In this page you find:
The Endian UTM Appliance includes many useful services to prevent threats and to monitor the networks and the running daemons, whose activation and set up is explained in this section. In particular, among them, we highlight the various proxy services, such as the antivirus engine, as well as the intrusion detection system, high availability, and traffic monitoring. The available services appear as items in the sub-menu list on the left-hand side of the screen.
DHCP server - DHCP server for automatic IP assignment.
Dynamic DNS - Client for dynamic DNS providers such as DynDNS (for home / small office use).
Antivirus Engine - configure the antivirus engine used by the e-mail, web, pop, and FTP proxies.
Time server - enable and configure the NTP time server, set the time zone, or update the time manually.
Mail Quarantine - manage quarantined emails.
Spam Training - configure training for the spam filter used by the mail proxies.
Intrusion Prevention - configure snort, the IPS.
High availability - configure the Endian UTM Appliance in a high availability setup.
Traffic Monitoring - enable or disable traffic monitoring with ntop.
SNMP Server - enable or disable support for the Simple Network Management Protocol.
Quality of Service - IP traffic prioritisation.
The DHCP server is used by the clients (both workstations and servers) in the zones controlled by the Endian UTM Appliance to receive an IP address (“lease”), which can be either a dynamic or a fixed lease, and communicate with other devices.
The DHCP server page is divided into three tabs, namely Server configuration, Fixed leases, and Dynamic leases.
The DHCP server on an Endian UTM Appliance can be enabled on each active zone independently. For each of the zones enabled on the Endian UTM Appliance, this page show one checkbox, hence at least the Enable DHCP server on GREEN interface option appears. There are corresponding checkboxes for the ORANGE and BLUE zone.
Note
If both the BLUE zone and the hotspot are enabled, next to the BLUE option the message DHCP configuration is managed by hotspot appears, and the checkbox is disabled, because the IP assignment on the BLUE zone is managed by the hotspot.
At the bottom of the page, there is a textfield, labelled
Custom configuration lines, that can be used by advanced
users to write custom configuration lines to be added to the
dhcpd.conf file (e.g., custom routes to subnets). An example
is shown in this example.
Warning
The custom configuration lines must follow the syntax of
the /etc/dhcpd.conf file, since they are not checked for
errors and are inserted verbatim in the configuration file. Any
mistake might inhibit the DHCP server from starting correctly!
To customise the DHCP parameter for each zone, tick the checkbox. A
panel labelled Settings will appear: Click on it to expand
it and show the available options:
The range of IP addresses to be supplied to the clients. These addresses have to be within the subnet that has been assigned to the corresponding zone. If some hosts should receive a fixed lease, (see below), make sure their IP addresses are included neither in this range nor in the range of the OpenVPN address pool (see ) to avoid conflicts.
Leaving these two fields blank will use the whole IP range of the zone for dynamic leases.
Tick this checkbox to use fixed leases only. No dynamic lease will be assigned.
The default and the maximum time in minutes before the assignment of each lease expires and the client requests a new lease from the DHCP server.
The default domain name suffix that is passed to the clients and that will be used for local domain searches.
The default gateway that the clients in the zone will used. If left blank, the default gateway is the Endian UTM Appliance itself.
The DNS used by the clients. Since the Endian UTM Appliance contains a caching DNS server, the default value is the firewall’s own IP address in the respective zone, though a second server or even the primary value can be changed.
The NTP servers used by the clients, to keep the clocks synchronised. Leave blank to use the Endian UTM Appliance's default NTP server.
The WINS servers used by the clients. This option is only needed for the Microsoft Windows networks that use WINS.
Once done, click on the Save button at the bottom of the page, then on the Apply button in the green callout that will appear to restart the DHCPD server with the new configuration.
It is sometimes necessary or desirable for certain devices to always use the same IP address while still using DHCP, for example servers that provide a service (like, e.g., a VPN server or a code repository) or devices like printers or scanners.
A fixed lease is also called Static IP Address, since a device will always receive the same IP address when requesting a lease from the DHCP server.
This tab contains the list of all the fixed leases defined in the local networks, providing several information about that lease: The device’s MAC Address and the assigned IP address, a remark, and the available actions.
By clicking on the Add a fixed lease link, a static IP address can be assigned to a device. The devices are identified by their MAC addresses.
Note
Assigning a fixed lease from the DHCP server is very different from setting up the IP address manually on a (client) device. Indeed, in the latter case, the device will still contact the DHCP server to receive its address and to announce its presence on the network. When the IP address required by the device has already been assigned, however, a dynamic lease will be given to the device.
The following parameters can be set for fixed leases:
The client’s MAC address.
The IP address that will always be assigned to the client.
An optional description of the device receiving the lease.
By clicking on Advanced options, the panel will expand, to
allow the configuration of three additional options:.
The address of the TFTP server. This and the next two options are useful only in a few cases (see below for an example).
The boot image file name. Option needed only for thin clients or network boot.
The path of the boot image file.
If this checkbox is not ticked, the fixed lease will be stored but
not written down to the file dhcpd.conf.
Below the table, a drop-down menu labelled Choose an action will allow to enable or to disable simultaneously all the fixed leases or all the selected ones.
A use case for a fixed lease.
A use case that shows the usefulness of a fixed lease is the case of thin clients or disk-less workstations on the network that use PXE, i.e., boot the operating system from an image supplied by a networked tftp server. If the tftp server is hosted on the same server with the DHCP, the thin client receives both the lease and the image from the same server. More often, however, the tftp server is hosted on another server on the network, hence the client must be redirected to this server by the DHCP server, an operation that can be done easily adding a fixed lease on the DHCP server for the thin client, adding a next-address and the filename of the image to boot.
Besides the information supplied during the fixed lease creation, the list allow each lease to be enabled or disabled (by ticking the checkbox), edited, or deleted, by clicking on the icons in the Actions column. Editing a lease will open the same form as the creation of a new lease, whereas deleting a lease will immediately remove it from the configuration.
Note
All leases assigned by the DHCP server are stored by default
in the /var/lib/dhcp/dhcpd.leases file. Although the DHCP
daemon takes care of cleaning that file, it may happen that the
file stores leases that have already been expired and are quite
old. This is not a problem and does not interfere with the normal
DHCP server working. A typical entry in that file is:
lease 192.168.58.157 {
starts 2 2013/06/11 13:00:21;
ends 5 2013/06/14 01:00:21;
binding state active;
next binding state free;
hardware ethernet 00:14:22:b1:09:9b;
}
After the DHCP server has been activated, and at least one client has
received a (dynamic) IP address, this tab will feature the list of the
clients, with these additional information: assigned dynamic IP
addresses, the MAC address of the connecting device and its hostname,
the expiry date and time, and the status, which can be either
expired or active.
A DNS server provides a service that allows to resolve the (numeric) IP address of a host, given its hostname, and vice-versa, and works perfectly for hosts with fixed IP address and hostname.
DDNS providers, like DynDNS or no-IP, offer a similar service when the IP addresses is dynamic, which is normally the case when using residential ADSL connections: Any domain name can be registered and associated to a server with a dynamic IP address, which communicates any IP address change to the DDNS provider. To be compatible and to integrate with the root DNS servers, each time IP address changes, the update must then be actively propagated from the DDNS provider.
The Endian UTM Appliance includes a dynamic DNS client for 14 different providers and if enabled, it will automatically connect to the dynamic DNS provider to communicate the new IP address whenever it changes.
Note
If no dynamic DNS account has been set up, detailed instruction to register a new one, detailed online helps and howtos are available on the web site of the providers.
This page displays the list of the Dynamic DNS accounts. Indeed, more than one DDNS provider can be used. For each account, the list shows information about the service used, the hostname and domain name registered, if the anonymous proxy and the wildcards features are active, if it is enabled, and the available actions.
New accounts can be created by clicking on the Add a host link, providing the following parameters:
The drop-down menu shows the available DDNS providers.
This option only applies to the no-ip.com provider. The checkbox must be ticked if the Endian UTM Appliance is connecting to the Internet through a proxy.
Some dynamic DNS providers allow all the sub-domains of a domain point to the same IP address. This is a situation in which two hosts like www.example.myddns.org and second.example.myddns.org are both located on the same IP address. Ticking this box enables the feature, making all the possible sub-domains redirect on the same IP address. The feature must be configured also in the account on the DDNS provider server, if available.
The hostname and domain as registered with the DDNS provider, for instance “example” and “myddns.org”
The credentials given from dynamic DNS provider to access the service.
Activate this option if the Endian UTM Appliance is not directly connected to the Internet, i.e., there is another router or gateway before accessing the Internet. In this case, the service at http://checkip.dyndns.org can be used to find the IP address of the router.
Tick this checkbox to enable the account, which is the default.
Note
The dynamic DNS provider only resolves the domain name and not the associated services. If some service must be accessed from the Internet to the Endian UTM Appliance or to some host behind the Endian UTM Appliance, it is necessary to set up some port forwarding rules (see ).
After making a change in the configuration or to immediately update the dynamic DNS for all the defined accounts, click on the Force update button. This proves useful for example when the uplink has been disconnected and the REDIP has changed: When this happens, updating all the DDNS accounts is required, otherwise the services offered via DDNS will be unreachable.
New in version 5.2: Bitdefender antivirus
The antivirus engines available on Endian UTM Appliance are: Bitdefender, ClamAV and Panda Antivirus. They can be used for the research of viruses and malware within files and documents and in conjunction with the proxy services, to scan files (web pages, archives, spreadsheets, text documents and so on) that pass through the Endian UTM Appliance.
Depending on which antiviruses are installed, the page is organised into tabs: If Panda antivirus and Bitdefender are not installed, only the tab ClamAv antivirus appears, otherwise, also the Global Settings, Bitdefender Antivirus and Panda Antivirus tabs are present.
Archive bomb and DoS.
Archive bombs are archives that use a number of tricks to overload an antivirus software to the point that they hog most of the resources of the device hosting it, an action called DoS attack. The result is that the device can not be operate anymore and it must be hard rebooted.
These tricks include: Small archives made of large files with repeated content that compress well (for example, a file of 1 GB size containing only zeros compresses down to just 1 MB using zip); multiple nested archives (i.e., zip files inside zip files); archives that contain a large number of empty files, and so forth. Decompressing archive files with any of those characteristic poses a serious challenge to the normal activities of a server or a workstation, since a lot of resources are needed (especially RAM and CPU) and taken away from users’ availability.
The Global Settings tab contains several drop-down menus, to choose which antivirus to use for which service. It is indeed possible to use both antiviruses at the same time, but not for the same service
Choose the antivirus that will be used by default for all services. The choice made in this drop-down menu will set accordingly the values of the other options.
Choose from each of the four drop-down menus the antivirus for each proxy service individually.
Note
This option is available only on software, virtual, and appliances bigger than the Mercury 100 included. For all other appliances, the same antivirus engine will be used for all services.
This tab contains all the option to configure Panda Antivirus. A single option appears above two panels, namely File content analysis and Packaged and/or compressed files, which group all remaining file scanning options.
Select from the drop-down menu the update cycle of the anti-virus signatures: hourly, daily, weekly, or monthly.
The scan options to be configured are grouped in two sections:
The following three options define how Panda Antivirus deals with files that have been recognised as infected.
Tick the checkbox to enable the automatic cleaning of files during the anti-malware scan. When disabled, the option causes the deletion of the infected file, without trying to heal the file.
Use the heuristic analysis of malware, to search for new types of malware that may not have been yet included in signatures.
Choose the desired sensitivity level of the heuristic analysis, among the three available values: low, medium, and :strong: high.
These options concern the behaviour of the anti-virus when dealing with compressed files. More information about here.
The maximal recursion level within the compressed files.
Tick the checkbox to activate the control of the size of decompressed files.
The maximum size in kilobytes of decompressed files allowed for uncompressed items.
The highest nesting level allowed for compressed files.
There are two options available for the Bitdefender Antivirus:
Select from the drop-down menu how often the signatures should be downloaded. Available options are hourly, daily, weekly, and monthly.
By ticking the checkbox, infected files will be automatically cleaned.
Note
When updating from the 5.1 to the 5.2 version, Bitdefender will be automatically set as default antivirus.
This tab consists of two boxes: The first to configure ClamAV, and in particular its management of archive bombs, and the second showing the current synchronisation status of the signature.
To avoid DoS attacks, ClamAV is configured to not scan archives with certain attributes, that can be modified here.
Archives larger than this size in Megabytes are not scanned.
An archive which recursively contains nested archives whose value exceeds this number will not be scanned.
Archives containing more than this number of files are not scanned.
Archives whose uncompressed size exceeds the compressed archive size by more than X times, where X is the compression ration specified here, are not scanned. The default value is 1000.
Note
The compression rate for a normal file, depending on the algorithm used, is about between 10 and 15. That is, the uncompressed size of a file is between 10 to 15 times the size of the archive.
What should happen to an archive that is not scanned because it passed the limit set in at least one of the above settings. Choices are Do not scan but pass and Block as virus. In the first case the file is not scanned and passes the control, so that the recipient of the e-mail needs to carefully examine it, while in the second case it is considered as a virus and therefore blocked.
Note
When a file is larger that the size specified in the Max. archive size field above and the policy here is Block as virus, the file is blocked. However, since it is downloaded until the size limit is reached, it may give the impression that the download did not complete successfully. To avoid this behaviour, change either this option or the size above.
It is technically impossible to scan encrypted (i.e., password protected) archives, but they might represent a security risk. To block them, tick this checkbox.
This option appears on the right-hand side of the page and allows to choose the frequency of download of ClamAV signatures, which change over time and must be kept up to date to be able to recognise even the most recent viruses and malware. There are four available options: hourly (default), daily, weekly, and monthly).
Hint
Moving the mouse over the question marks displays the exact time when the updates are performed in each case - the default setting is one minute past the full hour.
This box shows a couple of information about the signatures virus. At the top of the box, a message like the following is displayed:
Last signature updated on Sep 16 13:21:28 from db.local.clamav.net which loaded a total of 1040149 signatures.
This message reports in bold typeface the date and time of the latest download, the server from which the signatures have been downloaded, and the number of signatures downloaded.
Note
No signatures are downloaded if there is no proxy service using ClamAV as antivirus. In this case the box reports the message
None of the activated services are currently using ClamAV
Antivirus. Therefore updates are disabled.
Below the message, a list shows the types of the signatures downloaded, the time of the last synchronisation, their version, and the time of the last update. The update and synchronisation times may differ if the last synchronisation check did not contain any signature update.
A click on the Update signatures now button performs an immediate update (regardless of scheduled updates, which will continue as before), that might take some time, while a click on the Search the online virus database opens in a new browser tab the ClamAV’s online database, to look for information about a specific virus.
Hint
Since the databases of signatures may be updated several times a day from the provider, it is suggested to set the download to a high frequency of updates.
The Endian UTM Appliance uses NTP to keep its system time synchronised with time servers on the Internet. The settings available are grouped into two boxes, Use a network time server to automatically synchronise time, and Adjust manually to manually modify the time and date.
A number of time server hosts on the Internet are preconfigured and used by the system, along with the time zone. Available options are the following.
Tick the checkbox to replace the default NTP servers. This might
prove necessary when running a setup that does not allow the
Endian UTM Appliance to reach the Internet. Several time servers addresses
can be supplied, one per line, in the small form that will show up;
each of them will be written in the configuration file, as value of
the server option. For better performance, at least two
time server should be provided here.
Hint
Each custom time server can be written as a hostname or
IP address. Entries can be also vendor-specific, like e.g.,
0.endian.pool.ntp.org.
The timezone is normally selected during the initial setup, but it can be changed by choosing a new one from the drop-down menu.
At the bottom of the box, a click on the Save button will restart the NTP daemon, applying the new settings, while an immediate synchronisation can be done by clicking on the Synchronize now button.
The second box gives the possibility to manually change the system time. While this is not recommended, this action proves useful when the system clock is way off and an immediate update of the Endian UTM Appliance‘s clock to the correct time is needed.
Indeed, automatic synchronisation using time servers is not done instantly, but the clock is slowed down or sped up a bit to recover and align to the correct time. If however the discrepancy between the system clock and the time servers is significantly large, the ntp daemon will not be able to recover. Therefore, manual synchronisation represents the only solution to correct the time.
To manually change the time and date, provide In the textfields that appear in this box the correct Year, Month, Day, Hours, and Minutes, then click on the Set time button.
Do not mind about the seconds: After the manual set up of the time, the ntp daemon will take charge of aligning the system’s time to the time server’s time.
The mail quarantine is a special place on the Endian UTM Appliance hard disk where all the e-mails that the SMTP proxy recognises as containing spam, malware, viruses, or with suspicious attachments are stored instead of being delivered. Here, those e-mails can be safely analysed and actions can be taken to manage them. To activate the mail quarantine, go to and in the SPAM settings, Virus Settings, and File settings boxes, choose the option move to default quarantine location from the drop down menus.
E-mails that land in the Mail Quarantine will remain in a special folder on the Endian UTM Appliance until the Quarantine retention time has been reached (see Quarantine settings in the SMTP Proxy module). However, when there are many quarantined e-mail stored on disk, the quarantine folder might be filled up and it becomes necessary to manually delete quarantined e-mails.
The space dedicated to the mail quarantine depends on several factors, like e.g., the type of appliance, the size of the quarantined e-mails -especially if they have large attachment, other active services, and so on.
The Mail quarantine is organised in two tabs: Quarantine and Summary Reports. The former contains a list of the e-mail stored in the quarantine and allows to browse and manage them, while the latter allows to generate periodical reports about the quarantine’s content and manage their dispatch.
The mail quarantine page contains a table with the list of all mail moved to the quarantine, above which there is a navigation bar to browse the e-mails.
The table contains the following information about the mail saved in the quarantine.
A checkbox that allows to select one or more messages at a time and carry out an action on all of them.
The date and time when the e-mail was moved in the quarantine.
The reason for which the e-mail was not delivered, which can be one of Malware - the e-mail contains viruses or other types of threats, Spam - the e-mail has been marked as spam, Banned - the e-mail has an attachment that can not be sent, and Bad Header - the information contained in the header are not valid.
The sender of the e-mail.
The recipient to which the e-mail was originally sent.
The subject of the e-mail.
The size of the e-mail.
The number of the attachments to the e-mail.
The actions that can be done on each e-mail.
Below the table, a drop-down menu labelled Choose an action will allow to release or delete all the emails or only the selected ones.
When clicking on the view message 
icon, the list of
emails is replaced with a 3-boxed page, showing various details about
the selected e-mail.
This box presents a more detailed view of the e-mail’s data reported in the e-mail list: The reason why the e-mail ended in the quarantine, the sender and recipients, along with carbon copy (CC) addressee, subject, date and time of receiving, and the e-mail’s size.
The full header of the original e-mail, which can give useful information, among which for example the path followed by the e-mail.
If the email has one or more attachments, they are shown here along with their details. Moreover, every HTML attachment is shown with its full source code.
At the bottom, there is an option available:
The e-mail will be removed from the quarantine after its release to the original recipient.
Periodical reports about quarantined e-mails can automatically be sent to inform the original recipient of the e-mail. In this page it is possible to activate and manage the frequency and settings of this service.
Note
This functionality requires that the SMTP Proxy be correctly set up and running, otherwise it would not send any reports.
Alternatives to notify recipients of quarantined e-mails.
There are two approaches to notify users that they received one or more e-mails that ended in the quarantine:
Selecting a whole incoming domain. In this case, all users in that domain will be notified, unless they are in an appropriate list. Incoming domains can be configured in the SMTP Proxy module (). See option Do not send summary report emails to these addresses below.
By explicitly listing users that shall receive notifications. See option Send summary report emails to these addresses below.
These two approaches are not exclusive: It is allowed to employ both of them.
Moreover, there is also the possibility to supply a list of sender addresses whose e-mail will never be part of any summary report.
Finally, wildcards and regular expressions can be used to avoid the necessity to write a long list of addresses.
Warning
Make sure to not misuse wildcards! In particular, writing a single asterisk * on a line will send an email notification to every user in every domain managed by the Endian UTM Appliance.
The summary reports service is not enable by default. To start it,
click on the grey switch 
labelled Enable Summary Reports
Emails. It will turn green and a number of configuration options
appear.
By ticking the checkbox, the default address will appear as the sender of the report.
Note
The default e-mail address is the one specified during the network configuration, see step 6 of the Network configuration.
A custom sender address can be specified here, provided that the previous option is not ticked.
The report can be sent Daily, Weekly, or Monthly.
Note
If the value of option Quarantine retention time in is lower than 30 (days), the Monthly option will not be available.
Two options are available in this drop-down menu. Select Emails received after last report to include only newer quarantined e-mails (i.e., those that arrived after the last report was sent), or All emails in the quarantine to send a bulk of all the quarantine content.
The language used to write the summary report, chosen by the available values English, German, Italian, and Japanese.
This form can be used to include a custom message in the report.
Hint
For example, include an e-mail address that the user can contact to ask for information or release the quarantined e-mail.
This multiselect box allows to chose which data to include in the summary report for each quarantined e-mail. By default, only the sender, the reason for being in quarantine, the subject, and the date are included, but also the recipient address, information about the attachment, and the size can be included.
This multiselect box allows to choose which domains shall be monitored for dangerous e-mails and send them to the quarantine. When users in one of these domains receive a mail that ends in the quarantine, they will be notified with an email
Hint
To add a new domain to this box, add it in .
The list of recipients that will always receive the summary reports, one per line.
Warning
Make sure to not misuse wildcards! In particular, writing a single asterisk * on a line will send an email notification to every user in every domain managed by the Endian UTM Appliance!
A list of e-mail addresses, one per line, of an incoming domain that will never receive summary reports.
A list of sender whose e-mails will never be included in the summary reports, one per line.
See also
Configuration of the SMTP proxy.
The Endian UTM Appliance includes SpamAssassin as the engine to find and fight spam e-mails. While it is successful in the vast majority of the cases, SpamAssassin needs to be trained to improve its abilities to intercept spam e-mails. The configuration of the training for the antispam engine can be done in this page: Indeed, SpamAssassin can learn automatically which e-mails are spam and which are not (the so called ham mails). To be able to learn, it needs to connect to an IMAP host and check the pre-defined folders for spam and ham messages.
The page for SpamAssassin consists of two boxes, one that contains a list of IMAP hosts used for learning, Current spam training sources, with the possibilities to manage them at various levels, and another one, SpamAssassin Rule Update Schedule, to modify the scheduling of the updates.
The first box allows the configuration and management of the training sources, by means of two links and two buttons. Each link will reveal a new panel in which to specify the various configuration values.
The two buttons, located at the top right of the box, allow to immediately start an action that will be performed on all the defined connections.
To check all the connections at once. This operation can take some time if many training sources have been defined or the connection to the IMAP servers is slow.
Immediately starts the training. The button is replaced by the
Training is running ... label.
Note
Training can take a very long time, depending on many factors: The number of the sources, on the connection speed, and most importantly on the number of e-mails that will be downloaded.
The default configuration, which is initially empty, is not used for training, but only provides values that are later inherited by the real training sources which can be added right below. By clicking on the Edit default configuration link, these setting can be configured:
The IMAP host that contains the training folders.
The login name for the IMAP host.
The password of the user.
The name of a folder that contains only ham messages. It can be, for example, a dedicated folder that stores only ‘clean’ messages, or even the Inbox.
The name of a folder that contains only spam messages.
The time interval between two consecutive checks, which can either be disabled or be an hourly, daily, weekly, or monthly interval. The exact time scheduled is shown when moving the mouse cursor over the question marks. If disabled, the antispam engine must be manually trained.
Additional spam training sources can be added in the panel that appears upon clicking on the Add IMAP spam training source link. The options for the additional training hosts are the same as the default configuration options, except for the scheduling, which is always inherited from the default configuration, and for three new available options:
The training source will be used whenever SpamAssassin is trained. If not enabled, the source will not be used during the automatic training, but only for manual ones.
A comment about this source.
Whether the e-mails should be deleted after they have been processed.
The other options can be defined like in the default configuration: When they differ, they override the default values. To save the configuration of a source it is necessary to click on the Add Training Source button after all the desired values have been set.
Note
The antispam engine can be also trained in another way if the SMTP Proxy is enabled for incoming as well as for outgoing mails: This is done by sending spam mails to the special addresses spam@spam.spam and non-spam mails to ham@ham.ham. The hostnames spam.spam and ham.ham are added to the network configuration right after the network setup and are aliases for localhost. If these two addresses are not present, they can be added to the host configuration in on the Endian UTM Appliance.
In this box it is possible to schedule the automatic download of SpamAssassin signatures among the four options: Hourly, Daily, Weekly, and Monthly.
The Endian UTM Appliance includes the well known intrusion detection (IDS) and prevention (IPS) system snort, which is directly built into iptables, to intercept and drop connections from unwanted or distrusted sources.
The page contains two tabs, Intrusion Prevention System and Rules.
Changed in version 5.0: The Editor Tab has been incorporated in the Rules tab.
If snort is not active, a grey switch next to the
Enable IPS label appears on the page and can be clicked on
to start the service. After a short interval, the page will contain
some options to configure the service, grouped in boxes.
Intrusion Prevention System settings
This box allows to define the automatic download and installation of the snort rules.
Ticking this box will let the Endian UTM Appliance automatically download the snort rules from the Endian Network.
Note
If the Endian UTM Appliance is not registered, or its maintenance has expired, rules are not downloaded anymore. An informative message is also shown at the bottom of the page.
The frequency of download of the rules: A drop-down menu allows to choose one of the hourly, daily, weekly, or monthly options. This option appears only if the previous option has been activated.
Emerging Threats SNORT rules
This box contains a button to download Emerging Threats’ rules from the Endian repository, and an informative message that informs of the last time the rules have been manually downloaded:
Rules last updated: 2017-08-01 10:48:31
By clicking on this button, the signatures for the IPS service will be immediately downloaded from the emeringthreats.net web site.
Custom SNORT Rules
This box can be used to upload to the Endian UTM Appliance a file containing custom SNORT rules.
Pick one file from the file selection window that opens upon clicking this button.
Click on this button to upload the file and use it with snort.
On the Rules tab appears the list of rulesets that are stored on the Endian UTM Appliance, along with the number of rules they contain and the actions that can be done on them.
At the bottom of the list, the Choose an action button can be used to carry out an action on more than one rulesets at once, by selecting them (tick the checkbox on the left of their filename) and pressing one of the button underneath the list.
The rule policies in snort.
By default, the policy for all the rulesets is set to
alert, shown by the icon 
. This means that
whenever a flow of traffic will match the corresponding rule or
ruleset, the traffic will be allowed to pass and the intrusion
attempt will be logged.
This behaviour can be changed by clicking on the alert icon to
toggle the policy into block, shown by the icon
, with the result that the intrusion attempt will be
blocked, but no message will be recorded in the log files.
After a policy of a rule or of a whole ruleset has been changed, it is necessary to click on the Apply button, for the changes to be applied.
After selecting and clicking on the Edit button, the list of the rules included in the selected ruleset(s) is shown. The list can be narrowed down by entering some terms in the text box next to the Search label. To go back to the previous page, click on the Back button.
Warning
Turning on the IPS only implies that snort is running, but it does not yet filter the traffic. For snort to filter packets, the Allow with IPS Filter policy must be selected for the rules defined in the various Firewall configuration pages.
The Endian UTM Appliance supports an HA mode, that can easily be setup using at least two Endian UTM Appliances, one of which assumes the role of the active (i.e., master) firewall, while the remaining are standby (i.e., slave) firewalls.
The idea behind high availability is to have identical systems connected together in a way that when the master fails, one of the slaves immediately takes over and becomes the new master, providing for transparent failover: This provides unparalleled hardware availability and redundancy for critical network operations and security. One typical scenario in which failover takes place is the event of a hardware failure on the primary system.
When there is only one slave, though, it will immediately take over the master’s duties and allows a seamless failover transition to the secondary Endian UTM Appliance. This modality is the one supported by Endian, therefore to start up the HA service, one master and one slave Endian UTM Appliances must be configured according to the following guidelines.
Note
The Endian HA system is supported on both Endian hardware and software appliances. Regardeless of choosing hardware or software, the high availability module requires two completely identical hardware platforms (e.g. 2 Minis, 2 Macros, 2 x86 systems, etc.), equipped with the same software packages.
An important point to focus on when deploying high availability is that a duplication method for each and every connection to the Endian UTM Appliance must be provided. Every connection of the primary unit (e.g., WAN, LAN, etc.) must be replicated across the standby unit(s) to ensure that complete replication capabilities exist.
HA setup and updates.
Even with HA enabled, it is still necessary to install any available update on each node independently. The correct procedure to minimise any downtime is the following:
Install all the available updates on the slave node and reboot it if required.
Turn off the master node and verify that the slave node takes over correctly.
Check the slave node.
Power on the master node and install all the updates on it. Reboot it if required.
In this page initially there is only one option:
Enable HA on the Endian UTM Appliance, disabled by default, by choosing Yes.
Warning
HA does currently not support the automatic synchronisation of the hotspot’s database
After choosing Yes, a second drop-down menu and some more options appear.
Choose from the drop-down menu if the Endian UTM Appliance acts as master or slave. Depending on this choice, different configuration options are available. Configuring a slave unit, however, requires that a Master unit have already been set up.
For the master side, the following options are available:
The special subnet to which all Endian UTM Appliance that are part of a same HA setup must be connected and defaults to 192.168.177.1/24. Unless this subnet is already used for other purposes within the local network, there is no need to change it.
The first IP address of the management network. It is automatically set to 1 on the network chosen, and defaults to 192.168.177.1.
The next four options can be filled in to be notified by e-mail when a failover event occurs. They are configured the same way as they were configured for other event notifications in
The e-mail address to which the notification e-mail should be sent.
A custom e-mail address that will be appear as the sender of the notification.
The subject of the notification e-mail.
The SMTP server used to send the notification e-mail.
Choose from the drop-down menu whether to enable or not the spanning tree protocol, STP. This option and the next one are important when the Endian UTM Appliance is in gateway mode.
The priority of the bridge. It must be 1 on the master side.
A second box will appear after HA has been activated, with the list of the slaves with their IP address, a link to access their management GUI, and the possibility to delete a slave.
The HA management network.
The Endian UTM Appliance uses a special network to connect the master to slave unit(s), which defaults to 192.168.177.0/24. If this network has already been used in other zones, simply assign to the HA management network a different range of IP addresses, like, e.g., 172.19.253.0/24 or 10.123.234.0/28.
The requirements of the management network are:
It must be a private subnet, unique and disjoint from the other zones.
It must be large enough to accommodate the master and all the slaves, therefore if there are only a master and a slave devices, even a network as small as 192.168.177.0/29 suffices.
The management network will be created as an interface on the GREEN network, and it will show up as such on the device or when viewing the network status.
Warning
Make sure that the management network can be reached from the current LAN setup, or it will not be possible to login to the master unit!
After the master unit has been configured, the second Endian UTM Appliance, that is going to be the slave, can be set up.
For the slave side the following are the available options.
The IP address of the master unit, which defaults to
192.168.177.1/24 if the management network had not be
changed. This value must match the one that appears as
value of the Master IP Address option on the master unit.
The password of the console root user (not the graphic administration interface!) on the master.
These data will be used by the slave to retrieve from the master all the information needed and to keep the synchronisation.
Choose from the drop-down menu whether to enable or not the spanning tree protocol, STP. On the slave side, this option must have the same value as in the master side.
The priority of the bridge. On the slave side, it must be higher than the one on the master side. If on the slave this value has been set to 1, set it here to 2.
Right after saving, the connection to the devices will be temporarily lost, since the management network is created and then the master and the slave begin to synchronise.
After the synchronisation process is complete, the slave itself cannot be reached anymore via its old IP address (be it its factory default or its previous GREENIP address), since it has gone in standby mode and is connected to the master only through the management network. Any change made on the primary unit (the activation of a service, the change of one setting, the deletion of a VPN user, and so on) will automatically be synced to the slave unit(s) with the exception of updates, upgrades, or device backups (these have to be performed manually on the slave unit).
Moreover, the slave Endian unit will automatically appear on the master’s list of slaves and switch to an informational-only web interface that can be accessed from the master, by following the Go to Management GUI link next to each of the entries of the list of slaves.
The RED MAC Address
During the HA failover, the RED interface MAC address is not replicated onto the slave unit. This can represent a problem if the ISP requires to use the Sticky IP setup. In this situation, the IP address assigned from the ISP is determined from the MAC address of the client’s network interface, similarly to a fixed IP asssigned from a DHCP server to a client. it may not be possible to reconnect with the slave unit. To avoid this situation, it is necessary to utilise the spoofed MAC address feature on the RED interface in order for HA to work properly. This will ensure that when the HA is activated the MAC address will carry over to the standby unit and will not require manual intervention. This can be achieved on the slave, before activating it, by ticking the option Use custom MAC address under and specifying the MAC address of the RED interface on the Master. Alternatively, the MAC address can be entered in the step 4 of the network installation wizard, writing the master’s MAC address in the Spoof MAC address with option.
See also
A step by step guide to configure HA on the Endian UTM Appliance.
Note
The traffic monitoring service is not available on the Mini appliances, due to their limited available resources.
Traffic monitoring is done by ntopng and can be enabled or disabled by clicking on the main switch on this page. Once traffic monitoring is enabled a link to its administration interface appears in the lower section of the page. In the administration interface, the traffic can be visualised and analysed by host, protocol, local network interface and many other types of information: All these operations can be carried out directly from the Traffic Monitoring module in The Logs and Reports Menu.
Only one option is available in this page, unless it is a Mini appliance, in which case there is no option at all.
By default, information about the history of each host is not stored on disk. Tick the checkbox to enable per-host logging.
Warning
When this option is enabled, a number of files for each host is written on disk and updated every time that that host connects to the Endian UTM Appliance. With traffic monitoring active and a high network traffic, disk space may be quickly filled up and disk access may become a bottleneck in the system’s performances.
The SNMP is used to monitor network-attached devices, and can be used e.g., to control the status of the internal infrastructure.
To enable the SNMP Server is sufficient to click on the grey switch next to the Enable SNMP server label: Once done so, a few options will appear in the Settings box.
A key that is needed to read the data with an SNMP client.
An identification string that can be set to anything, but it is suggested that it describe the location of the Endian UTM Appliance.
The SNMP Server requires to configure an e-mail address as the system contact, and the global e-mail address provided during the installation procedure is used by default. In order to use a custom e-mail address, tick the checkbox to activate the next option.
Write the e-mail address of the administrator to be contacted.
The purpose of the QoS module is to prioritise the IP traffic that is flowing through the Endian UTM Appliance depending on the service. In other words, the QoS is a convenient way to reserve a given amount of the available bandwidth (both incoming and outgoing) for a given service. Applications that typically need to be prioritised over bulk traffic are interactive services such as SSH or VoIP.
The QoS configuration options are arranged into four tabs: Devices, Classes, Rules and Tagging.
The Device tab is also the starting page for the QoS and is initially empty. Once populated, a table showing a list of all the Quality of Service devices appears and for each device, some parameters and the available actions are displayed.
New QoS devices can be added by clicking on the Add Quality of Service Device link above the list and by configuring a few options.
The network interface that will be used by this device. Choices are among the existent network interfaces, the zones enabled on the system, the uplinks, and the OpenVPN tunnels if defined, and can be selected from a drop-down menu.
The downstream speed of the interface.
The upstream speed of the interface.
Enable the QoS (default) or not.
When editing a device, the same form opens as when adding a new device, in which to modify the current device’s parameters.
For every device added, four items will appear under the Classes tab: Three for high, medium, and low priority, respectively, and one for bulk traffic (see below).
This tab shows a list of all Quality of Service classes that have been created, if any. For each entry, several data are shown. New items can be added by clicking on the Add Quality of Service Class link above the list of classes. The parameters to configure are the same shown in the list:
The name of the Quality of Service class.
The drop down menu allows to choose the Quality of Service device for which the class was created.
Hint
At least one QoS device must have been created before defining a QoS class.
The amount of bandwidth that has been reserved for this class from the device’s overall available bandwidth, either in percentage or in kilobit per second.
The maximum amount of bandwidth this class may use, either in percentage or in kilobit per second.
The priority of the class, from 0 (low) to 10 (high), selected from a dropdown menu
Note
The sum of reserved percentages can not be greater than 100 per device. Moreover, the reserved bandwidth can not be higher than the limit bandwidth.
Classes can be moved up or down the list: Items closer to the top of the list are the first to be processed when the bandwidth does not suffice for all the traffic and the Endian UTM Appliance needs to choose which traffic should be prioritised.
The third tab displays a list of the already defined Quality of Service Rules and allows to specify which type of traffic should belong to each of the classes. To add a new Quality of Service rule click on the Add Quality of Service Rule link. In the form that will open, which is very similar to the one used to define firewall rules, several values should be configured. Many drop-down menus are employed here to ease the choices and guide through the configuration.
Hint
To define rules that resemble those involving IPsec users in the 2.5.X version, it is necessary to specify the following values for the two options:
Source: The zone to which the IPsec user was bridged.
Destination Network/IP: the remote subnet behind the IPsec user.
Choose from the drop-down menu the traffic source, either a Zone or interface, a network, an IP or MAC address. Depending on this choice, different values can be specified: A zone or interface from the available ones from those that will be displayed, or one or more IP addresses, networks, or MAC addresses.
Choose the destination device or traffic class from the drop-down menu.
Write in the text area the target network or IP addresses, which must be reachable from the device or traffic class chosen in the previous option.
These two drop-down menus are used to define the service, protocol, and destination port for the rule (when choosing one of TCP, UDP, or TCP + UDP protocols). Some predefined combinations Service/Protocol/Port exists, like HTTP/TCP/80, <ALL>/TCP+UDP/0:65535, or <ANY>, which is a shortcut for all services, protocols, and ports. Finally, in the Destination port, one or more custom port number can be supplied (this proves useful when some service does not run on a standard port).
Choose from the drop-down menu which tag to use to mark the
traffic: a TOS flag, a DSCP class or a
DSCP value. Depending on the choice, one of the
following options will appear, unless <ANY> is chosen.
By choosing TOS or DSCP class in the previous drop-down menu allows to choose a suitable value for the traffic to match from another drop-down menu.
This filed appears only when DSCP value is chosen in the Type option above. It allows to enter a custom value for DSCP, that will be used to fire the rule when matched.
Tick the checkbox to enable the rule.
A comment to identify the rule.
Note
If there is more than one service in a Quality of Service class, then all these services together will share the reserved bandwidth.
The fourth tab is different from the others as it is used to classify and prioritise traffic. In other words, the traffic can be marked or tagged to allow external devices to handle it accordingly. This is particularly useful in a scenario with limited bandwidth and the uplink device, e.g., a modem, can only prioritise traffic based on TOS or DSCP flags in the packets. When clicking on the Add Quality of Service Rule link the editor opens, which is similar to the one under the Rules tab. These are the available options:
Choose from the drop-down menu the traffic source, either a Zone or
interface, a network or an IP, or a MAC address. Depending on this
choice, different values can be specified: A zone or interface from
the available ones from those that will be displayed, or one or
more IP addresses, networks, or MAC addresses. The default value is
<ANY>, meaning the rule will be applied to all traffic.
Choose from the drop-down menu the traffic destination, either a Zone or interface, a network or an IP. Depending on this choice, different values can be specified: A zone or interface from the available ones from those that will be displayed, or one or more IP addresses or networks.
These two drop-down menus are used to choose the service, protocol, and destination port for the rule (when choosing one of TCP, UDP, or TCP + UDP protocols). Some predefined combinations Service/Protocol/Port exists, like HTTP/TCP/80, <ALL>/TCP+UDP/0:65535, or <ANY>, which is a shortcut for all services, protocols, and ports.
In this textfield one or more custom port numbers can be supplied; this proves useful when some service does not run on a standard port).
Choose from the drop-down menu which tag to use to mark the traffic: a TOS flag, a DSCP class or a DSCP value. Depending on the choice, one of the following three options will appear.
This dropdown appears only when TOS is chosen in the Type option above. It allows to define the TOS flag that will be set in all matching packets.
This dropdown appears when choosing DSCP Class in the Type option above. It allows to define the DSCP class that will be set in all matching packets.
This field appears only when DSCP value is chosen in the Type option above. It allows to enter a custom value for DSCP, that will be set in all matching packets.
Tick the checkbox to enable the rule.
A comment to identify the rule.