Sangfor IAM11.2 User Manual

IAM 11.2 User Manual
1
SANGFOR IAM11.2
User Manual
2016 January
www.sangfor.com
Table of Contents

Organization
Conventions ........ 9
Symbol Conventions
Technical Support
Acknowledgment

Chapter 1 IAM Installation
  1.1 Environment Requirement ........ 11
  1.2 Power
  1.3 Product Appearance
  1.4 Configuration and Management
  1.5 Wiring Method of Standalone
  1.6 Wiring Method of Redundant System ........ 16

Chapter 2 IAM Console
  2.1 Web UI Login
    2.1.1 Log into the Web Console
    2.1.2 Remove the Certificate Alert Dialog
  2.2 Configuration

Chapter 3 Functions
  3.1 System
    3.1.1 Status
      3.1.1.1 Dashboard
      3.1.1.2 Online Users
      3.1.1.3 Connection Quality
      3.1.1.4 Traffic Statistics
      3.1.1.5 Internet Activities
      3.1.1.6 Locked Users
      3.1.1.7 DHCP Status ........ 50
      3.1.1.8 Security Events
    3.1.2 Firewall ........ 51
      3.1.2.1 Firewall Rules
      3.1.2.2 IPv4 SNAT
      3.1.2.3 IPv4 DNAT
      3.1.2.4 IPv6 NAT
    3.1.3 Network ........ 65
      3.1.3.1 Deployment
      3.1.3.2 Network Interface Configuration
      3.1.3.3 Static Routes
      3.1.3.4 Policy-Based Routing
      3.1.3.5 High Availability
      3.1.3.6 HOSTS
      3.1.3.7 DHCP
      3.1.3.8 Protocol Extension ........ 118
      3.1.3.9 Optical Bypass Module
    3.1.4 General
      3.1.4.1 Licensing
      3.1.4.2 Administrator
      3.1.4.3 Date/Time
      3.1.4.4 Update
      3.1.4.5 Alarm Options
      3.1.4.6 Global Exclusion
      3.1.4.7 Backup/Restore
      3.1.4.8 Custom Webpage ........ 144
      3.1.4.9 Report Center
      3.1.4.10 Advanced Settings
    3.1.5 Diagnostics
      3.1.5.1 System Logs
      3.1.5.2 Capture Packets ........ 158
      3.1.5.3 Web Console
      3.1.5.4 Troubleshooting
      3.1.5.5 Shutdown
  3.2 Proxy
    3.2.1 Proxy Services ........ 164
    3.2.2 Proxies
      3.2.2.1 HTTP Proxy
      3.2.2.2 SOCKS4 Proxy
      3.2.2.3 SOCKS5 Proxy
    3.2.3 ICAP Server Groups ........ 171
    3.2.4 Cascading Proxy Servers
    3.2.5 Forward
  3.3 Object
    3.3.1 Application Signature
      3.3.1.1 Viewing the Application Signature
      3.3.1.2 Enabling/Disabling Application Identification Rules
    3.3.2 Advanced App Signature ........ 183
      3.3.2.1 Enabling/Disabling Advanced App Signature
      3.3.2.2 Editing P2P Behavior Identification Rules
      3.3.2.3 Editing Ultrasurf/Freegate Identification Rules
      3.3.2.4 Editing Web Online Proxy Identification Rules
    3.3.3 Custom Application
      3.3.3.1 Adding Custom Application Rules
      3.3.3.2 Enabling, Disabling, and Deleting Custom Application Rules
      3.3.3.3 Importing and Exporting Custom Application Rules ........ 190
    3.3.4 URL Database
      3.3.4.1 URL Database List ........ 191
    3.3.5 Ingress Rule Database
      3.3.5.1 Ingress Rules
      3.3.5.2 Combined Ingress Rule
    3.3.6 Service
    3.3.7 IP Group ........ 212
    3.3.8 ISP
    3.3.9 Schedule
    3.3.10 Keyword Group ........ 217
    3.3.11 File Type Group
    3.3.12 Location
  3.4 Users
    3.4.1 Working Principle
      3.4.1.1 User Types
      3.4.1.2 User Authentication
    3.4.2 Authentication
      3.4.2.1 Authentication Policy
      3.4.2.2 External Auth Server
      3.4.2.3 Single Sign-On ........ 260
      3.4.2.4 Custom Webpage
    3.4.3 Users
      3.4.3.1 Local Users
      3.4.3.2 User Import
      3.4.3.3 User Binding ........ 306
      3.4.3.4 IP&MAC Binding
    3.4.4 Advanced
      3.4.4.1 Authentication Options
      3.4.4.2 USB Key User
      3.4.4.3 Custom Attributes ........ 319
      3.4.4.4 MAC Filtering Across L3 Switch
  3.5 Access Mgt
    3.5.1 Policies
      3.5.1.1 Introduction to Policies
      3.5.1.2 Adding Object for Access Control ........ 330
      3.5.1.3 Viewing Network Access Policies of Users
      3.5.1.4 Matching Network Access Policies
      3.5.1.5 Adding Policies
      3.5.1.6 Adding a Policy Using a Template
      3.5.1.7 Deleting an Ingress Policy
      3.5.1.8 Editing Policies in Batches
      3.5.1.9 Enabling or Disabling a Policy ........ 393
      3.5.1.10 Changing the Policy Order
      3.5.1.11 Importing/Exporting a Policy
    3.5.2 Advanced Policy Options
      3.5.2.1 Logging
      3.5.2.2 Web Access Options
      3.5.2.3 Policy Troubleshooting
      3.5.2.4 Excluded Application
  3.6 Traffic Management ........ 402
    3.6.1 Overview ........ 402
    3.6.2 Bandwidth Management ........ 403
    3.6.3 Bandwidth Channel Configuration
      3.6.3.1 Line Bandwidth
      3.6.3.2 Limited Channel
      3.6.3.3 Traffic Sub-Channel
      3.6.3.4 Penalty Channel ........ 428
      3.6.3.5 Adding a Channel Using a Template
      3.6.3.6 Exclusion Policy
    3.6.4 Line Bandwidth Configuration ........ 440
    3.6.5 Virtual Line Configuration
  3.7 Endpoint Device Connection Management
    3.7.1 Shared Connection Management
    3.7.2 Mobile Endpoint Management
  3.8 Security Protection
    3.8.1 Anti-DoS Attack
    3.8.2 ARP Protection
    3.8.3 Antivirus
  3.9 VPN Configuration
    3.9.1 DLAN Operating Status ........ 458
    3.9.2 Basic Settings
    3.9.3 User Management
    3.9.4 Connection Management
    3.9.5 Virtual IP Address Pool
    3.9.6 Multi-Line Settings ........ 477
    3.9.7 Multi-Line Route Selection Policy
    3.9.8 Local Subnet List
    3.9.9 Inter-channel Routing Settings
    3.9.10 Third-Party Connection
      3.9.10.1 Phase I ........ 485
      3.9.10.2 Phase II
      3.9.10.3 Security Options
    3.9.11 Object
      3.9.11.1 Schedule
      3.9.11.2 Algorithm List Settings ........ 498
    3.9.12 Advanced Settings
      3.9.12.1 Intranet Service Settings
      3.9.12.2 VPN Interface Settings
      3.9.12.3 Multicast Service
      3.9.12.4 LDAP Server Settings
      3.9.12.5 Radius Server Settings
      3.9.12.6 Dynamic Routing Settings ........ 507

Chapter 4 Use Cases
  4.1 SSO Configuration
    4.1.1 SSO Configuration for the AD Domain
      4.1.1.1 SSO Implemented by Delivering a Login Script Through Domains
      4.1.1.2 Obtaining Login Information Using a Program (SSO Without a Plug-in)
      4.1.1.3 SSO Implemented Using IWA
      4.1.1.4 SSO Implemented in Monitoring Mode
    4.1.2 Proxy SSO Configuration ........ 539
      4.1.2.1 SSO in Monitoring Mode
      4.1.2.2 SSO in ISA Mode ........ 543
    4.1.3 POP3 SSO Configuration
    4.1.4 Web SSO Configuration
    4.1.5 Configuration of SSO Implemented with Third-Party Devices
      4.1.5.1 SSO Implemented with Ruijie SAM
      4.1.5.2 SSO Implemented with Devices Supporting the HTTP SSO Interface ........ 563
      4.1.5.3 SSO Implemented with H3C CAMS
      4.1.5.4 SSO Implemented with Dr. COM
      4.1.5.5 SSO Implemented with H3C IMC ........ 568
    4.1.6 SSO Implemented with Another SANGFOR Device
    4.1.7 SSO Implemented with a Database System
  4.2 Configuration That Requires No User Authentication
  4.3 Configuration That Requires Password Authentication
    4.3.1 SMS Authentication
      4.3.1.1 Sending SMS Messages Through an SMS Modem
      4.3.1.2 Sending an SMS Message Using an SMS Modem Installed on an External Server ........ 585
    4.3.2 WeChat and QR Code Authentication
    4.3.3 Password Authentication
  4.4 Other Configuration Cases ........ 611
  4.5 CAS Server Authentication Case
  4.6 Policy Configuration Cases
    4.6.1 Configuring a Policy for Blocking P2P and P2P Streaming Media Data for a User Group ........ 628
    4.6.2 Configuring an IM Monitoring Policy for a User Group
    4.6.3 Enabling the Audit Function for a User Group ........ 636
  4.7 Endpoint Device Management Configuration Cases
    4.7.1 Configuring the Sharing Prevention Function
    4.7.2 Mobile Endpoint Management Configuration Cases
  4.8 Comprehensive Configuration Cases
    4.8.1 Customer Network Environment and Requirement ........ 642
    4.8.2 Configuration Idea
    4.8.3 Configuration Process

Appendix: Usage of SANGFOR Device Upgrade System
  Product Upgrade Procedure
Declaration
Copyright © SANGFOR Technologies Co. Ltd. All rights reserved.
No part of the information contained in this document shall be extracted,
reproduced or transmitted in any form or by any means, without prior written
permission of SANGFOR.
SANGFOR, SANGFOR Technologies and the SANGFOR logo are the trademarks
or registered trademarks of SANGFOR Technologies Co. Ltd. All other trademarks used
or mentioned herein belong to their respective owners.
This manual shall only be used as a usage guide, and no statement, information, or
suggestion in it shall be considered as implied or express warranties of any kind, unless
otherwise stated. This manual is subject to change without notice. To obtain the latest
version of this manual, please contact the Customer Service of SANGFOR Technologies
Co. Ltd.
About This Document

Organization
Part I describes the hardware server and software server requirements for installing the External
Data Center, including the installation steps.
Part II describes the interface and each of the functions, such as generating reports, checking online
behavior and system management, and covers the overall configuration, settings and precautions.
This document takes the SANGFOR IAM M5100 as an example. Equipment of different models
differs in both hardware and software specifications. Therefore, confirm with SANGFOR about
problems involving product specifications.

Conventions

GUI Conventions

Item                                   | Sign                  | Example
---------------------------------------|-----------------------|----------------------------------------------------------
Button                                 | Frame+shadow+shading  | The OK button can be simplified as OK.
Menu item                              | {}                    | The menu item System Setup can be simplified as System Setup.
Choose cascading menu items            | >                     | Choose System Setup > Interface Configuration.
Drop-down list, option button, check box | [ ]                 | The Enable User check box can be simplified as Enable User.
Window name                            | Bold font             | Open the New User window.
Prompt                                 | “”                    | The prompt “Succeed in saving configuration. The configuration is modified. You need to restart the DLAN service for the modification to take effect. Restart the service now?” is displayed.
Symbol Conventions
The symbols that may be found in this document are defined as follows:
Caution: alerts you to a precaution to be observed during operation. Improper operation may
cause setting validation failure, data loss, or equipment damage.
Warning: alerts you to pay attention to the provided information. Improper operation may
cause bodily injuries.
Note or tip: provides additional information or a tip to operations.
Technical Support
Email: tech.support@sangfor.com.hk
International Service Centre: +60 12711 7129 (7511) Malaysia: 1700817071
Website: www.sangfor.com
Acknowledgment
Thanks for choosing our product and user manual. For any suggestions on our product or user
manual, provide your feedback to us by phone or email.
Chapter 1 IAM Installation
This chapter mainly describes the appearance and installation of the SANGFOR IAM hardware device.
After correct installation, you can configure and debug the system.
1.1 Environment Requirement
The SANGFOR IAM device requires the following working environment:
Input voltage: 110V-230V
Temperature: 0-45 °C
Humidity: 5%-90%
To ensure long-term and stable running of the system, the power supply should be properly
grounded, dustproof measures taken, the working environment well ventilated and the indoor
temperature kept stable. This product conforms to the requirements on environment protection, and
the placement, usage and disposal of the product should comply with the relevant national laws and
regulations.
1.2 Power
The SANGFOR IAM device uses 110 ~ 230V alternating current (AC) as its power supply. Make sure it
is well grounded before it is connected to the power supply.
1.3 Product Appearance
[Figure: SANGFOR IAM Hardware Device (front panel)]
Above is the front panel of the SANGFOR IAM hardware gateway device. The interfaces and indicators
on the front panel are described in the following table.
No. | Interface/Indicator | Usage
1   | CONSOLE interface   | Used for the high-availability function (redundant system)
2   | WAN2 (eth3)         | Network interface to be defined as the WAN2 interface
3   | DMZ (eth1)          | Network interface to be defined as the DMZ interface
4   | WAN1 (eth2)         | Network interface to be defined as the WAN1 interface
5   | LAN (eth0)          | Network interface to be defined as the LAN interface
6   | POWER indicator     | Power indicator of the IAM gateway device
7   | ALARM indicator     | Alarm indicator of the IAM gateway device
Table 1 Interface Description
Note: The CONSOLE interface is only for debugging by technical engineers. End users connect to
the device via the network interfaces.
1.4 Configuration and Management
Before configuring the device, prepare a computer and make sure that its web browser (for
example, Internet Explorer) works normally. Then connect the computer and the IAM device to the
same local area network (LAN) and configure the IAM device from the computer over that
network.
The default IP address settings for the network interfaces are described below:
Interface   | IP Address
eth0 (LAN)  | 10.251.251.251/24
eth1 (DMZ)  | 10.252.252.252/24
eth2 (WAN1) | 200.200.20.61/24
1.5 Wiring Method of Standalone
Connect the power cable to the Power interface on the rear panel of the IAM device and switch on
the power supply. The POWER indicator (green) and ALARM indicator (red) on the front panel
will light up. The ALARM indicator will go out one or two minutes later, indicating that the device
is running normally.
Follow the instructions below to wire the interfaces:
Use a standard RJ-45 Ethernet cable to connect the LAN interface to the local area network,
and then configure the IAM device.
Use a standard RJ-45 Ethernet cable to connect the WAN1 interface with the networking
device, such as a router, optical fiber transceiver, ADSL modem, etc.
Use a standard RJ-45 Ethernet cable to connect the DMZ interface to the DMZ zone network.
Generally, the Web server and Mail server providing services to the wide area network (WAN)
are placed in the DMZ zone. The IAM device provides secure protection for these servers.
When wiring the interfaces, use the correct cables for the connections as instructed below:
Use a straight-through cable to connect a WAN interface with the modem, and a crossover
cable to connect a WAN interface with the router.
Use a straight-through cable to connect the LAN interface with the switch, and a crossover
cable to connect the LAN interface on the device with the network interface on the
computer.
If connections cannot be established while the corresponding indicator functions normally, please
check whether the correct cables are used for the connections. The difference between a
straight-through cable and a crossover cable is the wire sequence at the two ends, as shown below:
[Figure: Wire Sequences of Straight-through Cable and Crossover Cable]
After correct connections, log in to the console of the IAM device and configure the deployment mode
according to the network topology (see section 3.1.3.1 Deployment).
1. The multi-line function of the IAM device allows multiple Internet lines to be connected. In this
situation, connect the second networking device to the WAN2 interface, the third networking
device to the WAN3 interface, and so on.
2. When the IAM gateway device is running, the POWER indicator (green) stays lit, and the
WAN LINK and LAN LINK indicators (orange) stay lit. The ACT indicator (green) flickers
when there is data flow. When the device is starting, the ALARM indicator (red) is lit
while the system loads and then goes out after one or two minutes, indicating successful startup
of the device. After startup, the ALARM indicator may flash, which means the device is writing
logs. However, if the ALARM indicator stays lit for a long time and does not go out, please
shut down the device and restart it after 5 minutes. If the situation remains after the
restart, please contact us.
1.6 Wiring Method of Redundant System
If two IAM devices are deployed in high availability (HA) mode, wire the two devices to the
external network and internal network as shown below:
Follow the instructions below to wire the two devices:
Use a standard RJ-45 Ethernet cable to connect the WAN1 interfaces of the two IAM devices
to the same switch (if the multi-line function is applied, the wiring method is the same: just
connect the WAN interfaces of the two devices to the same external line), and then connect
the switch to the other networking devices, such as a router, fiber optical transceiver, ADSL
modem, etc.
Use the Console cable (among the accessories) to connect the Console interfaces of the two
IAM devices.
Use an RJ-45 Ethernet cable to connect the LAN interfaces (eth0) of the two IAM devices to the
same switch, and then connect that switch to the LAN switch, connecting it to the LAN.
After the two devices are correctly wired, switch on the power for both devices and then configure
them. The procedure for configuring the redundant system is the same as that for a standalone
device. You need only configure the active IAM device, which automatically synchronizes its
configuration to the standby IAM device.
Chapter 2 IAM Console
2.1 Web UI Login
2.1.1 Log into the Web Console
After finishing all the wiring, you can log into the Web User Interface (UI) to configure the
SANGFOR IAM device. The IAM device supports secure HTTPS login on the standard HTTPS port (443).
When you log into the Web Console of the IAM device for the first time, type the default login address
https://10.251.251.251 in the address bar of the browser.
Note: Using HTTPS to log in to the Web UI and manage the IAM device avoids the risk that the
configuration data (including the administrator credentials) is intercepted in transit.
Follow the procedure below to log into the console of the IAM device:
Step 1. Configure an IP address (for example, 10.251.251.100) on the 10.251.251.X subnet for the
computer, and then type the default login address in the IE address bar:
https://10.251.251.251. Click <Go> and the following alert dialog appears:
Step 2. Click <Yes> to open the login interface, as shown below:
Step 3. Type the user name and password, and click <Login> to log into the IAM device console. The
username and password are both Admin by default.
Caution: The default credentials are public, since they are printed in this manual. Change the Admin
password immediately after the first login.
To view the version of the current IAM gateway device, click <Version>.
You can log into the console without installing any ActiveX control. Non-IE browsers are also
supported.
2.1.2 Remove the Certificate Alert Dialog
During the login to the console, the browser may pop up a certificate alert dialog, because the
console certificate is not yet trusted by the computer. To remove it, do as follows:
Step 1. Log into the console and open the [System] > [General] > [Advanced] > [Web UI] page. Specify
the IP address (to which the certificate will be issued) in the [Issue Console SSL Cert. To]
field. Here, the IP address is that of the network interface used for login, which is the IP
address of the LAN interface by default. In this example, we suppose that you have logged
into the console through the default address of the LAN interface.
Step 2. Click <Download Certificate> to download the certificate to the local computer and click
<Save> to save it.
Step 3. Locate the certificate on the local computer and double-click it to install it.
After the certificate is installed, the alert dialog will not pop up when you log in through the default
address of the LAN interface.
Note: The alert dialog is removed only when you log in through the IP address specified in [Issue
Console SSL Cert. To] and the local computer has installed the certificate. If you log in
through another address, or the computer has not installed the certificate, the alert dialog will still
pop up.
2.2 Configuration
After logging in to the Web UI, you will see the following major modules: [System], [Objects], [Users],
[Access Mgt], [Bandwidth Mgt], [Endpoint Device] and [Security], as shown below:
The following instructions for the buttons and icons are applicable to all the configuration pages on
the IAM device and will not be repeated in the subsequent sections:
If a <Commit> button is included on a configuration page, after you change the
configuration you need to click this button to apply your changes. Generally, it
may take 5 to 10 seconds for the configuration changes to take effect. To make them take
effect immediately, click the icon at the bottom-right of the page.
The icon at the bottom-right of the page is for broadcasting system messages
or warning messages in real time.
Most of the configuration pages include the help icon. When you put your mouse cursor
over this icon, a brief description of the current configuration item pops up.
When you modify the settings on the [System] > [Network] > [Deployment] page or the [System] >
[System Time] page, or the default encoding on the [System] > [General] > [Advanced] > [Web UI
Options] page, the IAM device will restart and you need to log in again.
For most of the pages that display the configuration information and status in List View, you can
select the columns to be displayed to easily get your desired information and sort the information in
ascending or descending order according to your needs. For example:
1. On the [Members] page, you can select the columns that you want to display and the page will
only display the information of the selected columns, as shown below:
2. On the [Online Users] page, you can select [Sort Ascending] or [Sort Descending] to sort the
information in ascending or descending order by the corresponding column.
Chapter 3 Functions
3.1 System
3.1.1 Status
On the Status page, basic device information is displayed, including the Dashboard, Online Users,
Connection Quality, Traffic Statistics, Internet Activities, Locked Users, Dynamic Host Configuration
Protocol (DHCP) running status, and Security Events.
3.1.1.1 Dashboard
On the Dashboard page, the following panels can be displayed: System Resources, Throughput on All
WAN Interfaces, Web-Access Connection Quality, Top Applications by Traffic, Top Users by Traffic,
Application Bandwidth Distribution, Network Interface, Security Events and Internet Activities.
3.1.1.1.1 Displayed Panels
On the Dashboard page, click Displayed Panels. The following page is displayed:
Select the status information to be displayed on the Dashboard page.
3.1.1.1.2 Restore Default Panels
On the Dashboard page, click Restore Default Panels to show the following default panels: System
Resources, Throughput on ALL WAN Interfaces, Web-Access Connection Quality, and Top
Applications by Traffic.
3.1.1.1.3 Viewing Status
3.1.1.1.3.1 System Resources
The System Resources panel displays the overall condition of the device resources, including the CPU
usage, memory usage, disk usage, number of sessions, number of online users, daily connection
quality, number of ICS users over the last 7 days, system time, and daily log summary. See the
following figure.
Click the icon to set whether to enable automatic refresh and the automatic refresh interval. See the
following figure.
Click Internal Report Center to access the homepage of the data center embedded in the device and
perform operations such as log query and measurement.
3.1.1.1.3.2 Throughput on ALL WAN Interfaces
The Throughput on ALL WAN Interfaces panel displays the real-time data received and
transmitted on the interfaces as a curve. See the following figure.
Click the icon. The following figure is displayed.
You can set Period to display the data forwarding conditions of the interfaces at a specific time. Data
Unit specifies the unit of traffic and Interface specifies the interface whose data forwarding conditions
are to be displayed.
3.1.1.1.3.3 Web-Access Connection Quality
The Web-Access Connection Quality panel displays the network quality information monitored by
the device, as shown in the following figure.
Click the icon and set the quality criteria.
The navigation path is Dashboard > Web-Access Connection Quality. For details, see section 3.1.1.3.
3.1.1.1.3.4 Top Applications by Traffic
The Top Applications by Traffic panel displays the top 10 applications by traffic. You can rank the
applications by outbound traffic, inbound traffic, or bidirectional traffic.
Click the icon to set the automatic refresh time. Set the username and application type to view details
about the users that use the application.
3.1.1.1.3.5 Top Users by Traffic
The Top Users by Traffic panel displays the top 10 users by traffic. You can rank the users by
outbound traffic, inbound traffic, or session quantity. Specifically, click Outbound to rank users by
outbound traffic or Inbound to rank users by inbound traffic.
Click the icon to set the automatic refresh time. Set the username to view details about the applications
used by the user.
3.1.1.1.3.6 Application Bandwidth Distribution
The Application Bandwidth Distribution panel displays the application bandwidth distribution
dynamically in different colors. See the following figure.
Click the icon. The following figure is displayed.
Set the traffic rate unit in Data Unit, select All Lines, Line 1, or Line 2 in Line, and Bidirectional,
Outbound, or Inbound in Type.
3.1.1.1.3.7 Network Interface
The Network Interface panel displays the status, cable connection, and real-time transmitted and
received traffic of each network interface. See the following figure.
An icon shows whether each network interface is in the connected state or in the disconnected
state. Click the icon to set the automatic refresh interval.
3.1.1.1.3.8 Security Events
The Security Events panel displays the number of times that insecure behaviors have been detected.
See the following figure.
Click the icon to set the automatic refresh interval.
3.1.1.1.3.9 Internet Activities
The Internet Activities panel displays real-time information about the online behaviors of users. See
the following figure.
Click the icon to set the automatic refresh interval.
3.1.1.2 Online Users
3.1.1.2.1 Viewing Online Users
The Online Users panel displays the authenticated users that are online. See the following figure.
The displayed information includes the username, group, IP address, endpoint device, Auth Method,
logged-in time or locked time, online duration, and the operation that can be performed.
On the User Group panel, enter a keyword in the Search box to query the online users of the
corresponding user group.
On the Online Users panel, you can search users by name or IP address. See the following figure.
3.1.1.2.2 Filtering Online Users
Click Filter to specify the conditions for filtering users. See the following figure.
Status can be set to All, Locked users or Active users.
Endpoint Device can be set to All, Mobile Device, PC, or Mobile Device & PC.
After selecting the Objects check box, you can filter users by username or IP address. After setting
the username or IP address, click Commit.
3.1.1.2.3 Locked Users
Select one or more users and click Lock to end the network connections of the selected users. The
procedure is as follows:
Select a user.
Click Lock or the icon in the Operation column. The page shown in the following figure is displayed.
After setting the Lockout Period, click Commit. The status of the locked user changes, as shown in
the following figure.
3.1.1.2.4 Unlocking Online Users
The procedure for unlocking a user is as follows:
Select a locked user.
Click Unlock or the icon in the Operation column.
3.1.1.2.5 Forcibly Logging Out Online Users
The administrator can forcibly log out online users, excluding temporary users, USB Key users, and
those that do not require authentication. If the administrator attempts to forcibly log out a
temporary user, a USB Key user, or a user that does not require authentication, the prompt shown in
the following figure is displayed.
Password-authenticated users and Single Sign-On (SSO) users can be forcibly logged out. The
procedure is as follows:
Select a user.
Click LogOut. The prompt shown in the following figure is displayed.
Click Yes to log out the user.
3.1.1.3 Connection Quality
The Web-Access Connection Quality panel displays the network quality information about visited
websites. Quality evaluation is performed for all IP addresses used for Internet access. The evaluation
results fall into two categories: excellent and poor. If the quality evaluation result is poor, the device
provides analysis suggestions on potential problems. The device also provides a detection function
for a single user. If a problem cannot be solved based on the overall network quality evaluation result,
the device can perform detection for a single user, thereby providing more accurate data statistics.
See the following figure.
3.1.1.3.1 Monitoring Summary
You can view the current network quality monitoring status, recent network quality, current network
quality, and network diagnosis result.
Select Enable Web-Access Connection Quality Monitor, and click Yes in the displayed dialog box.
Click the icon and set the quality criteria.
Real-time quality (5 minutes): recorded every 5 minutes.
By default, there are three quality levels: excellent, good, and poor. You can define the quality levels
as percentages.
When the number of active users is less than N, network quality is not detected. The user quantity N is
10 by default and the value range is 1–100.
When the accumulated time of poor network quality exceeds N minutes in a day, the day's network
quality is considered poor. This time is 30 minutes by default and the value range is 10–300 minutes.
You can set a time period in Date to view the network quality conditions over a week.
You can set the websites to be monitored in Website. By default, Website is set to All Websites. A
maximum of three monitoring object lists can be defined. Each list contains a maximum of 100 domain
names. Click Custom Website List to change the monitored websites.
Click Settings to edit a website list.
Hover over the waveform and a popup is displayed, in which you can view the network quality
details. When the network quality level is poor, you can click View to view the list of users with a low
Internet access speed.
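The two thresholds above (quality not detected below N active users, a day rated poor once the accumulated poor time exceeds N minutes) are easy to misread when looking at the waveform, so here is the evaluation written out as a small script. It also implements the "90% of bandwidth for 10 consecutive minutes" condition that the Assessment panel's HTTP and P2P causes use (described below). This is an added example, not Sangfor code: the device does not expose this logic, and the share of slow users at which a 5-minute sample counts as poor (POOR_SHARE) is an assumption, since the manual only says the levels are defined in percentage. The sample data is constructed.

```python
"""Daily evaluation of Web-Access Connection Quality from 5-minute samples,
following the Monitoring Summary criteria (added example; not Sangfor code).
From the manual: a sample is recorded every 5 minutes; quality is not detected
while fewer than MIN_ACTIVE_USERS users are active (default 10); a day counts as
poor once the accumulated poor time exceeds POOR_MINUTES_PER_DAY (default 30).
Assumption: a sample is "poor" when the share of slow users reaches POOR_SHARE;
the manual says levels are defined in percentage but gives no default value."""

SAMPLE_MINUTES = 5
MIN_ACTIVE_USERS = 10
POOR_MINUTES_PER_DAY = 30
POOR_SHARE = 0.30            # assumed threshold, not from the manual


def sample_level(fast: int, slow: int, min_users=MIN_ACTIVE_USERS, poor_share=POOR_SHARE) -> str:
    """Level of one 5-minute sample: 'skipped' (too few users), 'poor' or 'excellent'."""
    total = fast + slow
    if total < min_users:
        return "skipped"
    return "poor" if slow / total >= poor_share else "excellent"


def evaluate_day(samples, min_users=MIN_ACTIVE_USERS, poor_share=POOR_SHARE,
                 poor_minutes_limit=POOR_MINUTES_PER_DAY) -> dict:
    """samples: iterable of (hhmm, fast_users, slow_users), one per scale point.
    Returns the accumulated poor minutes, the skipped sample count and the verdict."""
    poor_points, skipped = [], 0
    for hhmm, fast, slow in samples:
        level = sample_level(fast, slow, min_users, poor_share)
        if level == "skipped":
            skipped += 1
        elif level == "poor":
            poor_points.append(hhmm)
    poor_minutes = len(poor_points) * SAMPLE_MINUTES
    return {
        "poor_minutes": poor_minutes,
        "poor_points": poor_points,
        "skipped": skipped,
        "verdict": "poor" if poor_minutes > poor_minutes_limit else "excellent",
    }


def longest_run_minutes(shares, limit=0.90) -> int:
    """Longest stretch of consecutive samples in which a traffic class holds at
    least `limit` of the bandwidth, in minutes. The Assessment panel's HTTP and
    P2P causes use 90% for 10 consecutive minutes, i.e. two consecutive samples."""
    best = run = 0
    for share in shares:
        run = run + 1 if share >= limit else 0
        best = max(best, run)
    return best * SAMPLE_MINUTES


# Constructed sample data for one morning: (scale point, fast users, slow users).
SAMPLES = [
    ("08:00", 40, 2), ("08:05", 38, 4), ("08:10", 30, 15), ("08:15", 28, 16),
    ("08:20", 3, 4),                      # 7 active users: below N, not detected
    ("08:25", 35, 5), ("08:30", 20, 20), ("08:35", 22, 10), ("08:40", 25, 9),
    ("08:45", 18, 12), ("08:50", 19, 11), ("08:55", 20, 10), ("09:00", 30, 3),
    ("09:05", 0, 0),                      # no users at all: skipped
    ("09:10", 36, 4), ("09:15", 9, 0),    # 9 users: still below N
]
# Constructed per-sample share of bandwidth used by HTTP and by P2P traffic.
HTTP_SHARE = [0.50, 0.92, 0.95, 0.60, 0.91, 0.40]
P2P_SHARE = [0.95, 0.30, 0.92, 0.20, 0.10, 0.10]

if __name__ == "__main__":
    print(evaluate_day(SAMPLES))
    print("HTTP >=90% run:", longest_run_minutes(HTTP_SHARE), "min")
    print("P2P  >=90% run:", longest_run_minutes(P2P_SHARE), "min")
```

With these samples the day accumulates 35 poor minutes (seven poor scale points) and is rated poor, three scale points are skipped because fewer than 10 users were active, and only the HTTP series reaches two consecutive samples at or above 90%, which is the 10-minute condition behind cause 2 of the Assessment panel.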
The horizontal coordinate indicates the time and is marked at 5-minute intervals. Each scale point
shows the user information summary of the previous 5 minutes. For example, scale point 00:05
shows the information summary of 00:00–00:05.
The vertical coordinate indicates the number of online users, which is the sum of the number of users
with excellent network quality and the number of users with poor network quality.
Hover over the waveform to view the number of users with a high Internet access speed and the
number of users with a low Internet access speed.
The Assessment panel displays the network quality details, including the possible
causes of poor network quality.
The possible causes and handling suggestions are listed as follows:
1. Traffic control is disabled.
2. Bandwidth resources are insufficient (if Hypertext Transfer Protocol (HTTP) traffic occupies 90%
of the bandwidth resources for 10 consecutive minutes in a day).
3. P2P traffic preempts bandwidth resources and rate limiting is recommended (if P2P traffic
occupies 90% of the bandwidth resources for 10 consecutive minutes in a day).
4. It is recommended that QoS-guaranteed channels be established (if the packet loss rate exceeds
10% and no QoS-guaranteed channel is established).
5. In policy xxx, the limited traffic rate is too low.
6. In policy xxx, the limited connection quantity is too small.
7. The packet rate (PPS) bursts at some time today.
8. Domain name service (DNS) configuration errors exist.
9. An internal or external performance bottleneck prompt is displayed.
3.1.1.3.2 User-Based Detection
Network quality detection can be performed for a single user to provide more accurate and detailed
data analysis results.
For example, if user A is found in the list of users with a low Internet access speed, you can click
User-Based Detection and enter the username or IP address in User, or click Select User and select
the user in the organization structure shown in the following figure.
Click OK. Then click Settings in Address to set a monitoring address.
In Redirection at Client Side, select Redirect browser on visit to www.baidu.com or Redirect
browser for any Web access request.
In Address, select Use address in built-in database or Specified.
Click OK. Then click Start.
The following takes www.google.com as an example.
When the user accesses www.google.com, the access request is redirected to the test page.
After you click Start Test, the device starts to test the network quality and the test progress is
displayed.
A message indicating that detection is in progress is displayed on the administrator page.
After the detection is complete, the following page is displayed:
The detection results are displayed on the administrator page.
3.1.1.4 Traffic Statistics
The Traffic Statistics panel displays traffic information about online users and applications, status
information about traffic management channels, and connection monitoring information.
3.1.1.4.1 Top Users by Traffic
3.1.1.4.1.1 Viewing User Rankings
The Top Users by Traffic panel displays the bandwidth usage of online users. See the following figure.
As shown in the preceding figure, you can rank users by the outbound or inbound traffic rate. The
displayed information includes the username, group, outbound and inbound traffic rates,
bidirectional traffic, number of sessions, locking status, a button for obtaining the machine name, and
traffic details. In the Lock column, click the icon to restrict a user from Internet access. In the Obtain
column, click Obtain to obtain the computer name of the corresponding user. In the Top Apps
column, click an application to display the traffic information about the user.
Click Auto Refresh: 5 seconds to set the refresh interval.
Click Refresh to refresh the information immediately.
3.1.1.4.1.2 Filtering Users
Click Filter to specify the conditions for filtering users by traffic.
Set the line and application in the Type pane. See the following figure.
Line specifies the line to be viewed and App Category specifies the application to be viewed. After
setting the line and application, click Commit. The page shown in the following figure is displayed.
You can choose to display all applications, selected applications or unselected applications. The
selected applications are displayed in the right pane. Click OK to save the settings.
You can set a specific user or IP address in the Objects pane. See the following figure.
In the Objects pane, the User Group Filter, Username and IP address option buttons are mutually
exclusive. Below Group Filter, the slash (/) indicates all groups. After you click Select, the page shown
in the following figure is displayed.
Select the group to be viewed or enter a group name and click OK.
In the Show pane, you can set the number of displayed users ranked by traffic. See the following
figure.
3.1.1.4.1.3 Locked Users
You can end a user's connections by locking the user; the user then cannot access the Internet
for a period of time. Specifically, select a user in Top Users by Traffic, click Lock and set the
lockout period, in minutes. See the following figure.
3.1.1.4.1.4 Unlock Users
To unlock a user, click Unlock Users. The Online Users page is displayed. See the following figure.
In the user list, select the user to be unlocked and click Unlock.
3.1.1.4.2 Top Apps by Traffic
3.1.1.4.2.1 Viewing Application Rankings
The Top Applications by Traffic panel displays the rankings of applications by traffic in real time. See
the following figure.
As shown in the preceding figure, you can filter applications by bandwidth. The displayed information
includes the application type, outbound and inbound traffic rates, bidirectional traffic, line, occupied
bandwidth as a percentage, and user details for the application. Click a user in the Top User column,
and information about the users of this type of application is displayed, including the username,
group, IP address, upload rate, download rate, and total rate. See the following figure.
Click Auto Refresh: 5 seconds to set the refresh interval.
Click Refresh to refresh the information immediately.
3.1.1.4.2.2 Top Applications by Traffic
Click Filter to specify the conditions for filtering applications. See the following figure.
In the Objects pane, set the line and user group. In Show, set the number of displayed applications
ranked by traffic. Then click Commit.
3.1.1.4.3 Flow Control
The Flow Control panel displays real-time traffic information about the channels for which traffic
management is enabled. See the following figure.
Click Auto Refresh: 5 seconds to set the refresh interval.
Click Refresh to refresh the information immediately.
BM System Status in the upper part of the Flow Control panel indicates whether the bandwidth
management system is started. You can view real-time traffic information about channels only when
the bandwidth management system is in the Running state.
Click Bandwidth Management to access the Bandwidth Management page.
3.1.1.4.3.1 Viewing WAN Link Speed
The WAN Link Speed pane displays the overall traffic conditions, including the transient speed,
historical speed, preset speed, percentage, and historical traffic of each line and of the main line.
3.1.1.4.3.2 Viewing Bandwidth Channel
The Bandwidth Channel tab page displays the traffic information about the channels. See the
following figure.
The displayed information includes the channel name, line, real-time speed, percent, user quantity,
minimum bandwidth, maximum bandwidth, priority, and status. You can choose to display the traffic
history within a certain period of time. Select All channels or Operating channels from the View
drop-down list.
3.1.1.4.3.3 Viewing Exclusion Rule
The Exclusion Rules tab page displays the traffic information filtered out by the exclusion rules. See
the following figure.
3.1.1.4.4 Connection
The Connection panel displays information about the active connections of specified users or IP
addresses. You can query the information by IP address or username. See the following figure.
3.1.1.4.4.1 Search by IP Address
By default, connection information is queried by IP address. For example, enter 192.168.19.14 and
click the search icon. The page shown in the following figure is displayed.
You can view the information about the connections of the entered IP address, including the source IP
address, destination IP address, protocol, application type, application name, and direction.
3.1.1.4.4.2 Search by Username
Click Search by Username to query connection information by username. See the following figure.
3.1.1.5 Internet Activities
3.1.1.5.1 Viewing Internet Activities
The Internet Activities panel displays information about the recent online behaviors of users. See the
following figure.
You can view the online behaviors, access time, IP address, application type, application name, and
details.
3.1.1.5.2 Filtering Internet Activities
Click Filter to specify the conditions for filtering online behaviors. See the following figure.
In the Objects pane, set the users whose online behaviors are to be viewed. You can select any of User
Group, Username, and IP address.
In the Type pane, set the network behaviors to be viewed. The available options include Search
Term, Forum and Microblog, Emails, Outgoing File, IM Chats, Websites Browsing, and Others.
In Action, set the actions to be viewed. The available options include Reject and Log.
3.1.1.6 Locked Users
3.1.1.6.1 Viewing the Locked Users
The Locked Users panel displays the users that have recently been locked. See the following figure.
The displayed information includes the lock details, operation, locked time, IP address, violation
type, and remaining time.
Select a locked user and click Unlock to release the user.
Click Unlock All to release all users.
3.1.1.6.2 Filtering Locked Users
Click Filter to specify the filtering conditions. See the following figure.
In the Objects pane, set the users to be filtered. You can select any of User Group, Username, and IP
address.
3.1.1.7 DHCP Status
The DHCP Status panel displays the DHCP assignment conditions after DHCP is enabled. See the
following figure.
The displayed information includes the current DHCP status, allocated IP address, computer name,
Media Access Control (MAC) address, lease date, and lease term.
3.1.1.8 Security Events
The Security Events panel displays the detected insecure behaviors. See the following figure.
The insecure behavior types include Virus, DoS and ARP attack, and External line.
The displayed information includes the number of occurrences, the last occurrence time, the username
and IP address of the last insecure behavior, the latest 10 insecure behavior logs, and details. Click a
number of occurrences to link to the data center and view the detailed logs.
3.1.2 Firewall
The Firewall page contains four panels: Firewall Rules, IPv4 SNAT, IPv4 DNAT and IPv6 NAT. On the
Firewall Rules panel, you can set specific rules to filter the data forwarded between different interfaces
of the device. Filtering conditions include the destination protocol and port, source IP address,
destination IP address, and time. On the IPv4 SNAT panel, you can set source network address
translation (SNAT) rules for Internet access of intranet users or for other Source NAT purposes. On the
IPv4 DNAT panel, you can publish intranet servers to the public network; destination network
address translation (DNAT) rules need to be set for Destination NAT. The NAT settings apply only
when the device is deployed in route mode.
3.1.2.1 Firewall Rules
You can set specific rules to filter the data forwarded between different interfaces of the device.
Filtering conditions include the destination protocol and port, source IP address, destination IP
address, and time. The Firewall Rules panel is shown in the following figure. In Direction, set the
direction to which a filtering rule applies, which can be LAN<->DMZ, DMZ<->WAN, WAN<->LAN,
LAN<->LAN, DMZ<->DMZ, VPN<->WAN, or VPN<->LAN. After selecting a filtering direction, you can
manage the Firewall Rules in the right pane, including deleting or adding rules.
For example, internal web servers are connected to the demilitarized zone (DMZ) of the device and
common internal users are connected to the local area network (LAN) zone. For server security
purposes, users in the LAN zone can access only Transmission Control Protocol (TCP) port 80 (web
service) of the servers in the DMZ and other data is not allowed to be forwarded to the DMZ. In this
case, Firewall Rules between the LAN zone and DMZ need to be set. The procedure is as follows:
1. Select LAN<->DMZ in Firewall Rules. In the LAN<->DMZ pane, click Add. The following objects are
referenced: network services, IP groups, and schedule groups. For details about these objects, see
sections 3.3.6 through 3.3.9.
2. Enter the rule name in Name and priority value in Priority No. The priority value specifies the
priority of the rule. A smaller priority value indicates a higher priority. Enter the description of this
rule in Description.
3. Set a rule to allow HTTP packets from the LAN zone to the DMZ. Specifically, select Allow from
Action, HTTP from Service, and All from Source and Destination or enter an IP group. Select All Day
from Schedule and specify a time period. Select LAN->DMZ from Data Flow. See the following figure.
After the filtering rule is set, HTTP packets are allowed and other data is rejected by default.
4. Modify the filtering rule if required. Select the filtering rule and click Delete to delete the rule. Click Enable to enable the filtering rule. Click Disable to disable the filtering rule. Click Move Up or Move Down to change the priority of the filtering rule. A filtering rule with a smaller priority value will be preferentially matched.
To edit a rule, click the name of the rule and then edit the rule in the displayed dialog box.
3.1.2.2 IPv4 SNAT
On the IPv4 SNAT panel, you can set SNAT rules for translating source IP addresses of data that meets
the specified conditions and is forwarded by the device. For example, when the device operates in
route mode, it serves as a proxy to implement Internet access of intranet users and SNAT rules need
to be set for translating source IP addresses. You can manage SNAT rules, including adding and
deleting SNAT rules. See the following figure.
Example 1: A network segment 192.168.1.0/255.255.255.0 exists on the intranet of the customer. The
device is deployed in route mode and connected to two public network lines. The device is required to
implement Internet access for intranet users.
1. On IPv4 SNAT, click Add. In the dialog box shown in the following figure, select Enabled and enter
a rule name in Name.
2. In WAN Interface, set a WAN interface used for data forwarding. This rule will be matched only
when data is forwarded to the specified network interface. In this example, the device needs to
forward the data from two WAN interfaces. Therefore, select All WAN interfaces. See the following
figure.
3. In Source Address, set the source IP address for which SNAT is to be performed. If All is selected,
the source IP address is not restricted. If Specified is selected, this rule will be matched only if the
source IP address meets the conditions. In this example, the device implements Internet access for
users on the network segment 192.168.1.0/255.255.255.0. Therefore, specify the network segment
192.168.1.0/255.255.255.0 in Specified.
4. In Mapped Src IP, set the range of IP addresses to which source IP addresses of data meeting the
conditions are translated. If WAN interface IP is selected, source IP addresses will be translated into
the IP address of the WAN interface specified in step 2. If Specified IP is selected, source IP addresses
will be translated into the specified IP addresses.
Click Advanced to set more specific matching conditions, including the destination IP address
translation condition and protocol conversion condition. These two conditions are not set in this
example.
5. Modify the IPv4 SNAT rule if required. Select the rule and click Delete to delete the rule. Click
Enable to enable the rule. Click Disable to disable the rule. Click Move Up or Move Down to change
the priority of the rule. A rule with a smaller priority value will be preferentially matched.
To edit a rule, click the name of the rule and then edit the rule in the displayed dialog box.
6. Add a filtering rule to allow data from the LAN to the wide area network (WAN). For details, see
section 3.2.2.1.
Example 2: The device operates in route mode. There are two external network lines: a telecom line
and an education network line. According to the customer's requirements, when a computer on
internal network segment 192.168.1.0/255.255.255.0 accesses service port 80 on network segment
202.3.3.0/255.255.255.0 of the education network, the source IP address of the computer will be
translated to the IP address of WAN1 interface, which is 202.96.1.1.
1. Add two IP groups: education network segment and internal network segment. The following figure shows an example of defining IP group "Education Network Segment".
2. Set the Policy-Based Routing. The device routes data from the internal network segment to the education network segment over WAN1 (Education Network Line) based on the specified Policy-Based Routing. For details, see section 3.2.3.4.
3. On IPv4 SNAT, click Add. In the dialog box shown in the following figure, select Enabled and enter a rule name in Name.
4. In WAN interface, set a WAN interface used for data forwarding. In this example, address translation is performed for data forwarded over WAN1. Therefore, select WAN1 from Interface.
5. In Source Address, set the source IP address for which SNAT is to be performed. In this example, the network segment is 192.168.1.0/255.255.255.0. Therefore, select Specified and set the source IP address segment.
6. In Mapped Src IP, set the range of IP addresses to which source IP addresses of data meeting the conditions are translated. In this example, source IP addresses will be translated to the IP address of WAN1, which is 202.96.1.1. Therefore, select Specified IP and set the IP address.
7. In this example, destination IP addresses and ports need to be matched. According to the requirement of translating source IP addresses for access requests to service port 80 on education network segment 202.3.3.0/255.255.255.0, click Advanced and set the destination IP address translation and protocol conversion conditions. See the following figure.
8. Modify the IPv4 SNAT rule if required. Select the rule and click Delete to delete the rule. Click Enable to enable the rule. Click Disable to disable the rule. Click Move Up or Move Down to change the priority of the rule. A rule with a smaller priority value will be preferentially matched.
To edit a rule, click the name of the rule and then edit the rule in the displayed dialog box.
9. Add a filtering rule to allow data from the LAN to the wide area network (WAN). For details, see section 3.2.2.1.
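The SNAT matching order that Examples 1 and 2 rely on, as an added example that is not part of the manual or Sangfor's software: a Python model in which rules are tried in ascending priority-number order and the first enabled rule whose WAN interface, source address and optional Advanced conditions match decides the translated source address, plus an audit that finds rules an earlier, wider rule would always match first. The rule values are those of the two examples above; the WAN2 address 202.96.2.1 and the intranet host addresses are constructed.

```python
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed interface table: WAN1 = 202.96.1.1 is from Example 2, WAN2's address is assumed.
WAN_INTERFACE_IP = {"WAN1": IPv4Address("202.96.1.1"),
                    "WAN2": IPv4Address("202.96.2.1")}


@dataclass(order=True)
class SnatRule:
    """One IPv4 SNAT rule. Only `priority` takes part in ordering (smaller = matched first)."""
    priority: int
    name: str = field(compare=False)
    enabled: bool = field(default=True, compare=False)
    wan_interface: Optional[str] = field(default=None, compare=False)       # None = All WAN interfaces
    source: Optional[IPv4Network] = field(default=None, compare=False)      # None = All
    mapped_src_ip: Optional[IPv4Address] = field(default=None, compare=False)  # None = WAN interface IP
    # Advanced conditions; None means the condition is not set
    destination: Optional[IPv4Network] = field(default=None, compare=False)
    protocol: Optional[str] = field(default=None, compare=False)
    dst_port: Optional[int] = field(default=None, compare=False)

    def matches(self, egress: str, src: IPv4Address, dst: IPv4Address,
                proto: str, dport: int) -> bool:
        return (self.enabled
                and self.wan_interface in (None, egress)
                and (self.source is None or src in self.source)
                and (self.destination is None or dst in self.destination)
                and self.protocol in (None, proto)
                and self.dst_port in (None, dport))

    def covers(self, other: "SnatRule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        def wider(mine, theirs, is_net: bool) -> bool:
            if mine is None:            # an unrestricted condition covers anything
                return True
            if theirs is None:          # a restricted condition cannot cover an unrestricted one
                return False
            return theirs.subnet_of(mine) if is_net else mine == theirs
        return (wider(self.wan_interface, other.wan_interface, False)
                and wider(self.source, other.source, True)
                and wider(self.destination, other.destination, True)
                and wider(self.protocol, other.protocol, False)
                and wider(self.dst_port, other.dst_port, False))


def apply_snat(rules: List[SnatRule], egress: str, src: IPv4Address, dst: IPv4Address,
               proto: str, dport: int) -> Tuple[Optional[str], IPv4Address]:
    """First-match lookup: (rule name, translated source) or (None, src) when no rule matches."""
    for rule in sorted(rules):
        if rule.matches(egress, src, dst, proto, dport):
            return rule.name, rule.mapped_src_ip or WAN_INTERFACE_IP[egress]
    return None, src


def shadowed_rules(rules: List[SnatRule]) -> List[str]:
    """Audit: enabled rules that can never match because an earlier rule covers all their traffic."""
    ordered = sorted(r for r in rules if r.enabled)
    return [later.name for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


# Example 1: the intranet segment out of any WAN interface, translated to that interface's IP.
INTERNET = SnatRule(priority=10, name="internet-access", source=IPv4Network("192.168.1.0/24"))
# Example 2: TCP/80 to the education network over WAN1, translated to 202.96.1.1.
EDU = SnatRule(priority=1, name="edu-port80", wan_interface="WAN1",
               source=IPv4Network("192.168.1.0/24"), mapped_src_ip=IPv4Address("202.96.1.1"),
               destination=IPv4Network("202.3.3.0/24"), protocol="tcp", dst_port=80)
RULES = [INTERNET, EDU]


def demo() -> dict:
    """Three lookups plus the shadow audit, with addresses rendered as strings."""
    pc = IPv4Address("192.168.1.10")                      # constructed intranet host
    r_edu = apply_snat(RULES, "WAN1", pc, IPv4Address("202.3.3.7"), "tcp", 80)
    r_web = apply_snat(RULES, "WAN2", pc, IPv4Address("203.0.113.9"), "udp", 53)
    r_none = apply_snat(RULES, "WAN1", IPv4Address("10.0.0.5"), IPv4Address("203.0.113.9"), "tcp", 443)
    # The same two rules with their priorities swapped: the catch-all now sits first.
    swapped = [replace(INTERNET, priority=1), replace(EDU, priority=10)]
    return {"edu": (r_edu[0], str(r_edu[1])), "web": (r_web[0], str(r_web[1])),
            "unmatched": (r_none[0], str(r_none[1])),
            "shadowed": shadowed_rules(RULES), "shadowed_after_swap": shadowed_rules(swapped)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the priorities swapped, the education rule is still listed but never matches; in the manual's example the result happens to be the same address because the specified IP equals the WAN1 interface IP, which is exactly why such a misordering goes unnoticed until the mapped IP differs.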
3.1.2.3 IPv4 DNAT
The NAT settings apply only when the device is deployed in route mode.
On the IPv4 DNAT panel, you can configure the device to perform DNAT for data. For example,
publish an intranet server and map the services of this server to the public network so that Internet
users can access these services. See the following figure.
Example 1: An intranet server 192.168.1.2 provides HTTP services. There are two public network lines
on the device. The customer requires that Internet users can access the HTTP services provided by
the intranet server over either public network line.
1. On the IPv4 DNAT panel, click Add and select Basic Rule or Advanced Rule, as shown in the
following figure.
The Basic Rule option is used to set a simple IPv4 DNAT rule for which only necessary conditions need
to be set, whereas the Advanced Rule option applies to complex IPv4 DNAT requirements. In this
example, select Basic Rule. In the displayed dialog box, select Enabled and set the rule name.
2. In Protocol, set the data conditions of this DNAT rule and the destination IP address and port. In
Protocol, select the type of protocol data for which IPv4 DNAT needs to be performed. In Dst Port,
set a destination port. In this example, NAT needs to be performed for HTTP service access data.
Therefore, select TCP from Protocol and set Dst Port to 80. Set the IP address to which the
destination IP address will be translated in Mapped IP Address, and the port to which the destination
port will be converted in Mapped to Port. In this example, the destination IP addresses of access data
to service port 80 will be translated to 192.168.1.2. See the following figure.
Select Allow, and TCP port 80 access data is allowed in six directions (three bidirectional pairs): LAN<->WAN, DMZ<->WAN, and LAN<->DMZ.
3. Modify the IPv4 DNAT rule if required. Select the rule and click Delete to delete the rule. Click
Enable to enable the rule. Click Disable to disable the rule. Click Move Up or Move Down to change
the priority of the rule. A rule with a smaller priority value will be preferentially matched.
To edit a rule, click the name of the rule and then edit the rule in the displayed dialog box.
Example 2: A server with the IP address 192.168.1.80 exists on the intranet. The device operates in route mode. WAN1 connects to the Internet through a fiber. A public network IP address 202.96.137.89 exists and the domain name is www.sangfor.com. An IPv4 DNAT rule needs to be configured to publish the intranet server to the public network so that users on the LAN (192.168.1.0/255.255.255.0, connected to the LAN interface) can access 192.168.1.80 by visiting the domain name www.sangfor.com.
1. On the IPv4 DNAT panel, click Add and select Advanced Rule. On the displayed IPv4 DNAT page, select Enabled and set the rule name.
2. In WAN interface, set a WAN interface and DNAT will be performed for the data forwarded over
this WAN interface to the device. In this example, the public network IP address corresponding to the
domain name www.sangfor.com is the IP address of WAN1. Therefore, select WAN1.
3. In Source Address, set the source IP address in the DNAT rule. In this example, the intranet server
is mapped to the public network and the public network IP address is not fixed. Therefore, select All.
4. In Destination Address, set the destination IP address in the DNAT rule. In this example, DNAT is
performed for access requests to the IP address of WAN1. Therefore, select Specified interface IP and
WAN1.
5. In Protocol, set the protocol and port for DNAT. In this example, DNAT is performed for access
requests to service port 80. Therefore, select All in Src Port as the source port is usually random.
6. In Mapped IP, set the IP address to which the IP addresses of data meeting the conditions are
translated. In this example, the IP address of the destination server is 192.168.1.80. Therefore, select
Specified IP and enter 192.168.1.80.
7. In Mapped Port, set the port to which the ports of access requests meeting the conditions are converted. In this example, the port of the destination server 192.168.1.80 is 80. Therefore, select Specified and enter 80.
8. Select Allow firewall automatically allows data, and TCP port 80 access data is allowed in six directions (three bidirectional pairs): LAN<->WAN, DMZ<->WAN, and LAN<->DMZ.
LAN server accessible to internal user on WAN IP needs to be selected when intranet users need to access a server on the same network segment by using public network IP addresses. After this option is selected, the source IP addresses of data from the intranet are translated into the corresponding interface IP address of the device; the device automatically creates an SNAT rule for this source IP address translation. Without this option, intranet users cannot access this server by using public network IP addresses. In this example, users on the LAN need to access a server on this LAN by using public network IP addresses. Therefore, select 192.168.20.1 (LAN).
9. Modify the IPv4 DNAT rule if required. Select the rule and click Delete to delete the rule. Click Enable to enable the rule. Click Disable to disable the rule. Click Move Up or Move Down to change the priority of the rule. A rule with a smaller priority value will be preferentially matched.
To edit a rule, click the name of the rule and then edit the rule in the displayed dialog box.
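The case behind the option in step 8, as an added example that is not part of the manual or Sangfor's software: a Python packet-level model of a LAN client reaching 192.168.1.80 through the WAN1 address 202.96.137.89, with and without the SNAT rule the device creates automatically. The client address 192.168.1.50, the port numbers and the one-entry connection table are constructed for the model; the other addresses are those of Example 2.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

WAN1_IP, SERVER_IP, LAN_IF_IP = "202.96.137.89", "192.168.1.80", "192.168.20.1"
LAN_SEGMENT = ip_network("192.168.1.0/24")
CLIENT_IP, CLIENT_PORT = "192.168.1.50", 40001      # constructed LAN client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def forward_path(pkt: Packet, hairpin_snat: bool, conntrack: dict) -> Packet:
    """The DNAT rule for WAN1 TCP/80, optionally followed by the automatic SNAT.
    conntrack remembers the original packet so the reply can be reversed."""
    if pkt.dst != WAN1_IP or pkt.dport != 80:
        return pkt                                   # rule does not match
    translated = replace(pkt, dst=SERVER_IP, dport=80)
    if hairpin_snat:
        translated = replace(translated, src=LAN_IF_IP)
    # Key the entry by the server's view of the flow so the reply lookup is direct.
    conntrack[(translated.dst, translated.dport, translated.src, translated.sport)] = pkt
    return translated


def reply_reaches_device(reply: Packet) -> bool:
    """A server on the LAN segment delivers on-link traffic straight through the switch;
    only off-segment destinations are routed via its gateway, the device."""
    return ip_address(reply.dst) not in LAN_SEGMENT


def reverse_path(reply: Packet, conntrack: dict) -> Packet:
    """Undo both translations for a reply that comes back through the device."""
    original = conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
    if original is None:
        return reply
    return Packet(src=original.dst, sport=original.dport, dst=original.src, dport=original.sport)


def client_session(hairpin_snat: bool) -> bool:
    """True if the SYN/ACK the client receives belongs to the connection it opened."""
    conntrack = {}
    syn = Packet(CLIENT_IP, CLIENT_PORT, WAN1_IP, 80)
    to_server = forward_path(syn, hairpin_snat, conntrack)
    # The server answers whichever address it saw as the source.
    synack = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    if reply_reaches_device(synack):
        synack = reverse_path(synack, conntrack)
    # The client only accepts a reply from the address and port it connected to.
    return synack == Packet(WAN1_IP, 80, CLIENT_IP, CLIENT_PORT)


def server_view(hairpin_snat: bool) -> str:
    """Source address the server records for the client (what its access log shows)."""
    return forward_path(Packet(CLIENT_IP, CLIENT_PORT, WAN1_IP, 80), hairpin_snat, {}).src


if __name__ == "__main__":
    for option in (False, True):
        print(f"hairpin SNAT {option}: session ok = {client_session(option)}, "
              f"server sees client as {server_view(option)}")
```

Without the option the server's reply goes straight to the client with 192.168.1.80 as its source, which the client discards; with it the reply is forced back through the device, at the cost that the server logs every hairpinned client as 192.168.20.1.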
The IPv4 DNAT settings apply only when the device is deployed in route mode.
3.1.2.4 IPv6 NAT
On the IPv6 NAT panel, you can set source and destination IPv6 NAT. Source NAT involves translating
the source IP addresses of data that meets the conditions and is forwarded by the device. Destination
NAT involves translating the destination IP addresses of data meeting the conditions.
You can manage source IPv6 NAT rules, including adding and deleting rules. See the following figure.
Example 1: The customer has obtained an IP address prefixed 2000::/64 from carrier A and assigned
this IP address to a PC on the intranet. The customer then switches to carrier B and is assigned an IP
address prefixed 3000::/64. The customer does not want to modify the internal IP address structure.
IPv6 NAT is therefore required.
1. Click Add and select Source NAT. See the following figure.
Name: Enter the rule name.
Description: Enter the description of this rule.
Source: Select an internal network interface of the source zone from Interface and enter the prefix of
an internal IPv6 address in IP Addr/Prefix, for example, 2000::/64.
Destination: Select a network interface of the destination zone for data forwarding.
Source NAT: Set the range of IPv6 addresses to which source IP addresses of data meeting the
conditions are translated. In this example, source IP addresses will be translated to 3000::/64.
2. Click Add and select Destination NAT. See the following figure.
Name: Enter the rule name.
Description: Enter the description of this rule.
Source: Select a WAN interface of the source zone from Interface and enter the prefix of an internal IPv6 address in IP Addr/Prefix, for example, 3000::/64.
Destination: Enter the IP Addr/Prefix of the destination address.
Destination NAT: Set the range of IPv6 addresses to which destination IP addresses of data meeting the conditions are translated. In this example, destination IP addresses will be translated to 2000::/64.
See the following figure.
3.1.3 Network
3.1.3.1 Deployment
On the Deployment Mode panel, you can set the operating mode of the device to route, single arm, bridge, or bypass.
Select an appropriate deployment mode so that the device can be smoothly deployed on the
network and operate properly.
Route mode: In this mode, the device functions as a router. The network structure is modified to a large extent, but all functions of the device can be implemented.
Single arm mode: The device functions as a proxy server and proxies internal users’ access to the
Internet. In this mode, most features of the device can be implemented and no change will be made
to the network topology.
Bridge mode: The device is considered a network line with the filtering function. This mode is usually
enabled when the original network structure cannot be modified. In bridge mode, the device is
smoothly deployed on the network and most functions of the device can be implemented.
Bypass mode: The device is connected to the mirrored port of the intranet switch or to a hub. The
device monitors and controls Internet access data on the intranet based on mirrored data without
modifying the network environment and causing network interruption. In bypass mode, some
functions of the device cannot be implemented due to poor controllability.
In the navigation area, choose Network > Deployment. The Deployment pane is displayed on the
right. Click Settings and three deployment modes are displayed: route, bridge, and bypass. Select a
deployment mode for the device.
Before deploying the device on the network, you are advised to configure information including the deployment mode, interfaces, routes, and users of the device. The default IP addresses of interfaces of the device are listed in the table below.
Interface      IAM
ETH0 (LAN)     10.251.251.251/24
ETH1 (DMZ)     10.252.252.252/24
ETH2 (WAN1)    200.200.65.61/22
3.1.3.1.1 Route mode
In route mode, the device functions as a router. The device is typically deployed at the egress of the
intranet or behind a router to implement Internet access for the LAN. The following figure shows a
typical deployment scenario.
Example: The customer's network covers L3. The device functions as a gateway to implement Internet
access for intranet users. A public network line (fiber) is available and assigned a fixed IP address.
1. Configure the device and log in to the device by using the default IP address. For example, to log in
by using the LAN interface, whose default IP address is 10.251.251.251/24, configure an IP address on
this network segment on the PC and log in to the device by accessing https://10.251.251.251. The
default login username and password are both admin.
2. In the navigation area, choose System > Network > Deployment. On the Deployment pane on the
right, click Settings. On the page shown in the following figure, select the route mode and click Next.
3. Define a LAN interface and a WAN interface. Specifically, select an idle network interface and click Add to move it to the corresponding network interface list.
LAN interface list: A network interface added to the LAN interface list serves as an internal network
interface and needs to be connected to the internal network.
WAN interface list: A network interface added to the WAN interface list serves as a WAN interface
and needs to be connected to the external network. If multiple WAN interfaces are required, apply
for multi-line authorization.
DMZ interface list: A network interface added to the DMZ interface list serves as an internal network
interface. Important servers can be connected to the DMZ and the firewall settings on the device can
restrict the access of intranet users, thereby ensuring the security of the servers. For details about
firewall settings, see section 3.2.2.
The default LAN interface is eth0, the default DMZ interface is eth1, and the default WAN interface is
eth2. It is recommended that the positions of these network interfaces not be modified and conform
to the device panel.
Other idle network interfaces can be added to any interface list.
4. Click Next and configure the IP address of the LAN interface.
In this example, set the IP address of LAN interface eth0 to 192.168.20.1/255.255.255.0.
The current IAM version is compatible with IPv6. Therefore, IPv6 addresses can be configured
for the network interfaces, gateway, and DNS. The following is an example of configuring IPv4
addresses.
If virtual local area networks (VLANs) are divided on the switch and the LAN interface of the device is
a trunk interface, VLAN needs to be enabled. In this example, an L3 switch is used and therefore
VLAN does not need to be enabled.
In IP Address, enter the ID and IP address of each VLAN. The IP address assigned to a VLAN must be
idle. If VLAN 2 exists and resides on network segment 10.10.0.0/255.255.0.0, and IP address
10.10.0.1 is not used on the intranet, 2/10.10.0.1/255.255.0.0 can be entered in the IP address list.
Add information about other VLANs one by one on different rows.
5. Configure WAN interface eth2.
The WAN interface supports three modes: Auto assigned, Specified, and PPPoE. In this example, the
public network line is an optical fiber and assigned a fixed public network IP address. Therefore,
select Specified.
If the public network IP address is automatically obtained over DHCP, select Auto assigned. In this example, the public network IP address has been assigned. Therefore, enter the assigned public network IP address, gateway address, and DNS address.
If PPPoE is employed, connect the WAN interface to a modem. If Enable is selected in Auto
Dial-up, automatic dialup is performed after the connection line is disconnected abnormally or the
device is restarted. Enter the dialup account and password.
6. Configure DMZ interface eth1. Set the IP address and subnet mask.
7. Configure IPv4 SNAT rules. When the device functions as a gateway and directly connects to the
public network line, proxy settings need to be completed on the device to implement Internet access
for intranet users. Set the proxy network segment and select a WAN interface, which can be set to a
single network interface or all network interfaces in the WAN interface list.
A proxy rule is added in NAT on the page displayed after you choose System > Firewall > IPv4 SNAT.
The rule name and IP address to which a source address is translated cannot be modified here. They
can be modified on the IPv4 SNAT page. If Internet access needs to be achieved for users on another
network segment through a proxy, add another IPv4 SNAT rule on IPv4 SNAT. For details, see section
3.2.2.2.
8. Confirm the configuration information and click Commit.
Restart the device for the configurations to take effect. In the displayed dialog box asking for your
confirmation, click Yes.
9. In this example, the LAN interface is on a different network segment from that of the intranet and
therefore a system route from the device to the intranet needs to be added. In the navigation area,
choose Network > Static Routes. On the Static Routes pane on the right, click Add to add routes. For
details, see section 3.2.3.3. If the intranet covers multiple network segments, add multiple system
routes.
10. Add a user or user group or add a user authentication policy on Authentication Policy to avoid
Internet access failures caused by the lack of identity authentication.
11. Connect the device to the network. Specifically, connect the WAN interface to the public network
line and LAN interface to the intranet switch. Configure the route of the intranet switch to direct to
the LAN interface of the device.
1. When the device operates in route mode, the gateway addresses of all PCs on the LAN point
to the IP address of the LAN interface of the device, or to the L3 switch, of which the gateway address
points to the device. The device performs NAT for Internet access data or forwards the data.
2. The IP addresses of the WAN, LAN, and DMZ interfaces must be on different network segments.
3. After an 802.1q-VLAN address is configured for the LAN interface, the LAN interface can connect to the trunk interface of an L2 switch that supports VLAN. The device (one-armed router) can then forward data among VLANs and implement firewall rules between LANs, that is, access control between different VLANs.
4. If the route mode is set to asymmetric digital subscriber line (ADSL) dialup, select PPPoE when setting the IP address of the WAN interface in step 5 and fill in the dialup account and password. Other operations are the same.
5. If a front-end device is configured, set the IP address of the WAN interface to be on the same network segment as the IP address of the LAN interface of the front-end device. Other operations are the same.
If DHCP is enabled on the front-end device, configure the WAN interface to automatically obtain an IP address and ensure normal communication between the WAN interface and DHCP server.
3.1.3.1.2 Single Arm Mode
In Single Arm mode, this unit is connected to a switch without changing the network topology, and thus has no impact on the network. This unit functions as a proxy server and controls and audits Internet access, since the data passes through it.
Take the following scenario for example. The unit is deployed in Single Arm mode and used to proxy,
accelerate and control Internet access. The network topology is as shown below:
Perform the following steps:
1. Add an IP address entry on the PC, which resides on the network segment 10.251.251.251/24. Open a web browser and enter the IP address of IAM (https://10.251.251.251) into the address bar to visit the Web admin console of IAM. On the login page, log in to the IAM console with the default account admin/admin.
2. Navigate to the System > Network > Deployment page. Click Settings, select Single Arm Mode and click Next.
3. Select the eth0 interface and configure the IPv4 address, gateway and DNS server for the interface. An IPv6 address is also supported in this mode. Then, click Next. (In this example, the eth0 interface of the unit should be connected to the switch.)
4. Select an available interface as the Manage Interface and configure an IPv4 address for the interface (an IPv6 address is also supported). The default Manage interface is eth1, through which users can connect to this unit. After configuring the Manage interface, click Next.
5. Make sure the network settings are correct. Then, click Commit.
After you click Commit, the following dialog pops up to notify you that applying the settings requires restarting the device. To apply the changes, click Yes.
3.1.3.1.3 Bridge Mode
In bridge mode, the device is considered a network line with the filtering function. This mode is
usually enabled when the original network structure cannot be modified. Deploy the device between
the original gateway and the intranet users. You only need to configure the device without modifying
the configurations of the original network or intranet users. The device is invisible to the original network and intranet users, which is the characteristic of the bridge mode.
Operating environment 1: The device functions as a bridge with one input and one output.
Operating environment 2: If Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router
Protocol (HSRP) is enabled on the intranet, the device can be deployed in multi-bridge mode to
implement basic audit control functions without affecting Active-Standby handovers of the original
firewalls. The following figure shows the two operating environments.
Example: VRRP is enabled between the two firewalls and the switch. The virtual IP address of the
firewalls is 192.168.1.1. The device is deployed between the switch and firewall as a bridge with two
inputs and two outputs.
The procedure is as follows:
1. Configure the device and log in to the device by using the default IP address. For example, to log in
by using the LAN interface, whose default IP address is 10.251.251.251/24, configure an IP address on
this network segment on the PC and log in to the device by accessing https://10.251.251.251. The
default login username and password are both admin.
2. In the navigation area, choose System > Network > Deployment. On the Deployment pane on the
right, click Settings. On the page shown in the following figure, select the bridge mode and click Next.
3. Add a LAN interface and a WAN interface to form a bridge and configure two bridges. See the
following figure.
LAN Interface: Select an internal network interface from LAN Interface.
WAN Interfaces: Select a WAN interface from WAN Interface.
Bridge: Bridges are defined in Bridge. Data can be forwarded between interfaces on a bridge and cannot be forwarded between interfaces on different bridges.
If Enable bridge state propagation is selected, when a network interface on a bridge changes from
connected to disconnected or from disconnected to connected, the status of the other network
interface changes accordingly. This ensures that the statuses of the two network interfaces on a
bridge are synchronous. This function is used to notify the peer device that the link is faulty or has been restored in a redundancy environment. It is recommended that this item be selected.
4. Set the bridge IP addresses.
Set two bridge IP addresses for the device. In this example, the two bridges are on different network
segments. Assign two idle IP addresses as bridge IP addresses.
VLAN data passes through the device. Therefore, VLAN information needs to be configured, including
the VLAN ID, VLAN IP address (an idle IP address is assigned to each VLAN), and VLAN mask.
Network access data on the intranet will not be affected if no idle IP address is available. In this
case, the device has no IP address for communication with the intranet and external network and
some functions will be affected, such as embedded library update, web authentication, and Ingress.
To solve this problem, connect the management interface to the intranet switch so that the device
can communicate with the intranet and external network. The following describes the configuration in detail.
When the device operates in bridge mode, the bridge IP address can be empty.
The bridge IP addresses must be on different network segments and the VLAN IDs must be unique.
5. Configure the management interface.
The management interface is in the DMZ. Select an idle network interface (not a bridge interface) as
the management interface.
6. Configure the gateway address and DNS address.
Configure the default gateway and DNS address. In this example, two idle IP addresses are assigned as the bridge IP addresses. The default gateway points to the virtual IP address of the front-end firewall. Set a public network IP address assigned by the carrier as the DNS address.
Select Bypass firewall rule to enable the firewall rule that allows all data between the WAN and the
LAN.
7. Confirm the configuration information and click Commit.
Restart the device for the configurations to take effect. In the displayed dialog box asking for your
confirmation, click Yes.
8. Add a user or user group or add a user authentication policy on Authentication Policy to avoid
Internet access failures caused by the lack of identity authentication.
9. Connect the device to the network. Specifically, connect WAN1 and WAN2 to FW1 and FW2
respectively, and LAN1 and LAN2 to the intranet switch.
1. When the device operates in bridge mode, the gateway addresses of all PCs on the LAN do
not need to be modified. Retain the internal interface IP address that points to the front-end device.
2. During data penetration, ensure that the WAN connects to the front-end router and the LAN connects to the intranet switch. In this way, online behaviors can be monitored and controlled when data is transmitted from the LAN to the WAN.
3. The bridge mode is implemented at the data link layer (the second layer of the OSI model). Several network interfaces of the device are bridged. The data at the data link layer and above layers can be penetrated. The IP/MAC address binding function and DHCP function enabled on the original gateway can be implemented with the support of the data penetration function at the data link layer.
4. The device does not provide the NAT function in bridge mode.
5. The VPN function of the device is unavailable in bridge mode.
6. To enable functions such as antivirus and mail filtering, or to enable the device to automatically upgrade the URL Database, the application identification rule library and the antivirus library, you need to configure the bridge IP address, default gateway, and DNS and ensure that the device can access the external network. To check whether the device can access the external network, upgrade the console and perform a ping test.
7. If functions that need to be redirected to the device are required, such as web authentication and Ingress, and the intranet covers multiple network segments, add indirect routes to the network segments of the intranet that point to the routing device of the intranet.
8. In bridge mode, the device supports VLAN trunk penetration and 802.1q-VLAN addresses can be configured as bridge IP addresses. In other words, the device can be connected to the VLAN trunk in transparent mode.
3.1.3.1.4 Bypass Mode
In bypass mode, the device provides monitoring and control functions without modifying the original
network structure or causing network interruption. The device is connected to the mirrored port of
the switch or to a hub to ensure that Internet access data of intranet users passes through this switch
or hub, and both outbound and inbound data is mirrored, thereby implementing monitoring and
control on Internet access data. In bypass mode, the network will not be interrupted even if the
device breaks down. Typical application scenarios are shown in the figures below.
Example: The network topology is shown in the following figure. The device is to be deployed in
bypass mode. The customer requires that Internet access data of all network segments on the
intranet is under monitoring, that the device automatically updates the embedded rule library, that
web authentication is performed for intranet users, and that the device console can be logged in from
the intranet at any time for management.
Based on the customer requirements and network topology, deploy the device in bypass mode so that
it can communicate with both the external network and the intranet. However, the device cannot
access networks over a mirrored port. To solve this problem, connect the management interface (DMZ
interface) of the device to the intranet switch and assign an idle IP address for the device to
communicate with the public network and intranet. Connect the DMZ to the intranet switch.
The procedure is as follows:
1. Configure the device and log in to the device by using the default IP address. For example, to log in
by using the LAN interface, whose default IP address is 10.251.251.251/24, configure an IP address on
this network segment on the PC and log in to the device by accessing https://10.251.251.251. The
default login username and password are both admin.
2. In the navigation area, choose System > Network > Deployment. On the Deployment pane on the right, click Settings. On the page shown in the following figure, select the bypass mode and click Next.
3. Configure the IP address of the management interface. In bypass mode, the default management
interface is eth0, which can be modified.
IP Address: Enter the IP address assigned to the management interface (DMZ interface) of the device. In this example, the DMZ interface needs to be connected to the intranet switch. Therefore, enter an IP address that can be used for communication with the switch and the intranet.
Default Gateway: Enter the IP address of the network interface of the switch connected to the DMZ
interface.
Enter idle public network IP addresses in Preferred DNS and Backup DNS.
4. Select a mirrored port and configure the monitoring network segments and server list.
In Listened IP Address, enter the network segments to be monitored and the IP addresses to be
excluded from monitoring. Enter the network segment 192.168.1.0/255.255.255.0 here. The access
data from this network segment to other network segments will be monitored and access data within
this network segment will not be monitored. An excluded network segment should be entered in a
correct format. For example, if you enter -192.168.1.1-192.168.1.10, when IP addresses within the
range 192.168.1.1-192.168.1.10 access other network segments (external network), the data will not
be monitored.
In Advanced, set the monitoring server list. If an IP address in this list is accessed, the data will be monitored even when the access stays within a monitored network segment. For example, a web server exists on the intranet and the customer needs to record the data when intranet users access this web server. Because access within a network segment is not monitored by default, add the IP address of this web server to the monitoring server list.
Some TCP control functions can be implemented in bypass mode based on monitoring. In other
words, only data that can be monitored can be controlled.
5. Confirm the configuration information and click Commit.
Restart the device for the configurations to take effect. In the displayed dialog box asking for your
confirmation, click Yes.
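The monitoring rules of step 4 (a listened segment is monitored only toward other segments, a "-first-last" entry excludes a source range, and a server listed under Advanced is monitored even from its own segment), worked as an added model in Python. This is not Sangfor code; the flows, the server address 192.168.1.200 and the Internet host 203.0.113.10 are constructed, and treating an exclusion as overriding the server list is a modelling assumption.

```python
import ipaddress


def parse_listened(entries):
    """Parse Listened IP Address entries.

    'net/mask' adds a monitored segment; '-first-last' excludes a source
    range. Returns (networks, excluded_ranges)."""
    networks, excluded = [], []
    for raw in entries:
        entry = raw.strip()
        if entry.startswith("-"):
            first, last = entry[1:].split("-")
            excluded.append((ipaddress.ip_address(first), ipaddress.ip_address(last)))
        else:
            # ipaddress accepts dotted netmasks such as 192.168.1.0/255.255.255.0
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks, excluded


def is_monitored(src, dst, networks, excluded, servers=()):
    """Decide whether a flow src -> dst is monitored under the manual's rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Modelling assumption: an excluded source range is never monitored,
    # even when it accesses a listed server.
    if any(lo <= s <= hi for lo, hi in excluded):
        return False
    # Servers listed under Advanced are monitored even from their own segment.
    if d in {ipaddress.ip_address(x) for x in servers}:
        return True
    for net in networks:
        if s in net:
            return d not in net  # intra-segment traffic is not monitored
    return False  # source outside every listened segment


def demo():
    """Constructed flows checked against the expected decisions."""
    networks, excluded = parse_listened(
        ["192.168.1.0/255.255.255.0", "-192.168.1.1-192.168.1.10"])
    servers = ["192.168.1.200"]  # constructed intranet web server address
    expected = {
        ("192.168.1.50", "203.0.113.10"): True,   # segment -> Internet host
        ("192.168.1.50", "192.168.1.60"): False,  # stays inside the segment
        ("192.168.1.5", "203.0.113.10"): False,   # source in excluded range
        ("192.168.1.50", "192.168.1.200"): True,  # listed server, same segment
        ("10.0.0.5", "203.0.113.10"): False,      # not a listened segment
    }
    return all(is_monitored(s, d, networks, excluded, servers) == want
               for (s, d), want in expected.items())


if __name__ == "__main__":
    print("all sample flows classified as expected:", demo())
```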
1. The bypass mode applies when a hub is used or when the switch provides a mirrored port. If the switch does not have a mirrored port, a hub can be deployed before the switch.
2. In bypass mode, the traffic rankings and active connection rankings are displayed as invalid.
3. In bypass mode, TCP control is achieved by sending reset packets through the DMZ interface. Therefore, ensure that the reset packets sent through the DMZ interface can be received by PCs and public network servers.
4. Many functions cannot be implemented in bypass mode, such as the VPN and DHCP functions.
5. In bypass mode, the device mainly implements the monitoring function, and the control function is not as comprehensive as in route mode and bridge mode. Only TCP connections can be restricted (for example, by URL filtering, keyword filtering, and mail filtering). User Datagram Protocol (UDP) connections, such as P2P connections, are not restricted.
6. In bypass mode, the traffic diagrams are displayed only when the mirrored interface is a WAN interface. When a WAN interface is connected, there is only received traffic and no transmitted traffic.
3.1.3.2 Network Interface Configuration
3.1.3.2.1 Configuring Network Interfaces in Route Mode
You can configure network interface information on the Interfaces page in route mode and bridge
information in bridge mode.
In the navigation area, choose System Management > Network > Interfaces. The Interfaces pane is
displayed on the right, as shown in the following figure.
Status: indicates the connection status and MTU of a network interface. One icon indicates a connected interface and another indicates a disconnected interface.
Physical Interface: indicates the corresponding physical interface on the device.
Zone: indicates the logical zone of a network interface. A LAN interface functions as an intranet interface and therefore needs to be added to the LAN zone. A WAN interface functions as an external interface and needs to be added to the WAN zone. If multiple WAN interfaces are required, apply for multi-line authorization. A DMZ interface functions as an intranet interface. Important servers can be connected to the DMZ, and the firewall settings on the device can restrict the access of intranet users, thereby protecting the servers. For details about firewall settings, see section 3.2.2.
Type: indicates the type of a network interface, which can be electrical or optical.
IP Address: indicates the IP address of a network interface.
MAC Address: indicates the address of the physical network adapter of a network interface.
MTU: indicates the MTU of a network interface, which ranges from 700 to 1800. The MTU must be set to at least 1280 if IPv6 is enabled; otherwise, IPv6 addresses will be cleared.
Operating Mode: indicates the operating mode of the physical network adapter of a network
interface.
Inbound: indicates the receiving rate of a network interface.
Outbound: indicates the sending rate of a network interface.
Dialup Log: indicates the dialup log information about a network interface.
The procedure for configuring a network interface is as follows:
On the Interfaces page, click the name of the physical interface. For example, to configure eth0 on
the LAN, click eth0. The LAN Interface page is displayed, as shown in the following figure.
An IPv4 or IPv6 address can be configured for the network interface. In IP Address, enter the ID and
IP address of each VLAN. The IP address assigned to a VLAN must be idle. If VLAN 2 exists and resides
on network segment 10.10.0.0/255.255.0.0, and IP address 10.10.0.1 is not used on the intranet,
2/10.10.0.1/255.255.0.0 can be entered in the IP address list. Add information about other VLANs
(802.1q) one by one on different rows.
To configure eth2 on the WAN, click eth2 and the WAN Interface Configuration page is displayed.
If Specified is selected in Address, a fixed IP address assigned by the carrier can be configured for this
network interface, or auto assign can be enabled, depending on the actual situation.
In PPPoE, Internet access is implemented through ADSL dialup. The dialup username and password are provided by the carrier. Click Advanced and configure dialup attributes in the displayed dialog box.
It is recommended that the handshake time be set to 20, the timeout duration be set to 80, and the maximum number of timeouts be set to 3.
In Line Attribute, configure the outbound and inbound bandwidths.
3.1.3.2.2 Configuring Bridges in Multi-Bridge Mode
In the navigation area, choose System > Network > Network Interface Configuration. The Interface
pane is displayed on the right, as shown in the following figure.
Status: indicates the connection status and MTU of a network interface. One icon indicates a connected interface and another indicates a disconnected interface.
Interface: indicates the corresponding physical interface on the device.
Zone: indicates the logical interface area: bridge or management interface.
Type: indicates the type of a network interface, which can be electrical or optical.
IP Address: indicates the IP address of a network interface.
MAC Address: indicates the address of the physical network adapter of a network interface.
MTU: indicates the MTU of a network interface, which ranges from 700 to 1800. The MTU must be set to at least 1280 if IPv6 is enabled; otherwise, IPv6 addresses will be cleared.
Operating Mode: indicates the operating mode of the physical network adapter of a network
interface.
Inbound: indicates the receiving rate of a network interface.
Outbound: indicates the sending rate of a network interface.
To configure a bridge, click its name. The Bridge Configuration page shown in the following figure is displayed. On this page, the default gateway can be changed only to another IP address on the same network segment; to move it to a different segment, change it on the Deployment page.
An IPv4 or IPv6 address can be configured for the bridge. In IP Address, enter the ID and IP address of
each VLAN. The IP address assigned to a VLAN must be idle. If VLAN 2 exists and resides on network
segment 10.10.0.0/255.255.0.0, and IP address 10.10.0.1 is not used on the intranet,
2/10.10.0.1/255.255.0.0 can be entered in the IP address list. Add information about other VLANs
(802.1q) one by one on different rows.
In bridge mode, you can define the management interface. Click Interfaces. On the MANAGE
Interface page, set the IP address, which can be an IPv4 or IPv6 address.
3.1.3.3 Static Routes
On the Static Routes pane, you can set static routing policies. When the device needs to
communicate with IP addresses on different network segments, static routes must be configured.
IPv4 and IPv6 static routes can be added.
In the navigation area, choose System > Network > Static Route. The Static Route pane is displayed
on the right, as shown in the following figure.
The following describes an application scenario of IPv4 static routes.
On the customer's network, the device functions as a gateway in route mode. The IP address of the
LAN interface is 192.168.1.12/255.255.255.0 and PCs on the intranet are on network segment
192.168.2.0/255.255.255.0. An L3 switch is deployed between PCs on the intranet and the device.
When a PC on the intranet accesses the Internet, the data is forwarded to the device by the L3 switch.
However, when the device forwards data to the PC, the destination is unclear because the IP address
of the PC is on another network segment. As a result, Internet access failure occurs. To solve this problem, a static route needs to be set for forwarding the data destined for network segments on the
intranet to the L3 switch and the L3 switch will forward the data to corresponding PCs on the
intranet.
Click Add. The Static Route page is displayed.
Destination: destination network ID.
Subnet Mask: subnet mask of the target network.
Next-Hop IP: next-hop IP address to the target network.
Interface: interface through which data is forwarded.
Click Routing Table to display all system routes, including IPv4 and IPv6 routes.
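The scenario above, worked as a longest-prefix-match lookup in Python. This is an added example, not the device's routing code: the LAN interface 192.168.1.12/24 and PC segment 192.168.2.0/24 come from the text, while the L3 switch address 192.168.1.1, the WAN next hop 198.51.100.1, the interface names and the PC address 192.168.2.20 are assumptions. Without the static route the reply to the PC falls through to the default route and leaves toward the WAN; with it, the reply goes to the L3 switch.

```python
import ipaddress


def lookup(routes, destination):
    """Longest-prefix match: return (network, next_hop, interface) or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, next_hop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def routing_table(with_static_route):
    """Device routes for the scenario. Next hop None means directly connected."""
    routes = [
        # Connected route derived from the LAN interface 192.168.1.12/255.255.255.0.
        (ipaddress.ip_network("192.168.1.0/24"), None, "eth0"),
        # Default route via the WAN (next hop and interface are assumptions).
        (ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1", "eth2"),
    ]
    if with_static_route:
        # Static Route dialog: Destination 192.168.2.0, Subnet Mask 255.255.255.0,
        # Next-Hop IP = L3 switch (assumed 192.168.1.1), Interface eth0.
        routes.append((ipaddress.ip_network("192.168.2.0/24"), "192.168.1.1", "eth0"))
    return routes


def reply_path(with_static_route, pc="192.168.2.20"):
    """Where the device forwards a reply destined for an intranet PC."""
    net, next_hop, iface = lookup(routing_table(with_static_route), pc)
    return str(net), next_hop, iface


if __name__ == "__main__":
    print("without static route:", reply_path(False))  # default route, WAN side
    print("with static route:   ", reply_path(True))   # via the L3 switch on eth0
```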