Does anyone have an issue like us with NSF 8.0.85?
  

addimasqi Lv2 Posted 08 Jul 2024 17:04

First of all, we have had a good experience with my NGAF. NGAF has been protecting our servers for around 7 years. When our team attended the Sangfor Event in 2023 and Sangfor announced a new product (NSF), we got excited about the new features like Cloud Deception, SOC, FQDN in Network Object, and other things.

This year, we have a project to migrate from NGAF to NSF, with the same topology, IP addresses, and some configuration with a little improvement. But in the first migration, we encountered so many problems. Our services were not running well. Our communication between zones was not running, our SSLVPN was not running, and many other things.

So we troubleshot with our partner and the Sangfor principal, and then we knew the root cause. We created a testing environment that is the same as our production. The root cause is:
1. Object - Custom Services: my team with our partner added a specific source port that is the same as the destination port.
2. In NSF, the default hierarchy of routing is, in order: direct route, PBR, SSLVPN, IPSEC VPN, destination route (static route). Unlike NGAF, where I know the default hierarchy of routing is, in order: direct route, destination route (static route), SSLVPN, PBR.
3. So many misconfigurations in routes (static route, PBR) and SSLVPN. These misconfigurations have been solved with the Sangfor principal.

And then the second migration came. NSF went to production from the testing environment. We just reconfigured the IP address on the interface and changed the IP address gateway from PBR, then plugged the patch cord cable into the NSF interface. The result is that all of our services are now running except SSLVPN. We made the decision that the NSF is in production now without the SSLVPN feature.

We don't know yet what the problem is. We hope it is just a misconfiguration, or maybe firmware bugs in the NSF firmware.
Does anyone have an issue like us with NSF 8.0.85?

vesogi7900 Lv2 Posted 08 Jul 2024 18:03
  
It sounds like you've had quite a journey with the migration from NGAF to NSF! It's great to hear that most of your services are now running smoothly, but I understand the frustration with the SSLVPN issue.

From what I found, there are a few common issues and solutions related to SSLVPN on NSF 8.0.85:

Configuration Issues: Ensure that the SSLVPN configuration is correct. This includes setting up the correct interfaces, ports, and user roles. Make sure the SSLVPN port (default is 4430) is accessible from external networks.
Routing Hierarchy: As you mentioned, the routing hierarchy in NSF is different from NGAF. Double-check that the routing rules are correctly configured to prioritize SSLVPN traffic appropriately.
Firmware Bugs: There might be firmware bugs affecting SSLVPN functionality. It’s a good idea to check for any firmware updates or patches that might address these issues.
Testing Environment: Since your testing environment worked well, compare the configurations between your testing and production environments to identify any discrepancies.

If these steps don't resolve the issue, it might be helpful to reach out to Sangfor support for more specific guidance. They might have encountered similar issues with other users and could provide a more tailored solution.

Enrico Vanzetto Lv4 Posted 08 Jul 2024 21:49
  
Hi, please try to back up your configuration, perform a factory reset of your device, and try to redo the configuration from scratch (at least the basic configuration, in order to see if there are some issues again).

Newbie517762 Lv5 Posted 09 Jul 2024 16:44
  
HiHi,

The new firmware, version V8.0.95, is to be released by 20-July, and new hardware is also coming.
I hope they can solve your concerns:

The upcoming version 8.0.95 introduces new automation capabilities, allowing Sangfor Network Secure and Endpoint Secure to respond automatically to detected threats, minimizing potential impact.
Additionally, our new hardware models cater to a broader range of needs, from high-spec models supporting larger throughput to cost-effective versions that combine NGFW and SD-WAN in a single solution. We've also addressed stability and usability issues to provide the best performance and user experience to date.

addimasqi Lv2 Posted 09 Jul 2024 17:42
  
We were just remotely accessed by Sangfor technical support. We have information that the NGAF firewall and NSF firewall have different structures. For NSF firewalls, it's essential to configure a default route/static route (0.0.0.0) to enable VPN functionality. This is considered a best practice for NSF firewalls when setting up static routes. And with the current configuration (using the default route 0.0.0.0), we will monitor all our services first. We will inform our partners later whether there are any issues or not.
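
A pre-migration check for the two points raised in this thread (the different route-type order and the default static route), added here as an example and not part of any post or of Sangfor's tooling. It assumes the first route type with a match wins, in the orders reported above, and longest prefix within a type; the route set, interface names and helper names are constructed for illustration.

```python
import ipaddress

# Route-type precedence as reported in the thread (earlier type wins).
NGAF_ORDER = ["direct", "static", "sslvpn", "pbr"]
NSF_ORDER = ["direct", "pbr", "sslvpn", "ipsec", "static"]

# Constructed sample route set (not from the thread). PBR is reduced to
# destination matching only; real policy routes can match on more fields.
ROUTES = [
    {"type": "direct", "dst": "10.10.1.0/24", "via": "eth1"},
    {"type": "static", "dst": "10.20.0.0/16", "via": "10.10.1.254"},
    {"type": "pbr", "dst": "10.20.0.0/16", "via": "wan2"},
    {"type": "sslvpn", "dst": "172.16.50.0/24", "via": "sslvpn-pool"},
    {"type": "pbr", "dst": "0.0.0.0/0", "via": "wan1"},
]

def resolve(dst_ip, routes, order):
    """Pick the route for dst_ip: first type in `order` that has a match,
    longest prefix within that type (assumption)."""
    ip = ipaddress.ip_address(dst_ip)
    for rtype in order:
        hits = [r for r in routes
                if r["type"] == rtype and ip in ipaddress.ip_network(r["dst"])]
        if hits:
            return max(hits, key=lambda r: ipaddress.ip_network(r["dst"]).prefixlen)
    return None

def migration_diff(dst_ips, routes):
    """Destinations whose next hop changes between the NGAF and NSF orders."""
    changed = []
    for ip in dst_ips:
        old = resolve(ip, routes, NGAF_ORDER)
        new = resolve(ip, routes, NSF_ORDER)
        if old != new:
            changed.append((ip, old and old["via"], new and new["via"]))
    return changed

def has_default_static(routes):
    """True if a 0.0.0.0/0 static route exists, as support advised for VPN."""
    return any(r["type"] == "static" and r["dst"] == "0.0.0.0/0" for r in routes)

if __name__ == "__main__":
    for row in migration_diff(["10.10.1.5", "10.20.3.4", "172.16.50.10"], ROUTES):
        print("next hop changes:", row)
    print("default static route present:", has_default_static(ROUTES))
```

With the sample data, the catch-all PBR entry takes over the SSLVPN pool under the NSF order, which is the kind of change to look for before cutover.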

Prosi Lv3 Posted 10 Jul 2024 09:25
  
Hi,

Always prioritize backup, verification, and contingency planning to mitigate risks associated with such migrations.