NGAF Configuration Best Practice Requirements Collection 100
  

sangfor_2267 Posted 13 May 2021 11:54

Dear Customers and Partners,

As you know, in the past few years we have released user manuals and configuration guides.
Last year we released a lot of best practices with cases. You can refer to those documents for very detailed steps to configure NGAF.
This year we are going to release best practices for configuration, including configuration steps, common precautions and functional limitations. Take IPSEC VPN as an example: you can read the following article. We try to summarize the selection of deployment mode, configuration ideas, information collection, function limitations, version differences, etc., so that you can better configure NGAF when doing POC and delivery.


However, we need your suggestions to determine whether it is necessary for us to write related documents. Please give me honest feedback on the following two questions. For detailed answers I will give you 100 coins. For other answers I will also give a certain amount of coins depending on the content of the answer, usually no less than 10 coins.

1. What other content do you think needs to be added to these documents?
2. Do you have any other suggestions? Any related suggestion is OK.


Chapter 1 Best Practice
1.1 Basic
1. If the end user is using a version before NGAF 8.0.26, it is recommended to use the IE browser to configure VPN-related functions and to enable the browser compatibility adaptation function.
[Image: 75265609ca318eb52d.png]
2. The VPN configuration has a large number of "OK" options. Please be sure to click "OK" after finishing the configuration to ensure that the configuration takes effect.
1.2 Confirm the Requirements and Deployment
1.2.1 Confirm the Gateway Type
1. Check the network environment of the devices at both sides, including: deployment mode, device version information, network topology, WAN port type, etc.
1) If one side of the VPN is using NAT, the IPSEC VPN must use aggressive mode, and UDP ports 500 and 4500 need port mapping (DNAT) on the front-end device.
    A. If the VPN devices at both ends have fixed IPs and no NAT is used, then either aggressive mode or main mode can be used.
    B. If only one end is PPPoE/ADSL and no NAT is used:
     If the packet is sent from the PPPoE/ADSL end to the fixed-IP intranet, either aggressive or main mode can be used.
     If the packet is sent from the fixed-IP intranet to the PPPoE intranet, then you must apply for DDNS for the PPPoE end, and the fixed-IP end must use the DDNS domain name to actively connect to the PPPoE end.
    C. If both ends are PPPoE, one end must use DDNS to resolve a domain name, so that the other end can connect to it through the domain name.
(PS: PPPoE may obtain a private network address of the operator from the ISP. In this case it is equivalent to the operator having a NAT, so you must use aggressive mode to connect.)
1.2.2 Confirm the License
1. If the headquarters device is NGAF and the branch device is a third-party device, you need to confirm that the Branch VPN Sites license on the NGAF is authorized.
IPSEC multi-line authorization is only required when there are multiple lines at both the headquarters and the branch, and both the headquarters and the branch need to have it enabled at the same time. Under normal circumstances, it is enough to enable the IPSEC multi-line authorization on the headquarters or the branch separately.
[Image: 98752609ca32b1d7c2.png]
1.2.3 Confirm IKE Type and Parameters
1. Confirm the version of IKE. From the standard version 8.0.23, NGAF's IPSEC VPN supports IKE v1 and IKE v2, which means that if you use 8.0.26 or newer with IKE v2, you need to ensure that the peer device also supports IKE v2.
2. Confirm the negotiation parameters; some encryption algorithms are not supported on some devices.
1.2.4 OSPF Scenario
IPSEC VPN cannot carry multicast and broadcast, so it cannot run dynamic routing protocols on its own. GRE does support multicast and broadcast, so you can establish the IPSEC VPN first, then encapsulate GRE packets in the IPSEC VPN, and then run OSPF over the GRE tunnel.
1.3 Best Practices for Configuration
1.3.1 General Configuration Steps
[Image: 61463609ca3399d1f3.png]
1.3.2 Reduce Test Interference
1. When testing connectivity, it is recommended to turn off the system firewall on the headquarters and branch intranet PCs, to avoid the ping test failing because ping is blocked by the PC firewall.
2. Enable the troubleshooting/passthrough mode for the test IP to avoid interception of related data packets by the NGAF policy configuration. In this way, you can quickly confirm whether a policy configured on NGAF causes the IPSEC VPN connectivity to fail.
1.3.3 Functional Adaptability and Limitations
1. NGAF's IPSEC VPN supports tunnel mode, but does not support transport mode.
2. Starting from the first version of DLAN 4.X, it supports standard IPSEC interconnection in gateway mode using main mode and aggressive mode, and from DLAN 5.0 it supports standard IPSEC main mode and aggressive mode interconnection in single-arm mode.
3. The main mode of Sangfor IPsec VPN only supports an IP address as the identity ID by default.
The aggressive mode of Sangfor IPsec VPN only supports FQDN as the identity ID by default (but DLAN 4.x and above supports aggressive mode with an IP address as the identity ID).
4. Sangfor IPsec VPN supports route-based IPSEC (route-based IPSEC: GRE tunnel-based IPSEC) starting from DLAN 6.2.0.
5. The NGAF device must have at least one WAN-attribute routing interface (not the management port ETH0) and one non-WAN-attribute routing interface (not the management port ETH0) to establish a standard IPSEC connection.
6. For a standard IPSEC VPN interconnection between an NGAF device and a third-party device, in addition to the configuration of [third-party docking], you also need to configure [intranet interface settings] and [external network interface settings].


You can comment directly to let me know your opinion.
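The pre-checks in sections 1.2.1, 1.2.2, 1.2.3 and 1.3.3 are a decision procedure that is easy to get wrong when done by hand during a POC. The following is an added example, not Sangfor code and not part of the original post: it encodes those rules (NAT forces aggressive mode plus DNAT of UDP 500/4500, a PPPoE responder needs DDNS, IKE v2 needs NGAF 8.0.23 or newer on NGAF ends and IKE v2 support on third-party ends, tunnel mode only, Branch VPN Sites license when the branch is third-party) as a function that validates a planned tunnel before anyone opens the GUI. The `Endpoint` fields, the `plan_ipsec` function and the sample sites are this example's own assumptions.

```python
"""Pre-deployment check for a Sangfor NGAF site-to-site IPsec tunnel.

Added example (not Sangfor code). It turns the rules stated in the post
into a function so that a deployment plan can be validated up front.
All names below (Endpoint, plan_ipsec, field names) are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

IKEV2_MIN_VERSION = (8, 0, 23)   # post: IKE v2 supported from standard version 8.0.23


@dataclass
class Endpoint:
    name: str
    wan: str                             # "fixed" (static public IP) or "pppoe"
    behind_nat: bool = False             # a NAT device sits in front of the VPN gateway
    has_ddns: bool = False               # a DDNS name resolves to this end
    ngaf_version: Optional[str] = None   # None means a third-party gateway
    ike_v2_supported: bool = True        # only consulted for third-party gateways
    role: str = "branch"                 # "hq" or "branch"


def version_tuple(v: str) -> tuple:
    """'8.0.26' -> (8, 0, 26) so releases compare numerically."""
    return tuple(int(x) for x in v.split("."))


def plan_ipsec(initiator: Endpoint, responder: Endpoint,
               ike_version: int = 1, ipsec_mode: str = "tunnel") -> dict:
    """Return {'ike_modes', 'actions', 'errors'} for the proposed tunnel.

    'ike_modes' is the set of IKEv1 exchange modes the plan allows,
    'actions' are things to configure or verify, and 'errors' are
    conditions under which the tunnel cannot come up at all.
    """
    modes = {"main", "aggressive"}
    actions, errors = [], []

    # 1.3.3 item 1: NGAF IPsec VPN is tunnel mode only.
    if ipsec_mode != "tunnel":
        errors.append("NGAF IPsec VPN supports tunnel mode only")

    # 1.2.1 item 1): NAT on either side forces aggressive mode and DNAT of IKE/NAT-T ports.
    for ep in (initiator, responder):
        if ep.behind_nat:
            modes = {"aggressive"}
            actions.append(f"{ep.name}: DNAT UDP 500 and 4500 on the front-end device")
        elif ep.wan == "pppoe":
            # PS in 1.2.1: a carrier-private PPPoE address behaves like NAT.
            actions.append(f"{ep.name}: verify the PPPoE address is public; "
                           "a carrier-private address means NAT, so use aggressive mode")

    # 1.2.1 B/C: a responder without a fixed public IP must be reachable by DDNS name.
    if responder.wan == "pppoe":
        if responder.has_ddns:
            actions.append(f"{initiator.name}: set the peer address to "
                           f"{responder.name}'s DDNS domain name")
        else:
            errors.append(f"{responder.name} is PPPoE and is the responder, but has no DDNS")

    # 1.2.3: IKE v2 needs a new enough NGAF release, and support on third-party peers.
    if ike_version == 2:
        modes = set()   # main/aggressive are IKEv1 exchange modes
        for ep in (initiator, responder):
            if ep.ngaf_version is None:
                if not ep.ike_v2_supported:
                    errors.append(f"{ep.name}: third-party peer does not support IKE v2")
            elif version_tuple(ep.ngaf_version) < IKEV2_MIN_VERSION:
                errors.append(f"{ep.name}: NGAF {ep.ngaf_version} predates IKE v2 support (8.0.23)")

    # 1.2.2: NGAF headquarters with a third-party branch needs the Branch VPN Sites license.
    ends = (initiator, responder)
    hq = next((e for e in ends if e.role == "hq"), None)
    branch = next((e for e in ends if e.role == "branch"), None)
    if hq and hq.ngaf_version and branch and branch.ngaf_version is None:
        actions.append(f"{hq.name}: confirm the Branch VPN Sites license is authorized")

    return {"ike_modes": modes, "actions": actions, "errors": errors}


if __name__ == "__main__":
    # Constructed sample sites: fixed-IP NGAF headquarters, PPPoE NGAF branch without DDNS.
    hq = Endpoint("HQ", "fixed", ngaf_version="8.0.26", role="hq")
    branch = Endpoint("Branch", "pppoe", ngaf_version="8.0.26")
    for direction in ((branch, hq), (hq, branch)):
        result = plan_ipsec(*direction)
        print(f"{direction[0].name} -> {direction[1].name}: {result}")
```

Running the block shows the asymmetry from section 1.2.1 B: the branch dialling the headquarters is fine in either IKEv1 mode, while the headquarters dialling the PPPoE branch is rejected until that branch has a DDNS name.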

Faisal Posted 19 May 2021 11:21

Thank you very much for the information ...

Newbie451055 Lv2 Posted 27 May 2021 15:32

Thank you for the tutorial.

sekyu Lv2 Posted 03 Jun 2021 09:33

Great Job!!!

FahmiZnd Lv1 Posted 03 Jun 2021 16:38

Great information and tutorial.

harryjps Lv2 Posted 02 Sep 2021 16:10

Thanks for your information.

Fida_Balti Lv4 Posted 24 Sep 2021 12:38

Very informative ...

kmrnliaqat Lv3 Posted 19 Aug 2022 14:44

Thank you very much for the information.

Newbie517762 Lv5 Posted 22 Aug 2022 16:07

Thanks for the advice!

IPS_len Lv2 Posted 14 Nov 2022 14:11

Great job, very informative.