Sangfor: How to Set Up a Secure SD-WAN Enterprise Solution

Table of Contents

  1. Introduction Secure SD-WAN
  2. Sangfor Secure SD-WAN Solution
  3. Scenario
  4. Configuration
    • Head-Quarters Configuration
    • Branch Configuration
    • HQ Status
    • BR Status
  5. SD-WAN Path Selection
  6. Conclusion

Introduction

Secure SD-WAN using NGAF, or Next-Generation Firewall, refers to the use of advanced firewall technology in conjunction with Software-Defined Wide Area Network (SD-WAN) technology to improve network security and performance. SD-WAN allows for the dynamic routing of network traffic over multiple connections, such as broadband and cellular, to optimize performance and reduce costs. By integrating an NGAF, organizations can apply security policies to traffic traversing the WAN, protecting against threats such as malware and unauthorized access. This combination of SD-WAN and NGAF can also improve visibility and control over network traffic, enabling organizations to more effectively manage and secure their networks.

Sangfor Secure SD-WAN Solution

Sangfor Secure SD-WAN is a solution offered by Sangfor Technologies, a leading provider of network security and cloud computing solutions. This solution combines the benefits of Software-Defined Wide Area Network (SD-WAN) technology with advanced security features provided by Next-Generation Firewall (NGAF) technology. The solution allows for the dynamic routing of network traffic over multiple connections, such as broadband and cellular, to optimize performance and reduce costs. At the same time, it offers advanced security features such as malware protection, intrusion prevention, and unauthorized access prevention to protect the network from various types of threats. The Sangfor Secure SD-WAN solution also provides detailed visibility and control over network traffic, enabling organizations to more effectively manage and secure their networks.

Scenario

A VPN device can act as an HQ or as a branch.

The basic configurations for establishing a VPN connection between the HQ and a branch or mobile user are as follows:

(1) HQ: Configure the VPN path, the WebAgent, and local users. (The HQ provides VPN access services and verifies the accounts of other VPN users. DLAN at the HQ requires a WebAgent configuration and a VPN account for access. Generally, the server side of the network is the HQ.)

(2) Branch: Only connection management needs to be configured. (The branch connects to the HQ side. Generally, the branch is the client network.)

Configuration

Open the Sangfor NGAF dashboard and navigate to the Network tab.

Head-Quarters Configuration

I will be using two well-known ISPs in my region. Note that this is an internal, isolated network that uses the ISP names only for demonstration.

Now let's navigate to IPSec VPN and select Basic setting.
Click Add and configure accordingly.

This is how it looks.

Let's navigate to Local Users.

Configure the WebAgent, which is basically the IP address of your WAN interface.

Click Add user and create a user that the Branch NGAF will use to connect.

Branch Configuration

Navigate to the Network tab -> IPSec VPN tab and configure the same WAN ISP as shown below.

On the VPN Connection tab, click Add.
Configure the HQ user settings here and click Save to establish the connection.

HQ Status

Branch Status

SD-WAN Path Selection

SD-WAN path selection refers to the mechanism that directs network traffic in a software-defined wide area network (SD-WAN) to take the most efficient and reliable route. This is achieved by evaluating and comparing multiple paths, such as Internet, MPLS, and LTE, based on criteria such as bandwidth, latency, jitter, and cost, and selecting the path that provides the best performance and meets the network’s requirements and policies. The goal of SD-WAN path selection is to optimize network performance, reduce network costs, and ensure high network availability and security.

Navigate to the SD-WAN Path Selection tab -> click Add.
Now we can configure path selection according to the requirements.

Intranet Services

You can choose an existing intranet service or choose to add a new intranet service.

Selection Mode

You can choose designated line mode or multi-line load mode, according to the user's needs.

Specific path selects a certain line for the specified intranet service. It is often used for video conferencing services or for certain services that require specific lines.
Multipath selects multiple lines for the intranet service and distributes the load across them according to line quality or application type.

Then we have Based on session.

There is also Based on Application Packets.
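The two selection modes described above can be modelled in a few lines. This is an added illustration, not Sangfor's algorithm or code from the original post: the line names, the metric values, the quality formula, the fallback when a designated line is down, and the session hashing are all assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Line:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True

# Constructed sample measurements for two WAN lines (not real ISP data).
SAMPLE_LINES = [Line("ISP-A", 10, 2, 0.1), Line("ISP-B", 40, 10, 1.0)]

def quality(line):
    """Assumed score: lower latency, jitter and loss give a higher value."""
    if not line.up:
        return 0.0
    return 1000.0 / (1.0 + line.latency_ms + 2 * line.jitter_ms + 50 * line.loss_pct)

def specific_path(lines, designated):
    """Specific path: the intranet service is pinned to one designated line.
    Falling back to the best remaining line when it is down is an assumption."""
    pinned = {l.name: l for l in lines}.get(designated)
    if pinned is not None and pinned.up:
        return pinned.name
    alive = [l for l in lines if l.up]
    return max(alive, key=quality).name if alive else None

def multipath(lines, session):
    """Multipath, per session: hash the session tuple onto a range that is
    split in proportion to line quality, so packets of one session always
    use the same line while new sessions favour the healthier line."""
    alive = [l for l in lines if l.up]
    if not alive:
        return None
    total = sum(quality(l) for l in alive)
    digest = hashlib.sha256(repr(session).encode()).digest()
    point = int.from_bytes(digest[:8], "big") / 2**64 * total
    for l in alive:
        point -= quality(l)
        if point < 0:
            return l.name
    return alive[-1].name

if __name__ == "__main__":
    print("video conferencing pinned to:", specific_path(SAMPLE_LINES, "ISP-A"))
    flow = ("10.1.0.5", 40000, "10.2.0.9", 443, "tcp")  # constructed session
    print("session load-balanced to:", multipath(SAMPLE_LINES, flow))
```

Hashing the session tuple, rather than picking a line per packet, avoids reordering within a flow and keeps stateful inspection on the firewall seeing both directions of a session on one line.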

Conclusion

In conclusion, the integration of a Next-Generation Firewall (NGAF) into a Software-Defined Wide Area Network (SD-WAN) solution can significantly improve the security and performance of an organization’s network. SD-WAN allows for dynamic routing of traffic over multiple connections for optimal performance and cost savings, while the NGAF provides advanced security features such as malware protection and unauthorized access prevention. Together, SD-WAN and NGAF offer enhanced visibility and control over network traffic, enabling organizations to better manage and secure their networks. Overall, Secure SD-WAN using NGAF is a powerful solution that can help organizations to improve their network performance and security.
