#Configuration# Sangfor NGAF Bridge mode in Access port Deployment Guide

Rhebie Lv3Posted 18 Oct 2022 16:11

Last edited by Rhebie 18 Oct 2022 16:26.

#Configuration# SangforNGAF Bridge mode in Access port Deployment Configuration Guide
1. Introduction
1.1 Scenario
The enterprise network is across-tier layer 3 environment, there are routers deployed on the publicnetwork gateway, the original environment cannot be changed, and need totransparently deploy the NGAF device into the network.
1.2 Requirements
1. NGAF with firmware version of 8.0.35.
2. ConfigurationGuide
Step 1. Log in to thedevice through the default IP address of the management interface (ETH0). Thedefault IP of the management port is Configure an IP addressof the same network segment on the computer and log in to the device throughhttps://
Step 2. Configure theexternal network interface through Network > Interfaces > PhysicalInterfaces, click the interface that needs to be set as the external networkinterface, select eth2 as the uplink external network interface, select theLayer 2 type, select the custom uplink zone for the zone setting, select theWAN attribute checkbox. The connection type is Access 1.

Step3. Configure the internal network interface, through Network >Interfaces > Physical Interfaces, click the interface that needs to be setas the internal network interface, select eth3 as the internal networkinterface, select the Layer 2 type, select the custom internal zone for thezone setting, and the connection type is Access 1.

Step4. Configure the management interface in Network > Interface >VLAN Interface, configure the logical interface of the VLAN interface as themanagement interface, with VLAN ID 1, and assign the management address

Step5. Configure the route. You need to configure a default route to0.0.0.0/ pointing to the front gateway At the same time,because the intranet interface is connected to multiple network segments acrossthree layers, you also need to configure another static route to add eachnetwork segment to the Layer 3 switch. Go to Network>Routes>Static Routesfor configuration, click Add to add static route shown in the following figure,the default route Dst IP/Netmask is, and the Next-Hop IP is192.168.1.254. The packet return route Dst IP/Netmask is, andthe Next-Hop IP is

Step6. Configure the application controlpolicy. Release the intranet user access rights 7. in Policy > AccessControl > Application Control Policy, add a new application control policyto release the inside-to-outside data access rights, select a custom down-linkarea for the source area, select a custom intranet for the source address,select a custom up-link area for the destination area, select All for the DstAddress, select Any for the Services, and select All for the Applications.

Step 7. Afterthe basic configuration is completed, connect the device to the network,connect the eth2 port to the front router, and connect the eth3 port to theinternal layer 3 switch.

3. Precaution
1. Confirm the interface properties of the upstream anddownstream devices. If the other party is an Access interface, the AFinterface needs to select Access.
2. Need to confirm the deployment environmentof the firewall, pay attention to not loop.

3. Through the VLAN IP or separate configuration managementinterface to manage the device.

Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

rivsy Lv4Posted 18 Oct 2022 16:38
thank you for this wonderful information
Newbie517762 Lv3Posted 19 Oct 2022 12:59
Thank you for your information.