; Primary Authentication; Secondary Authentication: Local password; Assigned Roles: Roles, Create, Associate; Save and Add; OK / Cancel. (Add User dialog residue)
2. Configure the basic attributes of the user. The following are the basic attributes. Name: Enter a name for this user. This field is required. (p. 70) Description: Enter a brief description of this user. Added To: Select the user group to which this user is added. Local Password / Retype Password: Enter the password of this user account. Mobile Number: Enter the mobile phone number of the user. Inherit authentication settings from parent group: If selected, the current user will inherit its parent group's policy set and authentication settings. If not selected, the authentication settings and policy set can differ from those of its parent group.
3. Configure the valid time of the user account. Expire indicates the date on which this user account becomes invalid. If Never is selected, the user account is always valid. If On date is selected, select a date as the expiry date.
4. Configure the status of the user account. This user account is enabled (valid) if Enabled is selected, or disabled (invalid) if Disabled is selected.
5. Configure Authentication Settings. Public user: Indicates that multipl...
407. ...p IP address, interface and metric in sequence. Each line is one static route. Click OK to save the settings. Click Advanced Search to search for route entries based on specified conditions.
Note: It is recommended that Interface be set to Auto for a static route. If multiple interface IP addresses of the equipment are on the same network segment, manually specify the interface of the static route. (p. 34)
Policy-Based Routing
The Policy-Based Routing tab page allows you to select inbound and outbound lines based on the source/destination IP address, source/destination port and protocol when multiple external interfaces of the equipment are connected to multiple external lines. This ensures that different data is forwarded through different external lines. In the navigation area, choose Network > Routing and open the Policy-Based Routing tab page.
[Figure: tabs Static Route / Policy Based Routing / All Routes; Add, Delete, Refresh, Import; columns No. | Name | Source Zone | Src IP Group | Dst IP Group | Protocol | Application | Interface | Next Hop | Load Balancing | Schedule | Status | Del.]
Policy-based routing is required in the following scenarios: 1. The interface or next hop is selected based on the source IP address or protocol. Data flows of internal users accessing the public network are distributed; that is, internal users on different network segments access the public network through different li...
408. ...page is displayed on the right.
Intelligent Ident Database (No. | Application | Category | Included Rules | Rule Status | Operation):
1 | P2PBehavior | P2P | 1 | All enabled | Settings
2 | skype | IM | 1 | All enabled | Settings
3 | SSL | SSL | 1 | All enabled | Settings
4 | SANGFOR VPN | SANGFOR VPN | 1 | All enabled | Settings
5 | Ultrasurf and Freegate | ProxyTool | 1 | All enabled | Settings
6 | Video Voice | IM | 1 | All enabled | Settings
Select skype and click Enable or Disable. The intelligent identification rules for Skype are enabled or disabled. If you want to enable or disable a certain rule for a specific application, for example disable a certain rule for video voice, click Settings. The Video Voice Identification Rule dialog box is displayed and lists all video voice related rules. Select a rule and click Enable or Disable. The selected rule is enabled or disabled. (p. 137)
[Figure: Video Voice Identification Rule (Rule Name | Description | Status): Video Voice 18 | MSN video | enabled; OK / Cancel.]
Editing P2P Behavior Identification Rules
P2P behavior identification rules are supplements to the application identification rules and are used to identify P2P data that cannot be identified by the application identification database. P2P behavior rules can be edited. Click P2P Behavior. The Intelligent Ident Database dialog box is displayed. (p. 138)
[Figure: Intelligent Ident Database: Enable Rule ...]
409. ...pdate server version is 450. Connection is dropped. Please connect the device again. Version of the update package is AF4.5.117 build20130719. Update with this package requires the device to restart. Software upgrade license need not be valid. Supported Platforms and Upgrade Notes: 1. Supports immediate upgrade from version AF4.3. 2. Supports the English language and Central Management (CM).
Command includes the following options: Route Table, ARP Table, View Network Settings, View NIC Settings, Modify NIC Settings, Exchange NICs and Check Device Health. (p. 504)
[Figure: Technical Support Console: Device Disconnected; menus Update (U), Backup (B), Time (T), Command (C), Password (P), Help (H); Command menu: Ping (P), Route Table (R), ARP Table (A), View Network Settings (W), View NIC Settings (N), Modify NIC Settings (M), Check Device Health (C). Console output: Connect device successfully; Version of current device AF4.5.117 EN Build20130719; Update server version; Version of the update package is AF4.5.117 Build20130719; Update with this package requires device to restart; Software upgrade license need not be valid; Supported Platforms and Upgrade Notes: 1. Support immediate upgrade from version AF4.3; 2. Support English language and Central Management (CM).]
410. ...pe; Show Top.
[Figure: Anti-Virus report filter: Specify the following and click Go to retrieve data; Period: Specified, 2013-08-15 to 2013-08-15; IP/User Group: All; Data Type: Sent/Received; Statistics: Virus Name / Virus Type / IP/User; Show Top 10 / 20; Open in new tab.]
Application scenario: A user needs to show the top 10 intranet users with the greatest number of virus attacks when sending and receiving emails on May 30.
Step 1: Set the statistic criteria. (p. 380)
[Figure: Anti-Virus: Specify the following and click Go to retrieve data. Filter: Period; Virus Type; Data Type: Sent/Received, Others; Statistics: Virus Name, Virus Type; Show Top 10; Less <<; Go; Open in new tab.]
Step 2: Click Go. The relevant data is generated.
[Figure: Anti-Virus; Filter: Today (2014-03-24 to 2014-03-24); IP/User Group: All; Period: Today; Statistics: Virus Name; Show Top 10. Anti-Virus Based on Virus Name (Virus Name | Detected Times | Percent | Drill Down): Mal/ZAccess-CK | 2 | 66.7% | Virus Type, IP/User; W32/Allaple-F | 1 | 33.3% | Virus Type, IP/User; Total | 3 | 100% | Virus Type, IP/User.]
The data shows that the firewall detected email viruses on the PC with the IP address 200.200.3.31 on May 30.
Note: To enable the data center to collect antivirus statistics, cl...
411. pe Group [Figure: file extension group dialog with fields File Extensions (one entry per row) and Description.] Data Leak Protection: [Figure: Data Leak Protection panel with Sensitive data protection (Settings), File download restriction (Settings) and IP/URL Whitelist.] IP/URL Whitelist: Click IP/URL Whitelist on the data leak protection configuration page and configure exclusion settings for specified IP addresses or URLs. For details about object protection exclusion, see section 3.4.3.1. Action: [Figure: Action panel with Action (Allow, Deny), IP Lockout (Lock source IP) and Logging (Log event, Settings).] Action: If Allow is selected, attacks are detected only. If Deny is selected, attacks are both detected and blocked. IP Lockout: If Lock source IP is selected, the source IP address initiating attacks is locked when the IPS, WAF or data anti-leak module detects the attacks. Logging: If Log event is selected, detected attacks are recorded in the data center. You can click Settings and set the related state code. [Figure: Logging Options dialog with Log response state code and State Code 200, OK, Cancel.] Note: Only when Deny is selected will the device block detected attacks. In URL protection, the actions Allow and Deny are not related to the action Deny to be taken when attacks are detected; the action set in URL protection prevails. Server Access Verification: The Server Access Verification is used to protect server access. It will r
412. pe None [Figure: scan result table with columns IP address, port, service, protocol, source zone and IP range, risk level, and risk description: 192.200.17.203, 80, http, TCP, WAN 0.0.0.0-255.255.255.255, Medium, Web vulnerability, Open port risk; 192.200.17.210, 80, http, TCP, WAN 0.0.0.0-255.255.255.255, Medium, Web vulnerability, Open port risk; 192.200.17.202, 80, http, TCP, WAN 0.0.0.0-255.255.255.255, Medium, Web vulnerability, Open port risk; 192.200.17.10, 53, dns, UDP, WAN 0.0.0.0-255.255.255.255, Low, Open port risk; 192.200.17.10, 445, netbios, TCP, WAN 0.0.0.0-255.255.255.255, Low, Open port risk. Page 1 of 1, Entries Per Page 50, 1-28 of 28.] Change weak passwords based on risk prompts. 2. Disable unnecessary ports: The scanning result shows the ports enabled on a server. Unnecessary ports can be disabled manually by a user with administrator rights. For example, to disable port 445 of the server with the IP address 192.168.1.249, used by intranet users to access the server, click the icon in the corresponding rule. The following dialog box is displayed. [Figure: Port Block Policy dialog: Source zone WAN, source IP 0.0.0.0-255.255.255.255; Service: Target Server 192.200.17.22, Service TCP 3306; Action Deny; Logging Log event; OK, Cancel.] Click OK. The following information is displayed. [Figure: Risk Assessment page: Untrusted Source Zone WAN; Destination 192.200.17.1-192.200.17.254; Port 80, 81, 8001, 8002 (http), 443; Enable weak password scan; Export as PDF.]
413. port [Figure: custom application rule list with the option Give higher priority to custom rules; columns No., Rule Name, Description, Application, Application Status, Delete; row 1: Office Email, Office Email, Mail / Customize / Email.] URL Database: The URL database defines different URL types based on the content of web pages, which helps the equipment identify various websites and exercise access permission control and traffic control on them. The URL Database page displays embedded URL groups and custom URL groups. Embedded URL groups are periodically updated on the server by SANGFOR; the equipment updates the embedded URL groups by accessing the server based on authorization. When the embedded URL groups do not meet your requirements, you can set custom URL groups based on known URLs. URL Database: The URL Database page displays embedded URL databases and custom URL databases. Embedded URL databases are periodically updated by the equipment. To update the embedded databases, a sequence number must be authorized and the network must be available for the equipment. Custom URL databases can be added, deleted and modified. For details, see section 3.4.7. In the navigation area, choose Objects > URL Database. The URL Database page is displayed on the right. Click on the URL Database page. The version and upgrade expiry date of the embedded URL database are displayed in the upper part of the page. [Figure: URL Database page with Add, Refresh and URL Category Lookup buttons.] Datab
414. pt [Figure: proactive URL protection action options: Detected, Deny, Log event; OK, Cancel.] Results: [Figure: Proactive URL Protection results list with Options, Excluded URL, Clear All, Refresh and View All buttons; columns No., Path, Variable, Type, Max Length, Status, Hit Count, Operation; under host sangforserver.no-ip.org, rows 1 and 2 are /cms/plus/list.php (variable tid) and /cms/plus/view.php (variable aid), both with status Being learned and operations Edit, Learn Again, URL Whitelist. Page 1 of 1, Entries Per Page 50.] Parameter Protection: Custom Parameter Protection Rule: Similar to proactive URL protection; only the related parameters must be set. Regular expressions are supported. When the conditions specified by the regular expressions are met, the actions are denied. [Figure: Custom Parameter Protection Rule list with Add button; columns No., URL, Case Sensitive, Variables, Definition, Value, Status, Edit; row 1: admin.asp, Yes, id.] Application Hiding: FTP: When a client logs in to the FTP server, the server sends back information such as the version to the client. An attacker can use the loopholes related to the version to initiate attacks. This function hides the information sent back to prevent attacks. To hide the information, select FTP. Application Hiding: HTTP: When a client accesses a website, the server sends many fields contained in HTTP headers to the client, such as Server and Via. Via may cause disclosure of proxy version information. An attacker can
415. r a physical interface is a route interface and the scenario where VLAN trunk needs to be enabled for the route interface. See the figure below. [Figure: Interfaces page, Sub Interface tab, with tabs Physical Interface, Sub Interface, VLAN Interface, Aggregate Interface, Zone, Link State Propagation; Add and Refresh buttons; columns Name, Zone, IP Assignment, IP Address, MTU, Ping, Link State, Delete.] Name: name of the sub-interface. The interface name is generated automatically and cannot be changed. For example, the name of a sub-interface on VLAN2 of the eth0 interface is generated as eth0.2. Description: description of the sub-interface. Zone: zone to which the sub-interface belongs. IP Address: IP address of the sub-interface. MTU: MTU value of the sub-interface. Ping: whether the sub-interface can be pinged. Link State: whether link detection is enabled for the sub-interface. For details about the configuration procedure of a sub-interface, see section 5.1.4. Note: The IP address of any interface cannot be on the 1.1.1.0/24 network segment. VLAN Interface: The VLAN Interface tab page displays the VLAN list of the equipment. See the figure below. [Figure: VLAN Interface tab with Add and Refresh buttons; columns Name, Zone, IP Assignment, IP Address, MTU, Ping, Link State, Delete; one row: veth 1, WAN, Static, 192.200.17.24/24, 1500, Allow, Detected.] Click Add to add a VLAN interface.
416. r from using and updating a false IP address into the Web Agent page. To refresh the status of the Web Agent, click Refresh. Logging In: Navigate to SSLVPN > Logging In. The Logging In page is as shown in the figure below. [Figure: Logging In page, Basic Attributes (fields marked are required): Page Title (Access to SSL VPN), Background Color, Bulletin Message (HTML supported, max 1024 characters); Preview, OK, Cancel.] Page Title: Specifies the caption of the login page. Background Color: Indicates the background color of the login page. Bulletin Message: Enter the message into the textbox. This bulletin message will be seen on the portal after users log in to the SSL VPN. A maximum of 1024 characters is allowed and HTML is supported. To preview the bulletin message, click Preview. Authentication: Authentication covers settings related to primary and secondary authentication methods. Navigate to SSLVPN > Authentication and the Authentication page appears as shown in the figure below. [Figure: Authentication page. Primary Authentication: Local Password, Settings (password strength and the ways that users change password, applying only to the user accounts in the local database). Secondary Authentication: Hardware ID, Settings (configure hardware ID related options such as hardware ID collecting and approval). Other Options: Password Security Options, Settings.] Block insecure and
417. ra [Figure: Add IPS Rule dialog (lower part): Threat Prevention with Server selected (worm, network device, database) and Endpoint; Action Allow / Deny; IP Lockout Lock source IP; Logging Log event; Save and Add Another, OK, Cancel.] Step 3: Configure client protection. Access the IPS page and click Add. The Add IPS Rule dialog box is displayed. Set Name, set Zone to WAN in the Source area, set Zone to LAN and IP Group to All in the Destination area, select Endpoint in the Threat Prevention area, select vulnerabilities, and click OK. [Figure: Add IPS Rule dialog: Enable; Name Internal; Description; Source Zone LAN; Destination Zone WAN, IP Group All; Threat Prevention Server / Endpoint with Endpoint selected (worm, file, backdoor, trojan, spyware); Action Allow / Deny; IP Lockout Lock source IP; Logging Log event; Save and Add Another, OK, Cancel.] Note: The vulnerability protection rules of server protection and client protection are different because the types of attacks on the server and client are different. For server protection, the source zone is the zone of the Ethernet interface and the destination zone is the zone of the intranet interface. For client protection, the source zone is the zone of the intranet interface and the destination zone is the zone of the Ethernet interface. Configuration of Web Application Protection: Example 1: WAF. The following
418. re imported in the root group by default and do not need to be authenticated. The bound IP addresses and MAC addresses and the user names are the computer names obtained by scanning. If the imported IP address conflicts with the bound IP address of a user, the user cannot be imported. Import from External LDAP Server: You can synchronize users from an LDAP server to the equipment. For example, you can import users from the MS Active Directory server. When you import domain users by using this method, security groups on the domain server are imported into the equipment and users are imported into the corresponding security groups. [Figure: User Import page with three options. Import from CSV File: import users from a CSV file (Example File, What Is CSV File, Import). Import by Scanning IP: scan all the online computers on the local area network to obtain host name, IP and MAC address and then import them as users; this operation is often carried out on networks where fixed IP addresses are assigned to computers; when scanning completes, import them onto this device immediately or modify them before importing (Import). Import from External LDAP Server: MS Active Directory server is supported only; for other types of LDAP server, import users in Authentication > Local Users > LDAP User Sync (Configure External Auth Server, Import).] 3.7.1.5.1 Import from CSV File: You can import users from a CSV file, including user information such as the user names, authenticatio
419. re three levels: high, medium and low. Action: actions taken by the equipment when the attack is performed. There are four actions: Enable, Block if attack detected; Enable, Log event if attack detected; Enable, Analyze based on Cloud technology; and Disable. You can define actions. Click a vulnerability name to open the editing page. See the figure below. [Figure: Signature Based Detection Rule dialog: Rule ID 13120534; Rule Name WordPress xmlrpc.php DDOS Attack; Description: Param xmlrpc.php of WordPress used by the attackers is a DDOS vulnerability; Impact: Possible DDOS Attack; Threat Level High; Action options: Enable, Block if attack detected; Enable, Allow if attack detected; Enable, Analyze based on Cloud technology; Disable.] Enable, Block if attack detected: The current rule is enabled. When the attack is detected, the corresponding packets are blocked. Enable, Log event if attack detected: The current rule is enabled. When the attack is detected, it is logged and the packets are not blocked. Enable, Analyze based on Cloud technology: If this option is selected, the equipment performs analysis and detection by using the cloud technology. Disable: The current rule is disabled. The equipment does not detect this rule. Vulnerability Analysis Rules: The vulnerability analysis rules contain the rules of vulnerabilities that can be used for scanning and detection for servers and hosts. When the equipment runs the RT vulnerability scanner to scan ser
420. ress [Figure: Add/Edit Resource Address dialog, Add Address tab: IP or domain, IP Range, HOSTS, Port 80; OK, Cancel.] [Figure: Add/Edit Resource Address dialog, Add Multiple Addresses tab, with example entries giving an IP address, IP range or domain name followed by a port, one entry per row; OK, Cancel.] Port: Indicates the port used by this TCP application to provide services. For built-in types of TCP applications, this port is predefined. For the Other type of TCP application, enter the corresponding port number. Program Path: Indicates the path of the client software program that may be used by the C/S (client/server) application. Added To: Indicates the resource group to which this resource is added. By default, the selected resource group is Default group; to configure resource groups, refer to the Adding/Editing Resource Group section. Visible for user: To have connecting users see this resource on the Resource page, select this option. Invisibility here only means that the resource is not seen on the Resource page; in fact, it is still accessible to the user. Roles: A role is an intermediate that builds a connection between user/group and resource; more specifically, it designates internal resources to a user or group. Users can only access the designated internal resources over SSL VPN. This kind of association enables one or multiple users or groups to associate with one or multiple resources, facilitating control over
421. result. Today. 3.1.1.3.7 Top 5 Backlink Injections: The Top 5 Backlink Injections page displays the backlink injection attacks in the last 7 days. See the figure below. [Figure: Top 5 Backlink Injections panel with period selector Last 7 days.] You can select Yesterday or Today to display a different day's result. 3.1.1.3.8 Top 5 Outgoing DoS Attacks: The Top 5 Outgoing DoS Attacks page displays outgoing DoS attacks in the last 7 days. See the figure below. [Figure: Top 5 Outgoing DoS Attacks panel with period selector Last 7 days.] You can select Yesterday or Today to display a different day's result. 3.1.1.3.9 Top Applications By Traffic (All lines, Bidirectional): The Top Applications By Traffic (All lines, Bidirectional) page displays the traffic speed trends of applications dynamically in different colors. See the figure below. [Figure: Top Applications By Traffic (All lines, Bidirectional) chart with a time axis (04:00, 05:00, 12:00) and a legend listing Other, Send Mail and Encrypted applications.] Security Status: Events: The Events page displays the current threats and information about the threats. [Figure: Security Status page with sections Top Attacks, Data Leak, Backlink Injections, Outgoing DoS Attacks; 2 threats need immediate action; Scan Again; Last Occurrence 2015-11-23 11:52:17; Application Server Without Protection 2; WAF Rule Based Scan 1.] No Web application protection rule is
422. rformed. If encryption is disabled, only authentication is performed. Click OK to save the settings. Optical Bypass Module: The optical bypass function is supported. The configuration page is shown below. [Figure: Optical Bypass Module page: Enable external optical bypass module; Type optical bypass (select type before configuring external optical bypass module); Add External Optical Bypass Module, Refresh; columns Module ID, Interfaces, Status, Switch.] Type: Only optical bypass is supported. Note that optical bypass and two-node hot backup are mutually exclusive. Add External Optical Bypass Module: Select the corresponding optical module interface and configure it. [Figure: Add External Optical Bypass Module dialog with Module ID, Available and Selected (max 2) lists, Add and Delete buttons.] Security Databases: Vulnerability Database: The vulnerability database contains characteristics of attack packets that perform attacks based on system and program vulnerabilities. When passing through the equipment, these packets can be blocked based on the settings to protect the server. See the figure below. [Figure: Navigation IPS > Security Databases > Vulnerability Database. Status: Enable Cloud-based analysis engine; Global Action; View All; Search By Vulnerability Name; columns Vulnerability ID, Vulnerability Name, Type, Threat Level, Action; first row 12030557 Polycom RealPresence Resource Manag
423. riod and set a timeout interval. If a user causes no flow within the specified interval, the user is logged out. You can select Submit user credential using POST method so that an authentication web page is displayed when a user uses a user name and password for authentication. You can select DNS service is available before user passes authentication to allow users to access the DNS service before being authenticated. You can select Basic services except HTTP are available before user passes authentication to assign root group permissions, except the permission to use the HTTP service, to users before they are authenticated. You can select Require authentication again if MAC address is changed to require re-authentication of a user who has been authenticated before when the MAC address of the user is changed. For example, if the user whose IP address is 192.168.1.1 has been authenticated using a user name and password, the user is not deregistered in a certain period after the user logs out. If another user changes his or her IP address to 192.168.1.1, this means that the IP address corresponds to another MAC address. In this case, re-authentication is required. You can select Lock user if authentication attempts reaches the threshold to specify the maximum number of consecutive authentication failures and the user locking duration. The figure shows that a user is locked for 1 minute after three
424. rmation to add these new policies to protect from the threats. Click OK to implement. See the figure below. [Figure: Confirm Following Actions dialog: The following policies are auto created; click on a policy for details: IP Group OneClickProtection_BIND9_DoS_Vulnerability_1; Realtime Vulnerability Scanner OneClickProtection_BIND9_DoS_Vulnerability.] The threat is prevented successfully with the result. The Scan Again button is used to scan all the Server IP Groups defined by the user again. See the figure below. [Figure: threat panel: BIND9 DoS Vulnerability, Exploits BIND TKEY Query Denial of Service Vulnerability, Details >>, Appeared Since 2015-07-29; Congratulations, all the threats are in protection: 1 threat prevented, 1 IP Group added, 1 Real-time Vulnerability Scanner rule added; the following threats are protected: 1. Realtime vulnerability scanner is enabled.] Traffic Management: Overview: The traffic management function controls the traffic size of various Internet-accessing applications by establishing traffic management channels. The NGAF offers the bandwidth guarantee and restriction functions. The bandwidth guarantee function helps to provide assured bandwidth to important applications, while the bandwidth restriction function helps to restrict the total uplink and downlink bandwidth of users or user groups and the bandwidth occupied by various applications. The traffic manag
425. rocedure is as follows. Select a user. [Figure: online user list with columns No., Name, Display Name, Group, IP Address, Authentication, Time In, Locked, Online Duration, Operation; row 1: 192.200.17.20, Default, 192.200.17.20, None, 2013-8-6 16:54:35, Log In, 17 hours 29 minutes; row 2: 192.200.17.231, Default, 192.200.17.231, None, 2013-8-6 16:54:36, Log In, 17 hours 29 minutes.] Click Lock or the corresponding icon in the Operation column. The page shown in the figure below is displayed. [Figure: Lockout Period dialog with Lockout Period (mins) 10.] After setting the Lockout Period, click OK. The status of the locked user changes as shown in the figure below. [Figure: rows 29 (192.200.17.231) and 30 (192.200.17.200), Default, None, 2013-8-7 10:25:01 and 10:25:14, Lock, Locked, Unlock, 09 min.] Unlocking Online Users: The procedure for unlocking a user is as follows. Select a locked user. [Figure: the same two locked rows, 29 (192.200.17.231) and 30 (192.200.17.200), selected.] Click Unlock or the corresponding icon in the Operation column. Forcibly Logging Out Online Users: The administrator can forcibly log out online users, excluding temporary users and those that do not require au
426. roup [Figure: user group page: Group Path Default group (Modify); Description Admin; Members: Sub-groups 0, immediate users 93, total users 93; Members list with Add, Refresh, Select, Import, Export and Search by Name; columns No., Name, Address, Expiry Date; rows include 192.200.17.236, 192.200.17.244, 192.200.17.247, 192.200.17.252 and 192.200.17.99 (each bound to the address of the same name, Never expire), user1 and user2 (No binding information, Never expire).] A common administrator can manage only certain groups. Therefore, a common administrator cannot move a user or a group to another group beyond the permission of the common administrator. User Import: You can import users in batches using the following three methods. Import from CSV File: You can import users from a CSV file, including user information such as the user names, authentication methods, IP/MAC address binding information and passwords. If the target group for importing the users does not exist, a group is automatically created during the import. Import by Scanning IP: When you import users bound to IP addresses/MAC addresses, you can scan MAC addresses of LAN users by using this method, facilitating user import. In this method, users a
427. rs, console configuration and license. System Time: On the System Time tab page, you can set the system time of SANGFOR NGAF. You can change the time on the UI directly or set time synchronization schemes. [Figure: General > System Time tab. Date and Time: Date 2013-08-15, System Time 14:28:01, Sync with Local PC, Restore System Time. Time Zone: (GMT+08:00) Beijing, Shanghai, Hong Kong. Synchronize Time with NTP Server: NTP Server pool.ntp.org, Sync Now.] Under Date and Time, you can check the current time in the system and adjust the system time manually. You can click Sync with Local PC to synchronize the system time to the time on the login terminal, or click Restore System Time to show the original time on the system. You can also set a time synchronization scheme for the system. Select a time zone from the Time Zone drop-down list box and enter the NTP server address in NTP Server. The system automatically synchronizes time based on the specified NTP server. Network Configuration: On the Network tab page, you can set the network parameters. See the following figure. [Figure: General > Network tab: TCP Conn Timeout (s) 1800; UDP Conn Timeout (s) 180; ICMP Timeout (s) 30; SSH Port 22545; FTP Port TCP 21; RTSP Port TCP 554; SIP Port UDP 5060, TCP 5060; SQLNET Port TCP 1521; TFTP Port UDP 69; PPTP Port TCP 1723; H.323 Port RAS UD
428. rters and branches need to access the Internet through the headquarters, perform operations under the guidance of SANGFOR technical support engineers. IPSec VPN: The SANGFOR equipment supports interworking with third-party VPN equipment by establishing standard IPSec VPN connections. 1.1.1.1.3 Phase I: On the Phase I page, you can set information about the peer VPN equipment that needs to establish a standard IPSec connection with the SANGFOR gateway. This is phase I of the IPSec negotiation. See the figure below. [Figure: Phase I page with Outlet Line selector, New button and columns Status, Device Name, Device Address, Authentication Type, Connection Mode, ISAKMP Lifetime (s), Description, Operation; OK.] Select Outlet Line and click New. The dialog box shown in the figure below is displayed. [Figure: new peer device dialog: Device Name pix; Description; Address Type Static IP; Static IP 201.1.1.1; Authentication Method; Enable this device; Auto connect; Cancel.] Click Advanced. In the displayed Advanced dialog box, set advanced options. See the figure below. [Figure: Advanced dialog: ISAKMP Lifetime 3600 s; Retry Times; Mode Main mode; D-H Group MODP1024 (group 2); ISAKMP Algorithm List: Authentication Algorithm MD5, Encryption Algorithm 3DES; Cancel.] 1.1.1.1.4 Phase II: On the Phase II page, you can set the parameters of phase II of the IPSec negotiation. See the figure below. Phase II
429. rule. Source Zone and Source IP Group: It specifies the source zone and source IP group of data to be matched with the rule for protection. For example, if you set a public zone as the source zone, the loophole attacks from Internet users on servers can be detected. Destination Zone and Destination IP Group: Only the IP addresses in the specified IP group in the specified zone are matched with the rule. Usually, the parameters are set to the objects to be protected. Protection: It specifies the protected content. Select Server and click Selected: Mail Vulnerability. [Figure: Protection panel: Server Protection, Selected: Mail Vulnerability; Endpoint Protection, Selected: Web ActiveX Vulnerability; Brute Force attack, Selected: FTP, IMAP, Standard.] The Select Attack Type page appears. Select the attack types based on the services published by the servers so that the device implements IPS protection for the loopholes related to the attack type. [Figure: Select Attack Type dialog with Fuzzy match search; columns Attack Type, Description: Mail Vulnerability, It includes vulnerabilities on a variety of Mail servers; Backdoor Vulnerability, Backdoor is computer software that can bypass norm...; Trojan Vulnerability, Trojan horse is a malware that can manipulate the ta...; Spyware Vulnerability, Spyware is malware that can gather user information; Tftp Vulnerability, It includes vulnerabilities on a variety of TFTP servers; System Vulnerability, It inc
430. s dia body > Enable: Select Enable; otherwise, the webpage cannot be displayed. Note: The Authentication Successful and Web Access Portal pages cannot be disabled. Edit: Modifies the displayed webpages by changing the webpage source code. You are advised to change only the texts and images; other modifications may lead to missing normal links. Click Preview, Save, Restore Defaults or Restore Previous Edition to preview, save or restore the customized webpages. Central Management: Sangfor NGAF devices can be centrally managed and monitored by the Sangfor Central Management Console (CMC) after they connect to the CMC. To have an NGAF device successfully connect to the CMC, create the site on the CMC and configure the CMC connection options on the NGAF device. The Central Management page is shown as below. [Figure: Central Management page, reached from the navigation (Risk Assessment, Bandwidth Mgt Status, General, Administrator, Logging Options, SMTP Server, Email Alarm, Global Exclusion, Custom Webpage, Central Management, Maintenance). Status: Joined CM, Connected to CMC server 200.200.154.174:5000, Remove from CM. Join CM: Primary WebAgent 200.200.154.174:5000; Secondary WebAgent; Test Validity; Site Name wrg; Password; Shared Secret; This device and CMC server reside on the same LAN.] Primary WebAgent: Enter the WebAgent address in the format of IP:Port or URL. The WebAgent wil
431. s as a router, and the server cluster and user zone on the intranet are connected to two different interfaces of the firewall. Server and client protection must be implemented by the IPS function. [Figure: topology diagram with the NGAF, VLAN100 and the 172.16.1.0/24 server network.] Step 1: Choose Network > Interface and allocate the three interfaces of the firewall to different zones. Set ETH1 to WAN, ETH2 to DMZ and ETH3 to LAN. Choose Objects > IP Group. Set 172.16.1.0/24 to Server Farm and 192.16.1.0/24 to LAN IP Range. [Figure: Zone tab (Interfaces, Aggregate Interface, Zone, Link State Propagation) with Add and Refresh; columns Zone Name, Zone Type, Interfaces, Device Mgt Privilege, Allowed Address; rows LAN, Route (layer 3), eth3, WebUI/snmp, All; WAN, Route (layer 3), eth, WebUI/snmp, All; DMZ, Route (layer 3), eth, WebUI/snmp, All.] [Figure: IP Group page with Add, Refresh, Import, Export; rows 1 All (All IP addresses), 2 Server Farm, 3 LAN IP Range.] Step 2: Configure server protection. Access the IPS page and click Add. The Add IPS Rule dialog box is displayed. Set Name, set Zone in the Source area to WAN, set Zone to DMZ and IP Group to Server Farm in the Destination area, select Server in the Threat Prevention area, select a rule, unselect Endpoint, and click OK. [Figure: Add IPS Rule dialog: Enable; Name server; Description; Source Zone WAN; Destination Zone DMZ, IP Group Server Farm
432. s generated. [Figure: WAF log query page with Filter and Export Logs buttons. Filter: Period 2013-08-16 00:00 to 2013-08-16 23:59; Src zone All; Src IP 192.200.17.128; Dst zone All; Dst IP All; Rule ID All; State Code All; Type All. The result table has columns No., Time, Device name, Threat level, Type, URL/Directory and Source IP, listing 16 entries on 2013-08-16 between 08:53:48 and 10:10:14, all of type Information disclosure (threat level Web) against various destination domains such as uchidabashi.com and summerjazz.net, with a source IP column beginning 192.200.17.1 (truncated in the screenshot).]
433. s the maximum number of users in this group that can concurrently access SSL VPN. Status: Indicates whether this user group is enabled or not. Select Enabled to enable this group; otherwise, select Disabled. Inherit role and authentication settings: Select the checkbox next to it, and this user group will inherit attributes such as the roles and authentication settings. Inherit authentication settings: Select the checkbox next to it, and this user group will inherit the authentication settings of its parent group. Inherit assigned roles: Select the checkbox next to it, and the current user group will inherit the assigned roles of its parent group. 3. Configure Authentication Settings. Group Type: Specifies the type of this user group, Public group or Private group. Public group: Indicates that any user account in this group can be used by multiple users to log in to the SSL VPN concurrently. Private group: Indicates that none of the user accounts in this group can be used by multiple users to log in to the SSL VPN concurrently. If a second user uses a user account to connect to the SSL VPN, the previous user will be forced to log out. Primary Authentication: Indicates the authentication method(s) that are first applied to verify a user when he or she logs in to the SSL VPN. If any secondary authentication method is selected, primary authentication will be followed by secondary au
434. s type of resource that allows end users to use C/S-based or TCP-based applications on their local computer to access corporate resources and servers over SSL VPN. 1. Click Add > TCP app to enter the Edit TCP Application page, as shown in the figure below. [Figure: Resources, Basic Attributes (fields marked are required): Name, Description, Address, Program Path (path could be an absolute path or an environment variable, e.g. %windir%), Added To Default group, Icon, Enable resource, Visible for user; Save and Add, Cancel.] 2. Configure Basic Attributes of the TCP application. The following are the basic attributes. Name, Description: Indicates the name and description of the TCP resource. This name may be seen on the Resource page after the user logs in to the SSL VPN. Type: Indicates the type of the TCP application. Some common types are built into the Sangfor device. This selection determines the port number entered in the Port field automatically. If the TCP application is not any of the built-in types, select Other and configure the port manually. Address: Indicates the address of the TCP resource. To add one entry of address (IP address, domain name or IP range), click the Add Address tab. To add multiple entries of addresses, click the Add Multiple Addresses tab, as shown in the figures below. [Figure: Add/Edit Resource Address dialog, Add Add
435. seconds.
[Figure: Refresh, Settings; Latest Threats table with columns No., Appeared Since, Description, Threat Level, Protection, Operation; row 1: 2015-07-29, BIND9 DoS Vulnerability, High Threat, In protection, Details]
Threat Alerts: Click Scanners > Threat Alerts > Settings to add the Server IP Group with the threat scan and alert functions. Below is a sample of the DMZ IP Group with protection options.
[Figure: Settings: Server IP Group DMZ; Protection Options: Trigger automatic scan when new event occurs; Enable high protection]
For more information about the threat, you can click the name of the threat under the Description column. It will open a website about the clicked threat. See the figure below.
[Figure: SANGFOR Security Center website (sec.sangfor.com), Home > Threat Intelligence > BIND9 DoS Vulnerability. Source: Sangfor Security Center. Date Published: 2015-08-08. Text: "BIND DoS Vulnerability. ISC patched a critical DoS vulnerability in BIND, the most widely used DNS server software, which allows a remote unauthenticated attacker to launch DoS. DNS server is essential for some networks. Without DNS, many services will be unavailab
436. selected. You can set Threshold to specify the upper limit on scan packets received from an IP address in the specified source zone per second. If the upper limit is exceeded, it is regarded as an attack. If Deny is selected as the action to be taken when attacked, all data from the IP address is blocked for 5 minutes once an attack is detected. After 5 minutes, the number of scan packets from the IP address is recalculated.
Port scan prevention: Port scan prevention is enabled when this option button is selected. You can set Threshold to specify the upper limit on port scan packets received from an IP address in the specified source zone per second. If the upper limit is exceeded, it is regarded as an attack. If Deny is selected as the action to be taken when attacked, all data from the IP address is blocked for 5 minutes once an attack is detected. After 5 minutes, the number of port scan packets from the IP address is recalculated.
After the preceding treatment, data packets are filtered through Defense Against DoS/DDoS Attack, Packet-Based Attack and Abnormal Message Probe.
Defense Against DoS/DDoS Attack: Select Select type. The page shown in the following figure appears.
[Figure: Dst IP tab: Defense against ICMP flooding attack, Per Dst IP Packet Threshold 000 packets/sec; Defense against UDP flooding attack, Per Dst IP Packet Threshold 100000 packets/sec; Defense against
437. send data as an email, click the corresponding button in the upper right corner. To enable the data center to collect statistics on server security logs, click Log event in the Action area on the console.
Traffic Statistics: The Traffic page enables users to collect statistics on the Internet access traffic of intranet users by application, IP address, etc.
[Figure: Traffic page. Specify the following and click Go to retrieve data. Filter: Period Today, 2013-08-15 to 2013-08-15; Schedule All week; IP/User; User Group; Application All; Others. Statistics: App Category, Application, Group, IP/User. Rank By: Bidirectional Traffic, Outbound Traffic, Inbound Traffic. Show Top 10. Chart Type: Ranking, Trend. Less <<, Go, Open in new tab]
Example application scenario: A user needs to show the top 10 IP addresses of intranet users occupying the heaviest traffic on August 15.
Step 1: Set the statistic criteria.
[Figure: Traffic page filter: Period Today, 2013-08-15 to 2013-08-15; Schedule All week; IP/User All; User Group; Application All; Others; Statistics: App Category
438. ser from certain endpoint(s) will be approved automatically if an administrator has ever approved the hardware ID of the endpoint(s).
Save: Click this button to save the settings when configuration is completed.
Password Security Options: Password security options are settings related to login when a user submits a username and password to access the SSL VPN, including two parts: Logon Security Options and Brute-force Login Prevention. Click the Settings button following Password Security Options and the Password Security Options page appears, as shown in the figure below.
[Figure: Authentication > Password Security Options. Logon Security Options: Enable on-screen keyboard so that Trojan will not record the input; Random letter key layout; Random number key layout. Brute-force Login Prevention: If consecutive logon failures reach [ ], activate word verification (0 means enabled; if it is below 3, it is set to 3 for non-Windows clients); If consecutive logon failures by a user reach 5 (1-32), lock the user for 600 (30-1800) seconds; If consecutive logon failures on one IP reach 64 (64-2048), lock the IP address for 45 (30-1800) seconds]
1. Logon failure indicates that the interval between two adjacent logons is less than 45 seconds.
2. Logon failures by a user indicate that the user fails to log in successively 1-32 times with a user account.
3. Logon failures on an IP indicate that the user fails to log in successively 64-2048 times on an IP ad
439. ser will be written into a CSV file and saved on the local computer. The exported user information includes the username, group path, password (encrypted by an algorithm developed by SANGFOR), mobile number, description and the time the user last logged in, as shown below.
[Figure: exported CSV with columns Username, Added to Group, Password, Mobile Number, Description, Last Login; sample rows for users Leong (group 1, 60123456789, normal user, Never logged in) and sangfor (Default group, test, Never logged in)]
Associating Roles with User:
1. Click More > Associate with role to enter the Roles Associated With xxx page, as shown below.
[Figure: Roles Associated With Default group: Add, Delete; columns Role Name, Description; Page 1 of 1, Show 25/page]
2. Click Add to enter the Roles page, as shown in the figure below.
[Figure: Roles page: search box (Enter keyword); columns Role Name, Description; Page 1 of 1, Show 25/page; 0 entries; OK, Cancel]
The roles on the Roles page are all the roles predefined under SSL VPN > Roles > Role Management.
3. Select the checkboxes next to the roles that you want to associate with the selected user or group.
4. Click the OK button and then the Submit button to save the settings.
Advanced Search: Click More > Advanced Search to open the advanced search page. The criteria for advanced search are as shown in the figure below.
[Figure: Advanced Search
440. service, webpage list and index service | Internal
Forum | Various websites that provide visitors with a forum for leaving messages, BBS etc., excluding the websites prov... | Internal
Online Chat | Web version of instant messaging (IM) tools and websites that offer chat rooms to send and receive instant... | Internal
Network Storage | Websites that store files on an Internet server for backup or sharing | Internal
Software Download | Websites providing various software downloads | Internal
3.5.5.1.1 Querying a URL Category
In the navigation area, choose Objects > URL Database. The URL Database page is displayed on the right. Click URL Category Lookup. The URL Category Lookup dialog box is displayed. Set Domain Name and click Go. The corresponding URL category is displayed.
[Figure: URL Category Lookup: Domain Name www.baidu.com; Go; Result: The URL category you are searching for is Search Engine; Close]
Fuzzy search is not supported.
3.5.5.1.2 Adding a URL Category
You can add a custom URL category. On the URL Database page, click Add. The Add URL Category dialog box is displayed.
[Figure: Add URL Category dialog with URL and Keyword tabs]
Name: name of the URL category.
Description: description of the URL category.
URL: URLs of the URL category to be set. A URL category may contain multiple URLs, which support wildcard-based matching.
URL Keyword: keyword for automatically matching a URL category. A d
441. ses. Both IPv4 and IPv6 IP addresses are supported. The settings on the IP Group panel can be referenced by the NAT panel of the Firewall configuration module, the Application Control Policy panel of the Access Control configuration module, and the Bandwidth Channel panel of the Bandwidth Mgt configuration module.
In the navigation area, choose Objects > IP Group. The IP Group page is displayed on the right.
[Figure: IP Group page: Add, Refresh, Import, Export; columns No., Name, IP Range, Description; row 1: All, 0.0.0.0-255.255.255.255, All IP addresses]
On the IP Group page, click Add to select an IPv4 or IPv6 group.
[Figure: Add menu: Add IPv4 IP Group, Add IPv6 IP Group]
Click Add IPv4 IP Group or Add IPv6 IP Group. The Add IP Group dialog box is displayed.
[Figure: Add IP Group dialog: Name, Description, IP Address (Type here), Resolve Domain; Save and Add Another, OK, Cancel]
Name: IP group name.
Description: IP group description.
IP Address: Type one IP address or IP address range per row. The IP address range is in the format start IP address-end IP address, for example 192.168.0.1-192.168.0.100 or 2001 1001 2001 000.
Resolve Domain: indicates automatically resolving the IP addresses corresponding to certain domain names. This function can automatically add the resolved IP addresses to the IP address list. The Resolve Domain function is implemented by the equipment. Therefore, th
442. sh
[Figure: VPN Status page: Refresh, Tunnel NAT Status, Stop Service. VPN Status: Running; Connections: 0; Remaining Licenses: IPSEC VPN sites 5, Mobile VPN users 10; WAN Data: Inbound 0 Byte/s, Outbound 0 Byte/s; VPN Data: Inbound 0 Byte/s, Outbound 0 Byte/s. Search, Display Options; 50 entries/page, Page 0/0, 0 entries. Disconnect; columns Connection Name, Username, Internet IP, LAN IP, Description, Type, Traffic In/Out, Time Connected, Protocol. Navigation: Network, Security Databases, VPN (SSL VPN, IPSec VPN: Status, Basics, Local Users, VPN Connections, Virtual IP Pool, VPN WAN Interface, VPN LAN Interface, Multiline Policy, Local Subnet, Tunnel Route, IPSec VPN, Objects, Advanced)]
To use the VPN function, ensure that at least one layer 3 interface is available on the equipment. The VPN function requires multi-function authorization.
Status: The Status page displays current VPN connection and network traffic information. See the figure below.
[Figure: Status page: Refresh, Tunnel NAT Status, Stop Service; VPN Status Running, Connections 0; Remaining Licenses: IPSEC VPN sites 5, Mobile VPN users 10; WAN Data Inbound 0 Byte/s, Outbound 0 Byte/s; VPN Data Inbound 0 Byte/s, Outbound 0 Byte/s; Search, Display Options; 50 entries/page, Page 0/0, 0 entries; Disconnect; columns Connection Name, Username, Description, Type, Traffic In/Out
443. sh language and Central Management (CM).
Version of the update package is AF4.5.117 build20130719. Update with this package requires the device to restart. Software upgrade license need not be valid.
Supported Platforms and Upgrade Notes:
1. Support immediate upgrade from version AF4.3.
2. Support English language and Central Management (CM).
Help: provides the links to the public network homepage and the technical support forum, and the version information of the current SANGFOR Firmware Updater.
[Figure: Sangfor Firmware Updater, Device Disconnected. Menu: Update (U), Backup (B), Time (T), Command (C), Password (P), Sangfor Website (W), About (A). Technical Support Console log: Connect device successfully; Version of current device: AF4.5.117 EN Build20130719; Update server version is 450; Connection is dropped. Please connect the device again; Version of the update package is AF4.5.117 build20130719; Update with this package requires device to restart; Software upgrade license need not be valid; Supported Platforms and Upgrade Notes: 1. Support immediate upgrade from version AF4.3; 2. Support English language a
444. so
[Figure: Web SSO settings. Tabs/options: Others, Auth Page Redirection, Enable Web SSO, Authentication Conflict, Obtain MAC By SNMP, Other Options. Note: If packets from internal users logging in to the Web authentication server do not go through this device, you need to mirror them to the device and go to the Others tab to enable the mirror interface. Web Authentication Server: Enter IP, IP:Port or server domain/URL, or keep the default port. Redirect browser to the above server before authentication. User Form Name: Name of the form where the username field is located (Web Authentication page: pwuser). Authentication success keyword (New staff). Authentication failure keyword]
Step 2: Enter the address of the web authentication server in the Web Authentication Server text box.
Step 3: Select Redirect browser to the above server before authentication. When a user is not authenticated, the user is redirected to the web SSO page when accessing any page.
Step 4: Enter the name of the list containing the user names to be submitted to the server during web authentication in the User Form Name text box.
Step 5: Select Authentication success keyword or Authentication failure keyword and enter the keyword indicating whether web server login is successful. For example, if you have selected Authentication success keyword and entered a keyword, and the keyword is contained in the POST response, web SSO is successful. If you have selected Authentication failure
445. so means an end user can use one account to log in to the SSL VPN through different endpoints, as long as the user account is bound to the hardware IDs submitted by the user from those endpoints.
4. Assign roles to the user group.
a. Click the Roles field to enter the Assigned Roles page, as shown below.
[Figure: Assigned Roles: Add, Delete, Edit; columns Role Name, Description; Page 1 of 1, Show 25/page; Cancel]
b. Click Add to enter the Select Role page, as shown below.
[Figure: Select Role: search box (Enter keyword); columns Role Name, Description; Page 1 of 1, Show 25/page]
c. Select the checkbox next to the desired roles and click the OK button. The roles are added to the Assigned Roles page.
d. Click the OK button, and the names of the assigned roles are filled in the Roles field.
e. If the desired role is not found in the list, click Create & Associate to create a new role and associate it with the user group. The procedure for creating a role is the same as that in the Roles > Adding section.
f. To remove a role from the list, select the role and click Delete.
g. To edit a role, select the role and click Edit.
Adding User:
1. Click Add and select User to enter the Add User page, as shown in the figure below.
[Figure: Add User, Basic Attributes (fields marked * are required): Description; Status (Enabled, Disabled); Password; Retype Password; Mobile Number; Added To; Inherit authentication settings from parent grou
446. sociated
[Figure: risk assessment result list. Filter: Associated Policies All; search by IP address or port. Columns: Server IP, Port, Application, Protocol, Accessible From, Accessible IP, Threat Level, Risk, Operation]
Server IP | Port | Application | Protocol | Accessible From | Accessible IP | Threat Level | Risk
192.200.17.202 | 23 | telnet | TCP | WAN | 0.0.0.0-255.255.255.255 | Low | Open port risk
192.200.17.200 | 80 | http | TCP | WAN | 0.0.0.0-255.255.255.255 | | Open port risk
192.200.17.210 | 443 | https | TCP | WAN | 0.0.0.0-255.255.255.255 | Low | Open port risk
192.200.17.232 | 3389 | rdp | TCP | WAN | 0.0.0.0-255.255.255.255 | Low | Open port risk
192.200.17.254 | 53 | dns | TCP | WAN | 0.0.0.0-255.255.255.255 | Low | Open port risk
192.200.17.254 | 443 | https | TCP | WAN | 0.0.0.0-255.255.255.255 | Low | Open port risk
192.200.117.232 | 445 | netbios | TCP | WAN | 0.0.0.0-255.255.255.255 | Low | Open port risk
192.200.17.232 | 139 | netbios | TCP | WAN | 0.0.0.0-255.255.255.255 | Low | Open port risk
192.200.17.107 | 139 | netbios | TCP | WAN | 0.0.0.0-255.255.255.255 | Low | Open port risk
192 200 17 22 | | | | | 0.0.0.0-255.255.255.255 | No risk | Port is in protection
An application control policy is created automatically to prevent intranet users from visiting port 445 of the server with the IP address 192.168.1.249.
[Figure: Application Control Policy list: Add, Import; columns include Name, Source Zone, Dst Zone, Service, Schedule; row: test / scansApp20130827105718_000 (policy automatically created), Src Zone WAN; Default Policy: All, All, Predefined Service any, All week, WAN, All, LAN
447. store device configurations. When a device encounters a critical error, the upgrade system can restore the device to factory settings. The upgrade system can enable technical support tools to detect configurations such as the operating status of network interfaces, and change the operating mode of network interfaces.
The SANGFOR NGAF upgrade system can be used after the software is decompressed. There are a STARTUP folder and a main program, Sangfor Firmware Updater.
[Figure: decompressed folder containing Sangfor Firmware Updater and STARTUP]
Double-click the icon of the main program. The following page is displayed.
[Figure: Sangfor Firmware Updater, Device Disconnected: IP Address, Password, Search, Connect]
IP Address: specifies the IP address of the connected NGAF, in the format IP address:port. When a single IP address is entered, port 51111 is used by default.
Password: specifies the password used to log in to the connected NGAF; the password is related to the device version. The default password is dlanrecover, or it is consistent with the password of the NGAF console.
Search: Click it to search for NGAFs on a LAN.
[Figure: search result 10.251.251.251]
Enter the IP address and admin password of an NGAF and click Connect to connect to the NGAF and perform operations such as system upgrade and restoration of default settings.
[Figure: Sangfor Firmware Updater connected to 10.251.251.25..., version AF4.5.117 E
448. sword for encrypting packets when Encryption is set to Plaintext or MD5.
3.2.2.4.3 Neighbors
The Neighbors page allows you to set the IP address of a neighboring router that runs RIP. See the figure below.
[Figure: Neighbor IP]
Click OK to save the settings.
3.2.2.4.4 Parameters
Choose RIP > Parameters. The page shown in the figure below is displayed.
[Figure: RIP Parameters: Route Priority; Timers: Update Timer, Timeout Timer, Flush Timer; Route Re-Advertisement: Re-advertise Direct Route (Yes/No), Re-advertise OSPF Route (Yes, Metric/No), Re-advertise Static Route (Yes, Metric/No), Default Metric; OK, Restore to Defaults]
RIP Parameters: You can set the route priority and timers in the RIP Parameters panel.
Route Priority: RIP priority. The optimal route is selected among the routes obtained through the routing protocols, as determined by the priority. The larger the priority value, the lower the priority. You can manually configure the RIP priority. The default RIP priority value is 120.
Update Timer: interval for periodically updating routes. The default value is 30 seconds.
Timeout Timer: timeout time of a route. If information about this route is not received within the specified time, the hop count of this route is set to 16, which means that this route is unreachable. The default value is 180 seconds.
Flush Timer: time of adv
449. t
[Figure: Website Server Address: Add, Delete, How to configure IP address list; Domain Name web1.com, IP Address 192.168.1.240]
[Figure: Add Website Anti-Defacement Rule. Website Name: website2. Start URL: http://web2.com. Server IP Settings. Max URL Levels: 5. Detection Method: Fuzzy match (high sensitivity). Check for resource file defacement. Check for unsafe links to virus/ads on defaced webpage. Action Taken if Defacement Detected: Notify network administrator (Email test2@domain.com, Test); Block user from accessing website; Redirect browser to prompt page (Edit Webpage); Redirect browser to server address; Log event. Allow admin to maintain this website: Webmaster admin2; Portal https://192.200.17.21:8000/quar_d.html (Visit Now). Advanced; OK, Cancel]
[Figure: Website Server Address: Add, Delete, How to configure IP address list; Domain Name web2.com, IP Address 197 200 200 720; Cancel]
[Figure: Website Anti-Defacement list: Enable website anti-defacement; Add, Delete, Enable, Disable, Update Local Cache, Edit Multiple, Webmaster, Refresh; columns No., Status, Website Name, Start URL, Website IP, Defaced Webpage, Cached Webpage, Whitelisted URL, Time, Time Cached; row 1: Protected, website1, http://web1.com, 1, 0, 5, 0, 2012-08-10 14:3...; row 2: Protected, website2, http://web2.com, 1, 0, 5, 0, 2012-08-10 14:3...]
Step 5: Enable admi
450. t
[Figure: navigation: Objects, Authentication, Firewall, Access Control (Application Control, Anti-Virus, APT Detection, Web Filter, IPS), Server Security, Risk Assessment, Bandwidth Mgt, System, Maintenance; list area: No data available; Entries Per Page 20]
Choose Access Control > APT Detection. On the page that appears, you can add, delete, enable and disable anti-malware policies. The following figure shows the page after the user clicks the Add button.
[Figure: Add APT Detection Rule: Enable; Name; Description; Protection Zone (Select); IP/User: IP Group (Select), User Group; Security Options: Remote Access Trojan, Malicious Connection, Cloud-Based Sandbox, Mobile Security Cloud-Based Sandbox, Abnormal Traffic (Settings); Action: Allow, Deny; Logging: Log event; Save and Add]
Name: Define a name for the policy.
Description: Description of the policy.
Protection Zone: Select the zone to which the policy will apply protection.
IP/User: Select the protected IP and User for the policy.
Security Options: The available security protection options are Remote Access Trojan, Malicious Link, Cloud-Based Sandbox, Mobile Security Cloud-Based Sandbox and Abnormal Connection. Click Settings to the right of Abnormal Connection and the page below is shown. Select Anom
451. t 1000 logs by default; Lookup Capacity 10000000; Restore Defaults. Miscellaneous: Idle Timeout 10 minute(s); Unit of Speed bps/Bps; OK]
Settings: Click Settings. The Settings page is displayed.
[Figure: Settings page. SMTP Server: Server Address 11.1.1.1; Require authentication; Sender Address sangfor@sangfor.com. Report Automatic Generation/Deletion: Generation Time 00:00-06:00; Auto Deletion: Delete reports generated 7 days ago; Preserve maximum 1000 newest reports. Log Lookup/Export: Export the latest 1000 logs by default; Lookup Capacity 10000000; Restore Defaults. Miscellaneous: Idle Timeout 10 minute(s); Unit of Speed bps/Bps]
SMTP Server is applicable when a user configures an email server in section 4.3.3.
Report Automatic Generation/Deletion specifies the time when the reports configured in section 4.3 are generated. The report storage time can also be specified.
Log Lookup/Export specifies the maximum number of exported reports and that of displayed reports. The maximum values are not used by default, so as to limit device performance consumption.
Miscellaneous specifies the timeout time and the traffic rate unit on the home page of the data center.
Log Database: The Log Database page enables users to view the sizes of logs generated over a specified period and perform related operations such as deleting
452. t as the source zone and include all users. In this case, the device matches all data from the intranet against the specified URLs from top to bottom in the URL list, and does not match data from the Internet.
URL Category: specifies the URL library for the URL filter. The built-in and customized objects in Object Definition > URL Category Library are invoked.
Type: specifies the type of URL for the filter, including HTTP get, HTTP post and HTTPS. For example, to prevent intranet users from browsing a certain type of web page, select HTTP get. To allow intranet users to browse web pages but prevent them from uploading files to websites, such as posting on BBS websites, select HTTP post. To prevent intranet users from browsing HTTP websites, select HTTPS and HTTP get. To allow them to browse the websites but prevent them from uploading files to the websites, select HTTPS and HTTP post.
Schedule: specifies the time when the rule is effective.
Action: specifies whether packets meeting the preceding criteria are discarded or not.
Log: URL access actions of users are recorded in the embedded data center when this option button is selected.
File Filter: File filter is used to filter files of specified types downloaded or uploaded through HTTP. For example, it can be used to prevent intranet users from downloading movie files during business hours. See the following figure.
[Figure: File Fil
453. t interface equals a common switching interface. No IP address needs to be configured for a transparent interface, which does not support routing or forwarding. Data is forwarded based on the MAC address table.
Virtual wire: A virtual wire interface is also a common switching interface. No IP address needs to be configured for a virtual wire interface, which does not support routing or forwarding. Data is directly forwarded through the interface that is paired with the virtual wire.
Bridge: A bridge interface is connected to a switch with the mirroring function and is used to mirror data that passes through the switch.
NGAF 5.2 does support IPv6 addressing. You can click the IPv6 tab to configure an IPv6 address for the interface. See the figure below.
[Figure: Edit Physical Interface: Enable; Name eth0; Description Manage interface; Type Route (layer 3); Added To Zone (Select zone); Basic Attributes: WAN attribute, Pingable; IP Assignment: Static; Static IP (IPv6 address/prefix length); Next Hop IP; Line Bandwidth Outbound/Inbound]
1. ETH0 is a route interface. You cannot change the interface type.
2. You can add a management IP address for the ETH0 interface. The default management IP address 10.251.251.251/24 cannot be deleted.
3. The IP address of any interface cannot be on the 1.1.1.0/24 network segment.
Sub-Interface: The Sub-Interface tab page displays whethe
454. tailed report with full information.
[Figure: Realtime Vulnerability Analysis. Vulnerability Overview: Total Vulnerabilities 10; Vulnerabilities over Last 7 Days 10; Vulnerabilities over Last 3 Days 10; Vulnerabilities on This Day 0. Vulnerability Distribution: Apache Httpd Vulnerability 100.00%. Table columns: No., Vulnerability, Description, Servers, Threat Level, Status. Row: Apache Httpd Vulnerability; "Many features of Apache are achieved by encoded modules like authentication module mod_access, mod_auth and mod_digest. However, there are security vulnerabilities on Apache which can be exploited by an attacker to get sensitive information or achieve other purposes remotely"; 192.200.19.195; High; Unprotected]
[Figure: Realtime Vulnerability Analysis. Latest Critical Vulnerabilities (columns No., Type, Vulnerability, Servers, Time Announced, Threat Level, Status, Solution): No data available. Latest Vulnerabilities (Last 7 Days / Last 30 Days):]
No. | Time Last Detected | Vulnerability | Servers | Threat Level | Status | Details
1 | 2014-08-28 16:52:25 | Apache 2.2 < 2.2.20 Multiple Vulnerabilities | 192.200.19.195 | High | | View
2 | 2014-08-28 16:52:25 | Apache HTTP Server denial of service | 192.200.19.195 | High | | View
3 | 2014-08-28 16:52:25 | Apache HTTP Server vulnerability in the mod_session_dbd module | 192.200.19.195 | High | | View
4 | 2014-08-28 16:52:25 | Version later than Apache 2.2 and earlier than 2.2.22 allows unauthorized information disclosure | 1
455. te Mc
[Figure: Windows Explorer folder listing logon.exe (381 KB, Application); File and Folder Tasks: Make a new folder, Publish this folder to the Web; Other Places: Scripts, My Documents, My Computer, My Network Places; Details]
7. In the Logon Properties window, click Add. In the Add a Script window, click Browse, choose the login script file logon.exe, and enter the IP address of the NGAF, the port number (fixed to 1773) and the shared key (exactly the same as that configured on the NGAF) in Script Parameters. The parameter values must be separated by spaces. Click Apply and then OK. Then close the windows one by one.
[Figure: Add a Script: Script Name sso; Browse; Script Parameters 10.251.251.254 1773 123]
Step 4: Configure a logoff script on the AD domain server. The logoff script helps users that are logged off from the domain server log off from the NGAF as well.
1. Perform the steps for configuring the login script. In step 6, double-click Log off instead.
[Figure: Group Policy Object Editor (File, Action, View, Help): Default Domain Policy; Computer Configuration: Software Settings, Windows Settings, Administrative Templates; User Configuration: Software Settings, Windows Settings; Logoff, Display Properties; Description: Contains user logoff scripts
456. tection rules are generated based on risk instructions. Click Export as PDF to generate a PDF file containing a proactive scan analysis report. Click All Associated Policies to see the protection rules generated when Avoid Risk is implemented.
[Figure: All Associated Policies: View All; columns Policy Name, Type, Target Server IP, Time Created, Status, Delete; row: scansWAF201308..., Web app protection, scansIPG2013081..., 2013-08-15 11:43; Close]
You can click a policy name to view the protection rule configuration.
Web Scanner: Web Scanner scans websites and web servers so that administrators know the possible flaws and vulnerabilities that might be exploited by a third party and affect the operation of the server. On top of that, the scan results can be exported as a report in an HTML file. Therefore, administrators can take action based on the report to prevent unwanted access and modification of the website, which increases server security. See the following figure.
[Figure: Web Scanner: Start URL (Example: http://www.domain.com); Start; Scheduled Scan; Template (Select); Scan History; Export Report as HTML File; Search term; Vulnerability; Threat Level]
Start URL: defines the initial directory of the website that the scan starts with. Click the icon next to it to open the site settings page, as shown below.
[Figure: Site Settings: Login
457. telist
[Figure: Website Anti-Defacement > website2 Cached Webpage: Update Local Cache, Add into the whitelist, Fuzzy match; columns No., Status, URL, Size, Time, Time Cached; row 1: Protected, web2.com, 1 KB, 2001-07-07 07:30:06, 22 KB, 2013-08-26 22:43:40; row 2: Protected, web2.com/index.htm]
Risk Assessment: The following figure shows a network topology where the NGAF works as a router, and the server cluster and the user zone on the intranet are connected to two different interfaces of the firewall. An administrator needs to know the enabled ports and vulnerabilities of the server with the IP address 192.168.1.249, and whether any weak password containing sangfor exists.
[Figure: topology with the NGAF and its interfaces ETH1, ETH2, ETH3]
Step 1: Choose Network > Interface and define the zones of the interfaces before configuring a policy. Choose Objects > IP Group and define the IP address group of the servers. For details, see section 3.4.8. Set ETH1 to WAN, ETH2 to DMZ, ETH3 to LAN, and 192.168.1.249 to the 249 IP Group.
[Figure: IP Group page: Add, Refresh, Import, Export; columns No., Name, IP Range; 1 All 0.0.0.0-255.255.255.255; 2 Server Farm 10.0.0.0/24; 3 LAN IP Range 172.16.1.0/255.255.255.0; 4 249server 192.168.1.249]
[Figure: Interface tabs: Physical Interface, Sub-Interface, VLAN Interface, Aggregate Interface, Zone, Link State Propagation; Zone list: Add, Refresh; columns Zone Name, Zone T
458. tem Users
3.7.1.3.1 Viewing Users/Groups
To view the existing users and groups on the equipment, select a group in the Groups pane. The Members page on the right displays information on the group, including the group name, description and detailed information.
Members: The Members page displays detailed information on sub-groups and users, including the group name, binding information (IP addresses and MAC addresses bound to the users), expiry date of the users, description and status (enabled or disabled). You can also select the information to be displayed by using the selection function.
[Figure: Users page: Fuzzy match; Group Path: Default group (Modify); Description. Members: sub-groups 1, immediate users 1, total users 87. Members list: Add, Delete, Refresh, Select, Import, Export, Search by Name; columns No., Name, Address, Expiry Date, Status; row 1: Default group; row 2: sangfor, No binding information, Never expire; Page 1 of 1, Entries Per Page 20]
Selection function: This function is used to quickly select users and groups on the current page and on all pages. Click Select. The following page is displayed.
[Figure: Select: On current page (total 1); On all pages (total 1); Never expire]
Search function: This function is used to quickly search for users or groups. Click the search box and select Search by Name, Search by IP or Search by MAC
459. tent co (URL log entries for domains such as bs.serving-sys.com, fonts.googleapis.com, www.gstatic.com and https://accounts.google.com, all from source IP/user 192.200.19.63 with action Allow and a View link for each). Click the icon in the upper right corner to display a certain column. Click the icon in the upper left corner to export the data to an EXCEL file. Details: click View. The Application Control page enables users to view the logs generated in Access Control > Application Control Policy. Specify the following and click Go to retrieve data: From/To (date and time range, for example 2013-08-15 00:00 to 23:59), Source Zone, IP/User/Group, Src IP/User, Dst Zone, Dst IP and Action (All or Deny).
460. tents included on the Online Users page. Auto Refresh: specifies the time interval for refreshing this page; or click Refresh to refresh the page manually and immediately. Disconnect: click it and select an option to disconnect, or disconnect and disable, the selected user(s), as shown below (Refresh 10 seconds, Refresh, Unfold All, Locked, View, Search; Disconnect / Disconnect & Disable). If Disconnect is selected, the selected user will be forced to disconnect from the SSL VPN. If Disconnect & Disable is selected and the Apply button is clicked on the pop-up bar at the top of the page, the selected user will be forced to disconnect from the SSL VPN and be prohibited from logging in again until it is unlocked. Click View to open the locked users page, as below (Refresh, Go Back; columns Username, Description, IP Address, Locked, Unlocked). Use Remove Lockout to remove the users from the list. Click Go Back to return to the Online Users page. Deployment: This page shows the deployment of the SSL VPN in the NGAF device. There are 2 types of Deployment Mode, as follows. Gateway Mode Deployment (Deployment Mode: Gateway; WAN and LAN interfaces need to be configured; Interface Settings: LAN Interface eth2, WAN Interface eth1) and Single Arm Deployment.
461. ter Device Disconnected (Technical Support Console menu: Update (U), Backup (B), Time (T), Command (C), Password (P), Help (H); Restore Factory Defaults (R), Restore Factory Defaults (Network Settings Only) (N), Upgrade License (U), Update Logs (L). Console output: "Support Immediate upgrade from version AFA 3 2. Support English language and Central Management (CM). Version of update package is AF4 5 117 build2 0130719, begin to update. Connecting to device 10.251.251.251. The device is disconnected. Connection is dropped. Please connect the device again.") Restore Factory Default is used to restore SANGFOR hardware to factory settings by loading an upgrade package. Restore Factory Default (Network Setting Only), used when the NGAF is not connected, is used to restore the network settings of the NGAF to factory settings by issuing commands through broadcast packets. The operation takes effect for all SANGFOR hardware gateways on a LAN. Do not use this function without authorization. Upgrade License is used to check whether the current gateway is within the upgrade service validity period. If the gateway has expired, purchase the corresponding license before upgrading. Update Logs is used to view the upgrade history of the current device or to view or clear the local historical records of upgrades. Backup includes the Backup Config and Restore Backup options.
462. ter (Add file filter rule dialog: Name, Description, Source Zone, IP/User, File Type Group (Select file type group), Behavior (Upload/Download), Schedule (All week), Action (Allow/Deny), Logging (Log event), Save and Add Another, Cancel). Name: specifies the name of a rule. Description: specifies the description of a rule. Source Zone and IP/User: If the intranet is set as the source zone and all IP addresses are selected, all the data transferred from the intranet through the device is matched against the specified file types from top to bottom in the list. Data from the Internet is not matched. File Type Group: specifies the types of files to be filtered. Behavior: specifies the behavior of uploading or downloading files through HTTP. Schedule: specifies the time when the rule is effective. It can be a repeated period or a specified time. Action: specifies whether the packets meeting the preceding criteria are discarded or not. Logging: file filter actions are recorded in the embedded data center when this option button is selected. IPS: The Intrusion Prevention System (IPS) checks packets for potential threats to intranet systems. IPS checks the packets entering a network for the real purposes of the packets and then determines whether the packets can enter the network based on the configuration. The SANG
463. ter login; Enable multi-user login; Deny password change online. 3. In the dialog box, move the Branch service to the service list on the right and select Allow. Then select Deny under Default Action. See the page below (Select LAN Service: Available: All TCP Services, All UDP Services, All ICMP Services, All Services; Selected: Branch, Allow, All day; Move: Up, Down, Left; Default Action: Deny). After the preceding settings are finished, the internal IP address 172.168.1.200 of Branch can access the FTP server 192.168.1.20, and access requests initiated by other IP addresses are denied. Other computers at the headquarters cannot access Branch either: when another computer at the headquarters initiates a request to access the branch, the destination IP address carried in the response packet sent by the computer at the branch is not 192.168.1.20, and therefore the packet is blocked. Multicast Service: The SANGFOR supports the transmission of multicast services over tunnels to meet the needs of applications such as VoIP and video conferencing through the VPN. These applications require multicast support. You can define multicast services. The IP address range is 224.0.0.1 to 239.255.255.255 and the port range is 1 to 65535. See the figure below (Multicast Service list: Name, Description, Operation; Default multicast service; Edit; Save and Apply). Cli
464. terface: The Interface page displays the status and cable connection of each network interface. See the figure below (interfaces eth0, eth1, eth2, eth3, eth4, eth5). One icon indicates that a network interface is in the connected state; the other indicates that a network interface is in the disconnected state. 3.1.1.3.3 Top 5 RT Vulnerabilities: The Top 5 RT Vulnerabilities page displays the overall information about server vulnerabilities and vulnerable servers. See the figure below (Vulnerabilities: 192.200.19.200: 5; 192.200.19.201: 3; 192.200.19.220: 1; 192.200.19.231: 1). 3.1.1.3.4 Top 5 Attacks: The Top 5 Attacks page displays the attack events that occur in the network (Today: No attack is found). You can select Today, Yesterday or Last 7 days to display the results for a different period. 3.1.1.3.5 Top 5 Bots: The Top 5 Bots page displays the top 5 bots that attacked the network in the last 7 days. See the figure below. You can select Today, Yesterday or Last 7 days to display the results for a different period. 3.1.1.3.6 Data Leak: The Data Leak page displays any data leakage in the last 7 days. See the figure below. You can select Last 7 days, Yesterday or Today to display a different
465. ternal lines between the local end and the peer end. Traffic can be evenly distributed by session or by packet. See the figure below (Multiline Policy list: Name, Request Assignment, Description, Operation; Default policy, Assign sessions evenly; Edit; Save and Apply). Click New. The multiline policy editing dialog box shown below is displayed (Basic Settings: Name, Description; Line Settings: Local Lines, Peer Lines, Threshold for VPN Data Transfer Line Selection (ms); Primary Lines and Secondary Lines tables of Local Line / Peer Line pairs, for example Line 1 / Line 1 through Line 1 / Line 4; Request Assignment: Assign sessions evenly or Assign packets evenly). Name: the name of the policy. Line Settings: You can set the number of external lines at the local end, the number of lines at the peer end and the threshold for line selection. Primary Lines: the primary line groups for VPN connections. You can click Right in the Move column to move a selected line group to Secondary Lines. Secondary Lines: the secondary line groups for VPN connections. Request Assignment: can be set to Assign sessions evenly or Assign packets evenly. Note: after the multiline policy is set, you need to enable it under Advanced in Local Users. Local Subnet: When the internal network at the headquarters consists of multiple subnets, a local subnet list needs to be configured if mutual access is required bet
466. th to configure the Internet bandwidth and BM line rules. Click Bandwidth Channel to enter the Traffic Management > Bandwidth Channel path. You can configure the minimum uplink and downlink bandwidth of certain applications for users or IP groups so that important applications have sufficient bandwidth when the traffic is busy. Set Attack Reminder and Keep Track of Attacker: If a server or client is attacked or matches a certain security policy, configure the device as follows to inform the administrator and record logs. 1. Email Alarm: Configure the alarm options and the email address that receives alarms triggered by attack attempts. 2. Logging Options: Configure an external report center to store the firewall logs. Click Email Alarm to enter the System > Email Alarm path and configure the mail server and which events need to be reported and delivered. Click Logging Options to enter the System > Logging Options path and configure the logging policy for local logs or send log files to the Syslog server. Data Center: The data center enables users to search and collect statistics on the logs generated by the function modules. For example, a user can search for the attacks blocked by web application protection and identify the source and destination IP addresses of the attacks, or cal
467. the channel but do not send or receive data flow over the channel are not involved. Free competition is not available. If you select Make allocated bandwidth on this channel shared evenly among each user, each external IP address is taken as a user of the channel, and the bandwidth allocation policy among users and the per-user bandwidth configuration apply to external IP addresses. Be cautious: this option is usually applied to servers providing services on the Internet. The menu Applicable Objects under Options is used to define what types of data packets are mapped to the channel in terms of application type, applicable objects, effective time, destination IP group, sub-interface and VLAN. The channel is applicable only when all the conditions are met (Add Bandwidth Channel, Applicable Objects tab: Enable channel; Name: P2P limit; Application: All / Specified, Select Application; IP Group / User: All; Schedule: All week; Dst IP Group: All; Sub Interface: All; VLAN). Application defines the application type. You can select All to apply the channel to the data packets of all types of applications, and Specified to apply the channel to the data packets of specific applications. Click Select Application. In the displayed screen, select the application category (in this example, P2P and dow
468. the computer filters out the NETBIOS protocol and whether a device on the network path is deployed with NETBIOS protocol filtering. If the host name cannot be obtained, the NGAF treats the computer as a new user named Unknown Computer. The computer can be queried only in the online user list and is not added to the specified local user group. If one or more L3 switches are deployed between the computer attempting Internet access and the equipment room, the MAC address of the computer is changed. In this case, the NGAF cannot obtain the actual MAC address of the computer. The problem can be solved in the following way: obtain the ARP list of the L3 switch closest to the computer, that is, the destination gateway of the data packets sent by the computer for Internet access, and check the original MAC address of the specified IP address in the ARP list. 3.7.2.1.3.3 Configuration Example 3: The computers on the network segment 192.168.3.0/255.255.255.0 are authenticated using AD domain SSO. That is, only when a user in the AD domain is authenticated successfully against the AD domain and the NGAF can the user be synchronized to the NGAF. If SSO fails for a computer on the network segment, its IP address is taken as the user name and no authentication is required. The user is added to the Default group automatically. Step 1: Set the LDAP external authentication server in External Auth Server and the LDAP user synchronizat
469. the line connected to interface ETH3. Choose Network > Routing > Policy Based Routing from the navigation menu and click Add. The Add Source Based Route dialog box is displayed (Name, Description, Schedule: All week; Source: Zone, IP Group; Destination: IP Group, ISP (for example Online Banking); Protocol/Port (Protocol and port match causes); Application; Egress Interface; Next Hop; OK). Name and Description: specify the name and description of the PBR. Schedule: specifies the effective time of the PBR. Click to select a schedule (Recurring Schedule: All week; One Time Schedule; Add One Time Schedule; Add Recurring Schedule). Source: contains the Zone (mandatory) and IP Group fields. Destination: contains the IP Group and ISP options; select one of them. In this example, the HTTPS application used to access the destination IP address 127.8.66.42 must be matched by the PBR. Click the IP Group dropdown list to select an option (All, Education network, Online Banking, Add ISP). Protocol/Port: specifies the protocol and port conditions. Click Settings. The Protocol/Port dialog box is displayed (Protocol: TCP, protocol number 6; Src Port: All / Specified; Dst Port: All
470. the page. Crawler: defines Restrictions such as whether the URL is case sensitive (for Unix/Linux), the directory and the links under its sub-directories to be scanned, and the deepest crawled directory. Other configurations such as Excluded URL, Excluded File Type and Excluded Parameter are found on this page. See the figure below (Basic Settings, Restrictions, Scan Options: URL is case sensitive for Unix/Linux; Custom 404 Error; Scan this directory and the links under its sub-directories; Deepest Crawled Dir (start URL counted in): 10; Excluded Objects: Excluded URL, Excluded File Type, Excluded Parameter, Add, Delete; RegEx Tester: Regular Expression). Test Policy: determines the policy used for web scanning with this template. Start: After the Start URL and Template have been configured, click the Start button to initiate the web scan; after a while the results will be displayed. Scheduled Scan: Click to configure the date and time of the scan on the scheduled scan page; refer to the following figure (Scheduled Scan: Start Date 2014-09-05; Time: Start Scanning 09:39). Click Scan History to show the previous scans. Click the re-scan icon to re-scan the web server and X to delete the scan history. See the following figure (Scan History: Delete; columns No, Start URL, Last Scan, Re-Scan, Delete; entry 1: http://192.200
471. thentication. If the administrator attempts to forcibly log out a temporary user or a user that does not require authentication, the prompt shown in the figure below is displayed: "You cannot log out casual user or authentication-free user by force." Password-authenticated users and single sign-on (SSO) users can be forcibly logged out. The procedure is as follows. Select a user (list columns: No, Name, Display Name, Group, IP Address, Authentication, Time Logged In, Locked, Online Duration, Operation; for example user sangfor, 192.200.17.10, Password based auth, logged in 2013-8-7 10:28:28, online 40 seconds). Click the human icon in the Operation column. The prompt shown in the figure below is displayed: "This operation will block the selected user from accessing the Internet. Would you like to proceed? Yes / No." Click Yes to log out the user. Affiliated Source Lockout: The Triggered affiliated source lockout page displays the locked source IP addresses and the security policy that triggered the lockout propagation, when lockout propagation is enabled between the IPS rule and the data leak protection module and between the Web application protection rule and the risk isolation module. See the figure below (Refresh 5 seconds, Refresh, Clear All; columns Lockout Period, Source IP, Loc
472. thentication when the users log in to the SSL VPN. By default it is Local password. Local password: the connecting users need to pass local password-based authentication using the SSL VPN account in this user group. Secondary Authentication: Secondary authentication is an optional, supplementary authentication method. Select it to require the connecting users to submit the corresponding credentials after they have passed the primary authentication(s), adding security to SSL VPN access. Hardware ID: This is the unique identifier of a client-end computer. Each computer is composed of hardware components such as the NIC, hard disk, etc., which are unquestionably identified by their own features that cannot be forged. The SSL VPN client software can extract the features of some hardware components of the terminal and generate the hardware ID accordingly. This hardware ID should be submitted to the Sangfor device and bound to the corresponding user account. Once the administrator approves the submitted hardware ID, the user will be able to pass hardware ID-based authentication when accessing the SSL VPN through the specified terminal(s). This authentication method helps to eliminate potential unauthorized access. As mentioned above, multiple users could use the same user account (a public user account) to access the SSL VPN concurrently, so it is reasonable that a user account may be bound to more than one hardware ID. That al
473. this DNS server. Review the next steps for this role. 3. In the displayed window, right-click the domain to be monitored and choose Properties (Active Directory Users and Computers window, domain sangfor.com with 16 objects; context menu: Delegate Control, Find, Connect to Domain, Connect to Domain Controller, Raise Domain Functional Level, Operations Masters, New, All Tasks, View, New Window From Here, Refresh, Export List, Properties, Help). 4. In the displayed window, click Group Policy. Double-click the group policy Default Domain Policy (sangfor.com Properties dialog, tabs General, Managed By, Group Policy; Group Policy Object Links, No Override, Disabled; Default Domain Policy; Group Policy Objects higher in the list have the highest priority; this list was obtained from the support server sangfor.com; New, Add, Edit, Up, Optio
474. ticated using only a dedicated address, and other users cannot use the same address for authentication. In this example, select Bidirectional binding and Bind the IP on initial logon. If Added as casual account is selected, the new users are not added to the user list and access the Internet with only temporary user privileges. If User Group under this option is specified, the new users access the Internet with the privileges of the specified user group. If No authentication for new users is selected, the new users are not added to the user list and do not pass authentication. In this case the new users are not allowed to access the Internet and have only the privileges specified for unauthenticated users under User Authentication > Options > Other Auth Options. Step 5: Set the parameters as follows if manual user adding is necessary. Set Name to the user name on the external authentication server. Do not select Local password: if Local password is selected, the user is authenticated locally rather than against the external server. Select Bind IP/MAC and set the IP address to be bound (Add User dialog: Enable user; Name; Description; Display Name; Added To Group: IT; User Attributes: Local password, Password, Confirm; Bind IP/MAC; Binding Mode: IP Address, MAC Address, IP and MAC; one entry per row; annotation is separated by
475. tication, hardware authentication, LDAP authentication and Radius authentication. User Type: the type of VPN user that uses this account. It can be set to Mobile user or Branch user. Inherit group attributes: whether to group users. If this check box is selected, the Added to parameter becomes active. You can add the user to a user group and apply the public attributes of that user group. Note: before selecting the Inherit group attributes check box, add a user group. After a user is added to a user group, the Algorithm, Enable My Network Places and LAN Service parameters of this user cannot be configured. Hardware authentication: whether to enable hardware-based certificate authentication. After enabling hardware authentication, select the corresponding certificate file. Enable USB key: whether to enable DKey authentication for mobile users. After DKey authentication is enabled, insert the DKey into a USB port on the computer and then click USB Key. Assign virtual IP: used for the access of mobile clients. The Assign virtual IP check box must be selected for a mobile user. After this check box is selected, set a virtual internal IP address from the virtual IP address pool for this user. After this user is connected, the preset IP address is used as the virtual internal IP address. If the virtual IP address is set to 0.0.0.0, the system automatically assigns an internal IP address to this user from the virtual IP
476. ting (Database list: No, Database, Current Version, Latest Version, Update Svc Expiry, Auto Update, Operation. 1 Anti-Virus Database: 2013-01-04, 2013-06-06, 2014-07-29, Y. 2 URL Database: 2013-04-28, 2013-04-28, 2014-07-29, Y. 3 IPS: 2013-02-16, 2013-08-01, 2014-07-29, Y. 4 Software Update: 2013-07-05, Never expire, Y. 5 Application Ident Database: 2013-04-02, 2013-04-02, 2014-07-29, Y. 6 WAF Signature Database: 2013-02-16, 2013-08-02, 2014-07-29, Y. 7 Data Leak Protection: 2012-07-04, 2012-07-04, 2014-07-29, Y. 8 Malware Signature Database: 2013-05-13, 2013-07-30, 2014-07-29, Y.) Select the checkbox to the left of No and click Enable to start automatic upgrades of the built-in libraries. You can also click Disable to cancel automatic upgrades of the built-in libraries, and click Refresh to view the real-time information of the built-in libraries. Click Manual Update to set manual upgrades of the rule libraries within the upgrade validity period, as shown in the following figure (Manual Update: Database: Anti-Virus Database; Upload File; Update; Cancel). Click Update Server to display the Update Server dialog box. Select Server sets the server used for upgrades. It can be set according to the customer's external network link. In addition, you can select Auto to enable the NGAF to automatically detect the available update server. Built-in library updates require that the NGAF can access the Internet directly or through a proxy
477. tion: a feature that achieves automatic link failover when one of the lines goes down (Settings). Advanced: specify the Maximum Transmission Unit (MTU) (Settings; OK; Cancel). (Interface list, tabs Physical Interface, Sub Interface, VLAN Interface, Aggregate Interface, Link State Propagation; Add, Refresh; columns Name, Zone, IP Assignment, IP Address, MTU, Ping, Link State, Delete: veth3, None, Static, 1500, Allow, Not detected yet; veth2, None, Static, 1500, Allow, Not detected yet.) Step 5: Connect the NGAF to the network. Connect interface ETH2 to the front-end router and interface ETH to the layer 3 switch on the intranet. Notes: In the network environment described above, virtual wire interfaces can be deployed, and virtual wires are recommended. For configuration details, see section 2.1.3. The IP addresses and gateways of the VLAN interfaces can be left unspecified. Virtual Wire Interface Configuration, configuration example: The following figure shows a network environment where two layer 3 switches and two routers are deployed on the intranet for load balancing, and the NGAF is deployed in transparent mode without changing the original Internet access mode (topology: two routers, NGAF interfaces eth1 to eth4, two core switches). To deploy the NGAF in transparent mode, layer 2 isolation must be configured between the ETH4 and ETH2 pair
478. tion rules. You can define applications that are not contained in the embedded application identification database by setting the data direction, IP address, protocol and port. In the navigation area, choose Objects > App Ident Rules. The App Ident Rules page is displayed on the right (navigation: Status, Network, Security Databases, VPN, Objects: ISP, Application Ident DB, Intelligent Ident DB, App Ident Rules, URL Database, Services, IP Group, Schedule, File Type Group, Trusted CA; page toolbar: Add, Delete, Refresh, Import, Export, Give higher priority to custom rules; columns No, Rule Name, Description, Application, Status; Entries Per Page 50). Adding Custom Application Rules: Click Add on the App Ident Rules page. The dialog box for adding custom application rules is displayed. Details are as follows. Configuration example: Office email traffic needs to be controlled, but email cannot be selected independently when a user selects an application type. In this case, an office email application can be defined. Step 1: Enable the rule and set Basic Attributes, including Rule Name, Description, Category and Application. You can select an existing category or define a new one (Enable; Basic Attributes: Rule Name: Office Email
479. to implement destination address translation (NAT). NGAF 5.2 supports the IPv6 NAT feature. On the NAT page, click IPv4 NAT to configure the IPv4 environment and IPv6 NAT to configure the IPv6 environment. Click Add to select Source NAT, Destination NAT or Bidirectional NAT in either environment. Source NAT: Source NAT translates the source IP addresses of data that meets the criteria. It is most commonly used when the device is deployed at the egress to the public network and intranet users need to access the public network. On the IPv4 NAT and IPv6 NAT pages you can manage, add and delete source NAT rules. The figure below shows the IPv4 Add Source NAT Rule page (Enable; Name: Access Internet; Description; Source: Zone: InternalZonetest, IP Group: All; Destination: Zone / Interface (Zone: External; Interface), IP Group: All; Protocol: Configure protocol and port; Source Translation To: Egress interface; Save and Add Another; OK; Cancel). Protocol and port settings are not available in IPv6 Source NAT. The figure below shows the Add IPv6 SNAT Rule dialog (Name; Description; Source Zone: Select internal zone; Subnet
480. twork interface. To modify the settings, click Settings (Advanced: Link Mode: Auto negotiation; MTU: 1500; MAC; Restore Default MAC; OK; Cancel). Click OK. Use the same method to set the Ethernet interface ETH3. Step 3: Configure an intranet interface. Select an idle network interface and click the interface name to open the Edit Physical Interface dialog box. Set Type to Virtual wire and unselect WAN attribute (Edit Physical Interface: Enable; Name: eth1; Description: LAN; Type: Virtual wire (layer 1); Added To Zone: Select zone; Interface 1: eth1; Interface 2: Select interface; Basic Attributes: WAN attribute; Advanced: Configure link mode, MTU and MAC address, Settings; OK; Cancel). Click OK. Use the same method to set the intranet interface ETH4. Step 4: Set a virtual wire. Choose Network > Interface > Virtual Wire to add a virtual wire. For details, see section 3.2.3. Step 5: Configure switchover for the switches and routers on the intranet. Choose Network > Interface > Link State Propagation and enable interface propagation. For details, see section 3.2.1.6. Step 6: Connect the NGAF to the network. Connect interfaces ETH2 and ETH3 to the front-end routers and interfaces ETH4 and ETH to the layer 3 switches on the intranet. Note: the management interface cannot be configured as a virtual wire i
481. type and attack details. Click Refresh 5 seconds to set the refresh interval. Click Refresh to refresh the information immediately. Traffic Ranking (tabs: Top Users by Traffic, Top Applications by Traffic, Top Hosts by Traffic; Refresh 5 seconds, Refresh, Filter, Locked, View Top 60, Group; columns No, Username, Group, Outbound Speed, Inbound Speed, Bidirectional, Lock, Obtain, Flow Details). Top Users by Traffic: The Top Users by Traffic page displays the bandwidth usage of online hosts. See the figure below. The users are ranked by traffic. The displayed information includes the username, group, outbound speed, inbound speed, bidirectional speed, lock, a link for obtaining the computer name, and flow details. In the Obtain column, click Obtain to obtain the computer name corresponding to the IP address. In the Flow Details column, click an application to display the traffic information about the corresponding host. See the figure below (columns Application, Line Percent, Outbound, Inbound, Bidirectional: SSL 66%, 12.23 Kb/s, 44.09 Kb/s, 56.31 Kb/s; Website Browsing 20%, 9.88 Kb/s, 6.88 Kb/s, 16.75 Kb/s; Ot
482. ublic network and assigned a fixed IP address (topology: NGAF WAN interface 1.2.1.1/29 with gateway 1.2.1.2/29; ETH1 192.168.1.254/24; intranet routers 192.168.1.1/24 and 192.168.2.1/24; subnet 192.168.2.0/24). Step 1: Log in to the NGAF by using the default IP address of the management interface ETH0, which is 10.251.251.251/24. Configure an IP address in the same network segment as the default IP address on your PC and log in to the NGAF by using https://10.251.251.251. Step 2: Choose Network > Interface and click the interface (such as ETH2) to be configured as an Ethernet interface. The following dialog box is displayed (Edit Physical Interface: Enable; Name: eth2; Description; Type: Route (layer 3); Added To Zone: Select zone; Basic Attributes: WAN attribute, Pingable; IP Assignment: Static, DHCP, PPPoE; Static IP: 1.2.1.1/29; Line Bandwidth: Outbound 10 Mbps, Inbound 10 Mbps; Link State Detection: a feature that achieves automatic link failover when one of the lines goes down, Settings; OK; Cancel). Set Type to Route. Set Basic Attributes to WAN attribute if the interface is connected to an uplink, or set it to Pingable. Set Added To Zone to the zone that interface ETH2 belongs to, which is WAN in this example. Set the zone in advance based on section 3.2.1.4. Set IP Assignment t
483. uipment, including direct routes, static routes, and those learned through a dynamic routing protocol. See the figure below.

[Figure: All Routes page with tabs Static Route, Policy Based Routing, OSPF, RIP, All Routes; filters Route for IPv4 Address, Type All; Refresh]

Type | Destination | Netmask/Prefix | Next Hop IP | Metric | Interface
Static route | 0.0.0.0 | 0.0.0.0 | 192.168.1.1 | 0 | vlan1
Direct route | 193.168.1.0 | 255.255.255.0 | 0.0.0.0 | 0 | eth3
Direct route | 192.168.1.0 | 255.255.255.0 | 0.0.0.0 | 0 | vlan1
Direct route | 10.251.251.0 | 255.255.255.0 | 0.0.0.0 | 0 | eth0

Route selection for IPv4 and IPv6 addresses is available. Click to select the Internet Protocol choice. Refer to the figure below.

[Figure: drop-down with Route for IPv4 Address and Route for IPv6 Address]

Click next to Type to filter routes by type. See the figure below.

[Figure: Type drop-down with All, Static Route, Direct Route, OSPF, RIP]

Click Refresh to refresh the route entries to be displayed.

Virtual Wire

The virtual wire function involves setting a physical interface group on the NGAF equipment. For example, set interfaces A and B to form a virtual wire group. After packets are forwarded to the equipment through interface A, all other data is forwarded through interface B, except the data whose destination IP address is that of the NGAF equipment. That is, the other data is directly forwarded without searching the layer 2 MAC
484. ults to provide protection for customers. See the following figure.

[Figure: Risk Assessment page; Untrusted Source Zone; Destination (IP address or range); Port 80,81,8001,8002 (http), 443; Start; Export as PDF; All Associated Policies; columns Server IP, Port, Application, Protocol, Accessible, Accessible IP, Threat Level, Risk]

Untrusted Source Zone: Defines the source zone for application control policies, IPS, and WAF detection. It is used to check whether application control policies, IPS, and web application protection rules are implemented between the zone and the destination IP address.

Destination: Defines the range of destination IP addresses for which ports or weak passwords are scanned.

Port: Defines the ports of the destination IP addresses to be scanned. Click 80,81,8001,8002. The Select Port page appears. See the following figure.

[Figure: Select Port page; Add, Delete; columns Port, Application, Delete; Predefined Ports including 3306 mysql, 1521 oracle, 1433 mssql, 139,445 netbios, 53 dns; OK, Cancel]

Common server ports are preset in the device. To add a port, click Add. Select Enable weak password scan to enable the weak password scan function. See the following figure.

[Figure: Risk Assessment page; Untrusted Source Zone WAN; Start; Port 80,81,8001,8002 (http), 443; Enable weak password scan]

Destinatio
485. um, Low; Others; Show Top 10; Chart Type Ranking.

[Figure: URL Category Bandwidth Distribution chart, Traffic Statistics, Bidirectional Traffic Based on Application: News Portal 14%, Search Engine 7.1%, IT Related 3.5%, Life Information 3.3%, Web Mailbox 3.2%, Forum 1.9%, Game 1.7%, Travel & Traffic 1.5%, Sports 1.4%, Personal Website 1.2%, Other 61.2%]

URL Category Bandwidth Distribution

No | URL Category | Bidirectional Traffic | Inbound Traffic | Outbound Traffic
1 | News Portal | 20,212 KB | 18,051 KB | 2,161 KB
2 | Search Engine | 10,148 KB | 9,203 KB | 945 KB

Custom reports are one-off reports and cannot be generated repeatedly.

Subscription

The Subscription page enables users to generate periodic reports and send the generated reports to specified mailboxes regularly.

[Figure: Subscription page; Navigation Menu; Report Name Firewall Report; Filter: Schedule All week, IP/User All, IP Group; Statistics Type Ranking, Trend, Ranking & Trend; Show Top 10; Report Contents: Report Type Simplified report or Full report; Security Type Overall Security, Server Security, Endpoint Security; Threat Level High, Medium, Low; Traffic Rank By Bidirectional Traffic, Outbound Traffic, Inbound Traffic; Statistics Application, App Category, Group, IP/User; App Category All; Application Statistics]
486. up and define the home IP group of the WAN interface. For configuration details, see sections 3.2.1.4 and 3.4.8. In this example, ETH2 is set to LAN, and 192.168.1.0/24 is defined as an IP group on the intranet. See the following figure.

[Figure: Interfaces page with tabs Physical Interface, Sub-Interface, VLAN Interface, Aggregate Interface, Zone, Link State Propagation; Add, Refresh]

Zone Name | Zone Type | Interfaces | Device Mgmt Privilege | Allowed Address | Status
LAN | Route (layer 3) | eth2 | WebUI, snmp | All | In use
WAN | Route (layer 3) | eth1 | WebUI, snmp | All | In use

[Figure: IP Group page; Add, Refresh, Import, Export]

No | Name | Description | Status
1 | All | All IP addresses | In use
2 | LAN IP Range | | In use

Step 2: Click Add on the NAT page and choose Bidirectional NAT. The Add Bidirectional NAT Rule page shown in the following figure appears. Select Enable and enter a rule name and description. If you do not select Enable, the rule does not take effect. See the following figure.

[Figure: Add Bidirectional NAT Rule; Enable; Name Web Server_Internal; Description Access web server via domain name]

Step 3: Specify the source zone and source IP group to which the rule applies. In this example, the configuration is shown in the following figure.

[Figure: Source Zone LAN; IP Group LAN IP Range]

Step 4: Specify the destination IP address and destination zone to which the rule applies. In this example, the server is on the
487. us attacks mounted on the intranet by intranet users.

[Figure: Endpoint Security page; Specify the following and click Go to retrieve data; Filter: Period Today 2013-08-15 to 2013-08-15; IP/User All or User Group; Attack Type All; Threat Level High, Medium, Low; Action Allow, Deny, Others; Statistics Host IP or Attack Type; Show Top 10; Less <<; Go; Open in new tab]

Example

Application scenario: A user needs to show the top 10 IPS attacks on intranet users on August 15.

Step 1: Set the statistic criteria.

[Figure: Endpoint Security filter; Period Today 2013-08-15 to 2013-08-15; IP/User All; Attack Type IPS; Threat Level High, Medium, Low; Action Allow, Deny, Others; Statistics Host IP; Show Top 10; Go, Cancel; Open in new tab]

Step 2: Click Go. The corresponding charts are generated.

[Figure: Endpoint Security Based on Host IP; Period Specified; Threat Level High, Medium, Low; Statistics Host IP; Show Top 10]

Host IP | Username | Group | Attack Count | Percent
172.16.2.2 | 172.16.2.2 | | 466 | 100%
Total | | | 466 | 100%

To generate a report, generate a PDF file, export the data to an EXCEL file, or
488. use the loopholes of the related version to initiate attacks. Therefore, the fields can be hidden to prevent attacks. Select HTTP and click Settings. The page shown in the following figure appears.

[Figure: HTTP Packet Header Filter; Hide specified fields in HTTP response header: server, x-powered-by (Add, Delete, Type); Replace server error page (5xx); Replace request error page (4xx); OK, Cancel]

Customize the content of the HTTP header. You can use packet capturing tools such as HTTPWATCH to obtain some of the fields sent back by the server to the client, and enter those fields on this page. Select Replace server error page to enable the firewall to replace an error information page sent from the server (such as an error 500 page, which usually contains server information) with an error information page that does not contain server information.

FTP Weak Password Protection

It is applicable only to the FTP protocol. It filters simple user names and passwords. Select FTP Weak Password Protection and click Settings. The page shown in the following figure appears.

[Figure: FTP Weak Password Protection page]

Weak Password Definition:
- Password is null
- Username and password are the same
- Password contains 8 or fewer characters in alphabetical order
- Password contains 8 or fewer digits only
- Password contains 8 or fewer letters only
- Password contains 6 or fewer alphanumeric ch
489. users' access to corporate resources. Navigate to SSL VPN > Roles and the Roles page appears as shown below.

[Figure: Roles page; Add, Delete, Edit, Select, Privilege Report; Search by Name, Enter keyword; columns Role Name, Description, Assigned to Group, Status; example row: website]

The following are some of the contents included on the Role Management page:

Search by Name / Description / User Group: To search for a specific role or type of roles, select an option, enter the keyword into the textbox, and click the magnifier icon. Name and Description indicate the name and description of the role. User Group indicates the user and/or group that the role is assigned to.
Role Name: Indicates the name of the role.
Description: Indicates the description of the role.
Add: Click it to add a new role directly or using an existing role as a template.
Edit: Click it to edit a selected role.
Delete: Click it to remove the selected role(s).

Adding a Role

1. Click Add > Role to enter the Add Role page, as shown in the figure below.

[Figure: Add Role page; Basic Attributes (fields marked are required): Name, Description, Assigned To (Select User/Group), Enable Role; Associated Resources: Select Resource; columns Name, Description]

2. Configure the Basic Attributes of the role. The following are the basic attributes:

Name: Configures the name of the ro
490. users authenticated against an external LDAP server, for they can be synchronized to a corresponding group automatically.

[Figure: User Sync Policy, Other User Attributes; Concurrent Login: Allow concurrent login on multiple terminals, Only allow login on one terminal; Bind IP/MAC, Binding Mode: Bind the IP on initial logon, Bind the MAC on initial logon, Bind the IP and MAC on initial logon]

The NGAF verifies authentication policies from top to bottom, one by one. For the two authentication policies configured in this example, the order should be the same as the order in the following figure.

[Figure: Authentication Policy page; Enable user authentication; Authentication Zone LAN; Add, Refresh, Import, Example File]

No | Name | IP/MAC | Authentication | New User Option | Description
1 | Subnet 1 | 192.168.1.0 / 255.255.255.0 | Password based authentication | Add to group IT |
2 | Default Policy | 0.0.0.0 / 255.255.255.255 | None (IP as username) | Add to group Default | Default Policy

3.7.2.1.3.2 Configuration Example 2

The IP address range on the intranet is 192.168.2.1 to 192.168.2.255. The computers within the IP address range are added automatically as new users. The authentication mode is no authentication, and the computer name is taken as the user name. The binding mode is bidirectional binding by MAC address. New users are added to the Marketing group.

Step 1
491. ust be an idle network interface.

[Figure: Authentication Options, SSO Options; Proxy SSO; Auth Page Redirection; note: If SSO requires an external authentication server and the packets of users logging into the external server do not go through this device, you need to mirror the packets to an idle interface of this device. Specify the mirror interface here. Enable mirror interface; Other Options; Mirror Interfaces (the selected interface will be monitored): eth0, eth1, eth2, eth3]

Step 3: Set authentication policies based on the IP addresses or MAC addresses of the users who require proxy SSO. Choose User Authentication > Policy, click Add, and set the policies. See section 3.6.2.1.3.

Step 4: Log in to the proxy server on the PC. You can access the Internet after a successful login.

If the proxy server is located on an external network while automatic authentication is required, you must assign the permission to access the proxy server in the root group. For configuration details, see section 3.8.1. In addition, choose Authentication Options > Other Options and select Basic services except HTTP are available before user passes authentication. See the following figure.

[Figure: Authentication Options, SSO Options; Auto logout the user who causes no flow in a specified period; Time Period (mins) 120; Auth Page Redirection; Authenti
492. uto Bypass (the Auto Bypass link is shown for each log row).

[Figure: APT log list; columns No, Time, Type, Protocol, URL/Directory, Src Zone, Source IP, User/Group, Src Port, Dst Zone, Dst IP, Dst Port, Rule ID, Policy Name, Threat Level, Action, Data Packet; row 106: REQUEST 2014-03-14 18:35:58, Botnet, TCP, g.ceipmsn.com with a long request path (garbled in the source), WAN, Demo, 10.0.0.2, 49175, WAN, 131.253.40.10, 80, 40018995, Demo, Low, Deny]

Step 4: Click Data Packet to view the packet that matched the APT policy.

GET /... (request path garbled in the source) HTTP/1.1
User-Agent: BingBar 1.3.126.0
Host: g.ceipmsn.com

Step 5: Click Auto Bypass to disable the rule that matched the Botnet feature database. This function is used when the administrator finds a misevaluation.

[Figure: Bypass is applied on 40018995 (disabled). To remove the bypass again, you can: 1. Click Remove Bypass. 2. The rule is configurable in Security Dat
493. ve the highest access frequency among intranet users. To enable the data center to collect application statistics, choose Access Control > Application Control Policy, create a policy, and click Log event in the Action area.

Website Browsing

The Website Browsing page enables users to collect statistics on the website browsing behavior of intranet users.

[Figure: Website Browsing page; Specify the following and click Go to retrieve data; Filter: Period Specified 2013-08-12 to 2013-08-15; Schedule All week; IP/User All or User Group All; URL Category All; Action Allow, Deny; Others; Statistics URL Category, Domain, IP/User; Rank By Access Count; Show Top 10 or 20; Less <<; Go; Open in new tab]

Example

Application scenario: A user needs to show the top 10 websites that are accessed by intranet users most frequently on May 30, so as to know the Internet behavior of intranet users.

Step 1: Set the statistic criteria.

[Figure: Website Browsing filter; Period Specified 2013-08-12 to 2013-08-15; Schedule All week; IP/User All; URL Category All; Action Allow, Deny; Others; Statistics URL Category, Domain, IP/User; Rank By; Show Top 10; Less <<]

Step 2: Click Go. Rel
494. ver Certificate

Server Certificate is an object used in the SSL Policy configuration. There are 3 methods to add a server certificate in this section: Import Certificate, Self-signed Certificate, and Import Public/Private Key. Navigate to Objects > Server Certificate and the page is shown as in the figure below.

[Figure: Server Certificate page; Add, Refresh; columns No, Name, Expiry Date, Certificate, Delete]

Import Certificate

Click Add and select Import Certificate; the page below is shown.

[Figure: Import Certificate dialog; Name; Certificate (.pfx, .p12); Password; OK, Cancel]

Name: Name for the Certificate object.
Certificate: Click Browse to select the certificate for this object (default formats .pfx and .p12).
Password: Enter the password of the certificate.

Self-signed Certificate

Click Add and select Self-signed Certificate; the page below is shown.

[Figure: Self-signed certificate dialog; City; Company; Department; Issued To; E-Mail; CA Password; Key Size 1024; Valid To 5 years]

Configure the required fields. In this scenario: Name, Country, State, City, Company, Department, the email address the certificate is issued to, CA Password, Key Size, and Valid period. Click OK to complete the process.

Import Public/Private Key

Click Add and select Import Public/Private Key; the page below is shown.

[Figure: Import Public/Private Key dialog; Name; Public Key File
495. vers, the equipment will detect the vulnerabilities of the server if the rules match during scanning. The analysis will be logged and used to generate a report for the user.

Vulnerability Analysis Rule

Rule ID | Rule Name
15090282 | JCMS 2010 Database Configuration Load Vulnerability
15090281 | JCMS 2010 SQL Injection Vulnerability
15090280 | JCMS 2010 Arbitrary File Upload Vulnerability
15090279 | JCMS 2010 Local File Include Vulnerability
15090278 | KingCMS5.0 Fckeditor Component Upload WebShell Vulnerability Detection
15090277 | Joomla Zap Calendar Component XSS Vulnerability
15090276 | Joomla Flexicontent Component Remote Code Execution Vulnerability
15090275 | Joomla Extplorer Component XSS Vulnerability
15090274 | Joomla Multi Calendar Component XSS Vulnerability
15090273 | Joomla 2.5 Remote Privilege Escalation Vulnerability
15090272 | Joomla 3.2 SQL Injection Vulnerability Detection
15090271 | Joomla 3.2 HTML Injection Vulnerability Detection
15090270 | Joomla Simple File Lister Component Local File Inclusion Vulnerability
15090269 | Joomla Jotloader Component Local File Inclusion Vulnerability
15090268 | Joomla JoomTouch Component Local File Inclusion Vulnerability
15090267 | Drupal v6 OpenID Module Authentication Bypass Vulnerability
15090266 | Drupal v7 Access Control Vulnerability
15090265 | Drupal v6 OpenID
15090264 |
15090263 |
15090262 |
496. w Top

[Figure: Custom_Report filter; Period 2013-08-16 to 2013-08-16; Schedule All week; IP/User All; IP Group; Statistics Type Ranking, Trend, Ranking & Trend; Show Top 10]

Step 2: Select Website Browsing in the Report Contents area and set Rank by and Statistics.

[Figure: Report Contents; Report Type Simplified report or Full report; Security Type Overall Security, Server Security, Endpoint Security; Threat Level High, Medium, Low; Traffic Rank By Bidirectional Traffic, Outbound Traffic, Inbound Traffic; Statistics Application, App Category, Group, IP/User; App Category All; Application Statistics Application, App Category, IP/User; App Category All; Website Browsing Statistics Category, Domain, IP/User; Report File Format: Open on webpage and save to report list, Save as PDF file on local PC]

Step 2: Click OK. A report that meets the criteria is generated.

[Figure: Custom_Report; Navigation Menu: URL Category Bandwidth Distribution, URL Category Access Count; Print, Export as PDF File; Report Details: Custom_Report, Generated At 2013-08-16 11:19:54; Filter: Period 2013-08-16 00:00:00 to 2013-08-16 23:59:59; Schedule All week; IP/User All; Application Category (Traffic Statistics) All; Application Category (Application Statistics) All; Threat Level High, Medi
497. ween other VPN users and the subnets of the internal network at the headquarters. For example, the internal network at the headquarters consists of two subnets, 192.200.100.x and 192.200.200.x. You can configure a local subnet list to implement mutual access between the network segments of branch users, mobile users, and the headquarters. The procedure is as follows:

1. On the Local Subnet page, configure the subnets to be interconnected. See the figure below.

[Figure: Local Subnet page; New; columns No, IP Address, Subnet Mask, Operation; Save and Apply]

Click New to add a local subnet. See the figure below. Set IP Address and Subnet Mask to the network ID and subnet mask of a non-direct network segment of the VPN equipment in the internal network at the headquarters.

2. Set routes for the subnets to be interconnected in Static Route. For details, choose Network > Routing > Static Route.

Note: The local subnet list is like a declaration. The network segments defined on the Local Subnet page are considered VPN network segments by the VPN equipment and software clients. After passing through the VPN equipment or software, all packets destined for these network segments are encapsulated and transmitted over the VPN tunnel. Generally, after adding subnet segments on the Local Subnet page, you need to configure static routes to implement access to multiple subnets.

Tunnel Route

The SANGFOR equipm
498. work access behaviors. The following types are available, based on the authentication method:

1. User name/password: Before an online user of a terminal accesses the network, the browser is redirected to the authentication page, prompting the user to type the correct user name and password. Password authentication includes local password authentication and external server password authentication. After an online user types the user name and password, the system checks whether they are correct in the local user groups. If the user is not a local user and an external authentication server is configured, the system checks whether the user name and password are correct on the external authentication server. Note that only accounts for which Local password is selected are applicable to local password authentication. If Local password is not selected, the user name and password are sent to the external authentication server.

2. SSO: If an authentication system is already configured on the network, the system can work together with that authentication system to identify the user who is using a certain IP address. The user is not prompted to type the user name and password before accessing the network, reducing the impact on online users. At present, the following SSO types are supported: SSO based on the MS Active Directory domain (see section 3.6.2.2.1.1); SSO based on a proxy server (see se
499. y 2 | Sync IT, Management, Normal user | GROUP | Yes | Synchronizing succe...

Step 7: Choose User Management > Groups to check the organizational structure. As shown in the figure below, the imported security groups and users are consistent with those in the LDAP server.

Note: If the names of user groups or users on the equipment are the same as those of the user groups and users in the security groups to be synchronized, those security groups and users in the LDAP cannot be synchronized to the equipment.

3.7.1.6.2 Deleting a Synchronization Policy

To delete a useless synchronization policy, select the synchronization policy on the LDAP User Sync Policy page and click Delete. Deleting a synchronization policy does not affect the groups and users that have already been synchronized to the equipment.

[Figure: LDAP User Sync Policy page; Add, View Logs, Refresh]

No | Policy Name | Description | Group/User | Auto Sync | Last Sync | Sync Now | Delete
1 | Sync Policy 1 | Sync RD | OU | Yes | Synchronizing succe... | |
2 | Sync Policy 2 | Sync IT, Management, Normal user | GROUP | Yes | Synchronizing succe... | |

3.7.1.6.3 Checking Synchronization Logs

The NGAF generates a synchronization log each time it executes an LDAP synchronization. You can view the logs to learn about the synchronization process and result. Click View Logs. On the displayed Sync Logs screen, select the required log item, download the log, and check its content.
500. y gene

[Figure: View application control policy (edit not allowed); Source: IP/User, IP Group All, User Group Select, Zone WAN; Zone has been selected based on IP group in existing policy: Yes; Destination: IP Group scansIPG20135082 105 718_0 (as shown), Zone WAN; Service/Application; Close]

[Figure: View application control policy (edit not allowed); Enable; Name scansApp20130827105 18 000 (as shown); Description: The policy is automatically generated; Source: IP/User, IP Group All, User Group Select, Zone WAN; Zone has been selected based on IP group in existing policy: Yes; Destination: IP Group scansIPG2013062 105 18_004 (as shown), Zone WAN; Service/Application]

Hot Standby Application Example 1

The following figure shows a network topology where two NGAFs are deployed at the network egress to implement SNAT and serve as a proxy that enables intranet users to access the Internet. Firewall A is the active firewall and firewall B is the standby firewall. Upon failure of firewall A, firewall B must immediately take over, replacing the active one. When the fault of firewall A is rectified, firewall A switches back to being the active firewall automatically, thus realizing high redundancy.

[Figure: hot standby topology; ETH1 1.0.1.2/29 on both active firewall A and standby firewall B; ETH3 10.10.10.10/30 on both; VLAN100 172.16.1.0/24; VLAN101 192.168.1.0/24]

Step 1: C
501. y group information of the LDAP server that needs to be synchronized in Synchronization Source.

[Figure: Add User Sync Policy; Synchronization Source: LDAP Server AD1; Sync with Remote Directory: CN=IT,DC=sangfor,DC=com; CN=Management,DC=sangfor,DC=com; CN=Normal Users,DC=sangfor,DC=com; options: Add user structure based on top level OU of selected remote directory beneath specified local group; Add user structure based on bottom level OU of selected remote directory beneath specified local group; Add user structure based on sub OU of selected remote directory beneath specified local group; OU Depth 16; Filter]

LDAP Server is used to set the LDAP server to be synchronized. In this step, set the LDAP server to the server configured in step 1. Specify the security groups in the LDAP server to be synchronized in Sync with Remote Directory. Click the selection button next to the field. In Select Group, select CN=IT, CN=Management, and CN=Normal Users. Click OK.

[Figure: Select Group dialog; Group name; directory tree under DC=sangfor,DC=com: CN=IT,DC=sangfor,DC=com; CN=Management,DC=sangfor,DC=com; CN=Normal Users,DC=sangfor,DC=com; CN=Cert Publishers,CN=Users,DC=sangfor,...; CN=DnsAdmins,CN=Users,DC=sangfor,...; CN=DnsUpdateProxy,CN=Users,DC=sangfor,...; CN=Domain Admins,CN=Users,DC=sangfor,...; CN=Domain Computers,CN=Users,DC=...; CN=Domain Controllers,CN=Users,DC=...; CN=Do
502. ynchronized to firewall A.

[Figure: High Availability; tabs Basic Settings, Redundancy, Sync Options; Enable configuration synchronization; Objects: Available / Selected: User authentication, Session information, Configuration synchronization; Add, Delete]

Step 10: Power off firewalls A and B and connect the cables. After that, power on firewall A and then firewall B. After starting, firewall B requests the configuration from firewall A. Note that firewall B may be powered on only after firewall A has started.

Example 2

The following figure shows a network topology where users on intranet A and intranet B must access the Internet through the lines of China Telecom and China Netcom, respectively. Two firewalls, A and B, operate simultaneously to share the load. Upon failure of one firewall, all data is routed to the other firewall, causing no adverse impact on the network.

[Figure: active/active topology; 10.1.2.1/24 on ETH1; SANGFOR Firewall A and Firewall B; ETH3; Layer 3 switch B; VLAN100 172.16.2.0/24; VLAN100 172.16.1.0/24]

Configuration procedure

1. In the Add VRRP Group dialog box, set VRID and Priority both to 50 for interfaces ETH5 and ETH2 of firewall
503. ype | Interfaces | Device Mgmt Privilege | Allowed Address
LAN | Route (layer 3) | eth3 | WebUI, snmp | All
WAN | Route (layer 3) | eth1 | WebUI, snmp | All
DMZ | Route (layer 3) | eth2 | WebUI, snmp | All

Step 2: Configure an application control policy. Choose Access Control > Application Control Policy and allow all services used by intranet users to access the servers, plus the HTTP service used by Internet users to access the servers.

[Figure: Application Control Policy page; Add, Import; filters Source Zone, Dst Zone; columns No, Name, Source Zone, Source IP/User, Dst Zone, Dst IP, Service/Application, Schedule, Action, Log, Hit Count, Status, Clone, Delete; row 1: Predefined Service http, All week, Allow, Log No, Hit Count 0; row 2: internal access, LAN, DMZ, Predefined Service any, All week, Allow, Log No, Hit Count 0]

Step 3: Configure port scanning. On the Risk Assessment page, set Untrusted Source Zone to WAN and LAN, Destination to 192.168.1.249, and Port to the frequently used ports preset in the NGAF.

[Figure: Risk Assessment; Untrusted Source Zone WAN, LAN; Destination 192.168.1.249; Enable weak password scan; Port Specified 80,81,8001,8002 (http), 443; Export as PDF; Clear Scan Results; All Associated Policies; columns Server IP, Port, Application, Protocol, Accessible, Accessible IP, Th]

Step 4: Configure weak password scanning. On the Risk Assessment page, select Enable weak password scan, set Range t
