How to migrate ADC configurations from Sangfor to ZEVENET

POSTED ON 7 February, 2023

Overview

If you are reading this article, you are probably considering ADC options other than Sangfor and weighing whether ZEVENET would cover what your business needs. Sangfor has announced the end of life (end of sale) for some of its security and networking products. ZEVENET is what you need to carry your business on to its next adventure.

Unlike Sangfor, ZEVENET provides all the features an ADC requires to function efficiently. These include Layer 4 and Layer 7 load balancing, web application and network security, high availability, global load balancing, and more.

This article demonstrates a few configurations based on Sangfor IAM and NGAF and shows their ZEVENET equivalents. These will help you adapt to ZEVENET quickly.

Prerequisites

To migrate from Sangfor ADC to ZEVENET, make sure you have completed the following prerequisites.

  1. Install an instance of ZEVENET ADC on your PC, on bare metal, in a virtual environment, or on a cloud platform. For on-premise deployment, request an evaluation.
  2. Gain access to the web user interface by following this quick installation guide.
  3. Ensure you are still familiar with Sangfor networking concepts; we review the main ones in the section below.
  4. Learn how to create a virtual server in the ZEVENET load balancer by following the guide: Layer 4 and Layer 7 Virtual Server Configuration.

Basic Concepts

Link Load balancing: This functionality in Sangfor NGAF balances outbound traffic among multiple WAN connections, preventing downtime if one ISP goes down. ZEVENET implements link load balancing through the DSLB farm.

NGAF: This Next-Generation Firewall provides the security functionality that protects a network from malicious payloads, including web application protection, access control, IPS, etc. ZEVENET uses the IPDS module to provide next-generation firewall functionality. The IPDS module provides API protection, web application protection, RBL, blacklists, etc.

High Availability: Maintains the uptime of a network with an active-passive or active-active pair. If the master node fails, or one node of an active-active pair fails, traffic switches to the healthy node. ZEVENET implements high availability through a cluster; navigate to System >> Cluster.

Access Control: This functionality denies or permits access to a single IP or an IP range, for example the IPs of spammers. One may also deny or allow entire geographic locations using access control. ZEVENET implements access control through IPDS >> Blacklists, where Sources may be configured as either “Local” or “Remote.”

SSL Decryption & Inspection: For the firewall to monitor encrypted HTTPS traffic effectively, SSL decryption must be enabled so that the firewall can inspect the traffic and filter out malicious payloads. ZEVENET offers similar functionality on an HTTPS farm: configure Ciphers to “SSL Offloading” to decrypt SSL traffic.

IPSEC VPN: This Sangfor VPN functionality connects a company’s branch networks to the headquarters site-to-site through a secure tunnel. To enable a site-to-site VPN on ZEVENET, go to Network >> VPN and create a ZSS (site to site) profile.

Example configurations: IPSEC VPN

A site-to-site VPN securely connects two or more private networks over the internet. For example, you may need to connect the branches of an organization to its headquarters and let them operate as if they were on the same private network.

IPsec is the protocol most often used. It provides data encryption, integrity, and authentication between the participating peers. Both ZEVENET and Sangfor VPNs provide site-to-site VPN functionality.

If you are migrating from Sangfor, this section demonstrates both configurations for an easier transition.

Sangfor configurations

With Sangfor, the Branch and HQ configurations are done separately. Let’s start with the Branch configurations.

Create VPN Interface

  1. Click VPN >> IPSec VPN >> VPN Interface.
  2. In the Interfaces section, click the Add button.
  3. Select an Interface from the drop-down.
  4. Enter a Netmask and click the Save button.
  5. Tick the checkbox on the interface to set its status to enabled.
  6. In the VPN Interface IP section, enter the IP Address and click Save.

Create Basic Configurations

  1. Click VPN >> IPSec VPN >> Basics.
  2. Enter the Primary webAgent (Primary Socket).
  3. Ensure the MTU value (224-2000) is “1500”.
  4. Leave the Default listening port as “4009”.
  5. Click the Save button.

Add Local Users

  1. Click VPN >> IPSec VPN >> Local Users.
  2. Click the button New User.
  3. Enter the Username to Identify a branch.
  4. Enter a Password for that User and confirm it.
  5. Select the Authentication method as “Local.”
  6. Select the Algorithm as “DES.”
  7. Select the User Type as “Branch user.”
  8. Select the User Group, or leave it as a “Default group.”
  9. Click the Save button.

The following are the HQ configurations, to which all branches connect.

Add a Virtual Interface

  1. Click VPN >> IPSec VPN >> VPN Interface.
  2. Click the Add button within the Interface section.
  3. Select a Network Interface for your VPN.
  4. Enter the Netmask and click the Save button.
  5. Within the VPN Interface IP section, enter the IP Address in IPv4 and click the Save button.

Add VPN Connections

  1. Click VPN >> IPSec VPN >> VPN connections.
  2. Click the Add button.
  3. Enter a Name to Identify this connection.
  4. Within the Primary webAgent field, enter the webAgent socket, e.g., 192.168.0.102:4009.
  5. Enter the Branch’s Username, Password, and password confirmation.
  6. One may monitor the configurations through the Status navigation.

ZEVENET configurations

In this section, we use the previous Sangfor configurations to set up the ZEVENET IPSec configuration with the Site-to-Site VPN profile.

VPN Profile

  1. Click Network >> VPN >> Create VPN.
  2. Enter a Name to Identify the VPN.
  3. Select the VPN Profile as “ZSS (Site to Site).”
  4. The Authentication method is a shared secret. Enter a Password for this profile.

Local Gateway configurations

  1. Enter the Local Gateway* in IPv4 or IPv6.
  2. Enter the subnet in the field Local net/CIDR*.

Remote Gateway configurations

  1. Enter the Remote Gateway* in IPv4 or IPv6.
  2. Enter the subnet in the field Remote net/CIDR*.

IKE Phase 1 configurations

  1. Select one or more suitable Authentication* methods.
  2. Select one or more suitable Encryption* methods.
  3. Select the necessary DH group(s).

IKE Phase 2 configurations

  1. Select the Protocol as either “AH” or “ESP.”
  2. Select one or more suitable Authentication methods.
  3. Select similar Encryption(s) as in Phase 1.
  4. Select the DH group(s) as in Phase 1.
  5. Select the Pseudo-Random Function(s) you prefer.
  6. Click the Apply button to Save the configurations.
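The ZSS profile has to be entered on both ends as mirror images (each side's Local Gateway and Local net/CIDR are the other side's Remote Gateway and Remote net/CIDR), and the tunnel only comes up when the two IKE proposals overlap, so it is worth checking both profiles before clicking Apply. The following Python script is an added example, not ZEVENET's or Sangfor's code: the field names follow the form fields above, while the dataclass layout, the algorithm labels, and the branch/HQ addresses (documentation ranges) are constructed assumptions. It also encodes the article's own guidance that phase 2 reuses the phase 1 encryption and DH groups, and rejects a net/CIDR whose host bits are set.

```python
"""Pre-flight checks for a pair of ZSS-style site-to-site IPsec profiles.

Added example, not ZEVENET's or Sangfor's code. Field names follow the
form above; the dataclass layout, algorithm labels and sample addresses
are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class IkePhase:
    authentication: frozenset      # e.g. {"sha256"}
    encryption: frozenset          # e.g. {"aes256"}
    dh_groups: frozenset           # e.g. {"modp2048"}
    protocol: str = ""             # phase 2 only: "AH" or "ESP"
    prf: frozenset = frozenset()   # phase 2 form field on ZEVENET


@dataclass
class ZssProfile:
    name: str
    local_gateway: str
    local_net: str       # "Local net/CIDR"
    remote_gateway: str
    remote_net: str      # "Remote net/CIDR"
    phase1: IkePhase
    phase2: IkePhase


def check_profile(p):
    """Sanity checks for one side. Returns a list of problems (empty = OK)."""
    problems = []
    try:
        lgw = ipaddress.ip_address(p.local_gateway)
        rgw = ipaddress.ip_address(p.remote_gateway)
        # strict=True rejects a net/CIDR with host bits set, e.g. 10.0.0.1/24
        lnet = ipaddress.ip_network(p.local_net, strict=True)
        rnet = ipaddress.ip_network(p.remote_net, strict=True)
    except ValueError as exc:
        return [f"{p.name}: invalid address or net/CIDR ({exc})"]
    if lgw.version != rgw.version:
        problems.append(f"{p.name}: gateways are not the same IP version")
    if lgw == rgw:
        problems.append(f"{p.name}: local and remote gateway are identical")
    if lnet.overlaps(rnet):
        problems.append(f"{p.name}: local net {lnet} overlaps remote net {rnet}")
    if not (p.phase1.authentication and p.phase1.encryption and p.phase1.dh_groups):
        problems.append(f"{p.name}: phase 1 needs authentication, encryption and a DH group")
    if p.phase2.protocol not in ("AH", "ESP"):
        problems.append(f"{p.name}: phase 2 protocol must be AH or ESP")
    if p.phase2.protocol == "ESP" and not p.phase2.encryption:
        problems.append(f"{p.name}: ESP needs at least one phase 2 encryption")
    # The article says phase 2 reuses the phase 1 encryption and DH groups.
    if not p.phase2.encryption <= p.phase1.encryption:
        problems.append(f"{p.name}: phase 2 encryption not taken from phase 1")
    if not p.phase2.dh_groups <= p.phase1.dh_groups:
        problems.append(f"{p.name}: phase 2 DH groups not taken from phase 1")
    return problems


def check_pair(a, b):
    """Checks that two profiles mirror each other and share a proposal."""
    problems = check_profile(a) + check_profile(b)
    if problems:
        return problems
    for mine, theirs in (("local_gateway", "remote_gateway"),
                         ("local_net", "remote_net")):
        if getattr(a, mine) != getattr(b, theirs):
            problems.append(f"{a.name}.{mine} != {b.name}.{theirs}")
        if getattr(b, mine) != getattr(a, theirs):
            problems.append(f"{b.name}.{mine} != {a.name}.{theirs}")
    for label, pa, pb in (("phase 1", a.phase1, b.phase1),
                          ("phase 2", a.phase2, b.phase2)):
        for attr in ("authentication", "encryption", "dh_groups", "prf"):
            # only compare selections that at least one side actually made
            if (getattr(pa, attr) or getattr(pb, attr)) and \
                    not getattr(pa, attr) & getattr(pb, attr):
                problems.append(f"{label}: no common {attr} between {a.name} and {b.name}")
    if a.phase2.protocol != b.phase2.protocol:
        problems.append("phase 2 protocol differs between the two sides")
    return problems


# Constructed sample: one branch and the HQ, using documentation address ranges.
PHASE1 = IkePhase(frozenset({"sha256"}), frozenset({"aes256"}), frozenset({"modp2048"}))
PHASE2 = IkePhase(frozenset({"sha256"}), frozenset({"aes256"}), frozenset({"modp2048"}),
                  protocol="ESP", prf=frozenset({"prfsha256"}))
BRANCH = ZssProfile("branch", "198.51.100.10", "10.10.0.0/24",
                    "203.0.113.5", "10.0.0.0/16", PHASE1, PHASE2)
HQ = ZssProfile("hq", "203.0.113.5", "10.0.0.0/16",
                "198.51.100.10", "10.10.0.0/24", PHASE1, PHASE2)
# The same HQ profile with a mistyped Remote net/CIDR.
HQ_BAD = ZssProfile("hq-bad", "203.0.113.5", "10.0.0.0/16",
                    "198.51.100.10", "10.10.1.0/24", PHASE1, PHASE2)

if __name__ == "__main__":
    print("branch <-> hq    :", check_pair(BRANCH, HQ) or "OK")
    print("branch <-> hq-bad:", check_pair(BRANCH, HQ_BAD))
```

The per-side checks run first and short-circuit the mirror comparison, because comparing two profiles is pointless while one of them is not even parseable. Fill in the same frozensets you ticked on each ZEVENET node and the script tells you which field to go back and fix.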

For more resources, read:
Understanding VPN IPSec modes
Network | VPN | Create

Example configurations: High Availability

With scaling networks and increasing numbers of users, organizations need a network infrastructure that functions continuously and reliably without interruption, even during component failure or planned maintenance. With products like ZEVENET, this is achieved through redundancy and failover mechanisms that minimize downtime and ensure that critical applications and services are always accessible.
As you migrate from Sangfor, we describe both the Sangfor and ZEVENET configurations that provide this functionality.

Sangfor configurations

  1. Click System >> Network >> High Availability.
  2. For Active-Passive configurations, click on the Active-Standby option.
  3. Click on the Settings button to open the configurations page.
  4. Set the Device Name.
  5. Select the Priority of the current device as either High or Low. The priority on the Active and Standby devices cannot be the same.

Basics

  1. Within the Basics page, select the Primary Link from the Network Interfaces, and enter the Remote IP.
  2. Optionally select the Secondary Link from the Network Interfaces and enter the Remote IP.
  3. Enter a shared secret for the devices to join High Availability.
  4. In the Tracked Interface Group section, choose Production Interfaces.
  5. Click Next to go to the Detection page.

Detection

  1. Set the Heartbeat Timeout in seconds.
  2. Enable ARP Probe for the device.
  3. Enter the Probe IP Address, Detection Timeout (sec), Detection Recovery Interval (sec), and Detection Interval (ms).
  4. Enable ICMP Probe and enter an IP or domain for probe testing.
  5. Click Next to go to the Actions tab.

Action

  1. Ensure the “Remove tracking capability from the Interfaces” checkbox is disabled.
  2. Click Next to shift to the Advanced tab.

Advanced

  1. Ensure you have enabled Simultaneous upgrades.
  2. Click the Commit button to save the settings. The device will require you to log in again.
  3. Repeat the settings on the standby device, but ensure that its priority is set to Low.

ZEVENET Configurations

In this section, we configure HA on ZEVENET to provide functionality similar to what we described in the previous Sangfor section.

  1. Click System >> Cluster.
  2. Select the Local IP address of the local node from the Interfaces.
  3. Enter the Remote IP of the remote node.
  4. Enter the Remote Node Password.
  5. Re-enter the password in Confirm remote node password.
  6. Click the Apply button to save the configurations.
  7. Within the Configure cluster section, hover over the configured remote node and click the edit button (pencil icon).
  8. For active-active HA, leave Failback as “disabled.” For active-passive configurations, set Failback to the current device.
  9. For heartbeat checks, enter a Check Interval.
  10. Click the Apply button to save.
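To make the Failback and Check Interval settings concrete, here is an added example (not ZEVENET's or Sangfor's code) that models a two-node active-passive cluster: a node counts as alive while a heartbeat has been seen within the timeout, the highest-priority live node holds the master role, and the failback flag decides whether the preferred node reclaims that role when it recovers. Node names, priorities and the heartbeat timeline are constructed, and the priority numbers stand in for Sangfor's High/Low setting.

```python
"""Toy model of active-passive failover and failback (added example).

Not ZEVENET's or Sangfor's code. It mirrors the settings described above:
a priority per node (Sangfor High/Low), a heartbeat check interval and
timeout, and a failback switch that decides whether the preferred node
takes the master role back after recovering.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HaNode:
    name: str
    priority: int  # higher value wins the master role (Sangfor "High" vs "Low")


def alive_at(t, heartbeats, timeout):
    """A node is alive at time t if a heartbeat arrived in [t - timeout, t]."""
    return any(t - timeout <= hb <= t for hb in heartbeats)


def simulate_failover(nodes, heartbeats, heartbeat_timeout, check_interval,
                      failback, end_time):
    """Evaluates the cluster every check_interval seconds (integers) and
    returns the list of (time, master_name) transitions.

    heartbeats maps a node name to the times (seconds) at which its
    heartbeat was received by the peer.
    """
    transitions = []
    master = None
    for t in range(0, end_time + 1, check_interval):
        live = [n for n in nodes
                if alive_at(t, heartbeats.get(n.name, ()), heartbeat_timeout)]
        preferred = max(live, key=lambda n: n.priority) if live else None
        if master is None or master not in live:
            # first election, or the master's heartbeat timed out: promote
            # the best live node (None if nothing is alive)
            new_master = preferred
        elif failback and preferred is not master:
            # the preferred node is back: it reclaims the role only when
            # failback is enabled, otherwise the current master keeps it
            new_master = preferred
        else:
            new_master = master
        if new_master is not master:
            transitions.append((t, new_master.name if new_master else None))
            master = new_master
    return transitions


# Constructed timeline: node A (High priority) stops sending heartbeats after
# t=3 and recovers at t=10; node B (Low priority) is healthy throughout.
NODE_A = HaNode("A", priority=2)
NODE_B = HaNode("B", priority=1)
HEARTBEATS = {
    "A": [0, 1, 2, 3] + list(range(10, 15)),
    "B": list(range(0, 15)),
}


def run_example():
    """Runs the same timeline with failback enabled and disabled."""
    common = dict(heartbeat_timeout=3, check_interval=1, end_time=14)
    with_failback = simulate_failover([NODE_A, NODE_B], HEARTBEATS,
                                      failback=True, **common)
    without_failback = simulate_failover([NODE_A, NODE_B], HEARTBEATS,
                                         failback=False, **common)
    return with_failback, without_failback


if __name__ == "__main__":
    enabled, disabled = run_example()
    print("failback enabled :", enabled)
    print("failback disabled:", disabled)
```

With a 3-second timeout, A is declared dead at t=7 (four seconds after its last heartbeat) and B takes over; at t=10 A is alive again, and only the failback-enabled run hands the master role back to it. A shorter Check Interval detects the loss sooner, at the cost of more heartbeat traffic and a higher chance that a transient blip triggers a switch.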

For more resources about High Availability, read: System | Cluster

For Video resources, watch

Additional Resources

Web Application Firewall configuration.
Configuring SSL certificates for the load balancer.
Using the Let’s encrypt program to autogenerate an SSL certificate.
Datalink/Uplink load balancing With ZEVENET ADC.
DNS load balancing with ZEVENET ADC.


Documentation under the terms of the GNU Free Documentation License.
