In this page you find:
The System menu provides various information about the Endian UTM Appliance and its status, and allows the network setup and some access modalities (e.g., via SSH or for the Endian support) to be defined.
The sub-menu on the left-hand side contains the following items, which allow for some basic administration tasks and to monitor the running activities of the Endian UTM Appliance.
Dashboard - overview of the system and of the connections status.
Network configuration - network and network interface configuration.
Event notifications - set up of notification via e-mail or SMS.
Updates - management of system updates.
Support - support request form.
Endian Network - Endian Network registration information.
Passwords - set system passwords.
Web console - a console shell on the browser.
SSH access - enable/configure SSH access to the Endian UTM Appliance.
GUI settings - web interface language settings.
Backup - backup or restore Endian UTM Appliance settings as well as reset to factory defaults.
Shutdown - shutdown or reboot the Endian UTM Appliance.
Credits - acknowledgement to all contributors.
License Agreement - a copy of the User License Agreement.
The remainder of this section will describe the various parts that compose the System menu items.
New in version 2.5: Updates, Web Console, License Agreement.
New in version 3.0.5: Improved event management module with more events added and ability to upload python scripts to be associated to events.
The Dashboard is the default page, the one that is displayed upon every login. It encompasses several boxes (“plugins”) organised in two columns that provide a complete overview of the running system and of its health. The top of each box reports the name of the box. The Dashboard has lately undergone some changes in its usability and new features have been added to improve the interaction with the user. The information visible on screen is updated at regular intervals.
Several enhancements have been introduced to the plugins in recent releases.
Drag & Drop. Each of the six boxes can be moved around and rearranged in either of the two columns. While moving, a green rectangular box will preview the position of the plugin.
New in version 2.5.
Personalisation. A click on the Show settings link underneath the main bar will open a small table showing the available plugins, their description, and the refresh interval. Any of them can be enabled or not and consequently displayed or not on the Dashboard.
New in version 2.5.
Signatures updates plugin, described below.
New in version 2.5.
The available plugins and the information they display are described here.
It shows several pieces of information about the installed system. It usually presents the hostname and domain name of the Endian UTM Appliance in the title.
Appliance: The appliance type.
Version: The version of the firmware.
Kernel: The current running kernel.
Uptime: The time since the last reboot.
Update status: A message depending on the Endian UTM Appliance status:
“up to date”. No updates are available.
“update required”. New packages can be installed: A click on the message leads to the Updates page where it is possible to review the list of new packages.
“Register for enterprise”. The system has not yet been registered to Endian Network: A click on the message will open the Endian Network page, in which to compile a form to complete the registration.
Maintenance: The remaining days of validity of the maintenance support.
Support access: Whether the support team can access the Endian UTM Appliance or not. In the former case, the date until which the access is granted is also shown.
This plugin also shows the remaining days of validity of the additional modules Panda Antivirus and Commtouch, if purchased.
It shows the main hardware information of the Endian UTM Appliance and the resource availability. All the information is provided with the absolute value (graphically with a small bar and in numbers at the end of a line) and the percentage of use. The only exception is the CPU load, which shows only the percentage of use, in graphic and numbers.
CPU x: The load of the CPU, where x represents the CPU number, for those appliances that have more than one CPU.
Memory: The amount of RAM used.
Swap: How much swap disk space is used. A high percentage here usually means there is something not working correctly.
Main disk: The usage of the root partition.
Temp: The space used in the /tmp partition.
Data disk: The usage of the /var partition.
Configuration disk: The space occupied by the partition containing all the Endian UTM Appliance services and settings.
Log disk: The amount of space used in the partition containing the logs.
The latter values, showing disk space availability, can vary depending on the appliance, since the data, system, and log partitions may be located in different places.
Warning
A partition on the hard disk (e.g., main disk, data disk, /var/log) shall never have a usage of 95% or more, as this can cause malfunctioning and data loss.
Information about the most important services installed on the Endian UTM Appliance, along with their actual status, is displayed by this plugin. For each service the status, either ON or OFF, is shown together with a summary of the tasks accomplished during the last hour and the last days. A click on the service’s name expands or collapses additional information on the tasks carried out by the service. For running services, the respective Live Logs can be opened in a new window. Hence, if some number in the summaries looks strange (e.g., a number of rejected e-mails that is twice the normal one) or uncommon compared to the normal activities (e.g., the IDS has detected some attack), the logs can be checked for useful messages that have been recorded. The services currently supported by this plugin are:
Intrusion Detection: The number of attacks logged by snort.
SMTP Proxy: Statistics about the e-mails processed. The number of e-mail currently in the postfix-queue, of the received e-mails and how many of them were clean, the number of viruses found, and how many e-mails were blocked.
HTTP Proxy: The numbers of cache misses and hits of squid and of the viruses found.
POP3 Proxy: Statistics about the received, blocked, and virus-containing e-mails that went through the POP3 Proxy.
Hint
Inactive services are marked with a red OFF message.
It shows information about the network interfaces of the firewall and the traffic. The upper part of this plugin shows several data about the network interfaces of the Endian UTM Appliance: their name, type, link (Up if a connection is established, Down otherwise) and status (Up if the device is activated, Down if not), and the incoming and outgoing traffic. The latter two values are updated in real-time. When ticking the checkbox near the device name, that device is shown in the graphs underneath. The device names are coloured according to the zone they serve.
The lower part of the plugin contains two charts: The first one shows the incoming traffic, while the second one the outgoing traffic on each of the interfaces chosen. The traffic of each interface is coloured according to the zone it belongs to, different interfaces serving the same zone have different nuances. Bridges built on one device are shown in the same colour as the device. Like the traffic data in the upper part, both charts are updated in real-time.
Hint
Up to six interfaces can be selected and shown in the charts.
This plugin shows information about the actual status of those services requiring the download of signatures that are installed and enabled on the Endian UTM Appliance. In case no signature has been downloaded and no service has already been enabled, the message No recent signature updates found is displayed, otherwise the plugin presents the signatures installed for the various daemons and the timestamp (date and time) of the last download. The list includes the signatures for the anti-spyware, antivirus, contentfilter, and intrusion prevention services.
This plugin shows a table detailing the uplinks’ connection status. For each defined uplink the name, IP address, status, uptime, whether it is active or not, and whether it is managed or manual are shown. The circular arrow icon, when clicked, immediately reconnects the corresponding uplink. Of particular interest is the Status field of each individual uplink, which can be:
Stopped: Not connected.
Inactive: Not connected.
Connecting: Not yet connected, but a connection is ongoing.
Connected or UP: The connection has been established and it is fully operational.
Disconnecting: The uplink is closing the connection. The Endian UTM Appliance keeps pinging the gateway and announces when it becomes available.
Failure: There was a failure while connecting to the uplink.
Failure, reconnecting: There was a failure while connecting to the uplink, but the Endian UTM Appliance is now trying again.
Dead link: The uplink is connected, but the hosts that were defined in the uplink configuration (Menubar ‣ Network ‣ Interfaces, option Check if these hosts are reachable in the Uplink editor) to check the connection could not be reached. In other words, the uplink is not operational.
Managed and manual uplink.
Each uplink can be operated in either managed mode, which is the default, or manual mode. In managed mode, the Endian UTM Appliance monitors and restarts the uplink automatically when needed. If managed mode is disabled, the uplink has to be activated or deactivated manually: This implies that there will be no automatic reconnection attempt if the connection is lost, and clicking on Reconnect is required to restart a non-operational uplink. The management mode of an uplink can be selected under Menubar ‣ Network ‣ Interfaces.
While an uplink should always be managed to allow for a quick reconnection in case of a connection loss, the manual mode proves useful for troubleshooting or testing connections before actually establishing them.
The configuration of the networks and of the network interfaces serving the zones is fast and easy with this 8-step wizard. It is possible to freely navigate back and forth through the steps, using the <<< and >>> buttons, and even to cancel the actions done so far at any moment. Only at the last step is it required to confirm the new settings: In that case, all the changes made will be applied. Note that while applying the new settings, the web interface might not respond for a short period.
New in version 3.0-2014-May: stealth uplink
Changed in version 3.0-2014-May: Gateway mode has been renamed into No uplink mode
Changed in version 3.0.5: Removed legacy ADSL and ISDN network types from default installation.
The Stealth Uplink mode.
The Stealth Uplink mode represents a new possibility to seamlessly integrate the Endian UTM Appliance into an existing network infrastructure without the need to modify the existing routing or firewalling rules.
The Stealth Uplink mode requires an Endian UTM Appliance equipped with at least two NICs serving the same zone, which can be GREEN, ORANGE, or BLUE. One of these interfaces routes all the traffic directed from the zone to a gateway and in practice represents the Endian UTM Appliance’s ‘uplink’.
The presence of an explicit interface designated as ‘uplink’ allows to distinguish a direction for the traffic flowing outside the zone served by the Stealth Uplink and to filter it using the outgoing firewall. This is the main difference with the no uplink mode (previously known as Gateway mode) in which there is no possibility to filter outgoing traffic and therefore the application control was not applicable.
The Stealth Uplink operating mode requires a particular set up in the Endian UTM Appliance’s firewall setup.
System access rules are handled normally.
Port forwarding and Destination NAT rules can also be configured normally. However, since the outgoing interface is in the same zone as the internal network, the rules will be applied from both sides of the zone.
Source NAT is not applied for outgoing connections in this setup as otherwise the behaviour would not be transparent anymore.
The outgoing firewall is used for all the traffic that flows from the zone served by the Stealth Uplink through the NIC designated as uplink, which makes the abilities of the application control available.
The interzone firewall is employed for all the remaining traffic between the other zones, if defined. If the Stealth Uplink bridge is composed of three or more interfaces, and hence two or more serve the corresponding zone, the traffic between these and the other zones can also be filtered by the interzone firewall.
Due to the availability of this uplink mode, the GUI of the network configuration wizard has also changed, especially in the first page of the wizard, to clarify the differences among the various uplinks and the configuration options available for each of them.
The 8 steps in which the wizard is divided are:
The first page of the network configuration wizard contains two boxes: Network modes, in which to choose the operating mode of the uplink, and Uplink type, in which to select the uplink.
The first box allows to choose the operating mode of the uplink used by the Endian UTM Appliance, among three possible, mutually exclusive choices. When selected or when the mouse hovers over one of the options, a brief description appears.
Routed. This choice corresponds to the classical uplinks available in Endian UTM Appliance, except for the Gateway mode.
Bridged. The new Stealth Uplink mode.
No uplink. This choice corresponds to the mode previously known as Gateway mode.
Note
When in No uplink mode, rules defined in the outgoing firewall, which filters the traffic going from the Endian UTM Appliance through the uplink, are not taken into account.
The next box appears only upon selection of the Routed option, since in the other cases the mode automatically determines the RED interface.
At installation time, the Endian UTM Appliance receives a default GREEN IP. This screen allows to choose the type of the RED interface (i.e., the type of uplink) among those supported by the Endian UTM Appliance.
The RED interface is in a LAN and has a fixed IP address and netmask, for example when connecting the RED interface to a simple router, with the convenience that the Endian UTM Appliance is always reachable at the same IP address.
The RED interface receives its network configuration via (dynamic) DHCP from a local server, router, or modem, i.e., the RED interface is connected to a simple router but without the need to have a fixed address.
The RED interface is connected to an ADSL modem. This option is only needed when the modem uses bridging mode and requires to use PPPoE to connect to the provider. This option should not be confused with the ETHERNET STATIC or ETHERNET DHCP options, used to connect to ADSL routers that handle the PPPoE themselves.
The RED interface connects to an ADSL modem via a USB or PCI cable, not via an Ethernet one.
The RED interface is an ISDN connection.
Note
Starting with the 3.0.5 release, ADSL and ISDN uplink types have been removed from the default installation. However, older appliances can still keep on using them if configured. Newer appliances will be able to use these two network types by installing the respective packages.
The RED interface is an analog (dial-up) or UMTS (cell-phone) modem.
A small box recalling the number of network interfaces available on the system is shown to the right of the available choices. The RED interface can be fully configured during step 4.
The Endian UTM Appliance separates the networks connected to it into four main zones, as described in this section. At this point the two most important zones, GREEN and RED, have already been encountered during the installation: This step allows one or two additional zones to be enabled, depending on the services that should be provided by the Endian UTM Appliance: ORANGE (used as the DMZ network portion) and BLUE (used as the segment for wireless clients). Their full configuration will be possible in the next step.
Note
In the Endian UTM Appliance, one network interface is reserved for the GREEN zone and another one has possibly been assigned to the RED zone, if the RED interface requires a network card. This might limit the choices here to the point that the ORANGE or BLUE zone cannot be enabled, due to lack of additional network interfaces.
This step concerns the configuration of the GREEN zone, if needed, and of any zone chosen in the previous step. For each of the zones enabled, the following options can be configured:
The IP address (such as 192.168.0.1) of the interface, which should not be already in use in the network.
Hint
Good practice suggests that the last octet be 1, since the interface will gather the traffic of the whole subnet.
Remember also that a change in the IP addresses of an Endian UTM Appliance, especially in a production environment, might require to adjust additional settings elsewhere, for example the HTTP proxy configuration in the workstations, otherwise the web browsers will not work correctly.
Warning
When configuring the interfaces of the GREEN zone, make sure to not remain locked out of the web interface! This situation may occur for example when changing the GREEN IP address into one that is not reachable from the current GREEN segment and then saving the settings. In this case the only access to the Endian UTM Appliance is via serial console.
Define the network mask from a drop-down menu containing the possible masks (e.g., /24 - 255.255.255.0).
Hint
All the devices connected to the same subnet shall have the same netmask to communicate properly.
Additional IP addresses for different subnets can be added to the interface here.
Map a network interface to a zone, with the following rules:
Each interface can be mapped to only one zone and each zone must have at least one interface.
When more than one interface is assigned to a zone, these interfaces will be bridged together and act as if they were part of a switch.
For each available interface the following information is shown:
A colored checkbox, showing which zone the interface serves. No color means that the interface is not assigned to any zone.
Port, the number of the port.
Link, shows the current status by means of icons: the link is active, no link or no cable plugged in, or no information from the driver.
Description, the interface’s PCI identification string, as returned by lspci. The string is trimmed, but it can be shown in full by moving the mouse over the ?.
MAC, the interface’s MAC address.
Device, the logical name of the device.
Note
Internally, the Endian UTM Appliance handles all zones as bridges, regardless of the number of the assigned interfaces. Therefore, the Linux name of the interfaces is brX, not ethX.
Finally, the system’s host name and domain name can be set in the two text boxes at the bottom of the screen.
Private IP Addresses
It is suggested to follow the standard described in RFC 1918 (which has recently been updated by RFC 6761) and to use for the zone’s setup only the IP addresses contained in the network segments reserved for private use by the IANA, which are:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8, 16,777,216 addresses)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12, 1,048,576 addresses)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16, 65,536 addresses)
This choice avoids DNS resolution errors, as IP addresses not falling within these ranges are likely to have been reserved by other organisations as their public IPs. Moreover, different IP ranges must be used in the different network segments for each interface, for example:
IP = 192.168.0.1, network mask = /24 - 255.255.255.0 for GREEN
IP = 192.168.10.1, network mask = /24 - 255.255.255.0 for ORANGE
IP = 10.0.0.1, network mask = /24 - 255.255.255.0 for BLUE
Note also that the first and the last IP address of a network segment (which are usually .0 and .255) are reserved as the network address and the broadcast address respectively, and must not be assigned to any device.
Changed in version 3.0-20141505: with the introduction of the Bridged and No uplink network modes, this page has slightly changed.
This step allows the configuration of the interface chosen in step 1, the one that connects to the Internet or to any other untrusted network outside the Endian UTM Appliance.
Depending on the Network mode chosen in step 1, different options are present here. For the No uplink mode, only one option is present.
The IP address of the gateway that will take charge of routing the network traffic flowing outside the zone. The gateway’s IP address must fall within the network in which the Endian UTM Appliance is located.
An additional option is available when the Bridged mode has been selected:
This drop-down menu allows the selection of the zone to which the traffic will be bridged, among those that have been activated.
When the network mode is Routed, there are more options available, which depend on the selected uplink type. At the bottom of the page appear two options that are commonly available, namely MTU and Spoof MAC address with, described below, and the choice of the DNS resolver, available for almost all interface types, which is either Dynamic or Manual: In the latter case, one valid IP address of a DNS server must be provided manually in the next step. The other configuration options are:
The IP address and network mask of the RED interface, as well as the IP address of the default gateway, that is, the IP address of the gateway that connects the Endian UTM Appliance to the Internet or to another untrusted network. Optionally, the Ethernet hardware address (MAC address) of the interface can be specified.
Only one available option, namely the DNS choice.
To configure PPPoE, fill in the form with the username and password assigned by the provider, and the authentication method. Optionally, the provider’s service and concentrator name can be configured, though this is usually not needed.
Hint
If unsure whether to select PAP or CHAP authentication, keep the default option.
There are 3 sub-screens for this choice.
In the first one, select from the drop-down menu the appropriate driver for the modem, among the possibilities offered.
In the second one, choose the ADSL type from the drop-down menu among the four choices: PPPoA, PPPoE, static IP, or DHCP.
Finally, depending on the selection made in the previous two steps, some of the following settings are required, which can be obtained from the ADSL provider:
VPI/VCI numbers and the encapsulation type;
the username and password assigned by the provider and the authentication method (if unsure, keep the default PAP or CHAP);
the IP address and network mask of the RED interface;
the IP address of the default gateway (required for static IP only).
Note
If PPPoE was chosen at point 2. above, then the configuration is exactly like explained in the previous paragraph, PPPoE.
To configure the ISDN connection, the modem driver, phone numbers (the provider’s number and the number used to dial out), as well as the username and password that have been assigned by the provider, and the authentication method are needed (if unsure, keep the default PAP or CHAP). Also specify whether the IP address of the DNS should be assigned automatically or set manually.
While the Endian UTM Appliance supports most modern UMTS modems, some care is required when using them in conjunction with the Endian UTM Appliance. On one side, some UMTS modems are USB mass storage devices as well and usually register two devices (e.g., /dev/ttyUSB0, /dev/ttyUSB1): In this case the first device /dev/ttyUSB0 is the modem, the second one is the storage. These types of modem can cause problems when restarting the firewall because the Endian UTM Appliance tries to boot from the USB mass storage device. On the other side, some SIM cards require a personal identification number (PIN) to work, but this is not supported. To allow those cards to work with the Endian UTM Appliance, the PIN should be removed from the card.
Note
The SIM card must be plugged in when the Endian UTM Appliance is turned off.
There are 2 sub-screens for this choice.
In the first one, specify to which serial port the modem is connected and whether it is an analog modem or a UMTS/HSDPA modem.
Hint
The /dev/ttyS0 device is reserved for the serial console and is therefore not available as a port for modems.
In the second one, configure the modem’s bit-rate, the dial-up phone number or access point name, the username and password that have been assigned by the provider and the authentication method (if unsure, keep the default PAP or CHAP). For UMTS modems it is also necessary to specify the access point name.
The IP address of the default gateway - that is, the IP address of the gateway that connects the Endian UTM Appliance to the Internet or another untrusted network.
The common options are:
The MTU size of the packets sent over the network.
Specify a custom MAC address for the RED interface. This setting is required for the proper failover of slave devices in an HA setup. See High availability for more information about the RED address in HA setups.
The MTU size.
While the vast majority of ISPs use a standard value of 1500 bytes, in some circumstances the standard MTU size turns out to be too high. If that happens, some strange network behaviours will be noticed, e.g., downloads which always stop after a while or connections which do not work at all.
If the ISP does not use a standard MTU size, it is easy to discover the correct one by sending special ICMP packets with a specific size, which can be lowered until no errors are encountered: At that point, the MTU size is correct and this value should be entered in the configuration options.
In order to send the ICMP packets do the following:
Log in to the EFW and choose a host which can actually be reached (e.g., the ISP’s DNS, which should always be reachable) and ping that host with the following command (please refer to the ping(8) manpage for more information):
ping -c1 -M do -s 1460 <host>
If the MTU size 1460 is correct, ping replies like the following one are received:
PING 10.10.10.10 (10.10.10.10) 1460(1488) bytes of data.
1468 bytes from 10.10.10.10: icmp_seq=1 ttl=49 time=75.2 ms
If however the current MTU size is still too big for packets of size 1460, an error message like this will appear:
PING 10.10.10.10 (62.116.64.82) 1461(1489) bytes of data.
ping: sendmsg: Message too long
Retry with different packet sizes (i.e., the value after the -s option), until the correct size has been found and no error is displayed. The value shown within brackets in the ping command’s output is the MTU size. In this example the output is 1460(1488), therefore 1488 is the value to select for the MTU size.
An MTU value lower than 1500 may cause problems also in the OpenVPN setup and require to adjust some setting there.
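The probing procedure above, written as an added example that is not part of the Endian documentation or the appliance’s own code. It wraps the same ping -c1 -M do -s command, converts the -s payload into the bracketed MTU value the way the text describes (payload plus 28 bytes of IPv4 and ICMP headers), and goes one step beyond the manual by bisecting the payload instead of lowering it by hand; the probe function is injectable so the search logic can be checked without a network, and the 10.10.10.10 host is only the page’s sample address.

```python
"""Path-MTU probe reproducing the manual's 'ping -c1 -M do -s <size>' procedure."""
import subprocess
from typing import Callable, Optional

# A 'ping -s N' datagram is N payload bytes plus a 20-byte IPv4 header and an
# 8-byte ICMP header; that is why ping prints 1460(1488): 1488 is the MTU probed.
IP_ICMP_OVERHEAD = 28


def mtu_from_payload(payload: int) -> int:
    """Return the on-the-wire size (the MTU value to enter) for a given -s payload."""
    return payload + IP_ICMP_OVERHEAD


def df_ping_fits(host: str, payload: int) -> bool:
    """Send one don't-fragment echo request of `payload` bytes to `host`.

    Mirrors the manual's command: ping exits non-zero on 'Message too long'
    (local interface MTU too small) or on a fragmentation-needed error from the path.
    """
    result = subprocess.run(
        ["ping", "-c1", "-M", "do", "-s", str(payload), host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        check=False,
    )
    return result.returncode == 0


def find_mtu(
    host: str,
    probe: Callable[[str, int], bool] = df_ping_fits,
    lo: int = 548,
    hi: int = 1472,
) -> Optional[int]:
    """Bisect between a payload assumed to fit (lo: a 576-byte packet, the IPv4
    minimum) and the largest Ethernet payload (hi: a 1500-byte packet).

    Returns the largest MTU that passes, or None when even `lo` fails, which
    usually means the host is unreachable or ICMP is filtered rather than a
    small MTU. `probe` is injectable so the search can run without a network.
    """
    if probe(host, hi):
        return mtu_from_payload(hi)
    if not probe(host, lo):
        return None
    # Invariant: lo fits, hi does not.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid
    return mtu_from_payload(lo)


if __name__ == "__main__":
    import sys

    # 10.10.10.10 is only the sample host used in the manual's ping output.
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.10"
    found = find_mtu(target)
    print("unable to determine MTU" if found is None else f"MTU for {target}: {found}")
```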
This step allows to define up to two IP addresses for the DNS server, unless they are assigned automatically: In this case, no configuration option can be set and it is safe to move to the next one. If only one DNS server should be used, the same IP address must be entered twice. The IP address(es) of the DNS must be accessible from the Endian UTM Appliance, otherwise URL and domain resolution will not work.
See also
The RED interface, i.e., the uplink, and the DNS server can be modified later, separately from the other network configuration:
Menubar ‣ Network ‣ Interfaces ‣ [edit uplink]
The configuration of a global administrator e-mail address that will be used by all services to send e-mails is done here. The administrator e-mail address is then used for notifications, in case of problems or emergencies. These e-mail addresses will be used by the Event notifications.
There are three fields to configure.
A valid e-mail address to which the system e-mails should be sent.
A valid e-mail address that appears as the sender address. A custom sender address proves useful if the recipient wants to filter messages sent by the Endian UTM Appliance.
The SMTP server through which the email should be sent.
Hint
Although all the fields may be left blank, it is suggested to supply at least one valid Admin e-mail address.
This step informs that the network setup is now finished and all the new settings have been gathered. Clicking on the OK, apply configuration button will save the settings and apply the configuration by restarting all the necessary services and daemons.
In the last step, all the configuration files are written to the disk, all the devices are reconfigured and the network-depending services and daemons (e.g., the firewall and ntpd) are restarted as necessary. The whole process may take up to 20 seconds, during which the connection to the administration interface and through the Endian UTM Appliance may not be possible.
The administration interface will then reload automatically. If the GREEN IP address has changed, the GUI will be reloaded at the new IP address. In this case, or in case the hostname changed, a new SSL certificate is generated to identify the new host.
Note
To change later only some of the settings in the network configuration (e.g., the hostname or the network range of a zone), simply start the network configuration, skip all the steps until the one in which to make the desired changes, edit the appropriate values, then proceed to the last step and finally save.
Changed in version 3.0-2014-December: The event notification GUI and functionalities have been improved and largely rewritten.
Whenever some critical event takes place on the Endian UTM Appliance (e.g., a partition is filling up, or there are updates available), there is the option to be immediately informed by e-mail about it and to promptly take some actions to solve a problem, if required.
Four tabs are available in this page: Configuration, Events, SMS, and Scripts.
The Configuration tab contains the basic options to set up the notification of events that take place on the Endian UTM Appliance.
To start the event notification functionality, click on the grey icon.
The options available are the following.
Tick the checkbox to use the default administrator e-mail address as specified in the Installation wizard or in step 6 of Menubar ‣ System ‣ Network configuration.
Tick the checkbox to use the system’s SMTP proxy, if available.
If the previous two options are not selected, the next few options appear.
The e-mail address that appears as the sender of the e-mail.
The e-mail address to which the e-mail will be delivered.
Tick the checkbox to reveal a couple of options to set up the SMTP server that will be used to send the notification e-mail.
Note
While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.
The URL of the smarthost.
The port on which the smarthost listens to.
Tick the checkbox if credentials shall be supplied to successfully connect to the smarthost. The next two options will appear.
The username to be used to authenticate with the smarthost.
The password associated with the username supplied in the previous option.
Select which method the smarthost shall use to authenticate the user.
There are two further options that are used to configure the telephone number to which SMS shall be sent.
The country code to which the phone number belongs.
The actual phone number.
Changed in version 3.0-2014-December: increased the number of events.
New in version 3.0-2014-December: Option to associate custom python scripts to events.
This tab shows a list of all the events that can produce a notification message and allows to configure the actions to be done when each of the events takes place. Right above the list there is a small navigation bar and a search field: The latter can be used to filter only the relevant items.
Warning
If SMS notification is active and the hostname of the Endian UTM Appliance is very long, the SMS may not carry the entire notification message, because the message is trimmed to about 157-159 characters. In case of a long hostname, therefore, it is advisable to activate e-mail notification as well.
The list contains six columns:
The 8-digit ID ABBCCCCD code of the event, which is built as follows:
A represents the layer number, i.e., the system’s component in which the event has taken place:
1 = kernel
2 = system
3 = services
4 = configuration
5 = GUI.
BB is the module number
CCCC is a sequential number assigned to the event
D is the severity of the event. The lower the number, the more severe the event:
0 : critical event
1 : an error
4 : a warning
6 : a recovery from a bad state
8 : an informational message.
A short description of the event.
A ticked checkbox means that an e-mail is sent when the event takes place.
A ticked checkbox means that an SMS is sent when the event takes place.
The script that is executed when the event occurs.
The only action available is to modify the corresponding event by clicking on the icon.
When modifying an event, a new panel appears above the list with the following configuration options displayed.
Event ID and Description are unchangeable as they identify the event and are automatically generated by the system.
By ticking this checkbox, an e-mail will be sent upon the occurrence of the event.
By ticking this checkbox, an SMS will be sent upon the occurrence of the event.
Instead of sending an SMS or an e-mail right after an event, a custom script can be executed, which must first be uploaded using the Scripts tab. By ticking the checkbox, a drop-down menu appears on the right-hand side.
When the previous option is selected, the script to be executed must be chosen from this drop-down-menu.
The following table lists all the event IDs and their descriptions. Note that, depending on the type of appliance, some events may never occur on the Endian UTM Appliance (e.g., on appliances without RAID controllers, events 10100011, 10100026, and 10100038 will never occur).
Event ID | Description
---|---
10100011 | One device of the RAID array failed.
10100026 | The rebuild of the RAID array has completed.
10100038 | Start recovery of the RAID array.
20100016 | One uplink has gone online.
20100024 | One uplink has gone offline.
20100036 | The system has started.
20100044 | The system has shut down.
20100054 | The system is rebooting.
20110030 | All uplinks have gone offline.
20110046 | All uplinks are online.
20110054 | An uplink is dead.
20110066 | An uplink turned back alive.
20200018 | An SSH user has successfully logged in from a remote location.
20200024 | An SSH user failed to log in from a remote location.
20300014 | A disk is getting full.
20400014 | A user has failed to log in to the management interface.
20500018 | SMS credit alert: only … SMS left
20500028 | SMS credit alert: no SMS left
20600018 | Digital Input Rising Trigger on an input
20600028 | Digital Input Falling Trigger on an input
20700018 | OpenVPN client opened tunnel on an interface
20700218 | OpenVPN client closed tunnel on an interface
20800014 | An OpenVPN user failed to log in
20800024 | An IPsec/Xauth user failed to log in
20800034 | An L2TP user failed to log in
20800048 | An OpenVPN user has logged in successfully
20800058 | An IPsec/Xauth user has logged in successfully
20800068 | An L2TP user has logged in successfully
20800078 | An OpenVPN user has logged out
20800088 | An IPsec/Xauth user has logged out
30100018 | The system upgrade has completed successfully.
30100021 | The system upgrade has failed.
30100038 | There are system updates available.
40100016 | The remote access to support user has been revoked.
40100024 | The remote access to support users has been granted.
40100034 | The access for support user has been extended until …
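The ABBCCCCD scheme above can be decoded mechanically, which is handy when deciding which of the many events deserve the limited SMS budget. The following Python code is an added example, not part of the Endian documentation or code base: it splits an event ID into layer, module, sequence and severity using only the digit meanings documented above, rejects IDs whose layer or severity digit is not documented, and selects from a subset of the IDs in the table the critical and error events. The EVENTS dictionary is copied from the table; nothing else about the appliance is assumed.

```python
"""Decode Endian event IDs (ABBCCCCD) and select events by severity.

Added example; not code from the Endian UTM Appliance.  The layer and
severity names are the ones documented for the event ID scheme, and
EVENTS is a subset of the IDs listed in the event table.
"""

LAYERS = {1: "kernel", 2: "system", 3: "services", 4: "configuration", 5: "GUI"}
SEVERITIES = {0: "critical", 1: "error", 4: "warning", 6: "recovery", 8: "informational"}

# Subset of the event table above: ID -> description.
EVENTS = {
    "10100011": "One device of the RAID array failed.",
    "20100024": "One uplink has gone offline.",
    "20110030": "All uplinks have gone offline.",
    "20200024": "An SSH user failed to log in from a remote location.",
    "20400014": "A user has failed to log in to the management interface.",
    "30100021": "The system upgrade has failed.",
    "40100024": "The remote access to support users has been granted.",
}


def decode_event_id(event_id):
    """Split an 8-digit event ID into its documented fields.

    Raises ValueError for malformed IDs and for layer or severity digits
    that the scheme does not define (e.g. severity 2).
    """
    text = str(event_id)
    if len(text) != 8 or not text.isdigit():
        raise ValueError("event ID must be 8 decimal digits: %r" % (event_id,))
    layer, module, sequence, severity = (
        int(text[0]), int(text[1:3]), int(text[3:7]), int(text[7]))
    if layer not in LAYERS:
        raise ValueError("unknown layer digit %d in %s" % (layer, text))
    if severity not in SEVERITIES:
        raise ValueError("unknown severity digit %d in %s" % (severity, text))
    return {
        "layer": LAYERS[layer],
        "module": module,
        "sequence": sequence,
        "severity": severity,
        "severity_name": SEVERITIES[severity],
    }


def is_valid_event_id(event_id):
    """True if event_id follows the documented scheme."""
    try:
        decode_event_id(event_id)
        return True
    except ValueError:
        return False


def events_at_most(events, max_severity):
    """Return, sorted, the IDs whose severity digit is <= max_severity.

    A lower digit means a more severe event, so max_severity=1 selects
    the critical and error events: a sensible set for SMS notification.
    """
    return sorted(e for e in events if decode_event_id(e)["severity"] <= max_severity)


if __name__ == "__main__":
    for event_id in events_at_most(EVENTS, 1):
        info = decode_event_id(event_id)
        print(event_id, info["layer"], info["severity_name"], EVENTS[event_id])
```

Run on the full table, the same selection shows that only three listed events are error or critical (the RAID device failure, all uplinks offline, and a failed upgrade); everything else is a warning or informational and is better left to e-mail.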
SMS notifications are used by the hotspot, to activate accounts or tickets.
This box is divided into two parts: at the top it is possible to add SMS bundles, while at the bottom some information about the SMS contingent is displayed.
To add a new SMS bundle, it must be first purchased on the Endian Network, after which an activation code will be generated. This activation code must be supplied in this textbox.
After supplying a valid activation code, clicking on this button will add an SMS contingent that will be used for sending the notifications.
The number of SMS that are at disposal.
The number of SMS that have already been used, but not yet delivered to the recipient. This event may occur for example if the recipient was not reachable.
New in version 3.0-2014-December: upload and management of custom scripts to be triggered when an event takes place.
Besides sending an e-mail or an SMS, a third option has been introduced: uploading Python scripts that are executed right after an event occurs on the Endian UTM Appliance. In this tab it is possible to upload Python scripts and to associate them with the various events; more precisely, one Python script can be assigned to each event.
At the bottom appears a table of the scripts already uploaded, which is initially empty and shows the following information about each script:
Name: The name given to the script.
Description: A description of the script.
Actions: The available actions for the script:
modify the script. By clicking on this icon, a panel appears in which to manage the script.
download the script on the local workstation.
remove the script from the Endian UTM Appliance.
On top of the table, a click on the Add new script hyperlink allows to upload a Python script to the Endian UTM Appliance, to be executed when an event occurs. Uploaded scripts must adhere to the guidelines reported below. The following options are available.
The name given to the script.
A description of the script, e.g., its purpose.
Click on the button underneath to open a dialog window from which to choose the file to upload.
Requirements for the Python scripts.
Python scripts that shall run on the Endian UTM Appliance must follow a few design guidelines to ensure the proper interaction with the system, which can be summarised as follows.
The script must be importable. In other words, the script can use other Python modules installed on the system, but it cannot rely on Python modules which are not present on the system.
The script must implement a class called ScriptEvent.
A method called process must be implemented in the ScriptEvent class. This is the method that is invoked when the associated event takes place.
The process method must accept the **kwargs parameter, that is, it must accept a dictionary of key: value parameters.
An example script that satisfies the above requirements, and therefore can be uploaded to the Endian UTM Appliance, is the following one.
import time


class ScriptEvent(object):
    def __init__(self):
        self.filename = "/tmp/fubar"

    def process(self, **kwargs):
        # Called once per event; kwargs carries the event data.
        with open(self.filename, "a") as f:
            f.write("Hello world, it is now %s\n" % time.time())
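A script that violates one of the four requirements only fails once an event fires on the appliance, which is a poor moment to find out. The following checker is an added example, not part of the Endian documentation or code base: it loads a candidate script the way an importing host would, verifies the four requirements (importable, a class named ScriptEvent, a process method, **kwargs accepted) and then delivers one event to it. The three sample scripts are constructed here; the keyword names used in the sample call (event_id, description) are assumptions, since this page does not document which keys the appliance passes to process(). The checker itself needs Python 3 on the workstation; the candidate scripts use syntax valid in both Python 2 and 3.

```python
"""Pre-upload check for an Endian event script (added example).

Not code from the Endian UTM Appliance.  check_script() loads a script
file and reports which of the documented requirements it violates;
run_event() instantiates ScriptEvent and calls process(**kwargs) once,
mimicking what the appliance does when an associated event occurs.
Loading a script executes its top-level code, so only check scripts
you wrote yourself.
"""
import importlib.util
import inspect
import os
import tempfile

# Constructed sample that satisfies all four requirements.  It records
# every keyword the host passes, one JSON object per line, so the log
# stays parseable whatever the (undocumented) key names turn out to be.
GOOD_SCRIPT = '''
import json, os, tempfile, time

class ScriptEvent(object):
    def __init__(self):
        self.filename = os.path.join(tempfile.gettempdir(), "endian-events.log")

    def process(self, **kwargs):
        record = dict(kwargs)
        record["received_at"] = time.time()
        with open(self.filename, "a") as fh:
            fh.write(json.dumps(record, sort_keys=True, default=str) + "\\n")
        return record
'''

# Constructed sample: wrong class name.
WRONG_CLASS_SCRIPT = '''
class EventHandler(object):
    def process(self, **kwargs):
        pass
'''

# Constructed sample: right class, but process() refuses keyword arguments.
NO_KWARGS_SCRIPT = '''
class ScriptEvent(object):
    def process(self):
        pass
'''


def write_temp(source):
    """Write script source to a temporary .py file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as fh:
        fh.write(source)
    return path


def load_module(path):
    """Import a script from an arbitrary path without touching sys.modules."""
    spec = importlib.util.spec_from_file_location("candidate_event_script", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def check_script(path):
    """Return a list of problems; an empty list means the script is acceptable."""
    try:
        module = load_module(path)
    except Exception as exc:  # SyntaxError, ImportError, errors at import time
        return ["not importable: %s: %s" % (type(exc).__name__, exc)]
    cls = getattr(module, "ScriptEvent", None)
    if not inspect.isclass(cls):
        return ["no class named ScriptEvent"]
    process = getattr(cls, "process", None)
    if not callable(process):
        return ["ScriptEvent has no process method"]
    kinds = [p.kind for p in inspect.signature(process).parameters.values()]
    if inspect.Parameter.VAR_KEYWORD not in kinds:
        return ["ScriptEvent.process must accept **kwargs"]
    return []


def run_event(path, **kwargs):
    """Instantiate ScriptEvent and deliver one event, as the appliance would."""
    handler = load_module(path).ScriptEvent()
    return handler.process(**kwargs)


if __name__ == "__main__":
    for label, source in (("good", GOOD_SCRIPT), ("wrong class", WRONG_CLASS_SCRIPT),
                          ("no kwargs", NO_KWARGS_SCRIPT)):
        print(label, check_script(write_temp(source)) or "OK")
```

Point check_script() at the file you are about to upload; only a script for which it returns an empty list and for which run_event() completes without raising is worth uploading.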
See also
See the Endian code API documentation.
Changed in version 2.5: Moved from the Endian Network sub menu
The management of the software updates is done from here. It is possible at any time to manually check for available updated packages, or to schedule a periodic check.
In this page there are two boxes: One with the current status of the system and one to schedule a routine check for updates.
The Status box informs whether the system needs updates or not. In the former case, a list of available packages is presented, while in the latter the message “Your Endian UTM Appliance is up to date!” is displayed. Moreover, additional messages inform of the last date and time when a check for updates and the last upgrade have been carried out. These options are available:
A manual check for updated packages is started, and any upgradable package found is listed here. Individual packages can be chosen from the list and installed.
The update process is launched: The system downloads the updated packages which are then installed, replacing the old ones.
Note
In order to check for updates, a valid maintenance subscription is required; otherwise no update will show up, even if available.
The Schedule box allows to set up a periodic job, governed by the cron daemon, that retrieves the list of updated packages. The available, mutually exclusive, options are Hourly, Daily, Weekly, and Monthly. Moving the mouse over the small ? next to each option shows a tool-tip with the exact time at which the job will run.
In this page it is possible to manage requests for assistance to the Endian support.
Note
To be able to submit a support request, the system must be registered to the Endian Network. If not, the “Currently no running maintenance available.” message will be displayed.
If the system is not registered, support request can be made to one of the several forums or mailing lists enumerated in the Endian web sites section.
The page is divided in two boxes with different purposes: The first one contains a link to open the support's home page, while in the second one it is possible to grant SSH access to the support team.
This box contains only a hyperlink to the home page of the support.
By clicking on this link, a new tab in the browser will open, where it is possible to find directions on how to fill in an assistance request to the support team.
Optionally, access to the firewall can be granted via SSH, a secure, encrypted connection that allows a member of the support staff to log in to the Endian UTM Appliance, verify its configuration and inspect it to find out where the problem lies. The box contains an informative message, the status of the access, which is either DENIED or ALLOWED. When the status is DENIED a button appears at the bottom of the box:
Allow access
Click on this button to grant the support team 4 days of access to the Endian UTM Appliance.
When the support team access is allowed, a new message appears under the status message: Access allowed until: followed by the date and time when access to the Endian UTM Appliance will be revoked. Moreover, there are two buttons at the bottom of the box.
Immediately revoke the grant to access the Endian UTM Appliance.
If the support team needs more time to inspect the Endian UTM Appliance, a click on this button extends the access grant by four more days.
Note
When enabled, the support team's public SSH key is copied to the system and access is granted via that key. The support team will not authenticate with username/password to the Endian UTM Appliance, and the root password of the Endian UTM Appliance is never disclosed in any way to the support team. Granting, extending, and revoking this access are reported by events 40100024, 40100034, and 40100016 respectively (see Menubar ‣ System ‣ Event notifications), so a notification can be configured to record every change of this grant.
If the Endian UTM Appliance has been purchased with a maintenance package, it can be registered and connected to the Endian Network, the Endian solution for an easy and centralised monitoring, managing, and upgrading of all the registered Endian UTM Appliance systems, with just a few clicks. Note that many functionalities of the Endian UTM Appliance (e.g., support, sms notification, and so on) require that the appliance be registered to the Endian Network.
This page is organised into two tabs, namely Subscription and Remote Access.
If the firewall has not yet been registered to the Endian Network, the registration form is shown, which can be filled in before submitting the request for registration. After the registration has been completed, the Subscription tab shows three boxes:
Basic data about the Endian UTM Appliance: Serial number, activation code, model of the appliance, and the maintenance package chosen.
A summary of the Endian Network support status: System name, organisation for which the Endian UTM Appliance is registered, system ID, and the date of the last update.
To receive updates from and to participate in the Endian Network, at least one valid (i.e., not expired) activation key is required. There is a key for each support channel, but typically just one, shown with the expiry date and the days of maintenance left. An expired key is shown by its channel name stricken-through and by the expired string in the corresponding Days left column.
The Remote Access tab allows to choose whether the Endian UTM Appliance can be reached through the Endian Network and by which protocol. To allow access, click on the grey switch on the top of the page: Its color will turn green, and two access options can be chosen, by ticking the checkbox:
The Endian UTM Appliance can be reached via the web interface.
Login via a secure shell to the Endian UTM Appliance is allowed. Activating this option automatically activates the SSH access.
See also
A step-by-step lesson to register the Endian UTM Appliance on the Endian Network is available here.
In this page passwords can be changed for each of three default users, by writing each new password twice and then by pressing the corresponding Change Password button:
The user that can connect to the web interface for administration.
A special user that can only manage uplinks, with a limited interface access. It is not present in recent versions of the Endian UTM Appliance.
The user that can login to the shell for administration. Logins can be made either via the serial console, or remotely with an SSH client.
Hint
Passwords need to be at least 6 characters long. This is only the minimum accepted by the interface: since the root account can be reached over the serial console and SSH, choose considerably longer passphrases, and do not reuse the same password for the three users.
New in version 2.5.
The web console provides an applet which emulates a terminal within the browser window, that serves as a CLI to carry out administrative tasks.
The functionalities of the web console are the same found upon logging in via serial console or SSH. On the bottom left of the applet, a message shows the status of the console: Connected or Disconnected. It is possible to exit at any time by typing exit in the console and then pressing Enter on the keyboard, like in any normal console.
When disconnected, click again on the Web console sub-menu item to reconnect. On the bottom right of the applet, two hyperlinks show up:
When clicking on this link, a keyboard applet appears below the console, that can be used to type and execute commands by clicking the mouse on the various keys.
Note
When the web console is disconnected, this applet does not communicate with the console.
This link toggles the possibility to send input from the keyboard to the web console.
Hint
This option has no effect on the virtual keyboard.
This screen allows to enable remote SSH access to the Endian UTM Appliance. It is disabled by default, which is the recommended setting. There are two boxes in the page: Secure Shell Access Settings and SSH host keys.
The SSH access is activated by clicking on the grey switch. The SSH service is started and, after a few seconds, some configuration options are displayed:
Example SYS-1 - Traffic Tunnelling over SSH.
Assume that a service such as telnet (or any other TCP service that can be tunnelled through SSH) is running on a computer inside the GREEN zone, say port 23 on host myhost with IP address 10.0.0.20, and that it should be reached securely from outside the LAN, i.e., from the RED zone, through an SSH tunnel to the Endian UTM Appliance. While access to GREEN from the RED interface is in general not recommended, it might prove useful in some cases, for example during the testing phase of a service.
Enable SSH and make sure that the SSH port of the Endian UTM Appliance can be reached from the RED zone, by configuring the firewall in Menubar ‣ Firewall ‣ System access. The connection to myhost is then opened by the Endian UTM Appliance itself, from inside the GREEN zone.
From an external system connect to the Endian UTM Appliance using the command ssh -N -f -L 12345:10.0.0.20:23 root@appliance, where -N tells SSH not to execute commands, but just to forward traffic, -f makes SSH run in the background and -L 12345:10.0.0.20:23 maps the external system's port 12345 to port 23 on myhost, as it can be seen from the Endian UTM Appliance.
The SSH tunnel from port 12345 of the external system to port 23 on myhost is now established. On the external system now it suffices to telnet to port 12345 on localhost to reach myhost.
This is only needed for old SSH clients that do not support newer versions of the SSH protocol.
Warning
The activation of the SSH version 1 is strongly discouraged, since this version is not maintained anymore, deprecated, and contains well known vulnerabilities that could be exploited by malicious users. SSH clients nowadays shall always use version 2 of SSH, which is more secure and reliable.
Ticking this option lets other protocols be tunneled through SSH. See SYS-1 example for a sample use case.
Permit logins using password authentication. Password logins expose the root account to password guessing from every network on which the SSH service is reachable; whenever possible, rely on the next option instead and leave this one unticked.
Logins with public keys are allowed. The public keys of the clients that can login using key authentication must be added to the file /root/.ssh/authorized_keys.
Click on this button at the bottom of the box to save the setting of the above four options.
Note
The SSH access is automatically activated when at least one of the following options is true:
Endian support team access is allowed in Menubar ‣ System ‣ Support.
High availability is enabled in Menubar ‣ Services ‣ High Availability.
SSH access is enabled in Menubar ‣ System ‣ Endian Network ‣ Remote Access.
At the bottom of the page, a box details the public SSH host keys of the Endian UTM Appliance, generated during the first start of the OpenSSH server, along with their fingerprints and their size in bits. Compare these fingerprints with the one presented by the SSH client on its first connection: a mismatch means the connection is not terminating at the Endian UTM Appliance.
New in version 2.5: Japanese language
New in version 3.0: Simplified Chinese, Portuguese, Russian, Spanish, and Turkish languages.
Two configuration options for the GUI are present here. The first option is the language that will be used for the section names, the labels, and all the strings used in the web interface and can be selected from a drop-down menu. The languages currently supported are: English, German, Italian, Simplified Chinese, Japanese, Portuguese, Russian, Spanish, and Turkish.
The second option is to display the hostname of the Endian UTM Appliance in the browser’s window title, activated by ticking the checkbox Display hostname in window title.
In the Community release it is also possible to click on the Help translating this project link, which will open the Endian UTM Appliance translation page. Any help is appreciated!
In this section the management of the backups can be carried out: Creation of backups of the current Endian UTM Appliance configuration and system rollback to one of these backups when needed. Backups can be saved locally on the Endian UTM Appliance host, on a USB stick, or downloaded to a workstation.
It is also possible to reset the configuration to factory defaults, to create fully automated backups, and to carry out various other administrative tasks concerning backups.
This section is organised into two tabs, Backup and Scheduled backups: The former is used to manage manual backups, while the latter to set up automatic, scheduled backups.
In the Backup tab there are four boxes, that allow to manage the manual backups.
The first box contains a list of the backups stored on the Endian UTM Appliance, both manual and scheduled ones, an option to create a new backup, and the legend of the symbols that accompany each backup. If a USB stick is plugged into the Endian UTM Appliance and detected, the backups stored on it are displayed as well.
When clicking on the Create new Backup button, a dialogue box opens up in which to select the data to be included in the backup.
The backup contains all the configuration settings, including all the changes and customisation done so far, or, in other words, all the content of the /var/efw directory.
The content of the database will also be backed up.
Warning
The database dumps may contain sensitive data, so whenever a backup contains a database dump, make sure that it is stored in a safe place.
Include the current log files (e.g., /var/log/messages), but not the log files of the previous days.
Include also older log files that have been rotated, like e.g. /var/log/messages.YYYYMMDD.gz. Backups created with this option may become very big after some time.
A comment about the backup, that will appear in the Remark column of the table. Hence, it should be meaningful enough to allow a quick recall of the content.
At least one of the checkbox must be ticked to create a new backup.
The format and name of the backup files.
Backup files are created as tar.gz archives, using the standard Linux tools tar and gzip. The files stored in the archive can be extracted with tar zxf archivename.tar.gz, or with tar vzxf archivename.tar.gz to see every file processed and extracted, the v option meaning verbose. The name of a backup file is built to be unique and to convey as much information as possible about its content, so it can become quite a long string, e.g., backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz. Here 20130208093337 is the timestamp of the backup's creation in the form YYYYMMDDHHMMSS, in this example the 8th of February 2013 at 9:33:37 AM; this choice allows the backups to be ordered lexicographically from the oldest to the most recent one. myappliance.mydomain are the Endian UTM Appliance's hostname and domain name as set in Step 3 of the Network configuration (Menubar ‣ System ‣ Network configuration), and settings-db-logs-logarchive describes the content of the backup. In this case it is a full backup, since all four parts appear in the name; a backup containing only settings and logs, for example, is identified by the string settings-logs.
In order to create a backup on a USB external drive, a USB drive (even a stick) must be plugged into the Endian UTM Appliance. It is suggested to use a FAT32/VFAT filesystem, as this maximises portability to other systems. When the stick is detected, the message USB stick detected will appear on the right-hand side of the box, along with a new option Create backup on USB stick. The checkbox next to this option must be ticked for the backup to be stored on the stick.
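The naming scheme is regular enough to be parsed, which is useful when backups are exported to a workstation or mailed out and have to be sorted, pruned, or checked for sensitive content before being stored. The following Python code is an added example, not part of the Endian documentation or code base: it parses a backup file name into timestamp, host and content parts, flags archives that contain a database dump (which, as the warning above says, may hold sensitive data and should be kept encrypted), and verifies on a set of names that the lexicographic maximum is indeed the most recent backup. Apart from the name quoted in the text, the sample names are constructed; the backup archives themselves are not read.

```python
"""Parse Endian backup file names and order them by creation time.

Added example; not code from the Endian UTM Appliance.  It relies only
on the naming scheme described above:
backup-<YYYYMMDDHHMMSS>-<hostname.domainname>-<content parts>.tar.gz
"""
import re
from datetime import datetime

CONTENT_PARTS = ("settings", "db", "logs", "logarchive")

_PART = "(?:settings|db|logs|logarchive)"
_BACKUP_RE = re.compile(
    r"^backup-(?P<stamp>\d{14})-(?P<host>.+?)-"
    r"(?P<content>" + _PART + "(?:-" + _PART + ")*)"
    r"\.tar\.gz$")

# Constructed sample listing; the first name is the one quoted in the text.
SAMPLE_NAMES = [
    "backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz",
    "backup-20121231235959-my-appliance.example.org-settings-logs.tar.gz",
    "backup-20130301120000-myappliance.mydomain-settings.tar.gz",
    "notes.txt",
]


def parse_backup_name(name):
    """Return the fields encoded in a backup file name, or raise ValueError."""
    m = _BACKUP_RE.match(name)
    if m is None:
        raise ValueError("not an Endian backup file name: %r" % (name,))
    content = m.group("content").split("-")
    return {
        "created": datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S"),
        "host": m.group("host"),
        "content": content,
        "full": set(content) == set(CONTENT_PARTS),
        # Database dumps may hold user passwords and billing data, so such
        # archives must be stored encrypted (see the warning above).
        "sensitive": "db" in content,
    }


def newest_backup(names):
    """Return the most recent backup name, or None if no name matches.

    The timestamp prefix makes lexicographic order equal creation order;
    the assertion double-checks that claim on the given names.
    """
    valid = [n for n in names if _BACKUP_RE.match(n)]
    if not valid:
        return None
    newest = max(valid)
    latest_stamp = max(parse_backup_name(n)["created"] for n in valid)
    assert parse_backup_name(newest)["created"] == latest_stamp
    return newest


def sensitive_backups(names):
    """Names of the archives that contain a database dump."""
    return [n for n in names if _BACKUP_RE.match(n) and parse_backup_name(n)["sensitive"]]


if __name__ == "__main__":
    print("newest:", newest_backup(SAMPLE_NAMES))
    print("store encrypted:", sensitive_backups(SAMPLE_NAMES))
```

The non-greedy host group lets hostnames that themselves contain a hyphen (my-appliance.example.org in the sample) parse correctly, because the content part is anchored to the .tar.gz suffix and limited to the four documented keywords.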
Click on the Create Backup button to create the backup. After a short time, during which the files required by the backup are gathered and assembled into the archive, the new backup appears in the list. The end of the backup process is marked by a yellow callout that appears above the box, showing the message Backup completed successfully.
The list of available backups, which is initially empty, presents for every backup the creation date, the content shown by a set of letters, the remark, and the list of actions available on each backup file. Automatic backups are marked with the string Auto - backup before upgrade.
The content of each backup is marked by at least one of the following letters or symbols, corresponding to the option specified during its creation:
A, Archive. The backup contains archived log files.
C, Cron. The backup has been created automatically by a scheduled backup job.
D, Database dumps. The backup contains a database dump.
E, Encrypted. The backup file is encrypted.
L, Log files. The backup contains today’s log files.
S, Settings. The backup contains the configurations and settings.
U, USB. The backup has been saved to a USB stick.
!, Error. Something did not succeed while sending the backup file by email.
The available actions are to export an archive to the local workstation, to delete it , or to restore it on the Endian UTM Appliance.
The second box makes available the option to encrypt all the backups by providing a GPG public key. Select the GPG public key by clicking on the Choose file button to upload the key file from the local file system. Make sure the checkbox Encrypt backup archives is ticked, then upload the key file by clicking on Save.
Hint
Encrypt backup archives whenever sensitive data is saved in the backup file, like for example the passwords of users stored in the database or the hotspot's user data and billing information.
The third box lets a previously saved backup archive be uploaded to the Endian UTM Appliance. The backup file can be selected by clicking on the Choose file button and then choosing the backup file from the local file system. Optionally, some note to the backup can be added in the Remark field. Finally, the backup is uploaded by clicking on the Import button. The backup appears after a short period in the backup list at the top of the page, and can be restored by clicking on the restore icon .
Note
It is not possible to import encrypted backups on the Endian UTM Appliance: Any encrypted backup must be decrypted before being uploaded.
The fourth box allows to wipe out all configurations and settings done so far and reboot the system with the default configuration. This result is achieved by clicking on the Factory defaults button: The configuration of the Endian UTM Appliance is reset to the factory defaults and rebooted immediately, right after a backup copy of the current settings has automatically been saved.
Automated backups of the system can be enabled and configured in the Scheduled backups tab, which contains two boxes.
In the first box, automatic backups are enabled and configured. When enabled, the elements of the Endian UTM Appliance to be included in the backup can be chosen as seen in the Backup Sets box in the other tab. The only difference is that for scheduled backups there is no possibility to specify a remark. Additional options are:
Enable scheduled backups.
Choose from the drop-down how many backups to keep on the Endian UTM Appliance (from 2 up to 10, but they can be exported to save space).
The frequency between backups, either hourly, daily, weekly, or monthly.
In the second box, the system can be configured to send the backups by e-mail. The following options are available.
Allows backup archives to be sent via e-mail.
The e-mail address to which to send the e-mail with the backup.
The e-mail address that will appear as the sender’s e-mail address, which proves useful when backups should appear to have been sent from a special address (say, backups@myappliance.mydomain), and must be provided if the domain or hostname are not resolvable by the DNS.
The address of a smarthost to be used to send the e-mails, which is needed in case the outgoing e-mails should go through a SMTP server, like, e.g., the Company’s SMTP server, rather than to be sent directly by the Endian UTM Appliance.
Hint
The explicit address of a smarthost is needed if the SMTP proxy (Menubar ‣ Proxy ‣ SMTP) is disabled.
A click on this button will save the settings and immediately try to send an e-mail with the backup's archive as attachment, an action that also serves as a test for the correctness of the data supplied.
See also
A guide to create a backup on a USB stick.
Options to either shut down or reboot the Endian UTM Appliance, by clicking on the Shutdown or the Reboot button respectively, are provided in this page.
Warning
The shutdown or reboot process starts immediately after clicking on the respective button, with no further confirmation request.
After a reboot, it is possible to continue using the GUI without authenticating again.
This section displays the license agreement between Endian and the owner of the Endian UTM Appliance.
Note
After an upgrade, if the license agreement changes, at the first login it is necessary to accept the new license agreement before accessing the upgraded system and being allowed to use the Endian UTM Appliance.