The System Menu¶
The System menu provides information about the UTM and its status, and allows defining the network setup and some access modalities (e.g., via SSH or for the Endian support).
The sub-menu on the left-hand side contains the following items, which allow for some basic administration tasks and to monitor the running activities of the UTM.
Settings–various settings related to common items used throughout the GUI
Event Notifications–set up of notification via e-mail or SMS
Support–support request form
Updates–management of system updates
Endian Network–Endian Network registration information
Connect to Switchboard–automatically connect an Endian device to the Switchboard
Users–add GUI users
Web console–a console shell on the browser
SSH access–enable/configure SSH access to the UTM
Backup–backup or restore UTM settings as well as reset to factory defaults
Shutdown–shutdown or reboot the UTM
License Agreement–a copy of the User License Agreement
New in version 6.0: The Settings page.
Changed in version 6.0: The GUI settings page has been removed and integrated into the new Settings page.
The remainder of this section will describe the various parts that compose the System menu items.
This page contains settings that are used in other parts of EMI. The configuration options available here were previously spread across several other pages of the GUI.
New in version 6.0.
Here it is possible to modify the name of the UTM.
Changed in version 6.0: These options were previously under the Network configuration (hostname and domain name) and GUI settings (Display hostname) configuration pages.
The hostname of the UTM.
- Display hostname in window title.
When activated by ticking the checkbox, this option displays the hostname of the UTM in the browser's window title.
The hostname is set during the Configuration Wizard and can be changed either by a factory reset or from the CLI using the netwizard command.
- Domain name
The name of the local domain of which the UTM will be part.
This page contains options about the language and the time zone.
- Select your language
Select from the drop-down menu which language to be used for the web interface (including section names, labels, and so on).
Supported languages are: English, German, Italian, Simplified Chinese, Japanese, Portuguese, Russian, Spanish, and Turkish.
Changed in version 6.0: This option was previously under GUI settings.
The timezone is normally selected during the initial setup, but it can be changed by choosing a new one from the drop-down menu.
Adjust time manually
In this panel there is the possibility to manually change the system time. While this is usually not recommended or not necessary, this action is the only possibility to synchronise the system clock when it is way off the real time.
Indeed, automatic synchronisation using time servers is not done instantly, but the clock is slowed down or sped up a bit to recover and align to the correct time. If however the discrepancy between the system clock and the time servers is significantly large, the ntp daemon will not be able to recover. Therefore, manual synchronisation represents the only solution to immediately correct and synchronise the time of the UTM's clock to the correct time.
Some service (for example, the connection to an external LDAP server to authenticate VPN users) might not work if the clock is not synchronised.
To manually change the time and date, provide in the textfields that appear in this box the correct Year, Month, Day, Hours, and Minutes, then click on the Set time button.
Do not mind about the seconds: After the manual set up of the time, the ntp daemon will take charge of aligning the system’s time to the time server’s time.
Outgoing mail server¶
Here it is possible to configure an SMTP mail server that will deliver the e-mails sent by the UTM, typically from the notification service. The following options are available.
- Email sender address
The address that will appear as the sender of the e-mail.
- Email recipient address for notifications
The address to which the e-mail will be sent.
- SMTP address
The IP address or domain name of the SMTP server.
- SMTP port
The port on which the SMTP server runs.
- Connection security
Choose from the drop-down menu which type of security is required by the connection, either STARTTLS or SSL/TLS.
- SMTP server required authentication
Tick the checkbox if the server requires authentication. The next three options appear.
The username needed to authenticate on the SMTP server.
The password needed to authenticate on the SMTP server.
- Authentication method
The authentication methods required by the SMTP server: PLAIN, LOGIN, CRAM-MD5, and DIGEST-MD5 are supported. Multiple methods can be chosen by ticking the checkboxes in the multiselect drop-down menu.
- Test email recipient address
After values for the above options have been provided, verify their correctness by providing a valid e-mail address to which a test e-mail will be sent. Click on Send test email when done. If the test e-mail is delivered correctly, it is possible to save the settings.
Upstream proxy support¶
The settings in this box concern the upstream proxy, if there is one between the UTM and the Internet: in this case, click on the Disabled switch to activate the functionality, then fill in the next options accordingly.
The IP address of the upstream proxy server.
The port on which the proxy service runs on the server.
- Proxy server requires authentication
Tick the checkbox if authentication is needed on the upstream proxy. The next two options will appear.
The username to connect to the proxy server, if needed.
The password to connect to the proxy server, if needed.
Management interface certificate¶
Here it is possible to manage the HTTPS certificate used to access EMI, the web interface of the UTM.
- Certificate configuration
This drop-down menu is used to select the method of creation of a new certificate. The available options are:
Select one certificate from those available, shown on the right-hand side of the drop-down menu. It is possible to see the full details of this certificate by clicking on the View details hyperlink.
A new drop-down menu appears, to allow the selection of a certificate that has already been created and stored on the UTM.
Create a new certificate from scratch. This option is only available if no host certificate has already been generated. A form will open where to specify all options necessary to create a new certificate. These are the same found in the new certificates generation editor, with two slight changes: Common name becomes System hostname and Organizational unit name becomes Department name.
By clicking on the Browse… button that appears underneath the drop-down menu it will be possible to select from the workstation and to upload an existing certificate. The password for the certificate, if needed, can be provided in the textfield on the right-hand side.
The Browse… button that appears underneath the drop-down menu can be clicked to select from the workstation and upload an existing certificate signing request. The validity of the certificate in days can be provided in the textfield on the right-hand side.
When a certificate has been chosen, below the Certificate configuration drop-down menu appear the name of the currently used certificate and the View details link. The latter will show all information about the certificate when clicked.
Changed in version 6.0.
The network configuration wizard is not offered anymore on the Endian appliances. Since release 6.0 it has been included in the Configuration Wizard and can be run only on either the first boot or after a factory reset has been carried out. The functionalities that were provided by this wizard can be found under the Network module, in the Uplink and in the new Zones and Interfaces sections.
Whenever some critical event takes place on the UTM (e.g., a partition is filling up, someone accesses it via SSH or HTTPS, or there are updates available), the event notification functionality allows the administrator to be informed immediately by e-mail or SMS. It is also possible to associate a Python script to each event, to take immediate action as a consequence of the event.
The configuration options for this functionality are grouped into four pages: Settings, Events, SMS, and Scripts.
This page contains the basic options to configure the E-mail and SMS settings to send the notifications.
To start the event notification functionality, click on the grey switch Disabled and wait a few seconds.
The options available are the following, grouped in Email settings and SMS settings.
- Use default email settings
Tick the checkbox to use the default e-mail address, otherwise a few more options to configure the SMTP server options will appear.
- Email sender address
The e-mail address that appears as the sender of the e-mail.
- Email recipient address
The e-mail address to which the e-mail will be delivered.
- Use smarthost for email delivery
Tick the checkbox to configure the smarthost to be used for delivering the notification e-mail.
While the SMTP proxy supports encryption, when an external smarthost is used as SMTP Proxy, neither the SSL/TLS nor the STARTTLS protocols can be used.
- Smarthost address
The URL or IP address of the smarthost.
- Smarthost port
The port on which the smarthost listens.
- Connection security
Choose from the drop-down menu which type of security can be used: None, STARTTLS, or SSL/TLS.
- Smarthost requires authentication
Tick the checkbox if the smarthost requires credentials to send e-mail. The next two options will appear.
- Smarthost username
The username to be used to authenticate with the smarthost.
- Smarthost password
The password associated with the username supplied in the previous option. A click on the checkbox on the right-hand side will show the password.
- Authentication method
Select which method the smart host shall use to authenticate the user.
The next two options are used to configure notification by SMS. SMS bundles can be added in the SMS section, System ‣ Event notification ‣ SMS.
- Destination phone number country prefix
The country code to which the phone number belongs.
- Destination phone number
The actual phone number to which the SMS will be sent.
This page shows a list of all the events that can produce a notification message and allows to configure the actions to be done when each of the events takes place. Right above the list there is a small navigation bar and a search field: The latter can be used to filter only the relevant items.
If SMS notification is active and the hostname of the UTM is very long, the SMS may not be able to carry the entire notification message, because the message is trimmed to ca. 157-159 characters. In this case, we suggest also activating e-mail notification.
The list contains six columns:
- Event ID
The 8-digit event ID, in the form ABBCCCCD. See Event ID explained below for more information about the IDs.
A short description of the event.
A ticked checkbox means that an e-mail is sent when the event takes place.
A ticked checkbox means that an SMS is sent when the event takes place.
The script that is executed when the event occurs.
The only action available is to modify the corresponding event.
When modifying an event, a new panel appears above the list with the following configuration options displayed.
- Event ID and Description
These identify the event and are generated automatically by the system, so they cannot be modified.
- Send email for this event
By ticking this checkbox, an e-mail will be sent upon the occurrence of the event.
- Send SMS for this event
By ticking this checkbox, an SMS will be sent upon the occurrence of the event.
- Run custom script for this event
By choosing this option, a custom script will be executed when the event takes place, rather than sending an SMS or an e-mail. The script must already have been uploaded to the UTM; see the Scripts page for more information. By ticking the checkbox, a drop-down menu appears on the right-hand side.
- Custom script to run
Choose the script to be associated to the event from this drop-down-menu.
At least one script must have been uploaded in order to be able to associate it to the event. See section Scripts below.
Event ID explained
Each event that takes place on the UTM is assigned a unique, 8-digit code, A-BB-CCCC-D built from the following four fields:
A represents the layer number, i.e., the system’s component in which the event has taken place:
1 = kernel
2 = system
3 = services
4 = configuration
5 = GUI
BB is the module number
CCCC is a sequential number assigned to the event
D is the severity of the event. The lower the number, the more severe the event:
0 : critical event
1 : an error
4 : a warning
6 : a recovery from a bad state
8 : an informational message.
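The field layout above is easy to get wrong by eye, so here is a small decoder, added as an example (not Endian code). Beyond decoding it also lets you pick, from a list of IDs, only the events severe enough to deserve one of the limited SMS messages; that selection is an added generalisation, not something the page describes. The three RAID IDs are the ones named below; which description each one carries follows the order in which the page lists them.

```python
"""Decode Endian event IDs of the form A-BB-CCCC-D (added example, not Endian code)."""

LAYERS = {
    "1": "kernel",
    "2": "system",
    "3": "services",
    "4": "configuration",
    "5": "GUI",
}

# Severity digit D: the lower the number, the more severe the event.
SEVERITIES = {
    "0": "critical",
    "1": "error",
    "4": "warning",
    "6": "recovery",
    "8": "informational",
}


def decode_event_id(event_id):
    """Split an 8-digit event ID into layer, module, sequence and severity.

    Raises ValueError for IDs that are not exactly 8 digits or that use a
    layer or severity digit the documentation does not define.
    """
    if len(event_id) != 8 or not event_id.isdigit():
        raise ValueError("event ID must be exactly 8 digits: %r" % (event_id,))
    layer, module, sequence, severity = (
        event_id[0], event_id[1:3], event_id[3:7], event_id[7])
    if layer not in LAYERS:
        raise ValueError("unknown layer digit %r in %s" % (layer, event_id))
    if severity not in SEVERITIES:
        raise ValueError("unknown severity digit %r in %s" % (severity, event_id))
    return {
        "id": event_id,
        "layer": LAYERS[layer],
        "module": int(module),
        "sequence": int(sequence),
        "severity": SEVERITIES[severity],
        "severity_digit": int(severity),
    }


def select_for_sms(event_ids, max_severity_digit=1):
    """Return the IDs whose severity digit is <= max_severity_digit.

    With the default (1) only critical and error events are kept, so SMS
    credit is not spent on warnings, recoveries and informational messages.
    """
    return [e for e in event_ids
            if decode_event_id(e)["severity_digit"] <= max_severity_digit]


if __name__ == "__main__":
    # The RAID events named on this page: device failed, rebuild completed, recovery started.
    raid_events = ["10100011", "10100026", "10100038"]
    for eid in raid_events:
        info = decode_event_id(eid)
        print("%s  layer=%-8s module=%02d seq=%04d severity=%s"
              % (eid, info["layer"], info["module"], info["sequence"], info["severity"]))
    print("SMS-worthy:", select_for_sms(raid_events))
```

Decoding the three RAID IDs shows the scheme at work: all three are kernel events (A=1) of module 01, sequence numbers 1 to 3, with severities error, recovery and informational respectively.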
The following table lists all the IDs that correspond to an event. Note that, depending on the type of appliance, some events may never occur on the UTM (e.g., on appliances without RAID controllers, events 10100011, 10100026, and 10100038 will never occur).
One device of the RAID array failed.
The rebuild of RAID array has completed.
Start recovery of RAID array.
One uplink has gone online.
One uplink has gone offline.
The system has started.
The system has shut down.
The system is rebooting.
All uplinks have gone offline.
All uplinks are online.
An uplink is dead.
An uplink turned back alive.
An SSH user has successfully logged in from a remote location.
An SSH user failed to log in from a remote location.
A disk is getting full.
A user has failed to log in to the management interface.
The number of available SMS is low
There is no SMS left
Digital Input Rising Trigger on an input
Digital Input Falling Trigger on an input
OpenVPN client opened tunnel on an interface
OpenVPN client closed tunnel on an interface
An OpenVPN user failed to log in
An IPsec/Xauth user failed to log in
An L2TP user failed to log in
An OpenVPN user has logged in successfully
An IPsec/Xauth user has logged in successfully
An L2TP user has logged in successfully
An OpenVPN user has logged out
An IPsec/Xauth user has logged out
The system upgrade has completed successfully.
The system upgrade has failed.
There are system updates available.
The remote access to support user has been revoked.
The remote access to support users has been granted.
The access for support user has been extended until …
Besides using emails, also SMS can be used for event notifications; they need to be purchased in bundles from Endian S.r.l., Italy and then added to the UTM using this page.
This box is divided into two parts: at the top it is possible to add SMS bundles, while at the bottom some information about the SMS contingent is displayed.
- Enter Activation Code …
To add a new SMS bundle, it must be first purchased on the Endian Network, after which an activation code will be generated. This activation code must be supplied in this textbox.
After supplying a valid activation code, clicking on this button will add an SMS contingent that will be used for sending the notifications.
- Available SMS
The number of SMS that are at disposal.
- Reserved SMS
The number of SMS that have already been used, but not yet delivered to the recipient. This event may occur for example if the recipient was not reachable.
Besides sending an e-mail or an SMS, a third option allows uploading Python scripts that are executed right after an event occurs on the UTM. In this page it is possible to upload Python scripts and associate them to the various events; more precisely, one Python script can be assigned to each event.
At the bottom appears a table of the scripts already uploaded, which is initially empty and shows, for each script, its name, description and the available actions.
On top of the table, a click on the Add new script button allows uploading a Python script to the UTM. Uploaded scripts must follow some guidelines, see below for more.
The following options are available for every uploaded script.
The name given to the script.
An optional description of the script, like e.g., its purpose.
The available actions for each script.
Requirements for the Python scripts.
Python scripts that shall run on the UTM must follow a few design guidelines to ensure the proper interaction with the system, which can be summarised as follows.
The script must be importable. In other words, the script can use other Python modules installed on the system, but can not rely on Python modules which are not present on the system
The script must implement a class called ScriptEvent.
A method called process must be implemented in the ScriptEvent Class. This method is the one that will be invoked when the event to which it is associated to takes place.
The process method must accept the **kwargs parameter, that is, it must accept a dictionary of key : value parameters.
An example script that satisfies the above requirements, and therefore can be uploaded to the UTM, is the following one.
```python
import time


class ScriptEvent(object):
    def __init__(self):
        # File the script appends to each time the associated event fires.
        self.filename = "/tmp/fubar"

    def process(self, **kwargs):
        # kwargs carries the event's parameters as key: value pairs.
        with open(self.filename, "a") as fh:
            fh.write("Hello world, it is now %s\n" % time.time())
```
The Endian code documentation, useful for writing one's own scripts, will soon be available.
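Since a script that violates one of the four requirements will simply not run when the event fires, it is worth checking it on a workstation before uploading. The following checker is an added example, not Endian code: check_event_script() reports which requirement a script file violates (importable, a ScriptEvent class, a process method, process accepting **kwargs) and run_event() delivers one event to it the way the UTM would. The keyword arguments passed to process() (event_id, description) are a constructed sample; the page does not document the real ones.

```python
"""Validate and exercise an event-notification script (added example, not Endian code)."""
import importlib.util
import inspect
import os
import tempfile

# A compliant script, written to a temporary file for the demonstration. It
# records every event it receives as one JSON line, which is easier to search
# than free text; the log path is an assumption, not an Endian convention.
GOOD_SCRIPT = '''\
import json
import os
import tempfile
import time


class ScriptEvent(object):
    def __init__(self):
        self.logfile = os.path.join(tempfile.gettempdir(), "utm-events.jsonl")

    def process(self, **kwargs):
        record = dict(kwargs, received_at=time.time())
        with open(self.logfile, "a") as fh:
            fh.write(json.dumps(record, sort_keys=True) + "\\n")
        return record
'''

# Violates the last requirement: process() takes one fixed argument instead of **kwargs.
BAD_SCRIPT = '''\
class ScriptEvent(object):
    def process(self, event_id):
        return event_id
'''


def write_script(source):
    """Write script source to a temporary .py file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".py", prefix="event_script_")
    with os.fdopen(fd, "w") as fh:
        fh.write(source)
    return path


def load_script(path):
    """Import a script file as a module (requirement 1: it must be importable)."""
    spec = importlib.util.spec_from_file_location("uploaded_event_script", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def check_event_script(path):
    """Return the list of violated requirements; an empty list means the script is OK."""
    try:
        module = load_script(path)
    except Exception as exc:  # syntax errors, modules missing on the UTM, ...
        return ["script is not importable: %s" % exc]
    cls = getattr(module, "ScriptEvent", None)
    if not inspect.isclass(cls):
        return ["no class named ScriptEvent"]
    process = getattr(cls, "process", None)
    if not callable(process):
        return ["ScriptEvent has no process method"]
    accepts_kwargs = any(p.kind == inspect.Parameter.VAR_KEYWORD
                         for p in inspect.signature(process).parameters.values())
    return [] if accepts_kwargs else ["process() does not accept **kwargs"]


def run_event(path, **event):
    """Instantiate ScriptEvent from the file and deliver one event, as the UTM would."""
    return load_script(path).ScriptEvent().process(**event)


if __name__ == "__main__":
    good, bad = write_script(GOOD_SCRIPT), write_script(BAD_SCRIPT)
    print("good script:", check_event_script(good) or "OK")
    print("bad script: ", check_event_script(bad))
    # Constructed payload: the real keyword arguments are not documented on this page.
    print(run_event(good, event_id="10100011",
                    description="One device of the RAID array failed."))
```

Run the checker against the real file you intend to upload; only a script for which check_event_script() returns an empty list satisfies all four requirements.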
In this page it is possible to submit support requests for assistance to the Endian support, provided that the system has a valid and maintenance subscription and is registered to the Endian Network.
The page is divided in two boxes with different purposes: The first one contains a link to open the support's home page, while in the second one it is possible to allow the support team to access the UTM using SSH and HTTPS.
Visit Support Web Site
If the UTM has not been registered to Endian Network, or its maintenance has expired, no support can be supplied by Endian, and this box will display the following message:
Currently no running maintenance available. To access support, register with Endian Network first
If the system is not registered, support requests can be made to one of the several forums or mailing lists mentioned in the Endian web sites section.
With a valid maintenance subscription, this box contains one option.
- Please visit our Support Web Site
By clicking on this link, a new tab in the browser will open, where it is possible to find directions on how to fill in an assistance request to the support team.
Access for the Endian Support Team
Optionally, access to the firewall can be granted via SSH, a secure, encrypted connection that allows a member of the support staff to log in to the UTM, verify its configuration and inspect it to find out where the problem lies. The box contains an informative message and the status of the access, which is either DENIED or a date like Mon, 20 May 2019 12:12:18. When the status is DENIED a button appears at the bottom of the box:
- Allow access
Click on this button to grant the support team 4 days of access to the UTM.
When the support team access is allowed, a new message appears under the status message: Access allowed until: followed by the date and time when access to the UTM will be revoked. Moreover, there are two buttons at the bottom of the box.
- Deny access
Immediately revoke the grant to access the UTM.
- Extend access for 4 more days
If the support team needs more time to inspect the UTM, a click on this button extends the access grant by four more days.
When enabled, the support team’s public SSH key is copied to the system and access is granted to them via that key. The support team will not authenticate with username/password to the UTM. The root password of the UTM is never disclosed in any way to the support team.
The management of the software updates is done from here. It is possible at any time to manually check for available updated packages, or to schedule a periodic check.
In this page there are two boxes: One with the current status of the system and one to schedule a routine check for updates.
The Status box informs whether the system needs updates or not. In the former case, a list of available packages is presented, while in the latter a message like the following one is shown.
These options are available:
- Check for new updates
A manual check for updated packages is started, and any upgradable package found is listed here. Individual packages can be chosen from the list and installed.
In order to check for updates, a valid maintenance is required, otherwise no update will show up, even if available.
- Start update process NOW
The update process is launched: The system downloads the updated packages which are then installed, replacing the old ones.
When an upgrade process ends, there is the possibility that the UTM needs to be rebooted, for example when a new kernel is installed; this will be shown by a message dialog that appears on the GUI, and with a text message shown upon logging in from either the serial console or SSH.
When this message appears, please reboot the appliance as soon as possible, to avoid possible malfunctioning.
IP addresses and ports needed to communicate with Endian Network
While connected to the internet, the UTM needs access to the Endian Network, to carry out several tasks and provide additional services:
To synchronise the system’s information with Endian Network.
To allow remote access to the owner, to the reseller, or to the support team for configuration of services, troubleshooting, and problem resolution.
To allow the purchase of SMS, that can be used for example with the Event notifications.
Special firewall rules allow traffic to flow to the required IP addresses; however, if there is another device in front of the UTM that blocks traffic, also on this device the access to those IP addresses must be allowed. The updated list of Endian Network IPs can be seen under Firewall ‣ Outgoing traffic ‣ System rules.
If the UTM has been purchased with a maintenance package, it can be registered and connected to the Endian Network, the Endian solution that allows a company an easy and centralised monitoring, managing, and upgrading of all its registered systems.
Many functionalities of the UTM (e.g., access for the support team, SMS notification, and so on) require that the appliance be registered to the Endian Network.
If the system has not yet been registered or if the maintenance has expired, this page shows only a form that must be filled in order to register the appliance.
Why is the registration to Endian Network important?
A system must be registered within twenty (20) days from the purchase of the activation code, otherwise no support can be supplied.
If thirty days have passed, the UTM will continue to work and offer the services that have already been configured, but access from Endian Network, GUI, SSH and serial console will be forbidden. This means that no support can be provided on the UTM, since the support team has no possibility to connect to it. Moreover, updates can no longer be installed.
To regain complete access to the UTM, a new activation code or maintenance renewal must be purchased.
Available options for Endian Network are organised into two pages, namely Subscription and Remote Access.
This page shows a summary of all the information about the registration status of the UTM. If the firewall has not yet been registered to the Endian Network, the registration form is shown, that must be filled in before submitting the request for registration. After the registration has been completed, the page will contain three boxes.
Register your Endian UTM
In order to register the UTM, it is necessary to have a valid account on Endian Network, which can be created by clicking on the link at the beginning of the box.
The following options are available.
Account and system information
The username on Endian Network to register the UTM.
The password associated to the username.
- Activation Code
The activation code required to register the UTM.
On hardware appliances, the activation code is printed on the box, on the appliance itself, or both.
- System name
The name given to the system, that will appear on Endian Network as well.
The name of the company which owns the UTM.
- Sender email address
The e-mail of the registrant.
The country in which the UTM is located
This section contains the license agreement, that must be accepted for a successful registration.
The following boxes appear only after a successful registration of the UTM.
This box shows basic information about the UTM: Serial number, activation code, model of the appliance, and the maintenance package chosen.
This product is registered
A summary of the system information recorded on Endian Network: the System name, the organisation for which the UTM is registered, system ID, and the date of the last update, that is, the date when the UTM was registered.
Your Activation Keys
To receive updates from and to participate in the Endian Network, at least one valid, not expired activation key is required. There is a key for each channel, but typically just one or two, shown with its expiry date and the days of maintenance left.
An expired key is shown by its channel name stricken-through and by the expired string in the corresponding Days left column. This happens usually for optional channels.
The Remote Access page allows to choose whether the UTM can be reached through the Endian Network and by which protocol. To allow access, click on the Disabled button on the top of the page, that will turn green, and two access options will appear.
- Enable HTTPS access …
Allow the UTM to be reached via the web interface.
- Enable SSH Access …
Allow login to the UTM via a secure shell. Activating this option automatically activates the SSH access.
A step-by-step lesson to register the UTM to the Endian Network is available in this article.
Connect to Switchboard¶
New in version 5.0.5.
Changed in version 5.1: Renamed from Connect to Switchboard.
In this page it is possible to connect and register a UTM to a Switchboard instance using the plug and connect procedure.
Connect to Switchboard¶
Requirements to use this functionality.
In order for a UTM to be eligible to be connected to the Switchboard, a few requirements must be satisfied:
The network configuration has been completed and the zones have been configured. This is important since it is not possible to change the UTM's network topology after registration.
The UTM has not yet been registered to Endian Network. If it already was, its registration must be deleted; this can be carried out from the CLI using the following command: en-client -x.
There must be a working uplink and the UTM must be able to connect to the Internet and with Endian Network.
Port TCP 443 (i.e., HTTPS) of the UTM must be able to freely access the Internet, because the Switchboard will connect to that port to complete the registration.
If the UTM satisfies these conditions, it will be possible to start the procedure.
The plug and connect procedure can be carried out from the web console, by choosing option 6 and following the instructions.
The first time this page is accessed, it contains a few data and two options.
- Activation Code
Enter a valid Activation Code, then click on Next >> to register the UTM to the Switchboard.
Once done, the page will change and show the Activation code and the claim period, that is, the date and hour until which the plug and connect procedure must be carried out to successfully connect the UTM.
The following options are present here.
- Extend claim period
By clicking on this button, the claim period will be extended for 24 hours.
- Set custom registry
By clicking on this button, the IP address or FQDN of the Switchboard can be specified.
This option is to be used only if the UTM should be registered to a self-hosted instance of the Switchboard.
At this point, it is possible to claim the UTM from the Switchboard and allow its remote management. When this step has also been completed, the UTM will be registered to Endian Network as well (and reachable from it), and this page shows the following information:
The message You are connected to the Switchboard.
Switchboard instance. The name given to the Switchboard on which the UTM has been claimed.
Gateway name. The name of the UTM as registered on the Switchboard.
On our portal there are howtos available that describe in details the plug and connect and claim procedures.
Changed in version 6.5.3: Updated to include the new Viewer user role.
In this page it is possible to create new users that can access EMI. It initially contains a table listing only the default admin user; additional users, once added, are displayed here as well. The default admin user is the only one that can be neither disabled nor deleted.
New accounts for web users can be created by clicking on the Add web frontend user link above the table. In the panel that opens, the following options can be configured.
The username of the account, which is case-sensitive and must be unique.
A description of the user.
- Password, Confirm Password
The password assigned to the user.
Passwords need to be at least 8 characters long; good passwords should include letters, numbers, and special characters like e.g., $ % @ !.
- GUI Profile
Choose from the drop-down menu which Profile to assign to the new user. There is currently only one profile available, which gives access to all the GUI.
- User role
Here you can choose from the following options:
Administrator. This user role has full administrative permission to make changes on the Web UI of the UTM.
Viewer. This user role has view (only) permission and cannot make any changes on the Web UI of the UTM.
Hotspot Administrator. This user role is currently not used as the Hotspot is not available.
Hotspot Account Editor. This user role is currently not used as the Hotspot is not available.
Tick the checkbox to enable the web user account (enabled by default).
The web console provides an applet which emulates a terminal within the browser window, that serves as a CLI to carry out administrative tasks.
The functionalities of the web console are the same found upon logging in via serial console or SSH. On the bottom left of the applet, a message shows the status of the console: Connected or Disconnected. It is possible to exit at any time by typing exit in the console and then pressing Enter on the keyboard, like in any normal console.
When disconnected, click again on the Web console sub-menu item to reconnect. On the bottom right of the applet, two hyperlinks show up:
- Enable virtual keyboard
When clicking on this link, a keyboard applet appears below the console, that can be used to type and execute commands by clicking the mouse on the various keys.
When the web console status is disconnected (i.e., when you issue the exit command), this applet does not communicate with the console.
- Disable input
This link toggles the possibility to send input from the keyboard to the web console.
This option has no effect on the virtual keyboard.
This page allows enabling remote SSH access to the UTM, which is disabled by default. Access using SSH proves useful in several scenarios: checking log files, troubleshooting, manual editing of configuration files, and in general for advanced tasks such as the customisation of services or the implementation of a workaround for an existing bug.
If it is the first time that the SSH service is activated, it will take a few moments before the SSH server starts, since new SSH host keys must be generated.
This page is initially empty; after the SSH access is activated by clicking on the grey switch, two boxes are shown in the page: Secure Shell Options and SSH host keys.
When the SSH service is started, the following configuration options are displayed:
Secure Shell Options
- Allow password based authentication
Permit logins using password authentication.
- Allow TCP forwarding
When this option is ticked, other protocols can be tunneled through SSH. See Example SYS-1 for a sample use case.
- Allow public key based authentication
Logins with public keys are allowed. The public keys of the clients that can log in using key authentication must be added to the file
The SSH access is automatically activated when at least one of the following options is true:
Endian support team access is allowed in Menubar ‣ System ‣ Support.
SSH access from Endian Network is enabled in Menubar ‣ System ‣ Endian Network ‣ Remote Access.
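The three Secure Shell Options above are exposed as checkboxes. As an added illustration that is not Endian's own configuration (the UTM generates its sshd configuration itself and that file is not shown on this page), the following fragment lists the upstream OpenSSH sshd_config directives that express the same choices, with the hardened combination first and the permissive one kept commented out for comparison. PermitRootLogin is not one of the page's options; it is included because root is the account used for console and SSH access.

```conf
# Hardened combination: key-based logins only, no tunnelling of other
# protocols through the SSH service.

# "Allow public key based authentication" ticked
PubkeyAuthentication yes

# "Allow password based authentication" unticked
PasswordAuthentication no

# "Allow TCP forwarding" unticked; enable it only while a use case such as
# Example SYS-1 needs it, and disable it again afterwards
AllowTcpForwarding no

# root may log in with a key, never with a password (OpenSSH 7.0 and later
# spell it prohibit-password; older releases use without-password)
PermitRootLogin prohibit-password

# Permissive combination, what a temporary troubleshooting session might need:
# password logins for root plus forwarding. Switch back when the task is done.
# PasswordAuthentication yes
# AllowTcpForwarding yes
# PermitRootLogin yes
```

Whatever the choice, the fingerprints shown in the SSH host keys table below are what a client should compare against on its first connection, so that a changed host key is noticed rather than accepted blindly.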
SSH host keys
At the bottom of the page, a table shows the three host keys that were generated at the first start. For each key, the table shows the file that contains it, its fingerprint, and its size in bits.
SSH root password
In this page it is possible to modify the password of the root user, used for console and SSH access.
- Password, Confirm Password
Enter the new password in both fields. A tick on the checkbox on the right-hand side of the textfield will show the password in clear text.
In this section it is possible to create new backups of the current UTM status and configuration, or to restore an existing backup when needed. Backups are saved locally on the UTM or on a USB stick, and can be downloaded to a workstation. Optionally, and especially if confidential information is stored on the UTM (e.g., personal data or certificates used in VPN), the backup archive can be encrypted using a GPG key.
It is suggested to keep a copy of the backups in a safe location.
Whenever a USB stick is plugged into the UTM, it is automatically detected and mounted. In this case, a few additional USB-related options are displayed throughout the page.
Here it is also possible to reset the configuration to factory defaults, to create fully automated backups, and to carry out various other backup-related tasks.
This section is organised into two pages, Backup and Scheduled backups: the former is used to manage manual backups, the latter to set up automatic backups.
In the Backup page there are three boxes: Backups, Encrypt backup archives, and Factory defaults.
Changed in version 6.0: the Import backup functionality has been incorporated in the Backups box.
In the first box, a table shows the backups stored on the UTM, both manual and scheduled ones. If a USB stick is connected to the UTM, the backups stored on it are also displayed.
For each item the table shows:
The creation date
The content included in the backup. Each letter corresponds to a different element of the, see below for more details.
A remark. The string “Auto - backup before upgrade” means that an automatic backup has been made before a package or system upgrade.
The available actions, which include the Import backup functionality
Contents of the backups
The content of each backup is marked by at least one of the following letters or symbols, corresponding to the option(s) specified during its creation:
Archive. The backup contains archived log files.
Cron. The backup has been created automatically by a scheduled backup job.
Database dumps. The backup contains a database dump.
Encrypted. The backup file is encrypted.
Hardware. Information about the appliance’s hardware is included.
Log files. The backup contains today’s log files.
Settings. The backup contains the configurations and settings.
USB. The backup has been saved to a USB stick.
! (Error). Something did not succeed while sending the backup file by email.
Above the table, the two buttons Create a new backup and Upload a backup allow carrying out these two tasks.
Create new backup
This section appears after a click on the Create a new backup button.
In this box it is possible to select which data to include in the backup: the letter in parentheses corresponds to those listed above.
- Include configuration (S)
The backup contains all the configuration settings, including all the changes and customisation done so far, or, in other words, all the content of the
- Include database dumps (D)
The content of the database will also be backed up.
The database dumps may contain sensitive data, so whenever a backup contains a database dump, make sure that it is stored in a safe place and possibly GPG-encrypted.
- Include log files (L)
Include the current log files (e.g., /var/log/messages), but not log files of the previous days.
- Include log archives (A)
Include also older log files that have been rotated and are stored under the /var/log/archive/ directory. Backups created with this option may become very big after some time.
A comment about the backup, that will appear in the Remark column of the table. Hence, it should be meaningful enough to allow a quick recall of the content.
- Create backup on USB Stick
Store the backup on the plugged in USB stick.
This option is only available if a USB stick is plugged into the UTM and has been correctly mounted.
Backups on USB sticks are stored under the /mnt/usbstick/efw-backups directory. For any backup stored on the USB stick, a symlink is created under the /var/backups/ directory. If the USB stick containing the backups is removed from the UTM, they will still show up in the list, but will not be accessible.
At least one of the checkboxes must be ticked to create a new backup. After clicking on the Create backup button, the files required by the backup are gathered and assembled into the archive. After a few minutes, depending on what has been included in the backup, the new backup appears in the list. The end of the backup process is marked by a yellow callout above the box showing the message Backup archive created successfully.
The format and name of the backup files.
Backup files are created as tar.gz archives using the standard Linux tools tar and gzip. The files stored in the archive can be extracted with tar zxf archivename.tar.gz, or with tar vzxf archivename.tar.gz to also list on the screen every file processed and extracted (the v option meaning verbose). The name of the backup file is built to be unique and to convey as much information as possible about its content, so it can become a rather long string, like e.g., backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz, in which 20130208093337 is the timestamp of the backup's creation in the form YYYYMMDDHHMMSS (in this example, 8th of February 2013 at 9:33:37 AM). This choice allows the backups to be ordered lexicographically from the oldest to the most recent one; myappliance.mydomain are the UTM's hostname and domain name as set in the Configuration Wizard, and settings-db-logs-logarchive represents the content of the backup. In this case it is a full backup, since all four parts appear in the name. For example, a backup containing only settings and logs is identified by the string settings-logs.
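The naming scheme just described can be handled by a script on the workstation that keeps copies of the backups. The following POSIX shell functions are an added example, not part of the Endian manual or product: they split a backup file name into its timestamp, hostname and content parts (stripping the content tokens from the right, so a hostname that itself contains hyphens is still recovered), render the timestamp, and show why a plain sort orders the archives oldest to newest. The file names in the demo are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Endian's own code: handle backup file names of the form
#   backup-<YYYYMMDDHHMMSS>-<hostname.domain>-<content>.tar.gz
# where <content> is one or more of settings, db, logs, logarchive, in that order.

# backup_fields NAME: print "timestamp hostname content", or fail on a name that
# does not follow the scheme. Content tokens are stripped from the right, so a
# hostname that itself contains hyphens (my-appliance.mydomain) is still recovered.
backup_fields() {
    name=${1##*/}                          # drop any directory part
    case "$name" in
        backup-*.tar.gz) ;;
        *) return 1 ;;
    esac
    rest=${name#backup-}
    rest=${rest%.tar.gz}
    ts=${rest%%-*}
    rest=${rest#*-}
    case "$ts" in
        ??????????????) ;;                 # exactly 14 characters ...
        *) return 1 ;;
    esac
    case "$ts" in
        *[!0-9]*) return 1 ;;              # ... and all of them digits
    esac
    content=""
    while :; do
        case "$rest" in
            *-logarchive) rest=${rest%-logarchive}; content="logarchive${content:+-$content}" ;;
            *-logs)       rest=${rest%-logs};       content="logs${content:+-$content}" ;;
            *-db)         rest=${rest%-db};         content="db${content:+-$content}" ;;
            *-settings)   rest=${rest%-settings};   content="settings${content:+-$content}" ;;
            *) break ;;
        esac
    done
    [ -n "$content" ] && [ -n "$rest" ] || return 1
    printf '%s %s %s\n' "$ts" "$rest" "$content"
}

# backup_datetime TS: render a 14-digit timestamp as "YYYY-MM-DD HH:MM:SS".
backup_datetime() {
    ts=$1
    case "$ts" in ??????????????) ;; *) return 1 ;; esac
    y=${ts%??????????};  r=${ts#????}
    mo=${r%????????};    r=${r#??}
    d=${r%??????};       r=${r#??}
    h=${r%????};         r=${r#??}
    mi=${r%??};          s=${r#??}
    printf '%s-%s-%s %s:%s:%s\n' "$y" "$mo" "$d" "$h" "$mi" "$s"
}

# newest_backup DIR: the timestamp comes right after the fixed "backup-" prefix,
# so a plain sort orders the archives oldest to newest; print the newest one.
newest_backup() {
    ls "$1" | grep '^backup-.*\.tar\.gz$' | sort | tail -n 1
}

# Demo on constructed file names (empty files in a temporary directory).
tmp=$(mktemp -d)
for n in backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz \
         backup-20121231235959-myappliance.mydomain-settings-logs.tar.gz \
         backup-20130301120000-my-appliance.mydomain-settings.tar.gz; do
    : > "$tmp/$n"
done
for f in "$tmp"/backup-*.tar.gz; do
    set -- $(backup_fields "$f")
    printf '%-19s  %-22s  %s\n' "$(backup_datetime "$1")" "$2" "$3"
done
echo "newest: $(newest_backup "$tmp")"
rm -rf "$tmp"
```

The lexicographic ordering only holds because every name starts with the same prefix followed by a fixed-width timestamp; a script that copies backups off the UTM should therefore keep the original names rather than renaming the files.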
Import a backup Archive
This section appears after a click on the Upload a backup button.
In order to import a backup on the UTM, it is necessary to supply the following information.
A comment that will appear alongside
Click on the Choose File button to upload a file containing the backup.
A click on the Upload button starts the upload process.
It is not possible to import encrypted backups on the UTM: Any encrypted backup must be decrypted before being uploaded.
Encrypt backup archives
The second box in the page allows encrypting all future backups by providing a GPG public key. Click on the Disabled button to activate the functionality. The first time it is started, only one option shows up:
- Import GPG public key:
Select the GPG public key by clicking on Choose file to upload the key file from the local file system, then click on the Upload button underneath.
- Encrypt backup archives
Tick the checkbox if the archives should be encrypted. This option applies to both manual and scheduled backups.
Once a key has been uploaded and the Encrypt backup archives option is ticked, information about the key will be shown above the options, like in the following example:
The following GPG public key will be used to encrypt the backup archives:
pub 1024R/00000000 2010-10-10 [expires: 2020-10-09]
Key fingerprint = 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
uid Jane Doe <firstname.lastname@example.org>
sub 1024R/00000001 2010-10-10 [expires: 2020-10-10]
It is good practice to encrypt a backup archive whenever it contains sensitive data, like for example the hotspot's user data and billing information.
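Two practical consequences of the encryption option above and of the earlier note that encrypted backups cannot be uploaded: a workstation needs to tell an encrypted archive from a plain tar.gz before trying to import it, and it needs the private half of the uploaded key to decrypt one. The following POSIX shell script is an added example, not Endian's own code: backup_kind classifies a file by its first bytes (the gzip magic number, the ASCII-armored OpenPGP header, or a binary OpenPGP packet byte), upload_preflight uses that to refuse an encrypted archive, and decrypt_backup / encrypt_backup wrap the corresponding gpg commands. All sample files in the demo are constructed headers, not real backups, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Endian's own code: tell an encrypted backup archive from a
# plain tar.gz before uploading it to the UTM, and show the workstation-side GPG
# commands for decrypting and encrypting. All sample files below are constructed.

# backup_kind FILE: print gzip | pgp-armor | pgp-binary | unknown.
# Exit status: 0 for gzip (importable as-is), 2 for an encrypted archive, 1 otherwise.
backup_kind() {
    f=$1
    [ -f "$f" ] || { echo unknown; return 1; }
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \t\n')   # first two bytes as lowercase hex
    case "$magic" in
        1f8b) echo gzip; return 0 ;;                 # gzip magic bytes
        2d2d)                                        # "--": possibly ASCII-armored OpenPGP
            if [ "$(head -c 27 "$f")" = "-----BEGIN PGP MESSAGE-----" ]; then
                echo pgp-armor; return 2
            fi ;;
        8?*|9?*|a?*|b?*|c?*|d?*|e?*|f?*)             # binary OpenPGP packet: high bit set
            echo pgp-binary; return 2 ;;
    esac
    echo unknown; return 1
}

# upload_preflight FILE: succeed only for a plain tar.gz; the UTM does not accept
# encrypted uploads, so an encrypted archive must be decrypted first.
upload_preflight() {
    kind=$(backup_kind "$1") || true
    case "$kind" in
        gzip)  return 0 ;;
        pgp-*) echo "$1 is encrypted ($kind): run decrypt_backup on it first" >&2; return 2 ;;
        *)     echo "$1 does not look like a tar.gz backup" >&2; return 1 ;;
    esac
}

# decrypt_backup IN OUT: decrypt with the private key whose public half was
# uploaded to the UTM. Needs gpg on the workstation, not on the UTM.
decrypt_backup() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    gpg --batch --yes --output "$2" --decrypt "$1"
}

# encrypt_backup KEYID IN OUT: the same operation the UTM performs with the
# uploaded public key; useful when a downloaded plain archive must be kept encrypted.
encrypt_backup() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    gpg --batch --yes --recipient "$1" --output "$3" --encrypt "$2"
}

# Demo on constructed files: a gzip header, an armored PGP header and a binary
# OpenPGP packet byte (0x85), none of them a real backup.
tmp=$(mktemp -d)
printf '\037\213\010\000' > "$tmp/plain.tar.gz"
printf '%s\n\n' '-----BEGIN PGP MESSAGE-----' > "$tmp/armored.tar.gz.asc"
printf '\205\002\014\003' > "$tmp/binary.tar.gz.gpg"
for f in "$tmp"/*; do
    kind=$(backup_kind "$f") || true
    printf '%-20s %s\n' "${f##*/}" "$kind"
done
upload_preflight "$tmp/plain.tar.gz" && echo "plain.tar.gz is safe to upload"
upload_preflight "$tmp/armored.tar.gz.asc" || echo "armored.tar.gz.asc rejected"
rm -rf "$tmp"
```

The private key never needs to be on the UTM: only the public key is uploaded there, and decryption happens on the workstation before the plain tar.gz is sent back with Upload a backup.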
The Factory defaults box allows wiping out all configurations and settings done so far and rebooting the system with the default configuration. This is achieved by clicking on the only option available:
- Factory defaults
A click on this button starts the factory default process: a backup copy of the current settings is created and, immediately after, the UTM is rebooted and brought back to the factory defaults, including its default IP address, 192.168.0.15.
Since this is a potentially dangerous option, a pop-up window asks for confirmation before starting the process. After clicking on OK, the process starts and cannot be interrupted.
Here it is possible to configure automated backups of the system.
scheduled automatic backups
To enable automatic backups, click on the Disabled button. The following options will appear.
- Keep # of archives
Choose from the drop-down how many backups to keep on the UTM (from 2 up to 10, but they can be exported to save space).
- Schedule for automatic backups
The frequency between backups, either hourly, daily, weekly, or monthly.
- Include …
Ticking each of these options includes the corresponding configuration or data in the scheduled backup. These are the same options seen in the Backups box.
Scheduled backups will always be stored on the UTM.
Send backups via email
In this box the system can be configured to send the backups by e-mail. To enable the functionality, click on the Disabled button. The following options will appear.
Backups sent by e-mail do not contain the log archives, because their size might be so large as to prevent correct delivery of the e-mail.
The following options are available.
- Recipient email address
The e-mail address to which to send the e-mail with the backup.
- Sender email address
The e-mail address that will appear as the sender's e-mail address, which proves useful when backups should appear to have been sent from a specific address (say, email@example.com); it must be provided if the domain or hostname are not resolvable by the DNS.
- Smarthost address
The address of a smarthost to be used to send the e-mails, which is needed in case the outgoing e-mails should not be sent directly by the UTM, but from a different SMTP server.
A guide to create a backup on a USB stick.
In this page it is possible to either reboot or shutdown the UTM, by clicking on the Reboot or the Shutdown button respectively.
When clicking either of the buttons, a dialog will open, asking for confirmation. Click on Confirm to really reboot or shutdown the appliance or on Cancel to close the dialog.
During a reboot, the message Reboot in progress will be shown and after a short period (usually under a minute), it will be possible to continue to use the GUI without a new authentication.
This section displays the license agreement between Endian and the owner of the UTM.
After an upgrade, if the license agreement changes, at the first login it is necessary to accept the new license agreement before accessing the upgraded system and being allowed to use the UTM.