Network Secure - 8.0.85 - VSYS Scenario Practice - EN
Released on 2023-11-24
Disclaimer
Products, services or features described in this document, whether wholly or in part, may
not be within your purchase scope or usage scope. The products, services or features
you purchase must be subject to the commercial contract and terms as agreed by you
and Sangfor. Unless otherwise provided in the contract, Sangfor disclaims warranties of
any kind, either express or implied, for the content of this document.
Due to product version upgrades or other reasons, the content of this document will be
updated from time to time. Unless otherwise agreed, this document is used for reference
only, and all statements, information, and recommendations therein do not constitute
any express or implied warranties.
SANGFOR Network Secure Best
Technical Support
For technical support, please visit: https://www.sangfor.com/en/about-us/contact-us/technical-support
Intended Audience
This document is intended for:
FAE, PreSales, TAC
Contents
1 Virtual System Feature
1.1 Layer-2 Isolation
1.1.1 Scenario Introduction
1.1.2 Test Topology
1.1.3 Precondition
1.1.4 Test Process
1.1.4.1 Step1
1.1.4.2 Step2
1.2 Layer-3 Access
1.2.1 Scenario Introduction
1.2.2 Test Topology
1.2.3 Precondition
1.2.4 Test Process
1.2.4.1 Step1
1.2.4.2 Step2
1.2.4.3 Step3
1.3 Vsys Access Internet through Public System
1.3.1 Scenario Introduction
1.3.2 Test Topology
1.3.3 Precondition
1.3.4 Test Process
1.3.4.1 Step 1
1.1.3 Precondition
1. Deploy the Network Secure Platform in layer-2 mode.
2. Configure two virtual systems, vsys10 and vsys2.
vsys10
vsys2
PC1
PC2
PC3
PC4
1.1.4.1 Step1
Configure an access control list policy in vsys10 that permits access from the
L2_trust_A zone to the L2_untrust_A zone.
Send ICMP packets from each PC to the other. PC1 is expected to reach PC2
successfully, while access in the reverse direction is expected to fail.
The same test process can be applied to vsys2, and it is consistent with that of
vsys10.
1.1.4.2 Step2
vsys2 and vsys10 cannot access each other, because the network between them is
isolated.
PC1->PC3/PC4
PC3->PC1/PC2
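The expected results of Step1 and Step2, expressed as a reachability matrix that observed ping results can be compared against. This is an added example, not Sangfor code or part of the original document: it is a simplified model that assumes an implicit deny and stateful return traffic, and the vsys2 zone names (L2_trust_B, L2_untrust_B) and the placement of PC3 and PC4 in them are hypothetical.

```python
# Added illustration: a simplified model, not Sangfor code.
# Assumptions: implicit deny, stateful return traffic, and the hypothetical
# vsys2 zone names L2_trust_B / L2_untrust_B with PC3 and PC4 placed in them.
HOSTS = {
    "PC1": ("vsys10", "L2_trust_A"),
    "PC2": ("vsys10", "L2_untrust_A"),
    "PC3": ("vsys2", "L2_trust_B"),
    "PC4": ("vsys2", "L2_untrust_B"),
}
# One permit rule per vsys: trust -> untrust only.
PERMITS = {
    ("vsys10", "L2_trust_A", "L2_untrust_A"),
    ("vsys2", "L2_trust_B", "L2_untrust_B"),
}


class Firewall:
    def __init__(self, hosts, permits):
        self.hosts = hosts
        self.permits = permits
        self.sessions = set()  # (initiator, responder) pairs admitted by policy

    def forward(self, src, dst, is_reply=False):
        s_vsys, s_zone = self.hosts[src]
        d_vsys, d_zone = self.hosts[dst]
        if s_vsys != d_vsys:
            return False  # isolation: no forwarding path between vsys
        if is_reply:
            return (dst, src) in self.sessions  # reply must match a session
        if (s_vsys, s_zone, d_zone) in self.permits:
            self.sessions.add((src, dst))
            return True
        return False  # implicit deny for new connections

    def ping(self, src, dst):
        # Echo request is policy-checked; echo reply rides the session.
        return self.forward(src, dst) and self.forward(dst, src, is_reply=True)


def expected_matrix(hosts=HOSTS, permits=PERMITS):
    fw = Firewall(hosts, permits)
    return {(a, b): fw.ping(a, b) for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    for (a, b), ok in sorted(expected_matrix().items()):
        print(f"{a} -> {b}: {'reachable' if ok else 'blocked'}")
```

Any observed ping that succeeds where the matrix says blocked, in particular any pair that spans vsys10 and vsys2, indicates a policy or isolation misconfiguration.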
1.2.3 Precondition
1. Create two vsys in the public system (the so-called root system, which
represents the overall device).
3. Bind the virtual interfaces to vsys10 and vsys2 respectively and select the
correct security zone.
4. Create an access control list policy on both vsys to allow access among all zones.
1.2.4.1 Step1
Create a route in vsys10 with the destination pointing to vsys2, and create a
route in vsys2 with the destination pointing to vsys10.
1.2.4.2 Step2
PC1
PC2
1.2.4.3 Step3
1.3.3 Precondition
1. Create two virtual systems named vsys1 and vsys2, and allocate eth1 to vsys1
and eth5 to vsys2.
7. In the public system, configure the route, source NAT and access control list.
In the public system's source NAT, the source zone must be the zone that vsysif0 belongs to.
1.3.4.1 Step 1
In the public system, view the parallel source NAT sessions from the two PCs.