Select Services from the menu bar at the top of the screen.
Endian UTM Appliance can provide a number of useful services that can be configured in this section. In particular, these include services used by the various proxies, such as the ClamAV antivirus. Intrusion detection, high availability and traffic monitoring can be enabled here as well. Following is a list of links that appear in the submenu on the left side of the screen:
Each link will be explained in the following sections.
Select Services from the menu bar at the top of the screen, then select DHCP server from the submenu on the left side of the screen.
The DHCP (Dynamic Host Configuration Protocol) service allows you to control the IP address configuration of all your network devices from Endian UTM Appliance in a centralized way.
When a client (a host or another device such as a networked printer) joins your network, it automatically receives a valid IP address from a range of addresses, along with other settings, from the DHCP service. The client must be configured to use DHCP, which is often called “automatic network configuration” and is usually the default setting. You may choose to provide this service to clients on your GREEN zone only, or also to devices on the ORANGE (DMZ) or BLUE (WLAN) zone: just tick the check boxes labeled Enabled accordingly.
Click on the Settings link to define the DHCP parameters as described below:
Advanced users might wish to add custom configuration lines to dhcpd.conf in the text area below the settings forms. Note that the Endian UTM Appliance interface does not perform any syntax check on these lines: any mistake here might prevent the DHCP server from starting!
Example: The following extra lines may be used to handle VoIP telephones that need to retrieve their configuration files from an HTTP server at boot time:
option tftp-server-name "http://$GREEN_ADDRESS";
option bootfile-name "download/snom/{mac}.html";
Note the use of $GREEN_ADDRESS which is a macro that is replaced with the firewall’s own GREEN interface address.
Sometimes it is necessary for certain devices to always use the same IP address while still using DHCP. Clicking on the Add a fixed lease link allows you to assign static IP addresses to devices, which are identified by their MAC addresses. Note that this is still very different from setting up the addresses manually on each device, since each device still contacts the DHCP server to obtain its address.
A typical use case for this is the case of thin clients on your network that boot the operating system image from a network server using PXE (Preboot Execution Environment).
The following parameters can be set to define fixed leases:
Every fixed lease can be enabled, disabled, edited or removed by clicking on the respective icon (icons are described in the legend at the bottom of the fixed leases table).
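The custom dhcpd.conf lines and the fixed leases described above are both written into the server's configuration without any check by the appliance. The following script is an added example, not code from Endian or the appliance, that shows the sanity checks a practitioner would want before applying them: it expands the $GREEN_ADDRESS macro, verifies that each custom option statement is terminated and quoted properly, checks fixed leases for malformed or duplicate MAC addresses and for IPs that fall outside the zone subnet or inside the dynamic pool, and renders the resulting dhcpd.conf fragment. All addresses, hostnames and the dynamic range are constructed values.

```python
import ipaddress
import re

# Constructed example values; not taken from any real appliance.
GREEN_ADDRESS = "192.168.0.15"                      # firewall's own GREEN interface address
SUBNET = "192.168.0.0/24"
DYNAMIC_RANGE = ("192.168.0.100", "192.168.0.200")  # pool handed out to ordinary clients

# Custom lines as typed into the text area; $GREEN_ADDRESS is the macro described on the page.
CUSTOM_LINES = [
    'option tftp-server-name "http://$GREEN_ADDRESS";',
    'option bootfile-name "download/snom/{mac}.html";',
]

# Fixed leases as (hostname, MAC, IP); constructed values.
FIXED_LEASES = [
    ("printer-1", "00:11:22:33:44:55", "192.168.0.20"),
    ("thinclient-7", "00:11:22:33:44:66", "192.168.0.21"),
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def expand_macros(line, green_address):
    """Replace the $GREEN_ADDRESS macro the way the appliance does when writing dhcpd.conf."""
    return line.replace("$GREEN_ADDRESS", green_address)


def check_custom_line(line):
    """Minimal syntax check for a dhcpd option statement: terminated by ';', quotes balanced.
    The appliance performs no such check, so a typo here can stop dhcpd from starting."""
    problems = []
    if not line.rstrip().endswith(";"):
        problems.append("missing trailing ';'")
    if line.count('"') % 2:
        problems.append("unbalanced double quotes")
    return problems


def check_fixed_leases(leases, subnet, dynamic_range):
    """Return a list of problems: malformed or duplicate MACs, IPs outside the zone
    subnet, duplicate IPs, and IPs that collide with the dynamic pool."""
    net = ipaddress.ip_network(subnet)
    lo, hi = (ipaddress.ip_address(a) for a in dynamic_range)
    seen_macs, seen_ips, problems = set(), set(), []
    for name, mac, ip in leases:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f"{name}: malformed MAC {mac}")
        elif mac in seen_macs:
            problems.append(f"{name}: duplicate MAC {mac}")
        seen_macs.add(mac)
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {ip} is outside {subnet}")
        elif lo <= addr <= hi:
            problems.append(f"{name}: {ip} lies inside the dynamic range")
        if addr in seen_ips:
            problems.append(f"{name}: duplicate IP {ip}")
        seen_ips.add(addr)
    return problems


def render_dhcpd_fragment(custom_lines, leases, green_address):
    """Render the custom option lines plus one host block per fixed lease, in dhcpd.conf syntax."""
    out = [expand_macros(line, green_address) for line in custom_lines]
    for name, mac, ip in leases:
        out += [f"host {name} {{",
                f"    hardware ethernet {mac.lower()};",
                f"    fixed-address {ip};",
                "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line in CUSTOM_LINES:
        for p in check_custom_line(line):
            print(f"custom line {line!r}: {p}")
    for p in check_fixed_leases(FIXED_LEASES, SUBNET, DYNAMIC_RANGE):
        print(p)
    print(render_dhcpd_fragment(CUSTOM_LINES, FIXED_LEASES, GREEN_ADDRESS))
```

The dynamic-range check matters because a fixed lease inside the pool can be handed to a different client by the server before the intended device asks for it; keeping reserved addresses outside the pool avoids the conflict.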
The DHCP section ends with a list of currently assigned dynamic IP addresses.
Select Services from the menu bar at the top of the screen, then select Dynamic DNS from the submenu on the left side of the screen.
Dynamic DNS providers like DynDNS offer a service that allows assigning a globally available domain name to IP addresses. This works even with addresses that are changing dynamically such as those offered by residential ADSL connections. For this to work, each time the IP address changes, the update must be actively propagated to the dynamic DNS provider.
Endian UTM Appliance contains a dynamic DNS client for 14 different providers - if enabled, it will automatically connect to the dynamic DNS provider and tell it the new IP address after every address change.
For each account (you might use more than one) click on the Add a host link, then specify the following parameters:
Please note that you still have to export a service to the RED zone if you want to be able to use your domain name to connect to your home/office system from the internet. The dynamic DNS provider just does the domain name resolution part for you. Exporting a service might typically involve setting up port forwarding (see Firewall, Port forwarding / NAT).
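To make concrete what "actively propagating the update after every address change" involves, here is an added example client that is not Endian's own dynamic DNS client. It assumes the provider speaks the widely used dyndns2 update protocol (an HTTPS GET with HTTP basic authentication whose reply is a single status word such as good, nochg or badauth); the endpoint URL, user agent, hostname and addresses are assumptions or constructed values. It sends an update only when the observed address differs from the last one the provider confirmed, and it stops after a reply that indicates a configuration or credential problem, since repeating such requests gets clients blocked for abuse.

```python
import base64
import urllib.parse
import urllib.request

# dyndns2-style update endpoint; assumption: the provider speaks this protocol (many do).
UPDATE_URL = "https://members.dyndns.org/nic/update"
USER_AGENT = "example-ddns-client/1.0 admin@example.invalid"  # providers require an identifying agent

# Provider reply words and what a client should do with them.
OK_REPLIES = {"good", "nochg"}
FATAL_REPLIES = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent"}  # fix config, stop
RETRY_REPLIES = {"911", "dnserr"}                                                # provider-side, retry later


def build_update_request(hostname, new_ip, username, password, url=UPDATE_URL):
    """HTTPS GET with HTTP basic auth, as the dyndns2 protocol expects.
    Credentials travel in the Authorization header, so the URL must be https."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": new_ip})
    req = urllib.request.Request(f"{url}?{query}")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("User-Agent", USER_AGENT)
    return req


def classify_reply(body):
    """Map the provider's one-word reply to ok / fatal / retry / unknown."""
    word = body.strip().split()[0] if body.strip() else ""
    if word in OK_REPLIES:
        return "ok"
    if word in FATAL_REPLIES:
        return "fatal"
    if word in RETRY_REPLIES:
        return "retry"
    return "unknown"


def http_send(req):
    """Real transport; the demo swaps in a fake so the example runs offline."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


class DdnsUpdater:
    """Remembers the last address the provider accepted and only sends an update when it changes."""

    def __init__(self, hostname, username, password, send=http_send):
        self.hostname, self.username, self.password, self.send = hostname, username, password, send
        self.confirmed_ip = None
        self.disabled = False  # set after a fatal reply so we do not hammer the provider

    def observe(self, current_ip):
        """Call after each check of the RED address; returns the action taken."""
        if self.disabled:
            return "disabled"
        if current_ip == self.confirmed_ip:
            return "unchanged"
        req = build_update_request(self.hostname, current_ip, self.username, self.password)
        result = classify_reply(self.send(req))
        if result == "ok":
            self.confirmed_ip = current_ip
        elif result == "fatal":
            self.disabled = True
        return result


class FakeProvider:
    """Constructed stand-in for the provider: records request URLs, answers with canned replies."""

    def __init__(self, replies):
        self.replies, self.requests = list(replies), []

    def __call__(self, req):
        self.requests.append(req.full_url)
        return self.replies.pop(0)


if __name__ == "__main__":
    fake = FakeProvider(["good 203.0.113.5", "good 203.0.113.9"])
    updater = DdnsUpdater("home.example.invalid", "user", "secret", send=fake)
    for ip in ["203.0.113.5", "203.0.113.5", "203.0.113.9"]:
        print(ip, updater.observe(ip))
    print(fake.requests)
```

Passing a real send function (the http_send above) turns the same object into a working client; the provider's documentation should be checked for its exact endpoint and reply words, which are assumed here.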
Select Services from the menu bar at the top of the screen, then select Antivirus Engine from the submenu on the left side of the screen.
New in version 2.3.
This section is only available if you have installed the optional Sophos antivirus module. You can specify for each service whether you want to use Sophos or ClamAV. The following services are supported:
To save your settings click on the Save button at the bottom of the page. Do not forget to Apply afterwards.
This section lets you configure how ClamAV should handle archive bombs (see the next paragraph for an explanation) and how often information about new viruses is downloaded (“signature update schedule”). You can also see when the last scheduled update has been performed as well as manually start an update.
Archive bombs are archives that use a number of tricks to overload antivirus software to the point where it hogs most of the firewall’s resources (a denial of service attack). Tricks include small archives made of large files with repeated content that compress extremely well (for example, a 1 GB file containing only zeros compresses down to just 1 MB with zip), multiple nested archives (e.g. zip files inside zip files), archives that contain a very large number of empty files, and so on.
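The attributes a scanner looks at to decide whether an archive is worth unpacking are exactly the ones the tricks above exploit: compression ratio, nesting depth, file count and the size of the largest member. The following script is an added example, not ClamAV's code or its actual limit values, that inspects a zip using only its central directory (so nothing is extracted to disk), descends into nested zips while refusing to open any member that is declared larger than the per-file limit, and reports which limits the archive trips. The thresholds and the three constructed sample archives (a zero-filled file, 20 levels of zip-in-zip, and thousands of empty files) are constructed for the example.

```python
import io
import zipfile

# Example limits in the spirit of ClamAV's archive limits; values constructed for this example.
MAX_FILES = 2000                  # members across all nesting levels
MAX_FILE_SIZE = 25 * 1024 * 1024  # largest single member we are willing to unpack
MAX_RECURSION = 16                # nesting depth of archives inside archives
MAX_RATIO = 100                   # declared uncompressed / compressed size


def inspect_zip(data, depth=0, stats=None):
    """Walk a zip and any nested zips using only the central directory (no extraction to disk).
    Sizes come from the archive's own headers, so a crafted file can lie about them; the limits
    are what keep a scanner from spending unbounded work on those numbers."""
    if stats is None:
        stats = {"files": 0, "max_file_size": 0, "max_depth": 0,
                 "uncompressed": 0, "compressed": 0, "truncated": False}
    stats["max_depth"] = max(stats["max_depth"], depth)
    if depth > MAX_RECURSION:
        stats["truncated"] = True  # stop descending; deep nesting is itself the signal
        return stats
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stats["files"] += 1
            stats["max_file_size"] = max(stats["max_file_size"], info.file_size)
            stats["uncompressed"] += info.file_size
            stats["compressed"] += info.compress_size
            if stats["files"] > MAX_FILES:
                stats["truncated"] = True
                return stats
            # Only open a nested archive if its declared size is within the per-file limit;
            # reading a huge member into memory would be the resource exhaustion we guard against.
            if info.filename.lower().endswith(".zip") and info.file_size <= MAX_FILE_SIZE:
                inspect_zip(zf.read(info), depth + 1, stats)
    return stats


def verdict(stats):
    """Return the names of the limits the archive trips; an empty list means scan it normally."""
    reasons = []
    if stats["files"] > MAX_FILES:
        reasons.append("file-count")
    if stats["max_file_size"] > MAX_FILE_SIZE:
        reasons.append("file-size")
    if stats["max_depth"] > MAX_RECURSION:
        reasons.append("nesting")
    if stats["compressed"] and stats["uncompressed"] / stats["compressed"] > MAX_RATIO:
        reasons.append("ratio")
    return reasons


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one per trick named on the page, plus a benign archive.
ZERO_BOMB = make_zip({"zeros.bin": b"\0" * (1024 * 1024)})  # highly compressible content
NESTED = make_zip({"payload.txt": b"hi"})
for _ in range(20):                                         # zip inside zip, 20 levels deep
    NESTED = make_zip({"inner.zip": NESTED})
MANY_EMPTY = make_zip({f"empty{i}.txt": b"" for i in range(MAX_FILES + 1)})
BENIGN = make_zip({"data.bin": bytes(range(256)) * 4})      # low-redundancy content

if __name__ == "__main__":
    for label, sample in [("zero bomb", ZERO_BOMB), ("nested", NESTED),
                          ("many empty files", MANY_EMPTY), ("benign", BENIGN)]:
        print(label, verdict(inspect_zip(sample)))
```

Because the sizes are read from headers, the ratio and file-size checks are cheap and happen before any decompression; the nesting check is the only one that has to open inner archives, which is why it is bounded by both the depth and the per-member size limit.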
To avoid these types of attack, ClamAV is preconfigured not to scan archives that have certain attributes, as configured here:
Another important aspect of running ClamAV is the antivirus signature update: information about new viruses must be downloaded periodically from a ClamAV server. The configuration pane (top right) lets you choose how often these updates are performed - the default is once every hour. Tip: move the mouse over the question marks to see when exactly the updates are performed in each case - the default is one minute past the full hour.
This section shows when the last update has been performed and what the latest version of ClamAV’s antivirus signatures is.
Click on Update signatures now to perform an update right now (regardless of scheduled updates) - note that this might take some time. There is also a link to ClamAV’s online virus database in case you are looking for information about a specific virus.
On this page you can select how often new signatures from Sophos should be downloaded. Possible options are:
Finally click on the button at the bottom of the page to Save your settings.
Select Services from the menu bar at the top of the screen, then select Time server from the submenu on the left side of the screen.
Endian UTM Appliance keeps the system time synchronized to time server hosts on the internet by using the network time protocol (NTP).
A number of time server hosts on the internet are preconfigured and used by the system. Click on Override default NTP servers to specify your own time server hosts. This might be necessary if you are running a setup that does not allow Endian UTM Appliance to reach the internet. These hosts have to be added one per line.
Your current time zone setting can also be changed in this section.
The last form in this section gives you the possibility to manually change the system time. This makes sense if the system clock is way off and you would like to speed up synchronization (since automatic synchronization using time servers is not done instantly).
Select Services from the menu bar at the top of the screen, then select Spam Training from the submenu on the left side of the screen.
SpamAssassin can be configured to learn automatically which emails are spam mails and which are not (so-called ham mails). To be able to learn, it needs to connect to an IMAP host and check pre-defined folders for spam and ham messages.
The default configuration is not used for training. All it does is provide default configuration values that are inherited by the real training sources which can be added below. By clicking on the Edit default configuration link a new pane appears where the default values can be set:
Spam training sources can be added in the section below. By clicking on the Add IMAP spam training source link a new pane appears. The options for the additional training hosts are similar to the default configuration options. The only thing that is missing is the scheduling. This will always be inherited from the default configuration. Three additional options are available.
The other options can be defined just like in the default configuration. If they are defined they override the default values. To save a source it is necessary to click on the Update Training Source button after all desired values have been set. A source can be tested, enabled, disabled, edited or removed by clicking on the appropriate icon in its row. The icons are explained in the legend at the bottom of the page.
It is also possible to check all connections by clicking on the Test all connections button. Note that this can take some time if many training sources have been defined or the connection to the IMAP servers is slow. To start the training immediately, the Start training now button has to be clicked. It is important to note that training can take a long time depending on the number of sources, the connection speed and, most importantly, on the number of emails that will be downloaded.
You can also train the antispam engine manually if the SMTP Proxy is enabled for incoming as well as for outgoing mails. This is done by sending spam mails to spam@spam.spam. Non-spam mails can be sent to ham@ham.ham. For this to work it is necessary that spam.spam and ham.ham can be resolved. Typically this is achieved by adding these two hostnames to the host configuration in Network, Edit hosts, Add a host on your Endian UTM Appliance.
New in version 2.3.
Select Services from the menu bar at the top of the screen, then select Intrusion Prevention from the submenu on the left side of the screen.
Endian UTM Appliance includes the well known intrusion detection (IDS) and prevention (IPS) system Snort. It is directly built into the IP-firewall (Snort inline).
Snort can be enabled by clicking on the Enable Intrusion Prevention System service switch. The following options are available:
Once the rules are on the Endian UTM Appliance you can see a list of rulesets and the number of rules they contain on this page. You can also modify the default behavior for each ruleset on this page. It is possible to activate or deactivate rulesets. By default the policy of all rulesets is set to alert. This behavior can be changed by clicking on the alert icon which will then turn into a red shield. This means that after clicking the Apply button the chosen ruleset will not cause alerts anymore but will block traffic that matches its rules. A ruleset can be deleted by clicking on the trash can icon. By clicking on the pencil icon you will be redirected to a new page where you can edit every single rule.
At the top of this page you can select the rulesets you want to edit. After selecting and clicking the Edit button you will see a list of rules that are part of the ruleset(s) you selected. You can also search in your selection by entering the term you are searching for in the Search field. Just like in the Rules page you can change the behavior of every single entry. However, clicking on the trash can icon will not remove the rule but restore its default behavior.
Please note that turning on the Intrusion Prevention System alone does not filter any traffic: it only means that Snort is running. In the various Firewall pages you can specify which traffic should be scanned by Snort by using the Allow with IPS Filter policy.
Endian UTM Appliance can be easily run in high availability (HA) mode. At least 2 Endian UTM Appliance machines are required for HA mode: one assumes the role of the active (master) firewall while the others are standby (slave) firewalls.
If the master firewall fails, an election between the slaves will take place and one of them will be promoted to the new master, providing for transparent failover.
To set up such a HA configuration, first set up the firewall that is going to be the master:
Set up the firewall that is going to be the slave:
At this point the slave cannot be reached anymore via its old IP address (factory default or previous GREEN address) since it is in standby mode. It is connected to the master only through the management network.
If you log in to the master again, on the HA page you can see a list of connected slaves. If you click on the Go to Management GUI link you can open the slave’s administration web interface via the management network (routed via the master firewall).
Select Services from the menu bar at the top of the screen, then select Traffic Monitoring from the submenu on the left side of the screen.
Traffic monitoring is done by ntop and can be enabled or disabled by clicking on the main switch on this page. Once traffic monitoring is enabled a link to the monitoring administration interface appears in the lower section of the page. This administration interface is provided by ntop and includes detailed traffic statistics. ntop displays summaries as well as detailed information. The traffic can be analyzed by host, protocol, local network interface and many other types of information. For detailed information about the ntop administration interface please have a look at About, Online Documentation on the ntop administration interface itself or visit the ntop documentation page.
New in version 2.3.
The Simple Network Management Protocol (SNMP) is used to monitor network-attached devices. Since version 2.3 Endian UTM Appliance features a built-in SNMP server. To access the SNMP Server settings you must select Services from the menu bar at the top of the screen, then select SNMP Server from the submenu on the left side of the screen.
If you want to enable the SNMP Server all you have to do is click on the Service Switch. A few options will appear. The Community String is a key that is needed to read the data with an SNMP client. The Location can be set to anything; however, it should describe the location of your Endian UTM Appliance. The SNMP Server requires an email address to be configured. This email address represents the system contact. If you set up a global email address during the installation procedure and want to use this address, you may leave the checkbox as it is. If you want to use a custom email address here, you must tick the Override global notification email address checkbox and enter your custom email address into the System contact email address field. Finally click Save to apply the settings.
New in version 2.3.
Select Services from the menu bar at the top of the screen, then select Quality of Service from the submenu on the left side of the screen.
The purpose of the Quality of Service and Bandwidth Management module is to prioritize the IP traffic that is going through your firewall depending on the service. Applications that typically need to be prioritized over bulk traffic like downloads are interactive services such as Secure Shell (SSH) or voice over IP (VoIP).
On this page you can see a list of all Quality of Service Devices that have been created. This list contains the following columns.
To configure a new device you must click on the Add Quality of Service Device link. You can edit, enable/disable or remove a device by clicking on the respective icon.
On this page you can see a list of all Quality of Service classes that have been created. The following information is displayed in the list.
The created classes can be edited, moved and deleted by clicking on the respective icon. To add a new class just click on the Add Quality of Service Class link.
Note
Please note that the sum of reserved percentages cannot be greater than 100 per device.
On this page you can see a list of defined Quality of Service Rules and can specify which type of traffic should belong to one of the classes you have specified in the Classes page. To add a new Quality of Service rule click on the Add Quality of Service Rule link. The following must be specified:
Click on Add/Change to save the settings and apply the new rule.
Please note that if there is more than one service in a Quality of Service class then all these services together will share the reserved bandwidth.