#Configuration# Sangfor NGAF Route mode Configuration Guide

Rhebie Lv3 Posted 11 Oct 2022 14:34

Last edited by Rhebie 11 Oct 2022 15:08.

1. Introduction
1.1 Scenario
To configure Sangfor NGAF in Route mode setting.



1.2 Requirements

1. NGAF with firmware version of 8.0.35.
2. NGAF - Layer 3 switch point-to-point connection

2. Configuration Guide

2.1 Route mode configuration
Step 1. Log in to the device through the default IP address of the management interface (eth0). The default IP of the management port is Configure an IP address of the same network segment on the computer and log in to the device through

Step 2. Configure the external network interface. Through Network > Interfaces > Physical Interfaces, click the interface that needs to be set as the external network interface. Select eth2 as the external network interface, select Layer 3 under Type, select the custom external network zone (WAN) for the zone setting, select the WAN attribute checkbox, and configure the IP and next hop address, as shown below:

Step 3. Configure the internal network interface. Select a free network port and click the interface name to enter the configuration page. Select eth3 as the internal network interface, select Layer 3 under Type, select the custom internal network zone (LAN) for the zone setting, and configure the IP, as shown in the figure below.

Step 4. Configure the routing. You need to configure a default route to point to the front router. At the same time, because the internal network interface is connected to multiple network segments across Layer 3, you need to configure another static route for each network segment to the Layer 3 switch.

Enter Network > Routes > Static Routes to configure. Click Add Static Route, configure the default route Dst IP/Netmask as, and Next-Hop IP is 1.2.1.1, the destination address/mask of the packet return route (intranet segment route) is, and the next hop address is As shown below.

Step 5. Configure the NAT policy. Enter Policies > NAT > IPv4 NAT. Click Add, configure source NAT, select the custom intranet zone for the source zone, and select the custom intranet for the source address. The destination zone selects a custom external network zone, the Dst address is All, the Services is any, and the source address is converted to the outgoing interface address, as shown below.

Step 6. Configure the application control policy to release the Internet access rights of intranet users. Enter Policies > Access Control > Application Control. Click Add to configure a policy to allow the traffic from intranet to external: select the customized source zone in the internal network area, the source address selects a custom internal network, the destination area selects a custom external network zone, the Dst address is All, the Services is any, and the Applications is All, as shown below.

Step 7. After the basic configuration is completed, connect the device to the network, connect the eth2 port to the optical fiber, and connect the eth3 port to the intranet layer 3 switch.

3. Precaution
1. The next-hop IP of the interface is only used for the link detection and policy routing functions of the interface. If the next hop gateway is set, the default route of will not be generated on the device. You need to manually set the default route.
2. The line bandwidth setting of the interface is not related to the bandwidth setting of bandwidth management. The line bandwidth setting of the interface is used for the policy-based routing.
3. When the device is working in route mode, the computer’s gateway in the LAN points to the device’s internal network interface IP or to the three-layer switch, and the gateway of the three-layer switch points to the NGAF. Internet data is forwarded by the NGAF through NAT or routing.
4. When the device has multiple route interfaces, multiple route interfaces can be set with IP addresses of the same network segment. Static routing is used to determine which network port the data is forwarded from.

5. The device supports route interfaces configured with multiple WAN port attributes to connect to multiple external network lines, but the authorization to open multiple lines is required.
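
The routing requirements from Step 4 and Precaution 1 can be checked on paper before the device is cabled. The following is an added example, not part of the original post and not Sangfor tooling: a hypothetical `check_route_plan` helper that verifies a default route exists through the WAN interface and that every segment behind the Layer 3 switch has an on-link return route. All addresses except the next hop 1.2.1.1 are constructed for illustration.

```python
import ipaddress as ip

def check_route_plan(interfaces, static_routes, lan_segments):
    """Return a list of problems in a route-mode plan (empty list = consistent)."""
    nets = {n: ip.ip_interface(i["cidr"]).network for n, i in interfaces.items()}
    zone = {n: i["zone"] for n, i in interfaces.items()}

    def egress(next_hop):
        # A next hop is usable only if it is on-link for some Layer 3 interface.
        hop = ip.ip_address(next_hop)
        return next((n for n, net in nets.items() if hop in net), None)

    problems = []
    routes = [(ip.ip_network(dst), hop) for dst, hop in static_routes]
    for dst, hop in routes:
        if egress(hop) is None:
            problems.append(f"route {dst}: next hop {hop} is not on any interface subnet")

    # Precaution 1: the interface next-hop field does not create the default route.
    defaults = [hop for dst, hop in routes if dst.prefixlen == 0]
    if not defaults:
        problems.append("no default route (0.0.0.0/0) configured")
    elif any(zone.get(egress(h)) != "WAN" for h in defaults):
        problems.append("default route does not leave through a WAN interface")

    # Step 4: every segment behind the Layer 3 switch needs a return route.
    for seg in map(ip.ip_network, lan_segments):
        if any(seg.subnet_of(net) for net in nets.values()):
            continue  # directly connected, no static route needed
        covering = [(d, h) for d, h in routes if d.prefixlen > 0 and seg.subnet_of(d)]
        if not covering:
            problems.append(f"no return route for {seg}")
            continue
        dst, hop = max(covering, key=lambda r: r[0].prefixlen)  # longest prefix wins
        if zone.get(egress(hop)) != "LAN":
            problems.append(f"return route for {seg} does not use a LAN interface")
    return problems

# Constructed sample plan; only the next hop 1.2.1.1 appears in the guide.
INTERFACES = {"eth2": {"cidr": "1.2.1.2/24", "zone": "WAN"},
              "eth3": {"cidr": "10.0.0.1/30", "zone": "LAN"}}
SEGMENTS = ["192.168.10.0/24", "192.168.20.0/24"]
ROUTES = [("0.0.0.0/0", "1.2.1.1"), ("192.168.10.0/24", "10.0.0.2"),
          ("192.168.20.0/24", "10.0.0.2")]

if __name__ == "__main__":
    print(check_route_plan(INTERFACES, ROUTES, SEGMENTS) or "plan is consistent")
```

An empty result means the plan satisfies both conditions; each string in a non-empty result names the route or segment that would leave traffic without a forward or return path.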

