NG Firewall Installation: Difference between revisions

From Edge Threat Management Wiki - Arista
(22 intermediate revisions by 4 users not shown)


Hello and thanks for your interest in NG Firewall!


This guide will be a quick primer on getting your NG Firewall installed, up and running. Hopefully it will also answer some common configuration questions without causing too much confusion. If you already have NG Firewall in your network you can skip to any relevant section and read from there. If you're new to NG Firewall, we recommend reading this section in its entirety to help familiarize yourself with the software and how it works - it will probably save you a headache or two later on.




== What is NG Firewall? ==


NG Firewall is [http://en.wikipedia.org/wiki/Next-Generation_Firewall NGFW]/[http://en.wikipedia.org/wiki/Unified_threat_management UTM] software, bringing together everything your network needs to stay healthy on one box: web content and spam filtering, virus scanning, VPN connectivity, multi-WAN failover capability and much more. We strive to make deployment and administration easy, with a friendly web-based GUI to help you monitor and filter traffic on your network. NG Firewall provides a suite of applications free of charge with the option of subscribing to additional applications as best suits your organization - our [http://www.untangle.com website] has a full list of [http://www.untangle.com/untangle/features/ features]. If you have additional questions the [http://wiki.untangle.com/ wiki] and [http://forums.untangle.com/ forums] are always open, plus [http://support.untangle.com/ support] is just a ticket away. Current pricing for paid applications, packages and appliances can be found in the [http://www.untangle.com/store/ store].


== Deploying NG Firewall ==


NG Firewall is available in the following deployment options:


*'''Cloud Appliance''': A virtual appliance available for Amazon Web Services or Microsoft Azure. Learn more about the AWS and Azure public cloud appliances [https://www.untangle.com/untangle-ng-firewall/public-cloud/ here].
*'''Virtual Appliance''': A virtual appliance optimized for VMware deployments in private cloud infrastructure. You can download the virtual and software appliances from [https://www.untangle.com/cmd/download/ng-firewall ETM Dashboard]. The virtual appliance is available as an OVA formatted file. See [[NG Firewall Virtual Appliance on VMware]] for installation details.
*'''Hardware Appliance''': An Arista Edge Threat Management network appliance with NG Firewall preinstalled. Learn more about the zSeries appliances [https://www.untangle.com/untangle-ng-firewall/appliances/ here].
*'''Software Appliance''': An installable version of NG Firewall for most x86 based devices. The software appliance is available as an ISO formatted file that you can image to a USB drive. See [https://support.untangle.com/hc/en-us/articles/216599867-Creating-a-bootable-USB-installer-of-NG-Firewall Creating a bootable USB installer] for imaging instructions.


== Installing the NG Firewall Software Appliance ==
The software appliance method installs to the primary storage of a device, '''erasing all data on that drive in the process'''. Please be aware of this before starting the installation. Also note that NG Firewall '''requires''' at least two [http://en.wikipedia.org/wiki/Network_interface_controller NICs] to be installed '''before''' you start the installation.


Most users install NG Firewall on the server before the server is placed in-line on their network. To do this, plug one interface of your NG Firewall into your network as you would any other computer, then start the installer. This ensures that NG Firewall will have access to the internet during installation.


Power down the server, insert the ISO or USB installer, and power on the server. Make sure the boot options are set to boot from the inserted CD or USB media. Once the installation has started, follow the directions on the screen to complete the installation process.


During the installation, you may need to answer a few questions, for example to confirm writing to the storage device. If you encounter issues while installing NG Firewall onto your server, read the [[Troubleshooting Server Installation]].


== UEFI Installation ==
As of release 16.0, NG Firewall can be installed via BIOS or UEFI. When booting via CD or USB, the installer automatically detects whether it was booted via BIOS or UEFI and tweaks the install process accordingly. To tell whether the installer was booted via BIOS or UEFI, check the installer's menu title. When booted via BIOS, the installer menu title will be "NG Firewall installer boot menu". When booted via UEFI, the installer menu title will be "NG Firewall UEFI Installer".


== Serial Console Installation ==
 
As of version 16.5 you can install and manage NG Firewall via a serial console port. This is useful if your device does not have video output and supports serial management.  
This method uses a dedicated ISO installer that you must [https://www.untangle.com/cmd/download/ng-firewall download]. Your system must be configured to use '''S0''' as the serial interface and a baud rate of '''1115200'''.
 


----
== Common Post-Setup-Wizard Configuration ==


At this point NG Firewall has the basic configuration that will work for most networks. However, some networks require more configuration.


=== Account Registration ===


NG Firewall will prompt you to sign in or register a new account in ETM Dashboard. Registration is required to install any applications and takes only a second.  


Registration has the following benefits:
* Install free or paid applications on your NG Firewall.  
* Manage your licenses, renewals, servers and contact info all from one dashboard.
* Easily transfer licenses between servers.
If you signed in with an existing account, the system will check for any unused subscriptions in your account and ask if you would like to apply them to this system.  


Once you have completed the process, continue with the steps below. Your account can always be accessed by visiting https://edge.arista.com or clicking ''My Account'' in the lower left hand corner of the UI.


=== Configure Other Subnets ===


NG Firewall will route all traffic according to its routing table, even when installed as a ''Transparent Bridge''. This means NG Firewall must have the proper routing table for all subnets on your network.


If you have other subnets on the network aside from those configured in the Setup Wizard you will need to configure NG Firewall to know about these networks. For example, if you are running as a bridge with NG Firewall having an address 192.168.1.2 with a netmask 255.255.255.0 but you also have a 192.168.20.* network and also a 10.0.*.* network you will need to tell NG Firewall where to reach these hosts.


There are several ways to do this:


* Add a route in [[Config]] > [[Network]] > [[Routes]] telling NG Firewall how to reach those subnets. If 10.0.*.* is local on Internal then you simply need to create a 10.0.0.0/16 route to "Local on Internal." If 10.0.*.* lives behind another router on your network, such as 192.168.1.100, then you will need to add a route to send all 10.0.0.0/16 traffic to 192.168.1.100.
* Add an alias on the appropriate interface. In Config > Network > Interface click edit on the appropriate interface and add an alias IP. This effectively tells NG Firewall that this IP range is local and can be reached locally on that interface. It also provides NG Firewall a local address on those subnets should any of those clients need to reach NG Firewall using a local IP.


Each subnet on your network will need to be configured so NG Firewall knows how to reach them. The "Ping Test" in [[Config]] > [[Network]] > [[Troubleshooting]] can be used to verify that NG Firewall can reach the configured subnets.


More in depth information about how the network is configured is found in [[Network Configuration]].
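As an added, standalone illustration (not NG Firewall's own code) of why a bridge-mode deployment still needs a route or alias for every subnet, the Python below resolves destinations against a constructed route table built from the addresses in this section and flags any subnet whose traffic would otherwise fall through to the WAN default route. The 192.168.1.1 default gateway and the 172.16.5.0/24 subnet are assumed values, not from the wiki.

```python
"""
Longest-prefix route resolution, illustrating the routing decisions described
in "Configure Other Subnets".  Standalone example code; the route table is
constructed from the addresses used in that section plus assumed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str                  # interface the traffic leaves on
    gateway: Optional[str] = None   # None means "Local on <interface>"


def resolve(dst: str, routes: List[Route]) -> Optional[Route]:
    """Pick the most specific route (longest prefix) containing dst."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def unreached_subnets(subnets: List[str], routes: List[Route], wan: str) -> List[str]:
    """Return subnets that would be sent toward the WAN instead of locally.

    A subnet in this list has neither a route nor an interface alias, so
    packets for it fall through to the default route and leave on the WAN.
    """
    bad = []
    for s in subnets:
        net = ipaddress.IPv4Network(s)
        r = resolve(str(net.network_address + 1), routes)
        if r is None or r.interface == wan:
            bad.append(s)
    return bad


# Constructed route table: bridge address 192.168.1.2/24 on Internal,
# default route out External via an assumed gateway of 192.168.1.1.
ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "External", "192.168.1.1"),
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "Internal"),              # from the bridge address
    Route(ipaddress.IPv4Network("10.0.0.0/16"), "Internal", "192.168.1.100"),  # behind another router
    Route(ipaddress.IPv4Network("192.168.20.0/24"), "Internal"),             # alias: local on Internal
]

# Subnets the administrator knows exist; 172.16.5.0/24 is an assumed extra one.
LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.20.0/24", "10.0.0.0/16", "172.16.5.0/24"]


def describe(dst: str, routes: List[Route] = ROUTES) -> str:
    """Human-readable routing decision for one destination address."""
    r = resolve(dst, routes)
    if r is None:
        return f"{dst}: no route"
    via = f"via {r.gateway}" if r.gateway else "local"
    return f"{dst}: {via} on {r.interface}"


if __name__ == "__main__":
    for dst in ("10.0.5.7", "192.168.20.9", "192.168.1.50", "8.8.8.8"):
        print(describe(dst))
    print("subnets still needing a route or alias:",
          unreached_subnets(LOCAL_SUBNETS, ROUTES, wan="External"))
```

The flagged subnet is exactly the kind the "Ping Test" in Config > Network > Troubleshooting would fail to reach until a route or alias is added.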


=== Configure Other Interfaces ===
: If you have servers with public addresses you can put them on the additional interface(s) and bridge those interfaces to your WAN. Then configure them with IPs on the same subnet as the WAN interface.
; Additional NICs for existing networks
: If you want additional NICs for your Internal (for example) you can bridge the 3rd interface to your Internal and plug additional internal machines into that NIC. This behaves similarly to a switch, but traffic going through the NG Firewall to reach other internal hosts is scanned by the apps.
; Configuring a WiFi interface
: If your hardware platform includes a supported WiFi adapter, you can configure your WiFi interface. Be sure to select the appropriate Regulatory Country option for your country.


More in depth information about how the network is configured is found in [[Network Configuration]].


=== Email ===


Some NG Firewall applications and functions rely on sending email, such as reports and spam quarantine digests. Email sending is configured in [[Config]] > [[Email]]. By default email will be sent directly using DNS MX records, like a mail server. However, some ISPs and networks block port 25 to prevent spam, and in this case you must configure an SMTP relay (and the appropriate authentication credentials if required).


=== Hostname ===


You can configure the hostname (and domain) for the NG Firewall server in [[Config]] > [[Network]] > [[Hostname]].


=== Port Forward Rules ===


If NG Firewall is installed as a router and you have internal servers with services that need to be publicly accessible, you need to configure port forward rules to forward that traffic to the appropriate server. You can configure port forward rules in [[Config]] > [[Network]] > [[Port Forward Rules]].


=== Bypass Rules ===


Unlike many next-generation firewalls, NG Firewall scans ''All'' TCP and UDP traffic on all ports at the application layer by default, except for VoIP traffic. This is ideal for most deployments but if you are running a very large (1000s of users) network it probably makes sense to bypass traffic that you are not interested in scanning. Traffic can be bypassed in [[Config]] > [[Network]] > [[Bypass Rules]]. More is described in the [[Network]] documentation.


=== Public Address ===


If you use OpenVPN or quarantine or other publicly accessible services on NG Firewall, you may wish to configure the "public address" of NG Firewall so that it sends the appropriate URL to remote users. Public Address can be configured in [[Config]] > [[Administration]] > [[Administration#Public Address|Public Address]].


=== External Administration ===


If you'd like to be able to administer NG Firewall via HTTPS remotely you will need to enable HTTPS access on WAN interfaces in the [[Filter Rules#Input Filter Rules]].


== Installing NG Firewall on the Network ==


At this point NG Firewall should be ready to drop into the network if it is not already in place.


If NG Firewall is configured in bridge mode an easy way to test is to install it with only one or a few computers behind it - plug the External interface into your network then plug a switch with a few computers into the Internal interface so they must go through NG Firewall. Only those computers will be filtered, allowing you to test without disturbing the rest of your network.


If you are running as a ''Transparent Bridge'' verify that NG Firewall is not plugged in backwards by unplugging the network cables one at a time and looking at the green lights in Config > Network > Interfaces. If NG Firewall is configured as a bridge and plugged in backwards it will pass traffic but some functionality will not work correctly. NG Firewall also provides [[Administrative Alerts]] which will bring this to your attention so you can fix it.


* NG Firewall is designed to drop in to your network with minimum disruption. When testing we recommend putting the system in place, keeping most defaults unless you're having problems. This way you can get a feel for how it works before making possibly major changes that may affect system operation.


== Using NG Firewall ==


The next step is installing the applications and configuring NG Firewall to meet your needs. The [[User Guide]] provides in depth documentation of the various functions of NG Firewall and the applications.


Welcome to NG Firewall! ʘ‿ʘ

Latest revision as of 20:54, 20 April 2023

== Setup Wizard ==

The Setup Wizard will open automatically when NG Firewall first boots. If you do not have a keyboard/mouse/video connected to the NG Firewall server, the Setup Wizard can be reached by plugging a DHCP-configured laptop into the internal interface and opening a browser to http://192.168.2.1/.

Once installed, the setup wizard can be repeated at any time and can be found in the NG Firewall GUI at Config > System > Support > Setup Wizard.

=== Welcome Page ===

For versions 16.3 and newer the Setup Wizard begins with a welcome page. Choose to either create an ETM Dashboard account or login with an existing account to get started. Your ETM Dashboard account is free and is necessary to activate a trial or complete license on the device. Your account is also linked to ETM Dashboard, enabling you to remotely manage your Arista Edge Threat Management appliances.

By logging in or creating your ETM Dashboard account, the Add Appliance wizard opens automatically and includes the UID of your appliance. The Add Appliance wizard guides you through the remainder of the setup steps for your new NG Firewall appliance. See Adding Appliances to ETM Dashboard for more details.

If your NG Firewall device is not connected to the Internet or requires specific configuration to connect, the wizard allows you to Configure the Internet Connection. If you are unable to connect to the Internet, you can continue with the local setup wizard by following these instructions: Offline Setup Wizard

The next steps include installing the desired apps and possibly tuning the configuration of your NG Firewall.



=== Install Applications ===

Installing applications is covered in the User Guide. It is recommended to finish reading this section and get everything working before configuring/tuning the application settings.

Configure Other Subnets

NG Firewall will route all traffic according to its routing table, even in when installed as a Transparent Bridge. This means NG Firewall must have the proper routing table for all subnets on your network.

If you have other subnets on the network aside from those configured in the Setup Wizard you will need to configure NG Firewall to know about these networks. For example, if you are running as a bridge with NG Firewall having an address 192.168.1.2 with a netmask 255.255.255.0 but you also have a 192.168.20.* network and also a 10.0.*.* network you will need to tell NG Firewall where to reach these hosts.

There are several ways to do this:

  • Add a route in Config > Network > Routes telling NG Firewall how to reach those subnets. If 10.0.*.* is local on Internal then you simply need to create a 10.0.0.0/16 route to "Local on Internal." If 10.0.*.* lives behind another router on your network, such as 192.168.1.100, then you will need to add a route sending all 10.0.0.0/16 traffic to 192.168.1.100.
  • Add an alias on the appropriate interface. In Config > Network > Interface click edit on the appropriate interface and add an alias IP. This effectively tells NG Firewall that this IP range is local and can be reached locally on that interface. It also provides NG Firewall a local address on those subnets should any of those clients need to reach NG Firewall using a local IP.

Each subnet on your network must be configured so NG Firewall knows how to reach it; a subnet the firewall has not been told about falls through to the default route and is sent toward the WAN gateway. The "Ping Test" in Config > Network > Troubleshooting can be used to verify that NG Firewall can reach the configured subnets.
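The routing-table point above can be made concrete with a small longest-prefix-match resolver. This is an added example written for this page, not NG Firewall code: it models the subnets from the example (bridge address 192.168.1.2/24, a 192.168.20.0/24 segment added as an alias, 10.0.0.0/16 behind a router at 192.168.1.100), plus an assumed default gateway of 192.168.1.1 and an assumed directly attached 10.0.5.0/24 carve-out, and reports which destinations are reached locally, via the internal router, or fall through to the default route because the firewall was never told about their subnet.

```python
"""
Longest-prefix-match route lookup over interface addresses, aliases and
static routes.  Added illustration for this page, not NG Firewall code.
All addresses, interface names and routes below are constructed to match the
example in the text; the default gateway and the 10.0.5.0/24 carve-out are
assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    # None means "local on <interface>" (directly attached, no next hop)
    gateway: Optional[ipaddress.IPv4Address] = None


def build_table(interfaces: List[Tuple[str, str]],
                static_routes: List[Tuple[str, Optional[str], str]],
                default_gateway: Tuple[str, str]) -> List[Route]:
    """interfaces: (name, "addr/prefix") for primary and alias addresses;
    static_routes: ("net/prefix", gateway-or-None, interface);
    default_gateway: ("gateway", interface) used when nothing else matches."""
    table: List[Route] = []
    for name, cidr in interfaces:
        # An address or alias on an interface makes its subnet directly reachable.
        table.append(Route(ipaddress.ip_interface(cidr).network, name))
    for cidr, gw, name in static_routes:
        table.append(Route(ipaddress.ip_network(cidr), name,
                           ipaddress.ip_address(gw) if gw else None))
    gw, name = default_gateway
    table.append(Route(ipaddress.ip_network("0.0.0.0/0"), name,
                       ipaddress.ip_address(gw)))
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching route, as a kernel would."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def describe(table: List[Route], dst: str) -> str:
    r = lookup(table, dst)
    if r is None:
        return f"{dst}: unreachable"
    if r.gateway is None:
        return f"{dst}: local on {r.interface} ({r.prefix})"
    return f"{dst}: via {r.gateway} on {r.interface} ({r.prefix})"


def check_subnets(table: List[Route], subnets: List[str]) -> List[str]:
    """Return the subnets whose first host would only match the default
    route, i.e. networks NG Firewall has not been configured to know about."""
    missing = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        probe = next(net.hosts(), net.network_address)
        r = lookup(table, str(probe))
        if r is not None and r.prefix.prefixlen == 0:
            missing.append(cidr)
    return missing


# Constructed table: bridge address from the text, an alias for the second
# local segment (alias address assumed), the 10.0.0.0/16 network behind the
# internal router at 192.168.1.100, an assumed directly attached 10.0.5.0/24
# carve-out, and an assumed default gateway at 192.168.1.1.
TABLE = build_table(
    interfaces=[("Internal", "192.168.1.2/24"),
                ("Internal", "192.168.20.1/24")],          # alias
    static_routes=[("10.0.0.0/16", "192.168.1.100", "Internal"),
                   ("10.0.5.0/24", None, "Internal")],     # more specific, wins
    default_gateway=("192.168.1.1", "Internal"),
)

if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.20.7", "10.0.3.9", "10.0.5.3", "172.16.5.5"):
        print(describe(TABLE, host))
    # 172.16.0.0/12 was never configured, so its traffic goes to the gateway.
    print("not configured:", check_subnets(
        TABLE, ["192.168.1.0/24", "10.0.0.0/16", "172.16.0.0/12"]))
```

The 10.0.5.0/24 entry shows why a more specific route is safe to add alongside a broader one: longest prefix wins, so those hosts are treated as local while the rest of 10.0.0.0/16 still goes via 192.168.1.100. The last line is the check worth running against your own subnet list before deploying: anything it reports is traffic that will be sent to the WAN gateway instead of reaching the internal host.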

More in depth information about how the network is configured is found in Network Configuration.

Configure Other Interfaces

In the setup wizard you configured both the Internal and External interfaces. If you have more than 2 interfaces, the 3rd and beyond are Disabled by default.

If you plan to use them, they must be configured, and it is suggested to give each one a name reflecting its use.

Common uses include:

Additional WAN interfaces (if you have multiple internet connections) for failover/balancing
To do this just configure it as a WAN interface with the ISP's provided values. Read more about WAN Failover and WAN Balancer for more information about failover/balancing.
Other internal networks
To do this just configure it as a non-WAN interface with a static internal IP. For example if you used 192.168.1.1/24 on your internal, you could use 192.168.2.1/24 on your 3rd interface. This is useful on larger networks, for guest networks, for wireless networks etc.
Public segment for public servers (DMZ)
If you have servers with public addresses you can place them on the additional interface(s) and bridge those interfaces to your WAN, then give the servers IPs on the same subnet as the WAN interface.
Additional NICs for existing networks
If you want additional NICs for your Internal network (for example), you can bridge the 3rd interface to Internal and plug additional internal machines into that NIC. This behaves much like a switch, except that traffic passing through NG Firewall to reach other internal hosts is scanned by the apps.
Configuring a WiFi interface
If your hardware platform includes a supported WiFi adapter, you can configure your WiFi interface. Be sure to select the appropriate Regulatory Country option for your country.

More in depth information about how the network is configured is found in Network Configuration.

Email

Some NG Firewall applications and functions, such as reports and spam quarantine digests, rely on sending email. Email sending is configured in Config > Email. By default email is sent directly using DNS MX records, the way a mail server would. However, some ISPs and networks block outbound port 25 to curb spam; in that case you must configure an SMTP relay (with authentication credentials if the relay requires them).

Hostname

You can configure the hostname (and domain) for the NG Firewall server in Config > Network > Hostname.

Port Forward Rules

If NG Firewall is installed as a router and you have internal servers with services that need to be publicly accessible, you need to configure port forward rules to forward that traffic to the appropriate server. You can configure port forward rules in Config > Network > Port Forward Rules. Forward only the ports the service actually needs; every forwarded port exposes that internal server directly to the Internet.

Bypass Rules

Unlike many next-generation firewalls, NG Firewall scans all TCP and UDP traffic on all ports at the application layer by default, except for VoIP traffic. This is ideal for most deployments, but if you are running a very large (1000s of users) network it probably makes sense to bypass traffic that you are not interested in scanning. Traffic can be bypassed in Config > Network > Bypass Rules. Bypassed traffic is not seen by the apps at all, so do not bypass traffic you rely on the apps to filter or report on. More is described in the Network documentation.

Public Address

If you use OpenVPN or quarantine or other publicly accessible services on NG Firewall, you may wish to configure the "public address" of NG Firewall so that it sends the appropriate URL to remote users. Public Address can be configured in Config > Administration > Public Address.

External Administration

If you'd like to be able to administer NG Firewall via HTTPS remotely, you will need to enable HTTPS access on WAN interfaces in the Input Filter Rules (see Filter Rules). If you do, restrict that rule to the source addresses that actually need management access rather than opening the administration interface to the whole Internet.

Installing NG Firewall on the Network

At this point NG Firewall should be ready to drop into the network if it is not already in place.

If NG Firewall is configured in bridge mode, an easy way to test is to install it with only one or a few computers behind it: plug the External interface into your network, then plug a switch with a few computers into the Internal interface so they must go through NG Firewall. Only those computers will be filtered, allowing you to test without disturbing the rest of your network.

If you are running as a Transparent Bridge, verify that NG Firewall is not plugged in backwards by unplugging the network cables one at a time and watching the link lights in Config > Network > Interfaces. If NG Firewall is configured as a bridge and plugged in backwards it will pass traffic, but some functionality will not work correctly. NG Firewall also provides Administrative Alerts that will bring this to your attention so you can fix it.

  • NG Firewall is designed to drop in to your network with minimum disruption. When testing we recommend putting the system in place, keeping most defaults unless you're having problems. This way you can get a feel for how it works before making possibly major changes that may affect system operation.

Using NG Firewall

The next step is installing the applications and configuring NG Firewall to meet your needs. The User Guide provides in depth documentation of the various functions of NG Firewall and the applications.

Welcome to NG Firewall! ʘ‿ʘ