Endian banner

The System Menu

The System menu provides several information about the Endian UTM Appliance and its status, and allows to define the network setup and some access modalities (e.g., via SSH or for the Endian support).

The sub-menu on the left-hand side contains the following items, which allow for some basic administration tasks and to monitor the running activities of the Endian UTM Appliance.

  • Dashboard - overview of the system and of the connections status.

  • Network configuration - network and network interface configuration.

  • Event notifications - set up of notification via e-mail or SMS.

  • Updates - management of system updates.

  • Support - support request form.

  • Endian Network - Endian Network registration information.

  • Connect to Switchboard - automatically connect an Endian device to the Switchboard.

  • Passwords - set system passwords.

  • Web console - a console shell on the browser.

  • SSH access - enable/configure SSH access to the Endian UTM Appliance.

  • GUI settings - web interface language settings.

  • Backup - backup or restore Endian UTM Appliance settings as well as reset to factory defaults.

  • Shutdown - shutdown or reboot the Endian UTM Appliance.

  • License Agreement - a copy of the User License Agreement.

New in version 5.0.5: Connect to Switchboard procedure.

The remainder of this section will describe the various parts that compose the System menu items.

Dashboard

The Dashboard is the default landing page, the one that is displayed upon every login. It encompasses several boxes (“plugins”) organised in two columns that provide a complete overview of the running system and of its status and health. The top of each box reports the name of the box, and a click on the openplugin icon of each plugin will show only its title bar. The information visible on screen are updated at regular intervals.

Plugins can moved around by simply clicking on them, then dragging&dropping them in the desired position. One configuration option is available.

Show settings

By clicking on this link, a small table will open, that shows the available plugins, their description, and the refresh interval. Each plugin can be enabled or disabled and the update interval customised by selecting the Update interval from the drop-down menu.

The available plugins and the information they display are described next.

System Information Plugin

It shows several information about the installed system. It usually presents the hostname and domainname of the Endian UTM Appliance in the title.

Appliance: The appliance type.

Version: The version of the firmware.

Kernel: The current running kernel.

Uptime: The time since the last reboot.

Update status: A message depending on the Endian UTM Appliance status:

  • up to date. No updates are available.

  • update required. New packages can be installed: A click on the message leads to the Updates page where it is possible to review the list of new packages.

  • Please register. The system has not yet been registered to Endian Network: A click on the message will open the Endian Network page on the Endian UTM Appliance, in which to compile a form to complete the registration.

Maintenance: The remaining days of validity of the maintenance support, or the not registered string.

Support access: Whether the support team can access the Endian UTM Appliance or not. In the former case, it is also shown the date until the access is granted.

Hardware Information Plugin

It shows the main hardware information of the Endian UTM Appliance and the resource availability. All the information are provided with the absolute value (graphically with a small bar and in number at the end of a line) and the percentage of their use. The only exception is the CPU load, which shows only the percentage of use, in graphic and numbers.

CPU x: The load of the CPU, where x represents the CPU number, for those appliance that have more than one CPU.

Memory: The amount of the RAM memory used.

Swap: How much swap disk space is used. A high percentage here usually means there is something not working correctly.

Main disk: The usage of the root partition.

Data disk: The usage of the /var partition.

Configuration disk: The space occupied by the partition containing all the Endian UTM Appliance services and settings, /var/efw

Log disk: The amount of space used in the partition containing the logs, /var/log, including archive

The numeric values on the right-hand side of the shows the dimension of the partition, i.e., the amount of total space available.

Warning

A partition on the hard disk (e.g., main disk, data disk, and especially /var/log) must never be filled up more than 95% or more, as this can cause service disruption and data loss.

See also

There are a few suggestions to free space on filled up partitions in this guide.

Service Information Plugin

This plugin carries information about events recorded by some of the most important services installed on the Endian UTM Appliance and their actual status. A click on the name of the service shows or hides the tasks carried out by the service.

For each running service is shown a summary of the tasks accomplished during the last hour and the last day and there is the possibility to open in a new window the respective Live Logs.

Hence, if some number in the summaries sounds strange or not common compared to the normal activities (e.g., the IDS has detected some attack), the logs can be controlled to search for some useful message that has been recorded.

Supported services are:

Intrusion Detection: The number of attacks logged by snort.

SMTP Proxy: Statistics about processed email sent through the Endian UTM Appliance.

HTTP Proxy: Statistics about the web pages accessed using the HTTP proxy.

POP3 Proxy: E-mails received, viruses found, and spam e-mails received.

Hint

Inactive services are marked with the OFF message.

Network Information Plugin

It shows information about the network interfaces of the firewall and the traffic. The upper part of this plugin shows several data about the network interfaces of the Endian UTM Appliance: Their name, type, link (Up if a connection is established, Down otherwise), and the In- and Outgoing traffic. The latter two data are updated in real-time.

When ticking the checkbox near the device name, that device is shown in the graphs underneath. The devices’ name is coloured according to the zone they serve.

The lower part of the plugin contains two charts: The first one shows the incoming traffic, while the second one the outgoing traffic.

The traffic of each interface is coloured according to the zone it belongs to; Bridges built on one device are shown in the same colour as the device. and different interfaces belonging to the same bridge are shown with a different shade of color.

Like the traffic data in the upper part, both charts are updated in real-time.

Hint

Up to six interfaces can be selected and shown in the charts.

Signatures Information plugin

This plugin shows the timestamp (date and hour) of the last time that signatures for a service have been downloaded. In case a service has not yet been enabled, it is not shown in the list.

The services that may appear here are: Clamav, IPS, Panda, and Urlfilter.

Note

If for one uplink the option Disable signature updates if uplink is online is active (see Network ‣ Interfaces ‣ Uplink Editor), signatures will not be downloaded and the message Signature download is disabled by uplink configuration will be displayed.

Network configuration

The configuration of the networks and of the network interfaces serving the zones is fast and easy with this 8-step wizard. It is possible to freely navigate back and forth the step, using the <<< and >>> buttons and even decide at any moment to cancel the actions done so far. Only at the last step it is required to confirm the new settings: In that case, all the changes made will be applied. Note that while applying the new settings, the web interface might not respond for a short period.

The Stealth Uplink mode.

The Stealth Uplink mode represents a new possibility to seamlessly integrate the Endian UTM Appliance into an existent network infrastructure without the need to modify the existent routing or firewalling rules.

The Stealth Uplink mode requires a Endian UTM Appliance equipped with at least two NIC serving the same zone, which can be GREEN, ORANGE, or BLUE. One of these interfaces routes all the traffic directed from the zone to a gateway and in practice represents the Endian UTM Appliance’s ‘uplink’.

The presence of an explicit interface designated as ‘uplink’ allows to distinguish a direction for the traffic flowing outside the zone served by the Stealth Uplink and to filter it using the outgoing firewall. This is the main difference with the no uplink mode (previously known as Gateway mode) in which there is no possibility to filter outgoing traffic and therefore the application control was not applicable.

The Stealth Uplink operating mode requires a particular set up in the Endian UTM Appliance’s firewall setup.

  • System access rules are handled normally.

  • Port forwarding and Destination NAT rules can also be configured normally. However, being the outgoing interface in the same zone as the internal network, the rules will be applied from both sides of the zone.

  • Source NAT is not applied for outgoing connections in this setup as otherwise the behaviour would not be transparent anymore.

  • The outgoing firewall is used for all the traffic that flows from the zone served by the Stealth Uplink through the NIC designated as uplink, allowing to exploit the abilities of the application control.

  • The interzone firewall is employed for all the remaining traffic between the other zones, if defined. It the Stealth Uplink bridge is composed by three or more interfaces, and hence two or more serve the corresponding zone, also the traffic among these and the other zones can be filtered by the interzone firewall.

Due to the availability of this uplink mode, also the GUI of the network configuration wizard has changed, especially in the first page of the wizard, to clarify the differences among the various uplinks and the configuration options available for each of them.

The 8 steps in which the wizard is divided are:

2/8 - Choose network zones

The Endian UTM Appliance separates the networks connected to it into four main zones, as described in this section. At this point the two most important zones - GREEN and RED - have already been encountered during the installation: This step allows to enable one or two additional zones, depending on the services that should be provided by the Endian UTM Appliance: ORANGE -used as the DMZ network portion- and BLUE -used as segment for wireless clients. Their full configuration will be possible in the next step.

Note

In the Endian UTM Appliance, one network interface is reserved for the GREEN zone and another one has possibly been assigned to the RED zone, if the RED interface requires a network card. This might limit the choices here to the point that the ORANGE or BLUE zone cannot be enabled, due to lack of additional network interfaces.

3/8 - Network Preferences

This step concerns the configuration of the GREEN zone, if needed, and of any zone chosen in the previous step. For each of the zones enabled, the following options can be configured:

Enable DHCP server on this zone

This option is available only for the GREEN zone and allows you to enable the DHCP service automatically after finishing the network configuration procedure.

IP address

The IP address (such as 192.168.0.1) of the interface, which should not be already in use in the network.

Hint

Good practice suggest that the last octet be 1, since the interface will gather the traffic of the whole subnet.

Remember also that a change in the IP addresses of an Endian UTM Appliance, especially in a production environment, might require to adjust additional settings elsewhere, for example the HTTP proxy configuration in the workstations, otherwise the web browsers will not work correctly.

Warning

When configuring the interfaces of the GREEN zone, make sure to not remain locked out of the web interface! This situation may occur for example when changing the GREEN IP address into one that is not reachable from the current GREEN segment and then saving the settings. In this case the only access to the Endian UTM Appliance is via serial console.

Network mask

Define the network mask from a drop-down menu containing the possible masks (e.g., /24 - 255.255.255.0).

Hint

All the devices connected to the same subnet shall have the same netmask to communicate properly.

Add additional addresses

Additional IP addresses for different subnets can be added to the interface here.

Interfaces

Map a network interface to a zone, with the following rules:

  1. Each interface can be mapped to only one zone and each zone must have at least one interface.

  2. When more than one interface is assigned to a zone, these interfaces will be bridged together and act as if they were part of a switch.

For each available interface these information are shown:

  • A colored checkbox, showing which zone the interface serves. No color means that the interface is not assigned to any zone.

  • Port, the number of the port.

  • Link, shows the current status by means of icons: linkok -the link is active, nolink -no link or no cable plugged in, linkna -no information from the driver.

  • Description, the interface’s PCI identification string, as returned by lspci. The string is trimmed, but it can be shown by moving the mouse on the ?.

  • MAC, the interface’s MAC address.

  • Device, the logical name of the device.

    Note

    Internally, the Endian UTM Appliance handles all zones as bridges, regardless of the number of the assigned interfaces. Therefore, the Linux name of the interfaces is brX, not ethX.

Finally, the system’s host name and domain name can be set in the two text boxes at the bottom of the screen.

Private IP Addresses

It is suggested to follow the standard described in RFC 1918 (which has been recently been updated by RFC 6761) and to use for the zone’s setup only the IP addresses contained in the network segments reserved for private use by the IANA, which are:

10.0.0.0 to 10.255.255.255 (10.0.0.0/8, 16,777,216 addresses)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12, 1,048,576 addresses)
192.168.0.0 to 192.168.255.255 ( 192.168.0.0/16, 65,536 addresses)

This choice avoids incurring in DNS resolution errors, as IP addresses not falling within these ranges are likely to have been reserved by other organisations as their public IPs. Moreover, different IP ranges must be used in the different network segments for each interface, for example:

IP = 192.168.0.1, network mask = /24 - 255.255.255.0 for GREEN
IP = 192.168.10.1, network mask = /24 - 255.255.255.0 for ORANGE
IP = 10.0.0.1, network mask = /24 - 255.255.255.0 for BLUE

Note also the first and the last IP address of a network segment (which are usually .0 and .255) are reserved as the network address and the broadcast address respectively, and must not be assigned to any device.

4/8 - Internet access preferences

Changed in version 3.0-20141505: with the introduction of the Bridged and No uplink network modes, this page has slightly changed.

This step allows the configuration of interface chosen in step 1, that connects to the Internet or to any other untrusted network outside Endian UTM Appliance.

Depending on the Network mode chosen in step 1, different options are present here. For the No uplink modes, only one option is present.

Default gateway

The IP address of the gateway that will take charge of routing the network traffic flowing outside the zone. The gateway’s IP address must fall within the network in which the Endian UTM Appliance is located.

An additional option is available when the Bridged mode has been selected:

Bridged zone

This drop-down menu allows to choose to which zone the traffic will be bridged to, among those that have been activated.

When the network mode is Routed, there are more options available and depend on the selected uplink type. At the bottom of the page appear two options that are commonly available, namely MTU and Spoof MAC address with, described below, and the choice of the DNS resolver, available for almost all interface types, which is wither Dynamic or Manual: In the latter case, one valid IP address of a DNS server must be provided manually in the next step. The other configuration options are:

Ethernet DHCP

Only one available option, namely the DNS choice.

Ethernet Static

The IP address and network mask of the RED interface, as well as the IP address of the default gateway, that is, the IP address of the gateway that connects the Endian UTM Appliance to the Internet or to another untrusted network. Optionally, the Ethernet hardware address (MAC address) of the interface can be specified.

Mobile Broadband (3G/4G)

When using this type of connection the system will automatically try to detect the modems that are being used. There are 2 sub-screens once all the modems have been detected.

  1. In the first one select the modem that you want to configure.

  2. In the second sub-screen the system will try to identify your provider and pre-populate the configuration fields for you. Should this step fail please enter the information manually in the Select provider, Select APN and Access Point Name fields.

    If required also enter your Username and Password. The Authentication method is pre-configured as PAP or CHAP and can be changed if needed (if unsure leave it like this).

    Finally you can choose whether you want to specify custom DNS servers or those of your provider by choosing manual or automatic for the DNS option.

Note

Some SIM cards require a personal identification number (PIN) to work, but this is not supported. To allow those cards to work with Endian UTM Appliance, the PIN should be removed from the card.

PPPoE

To configure PPPoE, fill in the form with the username and password assigned by the provider, and the authentication method. Optionally, the provider’s service and concentrator name can be configured, though this is usually not needed.

Hint

If unsure whether to select PAP or CHAP authentication, keep the default option.

Analog Modem

While Endian UTM Appliance supports most modern UMTS modems, some care is required when using them in conjunction with Endian UTM Appliance. On one side, some UMTS modems are USB mass storage devices as well and usually register two devices (e.g., /dev/ttyUSB0, /dev/ttyUSB1): In this case the first device /dev/ttyUSB0 is the modem, the second one is the storage. These types of modem can cause problems when restarting the firewall because the Endian UTM Appliance tries to boot from the USB mass storage device. On the other side, some SIM cards require a personal identification number (PIN) to work, but this is not supported. To allow those cards to work with Endian UTM Appliance, the PIN should be removed from the card.

Note

The SIM card must be plugged in when the Endian UTM Appliance is turned off.

There are 2 sub-screens for this choice.

  1. In the first one, specify to which serial port the modem is connected to and whether it is an analog modem or an UMTS/HSDPA modem.

    Hint

    The /dev/ttyS0 device is reserved for the serial console and is therefore not available as port for modems.

  2. In the second one, configure the modem’s bit-rate, the dial-up phone number or access point name, the username and password that have been assigned by the provider and the authentication method (if unsure, keep the default PAP or CHAP). For UMTS modems it is also necessary to specify the access point name.

The common options are:

MTU

The MTU size of the packets sent over the network.

Spoof MAC address with

Specify a custom MAC address for the RED interface. This setting is required for the proper failover of slave devices in an HA setup. See High availability for more information about the RED address in HA setups.

The MTU size.

While the vast majority of the ISPs uses a standard value of 1500 bytes, in some circumstances the standard MTU size results too high. If that happens, some strange network behaviours will noticed, like e.g., downloads which always stop after a while or connections which will not work at all.

If the ISP does not use a standard MTU size, it is easy to discover the correct one, by sending special ICMP packets with a specific value, that can be lowered until no errors are encountered: At theist point, the MTU size is correct and this value should be entered in the configuration options.

In order to send the icmp packets do the following:

Log in to the EFW and choose a host which can be actually reached (e.g., the ISP’s DNS, which should always be reachable) and ping that host with the following command:

ping -c1 -M do -s 1460 <host> (please refer to the ping(8) manpage for more info).

If the MTU size 1460 is correct, ping replies like the following one are received:

PING 10.10.10.10 (10.10.10.10) 1460(1488) bytes of data.
1468 bytes from 10.10.10.10: icmp_seq=1 ttl=49 time=75.2 ms

If however the current MTU size is still too big for packets of the size 1460, an error message like this will appear:

PING 10.10.10.10 (62.116.64.82) 1461(1489) bytes of data.
ping: sendmsg: Message too long

Retry with different packet sizes (i.e., the value after the -s option), until the correct size has found and no error is displayed. The value shown within brackets in the ping command’s output is the MTU size. In this example the output is 1460(1488), therefore 1488 is the value to select for the MTU size.

An MTU value lower than 1500 may cause problems also in the OpenVPN setup and require to adjust some setting there.

5/8 - Configure DNS resolver

This step allows to define up to two IP addresses for the DNS server, unless they are assigned automatically: In this case, no configuration option can be set and it is safe to move to the next one. If only one DNS server should be used, the same IP address must be entered twice. The IP address(es) of the DNS must be accessible from the Endian UTM Appliance, otherwise URL and domain resolution will not work.

See also

Changes to the RED interface, i.e., the uplink, and the DNS server can be modified later, separately from the other network configuration:

Uplink editor

Menubar ‣ Network ‣ Interfaces ‣ [edit uplink]

6/8 - Configure default admin mail

The configuration of a global administrator e-mail address that will be used by all services to send e-mails, is done here. The administrator e-mail address is then used for notifications, in case of problems or emergencies .These email addresses will be used by the Event notifications.

There are three fields to configure.

Admin email address

A valid e-mail address to which the system e-mails should be sent.

Sender email address

A valid e-mail address that appears as the sender address. A custom sender address proves useful if the recipient wants to filter messages sent by the Endian UTM Appliance.

Address of smarthost

The SMTP server through which the email should be sent.

Hint

Although all the fields may be left blank, it is suggested to supply at least one valid Admin e-mail address.

7/8 - Apply configuration

This step informs that the network setup is now finished and all the new settings have been gathered. Clicking on the OK, apply configuration button will save the settings and apply the configuration by restarting all the necessary services and daemons.

8/8 - End

In the last step, all the configuration files are written to the disk, all the devices are reconfigured and the network-depending services and daemons (e.g., the firewall and ntpd) are restarted as necessary. The whole process may take up to 20 seconds, during which the connection to the administration interface and through the Endian UTM Appliance may not be possible.

The administration interface will then reload automatically. If the GREENIP address has changed, the GUI will be reloaded at the new IP address. In this case or in case the hostname changed, a new SSL certificate is generated to identify the new host.

Note

To change later only some of the settings in the network configuration (e.g., the hostname or the network range of a zone), simply start the network configuration, skip all the steps until the one in which to make the desired changes, edit the appropriate values, then proceed to the last step and finally save.

Event notifications

Whenever some critical event takes place on the Endian UTM Appliance (e.g., a partition is filling up, someone accesses it via SSH or HTTPS, or there are updates available), the event notification functionality allows to be immediately informed by e-mail or SMS. It is also possible to associate a python script to each event, to take immediate actions as a consequence of the event.

Four tabs are available in this page: Configuration, Events, SMS, and Scripts.

Configuration

This tab contains the basic options to configure the E-mail and SMS settings to send the notifications.

To start the event notification functionality, click on the grey switch swoff and wait a few seconds.

The options available are the following, grouped in Email settings and SMS settings.

Use default email settings

Tick the checkbox to use the default e-mail address, otherwise a few more options to configure the SMTP server options will appear.

Hint

The default email address is the one specified during the Installation wizard or in step 6 of Menubar ‣ System ‣ Network configuration.

Use SMTP proxy service

Tick the checkbox to use the system’s SMTP proxy. Additional options appear if this option is not selected

Email sender address

The e-mail address that appear as the sender of the e-mail.

Email recipient address

The e-mail address to which the e-mail will be delivered.

Use smarthost for email delivery

Tick the checkbox to configure the smarthost to be used for delivering the notification e-mail.

Note

While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.

Smarthost address

The URL or IP address of the smarthost.

Smarthost port

The port on which the smarthost listens to.

Connection security

Choose from the drop-down menu which type of security can be used: None, STARTTLS, or SSL/TLS.

Smarthost requires authentication

Tick the checkbox if the smarthost requires credentials to send email. The next two option will appear.

Smarthost username

The username to be used to authenticate with the smarthost.

Smarthost password

The password associated with the username supplied in the previous option. A click on the checkbox on the right-hand side will show the password.

Authentication method

Select which method the smart host shall use to authenticate the user.

The next two options are used to configure notification by SMS.

Destination phone number country prefix

The country code to which the phone number belongs to.

Destination phone number

The actual phone number to which the SMS will be sent..

Events

This tab shows a list of all the events that can produce a notification message and allows to configure the actions to be done when each of the events takes place. Right above the list there is a small navigation bar and a search field: The latter can be used to filter only the relevant items.

Warning

If SMS notification is active and the hostname of the Endian UTM Appliance is very long, it can happen that the SMS will not be able to report the entire notification message, because the message will be trimmed to ca. 157-159 characters. For this reason, we suggest that, in case of a long hostname, also activate e-mail notification.

The list contains six columns:

Event ID

The 8-digit ID ABBCCCCD code of the event. See ref:below <eventid> for more information about the IDs.

Description

A short description of the event.

Email

A ticked checkbox means that an e-mail is sent when the event takes place.

SMS

A ticked checkbox means that an SMS is sent when the event takes place.

Script

The script that is executed when the event occurs.

Actions

The only action available is to modify the corresponding event by clicking on the swedit icon.

When modifying an event, a new panel appears above the list with the following configuration options displayed.

Event ID and Description

These are the identifier of the event and are automatically generated by the system, so they can not be modified.

Send email for this event

By ticking this checkbox, an e-mail will be sent upon the occurrence of the event.

Send SMS for this event

By ticking this checkbox, an SMS will be sent upon the occurrence of the event.

Run custom script for this event

By choosing this option, a custom script will be executed when the event takes palce, rather than sending an SMS or an e-mail. The script must have already been uploaded to the Endian UTM Appliance -see the Scripts tab for more information. By ticking the checkbox, a drop-down menu appears on the right-hand side.

Custom script to run

Choose the script to be associated to the event from this drop-down-menu.

Note

At least one script must have been uploaded in order to be able to associate it to the event. See section Scripts below.

Event ID explained

Each event that takes place on the Endian UTM Appliance is assigned a unique, 8-digit code, A-BB-CCCC-D built from the following four fields:

  • A represents the layer number, i.e., the system’s component in which the event has taken place:

    • 1 = kernel

    • 2 = system

    • 3 = services

    • 4 = configuration

    • 5 = GUI

  • BB is the module number

  • CCCC is a sequential number assigned to the event

  • D is the severity of the event, i.e., the degree of badness of the event. The lower the number, the worst the severity:

    • 0 : critical event

    • 1 : an error

    • 4 : a warning

    • 6 : a recovery from a bad state

    • 8 : an informational message.

The following table shows the list of all the IDs that correspond to an event. Note that, depending on the type of appliance, some event may not be occur on the Endian UTM Appliance (e.g., on appliances without RAID controllers, events 10100011, 10100026, and 10100038 will never occur).

Event ID

Description

10100011

One device of the RAID array failed.

10100026

The rebuild of RAID array has completed.

10100038

Start recovery of RAID array.

20100016

One uplink has gone online.

20100024

One uplink has gone offline.

20100036

The system has started.

20100044

The system has shut down.

20100054

The system is rebooting.

20110030

All uplinks have gone offline.

20110046

All uplinks are online.

20110054

An uplink is dead.

20110066

An uplink turned back alive.

20200018

An SSH user has successfully logged in from a remote

location.

20200024

An SSH user failed to log in from a remote location.

20300014

A disk is getting full.

20400014

An user has failed to log in to the management

interface.

20500018

The number of available SMS is low

20500028

There is no SMS left

20700018

OpenVPN client opened tunnel on an interface

20700218

OpenVPN client closed tunnel on an interface

20800014

An OpenVPN user failed a login failed

20800024

An IPsec/Xauth use failed to login

20800034

An L2TP user failed to login

20800048

An Open VPN user has logged in successfully

20800058

An IPsec/Xauth user has logged in successfully

20800068

An L2TP user has logged in successfully

20800078

An Openvpn user has logged out

20800088

An IPsec/Xauth user has logged out

30100018

The system upgrade has completed successfully.

30100021

The system upgrade has failed.

30100038

There are system updates available.

40100016

The remote access to support user has been revoked.

40100024

The remote access to support users has been granted.

40100034

The access for support user has been extended until …

SMS

Besides for event notifications, SMS are used by the hotspot, to activate accounts or tickets. Bundles can be purchased from Endian S.r.l., Italy and added here to the Endian UTM Appliance.

This box is divided into two parts: at the top there it is possible to add SMS bundles, while at the bottom some information about the SMS contingent is displayed.

Enter Activation Code …

To add a new SMS bundle, it must be first purchased on the Endian Network, after which an activation code will be generated. This activation code must be supplied in this textbox.

Activate

After supplying a valid activation code, clicking on this button will add an SMS contingent that will be used for sending the notifications.

Available SMS

The number of SMS that are at disposal.

Reserved SMS

The number of SMS that have already been used, but not yet delivered to the recipient. This event may occur for example if the recipient was not reachable.

Scripts

Besides sending an e-mail or an SMS, a third option allows to upload and execute a Python scripts right after an event occurs on the Endian UTM Appliance. In this tab it is possible to upload and to associate Python scripts to the various events, more precisely, to each event can be assigned one Python script.

At the bottom appears a table of the scripts already uploaded, which is initially empty and shows the following information about each script:

  • Name: The name given to the script.

  • Description: A description of the script.

  • Actions: The available actions for the script:

    • swedit modify the script. By clicking on this icon, a panel appears in which to manage the script.

    • download download the script on the local workstation.

    • delete remove the script from the Endian UTM Appliance.

On top of the table, a clock on the Add new script hyperlink allows to upload a Python script on the Endian UTM Appliance. Uploaded script must follow some guidelines, see below for more. The following options are available.

Name

The name given to the script.

Description

An optional description of the script, like e.g., its purpose.

Upload Python script file

Click on the Browse… button to open a dialog window from which to choose the file to upload.

Requirements for the Python scripts.

Python scripts that shall run on the Endian UTM Appliance must follow a few design guidelines to ensure the proper interaction with the system, which can be summarised as follows.

  1. The script must be importable. In other words, the script can use other Python modules installed on the system, but can not rely on Python modules which are not present on the system

  2. The script must implement a class called ScriptEvent.

  3. A method called process must be implemented in the ScriptEvent Class. This method is the one that will be invoked when the event to which it is associated to takes place.

  4. The process method must accept the **kwargs parameter, that is, it must accept a dictionary of key : value parameters.

An example script that satisfies the above requirements -and therefore can be uploaded to the Endian UTM Appliance is the following one.

import time

class ScriptEvent(object):
  def __init__(self):
    self.filename = "/tmp/fubar"

  def process(self, **kwargs):
    open(self.filename, "a").write("Hello world, it is now %s\n" %
    time.time())

See also

The Endian code documentation, useful to write own scripts will soon be available.

Updates

The management of the software updates is done from here. It is possible at any time to manually check for available updated packages, or to schedule a periodic check.

In this page there are two boxes: One with the current status of the system and one to schedule a routine check for updates.

Status

The Status box informs whether the system needs updates or not. In the former case, a list of available packages is presented, while in the latter a message like the following one is shown.

Your Endian Firewall is up to date!
Last upgrade performed on 10.03.2017, 15:22:50
Last checked for updates on 25.05.2017, 11:04:58

These options are available:

Check for new updates

A manual check for updated packages is started, and any upgradable package found is listed here. Individual packages can be chosen from the list and installed.

Note

In order to check for updates, a valid maintenance is required, otherwise no update will show up, even if available.

Start update process NOW

The update process is launched: The system downloads the updated packages which are then installed, replacing the old ones.

Warning

When an upgrade process ends, there is the possibility that the Endian UTM Appliance requires to be rebooted; this will be marked by a message that appears on the GUI, and when logging in from either the serial console or SSH.

When this message appears, please reboot the appliance as soon as possible, to avoid possible malfunctioning.

Schedule for retrieving the update list

The Schedule box allow to set up a periodic job, governed by the cron daemon, that retrieves the list of updated packages. The available options are Hourly, Daily, Weekly, and Monthly. Moving the mouse over the small ? next to each option shows a tool-tip with the exact time at which the job will run.

Support

In this page it is possible to submit support requests for assistance to the Endian support, provided that the system has a valid and maintenance subscription and is registered to the Endian Network.

The page is divided in two boxes with different purposes: The first one contains a link to open the support’s home page, while in the second one it is possible to allow the support team to access to the Endian UTM Appliance using SSH and HTTPS.

Visit Support Web Site

If the Endian UTM Appliance is not registered to Endian Network, this box will display the following message:

Currently no running maintenance available.

To access support, register with Endian Network first

Note

If the system is not registered, support request can be made to one of the several forums or mailing lists mentioned in the Endian web sites section.

With a valid maintenance subscription, this box contains one option.

Please visit our Support Web Site

By clicking on this link, a new tab in the browser will open, where it is possible to find directions on how to fill in an assistance request to the support team.

Access for the Endian Support Team

Optionally, access to the firewall can be grant via SSH, a secure, encrypted connection that allows a member of the support staff to log in to the Endian UTM Appliance, verify its configuration and inspect it to find out where the problem lies. The box contains an informative message, the status of the access, which is either DENIED or ALLOWED. When the status is DENIED a button appears at the bottom of the box:

Allow access

Clicked on this button to grant 4 days of access to the Endian UTM Appliance to the support team.

When the support team access is allowed, a new message appears under the status message: Access allowed until: followed by the date and time when access to the Endian UTM Appliance will be revoked. Moreover, there are two buttons at the bottom of the box.

Deny access

Immediately revoke the grant to access the Endian UTM Appliance.

Extend access for 4 more days

If the support team needs more time to inspect the Endian UTM Appliance, a click on this button extends the access grant by four more days.

Note

When enabled, the support team’s public SSH key is copied to the system and access is granted via that key. The support team will not authenticate with username/password to the Endian UTM Appliance. The root password of the Endian UTM Appliance is never disclosed in any way to the support team.

Endian Network

If the Endian UTM Appliance has been purchased with a maintenance package, it can be registered and connected to the Endian Network, the Endian solution that allows a company an easy and centralised monitoring, managing, and upgrading of all its registered systems.

Many functionalities of the Endian UTM Appliance (e.g., access for the support team, SMS notification, and so on) require that the appliance be registered to the Endian Network.

If the system has not yet been registered or if the maintenance has expired, this page shows only a form that must be filled in order to register the appliance.

Why is the registration to Endian Network important?

A system must be registered within twenty (20) days from the purchase of the activation code, otherwise no support can be supplied.

If case thirty days have passed, while the Endian UTM Appliance will continue to work and offer the services that have already been configured, access from Endian Network, GUI, SSH and serial console will be forbidden. This means that no support can be provided on the Endian UTM Appliance, since the support team has no possibilities to connect to it. Moreover, updated can no longer be installed.

To regain complete access to the Endian UTM Appliance, a new activation code or maintenance renewal must be purchased.

This page is organised into two tabs, namely Subscription and Remote Access.

Subscription

If the firewall has not yet been registered to the Endian Network, the registration form is shown, that must be filled in before submitting the request for registration. After the registration has been completed, the Subscriptions tab shows three boxes:

System information

Here are shown basic information about the Endian UTM Appliance: Serial number, activation code, model of the appliance, and the maintenance package chosen.

Registration Status

A summary of the system information recorded on Endian Network: the System name, the organisation for which the Endian UTM Appliance is registered, system ID, and the date of the last update, that is, the date when the Endian UTM Appliance was registered.

Your Activation Keys

To receive updates from and to participate in the Endian Network, at least one valid, not expired activation key is required. There is a key for each channel, but typically just one or two, shown with its expiry date and the days of maintenance left.

An expired key is shown by its channel name stricken-through and by the expired string in the corresponding Days left column. This happens usually for optional channels.

Remote Access

The Remote Access tab allows to choose whether the Endian UTM Appliance can be reached through the Endian Network and by which protocol. To allow access, click on the grey switch on swoff the top of the page: Its color will turn green, and two access options can be chosen, by ticking the checkbox:

Enable HTTPS access …

Allow the Endian UTM Appliance to be reached via the web interface.

Enable SSH Access …

Allow to login via a secure shell to the Endian UTM Appliance. Activating this option automatically activates the SSH access.

See also

A step-by-step lesson to register the Endian UTM Appliance to the Endian Network is available here.

Switchboard and EasyVPN

New in version 5.0.5.

Changed in version 5.1: Renamed from Connect to Switchboard.

In this page it is possible to connect and register a Endian UTM Appliance to a Switchboard instance using the plug and connect procedure.

Note

This functionality is not yet available for all appliances.

In order for a Endian UTM Appliance to be eligible to be connected to the Switchboard, a few requirements must be satisfied:

  1. The network wizard (see Network configuration) has been successfully carried out and the zones have been configured.

  2. The Endian UTM Appliance has not yet been registered to Endian Network. If it was, it must be deleted from Endian Network.

  3. There must be a working uplink and must be able to connect to the Internet.

If the Endian UTM Appliance satisfies these two conditions, it will be possible to start the procedure.

Note

The plug and connect procedure can be carried out from the web console, by choosing option 6 and following the instructions.

The first time this page is accessed, it contains only one option.

Activation Code

Enter a valid Activation Code. then press on Next >> to register the Endian UTM Appliance to the Switchboard.

Once done, the page will change and show the Activation code and the claim period, that is, the date and hour within which the plug and connect procedure must be carried out to successfully connect the Endian UTM Appliance.

There is only one option here.

Extend claim period

By clicking on this button, the claim period will be extended for 24 hours.

At this point, it is possible to claim the Endian UTM Appliance from the Switchboard and allow its remote management. When also this step has been completed, the Endian UTM Appliance will also be registered to Endian Network (and reachable from it) and on this page a few information are shown:

  • The message You are connected to the Switchboard.

  • Switchboard instance. The name given to the Switchboard on which the Endian UTM Appliance has been claimed.

  • Gateway name. The name of the Endian UTM Appliance as registered on the Switchboard.

See also

On our portal there are howtos available that describe in details the plug and connect and claim procedures.

Users

Changed in version 5.1: This section was previously known as Passwords.

This page allows the management of web users.

Web users

In this tab it is possible to create new users that can access EMI and initially contains a table which lists only the admin user, which can not be deleted.

New accounts for web users can be created by clicking on the Add web frontend user link above the table. In the panel that opens, the following options can be configured.

Username

The username of the account, which is case-sensitive and must be unique.

Remark

A description of the user.

Password, Confirm Password

The password assigned to the user.

Hint

Passwords need to be at least 6 characters long; good passwords should be at least 8 characters long and include letters, numbers, and special characters like e.g., $ % @ !.

GUI Profile

Choose from the drop-down menu which Profile to assign to the new user. There is currently only one profile available, which gives access to all the GUI.

Web Console

The web console provides an applet which emulates a terminal within the browser window, that serves as a CLI to carry out administrative tasks.

The functionalities of the web console are the same found upon logging in via serial console or SSH. On the bottom left of the applet, a message shows the status of the console: Connected or Disconnected. It is possible to exit at any time by typing exit in the console and then pressing Enter on the keyboard, like in any normal console.

When disconnected, click again on the Web console sub-menu item to reconnect. On the bottom right of the applet, two hyperlinks show up:

Enable virtual keyboard.

When clicking on this link, a keyboard applet appears below the console, that can be used to type and execute commands by clicking the mouse on the various keys.

Note

When the web console status is disconnected (i.e., when you issue the exit command), this applet does not communicate with the console.

Disable input

This link toggles the possibility to send input from the keyboard to the web console.

Hint

This option has no effect on the virtual keyboard.

SSH access

This screens allows to enable remote SSH access to the Endian UTM Appliance, which is disabled by default. Access using SSH proves useful in several scenarios: necessity to control log files, troubleshooting, manual editing of configuration files, and in general is reserved for advanced tasks, like the customisation of services or the implementation of a workaround for an existing bug, and so on.

This page is initially empty, after the SSH access is activated by clicking on the grey switch swoff, two boxes are shown in the page: Secure Shell Options and SSH host keys.

If it is the first time that the SSH service is activated, it will take a few moment before the Endian UTM Appliance is accessible, since new SSH host keys must be generated.

When the SSH service is started, the following configuration options are displayed:

Allow password based authentication

Permit logins using password authentication.

Allow TCP forwarding

When this option is ticked, other protocols can be tunneled through SSH. See Example SYS-1 for a sample use case.

Allow public key based authentication

Logins with public keys are allowed. The public keys of the clients that can login using key authentication must be added to the file /root/.ssh/authorized_keys.

Save

Click on this button at the bottom of the box to save the setting of the above four options.

Note

The SSH access is automatically activated when at least one of the following options is true:

  • Endian support team access is allowed in Menubar ‣ System ‣ Support.

  • High availability is enabled in Menubar ‣ -Services -> High Availability.

  • SSH access from Endian Network is enabled in Menubar ‣ System ‣ Endian Network ‣ Remote Access.

At the bottom of the page, a table shows the three host keys, generated, during the first start: ECDSA 256 bits, RSA2 2048 bits, and DSA 1024 bits. For each key, it is shown the file that contains it, its fingerprint, and its size in bits.

SSH password

Changed in version 5.1: Moved from the Passwords section.

In this page it is possible to modify the password of the root user, used for console and SSH access.

GUI settings

A few configuration options for the GUI are present here:

Select your language

The language that will be used for the web interface (section names, labels, all the strings) and can be selected from a drop-down menu. The languages currently supported are: English, German, Italian, Simplified Chinese, Japanese, Portuguese, Russian, Spanish, and Turkish.

Display hostname in window title.

When activated by ticking the checkbox, this option displays the hostname of the Endian UTM Appliance in the browser’s window title,

Hint

The hostname is set in step 3 of the Network configuration (System ‣ Network configuration).

Certificate Management

Choose from the drop-down menu a Certificate that will be used to encrypt the HTTPS traffic to the GUI of the Endian UTM Appliance.

Note

The options are the same that can be selected for the OpenVPN’s Server configuration (VPN ‣ OpenVPN Server ‣ Server configuration). Please refer to that section for more information.

In the Community release it is also possible to click on the Help translating this project link, which will open the Endian Firewall Community translation page: Here it is possible to contribute to the missing translations. Any help is appreciated!

Backup

In this section it is possible to create new backups of the current Endian UTM Appliance status and configuration or restore one of these backups when needed. Backups can be saved locally on the Endian UTM Appliance host, on a USB stick, or downloaded to a workstation. It is suggested to keep a copy of the backups in a safe location.

Whenever a vfat-formatted USB stick is plugged in into the Endian UTM Appliance, it is automatically detected and mounted. In this case, a few additional USB-related options are displayed throughout the page.

Here it is also possible to reset the configuration to factory defaults, to create fully automated backups, and to carry out various other backups-related tasks.

This section is organised into two tabs, Backup and Scheduled backups: The former is used to manage manual backups, while the latter to set up automatic backups.

Backup

In the Backup tab there are four boxes, each corresponding to a different task that can be done with backups: Backup sets, Encrypt backup archives, Import backup archive, and Reset configuration to factory defaults and reboot.

Backup sets

In the first box, a table shows the backups stored on the Endian UTM Appliance, both manually and scheduled ones. If a USB stick is plugged in in the Endian UTM Appliance and detected, also backups stored on it are displayed.

For each item it is shown:

  • The creation date

  • The content included in the backup. Each letter correspond to a different element of the, see below for more details.

  • A remark. The string “Auto - backup before upgrade” means that an automatic backup has been made before a package or system upgrade.

  • The available actions:

    • downenc download the encrypted backup *

    • download download the backup on the current workstation.

    • delete remove the backup

    • reload restore the backup on the Endian UTM Appliance.

*

only available if option Encrypt backup archives is active - see below.

The content of each backup is marked by at least one of the following letters or symbols, corresponding to the option specified during its creation:

  • Archive. The backup contains archived log files.

  • Cron. The backup has been created automatically by a scheduled backup job.

  • Database dumps. The backup contains a database dump.

  • Encrypted. The backup file is encrypted.

  • Hardware. Information about the appliance’s hardware is included.

  • Log files. The backup contains today’s log files.

  • Settings. The backup contains the configurations and settings.

  • USB. The backup has been saved to a USB stick.

  • ! (Error). Something did not succeed while sending the backup file by email.

Above the table there is a link Create new Backup: When clicking on it, a dialogue box opens up in which to select the data to be included in the backup. The letter in parenthesis corresponds to those listed above.

Current configuration (S)

The backup contains all the configuration settings, including all the changes and customisation done so far, or, in other words, all the content of the /var/efw directory.

Include database dumps (D)

The content of the database will also be backed up.

Warning

The database dumps may contain sensitive data, so whenever a backup contains a database dump, make sure that it is stored in a safe place.

Include log files (L)

Include the current log files (e.g., /var/log/messages), but not log files of the previous days.

Include log archives (A)

Include also older log files that have been rotated, and are stored under the /var/log/archive/ directory. Backups created with this option may become very big after some time.

Include hardware data (H)

Include data about the appliance’s hardware. It is needed when restoring a backup on an appliance of the same type, while this information should not be included when the backup is imported into a different appliance’s model (e.g., from a Mercury to a Macro).

Remark

A comment about the backup, that will appear in the Remark column of the table. Hence, it should be meaningful enough to allow a quick recall of the content.

Create backup on USB Stick

Store the backup on the plugged in USB stick.

Note

This option is only available if an USB stick is plugged in the Endian UTM Appliance and it has been correctly mounted.

At least one of the checkboxes must be ticked to create a new backup. After clicking on the Create backup button, the files required by the backup are gathered and assembled into the archive. After a few minutes, depending on what has been included in the backup, the new backup appears in the list. The end of the backup process is marked by a yellow callout that appears above the box, showing the message Backup completed successfully.

Note

Backup on USB sticks are stored under the /mnt/usbstick/efw-backups directory. For any backup stored on the USB stick, a symlink will be created under the /var/backups/ directory. If the USB stick containing the backups is removed from the Endian UTM Appliance, they will still show up in the list but will not be accessible.

The format and name of the backup files.

Backup files are created as tar.gz archives, using standard Linux’s tools tar and gzip. The files stored in the archive can be extracted using the tar zxf archivename.tar.gz or tar vzxf archivename.tar.gz to see all the file processed and extracted and see some informative message on the screen the v option meaning verbose. The name of the backup file is created to be unique and it conveys the maximum information possible about its content, therefore it can become quite a long string, like e.g., backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz, in which 20130208093337 is the timestamp of the backup’s creation, in the form YYYYMMDDHHMMSS -in this example, 8th of February 2013 at 9:33:37 AM. This choice allows the backups to be lexicographically ordered from the oldest one to the most recent one; myappliance.mydomain are the Endian UTM Appliance’s hostname and domainname as set in Step 3 of the Network configuration (Menubar ‣ System ‣ Network configuration), and settings-db-logs-logarchive represent the content of the backup. In this case it is a full backup, since all four parts appear in the name. For example, a backup containing only settings and logs will be identified by the string settings-logs.

Encrypt backup archives

The second box in the page allows to encrypt all the future backups by providing a GPG public key. The following options are available:

Encrypt backup archives

Tick the checkbox if the archives should be encrypted. This option applies to both manual and scheduled backups.

Import GPG public key:

Select the GPG public key by clicking on the Browse… (or Choose file… on Chrome browsers) button to upload the key file from the local file system.

Once a key has been uploaded and the Encrypt backup archives option is ticked, information about the key will be shown above the options, like in the following example:

The following GPG public key will be used to encrypt the backup archives:

pub   1024R/00000000 2010-10-10 [expires: 2020-10-09]
      Key fingerprint = 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
uid                  Jane Doe <j.doe@example.org>
sub   1024R/00000001 2010-10-10 [expires: 2020-10-10]

Hint

It is a good practice to encrypt a backup archive whenever it contains sensible data, like for example the hotspot’s users data and billing information.

Import backup archive

The third box in the page allows to import a backup from a local workstation to the Endian UTM Appliance.

Browse…

The backup file can be selected by clicking on this button. A pop up window will open, in which to select the backup file from the local file system.

Remark

This field can be used to write a custom description of the imported backup.

Finally, the backup is uploaded by clicking on the Import button. The backup will appear in the backup list at the top of the page, and can be restored by clicking on the restore icon reload.

Note

It is not possible to import encrypted backups on the Endian UTM Appliance: Any encrypted backup must be decripted before being uploaded.

Reset configuration to factory defaults and reboot

The fourth box allows to wipe out all configurations and settings done so far and reboot the system with the default configuration. This result is achieved by clicking on the only option available:

Factory defaults

A click on this button will start the factory default process: A backup copy of the current settings is created and immediately after the Endian UTM Appliance is rebooted and brought back to the factory defaults, including its default IP address, 192.168.0.15.

Note

Since this potentially is a quite dangerous option, a pop-up window will ask for confirmation before starting the process. After clicking on OK, the process starts and can not be interrupted.

Scheduled backups

Automated backups of the system can be enabled and configured in the Scheduled backups tab, which contains two boxes, Scheduled automatic backups and Send backups via email.

Scheduled automatic backups

In the first box, automatic backups are enabled and configured. When enabled, the elements of the Endian UTM Appliance to be included in the backup can be chosen as seen in the Backup Sets box in the other tab. The only difference is that for scheduled backups there is no possibility to specify a remark. The additional options are:

Enabled

Enable scheduled backups.

Keep # of archives

Choose from the drop-down how many backups to keep on the Endian UTM Appliance (from 2 up to 10, but they can be exported to save space).

Schedule for automatic backups

The frequency between backups, either hourly, daily, weekly, or monthly.

Scheduled backups will always be stored on the Endian UTM Appliance.

Send backups via email

In the second box, the system can be configured to send the backups by e-mail. Backups sent by e-mail will not contain the log archives, because their size might be so large to prevent a correct delivery of the email.

The following otpions are available.

Enabled

Allows backup archives to be sent via e-mail.

email address of recipient

The e-mail address to which to send the e-mail with the backup.

email address of sender

The e-mail address that will appear as the sender’s e-mail address, which proves useful when backups should appear to have been sent from a special address (say, backups@myappliance.mydomain), and must be provided if the domain or hostname are not resolvable by the DNS.

Address of smarthost to be used

The address of a smarthost to be used to send the e-mails, which is needed in case the outgoing e-mails should not be sent directly by the Endian UTM Appliance, but from a different SMTP server.

Note

The explicit address of a smarthost is needed if the SMTP proxy (Menubar -> Proxy -> SMTP) is disabled.

Send a backup now

A click on this button will save the settings and immediately try to send an e-mail with the backup’s archive as attachment.

This action that serves also as a test for the correctness of the data supplied (Email addresses and smarthost if needed).

See also

A guide to create a backup on a USB stick.

Shutdown

In this page it is possible to either shutdown or reboot the Endian UTM Appliance, by clicking on the Shutdown or the Reboot button respectively.

Warning

The shutdown or reboot process starts immediately after clicking on the respective button, with no further confirmation request.

After a reboot, it is possible to continue to use the GUI without a new authentication.

License Agreement

This section displays the license agreement between Endian and the owner of the Endian UTM Appliance.

Note

After an upgrade, if the license agreement changes, at the first login it is necessary to accept the new license agreement before accessing the upgraded system and being allowed to use the Endian UTM Appliance

Table Of Contents

Previous topic

Getting Started

Next topic

The Status Menu

Documentation archive

Version 3.2
Version 3.0
Version 2.5
Version 2.4
Version 2.3
Version 2.2
Version 2.1

Other products

Endian Hotspot 5.0
Endian 4i Edge 5.0