#Configuration# Internet Distribution At Sangfor NGAF Device
  

Sangfor Jojo Lv5 Posted 2024-Jul-19 11:33

*Product: NGAF
  
*Version: 8.0.47
  
*1. Introduction
  
1.1 Scenario


In this article, I will share internet distribution configurations for users/servers. This distribution uses the Sangfor firewall. The topology scheme in this paper is that the ISP provider provides one IP (10.0.20.6/24) which is then set in the Sangfor interface and distributed to the server IP (192.168.0.86/23).
  
  
The test results showed that the internet from the ISP could be distributed to the server well. To verify this, ping and traceroute are run from the server PC to a global website, for example www.google.com. For the steps, follow the instructions below.

  
1.2 Requirements
  
1) The organization has an NGAF Firewall device
  
2) Have at least 1 ISP (Internet Service Provider)
  
3) Have 1 PC for testing
  
  
*2. Configuration Guide
  
The local network segment for the server is made class C with network 192.168.0.0/23. From the ISP provider we get IP 10.0.20.6/24, and the gateway is 10.0.20.1/24.
  
2.1. Create Zones
  
In this scenario, we will create 2 (two) zones, namely the ISP zone created with the name L3_Untrust_Kominfo, and another zone, namely the Server zone created with the name L3_Trust_Server.
  
a.  Untrust Kominfo Zone
  
The steps are as follows:

1. Click Network > Zones > Add

2. Insert Name: L3_Untrust_Kominfo
Type: Layer3
Interface: eth3

3. Click Save. If successful, it will look like the image below.

  
b.  Trust Server Zone
  
The steps are as follows:

1. Click Network > Zones > Add

2. Insert Name: L3_Trust_Server
Type: Layer3
Interface: eth1


3. Click Save. If successful, it will look like the image below.

2.2. Setting the Interfaces
  
The next step after creating the zones is to configure the interfaces and assign each one to the zone created above: the eth1 interface to the L3_Trust_Server zone, and eth3 to the L3_Untrust_Kominfo zone.
  
a. Configure eth3 (L3_Untrust_Kominfo)
  
1. Click the menu Network > Interface > Eth3

2. Choose Status: enabled
Description: WAN(Diskominfo)
Type: layer 3
Zone: L3_Untrust_Kominfo
Basic Attribute: WAN attribute (checklist)
Static IP: 10.0.20.6/24
Next hop: 10.0.20.1 (this is the gateway from the ISP)
Click Save, as in the image below.

           
  
b. Configure eth1 (L3_Trust_Server)
  
1. Click the menu Network > Interface > Eth1

2. Choose Status: enabled
Description: Server-DataCenter
Type: layer 3
Zone: L3_Trust_Server
Static IP: 192.168.0.1/23
Click Save, as in the image below.

           
  
2.3. Create the Network Objects
  
The next step is to create a network object. The steps are as follows:
1. Click the menu Objects > Network Objects > Add

2. Choose Type: IP Address
Name: IP Address Server
Protocol: IPV4
IP: 192.168.0.0/23
  
Click Save, as in the image below.

           
3. If successful, it will look like the image below.

2.4. Add Policy-Based Routes
  
After the above steps have been carried out, the next step is to add a policy-based route. On the Sangfor NGAF firewall this is done as follows:

1. Click the menu Network > Routes > Policy-Based Routes > Add

2. Input the information:
Route Type: Source-based-route
Protocol: IPV4
Name: Internet ISP Kominfo
Status: enabled
Move to: Top
Src Zone: L3_Trust_Server
Src Address: IP Address Server
Destination: ISP>All
Services: Any
Outbound Interface: Interface > Eth3
  
The details are shown in the image below:

3. Click Save. If successful, it will look like the image below:

2.5. Add SNAT
  
The next step is to create a NAT rule for access to the internet.
1. Click Policies > NAT > IPv4 NAT > Add

2. Then choose:
Type: Source NAT
Name: SNAT Internet Server
Status: enabled
Move To: Top
Src Zone: L3_Trust_Server
Src Address: IP Address Server
Dst Zone/Interface: Zone >L3_Untrust_Kominfo
Dst Address: All
Services: Any
Translate Src IP To: Outbound Interface
  
The details are shown in the image below:

           
3. Click Save. If successful, it will look like the image below.


2.6. Testing
  
The final stage is to carry out tests on the server computer side (for example, IP 192.168.0.86/23). First, we enter the IP of the server that is already running. Second, we ping an internet site, for example www.google.com. Third, we do a traceroute to the global site to ensure that the path taken is correct.
  
From the checking results, the following were obtained:
  
a. IP Interface Server

  
b. Ping google.com
The computer successfully pinged the global site www.google.com

  
c. Traceroute google.com
  
The computer can do a traceroute to the global site www.google.com, and the path taken goes through the ISP Kominfo gateway 10.0.20.1.
  
*3. Precaution
   
1) Before setting up distribution on the firewall, make sure that the internet from your ISP is functioning normally.
2) You can change the IP that we use and adapt it to your environmental conditions.
3) Make sure to follow these steps carefully and check the DNS you are using.


This article is written by @Medic who is a technical engineer in the network security field. If you want to know more about him, click here.
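
The address plan and the traceroute test from section 2.6, as an added example (not part of the original post and not Sangfor tooling): it checks that the guide's addresses are mutually consistent, shows which source address the ISP side sees after the SNAT rule, and parses traceroute output to confirm the path goes through 10.0.20.1. The traceroute text is constructed sample output, 203.0.113.10 is a documentation address standing in for the destination, and the function names are assumptions.

```python
import ipaddress
import re

# Addressing taken from the guide.
WAN_IF = ipaddress.ip_interface("10.0.20.6/24")       # eth3, L3_Untrust_Kominfo
WAN_GW = ipaddress.ip_address("10.0.20.1")            # ISP next hop
LAN_IF = ipaddress.ip_interface("192.168.0.1/23")     # eth1, L3_Trust_Server
SERVER_OBJ = ipaddress.ip_network("192.168.0.0/23")   # object "IP Address Server"
SERVER = ipaddress.ip_interface("192.168.0.86/23")    # test server

def check_plan():
    """Return a list of inconsistencies in the address plan (empty = OK)."""
    problems = []
    if WAN_GW not in WAN_IF.network or WAN_GW == WAN_IF.ip:
        problems.append("next hop is not a neighbour on the eth3 subnet")
    if SERVER_OBJ != LAN_IF.network:
        problems.append("network object differs from the eth1 subnet")
    if SERVER.network != LAN_IF.network or SERVER.ip == LAN_IF.ip:
        problems.append("server address/mask does not fit the eth1 subnet")
    if SERVER_OBJ.overlaps(WAN_IF.network):
        problems.append("LAN and WAN subnets overlap")
    return problems

def snat_source(src):
    """Source IP seen upstream once the SNAT rule applies; None if no match."""
    return WAN_IF.ip if ipaddress.ip_address(src) in SERVER_OBJ else None

def hops(traceroute_text):
    """Responding hop addresses, in order; None for a hop that timed out."""
    out = []
    for line in traceroute_text.splitlines():
        if not re.match(r"\s*\d+\s", line):
            continue                      # header or blank line
        m = re.search(r"(?:\d{1,3}\.){3}\d{1,3}", line)
        out.append(ipaddress.ip_address(m.group()) if m else None)
    return out

def path_via_isp_gateway(traceroute_text):
    """True if the ISP gateway is on the path and only LAN hops precede it."""
    path = hops(traceroute_text)
    if WAN_GW not in path:
        return False
    before = path[:path.index(WAN_GW)]
    return all(h is None or h in LAN_IF.network for h in before)

# Constructed sample output (203.0.113.10 is a documentation address).
SAMPLE = """traceroute to www.google.com (203.0.113.10), 30 hops max
 1  192.168.0.1  0.41 ms
 2  10.0.20.1  1.02 ms
 3  * * *
 4  203.0.113.10  12.5 ms"""
```

A source outside 192.168.0.0/23 matches neither the policy-based route nor the SNAT rule as configured, which is why `snat_source` returns `None` for it.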




Sheikh_Shani Lv2 Posted 2024-Jul-24 21:56

Thanks For Sharing

Newbie517762 Lv5 Posted 2024-Jul-23 15:25

Thank you for the useful information.

Prosi Lv3 Posted 2024-Jul-22 10:15

Thank you for this valuable information

CLELUQMAN Lv4 Posted 2024-Jul-22 09:55

Very nice. I like this kind of tutorial/guide. Keep up the good work.

AriAri Lv2 Posted 2024-Jul-20 12:25

Good instruction

Enrico Vanzetto Lv4 Posted 2024-Jul-19 19:53

Hi, thanks for sharing. Useful if your ISP doesn't give you a dedicated public IP address to use as your WAN.

vesogi7900 Lv2 Posted 2024-Jul-19 11:44

Thanks for sharing.