
Key Parameters of Next-Generation Firewalls

Author: AIVON, February 03, 2026


Overview

Sangfor WAF: the main WAF functions include parameter injection protection, unauthorized access prevention, uploaded file inspection, HTTP field validation, sensitive data leakage protection, and secure configuration settings.

 

Traffic Handling

The device proxies all HTTP traffic. SSH is not blocked.

Network

Interfaces

eth0 can only be used as a routed interface and its mode cannot be changed. The reserved management address 10.251.251.251/24 cannot be removed.

VLAN subinterfaces: used to connect to the routed port when VLAN trunking is configured. Subinterfaces do not support IPv6.

VLAN interfaces do not support IPv6. Aggregation interfaces do not support IPv6.

GRE interface: the physical source interface must be the actual public IP; the IP assigned on the GRE interface is the tunnel IP.

Interface grouping can include multiple interfaces. The HA interface cannot be included in the grouping.

No interface IP may be configured within 1.1.1.0/24.

Ports and Link Aggregation

Aggregation modes:

  • Load-balance mode - hash: distributes traffic by hashing packet source/destination IP or MAC values.
  • Load-balance mode - RR: round-robin forwarding packets across member interfaces.
  • Active-standby mode: the member with the largest eth port number is the active interface; others act as standby.

Aggregation protocol:

  • Only static aggregation is supported. Dynamic aggregation protocols are not supported. Aggregation protocol must match on both ends.

Virtual Wire

Virtual wire supports aggregated ports and appears in pairs. It does not send ARP, nor does it query the MAC address table, which prevents CAM table confusion from MAC aging.

IPv6

Supports source-IP policy routing. Does not support application-based routing or multi-link load balancing.

To enable dual-stack IPv4/IPv6, a device reboot is required.

NAT64 and DNS64

  • Supports IPv6-to-IPv6 NAT on some versions (e.g., 807).
  • Supports port mapping from external IPv6 to internal IPv4 on some versions.
  • NAT64 performs two-way address translation: both source and destination IPs are translated.
  • DNS64 synthesizes AAAA responses from A-record lookups, so IPv6-only clients can reach IPv4-only servers through NAT64.

Note on IPS/WAF/botnet logging: because NAT64 translation happens before the protection modules run, the source and destination IPs in attack logs are the translated IPv4 addresses, not the original IPv6 addresses. This makes tracing the true source from those logs infeasible.

Limitations and Notes

  • Does not resolve "sunroof" scenarios.
  • Does not support SLAAC (stateless address autoconfiguration).
  • Does not support hash-based port aggregation.
  • Does not support subinterfaces in some contexts.
  • Does not support NAT46 translation of large UDP packets.
  • Does not support ALG.
  • Only supports matching rules; cannot match behavior-based rules.
  • Does not support runtime status display for some features.
  • Does not support IPv6 heartbeat for HA.
  • Supports VLAN and aggregation.

 

WAN Attribute

Purpose and behavior:

  1. Some AF versions do not have WAN attribute flow control; traffic auditing will be disabled in that case.
  2. From AF 6.8, lack of WAN attribute can prevent VPN services from starting.
  3. From AF 7.1, policy routing no longer requires WAN attribute; prior versions required WAN attribute on the interface for policy routing.
  4. Destination NAT that requires symmetric source and destination (return via the same public IP) requires the WAN attribute.
  5. Application traffic ranking requires WAN attribute support for certain modes.

Interface modes:

Before 7.1, AF allowed selecting WAN attribute on routed, transparent, aggregated, and virtual-wire interfaces. From 7.2, subinterfaces can also be selected as WAN interfaces.

WAN Inbound Routing

Inbound WAN interfaces cannot forward arbitrary data except for virtual server, DNS, source NAT, port mapping, remote login, or when matching smart or static routes.

If AF is configured for VPN, the external interface must have "match IPSEC VPN egress line" selected; otherwise VPN services may not start.

Management Interface

eth0 is the management interface and can only be used as a routed interface. The default management IP 10.251.251.251/24 cannot be removed. Management interfaces cannot be used as monitor ports.

Starting with some versions (e.g., 809), the default management IP can be modified. When management access control is enabled, the specified management peer IP must be used by the admin PC to access the device.

vlan0 and ARP Proxy

1.1.1.1 is used for redirect pages and to hide the AF source IP; it is paired with 1.1.1.2 for internal hiding. (This is why no interface IP may be configured within 1.1.1.0/24, as noted under Interfaces.)

ARP proxy: when internal AF interfaces and directly connected servers are on different subnets, the device can proxy ARP responses to protect internal hosts. The interface used by the ARP proxy must be a routed port and should be assigned an IP that does not conflict with other segments.

 

Routing

Policy Routing

VLAN interfaces and subinterfaces do not support policy routing. Multi-link policy routing supports link bundling.

Commands and route table notes:

  • Use "ip rule" to view policy routing rules.
  • Use "ip route show table" to inspect a given table (for example, VPN tables).

AF route table classification:

  • System tables (default three): 255 local, 254 main, 253 default.
  • Policy routing tables: id 1-237, generated by the policy routing UI.
  • VPN tables: id 240-249 (240 ipsec vpn, 239 ssl vpn, and others for Sangfor vpn and multi-line).
  • Temporary table id: 238.

Priority order: local(0) > vpn(239,240,241) > temporary(300) > policy routing tables(10000) > main(32766).

Routing preference: vpn > static/direct > dynamic routing > policy routing > default route.

Use "ip route get x.x.x.x" to see which route entry matches reaching a given address.
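A small triage helper that parses "ip rule" output and maps each lookup table to the classification and precedence given above. This is an added example, not a Sangfor tool; the table-id ranges are taken from this page, the grouping of "unknown" ids and the sample output are assumptions.

```python
import re

# AF route-table classification as stated on this page; the numbers are the
# page's, the grouping logic and sample output are this example's own.
SYSTEM_TABLES = {255: "local", 254: "main", 253: "default"}
TEMP_TABLE = 238
# Page's precedence of rule priorities:
# local(0) > vpn(239,240,241) > temporary(300) > policy(10000) > main(32766)
EXPECTED_ORDER = ["local", "vpn", "temporary", "policy", "main"]

RULE_RE = re.compile(r"^\s*(\d+):\s+from\s+(\S+)\s+lookup\s+(\S+)")

def classify_table(table):
    """Map the 'lookup' target of an ip rule line to the AF table class."""
    if table in ("local", "main", "default"):
        return table
    tid = int(table)
    if tid in SYSTEM_TABLES:
        return SYSTEM_TABLES[tid]
    if 1 <= tid <= 237:
        return "policy"        # generated by the policy-routing UI
    if tid == TEMP_TABLE:
        return "temporary"
    if tid == 239 or 240 <= tid <= 249:
        return "vpn"           # 240 ipsec, 239 ssl vpn, rest Sangfor vpn/multi-line
    return "unknown"

def parse_ip_rule(output):
    """Return [(priority, source, table, class)] sorted by rule priority."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            prio, src, table = int(m.group(1)), m.group(2), m.group(3)
            rules.append((prio, src, table, classify_table(table)))
    return sorted(rules)

def precedence_ok(rules):
    """True if the classes occur in the page's expected precedence order."""
    ranks = [EXPECTED_ORDER.index(c) for *_, c in rules if c in EXPECTED_ORDER]
    return ranks == sorted(ranks)

# Constructed sample output (not captured from a real AF device).
SAMPLE = """\
0:      from all lookup local
240:    from all lookup 240
300:    from all lookup 238
10000:  from 192.0.2.0/24 lookup 12
32766:  from all lookup main
"""
```

Feed it the real "ip rule" output from the device to confirm that no VPN or policy rule has been pushed below main by a manual edit.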

Asymmetric Forwarding and Deployment Modes

AF supports TRUNK and ACCESS transparent deployments. Route mode is not supported in some TRUNK/ACCESS scenarios.

 

High Availability (HA)

HA requires configuring basic information, configuration synchronization, and HA settings. Two pairs of interfaces are required: one HA port and one sync port. Add all business ports except the data sync and HA ports to the interface link list. Parent-child link and mismatched IP scenarios are not supported in some firmware versions.

Some versions only support single HA (single active device), which can be a single point of failure. A single AF node should not exceed half of a single AF device's performance capacity. Data sync port speed should not be lower than business port speed.

Secondary Pass-Through Deployment

Use case: TCP unidirectional traffic traverses AF multiple times. Secondary traffic can be exempted (bypassed).

Limitations: If intermediate devices perform NAT, AF cannot be configured for secondary pass-through. Recommended deployment: place the ingress interface for secondary pass-through in a layer-2 environment; if deployed in layer-3, NAT and policy-route functionality may be lost.

For mirror port to business port secondary pass-through scenarios, create separate policies for the mirror destination and the original source/destination IPs.

 

SNMP and Logging

SNMP can be enabled to monitor device and interface status. SNMP Trap can actively send trap messages. Syslog uses UDP port 514 by default.

 

Optical Port Bypass and Reset Behavior

Optical port bypass cannot be enabled simultaneously with HA on some models.

AF-initiated TCP reset packets: before version 806 the IP ID field was 0x5826; from 806 onward it is 0x7051. This lets a packet capture distinguish resets injected by the AF from resets sent by the endpoints themselves.
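A forensics helper that walks raw IPv4/TCP packet bytes and flags RST segments carrying the two AF reset IP IDs listed above. This is an added example, not vendor code; the IP ID values and version boundary come from this page, while the parser and the constructed test packets are this example's own.

```python
import struct

# IP ID values the page gives for AF-initiated TCP resets (the labels are the
# page's version boundary; the packet parsing is this added example's own).
AF_RESET_IPID = {0x5826: "AF before 806", 0x7051: "AF 806 and later"}
TCP_RST = 0x04

def classify_reset(packet):
    """Return the AF version label if an IPv4/TCP packet carries the RST flag
    and one of the AF reset IP IDs; otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", packet[4:6])[0]
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None                      # not TCP, or truncated
    if not packet[ihl + 13] & TCP_RST:   # TCP flags byte
        return None
    return AF_RESET_IPID.get(ip_id)      # None for resets from other hosts

def count_af_resets(packets):
    """Tally AF-looking resets by version label over a batch of packets."""
    counts = {}
    for pkt in packets:
        label = classify_reset(pkt)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts

def build_packet(ip_id, tcp_flags, proto=6):
    """Constructed minimal IPv4+TCP frame for testing (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 443, 51234, 1, 1, 5 << 4, tcp_flags, 0, 0, 0)
    return ip + tcp
```

A spike of "AF 806 and later" counts for one server usually means a policy is resetting that flow rather than the application closing it.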

 

Security Protection Modules

  • WAF
  • IPS
  • DoS
  • Botnet detection

Real-time vulnerability analysis works by passively analyzing server response packets to detect potential vulnerabilities.

 

ARP Spoofing Defense

Supports broadcast gateway MAC checks and rejects ARP spoofing broadcast packets.

 

Email Security

Supports POP3 and SMTP. Incoming mail is not blocked but will be flagged. Outgoing mail can be intercepted and will be flagged.

 

Honeypot Redirection

When honeypot redirection is used, the real client may not see the accessed domain in AF logs. AF logs may not show DNS query source IPs for redirected sessions.

 

ACL and Domain Control

Domain-based ACL control is supported under Network Parameters -> Application Control. In ACL settings, domain query mode should be set to active. BBC distribution is not supported for this feature in some deployments.

 

SNAT and DNAT Processing Order

SNAT: content security policies (Content Security -> Content Security Policy) are matched first, then source NAT rules under Firewall -> Address Translation are applied.

DNAT: destination NAT under Firewall -> Address Translation is applied first, then content security policies are matched.

 

Antivirus (SAVE)

Supported document types: doc, docx, pdf, ppt, pptx, ps1, rtf, xls, xlsx, etc.

Supported script and executable types: bat, cmd, com, exe, pe, elf, bin, perl, pl, plx, etc.

 

Cloud, Network, and Endpoint Integration (Cloud-Network-Endpoint)

Modules:

  • Cloud: cloud intelligence services
  • Network: AF
  • Endpoint: EDR

Actions:

  • Remediation: AF issues tasks to EDR; after cloud threat intelligence lookup, malware can be isolated and follow-up actions automated.
  • Forensics: AF forwards discovered malicious domain access to EDR, which can link with cloud intelligence for further investigation.

Cloud delivery: MGR cloud delivery allows local devices to access cloud features without on-premises deployment.

 

NTA (Network Traffic Analysis) and AF Inspection

AF includes inspection scripts for versions 6.7 and later.

 

Bypass and Direct-Pass Modes

Direct-pass policies still mark packets as non-dropped, so logs and some blocking records can still be shown in the system. Layer-2 direct-pass works similarly to packet forwarding and is effective only in transparent or virtual-wire modes, not in routing mode. Enable with caution in HA deployments.

Modules that do not take effect under direct-pass include:

  • Address translation (NAT)
  • DoS/DDoS protections that rely on packet-level attack detection
  • Traffic auditing (IP/app/user traffic ranking)
  • Connection control

Even when direct-pass is enabled, policies are still evaluated but not enforced for blocking.

 

High Availability Details

When synchronization roles are consistent, the device with the larger HA IP becomes master. The device that last changed the sync role is considered master. For centralized management, both master and slave must be registered with the management platform; otherwise the device may show as offline.

Features:

  • Supports OSPF-based route synchronization to ensure fast convergence after failover.
  • When monitor ports are added, AF assigns virtual MAC addresses to new virtual ports. Virtual MAC format: VRRP MAC prefix 00-00-5E + interface number + VRID (for example, VRID 101 and eth1 yields 00-00-5E-00-01-65).
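The virtual MAC scheme above, as an added example (not Sangfor code) that builds the address from an interface name and VRID and, in reverse, picks AF-style virtual MACs out of a switch MAC-table dump. It assumes the interface number occupies the two octets after the 00-00-5E prefix, which is how the page's eth1/VRID 101 example decodes; the sample MAC-table lines are constructed.

```python
import re

VRRP_PREFIX = bytes([0x00, 0x00, 0x5E])

def af_virtual_mac(interface, vrid):
    """Build 00-00-5E + interface number (2 octets, assumed) + VRID (1 octet).
    Matches the page's example: eth1, VRID 101 -> 00-00-5E-00-01-65."""
    m = re.fullmatch(r"eth(\d+)", interface)
    if not m:
        raise ValueError(f"unsupported interface name: {interface}")
    ifnum = int(m.group(1))
    if not (0 <= ifnum <= 0xFFFF and 0 <= vrid <= 0xFF):
        raise ValueError("interface number must fit 2 octets, VRID 1 octet")
    octets = VRRP_PREFIX + bytes([ifnum >> 8, ifnum & 0xFF, vrid])
    return "-".join(f"{o:02X}" for o in octets)

def decode_virtual_mac(mac):
    """Inverse: (interface, vrid) if mac has the AF/VRRP prefix, else None.
    Accepts 00-00-5E-00-01-65, 00:00:5e:00:01:65 and 0000.5e00.0165 forms.
    Standard VRRP routers use the same prefix, so treat a hit as a candidate."""
    s = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", s):
        return None
    octets = bytes.fromhex(s)
    if octets[:3] != VRRP_PREFIX:
        return None
    ifnum = (octets[3] << 8) | octets[4]
    return (f"eth{ifnum}", octets[5])

def find_af_virtual_macs(mac_table_lines):
    """Scan switch MAC-table lines and return [(token, (interface, vrid))]
    for every entry that decodes as an AF-style virtual MAC."""
    hits = []
    for line in mac_table_lines:
        for token in line.split():
            decoded = decode_virtual_mac(token)
            if decoded:
                hits.append((token, decoded))
    return hits
```

Useful after a failover: the port on which the switch now learns the virtual MAC tells you which AF unit is active for that monitored interface.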

Notes:

  • Standby devices may disable automatic configuration sync and still respond to traffic on non-monitored ports. A standalone HA management port can be configured for the standby unit.
  • Avoid using bypass group interfaces as monitored ports where possible.
  • Switch ports connected to AF should enable STP portfast.
  • Prefer aggregated active-standby interfaces for HA; NIC types of aggregated members should match.
  • Preemption is disabled by default; enabling it requires risk assessment.
  • To avoid frequent failovers, when link checks fail, HA switching will occur at a 5-minute interval.
  • Detection modes: strong-strong (both master and backup check links), strong-weak (master checks links; backup monitors interface but does not check link state).

 

BBC Centralized Management

Supported versions include BBC 2.5.2 and 2.5.3. Default port is 5000.

Key features:

  • Central templates can push configurations to branch devices and manage those configurations.
  • Supports offline import or online updates for upgrading branch AF devices.
  • Supports centralized upgrades of multiple catalogs.
  • Centralized distribution of security rule libraries and custom rules.
  • Branch devices can report overview, business security, and user security information to the central platform.
  • Centralized alarm settings and branch alarm reporting.
  • Supports multi-device centralized management scenarios and includes 15 built-in regions for policy distribution.

Use cases include rack deployment, security policy template push, and VPN distribution by BBC. Upgrade and rule distribution can be done via offline packages or online updates; some package types have online upgrade restrictions.

Custom rule libraries can be pushed from BBC to branch devices; once delivered, they are shown in gray on the local device and cannot be edited locally.

 

Deployment and Onboarding

BBC can auto-provision devices via one-time email links that include WAN, LAN, admin username/password, and admin email address. BBC requires a configured mail server for this feature.

HA devices can join BBC in different modes: single host sync-only, active-standby where master joins and standby syncs, and active-active where both devices can be registered.

 

SD-WAN

"Remaining bandwidth ratio load" will prefer lines configured under Traffic Management -> Virtual Line Configuration. If flow control is not enabled, it will fall back to the line bandwidth configured on the interface. This load method only supports lines configured on physical interfaces, not virtual interfaces like VLANs. SD-WAN route selection supports TCP, UDP, and ICMP only.

 

Auto-VPN and Licensing

License and module notes:

  • Gateway serial: function consistent with previous versions, but PDLAN user access is not supported from AF 8.0.7 onward.
  • SSL VPN: functionality remains consistent and is now under the "basic network" serial grouping.
  • IPSEC VPN module: on some models (e.g., AF500) this module may be disabled by default and must be separately enabled; other models enable it by default.
  • Basic features are enabled by default and support IPS, APT modules.
  • Enhanced features are paid options and support modules such as WAF, PVS, and tamper protection.
  • Latest threat defense rule updates are paid; they support all rule updates except antivirus, contingent on module activation.
  • Gateway antivirus and antivirus engine updates are paid features.
  • Unknown threat real-time detection and gateway antivirus subscription services are paid. Cloud intelligence licensing structure has been simplified compared with older versions.
  • Portal protection subscription, cloud security operations subscription, software upgrades, and maintenance are available as paid services with behavior consistent with previous versions.

 

Miscellaneous

AF versions 6.7 and later include inspection scripts for device checks. Some connection server issues were resolved in AF 8.0.7.
