SANGFOR provides next-generation firewalls (NGFWs) that offer several key advantages over traditional firewalls: 1) NGFWs provide deep packet inspection and bidirectional traffic analysis to defend against modern application layer attacks. 2) They leverage single-pass analysis algorithms and multi-core parallel processing to achieve high 10G throughput while introducing low latency. 3) In addition to application layer defenses, NGFWs also include traditional firewall capabilities like stateful inspection, IPS, and integrated IPsec VPN.

1. Founded in 2000, SANGFOR set a clear goal to build high-performance, reliable and
secure network devices that can increase the business growth of our clients while
decrease the Total Cost of Ownership (TCO) at the same time.
For more information, please kindly visit our official website at www.sangfor.com
or contact your local SANGFOR office in Mainland China, Hong Kong, US, UK,
Singapore, Indonesia, Malaysia and Thailand.
Next Generation Firewall was defined by Gartner based on the requirements of customers, the deep
understanding of security industry, and the vision of security market trends.
With more than 10 years of technology innovation, accumulated knowledge and experience of serving
customers in the network security business, SANGFOR believes that NGFW should be characterized by
following features:
Single-pass Analysis Algorithm
Multi-core Parallel Processing
10G throughput
Stable performance
Low latency
NGFW
Defending
against
Application
Layer Attacks
Traditional
Security
Capability
Authentication of Thousands of Applications
Enhanced Wed Defense
SQL Anti-attack
IPS Based on Applications
Anti CC Attack
Malware and Trojan Filtering
DOS, DDOS Attack Protection
Stateful Inspection
Access Control
Intergrade IPsec VPN
Router & NAT
Bidirectional
Contents
Inspection
Data Leak Protection
Unsafe URL Filtering
Application Info Hide
Anti Webpage Tampering
Application
Layer High
Performance
Superior to traditional UTM devices whose
performance degrades significantly in multi-functional
mode, SANGFOR’s comprehensive approach provides
the capability of 10G throughput with low latency in
microseconds when working in multifunctional mode.
Superior to traditional firewall that mainly focusing on
inbound threats, NGFW consolidates security with
bidirectional contents inspection function. Outbound
dataflow responded by server are also monitored.
Potential sensitive information leaks, webpage
tampering, and other threats are detected and
prevented.
Although threats on application layer become
prevailing, traditional threats on network layer should
not be discounted, as they are still causing serious
damages. NGFW provides traditional security
functions such as Stateful FW, IPS, and VPN to ensure
higher ROI and lower TCO for our customers in
long-term.
As 75% of overall attacks or threats targeting on
application layer, next generation firewalls should be
capable with full stack visibility, able to identify and
authenticate application layer protocols and contents,
able to provide end-to-end solution to defend against
network threats especially on application layer.
Traditional security devices are vulnerable to the
application layer threats due to the limitation of its
network layer focus.
Bidirectional Contents Inspection Application Layer High Performance
Defending against Application Layer Attacks Traditional Firewall Capability
Definition of Next-Generation Firewall
Copyright ©2013 SANGFOR Technologies. All Rights Reserved.

2. SANGFOR Next-Generation Firewall is designed with Application Control, Intrusion
Prevention and Web Security in mind, providing deep and fine-grained visibility over
Users, Applications and Contents. SANGFOR NGFW ensures end-to-end security
from layer 2 to layer 7 in multi-gigabit speed, in-bound and out-bound, and
distinguishes itself from traditional firewalls, and makes it the ideal choice for
customers in the business of service provider, enterprise, financial services, and
public sectors.
Today’s network attacks are getting more sophisticated. Traditional firewalls are no
longer effective to cope with ongoing and emerging threats.
As a platform of network security policies, SANGFOR NGFW enforces bidirectional
security policy on users, applications, URLs, data payload and contents. Superior to
traditional port and protocol based security policy, SANGFOR NGFW’s approach
allows IT organization to better defend increasingly sophisticated network threats, to
identify and block misuses of applications precisely and effectively.
SANGFOR NGFW is designed to defend attacks end-to-end from layer 2 to layer 7
with the focus on the application layer. The surging of application layer attacks are
becoming growing concerns, and causing serious information leaks and
infrastructure damages worldwide.
SANGFOR’s high scalable and extensible software and hardware architecture
ensures high performance in application layer processing. Leveraging its innovative
technology of Single-pass Analysis Algorithm and Multi-core Parallel Processing,
SANGFOR NGFW delivers 10G throughput with low latency in microseconds when
working in multifunctional protection mode.
Product Overview
Next Generation FirewallNext Generation Firewall
Scenarios
Internet access
zone Entire security for internet access.
Website one-stop security protection.
Anti Webpage tampering.
Sensitive business information leak protection.
Entire security for internet access.
Security reinforcement for core business system.
Sensitive business information leak protection.
WAN dataflow filtering.
WAN edge security protection.
DMZ zone
Data center
security zone
WAN edge
security zone

3. Integrated layer 2 to layer 7 Security Protection
By combining the static validating and filtering rule with the dynamic intelligence against attack processes of hackers,
SANGFOR NGFW’s comprehensive approach performs excellently in defending the top 10 mainstream security threats
releasedbyOWASPaswellasothercommon webattacks.TheWEBsystementirely protectsagainstSQLinjection,XSS
cross-site scripting, cross-site request forgery, malware, Trojans and other security issues.
Enhanced Web Anti-attack
Leveraging SANGFOR’s unique Six-Threat-Detection-Mechanisms (Signature based attack detection, Special attack
detection, Correlation analysis, Abnormal traffic detection, Abnormal protocol detection, and Deep content analysis),
NGFW enables the IT organization to consolidate its system security, and to identify attacks and high-risk security
breaches, such as: buffer overflow attacks, vulnerability attacks, abnormal protocols, worms, Trojans, back door
programs, DOS/DDOS attacks, scanning, spywares and other kinds of threats.
Application Based Deep Intrusion Prevention System
SANGFOR NGFW enables IT organization to detect viruses that originated from the well-known protocol (HTTP / FTP /
SMTP / POP3) and deeply hidden into the compressed files (ZIP / RAR / GZIP), to ensure timely and precise response
against viruses. By leveraging highly effective stream scanning technology, SANGFOR NGFW delivers great
performance in application layer, which significantly distinguishes it from traditional methods that easily become the
bottleneck of the whole network.
Comprehensive Anti-virus Detection
Abnormal dataflow and DOS/DDOS attacks are detected and filtered by SANGFOR NGFW. Security and stability of the
server are ensured. SANGFOR NGFW provides protection against DOS/DDOS attacks from layer 2 to layer 7, and
ensures all the DOS attacks based on data packages, IPs, TCP and HTTP protocols being blocked.
DOS/DDOS Attack Protection
SANGFOR NGFW’s comprehensive signature database of 3,000+ vulnerabilities, 300,000 virus/Trojan/malware, and
2,000+ WEB application threats provides IT organization with great ability to defend threats in various layers.
Partnered of MAPP (Microsoft Active Protections Program), SANGFOR’s vulnerability signature database is certified
with compatibility certificate from CVE (Common Vulnerabilities and Exposures). SANGFOR provides best-in-quality of
products and services.
Database updated by dedicated R&D team.
L7&above:
Data layer
Network Cable
L5-L7:
application layer
L4: transport layer
L3: network layer
L2: link layer
L1: physical layer
Business content
High risk requires
more protection
WEB application Architecture
WEB Service Architecture
Operations System
TCP/IP protocol stack
Network interface
Sensitive information leakage
Web page tampering
Vulnerability attack
SQL injection
cross-site scripting
Apps/server scanning
Weak password attack
Application layer DDoS
Worms, Viruses , Trojans
Access control,
Protocol anomaly,
Network layer DDoS
ARP cheating,
broadcast storm
Physical damage
Intelligent Security Defense System
Advanced Cross-modules Security Defense strategy
can be generated automatically by active defense
technology. For example, the FW can generate a new
firewall rule to block a certain IP if dangerous dataflow
or attacks are identified from this IP by other modules.
Itperformanceswellagainstautomaticattacksortools
and ensures system security with easy maintenance
and management.
Leveraging SANGFOR’s integrated IPsec VPN function,
more effective and secured wide area network can be
built up with higher ROI.
SANGFOR NGFW supports several deployment modes
such as gateway, bridge, bypass, virtual-wire and
hybrid as well as multiple link aggregation and
asymmetric routing function, which ensures a good
adaptability to complex-networking environments.
Customers can migrate from their traditional firewalls
to SANGFOR NGFW without compromise of any
current networking functioning, such as ACL, NAT,
router, VLAN. These functions are fully supported by
NGFW. Smooth deployment and easy management
from day one.
Integrated IPsec VPN Function Cross-modules Intelligent Defense Strategy
Complete Firewall Capabilities Flexible Deployment Modes
Intelligent Network Security Defense System
Access Security Network Security Application Security Business Security
One time analysis algorithm
Strategy linkage
Safety analysis and audit
port / server
scanning
weak password
scanning
server risk
assessment
Application route
IPSEC VPN
OSPF / RIP
User authentication
AD domain
integration
Network ACL
NAT
DOS / DDOS
Flow filtering
BM based on
applications
Application
Access control
IPS based on
applications
CC anti-attack
Anti-virus,
Anti-Trojans
Apps layer DOS/DDOS
URL filtering
Enhanced web security
SQL protection
sensitive information
webpage ADS
Web shell upload
Malicious plug-in
server/terminal
security report
Flow/site/apps
statistic report
SMS/
email alarm

4. Bidirectional Contents Inspection
Anti webpage tampering is a sub-function of NGFW, applying afterwards compensatory approach to protect the
security of the website. That means even though the hacker had circumvented the security defense system and
tampered the webpage, the modified webpage cannot be delivered to end users. By this method, the damage and
economy loss can be reduced to the least. Meanwhile, the administrator will be informed at runtime by NGFW alarm
service, allows the administrator to resolve the issue in time. Furthermore, NGFW provides redirection function that
redirects end users to the backup server to ensure normal operation of the business.
Compared with the traditional approach of installing anti webpage tampering software, SANGFOR NGFW’s solution is
more user-friendly and easy to maintain, no plugins required and no performance impact to the server.
Webpage Protection against Tampering
SANGFOR NGFW can protect sensitive information defined by the user against leaks. The sensitive information can
be identified, blocked and alarmed in different ways (SMS, E-MAIL…) by SANGFOR NGFW, ensuring an entire security
for data like user information / email accounts / MD5 encryption key / bank card / ID number / social security
account /credit card / mobile phone number.
User Defined Sensitive Info Leak Protection
Auto response information from WEB, FTP, MAIL or other servers, which may turn out to be a guideline for hackers to
process the attack, can be concealed by NGFW. For example, HTTP error page concealing, FTP information hiding.
Application Protocol and Content Concealing
NGFW is flexible and allows various levels of security priority on user-defined services or webpages. When accessing
services or webpages of higher priorities, strict authentication rules are enforced, such as SMS token or other
two-factor authentications. That means hackers cannot access the sensitive and important data or webpages even if
they have your username and password.
Enhanced User Login Authentication Protection
NGAF depth content detection technology: analyzing each
application command and scanning the content carried to
check for sensitive data, threat….
Features:
- The data is copied to the application layer
- Restore data content and realize the deep content
detection
- Understand the HTTP protocol, defense hidden attack
Server outbound content filtering
Webpage Defender: Static, Dynamic
Sensitive information leakage prevention:
ID Card, Credit card number, Financial data...
DOS attack
Application layer DOS attack
CC attack
Authority control
Exe file upload filtering
Upload viruses/Trojans filtering
Prevent web shell dataflow
Enhanced Web Defense
- SQL injection defense
- OS command injection defense
- XSS attack, CSRF attack
IPS based on application
- Server vulnerability defense
- Terminal vulnerability defense
Prevent port/server scanning
Prevent app vulnerability scanning
Weak password protection
Anti brute force attack
Core URL protection
website structure anti-scanning
Web Crawler defense
Users Hackers
Web application server
Scanning
Process
Attacking
Process
Destroy
Process
Application Layer High Performance
SANGFOR’s advanced multi-core parallel processing hardware architecture enables high performance computing in
application layer, outperforms traditional NP or ASIC architecture. Furthermore, the Lock-free Parallel Processing
technology is implemented to the computing process, produces real multi-core parallel processing, and significantly
enhances system throughput.
Multi-core Parallel Processing
Unlike UTM, NGFW significantly enhances the performance in application layer processing with the advanced
Single-pass Analysis Algorithm. Various threats are detected in single parsing without unpacking and packing the
message repetitively as in UTM.
Single-pass Analysis Algorithm
Leveraging the application authentication technology that has been accumulated for years, all packages passing
through the NGFW will be tagged with SANGFOR proprietary protocol during its core computing process. With the
proprietary protocol, threats can be identified more efficiently and precisely during the content detecting process.
For example, the FTP server-u related vulnerability that exists in the HTTP dataflow cannot generate threats to servers.
This is a guideline to optimize the algorithm and enhance the efficiency.
Hopping Scan Technology
CPU1
CPU2
CPU3
parallel processing
performance
1 2 3 N
CPU
NetworkingHardwareI/O
FW IPS WAF
Policy layer
Network layer