Sangfor Iag v13.0.19 User Manual en 20210927

Sangfor IAG 13.0.19 User Manual

Sangfor IAG
User Manual

Product Version 13.0.19

Document Version 01

Released on Sep. 27 2021

Version 01 (Mar. 24, 2021) Confidentiality: Public


Company Sangfor Technologies Inc.

Copyright © Sangfor Technologies Inc. 2021. All rights reserved.

Unless otherwise stated or authorized, Sangfor Technologies Inc. (hereinafter referred to as "Sangfor") and its affiliates reserve all intellectual property rights, including but not limited to copyrights, trademarks, patents, and trade secrets, and related rights to text, images, pictures, photographs, audio, videos, charts, colors, and layouts as presented in or concerning this document and content therein. Without prior written consent of Sangfor, this document and content therein must not be reproduced, forwarded, adapted, modified or displayed or distributed by any other means for any purpose.

Disclaimer

Products, services or features described in this document, whether wholly or in part, may not be within your purchase scope or usage scope. The products, services or features you purchase must be subject to the commercial contract and terms as agreed by you and Sangfor. Unless otherwise provided in the contract, Sangfor disclaims warranties of any kind, either express or implied, for the content of this document.

Due to product version upgrades or other reasons, the content of this document will
be updated from time to time. Unless otherwise agreed, this document is used for
reference only, and all statements, information, and recommendations therein do not
constitute any express or implied warranties.

Version 01 (Sep.27, 2021)


Technical Support
For technical support, please visit: https://www.sangfor.com/en/about-us/contact-us/technical-support

Send information about errors or any product-related problem to [email protected].

About This Document


This document is the user manual for the IAG product.

Intended Audience
This document is intended for:
⚫ Network design engineers
⚫ O&M personnel

Note Icons
Icon Description

Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

Indicates a hazardous situation which, if not avoided, could result in settings failing to take effect, equipment damage, or data loss. NOTICE addresses practices not related to personal injury.

Calls attention to important information, best practices, and tips. NOTE addresses information not related to personal injury or equipment damage.

Change Log
Date Change Description

Sep. 27, 2021 This is the first release of this document.

Contents
Technical Support............................................................................................................. 2
Change Log ........................................................................................................................ 3
1 IAG Installation ............................................................................................................ 15
1.1 Environment Requirement ............................................................................. 15
1.2 Power ................................................................................................................. 15
1.3 Product Appearance ........................................................................................ 15
1.4 Configuration and Management .................................................................... 16
1.5 Wiring Method of Standalone......................................................................... 17
1.6 Wiring Method of Redundant System ........................................................... 19
2 IAG Console .................................................................................................................. 20
2.1 Web UI Login ..................................................................................................... 20
2.1.1 Log into the Web Console .................................................................... 20
2.1.2 Remove the Certificate Alert Dialog .................................................... 23
2.2 Configuration .................................................................................................... 24
3 Functions ...................................................................................................................... 26
3.1 Value-added Services ....................................................................................... 26
3.1.1 Approach to Technology Community ................................................. 26
3.1.2 "Sangfor" Robot ..................................................................................... 27
3.2 Business Intelligence System .......................................................................... 28
3.2.1 Internet Access ....................................................................................... 31
3.2.1.1 Application Scenarios ................................................................. 31
3.2.1.2 Configuration Method ................................................................ 31
3.2.1.2.1 Contents .................................................................................. 33
3.2.1.2.2 Apps & Websites .................................................................... 35
3.2.1.2.3 Display Options ...................................................................... 36
3.2.1.3 Internet Access Analytics ........................................................... 38
3.2.2 Bandwidth Analytics .............................................................................. 39
3.2.2.1 Application Scenarios ................................................................. 39
3.2.2.2 Configuration Method ................................................................ 39
3.2.2.3 Data Analytics .............................................................................. 40
3.2.3 Electricity Waste Analytics .................................................................... 41
3.2.3.1 Application Scenarios ................................................................. 41
3.2.3.2 Configuration Method ................................................................ 41
3.2.3.3 Log Export .................................................................................... 42
3.2.4.1 Configuration Scheme................................................................ 42
3.2.4.2 Server Configuration .................................................................. 44
3.2.4.3 Log Option ................................................................................... 46
3.3 Real-time Status ................................................................................................ 47
3.3.1 Real-time Status ..................................................................................... 47
3.3.1.1 Dashboard ................................................................................... 47

3.3.1.1.1 Displayed Panels .................................................................... 47
3.3.1.1.2 Restore Default Panels .......................................................... 48
3.3.1.1.3 Viewing Status ........................................................................ 48
3.3.1.2 Endpoint Visibility ....................................................................... 56
3.3.1.2.1 Endpoints ................................................................................ 56
IP Ranges is to view the live IP status of the intranet, as shown in the figure below: ............................ 58
3.3.1.3 Users ............................................................................................. 64
3.3.1.3.1 Viewing Online Users ............................................................. 64
3.3.1.3.2 Failed to Get Online (7 Days) ................................................ 67
3.3.1.4 Rule Check ................................................................................... 68
3.3.1.5 Monitoring of Network............................................................... 69
3.3.1.5.1 Network ................................................................................... 70
3.3.1.5.2 Access Control ........................................................................ 72
3.3.1.5.3 Authentication ........................................................................ 72
3.3.1.5.4 Web Access Connection Monitoring.................................... 73
3.3.1.5.5 User Based Detection ............................................................ 77
3.3.1.5 Traffic Statistics ........................................................................... 80
3.3.1.5.1 Top Users by Traffic ............................................................... 81
3.3.1.5.2 Top Apps by Traffic ................................................................ 84
3.3.1.5.3 Flow Control ............................................................................ 86
3.3.1.6.4 Connection .............................................................................. 95
3.3.1.6.5 Quota Usage ........................................................................... 96
3.3.1.6.6 Link Load Balancing ............................................................... 96
3.3.1.6.7 Top Services by Traffic ........................................................... 97
3.3.1.7 Internet Activities ........................................................................ 98
3.3.1.7.1 Viewing Internet Activities..................................................... 98
3.1.1.7.2 Filtering Internet Activities ................................................. 98
3.3.1.8 Locked Users ............................................................................ 99
3.3.1.8.1 Viewing the Locked Users .................................................. 99
3.3.1.8.2 Filtering Locked Users ........................................................ 99
3.3.1.9 SaaS Applications ...................................................................... 100
3.3.1.10 DHCP Status ......................................................................... 101
3.3.1.11 Security Events ........................................................................ 102
3.4 Proxy ................................................................................................................ 103
3.4.1 Proxy Services ............................................................................. 104
3.4.2 Proxies ......................................................................................... 105
3.4.2.1 HTTP Proxy.............................................................................. 106
3.4.2.2 SOCKS4 Proxy ......................................................................... 109
3.4.2.3 SOCKS5 Proxy ......................................................................... 111
3.4.3 ICAP Server Groups.................................................................... 113
3.4.4 Cascading Proxy Servers ........................................................... 117
3.4.5 Forward ....................................................................................... 118

3.5 Access Management ...................................................................................... 120
3.5.1 Working Principle ....................................................................... 120
3.5.1.1 Users Type .............................................................................. 120
3.5.1.2 Local Group/User ................................................................... 121
3.5.1.2.1 Add New Group/User .......................................................... 122
3.5.1.3 Domain Users ............................................................................ 126
3.5.1.4 User Binding Management...................................................... 128
3.5.1.4.1 User Binding ......................................................................... 128
3.5.1.4.2 IP/MAC Binding ..................................................................... 131
3.5.1.5 User Sync.................................................................................... 132
3.5.1.5.1 Sync User Accounts from the Database ........................ 132
3.5.1.5.2 Sync User Accounts from H3C CAMS Server ................. 134
3.5.1.6 User Self Service........................................................................ 136
3.5.1.6.1 Approval List ......................................................................... 136
3.5.1.6.2 User Registration .................................................................. 136
3.5.1.6.3 Prerequisites ......................................................................... 137
3.5.1.6.4 Configuration Entrance ....................................................... 137
3.5.1.6.5 Account Registration............................................................ 137
3.5.1.6.6 Configuration Method ......................................................... 138
3.5.1.6.3 Endpoint Registration .......................................................... 144
3.5.1.6.3.1 Scenarios ............................................................................ 144
3.5.1.6.4 User Information Self-management ................................. 146
3.5.1.6.5 User Profile ........................................................................... 147
3.5.1.6.6 Self Registration Approval................................................... 149
3.5.1.7 Public API Service ...................................................................... 152
3.5.1.7.1 Public API ............................................................................... 152
3.5.1.7.2 Open LDAP API ..................................................................... 153
3.5.1.8 Advanced.................................................................................... 154
3.5.1.8.1 USB Key User. ....................................................................... 154
3.5.1.8.2 Custom Attributes ................................................................ 157
3.5.2 Authentication...................................................................................... 159
3.5.2.2 Portal Authentication ............................................................... 159
3.5.2.2.1 Authentication Policy ........................................................... 160
3.5.2.2.2 External Auth Server ............................................................ 183
3.5.2.2.3 Single Sign-On (SSO) ............................................................ 245
3.5.2.2.4 Custom Webpage ................................................................. 261
3.5.2.3 Correlation Connection ............................................................ 267
3.5.2.3.1 Controllers............................................................................. 267
3.5.2.3.2 RADIUS Server ...................................................................... 271
3.5.2.3.3 MAC Address Acquistion ..................................................... 271
3.5.2.4 Advanced.................................................................................... 274
3.5.2.4.1 Authentication Options ....................................................... 274

3.5.2.4.2 Managed Authentication..................................................... 280
3.5.3 Endpoint Check .................................................................................... 284
3.5.3.1 Check Policies ............................................................................ 285
3.5.3.1.1 Check Policy Management .................................................. 286
3.5.3.2 Check Rules................................................................................ 286
3.5.3.2.1 Ingress Client Based ............................................................ 286
3.5.3.2.2 Combined Ingress Rule ....................................................... 290
3.5.3.2.3 Check Rule Management .................................................... 291
3.5.3.3.4 Traffic Based ......................................................................... 291
3.5.3.4 Endpoint Check Configuration Case ...................................... 293
3.5.4 Ingress Client Settings ......................................................................... 296
3.6 Online Activities ............................................................................................... 298
3.6.1 Access Control ...................................................................................... 299
3.6.1.1 Introduction to Access Control ............................................... 299
3.6.1.1.1 Access Control ...................................................................... 299
3.6.1.2 Adding Object for Access Control ........................................... 301
3.6.1.3 Viewing Network Access Policies of Users ............................ 308
3.6.1.4 Matching Network Access Policies ......................................... 311
3.6.1.5 Adding Policies .......................................................................... 312
3.6.1.5.1 Adding Network Access Permission Policies .................... 312
3.6.1.5.2 Adding a Policy Using a Template ...................................... 342
3.6.1.6 Deleting a Policy ..................................................................... 343
3.6.1.7 Editing Policies in Batches .................................................... 343
3.6.1.8 Enabling or Disabling a Policy .............................................. 345
3.6.1.9 Changing the Policy Order .................................................... 345
3.6.1.10 Importing/Exporting a Policy ............................................. 346
3.6.2 Advanced Policy Options........................................................... 348
3.6.2.1 Web Access Options .............................................................. 348
3.6.2.2 SSL Certificate ......................................................................... 349
3.6.2.2.1 Built-in root certificate......................................................... 349
3.6.2.2.2 Specified root certificate ..................................................... 349
3.6.2.3 SSL Certificate Distribution ................................................... 355
3.6.2.4 Excluded Application ............................................................. 357
3.6.2.5 SSL Decryption Exclusion ...................................................... 359
3.7 Bandwidth Management ............................................................................... 359
3.7.1 Overview ..................................................................................... 359
3.7.2 Bandwidth Management Rules ................................................ 361
3.7.3 Bandwidth Channel Configuration .......................................... 361
3.7.3.1 Line Bandwidth ...................................................................... 363
3.7.3.2 Guarantee Channel .................................................................. 365
3.7.3.3 Limited Channel ..................................................................... 373
3.7.3.4 Traffic Sub-Channel ............................................................... 390

3.7.3.5 Exclusion Policy ...................................................................... 398
3.7.3.6 Penalty Channel ..................................................................... 399
3.7.4 Quota Control ...................................................................................... 411
3.7.4.1 Flow Quota ................................................................................. 411
3.7.4.2 Online Duration Quota ............................................................ 414
3.7.4.3 Bandwidth .................................................................................. 418
3.7.4.4 Concurrent Connection............................................................ 420
3.7.4.5 Online Endpoint ........................................................................ 421
3.7.5 Virtual Line Configuration ......................................................... 423
3.7.6 DNS Server Proxy................................................................................. 431
3.7.6.1 Redirect to DNS Server............................................................. 432
3.7.6.2 Resolve to specified IP.............................................................. 434
3.7.6.3 Directly Discard Access to Some Domain Names ................ 436
3.7.6.4 Redirect Access to Specified Line ........................................... 438
3.7.6.5 DNS Failed Over ........................................................................ 441
3.7.6.6 Precautions ................................................................................ 441
3.7.7 Link Load Balancing............................................................................. 442
3.7.7.1 Bridge Mode Routing ............................................................... 444
3.7.7.2 Route Mode Routing................................................................. 447
3.7.7.3 Specified Routing of Lines ....................................................... 458
3.7.7.4 Multi-Line Link load .................................................................. 459
3.7.7.5 Bandwidth Management Overview ........................................ 461
3.7.7.6 Precautions ................................................................................ 461
3.8 Audit Policy ...................................................................................................... 463
3.8.1 Internet Access Audit .......................................................................... 463
3.8.1.1 Auditing Application ................................................................. 465
3.8.1.2 Auditing Traffic and Internet Access Duration ...................... 473
3.8.1.3 Auditing Webpage Content ..................................................... 476
3.8.2 Ingress Client Audit ............................................................................. 478
3.8.2.1 Application Ingress Client Audit .............................................. 479
3.8.2.2 Ingress Client Application Audit .............................................. 480
3.8.2.3 Ingress Client Audit USB Device.............................................. 482
3.9 Endpoint Management .................................................................................. 483
3.9.1 Endpoint Connection Sharing ............................................................ 484
3.9.1.1 Shared Connection Management........................................ 484
3.9.1.2 Mobile Endpoint Management ............................................ 488
3.9.2 Anti-Proxy .................................................................................... 492
3.9.3 Internet Security .................................................................................. 498
3.9.3.1 Security Events .......................................................................... 499
3.9.4 Security Configuration ........................................................................ 501
3.9.4.1 Security Capabilities ................................................................. 501
3.9.4.1.1 Capability Diagram............................................................... 501

3.9.4.1.2 Overview ................................................................................ 502
3.9.4.1.3 Update Calendar .................................................................. 503
3.9.5 Security Configuration ........................................................................ 504
3.9.5.1 All Terminal Security ............................................................... 504
3.9.5.2 Network Security ..................................................................... 510
3.9.5.2.1 Anti-DoS ................................................................................. 510
3.9.5.2.2 ARP Protection ................................................................... 513
3.9.5.2.3 Malicious URLs................................................................... 515
3.9.5.2.4 SAVE Antivirus .................................................................... 516
3.9.6 Endpoint Reminder Policy .................................................................. 518
3.9.7 Endpoint Connection Control Case Study ........................................ 520
3.9.7.1 Connection Sharing Case Study .............................................. 520
3.9.7.2 Mobile Endpoint Case Study ................................................... 522
3.10 Internet Security ........................................................................................... 524
3.10.1 Security Events ................................................................................... 524
3.10.2. Security Configuration ..................................................................... 526
3.10.2.1 Security Capabilities ............................................................... 526
3.10.2.1.1 Capability Diagram ............................................................ 527
3.10.2.1.2 Overview ............................................................................. 528
3.10.2.1.3 Update Calendar ................................................................ 529
3.10.2.2 Security Configuration ........................................................... 530
3.10.2.2.1 All Terminal Security .......................................................... 530
3.10.2.2.2 Network Security ................................................................ 536
3.11 System ........................................................................................................... 544
3.11.1 Object ........................................................................................... 544
3.11.1.1 Application Signature .......................................................... 547
3.11.1.1.1 Viewing the Application Signature ................................ 548
3.11.1.1.2 Enabling/Disabling Application Identification Rules .. 551
3.11.1.2 Advanced App Signature .................................................... 553
3.11.1.3 Enabling/Disabling Advanced App Signature .................. 553
3.11.1.3 Editing P2P Behavior Identification Rules ........................ 554
3.11.1.4 Editing Web Online Proxy Identification Rules ................ 555
3.11.1.2 Custom Application ............................................................. 556
3.11.1.2.1 Adding Custom Application Rules ................................ 557
3.11.1.2.2 Enabling, Disabling, and Deleting Custom Application Rules ........ 559
3.11.1.2.3 Importing and Exporting Custom Application Rules ..... 559
3.11.1.3 URL Database ...................................................................... 560
3.11.1.3.1 URL Database List ........................................................... 560
3.11.1.4 Ingress Rule Database ........................................................ 565
3.11.1.4.1 Ingress Rules.................................................................... 565
3.11.1.4.2 Adding Ingress Rules ...................................................... 565
3.11.1.4.3 Deleting Ingress Rules .................................................... 578

3.11.1.4.4 Modifying Ingress Rules ................................................. 579
3.11.1.4.5 Editing Ingress Rules in Batches ................................... 579
3.11.1.4.6 Importing and Exporting Ingress Rules .......................... 580
3.11.1.4.7 Combined Ingress Rule .................................................. 580
3.11.1.4.8 Adding Combined Ingress Rule ........................................ 580
3.11.1.4.9 Deleting and Modifying Combined Ingress Rules ......... 584
3.11.1.5 Service ................................................................................... 585
3.11.1.6 IP Address Database ........................................................... 587
3.11.1.6.1 IP Group ........................................................................... 587
3.11.1.6.2 ISP...................................................................................... 589
3.11.1.6.3 Country/Region ............................................................... 591
3.11.1.7 Schedule................................................................................ 594
3.11.1.8 Keyword Group .................................................................... 596
3.11.1.9 File Type Group .................................................................... 597
3.11.1.10 Location .............................................................................. 598
3.11.2 Network .............................................................................................. 601
3.11.2.1 Deployment ........................................................................... 601
3.11.2.1.1 Route mode ........................................................................ 603
3.11.2.1.2 Single Arm Mode ................................................................ 611
3.11.2.1.3 Bridge Mode ....................................................................... 615
3.11.2.1.4 Bypass Mode ...................................................................... 622
3.11.2.1.5 Mode switch........................................................................ 627
3.11.2.2 Network Interface Configuration.......................................... 628
3.11.2.2.1 Configuring Network Interfaces in Route mode ............ 628
3.11.2.2.2 Configuring Bridges in Multi-Bridge Mode ..................... 632
3.11.2.3 High Availability.................................................................... 635
3.11.2.3.1 Active-Standby Mode......................................................... 636
3.11.2.3.2 Active-Active Mode ............................................................ 642
3.11.2.4 Static Routes ............................................................................ 648
3.11.2.5 Dynamic Routing..................................................................... 650
3.11.2.6 HOSTS ....................................................................................... 653
3.11.2.7 GRE Tunnel .............................................................................. 654
3.11.2.8 Open Ports on WAN Interface............................................... 655
3.11.2.9 DHCP ........................................................................................ 657
3.11.2.10 Protocol Extension ............................................................... 659
3.11.2.11 Optical Bypass Module ........................................................ 662
3.11.3 VPN Configuration...................................................................... 663
3.11.3.1 DLAN Operating Status ....................................................... 663
3.11.3.2 Multi-line Options ................................................................ 664
3.11.3.3 SDWAN Path Selection ........................................................ 666
3.11.3.3.1 Specified Path .................................................................. 668
3.11.3.3.2 Multi-line Load................................................................ 671

3.11.3.3.3 Service Priority.................................................................... 673


3.11.3.4 Basic Settings ....................................................................... 676
3.11.3.5 User Management ............................................................... 679
3.11.3.6 Connection Management .................................................. 694
3.11.3.7 Virtual IP Address Pool........................................................ 697
3.11.3.8 Local Subnet List .................................................................. 698
3.11.3.9 Inter-channel Routing Settings .......................................... 699
3.11.3.10 Third party connection ..................................................... 702
3.11.3.10.1 Phase I ............................................................................ 702
3.11.3.10.2 Phase II .............................................................................. 709
3.11.3.11 Security Options ................................................................ 712
3.11.3.12 Object .................................................................................. 714
3.11.3.12.1 Schedule ............................................................................ 714
3.11.3.12.2 Algorithm List Settings .................................................... 715
3.11.3.13 Certificate Management ...................................................... 716
3.11.3.13.1 Certificate Request .......................................................... 716
3.11.3.13.2 Certificate List ................................................................... 717
3.11.3.14 Advanced Settings .............................................................. 721
3.11.3.14.1 Intranet Service Settings ............................................... 721
3.11.3.14.2 VPN Interface Settings .................................................. 724
3.11.3.14.3 Multicast Service ............................................................ 726
3.11.3.14.4 LDAP Server Settings ..................................................... 728
3.11.3.14.5 Radius Server Settings .................................................. 729
3.11.4 Firewall......................................................................................... 730
3.11.4.1 Firewall Rules........................................................................... 730
3.11.4.2 IPv4 SNAT ................................................................................. 733
3.11.4.3 IPv4 DNAT ................................................................................ 739
3.11.4.4 IPv6 NAT ................................................................................... 744
3.11.5 General................................................................................................ 747
3.11.5.1 Authorization ........................................................................... 747
3.11.5.2 Administrator .......................................................................... 748
3.11.5.2.1 Email Verification ............................................................... 761
3.11.5.2.2 Admin Account of External Authentication Server ........ 764
3.11.5.3 Date/Time ................................................................................ 767
3.11.5.4 Update ...................................................................................... 768
3.11.5.4.1 System Update ................................................................... 768
3.11.5.4.2 Proxy Server........................................................................ 768
3.11.5.4.3 Database Update ............................................................... 769
3.11.5.5 Alarm Options ......................................................................... 770
3.11.5.5.1 Email Alarm ......................................................................... 773
3.11.5.5.2 Syslog Alarm .................................................................... 776
3.11.5.5.3 SNMP Trap Alarm ............................................................... 776


3.11.5.6 Global Exclusion ...................................................................... 777


3.11.5.7 Backup/Restore....................................................................... 779
3.11.5.8 Custom Webpage ................................................................... 781
3.11.5.9 Report Center .......................................................................... 783
3.11.5.10 Advanced Settings ................................................................ 786
3.11.5.10.1 Web UI ............................................................................... 786
3.11.5.10.2 Proxy .................................................................................. 788
3.11.5.10.3 Remote Tech Support ..................................................... 789
3.11.5.10.4 Syslog Server .................................................................... 791
3.11.5.10.5 Central Management ...................................................... 792
3.11.5.10.6 Device Name .................................................................... 794
3.11.5.10.7 Server Certificate ............................................................. 794
3.11.5.10.8 SNMP ................................................................................. 795
3.11.5.10.9 DNS Service....................................................................... 796
3.11.5.10.10 Open Interface ............................................................... 796
3.11.5.10.11 Other Options ................................................................ 797
3.11.5.10.12 Redirection/Proxy .......................................................... 799
3.11.5.10.13 Advanced Configuration for Internet Access by SNAT Proxy ...... 800
3.11.5.10.14 Notification Options ...................................................... 800
3.11.5.11 Sangfor Device Connection ................................................. 809
3.11.6 Diagnostics ......................................................................................... 822
3.11.6.1 System Logs ............................................................................. 822
3.11.6.2 Capture Packets ...................................................................... 823
3.11.6.3 Web Console............................................................................ 825
3.11.6.4 Troubleshooting...................................................................... 826
3.11.6.5 Shutdown ................................................................................. 828
4 Use Cases ................................................................................................................... 829
4.1 SSO Configuration ........................................................................................... 829
4.1.1 SSO Configuration for the AD Domain .................................... 829
4.1.1.1 SSO Implemented by Delivering a Login Script Through Domains ......... 829
4.1.1.2 Obtaining Login Information Using a Program (SSO Without a Plug-in) .. 841
4.1.1.3 SSO Implemented Using IWA ............................................... 850
4.1.1.4 SSO Implemented in Monitoring Mode .............................. 852
4.1.2 Proxy SSO Configuration ........................................................... 856
4.1.2.1 SSO in Monitoring Mode ...................................................... 857
4.1.2.2 SSO in ISA Mode ..................................................................... 861
4.1.3 POP3 SSO Configuration ........................................................... 864
4.1.4 Web SSO Configuration ............................................................. 869
4.1.5 Configuration of SSO Implemented with Third-Party Devices ................ 873


4.1.5.1 SSO Implemented with Ruijie SAM ...................................... 873


4.1.5.2 SSO Implemented with Devices Supporting the HTTP SSO
Interface ...................................................................................... 880
4.1.5.3 SSO Implemented with H3C CAMS...................................... 883
4.1.5.4 SSO Implemented with Dr. COM ......................................... 884
4.1.5.5 SSO Implemented with H3C IMC ......................................... 886
4.1.6 SSO Implemented with Another SANGFOR Device ............... 887
4.1.7 SSO Implemented with a Database System ........................... 890
4.2 Configuration That Requires No User Authentication ............................... 892
4.3 Configuration That Requires Password Authentication ............................ 899
4.3.1 SMS Authentication.................................................................... 899
4.3.1.1 Sending SMS Messages Through an SMS Modem ............ 899
4.3.2 WeChat and QR Code Authentication ..................................... 905
4.3.3 Password Authentication .......................................................... 916
4.4 Other Configuration Cases ............................................................................ 925
4.5 CAS Server Authentication Case ................................................................... 939
4.6 Policy Configuration Cases ............................................................................ 942
4.6.1 Configuring a Policy for Blocking P2P and P2P Streaming Media Data for a User Group ... 942
4.6.2 Configuring an IM Monitoring Policy for a User Group ........ 947
4.6.3 Enabling the Audit Function for a User Group ....................... 951
4.7 Endpoint Device Management Configuration Cases ................................. 953
4.7.1 Configuring the Sharing Prevention Function ........................ 953
4.7.2 Mobile Endpoint Management Configuration Cases ............ 955
4.7.3 Configuring Anti-Proxy .............................................................. 956
4.8 Comprehensive Configuration Cases ........................................................... 959
4.8.1 Customer Network Environment and Requirement ............. 959
4.8.2 Configuration Idea ..................................................................... 960
4.8.3 Configuration Process ............................................................... 961
4.9 SNMP Trap Configuration Case..................................................................... 981
4.9.1 Basic Configuration ............................................................................. 981
4.9.1.1 Enable Email Alarm ................................................................... 981
4.9.2 Testing Procedure................................................................................ 984
4.9.2.1 Test with the mib browser tool ............................................... 984
4.9.3 Testing Results ..................................................................................... 986
4.10 International Bandwidth Configuration Cases ................................. 986
4.10.1 Network Environment and Requirement ............................... 986
4.10.2 Proposed Solution...................................................................... 988
4.10.3 Configuration Guide .................................................................. 988
Appendix: Usage of SANGFOR Device Upgrade System ......................................... 993


1 IAG Installation
This chapter mainly describes the appearance and installation of the SANGFOR
IAG hardware device. After correct installation, you can configure and debug
the system.

1.1 Environment Requirement


The SANGFOR IAG device requires the following working environment:

⚫ Input voltage: 110V-230V

⚫ Temperature: 0-45℃

⚫ Humidity: 5%-90%

To ensure long-term and stable running of the system, the power supply should
be properly grounded, dustproof measures should be taken, the working
environment should be well ventilated, and the indoor temperature should be
kept stable. This product conforms to environmental protection requirements;
the placement, use and disposal of the product should comply with relevant
national laws and regulations.

1.2 Power
The SANGFOR IAG device uses 110 ~ 230V alternating current (AC) as its power
supply. Make sure the device is well grounded before power is applied.

1.3 Product Appearance

SANGFOR IAG Hardware Device


Above is the front panel of the SANGFOR IAG hardware gateway device. The
interfaces or indicators on the front panel are described respectively in the
following table.

No.  Interface/Indicator   Usage
1    CONSOLE interface     Used for bypass switch and SMS modem connectivity
2    WAN2 (eth3)           Network interface to be defined as the WAN2 interface
3    DMZ (eth1)            Network interface to be defined as the DMZ interface
4    WAN1 (eth2)           Network interface to be defined as the WAN1 interface
5    LAN (eth0)            Network interface to be defined as the LAN interface
6    POWER indicator       Power indicator of the IAG gateway device
7    ALARM indicator       Alarm indicator of the IAG gateway device

Table 1: Interface Description

The CONSOLE interface is only for debugging by technical engineers. The end-users connect
to the device via the network interfaces.

1.4 Configuration and Management


Before configuring the device, prepare a computer with a working web browser
(for example, Internet Explorer). Connect the computer and the IAG device to
the same local area network (LAN), and then configure the IAG device from the
computer over that network.

The default IP address settings for the network interfaces are described below:

Interface     IP Address
eth0 (LAN)    10.251.251.251/24
eth1 (DMZ)    10.252.252.252/24
eth2 (WAN1)   200.200.20.61/24

Table 2: IP address table

1.5 Wiring Method of Standalone


Connect the power cable to the Power interface on the rear panel of the IAG
device and switch on the power supply. The POWER indicator (green) and
ALARM indicator (red) on the front panel will light up. The ALARM indicator will
go out one or two minutes later, indicating the device runs normally.

Follow the instructions below to wire the interfaces:

⚫ Use standard RJ-45 Ethernet cable to connect the LAN interface to the local
area network and then configure the IAG device.

⚫ Use standard RJ-45 Ethernet cable to connect the WAN1 interface with the
networking device, such as a router, optical fiber transceiver, ADSL Modem,
etc.

⚫ Use standard RJ-45 Ethernet cable to connect the DMZ interface to the DMZ
zone network. Generally, the Web server and Mail server providing services
to a wide area network (WAN) are placed at the DMZ zone. The IAG device
provides secure protection for these servers.

When wiring the interfaces, please use the correct cables for connection as
instructed below:

⚫ Use the straight-through cable to connect a WAN interface with the Modem
and a crossover cable to connect a WAN interface with the router.

⚫ Use the straight-through cable to connect the LAN interface with the switch
and a crossover cable to connect the LAN interface on the device with the
network interface on the computer.

If the connections cannot be established while the corresponding indicator
functions normally, please check whether the cables used for the connections
are correct. The difference between a straight-through cable and a crossover
cable is the wire sequence at both ends, as shown below:

Wire Sequences of Straight-through Cable and Crossover Cable

After correct connections, log in to the console of the IAG device and configure
the deployment mode according to the network topology (see section 3.1.3.1
Deployment).

1. The multi-line function of the IAG device allows multiple Internet lines to
be connected. In this situation, connect the second networking device to
the WAN2 interface, the third networking device to the WAN3 interface,
and so on.

2. When the IAG gateway device runs, the POWER indicator (green) lights up,
and the WAN LINK and LAN LINK indicators (orange) light up. The ACT
indicator (green) blinks when there is data flow. When the device is
starting, the ALARM indicator is red while the system loads and goes out
after one or two minutes, indicating that the device has started
successfully. After startup, the ALARM indicator may flash, which means the
device is writing logs. However, if the ALARM indicator stays lit for a long
time and does not go out, shut down the device and restart it after 5
minutes. If the situation persists after the restart, please contact us.

1.6 Wiring Method of Redundant System


If two IAG devices are deployed in high availability mode (HA), please wire the
two devices to the external network and internal network as shown below:

Follow the instructions below to wire the two devices:

⚫ Use standard RJ-45 Ethernet cable to connect the WAN1 interfaces of the
two IAG devices to the same switch (if multi-line function is applied, the
wiring method is the same: connect the WAN interfaces of the two devices
to the same external line), and then connect the switch to other networking
devices, such as a router, fiber optical transceiver and ADSL Modem, etc.

⚫ Use the Console cable (among the accessories) to connect the Console
interfaces of the two IAG devices.


⚫ Use RJ-45 Ethernet cable to connect the LAN interfaces (eth0) of the two IAG
devices to the same switch, and then connect that switch to the LAN switch so
that both devices reach the LAN.

After the two devices are correctly wired, switch on the power for both devices
and then configure them. The procedure for configuring the redundant system
is the same as for a standalone device. You only need to configure the active
IAG device; its configuration is synchronized automatically to the standby
IAG device.

2 IAG Console
2.1 Web UI Login
The IAG device supports secure HTTPS login using the standard HTTPS port. If
you log in to the Web Console of the IAG device for the first time, type the
default login address https://10.251.251.251 in the browser's address bar.

Using HTTPS to log in to the Web UI and manage the IAG device avoids the risk that the
configuration is intercepted during transmission.

2.1.1 Log into the Web Console


After finishing all the wiring, you can log into the Web User Interface (UI) to
configure the SANGFOR IAG device. Follow the procedures below to log into the
console of the IAG device:

Step 1. Configure an IP address (for example, 10.251.251.100) on the
10.251.251.X subnet for the computer, and then type the default login IP
address and port in the IE address bar: https://10.251.251.251. Click Go, and
the following alert dialog appears:


Step 2. Click Yes to open the login interface, as shown below:

Step 3. Type the username and password, read the Terms of Use and Privacy
Policy, select "I have read and agree to the Terms of Use and Privacy
Policy," and click Login to log into the IAG device console. The username and
password are admin by default. (If you have any questions about the Terms of
Use and Privacy Policy, please contact us).

If the user's password is too simple, it is detected as weak. After login, the
console prompts you to change the weak password. The popup is shown below:


If the password is not modified within 15 days, a compulsory password modification will
prompt on the next login.

To view the version of the current IAG gateway device, click Version.


You can log into the console without installing any ActiveX. Non-IE browsers are
also supported.

2.1.2 Remove the Certificate Alert Dialog


During the login to the console, the browser may pop up the certificate alert
dialog. To remove it, do as follows:

Log in to the console and open the System > General > Advanced > Web UI page.
Specify the IP address (to which the certificate will be issued) in the Issue
Console SSL Cert. To field. Here, the IP address is that of the network
interface used for login, which is the IP address of the LAN interface by
default. In this example, we assume that you have logged in to the console
through the default address of the LAN interface.

Step 1. Click Download Certificate to download the certificate to the local
computer and click Save.


Step 2. Locate the certificate on the local computer and double-click it to
install it.

After the certificate is installed, the alert dialog no longer pops up when you
log in through the default address of the LAN interface.

The alert dialog is removed only when you log in through the IP address specified in
Issue Console SSL Cert. To and the local computer has installed the certificate. If you log in
through another address or the computer has not installed the certificate, the alert dialog
will still pop up.
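The caveat above can be checked before installing anything. The following added example (not Sangfor code) implements the browser's name-matching decision: it takes a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, with the console certificate values constructed for the default LAN address, and reports whether a login through a given address would pass without the alert.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert():
# a console certificate issued to the default LAN address via "Issue Console SSL Cert. To".
CONSOLE_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "10.251.251.251"),),),
    "subjectAltName": (("IP Address", "10.251.251.251"),),
}


def _san_entries(cert: Dict[str, Any], kind: str) -> List[str]:
    """All subjectAltName values of one kind ('DNS' or 'IP Address')."""
    return [value for (name, value) in cert.get("subjectAltName", ()) if name == kind]


def _common_name(cert: Dict[str, Any]) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style host matching: case-insensitive, one leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_login_address(cert: Dict[str, Any], login_address: str) -> bool:
    """Decide whether a browser accepts `cert` for the host part of the login URL.

    An IP literal must appear as an 'IP Address' SAN and a host name must match a
    'DNS' SAN. The commonName is consulted only when the certificate carries no
    subjectAltName at all (legacy behaviour; current browsers no longer honour it).
    """
    try:
        ip = ipaddress.ip_address(login_address)
    except ValueError:
        ip = None  # a host name, not an IP literal
    if cert.get("subjectAltName"):
        if ip is not None:
            return any(ipaddress.ip_address(v) == ip for v in _san_entries(cert, "IP Address"))
        return any(_dns_match(v, login_address) for v in _san_entries(cert, "DNS"))
    cn = _common_name(cert)
    if cn is None:
        return False
    if ip is not None:
        try:
            return ipaddress.ip_address(cn) == ip
        except ValueError:
            return False
    return _dns_match(cn, login_address)
```

Logging in through the DMZ address (10.252.252.252) with this certificate therefore still triggers the alert, which is exactly the case the note above describes.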

2.2 Configuration
After logging in to the Web UI, you will see the following major modules:
System, Proxy, Objects, Users, Access Mgt, Bandwidth Mgt, Endpoint
Device, Security and System as shown below:


The following instructions for the buttons and icons apply to all the
configuration pages on the IAG device and will not be described again in the
subsequent sections:

⚫ If a Commit button is included on the configuration page, you need to click
this button to apply your configuration changes after you change the
configurations. Generally, it may take 5 to 10 seconds for the configuration
changes to take effect. To make them take effect immediately, click the icon
at the bottom-right of the page.

⚫ The icon at the bottom-right of the page is for broadcasting system
messages or warning messages in real time.

⚫ Most of the configuration pages include the icon. When you put your
mouse cursor over this icon, a brief description of the current configuration
item pops up.

When you modify the settings on the System > Network > Deployment page or System >
System Time page or default encoding on the System > General > Advanced > Web UI
Options page, the IAG device will restart and you need to re-login.

For most of the pages that display the configuration information and status in
List View, you can select the columns to be shown to quickly get your desired
information and sort the information in ascending or descending order
according to your needs. For example:

1. On the Members page, you can select the columns that you want to
display, and the page will only display the information of the selected
columns, as shown below:

2. You can select Sort Ascending or Sort Descending to sort the information
in ascending or descending order by the corresponding column on the
Online Users page.

3 Functions
3.1 Value-added Services

3.1.1 Approach to Technology Community


The Sangfor community (community.sangfor.com) is a platform offered by
Sangfor Technologies to users, which focuses on Sangfor products, and where
channel partners and employees can discuss and communicate with one
another.

The device console provides an entry to the technology community, with
functions for posting requests for help, consulting online, and searching for
questions and data in the technology community, as shown below:

When the entry is clicked, the console page automatically opens the SANGFOR
community system on a new page in the browser. Enter the mobile phone number
used for registration and the password to access the community.

Through the self-service functions of this community, users can query device
information, covering server validity period, maintenance schedule, channel
service qualification and channel certificate information, as shown below:

3.1.2 "Sangfor" Robot


The device console integrates the community robot, which can answer questions
within one second during daily consultation.

When the device can access the Internet, click the robot:


When the Internet is not connected, jump to the QR code interface:

3.2 Business Intelligence System


Built on a new architecture that combines the original Sangfor IAG External
Report Center with massive Internet access logs, the business intelligence
system uses App stores as carriers to offer business intelligence Apps that
assist troubleshooting and analysis.

The internal gateway offers App experiences including Internet access, report
center, bandwidth analytics, data leakage tracking analytics and electricity
waste analytics.

After entering Business Intelligence, click Internet Access Analytics, and the
following message pops up:

Click OK to enable this function.

Click Internet Access Analytics icon to directly enter the Internet Access
Analytics system.


Click the button to pop up more App descriptions.

Click the icon and provide contact information to apply for a free trial of
more Apps.


3.2.1 Internet Access

3.2.1.1 Application Scenarios

Internet Access Analytics is applicable to monitoring the network traffic and
network security of a single device (office network). It provides network
management and security visualization for a specific office network by
collecting the Internet access data and the security data of the
Next-Generation Application Firewall (NGAF), so that the administrator can
directly grasp the Internet access overview of the whole network and discover
and handle threats in a timely manner.

3.2.1.2 Configuration Method

As shown above, click Current Region at the top right corner of the map, set
the current region to your region, and click OK to save the settings. The map
displays the connections from the current device to other network addresses.


Click Options to enter the configuration page of Internet Access Analytics,
and set the three parts Contents, Apps & Websites and Display Options to
define the display contents.

Click Restore Defaults to restore the current settings to default settings.

Click Save to save the current settings and take effect.


3.2.1.2.1 Contents

As shown above, set the contents:

Sangfor NGAF Access: Enables external docking with Sangfor NGAF. After the
function is enabled, NGAF-related panels can be displayed on the display
screen (your NGAF report center must support docking).

Enabling method: Click Enable, and fill in external report center IP address,
external report center port and password.

Display Panels: It is divided into Traffic Analytics and Security Analytics. The
checked contents will be displayed on the Dashboard page. The more the
checked contents, the greater the display density. It is suggested to select a
screen with proper resolution for displaying.

Traffic Analytics: Includes throughput, user traffic distribution, most active
users slideshow, App traffic distribution, and most active Apps.

Security Analytics: Includes top notorious Apps by user, top illegitimate
Apps, attack logs, top threat types, top notorious websites by user, top
targeted users, threat ranking by user and top attackers.

Layout: The overall layout model is adjusted as per demands including large
image left-aligned, large image center-aligned, and large image right-aligned.

Title: As shown below, define the headline of the display contents on the
Dashboard page.

Panel Name: As shown above, define the tile names of all panels displayed on
the Dashboard page. As shown below, Panel displays the name of each panel;
double-click the row of the panel to be modified to edit the panel name shown
under Name, and then click OK to save the settings.


3.2.1.2.2 Apps & Websites

As shown above, check notorious Apps and notorious websites to be displayed.


Check a specific notorious App category to be displayed in Notorious Apps,
and check a notorious website category to be displayed in Notorious
Websites. Both options support fuzzy query.

3.2.1.2.3 Display Options

As shown above, set the display options.

View By: Select group or user as a query object.

View Data: Define how many recent hours of the current day are queried.

Auto Refresh: Define the time interval for data refreshing in seconds (180
seconds by default, 60 seconds at minimum and 3,600 seconds at maximum).

Display Trigger: Define the percentage of notorious App traffic threshold, i.e.,
the unit status is displayed as abnormal when the proportion of notorious App
traffic exceeds the defined threshold. Define the percentage of notorious
website visit threshold, i.e., the unit status is displayed as abnormal when the
number of notorious website visits exceeds the defined threshold.

Display Entries: As shown below, define the top number of display objects in
each panel on the Dashboard page. Panel lists the name of each panel;
double-click the row of the panel to be modified to edit its Top value, and
then click OK to save the settings.

Because the display box has a limited size and layout, adjust the number of objects to be
displayed according to the actual situation.
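As an added illustration (not the product's own code) of how the two Display Trigger thresholds combine per unit, the following Python block evaluates both rules over a constructed access log, with the unit being the group or user chosen under View By. It treats the website trigger as a visit count, as the text describes it, and also clamps Auto Refresh to the documented 60 to 3,600 second range.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Auto Refresh limits as stated under Display Options.
AUTO_REFRESH_DEFAULT = 180
AUTO_REFRESH_MIN = 60
AUTO_REFRESH_MAX = 3600

# Categories checked under Apps & Websites; constructed sample values.
NOTORIOUS_APPS: Set[str] = {"P2P Download"}
NOTORIOUS_SITES: Set[str] = {"gambling.example"}


@dataclass(frozen=True)
class AccessRecord:
    """One access log entry; `unit` is the group or user chosen under View By."""
    unit: str
    app: str
    website: str
    traffic_bytes: int


# Constructed sample log for two groups (not data exported from the product).
SAMPLE_RECORDS = [
    AccessRecord("Sales", "HTTP Browsing", "intranet.example", 6000),
    AccessRecord("Sales", "P2P Download", "tracker.example", 4000),
    AccessRecord("R&D", "HTTP Browsing", "gambling.example", 500),
    AccessRecord("R&D", "HTTP Browsing", "gambling.example", 500),
    AccessRecord("R&D", "HTTP Browsing", "intranet.example", 9000),
]


def clamp_auto_refresh(seconds: int) -> int:
    """Keep the refresh interval within the range the console accepts."""
    return max(AUTO_REFRESH_MIN, min(AUTO_REFRESH_MAX, seconds))


def notorious_app_traffic_pct(records: Iterable[AccessRecord]) -> Dict[str, float]:
    """Per-unit percentage of traffic that went to notorious Apps."""
    total: Dict[str, int] = {}
    notorious: Dict[str, int] = {}
    for r in records:
        total[r.unit] = total.get(r.unit, 0) + r.traffic_bytes
        if r.app in NOTORIOUS_APPS:
            notorious[r.unit] = notorious.get(r.unit, 0) + r.traffic_bytes
    return {u: (100.0 * notorious.get(u, 0) / t if t else 0.0) for u, t in total.items()}


def notorious_site_visits(records: Iterable[AccessRecord]) -> Dict[str, int]:
    """Per-unit count of visits to notorious websites."""
    visits: Dict[str, int] = {}
    for r in records:
        visits.setdefault(r.unit, 0)
        if r.website in NOTORIOUS_SITES:
            visits[r.unit] += 1
    return visits


def evaluate_display_trigger(records: Iterable[AccessRecord],
                             app_traffic_threshold_pct: float,
                             site_visit_threshold: int) -> Dict[str, str]:
    """Return {unit: "abnormal" or "normal"}: abnormal when the notorious App traffic
    proportion exceeds the percentage threshold OR the notorious site visit count
    exceeds the visit threshold."""
    records = list(records)
    pct = notorious_app_traffic_pct(records)
    visits = notorious_site_visits(records)
    status: Dict[str, str] = {}
    for unit in pct:
        abnormal = (pct[unit] > app_traffic_threshold_pct
                    or visits.get(unit, 0) > site_visit_threshold)
        status[unit] = "abnormal" if abnormal else "normal"
    return status


if __name__ == "__main__":
    # Sales: 40% notorious App traffic; R&D: two notorious website visits.
    print(evaluate_display_trigger(SAMPLE_RECORDS, 30, 2))
```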


Finally, click Save and Yes to save the settings.

Since data acquisition for Internet Access Analytics is performed on the IAG
device in real time, please wait for a while after all the settings take effect
before the analysis result appears.

3.2.1.3 Internet Access Analytics

As shown above, move the mouse cursor to the display panel to query detailed
data of display contents of this panel.

The box in red displays the Most Active Users Slideshow contents and displays
each active user's usage in a slideshow manner, with a default unit of group. If
it is required to change the unit to the user, change in View By in Display
Options. After changing, the whole Internet Access Analytics system takes
the user as the unit.


3.2.2 Bandwidth Analytics

3.2.2.1 Application Scenarios

When O&M personnel want to know whether the LAN bandwidth is sufficient and
which Apps are bandwidth-intensive, they need to understand traffic usage from
the perspective of both Apps and users, so as to analyze and adjust the LAN
bandwidth in a timely manner. After each branch has been connected to the
External Report Center or business intelligence (BI) system successfully, a
single device is analyzed through the Bandwidth Analytics App.

3.2.2.2 Configuration Method

Select Bandwidth Analytics in the App Store, then choose Apps and click
Bandwidth Analytics.

Select a branch device to be viewed at the upper right corner to view daily,
weekly, and monthly data, and click Options.


Tips: If it is an internal report center, there is no branch device to select. If
it is an external report center, the branch devices are listed for selection.

Bandwidth Overload Thresholds: Set the overload judgment conditions,
including trigger, weekly overload, and monthly overload.

How Duration of Bandwidth-Intensive Application is Calculated?: Set the
thresholds for bandwidth-intensive Apps and customize the LAN
bandwidth-intensive Apps.

3.2.2.3 Data Analytics

Based on the set conditions, the user can view bandwidth data analytics for the
last week. An App of the branch that generates heavy traffic can be put under
traffic control management according to the bandwidth analytics results.


3.2.3 Electricity Waste Analytics

3.2.3.1 Application Scenarios

With the popularization of office automation in enterprises, work efficiency is
improved, whereas enterprise resources are wasted due to some employees'
poor work habits.

As the initiator of the electricity waste analytics App ("Visual electric meter"),
which is green and environmentally friendly and aims at saving enterprise
resources, Sangfor identifies users who did not shut down their PCs by analyzing
their Internet access behaviors and provides reference data for enterprises
to optimize their resources.

3.2.3.2 Configuration Method

First, click Electricity Waste Analytics, and then click the Specify Now button to
set the corresponding organizational structure.

Effect Analytics


3.2.3.3 Log Export

As the number of cyber security devices grows, there are massive volumes of
logs to be analyzed. Usually, IAG audit logs need to be sent to a third-party log
platform or other devices for unified analysis or personalized log analysis.
Sangfor IAG offers a method for meeting these requirements.

Prepare an IAG Internet access audit policy so that Internet access behavior is
audited normally and logs can be viewed on Internal BI or External BI.

Internal BI (i.e., IAG device) or External BI can communicate with the third-party
log platform (equipped with a Syslog server or FTP server interface).

3.2.4.1 Configuration Scheme

Internal BI enables log export function

⚫ Log in to the IAG device console to enter the Internal BI.

⚫ Click Log Export on the navigation bar at the top, or enter Report Center
and choose System -> Settings -> Log Export.

⚫ Enter the Log Export page; the function is not enabled by default.

⚫ Check Enable log export; a prompt about the impact on system performance
is displayed.


External BI enables log export function

⚫ In System -> Settings -> Log Export, the function is not enabled by default.
Check Enable log export.

It is recommended to use a separate business intelligence system to implement
the log export function, since enabling this function on the built-in business
intelligence system consumes more device performance.

3.2.4.2 Server Configuration

Two kinds of external servers are supported: Syslog and FTP. The settings for
Internal BI and External BI are identical.

External Syslog

Fill in the address and port of the Syslog server; IPv6 is supported.


1. When a single log is too long, it may be truncated. Do not check
unnecessary fields.

2. To ensure logs can be analyzed and displayed correctly, set the character
encoding of the Syslog server to UTF-8.

3. At most 20 Syslog servers can be configured.

FTP Server Configuration

Fill in the server address, server port, and Export to Path of the FTP server,
and fill in the authentication information when authentication is required.
After the basic settings are completed, the validity of the FTP server can be
tested.

* Notes on filling in Export to Path: If the FTP working path is d:\test and
the external access path is ftp://200.200.2.2/test, fill in "/test" in the
"Export to Path" row; if the external access path is ftp://10.10.10.68/, fill in
"/" in the "Export to Path" row.

Advanced Settings: Set an email alarm server so that an alarm is sent when the
FTP server is abnormal; uploaded log files can be compressed in rar, 7z or zip
format.


3.2.4.3 Log Option

Logs are displayed following the organizational structure of Logs; this function
is not enabled by default.

Click the switch of the log category to be exported and change it to the
enabled status.

Check the detailed fields on the right side of the log categories as required.
The system recommends Common Fields by default. Check Other Fields as
required.

Each field has a description to help you understand it.

When logs of multiple categories are selected and exported, they are
transmitted to the server as one csv file per category. For example, when
"Website Browsing" and "Sending & Receiving Emails" are enabled at the same
time, the server directory /Export to Path/Data/action/ contains two
subdirectories (URL and mail), representing the website browsing log and the
email sending and receiving log respectively.

3.3 Real-time Status

3.3.1 Real-time Status


Real-time Status is to view basic status information of the device, including
Dashboard, Endpoint Visibility, Users, Rule Check, Troubleshooting Center,
Traffic Statistics, Internet Activities, Locked Users, SaaS Applications, DHCP
Status, and Security Events.

3.3.1.1 Dashboard

System Resources are displayed on the Dashboard page, including the graph of
Throughput on All WAN Interfaces, Web-Access Connection Monitoring, Top
Application by Traffic, SaaS Applications, Top Users by Traffic, Application
Bandwidth Distribution, Network Interface, Security Events, Internet Activities,
and Regional/Overseas Traffic.

3.3.1.1.1 Displayed Panels

On the Dashboard page, click Displayed Panels.


Select the status information to be displayed on the Dashboard page.

3.3.1.1.2 Restore Default Panels

On the Dashboard page, click Restore Default Panels to show the following
default panels: System Resources, Throughput on ALL WAN Interfaces, Top
Applications by Traffic, Regional/Overseas Traffic, and Saas Applications.

3.3.1.1.3 Viewing Status

3.3.1.1.3.1 System Resources

The System Resources panel displays the overall conditions of device
resources, including the CPU usage, memory usage, disk usage, number of
sessions, number of online users, daily connection quality, number of ICS users
over the last seven days, system time, and daily log summary. See the following
figure.


Click to set whether to enable automatic refresh and the automatic refresh
interval. See the following figure.

Click Internal Report Center to access the homepage of the data center
embedded in the device and perform operations such as log query and
measurement.

3.3.1.1.3.2 Throughput on ALL WAN Interfaces

The Throughput on ALL WAN Interfaces panel displays the real-time
conditions of data received and transmitted on interfaces as a curve. See the
following figure.


Click . The following figure is displayed.

You can set Period to display the data forwarding conditions of interfaces at a
specific time. Data Unit specifies the traffic unit, and Interface specifies the
interface whose data forwarding conditions are to be displayed.

3.3.1.1.3.3 Web-Access Connection Monitoring

The Web-Access Connection Monitoring panel displays the network quality
information monitored by the device, as shown in the following figure.


Click and set the quality criteria.

The navigation path is Dashboard > Web-Access Connection Monitoring. For
details, see section 3.2.1.3.

3.3.1.1.3.4 Top Applications by Traffic

The Top Applications by Traffic panel displays the top 10 applications by traffic.
You can rank the applications by outbound traffic, inbound traffic, or
bidirectional traffic.

Click to set the automatic refresh time. Set the username and application
type to view details about the user that uses the application.


3.3.1.1.3.5 Top Users by Traffic

The Top Users by Traffic panel displays the top 10 users by traffic. You can
rank the users by outbound traffic, inbound traffic, or session quantity.

Specifically, click Outbound to rank users by outbound traffic or Inbound to
rank users by inbound traffic.

Click to set the automatic refresh time. Set the username to view details
about the applications used by the user.

3.3.1.1.3.6 Application Bandwidth Distribution

The Application Bandwidth Distribution panel displays the application
bandwidth distribution dynamically in different colors. See the following figure.

Click . The following figure is displayed.


Set the traffic rate unit in Data Unit, select All Lines, Line 1, or Line 2 in Line,
and Bidirectional, Outbound, or Inbound in Type.

3.3.1.1.3.7 Network Interface

The Network Interface panel displays the status, cable connection, real-time
transmitted and received traffic of each network interface. See the following
figure.

One icon indicates that a network interface is in the connected state, and the
other indicates that a network interface is in the disconnected state. Click the
settings icon to set the automatic refresh interval.

3.3.1.1.3.8 Security Events


The Security Events panel displays the number of times that insecure
behaviors are detected. See the following figure.

Click to set the automatic refresh interval.

3.3.1.1.3.9 Internet Activities

The Internet Activities panel displays real-time information about the online
behaviors of users. See the following figure.

Click to set the automatic refresh interval.

3.3.1.1.3.10 Regional/Overseas Traffic

The Regional/Overseas Traffic panel displays real-time information about
regional and overseas traffic. It can be used to check whether the traffic is
congested. The system automatically identifies the device's location. See the
following figure.


If the system fails to identify the location (for example, the device cannot
access the Internet, or it is in another special network environment), the user
can manually select the region. Thereafter, the system identifies the location
based on the user's selection (the automatic identification function is no
longer active).

Click . The following figure is displayed.


3.3.1.2 Endpoint Visibility

Endpoint Visibility is used to view the status of the current internal network
equipment and IP usage status. The page mainly includes Endpoints, IP
Ranges, Endpoint Scan, etc.

3.3.1.2.1 Endpoints

3.3.1.2.1.1 Checking Endpoints

Endpoints are to view the status of internal network equipment. When the
endpoint scan function is not enabled, the interface is as follows:


After the endpoint scan function is enabled and configured, the interface is
as follows:

Here you can see the IP address, MAC address, user, group, endpoint device,
operating system, first detected time, and last login time of all internal
network endpoints, and the operations available on them.

Click to view details, and you can see the detailed information of the endpoint
as follows:

Basic information: including endpoint type, user, group, IP/MAC address
information, vendor, operating system, first detected time, last login time, open
ports, etc.

Status: Online refers to whether there is the same IP of the endpoint in the
online user list. The presence of the IP indicates that the user has used the
endpoint to go online. At the same time, it will display the information of the
user and the status of the group. Offline means that the endpoint IP is
currently not used by users.

Enter keywords in the Search column on the Local Users page to search for
the endpoint and query the status of the corresponding endpoint.

Search by IP address, Search by MAC address and Search by username can
search for the specified endpoint in Status > User. The interface is as follows:

3.3.1.2.1.2 Filtering Endpoints

Click the filter, and you can set the specified condition to view the
corresponding endpoint. The interface is as follows:

First Detected can choose a built-in time range, including all, the last day, the
last seven days, the last 30 days, or a custom time range.

Status can choose all, active, and offline.

After selecting Object, you can choose to filter according to Username or IP
address, enter the specified user and IP, and click Commit after setting.

3.3.1.2.1.3 IP Ranges

IP Ranges is to view the live IP status of the intranet, as shown in the figure
below:


IP Ranges displays the 24-bit address segments in which the live IP addresses
of the intranet are located, with a maximum of 1024 C-class segments.

The live status of each IP in the segment is displayed on the right, and the
following figure is displayed when the mouse hovers over a particular IP:

Normal use: Indicates that this IP has been scanned as alive within a period
(30 days by default, configurable). Online indicates whether the endpoint's IP
is in the online user list. If it is, the user has used the endpoint to go
online, and the user and group information is displayed at the same time.

Unused: Indicates that this IP has never been scanned as alive.

Long-offline: Indicates an IP that was scanned as alive before but has not been
scanned as alive for a certain period (30 days by default, configurable; specify
the time for long-offline status through the small "i" icon as shown in the
figure below). Such an IP is defined as offline.


3.3.1.2.1.4 Endpoint Scan

Endpoint Scan is to enable and set the entire network endpoint scan function,
as shown below:

The endpoint list will show the endpoint status only after you check the Enable
endpoint scan function.

Asset subnets: Used to configure the internal network segment.

SNMP v1/v2: For network equipment, configure SNMP with the corresponding
name and community name. The type can be the v1 or v2 protocol, as shown in
the figure:

MAC Address Acquisition: There are two ways to get MAC across layer three.


The setting methods are as follows:

The first method: acquire the MAC of intranet users through mirroring
(recommended)

Select MAC address is acquired from captured ARP packets or DHCP
packets, connect any free network port of the IAG to the switch, enable
mirroring on the corresponding interface of the switch, and mirror the related
data packets to the IAG. This method does not require SNMP to be enabled on
the switch.

The second method: configure MAC acquisition across Layer 3

When intranet users are bound to MAC addresses or restricted to a MAC address
range, and the intranet is a Layer 3 environment, you need to enable the
"MAC acquisition across L3" function to obtain the MAC addresses of intranet
users. The prerequisite for this function is that the intranet switch supports
SNMP; the IAG obtains the real MAC addresses of intranet users from the switch
through the SNMP protocol.

Principle: The device periodically sends SNMP requests to the Layer 3 switch
to retrieve the switch's MAC table and saves it in device memory. If a computer
in another network segment behind the Layer 3 switch goes online through the
device, for example a PC at 192.168.1.2 (not in the same network segment as
the device's LAN port), its packets pass through the device carrying the MAC
address of the Layer 3 switch. The device recognizes that this MAC address
belongs to the Layer 3 switch and does not use it; instead, it looks up the
actual MAC address in memory by the IP address 192.168.1.2, thereby verifying
the user's real MAC.

Step 1. Enable the SNMP function on the Layer 3 switch.

Step 2. Go to Access Mgt > Correlation Connection > MAC Address
Acquisition and check Enable MAC acquisition across L3 network on the
device interface:


Step 3. Set SNMP Servers to add the information of the Layer 3 switch that
needs to obtain the MAC address:

The Layer 3 switch first needs to enable the SNMP function.


IP: Fill in the IP address of the switch.

IP OID: Fill in the OID corresponding to the IP in the SNMP information.

MAC OID: Fill in the OID corresponding to the MAC in the SNMP information.

Community: Fill in the SNMP community string (the negotiated key).

Timeout: Set the timeout period for IAG to obtain SNMP information.

Interval: Set how often the IAG sends SNMP requests to obtain information.

Max MAC Addresses: Set the maximum number of SNMP entries obtained
each time.

Click Server Details to view the SNMP information on the SNMP server (the
switch).

Click Commit to complete the setting.

Step 4. Fill in the MAC address of the internal network switch to prevent this
part of the MAC from being bound by the user, as shown in the figure:

Step 5. In addition to manually filling in the MAC address of the switch in the
previous step, the device can also automatically discover the MAC address of
the Layer 3 switch. The principle is: count the number of IP addresses
corresponding to the MAC every 10 minutes. If it is the MAC of a layer three
switch, one MAC will correspond to multiple IP addresses.


Click MAC Address Calculation to view the statistical results of each MAC.

Select Automatically exclude L3 switch MAC address. The device will
automatically add MAC addresses whose number of IP records exceeds the set
IP address Threshold to the MAC address exclusion list.

Select Give alert when MAC address is excluded automatically to send
alarm emails to the administrator after a MAC is automatically added. The alarm
options are set in System > General > Alarm Options.
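As an added illustration (not Sangfor's code) of the principle described in this section and of the automatic L3 switch MAC exclusion in Step 5, the following Python simulates the poll-and-lookup logic offline. The ARP-table OIDs are the standard MIB-II ipNetToMediaTable columns, which the manual does not name, and the SNMP walk reply and the observed (IP, MAC) window are constructed samples.

```python
from collections import defaultdict

# Standard MIB-II ipNetToMediaTable columns (RFC 1213). The manual only says
# "IP OID" / "MAC OID"; these are the usual values an operator fills in there.
IP_OID = "1.3.6.1.2.1.4.22.1.3"   # ipNetToMediaNetAddress
MAC_OID = "1.3.6.1.2.1.4.22.1.2"  # ipNetToMediaPhysAddress

# Constructed sample of one SNMP walk reply from the Layer 3 switch. Each row is
# (oid, value); the OID suffix is the table index (ifIndex followed by the IP).
SAMPLE_WALK = [
    (IP_OID + ".10.192.168.1.2", "192.168.1.2"),
    (MAC_OID + ".10.192.168.1.2", "00:11:22:33:44:55"),
    (IP_OID + ".10.192.168.1.3", "192.168.1.3"),
    (MAC_OID + ".10.192.168.1.3", "00:11:22:33:44:66"),
    (IP_OID + ".11.192.168.2.7", "192.168.2.7"),
    (MAC_OID + ".11.192.168.2.7", "00:11:22:33:44:77"),
]


def parse_snmp_walk(rows, max_entries):
    """Turn the walk reply into an IP -> MAC table, pairing the two columns by
    their shared table index. max_entries mirrors the "Max MAC Addresses" cap."""
    ip_by_index, mac_by_index = {}, {}
    for oid, value in rows:
        if oid.startswith(IP_OID + "."):
            ip_by_index[oid[len(IP_OID) + 1:]] = value
        elif oid.startswith(MAC_OID + "."):
            mac_by_index[oid[len(MAC_OID) + 1:]] = value.lower()
    table = {}
    for index, ip in ip_by_index.items():
        if len(table) >= max_entries:
            break
        mac = mac_by_index.get(index)
        if mac is not None:
            table[ip] = mac
    return table


class L3MacResolver:
    """Holds the last polled ARP table plus the set of excluded switch MACs."""

    def __init__(self, switch_macs, max_entries=4096):
        self.switch_macs = {m.lower() for m in switch_macs}
        self.max_entries = max_entries
        self.arp_table = {}

    def poll(self, rows):
        # Called once per "Interval"; replaces the in-memory copy of the table.
        self.arp_table = parse_snmp_walk(rows, self.max_entries)

    def resolve(self, src_ip, frame_mac):
        """Return the MAC the device should bind or verify for a packet.
        A source MAC that belongs to the L3 switch is never used; the real
        MAC is looked up by IP instead (None if the table has no entry)."""
        frame_mac = frame_mac.lower()
        if frame_mac not in self.switch_macs:
            return frame_mac            # same segment as the device's LAN port
        return self.arp_table.get(src_ip)


def auto_exclude_switch_macs(observations, ip_threshold):
    """Step 5 logic: within one counting window (10 minutes in the product), a
    MAC seen with more distinct IPs than ip_threshold is treated as a Layer 3
    switch MAC and returned for the exclusion list."""
    ips_by_mac = defaultdict(set)
    for ip, mac in observations:
        ips_by_mac[mac.lower()].add(ip)
    return {mac for mac, ips in ips_by_mac.items() if len(ips) > ip_threshold}


# Constructed window of (ip, src_mac) pairs seen by the device: one MAC fronts a
# whole routed segment, the other two are ordinary same-segment hosts.
SAMPLE_WINDOW = [
    ("192.168.1.2", "aa:bb:cc:dd:ee:ff"), ("192.168.1.3", "aa:bb:cc:dd:ee:ff"),
    ("192.168.2.7", "aa:bb:cc:dd:ee:ff"), ("192.168.1.9", "aa:bb:cc:dd:ee:ff"),
    ("10.0.0.5", "00:11:22:33:44:88"), ("10.0.0.6", "00:11:22:33:44:99"),
]

if __name__ == "__main__":
    resolver = L3MacResolver(auto_exclude_switch_macs(SAMPLE_WINDOW, ip_threshold=3))
    resolver.poll(SAMPLE_WALK)
    print(resolver.resolve("192.168.1.2", "aa:bb:cc:dd:ee:ff"))  # 00:11:22:33:44:55
```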

3.3.1.3 Users

3.3.1.3.1 Viewing Online Users

Users can view username (Alias), group, IP address, MAC address (need to
select manually), endpoint device, Auth method, ingress client, check result,
time logged in/locked, online duration, and operation of all online users
passing the device authentication.

Enter a keyword in the Search column on the Organizational Structure page
to search for the user group and query the conditions of online users in the
corresponding user group.

Search for specified users by clicking Search by Username, Search by IP
Address and Search by MAC Address on the Online Users page. The page
shown in the following figure is displayed.

3.3.1.3.1.1 Filtering Online Users

Click Filter to set specified conditions to view the corresponding users. The
page shown in the following figure is displayed.

Status: Select All, Locked Users, or Active Users.

Endpoint Device: Select All, Mobile Endpoint, PC, or PC and mobile device.

Ingress Client: All, installed, not installed.

Check Result: All, passed, error, failed.

Object: After checking this option, choose Username, IP Address or MAC
Address and enter the specified username, IP address or MAC address to filter
by, and click Commit after the settings are completed.

3.3.1.3.1.2 Locked Users

Select one or more users and click Lock to end the network connections of the
selected users. The procedure is as follows:

Step 1. Select a user.

Step 2. Click Lock in the Operation column. The page shown in the following
figure is displayed.

Step 3. After setting the Lockout Period, click Commit. The status of the locked
user changes, as shown in the following figure.

3.3.1.3.1.3 Unlocking Online Users

The procedure for unlocking a user is as follows:

Select a locked user.

Click Unlock or the icon in the Operation column.


3.3.1.3.1.4 Forcibly Logging Out Online Users

The administrator can forcibly log out online users, except temporary users,
USB Key users, and users that do not require authentication. If the
administrator attempts to forcibly log out a temporary user, a USB Key user, or
a user that does not require authentication, the message shown in the
following figure is displayed.

Password-authenticated users and Single Sign-On (SSO) users can be forcibly
logged out. The procedure is as follows:

Step 1. Select a User.

Step 2. Click LogOut. The prompt shown in the following figure is displayed.

Step 3. Click Yes to log out the user.

3.3.1.3.2 Failed to Get Online (7 Days)

Failed to Get Online (7 Days) records users who have failed
authentication within the last seven days. It supports search and filtering in
the same way as filtering online users, as shown in the figure:


View the details to see the specific problem description and troubleshooting
suggestions, as shown in the figure below:

3.3.1.4 Rule Check

Rule Check checks the compliance status of the endpoint, as shown in the
figure below:

Click on Filter, and you can set the specified condition to view the
corresponding user. The interface is as follows:


User Group: Select according to the organizational structure.

Username: Filter by username, one entry per line.

IP Address: Enter the IP address to be filtered.

Filter: Select from all, failed, passed, and error, and click Commit after
setting.

At the same time, the upper right corner also supports filtering based on the
rule name and check result, as shown in the figure:

3.3.1.5 Monitoring of Network

The Troubleshooting Center includes six parts: Network, Authentication,
Ingress Client Decryption, Access Control, Web Access Connection Monitoring,
and User-Based Detection. It helps operators, engineers, and other
professionals troubleshoot failures themselves. The interface is as follows:


3.3.1.5.1 Network

Network Troubleshooting monitors the network status. When the network is
abnormal, it provides a reference solution. The following four types of
abnormality can be identified:

Inside DOS Attack

Introduction: An attack issue occurred xx times and will lead to performance
problems, network congestion, and a worsened user experience.

Failure type: Inside DOS Attack.

Solution: Check whether a change in the network topology has formed a loop.
Isolate the devices with the corresponding IP addresses and perform virus
detection on them.

Packet Loss on Gateway

Introduction: Data packet loss occurred xx times, resulting in a slower network
connection and a worsened user experience.

Failure type: rx_crc_errors.

Solution: This error indicates a failure in the physical layer of packet
transmission. Replace the network cable that connects to the corresponding
gateway, or the peer gateway directly connected to the network cable.

ARP Issues

Introduction: ARP issue was detected xx times. There are ARP requests not
replied to or reply errors.

Failure type: ARP Abnormal.


Solution: Please check the operation status and connectivity of the gateway
device.

PPS Issues

Introduction: PPS Overrun was detected xx times, which will cause the failure
of all control and audit functions of the device.

Failure type: PPS Issues.

Solution: When the device exceeds the PPS limit, it indicates that the current
device performance is insufficient. It is recommended to split the traffic
passing the device or contact the business channel to use a higher-end
platform device instead.

The effect is as shown in the figure:

The line chart can be dragged; zoom in to show a particular period. The reset
button is on the right side.

The function needs to be enabled as required.

Customizable detections:


3.3.1.5.2 Access Control

After an Internet access policy is configured, engineers cannot directly detect
user matching issues; they can only be found slowly by switching to
straight-through mode, which is inefficient. To solve this problem, Sangfor has
launched the "Access Control Troubleshooting" tool.

The tool is to check the match between the user and the Internet access policy.
When the user matching the policy does not meet the actual expectations, the
operation and maintenance personnel or engineers can use this function to
check.

Enter the IP address of the abnormal user in the input box and click Start to
see all the policies that the user matches. Find the issue based on the
comparison with actual expectations and adjust the policies.

The analysis of the user's status is based on the tracking results, as shown
in the following figure:

You can see the App Category matched, the five-tuple of each, whether it is
matched, and whether it is specially released (overall exclusion).

3.3.1.5.3 Authentication

After a LAN user is associated with an authentication policy, engineers cannot
directly detect user matching issues; they can only be found slowly by
switching to straight-through mode, which is inefficient. You may contact the
400 hotline engineers for remote investigation, but this lacks autonomy. To
solve this problem, Sangfor has launched the "Authentication Troubleshooting"
tool.

The tool checks issues during the authentication process. It displays the result
to the console so that the operation and maintenance personnel or engineers
can locate and solve them.

Enter the username, IP address or MAC address of the abnormal user in the
input box and click Search; the issues found during the authentication process
are displayed. Follow the prompts and adjust the issued configuration or the
environment.

3.3.1.5.4 Web Access Connection Monitoring

It monitors the device's network quality and evaluates the network status of
the device and of all IP addresses. There are two kinds of results: excellent
and poor. When the result is poor, it provides potential problem analysis
suggestions, covering the current network quality monitoring status, recent
network quality, current network quality, and network diagnostic results.

Select Enable web access connection monitoring and choose Yes according
to the prompt.


Click Connection Quality Definition to configure the quality definition of the
monitored network (the same as that of Web Access Connection Monitoring);

Real-time quality definition (5 minutes): Record once every 5 minutes.

There are three default quality definitions: excellent, good, and poor. Users can
customize the monitoring percentage.

When the number of active users is less than N, the statistic can be
customized. The default is ten users, and you can enter a number between 1
and 100.


All-day quality monitoring:

When the total time of all-day quality monitoring exceeds N minutes, the
network quality is poor. The default value is 30 minutes, and a number
between 10 and 300 is allowed.

Choose Date: You can check the connection quality in recent weeks.

Monitor Object: Choose the monitored websites. All websites are chosen by
default. Users can also specify which websites to monitor. There can be at
most three monitoring lists, each with a maximum of 100 domain names. Click
the custom website list to switch the monitored websites.

Click management to edit the website list.


Move the mouse to the waveform, and a floating box will appear. You can see
the detailed network quality status. When the network quality is poor, you can
click to view and check the slow user list.

The x-coordinate is time, and each coordinate point is five minutes: 00:00,
00:05, 00:10 and shows the user information summary within the previous 5
minutes. For example, if the x-coordinate is 00:05, the coordinate point shows
the summary of 00:00 to 00:05.

The y-coordinate is the number of online users, and it is the sum of users with
excellent network quality and users with the poor network quality.

Move the mouse to the waveform to check the number of users with excellent
and poor network quality at the current time.
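As an added example (not Sangfor's code) of the bucketing and verdict rules above, the following Python builds the 5-minute points and the all-day judgement from constructed per-user samples. The 30% poor-user share per point and the skipping of points with fewer than the minimum number of active users are assumptions, since the manual leaves those parts customisable.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUCKET = timedelta(minutes=5)   # "Real-time quality definition (5 minutes)"


def bucket_samples(samples):
    """Group (timestamp, user, quality) samples into 5-minute points. The point
    labelled HH:05 summarises samples from HH:00 up to, but not including,
    HH:05, as described above. Returns {label: {"excellent": n, "poor": n}}."""
    users_by_point = defaultdict(dict)
    for ts, user, quality in samples:
        floor = ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)
        users_by_point[floor + BUCKET][user] = quality   # last sample per user wins
    return {
        label: {"excellent": sum(q == "excellent" for q in users.values()),
                "poor": sum(q == "poor" for q in users.values())}
        for label, users in users_by_point.items()
    }


def point_is_poor(point, poor_share_pct, min_users):
    """A point is 'poor' when the share of poor users reaches the customised
    percentage (assumed semantics of the monitoring percentage). Points with
    fewer active users than min_users are left unjudged (None)."""
    total = point["excellent"] + point["poor"]   # the y-coordinate
    if total < min_users:
        return None
    return 100 * point["poor"] / total >= poor_share_pct


def all_day_quality(points, poor_share_pct=30, min_users=10, poor_minutes_limit=30):
    """All-day verdict: 'poor' once the poor points add up to more than
    poor_minutes_limit minutes (30 by default, 10..300 allowed). The 30 %
    share is an assumed default; the product lets the user customise it."""
    if not 10 <= poor_minutes_limit <= 300:
        raise ValueError("all-day limit must be between 10 and 300 minutes")
    poor_minutes = sum(5 for p in points.values()
                       if point_is_poor(p, poor_share_pct, min_users))
    return ("poor" if poor_minutes > poor_minutes_limit else "excellent"), poor_minutes


def constructed_day():
    """Constructed sample: seven consecutive points with half of ten users slow
    (35 poor minutes), then one point, sampled exactly on a boundary, with
    everybody fine."""
    base = datetime(2021, 9, 27, 0, 0)
    samples = []
    for i in range(7):
        for u in range(10):
            samples.append((base + i * BUCKET + timedelta(seconds=30), f"user{u}",
                            "poor" if u < 5 else "excellent"))
    samples += [(base + 7 * BUCKET, f"user{u}", "excellent") for u in range(10)]
    return samples


if __name__ == "__main__":
    pts = bucket_samples(constructed_day())
    print(all_day_quality(pts))   # ('poor', 35)
```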


Assessment can be used to check the detailed network quality and show you
several reasons for poor network quality:

1. Traffic control not enabled.

2. Insufficient bandwidth (HTTP traffic occupies 90% of the bandwidth for
ten consecutive minutes of the day).

3. Bandwidth occupied by P2P; it is recommended to limit the speed (P2P
traffic occupies 90% of the bandwidth for ten consecutive minutes of the
day).

4. It is recommended to set a guaranteed channel (traffic control shows
more than 10% packet loss and there is no guaranteed channel).

5. Policy (xxx) has low traffic control.

6. Policy (xxx) has low connection control.

7. PPS broke down sometime today.

8. DNS configuration error.

9. Indicate an internal or external performance choke point.

3.3.1.5.5 User Based Detection


Provides a single-user detection function, which can perform targeted
detection for a single user when the overall network quality judgement cannot
solve the problem.

For example: When user A is listed on the slow network list, you can enter the
username or IP address in user-based detection - user or click Select User and
select user from the following group structure:

After confirming and submitting, click Configure in the monitored address to
configure the address:


Terminal page redirection: You can choose to access Baidu to redirect to the
test page or redirect all web access to the test page.

Monitored address: Use the built-in monitored address library or a custom
monitored address. After confirming and submitting, click Start.

Take www.google.com as an example:

When the user visits www.google.com, they will be redirected to the test page.

After clicking Start, the user will start the detection. There will be a time prompt
during the test.

Then the administrator page will indicate detection start:

User detection finished:

The detection result will be shown on the administrator page.

3.3.1.5 Traffic Statistics

The Traffic Statistics panel displays traffic information about online users and
applications, status information about Bandwidth Management channels, and
connection monitoring information.

3.3.1.5.1 Top Users by Traffic

3.3.1.5.1.1 Viewing User Rankings

The Top Users by Traffic panel displays the bandwidth usage of online users.
See the following figure.

As shown in the preceding figure, you can rank users by the outbound or
inbound traffic rate. The displayed information includes the username, group,
outbound and inbound traffic rates, bidirectional traffic, number of sessions,
locking status, the button for obtaining the machine name, and traffic details.
In the Lock column, click the icon to restrict a user from Internet access. In
the Obtain column, click Obtain to obtain the computer name of the
corresponding user. In the Top Apps column, click an application to display
the traffic information about the user.

Click Auto Refresh: 5 seconds to set the refresh interval.

Click Refresh to refresh the information immediately.

3.3.1.5.1.2 Filtering Users

Click Filter to specify the conditions for filtering users by traffic.

Set the line and application in the Type pane. See the following figure.

Line specifies the line to be viewed, and App Category specifies the application
to be viewed. After setting the line and application, click Commit. The page
shown in the following figure is displayed.

You can choose to display all applications, selected applications, or
unselected applications. The selected applications are shown in the right pane.
Click OK to save the settings.

You can set the specific user or IP address in the Objects pane. See the
following figure.

The User Group Filter, Username and IP address option buttons in the Objects
pane are mutually exclusive. Below Group Filter, the slash (/) indicates all
groups. After you click Select, the page shown in the following figure is
displayed.

Select a group to view or enter a group name and click OK.

In the Show pane, you can set the number of displayed users ranked by traffic.
See the following figure.

3.3.1.5.1.3 Locked Users

You can end a user connection by locking the user, and this user cannot access
the Internet within a period. Specifically, select a user in Top Users by Traffic,
click Lock, and set the lockout period in minutes. See the following figure.

3.3.1.5.1.4 Unlock Users

To unlock a user, click Unlock Users. The Online Users page is displayed. See
the following figure.

In the user list, select the user to be unlocked and click Unlock.

3.3.1.5.2 Top Apps by Traffic

3.3.1.5.2.1 Viewing Application Rankings

The Top Applications by Traffic panel displays rankings of applications by
traffic in real-time. See the following figure.

As shown in the preceding figure, you can filter applications by bandwidth. The
displayed information includes the application type, outbound and inbound
traffic rates, bidirectional traffic, line, occupied bandwidth in percentage, and
user details about the application. Click a user in the Top User column to
display information about users of this type of application, including the
username, group, IP address, upload rate, download rate, and total rate. See
the following figure.

Click Auto Refresh: 5 seconds to set the refresh interval. Click Refresh to
refresh the information immediately.

3.3.1.5.2.2 Top Applications by Traffic

Click Filter to specify the conditions for filtering applications. See the following
figure.

In the Objects pane, set the line and user group. In Show, set the number of
displayed applications ranked by traffic. Then click Commit.

3.3.1.5.3 Flow Control

The Flow Control Status is mainly used to check flow control settings, channel
flow information, etc., provided that the flow control channel has been
enabled. The interface is as follows:

3.3.1.5.3.1 Scenario and Method

3.3.1.5.3.2 Initial Launched Device Scenario

Scenario: In areas with sufficient bandwidth, the core requirement is to
improve the Internet experience, so enabling flow control with the default
configuration may improve the Internet experience significantly. However, IT
administrators cannot view the traffic usage after flow control is enabled, and
without visual feedback during subsequent adjustments, operation and
maintenance costs are high.

In areas with tight bandwidth, IT administrators need to implement relatively
fine-grained bandwidth management. If the initial implementation lacks
experience, you can apply the default configuration first, check the current
usage, and then make adjustments.

Flow Control provides overall line visualization and channel visualization to
help users analyze flow control results after launch.

Analysis Method:

1. When the device is launched, click Bandwidth Management > Bandwidth
Channel to enable bandwidth management and use the default
configuration.

2. After completing the channel configuration, you can link to Flow Control
through Line X on the Bandwidth Management > Bandwidth Channel page.

IT administrators linked to Flow Control can check several core elements first:

Check the flow usage of the uplink and downlink of the line, including the
guaranteed channel and the restricted channel, and jump to the top N primary
channels to evaluate whether the channel occupancy meets expectations.

Users can check the real-time flow and number of users through Details and
click to enter the channel.

Users can determine the overall status of the channel by checking the current
real-time speed, uplink and downlink usage, number of apps, number of users,
and idle line bandwidth.

If the overall line is idle but the flow usage is high, you can click Settings to
modify the channel configuration.

The IT administrator can directly click on the subchannel in the flow rate details
to view its details or use the left tab to jump to any other subchannel and
check the flow details.

Check the relationship between per-channel flow throughput and
configuration, including the channel usage rate and the parent channel idle
bandwidth.

Check whether the app usage in real-time flow is as expected.

3.3.1.6.3.1.2 Daily Operation and Maintenance Scenario

Scenario:

After the Flow Control is enabled, the administrator cannot check the flow
usage in the Enable Bandwidth Management System due to the lack of
visualization. The administrator cannot evaluate the flow control configuration
or adjust the channel configuration to distribute the flow better.

Flow Control provides overall line visualization and channel visualization to
help users analyze the results after flow control is enabled.

Analysis Method:

1. Link to Flow Control through the Bandwidth Management > Bandwidth
Channel page.

If you deploy in bridge mode, you need to configure the Virtual Line Rules first.

After jumping to Flow Control, IT administrators can check the bandwidth
status of each line.

Check the flow usage of the uplink and downlink of the whole line. The
administrator can view the 24-hour idle bandwidth of the line (the line
bandwidth in the above figure minus the highest point of the area map) and
the condition of the top channels (guaranteed channel/limited channel) when
the traffic usage ratio is high.

The difference between the used bandwidth and the line bandwidth (i.e., the
bandwidth of the current line idle) can be visually seen from the diagram.

Condition of guaranteed channel/ limited channel:

For example, if the flow usage of the guaranteed channel has been too small,
the user can check the flow throughput in the guaranteed channel (click the
area map of the guaranteed channel/limited channel to jump to the area map
of the top three channels of the corresponding type).

Check the Realtime Rate to view the real-time rate of the channel list. It can be
combined with the line bandwidth usage and real-time usage rate to determine
the specified channel for viewing.

After entering the channel, the IT administrator can check:

Click a channel whose real-time rate is high to check it, and view the
throughput of the primary channel and the user/app ranking.

If you enter the guaranteed bandwidth, you can see the usage information of
the guaranteed bandwidth in the line and provide four reference lines: used
bandwidth, line bandwidth, maximum available bandwidth, latest guaranteed
bandwidth.

After checking the throughput and comparing the bandwidth used, the
administrator can adjust some channel configurations and increase the
bandwidth utilization.

Click Edit Channel, enter the maximum available value, and click OK.

After the configuration is modified, the throughput diagram is updated within
5 minutes, so the effect can be seen quickly.

3.3.1.6.3.1.3 New Service Scenario

As business moves to the cloud, original LAN applications move to the Internet
or new Internet services appear. As a result, IT administrators need to protect
new services and face the problem of redistributing bandwidth.

Flow Control provides line visualization and channel visualization to help
administrators allocate bandwidth to new services.

Analysis Method:

1. Click Real-time Status > Bandwidth Management > Flow Control to view
the traffic status of the line on the day, or view the historical situation
(within one month), to ensure that there is free bandwidth to allocate to
the new service.

2. Administrators can go to Bandwidth Management > Bandwidth Channel >
Add Guaranteed Channel.

3. After the administrator sets the bandwidth management channel, click
Details in the channel list to redirect to the newly created channel's
real-time status.

The administrator can check the usage of the current channel and the overall
line's idleness to ensure that the new configuration is reasonable.

The status shown in the figure can be broken down into four parts:

1. The channel names; the active one shows which channel is in use.

2. The instantaneous uplink and downlink rate, channel bandwidth usage,
which applications are using bandwidth (click the number to view the
specific applications), and the number of users in the channel in use.

3. The real-time or 24-hour uplink and downlink trend in the trend diagram
in the middle, with three reference lines: bandwidth used, line bandwidth,
and maximum available bandwidth.

For example, this is a limited channel with its speed capped at 32MB/s, and the
occupied bandwidth stays continuously below the channel's maximum available
bandwidth, indicating that the channel is healthy.

If it stays equal to the maximum available bandwidth of the channel, the
channel pressure is high. If you select "When the line is idle, it is allowed to
exceed the limit", the channel will exceed the "maximum available bandwidth"
when the whole line is idle.

You can also see the top N users and applications by flow in the channel.

After the operations above, the IT administrator can quickly guarantee the new
services, check the historical channel congestion in Flow Control Status when
the whole line is busy, allocate and adjust the flow, or upgrade the bandwidth.

3.3.1.6.4 Connection

The Connection panel displays information about active connections of
specified users or IP addresses. You can query the information by IP address
or username. See the following figure.

3.3.1.6.4.1 Search by IP Address

By default, connection information is queried by IP address. For example, enter
192.168.19.14 and click the search button. The page shown in the following
figure is displayed.

You can view the information about the entered IP address connections,
including the source IP address, destination IP address, protocol, application
type, application name, and direction.

3.3.1.6.4.2 Search by Username

Click Search by Username to query connection information by username. See
the following figure.

3.3.1.6.5 Quota Usage

Quota Usage allows you to view the usage of a specified user or quota policy
and execute the reset operation. See the following figure.

Configure and enable Policies -> Web Access -> Quota Policy in advance.

Select query conditions: Queries by quota policy or by user are supported.

Reset: Select the user to be reset. Daily traffic, monthly traffic, and
duration can be reset.

3.3.1.6.6 Link Load Balancing

The link load balancing status can display the current link status (normal, busy,
offline, no data), the TOP5 link bandwidth utilization (outbound, inbound), and
the distribution of policy traffic.

The administrator can also view the real-time information of the link load
balancing policy, including the real-time and cumulative traction of the day.

The administrator can click on any policy name or details to redirect to the
policy details description.

3.3.1.6.7 Top Services by Traffic

This panel displays the current service traffic conditions, including the
service IP address and port, outbound and inbound flow rates, number of
connections, and users. Click Details to view the specific content.

3.3.1.7 Internet Activities

3.3.1.7.1 Viewing Internet Activities

The Internet Activities panel displays information about recent online
behaviors of users. See the following figure.

You can view the online behaviors, access time, IP address, application type,
application name, and details.

3.3.1.7.2 Filtering Internet Activities

Click Filter to specify the conditions for filtering online behaviors. See the
following figure.

In the Type pane, set the users whose online behaviors are to be viewed. You
can select any of the User Group, Username, and IP address.

In the Objects pane, set the network behaviors to be viewed. The available
options include Search Term, Forum and Microblog, Emails, Outgoing File,
IM Chats, Websites Browsing, and Others.

In Action, set the actions to be viewed. The available options include Reject,
Log, and Alert.

3.3.1.8 Locked Users

3.3.1.8.1 Viewing the Locked Users

The Locked Users panel displays the users that were recently locked. See the
following figure.

The displayed information includes the locked details, operation, locked
time, IP address, violation type, and remaining time.

Select a locked user and click Unlock to unlock the user. Click Unlock All to
unlock all users.

3.3.1.8.2 Filtering Locked Users

Click Filter to specify the conditions for filtering locked users. See the following figure.

In the Objects pane, set the users to be filtered. You can select any of the User
Group, Username, and IP address.

3.3.1.9 SaaS Applications

With the rise of the Internet, and in the evolution from Web 2.0 to HTML5, more
and more software providers offer SaaS services to support users' Internet
usage. This brings convenience but also the risks of Shadow IT.

Shadow IT: All applications adopted without the involvement of the IT
organization, and all applications not covered by IT service management, fall
within the scope of Shadow IT.

Shadow IT brings potential risks and costs. Hundreds of cloud applications may
be operated in a large enterprise network, most of which are shadow services.
These services are not supervised by IT and may cause significant risks to data
and business, as well as compliance issues.

How to handle Shadow IT becomes a problem to be solved in enterprise
information security:

⚫ How to inspect and evaluate the usage of SaaS applications.

⚫ How to discover and handle potential Shadow IT risks.

⚫ How to manage SaaS applications.

Please check How to manage SaaS applications.

3.3.1.10 DHCP Status

The DHCP Status panel displays the DHCP assignment conditions after DHCP
is enabled.

See the following figure.

The displayed information includes the current DHCP status, allocated IP
address, computer name, Media Access Control (MAC) address, lease date, and
lease term.

3.3.1.11 Security Events

The Security Events panel displays insecure behaviors detected by the device
and analyzes users and security events. If you have access to Sangfor
Neural-X, you can also see hot events. The interface is as follows:

Users: Infected user is in red, and the user likely infected is in orange.

Security Event: Display Botnet, Malicious URL, Inside Dos Attack, and Virus.

Hot Events: Connects to Sangfor Neural-X to get the top 10 security events. If
an event occurs, the cloud diagram turns red, and the user can click it to
check details.

Information List: You can check the exact user and security event here.

Users: Click on the user name to enter the user tab. You can see the specific
occurrence time, description, data packets, risk information, and details.

Details:

Security Events:

Click the Journal to link to Security Event Details, and check the data packet,
threat information, and details.

3.4 Proxy

The IAG unit can function as a proxy server. By enabling the proxy service on
this unit and configuring the unit as the proxy server in a web browser,
internal users can access the Internet through the unit, which can therefore
manage and control their Internet activities.

3.4.1 Proxy Services

Available proxy services include HTTP proxy, SOCKS4/SOCKS5 proxy, and proxy
auto-config (PAC) script.

Check Enable HTTP Proxy to enable the HTTP proxy and set the proxy port. A
maximum of 5 ports can be entered, separated by commas.

Advanced: The original client IP address can be preserved.

X-Forwarded-For: This applies to the well-known scenario in which proxy
Internet access hides the source IP address. A request sometimes passes
through a CDN and then reaches Nginx acting as a load balancer; the
X-Forwarded-For field in the request header then carries the real IP address
of the HTTP client.
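As an added illustration (not Sangfor code) of the two sides of this header: a proxy that preserves the original client IP appends the address it received the request from to X-Forwarded-For, and an origin server behind known proxies must read the header from the right, trusting only the hops it operates, because everything to the left of the first untrusted address was written by the client side. The IAG address is the example address used elsewhere in this manual; the load balancer address, the client addresses and the trusted set are constructed.

```javascript
// Added example, not IAG code. Addresses are constructed except the IAG
// example address 10.111.111.8 taken from this manual.

// Proxy side: with "preserve original client IP address" on, the proxy appends
// the peer address it received the request from to X-Forwarded-For, creating
// the header if the request had none. Header names are lower case, as in Node.js.
function appendXff(headers, clientIp) {
  const existing = headers["x-forwarded-for"];
  const value = existing ? existing + ", " + clientIp : clientIp;
  return Object.assign({}, headers, { "x-forwarded-for": value });
}

// Origin side: the header is plain text that any upstream party can set, so
// only hops appended by proxies we operate are believed. Walk from the right
// (nearest hop) leftwards, skipping trusted proxy addresses; the first
// untrusted address is the real client. Anything further left is ignored.
function clientIpFromXff(xffHeader, peerIp, trustedProxies) {
  // Direct connection from an untrusted peer: the header proves nothing.
  if (!trustedProxies.has(peerIp)) return peerIp;
  const hops = (xffHeader || "").split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  // Every hop is one of our own proxies; the leftmost started the chain.
  return hops.length > 0 ? hops[0] : peerIp;
}

// Constructed deployment: the IAG proxies a LAN client, then a load balancer
// at 203.0.113.10 sits in front of the origin. The origin trusts those two hops.
const TRUSTED_PROXIES = new Set(["10.111.111.8", "203.0.113.10"]);

// Walk one request through the chain and return what the origin resolves.
function demo() {
  // The LAN client 192.168.19.14 sends the request through the IAG proxy...
  let headers = appendXff({ host: "www.example.com" }, "192.168.19.14");
  // ...and the load balancer appends the IAG's address before the origin sees it.
  headers = appendXff(headers, "10.111.111.8");
  return clientIpFromXff(headers["x-forwarded-for"], "203.0.113.10", TRUSTED_PROXIES);
}
```

The right-to-left walk is the important design choice: the origin never takes the leftmost entry at face value, so a client that sends its own X-Forwarded-For value cannot shift the resolved address away from itself.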

X-Forwarded-By: This applies to the scenario in which a reverse proxy device
placed in front of the back-end proxy server adds its own information.

Check Enable SOCKS4/SOCKS5 Proxy to enable the SOCKS4/SOCKS5 proxy and
set the port numbers of the proxy. A maximum of 5 ports can be entered,
separated by commas.

To use PAC script, select the option Use Proxy Auto-Config (PAC)
Script. A PAC script determines whether web browsers choose the
proxy server for fetching a given URL. More specifically, only the access
to the URLs specified in the script will use the proxy.

The script address is http://IAG_IP_Address/proxy.pac, for example,
http://10.111.111.8/proxy.pac. To edit a PAC script, click Edit Script, as
shown below:

The above page provides the following operations: Import, Download Example,
and Restore Defaults.

1. Import: allows administrators to import an existing PAC file to the unit.

2. Download Example: allows administrators to download a PAC script
example.

3. Restore Defaults: allows administrators to restore the current PAC script
to defaults.

The PAC script can also be edited directly. To save and apply the changes,
click Commit.
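Below is an added example PAC script, not the unit's built-in default and not the downloadable example, showing the behaviour described above: only the listed domains use the proxy, and everything else, including plain host names and RFC 1918 addresses, goes direct. The IAG address is the one used above; the proxy port 8080 and the domain list are assumptions. Browser-only PAC helpers such as dnsDomainIs() are deliberately avoided so that the same script also runs in Node.js.

```javascript
// Added example PAC script, not the IAG's built-in default script.
// Assumptions: the IAG address 10.111.111.8 is taken from the manual; the
// HTTP proxy port 8080 and PROXIED_DOMAINS are constructed for illustration.

var PROXY = "PROXY 10.111.111.8:8080";
var PROXIED_DOMAINS = ["example.com", "example.net"];

// True when host equals the domain or is a subdomain of it
// ("www.example.com" matches "example.com"; "notexample.com" does not).
function hostInDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Literal IPv4 addresses in the RFC 1918 private ranges are reached directly.
function isPrivateIPv4(host) {
  return /^10\.\d+\.\d+\.\d+$/.test(host) ||
         /^192\.168\.\d+\.\d+$/.test(host) ||
         /^172\.(1[6-9]|2\d|3[01])\.\d+\.\d+$/.test(host);
}

// Entry point the browser calls for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain host names (no dot) are intranet names: never proxy them.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (hostInDomain(host, PROXIED_DOMAINS[i])) {
      // Listed domain: use the IAG proxy, falling back to a direct
      // connection if the proxy cannot be reached.
      return PROXY + "; DIRECT";
    }
  }
  // Everything not listed bypasses the proxy, as the manual describes.
  return "DIRECT";
}
```

The "; DIRECT" fallback is a deliberate trade-off: it keeps users online if the proxy is down, but it also means traffic to the listed domains is then no longer subject to the unit's control, so deployments that rely on the proxy for policy enforcement may prefer to return only the PROXY entry.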

3.4.2 Proxies

Proxies fall into three categories: HTTP proxy, SOCKS4 proxy, and SOCKS5
proxy, to meet various requirements. On the Proxies page, you can perform
the following operations: Add, Delete, Enable, Disable, Move Up, and Move
Down.

3.4.2.1 HTTP Proxy

To add an HTTP proxy, click Add, select HTTP Proxy and configure the fields on
the following page:

Enable: Select this option to enable this HTTP proxy.

Name: Specifies a unique name for this HTTP proxy.

Description: Description of the HTTP proxy.

Object: It allows you to specify the source IP group and destination domain for
this HTTP proxy.

Source: Specifies the source IP group that this HTTP proxy applies to. The IP
groups specified in Objects > IP Group are selectable. Default is the All group.

Dst Domain: Specifies the destination domain names. Default is All.

A specified domain name must meet the following requirements:

⚫ Fully qualified domain names are allowed.

Note that if baidu.com is specified as the DST domain, it includes zhidao.baidu.com and
music.baidu.com. If www.baidu.com is specified as the DST domain, the DST domain is
www.baidu.com only.

⚫ A domain name cannot exceed 127 characters.

⚫ The number of entries must not exceed 1000.

Options: It allows you to specify the action, ICAP server groups, cascading
proxy server, and proxy IP address for this HTTP proxy.

Action: Specifies an action, Allow or Deny. Default is Allow.

ICAP Server Groups: It determines whether to send data to the ICAP server. You
can select None or one or more ICAP server groups. Default is None, which
indicates that no data will be sent to the ICAP server. To send data to a
specific ICAP server group, select or add that ICAP server group. For more
information about the ICAP server group, refer to the ICAP Server Groups
section in this Chapter.

Cascading Proxy Server: Default is None. To use a cascading proxy, you can
specify or add a cascading proxy server. For more information about cascading
proxy servers, refer to the Cascading Proxy Servers section in this Chapter.

Proxy IP: Specifies the IP address of the outgoing interface that proxy
data go through. If you select Auto, the proxy IP address will be
automatically chosen. You can also select a specific IP address from
the pull-down list. In the list, there are IP addresses of VLAN interfaces,
WAN interfaces, bridge interfaces, DMZ interfaces, and interfaces for
Single Arm mode (exclusive of IP addresses of LAN interfaces).

If this unit is deployed in Route mode, multiline is supported. If a specific proxy IP address is
selected, a corresponding outgoing line will be chosen. If Auto is selected, the outgoing line
is determined by policy-based routing.

3.4.2.2 SOCKS4 Proxy

To add a new SOCKS4 proxy, click Add, select SOCKS4 Proxy, and
configure the fields on the following page:

Enable: Select this option to enable this SOCKS4 proxy.

Name: Specifies a unique name for this SOCKS4 proxy.

Description: Description of the SOCKS4 proxy.

Object: It allows you to specify the source IP group for this SOCKS4 proxy.

Source: Specifies the IP group. Default is the All group. You can also
select one or more IP groups specified in Objects > IP Group.

Options: It allows you to specify action and proxy IP address for this SOCKS4
proxy.

Action: Specifies an action, Allow or Deny. Default is Allow.

Proxy IP: Specifies the IP address of the outgoing interface that proxy
data go through. If you select Auto, the proxy IP address will be
automatically chosen. You can also select a specific IP address from
the pull-down list. In the list, there are IP addresses of VLAN interfaces,
WAN interfaces, bridge interfaces, DMZ interfaces, and the interfaces
for Single Arm mode (exclusive of IP addresses of LAN interfaces).

3.4.2.3 SOCKS5 Proxy

To add a new SOCKS5 proxy, click Add, select SOCKS5 Proxy, and
configure the fields on the following page:

Enable: Select this option to enable this SOCKS5 proxy.

Name: Specifies a unique name for this SOCKS5 proxy.

Description: Description of the SOCKS5 proxy.

Object: It allows you to specify the source IP group.

Source: Specifies the IP group. Default is the All group. You can also
select one or more IP groups specified in Objects > IP Group.

Options: It allows you to specify action and proxy IP address for this SOCKS5
proxy.

Action: Specifies an action, Allow or Deny. Default is Allow.

Proxy IP: Specifies the IP address of the outgoing interface that proxy
data go through. If you select Auto, the proxy IP address will be
automatically chosen. You can also select a specific IP address from
the pull-down list. In the list, there are IP addresses of VLAN interfaces,
WAN interface, bridge interfaces, DMZ interfaces, and the interfaces
for Single Arm mode (exclusive of IP addresses of LAN interfaces ).

If none of the proxy services (HTTP proxy, SOCKS4 proxy, and SOCKS5 proxy) is enabled,
a prompt on the Proxies page shows: No proxy will take effect, for no proxy service is
enabled.

⚫ Proxy is matched from top to bottom, and only one proxy will be matched
by one connection.

⚫ A maximum of 512 entries is allowed.

⚫ Even if no proxy is created, as long as a proxy service (HTTP proxy, SOCKS4
proxy, or SOCKS5 proxy) is enabled, data still goes through the corresponding
proxy server, because data not matched by any proxy is allowed to use the
proxy by default.
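The matching rules described in this section (Dst Domain suffix semantics from 3.4.2.1, Source IP groups, top-to-bottom first match with one proxy per connection, and Allow when no proxy matches) can be pinned down in code. The following is an added example and not the IAG's implementation; the proxy entry shape, the use of CIDR notation for IP groups, the domain-list validation helper and the sample entries are all assumptions.

```javascript
// Added example, not IAG code. Entry shape, CIDR groups and sample data are
// constructed assumptions used to illustrate the documented matching order.

// Parse dotted IPv4 into an unsigned 32-bit integer; throws on bad input.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when ip lies in the CIDR block (e.g. "10.0.0.0/8"); "All" matches anything.
function ipInGroup(ip, group) {
  if (group === "All") return true;
  const [net, bitsStr] = group.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Dst Domain semantics from the manual: "baidu.com" also covers
// zhidao.baidu.com and music.baidu.com; "www.baidu.com" covers only itself.
function domainMatches(rule, host) {
  if (rule === "All") return true;
  rule = rule.toLowerCase();
  host = host.toLowerCase();
  return host === rule || host.endsWith("." + rule);
}

// Enforce the documented Dst Domain limits; returns null or an error string.
function validateDstDomains(domains) {
  if (domains.length > 1000) return "more than 1000 entries";
  const tooLong = domains.find((d) => d.length > 127);
  return tooLong ? "domain name exceeds 127 characters: " + tooLong : null;
}

// Walk the ordered proxy list; the first enabled entry whose Source group and
// Dst Domain both match decides the connection, and no later entry is consulted.
function matchProxy(proxies, srcIp, dstHost) {
  for (const p of proxies) {
    if (!p.enabled) continue;
    if (!p.source.some((g) => ipInGroup(srcIp, g))) continue;
    if (!p.dstDomains.some((d) => domainMatches(d, dstHost))) continue;
    return { proxy: p.name, action: p.action };
  }
  // No entry matched: the manual states such traffic may use the proxy.
  return { proxy: null, action: "Allow" };
}

// Constructed proxy list. Order matters: the narrower Deny must come first,
// otherwise "allow-baidu" would also capture music.baidu.com.
const SAMPLE_PROXIES = [
  { name: "deny-music", enabled: true, source: ["10.0.0.0/8"], dstDomains: ["music.baidu.com"], action: "Deny" },
  { name: "allow-baidu", enabled: true, source: ["10.0.0.0/8"], dstDomains: ["baidu.com"], action: "Allow" },
  { name: "guest-deny-all", enabled: true, source: ["192.168.50.0/24"], dstDomains: ["All"], action: "Deny" },
  { name: "disabled-entry", enabled: false, source: ["All"], dstDomains: ["All"], action: "Deny" },
];
```

When reviewing a proxy list, the cases worth checking against this logic are the ones the sample data exercises: a Deny placed below a broader Allow that shadows it, a disabled entry that looks like a catch-all, and a source address that falls into no group at all and is therefore allowed by default.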

3.4.3 ICAP Server Groups

Proxy data can be sent from this unit to an ICAP server, which performs
virus scanning and data loss prevention (DLP) on the proxy data.

You can configure at most 64 ICAP server groups, and each server group can
contain one or more ICAP servers. Within a group, servers are selected in
round-robin fashion, so requests are distributed to each ICAP server in turn.
An ICAP server is identified by a unique IP address and port and must not
exist in two different ICAP server groups.

To add a new ICAP server group, click Add and configure the following fields:

Name: Specifies a unique name for this ICAP server group.

Description: Descriptive information of this ICAP server group.

Request Type: Options are POST and GET. Users’ requests can be modified on
this unit, but responses from the ICAP server cannot be changed.

You can configure 32 ICAP servers for each ICAP server group and
perform operations against an individual server, such as enable,
disable, delete. The Status column displays the status of individual
ICAP servers, enabled or disabled.

To add an ICAP server, click Add Server and configure the following fields.

Name: Specifies a unique name for this ICAP server.

Description: Description of this ICAP server.

Server IP: Specifies the address of this ICAP server. It cannot exceed
96 characters. IPv6 address is supported as well.

Port: Specifies the port of this ICAP server. It should be an integer between 1
and 65535.

Connection Timeout(s): Specifies the timeout of the connection. It
should be an integer between 1 and 120 seconds.

Max Connections: Specifies the maximum number of connections. It
should be an integer between 4 and 100.

Send: You can choose which information is sent to the ICAP server:
source IP address, server address, authenticated user, and groups.

Negotiate: Click Negotiate to test the validity of the ICAP server and
negotiate parameters with that server.

Interval: Specifies how often to perform a health check. It is 10
seconds by default and should be an integer between 5 and 60 seconds.

Health Check Method: Options are L4 health check and L7 health
check. The former checks the port, while the latter checks the
application; for example, an HTTP GET or HTTP HEAD request for a
specific URL can be sent.

Action: Specifies the action to be taken if an error occurs on the ICAP
server: reject the client request or allow the client request.

3.4.4 Cascading Proxy Servers

A cascading proxy server is required when this unit needs to go through
another proxy server before fetching resources. To add a new
cascading proxy server, click Add on the Cascading Proxy Servers page
in Proxy > Cascading Proxy Servers, and configure the fields on the
following page:

Name: Specifies a unique name for this cascading proxy server.

Description: Description of the cascading proxy server.

Server IP: Specifies the IP address of this cascading proxy server.

Port: Specifies the port of this cascading proxy server.

Server Requires Authentication: If this option is selected, the identity of
this unit must be authenticated by this cascading proxy server, so a
username and password are required.

To test connectivity between this unit and the cascading proxy server, click
Test Validity. To save and apply the settings, click Commit.

3.4.5 Forward

Forward applies to HTTP proxy, HTTPS proxy, and SOCKS proxy. With
Forward, data destined to a specific IP address and port can be
forwarded to a corresponding IP address and port. Therefore, when
internal users access internal resources through the proxy server,
requests can be forwarded directly to the corresponding LAN server.

Note that the destination address can be the IP address or domain name, but the forward IP
address can only be an IP address.

For example, configure a forward entry to forward access to
www.sangfor.com.cn (through port 443) to the LAN server at 10.1.1.3 (through
port 443). The corresponding configuration is shown on the following page:

Health Check Options: You can specify the health check method (L4 health
check or L7 health check) and the action to take if forwarding fails (Stop
forwarding data or Continue forwarding data). HTTP or HTTPS probe packets
are required to perform the L7 health check.

To specify health check interval, click Advanced Settings on the Forward page, as
shown below:

Interval (mins): The interval is a global setting. It should be an integer between
5 and 60 minutes.

3.5 Access Management

Access management manages intranet users and configures authentication
methods for them. It includes user management, authentication, and endpoint
check. User management provides unified management and configuration of
intranet users; authentication configures the authentication method and the
authentication server for intranet users; endpoint check enforces endpoint
compliance and controls illegal outreach.

3.5.1 Working Principle

The following sections introduce the basic concepts involved in user management and authentication.

3.5.1.1 User Types

The users on the IAG are classified into three types: local users, AD domain users, and temporary users.

Local users: Users that can be managed and configured on the page displayed after you choose Users > Local Users > Local Users.

Local users can be added in the following ways:

1. Manually created by the console administrator.

2. Set on the Authentication Policy page and automatically added after authentication (including users who do not require authentication, users authenticated on a third-party server, and SSO users).

3. Users imported by using the import function.

4. Users synchronized to the IAG by using the automatic synchronization function on the user management page.

AD domain users: If there is an AD domain on the intranet and the IAG needs to work with the AD domain server for third-party authentication and SSO authentication, the IAG obtains the users of the AD domain and the organization structure in real time. The organization structure on the IAG is the same as that in the AD domain. AD domain users can be managed on the page displayed after choosing Users > Local Users > Domain User. AD domain users are not synchronized to the IAG; therefore, they cannot be deleted or moved on the IAG. Instead, you can associate Internet access policies and traffic control policies with this type of user.

Temporary users: Users authenticated by the IAG but not included in the organization structure on the IAG. This type of user is not displayed on the page after choosing Users > Local Users.

The following introduces how to configure an Internet Access Policy for temporary users.

Network access permission is specified on the Authentication Policy page. As shown in the
following figure, select a group in Add Non-Local/Domain Users to Group. Then the
Internet Access Policy of the specified group will be applied to temporary users.

3.5.1.2 Local Group/User

On the Local Group/User page, you can manage and configure IAG local user groups and users: add, delete, batch edit, import, export, and move users to a user group.

3.5.1.2.1 Add New Group/User

3.5.1.2.1.1 Add New Subgroup

By default, the device has a built-in root group. This group cannot be deleted and its name cannot be modified. All newly added groups are subgroups of the root group: the root group is the first-level group, a group added directly under it is a second-level group, and so on. The local group structure supports up to 16 levels, including the root group, which matches a typical company organization and simplifies management. For example, add an Engineer group under the root group:

Step 1. In Local Users, select the user group under which the subgroup is to be added; the management pane opens on the right. Click Add in the member list and select Group as the new type.

Step 2. Set the name to Engineer and enter the description information of the group.

Step 3. After the configuration is complete, click Submit. The subgroup is added to the member list.

Step 4. After the subgroup is added, you can import or add users belonging to the group under it.

3.5.1.2.1.2 Add New User

New users are divided into two categories: ordinary users and multi-users. Since the device comes with a default policy (password authentication), the administrator can add user information directly, and the user can then access the Internet through password authentication.

Step 1. In Access Mgt/User Management/Local Users, click Add and select User in the member list.

Step 2. Select Enable this user, then fill in the login name (required), the description, display name, mobile phone number, and email (optional, fill in as required), and the current group.

Step 3. Set the user attributes, select Local password, and set the login password. If the user authenticates with an external password, leave Local password unselected.

Step 4. The administrator can display the currently configured policies in the
policy list, create new policies or remove policies. In the advanced properties,
you can set the logout window after the password authentication is successful,
allow multiple people to log in with the account simultaneously, and modify the
local password.

To restrict the addresses from which the user can log in, select Restrict login within the following address range and enter the permitted IP address range. The breaches list displays the user's breach information.

Password must be changed upon the first login: The user must change the initial password after passing the initial authentication. When the user is a public account (that is, multiple people are allowed to log in with this account simultaneously), the Password must be changed upon first login option does not take effect.

Step 5. Click Add User Binding to bind information such as IP and MAC.

New user binding: Sets the binding relationship between the user and an IP and/or MAC. Fill in the description, binding purpose, binding object, and binding validity period. The binding purpose can be one of: auto authentication; correlated login with an account; or auto authentication and correlated login with an account. Fill in the bound IP and MAC in the binding object.

Auto authentication: Once the IP or MAC is bound to the user, the user can access the network from it without authenticating.

Correlated login with an account: The user can only be authenticated within a specific range (the bound IP or MAC).

Auto authentication and correlated login with an account: The user can only authenticate within a specific range and, once authenticated, does not need to authenticate each time.

Step 6. Click Commit to complete the user addition. The newly created user is displayed in the member list.

Step 7. After the user is created, the user can authenticate by entering the username and password through the local password authentication method.

3.5.1.2.1.3 Adding Multiple Users

Adding Multiple Users allows you to add several users at the same time. Unlike Add New User, the Endpoint Binding (IP and MAC binding) in the advanced properties cannot be set when adding multiple users, because a binding is unique to one user.

All users added in one batch have exactly the same attributes and policies; only the username differs. Enter the usernames in the user name list, separated by commas. Because all users in the batch receive the same initial password, you can require that the user change the password during the first authentication. The other settings are the same as for Add New User above.

3.5.1.3 Domain Users

The IAG obtains domain users from the AD server in real-time. The
organization structure of domain users on the IAG is the same as that
on the AD server. Before obtaining the organization structure on the
AD server, choose Users > External Auth Server and add an AD
server.

If the IAG works with the AD server for authentication, including AD SSO and AD third-party authentication, you can view domain users, the organization structure, and the associated Internet Access Policy.

In User Group, select Domain Users to view information about the obtained AD domain users and user groups. On the Member and Policy panel, user group information is displayed, including the type and path.

On the Members tab page, you can view details about each user group
and user. Domain users differ from local users in that domain users
cannot be edited, moved, or deleted on the IAG.

You can view the Internet access policies associated with AD users and
user groups on the Policies tab page, as shown in the following figure.

The Internet access policies are displayed on the Policies tab page in
the same sequence as the Access Mgt > Policies page. Network
access policies are matched in sequence. To change the sequence,
click Up or Down on the Access Mgt > Policies page.

On the Policies tab page, only the names of the Internet access policies are shown; click a policy to view its details. The policy resultant set gives the administrator an easier way to view the details of the Internet access policies referenced by users and user groups. Click View Resultant Set to integrate the policies referenced by a group and list the detailed settings on the Policies tab page.

3.5.1.4 User Binding Management

User binding management is usually used for password authentication and can also be used in scenarios where the administrator defines a username that does not require authentication. It mainly includes user binding, IP/MAC binding, and WeChat ID binding.

User binding: When you need to restrict a user name to only log in on
a specific IP or MAC address, and require the bound IP or MAC to be
used only by this user, you need to use the user binding function.

IP/MAC binding: Binding a user's IP address to its MAC address facilitates the administrator's unified management of intranet users and realizes one-person, one-machine real-name management. The IP address and MAC address are bound in two directions: when the user is authenticated, the IAG verifies whether the user's IP and MAC comply with the binding relationship, and if either item does not match, authentication fails. This prevents users from changing their IP addresses at will on the intranet.

WeChat ID binding: As WeChat has officially reclaimed the open ID-related permissions, WeChat authentication cannot be used, and the WeChat ID binding here also loses its original function. If there are updates in the future, the Sangfor team will notify you as soon as possible.

3.5.1.4.1 User Binding

User binding methods include automatic binding and manual binding.

Automatic binding: When configuring an authentication policy, the administrator can, in the action options, automatically create the binding relationship between the user and the IP/MAC, choosing to bind the IP, the MAC, or both. A validity period can be set for the binding.

Manual binding: The administrator can bind users when adding them in User Management/Local Users; refer to the Add New User section. The user binding configuration instructions are as follows.

Step 1. In Access Management/User Management/User Binding Management/User Binding, click Add to go to the new user binding page.

Step 2. Check Enable and set the bound username and description. The username can refer to a user in the local IAG organizational structure or to a user authenticated by a third-party server. Even if such users are not added to the IAG's organizational structure, the binding relationship is still valid as long as the username is known.

Step 3. Select the binding purpose: auto authentication; correlated login with an account; or auto authentication and correlated login with an account.

Step 4. Set binding object: select whether the user is bound to IP or MAC.

If the administrator does not know the MAC address of the endpoint used by the user when
binding the MAC, click Auto assigned and enter the IP address of the user endpoint to
obtain the MAC address automatically.

Step 5. Set the binding validity period: choose Never expire or set an expiration time.

Step 6. Click Commit. The user binding is created.

Administrators can add, batch edit, delete, advanced search, open advanced settings, select, and import/export in user binding. You can also download the example file for reference. Among them:

Batch editing: Used to set the description information and auto authentication settings of multiple bound users simultaneously.

Advanced search: Users can be searched by basic conditions (username, IP, MAC); by binding purpose (auto authentication, correlated login with an account, or auto authentication and correlated login with an account); and the users in the list can also be filtered by time since added and by account expiration time.

Example file: You can click to download the sample template and fill it in according to the prompts and examples.

View user binding error report: You can view the user binding error report generated during the authentication process.

Advanced settings: Click Advanced settings to jump to the advanced options. For detailed configuration, please refer to the instructions in the advanced options.

3.5.1.4.2 IP/MAC Binding

The IP/MAC binding function imports IP address and MAC address pairs in batches and binds them in two directions. When a user is authenticated, the IAG verifies whether the user's IP and MAC conform to the binding relationship configured here. If either of them is wrong, the user does not pass authentication; this prevents users from changing their IP addresses at will on the intranet.

The administrator can delete, import, and export the corresponding policies. When there are many policies in the list, you can search by IP/MAC: enter the description information and press Enter to search.
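The binding rules described in Add New User (step 5), User Binding and IP/MAC Binding above, modelled as an added Python example that is not Sangfor's code: a two-direction IP/MAC table, user bindings with the three purposes and a validity period, and the resulting allow/deny decision. The order of the checks, the treatment of an expired binding, and the credential store are assumptions of this example.

```python
"""Added example (not Sangfor code): a model of the binding checks described in
Add New User (step 5), User Binding and IP/MAC Binding.  The order of the checks,
the treatment of an expired binding and the credential store are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# The three binding purposes offered in the console.
AUTO = "auto"                                # bound endpoint logs in without authenticating
CORRELATED = "correlated"                    # user may authenticate only from the bound endpoint
AUTO_AND_CORRELATED = "auto_and_correlated"  # both of the above
NOW = datetime(2021, 9, 27)                  # fixed "current time" for the constructed demo


@dataclass
class UserBinding:
    username: str
    purpose: str
    ip: Optional[str] = None             # binding object: IP, MAC, or both
    mac: Optional[str] = None
    expires: Optional[datetime] = None   # None means the binding never expires

    def is_active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires

    def matches(self, ip: str, mac: str) -> bool:
        """Every configured binding object must match; unset objects are not checked."""
        if self.ip is not None and self.ip != ip:
            return False
        if self.mac is not None and self.mac.lower() != mac.lower():
            return False
        return True


class IpMacBindingTable:
    """Two-direction IP/MAC binding: if either side of a pair is known, the other
    side must be the one it was bound to."""

    def __init__(self, pairs: Iterable[Tuple[str, str]]):
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ip: Dict[str, str] = {}
        for ip, mac in pairs:
            self.ip_to_mac[ip] = mac.lower()
            self.mac_to_ip[mac.lower()] = ip

    def check(self, ip: str, mac: str) -> bool:
        mac = mac.lower()
        if ip in self.ip_to_mac and self.ip_to_mac[ip] != mac:
            return False  # this IP is bound to a different MAC
        if mac in self.mac_to_ip and self.mac_to_ip[mac] != ip:
            return False  # this MAC is bound to a different IP
        return True       # endpoints absent from the table are not restricted by it


class BindingAuthenticator:
    def __init__(self, table: IpMacBindingTable, bindings: Iterable[UserBinding],
                 credentials: Dict[str, str]):
        self.table = table
        self.bindings: List[UserBinding] = list(bindings)
        self.credentials = credentials   # username -> password (constructed sample store)

    def authenticate(self, ip: str, mac: str, username: Optional[str] = None,
                     password: Optional[str] = None, now: datetime = NOW) -> Tuple[str, str]:
        """Return ('allow', username) or ('deny', reason)."""
        if not self.table.check(ip, mac):
            return ("deny", "ip/mac binding mismatch")
        active = [b for b in self.bindings if b.is_active(now)]
        here = [b for b in active if b.matches(ip, mac)]

        if username is None:
            # No credentials: only an auto-authentication binding lets the endpoint in.
            for b in here:
                if b.purpose in (AUTO, AUTO_AND_CORRELATED):
                    return ("allow", b.username)
            return ("deny", "authentication required")

        if self.credentials.get(username) != password:
            return ("deny", "bad credentials")
        # A bound IP or MAC may be used only by the user it is bound to.
        if any(b.username != username for b in here):
            return ("deny", "endpoint is bound to another user")
        # Correlated login: the user may authenticate only from a bound endpoint.
        restricted = [b for b in active if b.username == username
                      and b.purpose in (CORRELATED, AUTO_AND_CORRELATED)]
        if restricted and not any(b.matches(ip, mac) for b in restricted):
            return ("deny", "login outside the bound address range")
        return ("allow", username)


def build_demo() -> BindingAuthenticator:
    """Constructed sample configuration: one IP/MAC pair and three user bindings."""
    table = IpMacBindingTable([("10.1.1.20", "AA:BB:CC:00:00:20")])
    bindings = [
        UserBinding("alice", AUTO, ip="10.1.1.10"),
        UserBinding("bob", CORRELATED, mac="AA:BB:CC:00:00:20"),
        UserBinding("carol", AUTO_AND_CORRELATED, ip="10.1.1.30",
                    mac="AA:BB:CC:00:00:30", expires=datetime(2021, 1, 1)),  # expired
    ]
    creds = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c", "dave": "pw-d"}
    return BindingAuthenticator(table, bindings, creds)
```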

3.5.1.5 User Sync

When the IAG works with a database or the H3C CAMS system for
authentication, the automatic user synchronization function is used to
synchronize users in the database or CAMS system to the local
organization structure on the IAG.

3.5.1.5.1 Sync User Accounts from the Database

Users and user groups in the database can be automatically synchronized to the local organization structure on the IAG. You need to set the synchronization interval.

3.5.1.5.1.1 Adding Sync User Accounts from the Database

A synchronization policy involves synchronization parameters. The configuration procedure is as follows:

1. Set information about the database from which information is synchronized to the IAG, including the IP address, port, login username, and login password.

2. Choose Access Mgt > Users Mgt > User Sync, click Add, and set
synchronization parameters in the displayed Sync User Accounts from
Database window.

Set the policy name and policy description. Select Automatic User
Sync and set the synchronization interval. As shown in the above
figure, the synchronization interval is set to 24 hours.

In Database Server, select the database server set in step 1 and enter the SQL statement to obtain user information and a group path separator. The group path separator is used to separate a group from a child group in the data table. In this example, the hyphen (-) is set as the separator. If there are only level-1 groups and no child groups, leave the Group Path Separator parameter blank. In Local Group Path, specify the path for saving the synchronized user information on the IAG.

If Allow multiple users to log in with an account concurrently is selected, accounts synchronized to the IAG are public accounts. A public account can be used for login on multiple computers. If this option is not selected, synchronized accounts are private accounts and can be used for login on a single computer at a time.

Click Test Validity to list the information about obtained users and
user groups and the SQL statement execution time.

3.5.1.5.1.2 Deleting Sync User Accounts from the Database

Access the User Sync page, select a synchronization policy, and click
Delete. After a synchronization policy is deleted, the users and user
groups that are synchronized to the IAG by using this policy remain
unaffected.

3.5.1.5.1.3 Viewing Synchronization Reports

The IAG generates a synchronization report each time synchronization is performed. Click View Import History. On the Import History page, select a synchronization report and download it.

3.5.1.5.2 Sync User Accounts from H3C CAMS Server

Users and user groups in the H3C CAMS system can be automatically
synchronized to the local organization structure on the IAG. You need
to set the synchronization interval.

3.5.1.5.2.1 Adding Sync User Accounts from H3C CAMS Server

A synchronization policy involves synchronization parameters. The configuration procedure is as follows:

1. Set information about the H3C CAMS system from which the information is to be synchronized to the IAG, including the IP address, port, login username, and login password.

2. Choose Access Mgt > User Mgt > User Sync, click Add, and set
synchronization parameters in the displayed Sync User Accounts from
H3C CAMS Server window.

Set the policy name and policy description. Select Automatic User
Sync and set the synchronization interval. As shown in the above
figure, set the synchronization interval to 24 hours.

In H3C CAMS Server, select the H3C CAMS server in step 1.

In Local Group Path, specify the path for saving the synchronized user
information on the IAG.

If Allow multiple users to log in with an account concurrently is selected, accounts synchronized to the IAG are public accounts. You can use a public account to log in to multiple computers. If this option is not selected, synchronized accounts are private accounts and can be used for login on a single computer at a time.

3.5.1.5.2.2 Deleting Synchronization Policies

Access the User Sync page, select a synchronization policy, and click
Delete. After a synchronization policy is deleted, the users and user
groups that are synchronized to the IAG by using this policy remain
unaffected.

3.5.1.5.2.3 Viewing Synchronization Reports

The IAG generates a synchronization report each time synchronization is performed. Click Import History. On the Import History page, select a synchronization report and download it.

3.5.1.6 User Self Service

3.5.1.6.1 Approval List

After the administrator receives self-registered user information, it is approved on this page:

3.5.1.6.2 User Registration

Two registration methods are supported: user registration and endpoint registration.

3.5.1.6.3 Prerequisites

User Registration: Supported with local user authentication and external password authentication.

Endpoint Registration: Supported where no authentication is required (open authentication).

Other authentication servers do not support registration. When an authentication server that does not support registration is selected, the registration option is greyed out.

3.5.1.6.4 Configuration Entrance

User authentication and management:

⚫ Authentication Policy -> Open Authentication -> Obtain during Self Registration

⚫ Authentication Policy -> Password Based Authentication -> Enable Self Registration

⚫ User Self-service -> User Registration

Configuration approach: The self-registration settings can be configured item by item while the authentication policy is configured, or defined in advance and then referenced directly in the authentication policy.

This document uses the second approach (defining the self-registration information in advance and referencing it directly in the authentication policy) for ease of description.

3.5.1.6.5 Account Registration

Scenarios:

⚫ Password authentication: The user profile needs to be entered to assist management.

⚫ Previously, the administrator created the accounts one by one. Now the user can register by himself as needed.

Which authentication methods support account registration:

⚫ Local password authentication and password authentication of an external authentication server (including WeChat ID/SMS quick login)

3.5.1.6.6 Configuration Method

3.5.1.6.6.1 Configure account self-registration

Add account registration.

Set registration contents.

Form Fields: Commonly include mobile number, email address, gender, birthday, etc. (comparable to the information a user must fill in when registering on a forum).

Add New Field: Define the field contents, the default value (can be left blank), and whether the new field is required.

Binding Required: Supports mobile number binding and email address binding. The bound number or address can also be used to recover the password.

Added To Group: The local user can be assigned to a specific group.

Approval Options: The administrator can determine whether the contents entered in self-registration need to be approved.

Where approval is required, the approving administrator must have at least the approval list permission.

Advanced: You can set the account expiration. In addition, the account supports creating a user binding.

If administrator approval is required, notifying the user of the approval result is optional (an SMS notification server must be configured for the approval result to be delivered).

3.5.1.6.6.2 Configure authentication policy

Open Add authentication policy -> select password authentication and select the local user authentication server as the authentication server; check Enable self registration -> select the group authenticated to be online and click Commit.

3.5.1.6.6.3 Effect Rendering

Access the webpage and redirect to the authentication page. Since there is no
account, click Register at the lower right corner.

Type in information in accordance with requirements.

Approval not required: The user authenticates directly with the account and password after registration.

Approval required: The message "Your information is submitted. Please wait for the administrator to approve your request." is displayed.

After receiving the notifications, the administrator logs in to the device console
to see the account registration and audit information in the approval list:

Click Approved to complete user registration.

Click Reject to refuse a user registration.

If Notify approval result to users is configured, the registered user receives an approval result notification.

After the registration is approved, the user authenticates with the registered account and password (if quick login is configured, authentication can also be completed with the quick login method).

If the registration is rejected and the user tries to authenticate with the registered account and password, a prompt states that the username or password is incorrect.

3.5.1.6.3 Endpoint Registration

3.5.1.6.3.1 Scenarios

Open Authentication: The user profile needs to be entered to assist management.

Which authentication methods support endpoint registration:

Open Authentication

Configuration Method:

Configure endpoint registration

Add endpoint registration:

Approval and advanced configuration methods are identical to account registration.

Quote authentication policy.

Access the webpage and pop up the registration information.

When approval is not required, the user can directly access the Internet after
typing in the information.

When approval is required, the user needs to wait for the approval result after
typing in the information.


It will display the user information after approval.

3.5.1.6.4 User Information Self-management

Scenarios

User Profile Change, etc.

How to Access

The page is as follows:

1. http://IAGIP/homepage/index.html?_FLAG=1.

2. Manually and directly access http://IAGIP (port 80).

3. Redirect to User Profile using the redirect-after-authentication function.

3.5.1.6.5 User Profile

Click Edit to edit the information.

For endpoint binding, only the following page can be viewed:

Advanced -> User Profile Change -> Allow user to change user profile

After the box is checked, the following page pops up:


3.5.1.6.6 Self Registration Approval

There are two approval methods for registration information submitted by the user, whether the registration is account registration or endpoint registration.

One is approval not required, which means the account takes effect after a successful registration. The other is approval required, which means the account takes effect only after it is approved by an administrator with the corresponding group permission.

Set account self-registration approval:

Set endpoint registration approval:


After logging in to the device, the administrator can view the registration
request submitted by the user in the approval list and select Approve or
Reject. When Approve is selected, the registration request takes effect
immediately; when Reject is selected, the registration request does not take
effect. The user needs to submit the registration request again.

When a self-registration request is rejected, the Approval Opinions box pops up, in which the reason for rejection can be noted. The reason is also recorded in the approval history. When the rejected user attempts to log in, the rejection and its reason are shown. The approval opinion may be left empty. In batch approval, the opinion is filled in once for all selected requests.

Check the Notify user of approval result checkbox of the self-registration policy in the Approval Options.

3.5.1.7 Public API Service

The public API service includes the public API and the open LDAP API; both are provided by the device itself.

3.5.1.7.1 Public API

When a third-party device needs to fetch data from the IAG, it does so through the API, which is a RESTful interface. Refer to the help document for how to use the interface.

In Access Management/User Management/Public API Service/Public API, check the Enable Public APIs checkbox.

Shared Secret: Used to verify connecting devices; the shared key must be identical on both parties.

Allow to use IP address on this interface: Configure which server addresses are allowed to access the API.

3.5.1.7.2 Open LDAP API

Root Domain: In the managed authentication scenario, local users for which LDAP service authentication is enabled appear on the branch IAG as domain users under this root domain.

Port: The port on which the LDAP service is exposed. The default is 389 and can be customized.

1. The LDAP API service is a public function that exposes LDAP services to the outside world. The external user information available through LDAP query includes user binding information, IP\MAC binding, user attributes, and the local organization structure, which can be used in managed authentication scenarios. Other information, such as the access control policy to which a user belongs, cannot be queried through the LDAP API.

2. The LDAP API supports IPv6 address interconnection.

3.5.1.8 Advanced

3.5.1.8.1 USB Key User

There are two types of USB Keys. One is the green USB Key, used to generate authentication-free users: a user can insert a green USB Key into a PC and enter the USB Key password to pass authentication on the IAG.

The other is the purple USB Key, used to generate privileged users. A user generated by using a purple USB Key has audit-free and control-free privileges: the online behaviors of this user are not audited, and no control policy is effective for the user. A purple USB Key is also authentication-free, and it is used in the same way as the green USB Key. You can identify USB Keys by color.

Example: Add a privileged USB Key user and demonstrate the login process.

1. On the USB Key User page, click Add. The Add USB Key User window shown in the following figure is displayed.

Click Download USB Key Driver, install the program, and insert a USB Key into the PC. Set the username and description.

In Type, select Permission Key.

Set the password that is needed when the user authenticates with the USB Key. In Permissions, select the privileges of the user; for example, select No Audit and No Control.

2. Click Commit. The user information starts writing into the USB Key.

3. Install the USB Key authentication client. The program is available at http://Gateway IPaddress/Dkeyauth.exe.

You can also download the USB Key client on the authentication page.

4. After installing the USB Key client, turn on the PC. In the dialog box that is
displayed, enter the password and select Save Password. Then you can
insert a USB Key without entering the password for future login.


5. Click Login. An authentication success message will pop out in the lower
right corner if the entered password is correct.

You logged into the IAG successfully.

1. USB Key authentication saves the authentication information in a USB Key, and the user then uses the USB Key to authenticate. USB Key authentication has the highest priority: when a USB Key is inserted into an intranet PC that has already been authenticated on the IAG in another mode, the PC accesses the Internet with the USB Key user's permissions. For common users, the Auth Method is set on the page displayed after you choose Authentication Policy; USB Key authentication users, however, are set directly on the page displayed after selecting Advanced > USB Key Users.

2. The following figure shows the two types of USB Keys.


3.5.1.8.2 Custom Attributes

When the embedded user attributes on the IAG cannot meet the requirements, you can set extended user attributes, namely custom attributes. For example, an ID card number attribute is required if you want to manage users by ID card number.

Click Add and add an attribute.

Name: Name of the attribute to be added.

Type: Text or SN.

If Text is selected, the attribute value is entered manually when editing the user, as shown in the following figure.


If SN is selected, define a set of sequence values. For example, set Name to Gender and the sequence values to Male and Female.

You can select an attribute value when editing the user.


The sequence values can be left blank, in which case other modules collect the attribute values automatically.

3.5.2 Authentication
Authentication is a prerequisite for users to access the network: only after a user is authenticated can user-based policies be applied.

The IAG supports a wide range of identity authentication methods and provides a complete authentication system to meet the day-to-day authentication needs of enterprises.

At present, authentication is divided into two categories; this chapter covers portal authentication, which supports multiple authentication methods and can be flexibly combined with third-party authentication servers.

3.5.2.2 Portal Authentication


Portal authentication, also known as Web authentication, authenticates users through a browser or client. It comprises four modules: authentication policy, authentication server, single sign-on, and custom webpage. Combining these modules flexibly supports a wide range of authentication methods.

3.5.2.2.1 Authentication Policy

Before accessing the Internet, every endpoint on the intranet must pass user authentication, so that the identity behind each online computer is known and the security risk to the intranet is reduced. An authentication policy determines the authentication method for endpoints identified by IP address, network segment, or MAC address. Authentication policies set the authentication range, the authentication method, and the post-authentication action for intranet users.

3.5.2.2.1.1 Authentication Policy Configuration

Before accessing the Internet, all users must pass identity authentication. An authentication policy specifies the Auth Method for computers in an IP address range, network segment, or set of MAC addresses, together with the policy for adding new users. Authentication policies are matched one by one from top to bottom, and their priority can be adjusted by moving them up or down, so different network segments can use different Auth Methods.

The Auth Methods supported by the device are listed as follows:

1. Open Auth.

2. Password based: including Local Password Based, authentication by an external authentication server, SMS Based Authentication, WeChat Based Authentication, and QR Code Based Authentication.

3. SSO.

4. Disabled (restricted from Internet access).

5. USB Key authentication.

USB Key-authenticated users are added directly under Access Mgt > User Management > Advanced > USB Key User; no separate authentication policy is needed for them. USB Key authentication has the highest priority, and a USB Key-authenticated user can forcibly log out a user that was authenticated on the same endpoint by another method. If an IP address or MAC address range is set to Disabled, however, USB Key users cannot authenticate from any of those IP or MAC addresses either.

Open Auth, Password-based, SSO, and Disabled are set in authentication policies. The Auth Method applied to a user is determined by matching the user's IP address or MAC address against the ranges specified in the policies.

The following describes these Auth Methods:

Open Auth

With Open Auth, the device identifies users by the source IP address and source MAC address of their packets and by the endpoint hostname. Users are not prompted for a username and password before accessing the Internet; the device is transparent to them. Because these identifiers can be changed on the endpoint, Open Auth identifies machines rather than people and is best reserved for ranges where that is acceptable, such as printers and other unattended devices.

Password-based

The Password-based procedure is as follows:

1. The browser is redirected to the authentication page.

2. On the authentication page, select an Auth Method.

In this example, four Auth Methods are displayed because the local authentication server, WeChat Based Authentication server, QR Code Based Authentication server, and SMS Based Authentication server are all selected in the authentication policy. Each selected authentication server appears as one Auth Method.


Password-based authentication falls into two types: Local Password Based and password authentication against an external server. The external server can be an LDAP server, a RADIUS server, or a POP3 server.

Before using Password-based authentication against an external server:

1. Choose Access Mgt > Authentication > Web Authentication > Auth Server and set the server information.

2. Choose Access Mgt > Authentication > Web Authentication > Authentication Policy > Auth Method, select Password-based, and select the external authentication server.

The Password-based procedure is as follows:

1. On the authentication page, select Password-based and enter the correct username and password. For example, enter the username test and the password password.


2. The system looks up the user test in the local user database. If the user exists and has a local password (Local user database is selected in the user's properties), the system checks whether the entered password matches the local password. If it matches, authentication succeeds; if not, authentication fails, and no external server is consulted.

3. If the user does not exist in the local user database (or has no local password) and an external authentication server is selected together with the local user database, the system checks the username and password against the external authentication server. If several external servers are selected, the check is performed on all of them: if any server returns success, the user is authenticated; if none does, authentication fails.

To sum up, the system performs local authentication first and then external
authentication.
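The lookup order just described, as an added example that is not part of this manual or of the IAG's own code: a Python model of the local-first, then external fan-out decision. The PBKDF2 local store, the stand-in LDAP/RADIUS callables, and the sample accounts (test, dave, bob, carol) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

# Constructed illustration of the Password-based decision order (local user
# database first, then every selected external server). The local store, the
# PBKDF2 hashing and the stand-in external servers are assumptions for this
# example; they are not the IAG's implementation.

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext is never kept."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class LocalUser:
    """A local account; password=None models a local user with no local password."""

    def __init__(self, username: str, password: Optional[str] = None):
        self.username = username
        self.salt, self.digest = hash_password(password) if password is not None else (None, None)

    @property
    def has_local_password(self) -> bool:
        return self.digest is not None


ExternalServer = Callable[[str, str], bool]  # (username, password) -> accepted?


class PasswordAuthenticator:
    def __init__(self, local_users: Dict[str, LocalUser], external: Dict[str, ExternalServer]):
        self.local_users = local_users
        self.external = external

    def authenticate(self, username: str, password: str, selected_servers: List[str]) -> Tuple[bool, str]:
        """selected_servers mirrors the Auth Server list of the matched policy,
        e.g. ["local", "ldap-corp", "radius-legacy"]. Returns (accepted, source)."""
        user = self.local_users.get(username)
        if "local" in selected_servers and user is not None and user.has_local_password:
            # The local verdict is final: a wrong local password is NOT retried externally.
            return check_password(password, user.salt, user.digest), "local"
        # Otherwise every selected external server is asked; one acceptance is enough,
        # so the weakest selected server decides for the accounts it knows about.
        accepted = [name for name in selected_servers
                    if name != "local" and self.external[name](username, password)]
        if accepted:
            return True, "external:" + ",".join(accepted)
        return False, "rejected"


# Constructed stand-ins for external servers. A real deployment would bind to
# LDAP, send a RADIUS Access-Request, or attempt a POP3 login instead.
LDAP_ACCOUNTS = {"bob": "Passw0rd!"}
RADIUS_ACCOUNTS = {"carol": "radius-secret"}
ldap_queries: List[str] = []  # records which usernames reached the LDAP stand-in


def ldap_corp(username: str, password: str) -> bool:
    ldap_queries.append(username)
    return LDAP_ACCOUNTS.get(username) == password


def radius_legacy(username: str, password: str) -> bool:
    return RADIUS_ACCOUNTS.get(username) == password


AUTH = PasswordAuthenticator(
    local_users={"test": LocalUser("test", "password"),  # local account with a local password
                 "dave": LocalUser("dave")},             # local account, external password only
    external={"ldap-corp": ldap_corp, "radius-legacy": radius_legacy},
)

if __name__ == "__main__":
    servers = ["local", "ldap-corp", "radius-legacy"]
    for user, pw in [("test", "password"), ("test", "wrong"), ("bob", "Passw0rd!"), ("dave", "x")]:
        print(user, AUTH.authenticate(user, pw, servers))
```

Two things the model makes visible: a wrong password for a user who has a local password is final and never reaches the external servers, and for everyone else a single accepting external server is enough, so the weakest server selected in the policy sets the bar for the accounts it knows.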

SMS Based Authentication: The SMS modem or gateway connected to the IAG sends an SMS message containing a verification code to the user, who accesses the Internet by entering that code.

Before performing SMS Based Authentication, perform the following steps:


1. Choose Access Mgt > Authentication > Web Authentication > Auth Server and set the SMS server information.

2. Choose System > General > Advanced Configuration > Notification Settings and create an SMS notification server.

3. Choose Access Mgt > Authentication > Web Authentication > Authentication Policy > Auth Method, select Password based, and select the SMS Based Authentication server.

The SMS Based Authentication procedure is as follows:

1. On the authentication page, select SMS Based Authentication, enter the mobile phone number, and click Send.

2. Enter the verification code received by SMS and click Log In. The username displayed on the IAG is the mobile phone number.

WeChat Based Authentication

Unauthenticated users can authenticate through either of the following processes:


⚫ Tap authentication process: A user connects to a Wi-Fi hotspot and the browser displays a Portal page. The user follows the WeChat official account to authenticate.

⚫ Scan authentication process: A user opens WeChat and scans the store's QR code. The authentication page is displayed automatically.

Before performing WeChat Based Authentication, perform the following steps:

1. Choose Access Mgt > Authentication > Web Authentication > Auth Server and set the WeChat server information.

2. Choose Access Mgt > Authentication > Web Authentication > Authentication Policy > Auth Method, select Password based, and select the WeChat Based Authentication server.

QR Code Authentication: This method comprises QR code-based approved login and QR code registered login.

QR Code Based Approved Login: When redirected to the authentication page, the guest selects the QR Code Auth Method and a QR code is displayed on the page. An already-authenticated user with approval permission (the approver) scans that QR code with a mobile phone, after which the guest is authenticated and can access the Internet.

QR code-based approved login covers the following three scenarios:

⚫ Guest fills in information, and approver scans QR code.

⚫ Guest logs in under the name of the approver who scans the QR code.


⚫ Approver scans QR code and fills in guest information.

Before QR code-based approved login can be used, configure the following two items:

1. Set the information related to QR code-based approved login under Access Mgt > Authentication > Web Authentication > Auth Server.

2. Under Access Mgt > Authentication > Web Authentication > Authentication Policy > Auth Method, select the corresponding QR code-based approved login server when choosing the authentication server.


The mobile phone user who scans the QR code must belong to the Approver group selected in the QR code-based approved login server; otherwise, the user has no approval permission.

QR Code Registered Login: This method suits guest authentication at online meetings. A mobile endpoint scans the QR code to authenticate, and a PC enters the QR code to authenticate.

Details of the authentication process are as below:

Before QR code registered login can be used, configure the following two items:

1. Set the information related to QR code registered login under Access Mgt > Authentication > Web Authentication > Auth Server.

2. Under Access Mgt > Authentication > Web Authentication > Authentication Policy > Auth Method, select Password Auth and select the corresponding QR code registered login server when choosing the authentication server.


Single Sign-On (SSO)

If the customer already has a third-party authentication server that authenticates intranet users, SSO lets the IAG treat a user authenticated by that server as authenticated on the IAG as well, and the user receives the corresponding Internet access permissions.

The same username and password are used for authentication on the IAG and on the third-party authentication server.

The supported SSO types are AD domain SSO, RADIUS SSO, proxy SSO, POP3 SSO, Web SSO, database SSO, and SSO with Sangfor devices and third-party systems such as the Ruijie SAM system, the H3C CAMS system, and the CITY HOT HTTP/HTTPS authentication system. Before performing SSO, perform the following steps:

1. Choose Access Mgt > Authentication > Web Authentication > Auth Server and set the information about the external authentication server on which SSO is enabled.

2. Choose Access Mgt > Authentication > Web Authentication > Single Sign-On and set the SSO information.

3. Choose Access Mgt > Authentication > Web Authentication > Authentication Policy > Auth Method and select Single Sign-On.

Disabled (always reject the requests)

If authentication is disabled, users within the IP address or MAC address range cannot be authenticated on the IAG and are therefore restricted from Internet access. This applies to SSO users and USB Key users as well.

3.5.2.2.1.2 Adding Authentication Policy

Choose Access Mgt > Authentication > Web Authentication > Authentication Policy.

Click Add and add an authentication policy, as shown in the following figure.


Select Device: Select all devices or only those required; this is the device range on which the authentication policy takes effect. The applicable range defines the endpoints and users that match the policy, specified as IP addresses, IP segments, MAC addresses, or VLAN IDs; users matching these ranges use the settings of this policy.

Check Enable to enable this authentication policy.

Name: Set the name of the authentication policy.

Description: Set the description information of the authentication policy.

Auth Range: Set the objects to which this authentication policy applies. The range is specified by IP address, MAC address, VLAN ID, or key value, and a description can be added in <>.


Key value: This matching condition is normally used when the IAG is integrated with a portal controller. For example, during portal integration the wireless controller can pass the SSID as a parameter; specifying "SSID=ztest-wifi" as an authentication range condition then matches, in one policy, all wireless users whose portal parameters carry SSID=ztest-wifi.

A KEY=VALUE condition is a peer of the IP, MAC, and VLAN conditions and has no priority relationship with them.

Users matching the IP addresses, IP ranges, MAC addresses, or VLAN IDs set in Applicable Range are authenticated with the authentication method of this policy.

Auth Method: Specifies the Auth Method for users in the authentication range. The configuration items of each Auth Method are described below.

Configuration items of Open Auth:

Select Open Auth in Auth Method. When a user accesses the Internet, the device identifies the user by the source IP address and source MAC address of the packets and by the computer name of the endpoint. No authentication dialog box is displayed; the device is transparent to the user.

In Username, select the username to be used after authentication: the IP address, the MAC address, or the hostname.


Configuration items of Password-based:

Select Password based in Auth Method. When a user opens a webpage, the user is redirected to an authentication page and must be authenticated before accessing the Internet.

There are five types of Password-based authentication: Local Password Based, password authentication against an external server, SMS Based Authentication, WeChat Based Authentication, and QR Code Based Authentication. Selecting only Local user database in Auth Server means Local Password Based. To select another authentication server, first define it under Access Mgt > Authentication > Web Authentication > Auth Server.

To use Local Password Based, choose Access Mgt > User Management > Local Users and add a user.

In Authentication Policy, define the authentication page displayed when a user attempts to access the Internet. Authentication pages are managed and customized under Access Mgt > Authentication > Web Authentication > Custom Webpage.


In Login Redirection, specify the page to which the user is taken after password authentication. The configuration page is shown in the following figure.

If the previously visited webpage is selected, the user is returned to the webpage requested before authentication.

If Specified URL is selected, the user is taken to the configured URL after authentication.

If Login successful webpage is selected, the user is taken to the authentication success page, as shown in the following figure. The login username and the authentication result are displayed.

Click Logout to log out this user.


Click Traffic Statistics to view the traffic statistics of users.

If both Login successful webpage and Log Out user if the page is closed are selected, the user is logged out when the authentication success page is closed.

User Profile: If this option is selected, the user is taken to the User Profile page after successful authentication, where personal basics can be viewed.

Configuration items of SSO:

Select Single Sign-On (SSO) in Auth Method. If the customer has a third-party authentication server for intranet users, the device's intranet users can be authenticated by that server through SSO and receive the corresponding Internet access permissions.


The SSO process is transparent to intranet users.

Before performing SSO, perform the following steps:

1. Choose Access Mgt > Authentication > Web Authentication > Auth Server and set the information about the external authentication server on which SSO is enabled. This step is not required for some SSO modes. For details, see section 4.1.

2. Choose Access Mgt > Authentication > Web Authentication > Single Sign-On and set the SSO information.

Users that fail SSO can be handled in any of the following ways:

⚫ Open authentication: If SSO fails, users need not authenticate and access the Internet identified by IP address, MAC address, or computer name.

⚫ Password based: If SSO fails, an authentication page is displayed and only authenticated users can access the Internet.

⚫ Go To: If SSO fails, users are sent to the specified page.

Predefined webpage can be selected when SSO is integrated with Active Directory. The page prompts users to use SSO and provides an authentication tool; users can run this tool manually to authenticate through Active Directory SSO.


If Predefined webpage is selected, the predefined webpage is displayed when a user attempts to open a webpage after SSO fails.

Jump to CAS server: After SSO fails, the user is sent to a third-party authentication system and enters a username and password there to complete authentication.

Configuration items of Disabled:

Select Disabled (always reject requests) in Auth Method. Users in the specified scope cannot be authenticated on the IAG and are restricted from accessing the Internet through the IAG.

On the Action page, specify the follow-up operations to be performed after authentication.

In Add Non-Local/Domain Users To Group, specify the group whose permissions are used for Internet access by non-local users and non-Active Directory users after authentication. The Internet Access Policy of this group is also applied to these users.

Add user account to local user database specifies whether non-local users and non-AD domain users are automatically added to the local organization structure on the IAG after authentication. If it is selected, authenticated users are added to the group specified by Add Non-Local/Domain Users To Group.


You can also specify whether authenticated users are added to the
local organization structure as public users or private users.

Automatic binding specifies whether to automatically record the binding between the username and the IP/MAC address of authenticated users, including local users, domain users, and new users.

If Automatic binding is selected, the IP address of each user is recorded at login. When the user accesses the Internet through the IAG again within the Open Auth validity period, no authentication is required if the IP address matches the recorded one. If Bind IP to MAC Address is also selected, the MAC address is recorded at login as well, and no authentication is required within the validity period if the MAC address matches the recorded one. Because a binding lets the address stand in for the user for the whole validity period, treat it with the same care as Open Auth.

Click Advanced.


Use this permission before authentication: Apply the Internet access permissions of a chosen group to users before they authenticate.

Forcibly authenticate all HTTP accesses: If this option is selected, every HTTP access triggers authentication before the user can proceed. If it is not selected, only HTTP accesses rejected by the group policy trigger authentication.

Enable user whitelist/blacklist: Restricts which users may log in through this authentication policy; certain users can be allowed to log in and others blocked.

Show Terms of Use: Users matched by an Open Auth policy access the Internet without authenticating. Select this option to show such users a reminder page before they access the Internet.

Terms of Use with Slideshow: Available in the advanced options when the Auth Method is SSO or Open Auth. If selected, SSO users and authentication-free users are redirected to the disclaimer page when they open a webpage.

Not allow free authentication in authentication scope of this policy: When enabled, users within the scope of this policy cannot use the authentication-free function.


After setting the authentication policy, click Commit to save the settings.

3.5.2.2.1.3 Deleting Authentication Policy

The following example deletes a new user authentication policy named test.

1. Select test.

2. Click Delete and confirm your operation in the displayed dialog box. The
policy is deleted successfully.


3.5.2.2.1.4 Editing Authentication Policy in Batches

You can edit all attributes of authentication policies except the name
and authentication scope in batches.

Example: Change the Auth Method of test1 and test2 to Open Auth, take
hostname as the username, incorporate new users to the local organization
structure and add them to the engineer group. The procedure is as follows:

1. Select test1 and test2.

2. Click Edit. The page for editing authentication policies in batches is displayed. In Auth, select Open Auth.


In Username, select Take hostname as username.

In Action, select Engineer Group from Add Non-Local/Domain Users to Group.

Select Add user account to local user database. Then new users are
automatically added to the engineer group, with the computer name as
the username.


3. Click Commit.

During Edit, if only the Auth Method is edited, the follow-up processing policies remain
unchanged after batch editing. Likewise, if only Action information is edited, the Auth
Method remains unchanged.


3.5.2.2.1.5 Adjusting Priorities of Authentication Policy

Authentication policies are displayed in descending order of priority; a smaller priority value indicates a higher priority. Policies are matched from the top down: the first policy whose IP address, MAC address, VLAN ID, or endpoint scope matches the endpoint determines the Auth Method that takes effect. Order therefore matters whenever ranges overlap; a broad Open Auth range placed above a narrower Disabled range would silently override it.

Select an authentication policy for which the priority is to be adjusted.

Click Move Up or Move Down. Or click Move To and set the priority of the
policy.
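Policy matching as described in this chapter, as an added example that is not part of this manual or of the IAG's own code: a Python model of top-down, first-match policy selection together with the USB Key and Disabled precedence rules from section 3.5.2.2.1.1, and a Move To equivalent that shows why order matters. The range syntax it accepts, the field names, the result for an endpoint that matches no policy, and the sample policies are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed illustration of top-down authentication policy matching. The range
# syntax accepted here (single address, CIDR block, "start-end" range), the field
# names and the sample policies are assumptions for the example, not the IAG's
# own parser or data model.


@dataclass
class Endpoint:
    ip: str
    mac: str = ""
    vlan: Optional[int] = None
    hostname: str = ""
    attrs: Dict[str, str] = field(default_factory=dict)  # KEY=VALUE pairs, e.g. SSID from a portal controller


@dataclass
class AuthPolicy:
    name: str
    auth_method: str                      # "open", "password", "sso" or "disabled"
    ip_ranges: List[str] = field(default_factory=list)
    macs: Set[str] = field(default_factory=set)
    vlans: Set[int] = field(default_factory=set)
    key_values: Dict[str, str] = field(default_factory=dict)
    username_source: str = "ip"           # Open Auth only: "ip", "mac" or "hostname"
    enabled: bool = True


def ip_in_range(ip: str, spec: str) -> bool:
    """Match a single address, a CIDR block, or a 'start-end' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def policy_matches(p: AuthPolicy, ep: Endpoint) -> bool:
    """IP, MAC, VLAN and KEY=VALUE conditions are peers: any one matching is enough."""
    return (any(ip_in_range(ep.ip, r) for r in p.ip_ranges)
            or ep.mac.lower() in {m.lower() for m in p.macs}
            or (ep.vlan is not None and ep.vlan in p.vlans)
            or any(ep.attrs.get(k) == v for k, v in p.key_values.items()))


def first_matching_policy(policies: List[AuthPolicy], ep: Endpoint) -> Optional[AuthPolicy]:
    for p in policies:                    # list order is priority order: first match wins
        if p.enabled and policy_matches(p, ep):
            return p
    return None


def decide(policies: List[AuthPolicy], ep: Endpoint,
           usb_key_user: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (auth_method, username or None) for an endpoint."""
    p = first_matching_policy(policies, ep)
    if p is not None and p.auth_method == "disabled":
        return "disabled", None           # a Disabled range blocks USB Key users too
    if usb_key_user:
        return "usbkey", usb_key_user     # otherwise the USB Key outranks the policy's method
    if p is None:
        return "unmatched", None          # behaviour for unmatched endpoints is not defined here
    if p.auth_method == "open":
        username = {"ip": ep.ip, "mac": ep.mac, "hostname": ep.hostname}[p.username_source]
        return "open", username
    return p.auth_method, None


def move_to(policies: List[AuthPolicy], name: str, position: int) -> None:
    """Equivalent of Move To: give a policy a new priority position (0 = highest)."""
    p = next(x for x in policies if x.name == name)
    policies.remove(p)
    policies.insert(position, p)


# Constructed sample policy list, in priority order.
POLICIES = [
    AuthPolicy("lab-blocked", "disabled", ip_ranges=["10.9.0.0/24"]),
    AuthPolicy("wifi-guests", "password", key_values={"SSID": "ztest-wifi"}),
    AuthPolicy("office", "sso", ip_ranges=["10.1.0.0/16", "10.2.0.1-10.2.0.100"], vlans={100}),
    AuthPolicy("printers", "open", macs={"00:11:22:33:44:55"}, username_source="hostname"),
]

if __name__ == "__main__":
    print(decide(POLICIES, Endpoint("10.1.5.5")))                          # ('sso', None)
    print(decide(POLICIES, Endpoint("10.9.0.7"), usb_key_user="alice"))    # ('disabled', None)
    print(decide(POLICIES, Endpoint("10.3.0.4", mac="00:11:22:33:44:55", hostname="PRN-01")))
```

The sample list puts the Disabled range first on purpose: a printer that appears inside the blocked lab segment is rejected, and it only becomes authentication-free if the printers policy is moved above lab-blocked, which is exactly the reordering effect the Move Up, Move Down and Move To buttons have.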

3.5.2.2.1.6 Importing Authentication Policy

If there are many authentication policies, you can import them from a .csv file. As shown in the following figure, click Example File and edit the authentication policies in the format of the example file.

Example file: Edit the policy file to be imported based on the example file, then click Import and select the policy file.

3.5.2.2.2 External Auth Server

Auth Server is where the information of third-party authentication servers is set. The device supports defining 12 kinds of third-party authentication server: SMS based authentication, WeChat based authentication, QR code-based approved login, QR code registered login, LDAP server, RADIUS server, POP3 server, OA account-based authentication, social media account, database server, H3C CAMS server, and third-party auth system.

As shown in the following figure, add the corresponding authentication server for each Auth Method to be used on the IAG.

To set the LDAP sync interval (1 to 24 hours), click LDAP Options, as shown below:


To synchronize data with all LDAP servers, click Sync with all LDAP servers.

3.5.2.2.2.1 SMS Based Authentication

When a LAN user uses this authentication method, a verification message is sent to the user through the SMS modem, SMS gateway, or SMS platform connected to the IAG, and the user authenticates for Internet access with the verification code from that message. To enable SMS-based authentication, add an SMS server on the External Auth Server page and configure its parameters correctly.

Click New and select SMS Based Authentication:

Name: Set the name of the SMS server.

SMS Gateway: Select available SMS platforms.

Message Content: The content of the verification message to be sent. The verification code is valid for 10 minutes.


Click Restore initial contents to restore the custom SMS content to the default value.

Authenticated user automatically binds MAC and is free of authentication: If this option is selected, after a user logs in successfully on an endpoint through SMS-based authentication, the device records the login and automatically binds the user to the endpoint's MAC address. The user then passes authentication automatically when accessing the Internet from the same endpoint.

Validity Period: How long the binding exempts the user from logging in again.

Connect to Wi-Fi via SMS and WeChat: Enables WeChat-based authentication after SMS based authentication. After the endpoint joins the network, the user opens a webpage and completes SMS based authentication; on success, the Connect to Wi-Fi via WeChat page is displayed, and the user taps it to open the WeChat client and then taps Connect Now to complete the WeChat-based authentication.
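The SMS verification-code flow described in this section and in the procedure under Authentication Policy, as an added example that is not part of this manual or of the IAG's own code: a Python service that issues a code, delivers it through an injected SMS transport, and verifies it with the 10-minute validity the manual specifies. The attempt limit, hashed storage, single-use handling, message template, and the sample phone number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed illustration of the SMS verification-code flow. Only the 10-minute
# validity comes from the manual; the attempt limit, hashing, single-use handling
# and injectable transport/clock are assumptions made for this example and are
# not the IAG's implementation.

CODE_TTL_SECONDS = 10 * 60   # the manual: a verification code is valid for 10 minutes
MAX_ATTEMPTS = 5             # assumption: bound online guessing of a 6-digit code


def random_code() -> str:
    return f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, leading zeros kept


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class SmsAuthService:
    """Issues codes through an injected SMS transport and verifies them.
    The clock and code generator are injectable so the flow runs offline."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time,
                 gen_code: Callable[[], str] = random_code,
                 template: str = "Your verification code is {code}. It expires in 10 minutes."):
        self.send_sms = send_sms
        self.clock = clock
        self.gen_code = gen_code
        self.template = template
        self.pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _hash(phone: str, code: str) -> bytes:
        # Bind the code to the phone number; the plaintext code is never stored.
        return hashlib.sha256(f"{phone}:{code}".encode()).digest()

    def issue(self, phone: str) -> None:
        """The 'Send' step: generate a code, remember its hash, deliver it by SMS."""
        code = self.gen_code()
        self.pending[phone] = PendingCode(self._hash(phone, code), self.clock() + CODE_TTL_SECONDS)
        self.send_sms(phone, self.template.format(code=code))

    def verify(self, phone: str, code: str) -> Optional[str]:
        """The 'Log In' step: return the username (the phone number) on success, else None."""
        entry = self.pending.get(phone)
        if entry is None:
            return None
        if self.clock() > entry.expires_at:
            del self.pending[phone]           # expired: the user must request a new code
            return None
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[phone]           # too many guesses: invalidate this code
            return None
        if not hmac.compare_digest(self._hash(phone, code), entry.code_hash):
            return None
        del self.pending[phone]               # single use
        return phone                          # the IAG shows the phone number as the username


if __name__ == "__main__":
    outbox = []
    svc = SmsAuthService(send_sms=lambda phone, text: outbox.append((phone, text)),
                         gen_code=lambda: "482913")   # fixed code for the demo only
    svc.issue("13800000000")
    print("sent:", outbox[-1])
    print("login:", svc.verify("13800000000", "482913"))   # 13800000000
```

Three failure modes the paragraph leaves implicit are handled explicitly: a code is bound to the phone that requested it, it stops working after the validity period or after too many wrong guesses, and it cannot be replayed once it has logged the user in.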

3.5.2.2.2.2 WeChat Based Authentication

Before performing WeChat Based Authentication, add a WeChat server on the External Auth Server page and set its parameters correctly.

Click Add and choose WeChat Based Authentication.


A link for downloading the WeChat Based Authentication deployment guide and example code is provided.

Name: Name of the WeChat server.

Company Abbreviation: A character string that uniquely identifies a customer. It is used to check that the WeChat official account followed by users is the correct one. The SALT field in the config.php file on the third-party server must be set to the same character string.

Follow us on WeChat: After a user follows the WeChat official account, the user taps Start Access or sends the letter W to authenticate.


This Internet access scheme has two scenarios:

Scenario 1: Code needs to be deployed on a server (service accounts and subscription accounts supported).

In this case, development mode must be enabled on the WeChat official account platform, and code must be deployed on a local or leased server to respond to the various events. For the deployment description and the code, see the example code.

Scenario 2: No code needs to be deployed (service accounts and subscription accounts supported).

When interworking with a third-party WeChat platform such as Weimob or Weigou, set the related parameters as shown in the following figure.

If a third-party platform is used, no Sangfor code needs to be deployed. The user ID is extracted from the URL or cookie and is not checked further: WeChat service providers such as Weimob and Weigou cannot modify the service code but can expose user IDs in the URL or cookie. See the developer documentation for the configuration method; a download link for the document is provided.

Enable Connect to Wi-Fi via WeChat: This scheme is implemented with the following two authentication methods:

1. Connect the endpoint to the SSID, select Connect to Wi-Fi via WeChat in the browser, tap to open the WeChat client on the endpoint, and tap Connect Now.

2. Connect the endpoint to the Wi-Fi and scan the QR code downloaded from the WeChat official account. A prompt to enable Connect to Wi-Fi via WeChat with a single tap is displayed; follow the WeChat official account on the endpoint to complete authentication.

bssid: The MAC address of any AP on the LAN, or leave the default value.

ssid: The SSID of the wireless network.

shopid: The ID of the shop where the user registered.

appid: The unique credential of the third-party user. After adding the device on the WeChat official account platform, view the device information to obtain the appid.

secretkey: The unique credential of the third-party user. After adding the device on the WeChat official account platform, view the device information to obtain the appsecret.


All users are online by default. Set Force users to follow our official account if following the official account is compulsory.

Force users to follow our official account: Forces users to follow the official account when accessing the Internet. After this function is enabled, a user who has not followed the official account is logged off automatically after one minute.

This function is available only if the official account has passed WeChat verification.

appid: The unique credential of the third-party user. After adding the device on the WeChat official account platform, view the device information to obtain the appid.

appsecret: The unique credential of the third-party user. After adding the device on the WeChat official account platform, view the device information to obtain the appsecret.


Select Acquire mobile phone number of connecting WeChat users and enter the decryption key of the WeChat official account platform. Click How to Apply for the steps to apply to Tencent for the decryption key, with Sangfor's assistance.

User passing WeChat based authentication is free of authentication within validity period: If this option is selected, after a user logs in successfully on an endpoint through WeChat-based authentication, the device records the login and automatically passes the user when accessing the Internet from the same endpoint.

Validity Period: How long the user is exempt from logging in again, from 1 to 100 days.

Permission Before Being Authenticated: Allow WeChat basic interactions,
not Moments (default) or Allow WeChat basic interactions and Moments
can be selected, and the configuration is as shown below:

Click Commit to complete the settings of WeChat based authentication server.

3.5.2.2.2.3 QR Code Based Approved Login

QR Code Based Approved Login: In the external guest scenario, guests can
access the Internet normally after an internal employee's approval. This gives
external guests a good experience while keeping them effectively managed by
the internal employees. The QR code based approved login method is
recommended for this scenario: an internal employee scans the QR code of each
guest.

The QR code based approved login includes three scenarios as described
below:

⚫ Guest fills in information, and approver scans QR code. Guest information
is collected, and the guest is approved for Internet access after the approver
scans the QR code and the approver's information is confirmed to be genuine.

⚫ Guest logs in in the name of the approver who scans the QR code. If there
is no need to collect guest information, select this method to give the guest
the approver's permission.

⚫ Approver scans QR code and fills in guest information. Select this method
if the guest should not need to do anything further: the internal employee is
responsible for filling in the information, and the approver's specific
information can be viewed for the online user.

Name: Set the name of QR code based approved login server.

Approver: The internal employee group with the approval permission.

Auth Scheme: Three authentication schemes are supported for selection as
required.

3.5.2.2.2.4 QR Code Registered Login

QR Code Registered Login: For an online conference or small-scale private
Internet access, users are expected to access the Internet in a conference room
or a similarly small area without the Internet access method having to be told
to other people. The QR code registered login method is therefore
recommended to satisfy this requirement.

⚫ Support real-name authentication scenario.

⚫ Support non-real-name authentication scenario.

The implementation process is as below:

1. The user side provides the QR code ID (manually filling in/scanning for
identification).

2. The IAG device searches the server via the QR code ID, then reads the
server's settings, and returns the information item for filling in by the user.

3. Fill in the information item on the user side, and commit to login.

The configuration page of the QR code registered login server is as shown
below:

Name: Set the name of the QR code registered login server.

Online User Group: the group that users are placed in when they go online
after QR code registered login.

QR Code Settings: Configure the QR code to be posted in the conference room.

QR Code Name: Give the QR code for the conference room a name.

QR Code ID: Set an ID that can be typed in on a PC.

Max Online Users: The number of users in one conference room is limited,
and you can manage the crowd effectively by limiting the joining users.

Validity Period: You can define the validity period of the QR code as No
expiration or Specified expiration time.

Enable real name authentication by mobile phone number: If there is a
real-name registration system requirement on the QR code, real name
authentication can be performed by combining the mobile phone number.

Choose System -> System Config -> Advanced -> Notification to enable the real
name authentication function by mobile phone number.

Guest Information Settings: Define information items to be filled in by participants.

3.5.2.2.2.5 LDAP Server

Before performing LDAP SSO or using the LDAP server for authentication, add
an LDAP server on the Auth Server page and set related parameters.

After adding the LDAP server, configure it on the following three tab pages:

Basics:

IP Address: IP address of the LDAP server.

Port: port to which the LDAP server is connected. For example, the
authentication port is 389 in the AD domain.

Timeout (sec): The timeout duration of an authentication request. After the
system forwards an authentication request to the LDAP server, authentication
fails if no response is returned within the specified timeout duration. If the
network conditions between the IAG and the LDAP server are poor, you can set
the timeout duration to a larger value, for example, 10s.

Search: This option can be selected when the LDAP server supports
anonymous search.

Administrator DN: user account used for query and synchronization from the
LDAP server. Specify the detailed user location and BaseDN.

Administrator Password: password of the account bound to the server.

Enable encryption: When the LDAP server has SSL/TLS encryption enabled, the
IAG connection also needs encryption enabled, and the authentication port
needs to be changed after encryption is turned on. When the AD domain uses
SSL encryption, the default port is 636.

Verify certificate: Verify the legitimacy of the server certificate. If the LDAP
server certificate needs to be verified, configure the domain name and make
sure the IAG can resolve it (fill in the IP address that the domain name
resolves to under System/Network/Advanced/Hosts).

BaseDN: start point of the domain search path. This start point
determines the applicable scope of the LDAP rule. If a user is outside
the specified BaseDN, the user cannot get authenticated on the
external server, and the configured policy is ineffective to this user.
Therefore, you can define the jurisdiction areas of different
administrators by using the BaseDN field.

The supported LDAP types are MS Active Directory, OPEN LDAP, SUN LDAP,
IBM LDAP, Lotus LDAP, Novell LDAP, and OTHER LDAP.

Sync Options:

User Attribute: an attribute field that uniquely identifies a user on the
LDAP server. For example, the sAMAccountName attribute uniquely
identifies a user in the AD domain, and the uid attribute uniquely
identifies a user on the Novell LDAP server.

Username: an attribute that uniquely identifies the displayed name of
a user on the LDAP server. For example, in the AD domain,
displayName uniquely identifies the displayed name of a user.

Description Attribute: an attribute that uniquely identifies the
description of a user on the LDAP server. For example, in the AD
domain, description uniquely identifies the description of a user.

User Filter: user filtering condition on the LDAP server for
determining whether a node is a user. For example, you can enter
"(|(objectClass=user)(objectClass=person))" in the AD domain to
determine whether a node is a user.

OU Filter: organization unit filtering condition on the LDAP server for
determining whether a node is an organization unit. For example, you can enter
"(|(objectClass=organizationalUnit)(objectClass=organization)(objectClass=domain)(objectClass=domainDNS)(objectClass=container))"
in the AD domain to determine whether a node is an organization unit.

Security Group Filter: (security) group filtering condition on the LDAP
server. The group refers to a security group in the AD domain and a
common group in a non-AD domain. You can determine whether a
node is a (security) group. For example, you can enter
"(objectClass=group)" in the AD domain to determine whether a node
is a security group.

Security Group Attribute: specifies which attribute identifies the
member list of a security group. This attribute is valid only when the
LDAP server is the AD domain. Enter member in common cases.

If Type is set to MS Active Directory, the preceding parameters are
already set, and it is recommended to use the default setting. If
another LDAP type is selected, adjust the parameters based on the
actual situation so that the IAG can read correct information from the
LDAP server.

Advanced:

Auto update of security groups: If this option is selected, the IAG
requests the LDAP server to synchronize the required contents in real time.
This increases the load on the LDAP server. This option is valid only in the
AD domain.

Security Group and User Association: The default value is recommended.

Method: The association method can be set to User based (recommended) or
Group based. On the LDAP server, if an attribute of a user stores the group
to which the user belongs, Group based can be selected to improve the
matching performance and reduce the load on the LDAP server. If only groups
store information about their member users, User based (recommended) must
be selected.

Attribute: If Group based is selected, this field must be set to the
parent group attribute saved by the group or user on the LDAP server.
For example, the memberOf attribute in the AD domain identifies the
parent group of a node. Therefore, the memberOf attribute is used to
search the parent group. If User based is selected, this field must be
set to the member user attribute saved by the group on the LDAP
server. For example, the member attribute in the AD domain identifies
the member users of a group. Therefore, the member attribute is used to
search the member users of a group.

Allow security group nesting: specifies whether a (security) group is
valid for member users of this group only, or for member users and child
groups. If this option is selected, the configured (security) group is valid
for both member users and child groups. If it is not selected, the
configured (security) group is valid only for member users of this
group.

Attribute: This field is valid only when Allow security group nesting
is selected. This field specifies the attribute that identifies a group to
be searched in recursive mode. If Group based is selected, this field
must be set to the same value as Attribute. If User based is selected,
this field must be set to the child group attribute saved by the group
on the LDAP server. For example, the member attribute in the AD
domain identifies the child groups of a group. Therefore, the member
attribute is used to search the child groups of a group.
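
The filters and association attributes above, applied to a small constructed directory snapshot, as an added example that is not Sangfor's code: it classifies nodes with the User/OU/Security Group filters, then resolves membership the User based way (following member, optionally nested) and the Group based way (reading memberOf). All DNs and entries are constructed sample data.

```python
"""Added example (not Sangfor's code): evaluate the manual's LDAP filters and
resolve group membership the way the IAG sync options describe."""

D = "OU=Staff,DC=example,DC=com"  # constructed sample base; attribute names lowercased
DIRECTORY = {
    "DC=example,DC=com": {"objectclass": ["domainDNS"]},
    D: {"objectclass": ["organizationalUnit"]},
    f"CN=alice,{D}": {"objectclass": ["user", "person"], "memberof": [f"CN=Dev,{D}"]},
    f"CN=bob,{D}": {"objectclass": ["user", "person"], "memberof": [f"CN=Ops,{D}"]},
    f"CN=Dev,{D}": {"objectclass": ["group"], "member": [f"CN=alice,{D}"]},
    f"CN=Ops,{D}": {"objectclass": ["group"], "member": [f"CN=bob,{D}"]},
    f"CN=Eng,{D}": {"objectclass": ["group"], "member": [f"CN=Dev,{D}", f"CN=Ops,{D}"]},
    f"CN=printer1,{D}": {"objectclass": ["printQueue"]},  # matches no filter
}

# The AD default filter strings quoted in the manual.
USER_FILTER = "(|(objectClass=user)(objectClass=person))"
OU_FILTER = ("(|(objectClass=organizationalUnit)(objectClass=organization)"
             "(objectClass=domain)(objectClass=domainDNS)(objectClass=container))")
GROUP_FILTER = "(objectClass=group)"


def parse_filter(text):
    """Parse the RFC 4515 subset used above: (&..), (|..), (!..), (attr=value)."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i] if i < len(text) else ""
        if op in ("&", "|", "!"):
            i += 1
            children = []
            while i < len(text) and text[i] != ")":
                child, i = parse(i)
                children.append(child)
            if i >= len(text):
                raise ValueError("unterminated filter")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter")
        attr, eq, value = text[i:end].partition("=")
        if not attr or not eq:
            raise ValueError(f"bad comparison {text[i:end]!r}")
        return ("=", (attr.lower(), value.lower())), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (names and values case-insensitive)."""
    op, arg = node
    if op == "=":
        attr, value = arg
        return value in (v.lower() for v in entry.get(attr, []))
    if op == "&":
        return all(matches(child, entry) for child in arg)
    if op == "|":
        return any(matches(child, entry) for child in arg)
    return not matches(arg[0], entry)


def classify(directory, user_filter=USER_FILTER, ou_filter=OU_FILTER,
             group_filter=GROUP_FILTER):
    """Tag every node as 'user', 'ou', 'group' or 'ignored'; the first filter wins."""
    checks = [("user", parse_filter(user_filter)), ("ou", parse_filter(ou_filter)),
              ("group", parse_filter(group_filter))]
    return {dn: next((kind for kind, f in checks if matches(f, entry)), "ignored")
            for dn, entry in directory.items()}


def group_members(directory, group_dn, nested=True, member_attr="member",
                  group_filter=GROUP_FILTER):
    """User based association: follow the group's member attribute. With nesting,
    members that are themselves groups are expanded; without it they are skipped."""
    is_group = parse_filter(group_filter)
    seen, users = set(), set()

    def walk(dn):
        if dn in seen:  # guards against membership cycles
            return
        seen.add(dn)
        for member in directory.get(dn, {}).get(member_attr, []):
            if member in directory and matches(is_group, directory[member]):
                if nested:
                    walk(member)
            else:
                users.add(member)

    walk(group_dn)
    return users


def user_groups(directory, user_dn, parent_attr="memberof"):
    """Group based association: read the parent group(s) stored on the user itself."""
    return set(directory.get(user_dn, {}).get(parent_attr, []))
```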

Paged Search: An extended API is used for search on the LDAP server. The
default setting is recommended.

Page Size: The value 0 indicates that the page size is not limited. The default
setting is recommended.

Max Size: The default setting is recommended.

The global catalog needs to be enabled for all sub-domains on the parent domain. When
adding an LDAP server, the settings are the same as above. Set Authentication Port to
3268 and IP Address to the IP address of the parent domain. See the following figure.

LDAP Server Sync Configuration:

Click LDAP Sync Options to configure the time interval of LDAP synchronization,
in the range of 1-24 hours.

Click Synchronize All LDAPs Now to manually synchronize all LDAPs.

3.5.2.2.2.6 RADIUS Server

Before using the Radius server for authentication, add a Radius server on the
Auth Server page and set related parameters.

Server Name: Name of the Radius server to be added.

IP Address: IP address of the Radius server.

Port: Authentication port of the Radius server, which is 1812 by default.

Timeout (sec): Timeout duration of authentication requests.

Shared Secret: Key for Radius negotiation.

Protocol: Set the Radius negotiation protocol: PAP (unencrypted), CHAP
(challenge handshake authentication protocol), Microsoft CHAP, Microsoft
CHAP2, or EAP_MD5.

Encoding: Support selecting UTF-8 or GBK encoding format.
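
How the Shared Secret above is used on the wire for the PAP protocol, as an added example following RFC 2865 and not Sangfor's code: the User-Password attribute is hidden with MD5(secret + authenticator) chaining, and the server's reply carries a Response Authenticator that the client verifies. The username, secret and authenticator values are constructed samples.

```python
"""Added example (not Sangfor's code): RADIUS Access-Request with a PAP
User-Password, and verification of the server reply, per RFC 2865."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Access-Request as the IAG would send it to the server's port 1812."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    """Split a RADIUS packet into header fields, authenticator and attribute list."""
    code, identifier, length = HEADER.unpack(data[:4])
    if length != len(data) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": data[4:20], "attrs": attrs}


def build_reply(code, identifier, attrs, request_authenticator, secret):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply, request_authenticator, secret):
    """Client-side check: reject replies not built with the same shared secret."""
    if len(reply) < 20 or HEADER.unpack(reply[:4])[2] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```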

3.5.2.2.2.7 POP3 Server

Before performing POP3 SSO, add a POP3 server on the Auth Server
page and set related parameters.

Server Name: Name of the POP3 server to be added.

POP3 Server: Set the server IP address, authentication port, and timeout
duration.

3.5.2.2.2.8 OA Account Based Authentication

With the development of the Internet, users require a wider range of
authentication scenarios. IAG also supports mainstream applications such as
DingTalk, Enterprise WeChat, Pocket Assistant, Facebook, Twitter, Line, and
Gmail; authentication is implemented through the OAuth interface.

Implementation process:

The OAuth protocol provides a secure, open, and simple standard for authorizing
access to user resources. OAuth does not give the third party access to the
user's account information (such as username and password), i.e., a third party
can apply for authorization to user resources without accessing the user's
username and password.

A standard OAuth process is as follows:

(A) After the user opens the client, the client requires the user to grant
authentication.

(B) The user agrees to grant the authentication.

(C) The client uses the authentication obtained in the last step to apply for an
access token from the authentication server.

(D) After authenticating the client, the authentication server agrees to
distribute the access token after confirmation.

(E) The client uses the access token to apply for resources from the resource
server.

(F) After confirming that the access token is correct, the resource server agrees
to open the resources to the client.

Nowadays, WeChat, DingTalk, and Pocket Assistant are widely used in
enterprises. Customers already have a complete organizational structure and
authentication system in Enterprise WeChat and wish IAG to authenticate
Internet access using Enterprise WeChat. IAG provides a method to integrate
with Enterprise WeChat to complete the authentication. During Internet access,
a QR code pops up, and mobile WeChat scans the QR code to authorize and so
complete the authentication. On a mobile phone, an authorization page pops
up, and then WeChat is directly pulled up to perform authorization
authentication.

Application of OAuth 2.0 authorization method: IAG's predefined OA account
authentication supports three authorization methods: Enterprise WeChat,
DingTalk, and Pocket Assistant.

3.5.2.2.2.8.1 WeChat Work

Developer Platform Configuration:

Log in to the Admin site of Enterprise WeChat:
https://work.weixin.qq.com/wework_admin/frame#profile

Note: all screenshots in this chapter are in Chinese because of the developer
platform.

Select My Enterprise to obtain the enterprise ID and fill it in the app id
column of the IAG device authentication server.

Select Apps and Applets, click Create App in Create and fill Access the
Internet in the application name.

Click to enter Access the Internet.

A. Obtain agentid and secret, and fill them into enterprise id and appsecret
respectively.

B. Click to enter Webpage Authorization and JS-SDK, and fill in
oauthservice.net.

C. Enable Authorized Login of Enterprise WeChat and fill in an authorized
callback domain name, i.e. oauthservice.net.

D. Enable Workbench App Homepage and fill in
https://open.weixin.qq.com/connect/oauth2/authorize?appid=ww9c6d66e15efc420c&redirect_uri=https%3A%2F%2Ffanyv88.com%3A443%2Fhttp%2Foauthservice.net%2Fac_portal%2Foauth_callback.html&response_type=code&scope=snsapi_base&state=qywechat-#wechat_redirect,
in which appid is replaced with the appid obtained in step 2.

Check Always Enter Homepage in WeChat Workbench.
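
The authorize URL from step D and the callback it sends back to /ac_portal/oauth_callback.html, as an added example that is neither Sangfor's nor Tencent's code: it builds the URL with the same parameters and percent-encoding as the template, applies the registered-callback-domain check from step C, and binds each callback to a state nonce the portal issued so a forged or replayed callback is rejected. The appid and callback domain are the ones shown above; the state values and callback URLs are constructed.

```python
"""Added example (not Sangfor's or Tencent's code): Enterprise WeChat authorize
URL construction and defensive validation of the OAuth callback."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://open.weixin.qq.com/connect/oauth2/authorize"
CALLBACK_URI = "http://oauthservice.net/ac_portal/oauth_callback.html"
REGISTERED_DOMAIN = "oauthservice.net"  # the authorized callback domain from step C


def new_state(prefix="qywechat"):
    """Per-login nonce; the portal must remember it until the callback arrives."""
    return f"{prefix}-{secrets.token_hex(16)}"


def build_authorize_url(appid, state, redirect_uri=CALLBACK_URI):
    """Same parameter order as the manual's template; redirect_uri is percent-encoded."""
    query = urlencode({"appid": appid, "redirect_uri": redirect_uri,
                       "response_type": "code", "scope": "snsapi_base", "state": state})
    return f"{AUTHORIZE_ENDPOINT}?{query}#wechat_redirect"


def redirect_uri_allowed(redirect_uri, registered_domain=REGISTERED_DOMAIN):
    """The check the platform applies in step C: the host must equal the registered domain."""
    parts = urlsplit(redirect_uri)
    return parts.scheme in ("http", "https") and parts.hostname == registered_domain


def validate_callback(callback_url, issued_states,
                      expected_path="/ac_portal/oauth_callback.html"):
    """Return the authorization code, or raise. The state is consumed on first use,
    so a replayed callback, or one carrying a state we never issued, is rejected."""
    parts = urlsplit(callback_url)
    if parts.path != expected_path:
        raise ValueError("callback arrived on an unexpected path")
    params = parse_qs(parts.query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if not state or state not in issued_states:
        raise ValueError("unknown or missing state: forged or replayed callback")
    issued_states.discard(state)
    if not code:
        raise ValueError("authorization code missing")
    return code
```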

IAG Authentication Configuration:

Complete the configuration of the authorization server.

Choose Access Mgt > Authentication > Web Authentication >
Authentication Policy > Add authentication policy, fill in the authentication
range, and use the configured Enterprise WeChat authentication server to
complete the configuration.

Effect Rendering:

PC Effect

Click the authentication method icon to go to
https://open.work.weixin.qq.com/wwopen/sso/qrConnect?appid=ww9c6d66e15efc420c&agentid=1000002&redirect_uri=http://oauthservice.net/ac_portal/oauth_callback.html&state=qywechat-4122d678a7c142fb67d1a20a19751b36,
the QR code scan page, and use the mobile Enterprise WeChat to scan the QR
code (the mobile phone does not need to access the network).

After the mobile Enterprise WeChat scans the QR code to pass the
authorization, the current page will be accessed:

List of the online users

Mobile Effect

After the mobile phone accesses the Wi-Fi, open one page on the browser and
redirect to the authorization page; click Enterprise WeChat Authentication to
jump to Login Failed page and complete the authorization in the Enterprise
WeChat client. Manually enter the Enterprise WeChat app, click Workbench on
the lower navigation bar; pull it down to the bottom until Access the Internet
is displayed, and click to complete the authorization. After completion, the user
can access the Internet.

3.5.2.2.2.8.2 DingTalk Based Authentication

Note: all screenshots in this chapter are in Chinese because of the developer
platform.

1. Developer Platform Configuration

Log in to the DingTalk open platform: https://open-dev.dingtalk.com/#/corpeapp

Enter Access Mobile Apps in App Development, and then click Login.

Create Scan QR code to authorize App login, to obtain appid and appsecret.

Fill in the callback domain name:
http://oauthservice.net/ac_portal/oauth_callback.html (which can be copied in
the IAG console).

2. IAG Authentication Configuration

Authentication server configuration: Only the appid, appsecret, and enterprise
ID parameters need to be filled in.

Choose Access Mgt > Authentication > Web Authentication >
Authentication Policy > Add authentication policy, fill in the authentication
range, and use the configured DingTalk authentication server to complete the
configuration.

3. Effect Rendering

PC Effect

Click authentication method icon

Scan the QR code using mobile DingTalk to log in (the mobile phone does not
need to access the network).

After the mobile DingTalk scans the QR code to complete the authentication,
the current page will be accessed:

Mobile Effect

After the mobile phone accesses the Wi-Fi, open one page on the browser and
redirect to the authorization page; click DingTalk Authentication to wake up
the DingTalk app. After the user logs in through the app, the authentication is
completed.

After the completion of authentication, it will display the list of online users:

3.5.2.2.2.8.3 Pocket Assistant Based Authentication

The Pocket Assistant does not offer an open developer platform; please
contact the Sangfor after-sales service hotline (beginning with 400) or your
regional contact to obtain the parameters for authentication.

Configure the OA account based authentication server on IAG, obtain the server
parameters by registering and authorizing the App on the third-party platform,
and disable automatic obtaining of user groups.

Authentication Process:

The authentication page offers authentication methods for selection by users
as per the authentication policy settings.

After the user selects the authentication method, the page skips to the OA
account based authentication page to complete the authentication.

After the authentication, the authentication platform will call back IAG in
accordance with URL parameters filled into the platform. Then IAG can obtain
the user's authentication information on the third-party platform, enabling the
user to log in on IAG.

Effect After Authentication:

The group of online users is configured by choosing Authentication Policy ->
Process after authentication -> Use this to go online by non-local/regional
user.

Mobile Effect

Different from the other two Apps, the Pocket Assistant app does not need to
be pulled up. When accessing the webpage using the browser, click the Pocket
Assistant authentication icon to skip to the Pocket Assistant Login page; and
enter the mobile phone number and password to complete the authentication.

3.5.2.2.2.9 Social Media Account Based Authentication

Many websites can be logged in to with a Facebook, Twitter, or Google
account. These social media accounts are very convenient: users can log in
without registering an account. IAG users also want to pass authentication
using their social media accounts, which is very convenient for logging in
abroad with a Facebook, Twitter, or Google account, and this meets the
requirement of using social media accounts in public Internet scenarios. The
device supports authentication with the following four social media accounts:
Facebook, Gmail, Line, and Twitter.

Access Mgt > Authentication > Web Authentication > Auth Server, click
Add and check Social Media Account.

3.5.2.2.2.9.1 Facebook Authentication

1. Developer Platform

Facebook Developer Platform website: https://developers.facebook.com

a) Select Add New App, fill in Name and Mail Address.

b) Select Setting, then select Basic.

Obtain App ID and App Secret.

Fill in the Privacy Policy URL: your company's homepage is required here. This
parameter is not used for OAuth authentication; you can even enter a URL that
does not exist.

c) Add Facebook Login product, select Web:

d) Navigate to settings. Fill in Valid OAuth Redirect URIs:
https://oauthservice.net:444/ac_portal/oauth_callback.html (copy from the IAG
console).

Finally, fill in the privacy policy’s URL, then commit all settings.

2. IAG authentication configuration

External Auth Server configuration: only AppID and AppSecret need to be filled in.

Go to Access Mgt > Authentication > Web Authentication > Auth Server, then
Access Mgt > Authentication > Web Authentication > Authentication Policy >
Add Policy. Fill in Authentication Range and choose the Facebook Authentication
Server that you configured.

3. Authentication process

Click the Facebook icon.

Fill in the username and password of your Facebook account and click Login:

Authentication finished:

You can see the username in Online Users:

3.5.2.2.2.9.2 Gmail Authentication

1. Developer Platform

Log in to the Google developer platform: https://console.developers.google.com.

Click Credentials, click Create credentials, click OAuth Client ID.

Click Web Application, and fill in an authorized redirect URI:
http://oauthservice.net/ac_portal/oauth_callback.html (we recommend copying
the redirect URL directly from the IAG's back end).

Click Library, check Gmail API in the API Library, and click Enable.

2. IAG authentication configuration

External Auth Server configuration: appid and appsecret are required.

Access Mgt > Authentication > Web Authentication > Authentication Policy >
Add new policy. Fill in the IP range segment and choose the Gmail server.

3. Authentication process

Click Gmail icon.

Fill in username and password.

After the completion of authentication, it will direct you to the webpage that
you were trying to browse previously.

You can view the user in Online Users.

3.5.2.2.2.9.3 Line Authentication

1. Developer Platform

Log in to the Line developer platform: https://developers.line.biz/console/

Select providers, click Create New Provider, follow the instructions to complete
the provider creation.

Go to the created provider, click create channel, select LINE Login, follow the
instructions to complete the channel creation.

Click to enter the newly created channel, get the Channel ID and Channel
secret, fill them into appid and appsecret under channel setting, and check
LINE Login (NATIVE_APP) and LINE Login (WEB) under App type.

Set the Callback URL under App Setting; copy it from the IAG's web console.

Change the channel status to be published.

2. IAG authentication configuration

External Auth Server: It is required to fill in the appid and appsecret
parameters.

Access Mgt > Authentication > Web Authentication > Authentication Policy >
Add new Policy. Fill in the IP range segment and choose the Line
Authentication Server you configured before.

3. Authentication process

Click on the LINE icon.

Go to the LINE login page and fill in the account and password:

After the completion of authentication, it will direct you to the page you
wanted to access previously.

You can view the user in Online Users.

3.5.2.2.2.9.4 Twitter Authentication

1. Developer Platform

Log in to the Twitter developer platform:
https://developer.twitter.com/en/apps , click Detail, and go to the app.

Click Keys and tokens to get the application parameters.

2. IAG authentication configuration

External Auth Server: Fill in the parameters.

Access Mgt > Authentication > Web Authentication > Authentication Policy >
Add new Policy. Insert the authentication range and check the Twitter
Authentication Server.

3. Authentication process

Click the Twitter icon.

Log in to your Twitter account.

You can use Twitter after the completion of authentication.

You can see that user in Online User.

3.5.2.2.2.10 Database Server

Before performing database SSO, add a database server on the Auth Server
page and set related parameters.

Select Enable to enable the external authentication server.

Server Name: Name of the database server to be added.

Type: Type of the database to be added, which can be set to DB2, Oracle,
MS SQL, or MySQL.

Server Address: Address of the database server.

Port: Listening port of the database.

Encoding: Encoding type of the database, which can be set to UTF-8, GBK, or
BIG5.

Username: Name of a user with the permission to query SQL statements.

Password: Password of the user.

Database Name: Database name.

Timeout (sec): Timeout duration for the IAG to request data from the
database server. The default value is 60 seconds. The timeout duration
can be adjusted based on the server load and user quantity.

Click Test Validity to test the connectivity between the IAG and the
database server and the effectiveness of the initial configuration.

3.5.2.2.2.11 H3C CAMS Server

Before performing H3C CAMS SSO, add an H3C CAMS server on the Auth
Server page and set related parameters.

Select Enable to enable the external authentication server.

Server Name: Name of the H3C CAMS server to be added.

Server Address: IP address and port number of the H3C CAMS server, in the
format IP address:Port or URL.

Encoding: Encoding type of the database, which can be set to UTF-8, GBK,
or BIG5. If the encoding type is incorrectly selected, the username may be
displayed as garbled characters.

Username: Username of the system administrator of the H3C CAMS.

Password: Password of the system administrator.

Timeout (s): timeout duration for the IAG to connect to the H3C CAMS
system. The timeout duration can be adjusted based on the server
load. We recommend you use the default value of 60 seconds.

Click Test Validity to test the connectivity between the IAG and the server.

3.5.2.2.2.12 Third-Party Auth System

The LAN user can select the third-party authentication system servers,
including CAS and OAuth, in the password authentication method.

To enable a third-party auth system, click Enable.

Name: Specifies a different name for the third-party authentication system.

URL: Specifies the URL of the third-party authentication system. Example:
https://ip:8443/cas/login .

Keyword: Specifies the keyword used to identify the response and extract the
username. Default format:
cas:serviceResponse>cas:authenticationSuccess>cas:user

Version: Specifies the version of the third-party authentication system, cas2.0
or cas3.0.

To save and apply the settings, click Commit.
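
The Keyword path above applied to a CAS serviceResponse, as an added example that is not Sangfor's code: it walks the '>'-separated path to extract the username, raises on a CAS authenticationFailure instead of silently returning nothing, and reads the extra attributes a cas3.0 response may carry. The two XML responses are constructed samples in the CAS 2.0/3.0 format.

```python
"""Added example (not Sangfor's code): extract the username from a CAS
serviceResponse by following the IAG Keyword path."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
DEFAULT_KEYWORD = "cas:serviceResponse>cas:authenticationSuccess>cas:user"

# Constructed sample responses (the shape CAS returns from /serviceValidate).
SUCCESS_RESPONSE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes><cas:mail>alice@example.com</cas:mail></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def _qualified(step, namespaces):
    """'cas:user' -> '{http://www.yale.edu/tp/cas}user' (ElementTree's tag form)."""
    prefix, sep, local = step.partition(":")
    if not sep:
        return prefix
    if prefix not in namespaces:
        raise ValueError(f"unknown namespace prefix {prefix!r} in keyword")
    return "{%s}%s" % (namespaces[prefix], local)


def extract_username(xml_text, keyword=DEFAULT_KEYWORD, namespaces=None):
    """Walk the keyword path; raise PermissionError when CAS reports a failure."""
    ns = namespaces or {"cas": CAS_NS}
    root = ET.fromstring(xml_text)
    steps = [s.strip() for s in keyword.split(">")]
    if root.tag != _qualified(steps[0], ns):
        raise ValueError(f"unexpected root element {root.tag}")
    failure = root.find("cas:authenticationFailure", ns)
    if failure is not None:
        raise PermissionError(f"CAS {failure.get('code')}: {(failure.text or '').strip()}")
    node = root.find("/".join(steps[1:]), ns) if len(steps) > 1 else root
    if node is None:
        raise ValueError("keyword path not found in response")
    username = (node.text or "").strip()
    if not username:
        raise ValueError("empty username in response")
    return username


def extract_attributes(xml_text, namespaces=None):
    """cas3.0 extras: children of <cas:attributes>, keyed by local tag name."""
    ns = namespaces or {"cas": CAS_NS}
    root = ET.fromstring(xml_text)
    attrs = root.find("cas:authenticationSuccess/cas:attributes", ns)
    if attrs is None:
        return {}
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in attrs}
```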

The device is equipped with seven OAuth authentication methods. If OAuth
authentication other than these seven methods needs to be implemented, open
Auth Server -> Third-party Auth System -> Oauth and choose the authentication
server to configure.

Choose Access Mgt > Authentication > Web Authentication >
Authentication Policy -> Add authentication policy. Fill in the authentication
range and use the configured OAuth authentication server to complete the
configuration.

3.5.2.2.3 Single Sign-On (SSO)

Suppose the customer has a third-party authentication server available for
authenticating intranet users. In that case, the device's intranet users can be
authenticated by the third-party authentication server through SSO. In
addition, the users can obtain the relevant Internet access permission. The
same username and password are used for authentication on the IAG and the
third-party authentication server. The supported SSO types include MS AD
domain SSO, Radius SSO, proxy SSO, POP3 SSO, Web SSO, database SSO, and
SSO on SANGFOR devices and other third-party devices, such as the Ruijie SAM
system, H3C CAMS system, and HTTP/HTTPS authentication system of CITY
HOT. In addition to the basic configuration, you need to configure the users,
authentication server, and Auth Method.

3.5.2.2.3.1 MS AD Domain

You can implement domain SSO if a Microsoft AD server manages users on the customer's network and intranet users log in with domain accounts. Users then gain Internet access by logging in to the domain, without authenticating separately on the IAG. Domain SSO can be implemented by:

1. Delivering the login script in the domain.

2. Obtaining login information through the program embedded on the IAG.

3. Integrated Windows authentication (IWA).

4. Intercepting login information on the listening port.

The preceding methods can be used independently or combined; they do not conflict with each other, and combining several modes increases the SSO success rate.

Mode 1: By delivering the login script in the domain

Configure the logon.exe and logoff.exe scripts in the domain's logon and logoff policies on the AD server. When a user logs in to or out of the domain, the domain policy runs the corresponding script on the user's PC, and the script reports the login or logout to the IAG, which then logs the user in or out.

Configure SSO on the IAG as follows:

Step 1. Select Enable Domain SSO.

Step 2. Select Obtain login profile by executing logon script through the
domain.

Step 3. In Shared Key, set the shared key that the login script uses to protect the information it sends to the IAG; it must match the key configured for the script. For details about other configuration operations, see section 4.4.1.1.

Mode 2: By obtaining login information through the program embedded on the IAG

An SSO client program (ADSSO) embedded on the IAG periodically reads login events from the AD server and reports them to the IAG, which uses them to implement SSO.

Configure SSO on the IAG as follows: Select Enable Domain SSO.

Select Domain SSO.

Click Add to add a domain server.

Domain DNS Server: DNS server of the domain; it must be able to resolve the domain name. Click Resolve Domain to look up the IP addresses of all domain controllers.

Domain Name: Name of the domain.


Controller IP: IP address of the domain controller.

Domain Account: An account with domain administrator permission; the user must be an administrator or a member of the administrators group. Because this credential is stored on the appliance and used by it continuously, use a dedicated account for this purpose.

Password: Password of the domain account.

Log Event ID: IDs of the domain security-log events to read, separated by commas.

Advanced Keyword: Filter the log by RecordNumber or by TimeWritten, so that only records newer than the last one processed are read.

Click Test Validity to test the connection to the domain controller. Click Commit to save the settings.

For details about other configuration operations, see section 4.4.1.2.
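The event IDs and the RecordNumber/TimeWritten filter above describe what the embedded collector reads from the domain controller's Security log. The following is an added example, not Sangfor's ADSSO code, showing that filtering on Windows event records: the XML records are constructed for the example, and the choice of 4624 as the logon event and 4634/4647 as logoff events is an assumption (they are the standard Windows Security log IDs, but the manual leaves the list to the administrator).

```python
"""Event-log based domain SSO: keep only the configured event IDs, skip records
already processed (RecordNumber / TimeWritten watermark), drop machine and
service accounts, and emit login/logout records. Added example."""
import xml.etree.ElementTree as ET
from datetime import datetime

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
# Assumption for the example: 4624 = successful logon, 4634/4647 = logoff.
LOGON_IDS, LOGOFF_IDS = {4624}, {4634, 4647}
SKIP_USERS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed records in Windows event XML shape (not real log data).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><EventRecordID>1001</EventRecordID>
<TimeCreated SystemTime="2021-09-27T08:00:00Z"/></System><EventData>
<Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="IpAddress">10.1.2.3</Data><Data Name="LogonType">2</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><EventRecordID>1002</EventRecordID>
<TimeCreated SystemTime="2021-09-27T08:00:05Z"/></System><EventData>
<Data Name="TargetUserName">WS01$</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="IpAddress">10.1.2.4</Data><Data Name="LogonType">3</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4672</EventID><EventRecordID>1003</EventRecordID>
<TimeCreated SystemTime="2021-09-27T08:00:06Z"/></System><EventData>
<Data Name="SubjectUserName">alice</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4634</EventID><EventRecordID>1004</EventRecordID>
<TimeCreated SystemTime="2021-09-27T17:30:00Z"/></System><EventData>
<Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">2</Data></EventData></Event>
</Events>"""


def _q(tag):
    return "{%s}%s" % (EVT_NS, tag)


def parse_events(xml_text):
    """Flatten each <Event> into a dict with the fields SSO needs."""
    records = []
    for ev in ET.fromstring(xml_text).iter(_q("Event")):
        system = ev.find(_q("System"))
        data = {d.get("Name"): (d.text or "").strip() for d in ev.iter(_q("Data"))}
        when = system.find(_q("TimeCreated")).get("SystemTime")
        records.append({
            "event_id": int(system.findtext(_q("EventID"))),
            "record": int(system.findtext(_q("EventRecordID"))),
            "time": datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"),
            "user": data.get("TargetUserName", ""),
            "domain": data.get("TargetDomainName", ""),
            "ip": data.get("IpAddress", ""),
        })
    return records


def sso_events(records, event_ids, min_record=0, since=None):
    """(action, DOMAIN\\user, ip, record_number) tuples in record order.
    `event_ids` is the comma-separated Log Event ID string from the form;
    `min_record` / `since` are the RecordNumber and TimeWritten watermarks."""
    wanted = {int(x) for x in event_ids.split(",") if x.strip()}
    out = []
    for r in sorted(records, key=lambda r: r["record"]):
        if r["event_id"] not in wanted or r["record"] <= min_record:
            continue
        if since is not None and r["time"] <= since:
            continue
        user = r["user"]
        if not user or user.endswith("$") or user.upper() in SKIP_USERS:
            continue                      # computer or service account, not a person
        if r["event_id"] in LOGON_IDS:
            if r["ip"] in ("", "-"):
                continue                  # a logon with no client IP cannot be tied to a PC
            action = "login"
        elif r["event_id"] in LOGOFF_IDS:
            action = "logout"
        else:
            continue                      # configured ID that is neither logon nor logoff
        name = "%s\\%s" % (r["domain"], user) if r["domain"] else user
        out.append((action, name, r["ip"], r["record"]))
    return out
```

The watermark matters in practice: without it every poll would replay old logons and bring users back online after they have logged out, which is why the Advanced Keyword offers RecordNumber or TimeWritten as the filter.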

Mode 3: By IWA (Integrated Windows Authentication)

IWA is a common authentication method on Windows networks. For IWA, both the IAG and the intranet computers must be joined to the domain. When an intranet user opens a webpage, the computer automatically presents its domain credential to the IAG, which uses it to implement SSO.

Configure SSO on the IAG as follows: Select Enable Domain SSO. Select Enable Integrated Windows Authentication.


Computer Name: Computer name of the IAG after it is added to the domain. The last four characters are the last four digits of the gateway license; the part before them can be defined freely and consists of letters, digits, and hyphens (-), up to 10 bytes.

Domain Name: Name of the domain to which the IAG is added.

DNS Server: IP address of the DNS server for the domain.

Domain Account: Account used by the IAG to join the domain.

Password: Password of the domain account.

Click Test Validity to test whether the parameters are valid. Then click
Commit.


Redirection Interval After Auth Failure (min): Interval before the user is redirected to the authentication page again after IWA SSO fails.

Domain of Windows 2000 Earlier Versions: The pre-Windows 2000 (NetBIOS) domain name. Set it if the domain controller runs a version earlier than Windows Server 2000.

IWA single sign-on is affected by the server signing requirement of the AD domain. If the domain enforces server signing, select Encrypt connection with AD domain server in the IWA single sign-on settings.

For details about other configuration operations, see section 4.4.1.3.

Mode 4: Obtain login profile by listening to computer login to domain

In this mode, the IAG observes the traffic of PCs logging in to the domain controller and extracts the login information from it. Nothing needs to be installed on the domain controller, but the login traffic between intranet PCs and the domain controller must pass through, or be mirrored to, the IAG.

Configure SSO on the IAG as follows:

Select Enable Domain SSO.

Select Obtain login profile by listening to computer login to domain.

Domain Controllers: Enter the IP address and listening port of each domain controller, one per row if there are several. The default listening port is UDP 88, the Kerberos port, so what the IAG observes is the client's Kerberos login exchange with the domain controller.

For details about other configuration operations, see section 4.4.1.4.

3.5.2.2.3.2 Radius

You can enable RADIUS SSO if a RADIUS server exists and its authentication and accounting packets pass through the IAG. A user that the RADIUS server has authenticated is then brought online on the IAG under the RADIUS username.

The configuration procedure is as follows:

Step 1. Select Enable RADIUS SSO.

Step 2. In RADIUS Server Addresses, enter the IP address of the Radius server.

Step 3. If the RADIUS authentication and accounting packets do not pass through the IAG, set up a mirrored port on the IAG and mirror the authentication and accounting traffic to it. For details about the mirrored port setting, see section 3.4.2.3.9.

Step 4. Select Read RADIUS attributes and assign value to custom user attribute. A RADIUS user carries attribute values; select this option if those attributes are to be synchronized to the IAG when the user is authenticated.

Step 5. In RADIUS Attribute, set the Radius attribute to be read.

Step 6. In Custom User Attribute, set a custom user attribute to which the
read Radius attribute value is assigned.


3.5.2.2.3.3 Proxy

You can use proxy SSO if a proxy server is deployed and intranet users reach the Internet through it with accounts and passwords. A user who has authenticated on the proxy server is automatically authenticated on the IAG and can access the Internet without authenticating on the IAG separately. Proxy SSO can be implemented by listening or by executing the specified login control. The configuration page is shown in the following figure.

Enable Proxy SSO: to enable or disable proxy SSO.


Obtain login profile by monitoring the data of computer logging into proxy server: If this option is selected, the IAG obtains users' login information by observing their logins to the proxy server. If that login traffic does not pass through the IAG, a mirrored listening port needs to be set. For details about the configuration procedure, see section 3.4.2.3.3.

Compatible with Kerberos authentication: If the proxy server is an ISA server that uses IWA, select this option to implement SSO. It applies only when the login packets pass through the IAG, not when they are mirrored to it.

Proxy Servers: IP address of the proxy server.

Obtain login profile by executing login control through proxy: Configure a login script on the proxy server. When a user logs in, the proxy server runs the script, which sends login packets to the IAG. For details about the configuration procedure, see section 4.1.2.2.

3.5.2.2.3.4 POP3

You can use POP3 SSO if a POP3 mail server is deployed and intranet users log in to it with accounts and passwords. A user can access the Internet after being authenticated by the POP3 server. Because the IAG learns the username from the POP3 login exchange itself, that exchange must be visible to the IAG; logins protected by TLS (POP3S) cannot be used for SSO. See the following figure.


Enable POP3 SSO: to enable or disable POP3 SSO.

POP3 Servers: IP address of the mail server.

For details about the configuration procedure, see section 4.1.3.

3.5.2.2.3.5 Web

If a Web server is deployed on the customer's network and LAN users have their own accounts and passwords for logging in to it, the LAN users can access the Internet through Web SSO once they pass the Web server's authentication. The configuration interface is shown below:

Enable Web SSO: Enable or disable Web SSO.

Web Auth Server: IP address of the Web server.

Type: Select Cookie value, Form submitted using POST, or Parameter in URL request, depending on how the Web authentication server works.

Cookie value: After authentication succeeds, the Web server returns a cookie whose presence tells the IAG that the login succeeded.


Cookie Name: Name of the cookie the server returns after authentication succeeds.

Form submitted using POST: Use this type when the username is submitted with the POST method during Web authentication.

User Form Name: Name of the form field that carries the username submitted to the server during Web authentication; a regular expression is supported.

The authentication keywords can be enabled or disabled; disabling them means the keywords are not checked during authentication:

Authentication success keywords: Keywords that identify a successful Web login. If the returned result contains one of the preset keywords, the Web SSO succeeds.

Authentication failure keywords: If the returned result contains one of these preset keywords, the Web SSO fails.

Parameter in URL request: Use this type when the authentication information is submitted with HTTP GET during Web authentication.


URL Parameter: Names of the parameters in the URL request that correspond to the authentication fields.

Specified Form Encoding Type: If garbled characters appear, specify the encoding type; otherwise the device detects the encoding automatically and no setting is required.
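The three Type settings and the keyword lists above amount to a small detection rule over the HTTP exchange between the user and the Web authentication server. The following added example (not Sangfor code) applies such a rule to constructed exchanges: it pulls the username from the POST form field (matched by the User Form Name regular expression) or the URL parameter, decides success by the Set-Cookie name or by the success/failure keywords, and handles the form encoding the way Specified Form Encoding Type describes. How cookie mode obtains the username is not stated in the manual; the example takes it from the form field or URL parameter, which is an assumption, as is the UTF-8-then-GBK auto-detection order.

```python
"""Web SSO login detection over captured HTTP exchanges (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_EXCHANGES = [  # constructed: server, client, request, response
    {"server": "10.0.0.5", "client": "10.1.2.3", "method": "POST", "url": "/login",
     "body": b"username=alice&password=hunter2",
     "resp_headers": [("Content-Type", "text/html")],
     "resp_body": b"<p>Welcome back, alice</p>"},
    {"server": "10.0.0.5", "client": "10.1.2.9", "method": "POST", "url": "/login",
     "body": b"username=bob&password=wrong", "resp_headers": [],
     "resp_body": b"<p>Invalid username or password</p>"},
    {"server": "10.0.0.5", "client": "10.1.2.7", "method": "GET",
     "url": "/auth?account=carol&pwd=x", "body": b"",
     "resp_headers": [("Set-Cookie", "PORTALSESSION=9f3a; Path=/")], "resp_body": b""},
    {"server": "10.0.0.9", "client": "10.1.2.3", "method": "POST", "url": "/login",
     "body": b"username=alice&password=hunter2", "resp_headers": [],
     "resp_body": b"Welcome"},                            # not the Web auth server
]


def decode_form(raw, encoding=None):
    """Percent-decode a form body with the specified encoding, or auto-detect by
    trying UTF-8 then GBK (order is an assumption) so names do not come out garbled."""
    text = raw.decode("latin-1")                   # keep bytes 1:1; %XX decoded below
    for enc in ([encoding] if encoding else ["utf-8", "gbk"]):
        try:
            return parse_qs(text, keep_blank_values=True, encoding=enc, errors="strict")
        except (UnicodeDecodeError, LookupError):
            continue
    return parse_qs(text, keep_blank_values=True, encoding="latin-1")


def username_from_request(ex, cfg):
    """Username as submitted to the Web auth server, or None."""
    kind, enc = cfg["type"], cfg.get("encoding")
    if kind in ("post", "cookie") and ex["method"] == "POST" and cfg.get("user_form_name"):
        pattern = re.compile(cfg["user_form_name"])          # User Form Name, regex
        for field, values in decode_form(ex["body"], enc).items():
            if pattern.search(field) and values and values[0]:
                return values[0]
        return None
    if kind in ("url", "cookie") and cfg.get("url_param"):
        query = urlsplit(ex["url"]).query.encode("latin-1")
        values = decode_form(query, enc).get(cfg["url_param"])
        return values[0] if values else None
    return None


def login_succeeded(ex, cfg):
    """True/False when decidable, None when neither keyword list matches."""
    if cfg["type"] == "cookie":
        names = [v.split("=", 1)[0].strip()
                 for h, v in ex["resp_headers"] if h.lower() == "set-cookie"]
        return cfg["cookie_name"] in names
    if not cfg.get("keywords_enabled", True):
        return True                                   # keyword check disabled
    text = ex["resp_body"].decode(cfg.get("encoding") or "utf-8", errors="replace")
    if any(k in text for k in cfg.get("failure_keywords", ())):
        return False                                  # failure keyword wins
    if any(k in text for k in cfg.get("success_keywords", ())):
        return True
    return None


def detect_login(ex, cfg):
    """(username, client_ip) for a successful login to the configured server, else None."""
    if ex["server"] != cfg["server"]:
        return None
    user = username_from_request(ex, cfg)
    if not user or login_succeeded(ex, cfg) is not True:
        return None
    return user, ex["client"]
```

An exchange whose response matches neither keyword list is deliberately left undecided rather than counted as a login; with the keyword check disabled, every submission of a username would be trusted, which is why the keywords should stay enabled whenever the server returns a recognizable failure page.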

3.5.2.2.3.6 Third-Party Server

If a third-party authentication system is deployed for user authentication and organization structure management, the IAG can integrate with it to implement SSO. Currently the Ruijie SAM system, the HTTP SSO interface, the H3C CAMS system, the City hotspot web authentication system, and the H3C IMC system are supported. See the following figure.

For details about the configuration procedure, see section 4.1.5.

3.5.2.2.3.7 Sangfor Appliance

The IAG can work with another IAG to implement authentication. Two Sangfor devices are deployed, one for authentication and the other for audit and control. After a user is authenticated on the authentication IAG, the audit-and-control IAG synchronizes the user information from it for audit and control. See the following figure.

Receive user credentials from other Sangfor appliances: The appliance receives user credentials from other appliances and automatically adds the authenticated users. The shared key must be identical to the one on the forwarding appliance.

Send user credentials to other Sangfor appliances: Send the user credentials of this appliance to other appliances.

Forwarding Policy: Policies that decide which user credentials are sent to which appliance.

Each policy is written as applicable range%target appliance%policy description; the two % separators are mandatory. Leaving the applicable range empty, as in %192.200.244.96%, forwards the credentials of all users.


Applicable range: Source IP addresses and controller names, separated by semicolons.

Target appliance: IP or IP:port entries, separated by semicolons.

Examples:

1. %192.200.244.96%: basic case. The applicable range is not limited; only the target appliance is given. Supported by earlier versions.

2. %192.200.244.97:1775%: with a port. The applicable range is not limited; only the target appliance and port are given. Supported by earlier versions.

3. %2003::22%: IPv6 (the IPv6 form of example 1).

4. %[2003::22]:1773%: IPv6 with a port (the IPv6 form of example 2).

5. sxf%192.200.244.16%: limited to a controller. The appliance is configured with an authentication server; after a third-party wireless controller is docked, the credentials of users from that controller are forwarded to the specified target appliance.

6. 10.10.10.20%192.200.244.96%: limited to a source IP address. Only the credentials of users with the specified source IP address are forwarded to the target appliance.

7. 20.20.20.10;sangfor%172.16.12.1;172.16.12.4%: several conditions and targets, separated by semicolons. Credentials of users matching the listed conditions are forwarded to the listed target appliances.

Shared Key: Key used to protect the user credentials when they are sent. The receiving appliance must use the same key as the sending appliance.
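The forwarding policy lines follow a small grammar that the seven examples above illustrate. The following is an added parser for that grammar, not Sangfor code: it splits on the two mandatory % separators, classifies each applicable-range condition as a source IP or a controller name, and accepts the IP, IP:port, IPv6 and [IPv6]:port target forms. Treating the conditions of one line as alternatives (any of them matches) is an assumption, as is leaving the port unset when none is given.

```python
"""Parser for Sangfor-appliance forwarding policy lines of the form
'applicable range%target appliance%description' (added example)."""
import ipaddress
import re

CONTROLLER_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_target(item):
    """'IP', 'IP:port', 'v6addr' or '[v6addr]:port' -> (normalized ip, port or None)."""
    item = item.strip()
    if item.startswith("["):                      # bracketed IPv6, optional :port
        host, closed, rest = item[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError("malformed IPv6 target %r" % item)
        port = int(rest[1:]) if rest else None
    elif item.count(":") > 1:                     # bare IPv6: no port possible
        host, port = item, None
    elif ":" in item:                             # IPv4:port
        host, _, p = item.partition(":")
        port = int(p)
    else:
        host, port = item, None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % item)
    return str(ipaddress.ip_address(host)), port


def parse_policy(line):
    """Split on the two mandatory '%' separators and classify each condition."""
    parts = line.strip().split("%")
    if len(parts) != 3:
        raise ValueError("expected exactly two '%%' separators in %r" % line)
    rng, targets, description = parts
    source_ips, controllers = set(), set()
    for cond in (c.strip() for c in rng.split(";") if c.strip()):
        try:
            source_ips.add(str(ipaddress.ip_address(cond)))
        except ValueError:
            if not CONTROLLER_NAME.match(cond):
                raise ValueError("bad condition %r" % cond)
            controllers.add(cond)                 # a name, not an address: controller
    tgt = [parse_target(t) for t in targets.split(";") if t.strip()]
    if not tgt:
        raise ValueError("no target appliance in %r" % line)
    return {"source_ips": source_ips, "controllers": controllers,
            "targets": tgt, "description": description.strip()}


def policy_matches(policy, source_ip, controller=None):
    """An empty applicable range forwards everyone; otherwise any listed source
    IP or controller name matches (assumed OR semantics)."""
    if not policy["source_ips"] and not policy["controllers"]:
        return True
    return (str(ipaddress.ip_address(source_ip)) in policy["source_ips"]
            or (controller is not None and controller in policy["controllers"]))


def targets_for(policies, source_ip, controller=None):
    """All (ip, port) targets of the matching policy lines, in configuration order."""
    out = []
    for policy in policies:
        if policy_matches(policy, source_ip, controller):
            out.extend(policy["targets"])
    return out
```

Validating the target addresses before they are committed is worth doing: a typo in a target sends user credentials, protected only by the shared key, to whatever host answers at that address.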

3.5.2.2.3.8 Database

If a database system stores and manages user authentication information and the organization structure, SQL statements can be configured on the Sangfor IAG to query the user list and the currently authenticated users from the database and synchronize them to the local organization structure and online user list, implementing SSO with the database system. A user who has authenticated in the database is automatically authenticated on the IAG, and a user who logs out of the database is automatically logged out on the IAG. Currently the supported database types are Oracle, MS SQL Server, DB2, and MySQL. See the following figure.

Database Server: Select the database server that you set on the External
Auth Server page.

SQL Statement: A SELECT statement that returns the online users. The IAG runs it against the database's user information table to query the online users. Since the IAG only reads, give it a database account with read-only permission on that table.

Sync Interval (sec): How often the IAG runs the query, and therefore the maximum delay between a user's authentication on the server and on the IAG. The default is 30 seconds.

For details about the configuration procedure, see section 4.1.7.
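Database SSO is a polling loop: run the configured SELECT at the sync interval and turn the difference between two result sets into logins and logouts. The following added example, not Sangfor code, shows that loop against an in-memory SQLite table standing in for the Oracle/MS SQL Server/DB2/MySQL database, with a guard that rejects anything other than a single SELECT statement; the table and column names are assumptions.

```python
"""Database SSO polling loop: run the configured SELECT at the sync interval and
turn the difference between two snapshots into login/logout events. Added
example with an in-memory SQLite table; table and column names are assumptions."""
import re
import sqlite3
import time

_SINGLE_SELECT = re.compile(r"^\s*select\b[^;]*;?\s*$", re.IGNORECASE | re.DOTALL)
SQL = "SELECT username, ip FROM online_users"        # assumed schema for the example


def check_statement(sql):
    """The IAG only reads: refuse anything but one SELECT statement. Pair this
    with a database account that has read-only rights on the queried table."""
    if not _SINGLE_SELECT.match(sql):
        raise ValueError("only a single SELECT statement is allowed")
    return sql


class DbSsoSync:
    def __init__(self, sql, sync_interval=30):
        self.sql = check_statement(sql)
        self.sync_interval = sync_interval           # Sync Interval (sec), default 30
        self.online = set()                          # {(username, ip)} seen last cycle

    def poll(self, conn):
        """One sync cycle: [('login'|'logout', username, ip), ...], logouts first."""
        current = {(str(user), str(ip)) for user, ip in conn.execute(self.sql) if user}
        events = [("logout", u, ip) for u, ip in sorted(self.online - current)]
        events += [("login", u, ip) for u, ip in sorted(current - self.online)]
        self.online = current
        return events

    def run(self, conn, cycles):
        """Yield the events of `cycles` consecutive sync cycles, sleeping in between."""
        for _ in range(cycles):
            yield self.poll(conn)
            time.sleep(self.sync_interval)


def demo_database():
    """Constructed sample data: one row per user currently logged in."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE online_users (username TEXT, ip TEXT, login_time TEXT)")
    conn.execute("INSERT INTO online_users VALUES ('alice', '10.1.2.3', '2021-09-27 08:00:00')")
    conn.commit()
    return conn
```

A row that disappears between two polls becomes a logout, so the statement must return only users who are currently online, not the whole user table; otherwise nobody would ever be logged out.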

3.5.2.2.3.9 Others

If the login data does not pass through the IAG, a mirrored listening port needs to be set to capture the login data. Select any idle interface. The listening port can be used for domain SSO (listening mode), RADIUS SSO, POP3 SSO, and Web SSO.

This listening port can also receive mirrored Internet access data when the IAG is deployed in bypass mode.

3.5.2.2.4 Custom Webpage

A user who uses password-based authentication is redirected to the authentication page when trying to access the Internet before authenticating. Both the authentication page and the disclaimer page can be customized. See the following figure.

3.5.2.2.4.1 Captive Portal

Embedded authentication page templates are listed below:

⚫ Captive Portal without Slideshow and Terms of Use

⚫ Captive Portal with Terms of Use but no Slideshow

⚫ Captive Portal with Slideshow and Terms of Use

⚫ Captive Portal with Full-screen Slideshow

Click Upload to upload an authentication page template. You can download an example page and edit it.


Click Delete to delete a template. Embedded authentication page templates cannot be deleted.

If Enable segregation of webpage administration is selected on the Right Segregation page, all administrators except admin can edit only the pages they are authorized for.

Authorized Admin: Authorizes non-admin administrators to edit pages after independent permission control is enabled.

Click View to preview the page as displayed on a computer and on a mobile phone.

Click Clone to create a new template based on an existing one and edit it.

Click Download to download a page template, and click Upload to upload the template to other devices.


Click Authorize to authorize a template to non-admin administrators. Authorized administrators can edit and view this template.

Click Update to modify the name and description of the template.

You can also import other pages. Embedded page templates can be edited. The procedure is as follows:

1. Click the name of any page template. The page shown in the following figure is displayed.

2. The values of Page Caption, LOGO, Background Color, Page Contents, Pictures for Slideshow, and Terms of Use are displayed on the authentication page, as shown in the following figure.


3. Click Background Color, select a color in the upper left corner, and click
OK to save the setting.


4. Click Edit next to Page Content and edit the contents, as shown in the following figure.

5. Upload pictures for the slideshow, which are played cyclically on the authentication page, and specify the URL of each picture. Picture URLs are automatically added to the global exclusion list so that unauthenticated users can load them.


6. Click Edit next to Terms of Use. Edit the disclaimer and set whether the "I have read and agreed Terms of Use" option is selected by default.

7. Click OK.

The contents of embedded authentication page templates differ from those of custom templates. The preceding procedure is an example of editing a page with advertisements and a disclaimer and is for reference only.


3.5.2.2.4.2 Terms of Use

The page for editing a disclaimer page is shown in the following figure. The procedure is similar to editing an authentication page and is not described in this section.

3.5.2.3 Correlation Connection

Correlation connections are for docking with third-party devices: controller docking, a RADIUS authentication server, and MAC address acquisition across a layer 3 network.

3.5.2.3.1 Controllers

Controller docking covers Sangfor device docking and third-party controller docking and is suited to multi-branch scenarios. When the headquarters IAG acts as the authentication center, it works with the branch Sangfor devices to provide managed authentication and push a uniform authentication page. When a third-party wireless controller is docked, the IAG acts as its unified authentication server and pushes the unified authentication page, so that authentication and the associated permissions follow the user consistently.

3.5.2.3.1.1 Sangfor Appliance

When the IAG acts as the authentication center, it connects with the branch Sangfor devices to provide the managed authentication function.

Authentication center settings: Parameters of the authentication center.


Pre-Shared Key: The key used by branch IAGs to connect; it must match the connection key configured on the branch Sangfor device.

Interface: The port used for communication between the IAG authentication center and the branch Sangfor devices. The default is 390 and can be changed; it must match the authentication center port configured on the branch Sangfor devices.

After the IAG authentication center is configured, configure managed authentication on the branch IAG devices; see the managed authentication chapter. For BBC environment configuration, see the chapter on multi-branch networking scenarios.

3.5.2.3.1.2 Third-party Appliance

Go to the Access Mgt > Authentication > Correlation Connection > Controllers page:


Click Add to add a third-party server interface as follows:

Controller information:

Name: Name of the third-party portal server.

Description: Description of the server.

Portal Protocol: Portal protocols supported for the connection: standard CMCC 1.0, CMCC 2.0, Huawei Portal 2.0/IMC, Cisco External Portal Web Authentication Protocol, and the Aruba protocol.


Request URL: Generated automatically once a protocol is selected. When WeChat Wi-Fi connection by QR code is enabled, the controller must support carrying the AUTHURL and EXTEND parameters in the request URL.

Controller IP: IP address of the third-party portal controller, optionally with a port. If no port is entered, port 2000 is used by default to connect to the controller.

Use external RADIUS server: Check this option when the third-party controller is used for authentication and the user information is maintained on a third-party RADIUS server. Leave it unchecked when the authentication system itself serves as the RADIUS server; in that case enable the configuration in Access Mgt > Authentication > Correlation Connection > RADIUS Auth Server, set the port to 1812, and set the key consistently with the third-party controller.

Client parameter field configuration:

IP Address Field: How the client's IP address is obtained; it can be taken from the data packet or from the URL parameter.

MAC Address Field: Field that carries the client MAC address in the third-party controller's data.

VLAN 1 Field: Field in the third-party controller's data packet.

VLAN 2 Field: Field in the third-party controller's data packet.

BSSID Field: Must be consistent with the controller.

URL Field before Authentication: Must be consistent with the controller.

When more than one third-party controller is configured, use the search box in the upper right corner to search by name.


3.5.2.3.2 RADIUS Server

The device can act as the RADIUS server; the accounting port and the authentication port each use their own key.

Enable: Check Enable to configure the IAG as the RADIUS server. Only PAP is supported by default. With PAP the user password is protected on the wire only by the shared secret, so use a long random secret and restrict RADIUS clients to the controller's address.

Port: Ports used by the RADIUS server.

Secret Key: The RADIUS shared secret.
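The IAG appears in two RADIUS roles in this chapter: as a passive observer of accounting packets for RADIUS SSO (section 3.5.2.2.3.2, where a RADIUS attribute such as Class is copied into a custom user attribute) and here as the RADIUS server receiving PAP Access-Requests from the controller. The following added example, which is not Sangfor code, shows both on constructed packets: it builds and parses RADIUS packets, verifies the accounting Request Authenticator with the shared secret before trusting a packet, recovers a PAP password the way a server must, and maps one attribute to a custom attribute. The attribute subset, the Class-to-department mapping and the helper names are assumptions for the example.

```python
"""RADIUS packet handling for the two IAG roles in this chapter: passive
observer of Accounting-Requests (RADIUS SSO) and RADIUS server receiving
PAP Access-Requests. Added example, not Sangfor code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR = {"User-Name": 1, "User-Password": 2, "Framed-IP-Address": 8,
        "Class": 25, "Acct-Status-Type": 40}
ATTR_NAME = {v: k for k, v in ATTR.items()}
ACCT_STATUS = {1: "login", 2: "logout"}            # Start / Stop; others are updates


def pap_hide(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    pw = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], key))
        out += prev
    return out


def pap_unhide(hidden, secret, request_auth):
    """Inverse of pap_hide; this MD5 stream is all that protects a PAP password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """(code, identifier, authenticator, [(type, value), ...]) with length checks."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def accounting_auth_ok(data, secret):
    """RFC 2866: Request Authenticator = MD5(packet with zeroed authenticator + secret)."""
    zeroed = data[:4] + b"\x00" * 16 + data[20:]
    return hmac.compare_digest(hashlib.md5(zeroed + secret).digest(), data[4:20])


def make_pap_access_request(ident, user, password, secret):
    auth = os.urandom(16)                             # fresh Request Authenticator
    return build_packet(ACCESS_REQUEST, ident, auth, [
        (ATTR["User-Name"], user.encode()),
        (ATTR["User-Password"], pap_hide(password, secret, auth))])


def make_accounting_start(ident, user, ip, secret, extra=()):
    attrs = [(ATTR["User-Name"], user.encode()),
             (ATTR["Acct-Status-Type"], struct.pack("!I", 1)),
             (ATTR["Framed-IP-Address"], bytes(int(x) for x in ip.split(".")))] + list(extra)
    pkt = build_packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def sso_from_accounting(data, secret, radius_attr="Class", custom_attr="department"):
    """Online-user record from an Accounting-Request, or None if it must be ignored.
    A packet whose authenticator does not verify is dropped: otherwise anyone able
    to inject traffic onto the mirror port could log an arbitrary user in."""
    if not accounting_auth_ok(data, secret):
        return None
    code, _, _, attrs = parse_packet(data)
    a = {ATTR_NAME.get(t, t): v for t, v in attrs}
    if code != ACCOUNTING_REQUEST or "User-Name" not in a or "Acct-Status-Type" not in a:
        return None
    rec = {"user": a["User-Name"].decode(errors="replace"),
           "ip": ".".join(str(b) for b in a.get("Framed-IP-Address", b"")),
           "action": ACCT_STATUS.get(struct.unpack("!I", a["Acct-Status-Type"])[0], "update")}
    if radius_attr in a:                              # Read RADIUS attributes and assign value
        rec[custom_attr] = a[radius_attr].decode(errors="replace")
    return rec


def server_check_pap(data, secret, users):
    """Server side: recover the PAP password and compare it in constant time.
    Returns the username on success, None otherwise."""
    code, _, auth, attrs = parse_packet(data)
    a = {ATTR_NAME.get(t, t): v for t, v in attrs}
    if code != ACCESS_REQUEST or "User-Name" not in a or "User-Password" not in a:
        return None                                   # not a PAP request
    user = a["User-Name"].decode(errors="replace")
    given = pap_unhide(a["User-Password"], secret, auth)
    ok = user in users and hmac.compare_digest(given.encode(), users[user].encode())
    return user if ok else None
```

The authenticator check is the part that matters on a mirror port: accounting packets are the only evidence the IAG has that a user is online, and without the check a forged Accounting-Start would be enough to impersonate any username.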

3.5.2.3.3 MAC Address Acquisition

There are two ways to acquire MAC addresses across L3. The setting method is as follows:

First: Read the MAC addresses of LAN users from mirrored traffic.

Select MAC address is acquired from captured ARP packets or DHCP packets, connect any idle network port of the IAG to the switch, enable mirroring on the corresponding switch interface, and mirror the relevant packets to the IAG. This method does not require SNMP on the switch.

Second: Obtain MAC addresses by configuring acquisition across L3.


If intranet users are bound to MAC addresses or the MAC address range is restricted, and the intranet spans more than one L3 segment, MAC address acquisition across L3 must be enabled so that the IAG can learn the real MAC addresses of intranet users. The intranet switch must support SNMP, because the IAG reads the real MAC addresses from the switch through SNMP. Working principle: the IAG periodically sends an SNMP request to the L3 switch, obtains its IP-to-MAC table, and keeps it in memory. When a PC on another network segment, for example 192.168.1.2 (a segment different from the IAG's LAN interface), accesses the Internet through the IAG, the IAG checks whether the source MAC address of the packets is that of the L3 switch. If so, it looks up the real MAC address for 192.168.1.2 in the table and verifies it against the binding.

The procedure is as follows:

1. Enable SNMP on the L3 switch.

2. Select Enable MAC filtering across L3 switch.

3. In SNMP Servers, enter the information about the L3 switch from which the IAG obtains MAC addresses.


Enable SNMP on the L3 switch in advance.

IP Address: IP address of the L3 switch.

IP OID: OID of the IP address column in the SNMP data.

MAC OID: OID of the MAC address column in the SNMP data.

Community: SNMP community string used to query the switch. Use a read-only community, and restrict the switch to answering the IAG's address.

Timeout (second): Timeout for the IAG's SNMP request.

Interval (sec): Interval at which the IAG sends SNMP requests.

Max MAC Addresses: Maximum number of SNMP entries obtained in one request.

Click Server Details to view the SNMP information of the SNMP server (the switch). Click Commit to save the settings.

4. Enter the MAC address of the L3 switch so that it is excluded and never bound to a user, as shown in the following figure.


In addition to the MAC addresses entered manually in the preceding step, the IAG can discover the MAC address of the L3 switch automatically. Every 10 minutes it counts the number of IP addresses seen with each MAC address; a MAC address that corresponds to multiple IP addresses belongs to an L3 switch.

Click MAC Address Calculation.

If Exclude MAC address automatically is selected, the IAG adds every MAC address whose IP address count exceeds the IP Address Threshold to the excluded MAC address list.

If Give alert when MAC address is excluded automatically is selected, the IAG sends an alarm mail to the administrator after adding a MAC address. Set the alarm options under System Management > General > Alarm Options.
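The IP OID and MAC OID settings above point at two columns of one SNMP table on the switch, and the automatic exclusion logic counts IP addresses per MAC. The following added example, not Sangfor code, builds the IP-to-MAC table from a constructed SNMP walk of the standard MIB-II ipNetToMediaTable (the OIDs actually entered on the IAG are whatever the customer's switch exposes), resolves the real MAC of a host whose frames arrive with the L3 switch's MAC, and derives the exclusion list from the IP address threshold.

```python
"""IP-to-MAC table from an SNMP walk of the L3 switch, real-MAC lookup for
hosts behind the switch, and automatic L3-switch MAC exclusion (added example)."""
from collections import defaultdict

IP_OID = "1.3.6.1.2.1.4.22.1.3"    # ipNetToMediaNetAddress (MIB-II)
MAC_OID = "1.3.6.1.2.1.4.22.1.2"   # ipNetToMediaPhysAddress (MIB-II)
GATEWAY_MAC = "00:11:22:33:44:55"  # constructed: the L3 switch's interface MAC

# Constructed SNMP walk result {oid: value}; rows are indexed by ifIndex.ipAddr.
WALK = {
    MAC_OID + ".10.192.168.1.2": b"\xaa\xbb\xcc\x00\x00\x02",
    IP_OID + ".10.192.168.1.2": "192.168.1.2",
    MAC_OID + ".10.192.168.1.3": b"\xaa\xbb\xcc\x00\x00\x03",
    IP_OID + ".10.192.168.1.3": "192.168.1.3",
    MAC_OID + ".11.192.168.2.7": b"\xaa\xbb\xcc\x00\x00\x07",
    IP_OID + ".11.192.168.2.7": "192.168.2.7",
    MAC_OID + ".11.192.168.2.8": b"\xaa\xbb\xcc\x00\x00\x08",  # MAC row with no IP row
}


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def arp_table(walk, ip_oid=IP_OID, mac_oid=MAC_OID, max_entries=None):
    """Join the IP and MAC columns on their shared row index -> {ip: mac}."""
    macs = {oid[len(mac_oid) + 1:]: fmt_mac(v)
            for oid, v in walk.items() if oid.startswith(mac_oid + ".")}
    ips = {oid[len(ip_oid) + 1:]: v
           for oid, v in walk.items() if oid.startswith(ip_oid + ".")}
    table = {}
    for index in sorted(ips):
        if index in macs:
            table[ips[index]] = macs[index]
        if max_entries and len(table) >= max_entries:
            break                          # Max MAC Addresses: cap one SNMP fetch
    return table


def real_mac(ip, frame_src_mac, excluded_macs, arp):
    """If the frame came from an L3 switch, replace its MAC with the host's
    ARP entry; return None when the switch has no entry for the IP, because a
    binding that cannot be looked up cannot be verified."""
    if frame_src_mac.lower() not in excluded_macs:
        return frame_src_mac.lower()
    return arp.get(ip)


def l3_switch_macs(observations, threshold):
    """MAC Address Calculation: a MAC seen with more than `threshold` distinct
    IPs in the window is treated as an L3 switch and goes on the exclusion list."""
    ips_per_mac = defaultdict(set)
    for ip, mac in observations:
        ips_per_mac[mac.lower()].add(ip)
    return {mac for mac, ips in ips_per_mac.items() if len(ips) > threshold}
```

A host that is not in the switch's table at poll time resolves to None rather than to the switch's MAC; treating it as unknown until the next poll is what keeps MAC bindings from being silently satisfied by the gateway address.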

3.5.2.4 Advanced

The advanced authentication options include authentication options and managed authentication.

3.5.2.4.1 Authentication Options

You can configure authentication options on the page shown in the following
figure.


Select Log out users who cause no flow in specified period to set the idle timeout after which the IAG logs out a user that has generated no traffic.

Select Log out all users every day to set a time of day at which the IAG logs out all online users.


Select Lock users if authentication attempts reach the threshold to have the IAG lock a user after the specified number of failed authentication attempts.

Log out user who causes no flow in specified period: For users whose devices were added to the organization structure automatically, the IAG checks the last login time and logs them out if they have not logged in within the set period. Users created manually are not logged out.

After Delete accounts inactive for too long a time is selected, the IAG checks the last login time of users that were added to the local organization structure automatically and deletes any user that has not logged in for a long time. Manually created users are not deleted.

Auto clean up expired bindings: For the authentication-free binding relationships the device entered automatically, the IAG checks the login time and deletes those whose authentication-free binding has expired. Manually entered authentication-free users are also deleted.

Allow account to be bound with limited endpoints: Sets how many endpoints an account can be bound to, limiting the number of endpoints from which a user can log in with one account.

After Re-authentication is required if MAC address changes is selected, an authenticated user must authenticate again if the MAC address behind the IP address changes. For example, user A with IP address 192.168.1.1 uses password-based authentication. After going offline, user A remains logged in for a period of time; if another device takes over IP address 192.168.1.1 during that period, the MAC address seen for user A changes, and user A must authenticate again before accessing the Internet. Without this option the new device would inherit user A's session.

In Take action if user logs in on a second IP address with an account that does not allow concurrent login, set the policy for new endpoints: Reject request and notify user that account is being used on another endpoint, or Disconnect earliest endpoint and allow new endpoint. A public account can be used by multiple users concurrently; choose Bandwidth Mgt > Quota Control to set how many endpoints may log in with the public account. When that number is exceeded, the policy for new endpoints applies.

Enable Cookie-based authentication: Sets the validity of cookie-based authentication, from 1 to 100 days.

Select Enable password strength requirements and click Settings to set the security requirements for user passwords. In the dialog box you can select Password and username must not be the same, New and the current password must not be the same, Password Strength, and Password must contain. When all four options are selected, a user can change the login password only if all the requirements are met.

By default, the password-based authentication page is served over HTTP, so the username and password submitted on it travel in plaintext and can be read by anyone on the path. Select Use SSL to encrypt username and password if SSL encryption is required.

Domain Name is the domain name of the page to which users are redirected; it must match the certificate. Click Device Certificate to import or create an SSL certificate.

Allow user to edit endpoint information: Check this option if endpoint users may change the information of their bound endpoints themselves.

Not allow password retrieval through SMS message in Password Retrieval: If the password retrieval function is used and passwords must not be retrieved through SMS, check this option to use email-based retrieval instead. The email sending server must be configured.

Select DNS service is available even user is not authenticated or is locked to allow users to reach the DNS service before they are authenticated or after they are locked. Keep in mind that an unauthenticated host can then move data through DNS queries, so limit which DNS servers it may reach.


When users who use Password-based authentication open an HTTP web page, they are redirected to an authentication page. However, they are not redirected if they access an HTTPS web page. To redirect users when they access an HTTPS web page, select the option Redirect HTTPS request to captive portal if user is not authenticated.

For Internet access using proxy, password submission is Web based: If this option is selected, password submission for Internet access through the proxy is performed on the Web authentication page. If it is not selected, HTTP 407 (Proxy Authentication Required) pop-ups are used to authenticate Internet access through the proxy.

Username of domain user is domain account plus domain name can be selected to identify users on different domain servers if there are multiple domains. The domain name is suffixed to the username on the Online Users and Status pages.

Suppose the proxy server is deployed in one-arm mode and the IAG
is deployed in bridge mode between the intranet and the proxy
server. In that case, public network IP addresses will be added to the
online users list. In this case, Open auth for data flow from WAN to
LAN interface needs to be selected to avoid authenticating public
network IP addresses. For the configuration example, see section 4.4.

Disable sorting by user/group: When the user/group query is too slow, enable Disable sorting by user/group to accelerate the query.

Resolve virtual domain name (oauthservice.net/onauthservice.com) as specified IP address: It is recommended to configure this function when multiple IAG devices exist in the environment, or when OAuth authentication or QR code authentication is configured on the IAG.

3.5.2.4.2 Managed Authentication

1. The managed authentication function can be configured on AC, SG and IAG devices, so that user authentication is handled by the authentication system. Enable Managed Authentication, and the device enters the managed authentication state.

2. After Managed Authentication is enabled, authentication-related functions are implemented in the authentication system, and the following functions are hidden on the controller device and do not take effect.

a. Authentication policy

b. User binding

c. IP/MAC binding

d. User automatic synchronization

e. Single sign-on

f. Authentication controller

g. RADIUS Server

3. After Managed Authentication is enabled, Authentication Outage Remediation is supported. When the authentication system is offline, the device authenticates users according to the outage policy so that they can go online. The outage policy supports two methods: open authentication and password based.

4. In the managed authentication state, a user who goes online on the controller is not synchronously brought online on the authentication system, but a user who logs off on the controller can be synchronously logged off on the authentication system.

5. The managed authentication supports four authentication policy methods: MAC authentication-free, open authentication, password authentication, and authentication not allowed.

6. The managed authentication also supports the scenario in which the control device acts as the proxy server, as well as HTTPS proxy, HTTP proxy, and SOCKS5 proxy scenarios.

7. The managed authentication supports IPv6 addresses.


Check Enabled to enable the functions.

Auth System IP: Enter the IP address of the unified authentication system. IPv4 and IPv6 are supported.

Access Token: Must match the secret key configured in the unified authentication system settings.

Auth System Port: TCP port 390 by default; it can be customized in the authentication system.

The configuration of Access Token and Communication Port in the authentication system is defined in Access Mgt > Authentication > Correlation Connection > Controllers, as shown below:

Redirection Port: The port used for the authentication redirection page, TCP port 80 by default; it can be customized.

LDAP Service Port: The unified authentication system can be used as an LDAP server; the default port is TCP port 389.

Outage mechanism: After Managed Authentication is enabled, Authentication Outage Remediation is supported. When the authentication system is offline, the device authenticates users according to the outage policy so that they can go online. The outage policy supports two methods: open authentication and password based.

Open Authentication: IP address, MAC address, or computer name can be selected as the username.

Password Authentication: Select the authentication server, the authentication page, and whether to skip after authentication. For the configuration method, refer to 3.6.2.1.2 Add Authentication Policy.

Alternate Group (post outage): The user group in which users authenticated under the outage policy go online.

Click Test Validity: This option tests communication between the device and the unified authentication system.

After configuration, click Commit; the following message is displayed:

After confirming and submitting, the device is displayed as managed by the authentication system and can jump to the authentication system, as shown below:

Meanwhile, the unified authentication system displays the device access status:

Clear Enabled and click Commit; the following message is displayed. Please operate carefully.

3.5.3 Endpoint Check


The primary function of endpoint check is to perform a security check and
control endpoint behavior after the user accesses the endpoint.

Security inspection currently supports inspection rules such as operating system inspection, process inspection, file inspection, registry inspection, scheduled task rules, patch inspection, etc. After inspection, access is controlled according to the inspection results.

Control scenarios include external connection control, peripheral control, etc. The IAG checks whether the endpoint has an unauthorized connection to the external network; if a violation is detected, the endpoint's network card is disabled to implement access control. The checks include dial-up check, wireless network card check, and external network connection check.

Configuration process

The general process for the administrator to configure an endpoint check policy is as follows:

1. In Access Management > Endpoint Check > Check Rules, select and configure the rules.

2. Configure the check policy, including the name of the policy (required),
description information (optional), select the ingress client based on the
checking policy, set applicable objects, and advanced configuration.

3. Configure the action after violation of rule.

3.5.3.1 Check Policies

The role of the check policy is to check and control the compliance and illegal
outreach of all endpoints. The configuration of the policy is first customized
according to the settings of the check rules. The following are the steps to check
the configuration of the policy.

Step 1. After configuring the check rule settings, create a new policy in Access
Management/Endpoint Check/Check Policy in the navigation menu, click to
enable the policy, and enter the policy name and description information.

Step 2. In the policy settings, choose Ingress Client Based. Check the corresponding check rules that have been configured and click Add. Select the type of rule created before, select the effective time as needed, and click OK.

Step 3. On the Objects page, select the users for which the policy takes effect.
You can select the objects to be checked according to the user, location,
endpoint type, and destination.

Step 4. On the Advanced page, you can set the expiration time of the policy, the viewing and editing permission settings of administrators at the same level, and whether to allow lower-level administrators to view it.

Step 5. Click Commit to complete the configuration of the check policy function.

3.5.3.1.1 Check Policy Management

The administrator can delete, batch edit, enable and disable, import/export, and move up/down check policies; all check policies can be filtered and selected.

3.5.3.2 Check Rules

Check rules are ingress client-based. To apply ingress client-based rules, the endpoint must have the ingress plug-in installed.

3.5.3.2.1 Ingress Client Based

Step 1. In Access Management/Endpoint Check/Check Rule/Ingress Client Based, click Add to add the check rule to be configured.

Step 2. Fill in the rule name and rule description, select the rule type from the menu or directly enter a custom rule type name in the dialog box, and then select the configuration items to be checked according to the rule type.

Rule Name: Rule Description

Anti-Virus Software Based Rule: The antivirus software checked mainly includes 360 Antivirus, Rising Antivirus, Kingsoft Internet Security, Tencent Computer Manager, 2345 Security Guard, Rising Personal Firewall, Xiaohong Umbrella, Kaspersky, Avast, Symantec (SEP), Trend Antivirus, Norton Antivirus, McAfee (MSC), Windows Defender, Microsoft Antivirus, Jiangmin Antivirus, Panda Guardian, Tinder Internet Security, Big Spider Kill, etc.

Login Domain Based Rule: Must log in to the domain; must log in to the specified domain (the domain can be customized).

Operating System Based Rule: Windows XP, Windows 2003, Windows 7, Windows 8, Windows 10, Windows 2012 R2, Windows 2016, Windows Vista, Windows 2008 R2, Windows 2008.

Process Based Rule: Process name, window name, program path. Process status: running and not running. Advanced conditions: the MD5 value and size of the matching program can be set.

File Based Rule: File path: the storage path. File status: file exists, and file does not exist. Advanced conditions: set the MD5 value, file size, and update date of the matching file (as the number of days by which it may lag behind the current date).

Registry Based Rule: Registry entries, entry names, entry data. Entry status: yes and no.

Task Based Rule:
Execute program: 1. Enter the program path or click to upload the file. 2. Configure the parameters required for running the program, to be used together with the above program.
Schedule execution: 1. Periodic operation: the minimum time interval is 40 seconds. 2. Run once: run when the access program is started on the computer.
Execution permission: 1. Execute with the current user's permission. 2. Execute with SYSTEM user authority.
Result check: 1. The result is returned without inspection. 2. Check the returned result.

Patch Based Rule: Detect according to the specified level; detect according to the specified patch; handle violations when obtaining PC patch information and identification.

Access Check: Dial-up behavior, wireless network port, dual network card behavior, 4G network card, connection to the external network, custom external connection, connection to illegal WIFI, use of illegal gateway.

Access control: Only the following addresses can be accessed; the following addresses cannot be accessed.

External Device Control: Forbidden device types: storage devices, network devices, Bluetooth devices, cameras, printers. Fine control: U disk and mobile hard disk access: readable and writable, rejected, readable, alarm. Portable device access: allow, disable, alarm.

Windows Account Based Rule: It is forbidden to log in to the computer as the super administrator of the computer (an account belonging to the Administrators group); otherwise, the computer is prohibited from accessing the Internet.

Anti-Defacement Rule: Checks whether the user has changed the MAC address or the IP address of the PC.

Table 2: Rule name table

Step 3. Configure the violation action and select the corresponding violation action according to the different check rules. Click Commit to complete the configuration.

Check Rule: Violation

Anti-Virus Software Based Rule: Prohibiting Internet access and prompting users, prompting users, fixing violations, restricting user rights, and customizing the prompt content.

Login Domain Based Rule: Prohibiting Internet access and prompting users, prompting users, only recording results, limiting user rights, and customizing the prompt content.

Operating System Based Rule: Prohibiting Internet access and prompting users, prompting users, only recording results, and customizing the prompt content.

Process Based Rule: Prohibit Internet access and prompt the user, stop the process, prompt the user, only record the result, customize the prompt content.

File Based Rule: Prohibit Internet access and prompt users, delete files, prompt users, only record results, and customize the prompt content.

Task Based Rule: Prohibit Internet access and prompt the user, delete this item, prompt the user, only record the result, customize the prompt content.

Registry Based Rule: Prohibit Internet access and prompt users, prompt users, and only record results.

Patch Based Rule: Prompt the user and only record the result.

Access Check: Send alert emails, disconnect the network, and customize the reminder content.

External Device Control: Whitelist setting; the ID of the corresponding device should be added to the whitelist.

Table 3: Rule Table


1. When configuring the check policy, the rule type that is added is the name entered as the check rule type. Therefore, it is recommended to fill in the rule type so that the rule can be matched when it is referenced later.

2. Operating system check: The patch package requires SP2 or above for Windows XP; there are no other requirements.

3. File inspection: A rule matches only files that satisfy all of its configured conditions at the same time.

4. Patch package detection: This rule does not support Windows XP, Windows Server 2003, and earlier operating system versions. When checking at the specified level and detecting the specified patch simultaneously, any violation detected by either method counts as a violation.

5. Access check rules: Illegal WIFI and illegal gateways have whitelist settings.

6. External device control rules: Windows XP and all home edition systems have no group policy and do not support group policy management and control; fine control supports only Windows 7 and above, regardless of whether it is a home edition; fine control applies only to USB storage devices (U disks, mobile hard disks, and portable devices).

3.5.3.2.2 Combined Ingress Rule

Step 1. In Endpoint Check/Check Rule/Ingress Client Based, click Combined Ingress Rule, and click Add to add a combination rule.

Step 2. Fill in the rule name and rule description. The rule type can be selected from the menu, or you can directly enter the name of a custom rule type in the dialog box. This rule type is used when the rule is added to a check policy later. The combination rule can be set to match either when all of its rules are satisfied or when any one of its rules is satisfied.

Step 3. In the combination rule settings, select the rules to be included and click Add to add them to the selected rules. If there are no rules to choose from, first create operating system rules, process rules, file rules, registry rules, scheduled task rules, patch package detection rules, or Windows account rules under the endpoint ingress client-based check rules.

Step 4. Operation after violation: Reject request and alert, give an alert, or log event only. You can also click Prompt Text to customize the prompt content.

Step 5. Click Commit to complete the combination rule configuration.


The combination rule function only supports operating system rules, process rules, file
rules, registry rules, scheduled task rules, patch package detection rules, and Windows
account rules. Other rules currently do not support the combined ingress rule.
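The File Based Rule conditions from the rule table above (path, existence, MD5, size, update-date lag) and the all/any combination from the Combined Ingress Rule steps, as an added Python example rather than the ingress client's own code; the rule fields, the temporary sample files and the 7-day freshness threshold are constructed.

```python
"""Evaluate File Based Rules and a Combined Ingress Rule ("all" / "any")
as the endpoint check tables describe them.  Added example, not Sangfor
code; the sample files are created in a temporary directory."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileRule:
    """One File Based Rule (field names are this example's, not the UI's)."""
    name: str
    path: str                            # File path: the storage path
    must_exist: bool = True              # File status: exists / does not exist
    md5: Optional[str] = None            # Advanced: expected MD5 (hex)
    size: Optional[int] = None           # Advanced: expected size in bytes
    max_age_days: Optional[int] = None   # Advanced: update date may lag the
                                         # current date by at most N days


def file_md5(path: str) -> str:
    """MD5 of a file, read in chunks so large files are not loaded at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_file_rule(rule: FileRule, now: Optional[float] = None) -> bool:
    """True if the endpoint complies with the rule, False on violation.
    Every configured condition must hold at the same time."""
    now = time.time() if now is None else now
    exists = os.path.isfile(rule.path)
    if not rule.must_exist:
        return not exists                # satisfied only by absence
    if not exists:
        return False
    if rule.md5 is not None and file_md5(rule.path) != rule.md5.lower():
        return False
    if rule.size is not None and os.path.getsize(rule.path) != rule.size:
        return False
    if rule.max_age_days is not None:
        age_days = (now - os.path.getmtime(rule.path)) / 86400
        if age_days > rule.max_age_days:
            return False
    return True


@dataclass
class CombinedRule:
    """Combined Ingress Rule: 'all' needs every sub-rule to hold,
    'any' is satisfied when any one sub-rule holds."""
    name: str
    rules: List[FileRule]
    mode: str = "all"


def check_combined_rule(combined: CombinedRule,
                        now: Optional[float] = None) -> bool:
    results = [check_file_rule(r, now) for r in combined.rules]
    if combined.mode == "all":
        return all(results)
    if combined.mode == "any":
        return any(results)
    raise ValueError(f"unknown combination mode {combined.mode!r}")


def run_demo() -> dict:
    """Build a constructed endpoint layout in a temporary directory and
    evaluate three file rules plus both combination modes.
    Returns rule name -> True (compliant) / False (violation)."""
    with tempfile.TemporaryDirectory() as root:
        agent_conf = os.path.join(root, "agent.conf")
        signatures = os.path.join(root, "signatures.dat")
        with open(agent_conf, "wb") as fh:
            fh.write(b"managed=1\n")       # 10 bytes
        with open(signatures, "wb") as fh:
            fh.write(b"old")
        stale = time.time() - 30 * 86400   # back-date by 30 days
        os.utime(signatures, (stale, stale))

        rules = [
            FileRule("agent config present", agent_conf,
                     md5=file_md5(agent_conf), size=10),
            FileRule("signatures fresh", signatures, max_age_days=7),
            FileRule("unapproved tool absent",
                     os.path.join(root, "unapproved.exe"), must_exist=False),
        ]
        results = {r.name: check_file_rule(r) for r in rules}
        results["combined (all)"] = check_combined_rule(
            CombinedRule("all file rules", rules, "all"))
        results["combined (any)"] = check_combined_rule(
            CombinedRule("any file rule", rules, "any"))
        return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{'compliant' if ok else 'VIOLATION':9}  {name}")
```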

3.5.3.2.3 Check Rule Management

In Endpoint Check/Check Rules, the administrator can delete, batch edit, and
import/export ingress client-based check rules. Combined ingress rules only
support the delete and edit operations.

1. A rule that is referenced by a check policy cannot be deleted directly; to delete it, first remove the reference to the rule from the check policy.

2. Built-in check rules cannot be exported.

3. The imported rule file must be in zip format, must include the IngressRuleExport.conf file, and the IngressRuleExport.conf file must be at the outermost level.

3.5.3.3.4 Traffic Based

Step 1. In Access Management/Endpoint Check/Check Rule/Traffic Based, click Add to add the inspection rule to be configured.

Step 2. Fill in the rule name and rule description. The rule type can be selected
from the menu, or you can directly enter a custom rule type name in the dialog
box.


Step 3. In the check item configuration, you can choose personal antivirus software or enterprise antivirus software. Personal antivirus software has defined traffic characteristics for the device, and enterprise antivirus software has a designated server address. Whether the antivirus software is installed can be judged by checking whether the terminal generates the corresponding traffic.

Personal antivirus software

You can choose to check the following antivirus software: 360 Security Guard and 360 Antivirus, Kingsoft Internet Security, Tinder security software, Tencent Computer Manager, Xiaohong Umbrella, Kaspersky, Symantec.

Violation judgment condition: Based on the default time set for each antivirus software, check whether the antivirus software's traffic is present. The configured time cannot be less than the default value.

Enterprise Edition Antivirus Software

The antivirus software that can be selected for detection includes: EDR, 360 Tianqing, Kaspersky, Symantec, and custom enterprise antivirus.

Violation judgment conditions: These need to be set according to the update frequency of the enterprise antivirus configuration. For EDR, the default is that failing to detect the antivirus for more than 1 minute is a violation; 5 minutes is recommended. Each application has a different minimum default value, and the user configuration must be greater than the default value.

Step 4. Deal with violations. You can choose: only record the results or
periodically redirect to the specified URL for repair. If you choose to redirect to
the specified URL for repair periodically, you need to configure the redirection
configuration: redirect URL and redirection interval.

Step 5. Click Submit to complete the configuration of traffic detection rules.

3.5.3.4 Endpoint Check Configuration Case

Operating system scenario introduction

When an enterprise only allows employees to use the XP operating system, the
operating system of the access endpoint is checked for compliance, and the
compliant operating system can normally access the Internet. There are three
ways to deal with non-compliant endpoints: reject Internet access and alert,
give alert, and log event only.

Configuration steps:

Step 1. In Access Management/Endpoint Check/Check Rules/Ingress Client Based, click Add to add an Operating System Based Rule.


Step 2. Fill in the rule name, rule type, and rule description on the operating system rules page, and check the corresponding operating systems. Operating systems selected here are compliant; those not selected are in violation. Taking Windows XP as an example, only XP is allowed, and all other unchecked systems are violating systems.


Step 3. The actions on violation include: reject the request and alert, give alert, and log event only. You can also click Prompt Text to customize the prompt content.

Step 4. After completing the check rule settings, create a new policy in Access
Management/Endpoint Check/Check Policy in the navigation menu, enter
the policy name and description information, check the ingress client-based,
and click Add. Select the previously created operating system rule, select the
effective time as needed, and then click OK.

Step 5. On the Objects page, select the users for whom the policy takes effect.
You can choose according to the user, location, endpoint type, and destination.

Step 6. On the Advanced page, you can set the expiration time of the policy,
the viewing and editing permission settings of the same level administrators,
and whether to allow lower-level administrators to view it.

Step 7. Click Commit to complete the configuration of the operating system detection function. The operating system check policy then appears in the check policy list.

Step 8. When the user is not using the specified operating system, access to the Internet is prohibited.

Step 9. The device pops up a reminder of the violated rule: OS.

3.5.4 Ingress Client Settings


The ingress client configuration sets the relevant parameters of device access, including ingress client authentication configuration, ingress client push configuration, ingress client download, ingress rule exclusion, etc. The endpoint check policy references the configuration made here.

Ingress client authentication configuration


⚫ There are two ways to authenticate via ingress client: enable the 802.1X
function of the ingress client and enable the portal authentication function
of the ingress client authentication (automatic online function enabling is
optional).

⚫ Set ingress client uninstall password: Check this option to enable the ingress
client anti-uninstallation function. Uninstalling the ingress requires a
password to complete the uninstallation. The anti-uninstallation takes effect
only after the endpoint successfully obtains the check policy.

⚫ Set ingress client to find gateway address: automatically obtain gateway and
specify gateway address.

How to configure the gateway address: find the installation path C:/ProgramFiles/Sangfor/Ingress3.0.0, open zrclient.exe, click Advanced Options, and configure the address of the IAG device.

When the device is deployed in bypass mode, it finds the IP address automatically. We recommend that you check Set Ingress Client Gateway Address and fill in the gateway address manually.

Remind users to install Ingress Client

After this option is selected, it takes effect for all endpoints, including endpoints that cannot run the ingress client, such as Mac, mobile, and dumb endpoints.

If the non-Windows endpoint option is not checked, the client is not pushed to non-Windows endpoints; it must be installed manually by the administrator or pushed through the AD domain.

⚫ As the check failed, Internet access is prohibited: After checking, the Internet
access of the endpoint that does not install the ingress client is prohibited.

⚫ Allow Internet access: After checking, the endpoint that does not install the
ingress client is allowed to access the Internet.


Download Ingress Client

After updating the ingress client function configuration, click Commit to download. There are two ways to install the ingress client: MSI installation package and EXE installation package. (The document describing the AD domain transparent installation of the ingress client is included in the installation package.)

1. The ingress client installed by MSI cannot prevent uninstallation and is usually used in
conjunction with domain control push.

2. The EXE package is used for the anti-uninstallation of the ingress client, and it needs to be
used in conjunction with the set ingress client uninstallation password.

Ingress Rule Exclusion

Ignore the patches detected by the patch check rules at the specified
level without prompting and network control.

3.6 Online Activities


On the Online Activities page, you can set and manage Internet
access policies based on the user type, user location, endpoint
device, and target area.


3.6.1 Access Control


On the Access control page, administrators can set different Internet
access policies based on the permission assignment conditions of
intranet users.

3.6.1.1 Introduction to Access Control

3.6.1.1.1 Access Control

Access control consists of three modules: Access Control, mail filtering, and QQ number whitelist, as shown in the following figure.

Application includes: Application, Service, Proxy, Search Keyword, File Type, and SaaS
Options


Application: The IAG has an application rule library set for all types of common
network applications and a URL Database set for websites (for details, see sections
3.5.1–3.5.4). The Application module references these rules to implement
permission control on network applications and websites.

Permission control for websites falls into four types: Website Browse, File Upload,
Other Upload, and HTTPS.

In permission control for website browse, the IAG detects the URLs of visited
websites and controls website access behaviors. The URLs are referenced from
the URL groups defined on the page displayed after choosing System > Objects >
URL Database.

The IAG has embedded URL groups. Dedicated personnel collect and classify a
large number of URLs. Embedded URL groups can be referenced. In addition,
custom URL groups can be defined. For details, see section 3.5.4.

In control of file upload and other upload, the IAG filters the uploading of files through HTTP POST, or of other content, based on URL groups.

HTTPS permission control is about filtering websites visited through HTTPS. Like permission control for website browse, HTTPS permission control is also performed based on URL groups defined on the page displayed after choosing System > Objects > URL Database. They differ in the URL detection mode. When a user visits a secure website through HTTPS, data is encrypted, and the IAG cannot detect the URL. Generally, the URL of a secure website is the same as the address specified in Issued To of the SSL certificate. Therefore, the IAG can read this value from the SSL certificate to obtain the URL of the visited secure website. To define the URL of an HTTPS website, set the URL based on the value of Issued To in the certificate presented by the website.
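The Issued To matching described above, as an added Python example that is not part of the manual or of the IAG code: it reads the subject commonName from a certificate in the dict layout Python's ssl module returns, matches it against URL-group entries, and shows why an entry has to be written from the Issued To value rather than from the address the user typed. The sample certificates, the URL-group entries and the one-label wildcard semantics are assumptions.

```python
"""Identify an HTTPS site from the certificate's Issued To value and match
it against URL-group entries, without decrypting traffic.  Added example,
not Sangfor code; certificate subjects and URL-group entries are constructed."""


def issued_to(peercert):
    """Return the subject commonName ('Issued To') from a certificate in the
    dict layout produced by ssl.SSLSocket.getpeercert(): 'subject' is a
    tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value.lower()
    return None


def name_matches(name, pattern):
    """True if a host name matches a URL-group entry: exact match, or a
    leading '*.' that covers exactly one DNS label (assumed here, the
    same convention TLS certificates use for wildcard names)."""
    name, pattern = name.lower(), pattern.lower()
    if name == pattern:
        return True
    if pattern.startswith("*.") and name.endswith(pattern[1:]):
        return name.count(".") == pattern.count(".")
    return False


def https_action(peercert, url_group, default_action="allow"):
    """Decide the action for one HTTPS connection.

    url_group maps URL-group entries to an action.  The only name the
    device can see is the certificate's Issued To value, so an entry that
    names the host the user typed will not match when the certificate is
    issued to a different name (a wildcard or a shared hosting name).
    Returns (action, matched_entry)."""
    name = issued_to(peercert)
    if name is None:
        return default_action, None       # no usable subject: fall through
    for entry, action in url_group.items():
        if name_matches(name, entry):
            return action, entry
    return default_action, None


# Constructed sample certificates (subject only; nothing else is needed).
CERT_WILDCARD = {"subject": ((("countryName", "US"),),
                             (("organizationName", "Example Corp"),),
                             (("commonName", "*.example.com"),))}
CERT_SHOP = {"subject": ((("commonName", "shop.example.org"),),)}

# Constructed URL group: the first entry is written from the Issued To
# value and matches; the second names the typed address and does not.
URL_GROUP = {"*.example.com": "deny", "www.example.org": "deny"}

if __name__ == "__main__":
    for cert in (CERT_WILDCARD, CERT_SHOP):
        print(issued_to(cert), "->", https_action(cert, URL_GROUP))
```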

Service involves detecting the IP address, protocol ID, and port number of packets to control Internet access data. You can choose System > Objects > URL Database and define target IP groups, and choose System > Objects > Service and define target protocols or ports (for details, see sections 3.5.6 and 3.5.7). These defined objects are referenced in port control to control Internet access data.

Proxy includes whether to allow an external HTTP proxy and an external SOCKS4/5 proxy, and whether to detect shared Internet access. To prevent applications from transmitting data over the standard HTTP port (TCP 80) or SSL port (TCP 443) to escape the restrictions of the IAG, you can select Not allow other protocols on standard HTTP or SSL port.

Search Keyword falls into two types: search keyword filtering and HTTP uploading. In search keyword filtering, the IAG performs filtering or generates alarms based on search keywords. In HTTP uploading, the IAG performs filtering or generates alarms based on keywords in HTTP uploads. The referenced keywords are defined on the page displayed after choosing System > Objects > Keyword Group (for details, see section 3.5.10). The two types of filtering apply to all HTTP websites and cannot implement keyword-based filtering or alarming for specified URLs.

In File Type, the IAG can filter files uploaded or downloaded through HTTP or FTP. The referenced file types are defined on the page displayed after choosing System > Objects > File Type Group (for details, see section 3.5.11).

SaaS Options: The configuration documents are provided on this device and are not
repeated in this manual. The corresponding function post in the Sangfor community is as
follows: http://bbs.sangfor.com.cn/forum.php?mod=viewthread&tid=65956

Email involves filtering emails sent and received by clients on the intranet through SMTP or
POP3. The IAG can filter mails by the sending address, recipient address, mail subject, or
text keyword.

If a QQ Whitelist is defined, only QQ numbers in the whitelist can be used, and therefore no
QQ blocking policy needs to be configured. The whitelist function is compatible with both PC
QQ client and mobile QQ client.

3.6.1.2 Adding Object for Access Control

Network access objects and Internet access policies are independent elements on the IAG. An Internet Access Policy is valid only after being associated with specific Internet access objects.

There are several types of Internet access objects on the IAG.

The Internet access objects with which Internet access policies can be associated are listed on the Object tab page, as shown in the following figure.


There are four types of objects: User, Location, Endpoint Device, and
Destination.

User: including Local Users, Domain User, Security Group, Domain Attributes, User Attributes, and Source IP.

Location: Locations are classified by IP address segment, wireless network, or VLAN.

Endpoint Device: types of Internet access devices, including mobile devices, PCs, and multipurpose devices.

Target area: target IP address range.

1. The four types of objects have the AND relationship. For example, you can select user IT
Department in Users, All in Location, PC in Endpoint Device, and All in Destination. This
policy applies to user tests with the endpoint device PC on the IP address segment at the
R&D headquarters. The object set is displayed on the Selected pane.


2. If any of the four object types are not specified, this type is not used as a filtering
condition. For example, if no location is specified, the location is not a filtering condition.

3. If none of the four object types is specified, this policy is blank. It is not associated with
any user and is not effective to any user.

There are six user types: Local Users, Domain User, Security Group,
Domain Attributes, User Attributes, and Source IP.

If a user is synchronized to the IAG, added to the IAG by an authentication policy, or created on the IAG, the user is a local user. A local user can be selected in Local Users.

Domain User, Security Group, and Domain Attributes are displayed only if
an LDAP server is configured.

In Domain User, all configured LDAP servers are listed as OU groups. You can select OU groups or users in Domain User.

In Security Groups, all configured LDAP servers are listed as OU groups. However, you can select only security groups in Security Groups, and cannot select domain users or OU groups.


In Domain Attributes, you can select users meeting specified attributes on the
LDAP server. On the Domain Attributes page, click Add. In the Add Domain
Attribute dialog box, set attribute conditions. A maximum of five conditions
can be set. The conditions have the AND relationship.

In User Attributes, you can select users meeting specified attributes. On the
User Attributes page, click Add. In the Add User Attributes dialog box, set
attribute conditions. A maximum of five conditions can be set. The conditions
have the AND relationship.

In Source IP, you can select a source IP address range of intranet users.

1. The Users type includes Local Users, Domain User, Security Groups, Domain Attributes,
User Attributes, and source IP addresses. The user types have the OR relationship instead of
the AND relationship. For example, if you select local user A and domain user B, the policy
applies to both users.


2. Domain Users, Security Groups, and Domain Attributes are displayed only if an LDAP
server is configured.

The procedure for adding an Internet Access Policy for a specific object is as
follows: When creating this Internet Access Policy, you can directly add objects
for this policy.

1. On the Policies page, click Add.

2. Click Object, select an object type and then select a user group or
user. The selected user/user group is displayed on the Selected pane.

3. Click Commit.

The procedure for adding an Internet Access Policy (only local users)
on the User Management page is as follows:

Choose Users > Local Users. Select a user group named Marketing
Department in User Group.

On the Member and Policy pane, click Policies.


Click Add. In the Add dialog box, select Access Control for Marketing
Department, and the option Recursive pass down to its subgroups to apply
the Internet Access Policy to child groups. If this option is not selected, this
policy does not apply to child groups. However, it will still apply to member
users of this user group and child groups added later. Click OK.

On the Policies tab page, view the list of policies associated with the user
group. The Pass Down column indicates whether a policy applies to all
member users and child groups.

You can change the Internet Access Policy of a single user on the Online users
page. The procedure is as follows:

Choose Status > Users. On the Members pane, select user test for which an
Internet Access Policy is added or edited.


Click the username. The editing page is displayed.

On the Policies tab page, click Add and select an Internet Access Policy
associated with the selected user.


On the Online Users page, you can edit or modify the Internet Access Policy of a non-
temporary user. If you click the username of a temporary user in the online users list, you
can only view the policy result set of this user. You cannot edit the Internet Access Policy of
the user.

3.6.1.3 Viewing Network Access Policies of Users

Choose Access Mgt > User Management > Local Users, and you
can view the Internet access policies associated with local users and
domain users. See the following figure.

Click Policies next to a user group. The names of all Internet access
policies associated with the user group are displayed.

Click View Resultant Set to display the policy combination results, as shown in
the following figure.


Choose Status > Users, and you can view the Internet access policies of online
users.

Click the username of a user whose Internet Access Policy is to be viewed. The
page shown in the following figure is displayed.


If the online user is temporary, you can only view the Internet Access
Policy of this user and cannot edit the policy.


1. On the page displayed after you choose Access Mgt > User Management > Local
Users, the location and endpoint attributes are not shown in the listed
Internet access policies.

2. On the page displayed after you choose Status > Users, the Internet
Access Policy of the current user matching the current location and
endpoint device is shown.

3.6.1.4 Matching Network Access Policies

If a user or user group is associated with multiple policies, the
policies are matched in a particular order. Overlay policies are
matched from the top down. For non-overlay policies, only the first
valid policy is matched.

Overlay policies include Access Control, port control, web keyword
filtering, web file type filtering, QQ number whitelist, flow quota,
Internet access online duration quota, traffic rate limit, concurrent
connection limit, Ingress policies, and application audit. The following
figure shows the matching sequence of Internet access permission
policies.


Other overlay policies are matched from the top down.

Non-overlay policies include proxy control, SSL content identification,
mail filtering, Flow/Online Duration, webpage content audit, Bulletin
Board, and online endpoints. The first valid non-overlay policy
prevails.

If the sequence of policies on the Policies page is adjusted, the policy sequence on the page
displayed after you choose Users > Policies is changed accordingly.
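The object-matching rules of section 3.6.1.2 (four object types AND'ed, user types OR'ed, an unspecified type is not a filter, a policy with no object is blank) and the matching order above (overlay policies stacked top down, first valid non-overlay policy per type prevails) as a small model in Python. This is an added example, not Sangfor code; the Session and Policy structures, the CIDR notation for Source IP and Destination, and all sample values are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Session:
    """One online user's attributes (constructed sample values, not IAG data)."""
    user: str
    groups: frozenset          # local user groups, LDAP OU groups, security groups
    src_ip: str
    location: str
    device: str                # "PC", "Mobile Device" or "Multipurpose Device"
    dst_ip: str
    attributes: dict = field(default_factory=dict)   # LDAP user attributes


@dataclass
class Policy:
    name: str
    kind: str                  # policy type, e.g. "Access Control", "Proxy Control"
    overlay: bool              # overlay kinds stack; for others the first valid one prevails
    objects: dict              # keys: User, Location, Endpoint Device, Destination
    enabled: bool = True       # an object type that is absent or empty is not a filter


def user_entry_matches(kind, value, s):
    """One entry of the User object. Entries of different user types are OR'ed."""
    if kind in ("Local Users", "Domain User", "Security Group"):
        return value == s.user or value in s.groups
    if kind == "Domain Attributes":            # up to five conditions, AND'ed
        if len(value) > 5:
            raise ValueError("a maximum of five attribute conditions can be set")
        return all(s.attributes.get(k) == v for k, v in value.items())
    if kind == "Source IP":                    # CIDR notation is assumed here
        return ip_address(s.src_ip) in ip_network(value, strict=False)
    raise ValueError(f"unknown user type {kind!r}")


def policy_matches(p, s):
    """The four object types have the AND relationship; an unspecified type is
    not a filtering condition; a policy with no object at all is blank and
    matches no user."""
    specified = {k: v for k, v in p.objects.items() if v}
    if not p.enabled or not specified:
        return False
    checks = {
        "User": lambda v: any(user_entry_matches(k, x, s) for k, x in v),
        "Location": lambda v: s.location in v,
        "Endpoint Device": lambda v: s.device in v,
        "Destination": lambda v: any(
            ip_address(s.dst_ip) in ip_network(n, strict=False) for n in v),
    }
    return all(checks[k](v) for k, v in specified.items())


def effective_policies(policies, s):
    """Walk the policy list top down: every matching overlay policy applies,
    while for each non-overlay kind only the first valid match prevails."""
    result, seen_kinds = [], set()
    for p in policies:
        if not policy_matches(p, s):
            continue
        if p.overlay:
            result.append(p.name)
        elif p.kind not in seen_kinds:
            seen_kinds.add(p.kind)
            result.append(p.name)
    return result


# Constructed sample policy list (list order is the matching order).
POLICIES = [
    Policy("IT-reject-P2P", "Access Control", True,
           {"User": [("Local Users", "IT Department")], "Endpoint Device": {"PC"}}),
    Policy("Finance-or-HQ-net", "Access Control", True,
           {"User": [("Domain Attributes", {"department": "Finance"}),
                     ("Source IP", "10.1.0.0/16")]}),
    Policy("Blank-policy", "Access Control", True, {}),    # no object: never effective
    Policy("Proxy-HQ", "Proxy Control", False, {"Location": {"HQ"}}),
    Policy("Proxy-any-10-net", "Proxy Control", False,
           {"User": [("Source IP", "10.0.0.0/8")]}),
]

SESSION = Session(user="test", groups=frozenset({"IT Department"}), src_ip="10.1.2.3",
                  location="HQ", device="PC", dst_ip="200.200.200.10")

if __name__ == "__main__":
    print(effective_policies(POLICIES, SESSION))
    # → ['IT-reject-P2P', 'Finance-or-HQ-net', 'Proxy-HQ']
```

Proxy-any-10-net also matches the sample session but is dropped because Proxy-HQ, the first valid policy of the same non-overlay kind, already prevails.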

3.6.1.5 Adding Policies

3.6.1.5.1 Adding Network Access Permission Policies

The procedure for setting an Internet access permission policy is as follows:

1. On the Access control page, click Add and choose Access Control.


2. On the Access control page, select Enabled. If this option is not selected,
the added policy will not take effect.

3. Enter the policy name and description. The policy name uniquely identifies
a policy. It is mandatory and must be unique. The description is a summary
of the policy and is optional.

4. On the Option tab page, set the Internet access permission policy as
required. On the Access Control pane, select a control type and set details
on the right pane. Access Control consists of three control modules:
Application, Email, and QQ Whitelist. For more information, see the
following sections.

5. On the Object tab page, set the applicable user, location, endpoint device,
and destination for this policy.

6. On the Advanced tab page, set the expiry date, whether to allow other
administrators of the same level to view and edit the policy, and whether
to allow lower-level administrators to view the policy.

If Never Expire is selected, the policy will be valid permanently. If
Valid till is selected and a date is set, for example, 2016-06-01, the
policy will expire after January 1, 2016.


In Privilege of Admin in Same Role, set whether to allow other
administrators of the same level to view and edit the policy. If two
administrators are of the same role on the page displayed after you
choose System > General > Administrator, they are of the same
level. If only View is selected, another administrator of the same level
can view this policy but cannot edit it. If Edit is selected, another
administrator of the same level can view and edit this policy by
default. The jurisdiction scope of this administrator must be the same
or wider. For details about the precautions, see section 3.2.4.2.

If Give view privilege to administrator in lower-level role is
selected, a lower-level administrator can view this policy but cannot
modify it. A lower-level administrator refers to an administrator
whose role specified on the page displayed after you choose System
> General > Administrator is lower than the administrator that
creates this policy.

7. Click Commit.

3.6.1.5.1.1 Access Control

3.6.1.5.1.1.1 Application

A. Application

The IAG has an application rule library set for all types of common network
applications and a URL Database set for websites (for details, see sections
3.5.1–3.5.4). The Application module references these rules to implement
permission control on network applications and websites.


The Application module can detect packet contents to control applications. You
need to set control policies for identified and unidentified applications, such as
P2P applications, QQ, and mail applications.

The Application module can also filter website access behaviors, including
HTTP URL filtering, HTTPS URL filtering, and HTTP uploading filtering.

The following introduces the procedures for configuring Access Control based
on application types and configuring HTTP URL filtering.

i. Control based on application types

The following is a configuration example of rejecting P2P applications.

1. Select Application. Click Add and choose Application. Click below
Application. The Application Signature, Advanced App Signature,
custom applications, and schedule groups are referenced. For details,
see sections 3.5.1–3.5.3 and section 3.5.9.


2. On the Select Applications page, select P2P.

3. Return to the Application tab page, set Action to Reject, Schedule to All
Day, and click OK. The policy for rejecting P2P applications is set
successfully. For details about setting the effective time, see section 3.3.6.

4. To modify the Access Control policy, select P2P and click Delete to delete
the policy. You can also select Allow in Action, or select Reject. Click Up or
Down to change the priority of the policy. A policy with a smaller priority
value will be preferentially matched.

5. If only Access Control is required, click Commit. If other types of policies
need to be edited, continue with the procedure.


By default, the IAG allows access to applications for which no control policy is set.

ii. HTTP URL filtering

Configure the IAG to control website access behaviors by detecting the
URLs of visited websites. Example: Set a policy to prevent users from
accessing e-banks and bank websites during working hours.

1. Select Application. Click Add and choose Application. Click below
Application.

2. In the Select Application window, find the Visit Web Site type, and select
Internet Banking and Bank Website under Finance.

3. Return to the configuration page, set Action to Reject and Schedule to
Office Hours, and click OK. For details about how to set the schedule, see
section 3.5.8. The policy is set successfully.

For file uploading and other uploading control, the IAG filters file uploads through HTTP
POST and other uploaded content based on URL groups.

iii. HTTPS URL filtering

HTTPS URL filtering involves filtering websites that are visited over
HTTPS. For example, you can configure a policy to prevent intranet
users from accessing the encrypted website https://mail.google.com/.

The procedure for setting a policy to reject access to Gmail all day is as follows:

1. In the URL Database, no URL group is specific for Gmail. Therefore, set
a URL group and add the URL of Gmail before setting the policy.

2. Choose System > Objects > URL Database and click Add. On the Add
URL Category page, enter the URL group name, description, and URL.
In URL, enter the value of Issued To in the SSL certificate issued by the
website. HTTPS URLs support wildcards. Therefore, enter
*.google.com.


3. Select Access Control. Click Add and choose Application. Click below
Application.


4. In the Select Application window, find the Website Access type and
select HTTPS under Gmail.

5. Return to the configuration page, set Action to Reject and Schedule to All
Day and click OK. For details about how to set the effective time, see
section 3.3.8. The policy of preventing access to Gmail all day is set
successfully.

When a user visits a secure website through HTTPS, data is encrypted, and the IAG cannot
detect the URL. Generally, the URL of a secure website is the same as the address specified
in Issued To of an SSL certificate. Therefore, the IAG can detect this value in the SSL
certificate to obtain the URL of the visited security website. To define the URL of an HTTPS
website, set the URL based on the value of Issued To in the certificate issued by the website.

B. Service

Port control is performed based on the destination IP address and port of
packets, and the time segment. For example, you can set a policy to block
access from the intranet to port 80 of an IP group.

The following is an example of setting a policy to reject access to ports 1000
and 1001 of the IP group 200.200.200.1-200.200.200.254 in working hours.

1. Select Service. On the Service pane, click Add and set related
parameters. It will refer to the IP groups, network services, and
schedule groups defined earlier. For details, see sections 3.3.6–3.5.9.


2. Select a target IP group from the drop-down list. If the required IP group
does not exist, select Add IP Group at the bottom of the drop-down list to
create it. Click OK.

3. Add IP Group: This item is linked to the page displayed after you choose
Objects > IP Group. In the Edit IP Group dialog box, enter the IP group
name, description, and IP address, and click Commit.


4. Select a service from the drop-down list. If the required service does
not exist, select Add Service at the bottom of the drop-down list to
create it. Click Commit.

5. Add Service: This item is linked to the page displayed after you choose
Objects > Service. In the Add Service dialog box, enter the service name
and port or protocol ID, and click Commit.

6. Return to the configuration page, set Action to Reject and Schedule to
Office Hours and click OK.

7. To modify the port control policy, select the corresponding network service
and click Delete to delete the policy. You can also select Allow in Action or
select Reject. Click Move Up or Move Down to change the priority of the
policy. A policy with a smaller priority value will be preferentially matched.

8. If only port control is required, click Commit. If other types of policies need
to be edited, continue with the procedure.

By default, the IAG allows access to network services for which no control policy is set.

C. Proxy

Proxy control involves controlling behaviors of using HTTP and SOCK proxies
and using other protocols on a standard HTTP or SSL port. See the following
figure.

If Not allow external HTTP proxy is selected, the IAG will reject the requests
sent by intranet users to access the Internet by using an external HTTP proxy
server.

If Not allow external SOCK4/5 proxy is selected, the IAG will reject the
requests sent by intranet users to access the Internet by using a SOCK proxy.

After Not allow other protocols on standard HTTP or SSL port is selected, if
identified or unidentified software communicates over a well-known
port (TCP 80 or TCP 443) and the communication contents are in a private
protocol format, the IAG will reject the communication.

D. Search Keyword


Web keyword filtering comprises two parts: search keyword filtering
and HTTP uploading filtering. In search keyword filtering, the IAG
filters or generates alarms when detecting specified search
keywords. For example, the IAG can control behaviors of searching
keywords by using search engines such as Baidu and Google. In HTTP
uploading filtering, the IAG rejects access requests or sends an alarm
mail when detecting keywords uploaded over HTTP. For example, the
IAG can filter access requests or generate an alarm for keywords in
posts on forums or in QQ Zone. Set Action to Give alert. When the
uploaded contents include the specified keyword, the IAG will send
an alarm mail to the specified mailbox.

Example: Set a policy to reject search requests with the keyword "Job Hunting"
and allow search requests with the keyword "Game" all day. When detecting
search requests with the keyword "Game", the IAG sends an alarm mail to
[email protected]. The IAG prevents uploading data containing
politically sensitive keywords through HTTP.

1. Select Search Keyword. On the Search Keyword pane, click Add and
set related parameters. The Keyword Group and schedule groups
defined earlier are referenced here. For details about defining objects,
see sections 3.5.9 and 3.5.10.

2. In the Keyword drop-down list, select Job Hunting. If the required
keyword is not included, select Add Keyword Group to create it.

3. Return to the configuration page, select all URL types, and click OK.

4. Set Action to Reject and Schedule to All Day, and click OK. The policy of
rejecting search requests for the keyword Job Hunting all day is set
successfully. Repeat steps 1 to 4 to set a policy to generate alarms for
search requests for the keyword Game.

5. On the HTTP Upload tab page, click Add. Click the drop-down button
below Keyword to display the keyword group list.


6. In the Keyword drop-down list, select Political Sensitive Keyword. If the
required keyword is not included, select Add Keyword Group to create it.

7. Return to the configuration page, select all URL types, and click OK.

8. Set Action to Reject and Schedule to All Day, and click OK. The policy of
rejecting uploading requests with political sensitive keywords all day is set
successfully.


9. If only keyword filtering is required, click OK. To enable Web keyword
filtering alarms, choose System > General > Alarm Options > Events >
Sensitive Keyword is detected, as shown in the following figure.

10. To set the address of the mail server for sending alarm mails and the
recipient mailbox, choose System > General > Alarm Options > Email
Alarm > SMTP Server.


E. File Type

Web file type filtering comprises two parts: uploading and downloading. You
can set the IAG to filter files uploaded or downloaded over HTTP or FTP.

The procedure for setting a policy to reject requests of downloading
and uploading film files from websites or over FTP is as follows:

1. Select File Type. On the File Type pane, click Add and set related
parameters. The File Type Group and schedule groups defined earlier
are referenced here. For details about defining objects, see sections
3.2.9 and 3.2.11. Click the drop-down button below File Type and
choose a file type group. Select Apply to FTP upload/download as
well.

2. On the Upload tab page, click Add.

3. In the File Type drop-down list, select Movie. If the required file type is not
included, select Add File Type Group to create it.

4. Return to the configuration page, set Action to Reject and Schedule to All
Day and click Commit. The policy of rejecting requests to upload film files
to websites or over FTP all day is set successfully.

5. On the Download tab page, click Add.


6. In the File Type drop-down list, select Movie. If the required file type is not
included, select Add File Type Group to create it.

7. Return to the configuration page, set Action to Reject and Schedule to All
Day and click OK. The policy of rejecting requests to download film files
from websites or over FTP all day is set successfully.

8. To allow file uploading and downloading for some websites, add an
exclusion URL. Select Excluded Website and select exclusion URL types.


9. Click OK.

F. SaaS Options

Along with the rise of the Internet, more and more software providers offer
SaaS services in the evolution from Web 2.0 to HTML5 to support users' use
of the Internet, bringing convenience but also the risks of Shadow IT.

Shadow IT: all applications that do not involve the IT organization and are not
covered by IT service management fall within the scope of Shadow IT.

Shadow IT brings potential risks and costs. Hundreds of cloud
applications may be operated in a large enterprise network, and most of
them are shadow services. These services are not supervised by IT and can
cause significant risks and compliance issues for data and business, so
how to handle Shadow IT becomes a problem to be solved for enterprise
information security:

⚫ How to inspect and evaluate the usage of SaaS applications.

⚫ How to discover and handle potential Shadow IT risks.


⚫ How to manage SaaS applications.

SaaS Options

The configuration documents are provided on this device and are not repeated
in this manual. The corresponding function post in the Sangfor community is
as follows:
https://community.sangfor.com/forum.php?mod=viewthread&tid=1488&highlight=

3.6.1.5.1.1.2 Email

Mail filtering involves filtering emails sent and received by clients on
the intranet through SMTP or POP3. The IAG can filter mails by the
sending address, recipient address, mail subject, or text keyword.

The following is an example of setting a policy to filter emails sent to a
Gmail mailbox or mails with a .exe attachment.

10. Select Email and set a policy to filter emails sent to a Gmail mailbox or
mails with a .exe attachment.


There are several methods of filtering sent and received mails:

Source Address: to filter sender addresses of mails. Select Block email sent
from the following addresses/domain only and enter the mail addresses to
be filtered. If the sender of any mail matches any of the listed mail addresses,
the IAG blocks the mail. Select Only allow email sent from the following
addresses/domain and enter the mail addresses to be allowed. If the sender
of any mail matches any of the listed mail addresses, the IAG allows the mail.
See the following figure.

Destination Address: to filter recipient addresses of mails. Select Block email
sent to the following mail addresses/domain and enter the mail addresses
to be filtered. If the recipient of any mail matches any of the listed mail
addresses, the IAG blocks the mail. Select Only allow email sent to the
following mail addresses/domain and enter the mail addresses to be
allowed. If the recipient of any mail matches any of the listed mail addresses,
the IAG allows the mail. In this example, mails sent to Gmail mailboxes are to
be filtered. Therefore, enter @gmail.com in Block email sent to the following
address/domain.


Block outgoing email containing the following keyword in subject or
body: If this option is selected, the IAG detects whether the title and text of a
mail to be sent contain the specified keywords. If yes, the IAG blocks the mail.
For example, to filter mails whose title or text contains the keyword "Job
Hunting", enter Job Hunting.

Block outgoing email attached file with the following extension: If this
option is selected, the IAG detects whether a mail to be sent contains an
attachment of the specified type. If yes, the IAG blocks the mail. In this
example, emails containing a .exe attachment are to be filtered. Therefore,
enter .exe.

If Block emails larger than (KB) is selected in the Advanced dialog
box, and the function of detecting mail size is enabled, the IAG will
block mails whose size exceeds the specified value. If Block email if
attachments exceed is selected and the function of detecting the
number of attachments in emails is enabled, the IAG will block mails
whose number of attachments exceeds the specified value.

The configured rules have the OR relationship and are matched from the top down. If any
rule is matched, the IAG performs the specified action. For any conflicts, the first matched
rule prevails.

1. On the Email page, you can enter a complete mail address or a suffix, for
example, [email protected], @abc.com, or abc.com. If abc.com is entered, mails with
abc.com or abc.com.cn will be matched. Enter one mail address in each row.

On the Email page, you can enter a regular expression when setting keywords.
For example, if key.*d is entered, both key and keyword are matched.

If one keyword is entered in each row, keywords in different rows have the OR
relationship. A rule will be matched if any keyword is matched.

2. If multiple keywords separated with a comma (,) are entered in each row, the
keywords have the AND relationship. A rule will be matched if all keywords in a
row are matched.

3. Mail filtering involves filtering emails that are sent through SMTP. This function is
invalid for webmails. To use this function, ensure that mail data passes the IAG.
The standard SMTP port used for sending mails is TCP 25. The mail filtering
function is invalid for mails that are sent over a non-standard port.

4. An SMTP authentication password must contain at least three characters. If the
SMTP authentication password of a mail contains less than three characters, the
mail will be blocked.


5. Before enabling mail filtering, ensure that the IAG can connect to the mail server
correctly. Otherwise, mails cannot be sent.

3.6.1.5.1.1.3 QQ Whitelist

You can configure a QQ number whitelist to allow specified QQ
numbers and block other QQ numbers. The whitelist function is
compatible with both PC QQ client and mobile QQ client.

Click Commit.

If a mobile phone number or a mailbox is used as the QQ account, you need to fill in the
account automatically allocated by Tencent, which is a numeric string.

3.6.1.5.1.2 SSL Decryption

The role of the SSL decryption policy is to perform content audit
identification for applications connected using SSL security protocols,
including encrypted websites, webmail, web-bbs, POP3, IMCP, SNMP,
etc., except for financial-related websites such as online banking and
online payment.

Two decryption methods: SSL middleman decryption and ingress
client decryption. Selecting ingress client decryption requires
configuring an ingress policy to take effect.


Requirement
  Middleman decryption: No PC system requirements; the certificate needs to be installed.
  Ingress Client Decryption: Windows system users need to install the ingress client and the certificate.

Distribution Method
  Middleman decryption:
    1. AD domain, desktop management software, and ingress client distribution to install the certificate; users are not aware.
    2. Users who have not installed the certificate will be redirected to the certificate installation page when they visit a webpage, and they will be guided to download the certificate installation tool.
  Ingress Client Decryption:
    1. The ingress client will be installed silently, and users are not aware.
    2. AD domain, desktop management software, and ingress client distribution to install the certificate; users are not aware.
    3. Users who have not installed the certificate will be redirected to the certificate installation page when they visit a webpage, and they will be guided to download the installation tool.

Advantage
  Middleman decryption: No need to install the ingress client; no PC system requirements.
  Ingress Client Decryption: No need to consume IAG performance; richer audit content.

Note (General)
  Decryption based on web page identification requires more CPU resources. It is recommended to customize the domain name for decryption to reduce performance degradation caused by excessive traffic decryption.
  For complete decryption requirements, you can use hardware model devices with hardware acceleration cards. The decryption performance of hardware acceleration cards is doubled compared with software decryption performance. For specific models, please contact Sangfor regional offices or Sangfor channel partners for details.
  The HTTPS decryption function configuration does not support IP addresses in the domain name list when the domain name list is customized.
  When using the HTTPS decryption function, you need to install a device certificate on the endpoint to a trusted root certification authority.
  HTTPS decryption does not support the QUIC protocol. It is recommended to check "Reject data transmitted over QUIC protocol".
  The HTTPS decryption function conflicts with the Easy connect protocol of SSL VPN. When the HTTPS decryption function is enabled, if the endpoint needs to use Easy connect to access the headquarters resources through SSL VPN, it needs to be excluded from the exclusion list of the SSL global decryption of the IAG device; otherwise, the connection will be interrupted.
  This function requires [Multi-function license/SSL content Ident].
  When SSL middleman decryption and ingress client decryption are configured at the same time, the policy list is matched from top to bottom, and only the first one that is matched takes effect.
  If the endpoint is a virtual machine, it is not recommended to use an ingress client for decryption. You can use an SSL middleman to decrypt.

Note (Ingress Client)
  When the option of installing the ingress client on PC is turned on, it only supports the Windows system (XP system is not supported). Mac system and Linux system can use SSL middleman for decryption.
  The ingress client only decrypts port 443 by default.
  The client's certificate and the SSL content recognition certificate are different certificates.

Note (Middleman)
  HTTPS decryption supports the scenario where the device itself acts as a proxy, but only supports HTTPS proxy and does not support SOCKS proxy. The client decryption solution does not support use in proxy scenarios.
  In the scenario where there is a two-way certificate verification, the HTTPS decryption function cannot be used; otherwise, there will be a connection error caused by a client verification failure.
  If the endpoint's DNS request data does not go through the device or the HTTPS website accessed by the endpoint is directly accessed with an IP address, the HTTPS decryption function is not supported.

Table 4: Decryption Comparison table

Configuration steps:

Step 1. In Online Activities > Access Control, click Add SSL Decryption, and
click to enable the policy.

Step 2. Fill in the policy name and description information. The policy name is
the only required item, and the description information is not required.

Step 3. The decryption method can choose SSL middleman decryption or
ingress client decryption according to the actual situation. For more detail, you
can click on More.

Step 4. Define the decryption range, check Identify contents of encrypted
Web application, you can choose all or custom these two ways to configure,
web applications only support identification using port 443.

Step 5. When selecting custom identification, click to select SaaS applications
or encrypted web content according to requirements.

Step 6. Check Reject data transmitted over QUIC protocol; SSL decryption does
not cover traffic to domain names carried over the QUIC protocol.

Step 7. Click Decryption Exclusion and configure the IP addresses, domain
names, and processes that do not require SSL content identification. The three
conditions are related to each other and can be combined flexibly.

Step 8. To identify mail content on ports 25, 465, 143, 993, and 587, enable
mail content recognition.

Step 9. Click Download Root SSL Certificate to download the root certificate
and install it on the computer; this eliminates the browser security alarm
caused by enabling SSL content recognition. To stop the browser security alarm
in an AD domain environment, click Root SSL Certificate Distribution via AD
Domain and refer to the configuration steps in that document for details.

Step 10. After the setting is completed, click the Commit button to complete
the editing of this policy. If you need to edit other types of policies, continue to
select other control types for editing.

SSL content recognition does not apply to financial sites such as online banking and
online payment, so that sensitive financial information is not audited.

In an HTTPS scenario, SSL content recognition must be configured.

3.6.1.5.2 Adding a Policy Using a Template

You can use an available policy or a built-in policy as a template to add a policy.
If a policy is added using a template, the settings for the template are applied
to the new policy. It facilitates the addition of multiple Internet access policies
that are identical to or similar to each other.

The configuration page is shown in the figure below:

For example, if the Various Internet activities and traffic template is used to
add a policy, all the settings included with the template are copied to the new
policy. You can modify the settings of Policy Name, Description, Policy Setup,
Applicable Group and User, and Advanced Settings.

Suppose the Give view privilege to administrator in lower-level role option is not selected on
the Advanced Settings tab page. In that case, low-level administrators cannot use this
template to add a new policy after logging in to the console.

3.6.1.6 Deleting a Policy

This function allows you to delete a policy permanently. After it is deleted, the
association between this policy and specified users or user groups is removed.

Step 1. Select the policy to be deleted.

Step 2. Click Delete. When it is deleted, a notification is displayed.

Suppose the organization structure managed by a high-level administrator covers the
organization structure managed by a low-level administrator who creates a policy. In that
case, the high-level administrator can delete the policy. Suppose the organization structure
managed by an administrator covers the organization structure managed by another
administrator at the same level who creates a policy. In that case, the former administrator
can delete the policy only when Editing Allowed is selected for administrators at the same
level.

3.6.1.7 Editing Policies in Batches

This function is used to edit multiple policies at the same time. It
applies only to the Applicable Group and User options of the policies.
You can use this function to associate multiple users or user groups
with one or more policies.

Step 1. Select the policies to be edited in batches.

Step 2. Click Edit. The Applicable Object window is displayed.

Step 3. Select the users or user groups to whom the policies are applicable.
Click OK.

1. After users and user groups are selected, the original associations between users
and user groups and the policies are replaced.

2. If the organization structure managed by a high-level administrator covers the
organization structure managed by a low-level administrator who creates policies, the
high-level administrator can edit the policies in batches. Suppose the organization
structure managed by an administrator covers the organization structure managed by
another administrator at the same level who creates policies. In that case, the former
administrator can edit the policies only when Editing Allowed is selected for
administrators at the same level.

3.6.1.8 Enabling or Disabling a Policy

Each policy can be in either the Enabled or Disabled state.

The Enabled state indicates that a policy is available and all the rules
included in the policy are effective when the policy is invoked.

The Disabled state indicates that a policy is unavailable and all the
rules included in the policy are not effective when the policy is
invoked.

Select a policy and click Enable or Disable to set the status of the policy.

In the Status column, one icon indicates the Disabled state and another indicates
the Enabled state.

Suppose the organization structure managed by a high-level administrator covers the
organization structure managed by a low-level administrator who creates a policy. In that
case, the high-level administrator can enable or disable the policy. Suppose the organization
structure managed by an administrator covers the organization structure managed by
another administrator at the same level who creates a policy. In that case, the former
administrator can enable or disable the policy only when Editing is selected for
administrators at the same level.

3.6.1.9 Changing the Policy Order

This function is to change the order of policies. Policies in a list are
implemented in descending order. You can move policies up or down
in the list to change their priorities.

You can move policies in a list using two methods: 1. Select the policy and
click the move-up or move-down button; 2. Click the icon in the Move column
of the policy records.

1. The change in this list is applied to the policy lists of users or user groups.

2. The order of policies created by administrators at different levels cannot be changed, and
the priorities of the policies depend on the administrators' priorities. The order of policies
created by administrators at the same level can be changed.

3. If the organization structure managed by a high-level administrator covers the
organization structure managed by a low-level administrator who creates a policy, the high-
level administrator can move the policy. Suppose the organization structure managed by an
administrator covers the organization structure managed by another administrator at the
same level who creates a policy. In that case, the former administrator can move the policy
only when Editing Allowed is selected for administrators at the same level.

3.6.1.10 Importing/Exporting a Policy

This function is used to import or export a policy. When necessary, you
can import a policy into the system. If there are multiple devices of the
same version and the same policy must be applied to all of them, you
can create the policy once and import it into the devices so that
repeated configuration is not required.

The procedure for exporting policies is as follows:

Step 1. Select one or more policies to be exported and click the export button.

Step 2. Save the exported policies.

The procedure for importing a policy is as follows:

Step 1. Click Import. Select the policy to be imported.

Step 2. Click Open.

When a policy is imported or exported, the object associated with the policy is imported or
exported as well. If the name of an imported object exists in the IAG, the IAG asks you
whether to replace the object that exists in the IAG.

3.6.2 Advanced Policy Options

Advanced policy options include Web Access, Excluded Application, SSL
Certificate, SSL Certificate Distribution, and SSL Decryption Exclusion.

3.6.2.1 Web Access Options

Web Access Options specifies whether to disallow access to websites by IP
address, whether to allow resources with external domain names on webpages,
and whether to disable the Access Denied webpage when URL filter permission
control policies match.

Not allow visit to website with IP address, exclusive of those in URL
database: After this option is selected, an intranet user cannot access a
website using its IP address unless the IP address is included in the URL library.

Allow visit to links on webpage: When a user accesses a webpage, some
resources (such as advertisements and images) contained in the webpage may
have external domain names. Policies may reject these resources because
their URLs are inconsistent with the domain name of the webpage. As a result,
the webpage may not be displayed completely. In this case, you can select this
option so that the resources are displayed when the webpage's domain name
is accessible.

Disable Access Denied webpage: If this option is selected, when a user
attempts to access a forbidden webpage, the access denial page is not shown;
the user only sees that the page cannot be displayed.

Enable redirection for rejected HTTPS traffic: Enables the HTTPS
redirection function. When Online Activities/Access Control denies
HTTPS traffic, the redirect page can be displayed.

3.6.2.2 SSL Certificate

After SSL content recognition is enabled, the endpoint browser warns that the
certificate of the HTTPS website cannot be validated. The warning is removed
once the root certificate is imported on the endpoint computer. Previous devices
could only use the built-in root certificate; the Sangfor device now also supports
importing a custom root certificate.

3.6.2.2.1 Built-in root certificate

Choose Online Activities > Advanced > SSL Certificate and select Built-in root
certificate.

Click Download Root SSL Certificate.

3.6.2.2.2 Specified root certificate

Choose Online Activities > Advanced > SSL Certificate and select Specified
root certificate. Click the Settings button to configure the specified root certificate.

3.6.2.2.2.1 Generate a New Root Certificate

Fill in the information of root certificate and click Commit.

After you return to the configuration page, the message "Root certificate has
been specified. Click Commit to apply the changes" is shown on the page for
further confirmation.

Click Commit and then confirm, so that a misoperation does not cause problems
on the endpoint.

After you click Yes, the SSL Certificate page shows the certificate status as
Valid.

Click Download Root SSL Certificate to distribute the root certificate to the
endpoint device.

3.6.2.2.2.2 Import Root Certificate with Private Key

Import a certificate file and enter a password.

After you return to the configuration page, the message "Root certificate has
been specified. Click Commit to apply the changes" is shown on the page for
further confirmation.

Click Commit and then confirm, so that a misoperation does not cause problems
on the endpoint.

After you click Yes, the SSL Certificate page shows the certificate status as
Valid.

Click Download Server SSL Certificate to distribute the root certificate to the
endpoint device.

3.6.2.2.2.3 Import Root Certificate and Private Key

Import a certificate file and a private key, and enter a password:

After you return to the configuration page, the message "Root certificate has
been specified. Click Commit to apply the changes" is shown on the page for
further confirmation.

Click Commit and then confirm, so that a misoperation does not cause problems
on the endpoint.

After you click Yes, the SSL Certificate page shows the certificate status as
Valid.

Click Download Server SSL Certificate to distribute the root certificate to the
endpoint device.

3.6.2.3 SSL Certificate Distribution

1. For PCs that have joined the domain, the domain can be used directly to push
and install the root certificate.

2. In an environment without a domain controller, it is recommended to choose
Online Activities > Advanced > SSL Certificate Distribution on the device.

How does the device determine whether the PC client has the root certificate
installed?

1. Each endpoint has a marker that records whether the root certificate needs
inspection and whether it has passed the inspection.

2. If the root certificate needs inspection but has not passed it, the endpoint is
redirected to http://x.x.x.x/httpscert/https.htm?vlanid=xxx&url=xxxxxx&signver=xxxx
to inspect the root certificate. Whether the root certificate is installed is
determined by whether checkcert.js is loaded.

3. If it passes the inspection, http://x.x.x.x/httpscert/handler is delivered to
jump back to the originally accessed page, such as Baidu.

4. If it does not pass the inspection, http://x.x.x.x/httpscert/handler_failed is
delivered to open the root certificate download page
(http://x.x.x.x/httpscert/index.html).

5. If the root certificate needs to be switched, a new root certificate MD5 is
distributed. When there is traffic from the user, the global root certificate
MD5 is compared with the user's original root certificate MD5. If they are not
identical, the endpoint that passed the inspection is marked again, and the
SSL certificate is redistributed.

6. Finally, the certificate can be installed manually. After the installation
package is downloaded on the PC client, double-click it to install.

3.6.2.4 Excluded Application

Excluded Application specifies the applications excluded from Internet access
statistics and Internet access duration control. It consists of the Applications
(exempted from duration quota policy), Specified, and Excluded Ports
sections.

Applications (exempted from duration quota policy): It defines some
application traffic, such as the traffic for background software updates. You
can enable or disable the list.

Specified: It allows users to specify the applications to be excluded
from statistics and Internet access control. Click Select Application
and select the applications to be excluded. If an application to be
excluded is not listed, you can choose Define Object > User-Defined
Application, define the application, and select the application in this
list.

Excluded Ports: You can enter the destination ports of Internet
applications to exclude the ports from Internet access duration audit
and control.

3.6.2.5 SSL Decryption Exclusion

1. Two methods are supported: Custom Excluded Address and Predefined
Excluded Address.

2. The Predefined Excluded Address list cannot be disabled or deleted.

3. In the exclusion list, exclusion is performed by domain name prefix;
wildcards are not supported.

4. Domain names in the exclusion list are not used for SSL content decryption.

5. The domain name exclusion list can exclude correctly only if DNS resolution
can be performed normally.

3.7 Bandwidth Management

3.7.1 Overview

Bandwidth management is to manage and identify the network traffic of
different users and applications. The bandwidth assurance and bandwidth
limitation functions are provided.

The bandwidth assurance function is to ensure bandwidth allocation to
important applications.

The bandwidth limitation function is to limit the total upstream and
downstream bandwidth and the bandwidth of each application for all
users, local users, domain users, domain security groups, domain
attributes, user attribute groups, source IP addresses, locations,
wireless networks, or terminal types.

The traffic sub-channel function is also provided for you to create
traffic sub-channels for better channel traffic allocation.

Bandwidth Management enables:

1. Dynamic bandwidth allocation to important Internet applications

2. Limiting the bandwidth allocated to Internet applications

3. Controlling the maximum bandwidth available to each IP address

4. Even bandwidth allocation among IP addresses within the same channel


Basic concepts:

Traffic channel: The entire bandwidth is divided, based on service
types and user groups under access control, into multiple parts, and
each part functions as a traffic channel. Traffic channels are classified
as bandwidth assurance channels and bandwidth limitation channels.

Bandwidth limitation channel: The maximum traffic rate of the
channel is specified. When the network load is heavy, the bandwidth
allocated to the channel does not exceed the specified value.

Bandwidth assurance channel: The maximum bandwidth and
minimum bandwidth of the channel are specified. When the network
load is heavy, the bandwidth allocated to the channel is not less than
the specified minimum value.

Traffic sub-channel: A traffic channel hierarchy is created. Traffic sub-
channels are used to further separate traffic channels for better
bandwidth management.

Penalty channel: It works with Quota Control Policy to impose a
penalty after a user exceeds a quota. Configure the penalty for the
penalty channel. Generally, a small amount of bandwidth is allocated
to the penalty channel.

Line Bandwidth Allocation: It is to specify allocation of upstream and
downstream bandwidth to Internet lines. Suppose the IAG is deployed
in bridge mode. In that case, you must set the actual Internet line
bandwidth of the front-end gateway because the bandwidth for the
bandwidth limitation channel and the bandwidth for the bandwidth
assurance channel are set to a certain percentage of the Internet line
bandwidth.

Virtual line: It is used in the bridge mode to divide one physical line
into multiple virtual lines for Bandwidth Management channel
configuration.

3.7.2 Bandwidth Management Rules

When the bandwidth management system is enabled, traffic channel
matching is implemented based on data information transferred
through the IAG. The matching criteria include user group/user, IP
address, application type, effective time, and destination IP address
group. When a packet meets the criteria, a matching traffic channel is
identified.

A piece of data can match only one traffic control policy. Traffic
channels are matched in descending order. Therefore, channels with
more detailed matching criteria must be placed high in the list. Traffic
sub-channels are also matched in descending order. When a piece of
data matches a parent channel, the policy for the parent channel is
not applied immediately. Instead, matching continues into its
sub-channels until a sub-channel is matched that has no lower-level
sub-channels of its own.
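As an added illustration (not Sangfor's code), the following Python models the matching order described in this section: channels are tried top to bottom, the first hit wins, and a matching parent hands the decision to its sub-channels until a channel without children is reached. It also flags level-1 channels that a broader channel above them would always shadow, which is the ordering mistake this section warns about. The channel criteria, group names, networks and sample flows are constructed; the manual does not say what happens when a parent matches but none of its sub-channels does, so the model assumes the parent itself then applies.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address
from typing import List, Optional, Set, Tuple

ANY = "*"  # stands for "All users" / "All applications"


@dataclass
class Channel:
    name: str
    users: Set[str]                       # user groups, or {ANY}
    apps: Set[str]                        # application types, or {ANY}
    dst_nets: List[IPv4Network] = field(default_factory=list)  # [] = any destination
    hours: Optional[Tuple[int, int]] = None  # effective hours [start, end); None = always
    enabled: bool = True
    children: List["Channel"] = field(default_factory=list)   # sub-channels, top to bottom


@dataclass
class Flow:
    user_group: str
    app: str
    dst_ip: str
    hour: int


def matches(ch: Channel, flow: Flow) -> bool:
    """A flow matches a channel only when every configured criterion holds."""
    if not ch.enabled:
        return False
    if ANY not in ch.users and flow.user_group not in ch.users:
        return False
    if ANY not in ch.apps and flow.app not in ch.apps:
        return False
    if ch.dst_nets and not any(ip_address(flow.dst_ip) in n for n in ch.dst_nets):
        return False
    if ch.hours is not None and not (ch.hours[0] <= flow.hour < ch.hours[1]):
        return False
    return True


def match_channel(channels: List[Channel], flow: Flow) -> Optional[Channel]:
    """First match from the top wins. A matching parent is not applied itself:
    matching descends into its sub-channels until a channel without children
    is hit. Assumption (not stated in the manual): if a parent matches but no
    sub-channel does, the parent channel applies."""
    for ch in channels:
        if not matches(ch, flow):
            continue
        if ch.children:
            leaf = match_channel(ch.children, flow)
            return leaf if leaf is not None else ch
        return ch
    return None  # no channel matched


def _subset(narrow: Set[str], broad: Set[str]) -> bool:
    return ANY in broad or (ANY not in narrow and narrow <= broad)


def covers(broad: Channel, narrow: Channel) -> bool:
    """True when every flow `narrow` could match is already matched by `broad`."""
    if not broad.enabled:
        return False
    if not _subset(narrow.users, broad.users) or not _subset(narrow.apps, broad.apps):
        return False
    if broad.dst_nets and not (narrow.dst_nets and all(
            any(n.subnet_of(b) for b in broad.dst_nets) for n in narrow.dst_nets)):
        return False
    if broad.hours is not None and not (
            narrow.hours is not None
            and broad.hours[0] <= narrow.hours[0] and narrow.hours[1] <= broad.hours[1]):
        return False
    return True


def shadowed_channels(channels: List[Channel]) -> List[str]:
    """Level-1 channels that can never match because a channel placed above
    them already covers all of their traffic."""
    return [ch.name for i, ch in enumerate(channels)
            if any(covers(above, ch) for above in channels[:i])]


# Constructed sample configuration, modelled on the manual's scenarios.
FINANCE = Channel("Finance", {"Finance"}, {"email", "online_banking"},
                  children=[Channel("Finance/Email", {"Finance"}, {"email"})])
MARKETING_P2P = Channel("Marketing P2P", {"Marketing"}, {"p2p"}, hours=(9, 18))
BRANCH = Channel("Branch servers", {ANY}, {ANY}, dst_nets=[IPv4Network("203.0.113.0/24")])
DEFAULT = Channel("Default", {ANY}, {ANY})
GOOD_ORDER = [FINANCE, MARKETING_P2P, BRANCH, DEFAULT]
BAD_ORDER = [DEFAULT, FINANCE, MARKETING_P2P, BRANCH]  # catch-all placed on top

if __name__ == "__main__":
    f = Flow("Finance", "email", "203.0.113.10", 10)
    print("good order ->", match_channel(GOOD_ORDER, f).name)  # Finance/Email
    print("bad order  ->", match_channel(BAD_ORDER, f).name)   # Default
    print("shadowed   ->", shadowed_channels(BAD_ORDER))       # Finance, Marketing P2P, Branch servers
```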

3.7.3 Bandwidth Channel Configuration

Path: Bandwidth Management > Bandwidth Channel

Function: Description

Enable Bandwidth Management System: If it is selected, the Bandwidth Management system is enabled.

Advanced: It is to set the line idleness threshold and specify whether to enable busy line protection.

Edit Line Bandwidth: It is to set the Internet line bandwidth.

Bandwidth Channel: It is to set and manage assurance channels, limitation channels, and penalty channels.

New Channel: It is to add channels, including level-1 channels, sub-channels, and penalty channels. It can also add channels based on templates.

Edit: You can select a channel, click Edit, and edit the channel.

Delete: You can select a channel and click Delete.

Enable: It is to enable a channel in the Disabled state.

Disable: It is to disable a channel in the Enabled state.

Up: It is to move a channel up the list.

Down: It is to move a channel down the list.

Move To: It is to move a channel to a specified place.

View: It is to filter the channel policies of the listed effective lines when there are multiple lines. You can select all lines or a specific line.

You can click the first icon to expand all channel policies and click the second icon to collapse all channel policies so that only the level-1 channel policies are displayed. These icons are available when there are sub-channels.

Table 5: Bandwidth description table

3.7.3.1 Line Bandwidth

It is to ensure the proper operation of important applications. You can set the
minimum bandwidth so that data of specified types have bandwidth not lower
than the minimum value even when the line is busy.

Example: A company leases a 10 Mbps line and has 1000 intranet users. The
company ensures that the finance department has at least 2 to 5 Mbps
bandwidth to access online banking websites and send and receive emails
even when the line is busy.

Step 1. Choose Bandwidth Management > Line Bandwidth and configure
Internet line bandwidth. Click Line 1. The Edit Line Bandwidth: Line 1 window
is displayed. In this example, the company leases a 10 Mbps line, and therefore
the values of Outbound and Inbound are set to 800 MB/s.

Step 2. Choose Bandwidth Management > Bandwidth Channel.

Select Enable Bandwidth Management System to enable Bandwidth
Management.

The Line Bandwidth section displays the total bandwidth of all Internet lines.
Click Edit Line Bandwidth. The Edit Line Bandwidth page is displayed.

Click Advanced and set the line idleness threshold and specify whether to
enable busy line protection. See the following figure.

Low Bandwidth Usage Threshold: It is to set the line idleness threshold.
When the load of a line is lower than the idleness threshold, the limitation
channels with intelligent tuning enabled can increase the channel bandwidth to
a value greater than the user-defined upper limit to keep the load close to the
idleness threshold. When the load is higher than the threshold, the bandwidth
is decreased to the upper limit.

High Bandwidth Usage Threshold: It is used to ensure line availability during
peak traffic hours and improve the dynamic bandwidth assurance
performance. By default, busy line protection is disabled.

You can select Enable High Bandwidth Usage Threshold to enable the
function and set the upper limits on the upstream and downstream traffic. The
default values are recommended.

In the Bandwidth Control section, select either of the following options:

Based on IP Addresses (When multiple IP addresses are connected to
the Internet with the same username, traffic control is implemented
for each IP address.)

Based on username (When multiple IP addresses are connected to
the Internet with the same username, traffic control is implemented
for all the IP addresses as a whole.)

To save the configuration, click Commit. To cancel the configuration, click
Cancel.

If you are not sure about the advanced settings, you can click Recommended Settings to
use the recommended settings.

3.7.3.2 Guarantee Channel

It is to ensure the use of important applications. Setting the minimum
bandwidth value ensures that the bandwidth occupied by specific data types is
not less than a particular value, so that important applications have enough
bandwidth and can be used normally when the line is busy.

Scenario

A company leased a 20 Mbps telecommunication line, and there are 1,000
Internet users on the intranet. According to the company's business needs, the
bandwidth of the finance department for accessing online banking websites and
sending and receiving email data must not be less than 2 Mbps when the line is
busy, and must not exceed 5 Mbps.

Configuration Steps

1. Guarantee channel configuration

Step 1. Choose Bandwidth Mgt > Line Bandwidth and edit the line. Set Outbound
and Inbound to 20 Mbps.

Step 2. Choose Bandwidth Mgt > Bandwidth Channel and check Enable
Bandwidth Management System (the screenshot shows two lines; only the
first line is relevant here).

Step 3. Under Bandwidth Channel, click Add > Parent Channel and select the
guaranteed channel. Enter the channel name. "/" means it is a root channel, and
you can create a child channel under the root channel.

2. Bandwidth Channel Configuration

Under Edit Channel > Channel Type, select Guaranteed Channel. Fill in the
inbound and outbound bandwidth.

Channel: It is used to set the target line, bandwidth channel type, restricted or
guaranteed bandwidth, and the bandwidth that a single user can use.

Target line: It is to select the applicable line of the channel. The channel will be
matched when the data goes through the selected line. There is only one line in
this example, so select Line 1 for Target Line.

Channel Type: Used to select the channel type (guaranteed channel or limited
channel) and define the bandwidth value. In this example, it is necessary to
guarantee the bandwidth for the personnel of the Finance Department to visit
online banking websites and to send and receive email data, ensuring at least
2 Mbps and not more than 5 Mbps. Check Guaranteed Channel and set
Outbound Bandwidth and Inbound Bandwidth, with Min and Max set to 20%
and 50% of the total bandwidth. If the total bandwidth is 20 Mbps, the
guaranteed bandwidth is 2 Mbps, and the maximum bandwidth is 5 Mbps.

Priority: Divided into three categories: high, medium, and low, it refers to the
priority of this channel occupying idle bandwidth when other channels are idle.

Max Bandwidth Per User: Used to limit the bandwidth occupied by a single
user matching this channel. In this example, there is no need to limit the
maximum bandwidth of a single user, so do not check here.

Advanced: Take every WAN IP as a channel user so that it shares bandwidth
equally with LAN users and complies with Max Bandwidth Per User (this is often
selected for a server providing external services).

3. Object

Step 1. Select Object in Option, and set the application and target users for
the channel in the Objects column. In this example, bandwidth is guaranteed
for the personnel of the Finance Department to access online banking websites
and send and receive email data, so the applicable applications and applicable
objects need to be customized.

Step 2. Customize the application for the channel. Check Specified in the
Application column. (Checking All Applications means that the channel is
valid for all types of data).

Step 3. Click select to check specific application types. Select the application
type and website type in the pop-up box Select Applications.

In this case, bandwidth is guaranteed for visiting online banking websites and
for sending and receiving email, so select the following applications here:
email/all, online banking/all, visit website/finance/online payment, visit
website/finance/bank website.

Step 4. Customize the channel applicable objects. Check Specific on the right
side of the Object column. (Checking All users means that the channel is valid
for all users).

Step 5. Click the blue font User button and select the specified object in the
pop-up box Objects. In this example, the bandwidth guarantee is required for
all the Finance Department users.

Step 6. Configure the effective period of the channel in the Schedule column.
The administrator can customize the effective period according to the working
hours of the enterprise. Click Add Schedule in the Schedule column to start
customizing the effective period of the policy, and click Add to add the time
during which the channel takes effect.

Step 7. If the effective channel date is preset, click the Setting button behind
the Date column to add a period or exclude a period. After setting, click the OK
button, and finally click Commit.

Step 8. Configure the Destination IP Group of the policy, which can be
used in conjunction with the Users in the Objects above. In this case, the
channel has been set in Applicable Users to be effective for finance
personnel, so here you can define Destination IP Group as All.

If you need to make more specific restrictions on IP, you can customize the IP
address segment. Click Add IP Group in the Destination column. Then
customize the effective IP address segment of the channel under the pop-up
Add IP Group menu.

After the completion of the setting, the display is as follows.

Step 9. The configured channel appears in Bandwidth Channel. The channel
configuration is complete.

1. The total percentage of guaranteed bandwidth channels may exceed 100%. When it
exceeds 100%, the minimum bandwidth value of each guaranteed channel is reduced
proportionally. For example, if two channels are set up, the first with a guaranteed
bandwidth of 30% and the second with 90%, the first is actually allocated 30/(90+30),
which is 25%, and the second is actually allocated 90/(90+30), which is 75%.

2. Priority: When there is free bandwidth on the line, the higher the priority of a channel,
the more of the free bandwidth it occupies.
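The proportional reduction in note 1, worked through in Python as an added example (not Sangfor's code). The channel names and percentages are constructed; the Finance figures use a 10 Mbps line as in the scenario of 3.7.3.1, so that Min 20% and Max 50% come to 2 Mbps and 5 Mbps.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class GuaranteedChannel:
    name: str
    min_pct: float  # configured guaranteed (minimum) share of the line, in percent
    max_pct: float  # configured ceiling, in percent


def effective_min_pct(channels: List[GuaranteedChannel]) -> Dict[str, float]:
    """Guaranteed share each channel really receives, in percent of the line.

    While the configured minimums sum to 100% or less they apply as
    configured. Above 100% every minimum is scaled by the same factor
    100/total, so channel i receives min_i / sum(min) of the line.
    """
    total = sum(c.min_pct for c in channels)
    if total <= 100:
        return {c.name: float(c.min_pct) for c in channels}
    return {c.name: 100.0 * c.min_pct / total for c in channels}


def channel_bandwidth(channels: List[GuaranteedChannel],
                      line_mbps: float) -> Dict[str, Tuple[float, float]]:
    """(guaranteed Mbps, ceiling Mbps) per channel on a line of line_mbps."""
    mins = effective_min_pct(channels)
    return {c.name: (line_mbps * mins[c.name] / 100, line_mbps * c.max_pct / 100)
            for c in channels}


def check_config(channels: List[GuaranteedChannel]) -> List[str]:
    """Warnings worth reading before committing the channels: a Max below its
    own Min, and guarantees that will be scaled down because the line is
    over-subscribed."""
    warnings = []
    mins = effective_min_pct(channels)
    for c in channels:
        if c.max_pct < c.min_pct:
            warnings.append(f"{c.name}: Max {c.max_pct}% is below Min {c.min_pct}%")
        if mins[c.name] < c.min_pct:  # only happens when the total exceeds 100%
            warnings.append(
                f"{c.name}: guaranteed {c.min_pct}% is scaled down to {mins[c.name]:.1f}%")
    return warnings


# Constructed sample channels: the 30% / 90% pair from note 1 above, and the
# Finance channel of the scenario (20% to 50%).
TWO_CHANNELS = [GuaranteedChannel("Channel 1", 30, 60),
                GuaranteedChannel("Channel 2", 90, 100)]
FINANCE = [GuaranteedChannel("Finance", 20, 50)]

if __name__ == "__main__":
    print(effective_min_pct(TWO_CHANNELS))      # {'Channel 1': 25.0, 'Channel 2': 75.0}
    print(channel_bandwidth(FINANCE, 10))       # {'Finance': (2.0, 5.0)}
    for w in check_config(TWO_CHANNELS):
        print("warning:", w)
```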

3.7.3.3 Limited Channel

You can set the maximum bandwidth of a channel to implement traffic
control over the data transferred using the channel. The bandwidth
used by the channel must not exceed the maximum value.

Scenario:

A company leases a 10 Mbps line and has 1000 intranet users. Many
personnel of the marketing department often download files using
tools such as XunLei and P2P download tools, which occupy much
bandwidth and affect the office jobs of other departments. Therefore,
the Bandwidth Management system limits the bandwidth allocated to
the marketing department to download files to 2 Mbps and limits the
bandwidth allocated to each user to download files to 30 Kbps.

Configuration steps:

Step 1. Choose Bandwidth Management > Edit Line Bandwidth and
configure Internet line bandwidth. Click Line 1. The Edit Line Bandwidth
window is displayed. In this example, the company leases an 800 Mbps line, and
therefore the values of Outbound and Inbound are set to 800 Mbps.

Step 2. Choose Bandwidth Management > Line bandwidth.

Select Enable Bandwidth Management System to enable Bandwidth
Management.

The Line Bandwidth section displays the total bandwidth of all Internet lines.
Click Edit Line Bandwidth Attributes. The Edit Line Bandwidth page is
displayed.

Click Advanced Settings and set the line idleness threshold, and specify whether to enable busy line protection. See the following figure.

Low Bandwidth Usage Threshold: Sets the line idleness threshold. When the line load is lower than the idleness threshold, limitation channels with intelligent tuning enabled can increase the channel bandwidth to a value greater than the user-defined upper limit to keep the load close to the idleness threshold. When the load is higher than the threshold, the bandwidth is decreased to the upper limit.

High Bandwidth Usage Threshold: It is used to ensure line availability during peak traffic hours and improve the dynamic bandwidth assurance performance. By default, busy line protection is disabled. You can select Low Bandwidth Usage Threshold to enable the function and set the upper limits on the upstream and downstream traffic. The default values are recommended.

In the Bandwidth Control section, select either of the following options:

Based on IP Addresses (When multiple IP addresses are connected to the Internet with the same username, traffic control is implemented for each IP address.)

Based on username (When multiple IP addresses are connected to the Internet with the same username, traffic control is implemented for all the IP addresses as a whole.)

To save the configuration, click Commit. To cancel the configuration, click Cancel.

If you are not sure about the advanced settings, you can click Recommended Settings to
use the recommended settings.

Step 3. Configure the limitation channel.

In this example, traffic control is applied to P2P data downloads performed by marketing personnel, and the bandwidth for P2P data download applications is limited to 2 Mbps.

On the Bandwidth Channel tab page, click Add and choose Add Parent
Channel. The Parent Channel page is displayed.

If Enable Channel is selected, the channel is enabled. Otherwise, it is disabled.

Enter the name of the channel in the Channel Name text box. The
Home Channel field displays the level of the channel and / indicates
a level-1 channel.

In the Channel Editing Menu, choose Bandwidth Channel Settings. The related attributes for setting the channel are on the right.

Bandwidth Channel Settings: It sets the effective line, channel type, limited or assured bandwidth, and per-user bandwidth.

Target Line: It is to select the line applicable to the channel. That is,
the channel is used only when data is transferred through the selected
line. In this example, there is only one line. Therefore, select Line 1.

Channel Type: To select a channel type and set bandwidth thresholds. In this example, the bandwidth for P2P data downloads performed by marketing personnel is limited. Select Limitation Channel and set Outbound Bandwidth and Inbound Bandwidth to 20% of the total bandwidth each. The total bandwidth is 800 Mbps, and therefore the limited bandwidth is 160 Mbps. Priority includes three options, namely, High, Medium, and Low, which indicate the priority of bandwidth allocation to the channel during peak traffic hours.

Restrain inbound P2P packet loss: To specify whether to control the downstream packet loss rate of P2P download applications and streaming media applications. It is recommended that this option be selected only for P2P applications.

Threshold can be exceeded if line is not busy: Specifies whether to enable the intelligent tuning function for the channel. If it is selected, the function is enabled. You can click Low Bandwidth Usage Threshold to go to the setting for Threshold can be exceeded if line is not busy. After the function is enabled, when the load of a line is lower than the idleness threshold, the limitation channel can increase the channel bandwidth to a value greater than the user-defined upper limit to keep the load close to the idleness threshold. When the load is higher than the threshold, the bandwidth is decreased to the upper limit.

Limit Maximum Bandwidth Per User: To limit the bandwidth available to each IP address using the channel. In this example, the bandwidth for each user's P2P data download applications is limited to 30 Kbps. Set Outbound and Inbound to 30 Kbps.

Advanced: If this option is selected, each external network IP address can be regarded as a user in the channel so that bandwidth can be fairly allocated among the users in the channel, and the maximum bandwidth attribute set for each user applies to the external network IP addresses. (This option is generally used by servers providing services externally. Use it with caution.)

Objects: To specify the application types to which the channel is available. All Applications indicates all types of application. Specified allows you to select application types. You can click Select and select application types in the User-Defined Applicable Service and Application dialog box that appears. In this example, select Download Tool, P2P, and P2P Stream Media/All to implement traffic control for P2P data download tools. Make sure that the Selected list is correct and click OK.

Applicable Object: It specifies the users, locations, and terminal types to which the channel is available. All Users indicates all intranet users. Specified indicates specified users and user groups. You can click Objects and select objects in the User-Defined Applicable Object dialog box that appears. In this example, bandwidth limitation must be implemented for all users in the marketing department. Therefore, select the Marketing Department user group and click OK.

Scheduled: To set the effective time of the channel.

Destination: To select the destination IP address group.

After the parameters are set, the settings are displayed. See the following
figure.


Click OK.

Step 4. The Bandwidth Channel tab page displays the configured channel.

Step 5. Configure the assurance channel.

In this example, bandwidth assurance is implemented to ensure that finance department personnel can access online banking websites and send and receive mails properly.

On the Bandwidth Channel tab page, click Add and choose Add Parent
Channel. The Add Parent Channel page is displayed.

If Add Parent Channel is selected, the channel is enabled. Otherwise, it is disabled.

Enter the name of the channel in the Name text box. The Channel
field displays the level of the channel and / indicates a level-1
channel.

In the Channel Editing Menu, choose Channel. The related attributes for
setting the channel are on the right.

Channel: To set the effective line, channel type, limited or assured bandwidth, and per-user bandwidth.

Target Line: To select the line applicable to the channel. That is, the channel is used only when data is transferred through the selected line. In this example, there is only one line. Therefore, select Line 1.

Channel Type: To select a channel type and set bandwidth thresholds. In this example, the finance department personnel must be allocated 160 to 400 Mbps bandwidth to access online banking websites and send and receive emails. Therefore, select Guaranteed Channel and set minimum and maximum Outbound Bandwidth and Inbound Bandwidth to 20% and 50% of the total bandwidth. The total bandwidth is 800 Mbps, and therefore the assured bandwidth is 160 Mbps while the maximum bandwidth is 400 Mbps. Priority includes three options, namely, High, Medium, and Low, which indicate the priority of allocating bandwidth of other channels to this channel when the other channels are idle.

Maximum Bandwidth Per User: To limit the bandwidth available to each IP address using the channel. This example does not involve this limitation. Therefore, do not select this option.

Advanced Option: If this option is selected, each external network IP address can be regarded as a user in the channel so that bandwidth can be fairly allocated among the users in the channel, and the maximum bandwidth attribute set for each user applies to external network IP addresses. (This option is generally used by servers providing services externally. Use it with caution.)

Object: It specifies the data types to which the channel is available. The channel is available only when the criteria including applicable application, applicable object, effective time, and destination IP address group are met.

Application: To specify the application types to which the channel is available. All Applications indicates all types of application. Customized allows you to select application types. You can click Select and select application types and website types in the User-Defined Applicable Service and Application dialog box that appears. In this example, select Mail/All, Website Access/Online Payment, and Website Access/Personal Banking to ensure that users can access online banking websites and send and receive emails.

Select Application: To specify the users, locations, and terminal types to which the channel is available.

All Users indicates all intranet users. Specified indicates specified users and user groups. You can click the links in blue and select objects in the User-Defined Applicable Object dialog box that appears. In this example, bandwidth assurance must be implemented for all users in the finance department. Therefore, select the Finance Department user group and click Commit.

Schedule: To set the effective time of the channel.

Destination: To select the destination IP address group.

After the parameters are set, the settings are displayed. See the following
figure.

Click OK to save the settings.


Step 6. When the settings are saved, a message is displayed. Click Close.

The Bandwidth Channel tab page displays the configured channel. Ensure
that the channel is configured completely.

1. The aggregated bandwidth percentage of bandwidth assurance channels may exceed 100%. In this case, the minimum bandwidth of each channel is reduced proportionately. For example, two channels are created. The assured bandwidth of channel one is set to 30%, while the assured bandwidth of channel two is set to 90%. In this case, the actual assured bandwidth of channel 1 is 25% (30/(90+30)%), and the actual assured bandwidth of channel 2 is 75% (90/(90+30)%).

2. Priority: If some bandwidth is available, the channel with a higher priority can use the
bandwidth first.

3.7.3.4 Traffic Sub-Channel

Traffic sub-channels are used to create more detailed bandwidth allocation policies for assurance channels and limitation channels.

Scenario:

A company leases a 10 Mbps line and has 1000 intranet users. The bandwidth for all the users to send and receive mails must not be less than 3 Mbps or greater than 5 Mbps, even in peak traffic hours. Because there are many marketing personnel and sending and receiving mails is vital to them, the bandwidth for them to send and receive mails must not be less than 1 Mbps or greater than 2 Mbps even in peak traffic hours, in addition to the preceding assurance. The bandwidth for each user in the marketing department to send or receive mails must not exceed 20 Kbps.

Configuration steps:

Step 1. Choose Bandwidth Management > Line Bandwidth and configure Internet line bandwidth. Click Line 1. The Edit Line Bandwidth window is displayed. In this example, the company leases an 800 Mbps line, and therefore the values of Outbound and Inbound are set to 800 Mbps.

Step 2. Choose Bandwidth Management > Line Bandwidth.

Step 3. Configure a level-1 assurance channel.

In this example, bandwidth assurance is implemented for all users to send and receive emails. In addition, bandwidth assurance is implemented further for marketing personnel to send and receive emails. This requirement can be achieved using a traffic sub-channel. You must create an assurance channel for all users and then further ensure bandwidth for the marketing department.

On the Bandwidth Channel tab page, click Add and choose Add Parent
Channel. The New Add Parent Channel page is displayed.

If Enable Channel is selected, the channel is enabled. Otherwise, it is disabled.

Enter the name of the channel in the Channel Name text box. The
Home Channel field displays the level of the channel and / indicates
a level-1 channel.

In the Channel Editing Menu, choose Bandwidth Channel Settings. The related attributes for setting the channel are on the right.

Bandwidth Channel Settings: Set the effective line, channel type, limited or assured bandwidth, and per-user bandwidth.

Target Line: To select the line applicable to the channel. That is, the
channel is used only when data is transferred through the selected
line. In this example, there is only one line. Therefore, select Line 1.

Bandwidth Channel Type: To select a channel type and set bandwidth thresholds. In this example, all intranet users must be allocated 240 to 400 Mbps bandwidth to send and receive emails. Therefore, select Guaranteed Channel and set Minimum and Maximum bandwidth of Outbound Bandwidth and Inbound Bandwidth to 30% and 50% of the total bandwidth. The total bandwidth is 800 Mbps and therefore the assured bandwidth is 240 Mbps while the maximum bandwidth is 400 Mbps. Priority includes three options, namely, High, Medium, and Low, which indicate the priority of allocating bandwidth of other channels to this channel when the other channels are idle.

Objects: It specifies the data types to which the channel is available. The channel is available only when the criteria including applicable application, applicable object, effective time, and destination IP address group are met.

Set Applicable Application to Customized and select Mail/All.

Set Applicable Object to All Users, Scheduled to All day, and Destination to
All. After the parameters are set, the settings are displayed. See the following
figure.

Click OK to save the settings.

Step 4. Close the notification dialog box. The Bandwidth Allocation tab page
displays the configured channel.


Then, set the sub-channel of the created assurance channel to limit the HTTP
application bandwidth for the marketing department. Select HTTP Application
Assurance, click Add, and choose Add Child Channel.

Step 5. Set the sub-channel.

On the Add Child Channel window that appears, set the sub-channel.

If Enable Channel is selected, the channel is enabled. Otherwise, it is disabled.

Enter the name of the channel in the Channel Name text box. The Home
Channel field displays the level of the channel, and /HTTP /HTTP Application
Assurance indicates a sub-channel.

In the Channel Editing Menu, choose Bandwidth Channel Settings. The related attributes for setting the channel are on the right.

Bandwidth Channel Settings: To set the target line, channel type, limited or assured bandwidth, and per-user bandwidth.

Target Line is the same as that of the parent channel. It is not set in this
example.

Bandwidth Channel Type: To select the assurance channel. In this example, marketing personnel must be allocated 1 to 2 Mbps bandwidth for sending and receiving emails, each of them having a maximum of 20 KB/s. Therefore, select Guaranteed Channel and set Minimum and Maximum of Outbound Bandwidth and Inbound Bandwidth to 33% and 33% of the total bandwidth. The total bandwidth depends on the assured bandwidth and maximum bandwidth of the parent channel. Priority includes three options, namely, High, Medium, and Low, which indicate the priority of allocating bandwidth of other channels to this channel when the other channels are idle.

Max Bandwidth Per User is used to limit the inbound and outbound speed per user IP address.

Channel Availability: It specifies the data types to which the channel is available. The channel is available only when the criteria including applicable application, applicable object, effective time, and destination IP address group are met.

Set Applicable Application to Specified and select Mail/All. (Only the applications among the applicable applications of the parent channel can be selected.)

Set Applicable Object to Specified and select the marketing department. (Only the objects among the applicable objects of the parent channel can be selected.)

Set Scheduled to All Day and Destination to All.


After the parameters are set, the settings are displayed. See the following figure.

Click OK to save the settings.

Step 6. The Bandwidth Channel tab page displays the configured parent
channel and child channel.

1. The percentages defined by the sub-channel depend on the bandwidth calculated for the
parent channel. The actual traffic for the sub-channel does not exceed the traffic limit of the
parent channel.

2. The Bandwidth Management system supports three levels of sub-channels by default. A sub-channel at each level contains one default channel for the traffic that does not meet the channel criteria. Therefore, the default channel cannot be deleted.

3. The applications and objects defined for a sub-channel must be among the applications
and objects defined for its parent channel. Otherwise, the configuration fails.
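The following Python model is an added example written for this page; it is not Sangfor code and the IAG does not expose such an API. It puts the channel rules stated in the notes of sections 3.7.3.2 through 3.7.3.4 into a form that can be checked before a configuration is committed: guaranteed percentages that add up to more than 100% are scaled down proportionally (30% and 90% become 25% and 75%), a sub-channel is sized from its parent's resolved bandwidth and never exceeds the parent's limit, a sub-channel may only select applications and objects that its parent also selects, and a limitation channel with Threshold can be exceeded if line is not busy may grow while the line load sits below the idleness threshold. The class and function names, the assumption that a sub-channel's minimum percentage applies to the parent's assured bandwidth and its maximum percentage to the parent's maximum, and the simple headroom formula in tuned_limit are this example's own choices, not statements from the manual.

```python
"""Added illustration of how the manual's channel rules resolve to Mbps.

Example code for this page, not Sangfor code. Names are assumptions.
Modelled rules (see the notes in 3.7.3.2 to 3.7.3.4):
  1. guaranteed shares summing above 100% are scaled down proportionally;
  2. a sub-channel's percentages apply to the parent's resolved figures
     and its traffic never exceeds the parent's limit;
  3. a sub-channel may only select apps/objects its parent selects;
  4. at most three levels of sub-channels.
Assumption: a sub-channel's minimum share is taken of the parent's assured
bandwidth, its maximum share of the parent's maximum bandwidth.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

ALL = frozenset({"*"})        # stands for "All Applications" / "All Users"
MAX_SUB_LEVELS = 3            # manual: three levels of sub-channels


@dataclass
class Channel:
    name: str
    kind: str                 # "guaranteed" or "limited"
    min_pct: float = 0.0      # assured share (guaranteed channels only)
    max_pct: float = 100.0    # upper-limit share
    apps: FrozenSet[str] = ALL
    objects: FrozenSet[str] = ALL
    children: List["Channel"] = field(default_factory=list)


def within(child: FrozenSet[str], parent: FrozenSet[str]) -> bool:
    """True if every selection of the child is also selected by the parent."""
    return parent == ALL or child <= parent


def check_sub_channel(parent: Channel, child: Channel) -> None:
    """Rule 3: the configuration fails if the child selects more than the parent."""
    if not within(child.apps, parent.apps):
        raise ValueError(f"{child.name}: applications not within {parent.name}")
    if not within(child.objects, parent.objects):
        raise ValueError(f"{child.name}: objects not within {parent.name}")


def resolve(assured_mbps: float, max_mbps: float, channels: List[Channel],
            level: int = 0) -> Dict[str, Tuple[float, float]]:
    """Return {channel name: (assured Mbps, maximum Mbps)} for a channel tree.

    For level-1 channels pass the line bandwidth for both arguments; the
    recursion passes a parent's resolved figures to its sub-channels.
    """
    total_pct = sum(c.min_pct for c in channels if c.kind == "guaranteed")
    divisor = max(total_pct, 100.0)       # Rule 1: 30/(30+90), not 30/100
    result: Dict[str, Tuple[float, float]] = {}
    for c in channels:
        assured = assured_mbps * c.min_pct / divisor if c.kind == "guaranteed" else 0.0
        ceiling = min(max_mbps * c.max_pct / 100.0, max_mbps)   # Rule 2
        ceiling = max(ceiling, assured)
        result[c.name] = (round(assured, 3), round(ceiling, 3))
        if c.children and level + 1 > MAX_SUB_LEVELS:            # Rule 4
            raise ValueError(f"{c.name}: more than {MAX_SUB_LEVELS} sub-channel levels")
        for child in c.children:
            check_sub_channel(c, child)
        # A limited parent has no assured share; its ceiling is the base instead.
        child_base = assured if c.kind == "guaranteed" else ceiling
        result.update(resolve(child_base, ceiling, c.children, level + 1))
    return result


def tuned_limit(limit_mbps: float, line_mbps: float, line_load_mbps: float,
                idle_threshold_pct: float, tuning_enabled: bool) -> float:
    """Model of "Threshold can be exceeded if line is not busy" (assumption).

    While tuning is on and the line load is below the idleness threshold, the
    limitation channel may grow by the idle headroom so the load approaches
    the threshold; otherwise the user-defined upper limit applies.
    """
    threshold_mbps = line_mbps * idle_threshold_pct / 100.0
    if tuning_enabled and line_load_mbps < threshold_mbps:
        return limit_mbps + (threshold_mbps - line_load_mbps)
    return limit_mbps


if __name__ == "__main__":
    # The sub-channel scenario of 3.7.3.4 on an 800 Mbps line.
    marketing = Channel("Marketing mail", "guaranteed", 33, 33,
                        frozenset({"Mail/All"}), frozenset({"Marketing Department"}))
    mail = Channel("Mail assurance", "guaranteed", 30, 50,
                   frozenset({"Mail/All"}), ALL, [marketing])
    for name, (assured, ceiling) in resolve(800, 800, [mail]).items():
        print(f"{name}: assured {assured} Mbps, maximum {ceiling} Mbps")
```

Running the module prints the parent at 240/400 Mbps and the marketing sub-channel at 79.2/132 Mbps; swapping the sub-channel's applications to anything outside Mail/All raises the same "not within parent" error that the manual describes as a failed configuration.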

3.7.3.5 Exclusion Policy

An exclusion policy is to transfer specified types of data through none of the Bandwidth Management channels. It helps prevent traffic control over the data. For example, suppose an IAG is deployed in bridge mode, and the DMZ of the front-end firewall is connected to some servers. In that case, Bandwidth Management is not required for the data exchanged with the servers over the intranet.

Because the data is not transferred over the Internet, it does not
require Internet bandwidth control. In this case, an exclusion policy is
implemented for the applications and IP addresses of the servers.

Scenario:

An IAG is deployed in bridge mode. The DMZ of the front-end firewall is connected to some servers, and an exclusion policy must be implemented for the data exchanged between the IAG and the servers.

Configuration steps:

Choose Object > IP Group, and add the IP addresses to be excluded.

3.7.3.6 Penalty Channel

You can set the maximum bandwidth of the channel so that traffic
control is implemented on the data transferred through the channel.
The bandwidth used to transfer the data will not be greater than the
maximum bandwidth specified. A penalty channel is similar to a
limitation channel. It works with the user quota policies configured at
Access Mgt > Policies > Add > Quota Control to impose a penalty
on a user who exceeds a quota, by connecting the user through the
penalty channel configured at Quota Control > Online Duration
Quota > Action If Threshold is Reached.

Scenario:

A company leases an 800 Mbps line and has 1000 intranet users. Many personnel of the marketing department often download files using tools such as XunLei and P2P download tools, which occupy much bandwidth and affect the office jobs of other departments. Therefore, the Bandwidth Management system is to limit the daily download traffic to 1 GB and the monthly download traffic to 30 GB for each user in the marketing department. If a user exceeds a quota, the user is connected through the download traffic penalty channel corresponding to the marketing department. The channel limits the total bandwidth allocated to the user to 256 Kbps and limits the download bandwidth allocated to the user to 128 Kbps as a penalty.

Configuration steps:

Step 1. Choose Bandwidth Management > Line Bandwidth and configure Internet line bandwidth. Click Line 1. The Edit Line Bandwidth window is displayed. In this example, the company leases an 800 Mbps line, and therefore the values of Outbound and Inbound are set to 800 Mbps.

Step 2. Choose Bandwidth Management > Channel Configuration.

Select Enable Bandwidth Management System to enable Bandwidth Management.

The Line Bandwidth section displays the total bandwidth of all Internet lines.
Click Edit Line Bandwidth. The Edit Line Bandwidth page is displayed.

Click Advanced and set the line idleness threshold and specify whether
to enable busy line protection. See the following figure.

Low Bandwidth Usage Threshold: Set the line idleness threshold. When the load of a line is lower than the idleness threshold, the limitation channels with intelligent tuning enabled can increase the channel bandwidth to a value greater than the user-defined upper limit to keep the load close to the idleness threshold. When the load is higher than the threshold, the bandwidth is decreased to the upper limit.

High Bandwidth Usage Threshold: It is used to ensure line availability during peak traffic hours and improve the dynamic bandwidth assurance performance. By default, busy line protection is disabled. You can select High Bandwidth Usage Threshold to enable the function and set the upper limits on the upstream and downstream traffic. The default values are recommended.

In the Bandwidth Control section, select either of the following options:

Based on IP Addresses (When multiple IP addresses are connected to the Internet with the same username, traffic control is implemented for each IP address.)

Based on username (When multiple IP addresses are connected to the Internet with the same username, traffic control is implemented for all the IP addresses as a whole.)

To save the configuration, click OK.

To cancel the configuration, click Cancel.

If you are not sure about the advanced settings, you can click Recommended Settings to
use the recommended settings.

Step 3. Configure the penalty channel.

In this example, traffic control is applied to transferred data of marketing personnel, and the total bandwidth is limited to 256 Kbps.

On the Bandwidth Management tab page, click Add and choose Add Limited
BM Channel. The Add Limited BM Channel page is displayed.

If Enable Channel is selected, the channel is enabled. Otherwise, it is disabled.

Enter the name of the channel in the Channel Name text box. The
Home Channel field displays the level of the channel and / indicates
a level-1 channel.

In the Channel Editing Menu, choose Bandwidth Channel Settings. The related attributes for setting the channel are on the right.

Bandwidth Channel Settings: Set the channel type, limited bandwidth, and
per-user bandwidth.

Bandwidth Channel Type: Select a channel type and set bandwidth thresholds. In this example, the bandwidth for data transfer performed by marketing personnel is limited. Select Limited Channel and set Outbound Bandwidth and Inbound Bandwidth to 20% of the total bandwidth each. The total bandwidth is 800 Mbps, and therefore the limited bandwidth is 4 Mbps. Priority includes three options, namely, High, Medium, and Low, which indicate the priority of bandwidth allocation to the channel during peak traffic hours.

Restrain inbound P2P packet loss: To specify whether to control the downstream packet loss rate of P2P download applications and streaming media applications. It is recommended that this option be selected only for P2P applications.

Threshold can be exceeded if line is not busy: Specify whether to enable the intelligent tuning function for the channel. If it is selected, the function is enabled. You can click Threshold can be exceeded if line is not busy to go to the page to set the line idleness threshold. After the function is enabled, when the load of a line is lower than the idleness threshold, the limitation channel can increase the channel bandwidth to a value greater than the user-defined upper limit to keep the load close to the idleness threshold. When the load is higher than the threshold, the bandwidth is decreased to the upper limit.

Maximum Bandwidth Per User: Limit the bandwidth available to each IP address using the channel. In this example, the data transfer bandwidth for each user in the marketing department is limited to 128 Kbps. Set Outbound and Inbound to 128 Kbps.

Advanced Option: If this option is selected, each external network IP address can be regarded as a user in the channel so that bandwidth can be fairly allocated among the users in the channel, and the maximum bandwidth attribute set for each user applies to the external network IP addresses. (This option is generally used by servers providing services externally. Use it with caution.)

Channel Availability: It specifies the data types to which the channel is available. The channel is available only when the criteria, including applicable application, effective time, and destination IP address group, are met.

Objects: Specify the application types to which the channel is available. All Applications indicates all types of applications. Specified allows you to select application types. You can click Select and select application types in the User-Defined Applicable Service and Application dialog box that appears. In this example, select All to implement traffic control over all data. Make sure that the Selected list is correct and click OK.

Scheduled: Set the effective time of the channel.

Destination: Select the destination IP address group.

After the parameters are set, the settings are displayed. See the following figure.

Click OK. A window is displayed as shown below:

Step 4. The Bandwidth Allocation tab page displays the configured channel.

Step 5. Access the Access Mgt tab page, click Add, and choose Quota
Control.


Step 6. Configure a user quota policy.

In this example, the daily download traffic of each user in the marketing
department cannot exceed 1 GB, and the monthly download traffic cannot
exceed 30 GB.

If Enable This Policy is selected, the policy is enabled. Otherwise, it is disabled.

Enter the name of the policy in the Policy Name text box and the description of the policy in the Description text box to facilitate management.

Quota Policy: Select the user limitation type and set related parameters. In
this example, the traffic quota for P2P download tools such as XunLei must be
limited for the marketing department. Select Flow Quota and set the
parameters.

You can select the start day of each month within the range of 1 to 28. For
example, if you choose 8, May 8 to June 8 is regarded as one month. Each
month consists of 30 days.


Flow Quota Per User Settings is to set detailed limitation parameters. Statistics Collection Time specifies the period in which statistics are collected. You can define a period. In this example, the period is set to All Day. Intended Application is to specify the application types involved in the statistics. In this example, Download Tool/All, P2P/All, and P2P Streaming Media/All are selected. Select Daily Quota and set the daily traffic quota for each user. In this example, it is set to 1 GB. Select Monthly Quota and set the monthly traffic quota for each user. In this example, it is set to 30 GB.

Action If Threshold is Reached is to set the handling method used after a user exceeds a quota. The methods include sending an alarm mail, notifying an administrator, displaying a user notification page when a user's quota reaches a specific percentage, and imposing a penalty on a user. In this example, the method of imposing a penalty on a user is described. For details of the other methods, see the User Quota Policy section.

Select Penalty, Add to Traffic Control Channel, and then the Download
Traffic Penalty Channel for Marketing Department policy.

Object is to select the users, locations, terminal types, and destination areas to which the policy is applicable. In this example, the marketing department is selected.

Click Commit.

User Quota displays the configured policy.

Quota Policy provides five limitation means, including traffic quota, duration quota, traffic rate control, concurrent connections control, and online terminal limit. For a detailed description, see policy management in section 3.4. This section describes the method to configure a penalty channel and only one type of user quota policy.

3.7.4 Quota Control

User restriction policies can limit the traffic and online duration that users can use, including flow quotas, online duration control, concurrent connection control, and online terminal limits. Following the penalty channel example in the previous section, we continue to configure the user quota policy.

3.7.4.1 Flow Quota

In the previous section, we completed the penalty channel configuration as required. Next, you only need to configure the traffic quota policy and call the traffic penalty channel in the policy.

Scenario

An enterprise requires that the daily Thunder downloads and P2P downloads of the marketing department cannot exceed 1G, and the total downloads per month cannot exceed 30G. Configure the traffic quota policy as required.

Configuration steps:

Step 1. Click Add of Bandwidth Management > Quota Control and click
Quota Control. In the pop-up Quota Control menu bar, check Enabled, and
fill in the policy name and description information.


Step 2. Check Flow Quota in the Quota Control column and configure the
traffic quota parameters in the Flow Quota column.

In this example, the quota is configured for the Thunder downloads and P2P downloads of marketing personnel. The quota is up to 1G per day and 30G per month. Therefore, set Period in the Flow Quota Per User column to All Day. You can set the period in the same way as the custom time period in the traffic channel above. Click Application and check all P2P applications in the pop-up Select Application dialog box. Fill in 1GB for the daily quota and 30GB for the monthly quota.

Step 3. In the Action If Threshold is Reached column, you can configure the
following three penalties for users who exceed the duration quota.

Version 01 (Sep 27, 2021) 412


Sangfor IAG 13.0.19 User Manual

⚫ Send an alert email to notify the administrator that the user has exceeded
the quota (this requires the IAG to be integrated with the company's mail
system so that alert emails can be sent).

⚫ Remind users who are about to exceed or have exceeded their quota, informing
the user that the quota is about to be exceeded.

⚫ Add users who exceed the quota to the penalty channel, or prohibit them
from accessing the Internet. If you need to penalize such users through a
penalty channel, configure the penalty channel in Bandwidth Control in
advance, then select Apply limited BM Channel on the Other action page and
select the corresponding penalty channel, which imposes the penalty on the
users who exceed the quota.

Step 4. In the Quota Control column, click Objects to select the objects to
which the quota policy applies. This example limits the P2P downloads of
marketing personnel, so select marketing personnel as the applicable objects.

Step 5. Click the Advanced menu bar in the Quota Control column.
Advanced configuration includes Expiry Date, Privilege of Admin in Same
Role, and Give view privilege to administrator in lower-level role.

Step 6. After the configuration is complete, the quota policy just configured
is displayed in the quota control list.
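
To make the quota semantics concrete, the following is an added example (not Sangfor code) that replays a constructed flow log against the scenario's policy and reports, per user, the daily and monthly status and the resulting actions; the 90% reminder threshold is an assumption, since the manual does not state when the "about to exceed" reminder fires.

```python
"""Flow quota accounting for the scenario in section 3.7.4.1: P2P and Thunder
downloads of marketing personnel, at most 1G per day and 30G per month.

Added example, not Sangfor code. The flow records are constructed, and the
90 % reminder threshold is an assumption (the manual does not state when the
'about to exceed' reminder fires)."""
from collections import defaultdict
from datetime import date

MIB = 1024 ** 2
GIB = 1024 ** 3

# Quota policy as configured in Steps 1 to 4 of the manual.
POLICY = {
    "objects": {"marketing"},                 # applicable user group
    "applications": {"P2P", "Thunder"},       # application categories that count
    "daily_quota": 1 * GIB,
    "monthly_quota": 30 * GIB,
    "warn_ratio": 0.9,                        # assumed reminder threshold
}

# Constructed flow records: (user, group, application category, day, bytes).
FLOWS = [
    ("alice", "marketing", "Thunder", date(2021, 8, 1), 600 * MIB),
    ("alice", "marketing", "P2P", date(2021, 8, 1), 500 * MIB),    # day total 1100 MiB > 1 GiB
    ("alice", "marketing", "HTTP", date(2021, 8, 1), 5 * GIB),     # not a quota'd application
    ("bob", "marketing", "P2P", date(2021, 8, 1), 950 * MIB),      # 92.8 % of the daily quota
    ("carol", "sales", "P2P", date(2021, 8, 2), 3 * GIB),          # not an applicable object
]
# bob stays just under 1 GiB every remaining day of August, yet the month
# total (950 + 30 * 1000 MiB) exceeds the 30 GiB monthly quota.
FLOWS += [("bob", "marketing", "P2P", date(2021, 8, d), 1000 * MIB) for d in range(2, 32)]


def usage(flows, policy):
    """Aggregate counted bytes per (user, day) and per (user, year, month)."""
    daily = defaultdict(int)
    monthly = defaultdict(int)
    for user, group, app, day, nbytes in flows:
        if group not in policy["objects"] or app not in policy["applications"]:
            continue
        daily[(user, day)] += nbytes
        monthly[(user, day.year, day.month)] += nbytes
    return daily, monthly


def status(used, quota, warn_ratio):
    """'exceeded' above the quota, 'warning' when the reminder threshold is reached."""
    if used > quota:
        return "exceeded"
    if used >= warn_ratio * quota:
        return "warning"
    return "ok"


def evaluate(flows, policy):
    """Return {(user, scope, period): status} for every user and period with traffic."""
    daily, monthly = usage(flows, policy)
    result = {}
    for (user, day), used in daily.items():
        result[(user, "daily", day.isoformat())] = status(
            used, policy["daily_quota"], policy["warn_ratio"])
    for (user, year, month), used in monthly.items():
        result[(user, "monthly", f"{year}-{month:02d}")] = status(
            used, policy["monthly_quota"], policy["warn_ratio"])
    return result


def actions_for(flows, policy):
    """Map each user to the 'Action If Threshold is Reached' actions of Step 3."""
    actions = defaultdict(set)
    for (user, _scope, _period), st in evaluate(flows, policy).items():
        if st == "warning":
            actions[user].add("remind user: quota about to be exceeded")
        elif st == "exceeded":
            actions[user].add("alert administrator by email")
            actions[user].add("apply limited BM channel (penalty channel)")
    return dict(actions)


if __name__ == "__main__":
    for user, acts in sorted(actions_for(FLOWS, POLICY).items()):
        print(user, sorted(acts))
```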


3.7.4.2 Online Duration Quota

The duration quota limits the online time of a single user during the
effective period of the policy. When a user's application time or online time
exceeds the limit during the policy's effective period, the user is prohibited
from going online or is placed in the penalty channel for the corresponding
punishment. There are two types of duration quota: application duration quota
and online duration quota. Select the quota type according to your needs.

Application Quota

Step 1. Check Application in the Daily Duration Quota Per User column on
the Online Duration Quota interface. In the Duration column, you can
customize the quota period according to the needs of the enterprise.


Step 2. In the Application column, you can select the applications that require
quotas according to the needs of the enterprise, or you can select all
applications and then set the whitelist application in the Excluded
Application.

Step 3. Click Excluded Application.

Step 4. On the pop-up Excluded Application page, click Select under the
Specified column, and select the application to be excluded in the pop-up
interface or fill in the port of the corresponding application in Excluded Port.


Step 5. In the Online Duration Quota column, configure the online duration of
a single user, in minutes. The maximum value is 1440 minutes (24 hours).


Online Duration

Check Online Duration in the Daily Duration Quota column on the duration
quota interface. In the Type column, define the daily online duration of a
single user according to your needs. You can also set excluded applications;
time spent using the applications added to the excluded column is not counted
toward the duration.

The following three actions can be configured for users who exceed the time
limit in the Action If Threshold is Reached column.

⚫ Send an alert email to notify the administrator that the user has exceeded
the quota.

⚫ Remind users who are about to exceed or have exceeded their quota, informing
the user that the time quota is about to be exceeded.

⚫ Other action: directly reject Internet access.


3.7.4.3 Bandwidth

The bandwidth limit detects the flow rate of a single user during the
effective period of the policy. When the total bandwidth (upstream or
downstream flow) of all applications (or the specified applications) used by
the user continuously exceeds the set threshold for the configured number of
minutes during the policy's effective period, the user is prohibited from
accessing the Internet or is placed in the penalty channel for the
corresponding punishment.

Configuration steps:

Step 1. In the Period column in the Bandwidth Per User column of the
Bandwidth interface, customize the limitation period according to the needs
of the enterprise.

Step 2. In the Application column, check specific applications or all
applications according to requirements.

Step 3. In the Type column, select the type of traffic detected by the
policy: the flow rate of inbound traffic, outbound traffic, or both
directions.

Step 4. Fill in the flow rate threshold for policy detection in the Max
Bandwidth column and the required duration in the Above Threshold For
column. For example, if an enterprise wants to limit users whose total traffic
exceeds 2Mbps for 30 minutes, fill in 2Mbps in the Max Bandwidth column
and 30 minutes in the Above Threshold For column.
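
The detection described in Steps 3 and 4, as an added example that is not Sangfor code: it replays constructed per-minute rate samples for two users against the 2Mbps / 30 minutes policy and shows that bursts shorter than the period do not match; reading "continues to exceed" as a run that resets on any sample at or below the threshold is an assumption.

```python
"""Sustained bandwidth detection for section 3.7.4.3: a user matches the policy
when their flow rate stays above Max Bandwidth for Above Threshold For
consecutive minutes (2Mbps for 30 minutes in the manual's example).

Added example, not Sangfor code. The per-minute rate samples are constructed;
the assumption that the counter resets on any sample at or below the
threshold is how 'continues to exceed' is read here."""

MBPS = 1_000_000  # bits per second


def build_samples():
    """Constructed per-user, per-minute samples: (minute, inbound bps, outbound bps)."""
    users = {"alice": [], "bob": []}
    for minute in range(80):
        # alice: a 25-minute burst (too short), a 5-minute dip, then a 40-minute burst.
        alice_in = 3 * MBPS if 5 <= minute < 30 or 35 <= minute < 75 else 0.5 * MBPS
        users["alice"].append((minute, alice_in, 0.2 * MBPS))
        # bob: a single 20-minute burst, never long enough to match.
        bob_in = 4 * MBPS if 10 <= minute < 30 else 0.3 * MBPS
        users["bob"].append((minute, bob_in, 0.1 * MBPS))
    return users


def rate_of(sample, traffic_type):
    """Select the rate the policy's Type column inspects."""
    _minute, inbound, outbound = sample
    if traffic_type == "inbound":
        return inbound
    if traffic_type == "outbound":
        return outbound
    if traffic_type == "bidirectional":
        return inbound + outbound
    raise ValueError(f"unknown traffic type: {traffic_type}")


def first_match(samples, max_bandwidth_bps, above_threshold_for_min, traffic_type):
    """Return the minute at which the policy first matches, or None.

    The run of consecutive above-threshold minutes resets whenever a sample is
    at or below the threshold, so bursts shorter than the period never match."""
    consecutive = 0
    for sample in samples:
        if rate_of(sample, traffic_type) > max_bandwidth_bps:
            consecutive += 1
            if consecutive >= above_threshold_for_min:
                return sample[0]
        else:
            consecutive = 0
    return None


def users_to_penalize(per_user_samples, max_bandwidth_bps=2 * MBPS,
                      above_threshold_for_min=30, traffic_type="bidirectional"):
    """Users who sustained the threshold, with the minute the penalty would start."""
    matched = {}
    for user, samples in per_user_samples.items():
        minute = first_match(samples, max_bandwidth_bps, above_threshold_for_min, traffic_type)
        if minute is not None:
            matched[user] = minute
    return matched


if __name__ == "__main__":
    print(users_to_penalize(build_samples()))  # {'alice': 64}
```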


3.7.4.4 Concurrent Connection

Concurrent connection control limits the maximum number of concurrent
connections for a single user. It can restrict users from running scanning
tools or P2P download tools that open many connections at the same time,
and it also reduces the probability of viruses spreading by scanning the
intranet and opening many connections to other machines.

In the Concurrent Connection Per User option, the maximum value that can be
filled in is 65535.

When the number of connections currently established by the user exceeds the
value in Concurrent Connection Per User, the administrator can be notified by
email. At the same time, you can choose to prohibit the user from creating
new connections or specify the number of minutes for which the user is
prohibited from accessing the Internet.


3.7.4.5 Online Endpoint

The online endpoint limit restricts the number of endpoints on which a single
user can be online at the same time. Combined with the applicable objects of
the policy, you can create different endpoint quota policies for different
users so that different users can have different numbers of endpoints online.


Step 1. Choose Bandwidth Management > Bandwidth Configuration >
Exclusion Rules, click New, and add an exclusion policy.

Step 2. Set the exclusion policy.

Set Policy Name and Application Category. If the application type is
uncertain, you can select All. Set Destination to the group specified in Step 1.


Step 3. Click Commit.

3.7.5 Virtual Line Configuration

For an IAG working in bridge mode, all data is transferred through the IAG
using the same line, regardless of the number of lines connected to the
front-end device and the number of egresses of the device in multi-bridge
mode. By default, the IAG performs traffic control over all the lines as a
whole. If multiple lines must be controlled separately in bridge mode, virtual
lines are required.

As shown in the following figure, there is only one default virtual line: line
1. If no other line is configured, and multiple Internet lines are connected to
the front-end device or the local device has multiple egresses in multi-bridge
mode, line 1 must be set to the total bandwidth of all the physical lines.
However, the IAG cannot control the traffic of the multiple Internet lines
separately in this case.

Scenario

The IAG is deployed in bridge mode, as shown in the following figure. The
firewall has two egresses, including one 10 Mbps line from China Telecom and
one 10 Mbps line from China Unicom. The P2P traffic of the lines must be
controlled separately so that the P2P traffic of each line does not exceed 20%
of the bandwidth.

Configuration Steps

Step 1. Configure two virtual lines on the IAG, each corresponding to an
Internet line of the firewall. Set the bandwidth of the virtual lines separately
based on the actual bandwidth of the corresponding Internet lines.

Choose Bandwidth Management > Line Bandwidth, click Line 1, and set the
bandwidth value of the line.

Assume that line 1 in this example corresponds to the line from China
Telecom. The following figure shows the configuration for line 1.


Choose Bandwidth Management > Line Bandwidth, click Add, and set the
bandwidth value of line 2. Assume that line 2 in this example corresponds to
the line from China Unicom. The following figure shows the configuration for
line 2.

Step 2. Configure virtual line rules.

The rules distribute data between the virtual lines and map the virtual lines
to the physical lines. Generally, the front-end device has route selection
rules, and you can copy the route settings of the front-end device to the
virtual line rules. Refer to the firewall route selection settings shown in
the following figure and set the virtual line rules.

Choose Bandwidth Management > Line Bandwidth > Virtual Line List and
click Add. On the Edit Virtual Line Rule page that appears, select virtual line 1
for the data transferred to the IP addresses 202.96.0.0/24 through the line
from China Telecom.


LAN IP: To set the source IP addresses of packets.

WAN IP Address: To set the destination IP addresses of packets.

Service: To set the protocol of packets.

Bridge List: Used in multi-bridge mode to specify the bridge that forwards
packets to the virtual line.

Specify Line: To specify the virtual line destination of the data that
meets the preceding criteria.

Step 3. Set rules for the other virtual lines until the virtual line rules are the
same as the line rules of the firewall.

Step 4. Control the P2P traffic of the two virtual lines separately.

Choose Bandwidth Management > Line Bandwidth and set the limitation
channel policy of line 1.

On the Bandwidth Channel tab page, click Add and choose Add Parent
Channel. The Add Parent Channel page is displayed.


Set the effective line, channel type, limited or assured bandwidth, and per-user
bandwidth. Set traffic control for line 1 (line from China Telecom). Set Target
Line to Line 1.

Channel Type: Set Outbound Bandwidth and Inbound Bandwidth to 20% of the
total bandwidth each. The total bandwidth is 10 Mbps, and therefore the
limited bandwidth is 2 Mbps.

Max Bandwidth Per-User Policy: Specifies how bandwidth is allocated among the
users using the channel. The default option is Even, which means that the
bandwidth is allocated evenly among the users.

Channel Availability: Specifies the application types to which the channel is
available. Click Select and select application types in the User-Defined
Applicable Service and Application dialog box that appears. In this example,
select P2P/All and P2P Streaming Media/All to implement P2P traffic control.
Click OK.


Object: Specifies the users, user groups, and IP addresses to which the channel
applies. If you select All Users, it applies to all intranet users. After
selecting the applicable objects, click OK.

Step 5. Control the P2P traffic of the two virtual lines separately.

Use the method for setting the limitation channel policy of line 1 to
set the limitation channel policy of line 2.

Step 6. The Bandwidth Channel tab page displays the configured channels.
The limitation channel configuration is complete.


Example: The device serves as a bridge, and the firewall has two ports covering
the international and local lines. Policy-based routing sends international
traffic through the international line with a bandwidth of 3 Mb/s and local
traffic through the local line with 7 Mb/s. P2P data on both lines must be
subject to traffic control so that the bandwidth occupied by P2P data on each
line does not exceed 10%, and the region is China.

Step 1. Ensure the region identified in Country/Region is correct.

Choose Object -> IP Address Database -> Country/Region -> My
Country/Region: China.

Step 2. Configure virtual lines.

Choose Bandwidth Management -> Virtual Lines -> Create a virtual line
named International, with an outbound and inbound bandwidth of 3M, and a
virtual line named Local, with an outbound and inbound bandwidth of 7M.

Step 3. Configure virtual line rules.

Choose Bandwidth Management -> Virtual Line Rule -> Create two virtual
line rules: the WAN IP of one rule selects Overseas to specify the
international line, and the other selects Local to specify the local line.


Step 4. Configure traffic control.

Choose Bandwidth Management -> Channel -> Enable the traffic control
switch to create a new channel. Select International as the target line, and set
the limited bandwidth.

Bandwidth Usage Range: To set what types of data are matched to this channel,
i.e., the usage range of the channel. Click Select custom application, and
select the application type in the Custom Applicable Services and Applications
dialog box that appears. In this example, P2P-related data needs to be subject
to traffic control, so select P2P/All and P2P Streaming Media/All. Click OK to
complete the settings of applicable applications.

Objects: To set the users, user groups, and IP addresses to which this channel
applies; checking All indicates that the channel applies to all LAN users.
After selecting the Objects, click OK to complete the settings.

Step 5. Perform traffic control on P2P application data on the two virtual lines.

Set the limited channel policy of line 2 (local line) using a method similar to
that for the international line, which is not repeated here.

Step 6. After the settings are completed, the configured channels are displayed
in Bandwidth Channel, indicating that the configuration of the limited channel
is complete.


1. Virtual line rules are matched in descending order.

2. Virtual line rules can be configured in batches to select lines based on destination IP
addresses and bridges. On the Virtual Line Rules page, click Batch Import and set rules.

3. Virtual Line Rules can be imported and exported.

3.7.6 DNS Server Proxy

Sangfor's Internet access control supports DNS server proxy. You can set the
DNS proxy scope based on end-user group, accessed website type, accessed
domain name, and destination DNS server. Various proxy actions are supported,
including redirect to a specified DNS server, redirect to a specified line,
resolve to a fixed IP address, and discard.

When multiple Internet links are deployed in the network, most users are
assigned to the same link because all LAN users configure the DNS server of a
particular ISP. As a result, that link always remains busy, so the access speed
of users on this link slows down while the other link stays idle. The uneven
utilization of links wastes Internet resources and cannot guarantee the access
speed of users.

With the DNS server transparent proxy of Sangfor's Internet access control,
regardless of which ISP the users' configured DNS server belongs to, DNS
requests can be forwarded by the Sangfor Internet access control device and
answered to LAN PCs via a proper DNS server. On this basis, traffic can be
assigned to the various links by the preset load algorithm according to the
configured link utilization policy, so that the traffic on both links in the
users' network always meets the administrator's expectation and all links are
utilized.

⚫ Redirect to DNS server: DNS server's IP address

⚫ Resolve as IP: Resolve the domain name to an IP address directly


⚫ Discard: Discard DNS server requests directly

⚫ Redirect to specified line: redirect to the specified port (ISP)

1. The specified line displays the networking interface in the routing mode and the virtual
line in the bridge mode.

2. In the redirect to specified line policy, lines that are not configured with DNS server are
not available, and a message displays that only lines configured with DNS server can be
selected.

3.7.6.1 Redirect to DNS Server

1. Prepare an IAG device configured in routing or bridge mode.

2. Redirect user A's request to access the domain name www.baidu.com to the
DNS server 114.114.114.114 in the LAN, which is compulsory, to access the
domain name.

Specific configuration

1. Configure DNS Server Policy – Criteria.

Select user A, define the access domain name as "www.baidu.com" and the
destination DNS server (the DNS server configured on the tested user PC) as
"3.3.3.3".


2. Configure DNS Server Policy - Proxy Action.

Select "Redirect to DNS Server" for Proxy Action and enter the DNS server
address to which requests are redirected.

Configure an ineffective DNS server as the destination DNS server, and
configure an ineffective DNS server on the tested PC.

1. The nslookup command on the tested PC does not succeed, but www.baidu.com
can be pinged.

2. If the ping command has already been performed, use ipconfig/flushdns to
clear the cache.


3.7.6.2 Resolve to Specified IP

1. Prepare an IAG device configured in routing or bridge mode.

2. Redirect access to specified domain names to the specified IP, which is
mandatory.

3. The user's request to access the domain name www.qq.com is resolved to
6.7.6.7, which is mandatory.

Specific configuration

1. Configure DNS Server Policy - Criteria

For all users, define the access domain name as "www.qq.com" and the
destination DNS server (the DNS server of the tested user PC) as "All".


2. Configure DNS Server Policy - Proxy Action.

Select Resolve to IP address for Proxy Action and enter the IP address to be
resolved.

Look up the domain name www.qq.com directly using the nslookup command on the
tested PC.


3.7.6.3 Directly Discard Access to Some Domain Names

1. Prepare an IAG device configured in routing or bridge mode.

2. Discard access to specific domain names, which is mandatory.

3. Directly discard the user's access to the domain name
"www.sangfor.com.cn".

Specific configuration

1. Configure DNS Server Policy – Criteria.

For all users, define the access domain name as "www.sangfor.com.cn" and the
destination DNS server (the DNS server of the tested user PC) as "All".


2. Configure DNS Server Policy - Proxy Action.

Select Drop packet for Proxy Action.

Look up the domain name www.sangfor.com.cn directly using the nslookup command
on the tested PC, or access the website directly via a browser.

3.7.6.4 Redirect Access to Specified Line

1. Prepare an IAG device configured in routing or bridge mode.

2. Multiple lines must be enabled on the device.

3. The link load function must be configured on the device.

4. Redirect access to specified domain names to the specified line, which is
mandatory.

5. Users access the domain name www.sina.com.cn via Line 5.

Specific configuration

1. Configure DNS Server to enable DNS server for the line (virtual line).


The DNS configuration can be performed in three places: Deployment Mode,
Interface Configuration, or Traffic Control Management - Line Configuration.

2. Configure DNS Server Policy – Criteria.

For all users, define the access domain name as "www.sina.com.cn" and the
destination DNS server (the DNS server of the tested user PC) as "All".


3. Configure DNS Server Policy - Proxy Action.

Select Redirect to specified line for Proxy Action and enter the networking
interface of the specified line.

Only lines configured with a DNS server and DSCP/TOS value can be selected,
and this function does not take effect when link load is not enabled.

The tested PC accesses the domain name www.sina.com.cn directly; view the
result in Traffic Statistics – Connections.

3.7.6.5 DNS Failover

The two scenarios Redirect to DNS Server and Forward to Specified Line of the
DNS proxy provide escape mechanisms. When the corresponding line is broken,
the DNS proxy policy becomes invalid and the following applies:

⚫ If link load is not enabled, the default route is used directly.

⚫ If link load is enabled, the load policy is used; if the load is also
abnormal, the default route is used.

⚫ The new default route page supports adjusting the default route order.

⚫ The default route failover mechanism is based on line failure detection (DNS
and ping).

3.7.6.6 Precautions

1. Redirecting to a LAN DNS server: The DNS proxy action redirects to the DNS
server in the LAN (the DNS server is in the DMZ zone).

Outcomes

Redirection to the DNS server in the LAN fails (if the user's PC is configured
with an effective DNS server, its own DNS server is used; an ineffective DNS
server results in network disconnection).

Solution

Configure the firewall to allow DMZ > LAN traffic.

2. When global exclusion and pass-through are enabled, is the DNS server proxy
function effective?

Configure the DNS server policy to Drop packet. After the domain name is added
to global exclusion, the Drop packet action of the DNS server proxy stops being
effective.

After pass-through is enabled, the DNS server proxy does not take effect.

3. In bridge mode, DNS detection sends a packet from the DMZ interface. The
deployment scenario should ensure that the packet sent from the DMZ interface
can reach the port.
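
The four proxy actions of sections 3.7.6.1 to 3.7.6.4, the failover of 3.7.6.5 and the global exclusion and pass-through precautions of 3.7.6.6, as one added example (not Sangfor code) that decides what happens to a DNS request; the policy values are the manual's worked cases, while first-match policy ordering, the "forward" result for unmatched requests and the field names are assumptions.

```python
"""DNS server proxy decisions for the cases in sections 3.7.6.1 to 3.7.6.6.

Added example, not Sangfor code. The policy values (user A, www.baidu.com via
114.114.114.114 when the PC's DNS server is 3.3.3.3, www.qq.com resolved to
6.7.6.7, www.sangfor.com.cn dropped, www.sina.com.cn via Line 5) are the
manual's; first-match policy ordering, the 'forward' result for unmatched
requests and the field names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    domain: str
    action: str                         # redirect_dns | resolve_ip | drop | redirect_line
    target: Optional[str] = None        # DNS server, fixed IP address or line name
    users: Optional[set] = None         # None means all users
    dst_dns: Optional[set] = None       # destination DNS servers matched; None means All


@dataclass
class DeviceState:
    lines_with_dns: set = field(default_factory=set)   # lines configured with a DNS server
    line_up: dict = field(default_factory=dict)        # line name -> failure detection result
    link_load_enabled: bool = False
    load_policy_ok: bool = True
    default_route_line: str = "Line 1"
    global_exclusion: set = field(default_factory=set) # domains in global exclusion
    passthrough: bool = False


def validate(policy, state):
    """Mirror the UI restriction of 3.7.6.4: only lines with a DNS server can be selected."""
    if policy.action == "redirect_line" and policy.target not in state.lines_with_dns:
        raise ValueError(f"{policy.target}: only lines configured with a DNS server can be selected")


def matches(policy, user, domain, dst_dns):
    return ((policy.users is None or user in policy.users)
            and domain.lower().rstrip(".") == policy.domain.lower()
            and (policy.dst_dns is None or dst_dns in policy.dst_dns))


def redirect_line(line, state):
    """Failover of 3.7.6.5 when the target line is broken."""
    if not state.link_load_enabled:
        # The action does not take effect without link load; the default route is used.
        return ("default_route", state.default_route_line)
    if state.line_up.get(line, False):
        return ("redirect_line", line)
    if state.load_policy_ok:
        return ("load_policy", None)
    return ("default_route", state.default_route_line)


def proxy_dns(user, domain, dst_dns, policies, state):
    """Decide what the IAG does with one DNS request: (action, target)."""
    if state.passthrough:                         # precaution 2: pass-through disables the proxy
        return ("forward", dst_dns)
    for policy in policies:
        if not matches(policy, user, domain, dst_dns):
            continue
        if policy.action == "drop":
            if domain in state.global_exclusion:  # precaution 2: exclusion overrides Drop packet
                return ("forward", dst_dns)
            return ("drop", None)
        if policy.action in ("redirect_dns", "resolve_ip"):
            return (policy.action, policy.target)
        if policy.action == "redirect_line":
            return redirect_line(policy.target, state)
    return ("forward", dst_dns)


POLICIES = [
    Policy("www.baidu.com", "redirect_dns", "114.114.114.114", users={"user A"}, dst_dns={"3.3.3.3"}),
    Policy("www.qq.com", "resolve_ip", "6.7.6.7"),
    Policy("www.sangfor.com.cn", "drop"),
    Policy("www.sina.com.cn", "redirect_line", "Line 5"),
]
STATE = DeviceState(lines_with_dns={"Line 1", "Line 5"},
                    line_up={"Line 1": True, "Line 5": True}, link_load_enabled=True)

if __name__ == "__main__":
    for policy in POLICIES:
        validate(policy, STATE)
    print(proxy_dns("user A", "www.baidu.com", "3.3.3.3", POLICIES, STATE))
```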

3.7.7 Link Load Balancing

To ensure the Internet experience of core users and core applications while
high-quality bandwidth is limited, users want to drain applications that do
not require high real-time performance and stability (such as P2P, P2P
streaming media, web streaming media, and games) to links with large
bandwidth and average quality, and to channel core users (such as
management) and core applications requiring high real-time performance and
stability (such as video conferencing) to high-quality lines. This guarantees
the experience of applications with high real-time requirements and
significantly improves work efficiency.

IAG traffic routing improves users' bandwidth usage via traffic optimization
functions such as IP address, protocol, user routing, application routing,
bridge scenario routing, and DNS proxy.

Description of Diversion Scheme

The Sangfor application diversion scheme supports various flexible deployment
methods. It can implement application diversion via routing deployment and
can also be combined with routers/firewalls from mainstream manufacturers. It
also supports tag-based diversion, meeting scenarios in which clients access
different links.


Sangfor Internet access control adopts technologies including application
routing, DNS transparent proxy, and link busy control. You can implement an
allocation mechanism that assigns links based on factors including the load
of the links, time range, user group, and access objects, to further optimize
the use of the links.

It also supports setting the diversion range according to factors including
endpoint user group, Internet access application, accessed domain name, source
IP address range, destination IP address range, transport protocol, and IP
layer DSCP/TOS marking, and supports multiple load methods including
dynamic load (high-priority lines preferred), specified lines, load based on
carrier, load based on line bandwidth, load based on residual bandwidth, and
lease line backup based on VPN, to improve the diversion effect.

Application Routing Technology

Sangfor Internet access control adopts application routing technology to
implement an allocation mechanism that assigns links based on factors including
the load of the links, time range, user group, access objects, and accessed
application types, to further optimize the use of the links.

Dynamic Diversion Technology

The Sangfor Internet access control adopts the dynamic diversion technology.


When the high-quality line is idle, other users and traffic also can go through it.
When the line is busy, the traffic of non-important applications and non-
important users will be diverted. The high-quality line guarantees the Internet
access experience of the core users and core applications.

Routing Support Description

Both routing mode and bridge mode support link load balancing and DSCP and
TOS marking.

Default load policy priority: disable the default load policy, prefer the line
with the highest usage priority, load based on carrier, residual bandwidth,
bandwidth ratio, and even load assignment.

Preferred load policy: specified lines, multi-line load, residual bandwidth,
preferred usage of the above lines, bandwidth ratio, even load assignment, and
lease line backup based on VPN.

3.7.7.1 Bridge Mode Routing

This scenario often applies to high schools.

AD devices are deployed on the multiple lines of the unit's port, and the IAG
in bridge mode is deployed in series to link with the port devices to implement
routing. "Important applications" go through line 1, and non-work applications
such as games go through line 2.

Implementation Method

The IAG device is configured with link load balancing to specify the line; the
AD and IAG devices mark the lines with the same TOS tags.

Test Topology

Deployment of the IAG device in bridge mode: There are two WAN lines, in
which line 1 is ISP1 (with a bandwidth of 800M) and line 2 is ISP2 (with a
bandwidth of 500M).

Prerequisites

The IAG device has at least two WAN lines.


Configuration Method

Configuration of deployment mode: Configure the deployment mode as bridge
mode and configure a DNS address.

1. Define the lines.

Under Bandwidth Management > Line Bandwidth.


Under Bandwidth Mgt > Link Load Balancing > Add > Add Preferred Link
Load Balancing Policy. The TOS value in the virtual lines should be defined
and kept consistent with the AD.

2. Link load balancing

Choose Bandwidth Management > Link Load Balancing.


Core applications go through line 1; non-important applications go through
line 2:

Configuration Results

The Link Load Balancing function should be enabled in advance.

3.7.7.2 Route Mode Routing

Scenario

The client's branch uses an IAG at the prefectural-municipal port, and
employees in the branch need to access the LAN applications in the provincial
branch's intranet. The IAG in the branch and the port device in the provincial
branch (the headquarters) are connected via VPN; meanwhile, the branch and the
provincial branch are also connected by a lease line. When the lease line is
normal, the branch should access the applications in the provincial branch
using this line. When the lease line is disconnected, it is automatically
switched to the VPN line.


Implementation Method

The IAG is configured with link load balancing: it uses the lease line by
default and switches to the VPN when the lease line is abnormal.

Test Topology

Configuration of the device in route mode: There are two WAN lines, one
connecting to the VPN and the other connecting to the headquarters as the lease
line.

Prerequisites

1. The IAG has at least two WAN lines, one connecting to the VPN and the other
used to connect the lease line.


2. The network segment of the branch LAN and the network segment of the
headquarters LAN to be accessed should be described to introduce the overall
deployment in the branch and the headquarters, for example, which device in
the headquarters offers the VPN connection and which networking interface of
which device the lease line is connected to.

3. Confirm whether the VPN device in the headquarters is a Sangfor VPN device
or a third-party VPN device. If it is the former, the headquarters should
create a VPN account in advance for the branch VPN connection; if it is the
latter, the parameters related to the phase 1 and phase 2 connection of the
third-party VPN must be known.

Expected Result

When the lease line and VPN are both connected normally, the branch
preferentially goes through the lease line to access the applications in the
headquarters and switches to the VPN line when the lease line is disconnected.

Configuration Method

Configuration of the VPN branch IAG

1. Configuration of deployment mode: Configure the deployment mode as route
mode, and configure the LAN and WAN interfaces and IP addresses of the two LAN
and WAN lines.


2. Configuration of static route: If the branch LAN is a three-tier
environment, a backhaul route of the LAN also needs to be added, pointing to
the three-layer switch of the LAN. In this environment the LAN is a two-tier
environment, so the static route is not required.

3. VPN configuration: Configure VPN Connections to connect to the VPN device
in the headquarters.

After the configuration is complete, the VPN connection is established and you
can see that the VPN connection is successful. The route of the network segment
of the headquarters LAN points to the VPNTUN port.

A third-party VPN device, rather than a Sangfor device, used by the headquarters is also
supported. However, the third-party connection must be configured in the VPN configuration.
Moreover, if the headquarters' VPN device or network is to support the lease line for the
branch LAN's access to headquarters applications, the backhaul from the headquarters to the
branch LAN should use the lease line. If the branch LAN accesses headquarters applications
via the VPN, the backhaul should use the VPN.

Link Load Configuration

1. Configure the IP groups of the LAN and of the headquarters on the branch
IAG.

2. In Link Load, go to Bandwidth Management > Link Load to add a new
multi-line load routing as the backup for the VPN lease line.


3. In Link Load, perform link failure detection for the two WAN lines.


For link failure detection, two link state detection methods are available:
DNS resolution and the ping command. You can choose either at your
discretion.

A disconnection detected by either the ping command or the DNS server check
means that the line is treated as not connected.

You can enter multiple addresses for the ping or DNS server check; if any one
of these addresses responds, the line is treated as connected.

Auto Detect indicates whether automatic detection is enabled. If it is not,
the line is deemed connected as long as the network interface has power.

Screenshots of the VPN configuration in headquarters

Generally, the VPN at the headquarters is pre-installed, and the route
deployment and settings are already configured in advance.

Check the deployment mode. The deployment mode is configured as the gateway
mode with two WAN lines. Line 2 is the lease line connected to the branch
IAG.


1. Static route: The IAG LAN is a two-tier environment without static routes.

2. VPN configuration: Configure the listening addresses and ports on the
server side of the headquarters VPN and create an account.


Link Load Configuration:

⚫ Define IP groups

⚫ Configure the multi-line Load routing


1. The headquarters device can be a Sangfor or a third-party VPN device. The branch's
private line can connect to the headquarters via either the headquarters' VPN device or
another device in the headquarters LAN. However, the headquarters must ensure that the return
traffic uses the lease line when the branch LAN reaches headquarters applications via the
lease line, and likewise for the VPN. The headquarters should have the corresponding link
load balancing or routing rules configured.


2. After the routing policy is configured at the headquarters, headquarters access to the
branch LAN can use the lease line preferentially and, if it is disconnected, the VPN line.

Testing

1. Normally, the IAG LAN tests applications in the headquarters LAN via the
lease line, and there should not be traffic on the IAG VPN.

2. Unplug the lease line for the WAN line on the eth1 port, and the data
should switch to VPN. Data can be found on the VPN.


Using different applications for the unplug-and-switch test is recommended. For example,
test http://172.18.1.10 when the lease line is in a normal state and test applications
on other servers when the lease line is disconnected. If the same application is used for
the unplug-and-switch test, disconnect the application before beginning a new test.

3.7.7.3 Specified Routing of Lines

The customer's IAG has two WAN lines, one belonging to Line 1 and the other
to Line 2. The LAN data shall access the Line 1 network via Line 2, or access
the Line 1 network via Line 2.

Solution: Configure a Link Load policy that specifies the line for LAN source
IPs based on the destination IPs.


3.7.7.4 Multi-Line Link Load

Descriptions of the load methods

Prefer the line with the highest priority: When there are multiple lines, the
device shows the status of each line. Based on line status, the administrator
defines their priority, and the line with the higher priority is used
preferentially. When traffic is heavy, the configuration can guarantee
service for preferred users while non-core applications are moved off the
line.

Based on dst ISP: Route traffic to the corresponding ISP's line according to
the ISP to which the destination IP belongs. This requires the administrator
to define the DNS server of each line. Traffic requested through the DNS
servers supports an independent definition of the load method.


Even load assignment: All links have equal chances of load assignment and
are selected sequentially.

Weighted Round Robin: Select among all links in proportion to their weights,
so links with a larger weight proportion have a greater chance of being
selected and vice versa. The weight proportion is based on the line
bandwidth.

Based on remaining bandwidth: Assign traffic based on the ratio of traffic to
bandwidth, selecting the lines on which traffic takes up a low share of the
bandwidth.


Prefer the link at top: Supports link backup. Suppose there are links 1, 2,
and 3; the first surviving link is selected as the egress. Only the preferred
load policy supports this routing method.

Load exclusion policy: The default load policy is unique and supports
excluding lines from the load.
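
The link failure detection rules above (ping / DNS, any-address-succeeds, Auto Detect) and the load methods of this section (highest priority or link at top, even and weighted round robin, remaining bandwidth, destination ISP) as an added, runnable Python model. This is not Sangfor code; the Line fields, the ISP prefix table and the probe results are assumptions or constructed sample data for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Line:
    name: str
    priority: int            # 1 = top of the line list (highest priority)
    bandwidth_mbps: float    # configured line bandwidth; basis of the WRR weight
    isp: str = ""            # ISP the line belongs to (for dst-ISP routing)
    used_mbps: float = 0.0   # current traffic on the line
    ping_targets: List[str] = field(default_factory=list)
    dns_targets: List[str] = field(default_factory=list)
    auto_detect: bool = True
    interface_up: bool = True


# probe(method, target) -> True when a "ping" or "dns" check of target succeeds.
# In the example this is a lookup into constructed results, not a real probe.
Probe = Callable[[str, str], bool]


def line_is_up(line: Line, probe: Probe) -> bool:
    """Link failure detection as the manual describes it: with Auto Detect off
    the line counts as connected while the interface has power; with it on, a
    check (ping or DNS) passes when ANY of its addresses answers, and the line
    is down when EITHER configured check fails completely."""
    if not line.interface_up:
        return False
    if not line.auto_detect:
        return True
    for method, targets in (("ping", line.ping_targets), ("dns", line.dns_targets)):
        if targets and not any(probe(method, t) for t in targets):
            return False
    return True


def prefer_top(up: List[Line]) -> Optional[Line]:
    """'Prefer the link at top' / highest priority: the first surviving line."""
    return min(up, key=lambda l: l.priority) if up else None


def by_remaining_bandwidth(up: List[Line]) -> Optional[Line]:
    """Pick the line whose traffic takes up the smallest share of its bandwidth."""
    return min(up, key=lambda l: l.used_mbps / l.bandwidth_mbps) if up else None


class RoundRobin:
    """Even load assignment (equal weights) or weighted round robin (weight =
    line bandwidth). Deterministic: the line chosen least often per unit of
    weight goes next; ties are resolved by list order."""

    def __init__(self, weighted: bool) -> None:
        self.weighted = weighted
        self.served: Dict[str, int] = {}

    def pick(self, up: List[Line]) -> Optional[Line]:
        if not up:
            return None
        weight = (lambda l: l.bandwidth_mbps) if self.weighted else (lambda l: 1.0)
        chosen = min(up, key=lambda l: self.served.get(l.name, 0) / weight(l))
        self.served[chosen.name] = self.served.get(chosen.name, 0) + 1
        return chosen


def by_dst_isp(dst_ip: str, up: List[Line], isp_prefixes: Dict[str, List[str]],
               fallback: Callable[[List[Line]], Optional[Line]]) -> Optional[Line]:
    """'Based on dst ISP': use the surviving line of the ISP that owns the
    destination prefix; destinations matching no ISP use the fallback policy."""
    addr = ipaddress.ip_address(dst_ip)
    for isp, prefixes in isp_prefixes.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            for line in up:
                if line.isp == isp:
                    return line
    return fallback(up)


def failover_demo() -> List[str]:
    """Constructed lease-line/VPN scenario: both ping targets of the lease line
    stop answering, so only the VPN line survives detection."""
    lines = [
        Line("line1-lease", 1, 100.0, isp="ISP-A", used_mbps=80.0,
             ping_targets=["198.51.100.1", "198.51.100.2"], dns_targets=["example.net"]),
        Line("line2-vpn", 2, 50.0, isp="ISP-B", used_mbps=10.0,
             ping_targets=["203.0.113.1"]),
    ]
    results = {("ping", "198.51.100.1"): False, ("ping", "198.51.100.2"): False,
               ("dns", "example.net"): True, ("ping", "203.0.113.1"): True}
    up = [l for l in lines if line_is_up(l, lambda m, t: results.get((m, t), False))]
    return [l.name for l in up]   # ['line2-vpn']


if __name__ == "__main__":
    print(failover_demo())
```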

3.7.7.5 Bandwidth Management Overview

In Bandwidth Mgt, you can click View to enter the line visualization state to
view the current usage.

3.7.7.6 Precautions

1. Routing mode supports link load routing, DNS server proxy, the default
route function, and visible load status of links.

2. Bridge mode supports link load routing, DNS server proxy, and visible load
status of links.


3. DNS server proxy is not supported when IAG is in proxy mode. In proxy
mode, DNS requests are initiated by the local ADC proxy, and the DNS server
proxy cannot proxy the packets of the local ADC.

4. When IAG is in proxy mode, ISP-based load routing based on the DNS server
is not supported. In essence, ISP-based load routing based on the DNS server
requires a DNS server proxy; in proxy mode, DNS requests are initiated by the
local ADC rather than the driver.

5. When IAG is in proxy mode, application routing is not supported (TCP
proxy is not supported, so the effect cannot be achieved).

6. Active-active mode does not synchronize network-related configuration.
Link load and DSCP are network-related configurations and take effect on a
single node only.

7. When global exclusion and pass-through are enabled, the link load function
causes no packet loss and still takes effect.

8. The link load function does not support alarms.

9. When IAG is in proxy mode or SSL decryption is enabled, link load is not
supported.

10. In the application routing scenario, some applications have
subdivisions, and each subdivided application is regarded as an application
of its own. Selecting all applications in the same category (for example,
all WeChat or all Facebook applications) is recommended to avoid
compromising the effect.

11. Priority in routing mode (when neither VPN nor lease line backup is
configured): pass-through route > static route > dynamic route > DNS server
proxy (Redirect to specified line) > preferred load policy > default load
policy > default route.

12. Pass-through route > static route > dynamic route > DNS server proxy
(Redirect to the specified line) > preferred load policy > default load
policy > default route > system default route.

13. VPN route > pass-through route > static route > dynamic route > DNS
server proxy (Redirect to the specified line) > preferred load policy >
default load policy > default route > system default route.

14. Priority in bridge mode: DNS server proxy (Redirect to the specified
line) > preferred load policy > default load policy.

15. The DNS server proxy action only conflicts with the link load policy when
redirection to a specified line is configured. When the two policies
conflict, the DNS server proxy action has the higher priority, and the line
it redirects to prevails.

16. In the LAN - IAG (bridge) - proxy server - F5 scenario, the link load
function is not supported.

17. When several WAN lines are configured for link load, the link failure
detection function must be configured. Otherwise, the link load policy
cannot take effect after configuration.

18. The default load policy cannot customize the user, application, or time
for which it takes effect.

3.8 Audit Policy


Traffic and Internet duration audit and web content audit.

3.8.1 Internet Access Audit

You can set policies for auditing the Internet access behaviors of intranet
users in Audit Policy. You can use different function SNs to separate
behavior audit from content audit: enable the function SN of behavior audit
to record only behaviors during auditing, or enable the function SN of
content audit to record all the content during auditing.

If only the function SN of behavior audit is enabled, Audit Policy includes
Application, Flow/Online Duration, and Webpage Content.

To set an Audit Policy, perform the following steps:

Step 1. Click Add and choose Audit Policy. The page for editing the Audit
Policy is displayed.

Step 2. Select Enabled to enable the policy.

If you do not select this checkbox, the configured policy does not take effect.

Step 3. Specify Name and Description. The policy name is the unique
identifier of the policy; it is mandatory and cannot be the same as an
existing one. The description is an overview of the policy and is optional.

Step 4. On the Audit Policy page, set the Audit Policy as required. On the
Audit Policy page, choose the desired audit type, and set the policy details on
the right. Internet access behavior audit policies include Application,
Flow/Online Duration, and Webpage Content. (For more information about
these three types of audit modules, see the subsequent chapters.)

Step 5. Set Object. The configured policy applies to the selected user groups
and users.

Step 6. Specify Advanced. You can set Expiry Date, View, and Edit in Privilege
of Admin in Same Role, and Give view privilege to administrator in lower-level
role.

3.8.1.1 Auditing Application

Access Audit enables auditing of the Internet access behavior and content of
intranet users accessing the Internet over the IAG.

To audit the Internet access behavior of users, enable the function SN of
Internet access behavior audit. The outgoing HTTP packets, website visits or
downloads, emails, IM content, FTP content, TELNET content, and Internet
access behaviors are audited.

HTTP Data Outgoing: You can select Web-based BBS posting to record intranet
users' behavior of visiting and posting on web BBSs. The log records the
posting information except for the post subjects and content. You can select
Web Mail contents to record intranet users' behavior of sending mails through
webpages. The log records the mail information except for the mail subjects
and content. You can select Web-based attachment upload (including WebMail)
to audit the file names of attachments uploaded over webpages; select this
checkbox to audit webmail attachments. You can select Web-based text upload
to record uploads of text over HTTP. If this checkbox is selected, a large
number of logs is generated, so selecting Web-based BBS posting and Web Mail
contents instead is recommended. You can select Microblogging contents to
record intranet users' behavior of posting microblogs through the Microblog
desktop client and web browser. The microblog subjects and content are not
recorded. To audit the file names of image and video attachments posted on
microblogs, select Include microblog attachment (such as image, video and
music).


Website Browsing / Downloads: To record the URLs of webpages accessed by
intranet users and the names of files downloaded from websites. You can
select All to audit all URLs. You can also select Specified to specify URL
types, so that only access to the URLs of the specified types is recorded.
When you click Specified, the Select page is displayed. On the page, you can
select the URL group to be audited. (For details of setting URL groups, see
Section 3.5.4.) If you select File name of downloaded file, the names of
files downloaded from websites using the HTTP protocol are audited, and file
content is not recorded.

You can also set the level of URL record details at Access Mgt > Advanced >
Logging. For more information, see Section 3.7.2.1.

Email: It is used to audit intranet users' attempts to send and receive mails using
the mail client. You can select Outgoing email (SMTP) to audit intranet users'
attempts to send mails. In this case, mail information excluding subjects and
bodies is logged. You can select Incoming email (POP3/IMAP) to record
intranet users' attempts to receive emails. In this case, email information
excluding subjects and bodies is logged.


The email receiving protocol and email sending protocol must be POP3/IMAP and SMTP.

IM: It is used to audit instant messaging between intranet users with IM
tools. The tool options include MSN, Yahoo, Google-Talk, Fetion, WebQQ, and
Web-MSN. Other IM chats: It specifies whether to audit IM content when an IM
type is added to the audit rule library.

FTP: To audit the names and content of files uploaded by intranet users using
FTP and the names of files downloaded by intranet users using FTP.

Telnet: To audit the commands run by intranet users using Telnet. The port
number must be 23.


Application: To audit intranet users' Internet access behaviors. You can
select Access to other applications (exclusive of contents) to audit the
identifiable Internet access behaviors. You can also select Access to
unidentified applications (on which address and port. It incurs massive logs)
to audit the Internet access behaviors that the IAG cannot identify. If this
option is selected, the IAG records destination IP addresses and port
numbers, generating a large number of logs. By default, this option is not
selected, and keeping the default setting is recommended.

To audit users' content, enable content audit SNs. Then, the outgoing
HTTP packets, website visits or downloads, emails, IM content, FTP
content, TELNET content, and Internet access behaviors are audited.

Example: Configure a policy for auditing web BBS post content, text,
and images sent using microblogs, webmails and attachments, users'
webpage access attempts, names of files downloaded from websites,
and various types of identified Internet access behaviors.

Step 1. Select Access Audit, and the Access Audit page is on the right. Click
Add and then the button below Item. In the Select Item window that appears,
select the objects to be audited.


Step 2. The Select Item window includes the HTTP Data Outgoing, Website
Browsing/Downloads, Email, IM, FTP, Telnet, and Application menu items.
You can click the menu items to go to the corresponding configuration
modules.

Step 3. Outgoing HTTP Packets: You can select Web-based BBS posting to
audit the content of posts created by intranet users in BBSs. The logs record all
post information, including subjects and bodies of posts.

You can select Web Mail contents to audit the bodies (excluding attachments)
of emails sent by intranet users through webpages. You can also select Web-
based attachment upload (including WebMail) to audit the attachments
uploaded through webpages. This option is required for auditing webmail
attachments. You can select Web-based text upload to record all the text
uploaded over HTTP.

If this checkbox is selected, a large number of logs is generated. Therefore,
selecting Web-based BBS posting and Web Mail contents instead is recommended.
You can select Microblogging contents to audit intranet users’ behavior of
posting microblogs through the Microblog desktop client and web browser. To
audit the images and videos posted on microblogs, select Include microblog
attachment (such as image, video and Music). Configure the policy for
auditing web BBS post content, text, and images posted using microblogs and
webmails, and attachments. See the following figure.


Website Browsing / Downloads: To record the URLs of webpages accessed by
intranet users and the names of files downloaded from websites. You can
select All to audit all URLs. You can also select Specified to specify types
of URLs, so that only access to the specified types of URLs is recorded.

When you click Specified, the Select page is displayed. On the page, you can
select the URL group to be audited. (For details of setting URL groups, see
Section 3.3.4.) If you select File name of downloaded file, the names of files
downloaded from websites using the HTTP protocol are audited, and file
content is not recorded.

You can also set the level of URL record details at Access Mgt > Advanced >
Logging.

Configure the policy for auditing intranet users' access to webpages and the
names of files downloaded from webpages.

Email: To audit intranet users' attempts to send and receive mails using the
mail client. You can select Outgoing email (SMTP) to audit the information
about mails, including attachments, sent by intranet users. You can select
Incoming email (POP3/IMAP) to audit the information about mails, including
attachments, received by intranet users.

IM: To audit instant messaging between intranet users with IM tools. The tool
options include MSN, Yahoo, Google-Talk, Fetion, WebQQ, and Web-MSN. Other IM
chats: To specify whether to audit IM content when an IM type is added to the
audit rule library.

FTP: To audit the names and content of files uploaded by intranet users using
FTP and the names of files downloaded by intranet users using FTP.


Telnet: To audit the commands run by intranet users using Telnet. The
port number must be 23.

Application: To audit intranet users' Internet access behaviors. You can
select Access to other applications (exclusive of contents) to audit the
identifiable Internet access behaviors. You can also select Access to
unidentified applications (on which address and port. It incurs massive logs)
to audit the Internet access behaviors that the IAG cannot identify. If this
option is selected, the IAG records destination IP addresses and port
numbers, generating a large number of logs. By default, this option is not
selected, and keeping the default setting is recommended.

Configure the policy for auditing various types of identified Internet access
behaviors. See the following figure.


Step 4. After selecting the audit options, click OK. The Application page is
displayed. Set Schedule to All Day and Action to Audit.

Step 5. Click OK. The policy for auditing Web-based BBS posting,
Microblogging contents, WebMail contents, Web-based attachment upload,
users' visited URLs, names of downloaded files, and various types of
identified Internet access behaviors is configured.

The behaviors and content of web MSN users can only be audited if the web MSN users log
in using HTTP. If the users log in via HTTPS, the behaviors and content cannot be audited.

3.8.1.2 Auditing Traffic and Internet Access Duration


Flow/Online Duration is to specify whether to collect statistics on the
traffic and Internet access duration of various applications. If you choose
to collect the statistics, you can query the data center for the traffic and
Internet access duration of the applications used by intranet users to access
the Internet.

Select Flow/Online Duration, and the Flow/Online Duration page appears on
the right.

If you select Log application traffic based on user group, statistics on the
traffic for each application to access the Internet through the IAG are collected
and sorted by group. If you select Log application traffic for each user as
well, the statistics can be collected by the user. This option provides a basis for
Internet access traffic statistics collection and sorting in the data center. The
options must be selected to query the data center for Internet access traffic
information and rankings.

If you select Log online duration for each user based on application,
statistics on the Internet access duration of each application that accesses the
Internet through the IAG are collected. If this option is not selected, statistics
on Internet access duration (including the total duration) of applications are
not collected. You cannot query the data center for Internet access duration
information and rankings.

If you select Ignore the traffic caused by the system rather than by user,
such as system update, statistics on the Internet access duration of only the
applications that are not in the Excluded Applications List and access the
Internet through the IAG are collected.

If you click Excluded Applications, the Excluded Applications window is
displayed. It consists of three sections: Applications (exempted from online
duration quota policy), Specified, and Excluded Port.

Applications (exempted from online duration quota policy) defines some
application traffic, such as the traffic for background software updates;
you can enable or disable this list. In Specified, you can select the
applications to be excluded. In Excluded Port, you can enter the port numbers
to be excluded from the Internet access duration statistics.

If you select URL access traffic, statistics on the traffic for accessing the
Internet through the IAG are collected by the domain name.

If you select URL access duration, statistics on the duration of accessing
the Internet through the IAG are collected by the domain name.

3.8.1.3 Auditing Webpage Content

Webpage Content is to specify whether to audit the content of webpages
accessed by intranet users. You can choose to audit webpage titles, webpage
bodies, or the content of only the webpages that contain specified keywords.

Select Webpage Content. The Webpage Content page appears on the right. It
consists of the Webpage Content Audit and Keyword (independent from
the settings above) sections.

If you select Not to Audit, the IAG does not audit the titles and content of the
webpages accessed.

If you select Audit webpage caption and contents, the IAG audits both the
titles and content of the webpages accessed by intranet users.

If you select All URL categories, the IAG audits both the titles and
content of all the webpages accessed by intranet users.

If you select Specified URL categories, the IAG audits the titles and
content of only the specified webpages accessed by intranet users.
You can click Select and then specify the web pages. When you click
Select, the page shown in the following figure is displayed.


Keyword (independent from the settings above) is to audit only the web
pages containing specified keywords.

Click Add. The page for adding a Keyword Group is displayed. Click the
Keyword drop-down list box and select the keyword group to be used. For more
information on setting Keyword Group, see Section 3.5.10. Next, click the
Schedule drop-down list box and select the effective time of the keywords.
For more information on setting effective time groups, see Section 3.5.9.
Click the Action drop-down list box and select the handling method to be used
by the IAG when it detects a specified keyword. The list includes the Log
contents, Reject, and Log contents & reject requests options.

If a specified keyword is detected and Action is set to Log contents, the titles and content
of the webpages involved are audited. If a specified keyword is detected and Action is set to
Reject, the webpages' content is rejected.

1. You can use different function SNs to separate behavior audit from content audit for
Internet access audit policies. If the IAG is upgraded from an earlier version, the content
audit is enabled by default.

2. If behavior audit is enabled, the Content Audit module will not be available in the
Internet access audit policy on the console.

3.8.2 Ingress Client Audit

External device audit covers removable storage media and offline endpoint
audit.

⚫ Removable storage device: Audit the read and write logs of U disks and
mobile hard disks through the Ingress Client.

⚫ Offline endpoint audit: Supports auditing when the access client is
disconnected from the IAG (for example, when a laptop is taken away from the
company).


Offline audit requires that the terminal has been connected to the IAG and obtained the
corresponding policy to take effect.

3.8.2.1 Application Ingress Client Audit

Client application audit includes five types of objects: IM audit, mail
client attachment audit, remote control, operations and maintenance, and
file transfer. The applications covered can be updated through the rule base.


⚫ IM audit: Audit the content of IM chat records and outgoing attachments of
intranet users through the Ingress Client. Multiple IM applications (WeChat,
DingTalk, and QQ) are available, and content auditing or attachment auditing
can be selected individually according to requirements.

⚫ Mailbox attachment audit: Audit the email attachments sent by intranet
users using the mail client, through the Ingress Client.

⚫ Remote control: Audit the files transmitted by the terminal through remote
software through access to the client. Currently, there are four remote
software options, including TeamViewer, Sunflower, AnyDesk, and RDP.

⚫ Operations and maintenance: Audit the files sent by the endpoint through
operation and maintenance tools, via the Ingress Client. Currently, it
includes four operation and maintenance tools: Xshell, PShell, MobaXterm, and
SecureCRT.

⚫ File transfer: Audit the files transferred by the endpoint through file
transfer tools, via the Ingress Client. Currently, it includes four file
transfer tools: WinSCP, Xftp, FileZilla, and SecureFX.

⚫ Action: Audit or do not audit is optional.

⚫ Effective time: You can choose from work time, off-work time, and all day.

⚫ File type: The file type can be filtered, and the file type can be defined in
System/Object/File Type Group.

⚫ Offline audit: Support for enabling offline auditing (that is, auditing when
the access client is disconnected from the IAG).

3.8.2.2 Ingress Client Application Audit

Scenario

Set an audit policy to audit the endpoint's IM chat content and attachments,
including after the endpoint goes offline.

Configuration Step

Step 1. Go to Ingress Client Audit > Application in the navigation menu,
click Add, and select Ingress Client Audit.


Step 2. Fill in the policy name and description information, select the
application, then click Add, select IM audit, and select offline audit to enable.


Step 3. Select Objects. The selected user groups and users here will all match
this audit policy. Click OK to complete the policy configuration.

Step 4. The user chats and sends files with the WeChat client.

Step 5. The audit results can be checked in the log center.

3.8.2.3 Ingress Client Audit USB Device

USB device audit covers removable storage devices and offline endpoint
audit.


⚫ Removable storage device: Audit the read and write logs of U disk and
mobile hard disk through access to the client.

⚫ Offline endpoint audit supports audit when the access client is disconnected
from the IAG (the laptop is taken away from the company).

Offline audit requires that the terminal has been connected to the IAG and obtained the
corresponding policy to take effect.

3.9 Endpoint Management


With the popularity of smart terminals such as tablets and mobile phones, in
a mixed wireless and wired network environment, some internal employees may
privately set up wireless APs (Access Points) and use them to bridge into the
company network. Such APs have weak security measures and are extremely easy
for outsiders to crack, leading to internal network leaks and threats to
information security.

Endpoint security management can also prevent some employees from surfing
the Internet through proxy software, circumventing permission control and
causing loopholes and risks in internal network management. The endpoint
access management function helps administrators manage the access of
different endpoints to the network, identify wireless smart endpoints and
other devices that connect through private APs or endpoint proxies, and
prevent wireless smart endpoint access from causing wireless security
loopholes and leaks.

3.9.1 Endpoint Connection Sharing

3.9.1.1 Shared Connection Management

It is to set the maximum number of endpoint devices allowed for a single IP
address or user, preventing intranet users from functioning as Internet
proxies for others. When connection sharing is detected and the limit is
exceeded, the IP address or user is locked. See the following figure.

Enable connection sharing detection: To enable the shared connection
detection function. Connection Sharing: To configure shared connection
detection. When you click Connection Sharing, the window shown in the
following figure is displayed.


Endpoints:

All: indicates that connection sharing between PCs, between mobile endpoint
devices, and between PCs and mobile endpoint devices is detected.

PCs: indicates that connection sharing between PCs is detected.

Lockout Options: It is to disable Internet access when the maximum number of
endpoint devices sharing a connection is reached.

Allow exception if: It is to specify the exceptions where Internet access is
not disabled when the maximum number of endpoint devices sharing a connection
is reached. For example, suppose the maximum number is set to 2, but one PC
and one mobile endpoint device are allowed to use the same IP address to
access the Internet. In that case, Internet access is not disabled, and the
connection sharing is recorded.

Lock IP Address: indicates that all Internet access data from a specified IP
address is rejected when connection sharing using the IP address is detected.

Lock user account: indicates that all Internet access data of a specified
user is rejected when connection sharing using the username is detected.

Click Commit.

Status List: It displays the IP addresses and usernames that are used
to share Internet connections. You can lock and unlock users on the
page or add users to the excluded users list.

Filter: It is to filter user types in the list. You can select all users,
locked users, unlocked users, or select users based on IP addresses.

Excluded Users: It is to add users, user groups, and IP addresses to a list
so that they are excluded from the detection of connection sharing.


Click Excluded Users (Groups) and select trusted users and user groups. See
the following figure.

Click Add and enter the trusted IP addresses or IP address ranges. See the following figure.


Click Commit.

Trends: It is to calculate the number of users who use shared Internet connections in the previous 7 or 30 days. The statistics can be collected by source IP address or username. See the following figure.

To view more information about users who use shared Internet connections,
click Report Center.

3.9.1.2 Mobile Endpoint Management

It is to detect and block untrusted mobile endpoint devices' Internet access attempts. See the following figure.

Enable Mobile Endpoint Verification: It enables or disables the mobile endpoint device detection function globally.


Mobile Endpoint Management Configuration Options: To specify the method for handling a detected attempt of a mobile endpoint device. The options include Lock Endpoint and Send alert by mail. If Lock Endpoint is not selected, the IAG does not block the Internet access attempts of the APs and mobile endpoint devices in the mobile endpoints list.

You can select Send alert by mail, click Alarm Options, and set alarm options.

You can select Lock Endpoint and define the lockout period.

Selecting Identify DHCP clients strengthens the capability to identify such endpoints after a mobile endpoint accesses the network. This function is new and supplements the existing application-based endpoint identification capability. To support DHCP mobile endpoint identification, mirror the DHCP protocol traffic to the device. This requires configuring the mirror port on the device's gateway page so that the device can capture packets at a specified network interface.

The endpoint type identified through DHCP is displayed in the online user list and the mobile endpoint interface. The types include Android, iOS, etc.

Mobile Endpoints List: It displays the IP addresses, usernames, home groups, endpoint types, details, status, and last detection time of connected mobile endpoints. Mobile endpoint detection is implemented based on traffic characteristics. If an AP works in NAT mode, a hotspot IP address is displayed. If the AP works in another mode, a mobile endpoint IP address is displayed.


Click Export List to export the mobile endpoints list to a CSV file. The
content and format of the file are the same as the mobile endpoints
list.

The mobile endpoints list page displays up to 1000 entries generated within the previous week. You can click Report Center and query more information on the mobile endpoint management page.

Excluded Users: It is for administrators to prevent the IAG from blocking the Internet access attempts of listed mobile endpoints.

Click Excluded Users and select trusted users and user groups.


Click Add and enter the IP addresses of APs or the network segments
where the APs provide the DHCP function.

Trends: It calculates the number of mobile endpoints detected in the previous 7 or 30 days. You can click Report Center and query more information on the mobile endpoint management page. See the following figure.

3.9.2 Anti-Proxy

With anti-proxy, users' Internet access through proxy tools can be detected and blocked, as shown below:

To detect the use of proxy tools, enable proxy detection; detection alone does not block proxy tools. To configure anti-proxy, click Settings and configure the options on the following page:


To select proxy tools that you want to detect, restrict or block, click on Select
next to Proxy Tool, as shown in the following figure:


To block specified proxy tools, select the option Block proxy tools. A proxy tool entry whose name contains Block with IAG is blocked based on network traffic. An entry whose name contains Block with Endpoint Secure requires correlation with Endpoint Secure to block the application based on its process. If the option is not selected, the use of proxy tools is detected but not blocked.

For details on correlation blocking with Endpoint Secure, refer to the configuration guide IAG_v13.0.19_Sangfor anti-proxy IAG and ES correlation Configuration Guide.

To block official websites that offer proxy tool downloads, select Block websites offering proxies. You can also add specific URLs or IP addresses under Block specific addresses that offer the proxies services.

You can also add the internal DNS server to the whitelist under DNS Server address to prevent false positives, and you can add IP addresses or domains that were detected as false positives to the IP address and domain whitelist.

To alert the user when access is denied, select the option Give alert to user.
By clicking Preview next to that option, you may view the webpage to which
the user is redirected when Internet access is denied. To modify that webpage,
go to System > General > Custom Webpage > Others, as shown below:

To lock the user when a proxy is detected, select the option Take action and specify Lockout Period (minute). In addition, you can apply a limited BM channel or reject Internet access.

⚫ Apply limited bandwidth management (BM) channel: If this option is selected, you need to select a limited BM channel. If there is no available limited BM channel, you need to add one in Bandwidth Mgt > Bandwidth Channel, as shown below:

⚫ Reject Internet access: If this option is selected, Internet access will be denied when the use of the specified proxy tool is detected.


There are three tabs on the Anti-Proxy page: Proxy Tools, Excluded Users,
Trends.

The Proxy Tools tab shows the IP Address, Username, Group, Endpoint Device, Proxy Tool, Status, Time, etc.; up to 1000 entries from the last seven days can be displayed. For more entries, click Report Center at the upper-right corner of the tab to log in to the report center.

On the Excluded Users tab, you can add users who are allowed to use proxy tools and specify IP addresses on which proxy tools are allowed.

To select users or groups you want to exclude, click on Select user/group, as shown in the following figure. You can select local users, domain users, and security groups.

To add an IP address that you want to exclude, click Add in the IP Addresses list and specify it on the following page:


On the Trends tab, it displays the trend of the use of proxy tools over
the last 7 or 30 days, as shown below:

3.9.3 Internet Security

Internet security provides security protection for Internet access in terms of content security, terminal security and network security, including leak detection, Malware detection, terminal monitoring and response, patch detection, anti-inside DOS attack, anti-ARP spoofing, malicious URL, and SAVE anti-virus.

It provides three-dimensional overall network security services. The interface consists of two modules: Security Events and Security Configuration.

3.9.3.1 Security Events

The Security Events page is mainly used to display insecure behaviors detected by the device and to analyze users and security events. If you have access to Sangfor Neural-X, you can also see the hot events. The interface is as follows:

Users: Infected users are in red, and users likely infected are in orange.

Security Event: Displays Botnet, Malicious URL, Inside Dos Attack, and Virus.

Hot Events: Accesses the Sangfor cloud (Neural-X) to get the top 10 security events. If an event occurs, the cloud diagram turns red, and the user can click to check details.

Filter: You can filter the type of security event.


Block: You can block a user by entering the username or IP address.

Information List: You can check the exact user and security event here.

Users: Click on the user name to enter the user tab. You can see the specific
occurrence time, description, data packets, risk information, and details.

Endpoint correlation is also available with Sangfor Endpoint Secure products. After the Endpoint Secure correlation, risky users can be blocked by correlation with Endpoint Secure deepened analysis.

Security Events:


Click the Journal to link to Security Event Details, and check the data packet,
threat information, and details.

3.9.4 Security Configuration

3.9.4.1 Security Capabilities

The Security Capabilities consist of three parts: Capability Diagram, Overview, Update Calendar.

3.9.4.1.1 Capability Diagram

Users can have an overall understanding of the security capabilities of the device with the security capability topology.

The device will be linked to Neural-X to build a three-dimensional threat-protection system. After accessing Sangfor Neural-X, you can get multi-source/massive threat intelligence, Sangfor Engine Zero, Signature Database Pluses Experience, real-time cloud detection, big data smart analysis and detection, and real-time cloud correlation. Combined with the device, it provides three-dimensional security services for you covering terminal security, content security, and network security.

In the figure, an enabled function is shown in green (selected) and a function that is not enabled is shown in gray (unselected). In either case, clicking the function links to its configuration page.

3.9.4.1.2 Overview

The Overview consists of three parts: Update Overview, Update and Top 10 Hot
Events.


Update Overview: Outlines the security capabilities of the device.

Shortest minutes: The shortest time, among all new threats in the last month, from the threat's outbreak to the device receiving detection and defense capability for it.

Scans in Cloud: Shows the average number of daily cloud scans in the last month after the device is linked to Neural-X.

Security Events: The number of security events in the last month.

Updates: Security capability cloud update trend in the previous month.

Top 10 Hot Events: Top 10 hot events on the network.

3.9.4.1.3 Update Calendar

Displays the security capability updates in the last month. A date with no update shows Update 0. When the user hovers the mouse over an update entry, it displays the specific update content and amount for that day, including the URL rule base, malicious URL rule base, application identification rule base, Malware rule base, and hotspot event updates, together with the number of updates of each kind.


3.9.5 Security Configuration

The specific configuration page of the Internet security module.

3.9.5.1 All Terminal Security

Three parts are included: Malware Detection, End Secure (EDR), and Patch
Check.

3.9.5.1.1 Malware Detection

Sangfor Malware Detection combines botnet behavior analysis and feature recognition to identify and block malware suspected of carrying Trojans in the LAN security domain. It has built-in cloud security detection technology and reports unknown risks to the cloud virtual sandbox, which executes them and returns an analysis report, effectively preventing hosts from accessing malicious URLs.


Select Enabled to enable the function.

Excluded Addresses: IP addresses that do not need to be detected and can be added to the whitelist.

Excluded Websites: Websites that do not need to be detected and can be added to the whitelist.

Action: You can choose to Give Alert (combination with the "System
Management - System Configuration - Alarm Option") and Block access to
malicious URL or Block source IP.

3.9.5.1.2 End Secure (EDR)

As an endpoint detection and response platform and a lightweight endpoint management platform solution, Sangfor Endpoint Secure utilizes the capability of constant detection of endpoint threats and the response option of isolating threat events with one click. Sangfor Endpoint Secure, with correlated response in combination with NGAF, IAG, and Cyber Command products, constitutes the new generation of security protection systems.

This function applies to scenarios already using Endpoint Secure products.

In the endpoint deployment of Endpoint Secure, Correlation to Sangfor IAG is added. See the picture below:

In the IAG endpoint's Endpoint Detection and Response (EDR) page, enter
the IP address of the Endpoint Secure platform to connect to the platform.

After the connection is completed: The page displays Endpoint Secure's service information, the number of connected endpoints, and correlated actions.


Click Go to EDR management platform to go to the management platform of Endpoint Secure.

Click View Correlation Details to go to the details page of the correlated endpoint.

Click Push Configuration to enable this function and configure the Applicable Object of this policy. It pushes a reminder web page for deploying the Endpoint Secure client to endpoints within the applicable scope, helping promote the Endpoint Secure client across the LAN.


Enable Push Configuration: This function is disabled by default. Enable it on demand.

Applicable Object: applicable to LAN IP addresses or IP segment.

Redirection URL: for generating and copying the URL and adding it to the Endpoint Secure device's connection configuration for Endpoint Secure EDR.

Interval(s): defines the interval for pushing the web page to clients that do not have the agent installed. The default is 300 s.

For endpoints within the applicable address scope that do not have the agent
installed, the timed redirection page is as follows:


Upon receiving this redirection page, download the installation package for the client's operating system and complete the installation.

Only redirection when accessing HTTP web pages is supported; redirection when accessing HTTPS web pages is not supported.

Click Disconnect from EDR to disconnect the correlation between the device
and Endpoint Secure.

3.9.5.1.3 Patch Check

The Windows patch detection function detects patches that are not installed on the client computer and prompts for patch updates in a timely manner, enabling users with insufficient security awareness to actively improve operating system security and helping administrators reduce the workload of LAN security.


See details in Patch Detection Rule.

3.9.5.2 Network Security

3.9.5.2.1 Anti-DoS

A DoS attack (denial of service attack) is usually aimed at consuming server-side resources and forcing the service to stop responding, by forging request data that exceeds the server's processing capacity. The Anti-DoS function of the Sangfor device can prevent DoS attacks on the LAN from the external network and prevent DoS attacks initiated from the LAN by infected hosts or attack tools.

The LAN DoS attack protection of the IAG only inspects traffic in the direction of the LAN port.

The configuration interface is as follows:


Enabled: the switch to enable Anti-DoS. There are three detection methods, namely SYN flooding, UDP flooding, and ICMP flooding.

SYN flooding: TCP SYN flooding occurs at the fourth layer of OSI and exploits the TCP three-way handshake. The attacker sends a TCP SYN, the first packet of the handshake. When the server returns a SYN-ACK, the attacker never acknowledges it, leaving the TCP connection in a suspended, half-open state. If the server does not receive the final acknowledgment, it repeatedly retransmits the SYN-ACK, wasting further server resources. The attacker opens a large number of such TCP connections to the server; since none of them completes the three-way handshake, these half-open connections consume CPU and memory on the server, and the server may crash and be unable to serve normal users.


UDP flooding: The attacker sends a large number of UDP packets to the
server, and the server sends a large number of replies.

ICMP flooding: The attacker sends packets whose source IP address is the attacker's IP address and whose destination IP address is the broadcast address of the network segment where the attacker is located, so that a large number of ICMP echo replies are sent to the attacker.

Never block the internal IP below: Do not perform DoS defense on the IP addresses in this list. For example, if the intranet has a server that provides services to the public network and therefore handles many public connections, it is recommended to exclude the server's address so that it is not considered an attacker by DoS defense.

Advanced

LAN subnets: The LAN subnets are the LAN segments that access the Internet through the device. Users not in the list are treated as attackers by default. When this option is enabled, data from users not in the list is blocked, and users in the list are blocked only if an attack is detected.

Block for (minutes): Sets how long, in minutes, the attacking host is blocked after the device detects an attack.

Select Give Alert to enable mail alert. For details, see System Management →
System Configuration → Alarm Option.

Click Commit to save the configuration.
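How the Anti-DoS options above combine (half-open SYN counting, LAN subnets, Never block the internal IP below, Block for (minutes)), as an added Python illustration that is not the IAG's implementation; the threshold of 100 half-open connections per source is an assumed value because the page gives none, and the sample traffic is constructed.

```python
"""Added illustration of the Anti-DoS policy: SYN-flood detection by half-open
connection count, LAN subnets, excluded internal IPs, and block duration.
Not Sangfor code; the SYN threshold is an assumed value."""
import ipaddress
from collections import defaultdict


class AntiDos:
    def __init__(self, lan_subnets, never_block=(), syn_threshold=100, block_minutes=10):
        self.lan_subnets = [ipaddress.ip_network(n) for n in lan_subnets]
        self.never_block = set(never_block)      # "Never block the internal IP below"
        self.syn_threshold = syn_threshold       # half-open connections per source (assumed)
        self.block_s = block_minutes * 60        # "Block for (minutes)"

    def in_lan(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.lan_subnets)

    def process(self, events):
        """events: (time_s, src, dst, sport, flag) seen on the LAN port, time-ordered.
        Returns {src: (reason, blocked_until_s)} for every source the policy blocks."""
        half_open = defaultdict(set)   # src -> {(dst, sport)} still awaiting the client's ACK
        blocks = {}
        for t, src, dst, sport, flag in events:
            if src in blocks and t < blocks[src][1]:
                continue               # still inside its block period: traffic is dropped
            if not self.in_lan(src):   # sources outside LAN subnets are treated as attackers
                blocks[src] = ("outside LAN subnets", t + self.block_s)
                continue
            if flag == "SYN":
                half_open[src].add((dst, sport))
            elif flag == "ACK":        # third handshake packet completes the connection
                half_open[src].discard((dst, sport))
            if len(half_open[src]) >= self.syn_threshold and src not in self.never_block:
                blocks[src] = ("SYN flood", t + self.block_s)
                half_open[src].clear()
        return blocks


def sample_events():
    """Constructed traffic: a normal client, a flooding host, a busy excluded
    server, and one source outside the LAN subnets (all addresses made up)."""
    ev, t = [], 0.0
    for port in range(40000, 40005):          # normal client completes every handshake
        ev.append((t, "10.1.9.10", "10.1.9.1", port, "SYN"))
        ev.append((t + 0.01, "10.1.9.10", "10.1.9.1", port, "ACK"))
        t += 0.1
    for port in range(50000, 50120):          # 120 SYNs that are never acknowledged
        ev.append((t, "10.1.9.77", "10.1.9.1", port, "SYN"))
        t += 0.001
    for port in range(51000, 51150):          # public-facing server with many pending connections
        ev.append((t, "10.1.9.250", "10.1.9.1", port, "SYN"))
        t += 0.001
    ev.append((t, "203.0.113.5", "10.1.9.1", 60000, "SYN"))   # not in any LAN subnet
    return ev


if __name__ == "__main__":
    policy = AntiDos(lan_subnets=["10.1.9.0/24"], never_block=["10.1.9.250"])
    for src, (reason, until) in policy.process(sample_events()).items():
        print(f"{src}: blocked ({reason}) until t={until:.3f}s")
```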


3.9.5.2.2 ARP Protection

ARP spoofing is a common LAN virus behavior. An infected computer sends spoofed ARP broadcast packets to the LAN at irregular intervals, which interferes with and damages the normal communication of LAN machines. In severe cases, the entire network is disconnected.

The device realizes the ARP Protection by cooperating with the access client of
the LAN PC.

The device protects the ARP cache by refusing ARP requests or replies with
attack features to achieve its own immunity.

If the access control user of the device is bound to the IP/MAC, the bound
IP/MAC information will prevail in the device.

The LAN PC executes the ARP Protection through cooperation with the access
client. After the access client is installed, the access client communicates with
the device to obtain the correct IP/MAC relationship between the device and
the gateway and perform the static binding.

The configuration interface is as below:


Enable ARP Protection: It is the master switch that enables ARP protection.

Enable static ARP: If the gateway of the LAN PC is not the interface address of
the device, it needs to be set here. For example, if the device uses the bridge
mode, the gateway address of the LAN PC should be the interface address of
the front router (or firewall). Then we can fill the interface IP/MAC of the front
router into the box below. Suppose the LAN PC is installed with the access
client. In that case, it can obtain the correct gateway IP/MAC for binding, which
will ensure the correct IP/MAC of the PC gateway and regular communication
between the PC and the gateway.

MAC Broadcast Interval (sec): Set the interval for the broadcast gateway (that
is, the LAN interface of the device) MAC. The recommended interval is 10
seconds.

Select Give Alert to enable mail alert. For details, see System Management → System Configuration → Alarm Option.

Click Commit to save the configuration.

3.9.5.2.3 Malicious URLs

Based on the Sangfor Cloud Engine and multi-malware detection mechanism, comprehensive judgment can be made using static detection, dynamic sandbox, taint checking, manual analysis, and other technologies. It identifies malicious URLs in real-time to protect user services from impacts, including phishing and malicious websites, vulnerability exploitation, mining pages, malicious jumps, cross-site scripting attacks, and virus files.

Check Enable Malicious URL Detection to enable the function.

Excluded Addresses: IP addresses that do not need to be detected and can be added to the whitelist.

Excluded Websites: Websites that do not need to be detected and can be added to the whitelist.


Action: Select the Give alert (combination with the System Management -
System Configuration - Alarm Option) and Block access to malicious URL.

3.9.5.2.4 SAVE Antivirus

SAVE (Sangfor AI-based Vanguard Engine) combines various machine learning algorithms such as deep learning and incorporates integrated learning to make full use of the detection advantages of each algorithm. It can capture effective file information quickly and accurately. The detection rate for ransomware reaches the industry-leading level. In addition, through the continuous convergence of Sangfor Neural-X, EDR, and AF products to analyze hot threats, the SAVE AI security detection engine can evolve in time to improve detection capabilities and cover the latest viruses.

SAVE antivirus is mainly for virus scanning and removal of the data passing through the device to protect the security of LAN computers. The device can perform virus scanning and removal under four common protocols: HTTP, FTP, POP3, and SMTP. The device has a built-in SAVE engine developed by Sangfor, which has a high virus recognition rate and high scanning and removal efficiency. Although it is not a traditional rule base, the SAVE engine is still updated like a rule base to keep the familiar update routine. The current update cycle is two months.

The SAVE antivirus settings interface includes the antivirus switches for the four protocols, websites that do not need antivirus scanning, and the file whitelist.

The Settings interface is as shown below:


Protect HTTP download against virus, Protect FTP download against virus,
Protect POP3/IMAP against virus and Protect SMTP against virus are used
to enable the antivirus switches for these four protocols.

Excluded Websites (URL): Specify websites whose access data does not need antivirus scanning. The input is in URL format; wildcards are supported, one entry per row.

Enable file whitelist: To define files that do not require antivirus.

Action: Check the "Give alert" and use it with the Alarm Option. For details, see
System Management, System Configuration, Alarm Option.

Click Commit to save the configuration.


Antivirus Database Update page:

Update Service Expires On: It displays the expiration date of the automatic update service for SAVE antivirus. Before that date, the device automatically connects to the server of Sangfor Technologies Inc. to update the Antivirus Database.

Antivirus Database Release On: It displays the current date of the Antivirus
Database.

Upload Antivirus Database: Manually import the downloaded Antivirus Database file into the device and complete the Antivirus Database update. Click Browse to select the SAVE engine model file to be imported and complete the Antivirus Database update.

3.9.6 Endpoint Reminder Policy

The endpoint reminder policy is the function of reminding users about online behavior. This function periodically redirects HTTP traffic to a specified announcement page so that the announcement is delivered to the end user through the browser. The administrator can configure the endpoint reminder policy to push the announcement page to online users.

Configuration Steps:

Step 1. In Endpoint Mgt/Reminder Policy, click Add to select a reminder policy.


Step 2. Click to enable the policy and fill in the policy name and description. The policy name is the unique identifier of the policy; it is required and cannot be duplicated. The description is an optional summary of the policy.

Step 3. Click Option to enter the policy setting page, check the announcement
page, and set the corresponding terminal reminder policy.

Remind: You can choose to push the announcement page at regular intervals or at a fixed time every day.

Every (min): Set the time interval. The range is 1-1440.

Every day at (hh:mm:ss): Push the announcement page at the set time.

Bulletin Board (need to ensure that users can access the page normally)

⚫ Use predefined bulletin board: The specific settings of the built-in announcement content need to be made in System/General/Custom Web Page.


⚫ Use external announcement page: Set the URL of a custom page in URL,
and you can directly link to the announcement page you need by way of URL.

Step 4. Click Object to configure applicable groups and users. The user
groups and users selected here will fully match this terminal reminder policy.

Step 5. Click Advanced to configure the policy expiration date, the privileges of administrators in the same role, and view privilege for administrators in a lower-level role.

Step 6. Click Commit to complete the configuration.

Step 7. When the user visits an HTTP website at the configured reminder interval, the prompt page appears.

3.9.7 Endpoint Connection Control Case Study

3.9.7.1 Connection Sharing Case Study

Scenario

Telecom provides schools with basic broadband access equipment and has formulated management regulations stipulating that students cannot use telecom campus accounts to share Internet access. As long as students use a proxy or private proxy tools, high-privileged users can act as low-privileged users to access the Internet, and the management system is useless.

Some management devices disable proxies by installing controls and blocking processes, which is extremely inconvenient; the anti-proxy function of IAG can disable endpoints' use of intranet proxies without plug-ins.

Configuration Steps

Step 1. In the Endpoint Mgt/Endpoint Connection Control/Connection Sharing page of the navigation menu, enter the configuration page of connection sharing and select Enable connection sharing detection.

Step 2. On the connection sharing options page, click Settings and select the statistics method to count all endpoints. Set the number of endpoints to 2 or more, and lock the user for 30 minutes.

Endpoints: Select All to identify sharing between PC and PC, PC and mobile terminal, and mobile terminal and mobile terminal.

What Would You Like to Lock: Select Lock IP address; only one user is allowed online per IP address.

Step 3. Verification method:


⚫ After the PC is connected to the network, the IP address is automatically obtained through DHCP. The test account is used to pass the IAG platform authentication, and it can go online normally.

⚫ Install 360 computer WIFI on the PC, start 360WIFI, and release the hotspot.

⚫ The mobile phone connects to the SSID sent by the PC, and the proxy can
go online.

⚫ Use the browser on the PC to access the webpage and use the WeChat and
other App applications on the mobile phone. After some time, the two
terminals are detected as shared Internet access.

Allow exception if: the number of PC endpoints on a single IP address is 1 and the number of mobile endpoints is 1. This means that sharing Internet access between one computer and one mobile terminal is allowed, while shared access by two PCs or two mobile terminals is blocked.

Step 4. Effect.

When mobile phone one and mobile phone two access the Internet through the proxy, within 5 minutes (about 1 minute in the fastest test) a web page appears showing that the device's anti-sharing function has blocked access, and the connection sharing management page recognizes the mobile phone and endpoint types. The page shown on the mobile phone is as follows.
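The lockout decision described under the Connection Sharing options (Endpoints, Lockout Options, Allow exception if, Excluded Users) and applied in this case study (2 endpoints, 30-minute lock, 1 PC + 1 mobile exception), as an added Python illustration that is not Sangfor code; the observations, IP addresses and user names are constructed.

```python
"""Added illustration of the connection-sharing lockout decision.
Not Sangfor code; sample data is constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: distinct endpoints the gateway attributed to each source IP
# by traffic characteristics, as (source IP, authenticated user, endpoint type).
OBSERVED = [
    ("10.1.8.21", "student01", "pc"),
    ("10.1.8.21", "student01", "mobile"),   # 1 PC + 1 phone: the allowed exception
    ("10.1.8.22", "student02", "pc"),
    ("10.1.8.22", "student02", "pc"),       # 2 PCs behind one IP
    ("10.1.8.23", "student03", "pc"),
    ("10.1.8.23", "student03", "mobile"),
    ("10.1.8.23", "student03", "mobile"),   # 1 PC + 2 phones
    ("10.1.8.30", "lab-kiosk", "pc"),
    ("10.1.8.30", "lab-kiosk", "pc"),       # account placed on the Excluded Users list
]


@dataclass(frozen=True)
class SharingPolicy:
    max_endpoints: int = 2          # lock when this many endpoints share one IP
    lock_minutes: int = 30          # lockout period from the case study
    endpoints: str = "all"          # "all" or "pcs": the Endpoints option
    exception: tuple = (1, 1)       # Allow exception if: (PCs, mobile) per IP; None = off
    excluded_ips: frozenset = frozenset()
    excluded_users: frozenset = frozenset()

    def count_endpoints(self, ip, observed):
        """Endpoints seen behind `ip`, by type, within the configured detection scope."""
        counts = Counter(kind for src, _user, kind in observed if src == ip)
        if self.endpoints == "pcs":              # only PC-to-PC sharing is detected
            counts = Counter({"pc": counts["pc"]})
        return counts

    def decide(self, ip, user, observed, now_s):
        """Return (verdict, lock_until_s).  Verdicts:
        excluded - user/IP on the Excluded Users list, never inspected
        ok       - fewer endpoints than the lockout threshold
        recorded - threshold reached but the exception applies: logged, not locked
        locked   - Internet access disabled until lock_until_s (epoch seconds)
        """
        if ip in self.excluded_ips or user in self.excluded_users:
            return "excluded", None
        counts = self.count_endpoints(ip, observed)
        if sum(counts.values()) < self.max_endpoints:
            return "ok", None
        if self.exception is not None:
            pc_limit, mobile_limit = self.exception
            if counts["pc"] <= pc_limit and counts["mobile"] <= mobile_limit:
                return "recorded", None
        return "locked", now_s + self.lock_minutes * 60


def status_list(policy, observed, now_s):
    """Build the Status List: one verdict per source IP seen in `observed`."""
    pairs = sorted({(ip, user) for ip, user, _kind in observed})
    return {ip: policy.decide(ip, user, observed, now_s)[0] for ip, user in pairs}


if __name__ == "__main__":
    policy = SharingPolicy(excluded_users=frozenset({"lab-kiosk"}))
    for ip, verdict in status_list(policy, OBSERVED, now_s=0).items():
        print(ip, verdict)
```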

3.9.7.2 Mobile Endpoint Case Study

Scenario:

Due to the popularity of smart terminals such as tablets and mobile phones, which can only access the Internet over wireless networks, employees may connect wireless APs to the company's wired network, and wireless terminals (such as mobile phones) may then access the company's network through those APs. This may expose the intranet and threaten information security.


Configuration Steps

Step 1. Enter the Endpoint Mgt/Endpoint Connection Control/Mobile Endpoint page in the navigation menu, and check Enable mobile endpoint verification.

Step 2. Click Settings to go to the mobile endpoint management configuration options page.

When the device discovers a mobile endpoint, you can configure it to send alarm emails, lock the mobile terminal's Internet access, and enable the Identify DHCP clients function.

Alarm Options: refer to the chapter on alarm options.

Lock endpoint: You can customize the lockout period.

Enable the Identify DHCP clients: To enhance the ability to identify mobile terminals after they access the network, DHCP-based mobile terminal identification is supported in addition to the original application-based identification, and it requires DHCP protocol data to be mirrored to the device. Configure the mirror port on the interface so that the device can capture packets from the specified network port. Prepare an unused network port as the mirror port in advance.

Step 3. Mobile endpoint management is applied to all users by default. You can select excluded user groups and excluded IPs in the excluded users list.

Step 4. After the configuration is complete, when mobile terminal traffic passes through the IAG, it is recognized and intercepted by the IAG, and the terminal shows the following prompt.

1. DHCP mirror port configuration supports dual-device and multi-device synchronization but does not support BBC configuration delivery.

2. Modifying the DHCP mirror port configuration requires administrator permission (non-administrators have no permission), and the operation is recorded in the administrator operation log.
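DHCP-based endpoint identification as described under Identify DHCP clients (in 3.9.1.2 and in Step 2 above), as an added Python example that is not Sangfor's identification engine: it parses the options of a mirrored DHCP packet and derives the endpoint type shown in the online user list. The vendor-class prefixes and the request-list fingerprint are assumed demonstration values, and the packets are constructed.

```python
"""Added illustration of DHCP client identification from mirrored DHCP traffic.
Not Sangfor code; fingerprints are assumed values and packets are constructed."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_LEN = 236                      # fixed BOOTP header preceding the magic cookie

# Assumed demonstration fingerprints: vendor-class (option 60) prefixes and one
# parameter-request-list (option 55) pattern; a real engine keeps a larger table.
VENDOR_PREFIXES = {"android-dhcp": "Android", "MSFT": "Windows"}
IOS_LIKE_REQUEST_LIST = [1, 121, 3, 6, 15, 119, 252]


def build_discover(mac, options):
    """Construct a minimal DHCPDISCOVER (sample packet, not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return hdr + MAGIC_COOKIE + body + b"\xff"


def parse_options(packet):
    """Return {option_code: raw_bytes}; raise ValueError on malformed input."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 255:                   # End option
            return opts
        if code == 0:                     # Pad option
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        if i + 2 + length > len(packet):
            raise ValueError("truncated option %d" % code)
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("missing End option")


def identify_client(packet):
    """Endpoint record as the online user list shows it: MAC, hostname, type."""
    hlen = packet[2]
    mac = ":".join("%02x" % b for b in packet[28:28 + hlen])
    opts = parse_options(packet)
    vendor = opts.get(60, b"").decode("ascii", "replace")
    request_list = list(opts.get(55, b""))
    kind = "Unknown"
    for prefix, name in VENDOR_PREFIXES.items():
        if vendor.startswith(prefix):
            kind = name
    if kind == "Unknown" and request_list[:len(IOS_LIKE_REQUEST_LIST)] == IOS_LIKE_REQUEST_LIST:
        kind = "iOS"                      # Apple clients usually send no option 60
    return {"mac": mac,
            "hostname": opts.get(12, b"").decode("ascii", "replace"),
            "msg_type": opts.get(53, b"\0")[0],
            "vendor_class": vendor,
            "type": kind}


# Constructed sample packets (MAC addresses and hostnames made up)
ANDROID_DISCOVER = build_discover(bytes.fromhex("3c5ab4aabbcc"), [
    (53, b"\x01"), (12, b"Pixel-5"), (60, b"android-dhcp-11"),
    (55, bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43]))])
IOS_DISCOVER = build_discover(bytes.fromhex("f0d1a9112233"), [
    (53, b"\x01"), (12, b"iPhone"), (55, bytes(IOS_LIKE_REQUEST_LIST))])
WINDOWS_DISCOVER = build_discover(bytes.fromhex("001122334455"), [
    (53, b"\x01"), (12, b"DESKTOP-01"), (60, b"MSFT 5.0"),
    (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))])

if __name__ == "__main__":
    for pkt in (ANDROID_DISCOVER, IOS_DISCOVER, WINDOWS_DISCOVER):
        print(identify_client(pkt))
```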

3.10 Internet Security

Internet security provides security protection for Internet access in content security, terminal security, and network security. It includes leak detection, Malware detection, terminal monitoring and response, patch detection, anti-inside DOS attack, anti-ARP spoofing, malicious URL, and SAVE anti-virus.

It provides three-dimensional overall network security services. The interface consists of two modules: Security Events and Security Configuration.

3.10.1 Security Events


The Security Events page displays the insecure behaviors detected by the device
and analyzes the affected users and security events. If you have access to
Sangfor Neural-X, you can also see the hot events. The interface is as follows:


Users: Infected user is in red, and the user likely infected is in orange.

Security Event: Display Botnet, Malicious URL, Inside Dos Attack, and Virus.

Hot Events: Connects to Sangfor Neural-X to get the top 10 security events. If
an event occurs, the cloud diagram turns red, and the user can click it to
check the details.

Filter: You can filter the type of security event.

Block: You can block a user by entering the username or IP address.

Information List: You can check the exact user and security event here.

Users: Click on the user name to enter the user tab. You can see the specific
occurrence time, description, data packets, risk information, and details.


Endpoint correlation with Sangfor Endpoint Secure products is also available.
After correlation with Endpoint Secure, risky users can be blocked based on the
deeper analysis performed by Endpoint Secure.

Security Events:

Click the Journal to link to Security Event Details, and check the data packet,
threat information, and details.

3.10.2 Security Configuration

3.10.2.1 Security Capabilities


The Security Capabilities consists of three parts: Capability Diagram,
Overview, and Update Calendar.

3.10.2.1.1 Capability Diagram

Users can have an overall understanding of the security capabilities of the
device with the security capability topology.

The device will be linked to Neural-X to build a three-dimensional threat
protection system. After accessing Sangfor Neural-X, you can get multi-source,
massive threat intelligence, Sangfor Engine Zero, Signature Database Plus
Experience, real-time cloud detection, big data smart analysis and detection,
and real-time cloud correlation. Combined with the devices, it provides
three-dimensional security services covering terminal security, content
security, and network security.


In the figure, an enabled function is shown in the green selected state, and a
disabled function in the grey unselected state. In either case, users can open
the corresponding configuration page by clicking on the function.

3.10.2.1.2 Overview

The Overview consists of three parts: Update Overview, Update and Top 10
Hot Events.


Update Overview: Outlines the security capabilities of the device.

Shortest minutes: The shortest time, among all new threats in the last month,
from the outbreak of a threat to the device obtaining the detection and defense
capability update for it.

Scans in Cloud: The average number of daily cloud scans in the last month after
the device is linked to Neural-X.

Security Events: The number of security events in the last month.

Updates: The security capability cloud update trend in the last month.

Top 10 Hot Events: The top 10 hot events on the network.

3.10.2.1.3 Update Calendar

If the display of last month's security capability shows 0 updates, the device
was not connected to Neural-X and did not update during that time. When you
hover the mouse over an update entry, it displays the specific update content
and update amount, including the URL rule base, malicious URL rule base,
application identification rule base, Malware rule base, and hot event updates.
It shows the updates and their quantity for that day.

3.10.2.2 Security Configuration

The configuration page of the Internet security module.

3.10.2.2.1 All Terminal Security

Three parts are included: Malware Detection, End Secure (EDR), and Patch
Check.

3.10.2.2.1.1 Malware Detection

Sangfor Malware Detection combines botnet behavior analysis and feature
recognition to identify and block malware suspected of containing Trojans in
the LAN security domain. It has built-in cloud security detection technology:
unknown risks are reported to the cloud virtual sandbox for execution, and the
analysis report is released, effectively preventing hosts from accessing
malicious URLs.


Select Enabled to enable the function.

Excluded Addresses: IP addresses that do not need to be detected; they can be
added to the whitelist.

Excluded Websites: Websites that do not need to be detected; they can be added
to the whitelist.

Action: You can choose Give Alert (used together with System Management -
System Configuration - Alarm Option), Block access to malicious URL, or Block
source IP.


3.10.2.2.1.2 End Secure (EDR)

As an endpoint detection and response platform and a lightweight endpoint
management platform solution, Sangfor Endpoint Secure provides constant
detection of endpoint threats and the response option of isolating threat
events with one click. Sangfor Endpoint Secure, with correlated response in
combination with NGAF, IAG, and Cyber Command products, constitutes the new
generation of security protection system.

This function applies to scenarios already using Endpoint Secure products.

In the endpoint deployment of Endpoint Secure, Correlation to Sangfor IAG is
added. See the picture below:

On the IAG's Endpoint Detection and Response (EDR) page, enter the IP address
of the Endpoint Secure platform to connect to the platform.

After the connection is completed:

This page displays Endpoint Secure's service information, the number of
connected endpoints, and correlated actions.


Click Go to EDR management platform to go to the management platform of
Endpoint Secure.

Click View Correlation Details to go to the details page of the correlated
endpoint.


Click Push Configuration to enable this function and configure the Applicable
Object of this policy. This pushes a reminder web page for deploying the
Endpoint Secure client to endpoints within the applicable scope, helping
promote the Endpoint Secure client on the LAN.

Enable Push Configuration: This function is disabled by default. Enable it on
demand.

Applicable Object: The applicable LAN IP addresses or IP segments.

Redirection URL: For generating, copying, and adding Endpoint Secure devices.

Connection configuration for Endpoint Secure EDR.

Interval(s): Defines the interval for pushing the web page to clients that do
not have the agent installed. The default is 300 s.


For endpoints within the applicable address scope that do not have the agent
installed, the timed redirection page is as follows:

Upon receiving this redirection page, download the installation package for
the client's operating system and complete the installation.

Redirection is supported only for access to HTTP web pages.

Click Disconnect from EDR to disconnect the correlation between the device
and Endpoint Secure.

3.10.2.2.1.3 Patch Check

The Windows patch detection function detects patches that are not currently
installed on the client computer and prompts for patch updates in time,
enabling users with insufficient security awareness to actively improve the
security of their operating system and helping administrators reduce the
workload of LAN security.

See details in Patch Detection Rule.

3.10.2.2.2 Network Security

3.10.2.2.2.1 Anti-DoS

A DoS attack (denial of service attack) aims to consume server-side resources
and force the service to stop responding. The attacker forges request data
that exceeds the server's processing power, so that requests from normal users
cannot be answered. The Anti-DoS function of the Sangfor device can prevent
DoS attacks launched from the LAN toward the external network, whether caused
by infected LAN hosts or by attack tools.

The LAN DOS attack function of the IAG only focuses on the direction of the
LAN port.

The configuration interface is as follows:


Enabled: Click to enable Anti-DoS. There are three detection methods: SYN
flooding, UDP flooding, and ICMP flooding.

SYN flooding: TCP SYN flooding occurs at layer 4 of the OSI model and exploits
the TCP three-way handshake. The attacker sends a TCP SYN, the first packet of
the handshake. When the server returns a SYN-ACK, the attacker never sends the
final ACK, so the TCP connection stays in a suspended, half-open state. Because
the server receives no confirmation, it repeatedly retransmits the SYN-ACK to
the attacker, wasting further server resources. The attacker opens a very
large number of such connections; since none of them completes the handshake,
the half-open connections consume CPU and memory on the server, which may
crash and stop serving normal users.

UDP flooding: The attacker sends a large number of UDP packets to the server,
and the server sends a large number of replies.


ICMP flooding: The attacker sends packets whose source IP address is the
attacker's IP address and whose destination IP address is the broadcast address
of the network segment where the attacker is located, so that a large number
of ICMP echo replies are sent to the attacker.

Never block the internal IP below: DoS defense is not performed on the IP
addresses in this list. For example, if the intranet has a server that
provides services to the public network and therefore maintains many
connections with it, it is recommended to exclude the server's address so that
it is not treated as an attacker by DoS defense.

Advanced

LAN subnets: The LAN segments that access the Internet through the device.
When enabled, data from users not in the list will be blocked, and users in
the list will be blocked if an attack is detected.

Block for (minutes): Sets the blocking time of the attacking host after the
device detects the attack in the unit of a minute.

Select Give Alert to enable mail alert. For details, see System Management →
System Configuration → Alarm Option.

Click Commit to save the configuration.
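The following Python script is an added example, not part of the Sangfor manual or product. It models the Anti-DoS options above (LAN subnets, Never block the internal IP below, Block for (minutes)) as a SYN flood detector run over constructed traffic: unanswered SYNs per source are counted in a sliding window, exempt addresses are skipped, sources outside the LAN subnets are dropped, and an offending source is blocked for the configured number of minutes. The threshold, the window length, the class names and all addresses are assumptions.

```python
"""Anti-DoS half-open (SYN flood) detection, modelled on the options above.

Added example, not Sangfor code. A LAN-side detector counts unanswered SYNs
per source in a sliding window; sources in the "never block" list are exempt,
sources outside the configured LAN subnets are dropped outright, and a source
that exceeds the threshold is blocked for "Block for (minutes)". The threshold,
the window, and all addresses and timestamps are constructed for illustration.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AntiDosConfig:
    lan_subnets: list              # LAN segments that reach the Internet via the device
    never_block: set               # internal IPs excluded from DoS defence
    syn_threshold: int = 100       # half-open SYNs per source per window (assumed)
    window_seconds: float = 10.0   # sliding window length (assumed)
    block_minutes: int = 30        # "Block for (minutes)"


class SynFloodDetector:
    def __init__(self, cfg):
        self.cfg = cfg
        self._nets = [ipaddress.ip_network(n) for n in cfg.lan_subnets]
        self._half_open = defaultdict(deque)  # src IP -> timestamps of unanswered SYNs
        self.blocked_until = {}               # src IP -> time (s) when the block expires
        self.alerts = []                      # text of each "Give Alert" event

    def _in_lan(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)

    def observe(self, ts, src, flag):
        """Feed one TCP segment seen on the LAN port.

        flag is "SYN" for a client SYN or "ACK" for the handshake-completing ACK.
        Returns "dropped" (source not in LAN subnets), "blocked" (threshold just
        exceeded) or None.
        """
        if not self._in_lan(src):
            return "dropped"
        if src in self.cfg.never_block:
            return None
        pending = self._half_open[src]
        if flag == "ACK":
            if pending:
                pending.popleft()             # one pending handshake completed
            return None
        pending.append(ts)
        while pending and ts - pending[0] > self.cfg.window_seconds:
            pending.popleft()                 # forget SYNs outside the window
        if len(pending) >= self.cfg.syn_threshold and src not in self.blocked_until:
            self.blocked_until[src] = ts + self.cfg.block_minutes * 60
            self.alerts.append(f"{src}: {len(pending)} half-open connections "
                               f"in {self.cfg.window_seconds}s, blocked")
            return "blocked"
        return None

    def is_blocked(self, ts, src):
        """True while the block on src is in force; an expired block is lifted."""
        expires = self.blocked_until.get(src)
        if expires is None:
            return False
        if ts >= expires:
            del self.blocked_until[src]
            return False
        return True


def run_demo():
    """Replay constructed traffic: an attacker, an exempt public server, a normal host."""
    cfg = AntiDosConfig(lan_subnets=["192.168.1.0/24"], never_block={"192.168.1.10"})
    det = SynFloodDetector(cfg)
    t0 = 1000.0
    for i in range(150):                      # attacker: SYNs that are never completed
        det.observe(t0 + i * 0.01, "192.168.1.50", "SYN")
    for i in range(200):                      # public server: many SYNs, but exempt
        det.observe(t0 + i * 0.01, "192.168.1.10", "SYN")
    for i in range(30):                       # normal host: every handshake completes
        det.observe(t0 + i, "192.168.1.20", "SYN")
        det.observe(t0 + i + 0.1, "192.168.1.20", "ACK")
    return det


if __name__ == "__main__":
    print("\n".join(run_demo().alerts))
```

Running the script prints one alert, for 192.168.1.50 only: the exempt server generates more SYNs but is never counted, and the normal host is never above the threshold because each of its handshakes completes. The block is lifted automatically once the configured minutes have elapsed.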

3.10.2.2.2.2 ARP Protection

ARP spoofing is a common LAN virus. A computer infected with this virus
irregularly sends spoofed ARP broadcast packets to the LAN, which interfere
with and damage the normal communication of LAN machines. In severe cases, the
entire network is disconnected.

The device realizes the ARP Protection by cooperating with the access client of
the LAN PC.

The device protects the ARP cache by refusing ARP requests or replies with
attack features to achieve its immunity.

If the access control user of the device is bound to the IP/MAC, the bound
IP/MAC information will prevail in the device.

The LAN PC executes the ARP Protection through cooperation with the access
client. After the access client is installed, the access client communicates with
the device to obtain the correct IP/MAC relationship between the device and
the gateway and perform the static binding.

The configuration interface is as below:


Enable ARP Protection: It is the master switch that enables ARP protection.

Enable static ARP: If the gateway of the LAN PC is not the interface address of
the device, it needs to be set here. For example, if the device uses the bridge
mode, the gateway address of the LAN PC should be the interface address of
the front router (or firewall). Then we can fill the interface IP/MAC of the front
router into the box below. If the LAN PC is installed with the access client, it can
obtain the correct gateway IP/MAC for binding, which will ensure the correct
IP/MAC of the PC gateway and normal communication between the PC and the
gateway.

MAC Broadcast Interval (sec): Set the interval for the broadcast gateway (that
is, the LAN interface of the device) MAC. The recommended interval is 10
seconds.

Select Give Alert to enable mail alert. For details, see System
Management→System Configuration→Alarm Option.

Click Commit to save the configuration.
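The following Python script is an added example, not part of the Sangfor manual or product. It models the behavior described in this section: ARP replies whose sender IP/MAC pair contradicts a bound entry are refused, an access-control user's IP/MAC binding prevails over the static gateway table, and the gateway MAC is re-announced at the configured broadcast interval. The class names, the packet fields and all addresses are constructed for illustration.

```python
"""ARP reply validation against static IP/MAC bindings.

Added example, not Sangfor code. It models the behaviour the section describes:
ARP packets whose sender IP/MAC pair contradicts a bound entry are refused,
an access-control user's IP/MAC binding prevails over the static gateway table,
and the gateway MAC is re-announced at a fixed interval so LAN PCs keep the
correct binding. All addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str  # "00:00:00:00:00:00" in a request


@dataclass
class ArpProtector:
    static_gateways: dict            # gateway IP -> MAC ("Enable static ARP")
    user_bindings: dict              # access-control user IP -> bound MAC
    broadcast_interval: int = 10     # "MAC Broadcast Interval (sec)", recommended 10
    cache: dict = field(default_factory=dict)     # IP -> MAC accepted so far
    rejected: list = field(default_factory=list)  # (ip, claimed_mac, expected_mac)

    def expected_mac(self, ip):
        """Bound MAC for ip, or None if nothing is bound. User bindings prevail."""
        if ip in self.user_bindings:
            return self.user_bindings[ip].lower()
        mac = self.static_gateways.get(ip)
        return mac.lower() if mac else None

    def inspect(self, pkt):
        """Return True if pkt may update the cache, False if it is refused."""
        claimed = pkt.sender_mac.lower()
        expected = self.expected_mac(pkt.sender_ip)
        if expected is not None and claimed != expected:
            # attack feature: a different MAC claims a bound IP address
            self.rejected.append((pkt.sender_ip, claimed, expected))
            return False
        gateway_macs = {m.lower() for m in self.static_gateways.values()}
        if claimed in gateway_macs and pkt.sender_ip not in self.static_gateways:
            # attack feature: an unbound IP claims the gateway's MAC
            self.rejected.append((pkt.sender_ip, claimed, None))
            return False
        self.cache[pkt.sender_ip] = claimed
        return True

    def broadcast_schedule(self, duration_sec):
        """Offsets (s) at which the gateway MAC announcement is broadcast."""
        return list(range(0, duration_sec, self.broadcast_interval))


def run_demo():
    """Inspect five constructed ARP packets against constructed bindings."""
    prot = ArpProtector(static_gateways={"192.168.1.1": "00:11:22:33:44:55"},
                        user_bindings={"192.168.1.20": "aa:bb:cc:dd:ee:20"})
    packets = [
        # genuine gateway reply
        ArpPacket("reply", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.30", "aa:bb:cc:dd:ee:30"),
        # spoofed reply: another MAC claims the gateway IP
        ArpPacket("reply", "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.30", "aa:bb:cc:dd:ee:30"),
        # ordinary request from an unbound host
        ArpPacket("request", "192.168.1.30", "aa:bb:cc:dd:ee:30", "192.168.1.1", "00:00:00:00:00:00"),
        # spoofed reply: another MAC claims a user's bound IP
        ArpPacket("reply", "192.168.1.20", "de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:55"),
        # spoofed reply: an unbound IP claims the gateway MAC
        ArpPacket("reply", "192.168.1.40", "00:11:22:33:44:55", "192.168.1.30", "aa:bb:cc:dd:ee:30"),
    ]
    return prot, [prot.inspect(p) for p in packets]


if __name__ == "__main__":
    prot, results = run_demo()
    print(results, prot.rejected, prot.broadcast_schedule(60))
```

Only the genuine gateway reply and the unbound host's request reach the cache; the three spoofed packets are recorded in `rejected` with the MAC that was expected, which is the information an alarm email would carry.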

3.10.2.2.2.3 Malicious URLs

Based on the Sangfor Cloud Engine and a multi-malware detection mechanism, a
comprehensive judgment is made using static detection, dynamic sandboxing,
taint checking, manual analysis, and other technologies. Malicious URLs are
identified in real time, mainly including phishing and malicious websites,
vulnerability exploitation, mining pages, malicious redirects, cross-site
scripting attacks, and virus files, to protect user services from impact.

Select Enable Malicious URL Detection.

Excluded Addresses: IP addresses that do not need to be detected; they can be
added to the whitelist.

Excluded Websites: Websites that do not need to be detected; they can be added
to the whitelist.

Action: Select Give alert (used together with System Management > System
Configuration > Alarm Option) and Block access to malicious URL.

3.10.2.2.2.4 SAVE Antivirus

SAVE (Sangfor AI-based Vanguard Engine) combines various machine learning
algorithms, such as deep learning, and incorporates ensemble learning to make
full use of the detection advantages of each algorithm. It can capture
effective file information quickly and accurately, and its detection rate for
ransomware reaches the industry-leading level. In addition, by continuously
converging the analysis of hot threats from Sangfor Neural-X, EDR, and AF
products, the SAVE AI security detection engine evolves in time to improve its
detection capabilities and cover the latest viruses.

SAVE antivirus scans and removes viruses from the data passing through the
device to protect the security of LAN computers. The device can perform virus
scanning and removal under four common protocols: HTTP, FTP, POP3, and SMTP.
The device has a built-in SAVE engine developed by Sangfor, with a high virus
recognition rate and high scanning and removal efficiency. Although the SAVE
engine is not a traditional rule base, its updates are still delivered as
database updates to keep the familiar update practice. The current update
cycle is two months.

The SAVE antivirus settings interface includes the antivirus switches for the
four protocols, the excluded websites that need no antivirus scanning, and the
file whitelist.

The Settings interface is as shown below:


Protect HTTP download against virus, Protect FTP download against virus,
Protect POP3/IMAP against virus and Protect SMTP against virus are used
to enable the antivirus switches for these four protocols.

Excluded Websites (URL): Set the access data to particular websites with no
need for antivirus. The input is in URL format, supporting the wildcard and one
entry per row.

Enable file whitelist: To define files that do not require antivirus.

Action: Check the Give alert and use it with the Alarm Option. For details, see
System Management, System Configuration, and Alarm Option.

Click Commit to save the configuration.
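The following Python script is an added example, not part of the Sangfor manual or product. It serves both the Excluded Websites list of the Malicious URL section and the Excluded Websites (URL) list of SAVE Antivirus: each row is a host, a host with a path, or a full URL, `*` is a wildcard, and a URL that matches a row is skipped by detection. The product's exact matching semantics are not described in the manual, so the matcher is an assumed reading of "URL format, supporting the wildcard, one entry per row"; the sample rows and URLs are constructed.

```python
"""Excluded Websites (URL) matching with wildcards, one entry per row.

Added example, not Sangfor code, for the Excluded Websites lists of the
Malicious URL and SAVE Antivirus sections. Each row is a host, a host with a
path, or a full URL; '*' is a wildcard. A URL that matches a row is skipped by
detection. This is an assumed reading of "URL format, supporting the wildcard";
the sample rows are constructed.
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed exclusion list, one entry per row as the settings page expects.
SAMPLE_EXCLUSIONS = """
*.sangfor.com
intranet.example.com
cdn.example.com/static/*
"""


def _host_and_path(entry):
    """Split a row or URL into (lower-cased host, path); a missing path is '/'."""
    text = entry.strip()
    if "://" not in text:
        text = "http://" + text          # urlsplit needs a scheme to find the host
    parts = urlsplit(text)
    return (parts.hostname or "").lower(), parts.path or "/"


def parse_exclusions(text):
    """Return [(host_pattern, path_pattern), ...] for every non-blank row."""
    return [_host_and_path(line) for line in text.splitlines() if line.strip()]


def is_excluded(url, rules):
    """True when the URL's host matches a row; a row with a path also needs a path match.

    fnmatchcase is used so that '*' works as a shell-style wildcard; the port and
    query string of the URL are ignored, matching is on host and path only.
    """
    host, path = _host_and_path(url)
    for host_pat, path_pat in rules:
        if not fnmatch.fnmatchcase(host, host_pat):
            continue
        if path_pat == "/" or fnmatch.fnmatchcase(path, path_pat):
            return True
    return False


def urls_to_scan(urls, rules):
    """Everything that is not excluded still goes to malicious URL / SAVE scanning."""
    return [u for u in urls if not is_excluded(u, rules)]


if __name__ == "__main__":
    rules = parse_exclusions(SAMPLE_EXCLUSIONS)
    sample = ["https://www.sangfor.com/en/about-us",
              "https://cdn.example.com/upload/x.exe"]
    print(urls_to_scan(sample, rules))
```

Note that a row such as `*.sangfor.com` matches sub-domains but not the bare `sangfor.com`; if the bare domain should also be excluded it needs its own row. This is the usual shell-wildcard behavior and a reason to review the list after adding entries.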

Antivirus Database Update page:


Update Service Expires On: Displays the expiration date of the automatic
update service for SAVE antivirus. Before this date, the device automatically
connects to the Sangfor Technologies Inc. server to update the Antivirus
Database.

Antivirus Database Release On: Displays the release date of the current
Antivirus Database.

Upload Antivirus Database: Manually import a downloaded Antivirus Database
file into the device to complete the Antivirus Database update. Click Browse
to select the SAVE engine model file to import, then complete the Antivirus
Database update.

3.11 System

3.11.1 Object
The objects defined on the Objects page are the basis for the device
to perform online behavior filtering, online behavior audit, and
Bandwidth Management.

Application Signature and Advanced App Signature: All kinds of common online
applications are defined. SANGFOR R&D personnel analyze the data
characteristics and behavior characteristics of common applications and
formulate related rules. Choose Access Mgt > Policies > Add > Access Control,
and then you can reference these two types of objects to control online
applications. Based on the two types of application identification rules, SSL
management, Internet access audit, and terminal reminders can be implemented.


On the Bandwidth Mgt page, traffic control can be performed for different
applications based on the application identification rules. On the Exclusion
Rule page, you can choose not to measure and control the Internet access
duration of some applications based on the application identification results.
The Application Signature can be periodically updated by accessing the SANGFOR
server. SANGFOR will periodically update the Application Signature on the
server for recognizing the latest applications and versions on the Internet.

On the Custom Application page, you can define application rules and set
packet characteristics. If packet capturing and packet characteristics
analysis capabilities are available, related rules can be defined on the
Custom Application page. Generally, you are not advised to define rules, to
avoid application identification errors caused by conflicts with the embedded
application identification rules. Application identification errors will cause
some control and audit functions to fail.

The URL Database contains and classifies common URLs. Specifically, it
contains the embedded URL Database of SANGFOR, the URL Database defined by the
customer, and the intelligent URL identification library. Choose Access Mgt >
Policies > Add > Access Control, and then you can reference this type of
object to control URL access.

You can set Ingress rules on the Ingress Rule Database page,
including detecting the client OS, processes, files, and registries.
Encrypted IM chat contents can be audited through Ingress control.

The Ingress rules set on the Ingress Rule Database page can be referenced on
the page displayed after you choose Access Mgt > Policies > Ingress Policy,
thereby implementing detection and control of client PCs.

On the Services page, you can set network services based on conditions
including port and protocol. You can reference this type of object on the page
displayed after you choose Access Mgt > Policies > Add > Access Control.
Network access data is controlled by detecting the port and protocol of
packets. This type of object can also be referenced on the page displayed
after choosing System > Firewall > Firewall Rules.

On IP Group, you can set IP groups, which can be referenced in setting IP
address-based control. IP groups can be referenced on the page displayed after
you choose Access Mgt > Policies > Add > Access Control, Bandwidth Mgt >
Bandwidth Channel, or System > Firewall > Firewall Rules.

On Schedule, you can set schedules. Most control functions on the device can
be implemented based on time segments. Therefore, you can set time segments on
Schedule, which can be invoked in control policies. These schedule groups can
also be referenced during behavior queries and report statistics in the data
center.

The keywords set in Keyword Group can be referenced on the page displayed
after you choose Access Mgt > Policies > Add > Access Control > Search
Keyword.

The file types set in File Type Group can be referenced on the page displayed
after you choose Access Mgt > Policies > Add > Access Control > File Type, or
Bandwidth Mgt > Bandwidth Channel.

Location Object Group: Location object groups are used to select location
objects when associating applicable objects in Web Access -> Web Access
Permission and Traffic Mgt.

Trusted Certificate Authority: When a LAN user accesses the WAN using the SSL
protocol, the device can verify the legality of the certificate. If the
certificate used by the SSL connection falls within the scope of Trusted
Certificate Authority, the certificate is considered legal. The client can
delete or add a trusted SSL certificate. When SSL Certificate Link Control is
enabled in Web Access -> Web Access Permission -> SSL Mgt -> SSL Security
Protection, SSL certificate detection is enabled.

3.11.1.1 Application Signature

There are two types of application characteristics identification libraries.

The first type of application identification rule aims to detect the application
type of packets based on multiple conditions, including the characteristic value
or protocol, port, direction, packet length, and packet content. This type of rule
can effectively detect application types that cannot be identified by port or
protocol, such as Facebook and P2P applications.

The first type of rules can be further divided into embedded rules and custom
rules. Embedded rules cannot be modified and are updated by the device
periodically. A license is required to authorize the update of embedded rules,
and Internet access must be available. Custom rules can be added, deleted,
and modified. For details about custom rules, see section 3.3.3. SSL
management, Internet access audit, terminal reminders, and Bandwidth
Management are controlled and audited based on application identification
results. Therefore, the application library is very important. An embedded
application identification library cannot be edited or deleted. Some
applications can be disabled but those involving basic protocol identification
cannot be disabled.

The second type of application refers to URL groups defined on the page
displayed after choosing Objects > Application Signature. URL groups are a
sub-class of the Visited Websites type. This type is used to recognize websites
visited by intranet users based on HTTP data. URL groups are classified into
embedded URL groups and custom URL groups. URL groups cannot be edited
or added to the Application Signature. Instead, they are reused here. To edit a
URL group, choose Objects > Application Signature. For details, see section
3.5.4.


Application identification rules can be referenced on the page displayed after
you choose Access Mgt > Policies > Add > Access Control to control the
application types and visited website types.

3.11.1.1.1 Viewing the Application Signature

In the navigation area, choose Objects > Application Signature. The
Application Signature pane is on the right.

The value behind Total Applications indicates the total number of embedded
application rules and URL groups on the device.

Current Database Released indicates the date of the embedded application
identification library. Update Service Expires indicates the upgrade validity
period of the embedded application identification library.


Application classification labels are displayed in the Tags column. A label is
an additional type of classification information about applications. An
application can belong to only one application class but can have multiple
labels. For example, Xunlei Download belongs to the Download Tools class and
has two labels: High Bandwidth Consumption and Reduce the Work Efficiency.
Labels may be referenced when defining Internet access policies, which
facilitates Access Control.

Click All, and all application types will be displayed on the Application
Signature pane on the right. The device has six embedded labels: Security
risks, Send Email, High Bandwidth Consumption, Reduce the Efficiency of
Work, Forum and Microblog Posts, and Disclosure Risk. These embedded
labels will be updated accordingly as the application identification library is
updated. Applications with embedded labels cannot be deleted or added. To
define labels, click Tags. All labels can be referenced on the page displayed
after choosing Access Mgt > Policies > Add > Access Control.

In Filter, select a rule type: All filters all rules meeting the search
condition, Enabled filters the enabled rules meeting the search condition, and
Disabled filters the disabled rules meeting the search condition. Enter a
keyword in Search, for example, Facebook, and press Enter, as shown in the
following figure.


Click Database Manual Update to manually import application identification rule files to
the device.

The procedure for adding a label and associating it with applications is as
follows:

Click Tags, click Add, and enter the label name.

In the position for associating applications, click Select and select applications
as required.


Click OK. A label is added and associated with applications successfully.

3.11.1.1.2 Enabling/Disabling Application Identification Rules

In the navigation area, choose Objects > Application Signature. The
Application Signature pane is on the right. Next, select an application (for
details, see section 3.3.1.1). For example, to disable the application rule
for transferring files through Facebook, filter out the applications for
transferring files through Facebook, as shown in the following figure.


In the Status column, click the status icon of an enabled application to
disable that type of application rule. Click the status icon of a disabled
application to enable that type of application rule.

1. The application identification rules of some basic protocols cannot be disabled, such as
HTTP. If a basic protocol is disabled, the data identification based on this protocol will be
affected. Therefore, it is not allowed to disable such rules on the device.

2. In the Application Signature, the Mobile Applications maps application software running
on mobile endpoints such as smartphones and tablets.


3. Some URL groups are not included in the application type Visited websites. Instead, they
belong to the corresponding application type as web applications. For example, microblog
URLs are included in the application type Microblog. Suppose control of microblog
applications is enabled in Internet access policies. In that case, the device can control the
behaviors of accessing microblog applications by using a web browser and behaviors of
accessing microblog clients.

The following figure shows the web-based applications.

3.11.1.2 Advanced App Signature

The Advanced App Signature is used to recognize application types of all kinds
of Internet access data. It differs from the Application Signature in the
identification mode. The Advanced App Signature can recognize encrypted
data, such as ciphertext or plaintext P2P applications, Skype, SSL, SANGFOR
VPN data, web proxy, and PiPi. See the following figure.

3.11.1.3 Enabling/Disabling Advanced App Signature

In the navigation area, choose Objects > Advanced App Signature. The
Advanced App Signature panel is on the right.


In the Status column, click the status icon of an enabled application to
disable that type of application rule. Click the status icon of a disabled
application to enable that type of application rule.

3.11.1.3 Editing P2P Behavior Identification Rules

P2P behavior identification rules are another type of application
identification rule, used for intelligent identification of P2P data that the
Application Signature cannot recognize. P2P behavior rules can be edited.
Click P2P Behavior to display the rule editing dialog box.

You can select Enabled to enable this rule.

Name: specifies the name of the intelligent identification rule.

Category: specifies the application type to which the rule belongs.

Description: specifies the description of the rule.


The preceding three fields cannot be edited.

In Sensitivity, you can set the sensitivity of the rule to high, medium,
low, and very low. Errors may exist in the intelligent identification of
P2P applications. Therefore, you can set the sensitivity to improve the
identification accuracy. You can adjust the sensitivity level based on
the data identification conditions. For example, suppose there is a
large amount of unrecognized data. In that case, the connected ports
are all random high-end ports, and the destination IP addresses are
unknown. The data may be unrecognized P2P data. In this case, you
can set the sensitivity to a high level. On the other hand, if some
application data is mistakenly recognized as P2P data, it may be
because the sensitivity level is too high. To solve this problem, adjust
the sensitivity to a lower level.

In Excluded Port, set one or more ports that are to be excluded from
scanning. If the destination port of data is an exclusion port, the
device will not perform P2P identification for the data.

3.11.1.4 Editing Web Online Proxy Identification Rules

Web online proxy identification rules can be edited. Click Web Online Proxy to
display the rule editing dialog box.


You can select Enabled to enable this rule.

Name: specifies the name of the intelligent identification rule.

Category: specifies the application type to which the rule belongs.

Description: specifies the description of the rule.

In the second notes point in the above figure, Settings will automatically link to
the page displayed after you choose System > General > Update > Database
Update.

In the third notes point in the above figure, Settings will automatically link to
the page displayed after choosing System > General > Global Exclusion. You
can add the destination addresses of misjudged network applications to the
global exclusion address list to reduce the misjudgment rate.

3.11.1.2 Custom Application

On the Custom Application page, you can define application identification
rules for applications that do not exist in the embedded Application
Signature. Applications can be defined in terms of data direction, IP address,
protocol, and port.

In the navigation area, choose Objects > Custom Application. The Custom
Application pane is on the right.

3.11.1.2.1 Adding Custom Application Rules

On the Custom Application page, click Add. In the Add Custom Application
window, you can add custom application rules.

Example: Traffic needs to be guaranteed for the company's (SANGFOR) email,
but there is no such application type. In this case, define a company
email application rule as follows:

1. Select Enabled and set basic application information, including the rule
name, description, application type, and application name. You can select
an existing type or define one.

2. Set the packet type.

Direction: specifies the direction of packets passing through the device.
The device recognizes data only in the specified direction.

Protocol: specifies the protocol type of the data. In this example, emails
are sent over TCP.

Dst Port: specifies the destination port of the data. In this example,
emails are sent to TCP port 25.

IP Address: specifies the source IP address, the destination IP address,
or the destination IP address after proxy identification.

Target Domain: specifies the destination domain name of the packets. In
this example, set this field to the domain name of the SANGFOR mail
server, for example, mail.sangfor.com.cn.

3. Click Commit. The setting of the rule is complete.

4. Set the priority of the defined rule. The embedded Application
Signature also contains mail identification rules. If the embedded rules
take precedence, data may be matched to the embedded mail identification
rules instead of the custom rule. Therefore, give the custom rule a
higher priority by selecting Give Priority to custom applications on the
Custom Application page.

5. Choose Bandwidth Mgt > Bandwidth Channel and set a guaranteed channel
for this application to ensure the bandwidth required for sending emails
through the company mail server. For details, see section 3.6.3.1.

It is recommended that you set the destination port, IP address, and domain name when
defining a custom rule. If the identification conditions are too general, the custom rule
may conflict with the embedded application identification rules, causing identification
errors and, as a result, the failure of some control and audit functions.

3.11.1.2.2 Enabling, Disabling, and Deleting Custom Application Rules

On the Custom Application page, select a custom rule and click Enable,
Disable, or Delete.

3.11.1.2.3 Importing and Exporting Custom Application Rules

Click Import to import custom application rules from a file. Click Export
to export the custom application rules to a file.

3.11.1.3 URL Database

The URL Database is a collection of URLs of different types, classified
by webpage content. It helps the device identify websites so that access
control and traffic control can be applied per website type. The URL
Database contains a URL Database list and an intelligent URL
identification system. The URL Database list consists of embedded URL
groups and custom URL groups. SANGFOR periodically updates the embedded
URL groups on its server, and the device retrieves the updates from the
server over the Internet. This type of update requires a valid license.
When the embedded URL groups do not meet your requirements, you can
define custom URL groups.

The URL Database is reused by the Application Signature. Therefore, to
filter the websites visited by intranet users, choose Access Mgt >
Policies > Add > Access Control and set the website types.

3.11.1.3.1 URL Database List

The URL Database list consists of an embedded URL Database and a custom
URL Database. The device periodically updates the embedded URL Database;
the update must be licensed and requires Internet access. In the custom
URL Database, URL groups can be added, deleted, and modified. For
details, see sections 3.11.1.3.1.2 to 3.11.1.3.1.4.

In the navigation area, choose Objects > URL Database. Double-click on
the URL Database page; the update time and upgrade validity period of
the embedded URL Database are displayed in the upper part of the page.

3.11.1.3.1.1 URL Lookup

In the navigation area, choose Objects > URL Database. Click URL Lookup.
In the URL Lookup window, enter a domain name and click Go. The URL type
is displayed in the query result.

Fuzzy search is not supported in URL Lookup.

3.11.1.3.1.2 Adding URL Groups

You can add a URL group to define URLs. On the URL Database page, click
Add. The Add URL Category window is displayed, as shown in the following
figure.

Name: specifies the name of the URL group.

Description: specifies the description of the URL group.

In URL, add URLs as required. URLs can be matched using wildcards.

In Domain Name Keyword, match a URL group based on a domain name keyword.
If a domain name contains the keyword, it is identified as belonging to
the URL group. Domain name keyword matching has a lower priority than the
embedded URL Database and the custom URL Database.

1. The asterisk (*) can be used as a wildcard. For example, to match the sub-sites of
Sina, including news.sina.com.cn, sports.sina.com.cn, and ent.sina.com.cn, enter
*.sina.com.cn in URL. The asterisk matches the leading subdomain labels and can be
placed only at the beginning of the URL, not in the middle. Otherwise, the URL is
invalid.

2. After a custom URL group is added, an intelligent identification URL group with the same
name will be added to the intelligent URL identification system.
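The following is an added Python example (not Sangfor's code) that implements the matching behaviour described in this section: exact entries, a leading-wildcard entry such as *.sina.com.cn, rejection of a wildcard anywhere else, and domain name keywords that are consulted only after the URL lists. The group names, entries and keywords are constructed for the example.

```python
"""Added example, not Sangfor's code: URL-group lookup semantics.

An entry is an exact host or a wildcard of the form "*.domain" with "*"
allowed only as the first label. Domain name keywords match any host that
contains the keyword, but only after no URL list entry matched.
"""
import re
from typing import List, Optional

_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def validate_url_entry(entry: str) -> bool:
    """True if `entry` is a valid URL-group entry.

    "*" is accepted only as the leading label ("*.sina.com.cn"); an
    asterisk anywhere else ("news.*.com.cn", "*sina.com.cn") is invalid.
    """
    entry = entry.strip().lower()
    if entry.startswith("*."):
        return "*" not in entry[2:] and bool(_HOST_RE.match(entry[2:]))
    return "*" not in entry and bool(_HOST_RE.match(entry))


def host_matches_entry(host: str, entry: str) -> bool:
    """Exact match, or suffix match for a leading-wildcard entry."""
    host, entry = host.lower(), entry.lower()
    if entry.startswith("*."):
        # "*.sina.com.cn" matches news.sina.com.cn, not sina.com.cn itself
        return host.endswith("." + entry[2:])
    return host == entry


class UrlGroup:
    def __init__(self, name: str, urls=(), keywords=()):
        bad = [u for u in urls if not validate_url_entry(u)]
        if bad:
            raise ValueError(f"invalid URL entries in {name}: {bad}")
        self.name = name
        self.urls = list(urls)
        self.keywords = [k.lower() for k in keywords]


def lookup(host: str, groups: List[UrlGroup]) -> Optional[str]:
    """Return the group name for `host`: URL lists first, keywords second."""
    for g in groups:
        if any(host_matches_entry(host, u) for u in g.urls):
            return g.name
    for g in groups:
        if any(k in host.lower() for k in g.keywords):
            return g.name
    return None


# Constructed sample groups
SAMPLE_GROUPS = [
    UrlGroup("News portals", urls=["*.sina.com.cn"]),
    UrlGroup("Company sites", urls=["mail.sangfor.com.cn"], keywords=["sangfor"]),
]
```

Note the priority effect: a host such as sangfor.sina.com.cn contains the keyword "sangfor", but it is classified as "News portals" because the wildcard URL entry is checked before any keyword.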

3.11.1.3.1.3 Deleting URL Groups

You can delete a custom URL group. An embedded URL group cannot be
deleted. To delete a URL group, select a custom URL group on the URL
Database page and click Delete.

3.11.1.3.1.4 Modifying URL Groups

You can modify a custom or embedded URL group.

Specifically, you can modify the description, URLs, and domain name
keywords of a custom URL group. For an embedded URL group, you cannot
modify the name, description, or existing URLs; you can only add URLs and
domain name keywords.

Click the name of a URL group and modify related information in the Edit URL
Category window. For details, see section 3.11.1.3.1.2.

3.11.1.3.1.5 Updating URL Groups

On the URL Database List page, click Database Manual Update. Then, select
an embedded library file and click Open.

3.11.1.3.1.6 Importing and Exporting URL Database

On the URL Database page, click Import & Export, choose Export, select the
save path, and click OK to export all custom URL Database contents.

Choose Import and upload a .csv file.

If the name of a URL group to be imported is the same as that of an existing URL group, the
existing URL group is overwritten. If the name is unique, the group is imported as a new URL
group.

3.11.1.4 Ingress Rule Database

Ingress detection checks PCs on the intranet by using an Ingress program
installed on the client. Detected contents include the OS, processes,
files, and registry entries. Encrypted IM chat contents and files
transmitted over QQ or MSN can be audited through Ingress control. You
set detection (Ingress) rules on the Ingress Rule Database page; the
rules are applied on the page displayed after you choose Access Mgt >
Policies > Ingress Policy. For details, see section 3.5.1.1.5. If an
Ingress policy is configured, a user can access the Internet only when
the related rules are met, and the Ingress client must be installed the
first time the user accesses the Internet. Multiple Ingress rules are
embedded in the device, and you can also define Ingress rules as
required.

3.11.1.4.1 Ingress Rules

In the navigation area, choose Objects > Ingress Rule Database > Ingress
Rules. On the Ingress Rules page, you can add or delete Ingress rules.

3.11.1.4.2 Adding Ingress Rules

On the Ingress Rules page, click Add and choose a rule type, which may be
Operating System Based Rule, Process Based Rule, File Based Rule,
Registry Based Rule, Task Based Rule, Patch Based Rule, or Other. See the
following figure.

3.11.1.4.2.1 Adding Operating System Based Rules

You can set rules for detecting the OS of clients. Access the Ingress Rules
page, click Add, and select Operating System Based Rule. The Operating
System Based Rule page is displayed.

Name: specifies the name of the rule to be added. The length of the rule name
must be equal to or shorter than 95 characters.

Category: specifies the type of the rule. You can select a rule type from the
drop-down list or enter a rule type. The length of the entered rule type must be
equal to or shorter than 95 characters.

Description: specifies the description of the rule.

Required Operating System lists the OS versions allowed on intranet PCs
that access the Internet through the device. For example, an organization
requires that all intranet PCs run Windows XP with the required service
pack installed. PCs that do not meet the requirement cannot access the
Internet through the device. The settings are shown in the following
figure.

Rule-breaking Operation: selects the action taken on users who do not
conform to the rule: Reject request and give alert, Stop Process, Give
alert, or Log event only. Log event only means that no action is taken
on client data; the event is only logged in the console and the data
center.

3.11.1.4.2.2 Adding Process Based Rules

You can set rules for detecting processes running on clients.

Access the Ingress Rules page, click Add and select Process-Based Rule. The
Process Based Rule page is displayed.

Name: specifies the name of the process rule to be added.

Category: specifies the type of the rule. You can select an embedded rule type
or define one.

Description: specifies the description of the rule.

Status: specifies the status of processes to which the rule is applied.
If Running is selected, you can select Reject request and give alert,
Stop the process, Give alert, or Report only from Action.

If Not running is selected, you can select Reject request and give alert,
Start process, Give alert, or Report only from Action.

Process Name: specifies the full name of a process. No wildcard is supported.

Window Name: specifies the full name of a window. No wildcard is supported.

Program Path: specifies the installation path of the program. System
environment variables are supported. See the following figure.

If Running is selected in Status, you can also set advanced conditions,
including the process's MD5 value and program size. See the following
figure.

The Rule Operation options correspond to the actions listed above:
Disable Web access (reject the request), Stop the process (when Running
is selected) or Start the process (when Not Running is selected), and
Not operating (only submitting report).

3.11.1.4.2.3 Adding File Based Rules

You can set rules for detecting files on clients.

Access the Ingress Rules page, click Add, and select File Based Rule. The File
Based Rule page is displayed.

Name: specifies the name of the rule to be added.

Category: specifies the type of the rule. You can select an embedded rule type
or define one.

Description: specifies the description of the rule.

Status: specifies the status of files to which the rule is applied. If
File Exists is selected, you can select Reject request and give alert,
Delete file, Give alert, or Log Event only from Action.

If File does not exist is selected, you can select Reject request and
give alert, Give alert, or Log Event only from Action.

File Path: specifies the path of the file. System environment variables
are supported. See the following figure.

If File Exists is selected, you can set advanced conditions: the MD5
value, the file size, and the number of days since the file was last
updated. See the following figure. Click OK.

The Rule Operation options correspond to the actions listed above:
Disable Web access (reject the request), Delete file (available only when
File Exists is selected), and Not operating (only submitting report).

3.11.1.4.2.4 Adding Registry Based Rules

You can set rules for detecting registry entries on clients.

Access the Ingress Rules page, click Add and select Registry Based Rule. The
Registry Based Rule page is displayed.

Name: Specifies the name of the registry rule to be added.

Category: Specifies the type of the rule. You can select an embedded rule type
or define one.

Description: Specifies the description of the rule.

Status: Specifies whether an entry exists in the registry. If Specified
item exists in registry is selected, you can select Reject request and
give alert, Delete entry, Give alert, or Log Event only from Action.

If Specified item does not exist in registry is selected, you can select
Reject request and give alert, Give alert, or Log Event only from Action.

Registry Item: Specifies the registry key path, as displayed in the left
pane of the Required Registry Item window.

Key: Specifies the name of the value under that key.

Value: Specifies the data that the value must contain.

You can set the status to match items that are in the registry or items
that are not in the registry.

3.11.1.4.2.5 Adding Task Based Rules

You can set scheduled tasks. The Ingress client runs custom executable
programs, JScript files, or VBScript files and acts on the return values
that you define in those files.

Access the Ingress Rules page, click Add and select Task Based Rule. The
Task Based Rule page is displayed.

Category: Set the type to which the rule belongs.

Name and Description: Set the name and description information of the rule.

Execute program: Program Type can be Executable Program, Jscript, or
Vbscript.

Program Path: Specifies the full path of the program or script stored on
the server. The path must be a network path on which all users subject
to this rule have execute permission.

Scheduled Execution: Specifies whether the task runs periodically or only
once when the Ingress program starts on the computer.

Execution Permission: Execute as the current user or Execute as SYSTEM
User. Execute as the current user runs the task with the permissions of
the account logged in on the PC. Execute as SYSTEM User runs it with the
highest system privilege, which avoids failures caused by a
low-privileged account lacking execution permission. Because a task
running as SYSTEM executes whatever is stored at the program path, make
sure that only administrators can modify the share and the file it points
to.

Execution Result Check: Check returned results or Disabled. Specifies
whether the return value of the task script is checked. Operation timeout
sets the timeout duration. If 1 is returned and If 2 is returned specify
how each return value of the task script is handled; the action can be
Log event only, Give alert, or Reject request and give alert.

If the server hosting the program path requires an account and password and the client has
not saved them, program execution fails. In that case, access the server from the client and
save the account and password. If the server requires no credentials, the scheduled task
runs successfully.

3.11.1.4.2.6 Adding Patch Based Rules

A Patch Based Rule checks whether the terminal has installed the
vulnerability patches required by the organization in time.

On the Ingress Rules page, click Add and select Patch Based Rule. The
Patch Based Rule page is displayed.

Category: Set the category to which the rule belongs.

Name and Description: Set the name and description information of the rule.

Patch Check: Check by Severity or by Specified patches.

For Severity, you can check Critical Windows Updates. Specified patches
lets you choose which patches are checked; for patch names and details,
refer to the patch contents. The patch list includes some commonly used
patches. To add others, edit Custom Patches.

Failure in obtaining PC patch information shall be processed as
violation: if this check box is selected, a failed detection is also
treated as a violation.

Action: Selects the action taken on users who do not conform to the rule:
Give Alert or Log event only. Log event only means that no action is
taken on client data; the event is only logged in the console and the
data center.

3.11.1.4.2.7 Adding Others

Access the Ingress Rules page, click Add, and select Others. The Others page is
displayed.

If Reject user who logs in as Administrator is selected, clients logged
in as the super administrator are prevented from accessing the Internet.

3.11.1.4.3 Deleting Ingress Rules

On the Ingress Rules page, select a custom Ingress rule and click Delete.
In the confirmation message that is displayed, click Yes.

3.11.1.4.4 Modifying Ingress Rules

On the Ingress Rules page, select a custom Ingress rule and click its name.
Then, in the dialog box for editing the Ingress rule, modify the settings as
required except the rule name.

3.11.1.4.5 Editing Ingress Rules in Batches

On the Ingress Rules page, select multiple custom Ingress rules and click Edit.
You can edit only the rule type in batches.

3.11.1.4.6 Importing and Exporting Ingress Rules

On the Ingress Rules page, select custom Ingress rules and click Export.
Embedded Ingress rules cannot be exported. Click Import and select an
Ingress rule file to import the rules it contains.

The imported rule file must be in ZIP format and must contain IngressRuleExport.conf, and
the IngressRuleExport.conf file must be at the outermost layer.

3.11.1.4.7 Combined Ingress Rule

You can combine Ingress rules in AND or OR relationships.

3.11.1.4.8 Adding Combined Ingress Rule

In the navigation area, choose Objects > Ingress Rule Database > Combined
Ingress Rule. On the Combined Ingress Rule page, click Add. The page shown
in the following figure is displayed.

Name: Specifies the name of the Combined Ingress Rule to be added.

Category: Specifies the type of the Combined Ingress Rule.

Action: Specifies the action performed when the Combined Ingress Rule is
triggered. It can be set to Reject or Report only.

Logic: Specifies the condition under which the Combined Ingress Rule
takes effect: when any member rule is met, or only when all member rules
are met. When that condition holds, the specified action is performed.

Ingress Rules: Select a custom rule and click Add to move it to the right pane.

Example: The administrator requires intranet users to install Kaspersky
or Rising. If an intranet user has installed neither antivirus product,
the user cannot access the Internet.

1. Set two Ingress rules, one detecting Kaspersky and one detecting
Rising, based on the antivirus processes. Set Status to Not running in
each rule so that the rule is met when the corresponding process is
absent.

The actual antivirus software processes prevail. The process names provided in this
example are for reference only.

2. Set a Combined Ingress Rule that combines the preceding two rules.
Internet access is allowed if either antivirus product is installed, so
set Logic to Rules are with AND logic: the Combined Ingress Rule then
takes effect only when neither antivirus process is running. Set the
action to Reject.

3. Associate the Combined Ingress Rule with an Internet access policy and
apply the policy to users or user groups. For details, see section 3.5.1.1.6.
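To make the AND/OR semantics of the preceding example concrete, here is an added Python example (it is not Sangfor's code and does not talk to the device) that evaluates process-based and file-based rules and a Combined Ingress Rule against a constructed snapshot of a client PC. The process names avp.exe and RavMonD.exe, the rule names, and the host snapshot are assumptions made for the example, as is the interpretation that a rule "matches" when the client is in the state the rule describes.

```python
"""Added example, not Sangfor's code: evaluating Ingress rules offline.

A rule "matches" when the client is in the state the rule describes
(e.g. Status = Not running and the process is absent); that is the
state in which the rule's action fires. Process names, paths, hashes
and the host snapshot are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class HostSnapshot:
    """What the Ingress client observed on one PC (constructed)."""
    processes: Set[str]          # running process image names
    files: Dict[str, bytes]      # path -> file content


@dataclass
class ProcessRule:
    name: str
    process_name: str
    status: str                  # "running" or "not_running"
    action: str

    def matches(self, host: HostSnapshot) -> bool:
        running = self.process_name.lower() in {p.lower() for p in host.processes}
        return running if self.status == "running" else not running


@dataclass
class FileRule:
    name: str
    path: str
    status: str                  # "exists" or "not_exists"
    action: str
    md5: Optional[str] = None    # advanced conditions, only with "exists"
    max_size: Optional[int] = None

    def matches(self, host: HostSnapshot) -> bool:
        content = host.files.get(self.path)
        if self.status == "not_exists":
            return content is None
        if content is None:
            return False
        # Advanced conditions narrow an "exists" rule to one specific file
        if self.md5 and hashlib.md5(content).hexdigest() != self.md5.lower():
            return False
        if self.max_size is not None and len(content) > self.max_size:
            return False
        return True


@dataclass
class CombinedRule:
    name: str
    logic: str                   # "and": all members must match; "or": any
    members: list
    action: str                  # "reject" or "report_only"

    def matches(self, host: HostSnapshot) -> bool:
        results = [m.matches(host) for m in self.members]
        return all(results) if self.logic == "and" else any(results)


def decide_access(rule: CombinedRule, host: HostSnapshot) -> str:
    """'reject' when the combined rule fires with action Reject, else 'allow'."""
    if rule.matches(host) and rule.action == "reject":
        return "reject"
    return "allow"


# The antivirus example: each member rule is met when its process is
# absent, so with AND logic the combined rule fires only when neither
# product is running. Process names are placeholders, as the manual notes.
NO_KASPERSKY = ProcessRule("Kaspersky missing", "avp.exe", "not_running", "report_only")
NO_RISING = ProcessRule("Rising missing", "RavMonD.exe", "not_running", "report_only")
AV_REQUIRED = CombinedRule("Antivirus required", "and",
                           [NO_KASPERSKY, NO_RISING], "reject")
```

Running the same two member rules with OR logic would reject a PC that has only one of the two products installed, which is the opposite of the requirement; that is why the example chooses AND. The MD5 advanced condition on a file rule pins the rule to a known binary rather than any file at that path.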

3.11.1.4.9 Deleting and Modifying Combined Ingress Rules

On the Combined Ingress Rule List page, select a Combined Ingress Rule and
click Delete. Alternatively, click the name of a Combined Ingress Rule and
modify the settings as required except the rule name. See the following figure.

3.11.1.5 Service

Service is referenced on the page displayed after you choose System >
Firewall > Firewall Rules or Access Mgt > Policies > Add > Access Control >
Service.

On the Service page, define all types of services, including the ports and
protocols used by the services. Then choose Firewall > Firewall Rules and
determine the filtering rule based on the defined services or choose Access
Mgt > Policies > Add > Access Control > Service and determine the Internet
access permission based on the defined services.

In the navigation area, choose Objects > Service. The Service pane is
displayed on the right.

On the Service page, click Add. The Service window is displayed.

Service Name: specifies the name of a service to be defined.

Services: specifies the protocol type and port number of the service.
Click TCP, UDP, ICMP, or Others and enter the corresponding ports in the
text box in the lower part of the window.

Click Commit. The setting of a network service is complete.

After clicking Others, you can enter a protocol ID. The protocol ID 0 indicates all protocols.

3.11.1.6 IP Address Database

The IP Address Database page contains three tabs: IP Group, ISP, and Country/Region.

3.11.1.6.1 IP Group

You can define an IP address group, which is a collection of IP
addresses. An IP group can be an IP address segment on the intranet, an
IP address range on the public network, or all IP addresses. The IP
groups defined on the IP Group page can be used for the following
purposes:

⚫ Defining the source and destination IP addresses of firewall rules on
the page displayed after you choose Firewall > Firewall Rules, and the
destination IP addresses on the page displayed after you choose Access
Mgt > Policies > Add > Access Control > Service.

⚫ Being referenced on the page displayed after you choose Bandwidth Mgt >
Bandwidth Channel.

In the navigation area, choose Objects > IP Group. The IP Group page is on
the right.

Click Add. The Edit IP Group window is displayed.

Name: Specifies the name of the IP group to be added.

Description: Specifies the description of the IP group.

IP Address: Specifies the member IP addresses of the IP group. Enter one
IP address or IP address range (IPv4 or IPv6) per row. The range format
is start address-end address, for example, 192.168.0.1-192.168.0.100.

Resolve Domain: A button for resolving the IP addresses of domain names.
Resolved IP addresses are automatically added to the IP address list.

The domain name resolution function requires Internet access.

3.11.1.6.2 ISP

On the ISP page, you can set the IP address segment of the network carrier.
This IP address segment is invoked during multiline routing in policy-based
routing.

Click Delete to delete the selected Internet service provider (ISP) address
library.

Click Add to add an ISP address library. The configuration page is as follows.

Name: Specifies the name of the ISP.

Description: Specifies the description of the ISP address library.

IP Address: Specifies the IP segment of the ISP (carrier).

WHOIS: Specifies the WHOIS flag of the ISP address segment. A WHOIS flag
uniquely identifies the address range of a carrier.

Auto Update: Specifies whether to update the ISP address library
automatically. Automatic update is enabled by default.

WHOIS Server: Specifies the server for updating the ISP address library.

Update Interval: Specifies the automatic update interval. It can be set to
Every day, Every week, or Every month.

Latest Updated: Indicates the latest update time.

Latest Message: Indicates the number of ISP address segments updated
recently.

By default, the device contains four ISP address libraries: China Unicom, China Telecom,
China Mobile, and the education network.

3.11.1.6.3 Country/Region

1. In the navigation area, choose IP Address Database and click the
Country/Region tab. Create a custom area as shown below.

2. In Virtual Line Rule, select the custom area.

3.11.1.6.3.1 Location lookup

When there is some abnormal traffic, the admin can use location lookup to
search for the IP location and take action accordingly.

3.11.1.6.3.2 Change IP Location

When the administrator or technical support has confirmed that an IP
address is miscategorized, that is, its actual location differs from the
one recorded in the database, the IP location can be changed manually.

3.11.1.6.3.3 Update IP Address Database

When the device can access the Internet, the IP address database is
updated in real time. It can also be updated manually to obtain the
latest IP address database; if the database is already the latest
version, the manual update prompts that no update is needed.

3.11.1.7 Schedule

On the Schedule page, you can define common time segment combinations,
which can be referenced when you set the validation and expiration time of
rules on the page displayed after choosing Firewall > Firewall Rules, Access
Mgt > Policies, or Bandwidth Mgt > Bandwidth Channel.

In the navigation area, choose Objects > Schedule. The Schedule pane is
displayed on the right, as shown in the following figure.

Click Add. The Schedule page is displayed.

Name: Specifies the name of the schedule group to be added.

Description: Specifies the description of the schedule group.

Date: Specifies the effective date and expiry date. A maximum of 10 date
segments can be set.

Click Settings. The schedule configuration page is displayed, as shown in
the following figure.

Included: A date within the specified included date segment can match the
schedule group.

Excluded: A date within an excluded date segment does not match the
schedule group even if it falls within an included segment. This field
can be used to exclude holidays and festivals.

Click Add to set a time segment. See the following figure.

You can add multiple discontinuous time segments. To delete a time segment,
select it and click Delete.

Defined time segments are displayed in Preview. The horizontal axis
indicates the time of day, and the vertical axis indicates the date
range.
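The following is an added Python example (not Sangfor's code) that applies the schedule semantics above to a timestamp: the date must fall inside an Included segment and outside every Excluded segment, and the time of day must fall inside one of the discontinuous time segments. The dates, the holiday week and the working-hours segments are constructed; treating the end of a time segment as exclusive is an assumption of the example.

```python
"""Added example, not Sangfor's code: matching a timestamp against a Schedule.

Included date segments define when the schedule is valid, Excluded
segments (e.g. holidays) override them, and one or more discontinuous
time segments restrict the time of day. All dates and times are
constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import List, Tuple


@dataclass
class Schedule:
    name: str
    included: List[Tuple[date, date]]                       # inclusive date ranges
    excluded: List[Tuple[date, date]] = field(default_factory=list)
    time_segments: List[Tuple[time, time]] = field(default_factory=list)  # start <= t < end

    def date_matches(self, d: date) -> bool:
        # An excluded segment wins over any included segment it overlaps
        if any(s <= d <= e for s, e in self.excluded):
            return False
        return any(s <= d <= e for s, e in self.included)

    def time_matches(self, t: time) -> bool:
        # No explicit time segments means the whole day
        if not self.time_segments:
            return True
        return any(s <= t < e for s, e in self.time_segments)

    def matches(self, when: datetime) -> bool:
        return self.date_matches(when.date()) and self.time_matches(when.time())


def allowed_at(schedule: Schedule, year: int, month: int, day: int,
               hour: int, minute: int) -> bool:
    """Convenience wrapper taking plain integers."""
    return schedule.matches(datetime(year, month, day, hour, minute))


# Constructed: working hours during Q4 2021, except a one-week holiday,
# with a lunch break between the two time segments
WORK_HOURS_Q4 = Schedule(
    name="Work hours Q4",
    included=[(date(2021, 10, 1), date(2021, 12, 31))],
    excluded=[(date(2021, 10, 1), date(2021, 10, 7))],
    time_segments=[(time(9, 0), time(12, 0)), (time(13, 30), time(18, 0))],
)
```

A policy referencing WORK_HOURS_Q4 would be in force at 10:00 on 15 October 2021 but not at 12:30 the same day (lunch break), not on 3 October (excluded week), and not in January 2022 (outside the included range).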

3.11.1.8 Keyword Group

You can set and group keywords, which can restrict search and upload on the
page displayed after choosing Access Mgt > Policies > Add > Access Control >
Search Keyword. In the navigation area, select Objects > Keyword Group.
The Keyword Group pane is on the right.

Click Add. The Edit Keyword Group page is displayed.

Name: Specifies the name of the keyword group to be added.

Description: Specifies the description of the keyword group.

Keyword: Each row of the table is an independent keyword, and the group
is considered matched if any row matches. A row may contain up to five
keywords separated by commas (,); such a row matches only if all of its
keywords are matched.

3.11.1.9 File Type Group

On the File Type Group page, you can define file types as required, which can
be used to restrict the upload and download of HTTP and FTP files on the page
after choosing Access Mgt > Policies > Add > Access Control > File Type. You
can set traffic control based on file types on the page after choosing
Bandwidth Mgt > Bandwidth Channel.

In the navigation area, choose Objects > File Type Group. The File Type
Group pane is on the right.

Click Add. The Add File Type Group window is displayed, as shown in the
following figure.

Name: Specifies the name of the file type group.

Description: Specifies the description of the file type group.

File Extensions: Specifies the file types. Enter the file name extensions, such
as *.mp3 or mp3.

3.11.1.10 Location

On the Location page, you can classify locations by wireless network, IP
segment, or VLAN.

In the navigation area, choose Objects > Location. The Location pane is on
the right.

Click Add. The Location window is displayed, as shown in the following figure.

Name: Specifies the name of the location group.

Description: Specifies the description of the location group.

Type: Specifies the type of the location object, which can be set to SSID
(wireless network), IP Segment, or VLAN.

IP Segment: You can select an IP group or enter IP address ranges. Enter
only one IPv4 or IPv6 address or address segment per row.

VLAN: Enter a VLAN ID, one in each row.

Location objects can be imported and exported; the export format is .inf.
Location objects can be searched by IP address but not by VLAN ID or
wireless network. When you search by IP address, the location object
whose IP segment contains that address is displayed. For example, if
location object A is 2.2.2.2–5.5.5.5 and you search for 3.3.3.3, object A
is displayed.

Location objects can be referenced by Internet access policies and traffic control policies,
but cannot be referenced by authentication policies.

A user belongs to only one location. User locations will be recorded when logs
are kept.

Location objects cannot be duplicated. There are three types of location objects:
SSID, IP segment, and VLAN. Location objects of the same type must be unique,
but objects of different types may overlap. For example, the IP address of a
client on an SSID may fall inside the location defined by an IP segment. If
location objects of different types overlap, the device identifies the location
by SSID, IP address, and VLAN in turn. A maximum of 1000 location objects is
supported.
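The following Python sketch is an added illustration of the location rules above; it is not part of the manual or of Sangfor's code. It shows that an IP-address search returns every IP-segment object whose range contains the address, that a user resolves to a single location with SSID, IP address, and VLAN checked in that order when objects of different types overlap, and that same-type duplicates and sets above the 1000-object limit are rejected. The object layout, the names Guest-WiFi and Floor2, and all addresses except the manual's 2.2.2.2–5.5.5.5 range are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

MAX_LOCATIONS = 1000  # limit stated in the manual


@dataclass(frozen=True)
class Location:
    """One location object: kind is 'ssid', 'ip' or 'vlan' (the three types the manual lists)."""
    name: str
    kind: str
    value: str  # SSID name, 'start-end' IP address range, or VLAN ID


def _in_ip_range(ip, value):
    """True if ip falls inside the 'start-end' range string of an IP-segment object."""
    start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
    addr = ipaddress.ip_address(ip)
    return addr.version == start.version and start <= addr <= end


def search_by_ip(locations, ip):
    """Search by IP address: every IP-segment object whose range contains ip is shown."""
    return [loc.name for loc in locations if loc.kind == "ip" and _in_ip_range(ip, loc.value)]


def resolve_location(locations, ip, ssid=None, vlan=None):
    """Pick the single location a user belongs to.

    Overlapping objects of different types are resolved in the order the manual
    gives: SSID first, then IP address, then VLAN.
    """
    for kind in ("ssid", "ip", "vlan"):
        for loc in locations:
            if loc.kind != kind:
                continue
            if kind == "ssid" and ssid is not None and loc.value == ssid:
                return loc.name
            if kind == "ip" and _in_ip_range(ip, loc.value):
                return loc.name
            if kind == "vlan" and vlan is not None and int(loc.value) == int(vlan):
                return loc.name
    return None


def check_location_set(locations):
    """Reject duplicate objects of the same type and sets above the 1000-object limit."""
    if len(locations) > MAX_LOCATIONS:
        raise ValueError(f"at most {MAX_LOCATIONS} location objects are supported")
    seen = set()
    for loc in locations:
        key = (loc.kind, loc.value)
        if key in seen:
            raise ValueError(f"duplicate {loc.kind} location object: {loc.value}")
        seen.add(key)
    return True


# Constructed sample set; "A" reuses the 2.2.2.2-5.5.5.5 range from the manual's example.
LOCATIONS = [
    Location("A", "ip", "2.2.2.2-5.5.5.5"),
    Location("Guest-WiFi", "ssid", "guest"),
    Location("Floor2", "vlan", "20"),
]

if __name__ == "__main__":
    check_location_set(LOCATIONS)
    print(search_by_ip(LOCATIONS, "3.3.3.3"))
    print(resolve_location(LOCATIONS, "3.3.3.3", ssid="guest", vlan=20))
```

A client at 3.3.3.3 on SSID guest in VLAN 20 matches all three objects, and the precedence rule assigns it to Guest-WiFi; the same address without SSID information falls to A.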

3.11.2 Network

3.11.2.1 Deployment

You can set the device's operating mode to route, single-arm, bridge, or bypass
on the Deployment Mode panel.

Select an appropriate deployment mode so that the device can be smoothly
deployed on the network and operate correctly.

Route mode: In this mode, the device functions as a router, the network
structure is modified to a large extent, and all functions of the device can be
implemented.

Single-arm mode: The device functions as a proxy server and proxies internal
users’ access to the Internet. Most device features can be implemented in this
mode, and no changes will be made to the network topology.

Bridge mode: The device is considered a network line with the filtering
function. This mode is usually enabled when the original network structure
cannot be modified. In bridge mode, the device is smoothly deployed on the
network, and most functions of the device can be implemented.

Bypass mode: The device is connected to the mirrored port of the intranet
switch or a hub. The device monitors and controls Internet access data on the
intranet based on mirrored data without modifying the network environment
and causing network interruption. In bypass mode, some functions of the
device cannot be implemented due to poor controllability.

Authentication mode: You can switch between the authentication mode and
the common mode. When an organization has multiple branches across the nation
connected over the Internet, the headquarters needs to deploy a user
authentication center and provide a unified authentication interface to all
branches. Since authentication traffic is small, switching to the
authentication mode is feasible even with a relatively large number of users.

In the navigation area, choose Network > Deployment. The Deployment
pane is on the right. Click Settings, and three deployment modes are
displayed: route, bridge, and bypass. Next, select a deployment mode for the
device.

Before deploying the device on the network, you are advised to configure
information, including the deployment mode, interfaces, routes, and device
users. The default IP addresses of interfaces of the device are listed in the table
below.

Interface       IAG
ETH0 (LAN)      10.251.251.251/24
ETH1 (DMZ)      10.252.252.252/24
ETH2 (WAN1)     200.200.65.61/22

Table 6: Interface Table

3.11.2.1.1 Route mode

In route mode, the device functions as a router. The device is typically
deployed at the egress of the intranet or behind a router to implement
Internet access for the LAN. The following figure shows a typical deployment
scenario.

Example: The customer's network uses an L3 switch, and the device functions as
a gateway to implement Internet access for intranet users. A public network line
(fiber) is available and assigned a fixed IP address.

1. Configure the device and log in to the device by using the default IP
address. For example, to log in by using the LAN interface, whose default
IP address is 10.251.251.251/24, configure an IP address on this network
segment on the PC and log in to the device by accessing
https://10.251.251.251. The default login username and password are both
admin.

2. In the navigation area, choose System > Network > Deployment. On the
Deployment pane on the right, click Settings. On the page shown in the
following figure, select the route mode and click Next.

3. Define a LAN interface and a WAN interface. Specifically, select an idle
network interface.

4. Click Add to move it to the corresponding network interface list.

LAN interface list: A network interface added to the LAN interface list
serves as an internal network interface and needs to be connected to the
internal network.

WAN interface list: A network interface added to the WAN interface list
serves as a WAN interface and needs to be connected to the external
network. If multiple WAN interfaces are required, apply for multi-line
authorization.

DMZ interface list: A network interface added to the DMZ interface list
serves as an internal network interface. Important servers can be
connected to the DMZ, and the firewall settings on the device can restrict
the access of intranet users, thereby ensuring the security of the servers.
For details about firewall settings, see section 3.2.2.

The default LAN interface is eth0, the default DMZ interface is eth1, and
the default WAN interface is eth2. It is recommended that the positions of
these network interfaces not be modified and that they conform to the device
panel.

Other idle network interfaces can be added to any interface list.

5. Click Next and configure the IP address of the LAN interface.

In this example, set the IP address of LAN interface eth0 to
192.168.20.1/255.255.255.0.

The current IAG version is compatible with IPv6. Therefore, IPv6 addresses can be
configured for the network interfaces, gateway, and DNS. The following is an example of
configuring IPv4 addresses.

If virtual local area networks (VLANs) are divided on the switch, and the LAN
interface of the device is a trunk interface, VLAN needs to be enabled. In this
example, an L3 switch is used, and therefore VLAN does not need to be
enabled.

In IP Address, enter the ID and IP address of each VLAN. The IP address
assigned to a VLAN must be idle. If VLAN 2 exists and resides on network
segment 10.10.0.0/255.255.0.0, and IP address 10.10.0.1 is not used on the
intranet, 2/10.10.0.1/255.255.0.0 can be entered in the IP address list. Add
information about other VLANs one by one on different rows.

6. Configure WAN interface eth2.

The WAN interface supports three modes: Auto assigned, Specified, and
PPPoE. In this example, the public network line is an optical fiber and
assigned a fixed public network IP address. Therefore, select Specified.

If the public network IP address is automatically obtained over DHCP,
select Auto assign. In this example, the public network IP address has
been assigned. Therefore, enter the assigned public network IP address,
gateway address, and DNS address.

If PPPoE is employed, connect the WAN interface to a modem. If Enable is selected in Auto
Dial-up, automatic dialup will be performed after the connection line is disconnected
abnormally or the device is restarted. Enter the dialup account and password.

7. Configure DMZ interface eth1. Set the IP address and subnet mask.

8. Configure IPv4 SNAT rules. When the device functions as a gateway and
directly connects to the public network line, proxy settings need to be
completed on the device to implement Internet access for intranet users.
Set the proxy network segment and select a WAN interface, which can be
set to a single network interface or all network interfaces in the WAN
interface list.

A proxy rule is added in NAT on the page displayed after choosing
System > Firewall > IPv4 SNAT. The rule name and IP address to which a
source address is translated cannot be modified here. They can be
modified on the IPv4 SNAT page. If Internet access needs to be achieved
for users on another network segment through a proxy, add another IPv4
SNAT rule on IPv4 SNAT.

9. Confirm the configuration information and click Commit.

Restart the device for the configurations to take effect. Click Yes in the
dialog box that asks for your confirmation.

10. In this example, the LAN interface and the intranet are not on the same
network segment. Therefore, a system route from the device to the
intranet needs to be added. In the navigation area, choose Network >
Static Routes. On the Static Routes pane on the right, click Add to add
routes. For details, see section 3.2.3.3. If the intranet covers multiple
network segments, add multiple system routes.

11. Add a user or user group or add a user authentication policy on the
Authentication Policy to avoid Internet access failures caused by the lack of
identity authentication.

12. Connect the device to the network. Specifically, connect the WAN interface
to the public network line and the LAN interface to the intranet switch.
Configure the route of the intranet switch to direct to the LAN interface of
the device.

1.When the device operates in route mode, the gateway addresses of all PCs on the LAN
point to the IP address of the device's LAN interface or to the L3 switch, whose gateway
address in turn points to the device. The device performs NAT for Internet access data or
forwards the data.

2.The IP addresses of the WAN, LAN, and DMZ interfaces must be on different network
segments.

3.After an 802.1q VLAN address is configured for the LAN interface, the LAN interface can
connect to the trunk interface of an L2 switch that supports VLAN. The device (one-armed
router) can then forward data among VLANs, implement firewall rules between LANs, and
implement access control between different VLANs.

5.If the route mode is set to asymmetric digital subscriber line (ADSL) dialup, select PPPoE
when setting the IP address of the WAN interface in step 5 and fill in the dialup account and
password. Other operations are the same.

6.If a front-end device is configured, set the IP address of the WAN interface to be on the
same network segment as the IP address of the LAN interface of the front-end device. Other
operations are the same.

7.If DHCP is enabled on the front-end device, configure the WAN interface to automatically
obtain an IP address and ensure normal communication between the WAN interface and
DHCP server.
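As an added example that is not part of the manual or of Sangfor's software, the following Python script checks a route-mode deployment against the rules stated in the steps and notes above: each VLAN row must be in the id/ip/mask form (2/10.10.0.1/255.255.0.0), VLAN IDs must be unique, and the WAN, LAN, and DMZ interfaces (VLAN sub-interfaces included) must be on different network segments. It also applies the MTU limits described under Network Interface Configuration (700 to 1800, at least 1280 when an IPv6 address is configured). The dictionary layout is an assumption made for this example; the addresses reuse the manual's own example values and the Table 6 defaults. The same segment-separation and unique-VLAN-ID checks apply to the bridge IP addresses in bridge mode.

```python
import ipaddress

# Constructed route-mode deployment reusing the manual's example values (LAN eth0
# 192.168.20.1/255.255.255.0, VLAN row "2/10.10.0.1/255.255.0.0", default DMZ and WAN
# addresses from Table 6). The dict layout itself is an assumption for this example.
EXAMPLE_DEPLOYMENT = {
    "eth0": {"zone": "LAN", "ip": "192.168.20.1/255.255.255.0", "mtu": 1500,
             "vlans": ["2/10.10.0.1/255.255.0.0", "3/10.20.0.1/255.255.0.0"]},
    "eth1": {"zone": "DMZ", "ip": "10.252.252.252/255.255.255.0", "mtu": 1500},
    "eth2": {"zone": "WAN", "ip": "200.200.65.61/255.255.252.0", "mtu": 1500},
}


def parse_vlan_row(row):
    """Parse one 'id/ip/mask' row of the IP Address list into (vlan_id, ip_interface)."""
    parts = row.strip().split("/")
    if len(parts) != 3:
        raise ValueError(f"VLAN row must be id/ip/mask: {row!r}")
    vlan_id = int(parts[0])
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} is outside the 802.1Q range 1-4094")
    return vlan_id, ipaddress.ip_interface(f"{parts[1]}/{parts[2]}")


def validate_deployment(deployment):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    networks = {}  # interface or interface.vlanN -> the network it sits on
    vlan_ids = set()
    for name, cfg in deployment.items():
        iface = ipaddress.ip_interface(cfg["ip"])
        networks[name] = iface.network
        # MTU limits from the Network Interface Configuration section
        mtu = cfg.get("mtu", 1500)
        if not 700 <= mtu <= 1800:
            problems.append(f"{name}: MTU {mtu} is outside 700-1800")
        elif iface.version == 6 and mtu < 1280:
            problems.append(f"{name}: IPv6 address needs MTU >= 1280 or it will be cleared")
        # VLAN rows: id/ip/mask, one per row, IDs unique across the device
        for row in cfg.get("vlans", []):
            vid, viface = parse_vlan_row(row)
            if vid in vlan_ids:
                problems.append(f"{name}: duplicate VLAN ID {vid}")
            vlan_ids.add(vid)
            networks[f"{name}.vlan{vid}"] = viface.network
    # WAN, LAN and DMZ addresses (VLAN sub-interfaces included) must be on different segments
    names = list(networks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = networks[a], networks[b]
            if na.version == nb.version and na.overlaps(nb):
                problems.append(f"{a} and {b} share a network segment ({na} / {nb})")
    return problems


if __name__ == "__main__":
    for problem in validate_deployment(EXAMPLE_DEPLOYMENT):
        print(problem)
```

Running the check before committing the deployment wizard catches the two mistakes the notes warn about (overlapping interface segments and a duplicated VLAN ID) before the mandatory restart, when they are cheaper to fix.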

3.11.2.1.2 Single Arm Mode

In Single Arm mode, this unit is connected to a switch without changing the
network topology and thus has no impact on the network. This unit functions
as a proxy server and controls and audits Internet access, since the proxied
data passes through it.

Take the following scenario as an example. The unit is deployed in Single Arm
mode to proxy, accelerate, and control Internet access. The network topology
is as shown below:

Perform the following steps:

1. Add an IP address entry on PC, which resides on the network segment
10.251.251.251/24. Then, open the web browser and enter the IP address
of IAG (https://10.251.251.251) into the address bar to visit the Web admin
console of IAG. On the login page, log in to the IAG console with the default
account admin/admin.

2. Navigate to System > Network > Deployment page. Click Settings, select
Single Arm Mode, and click Next.

3. Select the eth0 interface and configure IPv4 address, gateway, and DNS
server for the interface. IPv6 address is also supported in this mode. Then,
click Next. (In this example, the eth0 interface of the unit should be
connected to the switch)

4. Select an available interface as Manage Interface and configure an IPv4
address for the interface (IPv6 address is also supported). The default Manage
interface is eth1, through which users can connect to this unit. After
configuring the Manage interface, click Next.

5. Make sure the network settings are correct. Then, click Commit.

After you click Commit, a dialog box pops up to notify you that applying the
settings requires restarting the device. To apply the changes, click Yes.

3.11.2.1.3 Bridge Mode

In bridge mode, the device is considered a network line with the filtering
function. This mode is usually enabled when the original network structure
cannot be modified. Deploy the device between the original gateway and the
intranet users. You only need to configure the device without modifying the
configurations of the original network or intranet users. The device is invisible
to the original network and intranet users, which is the characteristic of the
bridge mode.

Operating environment 1: The device functions as a bridge with one input
and one output.

Operating environment 2: If Virtual Router Redundancy Protocol (VRRP) or
Hot Standby Router Protocol (HSRP) is enabled on the intranet, the device can
be deployed in multi-bridge mode to implement basic audit control functions
without affecting Active-Standby handovers of the original firewalls. The
following figure shows the two operating environments.

Example: VRRP is enabled between the two firewalls and the switch. The
virtual IP address of the firewalls is 192.168.1.1. The device is deployed
between the switch and firewall as a bridge with two inputs and two outputs.

The procedure is as follows:

1. Configure the device and log in to the device by using the default IP
address. For example, to log in by using the LAN interface, whose default
IP address is 10.251.251.251/24, configure an IP address on this network
segment on the PC and log in to the device by accessing
https://10.251.251.251. The default login username and password are both
admin.

2. In the navigation area, choose System > Network > Deployment. On the
Deployment pane on the right, click Settings. On the page shown in the
following figure, select the bridge mode and click Next.

3. Add a LAN interface and a WAN interface to form a bridge and configure
two bridges. See the following figure.

LAN Interface: Select an internal network interface from LAN Interface.

WAN Interface: Select a WAN interface from WAN Interface.

Bridge: Bridges are defined in Bridge. Data can be forwarded between
interfaces on a bridge and cannot be forwarded between interfaces on
different bridges.

If Enable bridge state propagation is selected, when a network interface on a
bridge changes from connected to disconnected or from disconnected to
connected, the status of the other network interface changes accordingly. This
ensures that the status of the two network interfaces on a bridge is
synchronized and notifies the peer device that the link is faulty or has
returned to normal in a redundancy environment. We recommend that you select
this item.

4. Set the bridge IP addresses. Set two bridge IP addresses for the device. In
this example, the two bridges are on different network segments. Assign
two idle IP addresses as bridge IP addresses.

VLAN data passes through the device. Therefore, VLAN information needs
to be configured, including the VLAN ID, VLAN IP address (an idle IP
address is assigned to each VLAN), and VLAN mask.

Network access data on the intranet will not be affected if no idle IP address is available.
However, in this case, the device has no IP address for communication with the intranet and
external network and some functions will be affected, such as embedded library update,
web authentication, and Ingress. To solve this problem, connect the management interface
to the intranet switch so that the device can communicate with the intranet and external
network. The following will describe the configuration in detail.

When the device operates in bridge mode, the bridge IP address can be empty.

The bridge IP addresses must be on different network segments, and the VLAN
IDs must be unique.

5. Configure the management interface. The management interface is in the
DMZ. Select an idle network interface (not a bridge interface) as the
management interface.

6. Configure the gateway address and DNS address. Configure the default
gateway and DNS address. In this example, two idle IP addresses are
assigned as the bridge IP addresses. The default gateway points to the
virtual IP address of the front-end firewall.

Set a public network IP address assigned by the carrier as the DNS
address. Select Bypass firewall rule to enable the firewall rule that allows
all data between the WAN and the LAN.

7. Confirm the configuration information and click Commit.

Restart the device for the configurations to take effect. In the displayed
dialog box asking for your confirmation, click Yes.

8. Add a user or user group or add a user authentication policy on the
Authentication Policy to avoid Internet access failures caused by the lack of
identity authentication.

9. Connect the device to the network. Specifically, connect WAN1 and WAN2 to
FW1 and FW2, and LAN1 and LAN2 to the intranet switch.

1.When the device operates in bridge mode, the gateway addresses of all PCs on the LAN
do not need to be modified. Retain the internal interface IP address that points to the front-
end device.

2.During data penetration, ensure that the WAN connects to the front-end router and the
LAN connects to the intranet switch. In this way, online behaviors can be monitored and
controlled when data is transmitted from the LAN to the WAN.

4.The bridge mode is implemented at the data link layer (the second layer of the OSI
model). Several network interfaces of the device are bridged, and data at the data link layer
and above passes through transparently. Because the device forwards transparently at the
data link layer, the IP/MAC address binding function and DHCP function enabled on the
original gateway continue to work.

5.The device does not provide the NAT function in bridge mode.

6.The VPN function of the device is unavailable in bridge mode.

7.To enable functions such as antivirus and mail filtering, or to enable the device to
automatically upgrade the URL Database and enable applications to identify the rule library
and antivirus library, you need to configure the bridge IP address, default gateway, and DNS
and ensure that the device can access the external network. To check whether the device
can access the external network, upgrade the console and perform a ping test.

8.If functions that redirect traffic to the device are required, such as web authentication
and Ingress, and the intranet covers multiple network segments, add routes to those intranet
network segments that point to the routing device of the intranet.

9.In bridge mode, the device supports VLAN trunk penetration, and 802.1q-VLAN
addresses can be configured as bridge IP addresses. In other words, the device can be
connected to the VLAN trunk in transparent mode.

3.11.2.1.4 Bypass Mode

In bypass mode, the device performs monitoring and control without modifying
the original network structure or causing network interruption. The device is
connected to the mirrored port of the switch or to a hub to ensure that
Internet access data of intranet users passes through this switch or hub. Both
outbound and inbound data are mirrored, thereby implementing monitoring
and control on Internet access data. In bypass mode, the network will not be
interrupted even if the device breaks down. Typical application scenarios are
shown in the figures below.

Example: The network topology is shown in the following figure. The device is
to be deployed in bypass mode. The customer requires that Internet access
data of all network segments on the intranet is under monitoring, that the
device automatically updates the embedded rule library, that web
authentication is performed for intranet users, and that the device console can
be logged in from the intranet at any time for management.

Based on the customer requirements and network topology, deploy the device
in bypass mode to communicate with both the external network and the
intranet. However, the device cannot access networks over a mirrored port. To
solve this problem, connect the device's management interface (DMZ interface)
to the intranet switch and assign an idle IP address for the device to
communicate with the public network and intranet. Then, connect the DMZ to
the intranet switch.

The procedure is as follows:

1. Configure the device and log in to the device by using the default IP
address. For example, to log in by using the LAN interface, whose default
IP address is 10.251.251.251/24, configure an IP address on this network
segment on the PC and log in to the device by accessing
https://10.251.251.251. The default login username and password are both
admin.

2. In the navigation area, choose System > Network > Deployment. On the
Deployment pane on the right, click Settings. On the page shown in the
following figure, select the bypass mode and click Next.

3. Configure the IP address of the management interface.

4. In bypass mode, the default management interface is eth0, which can be
modified.

IP Address: Enter the IP address assigned to the device's management
interface (DMZ interface). In this example, the DMZ interface needs to be
connected to the intranet switch. Therefore, enter an IP address for
communication with the switch and intranet.

Default Gateway: Enter the IP address of the switch's network interface
connected to the DMZ interface. Enter idle public network IP addresses in
Preferred DNS and Backup DNS.

5. Select a mirrored port and configure the monitoring network segments
and server list.

In Listened IP Address, enter the network segments to be monitored and
the IP addresses to be excluded from monitoring. Enter the network
segment 192.168.1.0/255.255.255.0 here. Access data from this network
segment to other network segments will be monitored, and access data
within this network segment will not be monitored. An excluded network
segment must be entered in the correct format. For example, if you enter
-192.168.1.1-192.168.1.10, data from IP addresses within the range
192.168.1.1-192.168.1.10 accessing other network segments (external
network) will not be monitored.

In Advanced, set the monitoring server list. If an IP address in this list
is accessed, the data will be monitored. For example, a web server exists
on the intranet, and the customer needs to record the data when intranet
users access this web server. Data is not monitored for access within a
network segment. Therefore, add the IP address of this web server to the
monitoring server list.

Some TCP control functions can be implemented in bypass mode based on
the monitoring. In other words, only data that can be monitored can be
controlled.

6. Confirm the configuration information and click Commit.

Restart the device for the configurations to take effect. In the displayed
dialog box asking for your confirmation, click Yes.

1.The bypass mode applies when a hub is used or the switch provides a mirrored port. If the
switch does not have a mirrored port, a hub can be deployed before the switch.

2.In bypass mode, the traffic rankings and active connection rankings are displayed but are
not valid.

3.In bypass mode, TCP control is achieved by sending reset packets through the DMZ
interface. Therefore, ensure that PCs and public network servers can receive the reset
packets sent through the DMZ interface.

4.Many functions cannot be implemented in bypass mode, such as VPN and DHCP
functions.

5.In bypass mode, the device mainly implements the monitoring function, and the control
function is not as comprehensive as in route mode and bridge mode. Only TCP connections
can be restricted, such as URL filtering, keyword filtering, and mail filtering. User Datagram
Protocol (UDP) connections are not restricted, such as P2P connections.

6.In bypass mode, the traffic diagrams are displayed only when the mirrored interface is a
WAN interface. When a WAN interface is connected, there is only received traffic and no
transmitted traffic.
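The following Python script is an added example, not part of the manual or of Sangfor's software, that models how the Listened IP Address rows, the monitoring server list, and the notes above decide what a bypass-mode device can do with one mirrored flow: traffic from a listened segment to another segment is monitored, traffic that stays inside the segment is not unless the destination is in the server list, excluded addresses are never monitored, and control (a TCP reset sent from the DMZ interface) only applies to monitored TCP flows, so UDP traffic such as P2P is at most monitored. The listened and excluded rows are the manual's own example values; the intranet web server 192.168.1.80 and the external address 203.0.113.10 are placeholders invented for this example.

```python
import ipaddress

# Constructed bypass-mode settings using the manual's example rows: listened segment
# 192.168.1.0/255.255.255.0 and excluded range -192.168.1.1-192.168.1.10. The web
# server 192.168.1.80 in the monitoring server list is a placeholder for this example.
LISTENED_ROWS = ["192.168.1.0/255.255.255.0", "-192.168.1.1-192.168.1.10"]
SERVER_LIST = ["192.168.1.80"]


def parse_listened_rows(rows):
    """Split Listened IP Address rows into monitored networks and excluded (start, end) ranges."""
    monitored, excluded = [], []
    for row in rows:
        row = row.strip()
        if row.startswith("-"):
            # "-a-b" excludes the inclusive range a..b from monitoring
            start, end = row[1:].split("-")
            excluded.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
        else:
            # "net/mask" is a segment whose traffic to other segments is monitored
            monitored.append(ipaddress.ip_network(row, strict=False))
    return monitored, excluded


def classify_flow(src, dst, proto, rows=LISTENED_ROWS, servers=SERVER_LIST):
    """Classify one mirrored flow as 'controlled', 'monitored' or 'ignored'.

    'controlled' means the flow is monitored and, being TCP, can also be cut
    with a reset packet sent from the DMZ interface; 'monitored' means it is
    recorded only (UDP, for example P2P); 'ignored' means the device does not
    see it as Internet access data under the configured rows.
    """
    monitored, excluded = parse_listened_rows(rows)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net = next((net for net in monitored if s in net), None)
    if src_net is None:
        return "ignored"  # source is not on a listened segment
    if any(lo.version == s.version and lo <= s <= hi for lo, hi in excluded):
        return "ignored"  # source is explicitly excluded
    if d in src_net and str(d) not in servers:
        return "ignored"  # traffic within the segment, no listed server involved
    return "controlled" if proto.upper() == "TCP" else "monitored"


if __name__ == "__main__":
    for src, dst, proto in [("192.168.1.50", "203.0.113.10", "tcp"),
                            ("192.168.1.50", "203.0.113.10", "udp"),
                            ("192.168.1.5", "203.0.113.10", "tcp"),
                            ("192.168.1.50", "192.168.1.80", "tcp")]:
        print(src, "->", dst, proto, classify_flow(src, dst, proto))
```

The script makes the practical limit of bypass mode explicit: a UDP flow from a listened segment is only ever "monitored", which is why the notes state that P2P traffic cannot be restricted in this mode.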

3.11.2.1.5 Mode switch

When the IAG mode is switched to the authentication mode or the
authentication mode is switched back to the IAG mode, the configuration is
reset to the default. It is recommended that you back up the original
configuration before switching.

The following is the interface after switching to the authentication mode:

Refer to Chapter 3.3, Chapter 3.13, and Chapter 3.6 for the configuration of
modules Real-time Status, System Management, and User Authentication
and Management.

3.11.2.2 Network Interface Configuration

You can configure network interface information on the Interfaces page in
route mode and bridge information in bridge mode.

3.11.2.2.1 Configuring Network Interfaces in Route mode

In the navigation area, choose System Management > Network > Interfaces.
The Interfaces pane is on the right, as shown in the following figure.

Status: Indicates the connection status and MTU of a network interface. The
status icon shows whether the interface is connected or disconnected.

Physical Interface: Indicates the corresponding physical interface on the
device.

Zone: Indicates the logical zone of a network interface. A LAN interface
functions as an intranet interface and therefore needs to be added to the LAN
zone. A WAN interface connects to the external network and needs to be added
to the WAN zone. If multiple WAN interfaces are required, apply for multi-line
authorization. A DMZ interface functions as an intranet interface. Important
servers can be connected to the DMZ, and the firewall settings on the device
can restrict the access of intranet users, thereby ensuring the security of the
servers. For details about firewall settings, see section 3.2.2.

Type: Indicates the type of a network interface, which can be electrical or
optical.

IP Address: Indicates the IP address of a network interface.

MAC Address: Indicates the address of the physical network adapter of a
network interface.

MTU: Indicates the MTU of a network interface, which ranges from 700 to
1800. The MTU must be set to at least 1280 if IPv6 is enabled. Otherwise, the
IPv6 addresses are cleared.

Operating Mode: Indicates the operating mode of the physical
network adapter of a network interface.

Inbound: Indicates the receiving rate of a network interface.

Outbound: Indicates the sending rate of a network interface.

Dialup Log: Indicates the dialup log information about a network interface.

The procedure for configuring a network interface is as follows:

On the Interfaces page, click the name of the physical interface. For example,
to configure eth0 on the LAN, click eth0. The LAN Interface page is displayed,
as shown in the following figure.

An IPv4 or IPv6 address can be configured for the network interface.

In IP Address, enter the ID and IP address of each VLAN. The IP
address assigned to a VLAN must be idle. If VLAN 2 exists and resides
on network segment 10.10.0.0/255.255.0.0, and IP address 10.10.0.1
is not used on the intranet, 2/10.10.0.1/255.255.0.0 can be entered in
the IP address list. Add information about other VLANs (802.1q) one
by one on different rows.

To configure eth2 on the WAN, click eth2, and the WAN Interface
Configuration page is displayed.

If Specified is selected in Address, a fixed IP address assigned by the carrier
can be configured for this network interface, or auto-assign can be enabled,
depending on the actual situation.

In PPPoE, Internet access is implemented through ADSL dialup. The carrier
provides the dialup username and password. Click Advanced and configure
dialup attributes in the displayed dialog box.

We recommend that you set the handshake time to 20, the timeout duration
to 80, and the maximum number of timeouts to 3.

In Line Attribute, configure the outbound and inbound bandwidths.

3.11.2.2.2 Configuring Bridges in Multi-Bridge Mode

In the navigation area, choose System > Network > Network Interface
Configuration. The Interface pane is displayed on the right, as shown in the
following figure.

Status: Indicates the connection status and MTU of a network interface. The
status icon shows whether the interface is connected or disconnected.

Interface: Indicates the corresponding physical interface on the device.

Zone: Indicates the logical interface area: bridge or management interface.

Type: Indicates the type of a network interface, which can be electrical or
optical.

IP Address: Indicates the IP address of a network interface.

MAC Address: Indicates the address of the physical network adapter of a
network interface.

MTU: Indicates the MTU of a network interface, which ranges from 700 to
1800. The MTU must be set to at least 1280 if IPv6 is enabled. Otherwise, the
IPv6 addresses are cleared.

Operating Mode: Indicates the operating mode of the physical network
adapter of a network interface.

Inbound: Indicates the receiving rate of a network interface.

Outbound: Indicates the sending rate of a network interface.

To configure a bridge, click its name. The Bridge Configuration page shown in
the following figure is displayed. To change the IP address of the default
gateway, change it to another IP address on the same segment. Otherwise, you
need to change it on the Deployment page.

An IPv4 or IPv6 address can be configured for the bridge. In IP Address, enter
the ID and IP address of each VLAN. The IP address assigned to a VLAN must
be idle. If VLAN 2 exists and resides on network segment
10.10.0.0/255.255.0.0, and IP address 10.10.0.1 is not used on the intranet,
2/10.10.0.1/255.255.0.0 can be entered in the IP address list. Add information
about other VLANs (802.1q) one by one on different rows.

In bridge mode, you can define the management interface by clicking
Interfaces. On the MANAGE Interface page, set the IP address, which can be an
IPv4 or IPv6 address.

3.11.2.3 High Availability

There are two high availability (HA) modes: Active-Standby and Active-Active. In
Active-Standby mode, two devices interwork with each other over a
communications interface for mutual backup. This mode applies when there are
two lines in Active-Standby mode. The two devices connect to the active and
standby lines. When the active line fails, the standby line and standby device
become active. The configurations on the standby device are the same as those
on the active device.

In Active-Active mode, multiple devices interwork over the communications
interface for synchronizing configurations and user status information. The
devices work at the same time. In this way, when a line fails, the device can
seamlessly switch to another line, ensuring consistency in the policy and user
status. It is similar to the working principle in a VRRP environment. Both modes
aim to ensure network stability. However, they differ in the number of working
devices. In Active-Active mode, multiple devices work at the same time. In Active-
Standby mode, the two devices work in mutual backup mode, and only one
device is online. Choose an HA mode depending on the actual environment.

3.11.2.3.1 Active-Standby Mode


In Active-Standby mode, two devices interwork with each other over an HA
interface for mutual backup. This mode applies when there are two lines in
Active-Standby mode. The two devices connect to the active and standby lines.
When the active line fails, the standby line and standby device become active.
The configurations on the standby device are the same as those on the active
device. The following figure shows the topology.

Active-standby deployment in route mode:


The procedure is as follows:

1. Select the Active-Standby mode and set related parameters. In the
navigation area, choose System > Network > High Availability. See the
following figure.

2. Select Active-Standby and click Settings. The dialog box shown in the
following figure is displayed.

Device Name: Enter a name for distinguishing the current device from the
other.


Priority: Set the priority of the two devices. It is recommended to set the
priority of the active device to High and that of the standby device to Low.

3. Configure the active device.

Primary Link: In Active-Standby mode, you can set two HA links, the Primary
Link and the Secondary Link. The Primary Link is required; the Secondary Link
is optional. The network configuration of the Primary Link and Secondary Link
interfaces is not synchronized. In Active-Standby mode, you can use the DMZ
interface or a network interface that does not belong to any zone.

Shared Secret: Configure a key used by the active device to connect to the
standby device. This key must be the same as that configured for the
standby device.

Tracked Interfaces Groups: Configure the interface groups to be tracked.
Interfaces that are not used by the device do not need to be selected. The
interfaces in an interface group back each other up: the group enters the
fault state only when all interfaces in the group are offline at the same
time.

Alarm Options: Click Alarm Options to go to the email alarm event settings
page and select the high availability event, as shown below:


4. Detection method.

Heartbeat Timeout: Timeout of the heartbeat between the active and standby
devices.

Active unit remains active always while standby unit is failed: Applies to
both ARP detection and ICMP detection. When the standby device is already in
the fault state and the current device has only an ARP detection failure or an
ICMP detection failure, the active device keeps working normally.

ARP detection probes the addresses of the uplink and downlink devices of the
device. If any one of these probes fails, ARP detection fails. For ARP
detection, you can set the detection timeout, the detection recovery interval,
and the detection interval.

ICMP detection mainly probes the connectivity of the specified host IP
addresses or domain names. Multiple probe IP addresses/domain names can be
entered. ICMP detection fails only when the probes of all IP addresses or
domain names fail. For ICMP detection, you can set the detection timeout, the
detection recovery interval, and the detection interval.
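As an added example (not Sangfor code), the following model puts the tracked interface group rule and the detection rules above into executable form, so the outcome for a given set of probe results can be checked; the data structures, the probe names and the treatment of an interface group fault as still forcing a switch are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class InterfaceGroup:
    """One tracked interfaces group; its members back each other up."""
    name: str
    members: Dict[str, bool]  # interface name -> link up?

    def in_fault(self) -> bool:
        # The group enters the fault state only when ALL members are offline.
        return all(not up for up in self.members.values())


@dataclass
class DetectionState:
    """Probe results collected by the active device (constructed model)."""
    arp_results: Dict[str, bool]   # uplink/downlink address -> ARP reply seen?
    icmp_results: Dict[str, bool]  # probe IP or domain name -> ICMP reply seen?
    groups: List[InterfaceGroup] = field(default_factory=list)


def arp_detection_failed(state: DetectionState) -> bool:
    # ARP detection fails as soon as ANY single probed address fails.
    return any(not ok for ok in state.arp_results.values())


def icmp_detection_failed(state: DetectionState) -> bool:
    # ICMP detection fails only when ALL probed IPs/domain names fail.
    return bool(state.icmp_results) and all(
        not ok for ok in state.icmp_results.values())


def any_group_in_fault(state: DetectionState) -> bool:
    return any(g.in_fault() for g in state.groups)


def active_should_fail_over(state: DetectionState, standby_failed: bool,
                            stay_active_when_standby_failed: bool) -> bool:
    """True when the active device should hand the active role to the standby."""
    arp_fail = arp_detection_failed(state)
    icmp_fail = icmp_detection_failed(state)
    group_fail = any_group_in_fault(state)
    if not (arp_fail or icmp_fail or group_fail):
        return False
    # "Active unit remains active always while standby unit is failed": with the
    # standby already in fault and the active device's failures limited to ARP
    # or ICMP detection, the active device keeps working. A tracked interfaces
    # group in fault is assumed here to still force the switch.
    if stay_active_when_standby_failed and standby_failed and not group_fail:
        return False
    return True


# Constructed scenario: one downlink ARP probe failed, one of two ICMP probes
# failed, and the "wan" group still has one member online.
SCENARIO = DetectionState(
    arp_results={"uplink-gw": True, "downlink-switch": False},
    icmp_results={"192.0.2.10": False, "probe.example": True},
    groups=[InterfaceGroup("wan", {"eth1": True, "eth2": False})],
)

if __name__ == "__main__":
    print("ARP failed:", arp_detection_failed(SCENARIO))        # True
    print("ICMP failed:", icmp_detection_failed(SCENARIO))      # False
    print("standby healthy, fail over:",
          active_should_fail_over(SCENARIO, False, True))        # True
    print("standby already failed, fail over:",
          active_should_fail_over(SCENARIO, True, True))         # False
```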


5. Action.

Remove tracking capability from interfaces: This option is not selected by
default. When it is selected and the device enters the standby state, all
interfaces in the tracked interface groups are disabled. This is used to
notify the uplink and downlink devices to switch.

Click Submit and the configuration of the active device is complete.

6. For Active-Standby mode on version 12.0.14 or higher, you can update via
the web or push the updated software version via BBC. Select Accompanied
Update to update the version on both devices without splitting the active
and standby pair.


7. Configuration of the standby device.

After Low is selected as the priority of the standby device, the configuration
method is the same as for the active device. Note that the priority of the
standby device cannot be the same as that of the active device. In Primary
Link of the standby device, enter the address of the active device. For
Detection method and Action, refer to the active device configuration.


8. Connect the active and standby devices according to the physical topology,
and connect the primary link interface of the two devices.

9. Power on the active device first, followed by the standby device. Once both
are operating normally, the configuration of the active device is synchronized
to the standby device through the primary link. After the active-standby pair
is successfully established, the status is as follows:

3.11.2.3.2 Active-Active Mode

The Active-Active mode applies to a VRRP-enabled intranet. Devices on the
intranet work in hot backup and load sharing modes. The deployment of the
devices does not affect the operation and switchover of the original network.
As shown in the following figure, configure multiple SANGFOR IAGs in
Active-Active mode. Ensure that the device can work properly after a VRRP
switchover due to a link fault. In addition, ensure that the device
configuration and user status are consistent with those on the other device.
The following figure shows a typical application scenario.

In Active-Active mode, no physical interface is required if a node device can
route to the control device.

The configuration procedure is as follows:

1. In the navigation area, choose System > Network > High Availability. The
High Availability page is displayed.

2. Select Active-Active and click Settings. The HA mode configuration page is
displayed, as shown in the following figure.

Device Name: Enter a name for distinguishing the current device from the
other.

Role of This Device: Select Controller or Node. If Controller is selected, you
only need to configure a shared key. If Node is selected, you need to
configure the IP address and shared key of the control device. Controller is
selected here.

Shared Secret: Configure a key used by the control device to connect to a
node device. This key must be the same as that configured for the node
device.

Alarm Options: Click Alarm Options to go to the email alarm event settings
page and select the high availability event, as shown below:


3. Set another device as a node device. The configuration page is shown as
follows.

Host IP: Enter the IP address of the control device.

Shared Secret: Configure a key used by the control device to connect to a
node device. This key must be the same as that configured for the control
device.

After configuration, the page showing the information about the online
device is displayed.


The Controller can synchronize the configuration: click Sync Now, and the
device sends a synchronization signal to perform device configuration
synchronization and information synchronization. The status of all nodes is
displayed under Online Node, which lists all online nodes.

The configurations on the node device cannot be modified and can only be
synchronized from the control device.

The precautions for configuring an HA mode are as follows:

1. In Active-Standby mode, the two devices need to be connected using a heartbeat cable
instead of a serial cable. Therefore, the deployment mode needs to be adjusted. A direct
upgrade is not supported by default.

2. In Active-Standby mode, if the HA interface of the standby device is connected, the
connection will fail. During connection, an error message indicating the failure reasons will
be displayed.

3. In Active-Standby mode, a DMZ interface or a network interface that does not belong to
any zone can be used. The network configuration of the HA interface will not be
synchronized. If a DMZ interface is configured as the HA interface, the network
configuration of the DMZ interface will not be synchronized either.


4. In Active-Active mode, the status of online users is synchronized in real-time. In other
words, if a new user is authenticated, the user status will be immediately synchronized.
However, the online status of users (only the IP address and MAC address are bound) that
do not require authentication will not be synchronized.

5. The Active-Active mode is mutually exclusive with an Ingress policy or the security
desktop. If an Ingress policy or security desktop policy is configured, the Active-Active mode
cannot be enabled.

6. In Active-Active mode, no physical interface is required if a node device can route to the
control device.

7. After a device is added to an Active-Active or Active-Standby group, it does not need to
restart.

8. A device supports only Active-Active in bridge mode and Active-Active and Active-Standby
in route mode. If Active-Standby is used in bridge mode, an upgrade cannot be performed,
and a message will be displayed, prompting the customer to change the HA mode to Active-
Active.

High availability support in various modes is as follows:

SPs can be synchronized by default, but those with a special mark cannot. For
KBs and custom devices, synchronization is supported if the installed patch
packages are the same (insensitive to the sequence). New configurations of
custom devices also support synchronization.

If the R versions are inconsistent, synchronization is not supported.

The description of the HA indicators status is as follows:


                Active-Standby                        Active-Active
                Active Device     Standby Device      Control Device    Node Device

Disconnected    Off               Off                 Off               Off

Connected       Steady green      Blinking at 1 Hz    Steady green      Blinking at 1 Hz

Table 7: HA comparison table

If the active or control device is disconnected, the HA indicator stays on
(indicating an abnormal status).

3.11.2.4 Static Routes

On the Static Routes pane, you can set static routing policies. When the device
needs to communicate with IP addresses on different network segments, static
routes must be configured. IPv4 and IPv6 static routes can be added.

In the navigation area, choose System > Network > Static Route. The Static
Route pane is displayed on the right, as shown in the following figure.

The following describes an application scenario of IPv4 static routes.

The device functions as a gateway in route mode on the customer's network.
The IP address of the LAN interface is 192.168.1.12/255.255.255.0, and PCs on
the intranet are on network segment 192.168.2.0/255.255.255.0. An L3 switch is
deployed between the PCs on the intranet and the device. When a PC on the
intranet accesses the Internet, the data is forwarded to the device by the L3
switch. However, when the device forwards data back to the PC, it does not
know where to send it, because the PC's IP address is on a network segment
different from that of the LAN interface. As a result, Internet access fails.

To solve this problem, a static route needs to be set for forwarding the data
destined for network segments on the intranet to the L3 switch, and the L3
switch will forward the data to corresponding PCs on the intranet.


Click Add. The Static Route page is displayed.

Destination: Destination network ID.

Subnet Mask: Subnet mask of the target network.

Next-Hop IP: Next-hop IP address to the target network.

Interface: Interface through which data is forwarded.

Do not enter the IP address of the device's own network interface as the next-hop IP address.


Click Routing Table to display all system routes, including IPv4 and IPv6
routes.

The device does not support dynamic routing protocols. You need to configure routes on
the Static Route page.
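As an added example (not Sangfor code), the following longest-prefix-match lookup reproduces the scenario above: without the static route, a reply to 192.168.2.x leaves through the default route, and with it the reply goes to the L3 switch; it also checks the next-hop rule from the note. The WAN address, the default gateway, the L3 switch address 192.168.1.254 and the helper names are assumptions not given in the manual.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Interface(NamedTuple):
    name: str
    address: ipaddress.IPv4Interface  # interface address with its mask


class StaticRoute(NamedTuple):
    destination: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: str


def make_route(dest: str, next_hop: str, iface: str) -> StaticRoute:
    """Build a route from the Destination/Subnet Mask, Next-Hop IP and Interface fields."""
    return StaticRoute(ipaddress.IPv4Network(dest),
                       ipaddress.IPv4Address(next_hop), iface)


# Constructed device state. The LAN address is the one from the scenario; the
# WAN address 203.0.113.2/30 and its gateway are documentation-range placeholders.
INTERFACES = [
    Interface("LAN", ipaddress.IPv4Interface("192.168.1.12/255.255.255.0")),
    Interface("WAN", ipaddress.IPv4Interface("203.0.113.2/255.255.255.252")),
]
DEFAULT_ROUTE = make_route("0.0.0.0/0", "203.0.113.1", "WAN")
# Assumed address of the L3 switch on the LAN segment (not given in the manual).
INTRANET_ROUTE = make_route("192.168.2.0/255.255.255.0", "192.168.1.254", "LAN")


def validate_route(route: StaticRoute, interfaces: List[Interface]) -> Optional[str]:
    """Return a reason the route is rejected, or None if it is acceptable."""
    iface = next((i for i in interfaces if i.name == route.interface), None)
    if iface is None:
        return f"unknown interface {route.interface}"
    # The manual's note: never use the device's own interface IP as next hop.
    if any(route.next_hop == i.address.ip for i in interfaces):
        return "next hop must not be one of the device's own interface addresses"
    # A next hop has to be directly reachable on the selected interface's segment.
    if route.next_hop not in iface.address.network:
        return f"next hop {route.next_hop} is not on {iface.address.network}"
    return None


def lookup(dst: str, interfaces: List[Interface],
           routes: List[StaticRoute]) -> Tuple[Optional[str], str]:
    """Longest-prefix match over connected segments and static routes.

    Returns (next_hop, interface); next_hop is None when the destination is
    directly connected.
    """
    addr = ipaddress.IPv4Address(dst)
    best = None  # (prefixlen, next_hop, interface)
    for i in interfaces:
        if addr in i.address.network:
            cand = (i.address.network.prefixlen, None, i.name)
            if best is None or cand[0] > best[0]:
                best = cand
    for r in routes:
        if addr in r.destination:
            cand = (r.destination.prefixlen, str(r.next_hop), r.interface)
            if best is None or cand[0] > best[0]:
                best = cand
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


if __name__ == "__main__":
    # Without the intranet route, a reply to 192.168.2.10 is sent to the WAN.
    print(lookup("192.168.2.10", INTERFACES, [DEFAULT_ROUTE]))
    # With it, the reply goes to the L3 switch on the LAN interface.
    print(lookup("192.168.2.10", INTERFACES, [DEFAULT_ROUTE, INTRANET_ROUTE]))
    print(validate_route(make_route("192.168.2.0/24", "192.168.1.12", "LAN"), INTERFACES))
```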

3.11.2.5 Dynamic Routing

The OSPF page enables and configures the OSPF dynamic routing protocol on IAG
devices, including network configuration, interface configuration, parameter
configuration, information display, debugging options, etc. These devices
support IPv4 OSPF. It is shown in the figure below:


Select Enable OSPF to enable it. The following prompt is displayed:

Click Yes to save the configuration.

Configure Virtual Link: When the area where the IAG device is located is not
adjacent to the OSPF backbone area, a virtual link needs to be enabled and
configured. Click Set Virtual Link to open the following page:

Check Enable to enable the virtual link.


Area ID: Enter the ID of the backbone area.

Router ID: Enter the router ID of the peer router with which the virtual link
is established.

Timer: Set the Hello packet interval, retransmission interval, transmission
delay, and dead time, in seconds.

Hello Time: The interval at which Hello packets are sent, with a default value
of 10s.

Retransmit Interval: The interval for retransmitting link-state messages to
adjacencies on the interface, with a default value of 10s.

Delay: The estimated time to transmit a link-state update packet, with a
default value of 5s.

Dead Time: If the Hello message has not been received after the dead time,
the OSPF neighbor is considered unreachable, and it is generally set to 4 times
the Hello interval, with a default value of 40s.

Encryption: Set the authentication method for OSPF packets: plaintext, MD5, or
no authentication.

Password: The password used for packet authentication.

Click Commit to save the configuration.

Click Advanced Settings to set up the route redistribution and NBMA neighbor
configuration, as shown in the following figure:


3.11.2.6 HOSTS

The HOSTS file is a built-in hosts file on the device, containing the mappings
between IP addresses and domain names/host names.

Navigate to the System > Network > Hosts page, as shown below:

To add a new Host entry, click Add and specify the fields on the following page.


IP Address: Specifies the IP address that a host name is mapped to.

Host Name: Specifies the corresponding host name.

3.11.2.7 GRE Tunnel

GRE Tunnel: Used to configure GRE tunnels, supporting GRE over IP, GRE over
OSPF, and GRE over IPSec VPN. The settings page is shown below:

Click Add to show the GRE tunnel adding page as follows:


Tunnel Alias: A customizable alias for the tunnel interface number.

IP Address: The IP address of the new tunnel. The network segment of this IP
address is the network segment on which OSPF runs.

Zone: The zone where the outbound interface is located; you can select the LAN
zone or the WAN zone.

Src Address: The actual public network address of the outbound interface at
the local (source) end.

Dst Address: The actual public network address of the inbound interface at
the peer (destination) end.

GRE Key: Shared key, which must be the same at both ends.

Advanced: Set MTU value, message check, and link-state check, shown as
follows:

Click Commit to finish GRE tunnel settings.

3.11.2.8 Open Ports on WAN Interface

In System > Network Configuration > Advanced, the Open Ports on WAN Interface
page is added. By adding, deleting, enabling, and disabling ports, access to
the device through the WAN interface can be effectively controlled, so that
customer service staff can quickly enable or disable access on the WAN
interface.


By default, four commonly used ports are provided and closed. To open a port,
click the Disable button so that it switches to a green Enable button. Finally,
click Commit to save the changes.

To add a custom port, click Add and enter the port number and description.

After submission, the port is open.


3.11.2.9 DHCP

DHCP is a service for automatically assigning IP addresses to PCs on the intranet.
It is available only when the device works in route mode. Choose System >
Network > DHCP. The device can assign IP addresses to PCs connecting to the
LAN and DMZ interfaces. The DHCP service needs to be configured separately
for the two network interfaces.

For example, the device in route mode acts as a gateway for implementing
Internet access for intranet users. Intranet users are connected to the LAN
interface, whose IP address is 192.168.1.1. A total of 100 PCs on the intranet
need to be assigned IP addresses. The IP address pool is 192.168.1.100 to
192.168.1.199. The PC of the manager needs to be assigned the fixed IP address
192.168.1.100.


1. Enable the DHCP service.

2. In Interface, select an interface for which DHCP is to be enabled. Select
the LAN interface here. Set the lease duration and DHCP network
parameters.

In Lease, set the usage time of the assigned IP address.

In Options, set the gateway address, DNS addresses, and WINS addresses.

3. In DHCP IP Address Pool, set a range of IP addresses available for
automatic assignment.

4. Click Reserved IP Addresses and set a reserved IP address. A fixed IP
address is then assigned to the PC according to its MAC address.


Click Add and enter the name, fixed IP address, MAC address, and
hostname in the dialog box.

To view the DHCP operating status and IP address assignment status, choose Status >
DHCP Status > Status in the navigation area.

3.11.2.10 Protocol Extension

In some network environments, packets are encapsulated using a series of
special protocols such as PPPoE and Multiprotocol Label Switching (MPLS).
Compared with common IP packets, these protocol packets are added with a
specific header so that common devices with the protocol analysis function
cannot parse these packets.

The SANGFOR IAG peels off the special protocol headers, analyzes these
packets' characteristics and matches the packets with embedded special
protocol rules. Then the device can authenticate, audit, and control the raw
data.

Currently, the SANGFOR IAG can peel off packet headers of the following
protocols: VLAN, MPLS, PPPoE, L2TP, LWAPP, CAPWAP, WLTP, and user-defined
protocols.


Example: A PC needs to connect to the PPPoE server through dialup and
access the Internet after authentication. The SANGFOR IAG is deployed in
bridge mode between the PC and the PPPoE server and needs to audit and
control the online behaviors of the PC.

The procedure is as follows:

In the navigation area, choose System > Network > Protocol Extension. The
Network Protocol Extension pane is on the right, as shown in the following
figure.

In Protocols, select PPPoE de-encapsulation and click Commit to enable PPPoE
de-encapsulation. After the corresponding audit and control policies are
configured, the IAG can audit and control the PC that accesses the network
through PPPoE dialup.


If packets of a special protocol not in the protocol de-encapsulation list exist,
select Custom Protocol Stripping and define the de-encapsulation of this type
of packet. In Ethernet Header, specify the start position and characteristics of
the header in the entire packet (including the Ethernet header). In IP Header
Start Position, specify the start position of an IP header after the packet is
encapsulated using this special protocol.

If the special protocol is in the protocol de-encapsulation list but does not use
the default port for communication, for example, L2TP does not use the
default port 1701 for communication, double-click the protocol rule and edit
port information. The information about ports can be separated by a comma
(,).

If multiple special protocols in the protocol de-encapsulation list exist, select
the corresponding protocol rules.

1. Protocol de-encapsulation is not supported in route mode.

2. Protocol de-encapsulation is supported in bridge mode. Data can be authenticated,
audited, and controlled after protocol de-encapsulation. Some functions are unavailable in
special environments, such as:

• Web authentication, Ingress authentication, rejection page, and intelligent reminder
page that involve redirection.

• SSL content identification.

• MSN file transfer control.

• Kerberos authentication or SSO.

• Mail filtering and gateway virus removal that involves a proxy.

3. Protocol de-encapsulation is supported in bypass mode. After protocol de-encapsulation
is enabled, automatic authentication and audit are supported, and control is not supported.

4. In an environment with protocol de-encapsulation enabled, you cannot use a computer
name or MAC address as the username or bind a MAC address.

5. Some data may have two IP headers after being encapsulated by a special protocol such
as L2TP. After protocol de-encapsulation, the outer IP header (lower layer) is peeled off.
Therefore, authentication, audit, and control are performed based on the inner IP header
(upper layer). The Internet access policies of the device should not block the communication
that is performed based on the outer IP header.

6. By default, the device supports the de-encapsulation of single-layer 802.1q VLAN headers
regardless of whether protocol de-encapsulation is enabled. If 802.1q is used together with
other protocols, such as PPPoE, both VLAN (Q-in-Q) de-encapsulation and PPPoE
de-encapsulation need to be selected.

7. After protocol de-encapsulation is enabled, protocol data cannot be compressed or
encrypted.
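As an added example (not Sangfor code), the routine below locates the inner IP header behind a single 802.1q tag (always stripped, as in note 6), a second Q-in-Q tag and a PPPoE session header (only when enabled), and a user-defined rule modelled on the Ethernet Header and IP Header Start Position fields. The frames, the rule, the 0x88B5 signature and the function names are constructed assumptions, and the L2TP double-IP-header case of note 5 is not covered.

```python
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Optional, Set

ETH_IPV4, ETH_VLAN, ETH_QINQ, ETH_PPPOE_SESSION = 0x0800, 0x8100, 0x88A8, 0x8864
PPP_IPV4 = 0x0021


class CustomRule(NamedTuple):
    """User-defined stripping rule: header signature and resulting IP offset."""
    match_offset: int      # where in the frame the special header signature sits
    match_bytes: bytes     # signature of the special header (Ethernet Header)
    ip_header_start: int   # absolute offset of the IP header (IP Header Start Position)


def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero; not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def strip_headers(frame: bytes, enabled: Set[str],
                  custom: Optional[List[CustomRule]] = None) -> Optional[Dict]:
    """Return {'ip_offset', 'vlans', 'src', 'dst'} or None if not de-encapsulable."""
    off, vlans = 12, []  # the EtherType follows the two 6-byte MAC addresses
    while True:
        if off + 2 > len(frame):
            return None
        etype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if etype == ETH_IPV4:
            break
        if etype in (ETH_VLAN, ETH_QINQ):
            # A single 802.1q tag is always stripped; a second tag needs Q-in-Q.
            if vlans and "qinq" not in enabled:
                return None
            tci = struct.unpack_from("!H", frame, off)[0]
            vlans.append(tci & 0x0FFF)
            off += 2
            continue
        if etype == ETH_PPPOE_SESSION and "pppoe" in enabled:
            # 6-byte PPPoE session header, then the 2-byte PPP protocol field.
            ppp_proto = struct.unpack_from("!H", frame, off + 6)[0]
            if ppp_proto != PPP_IPV4:
                return None
            off += 8
            break
        # Unknown special protocol: fall back to user-defined stripping rules.
        for rule in custom or []:
            end = rule.match_offset + len(rule.match_bytes)
            if frame[rule.match_offset:end] == rule.match_bytes:
                off = rule.ip_header_start
                break
        else:
            return None
        break
    if off + 20 > len(frame) or frame[off] >> 4 != 4:
        return None
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    return {"ip_offset": off, "vlans": vlans,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


# Constructed frames (dst MAC + src MAC, then the encapsulation under test).
MACS = bytes.fromhex("0011223344550066778899aa")
IP = ipv4_header("10.10.0.5", "192.0.2.1")
PLAIN_FRAME = MACS + struct.pack("!H", ETH_IPV4) + IP
VLAN_FRAME = MACS + struct.pack("!HH", ETH_VLAN, 2) + struct.pack("!H", ETH_IPV4) + IP
QINQ_PPPOE_FRAME = (MACS + struct.pack("!HH", ETH_QINQ, 100)
                    + struct.pack("!HH", ETH_VLAN, 2)
                    + struct.pack("!H", ETH_PPPOE_SESSION)
                    + bytes([0x11, 0x00]) + struct.pack("!HH", 1, 22)  # PPPoE session hdr
                    + struct.pack("!H", PPP_IPV4) + IP)
# Hypothetical 4-byte proprietary header behind EtherType 0x88B5 (local experimental).
CUSTOM_FRAME = MACS + struct.pack("!H", 0x88B5) + b"\xAA\xBB\xCC\xDD" + IP
CUSTOM_RULE = CustomRule(match_offset=12, match_bytes=b"\x88\xB5", ip_header_start=18)

if __name__ == "__main__":
    print(strip_headers(PLAIN_FRAME, set()))                        # ip_offset 14
    print(strip_headers(VLAN_FRAME, set()))                         # ip_offset 18, vlans [2]
    print(strip_headers(QINQ_PPPOE_FRAME, {"pppoe"}))               # None: Q-in-Q not enabled
    print(strip_headers(QINQ_PPPOE_FRAME, {"qinq", "pppoe"}))       # ip_offset 30
    print(strip_headers(CUSTOM_FRAME, set(), [CUSTOM_RULE]))        # ip_offset 18
```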

3.11.2.11 Optical Bypass Module

When a power failure occurs, the device restarts due to a breakdown, or a
network interface becomes abnormal, the device will stop processing data and
switch to an optical bypass module. The optical bypass module configuration
page is displayed only in bridge mode, as shown in the following figure.

Select Enable External Optical Bypass module to enable the optical bypass
module. Next, an optical bypass switch needs to be connected.

Before enabling the optical bypass module for the first time, connect an optical bypass
switch.

A message is then displayed, asking you to restart the device.

In Type, select optical bypass. Currently, only domestic bypass switches are
supported. See the following figure.


Click Add Optical Bypass Module to add an optical bypass module. In the Add
Optical Bypass Module dialog box, set Optical Module ID and Bridge. In Optical
Module ID, enter the module ID on the bypass switch. See the following figure.

3.11.3 VPN Configuration

3.11.3.1 DLAN Operating Status

You can view the information about the current VPN connections and network
traffic on this page. See the following figure.

You can click Tunnel NAT State and query the tunnel NAT status.

You can click Refresh to refresh the current page after VPN status changes.

You can click Display Options and select options from the list. All the options
are selected by default.


You can click Start Service to start the VPN service. You can click Stop Service
to stop the VPN service.

3.11.3.2 Multi-line Options

If multiple WAN port lines are used, they must be set through Multi-line
Options. You can add, delete, and modify the line information and modify the
SDWAN path selection policy.

When the device has multiple WAN ports and multiple lines are enabled, select
Enabled and add the lines.

Click Add to add a line. The following dialog box is displayed:


The Use static Internet IP address option should be set according to the
actual situation. It is not necessary if the line uses a dynamic IP address.

1. When the line type is Ethernet, you must fill in Test DNS, and the filled DNS address
must be a normal public network DNS address. If it is an ADSL dial-up line, it can be left
blank.

2. The Bandwidth Preset item should be filled with the bandwidth parameters according
to the actual situation of the line.

Click Advanced on the Multi-line Options page. The Multiline Advanced Settings page
is displayed as follows:


Check Enable DNS detection to enable the status detection for multi-lines.

Interval (1-120): Set the interval of DNS detection for multi-line status detection. This
setting takes effect only when DNS detection is enabled.

3.11.3.3 SDWAN Path Selection

The SDWAN function is an upgrade of the original SANGFOR VPN multi-line
feature. It adds QoE identification, which classifies services onto the
specified link according to link quality, supports directing designated key
services over a designated line, or selects the optimal line according to link
quality.

Main SDWAN functions:

1. Identify applications based on LAN services.

Three routing modes are supported. If the peer device has no routing, the path
is wan1-wan1 by default. Otherwise, the optimal path is preferred (if the line
label is not configured, it is processed as wan1-wan1 by the same ISP).

a) Specified path: Select a path according to the LAN service. It is often used
in video conferencing services or some services that have some
requirement for lines.

b) Residual bandwidth load: The connection is allocated according to the
idle bandwidth ratio of the real-time line. It is often used for file
uploading or downloading service and services with fewer requirements
for line quality.

c) Prioritize the top-quality line: Select the top-quality line based on the real-
time quality of the line. It is often used for services that have high
requirements for line quality.

2. In case of a line fault, the line switches within 1 s, without disconnecting
the service.

3. Traffic-control priority function (five levels: Highest, High, Medium, Low,
Lowest). Bandwidth is guaranteed for the service with the higher priority.

4. Fully-loaded line switching function. If a line is fully loaded, traffic
automatically switches to another line.

Before configuring SDWAN Path Selection, you have to complete the Multi-line
Options first.

The default Global line selection policy cannot be deleted. Add a new
SDWAN Path Selection policy:

Name: The name of the policy, which can be customized so that it is easy to
remember and understand.

LAN Service: Select the LAN service that activates the line.


Mode: Select Specified or Multiline Options.

3.11.3.3.1 Specified Path

The preferred path is used first. If the preferred path is busy or fails, the
next path after it is tried.

For example, the headquarters and branches have the specified link and VPN
link. The video conference will select the specified path while other services will
use VPN paths.

If Line 1 is the static Internet IP line and Line 2 is the specified path, the
device's wan1 and wan2 correspond to Line 1 and Line 2.

1. VPN connection is set up between the headquarters and branches.

2. Add a video conference service in Advanced > Edit LAN Service.

3. Add the OTHERS use VPN service under Advanced > Edit LAN Service, and
select all services.


4. Select the Specified for path selection mode. Select the Line 1 for VPN
Path. Next, select the OTHERS use VPN.


5. Create an SDWAN policy named Video. Select Video for LAN Service,
Specified for Mode, and the specified path.

6. Make sure that the Video SDWAN path selection policy is shown on the page.

In this way, the branch can use the specified path to have a video
conference with the headquarters through the VPN. Others in the VPN
tunnel go through the Internet line so that the video conference traffic is
guaranteed.

Notes on path selection:

1. Paths of the same ISP are chosen preferentially.

2. If all the specified paths are busy or fail, the optimal one is chosen from the remaining
lines.
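As an added example (not Sangfor code), the following simplified model implements the three path selection modes listed above (Specified with fallback to the next path, residual-bandwidth load sharing, and prefer-the-optimal-line) together with the two notes on path selection; the quality score, the 90% busy threshold, the Unicom label and all line figures are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Line:
    name: str            # e.g. "wan1"
    isp: str             # line label used for the same-ISP preference (note 1)
    up: bool
    bandwidth_kbps: int  # Bandwidth Preset
    used_kbps: int       # current real-time usage
    latency_ms: float
    loss_pct: float

    @property
    def idle_kbps(self) -> int:
        return max(self.bandwidth_kbps - self.used_kbps, 0)

    def busy(self, threshold: float = 0.9) -> bool:
        # Assumed rule: a line counts as fully loaded above 90% utilisation.
        return self.used_kbps >= threshold * self.bandwidth_kbps

    def quality(self) -> float:
        # Assumed score, lower is better: latency plus a heavy loss penalty.
        return self.latency_ms + 100.0 * self.loss_pct


def usable(lines: List[Line]) -> List[Line]:
    """Lines that are up and not fully loaded (fault and full-load switching)."""
    return [l for l in lines if l.up and not l.busy()]


def best_quality(lines: List[Line], prefer_isp: Optional[str] = None) -> Optional[Line]:
    """Prioritize the top-quality line, preferring paths of the same ISP (note 1)."""
    cands = usable(lines)
    if not cands:
        return None
    same_isp = [l for l in cands if l.isp == prefer_isp]
    return min(same_isp or cands, key=lambda l: l.quality())


def select_specified(lines: List[Line], preferred: List[str]) -> Optional[Line]:
    """Specified mode: walk the preferred paths in order; if all are busy or
    failed, take the optimal line among the remaining ones (note 2)."""
    by_name = {l.name: l for l in lines}
    for name in preferred:
        line = by_name.get(name)
        if line is not None and line.up and not line.busy():
            return line
    remaining = [l for l in lines if l.name not in preferred]
    first_isp = by_name[preferred[0]].isp if preferred and preferred[0] in by_name else None
    return best_quality(remaining, prefer_isp=first_isp)


def select_by_residual_bandwidth(lines: List[Line], connections: int) -> Dict[str, int]:
    """Residual-bandwidth load: split new connections by idle-bandwidth ratio."""
    cands = usable(lines)
    total_idle = sum(l.idle_kbps for l in cands)
    if total_idle == 0:
        return {}
    shares = {l.name: (l.idle_kbps * connections) // total_idle for l in cands}
    # Hand the integer-division remainder to the line with the most idle bandwidth.
    top = max(cands, key=lambda l: l.idle_kbps).name
    shares[top] += connections - sum(shares.values())
    return shares


# Constructed branch lines: wan3 (a second Telecom line) is almost saturated.
LINES = [
    Line("wan1", "Telecom", True, 10_000, 2_000, 20.0, 0.0),
    Line("wan2", "Unicom", True, 20_000, 4_000, 30.0, 0.5),
    Line("wan3", "Telecom", True, 5_000, 4_800, 15.0, 0.0),
]

if __name__ == "__main__":
    print(select_specified(LINES, ["wan3", "wan1"]).name)       # wan1 (wan3 is busy)
    print(select_specified(LINES, ["wan3"]).name)               # wan1 (same ISP preferred)
    print(best_quality(LINES).name)                             # wan1
    print(select_by_residual_bandwidth(LINES, 12))              # {'wan1': 4, 'wan2': 8}
```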


3.11.3.3.2 Multi-line Load

3.11.3.3.2.1 Load Based on Residual Bandwidth Ratio

The headquarters and the branch have two VPN links. The branch accesses the
headquarters' service according to the dynamic loads based on the residual
bandwidth.

1. Create an SDWAN policy: select All Services for the service, Multiline
Options for the mode, the two lines of the branch for the load path, and
Based on bandwidth ratio for the LB mode.

1. On checking, the flow rate displayed in the VPN detailed connection information is
lower than the configured bandwidth, because the VPN traffic is encrypted and the data
packets carry an added VPN header.


2. The current version does not display the status of each connection line in the foreground.
The tool cannot control the flow rate of each TCP connection, so it can only be seen in the
foreground that the two lines are fully loaded.

3. It only supports multi-connection load, not single-connection load.

3.11.3.3.2.2 Path Selection Based on Link Quality

The headquarters and the branch have two VPN links. The branch accesses the
services of headquarters according to the path selection based on the link
quality.

1. Create an SDWAN policy: select All Services for the service, Multiline
Options for the mode, the two lines of the branch for the load path, and
Prefer the optimal path for the LB mode.

1. The delay statistics in the detailed connection information of a line have an error of less
than 5 ms. Out-of-order packets are counted into the packet loss rate, so sometimes a packet
loss rate value is displayed although no packets were lost, which may be due to out-of-order
packets.

2. When the link quality changes, existing connections do not perform path selection again;
only newly established connections perform path selection.

3.11.3.2.3 Service Priority

Under SDWAN Path Selection, service priority has five levels: Highest, High, Medium, Low, and Lowest. SDWAN uses the service priority to apply traffic control (QoS priority) to data.

Usage scenario: the headquarters and the branch have two VPN links, ISP1 and ISP2. Normally the branch accesses headquarters services with dynamic load balancing based on residual bandwidth; when a video conference needs bandwidth, its traffic must be guaranteed first.

1. Add a video conference service in Advanced > Edit LAN Service.

2. Add the OTHERS use VPN entry under Advanced > Edit LAN Service, and select All Services for LAN Service.

3. Create an SDWAN policy named OTHERS use VPN, select the current branch, and select All Services for LAN Service, Multiline Options for the mode, the two lines of the branch for the load path, Based on bandwidth ratio for the LB mode, and Low for Service Priority.

4. Create an SDWAN policy named Video, select the current branch, and select Video for LAN Service, Specified for the mode, Telecom for the line, and Highest for Service Priority.


3.11.3.4 Basic Settings

Set the Web agent information, the MTU of VPN data, the minimum compression size, the VPN listening port, the VPN connection mode, broadcast packet handling, and the performance parameters needed to configure VPN connections.

Web agent refers to the address of the dynamic IP addressing file on a web server, and includes an active Web agent address and a standby Web agent address. See the following figure.

If dynamic addressing is used (the headquarters does not have a fixed IP address), enter the WebAgent web address (usually ending in .php). After entering the WebAgent, click Test to check whether it can be reached. If the headquarters has a fixed IP address, enter the address in IP address:port format, for example 202.96.134.133:4009.


Click Modify Password to set the WebAgent password; this prevents unauthorized users from hijacking the WebAgent to publish a false IP address. Then click Shared Key to set the shared key, which prevents unauthorized devices from connecting. After that, you can click to view the shared key. The login key is the administrator's password.

If a WebAgent password is set, it cannot be recovered once lost; you have to contact Sangfor customer service to regenerate a file without the WebAgent password and replace the original file. If a Shared Key is set, VPN sites cannot interconnect until all of them are configured with the same Shared Key. With multiple lines and fixed IP addresses, the WebAgent can be entered in the format IP1#IP2:Port.

MTU Value (224-2000) sets the maximum MTU of VPN data. The default value is 500.

Min Compression Value (99-5000) sets the minimum packet size at which VPN data is compressed. The default value is 100.

VPN Listening Port (Default: 4009) sets the listening port of the VPN service. The default value is 4009; change it as required.

Modify MSS sets the maximum segment size of VPN data in UDP mode.


Generally, the default values of MTU Value, Min Compression Value, and Modify MSS are recommended. If you need to change them, contact Sangfor technical support for help.

Directly connects to Internet and Indirect connects to Internet set the type of connection between the gateway and the Internet. If the gateway has a reachable Internet IP address, or port mapping can be set up so that Internet users can reach the gateway's VPN port, select Directly connects to Internet. Otherwise, select Indirect connects to Internet.

Click Advanced. The window shown in the following figure is displayed.

Threads: sets the maximum number of VPN connections to the device. The default value is 20, and a maximum of 1280 is allowed. If you need to change the value, contact Sangfor technical support for help.

Broadcast: specifies whether broadcast packets are forwarded through VPN channels. Only broadcast packets for the specified ports are forwarded, to prevent broadcast storms at both ends of the VPN. Applications such as My Network Places and IPMSG require broadcast packets.

Multicast Service: specifies whether multicast packets are forwarded through VPN channels. Some video applications require multicast packets.

After setting the parameters, click Save.

3.11.3.5 User Management

Manage VPN account information: set the usernames and passwords that can be used to connect to the VPN, and specify whether hardware authentication or DKEY authentication is enabled.

Select whether to use virtual IP addresses, set the account encryption algorithm and account validity period, assign intranet permissions to accounts, group users, and set common attributes for group members. See the following figure.

When you click Detect USB-Key, the system checks whether the computer used to log in to the gateway console has a USB key connected. If no USB key driver is installed, it asks whether to download the driver. Click Download USB Key Driver to download the driver and then install it.

Before generating a USB key, you must install the USB key driver; otherwise the computer cannot recognize the USB key hardware. To prevent installation failures caused by program conflicts, exit third-party antivirus and firewall software during driver installation, and re-enable it as soon as the installation is complete.

Enter a username or user group name and click Search to find the user or user group, then edit it. A found user is highlighted. See the following figure.

Click Advanced Search to set filters. You can select fuzzy username matching (if it is not selected, an exact keyword match is used; separate keywords with commas). The filters cover user group, group attribute (unlimited, enabled, or disabled), status (unlimited, enabled, or disabled), type (unlimited, mobile, or branch), DKEY status (unlimited, enabled, or disabled), and user idle duration (unlimited, one year, one month, one week, or user-defined). See the following figure.

Click Search to run the search, or Cancel to discard the filters.

You can click Delete to delete selected users.

You can click New User to set account information, including the
username, password, description, algorithm, and type. See the
following figure.


Username: define the username. If the authentication method is certificate authentication, the username must be the same as the "Issued to" field of the site certificate.

Password: set a password.

Confirm Password: make sure that the password is entered correctly.

Description: add a description of the new user to facilitate management.

Authentication: set the user authentication type: local authentication (i.e., hardware device authentication), LDAP authentication, RADIUS authentication, or certificate authentication.

Before using RADIUS or LDAP authentication, configure the authentication server under LDAP Authentication or Radius Authentication.

Algorithm: select from DES, 3DES, AES, SANGFOR_DES, AES192, and AES256. Both peers must use the same algorithm. DES and 3DES are no longer considered secure; choose AES, AES192, or AES256 unless the peer cannot support them.

User Type: Specifies the type of user.

Inherit Group Attributes: groups users. If you select this option, the User Group settings become active, and you can add the user to a user group so that the user takes the common attributes of the group.

Add a user group before using Inherit Group Attributes. After a user is added to a group, the Algorithm, Enable My Network Places, Permission Settings, and Advanced parameters cannot be set individually for that user.

Enable Hardware Authentication: enables certificate authentication based on hardware features. After selecting it, select the certificate file (*.id) corresponding to the user.

Enable DKEY: specifies whether DKEY authentication is enabled for mobile users. If it is selected, connect the DKEY to a USB port of the computer and click Generate DKEY.

Enable Virtual IP Address: assigns a virtual IP address to a mobile user. If Mobile is selected and a virtual intranet IP address (within the virtual IP address pool) is set manually for the user, the user uses this address as his or her virtual intranet IP address after connecting. If the virtual IP address is 0.0.0.0, the system automatically assigns an intranet IP address from the virtual IP address pool to the user.

Effective Time and Enable Expiry Time: set the effective time and expiration time of the account.

If a VPN user uses the My Network service, Enable My Network must be selected.

Enable Compression: compresses the data transferred between the gateway and the user.

This parameter enables Sangfor's proprietary VPN compression. It improves bandwidth efficiency on low-bandwidth links and speeds up data transmission, but it does not suit every network environment; set it according to the actual situation.

Disable Internet Service for the User After Connecting to HQ: valid only for mobile users. If selected, a mobile user connected to the VPN can access the VPN but not the Internet.

Allow users to log in concurrently: allows multiple users to log in to the VPN with the same account. Because activity can then no longer be attributed to a single person, leave it disabled unless it is required.

Not allow password change online: specifies whether a mobile user may change the login password after logging in to the VPN. If it is deselected, the password change is allowed.

Edit LAN Service Access Right: assigns permissions to users connected to the VPN, specifying which services they can access. By default there is no limit, so restrict each user to the services actually needed.


Before assigning permissions, add the required services at Select LAN Service. For details, see the Intranet Service Settings section.

Advanced: configures advanced attributes for users connected to the VPN, including route selection policy settings, multicast service settings, channel parameter settings, and intra-channel NAT settings. Route selection policy settings dynamically select the optimal transmission line among multiple lines based on line conditions. Multicast service settings support applications, such as video, that use the multicast protocol between servers and branches. Channel parameter settings control the traffic of branch VPNs. Intra-channel NAT settings handle the address conflict that occurs when two branches use the same intranet segment and connect to the same server. The following figure shows the configuration page.


For details of route selection policy settings, see Section 3.2.3.4 "Multi-Line
Route Selection Policy." For more information on multicast service settings, see
Section 3.10.12.3.


Channel parameter settings cover the VPN channel timeout interval, dynamic rate detection, and channel traffic control.

Timeout: when the network has significant delay and a high packet loss rate, you can set a timeout interval for the SANGFOR VPN. The timeout interval of each channel depends on the server configuration. The default is 20 s; for a poor network environment, increase it.

Enable tunnel dynamic probe: applicable when the local or peer end has many lines. When selected, the SANGFOR VPN regularly measures each line's delay and packet loss rate and selects the optimal line for data transmission based on the result.

Enable tunnel traffic control: when there are multiple VPN branches or mobile users, this option prevents one branch or user from occupying all the bandwidth and slowing down the others. You can assign upstream and downstream bandwidth to each connected user to guarantee an appropriate rate for each.

The value set for Enable tunnel traffic control is a range rather than an exact figure. For example, if you set it to 100 kbps, the actual bandwidth varies between 80 and 120 kbps.


Tunnel NAT: performs SNAT on multiple conflicting site network segments so that each site can access and communicate with the server normally without changing its own network segment.

Only site users can enable Tunnel NAT.

Click Add and, in the dialog box, enter the matched source subnet segment, proxy subnet segment, and subnet mask required by the rule, or let the device assign an IP segment from the virtual IP pool automatically. The page is as follows:

Source Subnet Segment: the real LAN subnet of the site.

Proxy Subnet Segment: the virtual subnet the site is translated to.

Subnet Mask: the real LAN subnet mask of the site.

The subnet mask must match the site's configuration. Tunnel NAT only translates the masked network part of the address; the host part remains unchanged.

Before using Tunnel NAT in Advanced, add the virtual IP network segment the site needs in the Virtual IP Pool.

Click Add Group to set the user group name, description, and the common attributes of group members. The page is as follows:

LAN Permissions and Advanced are the same as the corresponding buttons in New User; refer to the description there.

Click Import Domain User to import user accounts from the LDAP server (set up the LDAP server on the LDAP Settings page before importing). An imported user uses LDAP authentication by default and has no local password. The page is as follows:


Check the users to import; select the user type (mobile user or branch user), a user group, the encryption algorithm, compression, and network neighborhood; then click Import to import the users from the LDAP server into the VPN device.

Click Import Text User to import user information from a TXT or CSV file. You can import the users into a user group so that they use the group's properties, and set whether the imported users are of the mobile or site type. Each line of a TXT file has the format "username,password"; other user information cannot be imported. A CSV file uses the same layout, with the username and password in separate columns instead of separated by a comma. The page is as follows:


Click Export User to export the users from the device to a local file. You can choose whether the exported passwords are encrypted or unencrypted; an unencrypted export contains credentials in plaintext, so store and transfer it accordingly. The page is as follows:

Default User: matched when a user cannot be found in the user list and the authentication method matches that of the default user. In addition, when there are multiple certificate-authenticated sites on the LAN, enabling the default user with certificate authentication and configuring the corresponding rules means that certificate-authenticated users do not have to be added to the user list one by one. The default user with authentication enabled is configured as follows:


As shown in the figure above, certificate authentication rules are an additional function compared with ordinary users. According to the configured rules, the peer certificate is parsed and matched against them; when no rule matches, the default action applies.

3.11.3.6 Connection Management

To interconnect multiple network nodes into a mesh network, the IAG provides a function for managing and setting up node interconnection on the Connection Management page.

This function is needed only when this device is a branch that connects to HQ devices. If this device is an HQ device, you do not need to enable it.

Click Add to add a link to the HQ. See the following figure.


HQ Name and Description identify a link; set them as required.

Primary Webagent and Secondary Webagent specify the Web agents of the HQ to connect to. Click Test to check whether the Web agents work properly. See the following figure.

Test requests are sent from the local computer, not from the device. If the Web agents are set to domain names, a successful test means the corresponding page exists; otherwise it does not. If the Web agents are set to fixed IP addresses, a successful test means the entry in IP address:port format is correct. A successful test does not mean that the VPN connection will succeed.


Protocol: TCP or UDP, the VPN packet type. The default is UDP.

Data Encryption Key, Username, and Password must be set according to the account information provided by the HQ.

Cross-ISP Access: applicable when the HQ has lines from different carriers and packet loss occurs frequently. You can set it to Low Packet Loss Rate, High Packet Loss Rate, or Manual Setup.

Certificate: select it if the headquarters uses certificate authentication.

Peer Root Certificate: select it when the certificate used by the headquarters is not issued by the same CA as the local one.

The cross-ISP function must be enabled when needed; otherwise it has no effect. For IAG-to-IAG interconnection, both IAGs must enable it. For interconnection between a mobile user and the IAG, only the IAG must enable it.

Click Edit LAN Service Access Right to assign permissions to the peer end connected over the VPN; this specifies which local services are available to the peer. After setting the preceding parameters, select Allow to activate the connection, then click Save.

3.11.3.7 Virtual IP Address Pool

Virtual IP Pool supports creating a virtual IP address pool for branch users. The interface is shown as follows:

In the branch user IP pool, a virtual IP segment replaces the branch's original segment with a segment from the pool when the branch accesses the headquarters, which resolves LAN IP conflicts when two branches with the same segment access the headquarters. Click New, select Branch user for the type, set the Start IP and End IP of the virtual addresses (click Get to calculate the applicable End IP automatically), the netmask, and the number of branch segments. See the picture below:

Start IP: the first IP address of the branch virtual IP segment.

End IP: the last IP address of the branch virtual IP segment.

Get: automatically calculates the last IP address of the virtual IP segment.

Number of Segments: the number of virtual IP segments needed.

Subnet Mask: the subnet mask of the virtual IP segment. It must be consistent with the subnet mask at the branch.

After setting the branch virtual IP segment, create a new user in VPN Information Settings > User Management, select Branch for the user type, and then configure the branch segments to be translated under Advanced > Tunnel NAT.
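
The End IP calculation behind the Get button and the masked-segment translation performed by Tunnel NAT (Advanced > Tunnel NAT, described under User Management) can both be reproduced with the standard ipaddress module. The following is an added example, not Sangfor code; the pool 10.100.1.0/24 with two segments and the two branches that both use 192.168.1.0/24 are constructed for illustration.

```python
"""Added example (not Sangfor code): the calculations behind the Virtual IP Pool
(End IP from Start IP, subnet mask and Number of Segments) and Tunnel NAT
(translate only the masked network part of an address, keep the host part)."""
import ipaddress


def pool_end_ip(start_ip: str, netmask: str, segments: int) -> str:
    """Last address of `segments` consecutive subnets starting at start_ip,
    i.e. what the Get button fills in as End IP."""
    first = ipaddress.ip_network(f"{start_ip}/{netmask}", strict=True)
    last = int(first.network_address) + first.num_addresses * segments - 1
    return str(ipaddress.ip_address(last))


def pool_segments(start_ip: str, netmask: str, segments: int):
    """The individual proxy segments the pool hands out, one per branch."""
    first = ipaddress.ip_network(f"{start_ip}/{netmask}", strict=True)
    return [
        ipaddress.ip_network(
            f"{ipaddress.ip_address(int(first.network_address) + first.num_addresses * i)}"
            f"/{first.prefixlen}"
        )
        for i in range(segments)
    ]


def tunnel_snat(host_ip: str, source_segment: str, proxy_segment: str, netmask: str) -> str:
    """Rewrite the network part of host_ip to proxy_segment; the host part is
    preserved. Raises ValueError when host_ip is outside source_segment, i.e.
    the Tunnel NAT rule does not match (a wrong subnet mask shows up here)."""
    mask = int(ipaddress.ip_address(netmask))
    host = int(ipaddress.ip_address(host_ip))
    src_net = int(ipaddress.ip_address(source_segment)) & mask
    proxy_net = int(ipaddress.ip_address(proxy_segment)) & mask
    if host & mask != src_net:
        raise ValueError(f"{host_ip} is not in {source_segment}/{netmask}")
    return str(ipaddress.ip_address(proxy_net | (host & ~mask)))


def demo():
    """Constructed scenario: two branches both numbered 192.168.1.0/24 each
    get their own proxy segment from a two-segment pool starting at 10.100.1.0."""
    end_ip = pool_end_ip("10.100.1.0", "255.255.255.0", 2)
    segs = [str(n.network_address) for n in pool_segments("10.100.1.0", "255.255.255.0", 2)]
    branch_a = tunnel_snat("192.168.1.37", "192.168.1.0", segs[0], "255.255.255.0")
    branch_b = tunnel_snat("192.168.1.37", "192.168.1.0", segs[1], "255.255.255.0")
    return end_ip, segs, branch_a, branch_b
```

demo() returns End IP 10.100.2.255 for the pool, the two proxy segments 10.100.1.0 and 10.100.2.0, and the same host 192.168.1.37 appearing to headquarters as 10.100.1.37 from one branch and 10.100.2.37 from the other; only the masked bits change.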

3.11.3.8 Local Subnet List

List the intranet subnets of the hardware device so that VPN users can reach the intranet subnets of the HQ. For example, if the HQ has two subnets (192.200.100.x and 192.200.200.x), set the local subnet list to enable interconnection among mobile users, branch users, and HQ intranet users. The configuration procedure is as follows:

1. Configure the subnets that require interconnection on the Local Subnet List page. See the following figure.

Click Add and add a subnet segment and subnet mask.

Subnet Segment and Subnet Mask must be set to the network ID and subnet mask of a network segment other than the directly connected segment of the IAG's LAN/DMZ port at the local end.


2. Set reachable routes for the subnets in the Static Routes window (choose System > Network > Static Routes for details).

The local subnet list acts as a declaration: the segments defined in it are treated by Sangfor's VPN device and software client as VPN segments, so all packets destined for those segments are encapsulated in VPN channels when they reach the VPN device or client. Static routes are therefore required to reach any subnet added to the list.

3.11.3.9 Inter-channel Routing Settings

The IAG provides a powerful inter-channel routing function for VPNs. It enables interconnection among VPNs (software and hardware) to create a true mesh VPN network.

For example, the HQ (Shenzhen, 192.168.1.x/24) and the branches (Shanghai, 172.16.1.x/24, and Guangzhou, 10.1.1.x/24) have VPN connections (the branches connect to the HQ through Connection Management), but the two branches have no VPN connection to each other. An inter-channel routing rule can be set to connect the branches. The configuration procedure is as follows:

1. Select Enable Routing in the Inter-channel Routing Settings window of the Shanghai branch, click Add, and add the route to the Guangzhou branch. See the following figure.


Source IP: the network ID of the source IP address. In this example, set it to 172.16.1.0. Subnet Mask (Source): the subnet mask of the source IP address. In this example, set it to 255.255.255.0.

Destination IP: the network ID of the destination IP address. In this example, set it to 10.1.1.0.

Subnet Mask (Destination): the subnet mask of the destination IP address. In this example, set it to 255.255.255.0.

Destination Route User: the VPN user to which the route points.

Source IP and Destination IP match the source and destination IP addresses of the data. When data in a VPN channel matches the settings, the route sends it to the specified VPN device. Destination User is the VPN connection the routed data is sent through. In this example, the username shanghai is configured in the Connection Management window for the Shanghai branch's VPN connection to the HQ, so data matching the rule is sent to the HQ through the connection named shanghai.


2. Select Enable Routing in the Inter-channel Routing Settings window of the Guangzhou branch, click New, and add the route to the Shanghai branch. See the following figure.

Source IP: the network ID of the source IP address. In this example, set it to 10.1.1.0. Subnet Mask (Source): the subnet mask of the source IP address. In this example, set it to 255.255.255.0.

Destination IP: the network ID of the destination IP address. In this example, set it to 172.16.1.0.

Subnet Mask (Destination): the subnet mask of the destination IP address. In this example, set it to 255.255.255.0.

Destination User: the VPN user to which the route points. In this example, set it to Guangzhou.

The inter-channel routing function can also send a branch's Internet traffic to the HQ, which forwards it to the Internet through its own egress. For example, you can set the Shanghai branch to access the Internet through the HQ.

If a branch accesses the Internet through the HQ, you must choose System Management > Firewall > NAT Proxy and add proxy rules for the VPN network segments. For details, see the firewall setup description.
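
How the Local Subnet List (3.11.3.8) and the inter-channel routing rules above combine to decide where a branch packet goes can be shown with a small lookup: destinations declared in the HQ's local subnet list are tunnelled to the HQ, destinations matching an inter-channel route are tunnelled through the named VPN user, and everything else leaves through the local egress unless a 0.0.0.0/0 route sends Internet traffic via the HQ. This is an added example, not Sangfor code; the Shanghai rules and the HQ subnet come from the example above, and the test addresses are constructed.

```python
"""Added example (not Sangfor code): matching branch traffic against the HQ's
Local Subnet List and inter-channel routing rules, including the
branch-accesses-Internet-via-HQ case expressed as a 0.0.0.0/0 destination."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    user: str          # Destination User: the VPN connection data is sent through


def make_route(src, src_mask, dst, dst_mask, user) -> Route:
    """Build a rule from the four fields of the Inter-channel Routing dialog."""
    return Route(ipaddress.ip_network(f"{src}/{src_mask}"),
                 ipaddress.ip_network(f"{dst}/{dst_mask}"), user)


def lookup(routes, src_ip, dst_ip):
    """Return the Destination User of the most specific matching route
    (longest destination prefix, then longest source prefix), or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        if s in r.source and d in r.destination:
            key = (r.destination.prefixlen, r.source.prefixlen)
            if best is None or key > (best.destination.prefixlen, best.source.prefixlen):
                best = r
    return best.user if best else None


def forward(hq_subnets, routes, src_ip, dst_ip) -> str:
    """Decide the path of a branch packet: segments in the HQ's Local Subnet
    List are VPN segments by declaration, then inter-channel routes apply,
    otherwise the packet uses the branch's own Internet egress."""
    d = ipaddress.ip_address(dst_ip)
    if any(d in net for net in hq_subnets):
        return "vpn:hq"
    user = lookup(routes, src_ip, dst_ip)
    return f"vpn:{user}" if user else "local-internet"


def demo():
    """Constructed scenario from the Shanghai branch's point of view."""
    hq_subnets = [ipaddress.ip_network("192.168.1.0/24")]          # HQ local subnet list
    shanghai = [make_route("172.16.1.0", "255.255.255.0",
                           "10.1.1.0", "255.255.255.0", "shanghai")]
    to_hq = forward(hq_subnets, shanghai, "172.16.1.20", "192.168.1.5")
    to_guangzhou = forward(hq_subnets, shanghai, "172.16.1.20", "10.1.1.8")
    to_internet = forward(hq_subnets, shanghai, "172.16.1.20", "203.0.113.9")
    # Branch Internet via HQ: add a default destination pointing at the HQ
    # connection (NAT proxy rules are still needed on the HQ, as noted above).
    via_hq = shanghai + [make_route("172.16.1.0", "255.255.255.0",
                                    "0.0.0.0", "0.0.0.0", "shanghai")]
    internet_via_hq = forward(hq_subnets, via_hq, "172.16.1.20", "203.0.113.9")
    return to_hq, to_guangzhou, to_internet, internet_via_hq
```

The specific 10.1.1.0/24 route still wins over the 0.0.0.0/0 default because the lookup prefers the longest destination prefix, so adding the Internet-via-HQ rule does not change how branch-to-branch traffic is routed.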

3.11.3.10 Third party connection

The IAG provides a function for interconnecting with third-party VPN devices: it can set up standard IPSec VPN connections with them.

3.11.3.10.1 Phase I

Set the information about the VPN devices that will set up standard IPSec connections with the IAG. See the following figure.

Outgoing Line: the line used to set up standard IPSec VPN connections with the peer end. Select a line egress and click Add. The Edit Peer Device dialog box is displayed. See the following figure.

Device Name: define the name of the phase I policy.

Description: add a policy description.

Address Type: fixed IP address, dynamic IP address, or dynamic domain name. If you select Static IP Address at Peer End, you must enter the fixed IP address and the pre-shared key. See the following figure.

If you select Dynamic Domain Name at Peer End, you must set the dynamic domain name and the pre-shared key. See the following figure.

If you select Dynamic IP Address at Peer End, you must set the pre-shared key. In this case, connections can only be set up in aggressive mode. Because aggressive mode sends the identity hash before the exchange is encrypted, use a long, random pre-shared key for such peers. See the following figure.

Work as secondary appliance: the same device supports backup tunnels. If a master tunnel and a backup tunnel are established and the master tunnel is disconnected, data packets are sent to the peer only through the backup tunnel.

When you click Advanced, the Advanced Settings dialog box is displayed. See the following figure.

ISAKMP Lifetime: the lifetime of the phase I policy. The unit can only be seconds.

Max Attempts: the number of retries during phase I negotiation.

Mode: the negotiation mode supported in phase I: main mode or aggressive mode.

D-H Group: the Diffie-Hellman group used by the two negotiating parties. The options are MODP768 Group (1), MODP1024 Group (2), and MODP1536 Group (5). Groups 1 and 2 are too small to be considered secure today; prefer MODP1536 (5), the strongest group offered, whenever the peer supports it.

Select Enable DPD to enable dead peer detection, which helps the VPN device detect faults at the peer end of a channel.

Detection Interval: the interval for checking the peer end status, from 5 s to 60 s.

Max Timeout Count: the number of consecutive timeouts of the peer status check, from 1 to 6. The peer device is regarded as faulty when the count reaches this maximum.

ISAKMP algorithm list:

Authentication: the authentication algorithm for phase I: MD5, SHA-1, or SM3.

Encryption: the encryption algorithm for phase I: DES, 3DES, AES, SANGFOR_DES, SCB2, or SM4.

Click Save to enable the configured policy.

1. Standard IPSec supports only route mode; bridge mode and one-arm mode are not supported. Standard IPSec does not allow both ends to set their peer to dynamic IP address mode at the same time.

2. If you set the ISAKMP encryption algorithm to SANGFOR_DES, both ends must be Sangfor devices.


3.11.3.10.2 Phase II

Configure the inbound and outbound policies of the VPN. See the following figure.

Inbound policies define the rules for packets sent from the peer end to the local end. Click Add. The Policy Setup dialog box is displayed. See the following figure.

Policy Name: define the name of the inbound policy.

Description: add a policy description.

Source Type: the IP address or IP address segment of the VPN peer end that is allowed to access the local end.

Peer Device: select the peer device defined in phase I.

Inbound Service: select the services that may access the local device. The services must be predefined at VPN Configuration > Advanced Settings > LAN Service.

Expiry Time: set the effective time of the policy. The time must be predefined at VPN Configuration > Settings > Time and Schedule Settings.

You can select Enable Expiry Time and set the expiration time of the policy. Select Enable This Policy and click Save.

Outbound policies define the rules for packets sent from the local end to the peer end. Click Add. The Policy Setup dialog box is displayed. See the following figure.


Policy Name: define the name of the outbound policy.

Description: add a policy description.

Source: the IP address or IP address segment of the VPN local end that is allowed to access the peer end.

Peer Device: select the peer device defined in phase I.

SA Lifetime: the lifetime of the phase II policy. The unit can only be seconds.

Outbound Service: select the services that may access the peer device. The services must be predefined at VPN Configuration > Advanced Settings > LAN Service.


Security Options: select the security policy used for negotiation. The policy is configured on the Security Options tab.

Expiry Time: set the effective time of the policy. The time must be predefined at VPN Configuration > Settings > Time and Schedule Settings.

You can select Enable Expiry Time and set the expiration time of the policy.

Select Enable This Policy. If the peer end uses PFS, select Enable Perfect Forward Secrecy. Click Save.

1. If PFS is enabled, the DH groups set in phase I and phase II for the peer VPN device must be the same; otherwise the IPSec VPN connection cannot be set up.

2. The outbound service, inbound service, and time settings of outbound and inbound policies are Sangfor extensions. They take effect only on the local device and are not negotiated when VPN connections are set up with third-party devices. The source IP addresses in the outbound and inbound policies correspond to Source and Peer Service.

3.11.3.11 Security Options

Set the security parameters used when standard IPSec connections are set up with the peer end. See the following figure.

Before setting up an IPSec connection with a third-party device, confirm the connection policy used by that device: the protocol (AH or ESP), authentication algorithm (Null, MD5, SHA-1, or SM3), and encryption algorithm (DES, 3DES, AES, SANGFOR_DES, SCB2, or SM4). Then click Add and add the options. See the following figure.

Click Save.

Sangfor's VPN gateway uses the configured connection policy to set up IPSec connections with the peer end.

The encryption algorithm specified in the security options encrypts the data in phase II of a standard IPSec connection. If several devices using different connection policies are interconnected, add each policy to the security options.

The source IP addresses in the outbound and inbound policies correspond to Source and Peer Service.

The outbound service, inbound service, and time settings of outbound and inbound policies are Sangfor extensions. They take effect only on the local device and are not negotiated when VPN connections are set up with third-party devices.

3.11.3.12 Object

It consists of the Schedule and Algorithm sub-modules.

3.11.3.12.1 Schedule

Define the common period combinations, which can be used in the User
Management and Intranet Permissions windows. The current time of the IAG
prevails. See the following figure.

When you click Add, the Schedule dialog box is displayed. See the following
figure.

In this example, a period called Business Hours is defined. Select period
combinations and click Invalidate Rule. (By default, all periods are valid.) In
this case, rules are ineffective in the selected periods. Click Save.

3.11.3.12.2 Algorithm List Settings

View and add data encryption algorithms supported by the IAG. The algorithms
encrypt the data transferred in the VPN network set up by the hardware device
to ensure data security. See the following figure.

The IAG provides the DES, 3DES, MD5, AES, SHA-1, SINFOR_DES, SCB2, SM2,
SM3, and SM4 encryption and authentication algorithms. You can add other
algorithms as required. Before adding them, contact SANGFOR.

3.11.3.13 Certificate Management

3.11.3.13.1 Certificate Request

If you configure the certificate authentication in User Management, you need
to add the certificate information in Certificate Management, as shown above.

Extend Identification Information: Content optional.

Password Settings: Select a password standard. The international commercial
key standard is supported, with RSA key lengths of 512, 1024, 2048, and 4096
bits and the commercial encryption digest algorithms SHA1 and SHA2.

After parameters are configured and submitted, a certificate application file
and a key file will be generated. Click Download to download the application
file, which is a CSR file.

3.11.3.13.2 Certificate List

In the certificate list, the certificates to be used are imported, including local
certificate and root certificate, shown as follows:

Name: Customize the name.

Certificate Type: Select the local certificate or root certificate type, as shown in
the following figure.

Select CRE Local Certificate:

Select key: Come from the list of certificates applied.

CA Root certificate: Import the applied CA root certificate.

Local Certificate: Import the generated certificate.

Select CRE Root Certificate:

Certificate Name: Customize the name.

CA Root Certificate: Import the following roots generally:

⚫ The root used for the local certificate.

⚫ If the root that issued the opposite terminal's certificate is not the same
as the root of the local terminal's local certificate, the root of the opposite
terminal also needs to be imported.

Select PKCS # 12 Certificate to import:

Certificate Name: Customize the name.

CA Root Certificate: CA root certificate used by local certificate.

Local Certificate: Import a certificate in P12 format.

Protection Password: It is the password set at the time the certificate was
generated in P12 format.

Select PKCS #7 Certificate to import:

Name: Customize the name.

Select Key: Come from the application information list. Namely, select the
application information corresponding to the certificate to be imported.

The imported root certificate or local certificate can be downloaded.

3.11.3.14 Advanced Settings

It consists of LAN Services, VPN Interface, LDAP Server, and Radius Server
Settings.

3.11.3.14.1 Intranet Service Settings

The IAG can assign access permissions to VPN users, allow a specific IP address
or mobile user in the intranet of a branch to access only the specified intranet
services provided by specified computers, and set service parameters of
inbound and outbound policies for third-party device interconnection. By
assigning service access permissions, the device can manage VPN channel
security.

Assigning intranet service permissions includes two steps: creating intranet
services and giving permissions to users. By default, the system does not
impose access permission limits on VPN users. The following provides an
example:

The branch user branch1 with the intranet IP address 172.16.1.200 is allowed
to access only the HQ's FTP server, whose IP address is 192.168.1.20. Access
requests from other IP addresses and requests for accessing other services are
rejected. The configuration procedure is as follows:

In the LAN Service window, click Add. The Edit LAN Service dialog box is
displayed. You can set Service Name to a value that can be easily identified.
Select a protocol type. (In this example, the FTP service uses the TCP protocol.)
See the following figure.

1. Click Add. The IP Address Range Settings dialog box is displayed. Set the
parameters. See the following figure.

Source IP Address: In this example, set it to the intranet IP address
172.16.1.200 of the peer end in the branch.

Source Port: It ranges from 1 to 65535.

Destination IP Address: In this example, set it to the IP address 192.168.1.20
of the FTP server in the HQ's intranet.

Destination Port: The FTP service port number is 20 or 21.

The intranet service settings configured here are definitions. You then must assign intranet
permissions to user accounts in the User Management window. The settings can also be
used as the parameters for Local Service in Outbound Policy and Peer Service in Inbound
Policy for interconnection with third parties. For details, see the "Interconnection with Third
Parties" section.

2. Select Branch1 in the User Management window and click Permission
Settings. See the following figure.

3. In the Permission Settings dialog box, move the service configured for
Branch1 to the list on the right and select Allow. In this example, only this
service is allowed. Therefore, set Default Action to Reject.

After the preceding steps, the branch user branch1 with the intranet IP
address 172.16.1.200 can access the HQ's FTP server at 192.168.1.20. FTP
server access requests from other IP addresses in the same intranet as
Branch1 are rejected.

After the settings are configured, computers at the HQ cannot access Branch1, because the
destination IP addresses contained in Branch1's responses to the access requests from the
computers are not 192.168.1.20. The responses are blocked according to the intranet
permission settings.
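
The following Python script is an added illustration of how the LAN service
definition and the Branch1 permission settings above combine to produce an
allow or reject decision, including the reply-blocking case described in the
note. It is not code from the IAG product: the class and function names are
assumptions, and the flows in demo() are constructed for the example.

```python
"""VPN intranet service permission check, modelled on the LAN Service and
Permission Settings windows (added example, not Sangfor IAG code).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LanService:
    """One LAN service definition: protocol plus address and port ranges."""
    name: str
    protocol: str                 # "tcp", "udp", ...
    src_net: str                  # source IP range, CIDR
    src_ports: tuple              # (low, high); the dialog allows 1..65535
    dst_net: str                  # destination IP range, CIDR
    dst_ports: tuple              # (low, high)

    def matches(self, proto, src_ip, src_port, dst_ip, dst_port):
        return (
            proto == self.protocol
            and ip_address(src_ip) in ip_network(self.src_net)
            and self.src_ports[0] <= src_port <= self.src_ports[1]
            and ip_address(dst_ip) in ip_network(self.dst_net)
            and self.dst_ports[0] <= dst_port <= self.dst_ports[1]
        )


@dataclass
class UserPermission:
    """Permission Settings of one VPN user: allowed services plus Default Action."""
    user: str
    allowed: list = field(default_factory=list)
    default_action: str = "allow"   # no limits are imposed unless configured


def decide(perm, proto, src_ip, src_port, dst_ip, dst_port):
    """Return "allow" if any allowed service matches the flow, else the default action."""
    for svc in perm.allowed:
        if svc.matches(proto, src_ip, src_port, dst_ip, dst_port):
            return "allow"
    return perm.default_action


# The example from the text: branch user branch1 (172.16.1.200) may reach only
# the HQ FTP server 192.168.1.20 on TCP ports 20-21; everything else is rejected.
FTP_HQ = LanService("FTP-HQ", "tcp", "172.16.1.200/32", (1, 65535),
                    "192.168.1.20/32", (20, 21))
BRANCH1 = UserPermission("branch1", allowed=[FTP_HQ], default_action="reject")


def demo():
    """Constructed flows evaluated against the Branch1 permission."""
    return {
        "ftp_from_branch1": decide(BRANCH1, "tcp", "172.16.1.200", 40000, "192.168.1.20", 21),
        "ftp_from_other_host": decide(BRANCH1, "tcp", "172.16.1.201", 40000, "192.168.1.20", 21),
        "ssh_from_branch1": decide(BRANCH1, "tcp", "172.16.1.200", 40000, "192.168.1.20", 22),
        # An HQ host 192.168.1.50 (constructed) connects to branch1; the reply
        # carries destination 192.168.1.50, not 192.168.1.20, so it is rejected,
        # which is the effect the note above describes.
        "reply_to_hq_host": decide(BRANCH1, "tcp", "172.16.1.200", 445, "192.168.1.50", 51000),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22s} -> {verdict}")
```

The default action is applied only when no allowed service matches, which is
why the HQ-initiated connection fails even though the branch host itself is
listed in a service: the match is on the full five-tuple, not on the source
host alone.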

3.11.3.14.2 VPN Interface Settings

Set the intranet interface mask of the IPSec VPN service and the IP address and
mask of the VPN virtual network adapter for the device. See the following
figure.

VPN Intranet Settings: Notify the peer VPN device of the mask of the local
VPN network segment. If you select an interface mask, the network segment
corresponding to the mask is notified to the peer VPN device. If the network
segment connected to the DMZ port needs to access the VPN, select the DMZ
port and set a subnet mask.

Click Add, add an idle intranet interface and set the intranet mask of the local
VPN device. The value 0.0.0.0 indicates that the mask of the network port is used.

You can select an intranet interface and click Delete to delete it.

You can click Edit and modify the masks of selected intranet interfaces.

Local VPN Interface Settings: Set the IP address and mask of the VPN virtual
network adapter of the device. Generally, the default IP address is
recommended. However, if an IP address conflict occurs, you can click Specify
and enter an IP address that is not in use.

The VPN interface is a virtual interface of the device but not a physical interface.

Generally, Use Automatically Assigned VPN Interface IP Address is recommended.
However, if an IP conflict occurs, enter an IP address manually. Click Save.

If the configuration is incorrect, an error is reported. See the following figure.

The Saving settings fails message is displayed in the upper-left corner. You
can click View Error Information to view the details.

After you click View Error Information, a page is displayed detailing the cause
of the error.

3.11.3.14.3 Multicast Service

To meet the requirements of applications such as VoIP and video conferencing
applications, SANGFOR's VPN gateway supports the inter-channel multicast
service. You can define the multicast service. The IP address range is 224.0.0.1
to 239.255.255.255, and the port number range is 1 to 65535. See the following
figure.

When you click Add, the multicast service editing page is displayed. You can set
the IP address and port number of the service. See the following figure.

Click Add and add IP addresses and port numbers. See the following figure.

Click Save. See the following figure.

When creating a user in the User Management window, select the multicast
service in Multicast Service. See the following figure.

3.11.3.14.4 LDAP Server Settings

The VPN service of the IAG supports third-party LDAP authentication. If you
need to enable third-party LDAP authentication, set LDAP information on the
LDAP Server Settings tab page (including the LDAP server's IP address, port
number, and administrator password). See the following figure.

Set the LDAP server information and click Advanced. The LDAP Advanced
Settings dialog box is displayed. Set the parameters as required. See the
following figure.

3.11.3.14.5 Radius Server Settings

The VPN service of the IAG supports third-party Radius authentication. If you
need to enable third-party Radius authentication, set Radius information on
the Radius Server Settings tab page (including the IP address, port number,
shared key, and Radius protocol of the Radius server). See the following figure.

3.11.4 Firewall

The Firewall page contains four panels: Firewall Rules, IPv4 SNAT, IPv4
DNAT, and IPv6 NAT. On the Firewall Rules panel, you can set specific rules to filter
the data forwarded between different device interfaces. Filtering conditions
include the destination protocol and port, source IP address, destination IP
address, and time. On the IPv4 SNAT panel, you can set source network
address translation (SNAT) rules for Internet access of intranet users or other
Source NAT purposes. On the IPv4 DNAT panel, you can publish intranet
servers to the public network, and destination network address translation
(DNAT) rules need to be set for Destination NAT. The NAT settings apply only
when the device is deployed in route mode.

3.11.4.1 Firewall Rules

You can set specific rules to filter the data forwarded between different
interfaces of the device. Filtering conditions include the destination protocol
and port, source IP address, destination IP address, and time. The Firewall
Rules panel is shown in the following figure. In Direction, set the direction to
which a filtering rule applies, which can be LAN<->DMZ, DMZ<->WAN,
WAN<->LAN, LAN<->LAN, DMZ<->DMZ, VPN<->WAN, or VPN<->LAN. After
selecting a filtering direction, you can manage Firewall Rules on the right pane,
including deleting or adding Firewall Rules.

For example, internal web servers are connected to the device's demilitarized
zone (DMZ), and common internal users are connected to the local area
network (LAN) zone. For server security purposes, users in the LAN zone can
access only Transmission Control Protocol (TCP) port 80 (web service) of the
servers in the DMZ, and other data is not allowed to be forwarded to the DMZ.
In this case, Firewall Rules between the LAN zone and DMZ need to be set. The
procedure is as follows:

1. Select LAN > DMZ in Firewall Rules. In the LAN > DMZ pane, click Add.
The following objects are referenced: network services, IP groups, and
schedule groups. For details about these objects, see sections 3.3.6
through 3.3.9.

2. Enter the rule name in Name and priority value in Priority No. The priority
value specifies the priority of the rule. A smaller priority value indicates a
higher priority. Enter the description of this rule in Description.

3. Set a rule to allow HTTP packets from the LAN zone to the DMZ.
Specifically, select Allow from Action, HTTP from Service, and All from
Source and Destination or enter an IP group. Select All Day from
Schedule and specify a period. Select LAN->DMZ from Data Flow. See the
following figure.

After you set the filtering rule, HTTP packets are allowed, and other data is
rejected by default.

4. Modify the filtering rule if required. Select the filtering rule and click Delete
to delete the rule. Click Enable to enable the filtering rule. Click Disable to
disable the filtering rule. Click Move Up or Move Down to change the
priority of the filtering rule. A filtering rule with a smaller priority value will
be preferentially matched.

To edit a rule, click the rule's name and then edit the rule in the displayed
dialog box.

By default, the firewall module rejects traffic. However, LAN > WAN dual and LAN > DMZ
traffic is allowed by the filtering rules configured in the firewall's factory settings.

3.11.4.2 IPv4 SNAT

On the IPv4 SNAT panel, you can set SNAT rules for translating source IP
addresses of data that meets the specified conditions and is forwarded by the
device. For example, when the device operates in route mode, it serves as a
proxy to implement Internet access of intranet users, and SNAT rules need to
be set for translating source IP addresses. You can manage SNAT rules,
including adding and deleting SNAT rules. See the following figure.

Example 1: A network segment 192.168.1.0/255.255.255.0 exists on the
intranet of the customer. The device is deployed in route mode and connected
to two public network lines. The device is required to implement Internet
access for intranet users.

1. On IPv4 SNAT, click Add. In the dialog box shown in the following figure,
select Enabled and enter a rule name in Name.

2. In WAN Interface, set a WAN interface used for data forwarding. This rule
will be matched only when data is forwarded to the specified network
interface. In this example, the device needs to forward the data from two
WAN interfaces. Therefore, select All WAN interfaces. See the following
figure.

3. In Source Address, set the source IP address for which SNAT is to be
performed. If All is selected, the source IP address is not restricted. If
Specified is selected, this rule will be matched only if the source IP address
meets the conditions. In this example, the device implements Internet
access for users on the network segment 192.168.1.0/255.255.255.0.
Therefore, specify the network segment 192.168.1.0/255.255.255.0 in
Specified.

4. In Mapped Src IP, set the range of IP addresses to which source IP
addresses of data meeting the conditions are translated. If WAN interface
IP is selected, source IP addresses will be translated into the IP address of
the WAN interface specified in step 2. If Specified IP is selected, source IP
addresses will be translated into the specified IP addresses.

Click Advanced to set more specific matching conditions, including the
destination IP address translation condition and protocol conversion
condition. These two conditions are not set in this example.

5. Modify the IPv4 SNAT rule if required. Select the rule and click Delete to
delete the rule. Click Enable to enable the rule. Click Disable to disable the
rule. Click Move Up or Move Down to change the priority of the rule. A
rule with a smaller priority value will be preferentially matched. To edit a
rule, click the rule's name and then edit the rule in the displayed dialog
box.

6. Add a filtering rule to allow data from the LAN to the wide-area network
(WAN). For details, see section 3.2.2.1.

Example 2: The device operates in route mode. There are two external
network lines: a telecom line and an education network line. According to the
customer's requirements, when a computer on internal network segment
192.168.1.0/255.255.255.0 accesses service port 80 on network segment
202.3.3.0/255.255.255.0 education network, the source IP address of the
computer will be translated to the IP address of the WAN1 interface, which is
202.96.1.1.

1. Add two IP groups: education network segment and internal network
segment. The following figure shows an example of defining IP group
Education Network Segment.

2. Set the Link Load Balancing. The device routes data from the internal
network segment to the education network segment over WAN1
(Education Network Line) based on the specified Link Load Balancing. For
details, see section 3.2.3.4.

3. On IPv4 SNAT, click Add. In the dialog box shown in the following figure,
select Enabled and enter a rule name in Name.

4. In the WAN interface, set a WAN interface used for data forwarding. In
this example, address translation is performed for data forwarded over
WAN1. Therefore, select WAN1 from Interface.

5. In Source Address, set the source IP address for which SNAT is to be
performed. In this example, the network segment is
192.168.1.0/255.255.255.0. Therefore, select Specified and set the source
IP address segment.

6. In Mapped Src IP, set the range of IP addresses to which source IP
addresses of data meeting the conditions are translated. In this example,
source IP addresses will be translated to the IP address of WAN1, which is
202.96.1.1. Therefore, select Specified IP and set the IP address.

7. In this example, destination IP addresses and ports need to be matched.
According to the requirement of translating source IP addresses for access
requests to service port 80 on education network segment
202.3.3.0/255.255.255.0, click Advanced and set the destination IP address
translation and protocol conversion conditions. See the following figure.

8. Modify the IPv4 SNAT rule if required. Select the rule and click Delete to
delete the rule. Click Enable to enable the rule. Click Disable to disable the
rule. Click Move Up or Move Down to change the priority of the rule. A
rule with a smaller priority value will be preferentially matched. To edit a
rule, click the rule's name and then edit the rule in the displayed dialog
box.

9. Add a filtering rule to allow data from the LAN to the wide-area network
(WAN). For details, see section 3.2.2.1.

The NAT settings apply only when the device is deployed in route mode.
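
The following Python script is an added illustration of how the two SNAT rules
of Example 1 and Example 2 above behave together: the WAN interface, source
address and Advanced (destination and protocol/port) conditions must all match,
rules are tried in priority order, and Mapped Src IP is either the outgoing WAN
interface's address or a fixed address. It is not code from the IAG product; the
rule field names, the WAN2 address 203.0.113.1 and the packets are assumptions
constructed for the example, while 202.96.1.1, 192.168.1.0/24 and
202.3.3.0/24 come from Example 2.

```python
"""IPv4 SNAT rule evaluation modelled on the IPv4 SNAT panel
(added example, not Sangfor IAG code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface addresses: WAN1 is the value given in Example 2, WAN2 is constructed.
WAN_IP = {"WAN1": "202.96.1.1", "WAN2": "203.0.113.1"}


@dataclass
class SnatRule:
    name: str
    wan_interface: str = "all"       # "all" or one interface name
    source: str = "all"              # "all" or a CIDR network
    mapped_src: str = "interface"    # "interface" (WAN interface IP) or a fixed IP
    dst_net: str = "all"             # Advanced: destination condition
    protocol: str = "any"            # Advanced: protocol condition
    dst_port: int = 0                # Advanced: port condition, 0 = any (assumption)
    enabled: bool = True

    def matches(self, pkt):
        return (self.enabled
                and self.wan_interface in ("all", pkt["out_if"])
                and (self.source == "all"
                     or ip_address(pkt["src"]) in ip_network(self.source))
                and (self.dst_net == "all"
                     or ip_address(pkt["dst"]) in ip_network(self.dst_net))
                and self.protocol in ("any", pkt["proto"])
                and self.dst_port in (0, pkt["dst_port"]))

    def translate(self, pkt):
        new_src = (WAN_IP[pkt["out_if"]] if self.mapped_src == "interface"
                   else self.mapped_src)
        return dict(pkt, src=new_src)


def apply_snat(rules, pkt):
    """Rules are tried in list order (priority); the first match translates.
    Returns (packet, rule name); an unmatched packet is returned unchanged."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.translate(pkt), rule.name
    return pkt, None


def demo():
    """Constructed packets through the Example 2 rule followed by the Example 1 rule."""
    edu = SnatRule("edu-port80", wan_interface="WAN1", source="192.168.1.0/24",
                   mapped_src="202.96.1.1", dst_net="202.3.3.0/24",
                   protocol="tcp", dst_port=80)                    # Example 2
    internet = SnatRule("internet-access", wan_interface="all",
                        source="192.168.1.0/24", mapped_src="interface")  # Example 1
    rules = [edu, internet]
    edu_web = {"out_if": "WAN1", "src": "192.168.1.10", "dst": "202.3.3.7",
               "proto": "tcp", "dst_port": 80}
    return {
        "edu_web": apply_snat(rules, edu_web),
        # Port 443 fails the Advanced condition, so the general rule applies.
        "edu_https": apply_snat(rules, dict(edu_web, dst_port=443)),
        # Routed over WAN2: Example 2 is bound to WAN1, so the interface IP of WAN2 is used.
        "via_wan2": apply_snat(rules, dict(edu_web, out_if="WAN2", dst="198.51.100.9")),
        # A source outside 192.168.1.0/24 matches no rule and leaves untranslated.
        "foreign_src": apply_snat(rules, dict(edu_web, src="10.9.9.9")),
    }


if __name__ == "__main__":
    for name, (pkt, rule) in demo().items():
        print(f"{name:12s} -> src {pkt['src']:14s} rule {rule}")
```

The order of the two rules is what makes Example 2 effective: if the general
Internet-access rule came first, every packet from 192.168.1.0/24 would match
it and the education-network rule would never be reached.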

3.11.4.3 IPv4 DNAT

On the IPv4 DNAT panel, you can configure the device to perform DNAT for
data. For example, publish an intranet server and map the services of this
server to the public network so that Internet users can access these services.
See the following figure.

Example 1: An intranet server 192.168.1.2 provides HTTP services. There are
two public network lines on the device. The customer requires that Internet
users can access the HTTP services provided by the intranet server over the
public network line.

1. On the IPv4 DNAT panel, click Add and select Basic Rule or Advanced
Rule, as shown in the following figure.

The Basic Rule option sets a simple IPv4 DNAT rule for which only
necessary conditions need to be set, whereas the Advanced Rule option
applies to complex IPv4 DNAT requirements. In this example, select Basic
Rule. In the displayed dialog box, select Enabled and set the rule name.

2. In Protocol, set the data conditions of this DNAT rule and the destination
IP address and port.

In Protocol, select the type of protocol data for which IPv4 DNAT needs to
be performed. In Dst Port, set the destination port. In this example, NAT
needs to be performed for HTTP service access data. Therefore, select TCP
from Protocol and set Dst Port to 80. Set the IP address to which the
destination IP address will be translated in Mapped IP Address, and the
port to which the destination port will be converted in Mapped to Port. In
this example, the destination IP addresses of access data to service port 80
will be translated to 192.168.1.2. See the following figure.

Select Allow, and TCP port 80 access data in six directions will be allowed:
LAN<->WAN, DMZ<->WAN, and LAN<->DMZ.

3. Modify the IPv4 DNAT rule if required. Select the rule and click Delete to
delete the rule. Click Enable to enable the rule. Click Disable to disable the
rule. Click Move Up or Move Down to change the priority of the rule. A
rule with a smaller priority value will be preferentially matched.

To edit a rule, click the rule's name and then edit the rule in the displayed
dialog box.

Example 2: A server with the IP address 192.168.1.80 exists on the intranet.
The device operates in route mode. WAN1 connects to the intranet through a
fiber. A public network IP address 202.96.137.89 exists, and the domain name
is www.sangfor.com. An IPv4 DNAT rule needs to be configured to publish
the intranet server to the public network so that users on the LAN
(192.168.1.0/255.255.255.0, connected to the LAN interface) can access
192.168.1.80 by visiting the domain name www.sangfor.com.

1. On the IPv4 DNAT panel, click Add and select Advanced Rule. On the
displayed IPv4 DNAT page, select Enabled and set the rule name.

2. In the WAN interface, set a WAN interface, and DNAT will be performed
for the data forwarded over this WAN interface to the device. In this
example, the public network IP address corresponding to the domain
name www.sangfor.com is the IP address of WAN1. Therefore, select
WAN1.

3. In Source Address, set the source IP address in the DNAT rule. In this
example, the intranet server is mapped to the public network, and the
public network IP address is not fixed. Therefore, select All.

4. In Destination Address, set the destination IP address in the DNAT rule. In
this example, DNAT is performed for access requests to the IP address of
WAN1. Therefore, select Specified interface IP and WAN1.

5. In Protocol, set the protocol and port for DNAT. In this example, DNAT is
performed for access requests to service port 80. Therefore, select All in
Src Port as the source port is usually random.

6. In Mapped IP, set the IP address to which the IP addresses of data
meeting the conditions are translated. In this example, the IP address of
the destination server is 192.168.1.80. Therefore, select Specified IP and
enter 192.168.1.80.

7. In Mapped Port, set the port to which the ports of access requests
meeting the conditions are converted. In this example, the port of the
destination server 192.168.1.80 is 80. Therefore, select Specified and enter
80.

8. Select Allow firewall automatically allows data. TCP port 80 access data
is then allowed in six directions: LAN<->WAN, DMZ<->WAN, and
LAN<->DMZ.

LAN server accessible to internal user on WAN IP needs to be selected
when intranet users need to access a server on the same network segment
by using public network IP addresses. After this option is selected, the
source IP addresses of data from the intranet are translated into the
corresponding interface IP address of the device. Intranet users cannot
access this server by using public network IP addresses. The device will
automatically create a SNAT rule for source IP address translation. In this
example, users on the LAN need to access a server on this LAN by using
public network IP addresses. Therefore, select 192.168.20.1 (LAN).

9. Modify the IPv4 DNAT rule if required. Select the rule and click Delete to
delete the rule. Click Enable to enable the rule. Click Disable to disable the
rule. Click Move Up or Move Down to change the priority of the rule. A
rule with a smaller priority value will be preferentially matched.

To edit a rule, click the rule's name and then edit the rule in the displayed
dialog box.

The IPv4 DNAT settings only apply when the device is deployed in route mode.
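
The following Python script is an added illustration of the Example 2 DNAT rule
above and of what the LAN server accessible to internal user on WAN IP option
adds: for a request from the Internet only the destination is rewritten, while
for a request from the server's own LAN segment the device also rewrites the
source to its LAN-side interface address (the automatically created SNAT rule),
so that the server's reply returns through the device instead of going directly
to the client. It is not code from the IAG product; the rule field names, the
hairpin matching by destination address and the Internet client 198.51.100.5
are assumptions, while 202.96.137.89, 192.168.1.80, 192.168.1.0/24 and
192.168.20.1 (LAN) come from the example.

```python
"""IPv4 DNAT with the LAN-server-on-WAN-IP (hairpin) option
(added example, not Sangfor IAG code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IFACE_IP = {"WAN1": "202.96.137.89", "LAN": "192.168.20.1"}   # from Example 2
LAN_NET = "192.168.1.0/24"                                     # from Example 2


@dataclass
class DnatRule:
    name: str
    wan_interface: str               # traffic addressed to this interface's IP is matched
    protocol: str
    dst_port: int
    mapped_ip: str
    mapped_port: int
    source: str = "all"              # Source Address; "all" = public IP not fixed
    hairpin_if: str = ""             # the option above; "" = not selected
    enabled: bool = True

    def matches(self, pkt):
        return (self.enabled
                and pkt["dst"] == IFACE_IP[self.wan_interface]
                and (pkt["proto"], pkt["dst_port"]) == (self.protocol, self.dst_port)
                and (self.source == "all"
                     or ip_address(pkt["src"]) in ip_network(self.source)))


def apply_dnat(rules, pkt):
    """Return (translated packet, rule name, whether the auto-SNAT was applied)."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        out = dict(pkt, dst=rule.mapped_ip, dst_port=rule.mapped_port)
        # Hairpin case: the request comes from the server's own segment and the
        # option is selected, so the source becomes the device's LAN interface IP.
        # Without it the server would answer 192.168.1.x directly on the shared
        # segment, bypassing the device and breaking the translated session.
        if rule.hairpin_if and ip_address(pkt["src"]) in ip_network(LAN_NET):
            return dict(out, src=IFACE_IP[rule.hairpin_if]), rule.name, True
        return out, rule.name, False
    return pkt, None, False


def demo():
    """Constructed requests to www.sangfor.com's address with and without the option."""
    publish = DnatRule("publish-www", "WAN1", "tcp", 80, "192.168.1.80", 80,
                       hairpin_if="LAN")
    plain = DnatRule("publish-www-plain", "WAN1", "tcp", 80, "192.168.1.80", 80)
    from_internet = {"src": "198.51.100.5", "dst": "202.96.137.89",
                     "proto": "tcp", "dst_port": 80}
    from_lan = dict(from_internet, src="192.168.1.50")
    return {
        "from_internet": apply_dnat([publish], from_internet),
        "from_lan_hairpin": apply_dnat([publish], from_lan),
        "from_lan_no_option": apply_dnat([plain], from_lan),
        "https": apply_dnat([publish], dict(from_internet, dst_port=443)),
    }


if __name__ == "__main__":
    for name, (pkt, rule, snat) in demo().items():
        print(f"{name:20s} -> {pkt['src']} -> {pkt['dst']}:{pkt['dst_port']} "
              f"rule={rule} auto_snat={snat}")
```

Note that the automatically created SNAT hides the real client address from
the published server for hairpinned connections: its access logs will show the
device's LAN interface address, which is worth remembering when correlating
server logs with the IAG's own audit records.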

3.11.4.4 IPv6 NAT

On the IPv6 NAT panel, you can set source and destination IPv6 NAT. Source
NAT involves translating the source IP addresses of data that meets the
conditions and is forwarded by the device. Destination NAT involves translating
the destination IP addresses of data meeting the conditions.

You can manage source IPv6 NAT rules, including adding and deleting rules.
See the following figure.

Example 1: The customer has obtained an IP address prefixed 2000::/64 from
carrier A and assigned this IP address to a PC on the intranet. The customer
then switches to carrier B and is assigned an IP address prefixed 3000::/64. The
customer does not want to modify the internal IP address structure. IPv6 NAT
is therefore required.

1. Click Add and select Source NAT. See the following figure.

Name: Enter the rule name.

Description: Enter the description of this rule.

Source: Select an internal network interface of the source zone from Interface
and enter the prefix of an internal IPv6 address in IP Addr/Prefix, for example,
2000::/64.

Destination: Select a network interface of the destination zone for data
forwarding.

Source NAT: Set the range of IPv6 addresses to which source IP addresses of
data meeting the conditions are translated. In this example, source IP
addresses will be translated to 3000::/64.

2. Click Add and select Destination NAT. See the following figure.

Name: Enter the rule name.

Description: Enter the description of this rule.

Source: Select a WAN interface of the source zone from Interface and enter
the prefix of an internal IPv6 address in IP Addr/Prefix, for example, 3000::/64.

Destination: Enter the IP Addr/Prefix of the destination address.

Destination NAT: Set the range of IPv6 addresses to which destination IP
addresses of data meeting the conditions are translated. In this example,
destination IP addresses will be translated to 2000::/64. See the following
figure.
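
The following Python script is an added illustration of the prefix translation
that the Source NAT and Destination NAT rules above perform for Example 1:
outbound packets from the internal prefix 2000::/64 have their source rewritten
to carrier B's 3000::/64, and replies arriving on the WAN interface for 3000::/64
have their destination mapped back to 2000::/64, with the host part of the
address preserved in both directions. It is not code from the IAG product; the
function names, the interface names LAN and WAN and the packets are
assumptions constructed for the example, and the rule direction is modelled on
the dialogs described in the text.

```python
"""IPv6 prefix translation for the source/destination NAT example
(added example, not Sangfor IAG code)."""
from ipaddress import IPv6Address, IPv6Network


def translate_prefix(addr, from_net, to_net):
    """Replace the from_net prefix of addr with to_net, keeping the host bits.
    Returns None when addr is outside from_net (the rule does not match)."""
    addr = IPv6Address(addr)
    from_net, to_net = IPv6Network(from_net), IPv6Network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("prefix lengths must be equal for 1:1 translation")
    if addr not in from_net:
        return None
    host_mask = (1 << (128 - from_net.prefixlen)) - 1
    return IPv6Address(int(to_net.network_address) | (int(addr) & host_mask))


def source_nat(pkt, src_if="LAN", dst_if="WAN",
               internal="2000::/64", external="3000::/64"):
    """Source NAT rule: packets entering on src_if and leaving on dst_if get
    the internal source prefix rewritten to the external one."""
    if pkt["in_if"] != src_if or pkt["out_if"] != dst_if:
        return pkt
    new_src = translate_prefix(pkt["src"], internal, external)
    return pkt if new_src is None else dict(pkt, src=str(new_src))


def destination_nat(pkt, src_if="WAN", external="3000::/64", internal="2000::/64"):
    """Destination NAT rule: packets arriving on the WAN interface for the
    external prefix have their destination mapped back to the internal prefix."""
    if pkt["in_if"] != src_if:
        return pkt
    new_dst = translate_prefix(pkt["dst"], external, internal)
    return pkt if new_dst is None else dict(pkt, dst=str(new_dst))


def demo():
    """A constructed request from the intranet PC and the matching reply."""
    out = source_nat({"in_if": "LAN", "out_if": "WAN",
                      "src": "2000::1234:5678", "dst": "2001:db8::53"})
    back = destination_nat({"in_if": "WAN", "out_if": "LAN",
                            "src": "2001:db8::53", "dst": out["src"]})
    return out["src"], back["dst"]


if __name__ == "__main__":
    translated, restored = demo()
    print("outbound source :", translated)
    print("inbound dest    :", restored)
```

Because the host bits are kept, the mapping is one-to-one and reversible, which
is what lets the reply be routed back to the original 2000::/64 host without any
per-connection state.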

3.11.5 General

General involves the configuration of licenses, administrator accounts, system
time, automatic upgrade, alarm options, global exclusion addresses, backup
and recovery, terminal page, report center, and advanced settings.

3.11.5.1 Authorization

Authorization settings include Device License, Multi-Function License, Security
License, Application Signature Database, Third-Party URL Database License,
Software Update License, and Service License Expiration Date.

Device License: The device license activates the device and authorizes the
number of lines, number of branches, and mobile users.

Multi-Function License: The function license activates multi-function
authorization, including the VPN, audit (including behavior audit and content
audit), data center USB Key check, and SSL monitoring functions.

Security License: The antivirus SN authorizes the upgrade of the virus
definition library of the antivirus module.

Application Signature Database: This license activates the update validity
period of embedded libraries, including the URL Database, application
identification library, and audit rule library.

Software Update License: This license upgrades the software of the device.

Third-Party URL Database License: This license activates the update validity
period of the URL Database from third parties.

Sangfor URL Database: This license activates the update validity period of URL
Database from Sangfor.

Click Edit and enter the license to activate the authorization of the
corresponding function.

3.11.5.2 Administrator

On the Administrator page, you can set a user account for managing the
device on the console. In the navigation area, choose System > General >
Administrator. The Administrator pane is displayed on the right, as shown in
the following figure.

Click Add to add an administrator account, Delete to delete an administrator
account, Enable to enable an administrator account, Disable to disable an
administrator account, or Administrative Role to define the permission of an
administrator account. When multiple administrators are required for
hierarchical management, you need to define the permission level of each
administrator. In the administrator account list, administrator accounts are
displayed in descending order of permission level. If two administrators share
the same jurisdiction scope, the administrator with a higher permission level
can modify the policy created by the administrator with a lower permission
level. The policy created by the administrator with a higher permission level
takes precedence over that created by the administrator with a lower
permission level. The role of "administrator" is embedded. An account with the
role "administrator" can manage the entire organization structure and add and
delete administrator accounts.

Example 1: Add a console administrator.

1. Add a role. Different roles have different priorities. The administrator
accounts are displayed in descending order of priority. An administrator
with a lower priority cannot modify objects created or modified by an
administrator with a higher priority. Click Administrative Role. The
Administrative Role dialog box is displayed. Click Add, enter the
username and description of the role to be added and click Commit.

2. Create an administrator account. Click Add. The Administrator Roles
dialog box for creating an administrator account is displayed. Set related
parameters on the Login Security tab.

Username: Enter the username of the account for logging in to the console.

Administrator Role: Select the role defined in step 1.

Login Security: Enter the account's console password in New Password and Retype Password. You can also restrict the IP addresses from which the account may log in to the console: enter a single IP address or an IP address segment per row, up to a maximum of 32 rows.

Mail Verification: When enabled, an administrator whose account requires mail verification is prompted on the gateway console login page with a box for requesting and entering a verification code.

3. On the Realm page, set the user groups that the added administrator account may manage. Click Select and select a group in the displayed organization structure.

4. In Permission, set whether the administrator account can view or edit other modules on the console.
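The Login Security IP restriction above is the control that keeps a stolen administrator password from being usable from an arbitrary host. The following is an added example (not Sangfor code) that validates such a list the way the page describes it, one single IP address or segment per row with a maximum of 32 rows, and checks a client address against it. The accepted segment notations (a CIDR prefix or a first-last range) and the treatment of an empty list as "no restriction" are assumptions made for the example; the sample rows are constructed.

```python
"""Validate and apply the Login Security IP restriction for a console administrator.

Added example, not Sangfor code. The page states that each row holds a single
IP address or an IP address segment and that at most 32 rows are allowed; the
accepted segment notations below (CIDR prefix, or a first-last range) are an
assumption, as is treating an empty list as "no restriction".
"""
import ipaddress
from typing import List, Union

MAX_ROWS = 32  # limit stated on the page

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_login_rows(text: str) -> List[Network]:
    """Turn the multi-line field into a list of networks, rejecting bad input."""
    rows = [line.strip() for line in text.splitlines() if line.strip()]
    if len(rows) > MAX_ROWS:
        raise ValueError(f"{len(rows)} rows configured, maximum is {MAX_ROWS}")
    networks: List[Network] = []
    for row in rows:
        if "-" in row:
            # Assumed range notation: first-last, both written as full addresses.
            first, last = (ipaddress.ip_address(p.strip()) for p in row.split("-", 1))
            if first.version != last.version or first > last:
                raise ValueError(f"invalid range: {row}")
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # Single address or CIDR segment; strict=True refuses host bits in a prefix.
            networks.append(ipaddress.ip_network(row, strict=True))
    return networks


def login_allowed(networks: List[Network], client_ip: str) -> bool:
    """An empty list means no IP restriction is configured (assumption)."""
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


# Constructed sample field contents: one jump host, one admin subnet, one range.
SAMPLE_ROWS = """
10.0.0.5
10.0.1.0/24
192.168.1.10-192.168.1.20
"""

if __name__ == "__main__":
    nets = parse_login_rows(SAMPLE_ROWS)
    for ip in ("10.0.1.77", "192.168.1.15", "192.168.1.21", "203.0.113.9"):
        print(ip, "allowed" if login_allowed(nets, ip) else "denied")
```

Keep the list to management hosts only; an address range that happens to include ordinary user workstations gives every phished administrator password a usable login path.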


Example 2: Create an administrator role "Manager" and an administrator account emily. Set the password to @1234abcd. Grant permission to manage the Director Group and to view and edit the Users and Object pages. Assign the role "Manager" to the administrator account.

1. Add a role. On the Administrator page, click Administrative Roles. In the Administrative Roles dialog box, click Add, enter the role name Manager and a description of the role, and click OK.


2. Create an administrator account. On the Administrator page, click Add. In the Administrator dialog box, enter the username emily and a description of the account, and select the role Manager. On the Login Security page, enter the password @1234abcd and confirm it.


3. On the Realm page, click Select, select Director Group in the displayed
organization structure, and click Commit.

4. On the Permission page, grant permission for viewing and editing the
Users and Object pages and click Commit. The administrator account
emily is created and associated with the role Manager successfully.


5. Log in to the console with the account emily. You can view online users in the Network department group and mail approval information, manage the Director Group and its Internet access policies and Objects, and set user authentication.


Example 3: Add two administrator roles, Campus administrator and School administrator, and two administrator accounts, test1 and test2. Associate test1 with the Campus administrator role, which can manage all students. Log in as test1 and define a policy that prevents all students from playing games in class. Associate test2 with the School administrator role, which can manage the computer school students. Log in as test2 and define a policy that prevents computer school students from accessing Facebook in class.

1. Add two administrator roles: Campus administrator and School administrator.

In the Administrative Roles list, roles are displayed in descending order of permission level. As shown in the following figure, the permission level of the Campus administrator role is higher than that of the School administrator role.


2. Create two administrator accounts, test1 and test2. Associate test1 with the Campus administrator role, which can manage all students. Associate test2 with the School administrator role, which can manage the computer school students.


3. Log in to the console with the administrator account test1 and define a policy named No Game During Class Time that applies to the All-students user group. For details about defining a policy, choose Access Mgt > Policies. See the following figure.

4. Log in to the console with the administrator account test2 and define a policy named No Facebook During Class Time that applies to the IT school group under All-students. For details about defining a policy, choose Access Mgt > Policies. See the following figure.


The priority of a policy depends on the permission level of the role that creates it. The policy created by the campus administrator takes precedence over that created by the school administrator. If the campus administrator test1 selects Give view privilege to administrator in lower-level role, the school administrator test2 can view the policy defined by test1 but cannot modify it. See the following figure.

An administrator cannot modify an Internet Access Policy defined by another administrator of the same permission level if their jurisdiction scopes are different. For example, if test2 and test3 are both associated with the Campus administrator role, but test2 is authorized to manage the computer school and test3 the management school, neither administrator can modify an Internet Access Policy defined by the other.

1. The role determines the level of an administrator. In the Administrative Roles list, roles are displayed in descending order of priority.

2. A higher-level administrator can set whether to allow a lower-level administrator to view a policy they defined, or allow an administrator of the same level to view and edit it.

3. By default, a lower-level administrator cannot modify an Internet Access Policy defined by a higher-level administrator.

4. If administrator A selects Give view privilege to administrator in lower-level role for an Internet Access Policy, administrator B of the same level can edit this policy only if A and B share the same jurisdiction scope or the scope of B covers that of A.

5. If administrator A selects Give view privilege to administrator in lower-level role for an Internet Access Policy, higher-level administrator C can edit this policy only if A and C share the same jurisdiction scope or the scope of C covers that of A.

6. The priority of an Internet Access Policy depends on the level of the administrator that creates it. A policy created by a higher-level administrator has a higher priority. The priorities of policies created by administrators of the same level can be adjusted. For details about the matching sequence of Internet access policies, see section 3.5.1.4.

7. After an administrator is deleted, the user groups and users created by that administrator are unaffected, and the priority of the Internet Access Policies created by that administrator remains unchanged; the recorded creator of these objects becomes admin.

8. The built-in Administrator role has the highest permission level and cannot be deleted. Only an administrator with the Administrator role can create roles and administrator accounts.

9. To delete an administrator role, first delete the administrators of this role and the Internet Access Policies created by them, and then delete the role.
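Rules 1 to 6 are easiest to reason about as a small access-control model. The following is an added example (not Sangfor code) that encodes them so a concrete set of roles, administrators and policies can be checked, reproducing Example 3 (test1, test2) and the same-level case with test3 from the paragraph above. The numeric role levels, the group names, and the use of set inclusion for "jurisdiction scope covers" are assumptions made for the example.

```python
"""Model of the administrator hierarchy rules for Internet Access Policies.

Added example, not Sangfor code: it encodes rules 1 to 6 above so that a
concrete set of roles, administrators and policies can be checked. The numeric
levels, the group names and the use of set inclusion for "jurisdiction scope
covers" are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Role:
    name: str
    level: int  # higher value = higher permission level (assumed encoding)


@dataclass(frozen=True)
class Admin:
    name: str
    role: Role
    scope: FrozenSet[str]  # user groups in the administrator's Realm


@dataclass(frozen=True)
class Policy:
    name: str
    creator: Admin
    view_for_lower: bool = False  # "Give view privilege to administrator in lower-level role"


def scope_covers(a: Admin, b: Admin) -> bool:
    """Same jurisdiction scope, or a's scope covers b's (set inclusion, assumed)."""
    return a.scope >= b.scope


def can_view(admin: Admin, policy: Policy) -> bool:
    creator = policy.creator
    if admin == creator:
        return True
    if admin.role.level < creator.role.level:
        return policy.view_for_lower      # rule 2: a lower level sees it only if granted
    return scope_covers(admin, creator)   # same or higher level, within scope


def can_edit(admin: Admin, policy: Policy) -> bool:
    creator = policy.creator
    if admin == creator:
        return True
    if admin.role.level < creator.role.level:
        return False                      # rule 3
    if not policy.view_for_lower:
        return False                      # rules 4 and 5 both require the privilege
    return scope_covers(admin, creator)   # rules 4 and 5: same scope, or covers it


def matching_order(policies: List[Policy]) -> List[Policy]:
    """Rule 6: higher creator level first; the stable sort keeps the admin-adjusted
    order of policies whose creators share a level."""
    return sorted(policies, key=lambda p: -p.creator.role.level)


# Constructed sample reproducing Example 3 plus the same-level case (test3).
CAMPUS = Role("Campus administrator", 2)
SCHOOL = Role("School administrator", 1)
TEST1 = Admin("test1", CAMPUS, frozenset({"computer school", "management school"}))
TEST2 = Admin("test2", SCHOOL, frozenset({"computer school"}))
TEST3 = Admin("test3", CAMPUS, frozenset({"management school"}))

NO_GAME = Policy("No Game During Class Time", TEST1, view_for_lower=True)
NO_FACEBOOK = Policy("No Facebook During Class Time", TEST2)
MGMT_POLICY = Policy("Management school hours", TEST3, view_for_lower=True)

if __name__ == "__main__":
    for admin in (TEST1, TEST2, TEST3):
        for pol in (NO_GAME, NO_FACEBOOK, MGMT_POLICY):
            print(f"{admin.name:5} {pol.name:30} view={can_view(admin, pol)!s:5} "
                  f"edit={can_edit(admin, pol)}")
    print([p.name for p in matching_order([NO_FACEBOOK, MGMT_POLICY, NO_GAME])])
```

The useful property to check when delegating administration is the negative one: test3, although a Campus administrator, cannot edit test1's policy because its scope does not cover test1's, and test2 cannot edit it at all.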

3.11.5.2.1 Email Verification

Two-factor verification is available for admin accounts. By default, this function is disabled. To use it, select Email verification in the corresponding admin account.

Enabling this function for the admin account is not recommended.


Configure Email Notification:


After configuration, log in to the device console:

If the account does not have Email Notification configured, you log in to the console as usual.

If the account has Email Notification configured, the verification code box appears:


Enter the verification code received by email.

Complete authentication and then log into the console.

3.11.5.2.2 Admin Account of External Authentication Server

External authentication is available for admin accounts and supports the TACACS+, RADIUS, and LDAP protocols. TACACS+ does not support IPv6; RADIUS and LDAP do. Each admin account must use either local authentication or external authentication. Local authentication is enabled by default for a new admin account.

If all admin accounts are to be kept on the authentication server, click External Auth Server to configure the external authentication server:


After configuration, add a new admin account, enter the username, select External authentication, and submit.


Switch an account to the Disabled status if it is not in use, whether it is a local or an external account.


3.11.5.3 Date/Time

On the Date/Time page, you can set the system time of the Sangfor IAG, either directly or by synchronizing it with a time server. Keep the system time accurate: log timestamps, certificate validity checks, and schedule-based policies all depend on it.

In Date/Time, you can view the current system time or manually set the
system time. Click Sync with Local PC to synchronize the system time with the
time on the PC from which you log in to the console or click System Time to
refresh the system time in real-time.

You can also set the system time to be synchronized with the time server.
Specifically, select a time zone where the device resides in Time Zone, select
Sync Time with NTP Server, and set an Internet time server. Then the device
will automatically synchronize its time with the time server.


3.11.5.4 Update

You can configure and manage system update, proxy server, and database
update on the Update page.

3.11.5.4.1 System Update

On the System Update page, you can upload an upgrade package to upgrade
the device's software, as shown in the following figure.

3.11.5.4.2 Proxy Server

The device needs to access the Internet to upgrade embedded libraries. If the
device cannot access the Internet and an HTTP proxy server exists, you can set
the proxy server on the Proxy Options page so that the device can access the
Internet through the proxy server to upgrade embedded libraries. Select
Enable Proxy Server, enter the proxy server's IP address and port number,
select Authentication required, and enter the username and password. See
the following figure.


3.11.5.4.3 Database Update

On the Database Update page, you can manage the upgrade of the virus
database, URL database, system patch, application signature database, and
audit rule database.

Click Enable to enable the automatic upgrade of embedded libraries, Disable to disable it, and Refresh to view real-time version information about the embedded libraries.

Click the upgrade icon to manually upgrade a rule library within the validity period of the upgrade service.

Click the rollback icon to roll back a rule library to the version before the upgrade. The application identification rule library and the Ingress Rule Database support rollback.


Click Upgrade Server. On the Upgrade Server page, configure the upgrade server to which the device connects. It is recommended that Auto Select Server be selected so that the device automatically detects an available upgrade server.

3.11.5.5 Alarm Options

On the Alarm Options page, you can configure the device to alert the administrator by mail in any of the following cases:

⚫ Internal DoS attack is detected

⚫ ARP spoofing attack is detected

⚫ High Availability event

⚫ Mobile endpoint related alert

⚫ Botnet is detected

⚫ Virus is detected

⚫ Malicious URL is detected

⚫ Sensitive keyword is detected

⚫ Disk error

⚫ Throughput exceeds threshold

⚫ Report Center related error

⚫ CPU usage exceeds threshold

⚫ Memory usage exceeds threshold

⚫ Give alert when MAC address is excluded automatically

⚫ License is about to expire or expires

⚫ Key business disconnectivity

⚫ Network issue

⚫ Simultaneous upgrade error

Select Enable Email Alarm to enable the event alarm function for the device. In Event, select alarm events based on the actual situation.

Click Throughput exceeds threshold to set the throughput alarm. You can set the duration and alarm threshold for outbound, inbound, and total traffic. When you set Period (minute) to 5 and Maximum (Kbps) to 100, an alarm is reported if the traffic exceeds 100 kbps for 5 minutes. When both parameters are set to 0, no alarm is reported. Click OK for the settings to take effect. See the following figure.

Click CPU usage exceeds threshold to set the CPU usage alarm. You can set the duration and alarm threshold. When you set Period (minute) to 5 and Threshold (%) to 90, an alarm is reported if the CPU usage exceeds 90% for 5 minutes. When both parameters are set to 0 or CPU usage exceeds threshold is not selected, no alarm is reported. Click Commit for the settings to take effect. See the following figure.

Click Memory usage exceeds threshold to set the memory usage alarm. You can set the duration and alarm threshold. When you set Period (minute) to 5 and Threshold (%) to 90, an alarm is reported if the memory usage exceeds 90% for 5 minutes. When both parameters are set to 0 or Memory usage exceeds threshold is not selected, no alarm is reported. Click Commit for the settings to take effect. See the following figure.

Click Key Service Inspection Alarm to set the key service inspection alarm. The device uses periodic ping packets to detect whether a service is reachable. You can set the inspection frequency, the number of inspection packets, and the target hosts to be inspected.

When the device is deployed in active-standby mode, click Accompanied Update Alarm to be alerted when the accompanying update fails.

Probe Interval (mins): The interval between inspections of each target IP address.

Packets per Probe: The number of packets sent to a target IP address in each round of inspection. If 100% of the ping packets are lost in a round, the host is considered unreachable.

Target Hosts: Enter the target hosts to be inspected, one IP address or domain name per row (IPv4, IPv6, and domain names are supported). IP segments and subnets are not supported.

At most, 64 target hosts can be entered.
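The alarm semantics above are easy to misread when tuning: a threshold alarm fires only when the metric stays above the threshold for the whole Period, setting both values to 0 disables it, and the key service probe declares a host down only at 100% packet loss in a round, so a flapping link with one answered packet produces no alarm. The following is an added example (not Sangfor code) that models these three behaviours and the Target Hosts input rules over constructed sample data. One sample per minute and the hostname syntax check are assumptions.

```python
"""Evaluate the Alarm Options semantics described above on sample data.

Added example, not Sangfor code. It models three things the page states: a
threshold alarm fires only when the metric exceeds the threshold for the whole
Period, a Period and threshold of 0 disable the alarm, and a key-service probe
reports a host as unreachable only at 100% packet loss in a round. One sample
per minute and the hostname syntax check are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Sequence

MAX_TARGET_HOSTS = 64  # limit stated on the page
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


@dataclass(frozen=True)
class ThresholdRule:
    period_min: int   # "Period (minute)"
    threshold: float  # "Threshold (%)" or "Maximum (Kbps)"

    def enabled(self) -> bool:
        return self.period_min > 0 and self.threshold > 0  # both 0 -> no alarm


def threshold_alarm(rule: ThresholdRule, samples: Sequence[float]) -> bool:
    """samples: one measurement per minute, oldest first (assumption).
    Fires only when every sample in the last period_min minutes exceeds the threshold."""
    if not rule.enabled() or len(samples) < rule.period_min:
        return False
    return all(value > rule.threshold for value in samples[-rule.period_min:])


def probe_host_down(replies: Sequence[bool]) -> bool:
    """replies: one entry per ping packet in a round, True if answered.
    The page counts a host as unreachable only when 100% of packets are lost."""
    return len(replies) > 0 and not any(replies)


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def validate_target_hosts(rows: Sequence[str]) -> List[str]:
    """One IPv4/IPv6 address or domain name per row; segments and subnets are rejected."""
    hosts = [r.strip() for r in rows if r.strip()]
    if len(hosts) > MAX_TARGET_HOSTS:
        raise ValueError(f"{len(hosts)} targets, maximum is {MAX_TARGET_HOSTS}")
    for host in hosts:
        if "/" in host:
            raise ValueError(f"IP segments and subnets are not supported: {host}")
        parts = host.split("-", 1)
        if len(parts) == 2 and _is_ip(parts[0]) and _is_ip(parts[1]):
            raise ValueError(f"IP ranges are not supported: {host}")
        if not _is_ip(host) and not HOSTNAME_RE.match(host):
            raise ValueError(f"not an IP address or domain name: {host}")
    return hosts


# Constructed sample data.
CPU_RULE = ThresholdRule(period_min=5, threshold=90)
CPU_SUSTAINED = [40, 91, 95, 97, 93, 99]   # last five minutes all above 90
CPU_SPIKE = [40, 91, 95, 60, 93, 99]       # one dip inside the window
PING_ROUND_LOST = [False, False, False, False]
PING_ROUND_PARTIAL = [False, True, False, False]

if __name__ == "__main__":
    print("sustained ->", threshold_alarm(CPU_RULE, CPU_SUSTAINED))
    print("spike     ->", threshold_alarm(CPU_RULE, CPU_SPIKE))
    print("disabled  ->", threshold_alarm(ThresholdRule(0, 0), CPU_SUSTAINED))
    print("all lost  ->", probe_host_down(PING_ROUND_LOST))
    print("partial   ->", probe_host_down(PING_ROUND_PARTIAL))
    print(validate_target_hosts(["10.0.0.1", "2001:db8::10", "intranet.example.com"]))
```

When choosing Packets per Probe, remember that the 100% rule means a larger packet count makes the alarm less sensitive to intermittent loss, not more.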

3.11.5.5.1 Email Alarm

Email Delivery Option: By default, email delivery uses the global settings.

If different recipient addresses and delivery intervals are required, set the option. See the picture below:


Attack Alarm: set the recipient address and delivery interval of the attack
alarm email. Details of other alarms will not be stated here. See the picture
below:

Select Use global settings to use the global settings in the SMTP server.

Custom delivery options: Can customize the recipient, subject, and interval of
the delivery.

Subject: Customize the subject of the alarm email. Enter any text that is easy
to be recognized but be sure not to enter special characters.


Interval: Set the interval of delivering the alarm email.

SMTP server: Set the mail server for sending alarm emails and the recipient
addresses, etc.

In Email Delivery, specify the recipient address, alarm mail subject, and
interval for sending alarm notification mails.

Recipient: Specifies the mailbox for receiving alarm notification mails.

Subject: Specifies the title of an alarm notification mail. You can enter any text.

Interval: Specifies the interval for sending alarm notification mails. Click Send
Testing Email to send a test mail.

For Notification Options, please refer to the section 3.11.3.10.14 for the
configuration.


3.11.5.5.2 Syslog Alarm

Click Syslog Server Settings to go to System Config > Advanced and configure the external Syslog server.

3.11.5.5.3 SNMP Trap Alarm

Click SNMP Trap Settings to go to System Config > Advanced, enable SNMP, and enable the SNMP Trap function to connect to the SNMP server.

See section 3.12.3.10.9 SNMP Options for the configuration of the SNMP trap connection.

3.11.5.6 Global Exclusion

On the Global Exclusion page, you can add the IP address of an intranet user or a destination server to the exclusion list. Traffic from an excluded intranet user, or to an excluded destination server, is then not monitored or controlled by the device. You can set an IPv4 address, an IPv6 address, or a domain name in the list. Keep this list as short as possible: every excluded address is a gap in policy enforcement and auditing.


In Predefined Excluded Addresses, the addresses of the upgrade servers of antivirus software and firewalls are listed to avoid upgrade failures caused by conflicts with the defined policies. You can disable an address in the built-in exclusion list, but you cannot delete any address.

In Custom Excluded Addresses, you can add your own exclusion addresses. Click Add, enter the description and address in the displayed Add Excluded Address dialog box, and click OK for the settings to take effect.


3.11.5.7 Backup/Restore

On the Backup/Restore page, you can download and save the device
configurations or import a backed-up device configuration file.


Backup Configurations: Click Download to back up the device configurations. A configuration backup contains the full device configuration; store it with the same care as the console credentials themselves.

Restore Configurations: You can recover device configurations from a backup file in either of the following ways:

⚫ Restore from auto backup

The device automatically backs up the configurations at midnight every day. By default, configuration files are retained for a month. Select a configuration file and click Restore.

⚫ Restore from backup on local PC

Click Upload, select a backup file, and click Restore.

Restore to Factory Defaults: Click Restore to Factory Defaults to restore the device's factory settings. Logs in the data center are not included. Exercise caution when you perform this operation.

3.11.5.8 Custom Webpage

On the Custom Webpage page, you can define the custom page to which the
device redirects. Two types of pages can be defined: bulletin board and other
pages, which include the following:

⚫ Access Denied

⚫ Virus Detected

⚫ Daily Online Duration Quota has been Used Up

⚫ Ingress Client

⚫ Online duration quota is About to be Used Up

⚫ Flow Quota is About to be Used Up

⚫ Daily Flow Quota has been Used Up

⚫ Monthly Flow Quota has been Used Up

⚫ Traffic Reaches Threshold

⚫ User Locked

⚫ SSO Before Access

⚫ Connection Sharing Detected

⚫ Access on Mobile Devices is Denied

On the Bulletin Board pane, click the name of a Bulletin Board. The Edit
Predefined Bulletin Board dialog box is displayed, as shown in the following
figure.


In the Edit Predefined Bulletin Board dialog box, you can change the source code to change the displayed page. We recommend that you change only the text and pictures. Other changes may break links on the page.

Click Resource File to upload .jpg or .gif pictures to be displayed on a customized page. Specifically, click Resource File, select the object to upload, and change the picture and JavaScript file names in Edit Page.

Click Restore Default to resume the original page.

Click the code view icon to display the page text as source code. Click the full-screen icon to display the customized Bulletin Board in full screen.

Click Commit to save the customized page. Click View to preview the
customized page. Click Clone to copy the customized page.

Click Download to download the customized page. After modification, click Update to upload the modified .zip package and apply it to the page.


For the customization of other pages, see the procedure for customizing a
Bulletin Board.

3.11.5.9 Report Center

On the Report Center page, you can configure information about the external
and internal report centers. The external report center contains server
information, and the internal report center contains automatic log deletion
options. See the following figure.

On the Sync Policy page, you can set the IP address of the external report
center, name of the synchronization policy, Pre-Shared key, and Web-Access
port of the report center.

Click the test icon to test the connectivity between the device and the data center server.

Click the sync icon to send an immediate synchronization instruction to the data center server to synchronize log data.

Click External Report Center to access the web UI of the external report center. The default username and password for logging in to the external report center are both admin; change them after the first login. See the following figure.


Click New, and the Edit Sync Policy interface appears. Add a new report center server.

IP Address: Enter the address of the server on which the external report center is installed. An IP address or domain name is supported; ensure that the device can correctly resolve the domain name.

Type: Select either BA (behavior awareness system) or DLA (domestically launched attacks).

Listening Port: By default, the communication port for BA is TCP 810, and that for DLA is TCP 1081. Enter the synchronization account information for the external report center in Policy Name and Connection Secret Key (a connection to DLA needs no secret key).

Web-Access Port: Set the port on which the external report center provides its web service. Click Commit after configuration.


On the Internal Report Center page, set disk alarm parameters and
automatic log deletion parameters.

Disk Usage Alarm Options:

Days Access Control Logs are Preserved: specifies the retention period of
logs in days.


Disk Usage Alarm Threshold: When the disk usage exceeds the specified
threshold and the log retention period is not reached, a warning will be
reported by mail.

You can set mail warning information on the Alarm Options page.

Auto Logs Deletion:

Set disk usage threshold. Delete access control logs on the earliest day if threshold is reached: When the specified disk usage percentage is exceeded, the system automatically deletes the access control logs generated on the earliest day.

Enable automatic deletion: Limits the maximum number of days logs are retained. It is disabled by default; the default value is 365.

When there are many logs, you can select Disable Internal Report Center (to
save resources and enhance logging performance) to ensure that the device
can record complete logs and improve the audit performance. However, after
this option is selected, the internal report center is not accessible. In this case,
it is recommended that an external report center be installed.

Click OK to finish the settings.

3.11.5.10 Advanced Settings

On the Advanced page, you can complete other system settings of the device,
including Web UI, Proxy, Remote Tech Support, Syslog Server, Central
Management, Device Name, Server Certificate, SNMP, and other Options.

3.11.5.10.1 Web UI

On the Web UI page, you can set the Default Encoding, Speed Unit, Radix,
HTTPS Port, Inactivity Timeout, and Issue SSL Certificate To, and click
Certificate to download a certificate. See the following figure.


Default Encoding: specifies the default encoding for processing monitored data when the encoding of the data cannot be recognized. It can be GBK or BIG5.

Speed Unit: specifies the unit of monitored network traffic. Click to select a unit.

Radix: specifies the conversion factor of the traffic unit. It can be 1000 or 1024.

HTTPS Port: specifies the port used for logging in to the console. The default port is TCP 443.

Inactivity Timeout: specifies the idle timeout of the console. If the administrator performs no operation on the console within the specified period, the session is automatically disconnected.

Max Attempts: specifies the number of login attempts allowed. The default is 5, consistent with the default value of the old version, and can be modified in the new version within 1 to 90.

Issue SSL Certificate To: specifies the IP address or domain name to which
the SSL certificate for logging in to the console is issued.

Click Certificate to download the SSL certificate of the console. After this certificate is installed, the SSL certificate warning message is no longer displayed on the login page of the console.

Click Commit to save the settings.

3.11.5.10.2 Proxy

When a proxy server is required for Internet access, all user data is forwarded to the proxy server. Modules such as the firewall decide whether to reject a connection based on the destination address and port, so with a proxy in the path they would only see the proxy's address and many functions would become unavailable. To keep these modules functional, they must correctly identify the actual destination address and port of data forwarded to the proxy server.

The following figure shows the network topology.


Ensure that the data bound to the proxy server is forwarded to the device first.
The proxy server must connect to the WAN interface of the device.

By default, the device will detect all proxy data. You can configure the device to
detect the data of a fixed proxy server on the Proxy page. See the following
figure.

Enter the IP address of a proxy server or an IP address range.

The device will detect whether the data destined for an IP address listed on the
Proxy page is proxy data and control the Internet access permission
accordingly. If the list is blank, the device will detect all data, which reduces the
working efficiency of the device. Therefore, it is recommended that the IP
address of a proxy server is listed.

Click Commit to save the settings.

3.11.5.10.3 Remote Tech Support

On the Remote Tech Support page, you can set whether to allow remote login
to the device from a WAN interface, Report unidentified URL, Report system
error, and Report unidentified application, and whether to Enable Access
Backstage.


Enabled: Specifies whether to allow remote login to the device from a WAN interface. If this option is selected, the ping function is automatically enabled for the WAN interface of the device. Combine it with the Login Security IP restriction on the administrator accounts so that the console is not reachable from the whole Internet.

Report unidentified URL: Specifies whether to upload unrecognized URLs automatically. After this option is selected, URLs that the URL Database cannot recognize are reported to the manufacturer. Information about the company is not leaked.

Report system error: Specifies whether to report system errors automatically. After this option is selected, information about system errors is automatically reported to the manufacturer. Information about the company is not leaked.

Report unidentified application: Specifies whether to upload unknown application information automatically. After this option is selected, information about unknown applications is automatically reported to the manufacturer. Information about the company is not leaked.

After technical support assistance is enabled, technical support engineers can remotely connect to the device and the intranet. Enable it only for the duration of a support case.

Click Enable Access Backstage to enable access to the system backstage; it is disabled again after one day by default.


To download the black box for the last 1 to 30 days, click Download Black Box.

Click Commit to save the settings.

3.11.5.10.4 Syslog Server

On the Syslog Server pane, you can synchronize the System Logs, Email Alarm
Logs, and Admin Logs on the device to the configured Syslog server.

Syslog Server IP Address: specifies the IP address of the Syslog server.

System Logs: include debugging logs, information logs, alarm logs, and error logs. Select Debug Logs to synchronize the debugging logs on the device to the Syslog server, Info Logs to synchronize the information logs, Warning Logs to synchronize the alarm logs, and Error Logs to synchronize the error logs.

Select Email Alarm Logs to synchronize the email alarm logs on the device to the Syslog server. Select Admin Logs to synchronize the administrator operation logs to the Syslog server. Admin Logs are the record of console changes; forward them to a collector that the device administrators themselves cannot modify.

3.11.5.10.5 Central Management

On the Central Management page, you can set whether to incorporate the
IAG into centralized management. After the IAG is incorporated into centralized
management, the administrator of the central end can deliver policies to the
IAG. In addition, the permission of a controlled end can be assigned by the
central end.

The device supports central management by BBC or X-Central (cloud image).

Configuration for connection to BBC:

Disconnect from central management: after the device has been added to central management, it can be released from control by entering the password held by the administrator of the central end. The option is greyed out while the device is not connected to the central end; you can click it after the connection is established.

BBC Server Address: the address of the central management device to connect to. The administrator of the central end provides the address.

Click the test button to test whether the IP address and port can be connected to.

Device Name: the username for connecting to the central end.

Sync credentials if any change is made: when selected, the device name of the local controlled end is kept in sync with the name set here.

Password: the password for connecting to the central end.

Configuration for connection to X-Central:

CorpID: the corporate ID of X-Central.

Device Name: the username for connecting to the central end.

Sync credentials if any change is made: when selected, the device name of the local controlled end is kept in sync with the name set here.

Password: the password for connecting to the central end.

After the IAG is connected to the center end for centralized management, the configurations
delivered by the central end cannot be edited or deleted on the controlled end.

3.11.5.10.6 Device Name

You can set device names to distinguish controlled devices when multiple
devices are connected to the central end, or to distinguish devices that
synchronize data to the external data center when multiple devices perform
data synchronization by using the same account. See the following figure.

If no device name is set, the centralized management account is used as the device name by
default after the device is connected to the central end for centralized management.

3.11.5.10.7 Server Certificate

A certificate needs to be generated when the device is connected to the central
end for centralized management. A hardware certificate uniquely identifies an
IAG. It can be generated and imported to the central end to prevent other IAG
devices from connecting to the central end using the same account. See the
following figure.

3.11.5.10.8 SNMP

On the SNMP page, you can set and enable the SNMP function for the IAG. See
the following figure.

Enable SNMP v1/v2: To enable SNMPv1 and SNMPv2. You need to set a
community name. You can view the running status of the device based on the
specified community name on an SNMP client.

Enable SNMP v3: To enable SNMPv3.

UMS User: Specifies the UMS username.

Authentication Required: To enable identity authentication and set an
identity Auth Method, which can be set to MD5 or SHA.

Encryption: To enable DES encryption and set an encryption password.

Enable SNMP TRAP: Used to actively send the device alarm log to the SNMP
server. It is disabled by default, and the default port is 162.

Download MIB: Click this button to download the MIB of the device and
import it to the SNMP management software to monitor the parameters of the
device.

3.11.5.10.9 DNS Service

If you need to use IAG as a DNS server, you need to check this option.

3.11.5.10.10 Open Interface

More and more customer environments are deployed with a centralized
management platform, and administrators want centralized management and
maintenance of IAG devices.

Any system that supports a RESTful interface can read data from and manage IAG
devices through the Open Interface function.

Shared Secret Key is for setting the shared password for the third-party
management platform.

Allow IP using this interface is the IP of the third-party management
platform.

See Download Interface Description Document for details.

3.11.5.10.11 Other Options

VPN Port Location: Includes the LAN and WAN.

LAN Zone: Default value, indicating that the VPNTUN interface belongs to the
LAN by default.

WAN Zone: If WAN is selected, all data passing the VPNTUN interface will be
regarded as data sent from the LAN to the WAN and be authenticated, audited,
and controlled.

NAT ESP Packets: It is enabled by default. Under special circumstances, when
the IPSec Encapsulating Security Payload (IPSec ESP) protocol is used and the
security parameter index (SPI) values in the same connection are found to be
inconsistent, this function needs to be disabled.

NAT ALG: It is enabled by default. With this function enabled, the network
address translation on the application level gateway (NAT ALG) is configured
for SIP and H323 video protocols by the device. When the video client enables
NAT traversal, this function needs to be disabled.

Privacy options: Provide the option to join the User Experience Improvement
Program.

View logs: Show privacy log.

3.11.5.10.12 Redirection/Proxy

When the IAG is deployed in bridge mode, if the bridge IP address cannot
communicate with endpoints, functions involving redirection such as web
authentication, Ingress, and proxy detection, require the communication with
PCs on the intranet, which can be implemented by the IAG using virtual IP
addresses by default.

Redirection: Involves authentication redirection and rejection redirection.

If Enable destination-based routing, and specify port to forward redirected
data is selected, the device will query routing rules and select an egress
before sending redirection packets. By default, the WIWO principle is observed
in sending redirection packets.

Proxy: Includes mail proxy and SSL proxy.

If Enable destination-based routing, and specify port to forward proxy data
is selected, the device will query routing rules and select an egress before
sending proxy data. By default, the WIWO principle is observed in sending proxy
data.

Select Do not restore address to disable the address recovery function. In
bridge mode, the proxy address recovery function is enabled by default.
However, the address recovery function is not supported in route mode.

In Virtual IP, set virtual IPv4 and IPv6 addresses. The client will be redirected
to a virtual IP address.

3.11.5.10.13 Advanced Configuration for Internet Access by SNAT Proxy

After the SNAT proxy function is enabled on the device, when LAN users access
the public network, their source IP addresses and source ports are translated
to the device IP address at the WAN interface and a random port that is not
yet in use.

Because the user IP address seen from the public network is the device IP
address at the WAN interface and the port is a random value, the network
supervisor cannot trace the source from public network information. For this
reason, it is stipulated that the source port of every LAN user passing the
NAT should remain in a given range.

This function is disabled by default and is only used for network security
connection.
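To illustrate why keeping each LAN user's source ports in a fixed range restores traceability, the following added example (not IAG code) models a per-host port-block SNAT: the pool boundaries, block size and addresses are assumed values, and the external log line is constructed.

```python
"""Port-block SNAT model (added example, not IAG code).

With a random public port, an external record of (WAN IP, port) cannot be
attributed to a LAN host. If ports are instead handed out from a block
reserved per host, block arithmetic alone maps the record back to one LAN
host, even after the NAT session has expired. Pool and block sizes below are
assumed; the IAG's real port ranges are not given in the manual.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PortBlockSnat:
    wan_ip: str
    pool_start: int = 10000      # assumed public port pool
    pool_end: int = 59999
    block_size: int = 1000       # assumed ports reserved per LAN host
    # lan_ip -> block index; a block stays reserved once assigned
    _blocks: Dict[str, int] = field(default_factory=dict)
    # public port -> (lan_ip, lan_port) for currently active translations
    _active: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def block_range(self, lan_ip: str) -> Tuple[int, int]:
        """Return (first, last) public port reserved for lan_ip, assigning a
        fresh block on first use; raises when the pool is exhausted."""
        if lan_ip not in self._blocks:
            idx = len(self._blocks)
            last = self.pool_start + (idx + 1) * self.block_size - 1
            if last > self.pool_end:
                raise RuntimeError(f"no free port block for {lan_ip}")
            self._blocks[lan_ip] = idx
        first = self.pool_start + self._blocks[lan_ip] * self.block_size
        return first, first + self.block_size - 1

    def translate(self, lan_ip: str, lan_port: int) -> Tuple[str, int]:
        """Pick the lowest free public port inside the host's own block."""
        first, last = self.block_range(lan_ip)
        for pub_port in range(first, last + 1):
            if pub_port not in self._active:
                self._active[pub_port] = (lan_ip, lan_port)
                return self.wan_ip, pub_port
        raise RuntimeError(f"port block exhausted for {lan_ip}")

    def release(self, pub_port: int) -> None:
        """Session ended: free the public port (the block stays reserved)."""
        self._active.pop(pub_port, None)

    def trace(self, pub_ip: str, pub_port: int) -> Optional[str]:
        """Map an externally observed (ip, port) back to the LAN host using
        only block arithmetic; no active session state is needed."""
        if pub_ip != self.wan_ip or not self.pool_start <= pub_port <= self.pool_end:
            return None
        idx = (pub_port - self.pool_start) // self.block_size
        for lan_ip, block in self._blocks.items():
            if block == idx:
                return lan_ip
        return None


def trace_log_line(nat: PortBlockSnat, line: str) -> Optional[str]:
    """Parse a constructed external log line 'src=<ip>:<port> dst=<ip>:<port>'
    and trace its source back to a LAN host."""
    for token in line.split():
        if token.startswith("src="):
            ip, _, port = token[4:].rpartition(":")
            return nat.trace(ip, int(port))
    return None


if __name__ == "__main__":
    nat = PortBlockSnat(wan_ip="203.0.113.5")      # constructed WAN address
    _, p1 = nat.translate("192.168.1.10", 52000)
    _, p2 = nat.translate("192.168.1.11", 52000)
    nat.release(p1)                                 # session gone, trace still works
    print(nat.trace("203.0.113.5", p1), nat.trace("203.0.113.5", p2))
    print(trace_log_line(nat, f"src=203.0.113.5:{p2} dst=198.51.100.20:443"))
```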

3.11.3.10.14 Notification Options

The notification options support SMS notification and email notification.

3.11.3.10.14.1 SMS notification

Add the SMS notification server and complete its configuration.

Configuration for SMS platform

The configuration panel is in System Management > Advanced > Notification
> SMS Notification.

Delivery Module includes two categories: Deliver by predefined SMS module
and Delivery by SMS module on external server.

The default selection is Deliver by predefined SMS module, which is for the
following two scenarios:

1. Message delivery by a GSM modem that is directly connected to the IAG
device serial port.

2. Message delivery by an external SMS gateway or server.

Delivery by SMS module on external server is for the following scenario:

Message delivery by a GSM modem that is not directly connected to the device
but to another PC.

In this case, the PC should be installed with a message delivery program. Click
Download to get the program. After installation, enter the IP address and the
SMS central port of the PC.

Parameter Setting is for configuring the parameters for message delivery.

The configuration is shown in the picture below:

Type is for configuring the gateway type for message delivery.

GSM modem: for GSM SIM cards, which are typically those of China Mobile
and China Unicom.

CDMA modem: for CDMA SIM cards, which are typically those of China
Telecom. China Mobile V2, China Mobile V3, China Unicom, and China Telecom
V3 are the SMS gateway types of various ISPs.

HTTP: used in combination with the Webservice SMS gateway.

Type: When GSM modem is selected, configure as follows:

Country Code: The country code corresponding to the phone number. For
example, 86 is for China.

SMS Center: The SMS Center number of the corresponding ISP to which the
SIM card in the GSM modem belongs.

COM Port is the serial port that the GSM modem uses. Available options are
COM0, COM1, and COM2.

COM Baud Rate: The default selection is 115200, which applies to the
corresponding GSM modem of IAG. Other COM Baud rates cannot be chosen
for the GSM modem of IAG; otherwise, it may not normally send the message.

When China Mobile V2, China Mobile V3, China Unicom, or China Telecom V3 is
selected, configure as follows:

Server Address is for entering the IP address of SMS gateway.

Server Port: Enter the port which is actually monitored by the SMS gateway.

Enter the remaining parameters of Parameter Setting, as provided by the
SMS provider, including Corporate Code, Service Code, SP No., No.,
Username and Password.

HTTP is selected when the customer has a Webservice SMS gateway server. The
device sends parameters to the server's URL, and the SMS gateway interface
sends messages accordingly when it receives the parameters.

Country Code: the country code corresponding to the SMS platform. For
example, 86 is for China.

URL: Enter the interface URL address for receiving the SMS parameters in the
SMS gateway.

Encoding, SOAP Version, and Request Type: Select according to the server
type.

SMS Message Template: The command template sent to the SMS server when
IAG needs to send messages. It is provided by the SMS server maintenance
personnel and imported into this configuration page.

Click Test Validity, and the configuration page for testing SMS appears:

Test Validity is for testing if the GSM modem or the SMS gateway can send
messages normally. Enter the phone number for receiving messages and click
Commit to send the testing message.

After configuring the SMS notification server, enable it on the SMS platform
by going to Authentication Server > SMS Based Authentication.

Alternatively, click SMS Notification > Verification Code in Notification to
select the configured SMS platform server.

Sangfor's modems are shown in the picture below; there are two types, GSM and
CDMA.

Configure SMS Notification. Select the SMS server, and define SMS content. It
supports SMS passwords, self-registration approval, and new endpoint
approval.

3.11.3.10.14.2 Email Notification Server

Configure the email notification server:

The notification content supports authentication verification and
self-registration approval:

3.11.5.11 Sangfor Device Connection

The IAG device supports connection to Sangfor's Cyber Command, so that the IAG
can synchronize user information to Cyber Command and correlate with it. This
realizes pop-up notification of Internet access and account freezing.

User Information Synchronization

The IAG device can synchronize user authentication information to the Cyber
Command (CCOM) device. (The user authentication information shared among
Sangfor devices includes local password authentication, external password
authentication, SMS verification, single sign-on, and dkey authentication
information.)

For device configuration, go to User Authentication and Management > Single
Sign-On (SSO) > Sangfor Appliance, and configure the forwarding policy and
shared key in Send user credentials to other Sangfor appliances.

Then configure the CCOM device.

In the CCOM, go to System Config - Device Management - New to add a new
Internet access control device by configuring the IAG IP and shared secret key
for the correlated device.

After configuration, in Asset Center - Endpoint, click User List to view the
user list:

If user information is not synchronized, click Synchronize Now to synchronize
manually:

Note that clicking Synchronize Now can immediately synchronize the IAG device's user
information and update it to the CCOM platform. However, this does not clear up the
original user data on the CCOM.

Open Ports on WAN Interface

The purpose of open ports is to configure Device Correlation later on.

If the IAG device is deployed in routing mode, the CCOM device needs to open
the TCP 9998 port on the WAN interface.

If it is in bridge mode or bypass mode, there is no need for this configuration.

Only allow the TCP 9998 port between IAG and CCOM in the network.

Device Correlation

Two correlation methods are supported: Auto-negotiation and Shared Secret. If
both are enabled, passing either one of the authentication methods means that
correlation is completed.

⚫ If there are relatively few IAG devices in the environment, either
correlation method can be chosen.

⚫ If there are relatively many IAG devices in the environment, choose
auto-negotiation to reduce configuration.

⚫ If there are multiple CCOM devices in the environment, choosing shared
secret to avoid negotiation errors is recommended.

Method 1: Auto-negotiation

IAG configuration

In System Management > System Config > Device Correlation > Enable
correlation for Sangfor devices.

In System Management > System Config > Device Correlation > Correlation
Options, select Auto-negotiation.

CCOM configuration

In the CCOM, go to System Config > Device Management > New to add a
new Internet access control device by configuring the IAG IP and shared secret
key for the correlated device. There is no need to configure advanced options.

The device automatically negotiates the authentication account and the secret
key:

Upon configuration completion, the status of the successfully correlated CCOM
device can be seen on the IAG device.

Likewise, the status of the correlated IAG device can be seen on the CCOM.

Method 2: Shared Secret

IAG configuration

In System Management > System Config > Device Correlation > Enable
correlation for Sangfor devices.

In System Management > System Config > Device Correlation > Correlation
Options, select Shared Secret.

CCOM configuration

In CCOM, go to System Config - Device Management - New to add a new Internet
access control device by configuring the IAG's IP and shared secret key for
the correlated device. The advanced options must be configured in accordance
with those on the IAG device.

Upon configuration completion, the status of the successfully correlated CCOM
device can be seen on the IAG device, and the device name is the customized
one.

Likewise, the status of the correlated IAG device can be seen on the CCOM.

On the CCOM device, click More > Response Tool Kit > Correlated Response
> Correlated IAG.

Internet Access Prompting

Manual and automatic correlation prompting are supported. Manual correlation
prompting includes individual and batched Internet access prompting.

Individual manual Internet access prompting

On the risky endpoint page, click a single IP address to correlate, or click
More > Correlated Response > Correlated IAG to add a new device. The prompt
message for Internet access prompting can either use the system
recommendation or be customized. The interface is shown below:

Automatic Internet access prompting

The user can go to More -> Correlated Response -> correlated IAG interface
to start automatic Internet access prompting. The interface is as follows:

Internet access prompting effect: use the pop-up recommended by the system,
which is as shown in the picture.

Account freezing

1. Correlate IAG in the page of compromised hosts and the secondary page
of risky endpoints, as shown below:

2. Add a new correlated device by going to More > Correlated Response >
correlated IAG page:

Freeze Online User List on IAG device.

3.11.6 Diagnostics

3.11.6.1 System Logs

On the System Logs page, you can view each module's run logs and therefore
determine whether the modules run properly.

Click Filter. On the Filter page that is displayed, select a log type, as
shown in the following figure.

In Filter, enter a program name.

Click Commit. Then the logs of the selected types are displayed.

In Date, select the date to view system logs generated during the specified
period.

3.11.6.2 Capture Packets

The capture packets tool captures the packets passing through the device to
quickly locate problems. It can be used to detect errors. Click Options to
display the Options dialog box, as shown in the following figure.

Max Packets: Specifies the maximum number of packets to be captured.

Interface: Specifies the interfaces on which packets will be captured.

Expression: Specifies the expression for filtering packets to be captured. The
standard TCPDUMP format in Linux is used.

IP Address: Specifies the IP address in the packets to be captured.

Port: Specifies the port in the packets to be captured. Click Capture to start
capturing packets.

Click Stop to stop capturing packets. A .pcap file is generated, as shown in the
following figure.

Click Delete to delete the specified file, Download to download the file to
the specified path, or Refresh to view real-time information about the packet
capturing results. The file can be opened using Sniffer or Ethereal.

Capturing packets on more than one interface simultaneously is supported.

Customizing the expression for capturing packets is supported.

3.11.6.3 Web Console

On the command console, you can view simple information about the device.
Supported commands include arp for viewing the arp table, mii-tool for listing
the connections of a network interface, ifconfig for viewing network interface
information, ping for testing the connectivity of the host address, telnet for
testing the connectivity of the port, ethtool for viewing information about the
network adapter, route for displaying the routing table, and traceroute for
tracing the packet forwarding path. Input any command on the command
console and press Enter, as shown in the following figure.

3.11.6.4 Troubleshooting

On the Troubleshooting page, you can query which module of the device
rejects a packet and the rejection reasons to quickly locate a configuration
error or test whether some rules take effect. Click Settings. On the Filter page,
set all kinds of filtering conditions, as shown in the following figure.

Specified IP: Specifies an IP address for which the rejection list is enabled.
By default, the rejection list applies to all network segments. Click Protocol
Conditions and set the protocol type and port range for filtering interception
logs, as shown in the following figure.

Protocol Type can be set to All, TCP, UDP, ICMP, or Others.

Select Improve Logs Readability to display interception logs in Chinese. If
this option is not selected, interception logs are displayed in English.

Select Enable Pass-Through and set an IP address or IP address segment. The
Internet access policies are ineffective for the specified IP addresses.
Packets that should be rejected according to the Internet access policies will
be allowed to pass.

Click Advanced and set whether to enable straight-through transmission for the
traffic control module, as shown in the following figure.

If BM module does not allow data pass-through is selected, the Bandwidth
Management policies are still effective. It protects the network environment
against excessively heavy traffic that occurs because all data are transmitted
straight through. If this option is not selected, the Bandwidth Management
policies are not effective. By default, straight-through transmission is not
enabled for the Bandwidth Management module.

Click Enable to enable the interception logging and straight-through
transmission functions.

Status shows the enabling status of the straight-through transmission and
interception logging functions, as shown in the following figure.

Click Close to disable the interception logging and straight-through
transmission functions.

Click Refresh to view interception logs and the packet interception
conditions, as shown in the following figure.

After the interception logging and straight-through transmission functions are enabled, if
the administrator does not manually click Close, these functions are still enabled even if the
device is restarted.

3.11.6.5 Shutdown

The Restart Device and Restart Service buttons are available on the
Shutdown page, as shown in the following figure.

4 Use Cases

4.1 SSO Configuration

4.1.1 SSO Configuration for the AD Domain

4.1.1.1 SSO Implemented by Delivering a Login Script Through Domains

Domain server login script (logon.exe) and logout script (logoff.exe) are
configured. When a user logs in to or logs out of the domain, the login or
logout script is executed according to a delivered domain policy to log in or out
the user at the device.

See the following figure.

The process is as follows:

1. The PC requests domain login.

2. The domain server returns login success information to the PC.

3. The PC executes the logon.exe script and reports the domain login
success information to the device.

Configuration Case: The users in the intranet segment 192.168.1.0/24 must
adopt the AD domain SSO authentication mode. After they are authenticated,
the users use domain accounts to access the Internet. In addition, users and IP
addresses are bound automatically. When SSO fails, the authentication page is
displayed for users to enter AD domain accounts and passwords for
authentication.

Step 1. Choose User Authentication > External Authentication Server and
set LDAP Server. (For details, see Section 3.6.2.2.)

Step 2. Set the authentication policy. Choose User Authentication >
Authentication Policy > New Authentication Policy. Set the authentication
policy according to the IP or MAC addresses of the users who require SSO.

Setting the authentication scope:

Setting the authentication mode:

Setting the handling method to be used after authentication:

Click Commit.

Step 3. Enable SSO, select the SSO mode, and set the shared key. Choose User
Authentication > SSO Options > Microsoft AD Domain.

Select Enable Domain SSO.

Select Auto Deliver Scripts, Execute Specified Login Script, and Obtain Login
Information, which indicates the SSO is implemented by delivering the login
script. Enter the shared key in Shared Key. See the following figure.

The shared key is used to encrypt the communication between the device and
the AD domain server and must be specified exactly the same in the login
script. Click Download Domain SSO Program to download the login and logout
scripts.

Step 4. Configure the login script on the AD domain server.

1. Log in to the domain server and choose Server Manager on the menu, as
shown in the following figure.

2. Choose Manage Users and Computers in Active Directory.

3. In the displayed window, right-click the domain to be monitored and
choose Properties.

4. In the displayed window, click Group Policy. Double-click the group policy
Default Domain Policy.

5. In the displayed Group Policy Object Editor window, choose User
Configuration > Windows Settings > Scripts (Logon/Logoff).

6. Double-click Logon on the right. In the displayed Logon Properties
window, click Show Files in the lower-left corner. A directory is opened.
Save the login script file in the directory and close it.

7. In the Logon Properties window, click Add. In the Add a Script window,
click Browse, choose the login script file logon.exe, and enter the IP
address of the device, port number (fixed to 1773 and 1775 for IPv4, or to
1775 for IPv6), and shared key (exactly the same as that configured on the
device). The parameter values must be separated by space. Click Apply
and then OK. Then close the windows one by one.

Step 5. Configure the logout script on the LDAP. The logout script helps users
who are logged out of the domain server log out of the device.

1. Perform the steps for configuring the login script. In step 6, double-click
Log off instead.

2. In the displayed Logoff Properties window, click Show Files in the
lower-left corner. A directory is opened. Save the logout script file
logoff.exe in the directory and close it.

3. In the Logoff Properties window, click Add. In the Add a Script window,
click Browse, choose the AD logout script file logoff.exe, and enter the IAG
IP address specified during logout script parameter configuration. Close the
pages one by one.

4. Choose Start > Run. Enter gpupdate and click OK. The group policy takes
effect.

Step 6. Log in to the domain on a computer. If the login is successful, you can
access the Internet.

1. The primary DNS of the PC must be set to the IP address of the domain server. Otherwise,
the domain IP address cannot be resolved, resulting in domain server login failure.

2. If the DNS or IP address is changed after the first successful login, the user can log in to
the computer with the correct password because Windows remembers the previous valid
password. However, the user cannot log in to the domain in this case. The SSO fails, and an
authentication dialog box requesting the username and password is displayed when the
user tries to access the Internet.

3. The domain server, device, and PC must communicate with each other properly.

4.1.1.2 Obtaining Login Information Using a Program (SSO Without a Plug-in)

The IAG has an ADSSO program, which can regularly connect to the AD domain
and detect the domain login success status of a PC on the domain server to
implement SSO.

The process is as follows:

1. The PC logs in to the domain.

2. The SSO client program obtains the information about the user who
successfully logs in to the LDAP server domain.

3. The user becomes online on the IAG.

Configuration Case: The users in the intranet segment 192.168.2.0/24 must
adopt the AD domain SSO authentication mode. After they are authenticated,
the users use domain accounts to access the Internet. In addition, users and
MAC addresses are bound automatically (through layer 3). When SSO fails, the
users can access the Internet without being authenticated. They use MAC
addresses as their usernames, but they are categorized as temporary users.
The permissions for the limited group are assigned to the users for Internet
access, and they cannot be added to the organization structure.

Step 1. Choose Users > External Authentication Server and set the
authentication AD domain server. (For details, see Section 3.6.2.2.)

Step 2. Set the authentication policy. Choose Users > Authentication Policy >
Add Authentication Policy. Set the authentication policy according to the IP
or MAC addresses of the users who require SSO.

Setting the authentication scope:

Setting the authentication mode:

Setting the handling method to be used after authentication:

Step 3. Because the customer's environment involves layer 3 and MAC
addresses must be bound, the function for transferring MAC addresses across
layer 3 must be configured. Choose Users > Advanced > MAC Filtering Across
L3 Switch, and configure the function. For details, see Section 3.6.4.4.

Step 4. Enable SSO on the device and set the IP address of the domain server.
Choose Users > Single Sign On SSO > MS AD Domain and perform
configuration.

Select Enable Domain SSO. Select Domain SSO.

Click Add to add an AD domain server.

Step 5. Verify that the AD domain server configuration takes effect.

1. Make sure that the RPC service works properly on the AD domain server.

2. Make sure the Kerberos DES encryption is enabled on the AD domain
server.

If it is disabled, the SSO client may not be able to log in to the domain server
(not due to other factors such as the network and username).

To resolve the problem, run gpedit.msc and choose Computer Configuration
> Windows Settings > Security Settings > Local Policy > Security Options >
Network Security. Configure Kerberos and select the encryption types
DES_CBC_CRC and DES_CBC_MD5.

3. Obtain user configuration from event logs.

Enable event log audit of the AD domain.

Access the Control Panel and click Administrative Tools.

Edit Group Policy Management.

Edit Default Domain Controllers Policy.

Enable Audit logon events and Audit account logon events.

4. Obtain user configuration using NetSession.

Modify the group policy of the AD domain. If SSO is enabled for only
specified groups, modify the related group policies.

Update the group policy.

4.1.1.3 SSO Implemented Using IWA

You can enable IWA on the IAG to add the IAG and intranet computers to the
AD domain. When an intranet user logs in to the domain and accesses a
webpage, the user is authenticated on the IAG. The configuration procedure is
as follows:

Step 1. Choose Users > External Authentication Server and set the
authentication AD domain server. (For details, see Section 3.6.2.2.)

Step 2. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 3. Enable SSO on the device and set the IP address of the domain server.
Choose Users > Single Sign On SSO > MS AD Domain and perform
configuration.

Select Enable Domain SSO.

Select Enable Integrated Windows Authentication and perform configuration.
See the following figure.

Click Test. The test result is displayed.

Click OK. After about 1 minute, the loudspeaker icon in the lower-right corner
will indicate whether you have joined the domain successfully.

Step 4. Log in to the domain and access a webpage. View the online user list
of the IAG, which displays the users who have been authenticated.


4.1.1.4 SSO Implemented in Monitoring Mode

In this mode, the IAG intercepts data of the PC that logs in to the domain
server and obtains login information from the data, thereby implementing SSO.
No component needs to be installed on the domain server, but the data of
intranet PCs that log in to the domain server needs to be mirrored through the
device or a listening port to the device. The device captures the login
information by listening on UDP port 88. After successful login to the domain,
the user can access the Internet directly without being authenticated by the
device. It applies to scenarios where the domain server is deployed within or
out of the intranet. The SSO configurations for these two deployment modes of
the domain server are described as follows:

Scenario 1: Domain server deployed on the intranet.

The data flow is as follows:

1. Domain login data of a PC is not transferred to the IAG but forwarded
within the intranet.

2. A mirroring port is configured on the switch to mirror the domain login
data of the PC to the IAG.

3. If the user logs in to the domain successfully, the device authenticates the
user automatically. The procedure is as follows:

Step 1. Choose Users > External Authentication Server and set the
authentication AD domain server. (For details, see Section 3.6.2.2.)


Step 2. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 3. Enable SSO on the device and set the IP address of the domain server.
Choose Users > Single Sign On SSO > MS AD Domain and perform
configuration.

Select Enable Domain SSO.

Select Obtain login profile by monitoring the data of computer logging into
domain. Enter the IP address and the listening port of the domain server in
Domain Controllers. If there are multiple domain servers, enter the IP address
and the listening port of each domain server in one line. See the following
figure.


Step 4. The domain login data of the intranet does not pass through the
device. You must set a mirroring port and connect it to the mirroring port on
the switch forwarding login data. Click Others and set the mirroring port of the
device. The mirroring port must be an available one not in use.

Step 5. Log in to the domain on a computer. If the login is successful, you can
access the Internet.

Scenario 2: Domain server deployed out of the intranet

The data flow is as follows:

1. The packets of a PC logging into the domain pass through the device.


2. The intranet interface of the device is used as a listening port. No more
listening port is required. The procedure is as follows:

Step 1. Choose Users > External Authentication Server and set the
authentication AD domain server. (For details, see Section 3.6.2.2.)

Step 2. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

The LDAP server is not located on the intranet of the device. Before user
authentication, access to the domain server must be allowed. Choose
Authentication Policy > Action > Advanced > Before authentication, added
to group, set the group to be used before authentication, and configure the
Internet access policy to allow this group to access the domain server.

Step 3. Enable SSO on the device and set the IP address of the domain server.
Choose Users > Single Sign On SSO > MS AD Domain and perform
configuration.

Select Enable Domain SSO.

Select Obtain login profile by monitoring the data of computer logging
into domain. Enter the IP address and the listening port of the domain server
in Domain Controllers. If there are multiple domain servers, enter the IP
address and the listening port of each domain server in one line.


Step 4. Log in to the domain on a computer. If the login is successful, you can
access the Internet.

In monitoring mode, only user login information is monitored; logout data is not
captured, so the logout state is never learned. A PC may therefore have logged out
while its user is still shown in the online user list on the device.
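The following Python script is an added example (not Sangfor code and not a description of how the IAG is implemented) of what a monitor on a mirrored port can derive from the Kerberos exchange on UDP port 88: which principal logged on from which IP address, and why logout is never observed. A client is marked online only when its AS-REQ is answered by an AS-REP, a KRB-ERROR such as KDC_ERR_PREAUTH_REQUIRED is treated as the normal first round rather than a logon, and no Kerberos message corresponds to a logoff. The AS-REQ also carries the list of encryption types the client offers, which is where the DES types (etype 1 and 3) would appear after the group policy change described earlier. All packets, addresses, user names and the realm are constructed inside the script.

```python
"""Passive Kerberos logon detection on mirrored UDP/88 traffic (added example, not Sangfor code)."""

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, definite length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos] -> (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                                   # long-form length
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def items(body: bytes):                                # (tag, value) pairs inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def inner(body: bytes) -> dict: return dict(items(tlv(body)[1]))   # unwrap one SEQUENCE, index by tag
def ctx(n: int) -> int: return 0xA0 | n                            # identifier of constructed [n]

def parse_kerberos(payload: bytes):
    """Classify a KDC message by its APPLICATION tag (RFC 4120: 10 AS-REQ, 11 AS-REP,
    30 KRB-ERROR, ...); for an AS-REQ also extract cname, realm and the offered etypes."""
    if len(payload) < 2 or payload[0] & 0xE0 != 0x60:  # not APPLICATION/constructed
        return None
    app_tag, body, end = tlv(payload)
    if end != len(payload):                            # truncated or trailing junk
        return None
    ev = {"msg_type": app_tag & 0x1F}
    if ev["msg_type"] == 10:
        rb = inner(inner(body)[ctx(4)])                # KDC-REQ -> req-body [4]
        names = items(tlv(inner(rb[ctx(1)])[ctx(1)])[1])   # cname [1] -> name-string [1]
        ev["cname"] = "/".join(v.decode() for _, v in names)
        ev["realm"] = tlv(rb[ctx(2)])[1].decode()      # realm [2]
        ev["etypes"] = [int.from_bytes(v, "big", signed=True) for _, v in items(tlv(rb[ctx(8)])[1])]
    return ev

def logon_tracker(packets):
    """packets: (src_ip, dst_ip, udp_payload) as copied from the mirror port.  A client is
    online once its AS-REQ is answered by an AS-REP (credentials accepted).  Nothing ever
    marks a client offline: Kerberos has no logout message a monitor could observe."""
    pending, online = {}, {}
    for src, dst, payload in packets:
        ev = parse_kerberos(payload)
        if ev is None:
            continue
        if ev["msg_type"] == 10:                       # client -> KDC
            pending[src] = f'{ev["cname"]}@{ev["realm"]}'
        elif ev["msg_type"] == 11 and dst in pending:  # KDC -> client: TGT issued
            online[dst] = pending.pop(dst)
        elif ev["msg_type"] == 30 and dst in pending:  # KDC -> client: error
            pending.pop(dst)                           # PREAUTH_REQUIRED (25) is normal; client retries
    return online

# ---- constructed sample traffic, encoded with the same DER helpers ----
def integer(v): return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def gstr(s): return der(0x1B, s.encode())              # GeneralString
def seq(*p): return der(0x30, b"".join(p))
def c(n, body): return der(ctx(n), body)
def app(n, body): return der(0x60 | n, body)
def principal(name_type, *names):
    return seq(c(0, integer(name_type)), c(1, seq(*(gstr(s) for s in names))))

def sample_as_req(user, realm, etypes):
    body = seq(c(0, der(0x03, b"\x00\x40\x81\x00\x10")),   # kdc-options
               c(1, principal(1, user)), c(2, gstr(realm)),  # cname (NT-PRINCIPAL), realm
               c(3, principal(2, "krbtgt", realm)),          # sname (NT-SRV-INST)
               c(5, der(0x18, b"20370913024805Z")),         # till
               c(7, integer(0x12345678)),                   # nonce
               c(8, seq(*(integer(e) for e in etypes))))    # etype: 1/3 DES, 17/18 AES, 23 RC4
    return app(10, seq(c(1, integer(5)), c(2, integer(10)), c(4, body)))

def sample_reply(msg_type, error_code=None):
    """AS-REP (11) or KRB-ERROR (30) reduced to the fields this parser reads."""
    fields = [c(0, integer(5)), c(1, integer(msg_type))]
    if error_code is not None:
        fields.append(c(6, integer(error_code)))
    return app(msg_type, seq(*fields))

KDC = "10.1.1.5"
SAMPLE_PACKETS = [
    ("10.1.1.23", KDC, sample_as_req("alice", "CORP.EXAMPLE", [18, 17, 23])),
    (KDC, "10.1.1.23", sample_reply(30, 25)),     # KDC_ERR_PREAUTH_REQUIRED: normal first round
    ("10.1.1.23", KDC, sample_as_req("alice", "CORP.EXAMPLE", [18, 17, 23])),  # retry (padata omitted)
    (KDC, "10.1.1.23", sample_reply(11)),         # AS-REP: alice's credentials were accepted
    ("10.1.1.40", KDC, sample_as_req("bob", "CORP.EXAMPLE", [23])),
    (KDC, "10.1.1.40", sample_reply(30, 24)),     # KDC_ERR_PREAUTH_FAILED: wrong password
    ("10.1.1.77", KDC, b"\x12\x34\x01\x00"),      # unrelated UDP payload, ignored
]
```

Running logon_tracker(SAMPLE_PACKETS) yields only alice's PC as online; bob's failed pre-authentication never produces an AS-REP. Only UDP payloads are handled here: Kerberos over TCP carries a 4-byte length prefix that would have to be stripped first. A user learned this way stays in the online list until something other than the mirrored traffic removes it, which is exactly the limitation noted above.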

4.1.2 Proxy SSO Configuration


Proxy SSO applies to environments where users access the Internet through a
proxy and each user has a proxy server account. In proxy SSO mode, when the
proxy server authenticates a user, the user is also authenticated by the device.


4.1.2.1 SSO in Monitoring Mode

In the monitoring mode, proxy SSO is implemented by monitoring login data. It
is applicable in two scenarios.

Scenario 1: Proxy server deployed out of the intranet. See the following figure.

The data flow is as follows:

1. Users can access the Internet through a proxy server, and the device
monitors the interaction between PCs and the proxy server.

2. When the proxy server authenticates the PCs, they are also authenticated
by the device. The configuration procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

The proxy server is not located on the intranet of the device. Before user
authentication, access to the domain server must be allowed. Choose
Authentication Policy > Action > Advanced > Before authentication, added
to group, set the group to be used before authentication, and configure the
Internet access policy to allow this group to access the proxy server.


Step 2. Choose Users > Single Sign On SSO > Proxy and perform
configuration. Select Proxy > Enable Proxy SSO.

Select Proxy > Obtain login profile by monitoring the data of computer logging
into the proxy server.

In Proxy Server List, enter the IP address and listening port of the proxy
server. If there are multiple proxy servers, enter one IP address and port
number per row. Set the port numbers to those used for proxy authentication.
See the following figure.

Step 3. Log in to the proxy server on a computer. If the login is successful, you
can access the Internet.

If the proxy server is an ISA server that adopts IWA, the Compatible with
Kerberos option needs to be selected for implementing SSO. This option is
applicable only when login packets pass through the IAG and inapplicable to
the mirroring mode and bypass mode.

In this scenario, if Show Disclaimer is selected at Authentication Policy >
Action > Advanced, redirection must be implemented at the DMZ port.
Otherwise, users cannot be authenticated and access the Internet.
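The following Python script is an added example, not Sangfor code, of the monitoring logic this scenario depends on: a proxy logon is visible as a Proxy-Authorization header in the client's request, and the proxy's reply tells whether it was accepted (407 means not yet authenticated). Basic credentials are decoded only far enough to recover the username and the password half is discarded at once; NTLM and Negotiate tokens are deliberately not decoded (a Kerberos AP-REQ carries the client principal only inside the encrypted ticket, so a mirrored copy cannot reveal it). All requests, replies, accounts and addresses are constructed in the script.

```python
"""Passive proxy-logon detection on monitored HTTP proxy traffic (added example, not Sangfor code)."""
import base64


def proxy_request_user(request: bytes):
    """Username from a Proxy-Authorization: Basic header, else None.
    The password half of the credential is dropped on the spot; NTLM and
    Negotiate tokens are not decoded (the Kerberos principal is not readable)."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            cred = base64.b64decode(token.strip(), validate=True)
        except ValueError:                    # malformed base64 (binascii.Error is a ValueError)
            return None
        user, _, _password = cred.partition(b":")
        return user.decode("utf-8", errors="replace") or None
    return None


def proxy_status(response: bytes) -> int:
    """Status code from the proxy's status line (0 if it is not HTTP)."""
    try:
        return int(response.split(b" ", 2)[1])
    except (IndexError, ValueError):
        return 0


def proxy_logons(exchanges):
    """exchanges: (client_ip, request, response) as reassembled by the monitor.
    A client is online once a request carrying Basic credentials gets any
    reply other than 407 Proxy Authentication Required."""
    online = {}
    for ip, request, response in exchanges:
        user = proxy_request_user(request)
        if user is not None and proxy_status(response) != 407:
            online.setdefault(ip, user)
    return online


# ---- constructed sample exchanges (no real hosts or accounts) ----
def _basic(user: str, password: str) -> bytes:
    return base64.b64encode(f"{user}:{password}".encode())


def _get(authz: bytes = b"") -> bytes:
    extra = b"Proxy-Authorization: " + authz + b"\r\n" if authz else b""
    return b"GET http://www.example/ HTTP/1.1\r\nHost: www.example\r\n" + extra + b"\r\n"


REPLY_407 = b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n"
REPLY_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SAMPLE_EXCHANGES = [
    ("10.1.3.10", _get(), REPLY_407),                                       # challenge, no credentials yet
    ("10.1.3.10", _get(b"Basic " + _basic("alice", "s3cret")), REPLY_200),  # accepted: alice is online
    ("10.1.3.11", _get(b"Basic " + _basic("bob", "wrong")), REPLY_407),     # rejected: bob stays offline
    ("10.1.3.12", _get(b"NTLM TlRMTVNTUAAB"), REPLY_407),                   # NTLM token: not decoded here
]
```

proxy_logons(SAMPLE_EXCHANGES) returns only alice's PC. Note what the monitor necessarily sees to make this decision: with Basic, the password itself crosses the wire in the clear on every request, so the mirrored copy is as sensitive as the original traffic.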


Scenario 2: Proxy server deployed in the intranet. See the following figure.

The data flow is as follows:

1. Users can access the Internet through a proxy server, and the IAG does not
forward the authentication data.

2. A mirroring port is configured on the switch to mirror the data sent from
PCs to the proxy server to the IAG.

3. When the proxy server authenticates the PCs, they are also authenticated
by the device. The configuration procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > Proxy and perform
configuration. Select Proxy > Enable Proxy SSO.

Select Proxy > Obtain login profile by monitoring the data of computer logging
into the proxy server.

In Proxy > Proxy Server Address List, enter the proxy server's IP address and
listening port. If there are multiple proxy servers, enter one IP address and
port number per row. Set the port numbers to those used for proxy
authentication. See the following figure.

Step 3. If the login data does not pass through the device, set a mirroring port
connected to the mirroring port on the switch forwarding login data packets.
Click Others, and set the mirroring port. The mirroring port must be an
available one not in use.

Step 4. Log in to the proxy server on a computer. If the login is successful, you
can access the Internet.

This mode does not support Compatible with Kerberos.


4.1.2.2 SSO in ISA Mode

It is applicable when the ISA server is located in the intranet and ISA login data
does not pass through the device. An extended plug-in can be registered with
the ISA server and used to send the ISA login information of PCs to the device,
which logs the users in on the device. See the figure below.

The process is as follows:

1. PCs undergo proxy authentication by the ISA through the HTTP proxy.

2. The ISA sends PC login success information to the IAG.

3. The IAG authenticates the PCs and allows the PCs to access the Internet.
The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > Proxy and perform
configuration. Select Proxy > Enable Proxy SSO.

Select Proxy > Obtain login profile by executing logon control through proxy.
Enter the shared key in Shared Key. See the following figure.


Step 3. Download the ISA SSO login plug-in and a sample configuration file
from the device, configure the ISA server, register the plug-in, and configure
SangforAC.ini.

1. Save the plug-in MyAuthFilter.dll to the ISA installation directory, such as
C:\Program Files\ISA server\.

2. Run regsvr32 "C:\Program Files\ISA server\MyAuthFilter.dll" to register the
plug-in.

3. Save the sample configuration file SangforAC.ini to the root directory of
drive C. The following describes the configuration file:

Config

acip=192.168.0.1 IP address of the device.

key=123 Packet encryption key for logging in to the ISA. It must be the same as
the key configured on the device.

cycle=30 Minimum interval at which an IP address sends login packets (unit:
second). This reduces the packet sending frequency by preventing an IP
address from sending a login packet every time it initiates a session to access a
website.

logpath= Debug log path. If it is blank, the debug log function is disabled. If it is
set, the debug log function is enabled. Enable it only when necessary. In addition,
make sure that the NETWORK SERVICE user can read and write the directory.

maxlogsize=1 Maximum size of a debug log file (unit: MB). When the size
reaches the upper limit, its content is deleted.

charset=UTF-8 The supported encoding types include UTF-8, UTF-16, GB2312,
GB18030, and BIG5.

4. Check the ISA plug-in panel to make sure that the Sangfor ISA Auth Filter
plug-in is enabled.

Step 4. Log in to the proxy server on a computer. If the login is successful, you
can access the Internet.

1. After modifying SangforAC.ini, you must register the plug-in again.

2. The ISA plug-in cannot log out a domain user of the device when the user logs out of the
domain or shuts down the computer. You can set a timeout interval on the device console to
log out the user of the device. See the following figure.

3. The IAG and ISA server must use the same key, which is different from other SSO keys.

4. The ISA server must not block data of its UDP 1773 port connected to the IAG.

5. If the proxy server is in the IAG WAN, users must be allowed to access the proxy server
before being authenticated.

To allow them to access the proxy server, do as follows:


Choose Authentication Policy > Action > Advanced, select Before
authentication, added to group, and set a group.

Configure the Internet access permissions of this group to include
the IP address and port number of the proxy server.

4.1.3 POP3 SSO Configuration


A customer's network includes a mail server, and user information is stored in
a POP3 server. Before accessing the Internet, users use clients such as Outlook
and Foxmail to log in to the POP3 server to send or receive mail. When user
login information is detected in monitoring mode, the device identifies and
authenticates the users so that the users do not need to enter usernames and
passwords again. It applies to scenarios where the POP3 server is deployed
within or out of the intranet. The POP3 SSO configurations for these two
deployment modes of the POP3 server are described as follows:

Scenario 1: POP3 server deployed in the intranet


The data flow is as follows:

1. A user uses a mail client to communicate with the POP3 server, and the
device monitors the communication.

2. When the mail client logs in to the POP3 server, the device authenticates
the user so that the user does not need to enter a password again for
accessing the Internet.

3. Because data is exchanged in the intranet, the data for logging in to the
POP3 server does not pass through the device. Therefore, a listening port
must be configured on the device.
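The following Python script is an added example, not Sangfor code, of how a monitor on the mirrored port turns a POP3 session into a logon event: a client counts as logged in only when its PASS command is answered with +OK, a -ERR after PASS is a failed logon, and once the server accepts STLS (or when POP3 over TLS on port 995 is used) nothing further can be read, which is the main limitation of this mode. The session lines and addresses are constructed; the password argument is never stored.

```python
"""Passive POP3 logon detection on a mirrored TCP/110 stream (added example, not Sangfor code)."""

# One mirrored TCP/110 conversation per client, reassembled into lines.  Each entry is
# (client_ip, direction, line): "C" = client -> server, "S" = server -> client.
# Constructed sample, not captured traffic.
SAMPLE_STREAM = [
    ("10.1.2.10", "S", "+OK POP3 server ready"),
    ("10.1.2.10", "C", "USER alice"),
    ("10.1.2.10", "S", "+OK"),
    ("10.1.2.10", "C", "PASS s3cret"),
    ("10.1.2.10", "S", "+OK Logged in."),
    ("10.1.2.10", "C", "STAT"),
    ("10.1.2.11", "S", "+OK POP3 server ready"),
    ("10.1.2.11", "C", "USER bob"),
    ("10.1.2.11", "S", "+OK"),
    ("10.1.2.11", "C", "PASS wrong"),
    ("10.1.2.11", "S", "-ERR [AUTH] Authentication failed."),
    ("10.1.2.12", "S", "+OK POP3 server ready"),
    ("10.1.2.12", "C", "STLS"),
    ("10.1.2.12", "S", "+OK Begin TLS negotiation"),
    ("10.1.2.12", "C", "\x16\x03\x01"),          # TLS record from here on: nothing readable
]


def pop3_logons(stream):
    """Return {client_ip: username} for clients whose PASS was answered with +OK.
    The last command per client is tracked so that a +OK after USER, STAT or
    LIST is not mistaken for a logon; a client is abandoned once STLS is accepted.
    The PASS argument is read only to recognise the verb and is never kept."""
    last_cmd, pending_user, online = {}, {}, {}
    for ip, direction, line in stream:
        if ip in online or last_cmd.get(ip) == "TLS":
            continue                                  # already decided for this client
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            last_cmd[ip] = verb
            if verb == "USER":
                pending_user[ip] = arg.strip()
        elif line.startswith("+OK"):
            if last_cmd.get(ip) == "PASS" and ip in pending_user:
                online[ip] = pending_user.pop(ip)     # USER/PASS accepted by the server
            elif last_cmd.get(ip) == "STLS":
                last_cmd[ip] = "TLS"                  # stream is opaque from now on
        elif line.startswith("-ERR") and last_cmd.get(ip) == "PASS":
            pending_user.pop(ip, None)                # wrong password: not a logon
    return online
```

pop3_logons(SAMPLE_STREAM) returns only alice's PC: bob's password was rejected and the third client switched to TLS before authenticating. Clients that use AUTH (SASL) instead of USER/PASS are not recognised by this script.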

The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > POP3 and perform
configuration. Select Enable POP3 SSO.

In POP3 Server Address List, enter the IP address and listening port
of the POP3 server. If there are multiple POP3 servers, enter one
IP address and port number per row. Set the port numbers to
those used for POP3 authentication (default: TCP 110). See the following
figure.


Step 3. In this example, the login data does not pass through the device, so set a
mirroring port connected to the mirroring port on the switch forwarding login
data packets. Click Others, and set the mirroring port. The mirroring port must
be an available one not in use.

Step 4. The PC receives mail using the mail client. After successful POP3 server
login, it can access the Internet.


Scenario 2: POP3 server deployed out of the intranet

The data flow is as follows:

1. The packets of a PC logging into the POP3 server pass through the device.

2. The intranet interface of the device is used as a listening port. No more
listening port is required. The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > POP3 and perform
configuration. Select Enable POP3 SSO.

In POP3 Server Address List, enter the IP address and listening port
of the POP3 server. If there are multiple POP3 servers, enter one
IP address and port number per row. Set the port numbers to
those used for POP3 authentication (default: TCP 110). See the following
figure.


Step 3. The PC sends and receives mail using the mail client. After successful
POP3 server login, it can access the internet.

If the POP3 server is in the IAG WAN, users must be allowed to access the POP3 server before
being authenticated.

To allow them to access the POP3 server, do as follows:

Choose Authentication Policy > Action > Advanced, select Before
authentication, added to group, and set a group.


Configure the Internet access permissions of this group to include the
IP address and port number of the POP3 server.

4.1.4 Web SSO Configuration


Generally, it applies to customers who have their own web servers,
and the web servers store account information. A customer wants its
web server and the device to authenticate users at the same time
before the users access the Internet. It applies to scenarios where the
web server is deployed within or out of the intranet.


Scenario 1: Web server deployed in the intranet

The data flow is as follows:

1. A user logs in to the web server. The entire process uses plaintext data,
and the device monitors the communication.

2. The keywords contained in the feedback sent from the server after
authentication are checked to determine whether the user is
authenticated. If the user is authenticated, Web SSO is successful.

The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > Web and perform
configuration. Select Enable Web SSO.


Set Web Authentication Server to the IP address of the web server.

Set User Form Name to the name of the username form submitted to the
server during web authentication.

Set Authentication Success Keyword or Authentication Failure Keyword
for identifying whether web SSO is successful. For example, if you set
Authentication Success Keyword and the keyword is contained in the result
sent back using the POST method, web SSO is successful. For example, if you
set Authentication Failure Keyword and the keyword is included in the result
sent back using the POST method, web SSO fails.

Step 3. In this example, the login data does not pass through the device, so set a
mirroring port connected to the mirroring port on the switch forwarding login
data packets. Click Others and set the mirroring port. The mirroring port must
be an available one not in use.


Step 4. Log in to the specified website, such as the BBS website in the
example, on a computer. If the login is successful, you can access the Internet.
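The following Python script is an added example, not Sangfor code, of the Step 2 logic: read the username from the configured form field in the monitored POST, then decide from the keywords in the server's reply to that POST. The form field name, the two keywords, the request and the replies are constructed values; which keyword wins when both appear, and what to do when neither does, are choices made for this example rather than documented device behaviour. A login page served over HTTPS gives a monitor nothing to match, which is why the scenario above assumes plaintext.

```python
"""Web SSO decision on a monitored HTTP form logon (added example, not Sangfor code)."""
from urllib.parse import parse_qs

# Settings that mirror the Web SSO page: the form field carrying the username and
# the keywords searched for in the server's reply.  Constructed values.
USER_FORM_NAME = "username"
SUCCESS_KEYWORD = "Welcome back"
FAILURE_KEYWORD = "Invalid username or password"


def username_from_post(request: bytes, form_name: str = USER_FORM_NAME):
    """Pull the username out of an application/x-www-form-urlencoded POST body.
    Returns None if this is not such a POST or the field is missing."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("POST "):
        return None
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    values = parse_qs(body.decode("latin-1")).get(form_name)
    return values[0] if values else None


def sso_decision(request: bytes, response: bytes):
    """Return ("success", user), ("failure", user) or ("unknown", user).
    Only the response body is searched.  A failure keyword wins over a success
    keyword if both appear, and a reply matching neither is left undecided rather
    than treated as a logon (both are choices made for this example)."""
    user = username_from_post(request)
    if user is None:
        return ("unknown", None)
    _, _, body = response.partition(b"\r\n\r\n")
    text = body.decode("utf-8", errors="replace")
    if FAILURE_KEYWORD in text:
        return ("failure", user)
    if SUCCESS_KEYWORD in text:
        return ("success", user)
    return ("unknown", user)


# Constructed request/response pairs as a monitor would reassemble them.
GOOD_POST = (b"POST /login HTTP/1.1\r\nHost: bbs.corp.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
             b"username=alice&password=s3cret")
GOOD_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Welcome back, alice</html>"
BAD_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Invalid username or password</html>"
REDIRECT_REPLY = b"HTTP/1.1 302 Found\r\nLocation: /index\r\n\r\n"
GET_REQ = b"GET /login HTTP/1.1\r\nHost: bbs.corp.example\r\n\r\n"
```

The redirect case is the one to test against a real login page: a server that answers the POST with an empty 302 and shows the welcome text on the next page gives the monitor nothing to match in the POST reply itself, so the keyword has to be chosen from whatever that reply actually contains.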

Scenario 2: Web server deployed out of the intranet

The data flow is as follows:

1. The packets of a PC logging into the web server pass through the device.

2. The intranet interface of the device is used as a listening port. No more
listening port is required. If the user successfully logs in to the web server,
web SSO is successful.

The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.


Step 2. Choose Users > Single Sign On SSO > Web and perform
configuration. Select Enable Web SSO.

Step 3. Log in to the specified website, such as the BBS website in the
example, on a computer. If the login is successful, you can access the Internet.

4.1.5 Configuration of SSO Implemented with Third-Party Devices

4.1.5.1 SSO Implemented with Ruijie SAM

Note: The following configuration is for use with the Ruijie SAM system, so the screenshots
below are in Chinese.

Ruijie SAM is a broadband authentication and charging management system
commonly used by colleges and level-2 carriers. Before accessing the Internet,
a user must be authenticated by Ruijie SAM. After a user logs in to or logs out
of Ruijie SAM, the user is logged in to or logged out of the IAG automatically.
See the following figure.


The data flow is as follows:

1. A PC logs in to or logs out of Ruijie SAM.

2. Ruijie SAM's database server notifies the IAG of user login or logout to
implement SSO. The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > Third-Party Server and
perform configuration. Select Ruijie SAM system and configure the shared
key. See the following figure.


Step 3. Download the Ruijie SAM SSO program from the device and configure
the database server of Ruijie SAM to enable the database server to send user
authentication information to the IAG after a user logs in to Ruijie SAM through
a PC.

The following provides an example to describe how to configure the
database server SQL Server 2005 of Ruijie SAM.

1. Click Click Here to Download below Ruijie SAM system to download
rjsam.zip (including logon.exe and trigger SQL scripts) to the server. After
the file is decompressed, the content shown in the following figure is
obtained.


2. Copy logon.exe that the triggers must call to the related directory of the
server.

3. The directory 2005 stores the trigger SQL statements customized for SQL
Server 2005. Take logon_trigger.sql as an example. Open the file, copy all
its content to the query manager of the SQL Server, and modify the
following configuration in the content as required (same for
logout_trigger.sql and update_trigger.sql):

4. The three triggers mentioned above call the xp_cmdshell command of the
master database, but SQL Server 2005 disallows calling the command by
default. Therefore, you must run xp_cmdshell.sql to allow calling the
command. See the following figure. In SQL Server 2005 Management
Studio, open the file and click Run.

5. Access SQL Server 2005 Management Studio and locate SAMDB.

6. Locate the ONLINE_USER table and click the trigger directory icon. No
entry is displayed on the Object Resource Manager Details tab page on
the right. No trigger has been created for the ONLINE_USER table. See the
following figure.

7. Open the 2005 directory and double-click the three files described in step
3. They are opened in SQL Server 2005 Management Studio. Click Run on
the toolbar. The trigger corresponding to the active tab page is installed.
Go to the other two tab pages and perform the same operations to install
the triggers.

8. Access the Object Resource Manager Details tab page and refresh the
page. The triggers installed are displayed.


9. To delete a trigger, right-click the trigger on the Object Resource Manager
Details tab page and choose Delete. In the dialog box that is displayed,
click OK.


Step 4. When Ruijie SAM authenticates a user, the device authenticates the
user as well.

1. SQL Server 2000 and SQL Server 2005 have similar trigger installation processes. For SQL
Server 2000, you need to select the triggers in the 2000 directory to install. If the stored
procedure xp_cmdshell is used, xp_cmdshell.sql does not need to be run.

2. If the Ruijie SAM database name is not SAMDB, change SAMDB in use SAMDB in the first
trigger SQL statement to the actual database name. If the table name and field names are
different from those in the example, change them accordingly.

3. In the trigger SQL statements, pay attention to the field shown in the following figure. If
multiple users may log in or log out at the same time, increase the value of @i according to
the number of Internet users in the organization. Generally, the value must not exceed 2000
(high-end devices support the maximum value of 3000). If you retain the default value, when
two users log in at the same time, the IAG authenticates only one of them, and therefore the
other user cannot access the Internet.


See the following figure. The value indicates that a maximum of 10 users can log in or log
out at the same time.

4. In the trigger SQL statements, pay attention to the fields shown in the following figure.
When logon.exe sends authentication information to the IAG, logging is not performed by
default to ensure server performance. If logging is required, use the last line to replace the
first line in the following figure. That is, add the -1 parameter to enable the logging function.

Then, logs similar to that in the following figure are generated in users' main directories on
the database server.

5. The device and trigger scripts must use the same key, different from other SSO keys.

6. The device must be able to communicate with Ruijie SAM. Ruijie SAM connects to the UDP
port 1773 of the device to send authentication information to the device. Data about users
logging in to Ruijie SAM does not need to be sent to the device.

7. This method applies to all database systems using MS SQL Server 2000/2005 in addition
to Ruijie SAM. You need to modify the SQL scripts for the other database systems so that
the related database names, table names, and field names are correct.

4.1.5.2 SSO Implemented with Devices Supporting the HTTP SSO Interface


The HTTP SSO interface provided by the device can provide the SSO
function based on the HTTP/HTTPS protocol and GET method for any
third-party devices.

The data flow is as follows:

1. A PC accesses the web authentication server through HTTP/HTTPS and
logs in to or logs out of the server.

2. The login/logout page of the server is configured to notify the IAG to log in
or log out the related user, which achieves SSO. After the IAG authenticates
the PC, it can access the Internet. The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose User Authentication > Single Sign On SSO > Third-Party Server
and perform configuration.

Select Enable HTTP SSO Interface and set the IP addresses of the devices
accessible to the interface.


Step 3. Click Download Sample, which includes Logon.js and Logon.html.
Modify Logon.html and configure the web authentication server.

Step 4. When a PC logs in to or logs out of the HTTP/HTTPS server, it is logged
in or logged out on the IAG.

1. The HTTP SSO interface is suitable for implementing SSO with Dr. COM's charging
management systems. It can work with other web authentication systems, but secondary
web server development is required to implement SSO.

2. If this function is not required, do not select Enable HTTP SSO Interface.


4.1.5.3 SSO Implemented with H3C CAMS

H3C CAMS is similar to Ruijie SAM, a broadband authentication and
charging management system commonly used by colleges and level-2
carriers. The IAG works with H3C CAMS using an interface provided by
H3C CAMS and regularly obtains user information from H3C CAMS to
update its online user list or user list for SSO. See the following figure.

The data flow is as follows:

1. A PC is authenticated by H3C CAMS.

2. The IAG synchronizes information about the organization structure and
online users from H3C CAMS as scheduled.

3. The PC accesses the Internet as an online user whose information is
obtained by the IAG.

The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose User Authentication > External Authentication Server and
set the H3C CAMS server. (For details, see Section 3.4.2.2.)

Step 3. Choose Users > Single Sign On SSO > Third-Party Server and
perform configuration.

Select H3C CAMS and select the H3C CAMS server configured on the External
Authentication Server page.

Step 4. When H3C CAMS authenticates a user, the user can access the Internet
through the IAG.

1. H3C CAMS allows automatic user information synchronization, which is set at Users >
User Synchronization. (For details, see Section 3.4.3.2.2.)

2. In some cases, a user is authenticated by the IAG (depending on Interval for Obtaining
Authenticated User) after being authenticated by the authentication server. Therefore, it is
recommended that the authentication policy be configured not to require user
authentication after an SSO failure.

4.1.5.4 SSO Implemented with Dr. COM

Dr. COM is an authentication and charging management system commonly used
in education, telecom, radio, television industries, and governments. The IAG
can work with Dr. COM to authenticate users regardless of whether Dr. COM
uses the B/S or C/S authentication mode. Before accessing the Internet, a user
must be authenticated by Dr. COM. When the user logs in to or logs out of Dr.
COM, the user is also logged in or out on the IAG. See the following figure.

The data flow is as follows:

1. A PC logs in to or logs out of the Dr. COM authentication server.

2. The Dr. COM authentication server notifies the IAG of user login or logout
to implement SSO. The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > Third-Party Server and
perform configuration. Select Dr. COM and set its IP address. See the following
figure.


Step 3. Configure Dr. COM. For details, contact its vendor.

4.1.5.5 SSO Implemented with H3C IMC

Before accessing the Internet, a user must be authenticated by H3C
IMC. When the user logs in to or logs out of H3C IMC, the user is also
logged in or out on the IAG. See the following figure.

The data flow is as follows:


1. A PC logs in to or logs out of the H3C IMC authentication server.

2. The H3C IMC authentication server notifies the IAG of user login or logout
to implement SSO. The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > Third-Party Server and
perform configuration. Select H3C IMC and set its IP address. See the following
figure.

Step 3. Configure H3C IMC. For details, contact its vendor.

4.1.6 SSO Implemented with Another SANGFOR Device

The IAG can work with another IAG or an SG to implement authentication. Two
SANGFOR devices are deployed, one for authentication and the other for audit
and control. After a user is authenticated on the authentication IAG, the audit
and control IAG can synchronize the user information from the authentication
IAG for audit and control. See the following figure. (IAG A is used for
authentication, while IAG B is used for audit and control.)


The data flow is as follows:

1. A PC logs in to or logs out of IAG A.

2. IAG A notifies IAG B of the user login or logout to implement SSO. The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > Single Sign On SSO > SANGFOR Devices and perform configuration.

Select Receive Authentication Information from Other SANGFOR Devices and set the shared key. See the following figure.


Then, IAG B can receive authentication information from IAG A, which keeps the authentication information consistent between the two IAGs.

Step 3. For IAG A deployed in bridge mode, select Send users credential to other Sangfor appliances and set the IP address of the peer device and the shared key. See the following figure.

Then, IAG A forwards all authentication information to IAG B, so that IAG B, deployed in bypass mode, can identify online users and stay synchronized with IAG A. If IAG B is a SANGFOR Internet access optimization device deployed in bypass mode, users can access some data only through a proxy. The proxy server is set on IAG B and authenticates users on IAG B. In this case, users authenticated by IAG A are also authenticated by IAG B, and they can access the data through the proxy server because the information about online users is shared between IAG A and IAG B.

4.1.7 SSO Implemented with a Database System

Suppose a database system is deployed for storing and managing user authentication information and the organization structure. In that case, SQL statements can be configured on the SANGFOR IAG to query the user list and the authenticated users from the database and synchronize them to the local organization structure and online user list, thereby implementing SSO with the database system. After a user is authenticated in the database, the user is automatically authenticated on the IAG. When the user is logged out of the database, the user is also logged out of the IAG. Currently, the supported database types are Oracle, MS SQL Server, DB2, and MySQL. See the following figure.

The data flow is as follows:


1. A PC is authenticated by the authentication server, and the authentication information is updated to the database server.

2. The IAG regularly queries the database server for online users and updates its online user list.

3. The PC accesses the Internet as an online user whose information is obtained by the IAG. The procedure is as follows:

Step 1. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.

Step 2. Choose Users > External Authentication Server and set the
database server. (For details, see Section 3.6.2.2.)

Step 3. Choose Users > Single Sign On SSO > Database and perform
configuration.

Select Enable SSO with Database Authentication, select the database server, and set the SQL statement for queries.

Set Database to the database server that is set in Step 2.

Set SQL Statement to the select statement that can query online users. The
IAG runs this select statement to query online users in the user information
table of the database. The result set returned by the SQL statement cannot
contain more than two columns. The first column specifies usernames, and the
second specifies IP addresses. The number of records found cannot exceed
200,000.

The default value of Sync Interval (sec) is 30s. Generally, it indicates the maximum duration from the time when a user is authenticated on the authentication server to the time when the user is authenticated on the IAG.

1. The online user list consists of only the username and IP address columns. It does not
support synchronization of other user attributes, such as the attributes indicating whether a
user account is disabled or expires. By default, all the user accounts synchronized are
enabled and never expire.

2. Database authentication allows automatic user information synchronization, which is set at Users > Automatic User Synchronization. (For details, see Section 3.6.3.2.1.)

3. A user is authenticated on the IAG only after the next query of the database, that is, up to Sync Interval (sec) after being authenticated on the authentication server. Therefore, it is recommended that the authentication policy be configured not to require user authentication after an SSO failure, so that users are not prompted during this delay.
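The following added example (not from the manual and not Sangfor code) models the sync pass described above in Python: a SELECT of the shape the IAG expects is run against a constructed SQLite table, the two-column and 200,000-record limits are enforced before the result is accepted, and the result is compared with the current online user list to produce the logins and logouts to apply. The table name online_users, its columns, the sample rows and the function names are assumptions chosen for illustration.

```python
# Added example (not Sangfor code): a model of the IAG's database SSO sync pass.
# Assumptions (not from the manual): the online_users table layout, the sample
# rows and the SELECT statement are constructed for illustration; the real
# schema depends on the customer's authentication system.
import sqlite3

MAX_COLUMNS = 2        # manual: the result set may not have more than two columns
MAX_RECORDS = 200_000  # manual: the number of records found may not exceed 200,000

# Constructed sample rows standing in for the customer's authentication database.
SAMPLE_ROWS = [
    ("alice", "10.10.10.11", 1),
    ("bob",   "10.10.10.12", 1),
    ("carol", "10.10.10.13", 0),   # logged out of the auth server: must not be online
]

# The shape of SELECT the IAG expects: column 1 = username, column 2 = IP address,
# restricted to users that are currently online.
ONLINE_USERS_SQL = "SELECT username, ip_address FROM online_users WHERE is_online = 1"


def build_sample_db():
    """In-memory SQLite database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE online_users (username TEXT, ip_address TEXT, is_online INTEGER)"
    )
    conn.executemany("INSERT INTO online_users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_online_users(conn, sql):
    """Run the configured SELECT and return {ip: username}, enforcing the
    manual's limits on column count and record count before accepting the result."""
    cur = conn.execute(sql)
    if len(cur.description) > MAX_COLUMNS:
        raise ValueError(
            f"SQL statement returns {len(cur.description)} columns; at most {MAX_COLUMNS} allowed"
        )
    rows = cur.fetchall()
    if len(rows) > MAX_RECORDS:
        raise ValueError(f"{len(rows)} records exceed the {MAX_RECORDS} limit")
    # The online user list is keyed by IP address: one user per address.
    return {ip: username for username, ip in rows}


def sync_online_list(current, fresh):
    """One Sync Interval pass. `current` is the IAG's online list, `fresh` the
    database result; returns (logins, logouts) as {ip: username} to apply.
    A different user appearing at an IP shows up in both (old user out, new user in)."""
    logins = {ip: u for ip, u in fresh.items() if current.get(ip) != u}
    logouts = {ip: u for ip, u in current.items() if fresh.get(ip) != u}
    return logins, logouts


if __name__ == "__main__":
    db = build_sample_db()
    online_now = query_online_users(db, ONLINE_USERS_SQL)
    logins, logouts = sync_online_list({"10.10.10.12": "bob", "10.10.10.13": "carol"}, online_now)
    print("login:", logins, "logout:", logouts)
```

Because the IAG only ever runs this one SELECT, the database account it uses needs nothing more than read access to the table (or to a two-column view that wraps it); the Sync Interval is the worst-case lag before a freshly authenticated user appears in the online user list.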

4.2 Configuration That Requires No User Authentication

Configuration Case 1: A customer requires that Internet access for the intranet users in the 10.10.10.0/24 segment be transparent, so that the users do not perceive the existence of the IAG. Endpoint devices are identified by IP addresses and access the Internet without authentication. Users connected to the Internet are not added to the organization structure, and the Internet access permissions of the Intranet Group are assigned to them.


Step 1. Choose Users > Authentication Policy > Add and enable user authentication. Set IP/MAC address. In this example, set it to 10.10.10.0/24.

In Authentication Method, select Open Authentication. In Username, select Take IP address as username.


In Action:

The customer requires that authenticated users are not added to the
organization structure. Therefore, do not select Add Non-Local/Domain Users
to Group. To enable the users to access the Internet with the permissions of
Intranet Group, set Group Used by Non-local/Domain Users for Network
Access to /Intranet Group/.


Step 2. When a user accesses the Internet, the user's IP address is used as the
username and authenticated. Information about the user can be viewed in the
online user list.

Configuration Case 2: A customer requires that the intranet users within the
10.10.10.0/24 segment can access the Internet without authentication. After
user authentication, IP addresses are used as usernames and added to the
organization structure. The users are added to the Intranet Group. Because
intranet IP addresses are fixed, the customer wants the IAG to automatically
bind users with IP addresses and MAC addresses so that intranet users cannot
change their IP addresses when accessing the Internet. If they change their IP
addresses, they cannot be authenticated on the IAG and cannot access the
Internet. L3 switches are deployed between the intranet and the IAG.

Step 1. Choose Users > Authentication Policy > Add and enable user
authentication. Set Authentication Scope. In this example, set it to
10.10.10.0/24.


In Authentication Method, select Open Auth.

In Username, select Take IP address as username.


In Action:

The customer requires that authenticated users are added to the organization
structure and the Intranet Group.

Select Add Non-Local/Domain Users to Group, select Add user account to local user database, and select Automatic binding.

Click OK.

Step 2. Because L3 switches are deployed between the intranet and the IAG, the SNMP function of the IAG must be enabled; it obtains users' real MAC addresses from the switches using SNMP. In this scenario, the switches must support SNMP.

Choose Advanced > MAC Filtering Across L3 switch and configure the IP addresses, MAC addresses, and SNMP information of the L3 switches. See Section 3.6.3.4.

Step 3. When a user accesses the Internet, the user's IP address is used as the
username and authenticated. Information about the user can be viewed in the
online user list.


The binding relationships between IP addresses and MAC addresses set up during user authentication are registered. You can query them at Users > Bind IP/MAC Address.
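As an added example (not the IAG's own code), the following Python shows the mechanism behind Step 2 and the binding note above: an IP-to-MAC table is read from snmpwalk output of the standard IP-MIB ipNetToMediaPhysAddress table that an L3 switch exposes, and the binding rules of this case are applied to it (first authentication binds automatically; a bound host that changes its IP address, or another host that takes a bound IP address, is refused). The snmpwalk lines, the addresses and the function names are constructed assumptions; the manual does not describe the IAG's own SNMP queries.

```python
# Added example (not Sangfor code): learning real MAC addresses from an L3
# switch over SNMP and enforcing the IP/MAC binding on them.
# The manual does not describe the IAG's own SNMP queries. This uses the
# standard IP-MIB ipNetToMediaPhysAddress table (OID 1.3.6.1.2.1.4.22.1.2),
# which any SNMP-capable L3 switch exposes. The snmpwalk output below is
# constructed sample data in net-snmp numeric (-On) output format.
import re

ARP_TABLE_OID = ".1.3.6.1.2.1.4.22.1.2"   # IP-MIB::ipNetToMediaPhysAddress

# Constructed sample of:
#   snmpwalk -v2c -c <community> -On <switch-ip> 1.3.6.1.2.1.4.22.1.2
# The index after the OID is <ifIndex>.<a.b.c.d>; the value is the MAC the
# switch currently has for that IP address.
SAMPLE_SNMPWALK = """\
.1.3.6.1.2.1.4.22.1.2.10.10.10.10.11 = Hex-STRING: 00 1C 42 AA BB 01
.1.3.6.1.2.1.4.22.1.2.10.10.10.10.12 = Hex-STRING: 00 1C 42 AA BB 02
.1.3.6.1.2.1.4.22.1.2.11.10.10.20.5 = Hex-STRING: 00 1C 42 CC DD 05
"""

_ROW = re.compile(
    re.escape(ARP_TABLE_OID)
    + r"\.(?P<ifindex>\d+)\.(?P<ip>\d+\.\d+\.\d+\.\d+) = Hex-STRING: "
    + r"(?P<mac>(?:[0-9A-Fa-f]{2} ?){6})"
)


def parse_arp_walk(text):
    """Turn snmpwalk output of the ipNetToMediaPhysAddress table into {ip: mac}."""
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").strip().lower().replace(" ", ":")
    return table


def check_binding(bindings, switch_arp, ip):
    """Apply 'bind user account to IP address and MAC address' for the host at `ip`.

    `bindings` is the set of (ip, mac) pairs registered so far (the Bind IP/MAC
    Address list); `switch_arp` is the table learned over SNMP.
    Returns (allowed, reason). Unknown pairs are bound automatically on first
    authentication; a bound host that changes IP, or another host that takes a
    bound IP, is refused.
    """
    mac = switch_arp.get(ip)
    if mac is None:
        return False, "no ARP entry on the L3 switch for this IP"
    if (ip, mac) in bindings:
        return True, "matches existing binding"
    if any(b_ip == ip for b_ip, _ in bindings):
        return False, "IP address already bound to a different MAC"
    if any(b_mac == mac for _, b_mac in bindings):
        return False, "host changed its IP address"
    bindings.add((ip, mac))            # automatic binding on first authentication
    return True, "bound automatically"


if __name__ == "__main__":
    arp = parse_arp_walk(SAMPLE_SNMPWALK)
    registered = set()
    print(check_binding(registered, arp, "10.10.10.11"))   # bound automatically
    moved = dict(arp, **{"10.10.10.13": "00:1c:42:aa:bb:01"})
    print(check_binding(registered, moved, "10.10.10.13"))  # host changed its IP address
```

Note that the binding is only as trustworthy as the switch's ARP table: prefer SNMPv3 with authentication and privacy over an SNMPv2c community string where the switch supports it, and give the IAG's SNMP account read access to no more than it needs.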

4.3 Configuration That Requires Password Authentication

4.3.1 SMS Authentication

4.3.1.1 Sending SMS Messages Through an SMS Modem

SANGFOR's SMS modem is a tool that can be connected to the IAG to send SMS
messages. To send SMS messages in this way, you must prepare a serial cable,
a SANGFOR SMS modem, and a SIM card.

Configuration Case: A customer has the 192.168.1.0/24 intranet segment, which is assigned using DHCP to its visitors. Its employees may also use the segment.

The customer requires that all the visitors using this network segment must be
authenticated using SMS messages. Authenticated visitors are not added to the
organization structure of the IAG, and the Internet access permissions of the
Visitor group are assigned to the visitors. The employees using this network
segment have usernames in the organization structure, and therefore they can
be authenticated using passwords. After being authenticated, the employees
can access the Internet based on the permissions corresponding to their
usernames.

The configuration procedure is as follows:

Step 1. Install the SIM card in the SMS modem.

Step 2. Use the serial cable (male-to-female cable) delivered with the SMS
modem to connect the SMS modem to the CONSOLE port on the rear of the
IAG and fasten the connectors to make sure that the SMS modem, serial cable,
and IAG are connected properly.

Step 3. Choose System Management > Advanced Configuration > Notification Options and set the SMS notification server:


Set Message Delivery Module to Use built-in SMS Module.

Set Gateway Type to an SMS modem type, which can be a GSM modem or
CDMA modem.

GSM Modem: It is installed with a GSM SIM card.

CDMA Modem: It is installed with a CDMA SIM card.

Set SMS Center to the SMS service number of the local SMS service
provider. For example, the SMS service number of Shenzhen Mobile
is 8613800755500.

Set Serial Port to the serial port connected to the SMS modem. For
example, the first serial port is COM0.

Set Baud Rate to the baud rate of the SMS modem, which is generally 115200.

Click Test Validity to send a test message and check whether it is sent successfully.

Enable the configured SMS platform in Authentication Server > SMS Based Authentication:


Step 4. Choose Users > Authentication Policy > Add and enable SMS authentication. Set IP address/MAC address. In this example, set it to 192.168.1.0/24.

In Authentication Method, select Password based.

Set Authentication Server to Local Users and SMS Authentication.


Action: Users authenticated using SMS messages are not local users or
domain users. Select the /Visitor/ group. Then, visitors authenticated using
SMS messages can access the Internet based on the permissions assigned to
the group.

Employees are authenticated using local accounts and access the Internet based on the permissions assigned to local users. They are not limited by the permissions assigned to the Visitor group.

The visitors authenticated using SMS messages are not added to the
organization structure on the IAG. Therefore, do not select Add Non-
Local/Domain Users to Group.


Step 5. Create local accounts for the employees. Choose Users > Users >
Local User and create local groups and accounts for authentication.

Step 6. When endpoint devices access the Internet through the IAG, they are redirected to the authentication page.

A visitor selects SMS Authentication, enters his/her mobile number, and clicks
Obtain Verification Code. The SMS module sends a verification code to the
mobile number. After receiving the code, the visitor enters the code and clicks
Login for authentication.

See the following figure.


An employee selects Password Authentication, enters the username and password of a local account, and clicks Login for authentication. See the following figure.
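The manual does not specify how the verification code in Step 6 is generated or checked. The following added example (not Sangfor code) shows what a practitioner should expect from that step and can use to review any SMS authentication flow: a randomly generated code, a validity window, a cap on wrong guesses, throttling of repeated Obtain Verification Code requests so a caller cannot flood a number or the modem, and single use of each code. The code length, lifetime and limits are assumed values chosen for illustration, and send_sms is a placeholder for the SMS modem or SMS platform.

```python
# Added example (not Sangfor code): the verification-code step of SMS
# authentication, i.e. what happens between "Obtain Verification Code" and "Login".
# The manual does not specify code length, validity or retry limits for the IAG;
# the values below are assumptions. Sending the SMS is delegated to a callable
# that a real deployment wires to the modem or SMS platform.
import hmac
import secrets
import time

CODE_LENGTH = 6             # assumed
CODE_TTL_SECONDS = 300      # assumed validity window of a code
MAX_VERIFY_ATTEMPTS = 5     # assumed: discard the code after repeated wrong guesses
MIN_RESEND_SECONDS = 60     # assumed: throttle "Obtain Verification Code" per number


class SmsCodeStore:
    """Issues and checks one-time SMS verification codes, keyed by mobile number."""

    def __init__(self, send_sms, clock=time.time):
        self._send = send_sms        # send_sms(mobile, text): modem / SMS platform
        self._clock = clock          # injectable for testing
        self._pending = {}           # mobile -> {"code", "issued", "expires", "attempts"}

    def request_code(self, mobile):
        """Generate and send a fresh code. Returns False when the number is throttled."""
        now = self._clock()
        entry = self._pending.get(mobile)
        if entry is not None and now - entry["issued"] < MIN_RESEND_SECONDS:
            return False
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[mobile] = {
            "code": code,
            "issued": now,
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send(mobile, f"Your Internet access verification code is {code}")
        return True

    def verify(self, mobile, submitted):
        """Check a submitted code. A code is single use, expires, and is discarded
        after MAX_VERIFY_ATTEMPTS wrong guesses so it cannot be brute-forced."""
        entry = self._pending.get(mobile)
        if entry is None:
            return False
        now = self._clock()
        if now > entry["expires"]:
            del self._pending[mobile]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
            del self._pending[mobile]
            return False
        submitted = str(submitted)
        if not (submitted.isascii() and submitted.isdigit()):
            return False
        # Constant-time comparison: do not leak which digits matched.
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[mobile]   # single use
            return True
        return False


if __name__ == "__main__":
    outbox = []
    store = SmsCodeStore(lambda mobile, text: outbox.append((mobile, text)))
    store.request_code("+8613800000000")
    print("sent:", outbox[-1])
    print("throttled resend:", store.request_code("+8613800000000"))
```

When reviewing an SMS login deployment, these are the properties to test from the portal: request the code twice in quick succession, submit a wrong code more times than the limit, reuse a code after a successful login, and try a code after its validity window.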

4.3.2 WeChat and QR Code Authentication

Note: The WeChat developer platform is available only in Chinese, so the screenshots in this section are in Chinese.

Configuration Case: A customer has an intranet segment 192.168.3.0/24 dedicated to authenticating users using WeChat or QR codes. A mobile user can follow the WeChat public account by tapping or scanning and be authenticated for Internet access. When a PC user accesses the Internet, a QR code is displayed. To access the Internet, the PC user must scan the QR code with a mobile phone that has already been authenticated. After being authenticated, the users are not added to the local organization structure of the IAG and access the Internet based on the permissions assigned to the Limited Group.


The configuration procedure is as follows:

1. Apply for a WeChat public account and enable the developer mode on the
WeChat public platform. (If OPENIDs are not used as usernames to access
the Internet through scanning, you do not need to enable the developer
mode.)

2. Choose Users > External Authentication Server and add the WeChat
authentication server and QR code authentication server.

3. Choose Users > Authentication Policy and set an authentication policy for the network segment 192.168.3.0/24.

4. Demonstrate WeChat authentication through tapping or scanning.

5. Demonstrate QR code authentication. The configuration procedure is as follows:

Step 1. Apply for a public account on the WeChat public platform and enable the developer mode.

We recommend that you apply for a service account on the platform and get certified by the platform. Then, you can use both tapping and scanning for a good user experience.

Access https://mp.weixin.qq.com/, click the registration link in the upper-right corner, and follow the instructions to select an account type, enter the related information, and upload the required materials to complete registration.


Step 2. Choose Users > External Authentication Server and add the WeChat-based authentication server.

Select Enable Click to Connect to Wi-Fi:

To use the third-party service platform of WeChat, configure Third-Party Service Platform Connection Options. For sample code and description documents, download Third-Party Service Platform-Developer Documentation from the interface.

Select Connect to Wi-Fi via WeChat:

1. Apply on the WeChat public platform for enabling the function of connecting to Wi-Fi via WeChat:


2. Create a new shop.

3. Add a new device.


The names of the network and the Wi-Fi should be consistent.

4. Obtain SSID and other information.


5. Configure the connect to Wi-Fi via WeChat policy.

Step 3. Choose Users > External Authentication Server and add the QR
code authentication server.


Authenticator: In this example, select All Users, that is, all authenticated users. This means that the mobile phone of any authenticated user can be used to scan a QR code to approve authentication. To grant the approving permission only to specified groups and users, click the selector and choose them in the organization structure.

User validation: If Show captive portal and user information is selected, the approver scans the QR code for authentication, and the mobile phone of the approver then displays a page prompting for information about the Internet access user.


If Not show captive portal and log in as authenticator is selected, users access the Internet as the approver and have the permissions of the approver. In this case, the approver must be a public account.

Step 4. Choose User Authentication > Authentication Policy and add an authentication policy. Set the authentication scope:

Set Authentication Method to Password-based and WeChat Server to QR Code Server.


Action: Users authenticated using WeChat or QR codes are not local users or
domain users. Select the /Visitor/ group. Then, visitors authenticated can
access the Internet based on the permissions assigned to the group.

The visitors authenticated using WeChat or QR code are not added to the
organization structure on the IAG. Therefore, do not select Add Non-
Local/Domain Users To Group.


Step 5. Demonstrate WeChat authentication. User authentication by means of tapping:

1. A customer connects to a hotspot in a store. The web browser displays the portal page, instructing the customer to start WeChat.

2. The customer starts WeChat and follows the WeChat public account of the
store.

3. The customer can use the following methods to access the Internet:

Method 1: Tap Access Internet on the WeChat public account page. WeChat
displays the Internet access message, which can be customized at User
Authentication > Custom Authentication Page.

Method 2: Send the specified letter w (not case-sensitive). WeChat returns the
Internet access message.


User authentication by means of scanning:

1. A customer enters a store and sees a poster introducing WeChat authentication for Internet access and a WeChat QR code. The customer connects to a hotspot.

2. The customer starts WeChat and scans the QR code. The page for
following the WeChat public account of the store is displayed.

3. The customer follows the account and taps Allow Access Internet. The
user is authenticated and can access the Internet. The username displayed
in the online user list of the IAG is an OPENID of the WeChat user.

Step 6. Demonstrate QR code authentication.

A customer enters a store and connects to a hotspot using a PC or tablet PC. The customer opens a web browser, which displays the authentication page. The customer selects QR Code Authentication.


Use a mobile phone that has been authenticated to scan the QR code with
WeChat. The PC displays the Authentication success message. Then, the
customer can access the Internet.

4.3.3 Password Authentication

Configuration Case 1: The PCs in a customer's intranet segment 192.168.1.0/255.255.255.0 are authenticated using usernames and passwords. The PCs are assigned fixed IP addresses. The administrator wants to bind users to MAC addresses so that they can log in only from their own PCs, and to fix the relationships between IP addresses and MAC addresses so that users cannot change their IP addresses. If they do so, they cannot be authenticated by the IAG and cannot access the Internet.

Step 1. The customer wants to authenticate all the PCs in the 192.168.1.0/255.255.255.0 segment using usernames and passwords. Therefore, set the authentication mode for the PCs first.

Choose User Authentication > Authentication Policy and set an authentication policy.

Set the authentication scope to 192.168.1.0/255.255.255.0.


Set Authentication Method to Password-Based and Authentication Server to Local User.


Set Action to Automatic Binding and select Bind user account to IP address and
MAC address.

The local users are added or imported manually by administrators and are not
automatically added to the organization structure on the IAG. Therefore, do not
select Add Non-Local/Domain Users to Group.


Step 2. You must bind MAC addresses. If the intranet and the IAG are on the same layer 2 network, no additional configuration is required. If L3 switches are deployed between the intranet and the IAG, MAC addresses must be obtained across layer 3. In this case, configure the intranet switches to support SNMP. Choose Advanced > MAC Filtering Across L3 Switch and configure the IP addresses, MAC addresses, and SNMP information of the L3 switches. See Section 3.6.3.4.

Step 3. Choose Users > Users > Local User, and add a local user group and
local users. For details, see Section 3.6.3.1.1.

Step 4. When a user within the network segment accesses the Internet and opens a webpage, the authentication page of the IAG is displayed. Enter a username and password and click Login.


After authentication, choose Users > Bind User and view the automatically
bound MAC addresses. Choose Users >Bind IP/MAC Address and view the
binding relationships between IP addresses and MAC addresses.

Configuration Case 2: The PCs in a customer's intranet segment 192.168.2.0/255.255.255.0 are authenticated using passwords for Internet access. Some users must enter domain accounts during authentication, while others must enter local group accounts. After authentication, users are automatically bound with IP addresses. They do not need to be authenticated again within ten days after successful authentication if they access the Internet from the authenticated IP addresses. Within this network segment, only domain users and users in the Internet Group can be authenticated.

Step 1. Choose Users > External Authentication Server and set the
authentication domain server. (For details, see Section 3.6.2.2.)

Step 2. The customer wants to authenticate all the PCs in the 192.168.2.0/255.255.255.0 segment using local user passwords and domain server passwords. Therefore, set the authentication mode for the PCs first.

Choose Users > Authentication Policy and set an authentication policy. Set the authentication scope to 192.168.2.0/24.


Set Authentication Method to Password based and Authentication Server to Local User and Domain Server.


Set Action to automatic binding and select Bind user account to IP address and
MAC address. Select Enable open authentication and set the validity period to
10 days.


Advanced: Enable user login restriction, select Add Non-Local/Domain Users to Group, and select domain users and the Internet Group.

Function: Within this network segment, only domain users and users in the Internet Group can be authenticated.


Step 3. Choose Users > Users > Local User and add a local user group and
local users. For details, see Section 3.6.3.1.1.

Step 4. When a user within the network segment accesses the Internet and opens a webpage, the authentication page of the IAG is displayed.

For a local user, enter the username and password of a local user account and
click Login. For a domain user, enter the username and password of a domain
account and click Login.


4.4 Other Configuration Cases

Configuration Case 1: Configuring user-defined attributes. When the existing attributes are not enough, you can add user-defined attributes for users and use the attributes to set Internet access policies and traffic control policies for the users with the same attributes.

Within the intranet segment 192.168.1.0/255.255.255.0, users are authenticated using passwords. User-defined attributes are set to distinguish male users from female users. For female users, the Internet access policy is configured to disallow access to shopping and entertainment websites. For male users, the Internet access policy is configured to disallow the use of gaming applications.

Step 1. The customer wants to authenticate all the PCs in the 192.168.1.0/255.255.255.0 segment using passwords. Therefore, set the authentication mode for the PCs first. Choose Users > Authentication Policy and set an authentication policy. Set the authentication scope to 192.168.1.0/24.


Set Authentication Method to Password based and Authentication Server to Local User.

Step 2. Choose Advanced > Custom Attributes and set user-defined attributes.

Attribute name: Gender

Attribute value: a sequence including the two values Male and Female


Step 3. Choose Users > Users > Local User and add a local user group and
local users. For details, see Section 3.6.3.1.1.

You can select an attribute value when adding a user.


Step 4. For female users, configure the Internet access policy to disallow them
to access shopping and entertainment websites.


Apply this policy to the users whose attribute values are Female.

Step 5. For male users, configure the Internet access policy to disallow them
to use gaming applications.


Apply this policy to the users whose attribute values are Male.


Configuration Case 2: The intranet users are authenticated using passwords. The customer has a hosted web server on the Internet at http://www.sangfor.com.cn. The users must be allowed to access the server before being authenticated.

The configuration procedure is as follows:

Step 1. Set a URL group for the URL to be accessed.

Choose Define Object > URL Classification Library and click New to add a
URL group.

Step 2. Set an Internet access policy to allow accessing the URL.


Choose Access Mgmt > Policies and click New to add an Internet access
policy. Associate the policy with the Temporary Group.

Step 3. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users to be authenticated using passwords.

In the Authentication Method, select Password based.


Choose Action > Advanced, select Add Non-Local/Domain Users to Group, and select the Temporary Group.


Step 4. When a user accesses the Internet and opens a webpage, the authentication page of the IAG is displayed. However, when the user accesses www.sangfor.com.cn, no authentication page is displayed.

Configuration Case 3: A customer has an AD domain server on its intranet, and intranet users must be authenticated using AD domain SSO. If SSO for a user fails, a notification page must be displayed when the user accesses a webpage. The user can download a manual SSO tool from the page and run the tool to implement SSO.

Step 1. Choose Users > External Authentication Server and set the AD
domain authentication server.

Step 2. Set the authentication policy. Choose Users > Authentication Policy >
Add. Set the authentication policy according to the IP or MAC addresses of the
users who require SSO.


Set Authentication Method to SSO. Select Predefined webpage for users who fail to be authenticated during SSO.

The page enables users to download the manual SSO tool.

Step 3. Enable SSO, select the SSO mode, and set the shared key. Choose
Users > Single Sign On > MS AD Domain.

Select Enable Domain SSO.

Select Obtain login profile by executing logon script through domain, which indicates that SSO is implemented by delivering the logon script. Enter the shared key in Shared Key. See the following figure.

The shared key is used to encrypt the communication between the IAG and the AD domain server and must be specified exactly the same in the logon script. Click Download Domain SSO Program to download the login and logout scripts.

Step 4. Configure the login script on the AD domain server. For details, see
Section 4.4.1.1.

Step 5. After a user logs in through SSO, the user can access the Internet. If SSO fails, the notification page is displayed; the user downloads and runs the manual SSO tool from that page, after which SSO is implemented successfully for the user.

Configuration Case 4: A customer has an ISA server, and intranet users access the Internet through the ISA server, which functions as a proxy.


The IAG is deployed between the ISA server and a switch to implement
control and audit. Intranet users must be able to access the Internet
without being authenticated. On the IAG, IP addresses are used as
usernames.

Step 1. Deploy the IAG in bridge mode. Connect the IAG to the switch using an
intranet port and to the ISA server using the Internet port.

Step 2. Set the authentication policy. Choose Users > Authentication Policy > Add. Set the authentication policy according to the IP or MAC addresses of the intranet users.

In Authentication Method, select Open Auth and set Take IP address as username.


Step 3. Because the IAG connects to the switch using the intranet port and to
the ISA server using the Internet port, data from the Internet is transferred
through the intranet port of the IAG, and data from the intranet is transferred
to the ISA server through the Internet port. Therefore, to prevent Internet IP
addresses from being added to the online user list of the IAG, Internet data
must be excluded as follows:

Choose Users > Advanced > Authentication Options and select Open auth
for data flow from WAN to LAN interface.

Step 4. Configure the proxy settings of PCs to exclude the IAG IP address.


4.5 CAS Server Authentication Case

Requirements:

A Central Authentication Service (CAS) server is deployed in the network. User information, such as accounts and passwords, is stored on this server. For users using password-based authentication, the customer wants connecting users who log in to the IAG unit to be authenticated against the CAS server.

How CAS Server Authentication Works:

User credentials submitted to the IAG unit are forwarded to a third-party authentication server (the CAS server) and verified on that server. The verification result is then returned to the IAG unit, which determines the user authentication outcome. If the verification succeeds, the user is successfully authenticated on the IAG unit.

Network Topology:


Configuration Steps:

Step 1. Ensure that the CAS server is deployed correctly in the network and obtain the CAS server account and the URL used to connect to the CAS server (URL example: https://ip:8443/cas/login).

Step 2. Deploy the IAG unit in Route mode in this case, and configure the corresponding deployment mode on the IAG Web Admin console. A static route needs to be configured if the intranet is a layer 3 network.

Step 3. Add a third-party auth system in Users > Authentication > External
Auth Server and configure related parameters. Specify a name for the new
authentication system, set the URL to the one obtained in Step 1, keep the
default keyword value, and select cas2.0 in the Version field.

If the CAS server version is earlier than V4.0.0, the Version field should be cas2.0; if the
server version is later than V4.0.0, the Version field should be cas3.0. In this case, the CAS
server version is earlier than V4.0.0.

Step 4. Create an authentication policy in Users > Authentication > Authentication Policy, configure applicable objects as per your need, and select Password based as the authentication method. In the Auth Server field, choose the third-party auth system created in Step 3, as shown below.

Step 5. When attempting to access the Internet, the internal user will be
redirected to the CAS authentication page, which requires the user to provide a
username and password.

If the user passes the authentication against the CAS server, the user
information can be viewed in System > Status > Online Users, which means
he/she has logged into the IAG unit successfully.

1. CAS server authentication is applicable to the following deployment modes: Route mode, Bridge mode, and Bypass mode.

2. If the CAS server is deployed between the IAG unit and the external network, the CAS server address should be added to the custom excluded address list in System > General > Global Exclusion. Otherwise, users cannot be redirected to the CAS authentication page.
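The validation exchange described under "How CAS Server Authentication Works", as an added Python example that is not part of the IAG product or this manual: the gateway redirects the user to the CAS login URL, receives a service ticket back, and checks that ticket against the CAS server's validation endpoint, trusting only a well-formed authenticationSuccess response. The /serviceValidate (CAS 2.0) and /p3/serviceValidate (CAS 3.0) endpoints and the XML response format come from the CAS protocol, matching the cas2.0/cas3.0 choice in the Version field; the sample responses, the service URL and the ticket value are constructed.

```python
"""Service-ticket validation against a CAS server, as a gateway would do it.

Added example, not IAG code. Endpoints and the XML response format follow
the CAS 2.0/3.0 protocol; the sample responses below are constructed.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET   # production code should prefer defusedxml for untrusted XML
from urllib.parse import urlencode, urlsplit, urlunsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}   # namespace used by CAS responses

# Validation endpoint per protocol version (the IAG "Version" field: cas2.0 / cas3.0).
VALIDATE_PATH = {"cas2.0": "/serviceValidate", "cas3.0": "/p3/serviceValidate"}


def login_redirect_url(login_url: str, service: str) -> str:
    """URL the gateway sends the user to; CAS returns the user to `service` with a ticket."""
    parts = urlsplit(login_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode({"service": service}), ""))


def validate_url(login_url: str, version: str, service: str, ticket: str) -> str:
    """Derive the validation URL from the configured login URL (e.g. https://ip:8443/cas/login)."""
    parts = urlsplit(login_url)
    base = parts.path.rsplit("/login", 1)[0]        # "/cas"
    query = urlencode({"service": service, "ticket": ticket})
    return urlunsplit((parts.scheme, parts.netloc, base + VALIDATE_PATH[version], query, ""))


def parse_validation(xml_text: str) -> dict:
    """Interpret a CAS validation response.

    Only an explicit <cas:authenticationSuccess> with a non-empty user counts as
    success; a failure element, malformed XML or an unexpected root is a failed login.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {"ok": False, "user": None, "error": "MALFORMED", "attributes": {}}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        attributes = {}
        attr_node = success.find("cas:attributes", CAS_NS)      # CAS 3.0 only
        if attr_node is not None:
            for child in attr_node:
                attributes[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
        if not user:
            return {"ok": False, "user": None, "error": "EMPTY_USER", "attributes": {}}
        return {"ok": True, "user": user, "error": None, "attributes": attributes}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "UNEXPECTED_RESPONSE"
    return {"ok": False, "user": None, "error": code, "attributes": {}}


def validate_ticket(login_url, version, service, ticket, timeout=5):
    """Fetch and parse the validation response over HTTPS (server certificate checked)."""
    url = validate_url(login_url, version, service, ticket)
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return parse_validation(resp.read().decode("utf-8"))


# Constructed sample responses (what a CAS server returns for a valid / invalid ticket).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes><cas:department>marketing</cas:department></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(validate_url("https://ip:8443/cas/login", "cas2.0", "https://iag.example/auth", "ST-1-abc"))
    print(parse_validation(SAMPLE_SUCCESS))
    print(parse_validation(SAMPLE_FAILURE))
```

The `service` value sent at validation must be the same one used in the login redirect; the CAS server refuses the ticket otherwise, which is what stops a ticket issued for one site from being replayed to another.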

4.6 Policy Configuration Cases

4.6.1 Configuring a Policy for Blocking P2P and P2P Streaming Media Data for a User Group

Requirement: The user group and its sub-groups of the marketing department cannot use P2P and P2P streaming media applications during business hours.

Step 1. In the navigation area, choose Access Mgt > Policies and the Access Policy page is displayed on the right. Click Add and select Access Control. The Access Control page is displayed. Enter the policy name and description.

Step 2. Choose Access Mgt > Access Control > Application. The Application
Control page is displayed on the right. Click Add.

Step 3. Click Add. The Select Applications window is displayed.

Step 4. Select P2P and P2P streaming media.

Step 5. Click OK. The application control page is displayed. Set the effective
time to the office hours and action to Reject. Click OK.

Step 6. Select Object and associate the policy with users and user groups.

Step 7. Click Commit. The policy is successfully set.

4.6.2 Configuring an IM Monitoring Policy for a User Group

Requirement: An IM monitoring policy must be configured for the marketing department and engineering department to monitor QQ messages and files transferred using QQ.

Step 1. In the navigation area, choose Access Mgt > Policies and the Access Control page is displayed on the right. Click Add and choose Audit Policy. The Audit Policy page is displayed. Enter the policy name and description.

Step 2. Choose Access Mgt > Audit Policy > Application. The Application
page is displayed on the right. Click Add.

Click and select all involved IM objects on the Select IM page.

Click OK. See the following figure.

Step 3. Set user groups on the Object page.

Click Commit.

Step 4. In the navigation area, choose Access Mgt > Access Control and the
Access Control page is displayed on the right. Click Add and choose Ingress
Policy. The Ingress Policy page is displayed. The policy is used to monitor
encrypted QQ messages and the files transferred using QQ.

Enter the policy name and description. Click below Type and select the
option for monitoring IM messages. Set the effective time to Whole Day.

Click Add, click below Type and select the option for monitoring
outbound IM files. Set the effective time to Whole Day.

Step 5. Set user groups on the Objects page.

Click Commit.

Step 6. When users from the marketing department or engineering department access the Internet, the IAG installs an admission client for them.

The users can access the Internet only after the client is installed. A user must log in to a computer as an administrator so that the client can be installed on the computer.

4.6.3 Enabling the Audit Function for a User Group

Requirement: The audit function is enabled only for the network department to audit all network behaviors and check the URLs accessed by users during business hours.

Step 1. In the navigation area, choose Access Mgt > Audit Policy, and the
Audit Policy page is displayed on the right. Click Add and choose Internet
Access Audit Policy. The Internet Access Audit Policy page is displayed.
Enter the policy name and description.

Step 2. Choose Options > Application. The Application Audit page is displayed on the right. Click Add. The page for adding audit objects is displayed.

Step 3. Click below Audit Object. The Select Item window is displayed.
Select Website Browsing or Downloads, select visit URL and set the accessed
URL to be audited. Set Schedule to Office Hours.

Step 4. Click Add. The page for adding audit objects is displayed. Select Access to other applications (exclusive of contents) and Access to unidentified applications (identified only by address and port; this incurs massive logs). Set the Internet access behaviors that all devices can identify. Set Schedule to All Day.

Step 5. Select applicable objects.

Step 6. Click Commit.

4.7 Endpoint Device Management Configuration Cases

4.7.1 Configuring the Sharing Prevention Function

Requirement: A customer has many PCs and mobile endpoint devices that share hotspots on its intranet. The PCs and mobile endpoint devices must be prevented from accessing the Internet through proxies.

The configuration procedure is as follows:

Step 1. In the navigation area, choose Endpoint Device > Connection Sharing. The Connection Sharing page is displayed on the right. Select Enable Shared Connection Detection. See the following figure.

Step 2. On the Connection Sharing page, select options. See the following
figure.

Set Endpoints to All. This means that connection sharing is detected between PCs, between mobile endpoint devices, and between PCs and mobile endpoint devices.

Set Lockout Options to Lock IP Address, so that only one user can use one IP
address to access the Internet.

Step 3. Choose Endpoint Device > Connection Sharing and select Enable
Connection Sharing Detection. See the following figure.

You only need to enable the mobile endpoint device management function.

Step 4. Choose Connection Sharing > Enable Connection Sharing Detection. Open the Excluded Users page on the right and add the users, user groups, and IP addresses that should not be subject to detection to the trusted list. See the following figure.

4.7.2 Mobile Endpoint Management Configuration Cases

Requirement: Mobile endpoint devices can access the Internet only through trusted wireless APs. The configuration procedure is as follows:

Step 1. In the Navigation menus page, go to Endpoint Access Management > Mobile Endpoints and then enter Mobile Endpoint on the right side, as shown below:

Select Enable mobile endpoint verification, and then Upon discovery of mobile endpoint, reject.

Step 2. Go to Endpoint Access Management > Mobile Endpoints and then enter the configuration page of Excluded Users to add users, user groups, or IP addresses that are allowed to use mobile endpoints as excluded users. See the picture below:

4.7.3 Configuring Anti-Proxy

By default, proxy detection is enabled, but the use of the proxy tool will not be blocked. However, if the use of the proxy tool is detected, a prompt message will appear on the dashboard, as shown in the following figure:

To configure anti-proxy, you can click on Anti-Proxy Settings, and then you will
be redirected to the Anti-Proxy page.

If you want to block the use of the proxy tool, you need to do the following:

1. Navigate to Endpoint Device > Anti-Proxy, as shown below:

2. Click on Settings to configure anti-proxy options on the following page:

By default, All is selected for Proxy Tool. You can select proxy tools as per your
need. To block specified proxy tools, select the option Block proxy tools.
Select the option Give alert to user to alert the user when the use of the
specified proxy tool is detected.

3. Select the option Take action, and the option Reject Internet access. Then Internet access will be denied when the use of the specified proxy tool is detected.

After configuring anti-proxy, if any user tries to access the Internet through a
proxy tool like FreeGate, he/she will be redirected to the following page:

4.8 Comprehensive Configuration Cases

4.8.1 Customer Network Environment and Requirement

A customer has the network structure shown in the following figure. The Internet line bandwidth is 10 Mbps, and the customer has about 500 intranet users accessing the Internet. Because Internet access bandwidth is limited and some users download or watch movies online during business hours, website access is slow, affecting work efficiency.

The customer purchases SANGFOR's IAG and wants to implement the following configuration:

1. Deploy the IAG without changing the original network environment if possible.

2. Bind IP addresses with MAC addresses so that employees cannot change their IP addresses.

3. Disallow employees to download P2P files or watch streaming media during business hours, disallow them to access illegal or unhealthy websites, and audit employees' behaviors of sending emails (through webpages or clients), posting content on forums, posting microblog content, and sending QQ messages.

4. Do not control the Internet access behaviors of the director team, but audit the behaviors.

5. Ensure website access bandwidth at all times. Allocate at least 60% of the bandwidth for this purpose. Limit the bandwidth for P2P applications, download applications, and online streaming media applications to 20% or less.

4.8.2 Configuration Idea

1. As required by the customer, deploy the IAG between the core switch and firewall in bridge mode. Set the bridge mode, bridge IP address, and system routes.

2. Divide users into a common employee group and a director group.

3. Select Enable Cross-L3 MAC Address Identification and set the IP address, MAC address, and OID of the L3 switch.

4. Create two authentication policies: bind the IP addresses and MAC addresses of directors and add directors to the director group; bind the IP addresses and MAC addresses of common employees and add common employees to the common employee group.

5. For the common employee group, create an Internet access policy to control the P2P applications and online streaming media applications during business hours and block access to illegal and unhealthy websites. Create an Internet access audit policy to audit applications, outbound content sent via HTTP, and mail content. Create an admission policy to audit IM messages.

6. Create an Internet access audit policy to audit the Internet access behaviors of directors.

7. Create a bandwidth assurance channel to allocate 60% to 100% of the channel bandwidth for accessing websites. Create a bandwidth limitation channel to allocate a maximum of 20% of the channel bandwidth to P2P applications, download applications, and online streaming media applications during business hours.
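Item 4 above binds each user's IP address to a MAC address. The following Python example is added here and is not IAG code; it shows the check such a binding implies from the defender's side: compare the IP/MAC pairs observed in the L3 switch's ARP table with the bound list, and report hosts whose MAC no longer matches, bound hosts that moved to another IP, and IPs with no binding at all. The bindings, the ARP lines and the group names are constructed; the MAC styles handled are the colon, dash and Cisco dotted forms.

```python
"""Check observed IP/MAC pairs against the IP-MAC bindings of an authentication policy.

Added example, not IAG code. The bindings, the ARP table lines and the group
names below are constructed; the check is the editor's, not the product's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    group: str          # "director" or "common", as in the 4.8 case


# MAC in colon/dash form (aa:bb:cc:dd:ee:ff, AA-BB-...) or Cisco dotted form (aabb.ccdd.eeff)
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def normalize_mac(mac: str) -> str:
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff regardless of input style."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> dict:
    """Map IP -> normalized MAC from switch ARP output; lines without both are ignored."""
    observed = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            observed[ip.group(0)] = normalize_mac(mac.group(0))
    return observed


def check_bindings(bindings, observed) -> list:
    """Return (ip, finding) tuples for every observed pair that violates the bindings."""
    by_ip = {b.ip: b for b in bindings}
    by_mac = {normalize_mac(b.mac): b for b in bindings}
    findings = []
    for ip, mac in sorted(observed.items()):
        bound = by_ip.get(ip)
        if bound is None:
            owner = by_mac.get(mac)
            if owner is not None:
                # A bound machine is now using an address it was not bound to.
                findings.append((ip, f"bound host {mac} ({owner.group}) changed IP from {owner.ip}"))
            else:
                findings.append((ip, "unbound IP with unknown MAC"))
        elif normalize_mac(bound.mac) != mac:
            # Someone else is using a bound IP (spoofed or reassigned address).
            findings.append((ip, f"MAC mismatch: expected {normalize_mac(bound.mac)}, saw {mac}"))
    return findings


# Constructed binding table and ARP output for the 4.8 topology.
BINDINGS = [
    Binding("10.10.20.11", "aa:bb:cc:00:00:11", "director"),
    Binding("10.10.30.21", "AA-BB-CC-00-00-21", "common"),
    Binding("10.10.30.22", "aabb.cc00.0022", "common"),
]
ARP_TABLE = """\
Internet  10.10.20.11   3   aabb.cc00.0011  ARPA   Vlan20
Internet  10.10.30.21   0   aabb.cc00.0099  ARPA   Vlan30
Internet  10.10.30.50   1   aabb.cc00.0022  ARPA   Vlan30
Internet  10.10.30.60   7   aabb.cc00.0060  ARPA   Vlan30
"""

if __name__ == "__main__":
    for ip, finding in check_bindings(BINDINGS, parse_arp(ARP_TABLE)):
        print(ip, finding)
```

Run periodically against the switch's ARP table, the three finding types map to the cases the binding is meant to catch: an address taken over by another machine, a bound machine that changed its own address, and a device nobody registered.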

4.8.3 Configuration Process

Step 1. Use a crossover cable to connect a computer to the ETH0 (LAN) port of the IAG. Assign an IP address in 10.251.251.X/24 to the computer. Log in to the IAG console at https://10.251.251.251.

Step 2. Set the bridge mode. Assign the 10.10.10.3/29 IP address as the bridge IP address of the IAG.

This IP address belongs to the network segment for the direct connection between the firewall and the L3 switch. Choose System > Network > Deployment, click Configure, and select the bridge mode.

Click Next and select the bridge port numbers. In this example, ETH0 and ETH2
are used as a pair of bridge port numbers. ETH0 is used for the LAN, and ETH2
is used for the WAN.

Click Next and set the bridge IP address of the IAG.

Click Next and set the IP address of the DMZ management port. You can retain
the default settings.

Click Next and set the gateway and DNS for accessing the Internet.

Click Next and click Commit.

Step 3. Add a common employee group and a director group for local users at
Users > Local User > Add Group/User.

You can add multiple groups and separate the group names with a comma.
Then click Commit.

Step 4. In this example, the L3 switch forwards data between the IAG and intranet users. Therefore, select MAC Filtering Across L3 Switch so that users' IP addresses and MAC addresses can be bound correctly on the IAG. Choose Users > Advanced > MAC Filtering Across L3 Switch.

Tick Enable MAC Filtering across L3 switch. Click Add to add a server, and enter the MAC address of the L3 switch in the exclusion list.

Click Commit.

Step 5. Add an authentication policy for the common employee group and
another for the director group at Users > Authentication > Authentication
Policy.

Click Add and set an authentication policy for the common user group. See the
following figure.

Click Commit.

Click Add and set an authentication policy for the director group. See the
following figure.

Step 6. Set the Internet access permissions for the common user group at
Policies > Access Control.

Click Add and select the Internet access policy. Choose Access Control and set
access control over P2P applications and online streaming media applications
for office hours and block access to illegal and unhealthy websites.

Click Object, choose Local Users, and select Common User Group.

Click Commit.

Set the Audit policy for the common user group. Add the policy,
select Audit policy, and add audit objects.

Click OK.

Click Object, choose Local Users, and select Normal User Group.

Click Commit.

Set the admission policy for the common user group. Add the policy, select
Ingress Policy and enable IM message monitoring.

Click Object, choose Local Users, and select Normal User Group.

Click Commit.

Step 7. Set the Internet access audit policy for the director group. Select Audit
Policy and add audit objects.

Click Object, choose Local Users, and select Director Group.

Click Commit.

Step 8. Set the Bandwidth Management policy. Set the line bandwidth at
Bandwidth Management > Line bandwidth.

Click Line 1 and set the upstream and downstream bandwidth.

Click Commit.

Set the Bandwidth Management channel at Bandwidth Management > Bandwidth Channel. Select Enable Bandwidth Management System.

Click Add, select Add Parent Channel, and set the assurance channel for
website access.

Click OK.

Click Add, select Add Parent Channel, and set the limitation channel
for P2P applications, download applications, and streaming media
applications.

Click OK.

Step 9. Install the IAG. Connect the ETH0 (LAN) port of the IAG to the L3 switch
and the ETH2 (WAN) port to the intranet port of the firewall.
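Requirement 5 and Step 8 above split the 10 Mbps line into an assurance channel (at least 60%, up to 100%) for websites and a limitation channel (at most 20%) for P2P, download and streaming applications. The Python model below is an added illustration of the min/max semantics of such channels and is not the IAG's bandwidth scheduler: each channel first receives its guarantee, and the remaining capacity is shared among channels that still have demand without pushing any channel above its cap. The channel names and demand figures are constructed; the percentages and the 10 Mbps line come from this case.

```python
"""Min/max channel allocation on one line: a model of assurance and limitation channels.

Added illustration, not the IAG's scheduler. Channel names and demand figures are
constructed; the percentages and the 10 Mbps line come from the 4.8 case.
"""
from dataclasses import dataclass

LINE_KBPS = 10_000          # 10 Mbps Internet line
EPS = 1e-9


@dataclass
class Channel:
    name: str
    guaranteed_pct: float   # assurance: share the channel can always claim (0 for none)
    max_pct: float          # limitation: ceiling even when the line is otherwise idle
    demand_kbps: float      # offered load (constructed)


def _ceiling(ch: Channel, line_kbps: float) -> float:
    """A channel never gets more than it asks for, nor more than its cap."""
    return min(ch.demand_kbps, line_kbps * ch.max_pct / 100)


def allocate(channels, line_kbps=LINE_KBPS) -> dict:
    """Return {channel name: kbps} after guarantees are met and spare capacity is shared.

    Pass 1 gives every channel min(demand, guarantee, cap). Pass 2 hands the
    remaining capacity out in equal shares to channels that still have unmet
    demand, never pushing any channel above its ceiling.
    """
    alloc = {ch.name: min(ch.demand_kbps, line_kbps * ch.guaranteed_pct / 100,
                          line_kbps * ch.max_pct / 100) for ch in channels}
    spare = line_kbps - sum(alloc.values())
    while spare > EPS:
        hungry = [ch for ch in channels if alloc[ch.name] < _ceiling(ch, line_kbps) - EPS]
        if not hungry:
            break                              # everyone is satisfied or capped
        share = spare / len(hungry)
        for ch in hungry:
            give = min(share, _ceiling(ch, line_kbps) - alloc[ch.name])
            alloc[ch.name] += give
            spare -= give
    return {name: round(kbps, 1) for name, kbps in alloc.items()}


def channels_for(web_kbps, p2p_kbps, other_kbps):
    """The two channels from the 4.8 case plus uncategorised traffic."""
    return [
        Channel("web", guaranteed_pct=60, max_pct=100, demand_kbps=web_kbps),    # assurance
        Channel("p2p", guaranteed_pct=0, max_pct=20, demand_kbps=p2p_kbps),      # limitation
        Channel("other", guaranteed_pct=0, max_pct=100, demand_kbps=other_kbps),
    ]


if __name__ == "__main__":
    print("congested:", allocate(channels_for(9500, 9000, 0)))
    print("three-way:", allocate(channels_for(8000, 9000, 3000)))
    print("idle line:", allocate(channels_for(1000, 9000, 0)))
```

The third scenario is the one worth noticing when reviewing a limitation channel: with the line otherwise idle, P2P traffic is still held to 2,000 kbps, because a limitation channel caps the application even when nothing else is competing.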

4.9 SNMP Trap Configuration Case

4.9.1 Basic Configuration

4.9.1.1 Enable Email Alarm

A. Go to System > General > Alarm Options to enable email alarm.

B. Configure the required alarm events. For the convenience of the test, set the threshold of the Memory usage exceeds threshold event to the minimum value, as shown below:

C. Click the SNMP Trap settings button.

D. Enable SNMP, enable SNMP TRAP, configure trap server IP and port.

4.9.2 Testing Procedure

4.9.2.1 Test with the MIB browser tool

A. Import IAG's MIB library.

B. In this document, SNMPv1/v2 is configured on the IAG, and SNMPv2 is configured on the server side.

C. Click Tools > Trap Receiver.

D. On the General page, confirm that the port and community name are consistent with the IAG.

4.9.3 Testing Results

After the configuration is completed, wait for the alarm to be sent.

The test environment did not transcode the trap payload, so the value appears in hexadecimal.

After manual transcoding:
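Trap varbind values that a MIB browser shows as hexadecimal are OCTET STRING bytes that have not been transcoded. The Python helper below is an added example, not Sangfor tooling, that performs the manual transcoding step: it parses "OID = value" lines from a trap receiver dump and, where the value is a hex byte sequence, decodes it as UTF-8, falling back to GBK for Chinese alarm text. The trap lines are constructed, and the enterprise OID prefix 1.3.6.1.4.1.99999 is a placeholder, not Sangfor's enterprise number.

```python
"""Transcode hex-encoded OCTET STRING values from an SNMP trap receiver dump.

Added example, not Sangfor tooling. The trap lines are constructed and the
enterprise OID prefix 1.3.6.1.4.1.99999 is a placeholder, not Sangfor's.
"""
import re

# "4D 65 6D", "4d:65:6d" or "0x4d656d", as MIB browsers print undecoded OCTET STRINGs
HEX_VALUE = re.compile(r"^(?:0x[0-9a-fA-F]+|(?:[0-9a-fA-F]{2}[ :])+[0-9a-fA-F]{2})$")


def hex_to_text(value: str, encodings=("utf-8", "gbk")) -> str:
    """Decode a hex byte string, trying UTF-8 first and GBK for Chinese alarm text."""
    digits = re.sub(r"^0x|[ :]", "", value.strip())
    raw = bytes.fromhex(digits)
    for enc in encodings:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")    # never fails, but the result may be meaningless


def looks_hex(value: str) -> bool:
    """True for values in one of the hex styles above with an even number of digits."""
    v = value.strip()
    return bool(HEX_VALUE.match(v)) and len(re.sub(r"^0x|[ :]", "", v)) % 2 == 0


def transcode_trap(dump: str) -> dict:
    """Parse 'OID = value' lines; hex values are replaced by their decoded text.

    A value is only replaced when the decoded text is printable, so binary
    payloads (and numbers that merely look like hex pairs) are left untouched.
    """
    result = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        oid, _, value = line.partition("=")
        oid, value = oid.strip(), value.strip()
        if looks_hex(value):
            text = hex_to_text(value)
            if text.isprintable():
                value = text
        result[oid] = value
    return result


# Constructed trap as a receiver might list it before transcoding: sysUpTime,
# snmpTrapOID, then two enterprise varbinds (placeholder OIDs) holding text as hex.
TRAP_DUMP = """\
1.3.6.1.2.1.1.3.0 = 123456
1.3.6.1.6.3.1.1.4.1.0 = 1.3.6.1.4.1.99999.2.1
1.3.6.1.4.1.99999.1.1 = 4D 65 6D 6F 72 79 20 75 73 61 67 65 20 65 78 63 65 65 64 73 20 74 68 72 65 73 68 6F 6C 64
1.3.6.1.4.1.99999.1.2 = 0x3935
"""

if __name__ == "__main__":
    for oid, value in transcode_trap(TRAP_DUMP).items():
        print(oid, "=", value)
```

Paste the receiver's varbind listing into `TRAP_DUMP` (or read it from a file) to get the same result as the manual transcoding shown above; the UTF-8-then-GBK order matters only for non-ASCII alarm text, since ASCII decodes identically under both.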

4.10 International Bandwidth Configuration Cases

4.10.1 Network Environment and Requirement

Demand:

In Indonesia, bandwidth is offered at different rates for local and international traffic. International bandwidth is more expensive than local bandwidth. For example, the price offered by the ISP First Media is as follows. (IX = International Bandwidth; IIX = Local Bandwidth)

The ISP provides two packages. The first package is 1 Mbps of international bandwidth + 5 Mbps of local bandwidth. The second package is 2 Mbps of international bandwidth + 5 Mbps of local bandwidth. The difference between the two packages is just 1 Mbps.

But the customer needs to pay RP1,000,000 more to select the second package, so the price of international bandwidth is around five times that of local bandwidth.

When the international bandwidth has reached its limit, it cannot use the local bandwidth, and when the local bandwidth has reached its limit, it cannot use the international bandwidth. Even though the ISP provides two lines for customers to access the Internet, from the user's view there is only one line.

4.10.2 Proposed Solution

There are two types of customer environment: one in which the international and local lines are combined, and one in which the international and local lines are separated. Both are supported in IAG bridge, route, and single-arm modes. Conventional bandwidth control does not support categorizing local and international bandwidth differently, so the current version of IAG addresses this with the newly enhanced bandwidth management module.

4.10.3 Configuration Guide

1. Configure the correct location, local line, and international line under Virtual Line, which is under the bandwidth management category.

2. After configuration, the admin can view which user has utilized most of the international bandwidth from the internal data center.

3. Check which application has utilized most of the international bandwidth.

4. Limit the bandwidth of the user or application that has utilized most of the international bandwidth, to solve the problem of bandwidth not being well distributed.

Generate International Report from the internal data center.

Appendix: Usage of SANGFOR Device Upgrade System

SANGFOR device upgrade system 6.0 can be used to upgrade the kernel version of the IAG. See the following figure.

When the SANGFOR device upgrade system connects to the IAG for
an upgrade, the computer must be able to synchronize with the
Internet time.

If the computer running the system can obtain Internet time during
such an upgrade, the system can directly load an upgrade package to
upgrade the IAG.

If the customer environment has special requirements during such an upgrade, for example, the computer running the system is located in an intranet and cannot access the Internet, you can relocate the computer to an area with Internet access and run the system to synchronize with the Internet time. Then, you can relocate the computer back to the intranet without shutting down the system and connect the system to the IAG to upgrade the IAG.

The SANGFOR device upgrade system consists of the device IP address, device
search, administrator password, and options modules. The following describes
the functions of the modules.

Device IP Address: Enter the IP address of the IAG to be upgraded.

Device Search: Search for the LAN port IP addresses of all SANGFOR devices within the same layer 2 intranet. See the following figure.

Password: Enter the administrator password for logging in to the IAG. The password is the one corresponding to the admin account.

You can select Remember Password to save the current login password of the IAG. Then, you do not need to enter the password next time you log in to the IAG through the system.

Options: Set the options related to upgrades. See the following figure.

Click Connect to log in to the current IAG for an upgrade. See the following
figure.

You can choose to upgrade the IAG online or load an upgrade package to
upgrade the IAG. After selecting the correct upgrade package, click Next to
start the upgrade.

Product Upgrade Procedure

1. Download an upgrade package to a local directory.

2. Start the gateway upgrade client and choose Manage Upgrade Package > Load Upgrade Package to load the local package.

3. Choose System > Direct Connection to log in to the IAG.

4. Choose Upgrade > Upgrade Firmware. The IAG displays an upgrade success message and restarts.

5. If you need to restore the default settings, log in to the IAG and choose
Upgrade > Restore Default Settings.

You can upgrade the hardware firmware only under the instruction of SANGFOR technical
engineers.
