Shield

From Edge Threat Management Wiki - Arista
Revision as of 13:45, 31 July 2015 by Lgraves (talk | contribs)


Shield

The shield monitors the rate at which each client creates sessions. Each time Untangle processes a session, the shield calculates the current session creation rate of the client that initiated it. If that rate reaches a level the shield considers too aggressive, the client's session creation rate is limited to that level.

This process protects the Untangle server and also protects the network from Denial of Service (DoS) attacks.

Enable Shield

If checked, the shield is enabled; if unchecked, the shield is disabled. Warning: do not disable the shield. Doing so may cause performance and stability issues. This checkbox is provided to allow for troubleshooting. Leaving the shield disabled after any troubleshooting steps is never suggested.

Note: the shield only looks at new session requests; it does not influence or process the traffic of existing sessions.

Shield Rules

Shield rules are evaluated at session creation time. The rules documentation describes how rules are processed.

If no shield rule matches, the regular session creation rate limit is applied (1 user). If a shield rule does match, the session creation rate limit of the matching rule is applied. 5 users means that 5x the session creation rate limit will be allowed, 10 users means 10x, and so on; unlimited means that no session creation rate limit will be applied. Using unlimited effectively disables the shield for the matching traffic and is not suggested.

Shield rules allow for increasing the session creation rate for certain traffic. For example, if there is a wireless router doing NAT behind Untangle with 100 wireless clients, all of this traffic will appear to come from the wireless router's IP address. As such, you might need to tell the shield to allow a much higher session creation rate for that IP. Creating a rule matching traffic from that router would allow that IP to create sessions at a rate more appropriate for 100 machines.
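
A small model of the rule semantics described above, added here as an illustration and not Untangle's own code or algorithm. The base limit, window length, first-match rule order and matching on source address alone are assumptions, and all addresses are constructed.

```python
import ipaddress
from collections import defaultdict, deque

BASE_LIMIT = 10    # assumed: new sessions allowed per window for "1 user"
WINDOW = 1.0       # assumed: window length in seconds
UNLIMITED = None   # rule value meaning "no session creation rate limit"

class ShieldModel:
    """Toy per-client limiter on the rate of NEW sessions only."""

    def __init__(self, rules):
        # rules: ordered (source CIDR, users) pairs; first match wins (assumed)
        self.rules = [(ipaddress.ip_network(c), m) for c, m in rules]
        self.recent = defaultdict(deque)  # client IP -> accepted-session times

    def multiplier(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        for net, mult in self.rules:
            if addr in net:
                return mult
        return 1  # no rule matched: regular limit (1 user)

    def new_session(self, client_ip, now):
        """Return True to accept the new session, False to block it."""
        mult = self.multiplier(client_ip)
        if mult is UNLIMITED:
            return True  # shield effectively disabled for this traffic
        times = self.recent[client_ip]
        while times and now - times[0] >= WINDOW:
            times.popleft()  # forget sessions older than the window
        if len(times) >= BASE_LIMIT * mult:
            return False  # client is at its limit; session is blocked
        times.append(now)
        return True

def accepted(shield, client_ip, attempts, now=0.0):
    """Count how many of `attempts` new sessions at time `now` are accepted."""
    return sum(shield.new_session(client_ip, now) for _ in range(attempts))

if __name__ == "__main__":
    # 192.0.2.1 stands in for the NAT router fronting 100 wireless clients.
    shield = ShieldModel([("192.0.2.1/32", 100), ("198.51.100.0/24", UNLIMITED)])
    print(accepted(shield, "203.0.113.7", 50))     # single host, no rule
    print(accepted(shield, "192.0.2.1", 1500))     # NAT router, 100 users
    print(accepted(shield, "198.51.100.9", 5000))  # unlimited rule
```

With these assumed numbers, a host with no matching rule gets 10 sessions per window, the router with a 100-user rule gets 1000, and the unlimited range is never blocked, which is why the page advises against using unlimited.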

Reports

The Reports tab provides a view of all reports and events for all traffic handled by Shield.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further refined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained from the Current Data window on the right.

Pre-defined report queries:

Report Entry             Description
Scanned Sessions         The amount of scanned and blocked sessions over time.
Blocked Sessions         The amount of blocked sessions over time.
Top Blocked Usernames    The number of blocked sessions grouped by username.
Top Blocked Clients      The number of blocked sessions grouped by client.
Top Blocked Ports        The number of blocked sessions grouped by server port.
Top Blocked Servers      The number of blocked sessions grouped by server.
Top Blocked Hostnames    The number of blocked sessions grouped by hostname.
Scanned Session Events   All sessions scanned by Shield.
Blocked Session Events   All sessions blocked by Shield.


The tables queried to render these reports:



FAQ

Does the Shield limit bandwidth?

No, the Shield only looks at new session requests. After a session is accepted, the data of that session is not scanned by the shield. It has no capability to see or process the data of accepted connections.