FAQs

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search

General

This section answers general questions about Untangle NG Firewall and how it works.


What is Untangle NG Firewall?

Untangle Next Generation (NG) Firewall is a platform for deploying network based applications. The platform unites these applications around a common GUI, database and reporting. NG Firewall's applications inspect network traffic simultaneously, which greatly reduces the resource requirements of each individual application. The NG Firewall platform currently supports many open source applications and commercial add-ons.


Is NG Firewall for home or business use?

Untangle is great for businesses and small home office networks. Untangle requires its own dedicated computer so it may not be a good fit for home where an extra computer is not available - it cannot be run on the same computer it is protecting.


Is NG Firewall hardware or software?

Untangle NG Firewall is software that can be installed on standard Intel-compatible hardware, or you can purchase a hardware appliance directly from Untangle with the software pre-installed. The minimum hardware requirements can be found here, and many Untangle partners offer pre-built systems.

Where does NG Firewall sit on the network?

NG Firewall should sit at or directly behind the network gateway in between your network and the Internet. Please see our installation guide for examples of where Untangle should be placed in your network.


Does NG Firewall use open source software?

Yes, NG Firewall uses several open source projects. We seek to offer the best technology in each of our apps whether or not that requires writing proprietary code, working with existing open source projects to combine the best features from multiple projects, adding missing features or simply optimizing them for the NG Firewall platform. The Untangle NG Firewall platform itself is a proprietary technology that was developed internally.

Who owns my network data? Is it private?

You own 100% of your network data. Untangle does not have access to your NG Firewall or your network unless you explicitly authorize us by turning on remote support access in Config > System > Support. Your data is 100% private.


Technical

My separate internal networks can reach each other. Why?

  • By default, all NG Firewall interfaces can talk to each other. This is because, by default, NAT (Network Address Translation) is performed on traffic leaving the WANs only (not traffic between LANs). If you want them to be separate follow the documentation nat documentation.


How secure is NG Firewall by default?

NG Firewall has no open ports by default on WAN interfaces, and has HTTP and HTTPS open by default on non-WAN interfaces. If any ports are showing up as open from the outside, you've either set up a port forward for them or you've enabled HTTPS administration on WANs or NG Firewall is somehow misconfigured.


Does NG Firewall support VLANs?

Yes.

NG Firewall support both tagged (802.1q) VLANs and untagged VLANs.

Untagged VLANs are just separate networks on the same interfaces and can be handled by

  • Adding an alias to the appropriate interfaces (ie 192.168.15.1/24 to the Internal Aliases), effectively telling Untangle that this network range is local on this interface.
  • Adding a route so traffic for that subnet is routed appropriately (ie 192.168.15.1/24 is routed to "local on Internal (eth1)"

Tagged VLANs are handled by creating a separate VLAN interface in Config > Network. All traffic received on the configured Parent interface with the configured VLAN tag will be perceived to come from the VLAN interface. All traffic sent to the configured VLAN interface will actually be sent on the Parent interface with the configured VLAN tag.

See Network_Configuration#VLANs for more information.


Can I put a WiFi card in my NG Firewall?

Currently some wireless cards are supported. Unlike regular NICs, wireless support is much more problematic and complicated. If wireless is a priority we suggest looking at one of our appliances that comes with wireless support. If you want to build your own wireless server, be prepared for some research and trial and error to find a working setup. There is more information here: 11.1_Changelog#Wireless_Support.


How can I add a guest or private WiFi/WAP network to my NG Firewall?

You will need to disable DHCP on the wireless Access Point, give it an IP in the subnet of NG Firewall's interface you're plugging it into, and use a LAN port rather than a WAN/Uplink port on the AP, or disable NAT.

To add WiFi to your existing network, just plug the AP into a switch somewhere on the network. Please note if you have a combination WiFi AP/modem that NG Firewall sits behind, wireless traffic may bypass the NG Firewall and not be filtered. WiFi APs must be downstream of NG Firewall.

If you're looking for a guest WiFi network walled off from your private network, the easiest way is to plug the wireless AP into its own interface.


Does NG Firewall have high availability options or support automatic hardware failover?

As of version 10.1 NG Firewall supports High Availability through the use of VRRP. More information on VRRP configuration can be found here: Network Configuration - VRRP


Licensing and Subscriptions

This section has answers to questions relating to purchasing, licensing and subscriptions to Untangle.


How does NG Firewall licensing work?

NG Firewall licensing is done individually for each deployed NG Firewall server. One license cannot be shared across multiple NG Firewall servers. The pricing band is determined by the number of devices that are behind the Untangle server. Our current pricing model allows the purchase of a monthly, 1-year, 3-year or 5-year subscription.


How do I determine the correct pricing band?

NG Firewall products and services are priced by bands for different sized companies and networks. The appropriate band can be calculated by counting the number of unique devices behind NG Firewall on any given day. More explicitly, it is the number of unique IP addresses on any non-WAN (local) interface including VPN users seen from midnight to midnight the next day that have initiated a scanned TCP session to the internet. If the number of unique IPs is below the upper bound of the subscription band for that server it is fully compliant.

Note: Bypassed devices are not counted. Bypass Rules can be added for devices that do not need Untangle scanning and services (printers etc) but still require internet access.


What happens if the number of devices on my network temporarily exceeds my licensed number of devices?

For any device over the upper limit of the license count, their traffic will not be scanned by the paid applications. They will still be online and have full connectivity but will not receive the benefits of the paid application.


How can I see how many devices are currently on my network?

In Config > About, the Current active device count shows the number of active devices currently on the network. Highest active device count since reboot shows the highest number of licensed devices that have been on the network since reboot.

An Alert will be shown if the your license is currently being exceeded. Remember, bypassed devices are not counted so you can manage your device count with Bypass Rules.

At the top of the rack the number of currently knows hosts is shown above "Hosts." Clicking on this number or selecting "Show Hosts" in the drop down menu at the top of the rack will show the list of currently known devices. However, not all known devices are counted against licenses. If you use a drop down in one of the columns at the top and display the "Active" column you can see which hosts are counted as active. Only active hosts are the only hosts counted towards the license limit.


How do I purchase Untangle NG Firewall software?

Currently there are two ways to make a purchase of NG Firewall software:

An off-GUI purchase is when you purchase a subscription directly from Untangle's store without being logged into an Untangle server. An off-GUI purchase results in a voucher you can redeem at any time, but keep in mind that until you redeem the voucher you don't have access to the purchased features. Additionally, it's important to note that your subscription expiration count-down starts from the day you purchase your subscription not the date you redeem the voucher.

An on-GUI purchase is when you purchase from your NG Firewall Server directly. If you purchase via the on-GUI method, the store and the server should talk to each other and the server will automatically download the software you've purchased. We recommend that you use Firefox or Chrome when doing this process because some browsers (e.g. Internet Explorer) won't allow the store and the server to communicate, which causes the process to fail.

If you have any problems with either of these two ways to purchase, please contact support at 866.233.2296 option 2 or open a case at Untangle Support.


What happens if I stop paying Untangle for my subscription(s)?

If you stop paying for your subscriptions any paid applications will stop working when your subscription ends. You will no longer be able to use anything but the applications in the Lite Package and will see No License Found on the faceplate of any paid applications. It's very easy to get your account back working again by contacting our sales department to renew your subscription and all of your previous settings will return.


What's a UID?

Refer to the knowledge base https://support.untangle.com/hc/en-us/articles/201710527

What's a voucher and voucher key?

A voucher is a "gift certificate" for a specific NG Firewall package or individual application. A voucher key is a unique alphanumeric code that you redeem to apply a subscription for NG Firewall.

When do I use a voucher?

A voucher provides you a way to delay activation of your subscription. If you are an Untangle Partner, It's efficient to purchase a set of vouchers using one transaction, and redeem the vouchers as you deploy NG Firewalls. If you do not intend to install the NG Firewall yourself, you can simplify the installation process by sending the voucher to your customer.

Can a voucher expire?

Yes, if you do not redeem a voucher within 180 days, it converts automatically to a subscription.

How do I redeem a voucher?

See Redeeming a voucher.

Can I try NG Firewall or Applications before purchase?

Yes! We provide a suite of applications free of charge; all of our paid applications have a fully functional 14-day free trial available. During the trial period the faceplate of any trial mode applications will show xx Days Remaining, this will switch over to Free Trial Expired once the trial period has ended. If you want to purchase an expired application it will retain your settings as long as you don't remove it from the rack.


Do my other applications still work after my trials expire?

Yes. All free applications in the Lite Package will never expire.


I just purchased a product, however it is still reporting as a trial version?

From your NG Firewall, click My Account on the lower left hand side of the web GUI and log into the store. Click My Subscriptions, then select your product(s) and click Reinstall. You'll need to do this either from the actual NG Firewall box or through the network using Firefox or Chrome, Internet Explorer can have issues with this process.


How do I renew my subscription(s)?

Refer to the knowledge base at https://support.untangle.com/hc/en-us/articles/115012351228-How-to-renew-a-subscription

How do I unsubscribe or cancel my subscription(s)?

You can turn off auto renewal by logging into your store account, clicking My Subscriptions, then modifying the Auto Renew field.


Why is my renewal date not changing after I renewed my subscription?

If your subscription is enabled for renewal but the renewal date still shows the same date as before, don't worry - because we don't charge your account for the subscription renewal until the renewal date, the renewal date will not change until that charge takes place. For example, say you enabled a subscription for renewal with a renewal date of November 11, 2010. On November 11 we will charge your account for the cost of the renewal and update your renewal date to November 11, 2011. If your subscription does not appear when you click Renewals in your store account it is already enabled for renewal.


I reinstalled my Untangle NG Firewall Server, why can't I reinstall my paid subscriptions?

Each NG Firewall has a UID, or Unique Identifier that is set during the install and never changed. If you reinstall your NG Firewall it will have a new UID and you'll need to transfer the subscription to the new UID to be able to download your subscription. Instructions on subscription transfer are below.


How can I transfer my subscription?

Video for this process is available here.

IMPORTANT: Before transferring the subscription, be sure to download any backups from your store account at My Subscriptions > View Backups - once the transfer has been made you will no longer be able to access the backups of the old UID.

Steps to transfer the license to the new server.
1. Login to the store with the store account.
2. On the top menu, click Subscriptions.

Remove Subscriptions
Remove Subscriptions

3. Click the Name/UID link for the subscription you want to transfer.
4. This will remove the subscription from the appliance. Click Remove to confirm. Once removed, the subscription becomes a voucher available for use on another NG Firewall UID.
5. To add the license to another NG Firewall UID, click the unassigned link on the Subscriptions tab.

Click Unassigned
Click Unassigned

6. Select a device from the list to transfer the subscriptions to and click Add.

Add Subscription
Add Subscription



Networking

This section has answers to common networking questions. You'll want to take a look at our User Guide and Network Configuration for more information on general network settings.


If I am using NAT, how can I provide access to a web server on the internal network?

  1. If the web server is using DHCP, it should be assigned a static address or a static DHCP lease.
  2. Create a port forward rule for all incoming traffic on port 80 to your web server as discussed in Port Forward Rules.

Why can only some of my subnets access the Internet?

NG Firewall needs to know about the other subnets in order to correctly route traffic to them; this can be done in several ways:

  • Give NG Firewall an alias on each subnet at Config > Networking for that interface. Make sure to use a reall, unused IP, not x.x.x.0.
  • Alternatively, if your subnets are close (e.g. 192.168.1.x, 192.168.2.x) you can expand NG Firewall's netmask on that interface.

If your other subnets are behind a different internal router, you'll probably need to add routes pointing the subnets to that router.

Read Network_Configuration and Installation for more information.


Does Untangle support dual WAN or WAN failover?

Yes! For information on Multi-WAN, see WAN Balancer for Load Balancing and WAN Failover for failover.


Can I use OpenDNS with NG Firewall?

We've seen a lot of confusion regarding OpenDNS - many of our customers want to use OpenDNS as a "second layer of protection." While this is all well and good, most of the time we see people putting OpenDNS's servers on NG Firewall's External interface, which isn't the right way of going about it. We always recommend using your ISP's DNS servers on any WAN interfaces of NG Firewall. We do not recommend using OpenDNS, public, or internal DNS servers as they can hamper the effectiveness of Spam Blocker and sometimes the performance of Web Filter.

If you want to use OpenDNS with NG Firewall, you should hand out OpenDNS as the DNS servers for the end users only. To do this, set the OpenDNS DNS server as the "DNS Override setting in your DHCP settings on your internal interface(s).

This way, NG Firewall will hand out OpenDNS to the clients it gives DHCP addresses. If you're running your own DHCP server, you'll need to figure out how to make the change for your particular server software.


Updates

These FAQs explain how updates are performed.

How do I check for updates? Is this automatic?

NG Firewall automatically performs and installs definition updates for all applications; you can modify the platform updates settings at Config > Updates > Update Settings. If you turn Automatic Updates off, you will still receive definition updates, however platform updates will not automatically be applied.


How do I know if updates are available for download?

The Config > Upgrades button will light up when upgrades are available, just click it and follow the prompts to upgrade.

VoIP

These FAQs explain how NG Firewall handles VoIP traffic.


How does NG Firewall handle VoIP traffic?

Most VoIP traffic is automatically bypassed from scanning by default because it is sensitive to latency. It is recommended to manually add bypass rules for non-standard VoIP installations.


After installing NG Firewall, my VoIP doesn't work. Why?

Verify your VoIP devices are set to do NAT Traversal themselves - if they are not, you can try enabling the SIP Helper at Config > Networking > Advanced > General.