The Services Menu

The Endian UTM Appliance includes many useful services to prevent threats and to monitor the networks and the running daemons, whose activation and set up is explained in this section. In particular, among them, we highlight the various proxy services, such as the antivirus engine, as well as the intrusion detection system, high availability, and traffic monitoring. The available services appear as items in the sub-menu list on the left-hand side of the screen.

  • DHCP server - DHCP server for automatic IP assignment utm4i
  • Dynamic DNS - Client for dynamic DNS providers such as DynDNS (for home / small office use) utm4i
  • Antivirus Engine - configure the antivirus engine used by the e-mail, web, pop, and FTP proxies utm
  • Time server - enable and configure the NTP time server, set the time zone, or update the time manually utm4i
  • Spam Training - configure training for the spam filter used by the mail proxies utm
  • Intrusion Prevention - configure snort, the IPS availability setup utm4i
  • High availability - configure the Endian UTM Appliance in a high availability setup utm4i
  • Traffic Monitoring - enable or disable traffic monitoring with ntop utm
  • SNMP Server - enable or disable support for the Simple Network Management Protocol utm4i
  • Quality of Service - IP traffic prioritisation. utm4i

DHCP server utm4i

The DHCP server is used by the clients (workstations and servers) in the zones controlled by the Endian UTM Appliance to receive an IP address (“lease”), and allows to control the IP address assigned to them in a centralised way. Two types of leases can be assigned to clients: Dynamic and fixed. The DHCP server page is divided into two or three boxes, namely DHCP, in which to configure the DHCP server, Current fixed leases, showing the fixed leases, and Current dynamic leases that shows up only if at least one client has obtained a dynamic lease. Dynamic leases are assigned on a network basis within a given range that is configured in the first box, whereas fixed leases are assigned on a per-host basis and are configured in the second box.


When a client (be it either a host or another device such as networked printer) joins the network it will automatically get a valid IP address from a range of addresses and other settings from the DHCP service. The client must be configured to use DHCP, which is sometimes called “automatic network configuration”, and is often the default setting on most workstations. Dynamic leases are configured on a zone basis: for example, it is possible to enable them only for clients in the GREEN zone, while the other active zones receive only fixed leases.

It is however possible to let also devices in the ORANGE (DMZ) or BLUE (WLAN) zone to receive dynamic leases.


If the BLUE zone is enabled but managed by the hotspot, the message DHCP configuration is managed by hotspot appears, preventing to configure it here.

To customise the DHCP parameter for each zone, click on the small icon expand next to the Settings label. These are the available options:

Enable the DHCP server in the zone.
Start address, End address

The range of IP addresses to be supplied to the clients. These addresses have to be within the subnet that has been assigned to the corresponding zone. If some hosts should receive a fixed lease, (see below), make sure their IP addresses are included neither in this range nor in the range of the OpenVPN address pool (see Menubar ‣ VPN ‣ OpenVPN server) to avoid conflicts.

Leaving these two fields blank will use the whole IP range of the zone for dynamic leases.

Allow only fixed leases
Tick this checkbox to use fixed leases only. No dynamic lease will be assigned.
Default lease time, Max lease time
The default and the maximum time in minutes before the assignment of each lease expires and the client requests a new lease from the DHCP server.
Domain name suffix
The default domain name suffix that is passed to the clients and that will be used for local domain searches.
Default Gateway
The default gateway that the clients in the zone will used. If left blank, the default gateway is the Endian UTM Appliance itself.
Primary DNS, Secondary DNS
The DNS used by the clients. Since the Endian UTM Appliance contains a caching DNS server, the default value is the firewall’s own IP address in the respective zone, though a second server or even the primary value can be changed.
Primary NTP server, Secondary NTP server
The NTP servers used by the clients, to keep the clocks synchronised.
Primary WINS server, Secondary WINS server
The WINS servers used by the clients. This option is only needed for the Microsoft Windows networks that use WINS.

Advanced users might want to add some custom configuration lines to be added to the dhcpd.conf file (e.g., custom routes to subnets) by writing them in the text area at the bottom, marked with the Custom configuration lines label.


No syntax check on these lines is carried out: the lines are appended to the configuration file. Any mistake here might inhibit the DHCP server from starting!

Current fixed leases

It is sometimes necessary or desirable for certain devices to always use the same IP address while still using DHCP, for example servers that provide services like a VoIP box, a SVN repository, a file server, or devices like printers or scanners. A fixed lease is usually referred to as Static IP Address, since a device will always receive the same IP address when requesting a lease from the DHCP server.

This box reports the list of all the fixed leases currently active in the local network, providing several information about that lease. By clicking on the Add a fixed lease link, new fixed leases can be assigned to a device and insert all the information that will be displayed in the list. The devices are identified by their MAC addresses.


Assigning a fixed lease from the DHCP server is very different from setting up the IP address manually on a device. Indeed, in the latter case, the device will still contact the DHCP server to receive its address and to announce its presence on the network. When the IP address required by the device has already been assigned, however, a dynamic lease will be given to the device.

The following parameters can be set for fixed leases:

MAC address
The client’s MAC address.
IP address
The IP address that will always be assigned to the client.
An optional description of the device receiving the lease.
Next address
The address of the TFTP server. This and the next two options are useful only in a few cases (see below for an example).
The boot image file name. Option needed only for thin clients or network boot.
Root path
The path of the boot image file.
If this checkbox is not ticked, the fixed lease will be stored but not written down to the file dhcpd.conf.

A use case for a fixed lease.

A use case that shows the usefulness of a fixed lease is the case of thin clients or disk-less workstations on the network that use PXE, i.e., boot the operating system from an image supplied by a networked tftp server. If the tftp server is hosted on the same server with the DHCP, the thin client receives both the lease and the image from the same server. More often, however, the tftp server is hosted on another server on the network, hence the client must be redirected to this server by the DHCP server, an operation that can be done easily adding a fixed lease on the DHCP server for the thin client, adding a next-address and the filename of the image to boot.

Besides the information supplied during the fixed lease creation, the list allow each lease to be enabled or disabled (by ticking the checkbox), edited, or deleted, by clicking on the icons in the Actions column. Editing a lease will open the same form as the creation of a new lease, whereas deleting a lease will immediately remove it from the configuration.


All leases assigned by the DHCP server are stored by default in the /var/lib/dhcp/dhcpd.leases file. Although the DHCP daemon takes care of cleaning that file, it may happen that the file stores lease that have already been expired and are quite old. This is not a problem and does not interfere with the normal DHCP server working. A typical entry in that file is:

lease {
starts 2 2013/06/11 13:00:21;
ends 5 2013/06/14 01:00:21;
binding state active;
next binding state free;
hardware ethernet 00:14:22:b1:09:9b;

Current dynamic leases

When the DHCP server is active, and at least one client has received a (dynamic) IP address, a third box appears at the bottom of the page, containing the list of the currently assigned dynamic IP addresses. This list report the IP address, the MAC address, the hostname, and the expiry time of the lease associated to each client.

Dynamic DNS utm4i

A DNS server provides a service that allows to resolve the (numeric) IP address of a host, given its hostname, and vice versa, and works perfectly for hosts with fixed IP address and hostname.

DDNS providers, like DynDNS or no-IP, offer a similar service when the IP addresses is dynamic, which is normally the case when using residential ADSL connections: Any domain name can be registered and associated to a server with a dynamic IP address, which communicates any IP address change to the DDNS provider. To be compatible and to integrate with the root DNS servers, each time IP address changes, the update must then be actively propagated from the DDNS provider.

The Endian UTM Appliance includes a dynamic DNS client for 14 different providers and if enabled, it will automatically connect to the dynamic DNS provider to communicate the new IP address whenever it changes.


If no dynamic DNS account has been set up, detailed instruction to register a new one, detailed online helps and howtos are available on the web site of the providers.

This page displays the list of the Dynamic DNS accounts. Indeed, more than one DDNS provider can be used. For each account, the list shows information about the service used, the hostname and domain name registered, if the anonymous proxy and the wildcards are active, if it is enabled, and the possible actions. New accounts can be created by clicking on the Add a host link, providing the following parameters:

The drop-down menu shows the available DDNS providers.
Behind a proxy
This option only applies to the provider. The checkbox must be ticked if the Endian UTM Appliance is connecting to the Internet through a proxy.
Enable wildcards
Some dynamic DNS providers allow all the sub-domains of a domain point to the same IP address. This is a situation in which two hosts like and are both located on the same IP address. Ticking this box enables the feature, making all the possible sub-domains redirect on the same IP address. The feature must be configured also in the account on the DDNS provider server, if available.
Hostname and Domain
The hostname and domain as registered with the DDNS provider, for instance “example” and “”
Username and Password
The credentials given from dynamic DNS provider to access the service.
behind Router (NAT)
Activate this option if the Endian UTM Appliance is not directly connected to the Internet, i.e., there is another router or gateway before accessing the Internet. In this case, the service at can be used to find the IP address of the router.
Tick this checkbox to enable the account, which is the default.


It is still necessary to export a service to the RED zone to be able to use the domain name to connect to the Endian UTM Appliance from the Internet using its dynamic IP address, since the dynamic DNS provider only resolves the domain name and not the associated services. Exporting a service might typically involve setting up port forwarding (see Menubar ‣ Firewall ‣ Port forwarding / NAT).

After making a change in the configuration or to immediately update the dynamic DNS for all the defined accounts, click on the Force update button. This proves useful for example when the uplink has been disconnected and the REDIP has changed: When this happens, updating all the DDNS accounts is required, otherwise the services offered via DDNS will be unreachable.

Antivirus Engine utm

On all types of Endian UTM Appliance, with the notable exception of the New Mini Arm, there are two antivirus engines available, that can be used for the research of viruses and malware within files and documents: ClamAV and Sophos, with Clamav installed by default. Depending on which antiviruses are installed, the page is organised into one or three tabs: If Sophos is not installed, only the tab ClamAv antivirus appears, otherwise, also the Settings and Sophos Antivirus tabs are present.


On the New Mini Arm, however, only ClamAV is available, since there is no port of Sophos to the Arm architecture.

Settings utm4i

The Settings tab contains several drop-down menus, to choose which antivirus to use for which service. Indeed, it is possible to run a different antivirus for each of the four services that may require an antivirus: HTTP (web browsing), SMTP (outgoing e-mails), POP (incoming emails), and FTP (file transfer). It is however not possible to run both antiviruses on a same service.

The first drop-down menu can be used as a shortcut to select ClamAV or Sophos for all services. In this case, all the other menu values are set to that choice. The other four drop-down menus allow the individual selection for each service.

ClamAv Antivirus utm4i

The second tab, Clamav Antivirus, consists of two boxes: The first to configure ClamAV, and in particular its management of archive bombs, and the second showing the current synchronisation status of the signature.

Archive bomb and DoS.

Archive bombs are archives that use a number of tricks to overload an antivirus software to the point that they hog most of the resources of the computer hosting it, an action called DoS attack. These tricks include: Small archives made of large files with repeated content that compress well (for example, a file of 1 GB containing only zeros compresses down to just 1 MB using zip); multiple nested archives (i.e., zip files inside zip files); archives that contain a large number of empty files, and so forth. Decompressing archive files with any of those characteristic poses a serious challenge to the normal activities of a server or a workstation, since a lot of resources are needed (especially RAM and CPU) and taken away from users’ availability.

Clamav configuration

To avoid DoS attacks, ClamAV is configured to not scan archives with certain attributes, that can be modified here.

Max. archive size
Archives larger than this size in MB are not scanned.
Max. nested archives
An archive which recursively contains nested archives whose value exceeds this number will not be scanned.
Max. files in archive
Archives containing more than this number of files are not scanned.
Max compression ratio

Archives whose uncompressed size exceeds the compressed archive size by more than X times, where X is the compression ration specified here, are not scanned. The default value is 1000.


The compression rate for a normal file, depending on the algorithm used, is about between 10 and 15. That is, the uncompressed size of a file is between 10 to 15 times the size of the archive.

Handle bad archives

What should happen to an archive that is not scanned because it passed the limit set in at least one of the above settings. Choices are Do not scan but pass and Block as virus. In the first case the file is not scanned and passes the control, so that the recipient of the e-mail needs to carefully examine it, while in the second case it is considered as a virus and therefore blocked.


When a file is larger that the size specified in the Max. archive size filed above and the policy here is “Block as virus”, the file is blocked. However, since it is downloaded until the size limit is reached, it may give the impression that the download did not complete successfully. To avoid this behaviour, change either this option or the size above.

Block encrypted archives
It is technically impossible to scan encrypted (i.e., password protected) archives, but they might represent a security risk. To block them, tick this checkbox.

In the ClamAV signature update schedule panel on the right part of the box, another important aspect of running ClamAV can be configured: How often the antivirus signatures are downloaded. Indeed, to keep the system up to date, information about new viruses must be downloaded periodically from a ClamAV server. The default frequency of download is once every hour, but it can be configured shoosing among the four available options (hourly, daily, weekly, monthly). Moving the mouse over the question marks displays the exact time when the updates are performed in each case - the default setting is one minute past the full hour.

ClamAV virus signatures

This box shows a couple of information about the signatures virus. At the top of the box, a message like “Last signature updated on Sep 16 13:21:28 from which loaded a total of 1040149 signatures.” reports the date and time of the latest download (Sep 16 13:21:28), the server from which the signatures have been downloaded (, and the number of signatures downloaded (1040149).

Below the message, a list shows the types of the signatures downloaded, the time of the last synchronisation, their version, and the time of the last update. The update and synchronisation times may differ if the last synchronisation check did not contain any signature update.

A click on the Update signatures now button performs an immediate update (regardless of scheduled updates, which will continue as before), that might take some time, while a click on the Search the online virus database opens a new browser tab (or window) to ClamAV’s online database, to look for information about a specific virus.


Since the databases of signatures may be updated several times a day from the provider, it is suggested to set the download to a high frequency of updates.

Sophos antivirus utm4i

On the Sophos AntiVirus tab, a drop-down menu allows the selection of the update cycle, i.e., how often the new virus signatures for Sophos should be downloaded. Possible options are: hourly, daily, weekly, and monthly.

Time server utm4i

The Endian UTM Appliance uses NTP to keep its system time synchronised with time servers on the Internet. The settings available are grouped into two boxes.

Use a network time server

A number of time server hosts on the Internet are preconfigured and used by the system, but custom time servers can be specified after ticking the Override default NTP servers checkbox. This might prove necessary when running a setup that does not allow the Endian UTM Appliance to reach the Internet. Several time servers addresses can be supplied, one per line, in the small form that will show up.

This box also shows the current time zone setting, that can also be changed by choosing a different one from the drop-down menu. An immediate synchronisation can be done by clicking on the Synchronize now button.

Adjust manually

The second box gives the possibility to manually change the system time. While this is not recommended, this action proves useful when the system clock is way off and an immediate update of the Endian UTM Appliance‘s clock to the correct time is needed.

Automatic synchronisation using time servers is not done instantly, but the clock is “slow down” or “speed up” a bit to recover and align to the correct time, hence a system with a significant error in its time may require a long period to be corrected. In those cases, forcing a manual synchronisation represents a more drastic but immediate solution.

Spam Training utm

The Endian UTM Appliance includes SpamAssassin as the engine to find and fight spam e-mails. While it is successful in the vast majority of the cases, SpamAssassin needs to be trained to improve its abilities to intercept spam e-mails. The configuration of the training for the antispam engine can be done in this page: Indeed, SpamAssassin can learn automatically which e-mails are spam and which are not (the so called ham mails). To be able to learn, it needs to connect to an IMAP host and check the pre-defined folders for spam and ham messages.

The page for SpamAssassin consists of two boxes, one that contains a list of IMAP hosts used for learning, with the possibilities to manage them at various levels, and another one to modify the scheduling of the updates.

Current spam training sources

The first box allows the configuration of the training sources, by means of two links that, after clicking, will reveal two panels in which to specify the various configuration values. The default configuration, which is initially empty, is not used for training, but only provides values that are later inherited by the real training sources which can be added right below. By clicking on the Edit default configuration link, these setting can be configured:

Default IMAP host
The IMAP host that contains the training folders.
Default username
The login name for the IMAP host.
Default password
The password of the user.
Default ham folder
The name of a folder that contains only ham messages. It can be, for example, a dedicated folder that stores only ‘clean’ messages, or even the Inbox.
Default spam folder
The name of a folder that contains only spam messages.
Schedule an automatic spam filter training
The time interval between two consecutive checks, which can either be disabled or be an hourly, daily, weekly, or monthly interval. The exact time scheduled is shown when moving the mouse cursor over the question marks. If disabled, the antispam engine must be manually trained.

Additional spam training sources can be added in the panel that appears upon clicking on the Add IMAP spam training source link. The options for the additional training hosts are the same as the default configuration options, except for the scheduling, which is always inherited from the default configuration, and for three new available options.

The training source will be used whenever SpamAssassin is trained. If not enabled, the source will not be used during the automatic training, but only for manual ones.
A comment about this source.
Delete processed mails
Whether the e-mails should be deleted after they have been processed.

The other options can be defined just like in the default configuration and, when specified, they override the default values. To save the configuration of a source it is necessary to click on the Add Training Source button after all the desired values have been set. Several actions can be carried out on a source: It can be enabled, disabled, edited, removed, or the connection tested by clicking on the appropriate icon.

Two additional actions are available and will be performed on all the connections, by clicking on one of the buttons located on the top right of the box.

Test all connections
To check all the connections at once. This operation can take some time if many training sources have been defined or the connection to the IMAP servers is slow.
Start training now
Immediately starts the training. It is important to note that training can take a very long time, depending on many factors: The number of the sources, on the connection speed, and most importantly on the number of e-mails that will be downloaded.


The antispam engine can be also trained in another way if the SMTP Proxy is enabled for incoming as well as for outgoing mails. This is done by sending spam mails to spam@spam.spam. Non-spam mails can be sent to ham@ham.ham. For this to work it is necessary that spam.spam and ham.ham can be resolved: If not, these two hostnames can be added to the host configuration in Menubar ‣ Network ‣ Edit hosts ‣ Add a host on the Endian UTM Appliance.

SpamAssassin Rule Update Schedule

In this box it is possible to schedule the automatic download of SpamAssassin signatures among the four options: Hourly, daily, weekly, and monthly.

Intrusion Prevention utm4i

New in version 2.3: The intrusion Prevention System, based on snort.

The Endian UTM Appliance includes the well known intrusion detection (IDS) and prevention (IPS) system snort, which is directly built into iptables, to intercept and drop connections from unwanted or distrusted sources.

The page contains three tabs, Intrusion Prevention System, Rules, and Editor.

Intrusion Prevention System utm4i

If snort is not active, a grey switch next to the Enable Intrusion Prevention System label appears on the page and can be clicked on to start the service. A message appears, informing that the service is being restarted and after a short interval, the box will contain some options to configure the service.

Automatically fetch SNORT Rules
Ticking this box will let the Endian UTM Appliance automatically download the snort rules from the Endian Network.
Choose update schedule
The frequency of download of the rules: A drop-down menu allows to choose one of the hourly, daily, weekly, or monthly options. This option appears only if the previous option has been activated.
Custom SNORT Rules
A file containing custom SNORT rules that should be uploaded. Pick one file from the file selection window that opens upon clicking the Browse button, and upload it by clicking on the Upload custom rules button.

Changed in version 2.5: snort can not anymore be enabled independently in each zones, but only globally.

Rules utm4i

On the Rules tab appears the list of rulesets that are stored on the Endian UTM Appliance, along with the number of rules they contain and the actions that can be done on them, which are to enable or disable a ruleset, to change their policy, to edit and to delete a ruleset. All the actions, except for editing, can be carried out on more than one rulesets at once, by selecting them (tick the checkbox on the left of their filename) and pressing one of the button underneath the list.

By default, the policy for all the rulesets is set to alert. This behaviour can be changed by clicking on the alert icon to toggle the policy into block and the icon into a red shield. After clicking on the Apply button, that ruleset will not cause alerts anymore, but all the traffic that matches its rules will be blocked.

A ruleset can be deleted by clicking on the trash can icon, while a click on the pencil icon redirects to the Editor page in which to edit each rule independently.

Editor utm4i

At the top of the Editor page are shown the rulesets that can be edited. To chose more than one ruleset at once, hold the CTRL key and click on the rulesets.


When editing a ruleset in the Rules tab, the Editor page will open with that ruleset already selected.

After selecting and clicking on the Edit button, the list of the rules included in the selected ruleset(s) is shown. The list can be narrowed down by entering some terms in the text box next to the Search label. Like in the Rules page, the policy of every entry can be changed.


Turning on the IPS only implies that snort is running, but it does not yet filter the traffic. For snort to filter packets, the Allow with IPS Filter policy must be selected for the rules defined in the various Firewall configuration pages.

See also

The Firewall Menu
Menubar ‣ Firewall

A visual, step-by-step tutorial to set up IPS.

High availability utm4i

The Endian UTM Appliance can be run in an HA mode, that can easily be setup using at least two Endian UTM Appliances, one of which assumes the role of the active (i.e., master) firewall, while the remaining are standby (i.e., slave) firewalls.

If the master firewall fails, an election among the slaves takes place and one of them will become the new master, providing for transparent failover. If there is only one slave, though, it will immediately take over the master’s duties and allows a seamless failover transition to the secondary Endian UTM Appliance in the event of a hardware failure on the primary appliance. This provides unparalleled hardware availability and redundancy for critical network operations and security.

In order to start up the HA service, at least one master and one slave Endian UTM Appliances must be configured according to the following guidelines.


The Endian HA system is supported on both Endian hardware and software appliances. Regardeless of choosing hardware or software, the high availability module requires at least two completely identical hardware platforms (e.g. 2 Minis, 2 Macros, 2 x86 systems, etc.).

An important point to focus on when deploying high availability is that a duplication method for each and every connection to the Endian appliance must be provided. Every connection of the primary unit (e.g., WAN, LAN, etc.) must be replicated across the standby unit(s) to ensure that complete replication capabilities exist.

In this scenario, each network on the Endian UTM Appliance (WAN, LAN, etc.) is connected to an external managed switch which has a unique VLAN assigned to each network. This deployment option consumes the least amount of network ports and provides for enhanced extensibility. Another option is to replace a single managed (VLAN capable) switch with smaller, separate switches for each network (WAN, LAN, etc.). This setup however may not be cost-effective and could be less reliable since the failure of any switch could break failover partially or completely.


Since the HA runs automatically over the GREEN network, the heartbeat can be configured to run over the switch connection or alternatively, an additional Ethernet port can be assigned to the GREEN network to directly connect the master device to the slave unit. The advantage of adding a direct connection is that it removes the switch (and thus possible sources of problems, improving the overall reliability) from the failover equation. The decision on whether to implement this setup may largely depend on the overall reliability of the managed switch (dual power, port failure rate, warranty terms, etc.) – so the more reliable/redundant is the switch configuration, the less critical having a direct connection can become.

In this page, there is only one box, which initially contains only one option:

Enable High Availability
Enable HA on the Endian UTM Appliance, by default it is disabled.

After enabled, a second drop-down menu appears, High Availability side, that allows to configure the Endian UTM Appliance as master or slave. Depending on this choice, different configuration options are available. Configuring a slave unit, however, requires that a Master unit have already been set up.

For the master side, the following options are available:

Management network
The special subnet to which all Endian UTM Appliance that are part of a same HA setup must be connected and defaults to Unless this subnet is already used for other purposes, there is no need to change it.
Master IP Address
The first IP address of the management network. It is automatically set to 1 on the network chosen, and defaults to
Notification: recipient email address, Notification: sender email address, Notification: email subject, Notification: SMTP server to be used
These options can be filled in to be notified by e-mail when a failover event occurs. They are configured the same way as they were configured for other event notifications in Menubar ‣ System ‣ Event notification: A custom sender, recipient, and subject of the email and the SMTP smarthost used to send the email.

A second box will appear after HA has been activated, with the list of the slaves with their IP address, a link to access their management GUI, and the possibility to delete a slave.

The HA management network.

The Endian UTM Appliance uses a special network to connect the master to slave unit(s): If this network has already been used in other zones, none of the already defined network(s) is deleted nor any change should be made to them. Indeed, in such a case, simply assign to the HA management network a different range of IP addresses, like, e.g., or It is important to note that the only requirement of the management network is that it must be large enough to accommodate the master and all the slaves, so if there are only a master and a slave devices, even a network as small as should suffice. The management network will be created as an interface on the GREEN network, and it will show up us such on the device or when viewing the network status.


Make sure that the management network can be reached from the current LAN setup, or it will not be possible to login to the master unit!

After the master unit has been configured, the second Endian UTM Appliance, that is going to be the slave, can be set up. The same procedure shall be followed for every additional slave to configure.


It is strongly suggested to make a backup of the slave unit before configuring it and saving it on a safe place, since it may become useful to restore a slave unit after it is removed from its role.

For the slave side the following are the available options.

Master IP address
The IP address of the master unit, which defaults to if the management network had not be changed. This value must match the one that appears as value of the Master IP Address option on the master unit.
Master root password
The password of the console root user (not the graphic administration interface!) on the master.

These data will be used by the slave to retrieve from the master all the information needed and to keep the synchronisation.

Upon saving the setup, the connection to the device will be temporarily lost, since the management network is created and then the two devices (the master and the currently defined slave) begin to synchronise.

After the synchronisation process is complete, the slave itself cannot be reached anymore via its old IP address (be it its factory default or its previous GREENIP address), since it has gone in standby mode and is connected to the master only through the management network. Any change made on the primary unit (the activation of a service, the change of one setting, the deletion of a VPN user, and so on) will automatically be synced to the slave unit(s) with the exception of updates, upgrades, or device backups (these have to be performed manually on the slave unit).

Moreover, the slave Endian unit will automatically appear on the master’s list of slaves and switch to an informational-only web interface that can be accessed from the master, by following the Go to Management GUI link next to each of the entries of the list of slaves.

The RED MAC Address

During the HA failover, the RED interface MAC address is not replicated onto the slave unit. This can represent a problem if the ISP requires to use the Sticky IP setup. In this situation, the IP address assigned from the ISP is determined from the MAC address of the client’s network interface, similarly to a fixed IP asssigned from a DHCP server to a client. it may not be possible to reconnect with the slave unit. To avoid this situation, it is necessary to utilise the spoofed MAC address feature on the RED interface in order for HA to work properly. This will ensure that when the HA is activated the MAC address will carry over to the standby unit and will not require manual intervention. This can be achieved on the slave, before activating it, by ticking the option Use custom MAC address under Menubar ‣ Network ‣ Interfaces ‣ Edit main uplink ‣ Advanced settings and specifying the MAC address of the RED interface on the Master. Alternatively, the MAC address can be entered in the step 4 of the network installation wizard, writing the master’s MAC address in the Spoof MAC address with option.

See also

A step by step guide to configure HA on the Endian UTM Appliance.

Traffic Monitoring utm


The ntop service is not available on the Mini appliances, due to its limited available resources.

Traffic monitoring is done by ntop and can be enabled or disabled by clicking on the main switch on this page. Once traffic monitoring is enabled a link to the monitoring administration interface appears in the lower section of the page. This administration interface is provided by ntop, runs on the port 3001, and includes detailed traffic statistics. ntop displays summaries as well as more fine-grained information. The traffic can be analysed by host, protocol, local network interface and many other types of information. Several configurations options are available, for more information about ntop please refer to About ‣ Online Documentation on the ntop administration interface or visit the ntop documentation page.

SNMP Server utm4i

New in version 2.3: SNMP service

The SNMP is used to monitor network-attached devices, and can be used e.g., to control the status of the internal infrastructure.

To enable the SNMP Server is sufficient to click on the grey switch next to the Enable SNMP server label: Once done so, a few options will appear in the Settings box.

Community String
A key that is needed to read the data with an SNMP client.
An identification string that can be set to anything, but it is suggested that it describe the location of the Endian UTM Appliance.
Override global notification email address
The SNMP Server requires to configure an e-mail address as the system contact. The global e-mail address provided during the installation procedure is used by default. Nonetheless, to use a custom e-mail address, tick the checkbox and write a custom e-mail address into the System contact email address field that will activate right below.

Quality of Service utm4i

New in version 2.3: QoS

The purpose of the QoS module is to prioritise the IP traffic that is flowing through the Endian UTM Appliance depending on the service. In other words, the QoS is a convenient way to reserve a given amount of the available bandwidth (both incoming and outgoing) for a given service. Applications that typically need to be prioritised over bulk traffic are interactive services such as SSH or VoIP.

The QoS configuration options are arranged into three tabs: Devices, Classes, and Rules.

Devices utm4i

The Device tab is also the starting page for the QoS and is initially empty. Once populated, a table showing a list of all the Quality of Service devices appears and for each device, some parameters and the available actions are displayed.

New QoS devices can be added by clicking on the Create new item link above the list and by configuring a few options.

Target Device
The network interface that will be used by this devices. Choices are among the network interfaces or zones enabled on the system and can be selected from a drop-down menu.
Downstream Bandwidth (kbit/s)
The downstream speed of the interface.
Upstream Bandwidth (kbit/s)
The upstream speed of the interface.
Enable the QoS (default) or not.

The actions available on the devices are to edit, to enable/disable, or to remove a device and can be carried out by clicking on the respective icon. When editing a device, the same form opens as when adding a new device, in which to modify the current device’s parameters.

For every device added, four items will appear under the Classes tab: Three for high, medium, and low priority, respectively, and one for bulk traffic (see below).

Classes utm4i

This tab shows a list of all Quality of Service classes that have been created, if any. For each entry, several data are shown. New items can be added by clicking on the Create new item link above the list of classes. The parameters to configure are the same shown in the list:

The name of the Quality of Service class.
The Quality of Service device for which the class was created.
The percentage of bandwidth that has been reserved for this class from the device’s overall available bandwith.
The maximum percentage of bandwidth this class may use.
The priority of the class.


The sum of reserved percentages can not be greater than 100 per device. Moreover, the reserved bandwidth can not be higher than the limit bandwidth.

The actions available are to edit, to move, and to delete a class by clicking on the respective icon. Classes can be moved up or down the list: Items closer to the top of the list are the first to be processed when the bandwidth does not suffice for all the traffic and the Endian UTM Appliance needs to choose which traffic should be prioritised.

Rules utm4i

The third tab displays a list of the already defined Quality of Service Rules and allows to specify which type of traffic should belong to each of the classes. To add a new Quality of Service rule click on the Add Quality of Service Rule link. In the form that will open, which is very similar to the one used to define firewall rules, several values should be configured. Many drop-down menus are employed here to ease the choices and guide through the configuration.

Choose from the drop-down menu the traffic source, either a Zone or interface, a network, an IP or MAC address. Depending on this choice, different values can be specified: A zone or interface from the available ones from those that will be displayed, or one or more IP addresses, networks, or MAC addresses.
Destination Device/Traffic Class
Choose the device/class from the drop-down menu and then the destination IP addresses or networks.
Service/Port, Protocol
The next two drop-down menus are used to define the service, protocol, and a destination port for the rule (when choosing one of TCP, UDP, or TCP + UDP protocols). Some predefined combinations Service/Protocol/Port exists, like HTTP/TCP/80, <ALL>/TCP+UDP/0:65535, or <ANY>, which is a shortcut for all services, protocols, and ports. Finally, in the Destination port, one or more custom port number can be supplied (this proves useful when some service does not run on a standard port).
The type of TOS or DSCP value to match. See here for a description.
Match Traffic
Choosing TOS or DSCP class in the previous drop-down menu allows to choose a suitable value for the traffic to match from another drop-down menu. Otherwise, the choice DSCP Value allows to enter a custom value that should match the rule.
A comment to identify this rule.
Tick the checkbox to enable the rule.


If there is more than one service in a Quality of Service class, then all these services together will share the reserved bandwidth.