ThreatPrevention provides traditional threatprevention functionality, blocking and/or flagging traffic based on rules.
The term "ThreatPrevention" has grown to encompass many functionalities and has a wide array of meanings. The term "threatprevention" is often used interchangeably with "router", "gateway", and "UTM" or "Unified Threat Management". Even the Untangle NGFW is a "next-gen" "threatprevention". There are also host-based "threatpreventions" that run on the local host computer.
The "ThreatPrevention" app itself is a traditional threatprevention used to block and/or flag TCP and UDP sessions passing through Untangle using rules. The ThreatPrevention app provides the same functionality as a traditional "threatprevention": the ability to use rules to control which computers can communicate on a network.
This section reviews the different settings and configuration options available for ThreatPrevention.
The Status tab displays the current status and some statistics.
The Rules tab allows you to specify rules to Block, Pass or Flag traffic that crosses the Untangle.
The Rules documentation describes how rules work and how they are configured. ThreatPrevention uses rules to determine whether to block or pass a specific session, and whether the session is flagged. Flagging a session marks it in the logs for review in the event logs or reports, but has no direct effect on the network traffic.
Typically Untangle is installed as a NAT/gateway device, or behind another NAT/gateway device in bridge mode. In this scenario all inbound sessions are blocked by NAT except those explicitly allowed with port forwards. Because of this, ThreatPrevention does not block anything by default. It is up to you to decide the best fit for your network: whether you only want to block specific ports, or you want to block everything and allow only a few services.
- Pass: Allows the traffic which matched the rule to flow.
- Block: Blocks the traffic which matched the rule.
Additionally, a session can be flagged. If Flag is checked, the event is flagged for easier viewing in the event log. Flag is always enabled if the action is Block.
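The two policies described above (block only specific ports, or allow a few services and block everything else) and the Pass/Block/Flag semantics, as an added illustration that is not the ThreatPrevention app's own code. It assumes rules are evaluated top-to-bottom with the first match winning, and that a session matching no rule is passed; the sessions and addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    protocol: str   # "TCP" or "UDP"
    src: str        # source IP
    dst: str        # destination IP
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                       # "Pass" or "Block"
    flag: bool = False                # the Flag checkbox
    protocol: Optional[str] = None    # None matches any protocol
    dst_port: Optional[int] = None    # None matches any port

    def matches(self, s: Session) -> bool:
        return ((self.protocol is None or self.protocol == s.protocol)
                and (self.dst_port is None or self.dst_port == s.dst_port))

def evaluate(rules, session):
    """Return (action, flagged). Assumption: rules are checked top-to-bottom and
    the first match wins. Flag is forced on when the action is Block."""
    for r in rules:
        if r.matches(session):
            return r.action, (r.flag or r.action == "Block")
    return "Pass", False  # no rule matched: nothing is blocked by default

# Policy A: block only a specific port (Telnet) and flag SMB for review.
BLOCK_SPECIFIC = [
    Rule("Block", protocol="TCP", dst_port=23),
    Rule("Pass", flag=True, protocol="TCP", dst_port=445),
]

# Policy B: allow only a few services (DNS, HTTPS) and block everything else.
ALLOW_LIST_ONLY = [
    Rule("Pass", protocol="UDP", dst_port=53),
    Rule("Pass", protocol="TCP", dst_port=443),
    Rule("Block"),  # catch-all: matches any protocol and port
]

# Constructed sample sessions (private / documentation addresses).
TELNET = Session("TCP", "192.168.1.10", "10.0.0.5", 23)
SMB = Session("TCP", "192.168.1.10", "10.0.0.5", 445)
HTTPS = Session("TCP", "192.168.1.10", "203.0.113.7", 443)
SSH = Session("TCP", "192.168.1.10", "203.0.113.7", 22)
DNS = Session("UDP", "192.168.1.10", "10.0.0.53", 53)
```

Under policy A the SSH session passes unflagged because no rule matches it, while under policy B the same session hits the catch-all Block rule and is flagged automatically.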