Sangfor NSF-NGAF Gateway

Newbie702126 Lv1Posted 27 May 2024 13:57

Hello Masters!   I need some recommendation on how to configure the routing in this scenario.

The client is already have a established network setup.
Router- ISP
Core Switch- DHCP Vlan Server, Port forwarding.
Access Switch- Connected to all the workstation.

The client had a plan to have network firewall and deploy as  router mode.
What is the configuration on the firewall so that all the vlans and the routing config will pass through the firewall, also the policy will take effect on all the workstation.

Thank you!

Enrico Vanzetto has solved this question and earned 20 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Hi, to configure Sangfor NGAF (Next-Generation Application Firewall) in route mode and ensure that all VLANs and routing configurations pass through the firewall, follow these steps:

1. Topology Overview:

You currently have an existing network setup with the following components:

A router connected to the ISP.
A core switch serving as a DHCP VLAN server and handling port forwarding.
An access switch connected to workstations.


The objective is to introduce the Sangfor NGAF as a network firewall in router mode.


2. Sangfor NGAF Configuration:

Ensure that your Sangfor NGAF device is running firmware version 8.0.35 or later.
For demonstration purposes, let's assume the following IP addresses:

External (WAN) interface: 1.2.1.2/29
Internal (LAN) interface: 192.168.1.254/24




3. Configuration Steps:

a. Login to the Device:
- Access the Sangfor NGAF management interface via the default IP address (10.251.251.251/24) using a web browser.
- Configure your computer with an IP address in the same network segment (e.g., 10.251.251.x) and log in to the device via web ui to 10.251.251.251.

b. Configure External Network Interface (WAN):
- Navigate to Network > Interfaces > Physical Interfaces.
- Select the interface (e.g., eth2) to be set as the external network interface.
- Set the interface type to Layer 3.
- Assign it to the custom external network zone (e.g., WAN).
- Configure IP 1.2.1.2/29 and set the next hop address to 1.2.1.1.

c. Configure Internal Network Interface (LAN):
- Choose a free network port (e.g., eth3) for the internal network interface.
- Set the interface type to Layer 3.
- Assign it to the custom internal network zone (e.g., LAN).
- Configure IP 192.168.1.254/24.

d. Routing Configuration:
- Configure a default route to 0.0.0.0/0 pointing to the front router (1.2.1.2).
- Since the internal network interface connects to multiple network segments across Layer 3, configure additional static routes for each network segment to the Layer 3 switch.
- Example routes:
- Default route: Dst IP/Netmask = 0.0.0.0/0, Next-Hop IP = 1.2.1.1
- Intranet segment route: Dst IP/Netmask = 192.168.2.0/24, Next-Hop IP = 192.168.1.1

e. NAT Policy:
- Go to Policies > NAT > IPv4 NAT.
- Create a source NAT policy:
- Source zone: Custom intranet zone
- Source address: Custom internal network
- Destination zone: Custom external network zone
- Dst address: All
- Services: Any
- Convert source address to the outgoing interface address.

f. Application Control Policy:
- Navigate to Policies > Access Control > Application Control.
- Create a policy to allow traffic from intranet to external:
- Source zone: Custom internal network zone
- Source address: Custom internal network
- Destination zone: Custom external network zone
- Dst address: All
- Services: Any
- Applications: All

4. Testing and Verification:

Test connectivity from workstations to external resources (e.g., browse the internet) to ensure that routing and policies are working as expected.


Remember to adapt the configuration to your specific network setup and adjust IP addresses, zones, and routes accordingly.
Is this answer helpful?
Enrico Vanzetto Lv4Posted 27 May 2024 20:21
  
Hi, to configure Sangfor NGAF (Next-Generation Application Firewall) in route mode and ensure that all VLANs and routing configurations pass through the firewall, follow these steps:

1. Topology Overview:

You currently have an existing network setup with the following components:

A router connected to the ISP.
A core switch serving as a DHCP VLAN server and handling port forwarding.
An access switch connected to workstations.


The objective is to introduce the Sangfor NGAF as a network firewall in router mode.


2. Sangfor NGAF Configuration:

Ensure that your Sangfor NGAF device is running firmware version 8.0.35 or later.
For demonstration purposes, let's assume the following IP addresses:

External (WAN) interface: 1.2.1.2/29
Internal (LAN) interface: 192.168.1.254/24




3. Configuration Steps:

a. Login to the Device:
- Access the Sangfor NGAF management interface via the default IP address (10.251.251.251/24) using a web browser.
- Configure your computer with an IP address in the same network segment (e.g., 10.251.251.x) and log in to the device via web ui to 10.251.251.251.

b. Configure External Network Interface (WAN):
- Navigate to Network > Interfaces > Physical Interfaces.
- Select the interface (e.g., eth2) to be set as the external network interface.
- Set the interface type to Layer 3.
- Assign it to the custom external network zone (e.g., WAN).
- Configure IP 1.2.1.2/29 and set the next hop address to 1.2.1.1.

c. Configure Internal Network Interface (LAN):
- Choose a free network port (e.g., eth3) for the internal network interface.
- Set the interface type to Layer 3.
- Assign it to the custom internal network zone (e.g., LAN).
- Configure IP 192.168.1.254/24.

d. Routing Configuration:
- Configure a default route to 0.0.0.0/0 pointing to the front router (1.2.1.2).
- Since the internal network interface connects to multiple network segments across Layer 3, configure additional static routes for each network segment to the Layer 3 switch.
- Example routes:
- Default route: Dst IP/Netmask = 0.0.0.0/0, Next-Hop IP = 1.2.1.1
- Intranet segment route: Dst IP/Netmask = 192.168.2.0/24, Next-Hop IP = 192.168.1.1

e. NAT Policy:
- Go to Policies > NAT > IPv4 NAT.
- Create a source NAT policy:
- Source zone: Custom intranet zone
- Source address: Custom internal network
- Destination zone: Custom external network zone
- Dst address: All
- Services: Any
- Convert source address to the outgoing interface address.

f. Application Control Policy:
- Navigate to Policies > Access Control > Application Control.
- Create a policy to allow traffic from intranet to external:
- Source zone: Custom internal network zone
- Source address: Custom internal network
- Destination zone: Custom external network zone
- Dst address: All
- Services: Any
- Applications: All

4. Testing and Verification:

Test connectivity from workstations to external resources (e.g., browse the internet) to ensure that routing and policies are working as expected.


Remember to adapt the configuration to your specific network setup and adjust IP addresses, zones, and routes accordingly.

I Can Help:

Change

Moderator on This Board

11
7
5

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

0
4
5

Started Topics

Followers

Follow

67
20
3

Started Topics

Followers

Follow

3
14
3

Started Topics

Followers

Follow

1
137
3

Started Topics

Followers

Follow

Board Leaders