The Services Menu

Select Services from the menu bar at the top of the screen.

Endian UTM Appliance can provide a number of useful services that can be configured in this section. In particular, these include services used by the various proxies, such as the ClamAV antivirus. Intrusion detection, high availability and traffic monitoring can be enabled here as well. Following is a list of links that appear in the submenu on the left side of the screen:

  • DHCP server - DHCP (Dynamic Host Configuration Protocol) server for automatic IP assignment
  • Dynamic DNS - Client for dynamic DNS providers such as DynDNS (for home / small office use)
  • Antivirus Engine - configure the antivirus engine used by the mail-, web-, pop- and ftp-proxies
  • Time server - enable/configure NTP time server, set time zone or update time manually
  • Spam Training - configure training for the spam filter used by the mail proxies
  • Intrusion Prevention - configure the intrusion prevention system (IPS) Snort
  • High availability - configure your Endian UTM Appliance in a high availability setup
  • Traffic Monitoring - enable or disable traffic monitoring with ntop
  • SNMP Server - enable or disable support for the Simple Network Management Protocol
  • Quality of Service - prioritize your IP traffic

Each link will be explained in the following sections.

DHCP server

Select Services from the menu bar at the top of the screen, then select DHCP server from the submenu on the left side of the screen.

The DHCP (Dynamic Host Configuration Protocol) service allows you to control the IP address configuration of all your network devices from Endian UTM Appliance in a centralized way.

When a client (a host or another device such as a networked printer) joins your network it automatically gets a valid IP address from a range of addresses, plus other settings, from the DHCP service. The client must be configured to use DHCP; on most systems this is labeled “automatic network configuration” and is the default setting. You may choose to provide this service to clients on your GREEN zone only, or also to devices on the ORANGE (DMZ) or BLUE (WLAN) zone. Just tick the check boxes labeled Enabled accordingly.

Click on the Settings link to define the DHCP parameters as described below:

Start address / End address
Specify the range of addresses to be handed out. These addresses have to be within the subnet that has been assigned to the corresponding zone. If you want to configure some hosts to use manually assigned IP addresses or fixed IP addresses (see below), be sure to define a range that does not include these addresses or addresses from the OpenVPN address pool (see OpenVPN, OpenVPN server) to avoid conflicts. If you intend to use fixed leases only (see below), leave these fields empty.
Default / Max lease time
This defines the default / maximum time in minutes before the IP assignment expires and the client has to request a new lease from the DHCP server.
Domain name suffix
This is the default domain name suffix that is passed to the clients. When the client looks up a hostname, it will first try to resolve the requested name. If that is not possible, the client will append this domain name suffix preceded by a dot and try again. Example: if the fully qualified domain name of your local file server is earth.example.com and this suffix is “example.com”, the clients will be able to resolve the server by the name “earth”.
Primary / Secondary DNS
This specifies the domain name servers (DNS) to be used by your clients. Since Endian UTM Appliance contains a caching DNS server, the default value is the firewall’s own IP address in the respective zone.
Primary / Secondary NTP server
Here you can specify the Network Time Protocol (NTP) servers to be used by your clients (to keep the clocks synchronized on all clients).
Primary / Secondary WINS server
This setting specifies the Windows Internet Name Service (WINS) servers to be used by your clients (for Microsoft Windows networks that use WINS).

Advanced users might wish to add custom configuration lines to dhcpd.conf in the text area below the settings forms. Be aware that the Endian UTM Appliance’s interface does not perform any syntax check on these lines: a mistake here can prevent the DHCP server from starting. If you have shell access, ISC dhcpd can check a configuration file for syntax errors when started with the -t option, which is a cheap test before you rely on such lines.

Example: The following extra lines may be used to handle VoIP telephones that need to retrieve their configuration files from an HTTP server at boot time:

option tftp-server-name "http://$GREEN_ADDRESS";
option bootfile-name "download/snom/{mac}.html";

Note the use of $GREEN_ADDRESS which is a macro that is replaced with the firewall’s own GREEN interface address.

Fixed leases

Sometimes certain devices must always use the same IP address while still being configured by DHCP. Clicking on the Add a fixed lease link allows you to assign static IP addresses to such devices, which are identified by their MAC addresses. Note that this is still very different from setting the addresses manually on each device, since each device still contacts the DHCP server to get its address.

A typical use case for this is the case of thin clients on your network that boot the operating system image from a network server using PXE (Preboot Execution Environment).

The following parameters can be set to define fixed leases:

MAC address
the client’s MAC address
IP address
the IP address that will always be assigned to this client
Description
optional description
Next address
the address of the TFTP server (only for thin clients / network boot)
Filename
the boot image file name (only for thin clients / network boot)
Root path
the path of the boot image file (only for thin clients / network boot)
Enabled
if this checkbox is not ticked the fixed lease will be stored but not written to dhcpd.conf

Every fixed lease can be enabled, disabled, edited or removed by clicking on the respective icon (icons are described in the legend at the bottom of the fixed leases table).
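The settings and fixed-lease forms above boil down to a dhcpd.conf fragment, and the warnings they carry (range inside the zone subnet, no overlap with fixed leases or the OpenVPN pool, no syntax check on extra lines) are exactly what one wants to verify before clicking Apply. The following is an added example written for this page, not Endian's own code: it checks a zone definition for those conflicts and renders the corresponding ISC dhcpd configuration. Field names mirror the web form; it assumes the form's lease times in minutes become seconds in dhcpd.conf and that $GREEN_ADDRESS-style macros are a plain substitution of the zone's own address. All addresses and MACs are constructed.

```python
"""Check an Endian-style DHCP zone for conflicts and render its dhcpd.conf
fragment.  Added example, not Endian's code.  Assumed: form lease times in
minutes map to seconds in dhcpd.conf; $<ZONE>_ADDRESS is a text macro."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FixedLease:
    mac: str
    ip: str
    next_address: str = ""       # TFTP server, network boot only
    filename: str = ""           # boot image, network boot only
    enabled: bool = True         # unticked = stored, but not written to dhcpd.conf


@dataclass
class Zone:
    name: str                    # GREEN, ORANGE or BLUE
    address: str                 # the firewall's own address in this zone
    subnet: str                  # zone subnet in CIDR form
    start: str = ""              # dynamic range; leave empty for fixed leases only
    end: str = ""
    default_lease_min: int = 60
    max_lease_min: int = 120
    domain_suffix: str = ""
    dns: list = field(default_factory=list)      # empty = the firewall itself
    ntp: list = field(default_factory=list)
    wins: list = field(default_factory=list)
    fixed: list = field(default_factory=list)
    extra_lines: list = field(default_factory=list)


def check_zone(zone, openvpn_pool=None):
    """Return the conflicts found; an empty list means the zone is consistent."""
    problems = []
    net = ipaddress.ip_network(zone.subnet, strict=False)
    fixed = [(f, ipaddress.ip_address(f.ip)) for f in zone.fixed]
    problems += [f"fixed lease {f.ip} ({f.mac}) is outside {net}" for f, ip in fixed if ip not in net]
    if not (zone.start and zone.end):
        return problems                        # fixed leases only: no range to check
    lo, hi = ipaddress.ip_address(zone.start), ipaddress.ip_address(zone.end)
    if lo > hi:
        problems.append(f"start {lo} is after end {hi}")
    if lo not in net or hi not in net:
        problems.append(f"range {lo}-{hi} is not inside {net}")
    if lo <= ipaddress.ip_address(zone.address) <= hi:
        problems.append(f"range includes the firewall's own address {zone.address}")
    problems += [f"fixed lease {f.ip} ({f.mac}) lies inside the dynamic range" for f, ip in fixed if lo <= ip <= hi]
    if openvpn_pool:                           # the pool must not overlap the range either
        pool = ipaddress.ip_network(openvpn_pool, strict=False)
        if pool.network_address <= hi and pool.broadcast_address >= lo:
            problems.append(f"range overlaps the OpenVPN address pool {pool}")
    return problems


def render_zone(zone):
    """dhcpd.conf fragment: one subnet block plus one host block per enabled fixed lease."""
    net = ipaddress.ip_network(zone.subnet, strict=False)
    out = [f"subnet {net.network_address} netmask {net.netmask} {{"]
    if zone.start and zone.end:
        out.append(f"  range {zone.start} {zone.end};")
    out.append(f"  option routers {zone.address};")
    if zone.domain_suffix:
        out.append(f'  option domain-name "{zone.domain_suffix}";')
    for opt, values in (("domain-name-servers", zone.dns or [zone.address]),
                        ("ntp-servers", zone.ntp), ("netbios-name-servers", zone.wins)):
        if values:
            out.append(f"  option {opt} {', '.join(values)};")
    out.append(f"  default-lease-time {zone.default_lease_min * 60};")
    out.append(f"  max-lease-time {zone.max_lease_min * 60};")
    out += ["  " + line.replace(f"${zone.name}_ADDRESS", zone.address) for line in zone.extra_lines]
    out.append("}")
    for f in zone.fixed:
        if not f.enabled:
            continue
        out.append(f"host lease-{f.mac.lower().replace(':', '')} {{")
        out.append(f"  hardware ethernet {f.mac.lower()};")
        out.append(f"  fixed-address {f.ip};")
        out += [f"  next-server {f.next_address};"] if f.next_address else []
        out += [f'  filename "{f.filename}";'] if f.filename else []
        out.append("}")
    return "\n".join(out)


GREEN = Zone(                                  # constructed sample zone
    "GREEN", "192.168.0.1", "192.168.0.0/24", "192.168.0.100", "192.168.0.200",
    domain_suffix="example.com",
    fixed=[FixedLease("00:11:22:33:44:55", "192.168.0.10", "192.168.0.5", "pxelinux.0")],
    extra_lines=['option tftp-server-name "http://$GREEN_ADDRESS";',
                 'option bootfile-name "download/snom/{mac}.html";'],
)

if __name__ == "__main__":
    print(check_zone(GREEN, openvpn_pool="10.8.0.0/24") or "no conflicts")
    print(render_zone(GREEN))
```

Run it as-is to see the rendered fragment; change the sample fixed lease to 192.168.0.150 or the OpenVPN pool to 192.168.0.192/26 and check_zone reports the overlap the settings text warns about.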

List of current dynamic leases

The DHCP section ends with a list of the currently assigned dynamic IP addresses.

Dynamic DNS

Select Services from the menu bar at the top of the screen, then select Dynamic DNS from the submenu on the left side of the screen.

Dynamic DNS providers like DynDNS offer a service that allows assigning a globally available domain name to IP addresses. This works even with addresses that are changing dynamically such as those offered by residential ADSL connections. For this to work, each time the IP address changes, the update must be actively propagated to the dynamic DNS provider.

Endian UTM Appliance contains a dynamic DNS client for 14 different providers - if enabled, it will automatically connect to the dynamic DNS provider and tell it the new IP address after every address change.

For each account (you might use more than one) click on the Add a host link, then specify the following parameters:

Service
choose the dynamic DNS provider
Behind a proxy
(only applies if you use the no-ip.com service) check this box if your Endian UTM Appliance is connecting to the internet through a proxy
Enable wildcards
some dynamic DNS providers allow having all sub domains of your domain point to your IP address, i.e. www.example.dyndns.org and example.dyndns.org will both resolve to the same IP address: by checking this box you enable this feature (if supported by your dynamic DNS provider)
Hostname and Domain
the hostname and domain as registered with your dynamic DNS provider, for instance “example” and “dyndns.org”
Username and Password
as given to you by your dynamic DNS provider
behind Router (NAT)
check this if your Endian UTM Appliance is not directly connected to the internet, i.e. behind another router / gateway: in this case the service at http://checkip.dyndns.org is used to find out what your external IP address is
Enabled
check to enable (default)

Please note that you still have to export a service to the RED zone if you want to be able to use your domain name to connect to your home/office system from the internet. The dynamic DNS provider only does the domain name resolution part for you. Exporting a service typically involves setting up port forwarding (see Firewall, Port forwarding / NAT).

Antivirus Engine

Select Services from the menu bar at the top of the screen, then select Antivirus Engine from the submenu on the left side of the screen.

Settings

New in version 2.3.

This section is only available if you have installed the optional Sophos antivirus module. You can specify for each service whether you want to use Sophos or ClamAV. The following services are supported:

  • HTTP Proxy
  • SMTP Proxy
  • POP3 Proxy
  • FTP Proxy

To save your settings click on the Save button at the bottom of the page. Do not forget to Apply afterwards.

Clamav Antivirus

This section lets you configure how ClamAV should handle archive bombs (see the next paragraph for an explanation) and how often information about new viruses is downloaded (“signature update schedule”). You can also see when the last scheduled update has been performed as well as manually start an update.

Anti archive bomb configuration

Archive bombs are archives that use a number of tricks to load antivirus software to the point that it hogs most of the firewall’s resources (a denial of service attack). Tricks include sending small archives made of large files with repeated content that compresses well (for example, a 1 GB file containing only zeros compresses down to about 1 MB with zip), multiple nested archives (e.g. zip files inside zip files), or archives that contain a very large number of empty files.

To avoid these types of attack, ClamAV is preconfigured not to scan archives that have certain attributes, as configured here:

Max. archive size
Archives larger than this size in MB are not scanned.
Max. nested archives
Archives containing archives are not scanned if the nesting exceeds this number of levels.
Max. files in archive
Archives are not scanned if they contain more than this number of files.
Max compression ratio
Archives whose uncompressed size exceeds the compressed archive size by more than X times, where X is the specified number, are not scanned. The default value is 1000; note that normal files typically uncompress to no more than 10 times the size of the compressed archive.
Handle bad archives
What should happen to archives that are not scanned because of the above settings: it is possible to choose between “Do not scan but pass” and “Block as virus”.
Block encrypted archives
Since it’s technically impossible to scan encrypted (password protected) archives, they might constitute a security risk and you might want to block them by checking this box.
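To make the interplay of these limits concrete, here is an added example written for this page (it is not ClamAV's or Endian's code): it applies the same four limits plus the encrypted-archive rule to a zip file by reading only the zip headers, never inflating an entry that has already tripped a limit, and turns the outcome into the pass/block decision the settings describe. The limit defaults are the ones named above; "nested" counts archive-inside-archive levels below the top-level file. All sample archives are constructed in memory, and the "encrypted" one only carries the encryption flag bit rather than real encryption.

```python
"""Apply ClamAV-style archive bomb limits to a zip by inspecting its headers.
Added example, not ClamAV's or Endian's code.  Limits default to the values
named on the page; the sample archives are constructed in memory."""
import io
import zipfile
from dataclasses import dataclass


@dataclass
class Limits:
    max_archive_mb: int = 10
    max_nested: int = 1
    max_files: int = 1000
    max_ratio: int = 1000        # page default; ordinary data stays far below this
    block_bad: bool = True       # True = "Block as virus", False = "Do not scan but pass"
    block_encrypted: bool = True


def check_archive(data, lim, depth=0, reasons=None):
    """Append one reason per exceeded limit; recurse into nested zips only while safe."""
    reasons = [] if reasons is None else reasons
    if len(data) > lim.max_archive_mb * 1024 * 1024:
        reasons.append(f"archive is {len(data)} bytes > {lim.max_archive_mb} MB")
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > lim.max_files:
            reasons.append(f"{len(infos)} files > max {lim.max_files}")
        for zi in infos:
            if zi.flag_bits & 0x1:                       # general purpose bit 0: encrypted
                reasons.append(f"encrypted entry {zi.filename}")
                continue
            if zi.compress_size and zi.file_size > lim.max_ratio * zi.compress_size:
                reasons.append(f"{zi.filename}: ratio {zi.file_size // zi.compress_size}:1 "
                               f"> {lim.max_ratio}:1")
                continue                                 # never inflate a suspected bomb
            if zi.filename.lower().endswith(".zip"):
                if depth + 1 > lim.max_nested:
                    reasons.append(f"{zi.filename}: nesting {depth + 1} > max {lim.max_nested}")
                elif zi.file_size <= lim.max_archive_mb * 1024 * 1024:
                    check_archive(zf.read(zi), lim, depth + 1, reasons)
    return reasons


def verdict(data, lim):
    """'scan' (within limits), 'pass' (admitted without scanning) or 'block'."""
    reasons = check_archive(data, lim)
    encrypted = [r for r in reasons if r.startswith("encrypted")]
    exceeded = [r for r in reasons if not r.startswith("encrypted")]
    if encrypted and lim.block_encrypted:
        return "block", reasons
    if exceeded:
        return ("block" if lim.block_bad else "pass"), reasons
    return ("pass" if encrypted else "scan"), reasons


def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def samples():
    """Constructed archives, one per limit (the 'encrypted' one only sets the flag bit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("secret.txt")
        zf.writestr(info, b"not really encrypted")
        info.flag_bits |= 0x1          # written to the central directory on close
    return {
        "normal": make_zip([("report.txt", bytes(range(256)) * 4)]),
        "ratio_bomb": make_zip([("zeros.bin", b"\0" * (8 * 1024 * 1024))]),  # ~1030:1
        "nested": make_zip([("a.zip", make_zip([("b.zip", make_zip([("c.txt", b"x")]))]))]),
        "many_files": make_zip([(f"f{i}", b"") for i in range(20)]),
        "encrypted": buf.getvalue(),
    }


def run_samples(lim=None):
    lim = lim or Limits(max_files=10)
    return {name: verdict(data, lim)[0] for name, data in samples().items()}


if __name__ == "__main__":
    for name, data in samples().items():
        print(name, *verdict(data, Limits(max_files=10)))
```

The ratio test is done per entry from the header sizes, so a deflated stream of zeros (about 1030:1) is refused without ever being inflated; flipping block_bad to False reproduces "Do not scan but pass", and clearing block_encrypted admits the flagged archive unscanned.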

ClamAV signature update schedule configuration

Another important aspect of running ClamAV is the antivirus signature update: information about new viruses must be downloaded periodically from a ClamAV server. The configuration pane (top right) lets you choose how often these updates are performed; the default is once every hour. Tip: move the mouse over the question marks to see when exactly the updates are performed in each case; the default is one minute past the full hour.

ClamAV virus signatures

This section shows when the last update has been performed and what the latest version of ClamAV’s antivirus signatures is.

Click on Update signatures now to perform an update right now (regardless of scheduled updates) - note that this might take some time. There is also a link to ClamAV’s online virus database in case you are looking for information about a specific virus.

Sophos AntiVirus

On this page you can select how often new signatures from Sophos should be downloaded. Possible options are:

  • hourly
  • daily
  • weekly
  • monthly

Finally click on the button at the bottom of the page to Save your settings.

Time server

Select Services from the menu bar at the top of the screen, then select Time server from the submenu on the left side of the screen.

Endian UTM Appliance keeps the system time synchronized to time server hosts on the internet by using the network time protocol (NTP).

A number of time server hosts on the internet are preconfigured and used by the system. Click on Override default NTP servers to specify your own time server hosts. This might be necessary if you are running a setup that does not allow Endian UTM Appliance to reach the internet. These hosts have to be added one per line.

Your current time zone setting can also be changed in this section.

The last form in this section gives you the possibility to manually change the system time. This makes sense if the system clock is way off and you would like to speed up synchronization (since automatic synchronization using time servers is not done instantly).

Spam Training

Select Services from the menu bar at the top of the screen, then select Spam Training from the submenu on the left side of the screen.

SpamAssassin can be configured to learn automatically which emails are spam and which are not (so called ham). To be able to learn, it needs to connect to an IMAP host and check pre-defined folders for spam and ham messages.

The default configuration is not used for training. All it does is provide default configuration values that are inherited by the real training sources which can be added below. By clicking on the Edit default configuration link a new pane appears where the default values can be set:

Default IMAP host
the IMAP host that contains the training folders
Default username
the login name for the IMAP host
Default password
the password of the user
Default ham folder
the name of the folder that contains only ham messages
Default spam folder
the name of the folder that contains only spam messages
Schedule an automatic spam filter training
the interval between checks. This can either be disabled or be an hourly, daily, weekly, or monthly interval. For exact information about the scheduled time you can move your mouse cursor over the question mark next to the chosen interval.

Spam training sources can be added in the section below. By clicking on the Add IMAP spam training source link a new pane appears. The options for the additional training hosts are similar to the default configuration options. The only thing that is missing is the scheduling. This will always be inherited from the default configuration. Three additional options are available.

Enabled
if this box is ticked the training source will be used whenever spamassassin is trained
Remark
in this field it is possible to save a comment that reminds you of the purpose of this source later on
Delete processed mails
if this box is ticked mails will be deleted after they have been processed

The other options can be defined just like in the default configuration. If they are defined they override the default values. To save a source it is necessary to click on the Update Training Source button after all desired values have been set. A source can be tested, enabled, disabled, edited or removed by clicking on the appropriate icon in its row. The icons are explained in the legend at the bottom of the page.

It is also possible to check all connections by clicking on the Test all connections button. Note that this can take some time if many training sources have been defined or the connection to the IMAP servers is slow. To start the training immediately, click on Start training now. Note that training can take a long time depending on the number of sources, the connection speed and, most importantly, the number of emails that will be downloaded.

You can also train the antispam engine manually if the SMTP Proxy is enabled for incoming as well as for outgoing mails. This is done by sending spam mails to spam@spam.spam. Non-spam mails can be sent to ham@ham.ham. For this to work it is necessary that spam.spam and ham.ham can be resolved. Typically this is achieved by adding these two hostnames to the host configuration in Network, Edit hosts, Add a host on your Endian UTM Appliance.

Intrusion Prevention

New in version 2.3.

Select Services from the menu bar at the top of the screen, then select Intrusion Prevention from the submenu on the left side of the screen.

Endian UTM Appliance includes the well known intrusion detection (IDS) and prevention (IPS) system Snort. It is directly built into the IP-firewall (Snort inline).

Intrusion Prevention System

Snort can be enabled by clicking on the Enable Intrusion Prevention System service switch. The following options are available:

Automatically fetch Snort Rules
this will automatically download Snort rules from the Emerging Threats website (http://www.emergingthreats.net/)
Update rules now
download the current Emerging Threats rules immediately
Choose update schedule
how often should the rules be updated - can be one of Hourly, Daily, Weekly or Monthly
Custom SNORT Rules
if you have custom SNORT rules you want to use, you can upload them here

Rules

Once the rules are on the Endian UTM Appliance you can see a list of rulesets and the number of rules they contain on this page. You can also modify the default behavior for each ruleset on this page. It is possible to activate or deactivate rulesets. By default the policy of all rulesets is set to alert. This behavior can be changed by clicking on the alert icon which will then turn into a red shield. This means that after clicking the Apply button the chosen ruleset will not cause alerts anymore but will block traffic that matches its rules. A ruleset can be deleted by clicking on the trash can icon. By clicking on the pencil icon you will be redirected to a new page where you can edit every single rule.

Editor

At the top of this page you can select the rulesets you want to edit. After selecting them and clicking the Edit button you will see a list of the rules that are part of the selected ruleset(s). You can also search within your selection by entering a term in the Search field. Just like on the Rules page you can change the behavior of every single entry. However, clicking on the trash can icon here does not remove the rule but restores its default behavior.

Please note that turning on the Intrusion Prevention System by itself does not inspect any traffic; it only means that Snort is running. In the various Firewall pages you specify which traffic Snort should scan by using the Allow with IPS Filter policy.
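What the Rules and Editor pages do to a ruleset can be shown on the rule text itself. The following is an added example written for this page, not Endian's or Snort's code: a small parser for Snort rule lines and the policy switch described above, where "alert" keeps a rule log-only, "block" makes Snort inline drop matching packets and "off" disables the rule, with per-rule overrides standing in for the Editor page. Snort inline expresses blocking with the drop action; that the appliance implements the red shield by rewriting rule actions this way is an assumption made here. The rules in the block are constructed for the example, with sids in the local 1000000+ range.

```python
"""Parse Snort rules and apply an alert/block/off policy per ruleset and per sid.
Added example, not Endian's or Snort's code.  Assumed: 'block' is implemented by
rewriting the rule action to Snort inline's 'drop'.  Sample rules are constructed."""
import re

HEADER = re.compile(
    r"^(?P<off>#\s*)?(?P<action>alert|drop|sdrop|reject|log|pass)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
ACTION_FOR = {"alert": "alert", "block": "drop"}


def split_options(text):
    """Split 'key:value; key2;' on semicolons that are not inside a quoted string."""
    out, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    out.append(cur.strip())
    return [o for o in out if o]


def parse_rule(line):
    """Header fields plus sid/msg of one rule, or None for blank and comment lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in split_options(m["opts"]):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {
        "enabled": m["off"] is None, "action": m["action"], "proto": m["proto"],
        "src": m["src"], "sport": m["sport"], "dir": m["dir"], "dst": m["dst"],
        "dport": m["dport"], "sid": int(opts.get("sid", 0)), "msg": opts.get("msg", ""),
        "opts": m["opts"],
    }


def apply_policy(ruleset_text, policy, overrides=None):
    """policy ('alert', 'block' or 'off') is the ruleset default; overrides is {sid: policy}."""
    overrides = overrides or {}
    out = []
    for line in ruleset_text.splitlines():
        r = parse_rule(line)
        if r is None:
            out.append(line)                 # comments and blank lines pass through
            continue
        p = overrides.get(r["sid"], policy)
        if p == "off":
            out.append("# " + line.strip().lstrip("# "))
            continue
        out.append(f'{ACTION_FOR[p]} {r["proto"]} {r["src"]} {r["sport"]} {r["dir"]} '
                   f'{r["dst"]} {r["dport"]} ({r["opts"]})')
    return "\n".join(out)


def summarize(ruleset_text):
    """Enabled rules per action, the figure the Rules overview shows per ruleset."""
    counts = {}
    for line in ruleset_text.splitlines():
        r = parse_rule(line)
        if r and r["enabled"]:
            counts[r["action"]] = counts.get(r["action"], 0) + 1
    return counts


RULES = """\
# constructed sample ruleset for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL web scanner user-agent"; content:"User-Agent|3a| Nikto"; nocase; http_header; classtype:web-application-attack; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL oversized DNS query; possible tunnel"; dsize:>512; classtype:policy-violation; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    print(apply_policy(RULES, "block", overrides={1000002: "alert", 1000003: "off"}))
```

Note that the quote-aware splitter matters: the third rule's msg contains a semicolon, which a naive split on ";" would turn into a bogus option.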

High availability

Endian UTM Appliance can be easily run in high availability (HA) mode. At least 2 Endian UTM Appliance machines are required for HA mode: one assumes the role of the active (master) firewall while the others are standby (slave) firewalls.

If the master firewall fails, an election between the slaves will take place and one of them will be promoted to the new master, providing for transparent failover.

Master setup

To set up such a HA configuration, first set up the firewall that is going to be the master:

  1. Execute the setup wizard, filling in all needed information.
  2. Log into the administration web interface, select Services from the menu bar at the top of the screen, then select High availability from the submenu on the left side of the screen.
  3. Set Enable High Availability to Yes and set High Availability side to Master.
  4. At this point an extra panel appears where the master-specific settings can be configured: The Management network is the special subnet to which all Endian Firewalls that are part of a HA setup must be connected via the GREEN interface. The default is 192.168.177.0/24. Unless this subnet is already used for other purposes there is no need to change this. The Master IP Address is the first IP address of the management network. Next, there are some fields that you can fill in if you wish to be notified by email if a failover event takes place. Finally, click on Save, then Apply to activate the settings.

Slave setup

Set up the firewall that is going to be the slave:

  1. Execute the setup wizard, including the network wizard, filling in all needed information. It is not necessary to configure services etc, since this information will be synchronized from the master. However, it is necessary to register the slave with Endian Network.
  2. Log into the administration web interface, select Services from the menu bar at the top of the screen, then select High availability from the submenu on the left side of the screen.
  3. Set Enable High Availability to Yes and set High Availability side to Slave.
  4. At this point an extra panel appears where the slave-specific settings can be configured: Choose the management network option according to the settings on the master: either GREEN zone or a dedicated network port. Fill in the Master IP address (CIDR) field: 192.168.177.1/24 unless you choose a non-standard management network address for the master. Fill in the Master root password (the slave needs this to synchronize its configuration from the master). Finally, click on Save, then Apply to activate the settings.

At this point the slave cannot be reached anymore via its old IP address (factory default or previous GREEN address) since it is in standby mode. It is connected to the master only through the management network.

If you log in to the master again, on the HA page you can see a list of connected slaves. If you click on the Go to Management GUI link you can open the slave’s administration web interface via the management network (routed via the master firewall).

Traffic Monitoring

Select Services from the menu bar at the top of the screen, then select Traffic Monitoring from the submenu on the left side of the screen.

Traffic monitoring is done by ntop and can be enabled or disabled by clicking on the main switch on this page. Once traffic monitoring is enabled a link to the monitoring administration interface appears in the lower section of the page. This administration interface is provided by ntop and includes detailed traffic statistics. ntop displays summaries as well as detailed information. The traffic can be analyzed by host, protocol, local network interface and many other types of information. For detailed information about the ntop administration interface please have a look at About, Online Documentation on the ntop administration interface itself or visit the ntop documentation page.

SNMP Server

New in version 2.3.

The Simple Network Management Protocol (SNMP) is used to monitor network-attached devices. Since version 2.3 Endian UTM Appliance features a built-in SNMP server. To access the SNMP Server settings you must select Services from the menu bar at the top of the screen, then select SNMP Server from the submenu on the left side of the screen.

To enable the SNMP Server, click on the service switch; a few options then appear. The Community String is the key an SNMP client needs to read the data. Treat it as a password: in community-based SNMP (v1/v2c) it is the only credential and travels unencrypted, so do not keep a common default such as “public”. The Location can be set to anything, but it should describe where your Endian UTM Appliance is installed. The SNMP Server also requires an email address, which represents the system contact. If you set up a global email address during the installation procedure and want to use it here, leave the checkbox as it is. To use a different address, tick the Override global notification email address checkbox and enter it into the System contact email address field. Finally click Save to apply the settings.

Quality of Service

New in version 2.3.

Select Services from the menu bar at the top of the screen, then select Quality of Service from the submenu on the left side of the screen.

The purpose of the Quality of Service and Bandwidth Management module is to prioritize the IP traffic that is going through your firewall depending on the service. Applications that typically need to be prioritized over bulk traffic like downloads are interactive services such as Secure Shell (SSH) or voice over IP (VoIP).

Devices

On this page you can see a list of all Quality of Service Devices that have been created. This list contains the following columns.

Target Device
the network interface used by this device
Upstream Bandwidth (kbit/s)
Here you must specify the actual upstream speed of your interface
Downstream Bandwidth (kbit/s)
Here you must specify the actual downstream speed of your interface

To configure a new device you must click on the Add Quality of Service Device link. You can edit, enable/disable or remove a device by clicking on the respective icon.

Classes

On this page you can see a list of all Quality of Service classes that have been created. The following information is displayed in the list.

Name
the name of the Quality of Service class
Device
the Quality of Service device for which the class should be created
Reserved
the percentage of the device’s bandwidth that is reserved for this class
Limit
The maximum percentage of bandwidth this class may use
Priority
The priority of the class

The created classes can be edited, moved and deleted by clicking on the respective icon. To add a new class just click on the Add Quality of Service Class link.

Note

Please note that the sum of reserved percentages can not be greater than 100 per device.

Rules

On this page you can see a list of the defined Quality of Service Rules and specify which type of traffic belongs to one of the classes you defined on the Classes page. To add a new Quality of Service rule click on the Add Quality of Service Rule link. The following must be specified:

Source
the traffic source. This can be an interface, an IP address or a MAC address.
Destination
the destination address or network
Protocol
whether the service to be prioritized is a TCP or UDP (or other) service (e.g. SSH is a TCP service)
Service
the port used in Protocol (e.g. SSH has port 22)
TOS/DSCP
the TOS or DSCP value you want to match
Traffic Class
the class to which the matching traffic should belong
Comment
a comment to help you remember the purpose of this rule
Enabled
if the checkbox is ticked this rule will be enabled

Click on Add/Change to save the settings and apply the new rule.

Please note that if there is more than one service in a Quality of Service class then all these services together will share the reserved bandwidth.
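The Devices, Classes and Rules pages together form one configuration, and the two notes above (reserved shares per device must not exceed 100 per cent; services in the same class share that class's bandwidth) are the checks worth running before applying it. The following is an added example written for this page, not Endian's code: a consistency check over the three structures, plus a per-class summary of the guaranteed and maximum upstream kbit/s and the services that share it. The kbit/s figures are derived here from the device bandwidth and the class percentages as an illustration, not the appliance's own accounting; all values are constructed.

```python
"""Consistency check for a QoS configuration of devices, classes and rules.
Added example, not Endian's code.  The structures are a simplification of the
three web forms; the kbit/s figures are an illustration derived from them."""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    up_kbit: int         # the real upstream speed of the interface
    down_kbit: int       # the real downstream speed


@dataclass
class QosClass:
    name: str
    device: str
    reserved: int        # guaranteed share in percent of the device
    limit: int           # maximum share in percent of the device
    priority: int


@dataclass
class Rule:
    source: str
    destination: str
    protocol: str        # tcp, udp, ...
    service: int         # port; 0 for protocols without ports
    traffic_class: str
    enabled: bool = True


def check_qos(devices, classes, rules):
    """Return the problems found; an empty list means the configuration is consistent."""
    problems = []
    dev = {d.name: d for d in devices}
    for d in devices:
        if d.up_kbit <= 0 or d.down_kbit <= 0:
            problems.append(f"device {d.name}: bandwidth must be the real link speed (> 0)")
    reserved_sum = {}
    for c in classes:
        if c.device not in dev:
            problems.append(f"class {c.name}: unknown device {c.device}")
        if not 0 <= c.reserved <= c.limit <= 100:
            problems.append(f"class {c.name}: need 0 <= reserved ({c.reserved}) <= limit ({c.limit}) <= 100")
        reserved_sum[c.device] = reserved_sum.get(c.device, 0) + c.reserved
    for name, total in reserved_sum.items():
        if total > 100:                      # the note on the Classes page
            problems.append(f"device {name}: reserved shares add up to {total}% (> 100%)")
    class_names = {c.name for c in classes}
    for r in rules:
        if r.traffic_class not in class_names:
            problems.append(f"rule {r.protocol}/{r.service} -> {r.destination}: unknown class {r.traffic_class}")
        if r.protocol in ("tcp", "udp") and not 1 <= r.service <= 65535:
            problems.append(f"rule for class {r.traffic_class}: {r.service} is not a valid {r.protocol} port")
    return problems


def class_bandwidth(devices, classes, rules):
    """Per class: (guaranteed kbit/s up, maximum kbit/s up, services sharing it)."""
    dev = {d.name: d for d in devices}
    out = {}
    for c in classes:
        if c.device in dev:
            up = dev[c.device].up_kbit
            shared = sorted(f"{r.protocol}/{r.service}" for r in rules
                            if r.enabled and r.traffic_class == c.name)
            out[c.name] = (up * c.reserved // 100, up * c.limit // 100, shared)
    return out


DEVICES = [Device("uplink", up_kbit=1024, down_kbit=8192)]       # constructed values
CLASSES = [
    QosClass("voip", "uplink", reserved=30, limit=100, priority=1),
    QosClass("interactive", "uplink", reserved=20, limit=50, priority=2),
    QosClass("bulk", "uplink", reserved=50, limit=100, priority=3),
]
RULES = [
    Rule("GREEN", "any", "udp", 5060, "voip"),
    Rule("GREEN", "any", "tcp", 22, "interactive"),
    Rule("GREEN", "any", "tcp", 3389, "interactive"),
    Rule("GREEN", "any", "tcp", 80, "bulk"),
]

if __name__ == "__main__":
    print(check_qos(DEVICES, CLASSES, RULES) or "configuration is consistent")
    for name, (guaranteed, maximum, services) in class_bandwidth(DEVICES, CLASSES, RULES).items():
        print(f"{name}: {guaranteed}-{maximum} kbit/s up, shared by {services}")
```

With the sample values the three classes reserve exactly 100 per cent of the uplink; adding a fourth class with any reserved share makes check_qos report the over-commitment, and the interactive class shows SSH and RDP sharing one guaranteed 204 kbit/s slice.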