The System Menu

Select System from the menu bar at the top of the screen.

The following links will appear in a submenu on the left side of the screen. They allow for basic administration and monitoring of your Endian UTM Appliance.

  • Dashboard - system and internet connection status overview
  • Network configuration - network and interface configuration
  • Event notifications - send a notification e-mail in case of emergency
  • Support - support request form
  • Endian Network - Endian Network registration information
  • Passwords - set system passwords
  • SSH access - enable/configure Secure Shell (SSH) access to your Endian UTM Appliance
  • GUI settings - such as interface language
  • Backup - backup/restore Endian UTM Appliance settings as well as reset to factory default
  • Shutdown - shutdown/reboot your Endian UTM Appliance
  • Credits - thanks to all contributors

Each link will be explained individually in the following sections.

Dashboard

New in version 2.3.

Select System from the menu bar at the top of the screen, then select Dashboard from the submenu on the left side of the screen.

This page displays an overview of the uplink connection(s) and general system health. It consists of five sections:

The first section has the name of your Endian UTM Appliance. Here you can see some information about your installation:

Appliance
Your Appliance type.
Version
The version of your appliance.
Deployset
The deployset of your appliance.
Uptime
The uptime of your appliance.
Update status
Shows the number of available updates.
Maintenance
Shows how long your maintenance is still valid.
Support access
Shows whether you have support access enabled.

Hardware information

In this second section you can see the load or usage of your hardware:

CPU x
Shows the load of your CPU. x represents the CPU number.
Memory
Shows how much of your memory is being used.
Swap
Shows how much of your swap space is being used. Consistently high values here usually mean the appliance is short of memory or that something is wrong.
Main disk
Shows the usage of your main disk. This is the root partition.
Boot disk
Shows the usage of your /boot partition.
Data disk
Shows the usage of your /var partition.
/dev/xxx
Shows the usage of an additional disk where xxx is the partition’s device name.

Services

In this section you can see information about the most important services installed on your Endian UTM Appliance. Each service provides statistics for the last hour as well as for the last 24 hours. Currently these are the supported services:

HTTP Proxy
In this subsection you can see the cache hits and misses of Squid.
SMTP Proxy
In this subsection you can see how many mails are currently in the Postfix queue, as well as how many mails Postfix received during the last hour or day, how many of them were clean, how many contained viruses and how many were blocked.
POP3 Proxy
In this subsection you can see the number of received, blocked and virus-containing mails that went through the POP3 Proxy.
Intrusion Detection
In this subsection you see how many attacks have been logged by Snort during the last hour and day.

Each subsection can be collapsed or expanded by clicking on the service name. If you find strange numbers in the statistics you can click on the Live log link of the respective service and the Live Log Viewer will pop up and show you what is going on right now.

Network Interfaces

This section is divided into two subsections. The first subsection lists all known network interfaces, their status and how much traffic is passing through them in real time. The checkboxes can be used to specify which interfaces should be shown in the second subsection.

The second subsection is made of two charts. The first chart shows the incoming traffic for each interface that has been selected in subsection one. The second chart shows the outgoing traffic. Both charts are updated in real-time.

Note

It is not possible to select more than six interfaces to be shown in the charts.

Network configuration

Select System from the menu bar at the top of the screen, then select Network configuration from the submenu on the left side of the screen.

Network and interface configuration is fast and easy with the wizard provided in this section. The wizard is divided into steps: you can navigate back and forth using the <<< and >>> buttons. You can freely navigate all steps and cancel your actions at any moment. Only in the last step will you be asked to confirm the new settings. If you confirm, the new settings are applied. This might take some time, during which the web interface might not respond.

Following is a detailed list of each wizard step.

Choose type of RED interface

When Endian UTM Appliance was installed, the trusted network interface (called the GREEN interface) has already been chosen and set up.

This screen allows you to choose the untrusted network interface (called the RED interface): the one that connects your Endian UTM Appliance to the “outside” (typically the uplink to your internet provider). Endian UTM Appliance supports the following types of RED interfaces:

ETHERNET STATIC
You want to operate an Ethernet adapter and you need to set up network information (IP address and netmask) manually. This is typically the case when you connect your RED interface to a simple router using an Ethernet crossover cable.
ETHERNET DHCP
You want to operate an Ethernet adapter that gets network information through DHCP. This is typically the case when you connect your RED interface to a cable modem/router or ADSL/ISDN router using an Ethernet crossover cable.
PPPoE
You want to operate an Ethernet adapter that is connected via an Ethernet crossover cable to an ADSL modem. Note that this option is only needed if your modem uses bridging mode and requires your firewall to use PPPoE to connect to your provider. Pay attention not to confuse this option with the ETHERNET STATIC or ETHERNET DHCP options used to connect to ADSL routers that handle the PPPoE themselves.
ADSL (USB, PCI)
You want to operate an ADSL modem (USB or PCI devices).
ISDN
You want to operate an ISDN adapter.
ANALOG/UMTS Modem
You want to operate an analog (dial-up) or UMTS (cell-phone) modem.
GATEWAY
Your Endian UTM Appliance has no RED interface. This is unusual since a firewall normally needs to have two interfaces at least - for some scenarios this does make sense though. One example would be if you want to use only a specific service of the firewall. Another, more sophisticated example is an Endian UTM Appliance whose BLUE zone is connected through a VPN to the GREEN interface of a second Endian UTM Appliance. The second firewall’s GREEN IP address can then be used as a backup uplink on the first firewall. If you choose this option, you will need to configure a default gateway later on.

Choose network zones

Endian UTM Appliance borrows IPCop’s idea of different zones. At this point you’ve already encountered the two most important zones:

GREEN
is the trusted network segment.
RED
is the untrusted network segment.

This step allows you to add one or two additional zones, provided you have enough interfaces. Available zones are:

ORANGE
is the demilitarized zone (DMZ). If you host servers, it is wise to connect them to a different network than your GREEN network. If an attacker manages to break into one of your servers, he or she is confined to the DMZ and cannot reach sensitive information on the machines in your GREEN zone.
BLUE
is the wireless zone (WLAN). You can attach a hotspot or WiFi access point to an interface assigned to this zone. Wireless networks are often not secure - so the purpose is to trap all wirelessly connected machines into their own zone without access to any other zone except RED (by default).

Note

One network interface is reserved for the GREEN zone. Another one may already be assigned to the RED zone if you have selected a RED interface type that requires a network card. This might limit your choices here to the point that you cannot choose an ORANGE or BLUE zone due to lack of additional network interfaces.

Network Preferences

This step allows you to configure the GREEN zone and any additional zone you might have set up in the previous step (ORANGE or BLUE).

Each zone is configured in its own section with the following options:

IP address
Specify one IP address (such as 192.168.0.1). Pay attention not to use addresses that are already in use in your network. You need to be particularly careful when configuring the interfaces in the GREEN zone to avoid locking yourself out of the web interface! If you change IP addresses of an Endian UTM Appliance in a production environment, you might need to adjust settings elsewhere, for example the HTTP proxy configuration in web browsers.
Network mask
Specify the CIDR / network mask from a selection of possible masks (such as /24 - 255.255.255.0). It is important to use the same mask for all devices on the same subnet.
Additional addresses
You can add additional IP addresses from different subnets to the interface here.
Interfaces
Map the interfaces to zones. Each interface can be mapped to only one zone and each zone must have at least one interface. However, you might assign more than one interface to a zone. In this case these interfaces are bridged together and act as if they were part of a switch.

All shown interfaces are labeled with their PCI identification number, the device description as returned by lspci and their MAC addresses. A symbol shows the current link status: a tickmark shows that the link is active, an X means there is no link and a question mark will tell you that the driver does not provide this information.

Note

Endian UTM Appliance internally handles all zones as bridges, regardless of the number of assigned interfaces. Therefore the Linux name of the interfaces is brX, not ethX.

Additionally, the system’s host and domain name can be set at the bottom of the screen.

You need to use IP addresses in different network segments for each interface, for example:

IP = 192.168.0.1, network mask = /24 - 255.255.255.0 for GREEN

IP = 192.168.10.1, network mask = /24 - 255.255.255.0 for ORANGE

IP = 10.0.0.1, network mask = /24 - 255.255.255.0 for BLUE

Note

It is suggested to follow RFC 1918 and use only IP addresses contained in the networks reserved for private use by the Internet Assigned Numbers Authority (IANA):

10.0.0.0 - 10.255.255.255 (10.0.0.0/8), 16,777,216 addresses

172.16.0.0 - 172.31.255.255 (172.16.0.0/12), 1,048,576 addresses

192.168.0.0 - 192.168.255.255 ( 192.168.0.0/16), 65,536 addresses

The first and the last IP address of a network segment are the network address and the broadcast address respectively and must not be assigned to any device.
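The rules above (one segment per zone, RFC 1918 addresses only, never the network or broadcast address) are easy to get wrong when several zones are typed into the wizard, and a mistake on GREEN locks you out of the web interface. The following is an added example, not code shipped with Endian UTM Appliance: it checks a planned zone layout offline before you apply it. The zone names and the mapping format (zone -> "address/prefix") are assumptions made for the example; the sample plan is the one shown on this page.

```python
import ipaddress

# The three RFC 1918 ranges listed on this page.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_zone_plan(zones):
    """Validate a zone addressing plan before entering it into the wizard.

    zones: mapping of zone name -> 'address/prefix' as it would be entered in
    the Network Preferences step, e.g. {'GREEN': '192.168.0.1/24'}
    (format is an assumption of this example).
    Returns a list of problems; an empty list means the plan is consistent.
    """
    problems = []
    networks = {}
    for zone, cidr in zones.items():
        try:
            iface = ipaddress.ip_interface(cidr)
        except ValueError as exc:
            problems.append(f"{zone}: {cidr!r} is not a valid address/prefix ({exc})")
            continue
        net = iface.network
        # First and last address of a segment are the network and broadcast
        # addresses and must not be assigned to a device. /31 and /32 have
        # no such reserved addresses, so the check is skipped for them.
        if net.prefixlen <= 30:
            if iface.ip == net.network_address:
                problems.append(f"{zone}: {iface.ip} is the network address of {net}")
            elif iface.ip == net.broadcast_address:
                problems.append(f"{zone}: {iface.ip} is the broadcast address of {net}")
        # RFC 1918 only defines IPv4 ranges; anything else is flagged.
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{zone}: {net} is not an RFC 1918 private network")
        networks[zone] = net
    # Each zone must be in its own segment: overlapping networks make
    # routing between the zones ambiguous.
    names = sorted(networks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                problems.append(f"{a} ({networks[a]}) overlaps {b} ({networks[b]})")
    return problems


if __name__ == "__main__":
    # Constructed plan, identical to the example given on this page.
    plan = {"GREEN": "192.168.0.1/24", "ORANGE": "192.168.10.1/24", "BLUE": "10.0.0.1/24"}
    for line in check_zone_plan(plan) or ["plan OK"]:
        print(line)
```

Run it with the addresses you intend to type into the wizard; fix every reported problem before clicking the final confirmation, since a wrong GREEN address can only be corrected from the console afterwards.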

Internet access preferences

This step allows you to configure the RED interface, that connects to the internet or any other untrusted network outside Endian UTM Appliance.

You will find different configuration options on this page, depending on the type of the RED interface you have chosen earlier. Some interface types require more configuration steps than others. Below is a description of the configuration for each type.

ETHERNET STATIC
You need to enter the IP address and network mask of the RED interface, as well as the IP address of your default gateway - that is, the IP address of the gateway that connects your Endian UTM Appliance to the internet or another untrusted network. Optionally, you can also specify the MTU (maximum transmission unit) and the Ethernet hardware address (MAC address) of the interface - usually this is not needed.
ETHERNET DHCP
You just need to specify whether you want DHCP to set the IP address of the DNS (domain name server) automatically or you want to set it manually.
PPPoE
You need to enter the username and password assigned to you by your provider, the authentication method (if you do not know whether PAP or CHAP applies, keep the default PAP or CHAP) and whether you want the IP address of the DNS (domain name server) to be assigned automatically or you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) and your provider’s service and concentrator name - usually this is not needed.
ADSL (USB, PCI)
There are 3 sub-screens for this choice. First you need to select the appropriate driver for your modem. Then you need to select the ADSL type: PPPoA, PPPoE, RFC 1483 static IP or RFC 1483 DHCP. Next, you need to provide some of the following settings (which fields are available depends on the ADSL type): the VPI/VCI numbers as well as the encapsulation type; the username and password assigned to you by your provider and the authentication method (if you don’t know whether PAP or CHAP applies, use the default PAP or CHAP); the IP address and network mask of the RED interface, as well as the IP address of your default gateway (RFC 1483 static IP only); whether you want the IP address of the DNS (domain name server) to be assigned automatically or you want to set it manually. Optionally, you can also specify the MTU size (maximum transmission unit) - usually this is not needed.
ISDN
You need to select your modem driver, phone numbers (your provider’s number and the number used to dial out), as well as the username and password that have been assigned to you by your provider and the authentication method (if you don’t know whether PAP or CHAP applies, use the default PAP or CHAP). Also specify whether you want the IP address of the DNS (domain name server) to be assigned automatically or you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) - usually this is not needed.
ANALOG/UMTS Modem

There are 2 sub-screens for this choice. First you need to specify the serial port your modem is connected to and whether it is a simple analog modem or a UMTS/HSDPA modem. Next you need to specify the modem’s bit-rate, the dial-up phone number (analog modems) or the access point name (UMTS modems), the username and password that have been assigned to you by your provider and the authentication method (if you don’t know whether PAP or CHAP applies, use the default PAP or CHAP). Also specify whether you want the IP address of the DNS (domain name server) to be assigned automatically or you want to set it manually. Optionally, you can also specify the MTU (maximum transmission unit) - usually this is not needed. Please read the note below for problems with modems.

Note

/dev/ttyS0 is normally used as the serial console and is therefore not available for modems.

Some modern UMTS modems are USB mass storage devices as well. These modems usually register two devices (e.g. /dev/ttyUSB0, /dev/ttyUSB1). In this case the second device is the modem. This type of modem can cause problems when restarting the firewall because the firewall tries to boot from the USB mass storage device.

SIM cards that require a personal identification number (PIN) are not supported by Endian UTM Appliance.

GATEWAY
You just need to specify the IP address of your default gateway - that is, the IP address of the gateway that connects your Endian UTM Appliance to the internet or another untrusted network.

Configure DNS resolver

This step allows you to define up to two addresses for DNS (domain name server), unless they are assigned automatically. Should only one nameserver be used it is necessary to enter the same IP address twice. The IP addresses that are entered must be accessible from this interface.

Configure default admin mail

This step lets you configure a global administrator email address that will be used by all modules that allow you to send emails.

There are three fields to configure:

Admin email address

The email address to which the emails should be sent.

Sender email address

The email address that should be used as the sender address.

Address of smarthost

Here you can specify the SMTP server through which the email should be sent.

Apply configuration

This last step asks you to confirm the new settings.

Click the OK, apply configuration button to go ahead. Once you have done this, the network wizard will write all configuration files to disk, reconfigure all necessary devices and restart all dependent services. This may take up to 20 seconds, during which you may not be able to connect to the administration interface and, for a short time, no connections through the firewall are possible.

The administration interface will then reload automatically. If you have changed the IP address of the GREEN zone’s interface, you will be redirected to the new IP address. In this case and/or if you have changed the hostname a new SSL certificate will be generated.

Event notifications

Select System from the menu bar at the top of the screen, then select Event notifications from the submenu on the left side of the screen.

Settings

On this page you can set the global notification options:

Email notifications

Here you can select how to use the notification system. Options are do not notify, in which case no notifications will be sent; notify using default email address, in which case emails will be sent using the default administrator email address (as specified in step 6 of System ‣ Network configuration); or notify using custom email address, in which case you will have to specify a Mail sender address, a Mail recipient address and the Mail smarthost you want to use.

You can Save your settings by clicking on the button below. After doing that do not forget to Apply them.

Events

On this page you can configure how to handle each of the events. A list of all events is shown.

The list contains three columns:

ID

In this column the event ID is shown.

Description

This column describes the event.

Actions

In this column you see what actions can be performed. All email notifications are enabled by default. If you want to disable email notifications for one event just click on the mail icon in that event’s row.

Here is how the IDs are generated:

1 22 3333 4
| |  |    +--> 4) severity 0-9        0: critical, 4,5: neutral, 9: good
| |  +-------> 3) event number        four digits, sequential
| +----------> 2) module number       two digits, sequential
+------------> 1) layer number        1 == kernel, 2 == system, 3 == services,
                                      4 == configlayer, 5 == gui
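Because the severity is encoded in the last digit (lower is worse), the ID alone tells you which notifications are worth keeping enabled. The following is an added example, not code from Endian UTM Appliance: it decodes an ID into its four fields and filters a list of IDs by severity. The sample IDs are constructed for the demonstration and do not correspond to real appliance events; labelling the undocumented severity values (1-3, 6-8) as "undocumented" is a choice made here, since the page only defines 0, 4, 5 and 9.

```python
# Constructed event IDs following the 1-2-4-1 digit layout above; they are
# not IDs taken from a real appliance.
SAMPLE_EVENT_IDS = ["12233334", "30100050", "20100019", "40210025"]

LAYERS = {1: "kernel", 2: "system", 3: "services", 4: "configlayer", 5: "gui"}

# Only these anchor points are documented for the severity digit; any other
# value is reported as "undocumented" (assumption of this example).
SEVERITY_LABELS = {0: "critical", 4: "neutral", 5: "neutral", 9: "good"}


def is_valid_event_id(event_id):
    """Exactly 8 decimal digits with a known layer number in front."""
    s = str(event_id)
    return len(s) == 8 and s.isdigit() and int(s[0]) in LAYERS


def decode_event_id(event_id):
    """Split an 8-digit event ID into layer (1 digit), module (2 digits),
    event number (4 digits) and severity (1 digit)."""
    s = str(event_id)
    if not is_valid_event_id(s):
        raise ValueError(f"not a valid event ID: {s!r}")
    severity = int(s[7])
    return {
        "id": s,
        "layer": int(s[0]),
        "layer_name": LAYERS[int(s[0])],
        "module": int(s[1:3]),
        "event": int(s[3:7]),
        "severity": severity,
        "severity_label": SEVERITY_LABELS.get(severity, "undocumented"),
    }


def events_worse_than(event_ids, threshold):
    """IDs whose severity digit is at or below threshold (0 is critical,
    9 is good), e.g. the events whose mail notification you would keep
    enabled while disabling the rest."""
    return [e for e in event_ids if decode_event_id(e)["severity"] <= threshold]


if __name__ == "__main__":
    for event_id in SAMPLE_EVENT_IDS:
        d = decode_event_id(event_id)
        print(f"{d['id']}: layer={d['layer_name']} module={d['module']} "
              f"event={d['event']} severity={d['severity']} ({d['severity_label']})")
    print("critical or worse than neutral:", events_worse_than(SAMPLE_EVENT_IDS, 3))
```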

To apply your changes you must click on the Apply button.

Support

Select System from the menu bar at the top of the screen, then select Support from the submenu on the left side of the screen.

A support request can be created directly from this screen. Fill in all necessary information and submit your request. A member of the Endian support team will contact you as soon as possible. Please provide a detailed problem description in order to help the support team to resolve the issue as quickly as possible.

Optionally, you can grant access to your firewall via SSH (secure shell). This is a secure, encrypted connection that allows support staff to log in to your Endian UTM Appliance to verify settings, etc. This option is disabled by default. When enabled, the support team’s public SSH key is copied to your system and access is granted via that key. Your root password is never disclosed in any way.

Endian Network

Select System from the menu bar at the top of the screen, then select Endian Network from the submenu on the left side of the screen.

Your Endian UTM Appliance can connect to Endian Network (EN). Endian Network allows for easy and centralized monitoring, managing and upgrading of all your Endian UTM Appliance systems with just a few clicks.

This screen contains three tabs.

The Subscriptions tab shows a summary of your Endian Network support status. The last section lists your activation keys. You need at least one valid activation key (not expired) to receive updates from and participate in Endian Network. There is a key for each support channel (typically just one). If the firewall has not yet been registered the registration form is shown.

The Remote Access tab allows you to specify whether your Endian UTM Appliance can be reached through Endian Network at all, and if so, through which protocol: HTTPS means the web interface can be reached through Endian Network and SSH means it is possible to log in via secure shell through Endian Network.

The Updates tab displays and controls the update status of your system. There are three sections.

Firstly, pressing the Check for new updates! button will access your support channels looking for new updates. If any updates are found they will be listed (updates are distributed as RPM packages). Pressing the Start update process NOW! button will install all updated packages.

Secondly - to save you some time - the system retrieves the update list automatically. You may choose the interval to be hourly, daily, weekly (the default) or monthly - do not forget to click on Save to save the settings.

Thirdly, by pressing Update signatures now you can update the ClamAV antivirus signatures. This works only if ClamAV is in use, for example in combination with the email or HTTP proxy.

Passwords

Select System from the menu bar at the top of the screen, then select Passwords from the submenu on the left side of the screen.

You can change one password at a time here. Specify each new password twice and press Save. The following users are available:

Admin
the user that can connect to the web interface for administration.
Root
the user that can login to the shell for administration. Logins can be made locally to the console, through the serial console or remotely via SSH (secure shell) if it has been activated.
Dial
the Endian UTM Appliance client user.

SSH access

Select System from the menu bar at the top of the screen, then select SSH access from the submenu on the left side of the screen.

This screen allows you to enable remote SSH (secure shell) access to your Endian UTM Appliance. This is disabled by default, which is the recommended setting. Note that SSH access is always on when one of the following is true, regardless of the setting here:

  • Endian support team access is allowed in System, Support.
  • SSH access is enabled in System, Endian Network, Remote Access.
  • High availability is enabled in Services, High Availability.

Some SSH options can be set:

SSH protocol version 1
This is only needed for old SSH clients that do not support newer versions of the SSH protocol. This is strongly discouraged since there are known vulnerabilities in SSH protocol version 1. You should rather upgrade your SSH clients to version 2, if possible.
TCP forwarding
Check this if you need to tunnel other protocols through SSH. See the note below for a use case example.
password authentication
Permit logins through password authentication.
public key authentication
Permit logins through public keys. The public keys must be added to /root/.ssh/authorized_keys.

Finally there is a section detailing the public SSH keys of this Endian UTM Appliance that have been generated during the first boot process.

Assume you have a service such as telnet (or any other service that can be tunneled through SSH) on a computer inside your GREEN zone, say port 23 on host 10.0.0.20. This is how you can set up an SSH tunnel through your Endian UTM Appliance to access the service securely from outside your LAN.

  1. Enable SSH and make sure it can be accessed (see Firewall, System access).
  2. From an external system connect to your Endian UTM Appliance using ssh -N -f -L 12345:10.0.0.20:23 root@endian_firewall where -N tells SSH not to execute commands, but just to forward traffic, -f runs SSH in the background and -L 12345:10.0.0.20:23 maps the external system’s port 12345 to port 23 on 10.0.0.20 as it can be seen from your Endian UTM Appliance.
  3. The SSH tunnel from port 12345 of the external system to port 23 on host 10.0.0.20 is now established. In this example you can now telnet to port 12345 on localhost to reach 10.0.0.20.

GUI settings

Select System from the menu bar at the top of the screen, then select GUI settings from the submenu on the left side of the screen. In the community release it is also possible to click on the Help translating this project link which will open the Endian UTM Appliance translation page. Any help is appreciated.

Two options regarding the web interface can be set in this screen: whether to display the hostname in the browser window title and the language of the web interface (English, German and Italian are currently supported).

Backup

Select System from the menu bar at the top of the screen, then select Backup from the submenu on the left side of the screen.

In this section you can create backups of your Endian UTM Appliance configuration and restore the system to one of these backups when needed. Backups can be saved locally on the Endian UTM Appliance host, to a USB stick or downloaded to your computer. It is also possible to reset the configuration to factory defaults and to create fully automated backups.

Backup sets

By clicking on the Create new Backup button a dialog opens up where you can configure the new system snapshot:

configuration
includes all configurations and settings you have made, that is the content of the directory /var/efw.
database dumps
includes a database dump, which for example includes hotspot accounting information.
log files
includes the current log files
log archives
includes older log files, backups with this option checked will get very big after some time
remark
an additional comment can be added here

Click on the Create new Backup button again to go ahead and create the backup.

Following is the list of available backups (initially empty): you can choose to download them, delete them or restore them by clicking on the appropriate icon in this list. Each backup is annotated with zero or more of the following flags:

S
Settings. The backup contains your configurations and settings.
D
Database. The backup contains a database dump.
E
Encrypted. The backup file is encrypted.
L
Log files. The backup contains log files.
A
Archive. The backup contains older log files.
!
Error! The backup file is corrupt.
C
Created automatically. The backup has been created automatically by a scheduled backup job.
U
This backup has been saved to a USB stick.

Encrypt backup

You can provide a GPG public key that will be used to encrypt all backups. Select your public key by clicking on the Browse button and then choosing the key file from your local file system. Make sure Encrypt backup archives is checked. Confirm and upload the key file by clicking Save.

Import Backup files

You can upload a previously downloaded backup. Select your backup by clicking on the Browse button and then choosing the backup file from your local file system. Fill in the Remark field in order to name the backup and upload it by clicking Save. It is not possible to import encrypted backups. You must decrypt such backups before uploading them.

The backup appears in the backup list above. You can now choose to restore it by clicking on the restore icon.

Reset to factory defaults

Clicking the Factory defaults button allows you to reset the configuration of your Endian UTM Appliance to factory defaults and reboot the system immediately after. A backup of the old settings is saved automatically.

Scheduled backups

Select the Scheduled backups tab if you wish to enable and configure automated backups.

First, enable and configure automatic backups. You can choose what should be part of the backup: the configuration, database dumps, log files and old log files as seen in the Backup Sets section. You can also choose how many backups you want to keep (2-10) and the interval between backups (hourly, daily, weekly or monthly). When you’re done click the Save button.

Next, you can tell the system whether or not you want backups emailed to you. If you wish to receive backups by email you can enable this feature and select the email address of the recipient. You can then Save the settings. There is also a Send a backup now button that will save the settings and try to send an email with the backup immediately, so you can test the system. Optionally you can also provide a sender email address (this must be done if your domain or hostname are not resolvable by your DNS) and the address of a smarthost to be used (in case you want all outgoing email to go through your company's SMTP server, rather than be sent directly by your Endian UTM Appliance). If the SMTP proxy is disabled it is absolutely necessary to add a smarthost to be able to send emails.

Shutdown

Select System from the menu bar at the top of the screen, then select Shutdown from the submenu on the left side of the screen.

In this screen you can shutdown or reboot your Endian UTM Appliance by clicking the Shutdown or the Reboot button respectively.

Credits

Select System from the menu bar at the top of the screen, then select Credits from the submenu on the left side of the screen.

This screen displays the list of people that brought Endian UTM Appliance to you.