
SANGFOR Network Secure Best Practice

SANGFOR Network Secure VSYS


Scenario Practice

Document Version 1.0

Released on 2023-11-24

Version 01 (Mar.24, 2021) Confidentiality: Public in Company 1



Copyright © Sangfor Technologies Inc. 2023. All rights reserved.

Unless otherwise stated or authorized, Sangfor Technologies Inc. (hereinafter referred to as "Sangfor") and its affiliates reserve all intellectual property rights, including but not limited to copyrights, trademarks, patents, and trade secrets, and related rights to text, images, pictures, photographs, audio, videos, charts, colors, and layouts as presented in or concerning this document and content therein. Without prior written consent of Sangfor, this document and content therein must not be reproduced, forwarded, adapted, modified or displayed or distributed by any other means for any purpose.

Disclaimer

Products, services or features described in this document, whether wholly or in part, may
be not within your purchase scope or usage scope. The products, services or features
you purchase must be subject to the commercial contract and terms as agreed by you
and Sangfor. Unless otherwise provided in the contract, Sangfor disclaims warranties of
any kind, either express or implied, for the content of this document.

Due to product version upgrades or other reasons, the content of this document will be
updated from time to time. Unless otherwise agreed, this document is used for reference
only, and all statements, information, and recommendations therein do not constitute
any express or implied warranties.

Technical Support
For technical support, please visit: https://www.sangfor.com/en/about-us/contact-us/technical-support

Send information about errors or any product-related problem to tech.support@sangfor.com.

Intended Audience
This document is intended for:
FAE, PreSales, TAC

Note Icons

Icon | Description
[icon] | Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
[icon] | Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
[icon] | Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.
NOTICE | Indicates a hazardous situation which, if not avoided, could result in settings failing to take effect, equipment damage, or data loss. NOTICE addresses practices not related to personal injury.
NOTE | Calls attention to important information, best practices, and tips. NOTE addresses information not related to personal injury or equipment damage.

Change Log

Date | Document Version | Change Description
2023-11-24 | V1.0 | This is the first release of this document.



Contents
1 Virtual System Feature............................................................................................4
1.1 Layer-2 Isolation...........................................................................................4
1.1.1 Scenario Introduction...........................................................................4
1.1.2 Test Topology......................................................................................4
1.1.3 Precondition........................................................................................4
1.1.4 Test Process........................................................................................7
1.1.4.1 Step 1.......................................................................................7
1.1.4.2 Step 2.......................................................................................8
1.2 Layer-3 Access.............................................................................................9
1.2.1 Scenario Introduction...........................................................................9
1.2.2 Test Topology......................................................................................9
1.2.3 Precondition......................................................................................10
1.2.4 Test Process......................................................................................11
1.2.4.1 Step 1.....................................................................................11
1.2.4.2 Step 2.....................................................................................12
1.2.4.3 Step 3.....................................................................................13
1.3 Vsys Access Internet through Public System..................................................14
1.3.1 Scenario Introduction.........................................................................14
1.3.2 Test Topology....................................................................................14
1.3.3 Precondition......................................................................................15
1.3.4 Test Process......................................................................................18
1.3.4.1 Step 1.....................................................................................18

1 Virtual System Feature


1.1 Layer-2 Isolation

1.1.1 Scenario Introduction


Different network segments can be isolated from one another by virtual systems (vsys) in layer-2 mode.

1.1.2 Test Topology

1.1.3 Precondition
1. Deploy the Network Secure Platform into layer-2 mode.

2. Configure two virtual systems, vsys10 and vsys2.

vsys10

vsys2

3. Configure a VLAN-tagged sub-interface on each PC.

PC1

PC2

PC3

PC4

1.1.4 Test Process

1.1.4.1 Step 1

Configure an access control list policy in vsys10 that permits access from the L2_trust_A zone to the L2_untrust_A zone.

Send ICMP packets from each PC to the other. PC1 is expected to reach PC2 successfully, while the reverse access (PC2 to PC1) fails, since only the trust-to-untrust direction is permitted.

The access logs show the policy hits.

The same testing process can be applied to vsys2; it is identical to the process for vsys10.

1.1.4.2 Step 2

vsys2 and vsys10 cannot access each other, because the networks behind them are isolated from one another.

PC1->PC3/PC4

PC3->PC1/PC2
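The expected results of the layer-2 isolation tests above, checked against a small model of how the VLAN tag selects the vsys and the port selects the zone (an added example, not Sangfor's code or configuration; the VLAN tags, PC addresses, port names and the vsys2 zone names are assumptions):

```python
# Added example, not Sangfor's code: a model of layer-2 vsys isolation used to
# check the expected results of the section 1.1 tests. VLAN tags, PC addresses,
# port names and the vsys2 zone names are assumptions.
from dataclasses import dataclass, field
from itertools import count

@dataclass(frozen=True)
class Host:
    ip: str
    vlan: int     # VLAN tag on the PC sub-interface; selects the vsys
    port: str     # firewall port the PC sits behind; selects the zone

@dataclass
class Vsys:
    zone_of_port: dict             # port -> security zone inside this vsys
    policies: list                 # ordered (src_zone, dst_zone, action)
    sessions: set = field(default_factory=set)

def forward(vsys_of_vlan, src, dst, flow):
    """Decide one frame: 'permit' or 'deny'; a permitted flow gets a session."""
    vs, vd = vsys_of_vlan.get(src.vlan), vsys_of_vlan.get(dst.vlan)
    if vs is None or vs is not vd:
        return "deny"              # frames are never bridged between two vsys
    if (dst.ip, src.ip, flow) in vs.sessions:
        return "permit"            # reply of an established session
    zs, zd = vs.zone_of_port[src.port], vs.zone_of_port[dst.port]
    for src_zone, dst_zone, action in vs.policies:
        if (src_zone, dst_zone) == (zs, zd):
            if action == "permit":
                vs.sessions.add((src.ip, dst.ip, flow))
            return action
    return "deny"                  # no matching rule: implicit deny

_flow_ids = count(1)   # stands in for the ICMP identifier of each ping

def ping(fw, a, b):
    """Echo request a->b plus reply b->a; True only if both are forwarded."""
    flow = next(_flow_ids)
    return forward(fw, a, b, flow) == "permit" and forward(fw, b, a, flow) == "permit"

def build_lab():
    """vsys10 on VLAN 10 and vsys2 on VLAN 20; each permits only trust->untrust."""
    vsys10 = Vsys({"eth1": "L2_trust_A", "eth2": "L2_untrust_A"},
                  [("L2_trust_A", "L2_untrust_A", "permit")])
    vsys2 = Vsys({"eth1": "L2_trust_B", "eth2": "L2_untrust_B"},
                 [("L2_trust_B", "L2_untrust_B", "permit")])
    pcs = {"PC1": Host("192.168.10.11", 10, "eth1"), "PC2": Host("192.168.10.12", 10, "eth2"),
           "PC3": Host("192.168.20.13", 20, "eth1"), "PC4": Host("192.168.20.14", 20, "eth2")}
    return {10: vsys10, 20: vsys2}, pcs
```

Running `ping(fw, pcs["PC2"], pcs["PC1"])` after a successful PC1 to PC2 ping still fails, because the reverse request is a new flow and does not match the existing session.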

1.2 Layer-3 Access

1.2.1 Scenario Introduction


Sometimes parallel access between virtual systems is required; connectivity between them is then established through virtual sub-interfaces.

1.2.2 Test Topology



1.2.3 Precondition
1. Create two vsys in the public system (also called the root system, which represents the whole device).

2. Add two sub-interfaces in the public system.

3. Bind the virtual interfaces to vsys10 and vsys2 respectively and select the appropriate security zone.

4. Create an access control list policy in both vsys that allows access among all zones.

1.2.4 Test Process

1.2.4.1 Step 1

Create a route in vsys10 with the destination pointing to vsys2, and create a route in vsys2 with the destination pointing to vsys10.

1.2.4.2 Step 2

Configure the address, VLAN tag, and default route on PC1 and PC2.

PC1

PC2

1.2.4.3 Step 3

PC1 initiates a ping test to PC2; then check the session in each vsys.



1.3 Vsys Access Internet through Public System

1.3.1 Scenario Introduction


Two vsys using the same internal network segment can access the internet simultaneously through the public system without affecting each other.

1.3.2 Test Topology



1.3.3 Precondition
1. Create two virtual systems named vsys1 and vsys2, allocating eth1 to vsys1 and eth5 to vsys2.

2. In vsys1, configure the IP and zone for eth1 and vsysif1.



3. In vsys1, configure the access control list, route, and source NAT.

4. In vsys2, configure the IP and zone for eth5 and vsysif2.

5. In vsys2, configure the access control list, route, and source NAT.



6. In the public system, configure the IP and zone for eth2 and vsysif0.

7. In the public system, configure the route, source NAT, and access control list.

In the public system's source NAT rule, the source zone must be the zone to which vsysif0 belongs.

1.3.4 Test Process

1.3.4.1 Step 1

Initiate ping tests from PC1 and PC2 to the server.



In the public system, view the parallel source NAT sessions from the two PCs.
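The two-stage source NAT that lets both vsys share one internal segment, worked through as an added example (not Sangfor's code or configuration; the zone names, the vsysif1/vsysif2/eth2, PC and server addresses, and the port numbers are assumptions). It also shows why a public-system rule whose source zone is not the zone of vsysif0 never matches:

```python
# Added example, not Sangfor's code: a model of the two-stage source NAT in
# section 1.3 (per-vsys SNAT to vsysif, then public-system SNAT to eth2).
# Zone names, the vsysif/eth2/PC/server addresses and port numbers are assumptions.
from itertools import count

class Snat:
    """One source-NAT rule: matches a zone pair and rewrites the packet source."""
    def __init__(self, src_zone, dst_zone, nat_ip):
        self.src_zone, self.dst_zone, self.nat_ip = src_zone, dst_zone, nat_ip
        self.sessions = {}                # (orig src ip, src port, dst ip) -> NAT port
        self._ports = count(20000)

    def translate(self, src_ip, src_port, dst_ip, src_zone, dst_zone):
        """Return (nat_ip, nat_port), or None when the zone pair does not match."""
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return None
        key = (src_ip, src_port, dst_ip)
        if key not in self.sessions:      # a new flow gets the next free port
            self.sessions[key] = next(self._ports)
        return self.nat_ip, self.sessions[key]

def path_to_server(vsys_nat, public_nat, pc_ip, pc_port, server_ip):
    """Packet from a PC: vsys SNAT leaving via vsysif, then public SNAT leaving via eth2."""
    hop1 = vsys_nat.translate(pc_ip, pc_port, server_ip, "trust", "vsysif_zone")
    if hop1 is None:
        return None
    # In the public system the packet arrives from vsysif0, so that is its source zone.
    hop2 = public_nat.translate(hop1[0], hop1[1], server_ip, "vsysif0_zone", "untrust")
    return hop1, hop2

def run_scenario():
    """Both PCs use the same private address; returns the NAT chain each one gets."""
    server = "198.51.100.20"
    vsys1_nat = Snat("trust", "vsysif_zone", "10.255.1.1")       # vsysif1 address
    vsys2_nat = Snat("trust", "vsysif_zone", "10.255.2.1")       # vsysif2 address
    public_nat = Snat("vsysif0_zone", "untrust", "203.0.113.10")  # eth2 address
    pc1 = path_to_server(vsys1_nat, public_nat, "192.168.1.10", 40000, server)
    pc2 = path_to_server(vsys2_nat, public_nat, "192.168.1.10", 40000, server)
    # Precondition 7's caveat: a public rule with the wrong source zone never matches.
    wrong_zone = Snat("trust", "untrust", "203.0.113.10")
    miss = path_to_server(vsys1_nat, wrong_zone, "192.168.1.10", 40001, server)
    return {"pc1": pc1, "pc2": pc2, "public_sessions": len(public_nat.sessions),
            "wrong_zone_hop2": miss[1]}
```

Because each vsys rewrites its PC's source to its own vsysif address first, the public system sees two distinct flows and keeps two parallel sessions even though both PCs carry the same private address.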
