How can I assign a Zone to SSLVPN interface

Ricky WONG Lv1Posted 10 Jan 2024 17:52

Dear all,

I am trying to use NGAF SSLVPN to access one Cloud Server.

I have added the wan IP as one resource group, but still no luck.

After research, we found that the SSLVPN interface is not under any ZONE,

So the SNAT is not even working for it to access the wan, is there any solution?

Tammee Ong has solved this question and earned 10 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Kindly be informed that the current version 8.0.47 does not support assigning a Zone to the SSLVPN interface.
Is this answer helpful?
Tayyab0101 Lv2Posted 16 Jan 2024 14:23
  
you have to find official handbook guide or open a case with sangfor guide.
Farina Ahmed Lv5Posted 16 Jan 2024 14:28
  
To resolve the issue with NGAF SSLVPN accessing a Cloud Server, you should ensure that the SSLVPN interface is associated with a specific zone. Without being assigned to a zone, the SNAT (Source Network Address Translation) might not function correctly, preventing access to the WAN. Review your NGAF configuration and ensure that the SSLVPN interface is placed within an appropriate zone, allowing traffic to be properly processed and reach the desired resources. Additionally, double-check the resource group settings to confirm that the WAN IP is correctly added and that firewall rules are appropriately configured for SSLVPN traffic.
mdamores Posted 16 Jan 2024 14:35
  
you may try the steps below:

1. Access the Sangfor Management Interface thru browser and enter the IP address or hostname. You also need to login you credentials
2. Go to SSL VPN settings and look for SSL VPN configuration section in the management interface. GUI might vary depending on the version you are using.
3. Configure SSL VPN interface. You might see a menu like "VPN settings" or "SSL VPN configuration"
4. Assign the zone
5. Select the desired zone based on the security policies that you want to apply to the traffic passing through the interface
6. Save and apply the changes for the settings to take effect.
7. If all else fails, you may reach out to Sangfor support for support and assistance.
Adam Suhail Lv1Posted 16 Jan 2024 15:02
  
Maybe you need to configure tunnel route?

hope this helps!
Enrico Vanzetto Lv4Posted 16 Jan 2024 16:18
  
hi,
you have to configure zones on firewall as they are useful when configuring security features , nat, policy based route, ips and so on.

Here are the steps to configure a zone in Sangfor NGAF:

Go to Network > Interfaces > Zone.
Click Add to create a new zone.
Enter a name for the zone and select the type of zone you want to create.
Click OK to save the zone.

After that, to ensure that traffic to your cloud server are ensured, i would create a policy for it:

Here are the steps to configure a firewall rule in Sangfor NGAF:

Go to Policies > Access Control > Firewall.
Click Add to create a new firewall rule.
Enter a name for the rule and select the source and destination zones.
Select the protocol and port number for the rule.
Choose the action to take when the rule is matched.
Click OK to save the rule.
Prosi Lv3Posted 16 Jan 2024 16:20
  
Go to Network > Interfaces and click Create New > Zone.
Set the name of the zone, such as zone_sslvpn_and_port4.
Add port4 and ssl. root to the Interface members.
jerome_itable Lv3Posted 17 Jan 2024 08:09
  
Understanding the Problem:

    Missing Zone Assignment: SSLVPN interface lacks a zone, preventing SNAT from working for WAN access.
    Desired Outcome: Enable SSLVPN clients to access the cloud server through the WAN.

Solutions:

1. Assign SSLVPN Interface to a Zone (Ideal Approach):

    Check NGAF Documentation: Consult NGAF documentation for specific instructions on adding the SSLVPN interface to a suitable zone.
    Choose Appropriate Zone: Select a zone that allows traffic to the WAN (e.g., "Trusted" or "Untrusted").
    Configure SNAT: Apply SNAT rules to translate SSLVPN client IPs to the WAN IP when accessing the cloud server.

2. Alternate Solutions if Zone Assignment Isn't Supported:

    Policy-Based Routing: Create policies to route traffic from the SSLVPN interface to the WAN without relying on zones.
    Static Routes: Add static routes to direct traffic from the SSLVPN subnet to the WAN gateway.
    VPN-Based Solutions: Consider establishing a VPN tunnel specifically for SSLVPN clients to access the cloud server, bypassing zone limitations.

Additional Considerations:

    Firewall Rules: Ensure firewall rules allow traffic from the SSLVPN interface to the cloud server's IP and ports.
    NAT Configuration: Double-check NAT rules for correct translation of SSLVPN client IPs to the WAN IP.
    Routing: Verify routing tables for proper routing between the SSLVPN interface, WAN interface, and cloud server.
    Security Policies: Review any security policies that might restrict access from the SSLVPN interface to the WAN.
RegiBoy Lv5Posted 17 Jan 2024 11:27
  
1. Enter the IP address or hostname to access the Sangfor Management Interface using a browser. You must also log in with your credentials.
2. Navigate to the SSL VPN settings and check the administration interface for the SSL VPN setup section. Depending on the version you are using, the GUI may change.
3. Set up the VPN interface for SSL. A menu labeled "VPN settings" or "SSL VPN configuration" may appear.
4. Assign the area
5. Based on the security rules you wish to apply to the traffic going through the interface, choose the appropriate zone.
6. To make the changes take effect, save and apply the modifications.
7. You can get help and support from Sangfor support if everything else fails.
Naomi Posted 17 Jan 2024 11:28
  
Make sure the SSLVPN interface is connected to a certain zone in order to fix the problem with NGAF SSLVPN accessing a cloud server. The SNAT (Source Network Address Translation) may not work properly if it is not assigned to a zone, which would prohibit access to the WAN.

I Can Help:

Change

Moderator on This Board

11
7
5

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

0
4
5

Started Topics

Followers

Follow

67
20
3

Started Topics

Followers

Follow

3
14
3

Started Topics

Followers

Follow

1
137
3

Started Topics

Followers

Follow

Board Leaders