Network Secure Version 8.0.95 Technical Training

Uploaded by

harry chan Putra
Network Secure Version 8.0.95
Technical Training

www.sangfor.com Sangfor Technologies Inc.


Contents

1 Quality improvements

2 New features overview

3 Removed function

Sangfor Technologies CONFIDENTIAL Page 1


PART 1 Quality improvements


Issue Fixed
NSF 8.0.95 mainly focuses on quality improvements, fixing a large number of known product issues. It also
delivers several urgently requested overseas features, such as DDNS, VPN bandwidth management, and some cognitive
experience features. The table below lists the common known issues.
No. | Issues Fixed | Reference Cases
1 | Fail to block HTTPS websites/applications in Chrome | Recently application/URL blocking issues in Philippines, EMEA, Malaysia
2 | PBR issues Internet & system unstable | Malaysia MAIWP issue
3 | Radius authentication handle leaking, LDAP base DN sync fail; SSL VPN username cannot include “@” | Boon Siew Honda, Help University, UNIKL
4 | Web UI slow issues | -
5 | CLI update to avoid choice wording and multiple usability issues. | HKT
6 | Multiple Chinese wording issues in GUI | -
7 | Multiple stability issues in HA deployment mode | -
8 | Log & reporting center bug fix | -
9 | Multiple bug fix when Network Secure working with CM/BBC | GITN


Fail to block HTTPS websites/applications
This has been the hottest issue in recent weeks; at least 8 TAC cases involve it. In essence, it is caused by
TLS 1.3 segmentation. The current solutions are listed below.

Version | Solution | Availability | Remark
NGAF 8.0.47 | Install SP | The SP will be officially released around early August. | 1. The network will be suspended for minutes due to the restart of basic services. 2. This SP covers not only the HTTPS block failure issue, but also necessary KB packages, which should be installed before shipping.
NSF 8.0.85 | Solution 1: Install SP3 + KB | SP3 and KB will be officially released around the middle of July. A beta package is available now. | 1. The KB depends on SP3; you have to install SP3 first, then the KB. 2. The network will be suspended for minutes due to the restart of basic services.
NSF 8.0.85 | Solution 2: Upgrade to NSF 8.0.95 | NSF 8.0.95 will be officially released in the middle of July. A beta package is available now. | We are looking for appropriate customers for the NSF 8.0.95 beta upgrade.
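
A per-packet SNI check beside a reassembling one, as an added example (not Sangfor's code), assuming that "TLS 1.3 segmentation" above means a ClientHello that spans more than one TCP segment. The ClientHello bytes, the host name blocked.example and all function names are constructed for illustration; a ClientHello split across several TLS records is not handled.

```python
import struct

def build_client_hello(sni, pad_len):
    """Constructed sample ClientHello record: padding extension first, then SNI."""
    name = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 21, pad_len) + bytes(pad_len) + sni_ext
    # legacy_version, random, empty session id, one cipher suite, null compression
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(data):
    """Return the SNI host name, or None when data is not one complete ClientHello record."""
    if len(data) < 5 or data[0] != 0x16 or len(data) < 5 + int.from_bytes(data[3:5], "big"):
        return None                  # not a handshake record, or it continues in a later segment
    hs = data[5:]
    try:
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
        p += 1 + hs[p]                                   # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            if etype == 0:                               # server_name extension
                nlen = struct.unpack("!H", hs[p + 7:p + 9])[0]
                return hs[p + 9:p + 9 + nlen].decode()
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                             # malformed input: treat as no SNI
    return None

def per_packet_verdict(segments, blocklist):             # weak form: each payload parsed alone
    return "block" if any(extract_sni(s) in blocklist for s in segments) else "allow"

def reassembled_verdict(segments, blocklist):            # hardened form: buffer until complete
    buf = b""
    for seg in segments:
        buf += seg
        sni = extract_sni(buf)
        if sni is not None:
            return "block" if sni in blocklist else "allow"
    return "pending"                                     # hello never completed: no allow verdict

def segment(stream, mss=1460):
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]
```

With a 1500-byte padding extension the hello no longer fits in one 1460-byte payload, so the per-packet check allows the connection while the reassembling check still blocks it.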


PART 2 New features overview


Automatic Response by Integrating with Endpoint Secure

New Feature:
• Block malicious domains on the Endpoint Secure Agent.
• Contain malicious programs: stop malicious programs from executing.
• Blocking domains, containing malicious programs and terminating malicious processes can all be done both
manually and automatically.

Threat intelligence via IP + AgentID makes it easy to identify the real client in a DHCP environment

One-click to start full/quick disk scan

One-click to terminate malicious process

• Block malicious domain & Contain malicious programs.

Integration Enabled

Access to malicious domain 4kgd3hmggptupi3p,k7oud1.top is detected and blocked by the firewall.
The firewall tells Endpoint Secure to add the domain 4kgd3hmggptupi3p,k7oud1.top to the local domain block list.
The malicious program is contained, stopping it from executing again.

Benefits:
1. Automates the response to malicious activities, making work easier for security admins.
2. The client is protected even after moving away from the Network Secure protected network. This is good for BYOD
and WHX users.
3. Avoids malicious access being detected at the network level, avoiding compliance issues.
4. Compared to AV solutions that inspect malicious domains, minimizes the performance impact on the client side.

Caution:
1. Supports Endpoint Secure version 6.0.2 or higher.
2. Current Endpoint Secure 6.0.2/6.0.4 can only contain & quarantine a limited number of malware samples via
integration; please check with HQ PMM for the malware samples. After version 6.0.10, the capability to contain &
quarantine will be more generalized.

• Automatic Fixing


DDNS
[Background]
The DDNS feature mainly addresses dynamic public egress scenarios; some functions, especially destination NAT and
VPN, are involved. This feature was already supported by NGAF 8.0.47, but NSF did not inherit it for
some reason; it is added back in NSF 8.0.95.

[Specification]
So far it supports the “DynDNS”, “No-IP”, “ZoneEdit”, “EasyDns”, “DynAccess”, “DuckDns”, and “FreeDns” providers.
Before you configure the DDNS feature, you must first register on one of the above provider sites. Below is an example for
“No-IP”, in which you can see that it updates successfully.


ACL Optimization
[Specification]
In NSF 8.0.95, a filter is provided for quickly searching for a specific ACL policy, as well as a tool for checking
ACL matching, in order to improve troubleshooting efficiency.


NAT Optimization
[Specification]
In NSF 8.0.95, a filter is provided for quickly searching for a specific NAT policy, as well as a tool for checking
NAT matching, in order to improve troubleshooting efficiency.


Logs Optimization
[Specification]
NSF 8.0.95 improves the experience of checking session logs. It adds more filter parameters, including NAT,
Protocol, Service/Application, and Matched Policy, for more accurate searching.


ACL Logs
[Cautions]
1. The “Protocol” field refers to the transport layer protocol, not layer 7.
2. For the “Service/Application” field, especially for Application, the application directory is different from the one in
the ACL policy. You can type keywords to search, and you can select only a single item, not multiple.
3. For the “Matched Policy” field, you have to copy the complete policy name; fuzzy search is not supported.


Sangfor VPN Optimization
[Specification]
In NSF 8.0.95, “Primary IP Address” and “Secondary IP Address” support IPv6. “Local Subnet”
supports IPv6 as well.


IoT Optimization
Unauthorized Outbound Access
[Specification]
NSF 8.0.95 adds a function to detect unauthorized outbound access by IoT devices. In general, these IoT
devices work in the internal network, isolated from the Internet; once a device is detected as possibly able to
access the Internet, it can be considered a risky device.

[Theory]
1. NSF queries the specified IP's “NetBios Name” and the number of NICs through a specific Windows OS API, so
as to list all active NICs and IP information.
2. By detecting the status of the “WWAN” and “WLAN” services on Windows OS, NSF can determine the risk, since
these two services are disabled by default.

[Precaution]
1. This feature is only applicable to “Windows” endpoints, not “Linux”, “Mac”, or “Android”.
2. This feature focuses on devices with potential unauthorized outbound access, not on access behavior.

3. So far, NSF cannot detect IPv6 addresses;
4. NSF cannot perform detection if the Windows endpoint has its firewall turned on;
5. When multiple IP addresses are set on one NIC, only one of these IP addresses can be obtained;
6. NSF detects each IP at a speed of around 1.5 seconds.

[Configuration Step]
1. Configure an “Unauthorized Outbound Access” policy for the target IP segment;
2. Check the “Asset” list that NSF has learned;
3. If these assets are able to access the Internet, you can observe that in the logs.

Spoofed Access
[Specification]
NSF 8.0.95 adds the “Spoofed Access” feature, which identifies spoofing behavior such as IP address, MAC address,
and device type changes; NSF can also block such behavior.

[Precaution]
1. This feature is based on the “Asset Discovery” function, which you have to enable in advance.
2. If NSF is deployed in single-arm bypass mode and you want to block endpoints that show spoofing behavior, you have to
turn on “Send a TCP reset message to deny a request”.

[Configuration Step]
1. Enable the “Asset Discovery” function first; either “Traffic identification” or “Endpoint scan” is supported;
2. Turn on the “Spoofed Access” function;
3. Change the IP address on the test PC;
4. Check the “Spoofed Access” log to verify detection;
5. Check the “Temporary Blacklist” to verify blocking.

IoT Optimization
[Caution]
The license for the INP audit logs function is independent of the IoT license in Licensing. By default, there is no INP
audit logs license, and the notification below will appear.

[Handling Method]
Open a case and export the “.data” file from the backend; RnD will then generate a new “.data” file to import. After that,
the INP audit logs function will work.


SOC Optimization
[Specification]
For “User Security” and “Business Asset Security”, NSF 8.0.95 can display a specific
scope, so that attention can be focused on the units that are really important.


Case Study
[Requirement]
The customer only pays attention to asset alerts for the “192.168.0.1-192.168.255.254” network segment.


VPN tunnel bandwidth
[Background]
In SDWAN scenarios, there is a typical demand to restrict traffic in the VPN tunnel in order to match limited
bandwidth. In addition, customers want certain applications to occupy bandwidth with different proportions
and priorities. No previous NSF or NGAF version supports this; NSF 8.0.95 is the first to do so.

[Specification]
• This feature is applicable to both Sangfor VPN tunnels and standard IPSec VPN tunnels.
• Before you use this feature, you have to manually turn on “WAN Attribute” for the vpntun interface in the web console
after the VPN is established; otherwise it will not be displayed in the “Link” list.


Case study

[Requirement]
The customer requires that traffic from the “PC” in the branch to the “FTP server” in HQ through the Sangfor VPN
tunnel be limited to less than 10 Mbps.

[Configuration Step]
1. Make sure the Sangfor VPN or IPSec VPN has been established successfully.
2. Configure the VPN bandwidth link and bandwidth channel respectively.
3. Initiate FTP traffic to verify the outcome.
4. In addition, you can observe the general status in “Monitor”.


PART 3 Removed function


INP audit logs
[Background]
Due to some internal factors, NSF 8.0.95 has removed the INP audit logs function. If customers using this function
plan to keep it after upgrading, please contact RnD in advance.
