SANGFOR NGAF V8.0.47 Associate
Content Security
1 Traffic Visibility
2 URL Filtering
3 File Filtering
4 Sangfor Engine Zero
5 Email Security
1. Traffic Visibility
Traffic visibility
Traditional packet-filtering firewalls control traffic with ACLs to secure the network. An ACL controls traffic based only on source/destination IP, source/destination port and protocol.
Packet layout: IP header | TCP/UDP header | Data
Is it safe enough with ACL?
Figure: many invisible security risks in the network that traditional security defense technology does not see.
• Certified users are not all legal: backdoors, lurked hackers attacking inside normal traffic, illegal users, information stealing and abnormal behavior, traffic to a C&C server.
• Traffic through the firewall is not all safe: new attack or abnormal traffic, 0-day attacks, attacks using a new vulnerability, access to new domains, non-compliant information leakage, supply chain.
Diagram nodes: normal users, normal traffic, ERP, website, OA, DNS, system.
With a high-identification-rate application database, NGAF can see the composition of all network traffic in real time, keeping traffic under control and the network more secure.
More than 10000 applications
2. URL Filtering
URL Filtering
What is URL filtering?
NGAF identifies whether a URL is allowed or denied by inspecting the HTTP request, then takes the corresponding action.
Why do we need URL filtering?
• Inappropriate content: porn, adult content, drugs and so on.
• Phishing and malicious links: websites carrying trojans or viruses.
• Websites unrelated to work: online video, games.
URL database:
• More than 60 types
• Millions of websites
• Update every two weeks
• URL category lookup
• Customize the URL
HTTP Identification Theory:
HTTP website identification. After the endpoint device resolves the domain name through DNS and completes the three-way handshake, it sends a GET request. The Host field in the GET request is the specific URL of the website, and NGAF recognizes which website the user visits by capturing this field. For example, when the endpoint device visits www.gov.cn, a packet capture shows the following packet.
HTTP Identification Theory:
If NGAF filters the URL, then after the endpoint device sends the GET request (i.e. HTTP identification is complete), NGAF disguises itself as the website server and sends a packet with status code 302 to the endpoint device. The source IP is the IP address of the website server (the packet is actually sent by NGAF, and the device identification field ip.id is 0x7051). The content of the packet informs the endpoint device of the rejection page instead of the website server.
HTTPS Filtering Theory:
HTTPS website identification. After resolving the domain name through DNS, the endpoint device performs the 3-way handshake with the website server and then sends a Client Hello message (the first stage of the SSL handshake). The server_name field in this message contains the domain name visited; NGAF extracts the server_name field to identify the HTTPS website. As shown in the figure below: packets captured on the endpoint when accessing https://www.baidu.com.
HTTPS Filtering Theory:
For HTTPS website filtering, after the endpoint device sends the Client Hello message, NGAF identifies the website and then sends RST packets (ip.id is also 0x7051) to the endpoint device in the same way as HTTP blocking, disguising itself as the web server so that the endpoint disconnects from the web server, thereby controlling access to the HTTPS website.
Difference from HTTP filtering: HTTPS is encrypted throughout, so without SSL man-in-the-middle decryption it is impossible to hijack and forge specific packets, and therefore impossible to redirect to the rejection page.
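The identification step described above for HTTP (Host field of the GET) and HTTPS (server_name in the Client Hello), followed by a domain-based category match like the self-defined game.baidu.com category used later in this deck, as an added Python illustration that is not Sangfor code. The category table, the sample GET and the minimal Client Hello builder are constructed here; NGAF's own matching logic and URL database are not shown.

```python
import struct

# Constructed category table: a self-defined category for game.baidu.com (as in the
# deck's case study) plus one predefined category. URL filtering matches on domain.
URL_CATEGORIES = {"Custom-Blocked": {"game.baidu.com"}, "Government": {"gov.cn"}}

def host_from_http_request(payload):
    """Host header of a plaintext HTTP request (what NGAF reads from the GET), or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None

def sni_from_client_hello(record):
    """server_name from a TLS ClientHello record (what NGAF reads for HTTPS), or None."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None                                # not a handshake record with ClientHello
    p = 43                                         # record hdr 5 + hs hdr 4 + version 2 + random 32
    p += 1 + record[p]                             # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                             # compression methods
    if p + 2 > len(record):
        return None                                # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                             # server_name: list len 2, type 1, name len 2, name
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen].decode("ascii", "replace").lower()
        p += elen
    return None

def categorize(host):
    """First category whose domain equals the host or is a parent domain of it."""
    for category, domains in URL_CATEGORIES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return category
    return "Uncategorized"

def build_client_hello(server_name):
    """Constructed minimal ClientHello (one cipher suite, SNI only) as sample input."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample traffic: a GET to www.gov.cn and a ClientHello to game.baidu.com
SAMPLE_GET = b"GET / HTTP/1.1\r\nHost: www.gov.cn\r\nUser-Agent: demo\r\n\r\n"
SAMPLE_HELLO = build_client_hello("game.baidu.com")
```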
URL Filtering - Configuration Guideline
1. In Object > Content Identification Database > URL Category, add a new self-defined URL category and fill in the self-defined URL. (Skip this step if you do not use customization.)
2. In Objects > Security Policy Template > Content Security, add a new template and, under URL filtering, select the respective website category.
3. In Policy > Network Security > Policies, add a new policy for the internet access scenario: select the LAN zone and LAN subnet as source, and all network segments and the WAN zone as destination. Select the content security template from step 2; other security protections may be enabled based on your needs.
URL Filtering - Configuration Guideline
Company B has purchased an NGAF and deployed it as the gateway. Besides blocking access to reactionary and illegal websites, the customer also wishes to block access to microblogs and http://game.baidu.com.
URL Filtering - Configuration Steps
1. In Object > Content Identification Database > URL Category, add a new self-defined URL category and fill in the self-defined URL (game.baidu.com).
2. In Objects > Security Policy Template > Content Security, add a new template and, under URL filtering, select the respective website category.
3. In Policy > Network Security > Policies, add a new policy for the internet access scenario: select the LAN zone and LAN subnet as source, and all network segments and the WAN zone as destination. Select the content security template from step 2; other security protections may be enabled based on your needs.
URL Filtering – Precautions
1. Single-arm mode does not support URL filtering.
2. URL filtering is based on domain checking. It does not conflict with the detection method of WAF.
3. To achieve a better filtering effect, the URL database needs to be kept up to date.
3. File Filtering
Function Description
File protection can detect or filter the data that passes through NGAF. The following 3 aspects are protected by file protection:
1. Virus files on HTTP and HTTPS sites.
2. Virus files transmitted via FTP.
3. Virus files transmitted via SMB network shares.
Application Scenario
It is mainly used when the intranet needs to access the extranet and there is a risk of virus infection. The data passing through the NGAF is analyzed, and any virus files found are blocked.
Configuration Guideline
Prerequisite
1. Clearly limit the size of files that will be scanned for viruses (default 2M; the file size affects performance).
2. Clearly limit the compression level (number of nested archive layers) of files that will be scanned (default 4 layers; the file size affects performance).
3. If it is an HTTPS environment, decryption must be enabled.
Configuration Steps
1. In Objects > Security Policy Template > Content Security, enable all the modules related to File Protection.
2. In Policies > Network Security > Policies, configure a policy for the internet access scenario and select the respective content security template.
Case Study
The customer has purchased an NGAF and deployed it as a gateway. It now needs to detect data from the external network, block files or websites containing viruses, and prohibit the transmission of executable files.
Configuration Steps
1. In Objects > Security Policy Template > Content Security, enable all the modules related to File Protection.
File filtering and virus-file detection apply to the FTP/HTTP protocols. If a file type is filtered, NGAF does not check whether that file contains a virus.
2. In Policies > Network Security > Policies, configure a policy for the internet access scenario and select the respective content security template.
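An added Python illustration (not NGAF code) of the file-protection decisions described in the prerequisites and the step-1 callout: filtering by file type decides before any virus check, and the 2M size and 4-layer compression limits bound what is scanned. Treating files over those limits as "skip" is an assumed policy here, and the magic-byte table and nested zip inputs are constructed.

```python
import io
import zipfile

MAX_FILE_SIZE = 2 * 1024 * 1024   # deck default: 2M
MAX_LAYERS = 4                    # deck default: 4 compression layers
# Constructed type table: decide by content (magic bytes), not by extension,
# so a renamed executable is still caught. Only PE and ELF are listed here.
BLOCKED_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}

def detect_type(data):
    """Coarse file type from leading bytes: executable, archive (zip) or other."""
    for magic, kind in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "archive" if data.startswith(b"PK\x03\x04") else "other"

def inspect(data, name, layer=0):
    """Return (verdict, reason): 'deny' = filtered type, 'skip' = over the size or
    layer limit (assumed policy here), 'scan' = hand the file to the virus engine."""
    if len(data) > MAX_FILE_SIZE:
        return "skip", f"{name}: {len(data)} bytes exceeds {MAX_FILE_SIZE}"
    kind = detect_type(data)
    if kind in BLOCKED_MAGIC.values():
        return "deny", f"{name}: filtered file type {kind}"   # no virus check once filtered
    if kind == "archive":
        if layer + 1 > MAX_LAYERS:
            return "skip", f"{name}: more than {MAX_LAYERS} compression layers"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                if member.file_size > MAX_FILE_SIZE:              # check before inflating
                    return "skip", f"{name}/{member.filename}: declared size too large"
                verdict = inspect(zf.read(member), f"{name}/{member.filename}", layer + 1)
                if verdict[0] != "scan":
                    return verdict
    return "scan", f"{name}: pass to Engine Zero"

def make_zip(inner_name, inner_data):
    """Constructed helper: one-member zip archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()

def nest(data, name, depth):
    """Wrap data in `depth` nested archives (constructed test input)."""
    for i in range(depth):
        data, name = make_zip(name, data), f"layer{i}.zip"
    return data
```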
Precautions
1. Content security policies support decryption; you should enable a decryption policy.
2. Mail protection covers mail attachments with viruses, malicious links, XSS attacks, file filtering and collision attacks.
3. Mail protection detects ports 25, 110 and 143 by default; other ports can be supported by customization.
4. When clients receive malicious mail, NGAF does not deny it even if the policy action is deny; instead NGAF tampers with the mail subject when the policy action is deny.
5. Logs of HTTP/HTTPS download/upload and FTP download/upload are recorded in Application Control, not in the Content Security Policy.
4. Sangfor Engine Zero
Steps for computer virus infection
Figure: the four phases of a computer virus infection.
• Incubation phase: dormant state; a specific program is executed.
• Infection phase: replicates itself to another program or disk.
• Triggering phase: a specific condition is met and triggers the virus.
• Onset phase: infects other files and triggers the destruction mechanism.
Mechanisms shown: lead-in mechanism, infection mechanism, triggering mechanism, dissemination mechanism, destruction mechanism.
Sangfor Engine Zero
Sangfor Engine Zero (Sangfor AI-based Vanguard Engine) is an artificial-intelligence malicious file detection engine. It uses deep learning to analyze and synthesize hundreds of millions of original features, combined with the domain knowledge of security experts, and finally selects thousands of the most efficient high-dimensional features for identifying malicious files.
• Based on artificial intelligence (AI) technology, it has a powerful generalization ability to identify unknown viruses or new variants of known viruses.
• Its detection of ransomware has reached the industry-leading level, including WannaCry, BadRabbit and other viruses, and it also detects non-ransomware viruses well.
• Cloud + device + endpoint linkage: relying on the security data of Sangfor Neural-X, Sangfor Engine Zero continues to evolve, constantly updating the model and improving detection capability, forming a combination of the local traditional engine, the artificial intelligence detection engine and the cloud killing engine.
Neural-X is a global big data security analysis platform established by SANGFOR.
Advantage of Engine Zero
• Detects virus transmission in file types over the mainstream protocols, including SMB v1/v2/v3, and greatly improves the detection rate of malicious files by adopting the SAVE smart file detection engine (antivirus).
• Supports detection of malicious domain names and URLs in the body of an email.
• Provides wider antivirus capability: detection of non-PE files such as documents and scripts, and of Office macro viruses.
• The antivirus file size limit can be adjusted flexibly; in the web UI it can be set to 1-20M.
• Supports detection inside compressed files, with a configurable number of layers; the web UI allows up to 16 layers.
• Stable and reliable high-level features based on AI technology, with strong generalization ability to identify unknown viruses or new variants of known viruses.
• Industry leader in ransomware detection: for ransomware with large industry impact such as WannaCry, BadRabbit, GlobeImposter, etc., SAVE detects new variants, and it also detects non-ransomware viruses well.
• Lightweight with low resource usage; industry-leading detection in isolated network environments.
• Cloud brain + edge device + correlated action, relying on the massive security data of the security cloud brain. SAVE continuously evolves and improves detection capability: unknown threats are detected in the cloud within minutes and synchronized across the whole network. This constitutes the overall solution of Sangfor Security Cloud Brain + Security Gateway NGAF/CC/IAG + Endpoint Security EDR.
Application Scenario
Engine Zero Scenario
• Main issue: end users in enterprises and institutions have weak security awareness, and more than 90% of employees use a PC to work every day. Endpoints are an important node of "data exchange" with the Internet, and employee awareness is weak; therefore 80% of security events in the enterprise network come from endpoints, which have become a strategic attack vector for hackers.
• Functional value: deploy NGAF at the edge and turn on Engine Zero. It detects the spread of malicious files while the intranet and the Internet communicate, intercepts the malicious file, and reduces the risk of viruses passing from the gateway into the intranet and infecting endpoints.
Configuration Guideline
Prerequisite
• Clearly limit the size of files that will be scanned for viruses (default 2M; the file size affects performance).
• Clearly limit the compression level of files that will be scanned (default 4 layers; the file size affects performance).
• If it is an HTTPS environment, decryption must be enabled.
Configuration Steps
1. In Objects > Network Objects, configure the respective endpoint IP.
2. In Objects > Security Policy Template > Content Security, enable all the modules related to Engine Zero.
3. In Policies > Network Security > Policies, configure a policy for the internet access scenario and select the respective content security template.
Case Study
Due to the particularity of the enterprise, the user cannot impose too many restrictions on intranet users surfing the Internet, and the security awareness of employees is also relatively poor. It is difficult to distinguish legal websites from illegal ones, resulting in occasional endpoint virus infection from the Internet, after which the Information Technology Department is called to remove the virus. Apart from the heavy workload, this can also easily cause greater security risks after lateral spread.
Currently the user has purchased an NGAF and needs to deploy it at the edge of the network. After deploying NGAF, there are still no restrictions on intranet users' access to the Internet; however, any virus transmission must be identified and blocked in time. The simple logical topology is shown in the figure below:
Figure (topology): Testing PC (192.200.244.106) - NGAF (192.200.244.105 / 173.173.3.1) - Switch - Internet website containing malware (173.173.3.10:80)
Configuration Steps
1. In Objects > Network Objects, configure the respective endpoint IP.
2. In Objects > Security Policy Template > Content Security, enable all the modules related to Engine Zero.
3. In Policies > Network Security > Policies, configure a policy for the internet access scenario and select the respective content security template. The policy configuration is shown from left to right in the diagram below.
Sangfor Engine Zero Precautions
1. The NGAF default for virus file detection is a 2M file size and 4 layers of compressed file. If you need to adjust the detected file size and compression level, confirm the requirement first; you can modify it in Policies > Network Security > Policies > Advanced, as shown below.
2. If the website is HTTPS encrypted, you need to enable the decryption function for virus detection and scanning to work.
3. After a virus is detected and blocked, go to Monitor > Security Logs and filter on Website Access Blocking and Email Protection to view the respective logs.
4. When testing on site with virus samples, be careful not to test in the existing production network, to prevent incidents caused by accidental execution of the virus. Test in a test virtual machine environment instead.
5. Email Security
Function Description
• The mail security function protects emails passing through NGAF. It supports the POP3, SMTP and IMAP mail protocols, mainly for the following three aspects:
1. Detect malicious domain names and URLs in the body of the email.
2. Filter the types of email attachments.
3. Scan emails which contain malware.
• By default, NGAF handles malicious emails received by the email client by adding a risk alert to the subject of the malicious email.
Application Scenario
It is mainly used where the intranet sends and receives mail. Mail security must be detected and protected: file-type viruses are detected and the virus files intercepted.
Configuration Guideline
Prerequisite
• Clearly limit the size of files that will be scanned for viruses (default 2M; the file size affects performance).
• Clearly limit the compression level of files that will be scanned (default 4 layers; the file size affects performance).
• Clarify which ports are used by the mail protocols (default 25, 110 and 143).
Configuration steps
1. In Objects > Security Policy Template > Content Security, add a new template and select all the options related to email protection. (You may skip this if you are using the default template.)
2. In Policy > Network Security > Policies, create a new policy and configure the respective source and destination. Select the template created in step 1; other protections may be enabled accordingly.
Case Study
The customer has purchased an NGAF and deployed it as the gateway. It is now necessary to protect the email security of intranet users who send email with an email client: carry out security detection and filter emails with attachments of commonly threatening file types.
Configuration Steps
1. In Objects > Security Policy Template > Content Security, add a new template and select all the options related to email protection.
Detecting email contents consists of two parts:
• Abnormal account: detect the maximum login attempts per minute of one account (collision attack).
• Phishing email: detect whether the content contains phishing links or malicious script.
If a file signature is selected both in Filter email attachments and in Verify files with Engine Zero at the same time, only the email attachment filter is applied.
Configuration Steps
2. In Policy > Network Security > Policies, create a new policy and configure the respective source and destination. Select the template created in step 1; other protections may be enabled accordingly.
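The abnormal-account (collision attack) check from step 1, flagging an account whose login attempts within one minute exceed a limit, as an added Python illustration run over constructed mail-server log lines; the log format and the threshold of 5 are assumptions, not NGAF's log format or default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed mail-server auth log (generic format, not NGAF's): alice is hammered
# with 7 logins in 12 seconds, bob and carol log in at a normal rate.
SAMPLE_LOG = """\
2024-05-01 09:00:01 POP3 login user=alice result=fail
2024-05-01 09:00:02 IMAP login user=bob result=ok
2024-05-01 09:00:03 POP3 login user=alice result=fail
2024-05-01 09:00:05 POP3 login user=alice result=fail
2024-05-01 09:00:07 POP3 login user=alice result=fail
2024-05-01 09:00:09 POP3 login user=alice result=fail
2024-05-01 09:00:11 POP3 login user=alice result=fail
2024-05-01 09:00:13 POP3 login user=alice result=ok
2024-05-01 09:00:30 IMAP login user=bob result=ok
2024-05-01 09:02:00 SMTP login user=carol result=fail
2024-05-01 09:02:30 SMTP login user=carol result=fail
2024-05-01 09:03:00 SMTP login user=carol result=ok
2024-05-01 09:03:30 SMTP login user=carol result=ok
2024-05-01 09:04:00 SMTP login user=carol result=ok
2024-05-01 09:04:30 SMTP login user=carol result=ok
"""
THRESHOLD = 5  # assumed maximum login attempts per minute for one account
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) login user=(\S+) result=(\w+)$")

def find_collision_attacks(log_text, threshold=THRESHOLD, window=timedelta(minutes=1)):
    """Return {account: time first flagged} for accounts whose login attempts
    (successful or not) exceed `threshold` within any sliding one-minute window."""
    recent = defaultdict(deque)  # account -> timestamps inside the current window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login events
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        account = m.group(3)
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()  # drop attempts older than one minute
        if len(q) > threshold and account not in flagged:
            flagged[account] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return flagged
```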
Precautions
1. The NGAF default for virus file detection is a 2M file size and 4 layers of compressed file. If you need to adjust the detected file size and compression level, confirm the requirement first; you can modify it in Policies - Network Security - Policies - Advanced, as shown below.
2. When users test with virus samples on the spot, do not do it in the user's current network environment, to prevent incidents caused by misoperation leading to virus execution. Test in a test virtual machine environment instead.
Thank you !
community.sangfor.com
Sangfor Technologies (Headquarters)
Block A1, Nanshan iPark, No.1001
Xueyuan Road, Nanshan District,
Shenzhen, Guangdong Province,
P. R. China (518055)