https://wiki.edge.arista.com/api.php?action=feedcontributions&user=Bmastbergen&feedformat=atomEdge Threat Management Wiki - Arista - User contributions [en]2024-03-28T18:03:22ZUser contributionsMediaWiki 1.41.0https://wiki.edge.arista.com/index.php?title=Troubleshooting_Server_Installation&diff=27761Troubleshooting Server Installation2020-07-27T19:21:01Z<p>Bmastbergen: </p>
<hr />
<div>= Video Issues = <br />
<br />
Occasionally Untangle cannot correctly detect the video card/monitor settings needed to display on the monitor. This can show up in several ways:<br />
<br />
* The monitor flashes and then displays a black screen with a message or login prompt<br />
* The monitor just displays noise after the bootup is complete<br />
* The monitor displays correctly, but the screen is much too large, requiring scrolling with the mouse.<br />
<br />
[[Image:MonitorProblem.jpeg|300px|center|Video Problem]]<br />
<br />
Things to try:<br />
<br />
* Restart the server and select a different boot mode in the bootup kernel selection menu.<br />
* Try various BIOS settings that may affect video.<br />
* Try another monitor, and reboot after switching. The monitor should be plugged in before powering on Untangle.<br />
* If you are using a KVM (keyboard-video-mouse switch), remove it and connect the peripherals directly.<br />
* Try another video card.<br />
* Re-burn the CD/ISO at a slower speed, or re-create the USB/IMG, and reinstall.<br />
<br />
<br />
Also note that changing resolutions is supported, but can sometimes lead to issues. If this is the case, reboot the server in Video Safe Mode.<br />
<br />
= UEFI Issues =<br />
<br />
The Untangle UEFI Installer does not support UEFI SecureBoot, so SecureBoot must be disabled in your hardware's firmware menu prior to installing.<br />
<br />
Unfortunately, not all UEFI implementations are written equally, which may cause issues when installing NG Firewall via UEFI on some hardware. If NG Firewall fails to successfully install via UEFI, check to see if your hardware's firmware can be configured for legacy BIOS boot and attempt to install using the normal installer. Otherwise, check out the Debian project's UEFI page for some tips on troubleshooting UEFI based installs.<br />
<br />
https://wiki.debian.org/UEFI#Quirks.2C_workarounds_and_special_UEFI_features_in_Debian_and_Debian-Installer</div>Bmastbergenhttps://wiki.edge.arista.com/index.php?title=NG_Firewall_Installation&diff=27760NG Firewall Installation2020-07-27T19:14:05Z<p>Bmastbergen: </p>
<hr />
<div><span style="display:none" class="helpSource account_registration">Installation#Account_Registration</span><br />
<br />
Hello and thanks for your interest in Untangle NG Firewall!<br />
<br />
This guide will be a quick primer on getting your Untangle NG Firewall installed, up and running. Hopefully it will also answer some common configuration questions without causing too much confusion. If you already have Untangle in your network you can skip to any relevant section and read from there. If you're new to Untangle, we recommend reading this section in its entirety to help familiarize yourself with the software and how it works - it will probably save you a headache or two later on.<br />
<br />
<br />
== What is Untangle NG Firewall? ==<br />
<br />
Untangle is [http://en.wikipedia.org/wiki/Next-Generation_Firewall NGFW]/[http://en.wikipedia.org/wiki/Unified_threat_management UTM] software, bringing together everything your network needs to stay healthy on one box: web content and spam filtering, virus scanning, VPN connectivity, multi-WAN failover capability and much more. We strive to make deployment and administration easy, with a friendly web-based GUI to help you monitor and filter traffic on your network. Untangle provides a suite of applications free of charge with the option of subscribing to additional applications as best suits your organization - our [http://www.untangle.com website] has a full list of [http://www.untangle.com/untangle/features/ features]. If you have additional questions the [http://wiki.untangle.com/ wiki] and [http://forums.untangle.com/ forums] are always open, plus [http://support.untangle.com/ support] is just a ticket away. Current pricing for paid applications, packages and appliances can be found in the [http://www.untangle.com/store/ store].<br />
<br />
== Installing Untangle NG Firewall on a Server ==<br />
<br />
If you have ordered an appliance with Untangle pre-installed, refer to the [https://wiki.untangle.com/index.php/Hardware_Setup_Guides Hardware Setup Guides].<br />
<br />
Untangle installs to the hard drive of a PC, '''erasing all data on that drive in the process'''. Please be aware of this before starting the installation. Also note that Untangle '''requires''' at least two [http://en.wikipedia.org/wiki/Network_interface_controller NICs] to be installed '''before''' you start the installation. <br />
<br />
You have a few methods to install Untangle NG Firewall on a new server:<br />
<br />
*'''ISO''': Download the ISO from [http://www.untangle.com/store/get-untangle/ Untangle], burn it to a disc and boot - the Installation Wizard will guide you through the install and network configuration process.<br />
<br />
*'''USB''': Write an image to a bootable USB stick - instructions are available [[Installing Untangle from USB | here]].<br />
<br />
*'''OVA''': Download the OVA from [http://www.untangle.com/store/get-untangle/ Untangle]. This can be deployed in VMware and other virtualization software. When deploying in a virtual environment, be sure to read through the [[Network_Configuration#Cardinal_Rules|Cardinal Rules]].<br />
<br />
Most users install Untangle on the server before the server is placed in-line on their network. To do this, plug one interface of your Untangle into your network as you would any other computer, then start the installer. This ensures that Untangle will have access to the internet during installation.<br />
<br />
Power down the server, insert the ISO or USB installer, and power on the server. Make sure the boot options are set to boot from the inserted CD or USB media. Once the Untangle installation has started, follow the directions on the screen to complete the installation process.<br />
<br />
As of release 16.0, NG Firewall can be installed via BIOS or UEFI. When booting from CD or USB, the installer automatically detects whether it was booted via BIOS or UEFI and adjusts the install process accordingly. To tell which mode the installer booted in, check the installer's menu title: when booted via BIOS it reads "Untangle installer boot menu", and when booted via UEFI it reads "Untangle UEFI Installer".<br />
<br />
After the installation is complete the server will reboot and the Setup Wizard will appear to walk you through the next phase of installation.<br />
<br />
If you encounter issues while installing Untangle onto your server, read the [[Troubleshooting Server Installation]].<br />
<br />
----<br />
<br />
== Setup Wizard ==<br />
<br />
{{:Setup Wizard}}<br />
<br />
----<br />
<br />
== Common Post-Setup-Wizard Configuration ==<br />
<br />
At this point Untangle has the basic configuration that will work for most networks. However, some networks require more configuration.<br />
<br />
=== Account Registration ===<br />
<br />
Untangle will prompt you to sign in or register a new account with untangle.com. Registration is required to install any applications and takes only a second. <br />
<br />
Registration has the following benefits:<br />
* Install free or paid applications on your Untangle NGFW. <br />
* Manage your licenses, renewals, servers and contact info all from one dashboard.<br />
* Easily transfer licenses between servers.<br />
<br />
If you signed in with an existing account, the system will check for any unused subscriptions in your account and ask if you would like to apply them to this system. <br />
<br />
Once you have completed the process, continue with the steps below. Your account can always be accessed by visiting http://untangle.com or clicking ''My Account'' in the lower left hand corner of the UI.<br />
<br />
=== Install Applications ===<br />
<br />
Installing applications is covered in the [[User Guide]]. It is recommended to finish reading this section and get everything working before configuring/tuning the application settings.<br />
<br />
=== Configure Other Subnets ===<br />
<br />
Untangle will route all traffic according to its routing table, even when installed as a ''Transparent Bridge''. This means Untangle must have a routing table that covers all subnets on your network.<br />
<br />
If you have other subnets on the network aside from those configured in the Setup Wizard you will need to configure Untangle to know about these networks. For example, if you are running as a bridge with Untangle having an address 192.168.1.2 with a netmask 255.255.255.0 but you also have a 192.168.20.* network and also a 10.0.*.* network you will need to tell Untangle where to reach these hosts.<br />
<br />
There are several ways to do this:<br />
<br />
* Add a route in [[Config]] > [[Network]] > [[Routes]] telling Untangle how to reach those subnets. If 10.0.*.* is local on Internal, then you simply need to create a 10.0.0.0/16 route to "Local on Internal." If 10.0.*.* lives behind another router on your network, such as 192.168.1.100, then you will need to add a route sending all 10.0.0.0/16 traffic to 192.168.1.100. <br />
* Add an alias on the appropriate interface. In Config > Network > Interface click edit on the appropriate interface and add an alias IP. This effectively tells Untangle that this IP range is local and can be reached locally on that interface. It also provides Untangle a local address on those subnets should any of those clients need to reach Untangle using a local IP.<br />
<br />
Each subnet on your network will need to be configured so Untangle knows how to reach them. The "Ping Test" in [[Config]] > [[Network]] > [[Troubleshooting]] can be used to verify that Untangle can reach the configured subnets.<br />
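The routing decision described above, as an added example that is not part of the original page: a longest-prefix lookup over the page's own scenario (bridge address 192.168.1.2/24, a 192.168.20.0/24 network reached via an alias, and 10.0.0.0/16 behind the router 192.168.1.100). The interface names and the default gateway 192.168.1.1 are illustrative assumptions.<br />

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    # None means the prefix is "Local on <interface>"; otherwise the next-hop router.
    gateway: Optional[ipaddress.IPv4Address] = None


def lookup(table: list[Route], dst: str) -> Route:
    """Return the most specific route covering dst (longest prefix wins)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def describe(table: list[Route], dst: str) -> str:
    """Human-readable summary of where Untangle would send traffic for dst."""
    found = lookup(table, dst)
    if found.gateway is None:
        return f"{dst} -> local on {found.interface}"
    return f"{dst} -> via {found.gateway} on {found.interface}"


def route(cidr: str, interface: str, via: Optional[str] = None) -> Route:
    """Build a Route; omit `via` for a prefix that is local on the interface."""
    gw = ipaddress.IPv4Address(via) if via else None
    return Route(ipaddress.IPv4Network(cidr), interface, gw)


# Constructed table as left by the Setup Wizard: the bridge address
# 192.168.1.2/24 makes 192.168.1.0/24 local, and everything else follows the
# default route to the (hypothetical) Internet gateway 192.168.1.1.
BASE_TABLE = [
    route("192.168.1.0/24", "Internal"),
    route("0.0.0.0/0", "External", via="192.168.1.1"),
]

# The same table after the two fixes the text describes: a static route for
# 10.0.0.0/16 via the other router 192.168.1.100, and an alias on Internal
# that makes 192.168.20.0/24 local.
FIXED_TABLE = BASE_TABLE + [
    route("10.0.0.0/16", "Internal", via="192.168.1.100"),
    route("192.168.20.0/24", "Internal"),
]

if __name__ == "__main__":
    # Before the fix, 10.0.3.7 and 192.168.20.9 match only the default route,
    # so Untangle hands them to the Internet gateway instead of the router or
    # segment that actually serves them.
    for host in ("10.0.3.7", "192.168.20.9", "192.168.1.50", "203.0.113.9"):
        print(f"before: {describe(BASE_TABLE, host)}")
        print(f"after:  {describe(FIXED_TABLE, host)}")
```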
<br />
More in-depth information about how Untangle's networking is configured can be found in [[Network Configuration]].<br />
<br />
=== Configure Other Interfaces ===<br />
<br />
In the setup wizard you configured both the Internal and External interfaces. If you have more than 2 interfaces, the 3rd and beyond are ''Disabled'' by default.<br />
<br />
If you plan to use them, they must be configured, and it is suggested that you choose a name reflecting each interface's use.<br />
<br />
Common uses include:<br />
<br />
; Additional WAN interfaces (if you have multiple internet connections) for failover/balancing<br />
: To do this, configure it as a WAN interface with the values provided by your ISP. See [[WAN Failover]] and [[WAN Balancer]] for more information about failover and balancing.<br />
; Other internal networks<br />
: To do this, configure it as a non-WAN interface with a static internal IP. For example, if you used 192.168.1.1/24 on your Internal interface, you could use 192.168.2.1/24 on your 3rd interface. This is useful on larger networks, for guest networks, for wireless networks, etc.<br />
; Public segment for public servers (DMZ)<br />
: If you have servers with public addresses you can place them on the additional interface(s) and bridge those interfaces to your WAN. Then configure the servers with IPs on the same subnet as the WAN interface.<br />
; Additional NICs for existing networks<br />
: If you want additional NICs for your Internal network (for example), you can bridge the 3rd interface to your Internal and plug additional internal machines into that NIC. This behaves similarly to a switch, except that traffic passing through Untangle to reach other internal hosts is scanned by the apps.<br />
<br />
More in-depth information about how Untangle's networking is configured can be found in [[Network Configuration]].<br />
<br />
=== Email ===<br />
<br />
Some Untangle applications and functions, such as reports and spam quarantine digests, rely on sending email. Email sending is configured in [[Config]] > [[Email]]. By default, email is sent directly using DNS MX records, as a mail server would. However, some ISPs and networks block port 25 to prevent spam; in this case you must configure an SMTP relay (and the appropriate authentication credentials if required).<br />
<br />
=== Hostname ===<br />
<br />
You can configure the hostname (and domain) for the Untangle server in [[Config]] > [[Network]] > [[Hostname]].<br />
<br />
=== Port Forward Rules ===<br />
<br />
If Untangle is installed as a router and you have internal servers with services that need to be publicly accessible, you need to configure port forward rules to forward that traffic to the appropriate server. You can configure port forward rules in [[Config]] > [[Network]] > [[Port Forward Rules]].<br />
<br />
=== Bypass Rules ===<br />
<br />
Unlike many next-generation firewalls, Untangle scans ''all'' TCP and UDP traffic on all ports at the application layer by default, except for VoIP traffic. This is ideal for most deployments, but if you are running a very large network (1000s of users) it probably makes sense to bypass traffic that you are not interested in scanning. Traffic can be bypassed in [[Config]] > [[Network]] > [[Bypass Rules]]. More is described in the [[Network]] documentation.<br />
<br />
=== Public Address ===<br />
<br />
If you use OpenVPN or quarantine or other publicly accessible services on Untangle, you may wish to configure the "public address" of Untangle so that it sends the appropriate URL to remote users. Public Address can be configured in [[Config]] > [[Administration]] > [[Administration#Public Address|Public Address]].<br />
<br />
=== External Administration ===<br />
<br />
If you'd like to administer Untangle remotely via HTTPS, you will need to enable HTTPS access on WAN interfaces in the [[Filter Rules#Input Filter Rules|Input Filter Rules]].<br />
<br />
== Installing Untangle on the Network ==<br />
<br />
At this point Untangle should be ready to drop into the network if it is not already in place.<br />
<br />
If Untangle is configured in bridge mode, an easy way to test it is to install it with only one or a few computers behind it: plug the External interface into your network, then plug a switch with a few computers into the Internal interface so they must go through Untangle. Only those computers will be filtered, allowing you to test without disturbing the rest of your network. <br />
<br />
If you are running as a ''Transparent Bridge'' verify that Untangle is not plugged in backwards by unplugging the network cables one at a time and looking at the green lights in Config > Network > Interfaces. If Untangle is configured as a bridge and plugged in backwards it will pass traffic but some functionality will not work correctly. Untangle also provides [[Administrative Alerts]] which will bring this to your attention so you can fix it.<br />
<br />
* Untangle is designed to drop into your network with minimum disruption. When testing, we recommend putting the system in place and keeping most defaults unless you're having problems. This way you can get a feel for how Untangle works before making potentially major changes that may affect system operation.<br />
<br />
== Using Untangle ==<br />
<br />
The next step is installing the applications and configuring Untangle to meet your needs. The [[User Guide]] provides in depth documentation of the various functions of Untangle and the applications.<br />
<br />
Welcome to Untangle! ʘ‿ʘ</div>Bmastbergenhttps://wiki.edge.arista.com/index.php?title=Patch_-_Untangle_u25,u25w_reboots/powers_off&diff=27618Patch - Untangle u25,u25w reboots/powers off2020-03-11T19:51:07Z<p>Bmastbergen: </p>
<hr />
<div>= What it is =<br />
<br />
May fix intermittent reboots and/or power-offs experienced on Untangle u25 and u25w appliances after upgrading to 15.0.<br />
<br />
= Target Version =<br />
<br />
15.0.0<br />
<br />
= How to run =<br />
<br />
<code><br />
curl -s -k https://downloads.untangle.com/public/patches/15.0.0/max_cstate.patch | dash<br />
</code><br />
<br />
After applying the patch above, the appliance must be rebooted for the change to take effect.</div>Bmastbergenhttps://wiki.edge.arista.com/index.php?title=Patches_%26_Scripts&diff=27616Patches & Scripts2020-03-11T19:47:51Z<p>Bmastbergen: </p>
<hr />
<div>== Patches ==<br />
<br />
Occasionally Untangle will fix a bug or add an enhancement and release it as a patch. A patch is a simple way to apply a small change and is quicker and easier to release than a full new build. It is recommended to install a patch only if it is needed or you are experiencing an issue the patch is known to solve. Patches are typically included in the next released build, so they are often obsolete once a new build is published.<br />
<br />
== Scripts ==<br />
<br />
Occasionally users may wish to accomplish a task that is not considered normal usage and is not a feature available in the product. Below are some utilities and scripts that accomplish various tasks or tests that are not available in the administration interface.<br />
<br />
* [[Script - Fix some charts not displaying in emailed reports]]<br />
* [[Script - Generate new (2048bit) self-signed certificate]]<br />
* [[Script - Check DNSBL Access]]<br />
* [[Script - Disk Usage Report]]<br />
* [[Script - Clear Reports Data]]<br />
* [[Script - Reinitialize Database]]<br />
* [[Script - Clear Hosts and Devices]]<br />
<br />
=== 15.0.0 ===<br />
<br />
* [[Patch - Untangle u25,u25w reboots/powers off]]<br />
<br />
=== 14.2.2 ===<br />
<br />
* [[Patch - Brightcloud daemon restarts]]<br />
<br />
=== 14.0.1 ===<br />
<br />
* [[Patch - Fix google allowed domains restriction]]<br />
* [[Patch - Consistent order on wifi options]]<br />
<br />
=== 14.0.0 ===<br />
<br />
* [[Patch - Bridge VLANs not properly initializing]]<br />
* [[Patch - Captive Portal users removed from Host Table]]<br />
<br />
=== 13.2.1 ===<br />
<br />
* [[Patch - Disable IPsec unity plugin]]<br />
<br />
=== 13.1.0 ===<br />
<br />
* [[Patch - Fix captive portal non-standard HTTP port redirect]]<br />
* [[Patch - Fix quarantine view filter]]</div>Bmastbergenhttps://wiki.edge.arista.com/index.php?title=Threat_Prevention&diff=26975Threat Prevention2020-02-04T21:39:06Z<p>Bmastbergen: </p>
<hr />
<div>[[Category:Applications]]<br />
<span style="display:none" class="helpSource threat_prevention">Threat_Prevention</span><br />
<span style="display:none" class="helpSource threat_prevention_status">Threat_Prevention#Status</span><br />
<span style="display:none" class="helpSource threat_prevention_threats">Threat_Prevention#Threats</span><br />
<span style="display:none" class="helpSource threat_prevention_rules">Threat_Prevention#Rules</span><br />
<span style="display:none" class="helpSource threat_prevention_lookup">Threat_Prevention#Threat_Lookup</span><br />
<br />
{| width='100%'<br />
|-<br />
| align="center" | [[Image:ThreatPrevention.png|128px]] &nbsp; &nbsp; '''Threat Prevention'''<br />
| align="center" |<br />
{|<br />
|-<br />
| Other Links:<br />
|-<br />
|[http://forums.untangle.com/threat-prevention/ Threat Prevention Forums]<br />
|-<br />
|[[Threat Prevention Reports]]<br />
|-<br />
|[[Threat Prevention FAQs]]<br />
|}<br />
|}<br />
<br/><br />
----<br />
<br />
<br />
== About Threat Prevention ==<br />
<br />
Threat Prevention blocks potentially harmful traffic from entering or exiting the network. This app can prevent cyber attacks against your servers (e.g. web, VoIP, and email). It is also useful to prevent data loss in case users mistakenly try to connect to a phishing site or other type of malicious host.<br />
<br />
Threat Prevention uses Threat Intelligence technology managed by Webroot BrightCloud®. It works by querying the BrightCloud® service for the reputation score and historical data of each IP address or URL. Based on the rating of the IP address or URL, the session may be blocked. By default, the Threat Prevention app blocks sessions with a "High Risk" rating. IP addresses or URLs rated as High Risk may be associated with the following types of attacks:<br />
* Spam Sources - IP addresses involved in tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities.<br />
* Windows Exploits - IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms.<br />
* Web Attacks - IP addresses using cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attacks to target vulnerabilities on a web server. <br />
* Botnets - IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers. <br />
* Denial of Service - The Denial of Service category includes DoS, DDoS, anomalous SYN flood, and anomalous traffic detection.<br />
* Scanners - IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute force login attempts. <br />
* Phishing - IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities. <br />
* TOR Proxy - IP addresses acting as exit nodes for the TOR Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.<br />
* Proxy - IP addresses providing proxy services, including both VPN and open web proxy services.<br />
* Mobile Threats - Denial of service, packet sniffing, address impersonation, and session hijacking<br />
<br />
== Settings ==<br />
<br />
This section reviews the different settings and configuration options available for Threat Prevention.<br />
<br />
=== Status ===<br />
<br />
The Status screen shows the running state of Threat Prevention and relevant Metrics such as the number of blocked sessions and high risk threats.<br />
<br />
{{AppScreenshot|threatprevention|status}}<br />
<br />
=== Threats ===<br />
<br />
In the Threats tab you can specify the threshold for IP Address and URL threats. The recommended and default Reputation Threshold is "High Risk". By moving the slider to the left you can choose to block more traffic; however, this may increase the number of false positives. As you move the slider, a description appears that explains what types of sessions apply to each threshold level.<br />
<br />
{{AppScreenshot|threatprevention|threats}}<br />
<br />
=== Rules ===<br />
<br />
The '''Rules''' tab allows you to specify rules to Block, Pass or Flag traffic that crosses Untangle.<br />
<br />
The [[Rules|Rules documentation]] describes how rules work and how they are configured. Threat Prevention uses rules to determine whether to block or pass a specific session, and whether the session is flagged. Flagging a session marks it in the logs for review in the event logs or reports, but has no direct effect on the network traffic.<br />
<br />
In addition to all the common rule types, there are four that are unique to Threat Prevention, and these can be useful for making exceptions to the general ''Reputation Threshold'' setting.<br />
<br />
'''Source address reputation threshold'''<br />
The reputation value of a source IP address returned by the Webroot BrightCloud® service. This applies to incoming connections from the Internet to open services on your network.<br />
<br />
'''Destination address reputation threshold'''<br />
The reputation value of a destination IP address returned by the Webroot BrightCloud® service. This applies to outgoing connections to the Internet from hosts on your network.<br />
<br />
'''Source address category'''<br />
The reputation category of a source IP address returned by the Webroot BrightCloud® service. This applies to incoming connections from the Internet to open services on your network.<br />
<br />
'''Destination address category'''<br />
The reputation category of a destination IP address returned by the Webroot BrightCloud® service. This applies to outgoing connections to the Internet from hosts on your network.<br />
<br />
==== Rule Actions ====<br />
<br />
* '''Pass''': Allows the traffic which matched the rule to flow.<br />
* '''Block''': Blocks the traffic which matched the rule.<br />
<br />
Additionally, a session can be flagged. If '''Flag''' is checked, the event is flagged for easier viewing in the event log. Flag is always enabled if the action is Block.<br />
<br />
{{AppScreenshot|threatprevention|rules}}<br />
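How the global Reputation Threshold and the four Threat Prevention rule conditions combine, as an added example that is not Untangle's code: the 1-100 score bands, the first-match rule order and the fallback to the threshold for the remote party are assumptions, and the reputation table is constructed sample data standing in for the BrightCloud query.<br />

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Assumed BrightCloud-style reputation bands: (upper bound of score, label).
BANDS = [(20, "High Risk"), (40, "Suspicious"), (60, "Moderate Risk"),
         (80, "Low Risk"), (100, "Trustworthy")]


def band(score: int) -> str:
    """Map a 1-100 reputation score to its threshold label."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


# Constructed sample data standing in for the BrightCloud lookup:
# address -> (reputation score, set of threat categories).
REPUTATION = {
    "203.0.113.7":  (12, {"Scanners", "Botnets"}),  # inbound port scanner
    "198.51.100.4": (35, {"Spam Sources"}),         # suspicious mail source
    "192.0.2.20":   (15, {"Proxy"}),                # the company's own VPN provider
    "192.0.2.99":   (85, set()),                    # ordinary web site
    "10.0.0.5":     (100, set()),                   # internal host
}


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    inbound: bool  # True: from the Internet to an open service on the network


@dataclass(frozen=True)
class Rule:
    description: str
    condition: Callable[[Session], bool]
    action: str  # "Pass" or "Block"
    flag: bool = False


# The four conditions unique to Threat Prevention, as predicates on a session.
# A threshold condition matches when the score is at or below max_score,
# i.e. when the address is at least that risky.
def src_threshold(max_score: int):
    return lambda s: REPUTATION[s.src][0] <= max_score


def dst_threshold(max_score: int):
    return lambda s: REPUTATION[s.dst][0] <= max_score


def src_category(category: str):
    return lambda s: category in REPUTATION[s.src][1]


def dst_category(category: str):
    return lambda s: category in REPUTATION[s.dst][1]


def evaluate(session: Session, rules: list[Rule], threshold: int = 20) -> tuple[str, bool]:
    """Return (action, flagged) for a session.

    Assumed semantics: rules are tried in order and the first match decides;
    a session matching no rule falls back to the global Reputation Threshold
    applied to the remote party (default 20, the top of "High Risk").
    Flag is always enabled when the action is Block.
    """
    for rule in rules:
        if rule.condition(session):
            return rule.action, rule.flag or rule.action == "Block"
    remote = session.src if session.inbound else session.dst
    if REPUTATION[remote][0] <= threshold:
        return "Block", True
    return "Pass", False


# Example exceptions to the default "block High Risk" behaviour.
RULES = [
    Rule("Pass the company's VPN provider even though it scores High Risk",
         dst_category("Proxy"), "Pass"),
    Rule("Block inbound connections from Suspicious-or-worse sources",
         src_threshold(40), "Block"),
    Rule("Flag, but do not block, outbound traffic to known Spam Sources",
         dst_category("Spam Sources"), "Pass", flag=True),
]

if __name__ == "__main__":
    samples = [
        Session("203.0.113.7", "10.0.0.5", inbound=True),
        Session("198.51.100.4", "10.0.0.5", inbound=True),
        Session("10.0.0.5", "192.0.2.20", inbound=False),
        Session("10.0.0.5", "198.51.100.4", inbound=False),
        Session("10.0.0.5", "192.0.2.99", inbound=False),
    ]
    for s in samples:
        remote = s.src if s.inbound else s.dst
        print(f"{s.src} -> {s.dst} ({band(REPUTATION[remote][0])}): "
              f"threshold only={evaluate(s, [])}, with rules={evaluate(s, RULES)}")
```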
<br />
=== Threat Lookup ===<br />
Threat Lookup enables you to get threat information on an IP Address or URL. This is useful to confirm the Reputation and other details of an IP Address or URL in advance, or to validate them afterwards.<br />
Enter an IP Address or URL in the input field and click '''Search''' to get information.<br />
<br />
{{AppScreenshot|threatprevention|threat-lookup}}<br />
<br />
==== Threat Results ====<br />
{| border="1" cellpadding="2" width="85%" align="center" <br />
!Result<br />
!Description<br />
|-<br />
| width="25%" | Address/URL<br />
| width="60%" | The IP Address or URL you requested to search.<br />
|-<br />
| width="25%" | Country<br />
| width="60%" | The country where the IP Address or URL originates.<br />
|-<br />
| width="25%" | Popularity<br />
| width="60%" | The popularity of the IP Address or URL based on the volume of lookups.<br />
|-<br />
| width="25%" | Recent Threat Count<br />
| width="60%" | The number of recent occurrences in which the IP Address or URL has been associated with a threat.<br />
|-<br />
| width="25%" | Age<br />
| width="60%" | The amount of time since the IP Address or URL was first noticed.<br />
|-<br />
| width="25%" | Reputation<br />
| width="60%" | The reputation of the IP Address or URL as determined by the Webroot BrightCloud reputation service.<br />
|-<br />
| width="25%" | Details<br />
| width="60%" | A description of the Reputation value.<br />
|}<br />
<br />
== Reports ==<br />
<br />
{{:Threat Prevention Reports}}</div>Bmastbergenhttps://wiki.edge.arista.com/index.php?title=Threat_Prevention&diff=26974Threat Prevention2020-02-04T21:35:03Z<p>Bmastbergen: </p>
<hr />
<div>[[Category:Applications]]<br />
<span style="display:none" class="helpSource threat_prevention">ThreatPrevention</span><br />
<span style="display:none" class="helpSource threat_prevention_status">ThreatPrevention#Status</span><br />
<span style="display:none" class="helpSource threat_prevention_threats">ThreatPrevention#Threats</span><br />
<span style="display:none" class="helpSource threat_prevention_rules">ThreatPrevention#Rules</span><br />
<span style="display:none" class="helpSource threat_prevention_lookup">ThreatPrevention#Threat_Lookup</span><br />
<br />
{| width='100%'<br />
|-<br />
| align="center" | [[Image:ThreatPrevention.png|128px]] &nbsp; &nbsp; '''Threat Prevention'''<br />
| align="center" |<br />
{|<br />
|-<br />
| Other Links:<br />
|-<br />
|[http://forums.untangle.com/threat-prevention/ Threat Prevention Forums]<br />
|-<br />
|[[Threat Prevention Reports]]<br />
|-<br />
|[[Threat Prevention FAQs]]<br />
|}<br />
|}<br />
<br/><br />
----<br />
<br />
<br />
== About Threat Prevention ==<br />
<br />
Threat Prevention blocks potentially harmful traffic from entering or exiting the network. This app can prevent cyber attacks to your servers (e.g. web, VoIP, and email). It is also useful to prevent data loss in case users mistakenly try to connect to a phishing site or other type of malicious host.<br />
<br />
Threat Prevention uses Threat Intelligence technology managed by Webroot BrightCloud®. It works by performing a query to the BrighCloud® service, requesting for the reputation score and historical data of each IP address or URL. Based on the rating of the IP address or URL, the session may be blocked. By default, the Threat Prevention app blocks sessions with a "High Risk" rating. IP addresses or URLs rated as High Risk may be associated with the following types of attacks:<br />
* Spam Sources - IP addresses involved in tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities.<br />
* Windows Exploits - IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms.<br />
* Web Attacks - IP addresses using cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attacks to target vulnerabilities on a web server. <br />
* Botnets - IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers. <br />
* Denial of Service - The Denial of Service category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.<br />
* Scanners - IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute force login attempts. <br />
* Phishing - IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities. <br />
* TOR Proxy - IP addresses acting as exit nodes for the TOR Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.<br />
* Proxy - IP addresses providing proxy services, including both VPN and open web proxy services.<br />
* Mobile Threats - Denial of service, packet sniffing, address impersonation, and session hijacking<br />
<br />
== Settings ==<br />
<br />
This section reviews the different settings and configuration options available for Threat Prevention.<br />
<br />
=== Status ===<br />
<br />
The Status screen shows the running state of Threat Prevention and relevant Metrics such as the number of blocked sessions and high risk threats.<br />
<br />
{{AppScreenshot|threatprevention|status}}<br />
<br />
=== Threats ===<br />
<br />
In the Threats tab you can specify the threshold for IP Addresses and URL Threats. The recommended and default Reputation Threshold is "High Risk". By moving the slider to the left you can choose to block more traffic however this may increase the number of false positives. As you move the slider, a description appears that provides more detail of what type of sessions apply to each threshold level.<br />
<br />
{{AppScreenshot|threatprevention|threats}}<br />
<br />
=== Rules ===<br />
<br />
The '''Rules''' tab allows you to specify rules to Block, Pass or Flag traffic that crosses the Untangle.<br />
<br />
The [[Rules|Rules documentation]] describes how rules work and how they are configured. Threat Prevention uses rules to determine to block/pass the specific session, and if the sessions is flagged. Flagging a session marks it in the logs for reviewing in the event logs or reports, but has no direct effect on the network traffic.<br />
<br />
In addition to all the common rule types, there are four that are unique to Threat Prevention, and these can be useful for making exceptions to the general *Reputation Threshold* setting.<br />
<br />
'''Source address reputation threshold'''<br />
The reputation value of the source IP address as returned by the Webroot BrightCloud® service. This applies to incoming connections from the Internet to open services on your network.<br />
<br />
'''Destination address reputation threshold'''<br />
The reputation value of the destination IP address as returned by the Webroot BrightCloud® service. This applies to outgoing connections from hosts on your network to the Internet.<br />
<br />
'''Source address category'''<br />
The reputation category (for example Botnets or Scanners, as listed above) of the source IP address as returned by the Webroot BrightCloud® service. This applies to incoming connections from the Internet to open services on your network.<br />
<br />
'''Destination address category'''<br />
The reputation category of the destination IP address as returned by the Webroot BrightCloud® service. This applies to outgoing connections from hosts on your network to the Internet.<br />
<br />
==== Rule Actions ====<br />
<br />
* '''Pass''': Allows the traffic which matched the rule to flow.<br />
* '''Block''': Blocks the traffic which matched the rule.<br />
<br />
Additionally a session can be flagged. If '''Flag''' is checked the event is flagged for easier viewing in the event log. Flag is always enabled if the action is Block.<br />
<br />
{{AppScreenshot|threatprevention|rules}}<br />
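The following Python sketch is added here as an illustration and is not taken from NG Firewall's own code. It shows how the Reputation Threshold from the Threats tab and the four Threat Prevention rule conditions combine for one session: rules are checked top-down, the first match wins and every condition set on a rule must hold (the same semantics as other NG Firewall rule sets), and only when no rule matches does the global threshold decide. It assumes BrightCloud's published 1-100 score scale split into five bands (High Risk 1-20, Suspicious 21-40, Moderate Risk 41-60, Low Risk 61-80, Trustworthy 81-100); the reputation table, the addresses and the rules are constructed sample data.<br />

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# BrightCloud's published 1-100 reputation scale split into the five bands the
# Threats slider names (assumed here; the page only names "High Risk").
BANDS = [(20, "High Risk"), (40, "Suspicious"), (60, "Moderate Risk"),
         (80, "Low Risk"), (100, "Trustworthy")]
# A threshold label means "block everything scored at or below this bound".
THRESHOLD_SCORE = {label: upper for upper, label in BANDS}


def band(score: int) -> str:
    """Map a 1-100 score to its band label."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


# Constructed sample table standing in for the BrightCloud query. Addresses are
# RFC 5737 documentation ranges; scores and categories are made up.
REPUTATION = {
    "203.0.113.10":   (12, "Botnets"),
    "203.0.113.99":   (55, "TOR Proxy"),
    "198.51.100.7":   (35, "Scanners"),
    "198.51.100.200": (15, "Proxy"),     # partner VPN concentrator, badly rated
    "192.0.2.44":     (92, None),
}


def lookup(ip: str) -> Tuple[int, Optional[str]]:
    """Return (score, category); hosts with no record (e.g. RFC 1918 addresses)
    are treated as Trustworthy with no category."""
    return REPUTATION.get(ip, (100, None))


@dataclass
class Rule:
    description: str
    action: str                          # "pass" or "block"
    flag: bool = False                   # Block always flags (see Rule Actions)
    dst_ip: Optional[str] = None         # one of the common rule conditions
    src_threshold: Optional[str] = None  # Source address reputation threshold
    dst_threshold: Optional[str] = None  # Destination address reputation threshold
    src_category: Optional[str] = None   # Source address category
    dst_category: Optional[str] = None   # Destination address category

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        """Every condition that is set must hold."""
        src_score, src_cat = lookup(src_ip)
        dst_score, dst_cat = lookup(dst_ip)
        return all([
            self.dst_ip is None or dst_ip == self.dst_ip,
            self.src_threshold is None or src_score <= THRESHOLD_SCORE[self.src_threshold],
            self.dst_threshold is None or dst_score <= THRESHOLD_SCORE[self.dst_threshold],
            self.src_category is None or src_cat == self.src_category,
            self.dst_category is None or dst_cat == self.dst_category,
        ])


def evaluate(src_ip: str, dst_ip: str, rules, threshold: str = "High Risk"):
    """Return (action, flagged, reason) for one session.

    Rules are checked top-down and the first match wins; only when no rule
    matches does the global Reputation Threshold apply, judged against
    whichever endpoint has the worse score."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, (rule.flag or rule.action == "block"), rule.description
    worst = min(lookup(src_ip)[0], lookup(dst_ip)[0])
    if worst <= THRESHOLD_SCORE[threshold]:
        return "block", True, f"score {worst} ({band(worst)}) within the {threshold} threshold"
    return "pass", False, f"score {worst} ({band(worst)}) above the {threshold} threshold"


RULES = [
    Rule("Pass (but flag) partner VPN endpoint", "pass", flag=True,
         dst_ip="198.51.100.200", dst_category="Proxy"),
    Rule("Block Tor exit nodes regardless of score", "block", dst_category="TOR Proxy"),
    Rule("Block inbound from Suspicious or worse sources", "block", src_threshold="Suspicious"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.2.3", "203.0.113.10"), ("10.1.2.3", "198.51.100.7"),
                     ("10.1.2.3", "198.51.100.200"), ("10.1.2.3", "203.0.113.99"),
                     ("198.51.100.7", "192.0.2.44")]:
        print(src, "->", dst, evaluate(src, dst, RULES))
    # Moving the slider one step left (Suspicious) now catches the scanner too.
    print("10.1.2.3 -> 198.51.100.7", evaluate("10.1.2.3", "198.51.100.7", RULES, "Suspicious"))
```

Running it prints one decision per sample session. The scanner at score 35 passes at the default High Risk threshold and is only blocked once the slider is moved left to Suspicious, which is the false-positive trade-off described above; the partner VPN endpoint is rated High Risk yet passes (flagged, so it still appears in the event log) because its Pass rule is evaluated before the threshold.<br />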
<br />
=== Threat Lookup ===<br />
Threat Lookup enables you to get threat information on an IP address or URL. This is useful for confirming the reputation and other details of an address before writing a rule for it, or for checking afterwards why a session was blocked or passed.<br />
Enter an IP address or URL in the input field and click '''Search''' to get information.<br />
<br />
{{AppScreenshot|threatprevention|threat-lookup}}<br />
<br />
==== Threat Results ====<br />
{| border="1" cellpadding="2" width="85%" align="center" <br />
!Result<br />
!Description<br />
|-<br />
| width="25%" | Address/URL<br />
| width="60%" | The IP address or URL you searched for.<br />
|-<br />
| width="25%" | Country<br />
| width="60%" | The country in which the IP address or URL is geolocated.<br />
|-<br />
| width="25%" | Popularity<br />
| width="60%" | The popularity of the IP address or URL, based on the volume of lookups.<br />
|-<br />
| width="25%" | Recent Threat Count<br />
| width="60%" | The number of recent occurrences in which the IP address or URL has been associated with a threat.<br />
|-<br />
| width="25%" | Age<br />
| width="60%" | The time elapsed since the IP address or URL was first observed.<br />
|-<br />
| width="25%" | Reputation<br />
| width="60%" | The reputation of the IP address or URL as determined by the Webroot BrightCloud® reputation service.<br />
|-<br />
| width="25%" | Details<br />
| width="60%" | A description of the Reputation value.<br />
|-<br />
|}<br />
<br />
== Reports ==<br />
<br />
{{:Threat Prevention Reports}}</div>Bmastbergenhttps://wiki.edge.arista.com/index.php?title=Threat_Prevention&diff=26973Threat Prevention2020-02-04T21:31:57Z<p>Bmastbergen: </p>
<hr />
https://wiki.edge.arista.com/index.php?title=Threat_Prevention&diff=26972Threat Prevention2020-02-04T21:22:49Z<p>Bmastbergen: </p>