Edge Threat Management Wiki - Arista - User contributions [en]<br />
Feed: https://wiki.edge.arista.com/api.php?action=feedcontributions&user=Dmorris&feedformat=atom (2024-03-29T10:05:58Z, MediaWiki 1.41.0)<br />
<br />
= URL Matcher =
Revision by Dmorris, 2019-07-26T18:53:29Z: https://wiki.edge.arista.com/index.php?title=URL_Matcher&diff=26775<br />
<hr />
<div>The URL Matcher Syntax describes all or part of a website. <br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Example !! Matches !! Does not Match <br />
|-<br />
| example.com<br />
| http://example.com/, http://www.example.com/, http://example.com/foo<br />
| http://example.net<br />
|-<br />
| example.com/bar <br />
| http://example.com/bar/test.html, http://www.example.com/bar<br />
| http://example.com/foo<br />
|-<br />
| *porn* <br />
| http://pornsite.com/ <br />
| http://foobar.com<br />
|-<br />
| example???.com/ <br />
| http://example123.com <br />
| http://example1.com<br />
|-<br />
| example.com/foo<br />
| http://example.com/foo, http://abc.example.com/foobar<br />
| http://example.com/<br />
|}<br />
<br />
URL Matchers use globs, which are described in more depth in the [[Glob Matcher|Glob Matcher documentation]].<br />
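
The table rows above can be checked mechanically against the anchoring and stripping rules given in the notes on this page. The Python sketch below is an added example, not the product's own matcher code; the glob translation (`*` as zero or more characters, `?` as exactly one), the one-pass prefix stripping and the treatment of an empty path as `/` are assumptions. It also shows that a rule without a trailing `/` matches look-alike hosts such as `example.com.other.test`, which matters when the rule is used to pass traffic rather than block it.

```python
import re

# Anchors quoted in the notes on this page.
LEFT_ANCHOR = r"^([a-zA-Z_0-9-]*\.)*"
RIGHT_ANCHOR = r".*$"


def normalize_rule(rule):
    """Strip the scheme, then a leading "www." or "*." (assumed: one pass, in this order)."""
    rule = rule.strip()
    for scheme in ("http://", "https://"):
        if rule.startswith(scheme):
            rule = rule[len(scheme):]
    for prefix in ("www.", "*."):
        if rule.startswith(prefix):
            rule = rule[len(prefix):]
    return rule


def glob_to_regex(glob):
    """Assumed glob semantics: "*" is zero or more characters, "?" is exactly one."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def rule_to_regex(rule):
    """Build the effective regular expression for a rule as the notes describe it."""
    return LEFT_ANCHOR + glob_to_regex(normalize_rule(rule)) + RIGHT_ANCHOR


def normalize_url(url):
    """Drop the scheme, lowercase only the host, use "/" for an empty path (assumption)."""
    url = re.sub(r"^https?://", "", url.strip(), flags=re.IGNORECASE)
    host, _, path = url.partition("/")
    return host.lower() + "/" + path


def url_matches(rule, url):
    return re.match(rule_to_regex(rule), normalize_url(url)) is not None


# Rows from the table on this page: (rule, should match, should not match).
PAGE_TABLE = [
    ("example.com",
     ["http://example.com/", "http://www.example.com/", "http://example.com/foo"],
     ["http://example.net"]),
    ("example.com/bar",
     ["http://example.com/bar/test.html", "http://www.example.com/bar"],
     ["http://example.com/foo"]),
    ("*porn*", ["http://pornsite.com/"], ["http://foobar.com"]),
    ("example???.com/", ["http://example123.com"], ["http://example1.com"]),
    ("example.com/foo",
     ["http://example.com/foo", "http://abc.example.com/foobar"],
     ["http://example.com/"]),
]


def table_mismatches():
    """Return (rule, url, expected) for every table entry this sketch gets wrong."""
    wrong = []
    for rule, hits, misses in PAGE_TABLE:
        for url in hits:
            if not url_matches(rule, url):
                wrong.append((rule, url, True))
        for url in misses:
            if url_matches(rule, url):
                wrong.append((rule, url, False))
    return wrong


def matched_urls(rule, candidates):
    """Return the candidate URLs a rule matches; useful when reviewing pass-list rules."""
    return [u for u in candidates if url_matches(rule, u)]


if __name__ == "__main__":
    print(rule_to_regex("http://www.example.com"))
    print("table mismatches:", table_mismatches())
    # Constructed look-alike hosts under the reserved .test TLD.
    probes = ["http://example.com/",
              "http://example.com.other.test/",
              "http://example.computer.test/"]
    print(matched_urls("example.com", probes))   # all three probes
    print(matched_urls("example.com/", probes))  # only http://example.com/
```

Ending a rule with `/` closes the host portion, so the implicit `.*$` can only extend the path.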
<br />
Important notes:<br />
* The left side of the rule is anchored with the regular expression "^([a-zA-Z_0-9-]*\.)*". "foo.com" will match only "foo.com" and "abc.foo.com", but not "afoo.com".<br />
* The right side of the rule is anchored with the regular expression ".*$". "foo.com" will match "foo.com/test.html" because it is actually "foo.com.*$". "foo.com/bar" is "foo.com/bar.*$", which will match "foo.com/bar/baz" and "foo.com/bar2". Also, "foo" becomes "foo.*", which will match "foobar.com" and "foo.com".<br />
* "http://" and "https://" are stripped from the rule.<br />
* URIs are case-sensitive, but domains are not. The URL Matcher is case-sensitive, but domains are converted to lowercase before evaluation because they should not be case-sensitive. Any part of the rule that should match against the domain should be written in lowercase.<br />
* "www." is automatically stripped from the rule. This is to prevent the frequent misconfiguration of users adding a block rule for something like "www.pornsite.com" which blocks "www.pornsite.com" but '''not''' just "pornsite.com." If you truly desire to only match www.pornsite.com and not pornsite.com then use "*www.pornsite.com" because the "*" will match zero or more characters.<br />
* Similarly, "*." is stripped from the rule for the same reason as above. If you truly want all subdomains but not the main domain matched, you can accomplish this with "*?.foo.com".</div>

= Date Changelog =
Revision by Dmorris, 2019-07-17T00:00:33Z: https://wiki.edge.arista.com/index.php?title=Date_Changelog&diff=26769<br />
<hr />
<div>This is the complete changelog, including package releases that do not have a new major.minor version number. <br />
<br />
Major releases are documented in the primary [[Changelog]].<br />
<br />
== 14.2.0 build4 2019-07-16 ==<br />
* Upstream security fixes<br />
* Minor bugfixes<br />
<br />
== 14.2.0 build3 2019-07-02 ==<br />
* Fix CSV export in reports<br />
* Fix google oauth issues<br />
* Fix some sorting issues<br />
<br />
== 14.2.0 build2 2019-06-24 ==<br />
* Fix policy manager renderer bug<br />
* Update web categorization engine<br />
<br />
== 14.2.0 build1 2019-06-06 ==<br />
* [[14.2.0_Changelog]]<br />
<br />
== 14.1.2 build1 2019-04-02 ==<br />
* [[14.1.2_Changelog]]<br />
<br />
== 14.1.1 build1 2019-01-17 ==<br />
* [[14.1.1_Changelog]]<br />
<br />
== 14.1.0 build3 2018-12-03 ==<br />
* Fix python cache issue<br />
* Fix local directory change password issue<br />
* Fix IPS UI issue<br />
* Remove cloudflare from dynamic DNS options<br />
<br />
== 14.1.0 build2 2018-11-14 ==<br />
* Fix issue with creating alert rules<br />
* Fix duplicate condition in UI<br />
* Fix backup/restore supported versions<br />
<br />
== 14.1.0 build1 2018-11-13 ==<br />
* [[14.1.0_Changelog]]<br />
<br />
== 14.0.1 build2 2018-08-27 ==<br />
* Fix issue with captive portal & username capitalization<br />
* Spam Blocker plugin license check fix<br />
<br />
== 14.0.1 build1 2018-08-23 ==<br />
* [[14.0.1_Changelog]]<br />
<br />
== 14.0.0 build5 2018-08-10 ==<br />
* Fix issue with datepicker selecting past month/days<br />
* Fix some LCD issues<br />
* Minor tweaks to reports performance tuning<br />
* Fix certificate verification process<br />
* Fix setup wizard to bridge the wifi to External if Internal is bridged<br />
* Add report title to exported image<br />
* Fix dashboard auto-refresh hang issue<br />
* Fix upgrade issue with some international languages<br />
* Security fixes<br />
<br />
== 14.0.0 build4 2018-07-09 ==<br />
* Fix possible conflict between Tunnel VPN and OpenVPN<br />
* Fix reports data export date range issue<br />
* Fix issue with editing Event Rules<br />
* Fix warning about auth.txt permissions in Tunnel VPN<br />
* Allow multiple of same type conditions in dashboard/reports<br />
* Some changes to setup wizard for AWS deployments<br />
* Improve Captive Portal user cleanup tasks<br />
* Fix Tunnel VPN cleanup on uninstall<br />
<br />
== 14.0.0 build3 2018-06-26 ==<br />
* Fix IPS issue with certain rules<br />
* Fix HTTP port redirect issue<br />
* Fix systemd interference with untangle-vm thread max<br />
* Fix syslog issue logging to incorrect files<br />
<br />
== 14.0.0 build2 2018-06-18 ==<br />
* Fix issue with emailed report summary image width and height<br />
* Add automatic restart of IPsec daemon on certificate change<br />
* Fix ddclient restart issue<br />
* Fix upgrade issue with CD-ROM sources.list<br />
* Fix a widget refresh issue on dashboard<br />
* Fix issue with clicking on pie graphs adding the wrong value<br />
* Add new admin notification for when the timezone has changed<br />
* Fix console issues on firmware builds<br />
<br />
== 14.0.0 build1 2018-06-08 ==<br />
* [[14.0.0 Changelog]]<br />
<br />
== 13.2.1 build2 2018-04-13 ==<br />
* Fix GRE issue where no remote network is specified<br />
* Fix captive portal host table cleanup issue<br />
* Fix network settings conversion issue<br />
<br />
== 13.2.1 build1 2018-04-03 ==<br />
* [[13.2.1 Changelog]]<br />
<br />
== 13.2.0 build3 2018-02-13 ==<br />
* Fix text administration on tty console errors<br />
* Add support for username/password for site-to-site<br />
* Fix Turris Omnia image <br />
* Remove "Automatic" from channel selection options<br />
* Fix Captive Portal HTTPS port issue<br />
* Fix cloned sql conditions when creating reports issue<br />
* Fix to gracefully handle invalid reports<br />
* Fix email quarantine to update when releasing<br />
<br />
== 13.2.0 build2 2018-01-30 ==<br />
* Fix firmware issue with turris and linksys<br />
* Fix openvpn multifactor auth issue<br />
* Fix OVA filesystem resize issue<br />
* Fix port forward simple mode issue<br />
* Fix some scrollbar issues<br />
* Fix IPS settings modification issue<br />
<br />
== 13.2.0 build1 2018-01-16 ==<br />
* [[13.2.0 Changelog]]<br />
<br />
== 13.1.1 build2 2018-01-05 ==<br />
* Fix NIC ordering issue on specific appliance<br />
<br />
== 13.1.1 build1 2017-12-08 ==<br />
* Minor bug fixes [[13.1.1 Changelog]]<br />
<br />
== 13.1.0 build7 2017-10-16 ==<br />
* Upstream security fixes (for [https://www.documentcloud.org/documents/4109401-KRACK-Attacks.html krack] vulnerability)<br />
<br />
== 13.1.0 build6 2017-10-12 ==<br />
* Fix emailed report summaries image issue<br />
* Fix editing port forward rules issue<br />
<br />
== 13.1.0 build5 2017-10-10 ==<br />
* Upstream security fixes<br />
* Fix reports-only users<br />
* Fix quarantine issue<br />
* Fix IPS interface detection<br />
* Fix issue with editing port forward rules<br />
* Fix issue with Virus Blocker displaying invalid license when it is valid<br />
<br />
== 13.1.0 build4 2017-09-26 ==<br />
* 86df013 [src] Fix dates (timezone) issues<br />
* 3c7eb8c [src] Fix PPPoE wizard issues<br />
* 8249ca3 [src] Updated localization strings<br />
<br />
== 13.1.0 build3 2017-09-22 ==<br />
* Fix issues with saving devices/users<br />
* Fix issues with reports browsing and breadcrumbs<br />
* Fix timezone display issue in reports<br />
* Fix saving of Tunnel VPN that occurred for some devices<br />
* Fix PPPoE issues in setup wizard<br />
* Fix more issues with "Reset View"<br />
<br />
== 13.1.0 build2 2017-09-12 ==<br />
* Add more error checking to tunnel VPN import<br />
* Fix setup wizard NIC remapping issue with drag and drop<br />
* Fix "Reset View" odd behavior <br />
<br />
== 13.1.0 build1 2017-09-06 ==<br />
* [[13.1.0 Changelog]]<br />
<br />
== 13.0.0 build8 2017-06-23 ==<br />
* Fix date rendering issue<br />
* Fix UPnP issue and UPnP status display<br />
* Fix restore issue when selecting without network settings<br />
<br />
== 13.0.0 build7 2017-06-22 ==<br />
* Many UI fixes<br />
* Some UI javascript optimizations<br />
<br />
== 13.0.0 build6 2017-06-10 ==<br />
* Many UI fixes<br />
* Upstream security updates<br />
<br />
== 13.0.0 build5 2017-06-01 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build4 2017-05-24 ==<br />
* Many UI fixes<br />
* L2TP fix and IPsec to OpenVPN fix<br />
<br />
== 13.0.0 build3 2017-05-17 ==<br />
* Many UI fixes<br />
* Fix kernel version issue for linksys & turris firmware<br />
<br />
== 13.0.0 build2 2017-05-10 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build1 2017-04-28 ==<br />
* [[13.0.0 Changelog]]<br />
<br />
== 12.2.1 build2 2017-02-09 ==<br />
* Fix an issue with interface usage report<br />
* Many linksys WRT1900ACS improvements<br />
<br />
== 12.2.1 build1 2017-02-01 ==<br />
* [[12.2.1 Changelog]]<br />
<br />
== 12.2.0 build5 2017-01-11 ==<br />
* Fix copy function for email templates<br />
* Fix i18n in captive portal page<br />
* Fix active hosts graph<br />
* Fix reports event logs not returning first entry<br />
* Changed UPnP daemon to version compiled without --igd2<br />
<br />
== 12.2.0 build4 2017-01-05 ==<br />
* Email report rendering improvements<br />
* Default email template changes <br />
* UPnP input filter rules added<br />
* UPnP fixes<br />
<br />
== 12.2.0 build3 2016-12-27 ==<br />
* Fix a web filter rule exception<br />
* Change email image max-width<br />
<br />
== 12.2.0 build2 2016-12-22 ==<br />
* Fix sources.list rewrite<br />
* Fix other small issues<br />
<br />
== 12.1.1 build2 2016-09-15 ==<br />
* Fix more PPPoE issues<br />
<br />
== 12.1.1 build1 2016-09-13 ==<br />
* [[12.1.1 Changelog]]</div>
<hr />
<div>This is the complete changelog including any time packages are released that do not have new major.minor version numbers. <br />
<br />
Major release are documented in the primary [[Changelog]].<br />
<br />
== 14.2.0 build2 2019-06 ==<br />
* Fix policy manager renderer bug<br />
* Update web categorization engine<br />
<br />
== 14.2.0 build1 2019-06-06 ==<br />
* [[14.2.0_Changelog]]<br />
<br />
== 14.1.2 build1 2019-04-02 ==<br />
* [[14.1.2_Changelog]]<br />
<br />
== 14.1.1 build1 2019-01-17 ==<br />
* [[14.1.1_Changelog]]<br />
<br />
== 14.1.0 build3 2018-12-03 ==<br />
* Fix python cache issue<br />
* Fix local directory change password issue<br />
* Fix IPS UI issue<br />
* Remove cloudflare from dynamic DNS options<br />
<br />
== 14.1.0 build2 2018-11-14 ==<br />
* Fix issue with creating alert rules<br />
* Fix duplicate condition in UI<br />
* Fix backup/restore supported versions<br />
<br />
== 14.1.0 build1 2018-11-13 ==<br />
* [[14.1.0_Changelog]]<br />
<br />
== 14.0.1 build2 2018-08-27 ==<br />
* Fix issue with captive portal & username capitalization<br />
* Spam Blocker plugin license check fix<br />
<br />
== 14.0.1 build1 2018-08-23 ==<br />
* [[14.0.1_Changelog]]<br />
<br />
== 14.0.0 build5 2018-08-10 ==<br />
* Fix issue with datepicker selecting past month/days<br />
* Fix some LCD issues<br />
* Minor tweaks to reports performance tuning<br />
* Fix certificate verification process<br />
* Fix setup wizard to bridge the wifi to External if Internal is bridged<br />
* Add report title to exported image<br />
* Fix dashboard auto-refresh hang issue<br />
* Fix upgrade issue with some international languages<br />
* Security fixes<br />
<br />
== 14.0.0 build4 2018-07-09 ==<br />
* Fix possible conflict between Tunnel VPN and OpenVPN<br />
* Fix reports data export date range issue<br />
* Fix issue with editing Event Rules<br />
* Fix warning about auth.txt permissions in Tunnel VPN<br />
* Allow multiple of same type conditions in dashboard/reports<br />
* Some changes to setup wizard for AWS deployments<br />
* Improve Captive Portal user cleanup tasks<br />
* Fix Tunnel VPN cleanup on uninstall<br />
<br />
== 14.0.0 build3 2018-06-26 ==<br />
* Fix IPS issue with certain rules<br />
* Fix HTTP port redirect issue<br />
* Fix systemd interference with untangle-vm thread max<br />
* Fix syslog issue logging to incorrect files<br />
<br />
== 14.0.0 build2 2018-06-18 ==<br />
* Fix issue with emailed report summary image width and height<br />
* Add automatic restart of IPsec daemon on certificate change<br />
* Fix ddclient restart issue<br />
* Fix upgrade issue with CD-ROM sources.list<br />
* Fix a widget refresh issue on dashboard<br />
* Fix issue with clicking on pie graphs adding the wrong value<br />
* Add new admin notification for when the timezone has changed<br />
* Fix console issues on firmware builds<br />
<br />
== 14.0.0 build1 2018-06-08 ==<br />
* [[14.0.0 Changelog]]<br />
<br />
== 13.2.1 build2 2018-04-13 ==<br />
* Fix GRE issue where no remote network is specified<br />
* Fix captive portal host table cleanup issue<br />
* Fix network settings conversion issue<br />
<br />
== 13.2.1 build1 2018-04-03 ==<br />
* [[13.2.1 Changelog]]<br />
<br />
== 13.2.0 build3 2018-02-13 ==<br />
* Fix text administration on tty console errors<br />
* Add support for username/password for site-to-site<br />
* Fix Turris Omnia image <br />
* Remove "Automatic" from channel selection options<br />
* Fix Captive Portal HTTPS port issue<br />
* Fix cloned sql conditions when creating reports issue<br />
* Fix to gracefully handle invalid reports<br />
* Fix email quarantine to update when releasing<br />
<br />
== 13.2.0 build2 2018-01-30 ==<br />
* Fix firmware issue with turris and linksys<br />
* Fix openvpn multifactor auth issue<br />
* Fix OVA filesystem resize issue<br />
* Fix port forward simple mode issue<br />
* Fix some scrollbar issues<br />
* Fix IPS settings modification issue<br />
<br />
== 13.2.0 build1 2018-01-16 ==<br />
* [[13.2.0 Changelog]]<br />
<br />
== 13.1.1 build2 2018-01-05 ==<br />
* Fix NIC ordering issue on specific appliance<br />
<br />
== 13.1.1 build1 2017-12-08 ==<br />
* Minor bug fixes [[13.1.1 Changelog]]<br />
<br />
== 13.1.0 build7 2017-10-16 ==<br />
* Upstream security fixes (for [https://www.documentcloud.org/documents/4109401-KRACK-Attacks.html krack] vulnerability)<br />
<br />
== 13.1.0 build6 2017-10-12 ==<br />
* Fix emailed report summaries image issue<br />
* Fix editing port forward rules issue<br />
<br />
== 13.1.0 build5 2017-10-10 ==<br />
* Upstream security fixes<br />
* Fix reports-only users<br />
* Fix quarantine issue<br />
* Fix IPS interface detection<br />
* Fix issue with editing port forward rules<br />
* Fix issue with Virus Blocker displaying invalid license when it is valid<br />
<br />
== 13.1.0 build4 2017-09-26 ==<br />
* 86df013 [src] Fix dates (timezone) issues<br />
* 3c7eb8c [src] Fix PPPoE wizard issues<br />
* 8249ca3 [src] Updated localization strings<br />
<br />
== 13.1.0 build3 2017-09-22 ==<br />
* Fix issues with saving devices/users<br />
* Fix issues with reports browsing and breadcrumbs<br />
* Fix timezone display issue in reports<br />
* Fix saving of Tunnel VPN that occurred for some devices<br />
* Fix PPPoE issues in setup wizard<br />
* Fix more issues with "Reset View"<br />
<br />
== 13.1.0 build2 2017-09-12 ==<br />
* Add more error checking to tunnel VPN import<br />
* Fix setup wizard NIC remapping issue with drag and drop<br />
* Fix "Reset View" odd behavior <br />
<br />
== 13.1.0 build1 2017-09-06 ==<br />
* [[13.1.0 Changelog]]<br />
<br />
== 13.0.0 build8 2017-06-23 ==<br />
* Fix date rendering issue<br />
* Fix UPnP issue and UPnP status display<br />
* Fix restore issue when selecting without network settings<br />
<br />
== 13.0.0 build7 2017-06-22 ==<br />
* Many UI fixes<br />
* Some UI javascript optimizations<br />
<br />
== 13.0.0 build6 2017-06-10 ==<br />
* Many UI fixes<br />
* Upstream security updates<br />
<br />
== 13.0.0 build5 2017-06-01 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build4 2017-05-24 ==<br />
* Many UI fixes<br />
* L2TP fix and IPsec to OpenVPN fix<br />
<br />
== 13.0.0 build3 2017-05-17 ==<br />
* Many UI fixes<br />
* Fix kernel version issue for linksys & turris firmware<br />
<br />
== 13.0.0 build2 2017-05-10 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build1 2017-04-28 ==<br />
* [[13.0.0 Changelog]]<br />
<br />
== 12.2.1 build2 2017-02-09 ==<br />
* Fix an issue with interface usage report<br />
* Many linksys WRT1900ACS improvements<br />
<br />
== 12.2.1 build1 2017-02-01 ==<br />
* [[12.2.1 Changelog]]<br />
<br />
== 12.2.0 build5 2017-01-11 ==<br />
* Fix copy function for email templates<br />
* Fix i18n in captive portal page<br />
* Fix active hosts graph<br />
* Fix reports event logs not returning first entry<br />
* Changed UPnP daemon to version compiled without --igd2<br />
<br />
== 12.2.0 build4 2017-01-05 ==<br />
* Email report rendering improvements<br />
* Default email template changes <br />
* UPnP input filter rules added<br />
* UPnP fixes<br />
<br />
== 12.2.0 build3 2016-12-27 ==<br />
* Fix a web filter rule exception<br />
* Change email image max-width<br />
<br />
== 12.2.0 build2 2016-12-22 ==<br />
* Fix sources.list rewrite<br />
* Fix other small issues<br />
<br />
== 12.1.1 build2 2016-09-15 ==<br />
* Fix more PPPoE issues<br />
<br />
== 12.1.1 build1 2016-09-13 ==<br />
* [[12.1.1 Changelog]]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Reports&diff=26191Reports2019-06-17T16:47:29Z<p>Dmorris: </p>
<hr />
<div>[[Category:Applications]]<br />
<span style="display:none" class="helpSource reports">Reports</span><br />
<span style="display:none" class="helpSource reports_status">Reports#Status</span><br />
<span style="display:none" class="helpSource reports_data">Reports#Data</span><br />
<span style="display:none" class="helpSource reports_email_templates">Reports#Email_Templates</span><br />
<span style="display:none" class="helpSource reports_reports_users">Reports#Reports_Users</span><br />
<span style="display:none" class="helpSource reports_name_map">Reports#Name_Map</span><br />
<span style="display:none" class="helpSource reports_all_reports">Reports#All_Reports</span><br />
<span style="display:none" class="helpSource reports_reports">Reports#Reports</span><br />
<br />
{| width='100%'<br />
|-<br />
| align="center" | [[Image:Reports.png|128px]] &nbsp; &nbsp; '''Reports'''<br />
| align="center" |<br />
{|<br />
|-<br />
| Other Links:<br />
|-<br />
|[http://www.untangle.com/store/reports.html Reports Description Page]<br />
|-<br />
|[http://demo.untangle.com/admin/index.do#service/reports Reports Demo]<br />
|-<br />
|[http://forums.untangle.com/reports/ Reports Forums]<br />
|-<br />
|[[Reports FAQs]]<br />
|}<br />
|}<br />
<br/><br />
----<br />
<br />
<br />
== About Untangle Reports ==<br />
<br />
Reports provides users with detailed statistics of the traffic and activity on your network.<br />
<br />
These reports can be viewed online, either through the administration interface or through the separate reporting interface available to non-administrator, reporting-only users.<br />
<br />
Customizable report summaries can be sent via email, which includes basic information and a link to view the online reports if the user has access. <br />
<br />
Reports can back up your data in multiple formats to Google Drive for long-term storage.<br />
<br />
<br />
== Settings ==<br />
<br />
This section reviews the different settings and configuration options available for Reports.<br />
<br />
<br />
=== Status ===<br />
<br />
On this tab you can click '''View Reports''' to open up Reports in a new browser tab.<br />
<br />
{{ServiceAppScreenshot|reports|status}}<br />
<br />
<br />
=== All Reports ===<br />
<br />
This is the full list of all currently existing reports. This includes all the default reports and any custom reports that have been added.<br />
<br />
To edit a report, click on ''View'' and then click on ''Settings.''<br />
<br />
To delete a custom report, click on ''View'' and then click on ''Delete.''<br />
<br />
To create a new custom report, click ''View'' on an existing similar report, then click ''Settings'' then change the name and click ''Save as New Report.''<br />
<br />
To create a report from scratch, go to ''Reports'' and click on ''Create New'' in the lower left.<br />
When creating reports from scratch, each field must be carefully chosen and tuned until the desired data is provided. This process can be time consuming and difficult. It is suggested to start from a similar report to get the desired result. Additionally, you can ask for help via support or the forums and import the report if someone can craft it for you.<br />
<br />
If creating a report from scratch, the settings and fields and their purposes are described below.<br />
<br />
{{ServiceAppScreenshot|reports|all-reports}}<br />
<br />
==== Report Entry ====<br />
<br />
A report is a set of settings that essentially describe how to craft a SQL query and how to display the data.<br />
Here are the fields:<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Name !! Value !! Available !! Description<br />
<br />
|- <br />
| style="width: 20%;"|Report Type<br />
| Text, Pie Graph, Time Graph, Time Graph Dynamic, Event List<br />
| All<br />
| The type of graph<br />
<br />
|-<br />
| Title<br />
| Text<br />
| All<br />
| The report title<br />
<br />
|-<br />
| Category<br />
| Any existing category/application<br />
| All<br />
| The category in which the report is located<br />
<br />
|-<br />
| Description<br />
| Text<br />
| All<br />
| A brief description of the report<br />
<br />
|-<br />
| Text String<br />
| Text<br />
| Text<br />
| The text used to create the Text Report Type<br />
<br />
|-<br />
| Pie Group Column<br />
| Text<br />
| Pie Graph<br />
| The column to "group by" in top X charts (usually user, host, etc)<br />
<br />
|-<br />
| Pie Sum Column<br />
| Text<br />
| Pie Graph<br />
| The column to sum in the top X charts (usually count, bytes, etc)<br />
<br />
|-<br />
| Order By Column<br />
| Text<br />
| Pie Graph<br />
| The column to order by<br />
<br />
|-<br />
| Graph Style<br />
| Pie, Pie 3D, Donut, Donut 3D, Column, Column 3D<br />
| Pie Graph<br />
| The render style of the pie graph<br />
<br />
|-<br />
| Pie Slices Number<br />
| Integer<br />
| Pie Graph<br />
| The number of slices to display<br />
<br />
|-<br />
| Units<br />
| Text<br />
| Pie Graph<br />
| The units being displayed (usually bytes, sessions, etc)<br />
<br />
|-<br />
| Graph Style<br />
| Line, Area, Stacked Area, Column, Overlapped Column, Stacked Columns<br />
| Time Graph<br />
| The render style of the time graph<br />
<br />
|-<br />
| Time Data Interval<br />
| Auto, Second, Minute, Hour, Day, Week, Month<br />
| Time Graph<br />
| The time aggregation unit or resolution<br />
<br />
|-<br />
| Approximation<br />
| Average, High, Low, Sum<br />
| Time Graph<br />
| The method used to aggregate/combine data points <br />
<br />
|-<br />
| Units<br />
| Text<br />
| Time Graph<br />
| The units being displayed (usually bytes, sessions, etc)<br />
<br />
|-<br />
| Series Renderer<br />
| None, Interface, Protocol<br />
| Time Graph<br />
| The renderer used to display human-readable names<br />
<br />
|-<br />
| Dynamic Column<br />
| Text<br />
| Time Graph Dynamic<br />
| The column to select for/group by<br />
<br />
|-<br />
| Dynamic Value<br />
| Text<br />
| Time Graph Dynamic<br />
| The value to sort by and display<br />
<br />
|-<br />
| Dynamic Limit<br />
| Integer<br />
| Time Graph Dynamic<br />
| The number of series to show<br />
<br />
|-<br />
| Aggregation Function<br />
| Count, Sum, Min, Max<br />
| Time Graph Dynamic<br />
| The function used to aggregate by dynamic values grouped by dynamic column<br />
<br />
|-<br />
| Graph Style<br />
| Line, Area, Stacked Area, Column, Overlapped Column, Stacked Columns<br />
| Time Graph Dynamic<br />
| The render style of the time graph<br />
<br />
|-<br />
| Approximation<br />
| Average, High, Low, Sum<br />
| Time Graph Dynamic<br />
| The method used to aggregate/combine data points <br />
<br />
|-<br />
| Units<br />
| Text<br />
| Time Graph Dynamic<br />
| The units being displayed (usually bytes, sessions, etc)<br />
<br />
|-<br />
| Series Renderer<br />
| None, Interface, Protocol<br />
| Time Graph Dynamic<br />
| The renderer used to display human-readable names<br />
<br />
|-<br />
| Colors<br />
| Colorpicker<br />
| All<br />
| The color palette to use<br />
<br />
|-<br />
| Display Order<br />
| Integer<br />
| All<br />
| The integer used to determine the report's position in the category list<br />
<br />
|}<br />
<br />
=== Data ===<br />
<br />
* '''Data Retention''': This value controls how much time report data is kept on disk. Please note that increasing the number increases the amount of disk space that is needed for data storage.<br />
<br />
* '''Upload Data to Google Drive''': If enabled, and the Google Connector in [[Directory Connector]] is enabled, your daily data will be uploaded to Google Drive each night for safe storage.<br />
<br />
* '''Upload CSVs to Google Drive''': If enabled, and the Google Connector in [[Directory Connector]] is enabled, your daily CSV files will be uploaded to Google Drive each night for safe storage.<br />
<br />
* '''Google Drive Directory''' configures which subdirectory data will be uploaded to in Google Drive.<br />
<br />
* '''Import/Restore Data Backup Files''' imports data from a previous backup into the database. ''NOTE:'' this directly imports the SQL contents. If you have upgraded and the database schema has significantly changed since the time of the backup, the import will not work correctly.<br />
<br />
{{ServiceAppScreenshot|reports|data}}<br />
<br />
<br />
=== Email Templates ===<br />
<br />
You can customize emailed reports using Report Templates. You can create as many as you wish with any combination of:<br />
<br />
:* '''Interval''': Daily, Weekly, Monthly, Week to Date, Month to Date. This determines the time interval that the report will cover. Make sure the Retention settings keep enough data to cover the configured interval.<br />
:* '''Mobile''': Generate chart images more appropriate for a mobile device.<br />
:* '''Reports''': Select those reports under Config and Application sections. Text and chart reports are allowed but not event list reports. Reports for applications will be included only if that application is installed.<br />
<br />
Additionally, you can copy the settings for an existing report.<br />
<br />
The default Daily Reports template includes common text and chart reports for your system. This template is fixed and cannot be changed or modified. <br />
<br />
Email Templates must be associated with Report Users.<br />
<br />
{{ServiceAppScreenshot|reports|email-templates}}<br />
<br />
=== Reports Users ===<br />
<br />
Reports users are users that are not administrators, but can still view reports.<br />
<br />
:* '''Email Address''' is the email address (and username) of the report user. ''admin'' is a special case that determines if administrators will receive emails and alerts.<br />
:* '''Email Alerts''' determines if this reports user will receive email alerts.<br />
:* '''Email Reports''' determines if this reports user will receive email report summaries.<br />
:* '''Email Templates''' determines which email report summaries this user will receive if ''Email Reports'' is enabled.<br />
:* '''Online Access''' if enabled, a URL to online reports is included in emailed report summaries for this user.<br />
:* '''Change Password''' changes the password for this reports user.<br />
<br />
{{ServiceAppScreenshot|reports|reports-users}}<br />
<br />
<br />
=== Name Map ===<br />
<br />
You can use the Name Map to manually configure the hostname for hosts. Untangle can often determine the hostname for an IP automatically via DHCP or other methods. You can view the current names for currently active hosts in the [[Hosts]].<br />
<br />
However, when Untangle is unable to automatically determine a hostname for an IP the Name Map provides a way to manually name them. <br />
<br />
{{ServiceAppScreenshot|reports|name-map}}<br />
<br />
<br />
== Accessing Reports ==<br />
<br />
If a user is set up to receive email report summaries, they only need to view or download the HTML attachment to see an overview report. If they need more information or would like to drill down to specific users or machines, they can use the link in the email, which will open Reports on the Untangle if it is accessible from their location. <br />
<br />
To access Reports directly from a browser, you have two options:<br />
<br />
* '''Outside the Untangle's network''': Browse to the IP of the Untangle /reports using HTTPS, such as <tt>https://1.2.3.4/reports</tt>.<br />
* '''Inside the Untangle's network''': Browse to the IP of the Untangle /reports, such as <tt>https://192.168.1.1/reports</tt>.<br />
<br />
Please note that to view Reports from outside the network you'll need to check '''Allow HTTPS on WANs''' at '''Config > Network > Advanced > Filter Rules'''. If you have changed the '''External HTTPS Port''', you'll need to use the proper HTTPS port when connecting from the outside.<br />
<br />
{{:Report Viewer}}<br />
<br />
== Related Topics ==<br />
<br />
[[Custom Reports]]<br />
<br />
== Reports FAQs ==<br />
<br />
{{:Reports FAQs}}</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.2.0_Changelog&diff=2614814.2.0 Changelog2019-05-13T17:14:58Z<p>Dmorris: </p>
<hr />
<div>= Overview =<br />
<br />
14.2 is a major new release containing new functionality and some big changes.<br />
<br />
= Web Filter =<br />
<br />
== Improved Education Features ==<br />
<br />
Many commonly-requested features have been added to [[Web Filter]]. These are especially powerful for those filtering for children, like educational institutions, and those doing SSL inspection.<br />
<br />
* "Enforce safe search" now includes searches on YouTube.<br />
* Logging of online searches now includes searches on YouTube.<br />
* Added a new "Search Terms" tab to allow admins to block/flag searches containing certain words or phrases.<br />
* Added the ability to import very large lists of suspicious search terms in either JSON or CSV format.<br />
<br />
== New Web Filtering Categorization engine ==<br />
<br />
We have switched Web Filter to use Brightcloud's web URL categorization and reputation engine. Untangle often changes the underlying commercial engine used in some of the paid apps (like Virus Blocker) over the years. Doing so is never easy, but is critical for Untangle to stay current with the best technologies available.<br />
<br />
On upgrade, your current category settings will be converted to the new category format. <br />
<br />
== Other Quality-of-Life Improvements ==<br />
<br />
Web Filter categories page is now grouped by default and has a search function to help locate categories more easily.<br />
Additionally the database schema has been improved for better reports performance.<br />
<br />
= Intrusion Prevention =<br />
<br />
Intrusion Prevention incorporated much user feedback and many requests from the new version implemented in 14.1.<br />
<br />
== Whitelist (Exempt) ==<br />
<br />
Rules now have the ability to whitelist (exempt) certain traffic or subnets from Intrusion Prevention entirely.<br />
<br />
== Postrouting Option ==<br />
<br />
Intrusion Prevention now has the ability to run "postrouting". This mode is very different from the standard "prerouting" mode, and which option you choose to run depends on your reasons for using Intrusion Prevention.<br />
<br />
When run in "prerouting" mode (the default), IPS sees all traffic even if it will subsequently be dropped by the firewall. This means IPS will see much malicious activity, such as the port scans and intrusion attempts on public IP addresses that happen on almost all networks, even though that traffic will ultimately just be dropped. The advantage of this approach is that Intrusion Prevention sees and logs everything, providing the most complete picture. The disadvantage is that it usually logs so much that the Intrusion Prevention logs quickly become ignored, because it is logging thousands of events per day, which is completely normal and expected.<br />
<br />
When run in "postrouting" mode, IPS will only scan traffic that will actually pass through the firewall. On most networks, where Untangle is running with a public IP, doing NAT, and port forwarding only select traffic or none at all, this will be extremely different from scanning "prerouting". The advantage of this mode is that IPS will only scan and log traffic that is actually entering your network; it therefore ignores a lot of the standard "noise" from incoming port scans and vulnerability scans that just get dropped at the firewall, and logs only traffic that should potentially concern the administrator. The disadvantage of this mode is that it provides a less complete picture of activity on the public interface, because it no longer logs attempts that just get dropped. Additionally, for long-time Untangle users, this was once the default; however, many administrators were very uncomfortable with this mode because it logs much less than they anticipated or compared to a solution that runs "prerouting".<br />
<br />
Which mode is right for you depends on your reasons for using Intrusion Prevention. The "prerouting" mode is currently the default because it is the most anticipated behavior of most administrators.<br />
<br />
= Directory Connector =<br />
<br />
Directory Connector can now connect to directory services in Microsoft Azure.<br />
<br />
The Active Directory Login Monitor now can monitor RADIUS authentication events on the Active Directory server.<br />
<br />
= Other =<br />
<br />
Tons of other improvements and bugfixes<br />
<br />
* systemd boot hang issues fixed<br />
* many IPS fixes<br />
* many AD/directory-connector fixes<br />
* OpenVPN now builds the Windows client based on 2.4.7 (thanks WebFool!)<br />
* Configuration Backup can now be scheduled to a specific time<br />
* Ability to hide wireless SSID</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.2.0_Changelog&diff=2614714.2.0 Changelog2019-05-13T16:56:47Z<p>Dmorris: /* Postrouting Option */</p>
<hr />
<div>= Overview =<br />
<br />
14.2 is a major new release containing new functionality and some big changes.<br />
<br />
= Web Filter =<br />
<br />
== Improved Education Features ==<br />
<br />
Many commonly-requested features have been added to [[Web Filter]]. These are especially powerful for those filtering for children, like educational institutions, and those doing SSL inspection.<br />
<br />
* "Enforce safe search" now includes searches on YouTube.<br />
* Logging of online searches now includes searches on YouTube.<br />
* Added a new "Search Terms" tab to allow admins to block/flag searches containing certain words or phrases.<br />
* Added the ability to import very large lists of suspicious search terms in either JSON or CSV format.<br />
<br />
== New Web Filtering Categorization engine ==<br />
<br />
We have switched Web Filter to use Brightcloud's web URL categorization and reputation engine. Untangle often changes the underlying commercial engine used in some of the paid apps (like Virus Blocker) over the years. Doing so is never easy, but is critical for Untangle to stay current with the best technologies available.<br />
<br />
Brightcloud offered the best categorization of the solutions we tested in our most recent test. This test includes both performance and accuracy as well as other properties like the category taxonomy. Brightcloud also provides the background intelligence so Untangle can now provide information about *why* certain sites were categorized as malicious when customers have questions.<br />
<br />
On upgrade, your current category settings will be converted to the new category format. <br />
<br />
Additionally Brightcloud offers several other key reputation services which we hope to use in future versions. More on that in the future!<br />
<br />
== Other Quality-of-Life Improvements ==<br />
<br />
Web Filter categories page is now grouped by default and has a search function to help locate categories more easily.<br />
Additionally the database schema has been improved for better reports performance.<br />
<br />
= Intrusion Prevention =<br />
<br />
Intrusion Prevention incorporated much user feedback and many requests from the new version implemented in 14.1.<br />
<br />
== Whitelist (Exempt) ==<br />
<br />
Rules now have the ability to whitelist (exempt) certain traffic or subnets from Intrusion Prevention entirely.<br />
<br />
== Postrouting Option ==<br />
<br />
Intrusion Prevention now has the ability to run "postrouting". This mode is very different from the standard "prerouting" mode, and which option you choose to run depends on your reasons for using Intrusion Prevention.<br />
<br />
When run in "prerouting" mode (the default), IPS sees all traffic even if it will subsequently be dropped by the firewall. This means IPS will see much malicious activity, such as the port scans and intrusion attempts on public IP addresses that happen on almost all networks, even though that traffic will ultimately just be dropped. The advantage of this approach is that Intrusion Prevention sees and logs everything, providing the most complete picture. The disadvantage is that it usually logs so much that the Intrusion Prevention logs quickly become ignored, because it is logging thousands of events per day, which is completely normal and expected.<br />
<br />
When run in "postrouting" mode, IPS will only scan traffic that will actually pass through the firewall. On most networks, where Untangle is running with a public IP, doing NAT, and port forwarding only select traffic or none at all, this will be extremely different from scanning "prerouting". The advantage of this mode is that IPS will only scan and log traffic that is actually entering your network; it therefore ignores a lot of the standard "noise" from incoming port scans and vulnerability scans that just get dropped at the firewall, and logs only traffic that should potentially concern the administrator. The disadvantage of this mode is that it provides a less complete picture of activity on the public interface, because it no longer logs attempts that just get dropped. Additionally, for long-time Untangle users, this was once the default; however, many administrators were very uncomfortable with this mode because it logs much less than they anticipated or compared to a solution that runs "prerouting".<br />
<br />
Which mode is right for you depends on your reasons for using Intrusion Prevention. The "prerouting" mode is currently the default because it is the most anticipated behavior of most administrators.<br />
<br />
= Directory Connector =<br />
<br />
Directory Connector can now connect to directory services in Microsoft Azure.<br />
<br />
The Active Directory Login Monitor now can monitor RADIUS authentication events on the Active Directory server.<br />
<br />
= Other =<br />
<br />
Tons of other improvements and bugfixes<br />
<br />
* systemd boot hang issues fixed<br />
* many IPS fixes<br />
* many AD/directory-connector fixes<br />
* OpenVPN now builds the Windows client based on 2.4.7 (thanks WebFool!)<br />
* Configuration Backup can now be scheduled to a specific time<br />
* Ability to hide wireless SSID</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.2.0_Changelog&diff=2614614.2.0 Changelog2019-05-13T16:53:59Z<p>Dmorris: </p>
<hr />
<div>= Overview =<br />
<br />
14.2 is a major new release containing new functionality and some big changes.<br />
<br />
= Web Filter =<br />
<br />
== Improved Education Features ==<br />
<br />
Many commonly requested features have been added to [[Web Filter]]. These are especially powerful for those filtering for children, such as educational institutions, and for those doing SSL inspection.<br />
<br />
* "Enforce safe search" now includes searches on YouTube.<br />
* Logging of online searches now includes searches on YouTube.<br />
* Added a new "Search Terms" tab to allow admins to block/flag searches containing certain words or phrases.<br />
* Added the ability to import very large lists of suspicious search terms in either JSON or CSV format.<br />
<br />
== New Web Filtering Categorization engine ==<br />
<br />
We have switched Web Filter to use Brightcloud's web URL categorization and reputation engine. Untangle often changes the underlying commercial engine used in some of the paid apps (like Virus Blocker) over the years. Doing so is never easy, but is critical for Untangle to stay current with the best technologies available.<br />
<br />
Brightcloud offered the best categorization of the solutions we tested in our most recent test. This test includes both performance and accuracy as well as other properties like the category taxonomy. Brightcloud also provides the background intelligence, so Untangle can now provide information about *why* certain sites were categorized as malicious when customers have questions.<br />
<br />
On upgrade, your current category settings will be converted to the new category format.<br />
<br />
Additionally, Brightcloud offers several other key reputation services which we hope to use in future versions. More on that in the future!<br />
<br />
== Other Quality-of-Life Improvements ==<br />
<br />
The Web Filter categories page is now grouped by default and has a search function to help locate categories more easily.<br />
Additionally, the database schema has been improved for better reports performance.<br />
<br />
= Intrusion Prevention =<br />
<br />
Intrusion Prevention incorporated much user feedback and many requests from the new version implemented in 14.1.<br />
<br />
== Whitelist (Exempt) ==<br />
<br />
Rules now have the ability to whitelist (exempt) certain traffic or subnets from Intrusion Prevention entirely.<br />
<br />
== Postrouting Option ==<br />
<br />
Intrusion Prevention now has the ability to run "post" routing. This is a major change in behavior, and which option you choose to run depends on your reasons for using Intrusion Prevention.<br />
<br />
When run in "prerouting" mode (the default), IPS sees all traffic even if it will subsequently be dropped by the firewall. This means IPS will see much of the malicious activity, like port scans and intrusion attempts on the public IP addresses, that happens on almost all networks, even though that traffic will ultimately just be dropped. The advantage of this approach is that Intrusion Prevention sees and logs everything, providing the most complete picture. The disadvantage is that it usually logs so much that the Intrusion Prevention logs quickly become ignored, because it is logging thousands of events per day and this is completely normal and expected.<br />
<br />
When run in "postrouting" mode, IPS will only scan traffic that will actually pass through the firewall. On most networks where Untangle is running with a public IP, doing NAT, and port forwarding only select traffic or none at all, this will be extremely different than scanning "prerouting". The advantage of this mode is that IPS will only scan and log traffic that is actually entering your network; it therefore ignores a lot of the standard "noise" from incoming port scans and vulnerability scans that just get dropped at the firewall, and logs only traffic that should potentially concern the administrator. The disadvantage of this mode is that it provides a less complete picture of activity on the public interface, because it no longer logs attempts that just get dropped. Additionally, for long-time Untangle users, this was once the default; however, many administrators were very uncomfortable with this mode because it logs much less than they anticipated, or much less than a solution that runs "prerouting".<br />
<br />
Which mode is right for you depends on your reasons for using Intrusion Prevention. The "prerouting" mode is currently the default because it is the behavior most administrators anticipate.<br />
<br />
= Directory Connector =<br />
<br />
Directory Connector can now connect to directory services in Microsoft Azure.<br />
<br />
The Active Directory Login Monitor now can monitor RADIUS authentication events on the Active Directory server.<br />
<br />
= Other =<br />
<br />
Tons of other improvements and bugfixes<br />
<br />
* systemd boot hang issues fixed<br />
* many IPS fixes<br />
* many AD/directory-connector fixes<br />
* OpenVPN now builds the Windows client based on 2.4.7 (thanks WebFool!)<br />
* Configuration Backup can now be scheduled to a specific time<br />
* Ability to hide wireless SSID</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.2.0_Changelog&diff=2614514.2.0 Changelog2019-05-13T16:35:49Z<p>Dmorris: Created page with "= Overview = 14.2 is a major new release containing new functionality and some big changes. = Web Filter = == Improved Education Features == Many commonly-requested featur..."</p>
<hr />
<div>= Overview =<br />
<br />
14.2 is a major new release containing new functionality and some big changes.<br />
<br />
= Web Filter =<br />
<br />
== Improved Education Features ==<br />
<br />
Many commonly requested features have been added to [[Web Filter]]. These are especially powerful for those filtering for children, such as educational institutions, and for those doing SSL inspection.<br />
<br />
* "Enforce safe search" now includes searches on YouTube.<br />
* Logging of online searches now includes searches on YouTube.<br />
* Added a new "Search Terms" tab to allow admins to block/flag searches containing certain words or phrases.<br />
* Added the ability to import very large lists of suspicious search terms in either JSON or CSV format.<br />
<br />
== New Web Filtering Categorization engine ==<br />
<br />
We have switched Web Filter to use Brightcloud's web URL categorization and reputation engine. Untangle often changes the underlying commercial engine used in some of the paid apps (like Virus Blocker) over the years. Doing so is never easy, but is critical for Untangle to stay current with the best technologies available.<br />
<br />
Brightcloud offered the best categorization of the solutions we tested in our most recent test. This test includes both performance and accuracy as well as other properties like the category taxonomy. Brightcloud also provides the background intelligence, so Untangle can now provide information about *why* certain sites were categorized as malicious when customers have questions.<br />
<br />
On upgrade, your current category settings will be converted to the new category format.<br />
<br />
Additionally, Brightcloud offers several other key reputation services which we hope to use in future versions. More on that in the future!<br />
<br />
== Other Quality-of-Life Improvements ==<br />
<br />
The Web Filter categories page is now grouped by default and has a search function to help locate categories more easily.<br />
Additionally, the database schema has been improved for better reports performance.<br />
<br />
= Intrusion Prevention =<br />
<br />
Intrusion Prevention incorporated much user feedback and many requests from the new version implemented in 14.1.<br />
<br />
This includes many bugfixes but also new features like the ability to exempt certain traffic or subnets from Intrusion Prevention entirely.<br />
<br />
= Directory Connector =<br />
<br />
Directory Connector can now connect to directory services in Microsoft Azure.<br />
<br />
The Active Directory Login Monitor now can monitor RADIUS authentication events on the Active Directory server.<br />
<br />
= Other =<br />
<br />
Tons of other improvements and bugfixes<br />
<br />
* systemd boot hang issues fixed<br />
* many IPS fixes<br />
* many AD/directory-connector fixes<br />
* OpenVPN now builds the Windows client based on 2.4.7 (thanks WebFool!)<br />
* Configuration Backup can now be scheduled to a specific time</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=NG_Firewall_Changelogs&diff=26144NG Firewall Changelogs2019-05-13T16:35:43Z<p>Dmorris: </p>
<hr />
<div>The sections below detail notable changes made to the Untangle software in each revision. If an entry has parentheses after it, such as (NGFW-xxxx), it references an issue from [http://jira.untangle.com jira].<br />
<br />
= Major Releases =<br />
<br />
* [[14.2.0 Changelog]]<br />
* [[14.1.2 Changelog]]<br />
* [[14.1.1 Changelog]]<br />
* [[14.1.0 Changelog]]<br />
* [[14.0.1 Changelog]]<br />
* [[14.0.0 Changelog]]<br />
* [[13.2.1 Changelog]]<br />
* [[13.2.0 Changelog]]<br />
* [[13.1.1 Changelog]]<br />
* [[13.1.0 Changelog]]<br />
* [[13.0.0 Changelog]]<br />
<br />
= Date Changes =<br />
<br />
Minor builds are newly released updates or builds without a change in the overall MAJOR.MINOR version number. The date changelog shows all changes by date.<br />
<br />
[[Date Changelog]]<br />
<br />
= Active Directory Monitor =<br />
<br />
The Active Directory Monitor software installs on the Active Directory server and is released independently of other products.<br />
<br />
[[Active Directory Monitor Changelog]]<br />
<br />
= Old NGFW Changelogs =<br />
<br />
* [[12.2.1 Changelog]]<br />
* [[12.2.0 Changelog]]<br />
* [[12.1.2 Changelog]]<br />
* [[12.1.1 Changelog]]<br />
* [[12.1.0 Changelog]]<br />
* [[12.0.1 Changelog]]<br />
* [[12.0.0 Changelog]]<br />
* [[11.2.1 Changelog]]<br />
* [[11.2.0 Changelog]]<br />
* [[11.1.0 Changelog]]<br />
* [[11.0.1 Changelog]]<br />
* [[11.0.0 Changelog]]<br />
* [[10.2.1 Changelog]]<br />
* [[10.2.0 Changelog]]<br />
* [[10.1.0 Changelog]]<br />
* [[10.0.0 Changelog]]<br />
* [[9.4.2 Changelog]]<br />
* [[9.4.1 Changelog]]<br />
* [[9.4.0 Changelog]]<br />
* [[9.3.2 Changelog]]<br />
* [[9.3.1 Changelog]]<br />
* [[9.3.0 Changelog]]<br />
* [[9.2.1 Changelog]]<br />
* [[9.2.0 Changelog]]<br />
* [[9.1.1 Changelog]]<br />
* [[9.1.0 Changelog]]<br />
* [[9.0.2 Changelog]]<br />
* [[9.0.1 Changelog]]<br />
* [[9.0.0 Changelog]]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Intrusion_Prevention&diff=26143Intrusion Prevention2019-05-06T17:03:06Z<p>Dmorris: </p>
<hr />
<div>[[Category:Applications]]<br />
<br />
{| width='100%'<br />
|-<br />
| align="center" | [[Image:IntrusionPrevention.png|128px]] &nbsp; &nbsp; '''Intrusion Prevention'''<br />
| align="center" |<br />
{|<br />
|-<br />
| Other Links:<br />
|-<br />
|[http://www.untangle.com/store/intrusion-prevention.html Intrusion Prevention Description Page]<br />
|-<br />
|[http://demo.untangle.com/admin/index.do#service/intrusion-prevention Intrusion Prevention Demo]<br />
|-<br />
|[http://forums.untangle.com/intrusion-prevention/ Intrusion Prevention Forums]<br />
|-<br />
|[[Intrusion Prevention Reports]]<br />
|-<br />
|[[Intrusion Prevention FAQs]]<br />
|}<br />
|}<br />
<br/><br />
----<br />
<br />
== About Intrusion Prevention ==<br />
<br />
Intrusion Prevention is an [http://en.wikipedia.org/wiki/Intrusion_detection_systems Intrusion Detection system] that detects malicious activity on your network. <br />
<br />
To detect malicious activity, Intrusion Prevention uses ''signatures'', a method that draws upon a database of known attack patterns. <br />
If a network [http://en.wikipedia.org/wiki/Session_%28computer_science%29 session] matches a signature, its enabled ''action'' directs Intrusion Prevention to <br />
''Log'' (records the incident but '''does not stop''' the activity) or ''Block'' (records the incident and '''does stop''' the activity).<br />
<br />
There is tremendous diversity between networks and it is possible for a signature to correctly identify malicious activity on one network and incorrectly match legitimate traffic on another.<br />
Logging all matching signatures can make it difficult to effectively monitor Intrusion Prevention, and blocking can disrupt legitimate traffic, causing your network to appear to be broken.<br />
Therefore it is perfectly legitimate for there to be many signatures set as ''disabled'' or not active in Intrusion Prevention.<br />
In fact, it is advised that you use the ''Recommended'' actions as specified by the signature database providers.<br />
<br />
The database contains over 26,000 signatures, making it difficult to manage signatures directly.<br />
''Rules'' are used to configure groups of signatures by matching on various attributes.<br />
A condition can match an attribute such as classtype. All signatures that match are configured in Intrusion Prevention according to the rule action.<br />
Any signature not matched by a rule is Disabled.<br />
A default set of rules based on system memory is enabled by default.<br />
<br />
The signature database is automatically updated several times a week. New and updated signatures will be configured as determined by rules.<br />
<br />
All detected activity for enabled signatures is recorded to the Intrusion Prevention ''All Events'' log. You should review this log on a daily basis.<br />
<br />
''Note:'' Intrusion Prevention installs but is off by default. <br />
<br />
''Note:'' Intrusion Prevention can be memory intensive and requires at least 2GB of RAM. The amount used is a combination of the number of enabled signatures and the amount of traffic that goes through your system.<br />
<br />
== Settings == <br />
<br />
=== Status ===<br />
<br />
The Status tab shows the following information:<br />
<br />
* Memory Usage. The amount of system memory the IPS engine is using compared to your installed system memory.<br />
<br />
* Metrics. The number of blocked, logged, and scanned sessions.<br />
<br />
* Overview. Signatures and Signature Updates.<br />
** Signatures. Total number of signatures available and the number set for Log, Block, Disabled.<br />
** Updates. The last time the signature database was updated and the last time a check was performed. Database updates do not occur on each check.<br />
<br />
{{ServiceAppScreenshot|intrusion-prevention|status}}<br />
<br />
<br />
=== Rules ===<br />
<br />
Rules allow you to control which signatures are enabled (and their actions) or disabled.<br />
For each signature the rules are evaluated in order; the action from the first matching rule is used to determine the status of that signature. The Intrusion Prevention rules are the mechanism to determine which signatures are enabled and their associated actions. These rules have no impact on network traffic and are not evaluated against packets, sessions, or network traffic in any manner.<br />
<br />
Any signature not matched by any rule is disabled.<br />
<br />
The [[Rules|Rules documentation]] describes how rules generally work and how they are configured. The major difference for Intrusion Prevention is the Conditions List.<br />
<br />
At the bottom of the tab a stats bar indicates how many signatures are affected by the currently defined rules.<br />
<br />
When adding or editing a rule, the bottom of the edit window will show how many signatures are affected by the conditions as you build the rule.<br />
<br />
{{AppScreenshot|intrusion-prevention|rules}}<br />
<br />
==== Rule Conditions ====<br />
<br />
Conditions define which signatures will match the rule. If and only if all of the conditions match, the rule is considered a match. <br />
<br />
The following conditions are specific to Intrusion Prevention rules:<br />
<br />
{| border="1" cellpadding="2" font="sans-serif" style="border-collapse: collapse;"<br />
|+<br />
! style="text-align: left" | Name <br />
! style="text-align: left" | Syntax <br />
! style="text-align: left" | Function<br />
|- <br />
| Signature identifier<br />
| Numeric<br />
| Matches if value matches the exact or partial signature identifier.<br />
|- <br />
| Group identifier<br />
| Numeric<br />
| Matches if value matches the exact or partial group identifier.<br />
|- <br />
| Category<br />
| Checkbox<br />
| Matches if value is in one of the checked categories.<br />
|- <br />
| Classtype<br />
| Checkbox<br />
| Matches if value is in one of the checked classtypes.<br />
|- <br />
| Message<br />
| Text<br />
| Matches if value matches the exact or partial signature subject message.<br />
|- <br />
| Protocol<br />
| Checkbox<br />
| Matches if value is in one of the checked protocols.<br />
|- <br />
| Source Address<br />
| Text<br />
| Matches if value matches the exact or partial source address.<br />
|- <br />
| Source Port<br />
| Text<br />
| Matches if value matches the exact or partial source port.<br />
|- <br />
| Destination Address<br />
| Text<br />
| Matches if value matches the exact or partial destination address.<br />
|- <br />
| Destination Port<br />
| Text<br />
| Matches if value matches the exact or partial destination port.<br />
|- <br />
| Signature<br />
| Text<br />
| Matches if value matches the exact or any part of the entire signature.<br />
|- <br />
| Custom<br />
| Boolean<br />
| Matches if value is a custom signature.<br />
|- <br />
| Recommended Action<br />
| Select<br />
| Matches if value is a signature's recommended action.<br />
|- <br />
| System Memory<br />
| Numeric<br />
| Matches if system memory matches this value.<br />
|}<br />
<br />
==== Rule Actions ====<br />
<br />
When all conditions are met, signatures will be configured into Intrusion Prevention as follows:<br />
<br />
{| border="1" cellpadding="2" font="sans-serif" style="border-collapse: collapse;"<br />
|+<br />
! style="text-align: left" | Action<br />
! style="text-align: left" | Function<br />
|- <br />
| Recommended<br />
| Each signature will use its specific Recommended Action. If that Recommended Action is disabled, it will not be enabled at all.<br />
|- <br />
| Enable Log<br />
| Each signature will be enabled to log.<br />
|- <br />
| Enable Block if Recommended is Enabled<br />
| Only if the signature's Recommended Action is Log will the signature be configured for Block. Use this for "wide" condition matches like classtype.<br />
|- <br />
| Enable Block<br />
| Each signature will be enabled to block. Use this for "narrow" matches like sid and gid.<br />
|- <br />
| Disable<br />
| Each signature will be disabled and not used by Intrusion Prevention.<br />
|}<br />
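<br />
The first-match evaluation and the five rule actions above, modeled in Python as an added example (not Untangle's code). The dict keys, helper names and sample signatures are constructed for illustration, and the fallback used by "Enable Block if Recommended is Enabled" when a signature's Recommended Action is not Log is an assumption.<br />

```python
"""Model of how ordered Intrusion Prevention rules set each signature's status.

Added illustration: field names, helpers and sample data are constructed
for this example and are not taken from the product.
"""
from collections import Counter

LOG, BLOCK, DISABLED = "log", "block", "disabled"

# Rule actions, named as in the Rule Actions table.
RECOMMENDED = "Recommended"
ENABLE_LOG = "Enable Log"
BLOCK_IF_RECOMMENDED = "Enable Block if Recommended is Enabled"
ENABLE_BLOCK = "Enable Block"
DISABLE = "Disable"


def classtype_in(*classtypes):
    """Checkbox-style condition: classtype is one of the checked values."""
    wanted = set(classtypes)
    return lambda sig: sig["classtype"] in wanted


def message_contains(text):
    """Text condition: exact or partial match on the signature message."""
    return lambda sig: text in sig["msg"]


def sid_is(sid):
    """Narrow condition on one signature identifier."""
    return lambda sig: sig["sid"] == sid


def apply_action(action, sig):
    """Translate a rule action into the signature's resulting status."""
    rec = sig["recommended"]
    if action == RECOMMENDED:
        return rec                      # a Disabled recommendation stays off
    if action == ENABLE_LOG:
        return LOG
    if action == ENABLE_BLOCK:
        return BLOCK
    if action == BLOCK_IF_RECOMMENDED:
        # Assumption: if the recommendation is not Log, keep the recommendation.
        return BLOCK if rec == LOG else rec
    if action == DISABLE:
        return DISABLED
    raise ValueError(f"unknown action: {action}")


def resolve(rules, signatures):
    """Return {sid: (status, matching rule description or None)}."""
    resolved = {}
    for sig in signatures:
        status, source = DISABLED, None          # unmatched means Disabled
        for rule in rules:                       # evaluated in order
            if all(cond(sig) for cond in rule["conditions"]):
                status, source = apply_action(rule["action"], sig), rule["description"]
                break                            # first match wins
        resolved[sig["sid"]] = (status, source)
    return resolved


def summarize(resolved):
    """Count signatures per status, like the stats bar on the Rules tab."""
    return dict(Counter(status for status, _ in resolved.values()))


# Constructed sample signatures (sids are made up).
SIGNATURES = [
    {"sid": 9000001, "classtype": "trojan-activity", "msg": "CONSTRUCTED malware checkin", "recommended": LOG},
    {"sid": 9000002, "classtype": "trojan-activity", "msg": "CONSTRUCTED noisy beacon", "recommended": DISABLED},
    {"sid": 9000003, "classtype": "attempted-recon", "msg": "CONSTRUCTED port scan", "recommended": LOG},
    {"sid": 9000004, "classtype": "policy-violation", "msg": "CONSTRUCTED chat client", "recommended": DISABLED},
    {"sid": 9000005, "classtype": "attempted-admin", "msg": "CONSTRUCTED admin login", "recommended": BLOCK},
    {"sid": 9000006, "classtype": "misc-activity", "msg": "CONSTRUCTED other", "recommended": LOG},
]

# Constructed rule list: a narrow exception first, wide matches after it.
RULES = [
    {"description": "Silence scan noise", "conditions": [sid_is(9000003)], "action": DISABLE},
    {"description": "Block trojans when recommended",
     "conditions": [classtype_in("trojan-activity")], "action": BLOCK_IF_RECOMMENDED},
    {"description": "Log all recon", "conditions": [classtype_in("attempted-recon")], "action": ENABLE_LOG},
    {"description": "Follow recommendations",
     "conditions": [classtype_in("attempted-admin", "policy-violation")], "action": RECOMMENDED},
]

if __name__ == "__main__":
    for sid, (status, source) in resolve(RULES, SIGNATURES).items():
        print(sid, status, source)
    print(summarize(resolve(RULES, SIGNATURES)))
```

Moving "Log all recon" above "Silence scan noise" changes the status of the port scan signature from disabled to log, which is why narrow exceptions belong ahead of wide classtype rules.<br />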
<br />
<br />
=== Signatures ===<br />
<br />
The Signature tab shows the entire database of signatures, both the default set provided as well as any custom signatures you may add.<br />
<br />
{{AppScreenshot|intrusion-prevention|signatures}}<br />
<br />
==== Navigation ====<br />
<br />
By default, signatures are grouped by classtype and you can expand the groups to view the individual signatures. <br />
<br />
To better find specific signatures, you can use the Filter to select signature fields and the match you're looking for. The grid view will change to show those signatures matching the filter.<br />
<br />
If your filter returned one or more matches, you can create a rule from the filter by clicking Create Rule. <br />
<br />
Mousing over a grid cell will show appropriate information related to that cell. For example, if you mouse over the Rule Action cell, you'll see which rule is affecting this signature.<br />
<br />
==== Custom Signatures ====<br />
<br />
You may create and maintain your own signatures, but most use the default database.<br />
<br />
If you wish to add custom signatures you can do so by clicking Add.<br />
<br />
Alternatively, if you wish to create a new custom signature based on an existing signature, you can click Copy then edit that copy.<br />
<br />
'''NOTE:''' Don't be tempted to copy a signature to change its Recommended Action. Create a Rule instead!<br />
<br />
<br />
=== Variables ===<br />
<br />
This tab provides administrators access to Suricata variables. These variables are used in rules to specify criteria for the source and destination of a packet. <br />
<br />
Suricata's most important variable is $HOME_NET. $HOME_NET defines the network or networks you are trying to protect. It is computed automatically based on your network configuration and includes all local networks (including aliases). Under nearly every circumstance you will want to leave these values as-is.<br />
<br />
Using the Add button, custom variables can be added. Added variables may be used by users adding their own rules. This should only be attempted by advanced users with a strong knowledge of Suricata signature creation.<br />
<br />
{{AppScreenshot|intrusion-prevention|variables}}<br />
<br />
<br />
== Updates ==<br />
<br />
The signature database is checked automatically every night. Updates are typically released 2-3 times a week.<br />
<br />
The signature database does not affect custom signatures.<br />
<br />
New signatures will be integrated into Intrusion Prevention according to defined rules.<br />
<br />
== Reports == <br />
<br />
{{:Intrusion Prevention Reports}}<br />
== All Events ==<br />
<br />
The All Events report shows all enabled signature matches found by Intrusion Prevention.<br />
<br />
If there are signatures that are currently set to an action of Log and you determine the signature should in fact be Block, you can click the Block button on the far right.<br />
The Block button is disabled for any signature that is already blocked. <br />
<br />
{{Screenshot|reports_cat_intrusion-prevention_rep_all-events}}<br />
<br />
== Related Topics ==<br />
<br />
[http://en.wikipedia.org/wiki/Intrusion_prevention_system Intrusion Prevention Systems]<br />
<br />
[https://suricata.readthedocs.io/en/suricata-3.2.1/rules/index.html Suricata - Writing Suricata Signatures]<br />
<br />
== Intrusion Prevention FAQs ==<br />
<br />
{{:Intrusion Prevention FAQs}}</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Upstream_Projects&diff=26134Upstream Projects2019-04-17T17:54:23Z<p>Dmorris: </p>
<hr />
<div>[[Category: Developer Wiki]]<br />
This page lists many of the upstream projects used by Untangle.<br />
<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! project name<br />
! license<br />
! linked<br />
! modified<br />
! used in<br />
! URL<br />
|-<br />
| linux kernel || GPLv2 ||&nbsp;|| yes || server || [http://kernel.org 1]<br />
|-<br />
| debian || assorted ||&nbsp;||&nbsp;|| server || [http://debian.org 1]<br />
|-<br />
| postgres || BSD ||&nbsp;||&nbsp;|| uvm || [http://postgresql.org 1]<br />
|-<br />
| apache log4j || apache || yes ||&nbsp;|| uvm || [http://logging.apache.org/log4j/docs/ 1]<br />
|-<br />
| apache tomcat || apache || yes ||&nbsp;|| uvm || [http://jakarta.apache.org/tomcat/index.html 1]<br />
|-<br />
| apache fileupload || apache || yes ||&nbsp;|| uvm || [https://commons.apache.org/proper/commons-fileupload/ 1]<br />
|-<br />
| apache io || apache || yes ||&nbsp;|| uvm || [https://commons.apache.org/proper/commons-io/ 1]<br />
|-<br />
| apache httpcomponents || apache || yes ||&nbsp;|| uvm || [https://hc.apache.org/httpcomponents-client-ga/ 1]<br />
|-<br />
| gettext commons || apache || yes || &nbsp; || i18n || [https://code.google.com/archive/p/gettext-commons/ 1]<br />
|-<br />
| dns java || BSD || yes || &nbsp; || uvm || [http://www.xbill.org/dnsjava/ 1]<br />
|-<br />
| javamail || GPLv2+CPE || yes ||&nbsp;|| uvm || [https://javaee.github.io/javamail/JavaMail-License 1]<br />
|-<br />
| postgresJDBC || BSD || yes ||&nbsp;|| uvm || [http://jdbc.postgresql.org/ 1]<br />
|-<br />
| java (JRE) || GPLv2 ||&nbsp;||&nbsp;|| uvm || [http://openjdk.java.net/ 1]<br />
|-<br />
| clamav || GPLv2 ||&nbsp;||&nbsp;|| virus blocker lite || [http://www.clamav.net/ 1]<br />
|-<br />
| spamassassin || apache ||&nbsp;||&nbsp;|| spam blocker lite || [http://spamassassin.apache.org/ 1]<br />
|-<br />
| velocity || apache ||&nbsp;||&nbsp;|| smtp-casing || [http://jakarta.apache.org/velocity/ 1]<br />
|-<br />
| OpenVPN || GPLv2 ||&nbsp;||&nbsp;|| openvpn || [http://openvpn.net/ 1]<br />
|-<br />
| ExtJS || LGPL ||&nbsp;||&nbsp;|| UI || [http://extjs.com 1]<br />
|-<br />
| GeoIP2 || Apache || yes || &nbsp; || uvm || [https://github.com/maxmind/GeoIP2-java 1]<br />
|-<br />
| libnetfilter-queue || GPLv2 || yes || &nbsp; || uvm || [http://www.netfilter.org/projects/libnetfilter_queue/ 1]<br />
|-<br />
| libnetfilter-conntrack || GPLv2 || yes || &nbsp; || uvm || [http://www.netfilter.org/projects/libnetfilter_conntrack/ 1]<br />
|-<br />
| jabsorb || apache || &nbsp; || yes || UI || [http://jabsorb.org/ 1]<br />
|-<br />
| jradius || LGPL || &nbsp; || &nbsp; || directory connector || [http://coova.org/JRadius 1]<br />
|-<br />
| python-jsonrpc || LGPL || &nbsp; || yes || uvm || [http://json-rpc.org/wiki/python-json-rpc 1]<br />
|-<br />
| selenium-java || apache || &nbsp; || &nbsp; || directory connector || [http://www.seleniumhq.org/about/license.jsp 1]<br />
|-<br />
| NSIS || zlib,bzip2 || &nbsp; || &nbsp;|| openvpn,uvm || [http://nsis.sourceforge.net 1]<br />
|-<br />
| Emerging Threats || BSD || &nbsp; || &nbsp; || ips || [http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#Are_the_Emerging_Threats_Rules_R 1]<br />
|-<br />
| suricata || GPLv2 || &nbsp; || &nbsp; || ips || [https://suricata-ids.org/about/open-source/ 1]<br />
<br />
|}<br />
<br />
Many commercial applications use paid OEM technology:<br />
* Spam Blocker<br />
* Virus Blocker<br />
* Web Filter<br />
* Application Control<br />
<br />
Many of these projects also use their own sub-libraries and sub-projects.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Upstream_Projects&diff=26133Upstream Projects2019-04-17T17:47:27Z<p>Dmorris: </p>
<hr />
<div>[[Category: Developer Wiki]]<br />
This page lists many of the upstream projects used by Untangle.<br />
<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! project name<br />
! license<br />
! linked<br />
! modified<br />
! used in<br />
! URL<br />
|-<br />
| linux kernel || GPLv2 ||&nbsp;|| yes || server || [http://kernel.org 1]<br />
|-<br />
| debian || assorted ||&nbsp;||&nbsp;|| server || [http://debian.org 1]<br />
|-<br />
| postgres || BSD ||&nbsp;||&nbsp;|| uvm || [http://postgresql.org 1]<br />
|-<br />
| apache log4j || apache || yes ||&nbsp;|| uvm || [http://logging.apache.org/log4j/docs/ 1]<br />
|-<br />
| apache tomcat || apache || yes ||&nbsp;|| uvm || [http://jakarta.apache.org/tomcat/index.html 1]<br />
|-<br />
| apache fileupload || apache || yes ||&nbsp;|| uvm || [https://commons.apache.org/proper/commons-fileupload/ 1]<br />
|-<br />
| apache io || apache || yes ||&nbsp;|| uvm || [https://commons.apache.org/proper/commons-io/ 1]<br />
|-<br />
| apache httpcomponents || apache || yes ||&nbsp;|| uvm || [https://hc.apache.org/httpcomponents-client-ga/ 1]<br />
|-<br />
| gettext commons || apache || yes || &nbsp; || i18n || [https://code.google.com/archive/p/gettext-commons/ 1]<br />
|-<br />
| dns java || BSD || yes || &nbsp; || uvm || [http://www.xbill.org/dnsjava/ 1]<br />
|-<br />
| javamail || GPLv2+CPE || yes ||&nbsp;|| uvm || [https://javaee.github.io/javamail/JavaMail-License 1]<br />
|-<br />
| postgresJDBC || BSD || yes ||&nbsp;|| uvm || [http://jdbc.postgresql.org/ 1]<br />
|-<br />
| java (JRE) || GPLv2 ||&nbsp;||&nbsp;|| uvm || [http://openjdk.java.net/ 1]<br />
|-<br />
| clamav || GPLv2 ||&nbsp;||&nbsp;|| virus blocker lite || [http://www.clamav.net/ 1]<br />
|-<br />
| spamassassin || apache ||&nbsp;||&nbsp;|| spam blocker lite || [http://spamassassin.apache.org/ 1]<br />
|-<br />
| velocity || apache ||&nbsp;||&nbsp;|| smtp-casing || [http://jakarta.apache.org/velocity/ 1]<br />
|-<br />
| OpenVPN || GPLv2 ||&nbsp;||&nbsp;|| openvpn || [http://openvpn.net/ 1]<br />
|-<br />
| ExtJS || LGPL ||&nbsp;||&nbsp;|| UI || [http://extjs.com 1]<br />
|-<br />
| GeoIP2 || Apache || yes || &nbsp; || uvm || [https://github.com/maxmind/GeoIP2-java 1]<br />
|-<br />
| libnetfilter-queue || GPLv2 || yes || &nbsp; || nflogd || [http://www.netfilter.org/projects/libnetfilter_queue/ 1]<br />
|-<br />
| libnetfilter-conntrack || GPLv2 || yes || &nbsp; || nflogd || [http://www.netfilter.org/projects/libnetfilter_conntrack/ 1]<br />
|-<br />
| jabsorb || apache || &nbsp; || yes || UI || [http://jabsorb.org/ 1]<br />
|-<br />
| jradius || LGPL || &nbsp; || &nbsp; || directory connector || [http://coova.org/JRadius 1]<br />
|-<br />
| python-jsonrpc || LGPL || &nbsp; || yes || uvm || [http://json-rpc.org/wiki/python-json-rpc 1]<br />
|-<br />
| selenium-java || apache || &nbsp; || &nbsp; || directory connector || [http://www.seleniumhq.org/about/license.jsp 1]<br />
|-<br />
| NSIS || zlib,bzip2 || &nbsp; || &nbsp;|| openvpn,uvm || [http://nsis.sourceforge.net 1]<br />
|-<br />
| Emerging Threats || BSD || &nbsp; || &nbsp; || ips || [http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#Are_the_Emerging_Threats_Rules_R 1]<br />
|-<br />
| suricata || GPLv2 || &nbsp; || &nbsp; || ips || [https://suricata-ids.org/about/open-source/ 1]<br />
<br />
|}<br />
<br />
Many commercial applications use paid OEM technology:<br />
* Spam Blocker<br />
* Virus Blocker<br />
* Web Filter<br />
* Application Control<br />
<br />
Many of these projects also use their own sub-libraries and sub-projects.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Date_Changelog&diff=26114Date Changelog2019-04-02T20:54:21Z<p>Dmorris: </p>
<hr />
<div>This is the complete changelog including any time packages are released that do not have new major.minor version numbers. <br />
<br />
Major releases are documented in the primary [[Changelog]].<br />
<br />
<br />
== 14.1.2 build1 2019-04-02 ==<br />
* [[14.1.2_Changelog]]<br />
<br />
== 14.1.1 build1 2019-01-17 ==<br />
* [[14.1.1_Changelog]]<br />
<br />
== 14.1.0 build3 2018-12-03 ==<br />
* Fix python cache issue<br />
* Fix local directory change password issue<br />
* Fix IPS UI issue<br />
* Remove cloudflare from dynamic DNS options<br />
<br />
== 14.1.0 build2 2018-11-14 ==<br />
* Fix issue with creating alert rules<br />
* Fix duplicate condition in UI<br />
* Fix backup/restore supported versions<br />
<br />
== 14.1.0 build1 2018-11-13 ==<br />
* [[14.1.0_Changelog]]<br />
<br />
== 14.0.1 build2 2018-08-27 ==<br />
* Fix issue with captive portal & username capitalization<br />
* Spam Blocker plugin license check fix<br />
<br />
== 14.0.1 build1 2018-08-23 ==<br />
* [[14.0.1_Changelog]]<br />
<br />
== 14.0.0 build5 2018-08-10 ==<br />
* Fix issue with datepicker selecting past month/days<br />
* Fix some LCD issues<br />
* Minor tweaks to reports performance tuning<br />
* Fix certificate verification process<br />
* Fix setup wizard to bridge the wifi to External if Internal is bridged<br />
* Add report title to exported image<br />
* Fix dashboard auto-refresh hang issue<br />
* Fix upgrade issue with some international languages<br />
* Security fixes<br />
<br />
== 14.0.0 build4 2018-07-09 ==<br />
* Fix possible conflict between Tunnel VPN and OpenVPN<br />
* Fix reports data export date range issue<br />
* Fix issue with editing Event Rules<br />
* Fix warning about auth.txt permissions in Tunnel VPN<br />
* Allow multiple of same type conditions in dashboard/reports<br />
* Some changes to setup wizard for AWS deployments<br />
* Improve Captive Portal user cleanup tasks<br />
* Fix Tunnel VPN cleanup on uninstall<br />
<br />
== 14.0.0 build3 2018-06-26 ==<br />
* Fix IPS issue with certain rules<br />
* Fix HTTP port redirect issue<br />
* Fix systemd interference with untangle-vm thread max<br />
* Fix syslog issue logging to incorrect files<br />
<br />
== 14.0.0 build2 2018-06-18 ==<br />
* Fix issue with emailed report summary image width and height<br />
* Add automatic restart of IPsec daemon on certificate change<br />
* Fix ddclient restart issue<br />
* Fix upgrade issue with CD-ROM sources.list<br />
* Fix a widget refresh issue on dashboard<br />
* Fix issue with clicking on pie graphs adding the wrong value<br />
* Add new admin notification for when the timezone has changed<br />
* Fix console issues on firmware builds<br />
<br />
== 14.0.0 build1 2018-06-08 ==<br />
* [[14.0.0 Changelog]]<br />
<br />
== 13.2.1 build2 2018-04-13 ==<br />
* Fix GRE issue where no remote network is specified<br />
* Fix captive portal host table cleanup issue<br />
* Fix network settings conversion issue<br />
<br />
== 13.2.1 build1 2018-04-03 ==<br />
* [[13.2.1 Changelog]]<br />
<br />
== 13.2.0 build3 2018-02-13 ==<br />
* Fix text administration on tty console errors<br />
* Add support for username/password for site-to-site<br />
* Fix Turris Omnia image <br />
* Remove "Automatic" from channel selection options<br />
* Fix Captive Portal HTTPS port issue<br />
* Fix cloned sql conditions when creating reports issue<br />
* Fix to gracefully handle invalid reports<br />
* Fix email quarantine to update when releasing<br />
<br />
== 13.2.0 build2 2018-01-30 ==<br />
* Fix firmware issue with turris and linksys<br />
* Fix openvpn multifactor auth issue<br />
* Fix OVA filesystem resize issue<br />
* Fix port forward simple mode issue<br />
* Fix some scrollbar issues<br />
* Fix IPS settings modification issue<br />
<br />
== 13.2.0 build1 2018-01-16 ==<br />
* [[13.2.0 Changelog]]<br />
<br />
== 13.1.1 build2 2018-01-05 ==<br />
* Fix NIC ordering issue on specific appliance<br />
<br />
== 13.1.1 build1 2017-12-08 ==<br />
* Minor bug fixes [[13.1.1 Changelog]]<br />
<br />
== 13.1.0 build7 2017-10-16 ==<br />
* Upstream security fixes (for [https://www.documentcloud.org/documents/4109401-KRACK-Attacks.html krack] vulnerability)<br />
<br />
== 13.1.0 build6 2017-10-12 ==<br />
* Fix emailed report summaries image issue<br />
* Fix editing port forward rules issue<br />
<br />
== 13.1.0 build5 2017-10-10 ==<br />
* Upstream security fixes<br />
* Fix reports-only users<br />
* Fix quarantine issue<br />
* Fix IPS interface detection<br />
* Fix issue with editing port forward rules<br />
* Fix issue with Virus Blocker displaying invalid license when it is valid<br />
<br />
== 13.1.0 build4 2017-09-26 ==<br />
* 86df013 [src] Fix dates (timezone) issues<br />
* 3c7eb8c [src] Fix PPPoE wizard issues<br />
* 8249ca3 [src] Updated localization strings<br />
<br />
== 13.1.0 build3 2017-09-22 ==<br />
* Fix issues with saving devices/users<br />
* Fix issues with reports browsing and breadcrumbs<br />
* Fix timezone display issue in reports<br />
* Fix saving of Tunnel VPN that occurred for some devices<br />
* Fix PPPoE issues in setup wizard<br />
* Fix more issues with "Reset View"<br />
<br />
== 13.1.0 build2 2017-09-12 ==<br />
* Add more error checking to tunnel VPN import<br />
* Fix setup wizard NIC remapping issue with drag and drop<br />
* Fix "Reset View" odd behavior <br />
<br />
== 13.1.0 build1 2017-09-06 ==<br />
* [[13.1.0 Changelog]]<br />
<br />
== 13.0.0 build8 2017-06-23 ==<br />
* Fix date rendering issue<br />
* Fix UPnP issue and UPnP status display<br />
* Fix restore issue when selecting without network settings<br />
<br />
== 13.0.0 build7 2017-06-22 ==<br />
* Many UI fixes<br />
* Some UI javascript optimizations<br />
<br />
== 13.0.0 build6 2017-06-10 ==<br />
* Many UI fixes<br />
* Upstream security updates<br />
<br />
== 13.0.0 build5 2017-06-01 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build4 2017-05-24 ==<br />
* Many UI fixes<br />
* L2TP fix and IPsec to OpenVPN fix<br />
<br />
== 13.0.0 build3 2017-05-17 ==<br />
* Many UI fixes<br />
* Fix kernel version issue for linksys & turris firmware<br />
<br />
== 13.0.0 build2 2017-05-10 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build1 2017-04-28 ==<br />
* [[13.0.0 Changelog]]<br />
<br />
== 12.2.1 build2 2017-02-09 ==<br />
* Fix an issue with interface usage report<br />
* Many linksys WRT1900ACS improvements<br />
<br />
== 12.2.1 build1 2017-02-01 ==<br />
* [[12.2.1 Changelog]]<br />
<br />
== 12.2.0 build5 2017-01-11 ==<br />
* Fix copy function for email templates<br />
* Fix i18n in captive portal page<br />
* Fix active hosts graph<br />
* Fix reports event logs not returning first entry<br />
* Changed UPnP daemon to version compiled without --igd2<br />
<br />
== 12.2.0 build4 2017-01-05 ==<br />
* Email report rendering improvements<br />
* Default email template changes <br />
* UPnP input filter rules added<br />
* UPnP fixes<br />
<br />
== 12.2.0 build3 2016-12-27 ==<br />
* Fix a web filter rule exception<br />
* Change email image max-width<br />
<br />
== 12.2.0 build2 2016-12-22 ==<br />
* Fix sources.list rewrite<br />
* Fix other small issues<br />
<br />
== 12.1.1 build2 2016-09-15 ==<br />
* Fix more PPPoE issues<br />
<br />
== 12.1.1 build1 2016-09-13 ==<br />
* [[12.1.1 Changelog]]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.1.2_Changelog&diff=2611314.1.2 Changelog2019-04-02T20:43:35Z<p>Dmorris: Created page with "= Summary = 14.1.2 is a minor bugfix release for 14.1.1 = Bugfixes = * Fix systemd boot-up hang * Fix detection of some wifi cards"</p>
<hr />
<div>= Summary =<br />
<br />
14.1.2 is a minor bugfix release for 14.1.1<br />
<br />
= Bugfixes =<br />
<br />
* Fix systemd boot-up hang<br />
* Fix detection of some wifi cards</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=NG_Firewall_Changelogs&diff=26112NG Firewall Changelogs2019-04-02T20:42:53Z<p>Dmorris: </p>
<hr />
<div>The sections below detail notable changes made to the Untangle software in each revision. If an entry has parentheses after it, such as (NGFW-xxxx), it references an issue from [http://jira.untangle.com jira].<br />
<br />
= Major Releases =<br />
<br />
* [[14.1.2 Changelog]]<br />
* [[14.1.1 Changelog]]<br />
* [[14.1.0 Changelog]]<br />
* [[14.0.1 Changelog]]<br />
* [[14.0.0 Changelog]]<br />
* [[13.2.1 Changelog]]<br />
* [[13.2.0 Changelog]]<br />
* [[13.1.1 Changelog]]<br />
* [[13.1.0 Changelog]]<br />
* [[13.0.0 Changelog]]<br />
<br />
= Date Changes =<br />
<br />
Minor builds are newly released updates or builds without a change in the overall MAJOR.MINOR version number. The date changelog shows all changes by date.<br />
<br />
[[Date Changelog]]<br />
<br />
= Active Directory Monitor =<br />
<br />
The Active Directory Monitor software installs on the Active Directory server and is released independently of other products.<br />
<br />
[[Active Directory Monitor Changelog]]<br />
<br />
= Old NGFW Changelogs =<br />
<br />
* [[12.2.1 Changelog]]<br />
* [[12.2.0 Changelog]]<br />
* [[12.1.2 Changelog]]<br />
* [[12.1.1 Changelog]]<br />
* [[12.1.0 Changelog]]<br />
* [[12.0.1 Changelog]]<br />
* [[12.0.0 Changelog]]<br />
* [[11.2.1 Changelog]]<br />
* [[11.2.0 Changelog]]<br />
* [[11.1.0 Changelog]]<br />
* [[11.0.1 Changelog]]<br />
* [[11.0.0 Changelog]]<br />
* [[10.2.1 Changelog]]<br />
* [[10.2.0 Changelog]]<br />
* [[10.1.0 Changelog]]<br />
* [[10.0.0 Changelog]]<br />
* [[9.4.2 Changelog]]<br />
* [[9.4.1 Changelog]]<br />
* [[9.4.0 Changelog]]<br />
* [[9.3.2 Changelog]]<br />
* [[9.3.1 Changelog]]<br />
* [[9.3.0 Changelog]]<br />
* [[9.2.1 Changelog]]<br />
* [[9.2.0 Changelog]]<br />
* [[9.1.1 Changelog]]<br />
* [[9.1.0 Changelog]]<br />
* [[9.0.2 Changelog]]<br />
* [[9.0.1 Changelog]]<br />
* [[9.0.0 Changelog]]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Upstream_Projects&diff=26069Upstream Projects2019-02-12T18:46:37Z<p>Dmorris: </p>
<hr />
<div>[[Category: Developer Wiki]]<br />
This page lists many of the upstream projects used by Untangle.<br />
<br />
<br />
{| class="wikitable" border="1"<br />
|-<br />
! project name<br />
! license<br />
! linked<br />
! modified<br />
! used in<br />
! URL<br />
|-<br />
| linux kernel || GPLv2 ||&nbsp;|| yes || server || [http://kernel.org 1]<br />
|-<br />
| debian || assorted ||&nbsp;||&nbsp;|| server || [http://debian.org 1]<br />
|-<br />
| postgres || BSD ||&nbsp;||&nbsp;|| uvm || [http://postgresql.org 1]<br />
|-<br />
| apache log4j || apache || yes ||&nbsp;|| uvm || [http://logging.apache.org/log4j/docs/ 1]<br />
|-<br />
| apache tomcat || apache || yes ||&nbsp;|| uvm || [http://jakarta.apache.org/tomcat/index.html 1]<br />
|-<br />
| apache fileupload || apache || yes ||&nbsp;|| uvm || [https://commons.apache.org/proper/commons-fileupload/ 1]<br />
|-<br />
| apache io || apache || yes ||&nbsp;|| uvm || [https://commons.apache.org/proper/commons-io/ 1]<br />
|-<br />
| apache httpcomponents || apache || yes ||&nbsp;|| uvm || [https://hc.apache.org/httpcomponents-client-ga/ 1]<br />
|-<br />
| gettext commons || apache || yes || &nbsp; || i18n || [https://code.google.com/archive/p/gettext-commons/ 1]<br />
|-<br />
| dns java || BSD || yes || &nbsp; || uvm || [http://www.xbill.org/dnsjava/ 1]<br />
|-<br />
| javamail || Sun || yes ||&nbsp;|| uvm || [http://java.sun.com/https://vininsights.com/products/javamail/ 1]<br />
|-<br />
| postgresJDBC || BSD || yes ||&nbsp;|| uvm || [http://jdbc.postgresql.org/ 1]<br />
|-<br />
| java (JRE) || GPLv2 ||&nbsp;||&nbsp;|| uvm || [http://openjdk.java.net/ 1]<br />
|-<br />
| clamav || GPLv2 ||&nbsp;||&nbsp;|| virus blocker lite || [http://www.clamav.net/ 1]<br />
|-<br />
| spamassassin || apache ||&nbsp;||&nbsp;|| spam blocker lite || [http://spamassassin.apache.org/ 1]<br />
|-<br />
| velocity || apache ||&nbsp;||&nbsp;|| smtp-casing || [http://jakarta.apache.org/velocity/ 1]<br />
|-<br />
| OpenVPN || GPLv2 ||&nbsp;||&nbsp;|| openvpn || [http://openvpn.net/ 1]<br />
|-<br />
| ExtJS || LGPL ||&nbsp;||&nbsp;|| UI || [http://extjs.com 1]<br />
|-<br />
| GeoIP2 || Apache || yes || &nbsp; || uvm || [https://github.com/maxmind/GeoIP2-java 1]<br />
|-<br />
| libnetfilter-queue || GPLv2 || yes || &nbsp; || nflogd || [http://www.netfilter.org/projects/libnetfilter_queue/ 1]<br />
|-<br />
| libnetfilter-conntrack || GPLv2 || yes || &nbsp; || nflogd || [http://www.netfilter.org/projects/libnetfilter_conntrack/ 1]<br />
|-<br />
| jabsorb || apache || &nbsp; || yes || UI || [http://jabsorb.org/ 1]<br />
|-<br />
| jradius || LGPL || &nbsp; || &nbsp; || directory connector || [http://coova.org/JRadius 1]<br />
|-<br />
| python-jsonrpc || LGPL || &nbsp; || yes || uvm || [http://json-rpc.org/wiki/python-json-rpc 1]<br />
|-<br />
| selenium-java || apache || &nbsp; || &nbsp; || directory connector || [http://www.seleniumhq.org/about/license.jsp 1]<br />
|-<br />
| NSIS || zlib,bzip2 || &nbsp; || &nbsp;|| openvpn,uvm || [http://nsis.sourceforge.net 1]<br />
|-<br />
| Emerging Threats || BSD || &nbsp; || &nbsp; || ips || [http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#Are_the_Emerging_Threats_Rules_R 1]<br />
|-<br />
| suricata || GPLv2 || &nbsp; || &nbsp; || ips || [https://suricata-ids.org/about/open-source/ 1]<br />
<br />
|}<br />
<br />
Many commercial applications use paid OEM technology:<br />
* Spam Blocker<br />
* Virus Blocker<br />
* Web Filter<br />
* Application Control<br />
<br />
Many of these projects also use their own sub-libraries and sub-projects.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=NG_Firewall_Downloads&diff=26065NG Firewall Downloads2019-01-23T22:30:54Z<p>Dmorris: </p>
<hr />
<div>= Current Version =<br />
<br />
== 14.1.1 ==<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Image !! Link <br />
|-<br />
| ISO CD Installer (64-bit/amd64/x64)<br />
| [http://download.untangle.com/untangle_1410_x64.iso untangle_1411_x64.iso]<br />
|-<br />
| IMG USB Installer (64-bit/amd64/x64)<br />
| [http://download.untangle.com/untangle_1410_x64.img untangle_1411_x64.img]<br />
|-<br />
| ISO CD Installer (32-bit/i386)<br />
| [http://download.untangle.com/untangle_1410_x32.iso untangle_1411_x32.iso]<br />
|-<br />
| IMG USB Installer (32-bit/i386)<br />
| [http://download.untangle.com/untangle_1410_x32.img untangle_1411_x32.img]<br />
|-<br />
| OVA Virtual Image <br />
| [http://download.untangle.com/untangle_1410_x64.ova untangle_1411_x64.ova]<br />
|}<br />
<br />
= Old Versions =<br />
<br />
== 14.1.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1401_x32.iso untangle_1410_x32.iso]<br />
* [http://download.untangle.com/untangle_1401_x32.img untangle_1410_x32.img]<br />
* [http://download.untangle.com/untangle_1401_x64.iso untangle_1410_x64.iso]<br />
* [http://download.untangle.com/untangle_1401_x64.img untangle_1410_x64.img]<br />
* [http://download.untangle.com/untangle_1401_x64.ova untangle_1410_x64.ova]<br />
<br />
== 14.0.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1401_x32.iso untangle_1401_x32.iso]<br />
* [http://download.untangle.com/untangle_1401_x32.img untangle_1401_x32.img]<br />
* [http://download.untangle.com/untangle_1401_x64.iso untangle_1401_x64.iso]<br />
* [http://download.untangle.com/untangle_1401_x64.img untangle_1401_x64.img]<br />
* [http://download.untangle.com/untangle_1401_x64.ova untangle_1401_x64.ova]<br />
* [http://download.untangle.com/untangle_1401_linksys_wrt1900acs.zip untangle_1401_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1401_turris_omnia.zip untangle_1401_turris_omnia.zip]<br />
<br />
== 14.0.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1400_x32.iso untangle_1400_x32.iso]<br />
* [http://download.untangle.com/untangle_1400_x32.img untangle_1400_x32.img]<br />
* [http://download.untangle.com/untangle_1400_x64.iso untangle_1400_x64.iso]<br />
* [http://download.untangle.com/untangle_1400_x64.img untangle_1400_x64.img]<br />
* [http://download.untangle.com/untangle_1400_x64.ova untangle_1400_x64.ova]<br />
* [http://download.untangle.com/untangle_1400_linksys_wrt1900acs.zip untangle_1400_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1400_turris_omnia.zip untangle_1400_turris_omnia.zip]<br />
<br />
== 13.2.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1321_x32.iso untangle_1321_x32.iso]<br />
* [http://download.untangle.com/untangle_1321_x32.img untangle_1321_x32.img]<br />
* [http://download.untangle.com/untangle_1321_x64.iso untangle_1321_x64.iso]<br />
* [http://download.untangle.com/untangle_1321_x64.img untangle_1321_x64.img]<br />
* [http://download.untangle.com/untangle_1321_x64.ova untangle_1321_x64.ova]<br />
* [http://download.untangle.com/untangle_1321_linksys_wrt1900acs.zip untangle_1321_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1321_turris_omnia.zip untangle_1321_turris_omnia.zip]<br />
<br />
== 13.2.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1320_x32.iso untangle_1320_x32.iso]<br />
* [http://download.untangle.com/untangle_1320_x32.img untangle_1320_x32.img]<br />
* [http://download.untangle.com/untangle_1320_x64.iso untangle_1320_x64.iso]<br />
* [http://download.untangle.com/untangle_1320_x64.img untangle_1320_x64.img]<br />
* [http://download.untangle.com/untangle_1320_x64.ova untangle_1320_x64.ova]<br />
* [http://download.untangle.com/untangle_1320_linksys_wrt1900acs.zip untangle_1320_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1320_turris_omnia.zip untangle_1320_turris_omnia.zip]<br />
<br />
== 13.1.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1311_x32.iso untangle_1311_x32.iso]<br />
* [http://download.untangle.com/untangle_1311_x32.img untangle_1311_x32.img]<br />
* [http://download.untangle.com/untangle_1311_x64.iso untangle_1311_x64.iso]<br />
* [http://download.untangle.com/untangle_1311_x64.img untangle_1311_x64.img]<br />
* [http://download.untangle.com/untangle_1311_x64.ova untangle_1311_x64.ova]<br />
* [http://download.untangle.com/untangle_1311_linksys_wrt1900acs.zip untangle_1311_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1311_turris_omnia.zip untangle_1311_turris_omnia.zip]<br />
* [http://download.untangle.com/untangle_1311_asus_ac88u.zip untangle_1311_asus_ac88u.zip]<br />
<br />
== 13.1.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1310_x32.iso untangle_1310_x32.iso]<br />
* [http://download.untangle.com/untangle_1310_x32.img untangle_1310_x32.img]<br />
* [http://download.untangle.com/untangle_1310_x64.iso untangle_1310_x64.iso]<br />
* [http://download.untangle.com/untangle_1310_x64.img untangle_1310_x64.img]<br />
* [http://download.untangle.com/untangle_1310_x64.ova untangle_1310_x64.ova]<br />
* [http://download.untangle.com/untangle_1310_linksys_wrt1900acs.zip untangle_1310_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1310_turris_omnia.zip untangle_1310_turris_omnia.zip]<br />
* [http://download.untangle.com/untangle_1310_asus_ac88u.zip untangle_1310_asus_ac88u.zip]<br />
<br />
== 13.0.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1300_x32.iso untangle_1300_x32.iso]<br />
* [http://download.untangle.com/untangle_1300_x32.img untangle_1300_x32.img]<br />
* [http://download.untangle.com/untangle_1300_x64.iso untangle_1300_x64.iso]<br />
* [http://download.untangle.com/untangle_1300_x64.img untangle_1300_x64.img]<br />
* [http://download.untangle.com/untangle_1300_x64.ova untangle_1300_x64.ova]<br />
* [http://download.untangle.com/untangle_1300_linksys_wrt1900acs.zip untangle_1300_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1300_turris_omnia.zip untangle_1300_turris_omnia.zip]<br />
* [http://download.untangle.com/untangle_1300_asus_ac88u.zip untangle_1300_asus_ac88u.zip]<br />
<br />
== 12.2.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1221_x32.iso untangle_1221_x32.iso]<br />
* [http://download.untangle.com/untangle_1221_x32.img untangle_1221_x32.img]<br />
* [http://download.untangle.com/untangle_1221_x64.iso untangle_1221_x64.iso]<br />
* [http://download.untangle.com/untangle_1221_x64.img untangle_1221_x64.img]<br />
* [http://download.untangle.com/untangle_1221_x64.ova untangle_1221_x64.ova]<br />
* [http://download.untangle.com/untangle_1221_linksys_wrt1900acs.rootfs untangle_1221_linksys_wrt1900acs.rootfs]<br />
* [http://download.untangle.com/untangle_1221_linksys_wrt1900acs.trx untangle_1221_linksys_wrt1900acs.trx]<br />
* [http://download.untangle.com/untangle_1221_asus_rt_ac88u.rootfs untangle_1221_asus_rt_ac88u.rootfs]<br />
* [http://download.untangle.com/untangle_1221_asus_rt_ac88u.trx untangle_1221_asus_rt_ac88u.trx]<br />
<br />
== 12.2.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1220_x32.iso untangle_1220_x32.iso]<br />
* [http://download.untangle.com/untangle_1220_x32.img untangle_1220_x32.img]<br />
* [http://download.untangle.com/untangle_1220_x64.iso untangle_1220_x64.iso]<br />
* [http://download.untangle.com/untangle_1220_x64.img untangle_1220_x64.img]<br />
* [http://download.untangle.com/untangle_1220_x64.ova untangle_1220_x64.ova]<br />
<br />
== 12.1.2 ==<br />
<br />
* [http://download.untangle.com/untangle_1212_x32.iso untangle_1212_x32.iso]<br />
* [http://download.untangle.com/untangle_1212_x32.img untangle_1212_x32.img]<br />
* [http://download.untangle.com/untangle_1212_x64.iso untangle_1212_x64.iso]<br />
* [http://download.untangle.com/untangle_1212_x64.img untangle_1212_x64.img]<br />
* [http://download.untangle.com/untangle_1212_x64.ova untangle_1212_x64.ova]<br />
<br />
== 12.1.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1210_x32.iso untangle_1210_x32.iso]<br />
* [http://download.untangle.com/untangle_1210_x32.img untangle_1210_x32.img]<br />
* [http://download.untangle.com/untangle_1210_x64.iso untangle_1210_x64.iso]<br />
* [http://download.untangle.com/untangle_1210_x64.img untangle_1210_x64.img]<br />
* [http://download.untangle.com/untangle_1210_x64.ova untangle_1210_x64.ova]<br />
<br />
== 12.0.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1200_x32.iso untangle_1200_x32.iso]<br />
* [http://download.untangle.com/untangle_1200_x32.img untangle_1200_x32.img]<br />
* [http://download.untangle.com/untangle_1200_x64.iso untangle_1200_x64.iso]<br />
* [http://download.untangle.com/untangle_1200_x64.img untangle_1200_x64.img]<br />
* [http://download.untangle.com/untangle_1200_x64.ova untangle_1200_x64.ova]<br />
<br />
== 11.2.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1121_x32.iso untangle_1121_x32.iso]<br />
* [http://download.untangle.com/untangle_1121_x32.img untangle_1121_x32.img]<br />
* [http://download.untangle.com/untangle_1121_x64.iso untangle_1121_x64.iso]<br />
* [http://download.untangle.com/untangle_1121_x64.img untangle_1121_x64.img]<br />
* [http://download.untangle.com/untangle_1121_x64.ova untangle_1121_x64.ova]<br />
<br />
== 11.2.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1120_x32.iso untangle_1120_x32.iso]<br />
* [http://download.untangle.com/untangle_1120_x32.img untangle_1120_x32.img]<br />
* [http://download.untangle.com/untangle_1120_x64.iso untangle_1120_x64.iso]<br />
* [http://download.untangle.com/untangle_1120_x64.img untangle_1120_x64.img]<br />
* [http://download.untangle.com/untangle_1120_x64.ova untangle_1120_x64.ova]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.1.1_Changelog&diff=2606414.1.1 Changelog2019-01-18T16:00:46Z<p>Dmorris: /* Bugfixes */</p>
<hr />
<div>= Summary =<br />
<br />
14.1.1 is a minor bugfix release for 14.1.0<br />
<br />
= Bugfixes =<br />
<br />
* Remove DHCP mac conflict sanity check<br />
* Fix issue for creating alerts on IntrusionPreventionEvents<br />
* Change default OpenVPN compression on new installs to "compress lz4"<br />
* Fix UI issue with creating event rules in subobjects<br />
* Fix IPS issue with defining custom variables<br />
* Fix suricata failure detection false positive causing restarts<br />
* Upstream security updates<br />
* New fiber NIC drivers</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.1.1_Changelog&diff=2606314.1.1 Changelog2019-01-17T18:04:16Z<p>Dmorris: </p>
<hr />
<div>= Summary =<br />
<br />
14.1.1 is a minor bugfix release for 14.1.0<br />
<br />
= Bugfixes =<br />
<br />
* Remove DHCP mac conflict sanity check<br />
* Fix issue for creating alerts on IntrusionPreventionEvents<br />
* Change default OpenVPN compression on new installs to "compress lz4"<br />
* Fix UI issue with creating event rules in subobjects<br />
* Fix IPS issue with defining custom variables<br />
* Fix suricata failure detection false positive causing restarts<br />
* Upstream security updates</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Date_Changelog&diff=26062Date Changelog2019-01-17T18:00:34Z<p>Dmorris: </p>
<hr />
<div>This is the complete changelog, including every package release that does not have a new major.minor version number. <br />
<br />
Major releases are documented in the primary [[Changelog]].<br />
<br />
== 14.1.1 build1 2019-01-17 ==<br />
* [[14.1.1_Changelog]]<br />
<br />
== 14.1.0 build3 2018-12-03 ==<br />
* Fix python cache issue<br />
* Fix local directory change password issue<br />
* Fix IPS UI issue<br />
* Remove cloudflare from dynamic DNS options<br />
<br />
== 14.1.0 build2 2018-11-14 ==<br />
* Fix issue with creating alert rules<br />
* Fix duplicate condition in UI<br />
* Fix backup/restore supported versions<br />
<br />
== 14.1.0 build1 2018-11-13 ==<br />
* [[14.1.0_Changelog]]<br />
<br />
== 14.0.1 build2 2018-08-27 ==<br />
* Fix issue with captive portal & username capitalization<br />
* Spam Blocker plugin license check fix<br />
<br />
== 14.0.1 build1 2018-08-23 ==<br />
* [[14.0.1_Changelog]]<br />
<br />
== 14.0.0 build5 2018-08-10 ==<br />
* Fix issue with datepicker selecting past month/days<br />
* Fix some LCD issues<br />
* Minor tweaks to reports performance tuning<br />
* Fix certificate verification process<br />
* Fix setup wizard to bridge the wifi to External if Internal is bridged<br />
* Add report title to exported image<br />
* Fix dashboard auto-refresh hang issue<br />
* Fix upgrade issue with some international languages<br />
* Security fixes<br />
<br />
== 14.0.0 build4 2018-07-09 ==<br />
* Fix possible conflict between Tunnel VPN and OpenVPN<br />
* Fix reports data export date range issue<br />
* Fix issue with editing Event Rules<br />
* Fix warning about auth.txt permissions in Tunnel VPN<br />
* Allow multiple of same type conditions in dashboard/reports<br />
* Some changes to setup wizard for AWS deployments<br />
* Improve Captive Portal user cleanup tasks<br />
* Fix Tunnel VPN cleanup on uninstall<br />
<br />
== 14.0.0 build3 2018-06-26 ==<br />
* Fix IPS issue with certain rules<br />
* Fix HTTP port redirect issue<br />
* Fix systemd interference with untangle-vm thread max<br />
* Fix syslog issue logging to incorrect files<br />
<br />
== 14.0.0 build2 2018-06-18 ==<br />
* Fix issue with emailed report summary image width and height<br />
* Add automatic restart of IPsec daemon on certificate change<br />
* Fix ddclient restart issue<br />
* Fix upgrade issue with CD-ROM sources.list<br />
* Fix a widget refresh issue on dashboard<br />
* Fix issue with clicking on pie graphs adding the wrong value<br />
* Add new admin notification for when the timezone has changed<br />
* Fix console issues on firmware builds<br />
<br />
== 14.0.0 build1 2018-06-08 ==<br />
* [[14.0.0 Changelog]]<br />
<br />
== 13.2.1 build2 2018-04-13 ==<br />
* Fix GRE issue where no remote network is specified<br />
* Fix captive portal host table cleanup issue<br />
* Fix network settings conversion issue<br />
<br />
== 13.2.1 build1 2018-04-03 ==<br />
* [[13.2.1 Changelog]]<br />
<br />
== 13.2.0 build3 2018-02-13 ==<br />
* Fix text administration on tty console errors<br />
* Add support for username/password for site-to-site<br />
* Fix Turris Omnia image <br />
* Remove "Automatic" from channel selection options<br />
* Fix Captive Portal HTTPS port issue<br />
* Fix cloned sql conditions when creating reports issue<br />
* Fix to gracefully handle invalid reports<br />
* Fix email quarantine to update when releasing<br />
<br />
== 13.2.0 build2 2018-01-30 ==<br />
* Fix firmware issue with turris and linksys<br />
* Fix openvpn multifactor auth issue<br />
* Fix OVA filesystem resize issue<br />
* Fix port forward simple mode issue<br />
* Fix some scrollbar issues<br />
* Fix IPS settings modification issue<br />
<br />
== 13.2.0 build1 2018-01-16 ==<br />
* [[13.2.0 Changelog]]<br />
<br />
== 13.1.1 build2 2018-01-05 ==<br />
* Fix NIC ordering issue on specific appliance<br />
<br />
== 13.1.1 build1 2017-12-08 ==<br />
* Minor bug fixes [[13.1.1 Changelog]]<br />
<br />
== 13.1.0 build7 2017-10-16 ==<br />
* Upstream security fixes (for [https://www.documentcloud.org/documents/4109401-KRACK-Attacks.html krack] vulnerability)<br />
<br />
== 13.1.0 build6 2017-10-12 ==<br />
* Fix emailed report summaries image issue<br />
* Fix editing port forward rules issue<br />
<br />
== 13.1.0 build5 2017-10-10 ==<br />
* Upstream security fixes<br />
* Fix reports-only users<br />
* Fix quarantine issue<br />
* Fix IPS interface detection<br />
* Fix issue with editing port forward rules<br />
* Fix issue with Virus Blocker displaying invalid license when it is valid<br />
<br />
== 13.1.0 build4 2017-09-26 ==<br />
* 86df013 [src] Fix dates (timezone) issues<br />
* 3c7eb8c [src] Fix PPPoE wizard issues<br />
* 8249ca3 [src] Updated localization strings<br />
<br />
== 13.1.0 build3 2017-09-22 ==<br />
* Fix issues with saving devices/users<br />
* Fix issues with reports browsing and breadcrumbs<br />
* Fix timezone display issue in reports<br />
* Fix saving of Tunnel VPN that occurred for some devices<br />
* Fix PPPoE issues in setup wizard<br />
* Fix more issues with "Reset View"<br />
<br />
== 13.1.0 build2 2017-09-12 ==<br />
* Add more error checking to tunnel VPN import<br />
* Fix setup wizard NIC remapping issue with drag and drop<br />
* Fix "Reset View" odd behavior <br />
<br />
== 13.1.0 build1 2017-09-06 ==<br />
* [[13.1.0 Changelog]]<br />
<br />
== 13.0.0 build8 2017-06-23 ==<br />
* Fix date rendering issue<br />
* Fix UPnP issue and UPnP status display<br />
* Fix restore issue when selecting without network settings<br />
<br />
== 13.0.0 build7 2017-06-22 ==<br />
* Many UI fixes<br />
* Some UI javascript optimizations<br />
<br />
== 13.0.0 build6 2017-06-10 ==<br />
* Many UI fixes<br />
* Upstream security updates<br />
<br />
== 13.0.0 build5 2017-06-01 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build4 2017-05-24 ==<br />
* Many UI fixes<br />
* L2TP fix and IPsec to OpenVPN fix<br />
<br />
== 13.0.0 build3 2017-05-17 ==<br />
* Many UI fixes<br />
* Fix kernel version issue for linksys & turris firmware<br />
<br />
== 13.0.0 build2 2017-05-10 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build1 2017-04-28 ==<br />
* [[13.0.0 Changelog]]<br />
<br />
== 12.2.1 build2 2017-02-09 ==<br />
* Fix an issue with interface usage report<br />
* Many linksys WRT1900ACS improvements<br />
<br />
== 12.2.1 build1 2017-02-01 ==<br />
* [[12.2.1 Changelog]]<br />
<br />
== 12.2.0 build5 2017-01-11 ==<br />
* Fix copy function for email templates<br />
* Fix i18n in captive portal page<br />
* Fix active hosts graph<br />
* Fix reports event logs not returning first entry<br />
* Changed UPnP daemon to version compiled without --igd2<br />
<br />
== 12.2.0 build4 2017-01-05 ==<br />
* Email report rendering improvements<br />
* Default email template changes <br />
* UPnP input filter rules added<br />
* UPnP fixes<br />
<br />
== 12.2.0 build3 2016-12-27 ==<br />
* Fix a web filter rule exception<br />
* Change email image max-width<br />
<br />
== 12.2.0 build2 2016-12-22 ==<br />
* Fix sources.list rewrite<br />
* Fix other small issues<br />
<br />
== 12.1.1 build2 2016-09-15 ==<br />
* Fix more PPPoE issues<br />
<br />
== 12.1.1 build1 2016-09-13 ==<br />
* [[12.1.1 Changelog]]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.1.1_Changelog&diff=2606114.1.1 Changelog2019-01-17T17:58:53Z<p>Dmorris: Created page with "= Summary = 14.1.1 is a minor bugfix release for 14.1.0 = Bugfixes = * Remove DHCP mac conflict sanity check * Fix issue for creating alerts on IntrusionPreventionEvents *..."</p>
<hr />
<div>= Summary =<br />
<br />
14.1.1 is a minor bugfix release for 14.1.0<br />
<br />
= Bugfixes =<br />
<br />
* Remove DHCP mac conflict sanity check<br />
* Fix issue for creating alerts on IntrusionPreventionEvents<br />
* Change default OpenVPN compression on new installs to "compress lz4"<br />
* Fix UI issue with creating event rules in subobjects<br />
* Fix IPS issue with defining custom variables<br />
* Fix suricata failure detection false positive causing restarts</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=NG_Firewall_Changelogs&diff=26060NG Firewall Changelogs2019-01-17T17:35:18Z<p>Dmorris: </p>
<hr />
<div>The sections below detail notable changes made to the Untangle software in each revision. If an entry has parentheses after it, such as (NGFW-xxxx), it references an issue from [http://jira.untangle.com jira].<br />
<br />
= Major Releases =<br />
<br />
* [[14.1.1 Changelog]]<br />
* [[14.1.0 Changelog]]<br />
* [[14.0.1 Changelog]]<br />
* [[14.0.0 Changelog]]<br />
* [[13.2.1 Changelog]]<br />
* [[13.2.0 Changelog]]<br />
* [[13.1.1 Changelog]]<br />
* [[13.1.0 Changelog]]<br />
* [[13.0.0 Changelog]]<br />
<br />
= Date Changes =<br />
<br />
Minor builds are newly released updates or builds without a change in the overall MAJOR.MINOR version number. The date changelog shows all changes by date.<br />
<br />
[[Date Changelog]]<br />
<br />
= Active Directory Monitor =<br />
<br />
The Active Directory Monitor software installs on the Active Directory server and is released independently of other products.<br />
<br />
[[Active Directory Monitor Changelog]]<br />
<br />
= Old NGFW Changelogs =<br />
<br />
* [[12.2.1 Changelog]]<br />
* [[12.2.0 Changelog]]<br />
* [[12.1.2 Changelog]]<br />
* [[12.1.1 Changelog]]<br />
* [[12.1.0 Changelog]]<br />
* [[12.0.1 Changelog]]<br />
* [[12.0.0 Changelog]]<br />
* [[11.2.1 Changelog]]<br />
* [[11.2.0 Changelog]]<br />
* [[11.1.0 Changelog]]<br />
* [[11.0.1 Changelog]]<br />
* [[11.0.0 Changelog]]<br />
* [[10.2.1 Changelog]]<br />
* [[10.2.0 Changelog]]<br />
* [[10.1.0 Changelog]]<br />
* [[10.0.0 Changelog]]<br />
* [[9.4.2 Changelog]]<br />
* [[9.4.1 Changelog]]<br />
* [[9.4.0 Changelog]]<br />
* [[9.3.2 Changelog]]<br />
* [[9.3.1 Changelog]]<br />
* [[9.3.0 Changelog]]<br />
* [[9.2.1 Changelog]]<br />
* [[9.2.0 Changelog]]<br />
* [[9.1.1 Changelog]]<br />
* [[9.1.0 Changelog]]<br />
* [[9.0.2 Changelog]]<br />
* [[9.0.1 Changelog]]<br />
* [[9.0.0 Changelog]]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=IPsec_VPN&diff=26059IPsec VPN2019-01-17T17:21:09Z<p>Dmorris: </p>
<hr />
<div>[[Category:Applications]]<br />
<span style="display:none" class="helpSource ipsec_vpn">IPsec_VPN</span><br />
<span style="display:none" class="helpSource ipsec_vpn_status">IPsec_VPN#Status</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_options">IPsec_VPN#IPsec_Options</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_tunnels">IPsec_VPN#IPsec_Tunnels</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_options">IPsec_VPN#L2TP_Options</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_events">IPsec_VPN#L2TP_Events</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_log">IPsec_VPN#L2TP_Log</span><br />
<span style="display:none" class="helpSource ipsec_vpn_vpn_config">IPsec_VPN#VPN_Config</span><br />
<span style="display:none" class="helpSource ipsec_vpn_gre_networks">IPsec_VPN#GRE_Networks</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_state">IPsec_VPN#IPsec_State</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_policy">IPsec_VPN#IPsec_Policy</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_log">IPsec_VPN#IPsec_Log</span><br />
<br />
{| width='100%'<br />
|-<br />
| align="center" | [[Image:IPsecVPN.png|128px]] &nbsp; &nbsp; '''IPsec VPN'''<br />
| align="center" |<br />
{|<br />
|-<br />
| Other Links:<br />
|-<br />
|[http://www.untangle.com/store/ipsec-conf.html IPsec VPN Description Page]<br />
|-<br />
|[http://demo.untangle.com/admin/index.do#service/ipsec-vpn IPsec VPN Demo]<br />
|-<br />
|[http://forums.untangle.com/ipsec-vpn/ IPsec VPN Forums]<br />
|-<br />
|[[IPsec VPN Reports]]<br />
|-<br />
|[[IPsec VPN FAQs]]<br />
|}<br />
|}<br />
<br><br />
----<br />
<br />
== About IPsec VPN ==<br />
<br />
The '''IPsec VPN''' service provides secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.<br />
<br />
The [[VPN Overview]] article provides some general guidance on which VPN technology may be the best fit for different scenarios.<br />
<br />
== Settings ==<br />
<br />
This section reviews the different settings and configuration options available for IPsec VPN.<br />
<br />
=== <u>Status</u> ===<br />
<br />
The Status tab shows the status of the different components of the IPsec application.<br />
<br />
* '''Enabled IPsec Tunnels'''<br />
:This section shows a list of all IPsec tunnels that have been created and enabled. For tunnels that are active, the status will display the connection details reported by the IPsec subsystem. For inactive tunnels, the configuration information will be displayed.<br />
<br />
* ''' Active VPN Sessions '''<br />
: This section shows a list of all active L2TP and Xauth connections. In addition to the connection details, there is a Disconnect column that can be used to forcefully disconnect an active session. Please note that there is no confirmation when you click the Disconnect icon. The corresponding session will be immediately terminated.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|status}}<br />
<br />
<br />
=== <u>IPsec Options</u> ===<br />
<br />
* '''Bypass all IPsec traffic'''<br />
: When this checkbox is enabled, traffic from IPsec tunnels will bypass all applications and services on the Untangle server. This was the only behavior available in previous versions of Untangle, so this option is enabled by default to maintain equivalent functionality on upgrade. If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services.<br />
<br />
: Also please note that this only applies to plain IPsec tunnels. Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-options}}<br />
<br />
<br />
=== <u>IPsec Tunnels</u> ===<br />
<br />
The IPsec Tunnels tab is where you create and manage the IPsec VPN configuration. The main tab display shows a summary of all IPsec tunnels that have been created.<br />
<br />
* ''' Tunnel Editor '''<br />
: When you create a new tunnel, or edit an existing tunnel, the tunnel editor screen will appear with the following configurable settings:<br />
<br />
{| border="1" cellpadding="2" width="85%" align="center"<br />
|+<br />
! Name !! Description<br />
|-<br />
|width="15%"|'''Enable'''<br />
|width="70%"|This checkbox allows you to set a tunnel to either enabled or disabled.<br />
|-<br />
|'''Description'''<br />
|This field should contain a short name or description.<br />
|- <br />
|'''Connection Type'''<br />
|This field allows you to set the connection type to any of the following:<br />
<br />
*Select Tunnel to specify a host-to-host, host-to-subnet, or subnet-to-subnet tunnel. This is by far the most common connection type.<br />
* Select Transport to specify a host-to-host transport mode tunnel. This connection type is much less common, and would generally only be used if you are attempting to establish an IPsec connection to another host which specifically requires this mode.<br />
|-<br />
|'''Auto Mode'''<br />
|This field controls how IPsec manages the corresponding tunnel when the IPsec process restarts:<br />
<br />
* Select Start to have the tunnel automatically loaded, routes inserted, and connection initiated.<br />
* Select Add to have the tunnel load in standby mode, waiting to respond to an incoming connection request.<br />
|- <br />
|'''Interface'''<br />
|This field allows you to select the network interface that should be associated with the IPsec tunnel on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.<br />
|- <br />
|'''External IP'''<br />
|Use this field to configure the IP address that is associated with the IPsec VPN on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.<br />
|- <br />
|'''Remote Host'''<br />
|This field should contain the public IP address or DNS name of the host to which the IPsec VPN will be connected.<br />
: '''WARNING''' - Using host names with IPsec tunnels can often cause problems, especially if you have also enabled the L2TP/Xauth VPN server. We '''strongly''' recommend the use of IP addresses in the ''Remote Host'' field. <br />
|-<br />
|'''Local Identifier'''<br />
|This field is used to configure the local identifier used for authentication. When this field is blank, the value in the ''External IP'' field will be used.<br />
|-<br />
|'''Remote Identifier'''<br />
|This field is used to configure the remote identifier used for authentication. When this field is blank, the value in the Remote Host field will be used.<br />
:'''IMPORTANT''' - If the remote host is located behind any kind of NAT device, you may need to use the value <TT>%any</TT> in this field for a connection to be successfully established.<br />
|- <br />
|'''Local Network'''<br />
|This field is used to configure the local network that will be reachable from hosts on the other side of the IPsec VPN.<br />
|-<br />
|'''Remote Network'''<br />
|This field is used to configure the remote network that will be reachable from hosts on the local side of the IPsec VPN.<br />
|-<br />
|'''Shared Secret'''<br />
|This field should contain the shared secret or PSK (pre-shared key) that is used to authenticate the connection, and must be the same on both sides of the tunnel for the connection to be successful. Because the PSK is actually used as the encryption key for the session, using long strings of a random nature will provide the highest level of security.<br />
|-<br />
|'''DPD Interval'''<br />
|The number of seconds between R_U_THERE messages. Enter 0 to disable this feature.<br />
|-<br />
|'''DPD Timeout'''<br />
| The number of seconds for a dead peer tunnel to be restarted.<br />
|-<br />
|'''Authentication and SA/Key Exchange'''<br />
| If you leave the Phase 1 and Phase 2 manual configuration checkboxes disabled, IPsec will attempt to automatically negotiate the encryption protocol with the remote peer when creating the tunnel. Given the number of different IPsec implementations and versions, as well as the overall complexity of the protocol, best results can often be achieved by enabling manual configuration of these two options, and selecting Encryption, Hash, DH Key Group, and Lifetime values that exactly match the settings configured on the peer device.<br />
|}<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-tunnels}}<br />
<br />
<br />
=== <u>VPN Config</u> ===<br />
<br />
The VPN Config tab allows you to enable and configure the L2TP/Xauth server.<br />
<br />
L2TP and Xauth are two protocols that are natively supported by many devices. This makes L2TP and Xauth good options when simpler and better solutions like OpenVPN are not possible, because OpenVPN requires installing a third-party app on the device, which cannot always be done. If installing third-party applications is possible, OpenVPN will usually be a better-performing, simpler, and more reliable option.<br />
<br />
If installing third-party apps on the remote device is not possible, L2TP and Xauth are more appropriate. Xauth is newer and is the preferable option. <br />
<br />
<br />
[[File:alert.jpg|right|100px|caption]]<br />
<br />
'''WARNING:''' Using L2TP is '''NOT RECOMMENDED'''. L2TP is only suggested when OpenVPN and Xauth are not options. L2TP is an older protocol. It also has many issues going through NAT (on both ends) and has the limitation of only supporting a single device from a single public IP address. Only a single device on any given network (behind a single public IP address) can connect at once.<br />
<br />
'''IMPORTANT: L2TP is only suggested as a last resort when other more appropriate options are not available!'''<br />
<br />
<br />
*'''Enable L2TP/Xauth Server'''<br />
: Use this checkbox to enable or disable the L2TP/Xauth server.<br />
<br />
*'''L2TP Address Pool'''<br />
: This field configures the pool of IP addresses that will be assigned to L2TP clients while they are connected to the server. The default 198.18.0.0/16 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network.<br />
<br />
*'''Xauth Address Pool'''<br />
: This field configures the pool of IP addresses that will be assigned to Xauth clients while they are connected to the server. The default 198.19.0.0/16 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network.<br />
<br />
*''' Custom DNS Servers'''<br />
: Leave both of these fields blank to have L2TP and Xauth clients use the Untangle server for all DNS resolution. Alternatively, if you have other DNS servers you want clients to use, you can enter IP addresses in these fields.<br />
<br />
*'''IPsec Secret'''<br />
: This is the shared secret that will be used between the client and server to establish the IPsec channel that will secure all L2TP and Xauth communications.<br />
<br />
*'''User Authentication'''<br />
: In addition to the IPsec Secret configured above, VPN clients will also need to authenticate with a username and password. To use the Local Directory, select this option and click the ''Configure Local Directory'' button to manage user credentials. Alternatively, you can use an external RADIUS server for authentication by selecting the RADIUS option, and clicking the Configure RADIUS button to configure the RADIUS server options.<br />
<br />
*'''Server Listen Addresses'''<br />
: This list is used to configure one or more of your server IP addresses to listen for inbound VPN connection requests from remote clients. Clicking the add button will insert a new line allowing the entry of another server IP address.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|vpn-config}}<br />
<br />
=== <u>GRE Networks</u> ===<br />
<br />
The GRE Networks tab is where you create and manage connections to remote GRE servers. Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.<br />
<br />
'''GRE Address Pool'''<br />
<br />
This field configures the pool of IP addresses that will be assigned to interfaces created and associated with tunnels added on the GRE Networks tab. The default 198.51.100.0/24 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network. If you use GRE to connect multiple Untangle servers together, you may need to configure a different, unused pool on each server.<br />
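The L2TP, Xauth and GRE address pools described above must not overlap each other or any network the server already routes. The following Python check is an added example, not part of the Untangle software or its documentation: the three default pools are taken from this page, while the site networks and all function names are constructed for illustration.<br />

```python
import ipaddress
from itertools import combinations

# Default pools quoted in the VPN Config and GRE Networks sections of this page.
DEFAULT_POOLS = {
    "L2TP Address Pool": "198.18.0.0/16",
    "Xauth Address Pool": "198.19.0.0/16",
    "GRE Address Pool": "198.51.100.0/24",
}

# Constructed sample site (hypothetical values, not from the page).
SAMPLE_NETWORKS = {
    "LAN": "192.168.1.0/24",
    "IPsec tunnel Remote Network": "10.20.0.0/16",
    "Peer server GRE pool": "198.51.100.0/24",
    "Lab network": "198.18.5.1/24",  # host bits set, as often typed into a form
}


def parse_networks(named_cidrs):
    """Parse {name: CIDR string} into {name: ip_network}.

    Host bits are masked off (strict=False) so "198.18.5.1/24" is read as
    198.18.5.0/24. Invalid input raises ValueError naming the offending field.
    """
    parsed = {}
    for name, cidr in named_cidrs.items():
        try:
            parsed[name] = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"{name}: {cidr!r} is not valid CIDR ({exc})") from None
    return parsed


def _overlap(a, b):
    """Return the shared range of two networks as a string, or None."""
    if a.version != b.version or not a.overlaps(b):
        return None
    # Two overlapping CIDR blocks always nest, so the shared range is the
    # more specific (longer-prefix) of the two.
    return str(a if a.prefixlen >= b.prefixlen else b)


def find_pool_conflicts(pools, networks):
    """Return [(name_a, name_b, shared_range), ...] for every conflict.

    pools    -- address pools handed out to VPN clients or tunnel interfaces
    networks -- networks already in use (LAN, remote networks, peer pools)
    Pool-vs-pool conflicts are listed first, then pool-vs-network conflicts.
    """
    pool_nets = parse_networks(pools)
    used_nets = parse_networks(networks)
    conflicts = []

    for (name_a, net_a), (name_b, net_b) in combinations(pool_nets.items(), 2):
        shared = _overlap(net_a, net_b)
        if shared:
            conflicts.append((name_a, name_b, shared))

    for pool_name, pool_net in pool_nets.items():
        for used_name, used_net in used_nets.items():
            shared = _overlap(pool_net, used_net)
            if shared:
                conflicts.append((pool_name, used_name, shared))

    return conflicts


if __name__ == "__main__":
    for a, b, shared in find_pool_conflicts(DEFAULT_POOLS, SAMPLE_NETWORKS):
        print(f"CONFLICT: {a} and {b} both cover {shared}")
```

Running the check before linking two servers over GRE shows whether one side needs a different pool, as the paragraph above advises.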
<br />
<br />
The main tab display shows a summary of all GRE Networks that have been created.<br />
<br />
* ''' Network Editor '''<br />
: When you create a new GRE Network, or edit an existing network, the network editor screen will appear with the following configurable settings:<br />
<br />
{| border="1" cellpadding="2" width="85%" align="center"<br />
|+<br />
! Name !! Description<br />
|-<br />
|width="15%"|'''Enable'''<br />
|width="70%"|This checkbox allows you to set a network to either enabled or disabled.<br />
|-<br />
|'''Description'''<br />
|This field should contain a short name or description.<br />
|- <br />
|'''Interface'''<br />
|This field allows you to select the network interface that should be associated with the GRE Network on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.<br />
|- <br />
|'''External IP'''<br />
|Use this field to configure the IP address that is associated with the GRE Network on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.<br />
|- <br />
|'''Remote Host'''<br />
|This field should contain the public IP address of the host to which the GRE tunnel will be connected.<br />
|- <br />
|'''Remote Networks'''<br />
|This field is used to configure the list of remote network traffic that should be routed across this GRE tunnel. Networks should be entered one per line in CIDR (192.168.123.0/24) format.<br />
|}<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|gre-networks}}<br />
<br />
<br />
=== <u>IPsec State</u> ===<br />
<br />
The IPsec State tab allows you to see the status of all established IPsec connections. There will typically be two entries per tunnel, one with details about the local side of the connection, and another with details about the remote side of the connection.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-state}}<br />
<br />
<br />
=== <u>IPsec Policy</u> ===<br />
<br />
The IPsec Policy tab allows you to see the routing table rules associated with each IPsec VPN that is active.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-policy}}<br />
<br />
<br />
=== <u>IPsec Log</u> ===<br />
<br />
The IPsec Log tab allows you to see the low level status messages that are generated by the underlying IPsec protocol components. This information can be very helpful when attempting to diagnose connection problems or other IPsec issues.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-log}}<br />
<br />
<br />
=== <u>L2TP Log</u> ===<br />
<br />
The L2TP Log tab allows you to see the low level status messages that are generated by the underlying L2TP protocol daemon. This information can be very helpful when attempting to diagnose connection problems or other L2TP issues.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|l2tp-log}}<br />
<br />
<br />
== Reports ==<br />
<br />
{{:IPsec VPN Reports}}<br />
<br />
<br />
== Related Topics ==<br />
<br />
[[OpenVPN]]<br />
<br />
<br />
== IPsec VPN FAQs ==<br />
<br />
{{:IPsec VPN FAQs}}</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Firewall&diff=26058Firewall2019-01-15T19:40:26Z<p>Dmorris: </p>
<hr />
<div>[[Category:Applications]]<br />
<span style="display:none" class="helpSource firewall">Firewall</span><br />
<span style="display:none" class="helpSource firewall_status">Firewall#Status</span><br />
<span style="display:none" class="helpSource firewall_rules">Firewall#Rules</span><br />
<span style="display:none" class="helpSource firewall_event_log">Firewall#Event_Log</span><br />
<br />
{| width='100%'<br />
|-<br />
| align="center" | [[Image:Firewall.png|128px]] &nbsp; &nbsp; '''Firewall'''<br />
| align="center" |<br />
{|<br />
|-<br />
| Other Links:<br />
|-<br />
|[http://www.untangle.com/store/firewall.html Firewall Description Page]<br />
|-<br />
|[http://demo.untangle.com/admin/index.do#apps/1/firewall Firewall Demo]<br />
|-<br />
|[http://forums.untangle.com/firewall/ Firewall Forums]<br />
|-<br />
|[[Firewall Reports]]<br />
|-<br />
|[[Firewall FAQs]]<br />
|}<br />
|}<br />
<br/><br />
----<br />
<br />
<br />
== About Firewall ==<br />
<br />
Firewall provides traditional [http://en.wikipedia.org/wiki/Firewall firewall] functionality, blocking and/or flagging traffic based on rules. <br />
<br />
The term "Firewall" has grown to encompass many functionalities and has a wide array of meanings.<br />
The term "firewall" is often used interchangeably with "router", "gateway", and "UTM" or "Unified Threat Management".<br />
Even the Untangle NGFW is a "next-gen" "firewall." There are also host-based "firewalls" that run on the local host computer.<br />
<br />
The "Firewall" app itself is a traditional firewall used to block and/or flag TCP and UDP sessions passing through Untangle using rules. The ''Firewall'' app provides the same functionality as the traditional "firewall": the ability to use rules to control which computers can communicate on a network.<br />
<br />
<br />
== Settings ==<br />
<br />
This section reviews the different settings and configuration options available for Firewall.<br />
<br />
<br />
=== Status ===<br />
<br />
This displays the current status and some statistics.<br />
<br />
{{AppScreenshot|firewall|status}}<br />
<br />
<br />
=== Rules ===<br />
<br />
The '''Rules''' tab allows you to specify rules to Block, Pass or Flag traffic that crosses the Untangle server.<br />
<br />
The [[Rules|Rules documentation]] describes how rules work and how they are configured. Firewall uses rules to determine whether to block or pass a specific session, and whether the session is flagged. Flagging a session marks it in the logs for reviewing in the event logs or reports, but has no direct effect on the network traffic.<br />
<br />
Typically Untangle is installed as a NAT/gateway device, or behind another NAT/gateway device in bridge mode. In this scenario all inbound sessions are blocked by NAT except those explicitly allowed with port forwards. Because of this, the Firewall '''does not block anything by default'''. It is up to you to decide the best fit for your network, whether you only want to block specific ports or you want to block everything and allow only a few services.<br />
<br />
<br />
=== Rule Actions ===<br />
<br />
* '''Pass''': Allows the traffic which matched the rule to flow.<br />
* '''Block''': Blocks the traffic which matched the rule.<br />
<br />
Additionally a session can be flagged. If '''Flag''' is checked the event is flagged for easier viewing in the event log. Flag is always enabled if the action is Block.<br />
<br />
{{AppScreenshot|firewall|rules}}<br />
<br />
<br />
== Reports ==<br />
<br />
{{:Firewall Reports}}<br />
<br />
<br />
== Related Topics ==<br />
<br />
[[User Guide]]<br />
<br />
<br />
== Firewall FAQs ==<br />
<br />
{{:Firewall FAQs}}</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Local_Users&diff=26057Local Users2019-01-07T19:01:14Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource local_directory_local_users">Local_Users</span><br />
<br />
= Local Users =<br />
<br />
''Local Users'' stores a list of users that can be used by the applications.<br />
For example, [[Captive Portal]] can use the local directory to authenticate users.<br />
<br />
{{BiScreenshot|config|local-directory}}<br />
<br />
To add new users, click on the Add button. You must supply a username, first name, last name, email address, and password. Only the administrator can set the password for a given user. Users can be imported or exported using the import/export buttons on the upper right. <br />
<br />
An expiration date can be specified for a user. If the expiration date has passed that user will no longer be authenticated.<br />
<br />
To use the Local Directory, simply configure [[Captive Portal]] to authenticate against the Local Directory while requiring user authentication.<br />
<br />
'''WARNING:''' Typically, when passwords are stored, password hashes are saved and the original cleartext password is forgotten so administrators do not have access to user passwords. However, the passwords for users in the local directory are stored in cleartext because some applications and features (L2TP) depend on access to the cleartext password. Administrators do have access to cleartext user passwords and caution is advised.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Certificates&diff=26056Certificates2019-01-03T18:48:50Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource administration_certificates">Certificates</span><br />
<br />
= Certificates =<br />
<br />
{{TriScreenshot|config|administration|certificates}}<br />
<br />
==About Digital Certificates==<br />
<br />
The Untangle Server uses<br />
[http://en.wikipedia.org/wiki/Digital_Certificate digital certificates]<br />
when serving web content via<br />
[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL].<br />
The server certificate is mainly used to provide secure access to the Administrative Console, as well as<br />
the Email Quarantine features. The server also needs to generate imitation certificates on the fly when<br />
using the [[SSL Inspector]] application. There are two different ways to configure the certificate used by<br />
your server, depending on your specific requirements:<br />
<br />
# Create and use a server certificate signed by the internal certificate authority<br />
# Create a Certificate Signing Request [http://en.wikipedia.org/wiki/Certificate_signing_request (CSR)] which you can have signed by a third party certificate authority.<br />
<br />
If you plan on using the SSL Inspector application, option #1 is likely a good choice. Since you'll need to<br />
install the root certificate on all client computers and devices to use SSL Inspector effectively, it makes<br />
sense to also sign the certificate used by the Untangle server with this same CA.<br />
<br />
If you aren't going to use the SSL Inspector, or have some other reason to prefer a third party<br />
certificate, then option #2 may be a better choice. This will allow you to obtain and use a server<br />
certificate signed by a third party authority. The benefit here, assuming you use one of the<br />
standard and well known providers, is that their root certificate will already be included in<br />
the list of trusted CAs on client computers and devices, so you won't have to distribute and install<br />
a new root certificate.<br />
<br />
==Certificate Authority==<br />
During the initial server installation, a default Certificate Authority<br />
[http://en.wikipedia.org/wiki/Certificate_Authority (CA)]<br />
was created automatically. This CA is used to create and sign imitation certificates that are generated on<br />
the fly by the SSL Inspector application. It was also used to sign the default server certificate used<br />
by the server itself. You can use the default CA as is, or you can generate a new CA if you want to<br />
customize the information contained in the root certificate.<br />
<br />
===Generate Certificate Authority===<br />
When you click this button to generate a new CA, you will be presented with a popup form where you can<br />
enter the details to be included in the Subject DN of the new root certificate. Since this operation is creating a root certificate and not a<br />
server certificate, the CN field can contain almost anything you like. Once the form is complete and you click<br />
the Generate button, the new CA will be created and the Certificate Authority information fields will be<br />
updated to display the contents of the new certificate.<br />
<br />
===Download Root Certificate===<br />
Click this button to download the root_authority.crt certificate file of the Certificate Authority on<br />
the Untangle server. If you are using SSL Inspector, or if you have configured your Untangle server<br />
to use a server certificate signed by the internal Certificate Authority, you will need to download<br />
and install this certificate on all client computers and devices to eliminate certificate warning messages<br />
when browsing or accessing secure content.<br />
<br />
===Download Root Certificate Installer===<br />
This button downloads a Windows installer that will automatically deploy the root certificate to Windows devices. This will allow for more efficient deployment of the root certificate above. Once installed, this will eliminate certificate warning messages when browsing or accessing secure content, or when using the HTTPS captive portal.<br />
<br />
==Server Certificate==<br />
The Server Certificate is used to secure all HTTPS connections with the Untangle server. This mainly<br />
applies to the Administrative Console and the Email Quarantine pages.<br />
<br />
During the initial server installation, a default certificate is created and signed using the<br />
default Certificate Authority that was also created during installation. You can use the default<br />
root certificate as is, or you can generate a new server certificate if you want to customize the<br />
information contained in the server certificate.<br />
<br />
===Generate Server Certificate===<br />
When you click this button to generate a new server certificate, you will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the server certificate. All fields<br />
are optional except for the Common Name (CN) field, which should contain the hostname that will be used<br />
to access the server.<br />
<br />
<b>Example:</b> hostname.domain.com<br />
<br />
Once the form is complete and you click the Generate button, the new server certificate will be<br />
created and the Untangle server will start using it immediately. The Server Certificate information<br />
fields will also be updated to display the contents of the new certificate.<br />
<br />
==Third Party Certificate==<br />
Instead of using a certificate signed by the local CA, you may instead prefer to have the Untangle server<br />
use a certificate signed by a well-known CA such as VeriSign or Thawte. The advantage to using this type<br />
of certificate is that client computers and devices will need no additional configuration, since most browsers<br />
are already configured to trust certificates issued by these authorities.<br />
<br />
'''NOTE:''' This has nothing to do with [[SSL Inspector]] and is just the certificate used when connecting to web services running on the Untangle server itself (Administration, Captive Portal, Quarantine, etc).<br />
<br />
===Upload Server Certificate===<br />
Click the ''Upload Server Certificate'' button to upload an official signed certificate provided by a CA, or a certificate that you generated yourself.<br />
<br />
Certificates from CAs are provided in many different formats. The ''Import a certificate or key file'' button can be used to upload the certificates and keys. First, press ''Import a certificate or key file'' and select the certificate. Second, press the ''Import a certificate or key file'' and select the private key file. Repeat this process for any additional separate intermediate certificates (not commonly required). When finished, the "Server Certificate" field should contain the server cert, and the "Certificate Key" field should contain the private key. Additionally the "Optional Intermediate Certificates" field may be populated if the CA provided an intermediate certificate. At this point click ''Upload Certificate'' to upload the certificate. Don't forget to adjust how the new certificate will be used (HTTPS, IPSEC, etc) in the ''Server Certificates'' table!<br />
<br />
Alternatively, instead of importing files you can copy & paste the certificate, key, and intermediate certificates provided by the CA into the fields.<br />
<br />
===Create Signature Signing Request===<br />
When you click the ''Create Signature Signing Request'' button to generate a signature signing request, you will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the CSR. Once the form is complete and<br />
you click Generate, a server_certificate.csr file will be downloaded to your computer. The certificate<br />
authority you choose will require this file, and possibly additional information to verify that you are<br />
the "owner" of the website for which you are requesting the certificate. When they receive all the<br />
required information, and any associated fee, they will issue you a new certificate file which you<br />
can upload to the Untangle server.<br />
<br />
===Import Signing Request Certificate===<br />
When you receive your signed certificate, click the ''Import Signing Server Certificate'' button to upload the certificate to the Untangle server. Certificates are provided in many different formats. <br />
<br />
You can select the ''Import a certificate file'' to upload a certificate file provided by the signer. This will parse the file and put the result in the displayed ''Server Certificate'' field and any other optional "Intermediate Certificates" in the ''Optional Intermediate Certificates'' field. To finish the upload click the ''Upload Certificate'' button.<br />
<br />
Alternatively, you can copy and paste the certificate (text) provided by the signer into the fields and click ''Upload Certificate''.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Certificates&diff=26055Certificates2019-01-03T18:38:42Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource administration_certificates">Certificates</span><br />
<br />
= Certificates =<br />
<br />
{{TriScreenshot|config|administration|certificates}}<br />
<br />
==About Digital Certificates==<br />
<br />
The Untangle Server uses<br />
[http://en.wikipedia.org/wiki/Digital_Certificate digital certificates]<br />
when serving web content via<br />
[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL].<br />
The server certificate is mainly used to provide secure access to the Administrative Console, as well as<br />
the Email Quarantine features. The server also needs to generate imitation certificates on the fly when<br />
using the [[SSL Inspector]] application. There are two different ways to configure the certificate used by<br />
your server, depending on your specific requirements:<br />
<br />
# Create and use a server certificate signed by the internal certificate authority<br />
# Create a Certificate Signing Request [http://en.wikipedia.org/wiki/Certificate_signing_request (CSR)] which you can have signed by a third party certificate authority.<br />
<br />
If you plan on using the HTTPS Inspector application, option #1 is likely a good choice. Since you'll need to<br />
install the root certificate on all client computers and devices to use HTTPS Inspector effectively, it makes<br />
sense to also sign the certificate used by the Untangle server with this same CA.<br />
<br />
If you aren't going to use the HTTPS Inspector, or have some other reason to prefer a third party<br />
certificate, then option #2 may be a better choice. This will allow you to obtain and use a server<br />
certificate signed by a third party authority. The benefit here, assuming you use one of the<br />
standard and well-known providers, is that their root certificate will already be included in<br />
the list of trusted CAs on client computers and devices, so you won't have to distribute and install<br />
a new root certificate.<br />
<br />
==Certificate Authority==<br />
During the initial server installation, a default Certificate Authority<br />
[http://en.wikipedia.org/wiki/Certificate_Authority (CA)]<br />
was created automatically. This CA is used to create and sign imitation certificates that are generated on<br />
the fly by the HTTPS Inspector application. It was also used to sign the default server certificate used<br />
by the server itself. You can use the default CA as is, or you can generate a new CA if you want to<br />
customize the information contained in the root certificate.<br />
<br />
===Generate Certificate Authority===<br />
When you click this button to generate a new CA, you will be presented with a popup form where you can<br />
enter the details to be included in the Subject DN of the new root certificate. Since this operation is creating a root certificate and not a<br />
server certificate, the CN field can contain almost anything you like. Once the form is complete and you click<br />
the Generate button, the new CA will be created and the Certificate Authority information fields will be<br />
updated to display the contents of the new certificate.<br />
<br />
===Download Root Certificate===<br />
Click this button to download the root_authority.crt certificate file of the Certificate Authority on<br />
the Untangle server. If you are using HTTPS Inspector, or if you have configured your Untangle server<br />
to use a server certificate signed by the internal Certificate Authority, you will need to download<br />
and install this certificate on all client computers and devices to eliminate certificate warning messages<br />
when browsing or accessing secure content.<br />
<br />
===Download Root Certificate Installer===<br />
This button downloads a Windows installer that will automatically deploy the root certificate to Windows devices. This will allow for more efficient deployment of the root certificate above. Once installed, this will eliminate certificate warning messages when browsing or accessing secure content, or when using the HTTPS captive portal.<br />
<br />
==Server Certificate==<br />
The Server Certificate is used to secure all HTTPS connections with the Untangle server. This mainly<br />
applies to the Administrative Console and the Email Quarantine pages.<br />
<br />
During the initial server installation, a default certificate is created and signed using the<br />
default Certificate Authority that was also created during installation. You can use the default<br />
root certificate as is, or you can generate a new server certificate if you want to customize the<br />
information contained in the server certificate.<br />
<br />
===Generate Server Certificate===<br />
When you click this button to generate a new server certificate, you will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the server certificate. All fields<br />
are optional except for the Common Name (CN) field, which should contain the hostname that will be used<br />
to access the server.<br />
<br />
<b>Example:</b> hostname.domain.com<br />
<br />
Once the form is complete and you click the Generate button, the new server certificate will be<br />
created and the Untangle server will start using it immediately. The Server Certificate information<br />
fields will also be updated to display the contents of the new certificate.<br />
<br />
==Third Party Certificate==<br />
Instead of using a certificate signed by the local CA, you may instead prefer to have the Untangle server<br />
use a certificate signed by a well-known CA such as VeriSign or Thawte. The advantage to using this type<br />
of certificate is that client computers and devices will need no additional configuration, since most browsers<br />
are already configured to trust certificates issued by these authorities.<br />
<br />
'''NOTE:''' This has nothing to do with [[SSL Inspector]] and is just the certificate used when connecting to web services running on the Untangle server itself (Administration, Captive Portal, Quarantine, etc).<br />
<br />
===Upload Server Certificate===<br />
Click the ''Upload Server Certificate'' button to upload an official signed certificate provided by a CA, or a certificate that you generated yourself.<br />
<br />
Certificates from CAs are provided in many different formats. The ''Import a certificate or key file'' button can be used to upload the certificates and keys. First, press ''Import a certificate or key file'' and select the certificate. Second, press the ''Import a certificate or key file'' and select the private key file. Repeat this process for any additional separate intermediate certificates (not commonly required). When finished, the "Server Certificate" field should contain the server cert, and the "Certificate Key" field should contain the private key. Additionally the "Optional Intermediate Certificates" field may be populated if the CA provided an intermediate certificate. At this point click ''Upload Certificate'' to upload the certificate. Don't forget to adjust how the new certificate will be used (HTTPS, IPSEC, etc) in the ''Server Certificates'' table!<br />
<br />
Alternatively, instead of importing files you can copy & paste the certificate, key, and intermediate certificates provided by the CA into the fields.<br />
<br />
===Create Signature Signing Request===<br />
Click the ''Create Signature Signing Request'' button to generate a signature signing request. You will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the CSR. Once the form is complete and<br />
you click Generate, a server_certificate.csr file will be downloaded to your computer. The certificate<br />
authority you choose will require this file, and possibly additional information to verify that you are<br />
the "owner" of the website for which you are requesting the certificate. When they receive all the<br />
required information, and any associated fee, they will issue you a new certificate file which you<br />
can upload to the Untangle server.<br />
<br />
===Import Signing Request Certificate===<br />
When you receive your signed certificate, click the ''Import Signing Server Certificate'' button to upload the certificate to the Untangle server. Certificates are provided in many different formats. <br />
<br />
You can select the ''Import a certificate file'' to upload a certificate file provided by the signer. This will parse the file and put the result in the displayed ''Server Certificate'' field and any other optional "Intermediate Certificates" in the ''Optional Intermediate Certificates'' field. To finish the upload click the ''Upload Certificate'' button.<br />
<br />
Alternatively, you can copy and paste the certificate (text) provided by the signer into the fields and click ''Upload Certificate''.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Certificates&diff=26054Certificates2019-01-03T18:38:18Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource administration_certificates">Certificates</span><br />
<br />
= Certificates =<br />
<br />
{{TriScreenshot|config|administration|certificates}}<br />
<br />
==About Digital Certificates==<br />
<br />
The Untangle Server uses<br />
[http://en.wikipedia.org/wiki/Digital_Certificate digital certificates]<br />
when serving web content via<br />
[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL].<br />
The server certificate is mainly used to provide secure access to the Administrative Console, as well as<br />
the Email Quarantine features. The server also needs to generate imitation certificates on the fly when<br />
using the [[SSL Inspector]] application. There are two different ways to configure the certificate used by<br />
your server, depending on your specific requirements:<br />
<br />
# Create and use a server certificate signed by the internal certificate authority<br />
# Create a Certificate Signing Request [http://en.wikipedia.org/wiki/Certificate_signing_request (CSR)] which you can have signed by a third party certificate authority.<br />
<br />
If you plan on using the HTTPS Inspector application, option #1 is likely a good choice. Since you'll need to<br />
install the root certificate on all client computers and devices to use HTTPS Inspector effectively, it makes<br />
sense to also sign the certificate used by the Untangle server with this same CA.<br />
<br />
If you aren't going to use the HTTPS Inspector, or have some other reason to prefer a third party<br />
certificate, then option #2 may be a better choice. This will allow you to obtain and use a server<br />
certificate signed by a third party authority. The benefit here, assuming you use one of the<br />
standard and well-known providers, is that their root certificate will already be included in<br />
the list of trusted CAs on client computers and devices, so you won't have to distribute and install<br />
a new root certificate.<br />
<br />
==Certificate Authority==<br />
During the initial server installation, a default Certificate Authority<br />
[http://en.wikipedia.org/wiki/Certificate_Authority (CA)]<br />
was created automatically. This CA is used to create and sign imitation certificates that are generated on<br />
the fly by the HTTPS Inspector application. It was also used to sign the default server certificate used<br />
by the server itself. You can use the default CA as is, or you can generate a new CA if you want to<br />
customize the information contained in the root certificate.<br />
<br />
===Generate Certificate Authority===<br />
When you click this button to generate a new CA, you will be presented with a popup form where you can<br />
enter the details to be included in the Subject DN of the new root certificate. Since this operation is creating a root certificate and not a<br />
server certificate, the CN field can contain almost anything you like. Once the form is complete and you click<br />
the Generate button, the new CA will be created and the Certificate Authority information fields will be<br />
updated to display the contents of the new certificate.<br />
<br />
===Download Root Certificate===<br />
Click this button to download the root_authority.crt certificate file of the Certificate Authority on<br />
the Untangle server. If you are using HTTPS Inspector, or if you have configured your Untangle server<br />
to use a server certificate signed by the internal Certificate Authority, you will need to download<br />
and install this certificate on all client computers and devices to eliminate certificate warning messages<br />
when browsing or accessing secure content.<br />
<br />
===Download Root Certificate Installer===<br />
This button downloads a Windows installer that will automatically deploy the root certificate to Windows devices. This will allow for more efficient deployment of the root certificate above. Once installed, this will eliminate certificate warning messages when browsing or accessing secure content, or when using the HTTPS captive portal.<br />
<br />
==Server Certificate==<br />
The Server Certificate is used to secure all HTTPS connections with the Untangle server. This mainly<br />
applies to the Administrative Console and the Email Quarantine pages.<br />
<br />
During the initial server installation, a default certificate is created and signed using the<br />
default Certificate Authority that was also created during installation. You can use the default<br />
root certificate as is, or you can generate a new server certificate if you want to customize the<br />
information contained in the server certificate.<br />
<br />
===Generate Server Certificate===<br />
When you click this button to generate a new server certificate, you will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the server certificate. All fields<br />
are optional except for the Common Name (CN) field, which should contain the hostname that will be used<br />
to access the server.<br />
<br />
<b>Example:</b> hostname.domain.com<br />
<br />
Once the form is complete and you click the Generate button, the new server certificate will be<br />
created and the Untangle server will start using it immediately. The Server Certificate information<br />
fields will also be updated to display the contents of the new certificate.<br />
<br />
==Third Party Certificate==<br />
Instead of using a certificate signed by the local CA, you may instead prefer to have the Untangle server<br />
use a certificate signed by a well-known CA such as VeriSign or Thawte. The advantage to using this type<br />
of certificate is that client computers and devices will need no additional configuration, since most browsers<br />
are already configured to trust certificates issued by these authorities.<br />
<br />
''NOTE:'' This has nothing to do with [[SSL Inspector]] and is just the certificate used when connecting to web services running on the Untangle server itself (Administration, Captive Portal, Quarantine, etc).<br />
<br />
===Upload Server Certificate===<br />
Click the ''Upload Server Certificate'' button to upload an official signed certificate provided by a CA, or a certificate that you generated yourself.<br />
<br />
Certificates from CAs are provided in many different formats. The ''Import a certificate or key file'' button can be used to upload the certificates and keys. First, press ''Import a certificate or key file'' and select the certificate. Second, press the ''Import a certificate or key file'' and select the private key file. Repeat this process for any additional separate intermediate certificates (not commonly required). When finished, the "Server Certificate" field should contain the server cert, and the "Certificate Key" field should contain the private key. Additionally the "Optional Intermediate Certificates" field may be populated if the CA provided an intermediate certificate. At this point click ''Upload Certificate'' to upload the certificate. Don't forget to adjust how the new certificate will be used (HTTPS, IPSEC, etc) in the ''Server Certificates'' table!<br />
<br />
Alternatively, instead of importing files you can copy & paste the certificate, key, and intermediate certificates provided by the CA into the fields.<br />
<br />
===Create Signature Signing Request===<br />
Click the ''Create Signature Signing Request'' button to generate a signature signing request. You will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the CSR. Once the form is complete and<br />
you click Generate, a server_certificate.csr file will be downloaded to your computer. The certificate<br />
authority you choose will require this file, and possibly additional information to verify that you are<br />
the "owner" of the website for which you are requesting the certificate. When they receive all the<br />
required information, and any associated fee, they will issue you a new certificate file which you<br />
can upload to the Untangle server.<br />
<br />
===Import Signing Request Certificate===<br />
When you receive your signed certificate, click the ''Import Signing Server Certificate'' button to upload the certificate to the Untangle server. Certificates are provided in many different formats. <br />
<br />
You can select the ''Import a certificate file'' to upload a certificate file provided by the signer. This will parse the file and put the result in the displayed ''Server Certificate'' field and any other optional "Intermediate Certificates" in the ''Optional Intermediate Certificates'' field. To finish the upload click the ''Upload Certificate'' button.<br />
<br />
Alternatively, you can copy and paste the certificate (text) provided by the signer into the fields and click ''Upload Certificate''.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Administration_Notifications&diff=26053Administration Notifications2018-12-18T22:05:21Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource admin_alerts">Administration_Notifications</span><br />
<span style="display:none" class="helpSource admin_notifications">Administration_Notifications</span><br />
<br />
= Overview = <br />
<br />
[[Image:Administrator_Alert.png|right]]<br />
<br />
Administration Notifications appear as an exclamation point icon at the top of the rack when logged into the Administration interface or in the "Notifications" widget on the dashboard. When logging in, the server will run a series of tests, which can take a few minutes, and then it will display the administration alert icon if there are any alerts. Tests are only performed on login; to force a retest, refresh the browser or click refresh on the Notification widget on the dashboard.<br />
<br />
Notifications are displayed to alert the administrator of common misconfigurations or issues.<br />
<br />
= Notifications =<br />
<br />
{| width=100% border="1" cellpadding="2"<br />
|-<br />
!width="50%"|Text<br />
!width="50%"|Description<br />
<br />
|-<br />
| Upgrades are available and ready to be installed.<br />
| The server detected software upgrades that have not been applied. Upgrades can be applied in [[Config]] > [[Upgrade]].<br />
<br />
|- <br />
| DNS connectivity failed: ''DNS Server IP''<br />
| The specified DNS server is not providing DNS resolution. Check the DNS settings of your WAN interfaces in [[Config]] > [[Network]] > [[Interfaces]]. It is recommended to use your ISP's DNS servers.<br />
<br />
|-<br />
| Failed to connect to Untangle. ''[address:port]''<br />
| Untangle failed to connect to the Untangle servers. Check your network settings to make sure they are valid and that Untangle is online. Also check that there is no firewall between Untangle and the internet that could be blocking connectivity. Untangle requires an active connection to the internet for proper operation.<br />
<br />
|-<br />
| Free disk space is low. ''[ xx% free ]''<br />
| Free disk space is running low. Contact Untangle support for help determining what is using disk space and what to do about it. Please note that our recommended minimum hard disk size is at least 80 GB.<br />
<br />
|-<br />
| Disk errors reported. <br />
''Error text''<br />
| The disk (hard drive) returned some errors for certain commands. This usually means the disk has bad sectors which are non-responsive. In this case the disk (hard drive) should be immediately replaced.<br />
<br />
|-<br />
| ''Rack Name'' contains two or more ''Application 1''<br />
| The given rack contains two or more instances of the same application. While possible, this is never desired as it decreases performance and increases management complexity. Remove one of the duplicate applications.<br />
<br />
|-<br />
| ''Rack Name'' contains redundant apps: ''Application 1'' and ''Application 2''<br />
| Some applications in Untangle are redundant and should not both be installed in the same rack at the same time. For example, Spam Blocker is a superset of Spam Blocker Lite. If both are run, no additional spam will be blocked, but messages will be scanned twice, incurring a performance hit. Remove the redundant application.<br />
<br />
|- <br />
| Bridge (''Interface 1'' <-> ''Interface 2'') may be backwards. Gateway (''Gateway IP'') is on ''Interface 2''.<br />
| Bridges can often be plugged in with the WAN interface on the LAN and the LAN interface on the WAN. This works and passes traffic; however, several applications do not behave as expected. If this notification is shown, the server has detected that the gateway for the main bridge interface is not on the expected interface. It is recommended to go into [[Config]] > [[Network]] > [[Interfaces]], unplug each interface one at a time, and verify and correct the mapping of interfaces by swapping cables around.<br />
<br />
|- <br />
| ''Interface 1'' interface NIC has a high number of ''RX/TX'' errors.<br />
| This indicates that ''ifconfig'' shows a high number of RX or TX errors on the given interface card. This is typically a network layer or NIC issue. If possible, try another NIC or different duplex setting in /admin/index.do#config/network/advanced/network_cards.<br />
<br />
|-<br />
| Spam Blocker [Lite] is installed but an unsupported DNS server is used<br />
| Spam Blocker and Spam Blocker Lite rely on DNSBL (DNS blacklists) to categorize spam. Several publicly available and often used DNS servers do not supply access to these services. For example, Google (8.8.8.8, 8.8.4.4), OpenDNS (208.67.222.222, 208.67.222.220), and Level3 (4.2.2.1, 4.2.2.2) do not provide resolution for DNSBL queries. It is recommended to configure Untangle to use your ISP's DNS servers for effective spam filtering. If spam filtering is not required, simply uninstall the spam filtering application from the rack.<br />
<br />
|-<br />
| Spam Blocker [Lite] is installed but a DNS server (X, Y) fails to resolve DNSBL queries.<br />
| This means one of the configured DNS servers does not properly resolve DNSBL queries. This will greatly degrade Spam Blocker and Spam Blocker Lite's ability to detect spam. Try configuring a different DNS server. To test this manually run ''host 2.0.0.127.zen.spamhaus.org your_DNS_server'' in the terminal where "your_DNS_server" is the IP of your DNS server. If it does not return results then DNSBL queries are not being properly resolved by that server.<br />
<br />
|-<br />
| Web Filter is installed but a DNS server (X, Y) fails to resolve categorization queries.<br />
| This means one of the configured DNS servers does not properly resolve Web Filter category queries. Web Filter uses DNS to query for the categorization of unknown sites. If the configured DNS servers do not properly respond to categorization queries then Web Filter will not function correctly and may slow web traffic significantly. <br />
<br />
|-<br />
| A DNS server responds slowly. (X,Y,Z) This may negatively effect Web Filter performance.<br />
| This means the specified DNS server (Y) on interface (X) responded slowly (in Z milliseconds) to a Web Filter categorization request. Web Filter will automatically request categorization of unknown and never before seen URLs. If DNS is performing poorly, Web Filter categorization will also be slow and may negatively affect web traffic latency as Web Filter categorizes websites.<br />
<br />
|-<br />
| Event processing is slow (x ms).<br />
| Event logging is slow. This is shown when event logging takes more than 15ms on average. This can be caused by a slow disk or an extremely busy server. If you see this message, you can try a couple of things: 1) Use a faster disk/disk controller so the daemon is able to write events more quickly. 2) Create fewer events by turning off apps and/or bypassing traffic that need not be scanned.<br />
<br />
|-<br />
| Event processing is delayed (x minute delay).<br />
| The event logging daemon that logs events to the database is behind. This happens when events occur faster than they can be written to the database. This can be caused by a slow disk or a busy network. Events will be queued in memory until they can be written to the disk. If the delay between an event happening and being logged to the database exceeds 10 minutes, this warning appears. This is not necessarily an issue, but the administrator should be aware when viewing reports and events that they will be delayed by x minutes. You can try a few things to resolve this alert: 1) Use a faster disk/disk controller so the daemon is able to write events more quickly. 2) Create fewer events by turning off apps and/or bypassing traffic that need not be scanned.<br />
<br />
|-<br />
| Packet processing recently overloaded<br />
| This warning means that "''nf_queue: full at * entries, dropping packets(s)''" was found in "''/var/log/kern.log.''" This means packets were incoming faster than the server was able to handle them. This usually indicates some misconfiguration or performance issue, or that some traffic needs to be [[Installation#Bypass_Rules|bypassed]]. This can also indicate that the server is undersized for the current task and is short on memory (swapping) or disk I/O throughput or processing power. For further help with this alert, contact Untangle support.<br />
<br />
<br />
|-<br />
| The shield is disabled. This can cause performance and stability problems.<br />
| The shield is disabled in [[Config]] > [[System]] > [[Shield]]. While sometimes useful for testing, this configuration will cause performance and stability problems. To fix, verify that ''Enable Shield'' is checked.<br />
<br />
|-<br />
| Route to unreachable address: 1.2.3.4<br />
| A static route exists in [[Config]] > [[Network]] > [[Routes]], but the next hop is unreachable. All traffic for this route will be dropped.<br />
<br />
|-<br />
| Currently the number of devices significantly exceeds the number of licensed devices. (x > y)<br />
| The number of devices for which NGFW has recently processed traffic (x) is greater than the number of allowed devices (y) for the license existing on the NGFW server. In order to return to compliance it may be necessary to bypass devices or get a larger license. Please contact support@untangle.com for help.<br />
<br />
|-<br />
| DNS and DHCP services are not functioning.<br />
| This means that the DNS and DHCP service is not properly functioning. This is a serious issue that must be resolved in order for Untangle to function properly. The usual cause of this is invalid options or syntax in [[Config]] > [[Network]] > Advanced > [[DHCP & DNS]], or in the interface settings in [[Config]] > [[Interfaces]] > Edit > DHCP Configuration > DHCP Options. <br />
<br />
|-<br />
| The timezone has been changed since boot. A reboot is required.<br />
| The timezone has been reconfigured since boot-up and a reboot is required at the earliest convenience.<br />
<br />
|-<br />
| An upgrade process has been interrupted.<br />
| An upgrade has been interrupted. This is usually the result of rebooting during an upgrade or using an alternate upgrade process or running multiple upgrades at once or some other similar scenario. Contact Untangle support.<br />
|}</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Administration_Notifications&diff=26052Administration Notifications2018-12-18T21:57:53Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource admin_alerts">Administration_Notifications</span><br />
<span style="display:none" class="helpSource admin_notifications">Administration_Notifications</span><br />
<br />
= Overview = <br />
<br />
[[Image:Administrator_Alert.png|right]]<br />
<br />
Administration Notifications appear as an exclamation point icon at the top of the rack when logged into the Administration interface or in the "Notifications" widget on the dashboard. When logging in, the server will run a series of tests, which can take a few minutes, and then it will display the administration alert icon if there are any alerts. Tests are only performed on login; to force a retest, refresh the browser or click refresh on the Notification widget on the dashboard.<br />
<br />
Notifications are displayed to alert the administrator of common misconfigurations or issues.<br />
<br />
= Notifications =<br />
<br />
{| width=100% border="1" cellpadding="2"<br />
|-<br />
!width="50%"|Text<br />
!width="50%"|Description<br />
<br />
|-<br />
| Upgrades are available and ready to be installed.<br />
| The server detected software upgrades that have not been applied. Upgrades can be applied in [[Config]] > [[Upgrade]].<br />
<br />
|- <br />
| DNS connectivity failed: ''DNS Server IP''<br />
| The specified DNS server is not providing DNS resolution. Check the DNS settings of your WAN interfaces in [[Config]] > [[Network]] > [[Interfaces]]. It is recommended to use your ISP's DNS servers.<br />
<br />
|-<br />
| Failed to connect to Untangle. ''[address:port]''<br />
| Untangle failed to connect to the Untangle servers. Check your network settings to make sure they are valid and that Untangle is online. Also check that there is no firewall between Untangle and the internet that could be blocking connectivity. Untangle requires an active connection to the internet for proper operation.<br />
<br />
|-<br />
| Free disk space is low. ''[ xx% free ]''<br />
| Free disk space is running low. Contact Untangle support for help determining what is using disk space and what to do about it. Please note that our recommended minimum hard disk size is at least 80 GB.<br />
<br />
|-<br />
| Disk errors reported. <br />
''Error text''<br />
| The disk (hard drive) returned some errors for certain commands. This usually means the disk has bad sectors which are non-responsive. In this case the disk (hard drive) should be immediately replaced.<br />
<br />
|-<br />
| ''Rack Name'' contains two or more ''Application 1''<br />
| The given rack contains two or more instances of the same application. While possible, this is never desired because it decreases performance and increases management complexity. Remove one of the duplicate applications.<br />
<br />
|-<br />
| ''Rack Name'' contains redundant apps: ''Application 1'' and ''Application 2''<br />
| Some applications in Untangle are redundant and should not both be installed in the same rack at the same time. For example, Spam Blocker is a superset of Spam Blocker Lite. If both are run, no additional spam will be blocked, but messages will be scanned twice, incurring a performance hit. Remove the redundant application.<br />
<br />
|- <br />
| Bridge (''Interface 1'' <-> ''Interface 2'') may be backwards. Gateway (''Gateway IP'') is on ''Interface 2''.<br />
| Bridges are often plugged in with the WAN interface on the LAN and the LAN interface on the WAN. This works and passes traffic; however, several applications do not behave as expected. If this is shown, the server has detected that the gateway for the main bridge interface is not on the expected interface. It is recommended to go into [[Config]] > [[Network]] > [[Interfaces]], unplug each interface one at a time, and verify and correct the mapping of interfaces by swapping cables around.<br />
<br />
|- <br />
| ''Interface 1'' interface NIC has a high number of ''RX/TX'' errors.<br />
| This indicates that ''ifconfig'' shows a high number of RX or TX errors on the given interface card. This is typically a network layer or NIC issue. If possible, try another NIC or different duplex setting in /admin/index.do#config/network/advanced/network_cards.<br />
<br />
|-<br />
| Spam Blocker [Lite] is installed but an unsupported DNS server is used<br />
| Spam Blocker and Spam Blocker Lite rely on DNSBL (DNS blacklists) to categorize spam. Several publicly available and often used DNS servers do not supply access to these services. For example, Google (8.8.8.8, 8.8.4.4), OpenDNS (208.67.222.222, 208.67.222.220), and Level3 (4.2.2.1, 4.2.2.2) do not provide resolution for DNSBL queries. It is recommended to configure Untangle to use your ISP's DNS servers for effective spam filtering. If spam filtering is not required, simply uninstall the spam filtering application from the rack.<br />
<br />
|-<br />
| Spam Blocker [Lite] is installed but a DNS server (X, Y) fails to resolve DNSBL queries.<br />
| This means one of the configured DNS servers does not properly resolve DNSBL queries. This will greatly degrade Spam Blocker and Spam Blocker Lite's ability to detect spam. Try configuring a different DNS server. To test this manually, run ''host 2.0.0.127.zen.spamhaus.org your_DNS_server'' in the terminal, where "your_DNS_server" is the IP of your DNS server. If it does not return results, then DNSBL queries are not being properly resolved by that server.<br />
<br />
|-<br />
| Web Filter is installed but a DNS server (X, Y) fails to resolve categorization queries.<br />
| This means one of the configured DNS servers does not properly resolve Web Filter category queries. Web Filter uses DNS to query for the categorization of unknown sites. If the configured DNS servers do not properly respond to categorization queries then Web Filter will not function correctly and may slow web traffic significantly. <br />
<br />
|-<br />
| A DNS server responds slowly. (X,Y,Z) This may negatively effect Web Filter performance.<br />
| This means the specified DNS server (Y) on interface (X) responded slowly (in Z milliseconds) to a Web Filter categorization request. Web Filter will automatically request categorization of unknown and never before seen URLs. If DNS is performing poorly, Web Filter categorization will also be slow and may negatively affect web traffic latency as Web Filter categorizes websites.<br />
<br />
|-<br />
| Event processing is slow (x ms).<br />
| Event logging is slow. This is shown when event logging takes more than 15ms on average. This can be caused by a slow disk or an extremely busy server. If you see this message, you can try a couple of things: 1) Use a faster disk/disk controller so the daemon is able to write events more quickly. 2) Create fewer events by turning off apps and/or bypassing traffic that need not be scanned.<br />
<br />
|-<br />
| Event processing is delayed (x minute delay).<br />
| The event logging daemon that logs events to the database is behind. This happens when events are happening quicker than they can be written to the database. This can be caused by a slow disk or a busy network. Events will be queued in memory until they can be written to the disk. If the delay between an event happening and being logged to the database exceeds 10 minutes, this warning appears. This is not necessarily an issue, but the administrator should be aware when viewing reports and events that they will be delayed by x minutes. You can try a few things to resolve this alert: 1) Use a faster disk/disk controller so the daemon is able to write events more quickly. 2) Create fewer events by turning off apps and/or bypassing traffic that need not be scanned.<br />
<br />
|-<br />
| Packet processing recently overloaded<br />
| This warning means that "''nf_queue: full at * entries, dropping packets(s)''" was found in "''/var/log/kern.log''". This means packets were incoming faster than the server was able to handle them. This usually indicates some misconfiguration or performance issue, or that some traffic needs to be [[Installation#Bypass_Rules|bypassed]]. This can also indicate that the server is undersized for the current task and is short on memory (swapping), disk I/O throughput, or processing power. For further help with this alert, contact Untangle support.<br />
<br />
<br />
|-<br />
| The shield is disabled. This can cause performance and stability problems.<br />
| The shield is disabled in [[Config]] > [[System]] > [[Shield]]. While sometimes useful for testing, this configuration will cause performance and stability problems. To fix this, verify that ''Enable Shield'' is checked.<br />
<br />
|-<br />
| Route to unreachable address: 1.2.3.4<br />
| A static route exists in [[Config]] > [[Network]] > [[Routes]], but the next hop is unreachable. All traffic for this route will be dropped.<br />
<br />
|-<br />
| Currently the number of devices significantly exceeds the number of licensed devices. (x > y)<br />
| The number of devices for which NGFW has recently processed traffic (x) is greater than the number of allowed devices (y) for the license existing on the NGFW server. In order to return to compliance it may be necessary to bypass devices or get a larger license. Please contact support@untangle.com for help.<br />
<br />
|-<br />
| DNS and DHCP services are not functioning.<br />
| This means that the DNS and DHCP service is not properly functioning. This is a serious issue that must be resolved in order for Untangle to function properly. The usual cause of this is invalid options or syntax in [[Config]] > [[Network]] > Advanced > [[DHCP & DNS]], or in the interface settings in [[Config]] > [[Interfaces]] > Edit > DHCP Configuration > DHCP Options. <br />
<br />
|-<br />
| The timezone has been changed since boot. A reboot is required.<br />
| The timezone has been reconfigured since boot-up and a reboot is required at the earliest convenience.<br />
<br />
|-<br />
| An upgrade process has been interrupted.<br />
| An upgrade has been interrupted. Contact Untangle support.<br />
|}</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=IPsec_VPN&diff=26051IPsec VPN2018-12-06T18:17:13Z<p>Dmorris: </p>
<hr />
<div>[[Category:Applications]]<br />
<span style="display:none" class="helpSource ipsec_vpn">IPsec_VPN</span><br />
<span style="display:none" class="helpSource ipsec_vpn_status">IPsec_VPN#Status</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_options">IPsec_VPN#IPsec_Options</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_tunnels">IPsec_VPN#IPsec_Tunnels</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_options">IPsec_VPN#L2TP_Options</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_events">IPsec_VPN#L2TP_Events</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_log">IPsec_VPN#L2TP_Log</span><br />
<span style="display:none" class="helpSource ipsec_vpn_vpn_config">IPsec_VPN#VPN_Config</span><br />
<span style="display:none" class="helpSource ipsec_vpn_gre_networks">IPsec_VPN#GRE_Networks</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_state">IPsec_VPN#IPsec_State</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_policy">IPsec_VPN#IPsec_Policy</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_log">IPsec_VPN#IPsec_Log</span><br />
<br />
{| width='100%'<br />
|-<br />
| align="center" | [[Image:IPsecVPN.png|128px]] &nbsp; &nbsp; '''IPsec VPN'''<br />
| align="center" |<br />
{|<br />
|-<br />
| Other Links:<br />
|-<br />
|[http://www.untangle.com/store/ipsec-conf.html IPsec VPN Description Page]<br />
|-<br />
|[http://demo.untangle.com/admin/index.do#service/ipsec-vpn IPsec VPN Demo]<br />
|-<br />
|[http://forums.untangle.com/ipsec-vpn/ IPsec VPN Forums]<br />
|-<br />
|[[IPsec VPN Reports]]<br />
|-<br />
|[[IPsec VPN FAQs]]<br />
|}<br />
|}<br />
<br><br />
----<br />
<br />
== About IPsec VPN ==<br />
<br />
The '''IPsec VPN''' service provides secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.<br />
<br />
The [[VPN Overview]] article provides some general guidance of which VPN technology may be the best fit for different scenarios.<br />
<br />
== Settings ==<br />
<br />
This section reviews the different settings and configuration options available for IPsec VPN.<br />
<br />
=== <u>Status</u> ===<br />
<br />
The Status tab shows the status of the different components of the IPsec application.<br />
<br />
* '''Enabled IPsec Tunnels'''<br />
:This section shows a list of all IPsec tunnels that have been created and enabled. For tunnels that are active, the status will display the connection details reported by the IPsec subsystem. For inactive tunnels, the configuration information will be displayed.<br />
<br />
* ''' Active VPN Sessions '''<br />
: This section shows a list of all active L2TP and Xauth connections. In addition to the connection details, there is a Disconnect column that can be used to forcefully disconnect an active session. Please note that there is no confirmation when you click the Disconnect icon. The corresponding session will be immediately terminated.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|status}}<br />
<br />
<br />
=== <u>IPsec Options</u> ===<br />
<br />
* '''Bypass all IPsec traffic'''<br />
: When this checkbox is enabled, traffic from IPsec tunnels will bypass all applications and services on the Untangle server. This was the only behavior available in previous versions of Untangle, so this option is enabled by default to maintain equivalent functionality on upgrade. If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services.<br />
<br />
: Also please note that this only applies to plain IPsec tunnels. Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-options}}<br />
<br />
<br />
=== <u>IPsec Tunnels</u> ===<br />
<br />
The IPsec Tunnels tab is where you create and manage the IPsec VPN configuration. The main tab display shows a summary of all IPsec tunnels that have been created.<br />
<br />
* ''' Tunnel Editor '''<br />
: When you create a new tunnel, or edit an existing tunnel, the tunnel editor screen will appear with the following configurable settings:<br />
<br />
{| border="1" cellpadding="2" width="85%" align="center"<br />
|+<br />
! Name !! Description<br />
|-<br />
|width="15%"|'''Enable'''<br />
|width="70%"|This checkbox allows you to set a tunnel to either enabled or disabled.<br />
|-<br />
|'''Description'''<br />
|This field should contain a short name or description.<br />
|- <br />
|'''Connection Type'''<br />
|This field allows you to set the connection type to any of the following:<br />
<br />
*Select Tunnel to specify a host-to-host, host-to-subnet, or subnet-to-subnet tunnel. This is by far the most common connection type.<br />
* Select Transport to specify a host-to-host transport mode tunnel. This connection type is much less common, and would generally only be used if you are attempting to establish an IPsec connection to another host which specifically requires this mode.<br />
|-<br />
|'''Auto Mode'''<br />
|This field controls how IPsec manages the corresponding tunnel when the IPsec process re-starts:<br />
<br />
* Select Start to have the tunnel automatically loaded, routes inserted, and connection initiated.<br />
* Select Add to have the tunnel load in standby mode, waiting to respond to an incoming connection request.<br />
|- <br />
|'''Interface'''<br />
|This field allows you to select the network interface that should be associated with the IPsec tunnel on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.<br />
|- <br />
|'''External IP'''<br />
|Use this field to configure the IP address that is associated with the IPsec VPN on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.<br />
|- <br />
|'''Remote Host'''<br />
|This field should contain the public IP address or DNS name of the host to which the IPsec VPN will be connected.<br />
: '''WARNING''' - Using host names with IPsec tunnels can often cause problems, especially if you have also enabled the L2TP/Xauth VPN server. We '''strongly''' recommend the use of IP addresses in the ''Remote Host'' field. <br />
|-<br />
|'''Local Identifier'''<br />
|This field is used to configure the local identifier used for authentication. When this field is blank, the value in the ''External IP'' field will be used.<br />
|-<br />
|'''Remote Identifier'''<br />
|This field is used to configure the remote identifier used for authentication. When this field is blank, the value in the Remote Host field will be used.<br />
:'''IMPORTANT''' - If the remote host is located behind any kind of NAT device, you may need to use the value <TT>%any</TT> in this field for a connection to be successfully established.<br />
|- <br />
|'''Local Network'''<br />
|This field is used to configure the local network that will be reachable from hosts on the other side of the IPsec VPN.<br />
|-<br />
|'''Remote Network'''<br />
|This field is used to configure the remote network that will be reachable from hosts on the local side of the IPsec VPN.<br />
|-<br />
|'''Shared Secret'''<br />
|This field should contain the shared secret or PSK (pre-shared key) that is used to authenticate the connection, and must be the same on both sides of the tunnel for the connection to be successful. Because the PSK is actually used as the encryption key for the session, using long strings of a random nature will provide the highest level of security.<br />
|-<br />
|'''DPD Interval'''<br />
|The number of seconds between R_U_THERE messages. Enter 0 to disable this feature.<br />
|-<br />
|'''DPD Timeout'''<br />
| The number of seconds for a dead peer tunnel to be restarted.<br />
|-<br />
|'''Authentication and SA/Key Exchange'''<br />
| If you leave the Phase 1 and Phase 2 manual configuration checkboxes disabled, IPsec will attempt to automatically negotiate the encryption protocol with the remote peer when creating the tunnel. Given the number of different IPsec implementations and versions, as well as the overall complexity of the protocol, best results can often be achieved by enabling manual configuration of these two options, and selecting Encryption, Hash, DH Key Group, and Lifetime values that exactly match the settings configured on the peer device.<br />
|}<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-tunnels}}<br />
<br />
<br />
=== <u>VPN Config</u> ===<br />
<br />
The VPN Config tab allows you to enable and configure the L2TP/Xauth server.<br />
<br />
L2TP and Xauth are two protocols that are natively supported by many devices. This makes L2TP/Xauth good options when simpler and better solutions like OpenVPN are not possible, because OpenVPN requires installing a third-party app, which is not always possible. If installing third-party applications is possible, OpenVPN will usually be a better performing, simpler, and more reliable option.<br />
<br />
If installing third party apps on the remote device is not possible, L2TP and Xauth are more appropriate. Xauth is newer and the preferable option. <br />
<br />
L2TP is only suggested when OpenVPN and Xauth are not options. L2TP is an older protocol. It also has many issues going through NAT (on both ends) and has the limitation of only supporting a single device from a single public IP address. Only a single device on any given network (behind a single public IP address) can connect at once.<br />
'''IMPORTANT: L2TP is only suggested as a last resort when other more appropriate options are not available!'''<br />
<br />
*'''Enable L2TP/Xauth Server'''<br />
: Use this checkbox to enable or disable the L2TP/Xauth server.<br />
<br />
*'''L2TP Address Pool'''<br />
: This field configures the pool of IP addresses that will be assigned to L2TP clients while they are connected to the server. The default 198.18.0.0/16 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network.<br />
<br />
*'''Xauth Address Pool'''<br />
: This field configures the pool of IP addresses that will be assigned to Xauth clients while they are connected to the server. The default 198.19.0.0/16 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network.<br />
<br />
*''' Custom DNS Servers'''<br />
: Leave both of these fields blank to have L2TP and Xauth clients use the Untangle server for all DNS resolution. Alternatively, if you have other DNS servers you want clients to use, you can enter IP addresses in these fields.<br />
<br />
*'''IPsec Secret'''<br />
: This is the shared secret that will be used between the client and server to establish the IPsec channel that will secure all L2TP and Xauth communications.<br />
<br />
*'''User Authentication'''<br />
: In addition to the IPsec Secret configured above, VPN clients will also need to authenticate with a username and password. To use the Local Directory, select this option and click the ''Configure Local Directory'' button to manage user credentials. Alternatively, you can use an external RADIUS server for authentication by selecting the RADIUS option, and clicking the Configure RADIUS button to configure the RADIUS server options.<br />
<br />
*'''Server Listen Addresses'''<br />
: This list is used to configure one or more of your server IP addresses to listen for inbound VPN connection requests from remote clients. Clicking the add button will insert a new line allowing the entry of another server IP address.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|vpn-config}}<br />
<br />
=== <u>GRE Networks</u> ===<br />
<br />
The GRE Networks tab is where you create and manage connections to remote GRE servers. Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.<br />
<br />
'''GRE Address Pool'''<br />
<br />
This field configures the pool of IP addresses that will be assigned to interfaces created and associated with tunnels added on the GRE Networks tab. The default 198.51.100.0/24 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network. If you use GRE to connect multiple Untangle servers together, you may need to configure a different, unused pool on each server.<br />
<br />
<br />
The main tab display shows a summary of all GRE Networks that have been created.<br />
<br />
* ''' Network Editor '''<br />
: When you create a new GRE Network, or edit an existing network, the network editor screen will appear with the following configurable settings:<br />
<br />
{| border="1" cellpadding="2" width="85%" align="center"<br />
|+<br />
! Name !! Description<br />
|-<br />
|width="15%"|'''Enable'''<br />
|width="70%"|This checkbox allows you to set a network to either enabled or disabled.<br />
|-<br />
|'''Description'''<br />
|This field should contain a short name or description.<br />
|- <br />
|'''Interface'''<br />
|This field allows you to select the network interface that should be associated with the GRE Network on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.<br />
|- <br />
|'''External IP'''<br />
|Use this field to configure the IP address that is associated with the GRE Network on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.<br />
|- <br />
|'''Remote Host'''<br />
|This field should contain the public IP address of the host to which the GRE tunnel will be connected.<br />
|- <br />
|'''Remote Networks'''<br />
|This field is used to configure the list of remote network traffic that should be routed across this GRE tunnel. Networks should be entered one per line in CIDR (192.168.123.0/24) format.<br />
|}<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|gre-networks}}<br />
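The L2TP, Xauth and GRE address pools described above must not collide with each other or with any network routed over a tunnel. The following check is an added example, not part of the product or of the original page: the function names are hypothetical, the pool values are the defaults quoted on this page, and the routed networks are constructed sample input.

```python
import ipaddress

# Default pools as quoted on this page.
DEFAULT_POOLS = {
    "L2TP Address Pool": "198.18.0.0/16",
    "Xauth Address Pool": "198.19.0.0/16",
    "GRE Address Pool": "198.51.100.0/24",
}


def parse_networks(text):
    """Parse a 'one network per line' field in CIDR format.

    Blank lines are skipped. An entry without a prefix length, or with
    host bits set (192.168.123.5/24), is rejected rather than silently
    corrected, so a typo cannot widen or shift the routed range.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if "/" not in entry:
            raise ValueError(f"line {lineno}: {entry!r} has no prefix length")
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from None
    return networks


def find_conflicts(pools, routed):
    """Return sorted (label_a, label_b) pairs whose networks overlap.

    pools  -- {label: CIDR string} for the address pools
    routed -- {label: [ip_network, ...]} for local/remote networks
    """
    items = [(name, ipaddress.ip_network(cidr)) for name, cidr in pools.items()]
    for name, nets in routed.items():
        items.extend((name, net) for net in nets)

    conflicts = set()
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if name_a == name_b:
                continue  # entries of the same field are not compared
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                conflicts.add(tuple(sorted((name_a, name_b))))
    return sorted(conflicts)


if __name__ == "__main__":
    # Constructed sample: a GRE peer that already uses part of 198.18.0.0/16.
    remote = parse_networks("192.168.123.0/24\n198.18.4.0/22\n")
    routed = {
        "Local Network": parse_networks("192.168.10.0/24"),
        "GRE Remote Networks": remote,
    }
    for a, b in find_conflicts(DEFAULT_POOLS, routed):
        print(f"conflict: {a} overlaps {b}")

    # Two servers joined by GRE that both kept the default GRE pool.
    both = {"Server A GRE pool": "198.51.100.0/24",
            "Server B GRE pool": "198.51.100.0/24"}
    for a, b in find_conflicts(both, {}):
        print(f"conflict: {a} overlaps {b}")
```

A reported pair means one of the two fields has to move to an unused range before the tunnel or VPN server is enabled.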
<br />
<br />
=== <u>IPsec State</u> ===<br />
<br />
The IPsec State tab allows you to see the status of all established IPsec connections. There will typically be two entries per tunnel, one with details about the local side of the connection, and another with details about the remote side of the connection.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-state}}<br />
<br />
<br />
=== <u>IPsec Policy</u> ===<br />
<br />
The IPsec Policy tab allows you to see the routing table rules associated with each IPsec VPN that is active.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-policy}}<br />
<br />
<br />
=== <u>IPsec Log</u> ===<br />
<br />
The IPsec Log tab allows you to see the low level status messages that are generated by the underlying IPsec protocol components. This information can be very helpful when attempting to diagnose connection problems or other IPsec issues.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-log}}<br />
<br />
<br />
=== <u>L2TP Log</u> ===<br />
<br />
The L2TP Log tab allows you to see the low level status messages that are generated by the underlying L2TP protocol daemon. This information can be very helpful when attempting to diagnose connection problems or other L2TP issues.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|l2tp-log}}<br />
<br />
<br />
== Reports ==<br />
<br />
{{:IPsec VPN Reports}}<br />
<br />
<br />
== Related Topics ==<br />
<br />
[[OpenVPN]]<br />
<br />
<br />
== IPsec VPN FAQs ==<br />
<br />
{{:IPsec VPN FAQs}}</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=IPsec_VPN&diff=26050IPsec VPN2018-12-06T18:16:40Z<p>Dmorris: </p>
<hr />
<div>[[Category:Applications]]<br />
<span style="display:none" class="helpSource ipsec_vpn">IPsec_VPN</span><br />
<span style="display:none" class="helpSource ipsec_vpn_status">IPsec_VPN#Status</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_options">IPsec_VPN#IPsec_Options</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_tunnels">IPsec_VPN#IPsec_Tunnels</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_options">IPsec_VPN#L2TP_Options</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_events">IPsec_VPN#L2TP_Events</span><br />
<span style="display:none" class="helpSource ipsec_vpn_l2tp_log">IPsec_VPN#L2TP_Log</span><br />
<span style="display:none" class="helpSource ipsec_vpn_vpn_config">IPsec_VPN#VPN_Config</span><br />
<span style="display:none" class="helpSource ipsec_vpn_gre_networks">IPsec_VPN#GRE_Networks</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_state">IPsec_VPN#IPsec_State</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_policy">IPsec_VPN#IPsec_Policy</span><br />
<span style="display:none" class="helpSource ipsec_vpn_ipsec_log">IPsec_VPN#IPsec_Log</span><br />
<br />
{| width='100%'<br />
|-<br />
| align="center" | [[Image:IPsecVPN.png|128px]] &nbsp; &nbsp; '''IPsec VPN'''<br />
| align="center" |<br />
{|<br />
|-<br />
| Other Links:<br />
|-<br />
|[http://www.untangle.com/store/ipsec-conf.html IPsec VPN Description Page]<br />
|-<br />
|[http://demo.untangle.com/admin/index.do#service/ipsec-vpn IPsec VPN Demo]<br />
|-<br />
|[http://forums.untangle.com/ipsec-vpn/ IPsec VPN Forums]<br />
|-<br />
|[[IPsec VPN Reports]]<br />
|-<br />
|[[IPsec VPN FAQs]]<br />
|}<br />
|}<br />
<br><br />
----<br />
<br />
== About IPsec VPN ==<br />
<br />
The '''IPsec VPN''' service provides secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.<br />
<br />
The [[VPN Overview]] article provides some general guidance of which VPN technology may be the best fit for different scenarios.<br />
<br />
== Settings ==<br />
<br />
This section reviews the different settings and configuration options available for IPsec VPN.<br />
<br />
=== <u>Status</u> ===<br />
<br />
The Status tab shows the status of the different components of the IPsec application.<br />
<br />
* '''Enabled IPsec Tunnels'''<br />
:This section shows a list of all IPsec tunnels that have been created and enabled. For tunnels that are active, the status will display the connection details reported by the IPsec subsystem. For inactive tunnels, the configuration information will be displayed.<br />
<br />
* ''' Active VPN Sessions '''<br />
: This section shows a list of all active L2TP and Xauth connections. In addition to the connection details, there is a Disconnect column that can be used to forcefully disconnect an active session. Please note that there is no confirmation when you click the Disconnect icon. The corresponding session will be immediately terminated.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|status}}<br />
<br />
<br />
=== <u>IPsec Options</u> ===<br />
<br />
* '''Bypass all IPsec traffic'''<br />
: When this checkbox is enabled, traffic from IPsec tunnels will bypass all applications and services on the Untangle server. This was the only behavior available in previous versions of Untangle, so this option is enabled by default to maintain equivalent functionality on upgrade. If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services.<br />
<br />
: Also please note that this only applies to plain IPsec tunnels. Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-options}}<br />
<br />
<br />
=== <u>IPsec Tunnels</u> ===<br />
<br />
The IPsec Tunnels tab is where you create and manage the IPsec VPN configuration. The main tab display shows a summary of all IPsec tunnels that have been created.<br />
<br />
* ''' Tunnel Editor '''<br />
: When you create a new tunnel, or edit an existing tunnel, the tunnel editor screen will appear with the following configurable settings:<br />
<br />
{| border="1" cellpadding="2" width="85%" align="center"<br />
|+<br />
! Name !! Description<br />
|-<br />
|width="15%"|'''Enable'''<br />
|width="70%"|This checkbox allows you to set a tunnel to either enabled or disabled.<br />
|-<br />
|'''Description'''<br />
|This field should contain a short name or description.<br />
|- <br />
|'''Connection Type'''<br />
|This field allows you to set the connection type to any of the following:<br />
<br />
*Select Tunnel to specify a host-to-host, host-to-subnet, or subnet-to-subnet tunnel. This is by far the most common connection type.<br />
* Select Transport to specify a host-to-host transport mode tunnel. This connection type is much less common, and would generally only be used if you are attempting to establish an IPsec connection to another host which specifically requires this mode.<br />
|-<br />
|'''Auto Mode'''<br />
|This field controls how IPsec manages the corresponding tunnel when the IPsec process re-starts:<br />
<br />
* Select Start to have the tunnel automatically loaded, routes inserted, and connection initiated.<br />
* Select Add to have the tunnel load in standby mode, waiting to respond to an incoming connection request.<br />
|- <br />
|'''Interface'''<br />
|This field allows you to select the network interface that should be associated with the IPsec tunnel on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.<br />
|- <br />
|'''External IP'''<br />
|Use this field to configure the IP address that is associated with the IPsec VPN on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.<br />
|- <br />
|'''Remote Host'''<br />
|This field should contain the public IP address or DNS name of the host to which the IPsec VPN will be connected.<br />
: '''WARNING''' - Using host names with IPsec tunnels can often cause problems, especially if you have also enabled the L2TP/Xauth VPN server. We '''strongly''' recommend the use of IP addresses in the ''Remote Host'' field. <br />
|-<br />
|'''Local Identifier'''<br />
|This field is used to configure the local identifier used for authentication. When this field is blank, the value in the ''External IP'' field will be used.<br />
|-<br />
|'''Remote Identifier'''<br />
|This field is used to configure the remote identifier used for authentication. When this field is blank, the value in the Remote Host field will be used.<br />
:'''IMPORTANT''' - If the remote host is located behind any kind of NAT device, you may need to use the value <TT>%any</TT> in this field for a connection to be successfully established.<br />
|- <br />
|'''Local Network'''<br />
|This field is used to configure the local network that will be reachable from hosts on the other side of the IPsec VPN.<br />
|-<br />
|'''Remote Network'''<br />
|This field is used to configure the remote network that will be reachable from hosts on the local side of the IPsec VPN.<br />
|-<br />
|'''Shared Secret'''<br />
|This field should contain the shared secret or PSK (pre-shared key) that is used to authenticate the connection, and must be the same on both sides of the tunnel for the connection to be successful. Because the PSK is actually used as the encryption key for the session, using long strings of a random nature will provide the highest level of security.<br />
|-<br />
|'''DPD Interval'''<br />
|The number of seconds between R_U_THERE messages. Enter 0 to disable this feature.<br />
|-<br />
|'''DPD Timeout'''<br />
| The number of seconds for a dead peer tunnel to be restarted.<br />
|-<br />
|'''Authentication and SA/Key Exchange'''<br />
| If you leave the Phase 1 and Phase 2 manual configuration checkboxes disabled, IPsec will attempt to automatically negotiate the encryption protocol with the remote peer when creating the tunnel. Given the number of different IPsec implementations and versions, as well as the overall complexity of the protocol, best results can often be achieved by enabling manual configuration of these two options, and selecting Encryption, Hash, DH Key Group, and Lifetime values that exactly match the settings configured on the peer device.<br />
|}<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-tunnels}}<br />
<br />
<br />
=== <u>VPN Config</u> ===<br />
<br />
The VPN Config tab allows you to enable and configure the L2TP/Xauth server.<br />
<br />
L2TP and Xauth are two protocols that are natively supported by many devices. This makes L2TP/Xauth good options when simpler or better solutions such as OpenVPN are not possible, because OpenVPN requires installing a third-party app, which cannot always be done. If installing third-party applications is possible, OpenVPN will usually be a better performing, simpler, and more reliable option.<br />
<br />
If installing third party apps on the remote device is not possible, L2TP and Xauth are more appropriate. Xauth is newer and the preferable option. <br />
<br />
L2TP is only suggested when OpenVPN and Xauth are not options. L2TP is an older protocol. It also has many issues going through NAT (on both ends) and has the limitation of only supporting a single device from a single public IP address. Only a single device on any given network (behind a single public IP address) can connect at once.<br />
''IMPORTANT:'' L2TP is only suggested as a last resort when other more appropriate options are not available!<br />
<br />
*'''Enable L2TP/Xauth Server'''<br />
: Use this checkbox to enable or disable the L2TP/Xauth server.<br />
<br />
*'''L2TP Address Pool'''<br />
: This field configures the pool of IP addresses that will be assigned to L2TP clients while they are connected to the server. The default 198.18.0.0/16 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network.<br />
<br />
*'''Xauth Address Pool'''<br />
: This field configures the pool of IP addresses that will be assigned to Xauth clients while they are connected to the server. The default 198.19.0.0/16 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network.<br />
<br />
*'''Custom DNS Servers'''<br />
: Leave both of these fields blank to have L2TP and Xauth clients use the Untangle server for all DNS resolution. Alternatively, if you have other DNS servers you want clients to use, you can enter IP addresses in these fields.<br />
<br />
*'''IPsec Secret'''<br />
: This is the shared secret that will be used between the client and server to establish the IPsec channel that will secure all L2TP and Xauth communications.<br />
<br />
*'''User Authentication'''<br />
: In addition to the IPsec Secret configured above, VPN clients will also need to authenticate with a username and password. To use the Local Directory, select this option and click the ''Configure Local Directory'' button to manage user credentials. Alternatively, you can use an external RADIUS server for authentication by selecting the RADIUS option, and clicking the Configure RADIUS button to configure the RADIUS server options.<br />
<br />
*'''Server Listen Addresses'''<br />
: This list is used to configure one or more of your server IP addresses to listen for inbound VPN connection requests from remote clients. Clicking the add button will insert a new line allowing the entry of another server IP address.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|vpn-config}}<br />
<br />
=== <u>GRE Networks</u> ===<br />
<br />
The GRE Networks tab is where you create and manage connections to remote GRE servers. Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.<br />
<br />
'''GRE Address Pool'''<br />
<br />
This field configures the pool of IP addresses that will be assigned to interfaces created and associated with tunnels added on the GRE Networks tab. The default 198.51.100.0/24 is a private network that is generally reserved for internal network testing. It was chosen as the default because it is used less frequently than other RFC-1918 address blocks, and thus is less likely to conflict with existing address assignments on your network. If you use GRE to connect multiple Untangle servers together, you may need to configure a different, unused pool on each server.<br />
<br />
<br />
The main tab display shows a summary of all GRE Networks that have been created.<br />
<br />
* '''Network Editor'''<br />
: When you create a new GRE Network, or edit an existing network, the network editor screen will appear with the following configurable settings:<br />
<br />
{| border="1" cellpadding="2" width="85%" align="center"<br />
|+<br />
! Name !! Description<br />
|-<br />
|width="15%"|'''Enable'''<br />
|width="70%"|This checkbox allows you to set a network to either enabled or disabled.<br />
|-<br />
|'''Description'''<br />
|This field should contain a short name or description.<br />
|- <br />
|'''Interface'''<br />
|This field allows you to select the network interface that should be associated with the GRE Network on the Untangle server. When you select a valid interface, the Local IP field (see below) will automatically be configured with the corresponding IP address. If for some reason you want to manually configure an IP address that is not currently active, you can set the Interface to Custom and manually input the IP address below.<br />
|- <br />
|'''External IP'''<br />
|Use this field to configure the IP address that is associated with the GRE Network on the Untangle server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.<br />
|- <br />
|'''Remote Host'''<br />
|This field should contain the public IP address of the host to which the GRE tunnel will be connected.<br />
|- <br />
|'''Remote Networks'''<br />
|This field is used to configure the list of remote network traffic that should be routed across this GRE tunnel. Networks should be entered one per line in CIDR (192.168.123.0/24) format.<br />
|}<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|gre-networks}}<br />
<br />
<br />
=== <u>IPsec State</u> ===<br />
<br />
The IPsec State tab allows you to see the status of all established IPsec connections. There will typically be two entries per tunnel, one with details about the local side of the connection, and another with details about the remote side of the connection.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-state}}<br />
<br />
<br />
=== <u>IPsec Policy</u> ===<br />
<br />
The IPsec Policy tab allows you to see the routing table rules associated with each IPsec VPN that is active.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-policy}}<br />
<br />
<br />
=== <u>IPsec Log</u> ===<br />
<br />
The IPsec Log tab allows you to see the low level status messages that are generated by the underlying IPsec protocol components. This information can be very helpful when attempting to diagnose connection problems or other IPsec issues.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|ipsec-log}}<br />
<br />
<br />
=== <u>L2TP Log</u> ===<br />
<br />
The L2TP Log tab allows you to see the low level status messages that are generated by the underlying L2TP protocol daemon. This information can be very helpful when attempting to diagnose connection problems or other L2TP issues.<br />
<br />
{{ServiceAppScreenshot|ipsec-vpn|l2tp-log}}<br />
<br />
<br />
== Reports ==<br />
<br />
{{:IPsec VPN Reports}}<br />
<br />
<br />
== Related Topics ==<br />
<br />
[[OpenVPN]]<br />
<br />
<br />
== IPsec VPN FAQs ==<br />
<br />
{{:IPsec VPN FAQs}}</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Date_Changelog&diff=26048Date Changelog2018-12-03T17:53:49Z<p>Dmorris: </p>
<hr />
<div>This is the complete changelog, including package releases that do not have new major.minor version numbers.<br />
<br />
Major releases are documented in the primary [[Changelog]].<br />
<br />
== 14.1.0 build3 2018-12-03 ==<br />
* Fix python cache issue<br />
* Fix local directory change password issue<br />
* Fix IPS UI issue<br />
* Remove cloudflare from dynamic DNS options<br />
<br />
== 14.1.0 build2 2018-11-14 ==<br />
* Fix issue with creating alert rules<br />
* Fix duplicate condition in UI<br />
* Fix backup/restore supported versions<br />
<br />
== 14.1.0 build1 2018-11-13 ==<br />
* [[14.1.0_Changelog]]<br />
<br />
== 14.0.1 build2 2018-08-27 ==<br />
* Fix issue with captive portal & username capitalization<br />
* Spam Blocker plugin license check fix<br />
<br />
== 14.0.1 build1 2018-08-23 ==<br />
* [[14.0.1_Changelog]]<br />
<br />
== 14.0.0 build5 2018-08-10 ==<br />
* Fix issue with datepicker selecting past month/days<br />
* Fix some LCD issues<br />
* Minor tweaks to reports performance tuning<br />
* Fix certificate verification process<br />
* Fix setup wizard to bridge the wifi to External if Internal is bridged<br />
* Add report title to exported image<br />
* Fix dashboard auto-refresh hang issue<br />
* Fix upgrade issue with some international languages<br />
* Security fixes<br />
<br />
== 14.0.0 build4 2018-07-09 ==<br />
* Fix possible conflict between Tunnel VPN and OpenVPN<br />
* Fix reports data export date range issue<br />
* Fix issue with editing Event Rules<br />
* Fix warning about auth.txt permissions in Tunnel VPN<br />
* Allow multiple of same type conditions in dashboard/reports<br />
* Some changes to setup wizard for AWS deployments<br />
* Improve Captive Portal user cleanup tasks<br />
* Fix Tunnel VPN cleanup on uninstall<br />
<br />
== 14.0.0 build3 2018-06-26 ==<br />
* Fix IPS issue with certain rules<br />
* Fix HTTP port redirect issue<br />
* Fix systemd interference with untangle-vm thread max<br />
* Fix syslog issue logging to incorrect files<br />
<br />
== 14.0.0 build2 2018-06-18 ==<br />
* Fix issue with emailed report summary image width and height<br />
* Add automatic restart of IPsec daemon on certificate change<br />
* Fix ddclient restart issue<br />
* Fix upgrade issue with CD-ROM sources.list<br />
* Fix a widget refresh issue on dashboard<br />
* Fix issue with clicking on pie graphs adding the wrong value<br />
* Add new admin notification for when the timezone has changed<br />
* Fix console issues on firmware builds<br />
<br />
== 14.0.0 build1 2018-06-08 ==<br />
* [[14.0.0 Changelog]]<br />
<br />
== 13.2.1 build2 2018-04-13 ==<br />
* Fix GRE issue where no remote network is specified<br />
* Fix captive portal host table cleanup issue<br />
* Fix network settings conversion issue<br />
<br />
== 13.2.1 build1 2018-04-03 ==<br />
* [[13.2.1 Changelog]]<br />
<br />
== 13.2.0 build3 2018-02-13 ==<br />
* Fix text administration on tty console errors<br />
* Add support for username/password for site-to-site<br />
* Fix Turris Omnia image <br />
* Remove "Automatic" from channel selection options<br />
* Fix Captive Portal HTTPS port issue<br />
* Fix cloned sql conditions when creating reports issue<br />
* Fix to gracefully handle invalid reports<br />
* Fix email quarantine to update when releasing<br />
<br />
== 13.2.0 build2 2018-01-30 ==<br />
* Fix firmware issue with turris and linksys<br />
* Fix openvpn multifactor auth issue<br />
* Fix OVA filesystem resize issue<br />
* Fix port forward simple mode issue<br />
* Fix some scrollbar issues<br />
* Fix IPS settings modification issue<br />
<br />
== 13.2.0 build1 2018-01-16 ==<br />
* [[13.2.0 Changelog]]<br />
<br />
== 13.1.1 build2 2018-01-05 ==<br />
* Fix NIC ordering issue on specific appliance<br />
<br />
== 13.1.1 build1 2017-12-08 ==<br />
* Minor bug fixes [[13.1.1 Changelog]]<br />
<br />
== 13.1.0 build7 2017-10-16 ==<br />
* Upstream security fixes (for [https://www.documentcloud.org/documents/4109401-KRACK-Attacks.html krack] vulnerability)<br />
<br />
== 13.1.0 build6 2017-10-12 ==<br />
* Fix emailed report summaries image issue<br />
* Fix editing port forward rules issue<br />
<br />
== 13.1.0 build5 2017-10-10 ==<br />
* Upstream security fixes<br />
* Fix reports-only users<br />
* Fix quarantine issue<br />
* Fix IPS interface detection<br />
* Fix issue with editing port forward rules<br />
* Fix issue with Virus Blocker displaying invalid license when it is valid<br />
<br />
== 13.1.0 build4 2017-09-26 ==<br />
* 86df013 [src] Fix dates (timezone) issues<br />
* 3c7eb8c [src] Fix PPPoE wizard issues<br />
* 8249ca3 [src] Updated localization strings<br />
<br />
== 13.1.0 build3 2017-09-22 ==<br />
* Fix issues with saving devices/users<br />
* Fix issues with reports browsing and breadcrumbs<br />
* Fix timezone display issue in reports<br />
* Fix saving of Tunnel VPN that occurred for some devices<br />
* Fix PPPoE issues in setup wizard<br />
* Fix more issues with "Reset View"<br />
<br />
== 13.1.0 build2 2017-09-12 ==<br />
* Add more error checking to tunnel VPN import<br />
* Fix setup wizard NIC remapping issue with drag and drop<br />
* Fix "Reset View" odd behavior <br />
<br />
== 13.1.0 build1 2017-09-06 ==<br />
* [[13.1.0 Changelog]]<br />
<br />
== 13.0.0 build8 2017-06-23 ==<br />
* Fix date rendering issue<br />
* Fix UPnP issue and UPnP status display<br />
* Fix restore issue when selecting without network settings<br />
<br />
== 13.0.0 build7 2017-06-22 ==<br />
* Many UI fixes<br />
* Some UI javascript optimizations<br />
<br />
== 13.0.0 build6 2017-06-10 ==<br />
* Many UI fixes<br />
* Upstream security updates<br />
<br />
== 13.0.0 build5 2017-06-01 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build4 2017-05-24 ==<br />
* Many UI fixes<br />
* L2TP fix and IPsec to OpenVPN fix<br />
<br />
== 13.0.0 build3 2017-05-17 ==<br />
* Many UI fixes<br />
* Fix kernel version issue for linksys & turris firmware<br />
<br />
== 13.0.0 build2 2017-05-10 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build1 2017-04-28 ==<br />
* [[13.0.0 Changelog]]<br />
<br />
== 12.2.1 build2 2017-02-09 ==<br />
* Fix an issue with interface usage report<br />
* Many linksys WRT1900ACS improvements<br />
<br />
== 12.2.1 build1 2017-02-01 ==<br />
* [[12.2.1 Changelog]]<br />
<br />
== 12.2.0 build5 2017-01-11 ==<br />
* Fix copy function for email templates<br />
* Fix i18n in captive portal page<br />
* Fix active hosts graph<br />
* Fix reports event logs not returning first entry<br />
* Changed UPnP daemon to version compiled without --igd2<br />
<br />
== 12.2.0 build4 2017-01-05 ==<br />
* Email report rendering improvements<br />
* Default email template changes <br />
* UPnP input filter rules added<br />
* UPnP fixes<br />
<br />
== 12.2.0 build3 2016-12-27 ==<br />
* Fix a web filter rule exception<br />
* Change email image max-width<br />
<br />
== 12.2.0 build2 2016-12-22 ==<br />
* Fix sources.list rewrite<br />
* Fix other small issues<br />
<br />
== 12.1.1 build2 2016-09-15 ==<br />
* Fix more PPPoE issues<br />
<br />
== 12.1.1 build1 2016-09-13 ==<br />
* [[12.1.1 Changelog]]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Port_Forward_Troubleshooting_Guide&diff=26046Port Forward Troubleshooting Guide2018-11-29T06:06:45Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource port_forward_troubleshooting_guide">Port_Forward_Troubleshooting_Guide</span><br />
<br />
Port forwards can be tricky. Below is a series of suggestions about getting port forwards to work.<br />
<br />
# Read the [[Port Forwarding FAQs]]<br />
# Verify that the destination host on the inside is using the Untangle as its default gateway. If not, the reply packets won't find their way back to Untangle.<br />
# Verify that the destination service is reachable from the '''inside''' on the IP and port specified in your port forward rule.<br />
# Test your (TCP) port forward using 'telnet'. In Windows, open Start > Run and type 'telnet 1.2.3.4 123', where 1.2.3.4 is your external IP and 123 is the port your port forward rule matches. If it connects and hangs, the port forward is working. If it fails to connect, your port forward is not working.<br />
# Test your rule from the outside. Port forwarding back inside the network has extra complications. First verify that it works from the outside.<br />
# Verify there is a session shown in Reports > Network > [http://demo.untangle.com/admin/index.do#reports?cat=network&rep=port-forwarded-sessions Port Forwarded Sessions]<br />
# Verify that Untangle can connect to the final destination. Use the ''Connection Test'' in ''Troubleshooting'' or open the console on Untangle and type 'telnet 192.168.1.10 123', where 192.168.1.10 is the internal server you are forwarding to and 123 is the port. If it connects, Untangle can reach the server. If it fails to connect, Untangle can't reach the server and the port forward will probably not function until this part is working.<br />
# For testing, turn off the [[Firewall]] and [[Captive Portal]] applications if you have them installed. Port forwarded sessions will not connect if they are blocked by an application. If you have many policies, verify which policy is processing the session and make sure you disable the correct apps.<br />
# Simplify your port forward rule. Remove extra qualifiers and make it contain as few as possible. For example specify just what port to forward and "Destined Local" and then which server to forward it to. If that works then add the extra qualifiers back one at a time testing each time.<br />
# If you are port forwarding port 443 (HTTPS), try moving Untangle administration to another port so port 443 is available to be forwarded.<br />
# Remove any ''Source Address'' and ''Source Interface'' qualifiers - 99% of the time these are misused.<br />
# For advanced users, use tcpdump or the ''Packet Test'' in troubleshooting to debug and watch the packets. To test with tcpdump run these commands: ''tcpdump -i eth0 -n "port 123"'' and ''tcpdump -i eth1 -n "port 123"'' - assuming eth0 is your outside interface and eth1 is your inside interface.<br />
# Still not working? Post a '''screenshot''' of your port forward rule to the [http://forums.untangle.com forums] along with '''the results from the above tests''' and ask for help.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Port_Forward_Troubleshooting_Guide&diff=26045Port Forward Troubleshooting Guide2018-11-29T06:06:28Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource port_forward_troubleshooting_guide">Port_Forward_Troubleshooting_Guide</span><br />
<br />
Port forwards can be tricky. Below is a series of suggestions about getting port forwards to work.<br />
<br />
# Read the [[Port Forwarding FAQs]]<br />
# Verify that the destination host on the inside is using the Untangle as its default gateway. If not, the reply packets won't find their way back to Untangle.<br />
# Verify that the destination service is reachable from the '''inside''' on the IP and port specified in your port forward rule.<br />
# Test your (TCP) port forward using 'telnet'. In Windows, open Start > Run and type 'telnet 1.2.3.4 123', where 1.2.3.4 is your external IP and 123 is the port your port forward rule matches. If it connects and hangs, the port forward is working. If it fails to connect, your port forward is not working.<br />
# Test your rule from the outside. Port forwarding back inside the network has extra complications. First verify that it works from the outside.<br />
# Verify there is a session shown in Reports > [http://demo.untangle.com/admin/index.do#reports?cat=network&rep=port-forwarded-sessions Port Forwarded Sessions]<br />
# Verify that Untangle can connect to the final destination. Use the ''Connection Test'' in ''Troubleshooting'' or open the console on Untangle and type 'telnet 192.168.1.10 123', where 192.168.1.10 is the internal server you are forwarding to and 123 is the port. If it connects, Untangle can reach the server. If it fails to connect, Untangle can't reach the server and the port forward will probably not function until this part is working.<br />
# For testing, turn off the [[Firewall]] and [[Captive Portal]] applications if you have them installed. Port forwarded sessions will not connect if they are blocked by an application. If you have many policies, verify which policy is processing the session and make sure you disable the correct apps.<br />
# Simplify your port forward rule. Remove extra qualifiers and make it contain as few as possible. For example specify just what port to forward and "Destined Local" and then which server to forward it to. If that works then add the extra qualifiers back one at a time testing each time.<br />
# If you are port forwarding port 443 (HTTPS), try moving Untangle administration to another port so port 443 is available to be forwarded.<br />
# Remove any ''Source Address'' and ''Source Interface'' qualifiers - 99% of the time these are misused.<br />
# For advanced users, use tcpdump or the ''Packet Test'' in troubleshooting to debug and watch the packets. To test with tcpdump run these commands: ''tcpdump -i eth0 -n "port 123"'' and ''tcpdump -i eth1 -n "port 123"'' - assuming eth0 is your outside interface and eth1 is your inside interface.<br />
# Still not working? Post a '''screenshot''' of your port forward rule to the [http://forums.untangle.com forums] along with '''the results from the above tests''' and ask for help.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Port_Forward_Troubleshooting_Guide&diff=26044Port Forward Troubleshooting Guide2018-11-29T06:05:55Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource port_forward_troubleshooting_guide">Port_Forward_Troubleshooting_Guide</span><br />
<br />
Port forwards can be tricky. Below is a series of suggestions about getting port forwards to work.<br />
<br />
# Read the [[Port Forwarding FAQs]]<br />
# Verify that the destination host on the inside is using the Untangle as its default gateway. If not, the reply packets won't find their way back to Untangle.<br />
# Verify that the destination service is reachable from the '''inside''' on the IP and port specified in your port forward rule.<br />
# Test your (TCP) port forward using 'telnet'. In Windows, open Start > Run and type 'telnet 1.2.3.4 123', where 1.2.3.4 is your external IP and 123 is the port your port forward rule matches. If it connects and hangs, the port forward is working. If it fails to connect, your port forward is not working.<br />
# Test your rule from the outside. Port forwarding back inside the network has extra complications. First verify that it works from the outside.<br />
# Verify there is a port forward event in Reports > [http://demo.untangle.com/admin/index.do#reports?cat=network&rep=port-forwarded-sessions Port Forwarded Sessions]<br />
# Verify that Untangle can connect to the final destination. Use the ''Connection Test'' in ''Troubleshooting'' or open the console on Untangle and type 'telnet 192.168.1.10 123', where 192.168.1.10 is the internal server you are forwarding to and 123 is the port. If it connects, Untangle can reach the server. If it fails to connect, Untangle can't reach the server and the port forward will probably not function until this part is working.<br />
# For testing, turn off the [[Firewall]] and [[Captive Portal]] applications if you have them installed. Port forwarded sessions will not connect if they are blocked by an application. If you have many policies, verify which policy is processing the session and make sure you disable the correct apps.<br />
# Simplify your port forward rule. Remove extra qualifiers and make it contain as few as possible. For example specify just what port to forward and "Destined Local" and then which server to forward it to. If that works then add the extra qualifiers back one at a time testing each time.<br />
# If you are port forwarding port 443 (HTTPS), try moving Untangle administration to another port so port 443 is available to be forwarded.<br />
# Remove any ''Source Address'' and ''Source Interface'' qualifiers - 99% of the time these are misused.<br />
# For advanced users, use tcpdump or the ''Packet Test'' in troubleshooting to debug and watch the packets. To test with tcpdump run these commands: ''tcpdump -i eth0 -n "port 123"'' and ''tcpdump -i eth1 -n "port 123"'' - assuming eth0 is your outside interface and eth1 is your inside interface.<br />
# Still not working? Post a '''screenshot''' of your port forward rule to the [http://forums.untangle.com forums] along with '''the results from the above tests''' and ask for help.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Port_Forward_Troubleshooting_Guide&diff=26043Port Forward Troubleshooting Guide2018-11-29T04:21:25Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource port_forward_troubleshooting_guide">Port_Forward_Troubleshooting_Guide</span><br />
<br />
Port forwards can be tricky. Below is a series of suggestions about getting port forwards to work.<br />
<br />
# Read the [[Port Forwarding FAQs]]<br />
# Verify that the destination host on the inside is using the Untangle as its default gateway. If not, the reply packets won't find their way back to Untangle.<br />
# Verify that the destination service is reachable from the '''inside''' on the IP and port specified in your port forward rule.<br />
# Test your (TCP) port forward using 'telnet'. In Windows, open Start > Run and type 'telnet 1.2.3.4 123', where 1.2.3.4 is your external IP and 123 is the port your port forward rule matches. If it connects and hangs, the port forward is working. If it fails to connect, your port forward is not working.<br />
# Test your rule from the outside. Port forwarding back inside the network has extra complications. First verify that it works from the outside.<br />
# Verify there is a port forward event in [[Config]] > [[Network]] > ''Reports'' > ''Port Forwarded Sessions.''<br />
# Verify that Untangle can connect to the final destination. Use the ''Connection Test'' in ''Troubleshooting'' or open the console on Untangle and type 'telnet 192.168.1.10 123', where 192.168.1.10 is the internal server you are forwarding to and 123 is the port. If it connects, Untangle can reach the server. If it fails to connect, Untangle can't reach the server and the port forward will probably not function until this part is working.<br />
# For testing, turn off the [[Firewall]] and [[Captive Portal]] applications if you have them installed. Port forwarded sessions will not connect if they are blocked by an application. If you have many policies, verify which policy is processing the session and make sure you disable the correct apps.<br />
# Simplify your port forward rule. Remove extra qualifiers and make it contain as few as possible. For example specify just what port to forward and "Destined Local" and then which server to forward it to. If that works then add the extra qualifiers back one at a time testing each time.<br />
# If you are port forwarding port 443 (HTTPS), try moving Untangle administration to another port so port 443 is available to be forwarded.<br />
# Remove any ''Source Address'' and ''Source Interface'' qualifiers - 99% of the time these are misused.<br />
# For advanced users, use tcpdump or the ''Packet Test'' in troubleshooting to debug and watch the packets. To test with tcpdump run these commands: ''tcpdump -i eth0 -n "port 123"'' and ''tcpdump -i eth1 -n "port 123"'' - assuming eth0 is your outside interface and eth1 is your inside interface.<br />
# Still not working? Post a '''screenshot''' of your port forward rule to the [http://forums.untangle.com forums] along with '''the results from the above tests''' and ask for help.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=14.1.0_Changelog&diff=2604214.1.0 Changelog2018-11-27T21:34:11Z<p>Dmorris: </p>
<hr />
<div>= Overview =<br />
<br />
14.1 is a major new release.<br />
<br />
= New Intrusion Prevention =<br />
<br />
Intrusion Prevention (IPS) has been newly designed and implemented.<br />
<br />
While many security technologies can fall under the description of "Intrusion Prevention", IPS traditionally refers to a mass-signature based approach to detecting commonly known attacks. Unlike many of the other security technologies in Untangle, this has always presented an issue for Untangle because it is not by its nature a "set and forget" technology. It usually requires routine maintenance, diligent reading of the logs, and tuning to get any positive return on investment. Lack of this effort often results in negative value, and misconfiguration through inexperience with IPS systems can often result in even more negative value.<br />
<br />
In our effort to "keep things simple" we have redesigned our implementation of IPS to hopefully provide more power, yet easier maintenance.<br />
<br />
== Rules and Signatures ==<br />
<br />
What were previously called "rules" are now called "signatures".<br />
<br />
Our upstream source of signatures (currently [https://rules.emergingthreats.net/ Emerging Threats]) provides a large and frequently updated signature set.<br />
Signatures can detect anything from major attacks, interesting activity, or just downright mundane things like ping, http, etc.<br />
These signatures come with a recommended state from the provider. Either enabled (log/alert) or not enabled by default.<br />
Contrary to popular belief, no signature actions are set to block or drop from the signature providers.<br />
<br />
Now there is a new concept of a rule: a post-processor of all signatures that can override or set the action of the signatures. For example, you could create a rule that sets the action to "Block" for all signatures in a certain category or that affect a certain protocol.<br />
<br />
The new rules determine which signatures are enabled and their associated actions if enabled.<br />
These rules can be crafted to maintain the signature set and actions, even across continual updates of the signatures.<br />
<br />
Some examples:<br />
* An admin can create a rule to set block on "web-application-attacks" signatures that were enabled by the provider. If the provider releases a new web-application-attacks signature that is enabled, it will be set to block automatically.<br />
* An admin can create a rule to set log on all "critical" signatures. If new critical signatures are released, they will be set to log.<br />
* An admin can create a rule to set block on signature SID 1234. If the definition of SID 1234 changes in an update, the rule will set block on the new SID 1234 signature.<br />
* An admin can create a rule that references system memory as a variable, allowing for the creation of rulesets that take system memory into account. This makes sharing the same ruleset across an install base with Command Center easier, even in scenarios where system memory varies.<br />
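<br />
The rule examples above, modelled as an added Python sketch (not Untangle's code or its rule format): rules are re-evaluated against each signature update, and a rule change is previewed before it is saved. The <code>Rule</code> class, first-match-wins evaluation, the action names, the use of the Suricata classtype as the "category", and the signature feeds with their SIDs are all assumptions constructed for illustration.<br />

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed feeds in Suricata signature syntax. A leading '#' marks a signature
# the provider ships disabled. All SIDs and messages are made up for this example.
COMMON = '''\
alert http any any -> any any (msg:"Constructed web attack A"; classtype:web-application-attack; sid:1000001; rev:1;)
#alert http any any -> any any (msg:"Constructed web attack B"; classtype:web-application-attack; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"Constructed ping"; classtype:misc-activity; sid:1000003; rev:1;)
'''
FEED_V1 = COMMON + (
    'alert tcp any any -> any 445 (msg:"Constructed probe"; '
    'classtype:attempted-admin; sid:1234; rev:1;)\n')
# The update redefines SID 1234 and adds a new provider-enabled web signature.
FEED_V2 = COMMON + (
    'alert tcp any any -> any [139,445] (msg:"Constructed probe, revised"; '
    'classtype:attempted-admin; sid:1234; rev:2;)\n'
    'alert http any any -> any any (msg:"Constructed web attack C"; '
    'classtype:web-application-attack; sid:1000004; rev:1;)\n')

SIG_RE = re.compile(
    r'^(?P<off>#\s*)?(?:alert|drop|pass|reject)\s.*?\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


@dataclass(frozen=True)
class Signature:
    sid: int
    classtype: str
    provider_enabled: bool   # the provider's recommended state
    raw: str


def parse_feed(text: str) -> List[Signature]:
    """Parse signature lines, keeping the provider's enabled/disabled state."""
    sigs = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        opts = dict(OPT_RE.findall(m["opts"]))
        sigs.append(Signature(int(opts["sid"]), opts.get("classtype", ""),
                              m["off"] is None, line))
    return sigs


@dataclass
class Rule:                                      # hypothetical rule model
    description: str
    matches: Callable[[Signature, int], bool]    # (signature, system memory in MB)
    action: str                                  # "log", "block" or "disable"


def resolve(sigs: List[Signature], rules: List[Rule], memory_mb: int) -> Dict[int, str]:
    """Return {sid: action}. The first matching rule wins (an assumption of this
    sketch); with no match the provider's recommended state is kept."""
    result = {}
    for sig in sigs:
        action = "log" if sig.provider_enabled else "disable"
        for rule in rules:
            if rule.matches(sig, memory_mb):
                action = rule.action
                break
        result[sig.sid] = action
    return result


def newly_blocked(sigs, old_rules, new_rules, memory_mb) -> List[Tuple[int, str]]:
    """Signatures a rule change would newly set to block, with their classtype,
    so broad rules can be reviewed before they affect ordinary traffic."""
    old = resolve(sigs, old_rules, memory_mb)
    new = resolve(sigs, new_rules, memory_mb)
    classtype = {s.sid: s.classtype for s in sigs}
    return sorted((sid, classtype[sid]) for sid in new
                  if new[sid] == "block" and old[sid] != "block")


RULES = [
    Rule("block SID 1234, whatever its current definition",
         lambda s, mem: s.sid == 1234, "block"),
    Rule("block provider-enabled web application attacks",
         lambda s, mem: s.provider_enabled and s.classtype == "web-application-attack",
         "block"),
    Rule("on low-memory systems, disable low-value signatures",
         lambda s, mem: mem < 2048 and s.classtype == "misc-activity", "disable"),
]
BROAD = [Rule("block every signature", lambda s, mem: True, "block")]

if __name__ == "__main__":
    for name, feed in (("v1", FEED_V1), ("v2", FEED_V2)):
        print(name, resolve(parse_feed(feed), RULES, 4096))
    print("block-all would add:", newly_blocked(parse_feed(FEED_V2), RULES, BROAD, 4096))
```

The same three rules give the right result for the updated feed without being edited, while the block-all rule also catches the provider-disabled signature and the ping signature.<br />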
<br />
== Suricata ==<br />
<br />
We've switched the IPS engine from Snort to Suricata. This change will be mostly invisible to the network admin.<br />
<br />
The reason for the switch was purely technical. Suricata has some nice features, good performance, better upstream packaging and management, and is more memory efficient.<br />
<br />
== Power Users ==<br />
<br />
While these changes will hopefully bring benefits to those looking for an easier way to maintain signatures, we expect they will also provide new challenges.<br />
<br />
For example, rules provide an easy way to set all signatures or many signatures to block, which can and will cause massive network connectivity issues.<br />
Many signatures are very broad, many have false positives, and many just detect very mundane, regular network activity, not "attacks".<br />
<br />
We have encountered many users frustrated with this before and had to hide functionality that allowed for easy mass-enabling of signatures.<br />
<br />
Hopefully the rules-based approach will provide the power to power users but not encourage reckless behavior among the crowd that just wants things to work but is curious.<br />
In the meantime, if you have customized your IPS rules, we recommend disabling IPS while troubleshooting network issues so it can be eliminated as a source of the issue.<br />
<br />
= Zero Touch Provisioning =<br />
<br />
14.1 adds support for the new "zero touch" provisioning process. If enabled in Command Center, official Untangle appliances will provision themselves with subscriptions and configuration through Command Center when deployed at the customer site. This allows admins to ship appliances set to be zero-touch provisioned to customer sites and have the customer just plug them in. They will register and image themselves with the configured settings.<br />
<br />
Here is how Zero Touch Provisioning works:<br />
*At the installation site, a designated person receives the hardware appliance and connects the power and Internet cable based on the instructions from the setup guide.<br />
*When the appliance is powered, it attempts to obtain an IP address via DHCP and connect to the Internet.<br />
*If the appliance establishes connectivity, it registers to Command Center.<br />
*The user copies the serial number from the label on the device and communicates it to the administrator.<br />
*The administrator logs in to Command Center and adds the appliance based on the serial number.<br />
*Once the appliance is added to Command Center, the administrator can remotely manage the configuration and subscriptions.<br />
<br />
= New Certificate Management =<br />
<br />
The process/UI for managing Untangle certificates has been improved.<br />
<br />
Managing and understanding certificates is difficult. Buying a certificate from a provider is not easy.<br />
<br />
The new UI aims to simplify this process a little by providing several ways for admins to upload the certs, keys, and intermediate certs provided by the certificate authority to your Untangle server.<br />
<br />
= Other =<br />
<br />
* Ability to search large settings grids (Application Control Application List, Web Filter Categories, etc)<br />
* Many [https://jira.untangle.com/issues/?jql=project%20%3D%20NGFW%20AND%20fixVersion%20%3D%2014.1.0 bugfixes]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=NG_Firewall_Downloads&diff=26041NG Firewall Downloads2018-11-26T22:55:13Z<p>Dmorris: </p>
<hr />
<div>= Current Version =<br />
<br />
== 14.1.0 ==<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Image !! Link <br />
|-<br />
| ISO CD Installer (64-bit/amd64/x64)<br />
| [http://download.untangle.com/untangle_1410_x64.iso untangle_1410_x64.iso]<br />
|-<br />
| IMG USB Installer (64-bit/amd64/x64)<br />
| [http://download.untangle.com/untangle_1410_x64.img untangle_1410_x64.img]<br />
|-<br />
| ISO CD Installer (32-bit/i386)<br />
| [http://download.untangle.com/untangle_1410_x32.iso untangle_1410_x32.iso]<br />
|-<br />
| IMG USB Installer (32-bit/i386)<br />
| [http://download.untangle.com/untangle_1410_x32.img untangle_1410_x32.img]<br />
|-<br />
| OVA Virtual Image <br />
| [http://download.untangle.com/untangle_1410_x64.ova untangle_1410_x64.ova]<br />
|}<br />
<br />
= Old Versions =<br />
<br />
== 14.0.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1401_x32.iso untangle_1401_x32.iso]<br />
* [http://download.untangle.com/untangle_1401_x32.img untangle_1401_x32.img]<br />
* [http://download.untangle.com/untangle_1401_x64.iso untangle_1401_x64.iso]<br />
* [http://download.untangle.com/untangle_1401_x64.img untangle_1401_x64.img]<br />
* [http://download.untangle.com/untangle_1401_x64.ova untangle_1401_x64.ova]<br />
* [http://download.untangle.com/untangle_1401_linksys_wrt1900acs.zip untangle_1401_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1401_turris_omnia.zip untangle_1401_turris_omnia.zip]<br />
<br />
== 14.0.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1400_x32.iso untangle_1400_x32.iso]<br />
* [http://download.untangle.com/untangle_1400_x32.img untangle_1400_x32.img]<br />
* [http://download.untangle.com/untangle_1400_x64.iso untangle_1400_x64.iso]<br />
* [http://download.untangle.com/untangle_1400_x64.img untangle_1400_x64.img]<br />
* [http://download.untangle.com/untangle_1400_x64.ova untangle_1400_x64.ova]<br />
* [http://download.untangle.com/untangle_1400_linksys_wrt1900acs.zip untangle_1400_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1400_turris_omnia.zip untangle_1400_turris_omnia.zip]<br />
<br />
== 13.2.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1321_x32.iso untangle_1321_x32.iso]<br />
* [http://download.untangle.com/untangle_1321_x32.img untangle_1321_x32.img]<br />
* [http://download.untangle.com/untangle_1321_x64.iso untangle_1321_x64.iso]<br />
* [http://download.untangle.com/untangle_1321_x64.img untangle_1321_x64.img]<br />
* [http://download.untangle.com/untangle_1321_x64.ova untangle_1321_x64.ova]<br />
* [http://download.untangle.com/untangle_1321_linksys_wrt1900acs.zip untangle_1321_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1321_turris_omnia.zip untangle_1321_turris_omnia.zip]<br />
<br />
== 13.2.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1320_x32.iso untangle_1320_x32.iso]<br />
* [http://download.untangle.com/untangle_1320_x32.img untangle_1320_x32.img]<br />
* [http://download.untangle.com/untangle_1320_x64.iso untangle_1320_x64.iso]<br />
* [http://download.untangle.com/untangle_1320_x64.img untangle_1320_x64.img]<br />
* [http://download.untangle.com/untangle_1320_x64.ova untangle_1320_x64.ova]<br />
* [http://download.untangle.com/untangle_1320_linksys_wrt1900acs.zip untangle_1320_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1320_turris_omnia.zip untangle_1320_turris_omnia.zip]<br />
<br />
== 13.1.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1311_x32.iso untangle_1311_x32.iso]<br />
* [http://download.untangle.com/untangle_1311_x32.img untangle_1311_x32.img]<br />
* [http://download.untangle.com/untangle_1311_x64.iso untangle_1311_x64.iso]<br />
* [http://download.untangle.com/untangle_1311_x64.img untangle_1311_x64.img]<br />
* [http://download.untangle.com/untangle_1311_x64.ova untangle_1311_x64.ova]<br />
* [http://download.untangle.com/untangle_1311_linksys_wrt1900acs.zip untangle_1311_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1311_turris_omnia.zip untangle_1311_turris_omnia.zip]<br />
* [http://download.untangle.com/untangle_1311_asus_ac88u.zip untangle_1311_asus_ac88u.zip]<br />
<br />
== 13.1.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1310_x32.iso untangle_1310_x32.iso]<br />
* [http://download.untangle.com/untangle_1310_x32.img untangle_1310_x32.img]<br />
* [http://download.untangle.com/untangle_1310_x64.iso untangle_1310_x64.iso]<br />
* [http://download.untangle.com/untangle_1310_x64.img untangle_1310_x64.img]<br />
* [http://download.untangle.com/untangle_1310_x64.ova untangle_1310_x64.ova]<br />
* [http://download.untangle.com/untangle_1310_linksys_wrt1900acs.zip untangle_1310_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1310_turris_omnia.zip untangle_1310_turris_omnia.zip]<br />
* [http://download.untangle.com/untangle_1310_asus_ac88u.zip untangle_1310_asus_ac88u.zip]<br />
<br />
== 13.0.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1300_x32.iso untangle_1300_x32.iso]<br />
* [http://download.untangle.com/untangle_1300_x32.img untangle_1300_x32.img]<br />
* [http://download.untangle.com/untangle_1300_x64.iso untangle_1300_x64.iso]<br />
* [http://download.untangle.com/untangle_1300_x64.img untangle_1300_x64.img]<br />
* [http://download.untangle.com/untangle_1300_x64.ova untangle_1300_x64.ova]<br />
* [http://download.untangle.com/untangle_1300_linksys_wrt1900acs.zip untangle_1300_linksys_wrt1900acs.zip]<br />
* [http://download.untangle.com/untangle_1300_turris_omnia.zip untangle_1300_turris_omnia.zip]<br />
* [http://download.untangle.com/untangle_1300_asus_ac88u.zip untangle_1300_asus_ac88u.zip]<br />
<br />
== 12.2.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1221_x32.iso untangle_1221_x32.iso]<br />
* [http://download.untangle.com/untangle_1221_x32.img untangle_1221_x32.img]<br />
* [http://download.untangle.com/untangle_1221_x64.iso untangle_1221_x64.iso]<br />
* [http://download.untangle.com/untangle_1221_x64.img untangle_1221_x64.img]<br />
* [http://download.untangle.com/untangle_1221_x64.ova untangle_1221_x64.ova]<br />
* [http://download.untangle.com/untangle_1221_linksys_wrt1900acs.rootfs untangle_1221_linksys_wrt1900acs.rootfs]<br />
* [http://download.untangle.com/untangle_1221_linksys_wrt1900acs.trx untangle_1221_linksys_wrt1900acs.trx]<br />
* [http://download.untangle.com/untangle_1221_asus_rt_ac88u.rootfs untangle_1221_asus_rt_ac88u.rootfs]<br />
* [http://download.untangle.com/untangle_1221_asus_rt_ac88u.trx untangle_1221_asus_rt_ac88u.trx]<br />
<br />
== 12.2.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1220_x32.iso untangle_1220_x32.iso]<br />
* [http://download.untangle.com/untangle_1220_x32.img untangle_1220_x32.img]<br />
* [http://download.untangle.com/untangle_1220_x64.iso untangle_1220_x64.iso]<br />
* [http://download.untangle.com/untangle_1220_x64.img untangle_1220_x64.img]<br />
* [http://download.untangle.com/untangle_1220_x64.ova untangle_1220_x64.ova]<br />
<br />
== 12.1.2 ==<br />
<br />
* [http://download.untangle.com/untangle_1212_x32.iso untangle_1212_x32.iso]<br />
* [http://download.untangle.com/untangle_1212_x32.img untangle_1212_x32.img]<br />
* [http://download.untangle.com/untangle_1212_x64.iso untangle_1212_x64.iso]<br />
* [http://download.untangle.com/untangle_1212_x64.img untangle_1212_x64.img]<br />
* [http://download.untangle.com/untangle_1212_x64.ova untangle_1212_x64.ova]<br />
<br />
== 12.1.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1210_x32.iso untangle_1210_x32.iso]<br />
* [http://download.untangle.com/untangle_1210_x32.img untangle_1210_x32.img]<br />
* [http://download.untangle.com/untangle_1210_x64.iso untangle_1210_x64.iso]<br />
* [http://download.untangle.com/untangle_1210_x64.img untangle_1210_x64.img]<br />
* [http://download.untangle.com/untangle_1210_x64.ova untangle_1210_x64.ova]<br />
<br />
== 12.0.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1200_x32.iso untangle_1200_x32.iso]<br />
* [http://download.untangle.com/untangle_1200_x32.img untangle_1200_x32.img]<br />
* [http://download.untangle.com/untangle_1200_x64.iso untangle_1200_x64.iso]<br />
* [http://download.untangle.com/untangle_1200_x64.img untangle_1200_x64.img]<br />
* [http://download.untangle.com/untangle_1200_x64.ova untangle_1200_x64.ova]<br />
<br />
== 11.2.1 ==<br />
<br />
* [http://download.untangle.com/untangle_1121_x32.iso untangle_1121_x32.iso]<br />
* [http://download.untangle.com/untangle_1121_x32.img untangle_1121_x32.img]<br />
* [http://download.untangle.com/untangle_1121_x64.iso untangle_1121_x64.iso]<br />
* [http://download.untangle.com/untangle_1121_x64.img untangle_1121_x64.img]<br />
* [http://download.untangle.com/untangle_1121_x64.ova untangle_1121_x64.ova]<br />
<br />
== 11.2.0 ==<br />
<br />
* [http://download.untangle.com/untangle_1120_x32.iso untangle_1120_x32.iso]<br />
* [http://download.untangle.com/untangle_1120_x32.img untangle_1120_x32.img]<br />
* [http://download.untangle.com/untangle_1120_x64.iso untangle_1120_x64.iso]<br />
* [http://download.untangle.com/untangle_1120_x64.img untangle_1120_x64.img]<br />
* [http://download.untangle.com/untangle_1120_x64.ova untangle_1120_x64.ova]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Date_Changelog&diff=26029Date Changelog2018-11-14T20:38:52Z<p>Dmorris: </p>
<hr />
<div>This is the complete changelog including any time packages are released that do not have new major.minor version numbers. <br />
<br />
Major releases are documented in the primary [[Changelog]].<br />
<br />
== 14.1.0 build2 2018-11-14 ==<br />
* Fix issue with creating alert rules<br />
* Fix duplicate condition in UI<br />
* Fix backup/restore supported versions<br />
<br />
== 14.1.0 build1 2018-11-13 ==<br />
* [[14.1.0_Changelog]]<br />
<br />
== 14.0.1 build2 2018-08-27 ==<br />
* Fix issue with captive portal & username capitalization<br />
* Spam Blocker plugin license check fix<br />
<br />
== 14.0.1 build1 2018-08-23 ==<br />
* [[14.0.1_Changelog]]<br />
<br />
== 14.0.0 build5 2018-08-10 ==<br />
* Fix issue with datepicker selecting past month/days<br />
* Fix some LCD issues<br />
* Minor tweaks to reports performance tuning<br />
* Fix certificate verification process<br />
* Fix setup wizard to bridge the wifi to External if Internal is bridged<br />
* Add report title to exported image<br />
* Fix dashboard auto-refresh hang issue<br />
* Fix upgrade issue with some international languages<br />
* Security fixes<br />
<br />
== 14.0.0 build4 2018-07-09 ==<br />
* Fix possible conflict between Tunnel VPN and OpenVPN<br />
* Fix reports data export date range issue<br />
* Fix issue with editing Event Rules<br />
* Fix warning about auth.txt permissions in Tunnel VPN<br />
* Allow multiple of same type conditions in dashboard/reports<br />
* Some changes to setup wizard for AWS deployments<br />
* Improve Captive Portal user cleanup tasks<br />
* Fix Tunnel VPN cleanup on uninstall<br />
<br />
== 14.0.0 build3 2018-06-26 ==<br />
* Fix IPS issue with certain rules<br />
* Fix HTTP port redirect issue<br />
* Fix systemd interference with untangle-vm thread max<br />
* Fix syslog issue logging to incorrect files<br />
<br />
== 14.0.0 build2 2018-06-18 ==<br />
* Fix issue with emailed report summary image width and height<br />
* Add automatic restart of IPsec daemon on certificate change<br />
* Fix ddclient restart issue<br />
* Fix upgrade issue with CD-ROM sources.list<br />
* Fix a widget refresh issue on dashboard<br />
* Fix issue with clicking on pie graphs adding the wrong value<br />
* Add new admin notification for when the timezone has changed<br />
* Fix console issues on firmware builds<br />
<br />
== 14.0.0 build1 2018-06-08 ==<br />
* [[14.0.0 Changelog]]<br />
<br />
== 13.2.1 build2 2018-04-13 ==<br />
* Fix GRE issue where no remote network is specified<br />
* Fix captive portal host table cleanup issue<br />
* Fix network settings conversion issue<br />
<br />
== 13.2.1 build1 2018-04-03 ==<br />
* [[13.2.1 Changelog]]<br />
<br />
== 13.2.0 build3 2018-02-13 ==<br />
* Fix text administration on tty console errors<br />
* Add support for username/password for site-to-site<br />
* Fix Turris Omnia image <br />
* Remove "Automatic" from channel selection options<br />
* Fix Captive Portal HTTPS port issue<br />
* Fix cloned sql conditions when creating reports issue<br />
* Fix to gracefully handle invalid reports<br />
* Fix email quarantine to update when releasing<br />
<br />
== 13.2.0 build2 2018-01-30 ==<br />
* Fix firmware issue with turris and linksys<br />
* Fix openvpn multifactor auth issue<br />
* Fix OVA filesystem resize issue<br />
* Fix port forward simple mode issue<br />
* Fix some scrollbar issues<br />
* Fix IPS settings modification issue<br />
<br />
== 13.2.0 build1 2018-01-16 ==<br />
* [[13.2.0 Changelog]]<br />
<br />
== 13.1.1 build2 2018-01-05 ==<br />
* Fix NIC ordering issue on specific appliance<br />
<br />
== 13.1.1 build1 2017-12-08 ==<br />
* Minor bug fixes [[13.1.1 Changelog]]<br />
<br />
== 13.1.0 build7 2017-10-16 ==<br />
* Upstream security fixes (for [https://www.documentcloud.org/documents/4109401-KRACK-Attacks.html krack] vulnerability)<br />
<br />
== 13.1.0 build6 2017-10-12 ==<br />
* Fix emailed report summaries image issue<br />
* Fix editing port forward rules issue<br />
<br />
== 13.1.0 build5 2017-10-10 ==<br />
* Upstream security fixes<br />
* Fix reports-only users<br />
* Fix quarantine issue<br />
* Fix IPS interface detection<br />
* Fix issue with editing port forward rules<br />
* Fix issue with Virus Blocker displaying invalid license when it is valid<br />
<br />
== 13.1.0 build4 2017-09-26 ==<br />
* 86df013 [src] Fix dates (timezone) issues<br />
* 3c7eb8c [src] Fix PPPoE wizard issues<br />
* 8249ca3 [src] Updated localization strings<br />
<br />
== 13.1.0 build3 2017-09-22 ==<br />
* Fix issues with saving devices/users<br />
* Fix issues with reports browsing and breadcrumbs<br />
* Fix timezone display issue in reports<br />
* Fix saving of Tunnel VPN that occurred for some devices<br />
* Fix PPPoE issues in setup wizard<br />
* Fix more issues with "Reset View"<br />
<br />
== 13.1.0 build2 2017-09-12 ==<br />
* Add more error checking to tunnel VPN import<br />
* Fix setup wizard NIC remapping issue with drag and drop<br />
* Fix "Reset View" odd behavior <br />
<br />
== 13.1.0 build1 2017-09-06 ==<br />
* [[13.1.0 Changelog]]<br />
<br />
== 13.0.0 build8 2017-06-23 ==<br />
* Fix date rendering issue<br />
* Fix UPnP issue and UPnP status display<br />
* Fix restore issue when selecting without network settings<br />
<br />
== 13.0.0 build7 2017-06-22 ==<br />
* Many UI fixes<br />
* Some UI javascript optimizations<br />
<br />
== 13.0.0 build6 2017-06-10 ==<br />
* Many UI fixes<br />
* Upstream security updates<br />
<br />
== 13.0.0 build5 2017-06-01 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build4 2017-05-24 ==<br />
* Many UI fixes<br />
* L2TP fix and IPsec to OpenVPN fix<br />
<br />
== 13.0.0 build3 2017-05-17 ==<br />
* Many UI fixes<br />
* Fix kernel version issue for linksys & turris firmware<br />
<br />
== 13.0.0 build2 2017-05-10 ==<br />
* Many UI fixes<br />
<br />
== 13.0.0 build1 2017-04-28 ==<br />
* [[13.0.0 Changelog]]<br />
<br />
== 12.2.1 build2 2017-02-09 ==<br />
* Fix an issue with interface usage report<br />
* Many linksys WRT1900ACS improvements<br />
<br />
== 12.2.1 build1 2017-02-01 ==<br />
* [[12.2.1 Changelog]]<br />
<br />
== 12.2.0 build5 2017-01-11 ==<br />
* Fix copy function for email templates<br />
* Fix i18n in captive portal page<br />
* Fix active hosts graph<br />
* Fix reports event logs not returning first entry<br />
* Changed UPnP daemon to version compiled without --igd2<br />
<br />
== 12.2.0 build4 2017-01-05 ==<br />
* Email report rendering improvements<br />
* Default email template changes <br />
* UPnP input filter rules added<br />
* UPnP fixes<br />
<br />
== 12.2.0 build3 2016-12-27 ==<br />
* Fix a web filter rule exception<br />
* Change email image max-width<br />
<br />
== 12.2.0 build2 2016-12-22 ==<br />
* Fix sources.list rewrite<br />
* Fix other small issues<br />
<br />
== 12.1.1 build2 2016-09-15 ==<br />
* Fix more PPPoE issues<br />
<br />
== 12.1.1 build1 2016-09-13 ==<br />
* [[12.1.1 Changelog]]</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Interfaces&diff=24877Interfaces2018-11-11T00:34:01Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource network_interfaces">Interfaces</span><br />
<span style="display:none" class="helpSource network_interface_status">Interfaces#Interface_Status</span><br />
<br />
= Interfaces =<br />
<br />
The Interfaces page configures the network interfaces of the server.<br />
<br />
== Interfaces Grid ==<br />
<br />
The Interfaces tab shows the current interfaces along with their status and some configuration information.<br />
<br />
{{TriScreenshot|config|network|interfaces}}<br />
<br />
There are several columns along the top of the grid that show the current interface status and configuration. Some are hidden by default and can be shown by using the dropdown at the top of the column.<br />
<br />
'''Columns'''<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Column !! Description <br />
<br />
|-<br />
| style="width: 15%;" | Id<br />
| The Id is a unique integer primary key of the interface. All configuration of interfaces will refer to Id.<br />
<br />
|- <br />
| Name<br />
| This is a name/description of the interface. It is recommended to choose names representative of their purpose.<br />
<br />
|-<br />
| Connected<br />
| This shows the current "connected" state of the device currently mapped to this interface. This may not display correctly for all network interface cards.<br />
<br />
|-<br />
| Device<br />
| This shows the current network device (physical NIC card or wireless card) mapped to this interface.<br />
<br />
|- <br />
| Physical Device<br />
| Hidden by default, this shows the current "Physical Device" for this interface.<br />
<br />
|- <br />
| System Device<br />
| Hidden by default, this shows the current "System Device" for this interface.<br />
<br />
|- <br />
| Symbolic Device<br />
| Hidden by default, this shows the current "Symbolic Device" for this interface.<br />
<br />
|-<br />
| Config<br />
| This shows the current type of configuration for this interface. ADDRESSED, BRIDGED, or DISABLED.<br />
<br />
|-<br />
| Current Address<br />
| This shows the current address of the interface, if there is one. <br />
<br />
|-<br />
| is WAN<br />
| This shows true if the interface is configured as a WAN, false otherwise.<br />
<br />
|-<br />
| Delete<br />
| This column shows a delete button on VLAN Tagged Interfaces to delete the interface. Physical interfaces cannot be deleted unless their physical devices have been removed from the system.<br />
<br />
|-<br />
| Edit<br />
| This column shows an edit button to edit the configuration of this interface.<br />
<br />
|}<br />
<br />
There are also several options along the bottom.<br />
<br />
* Remap Interfaces<br />
** This utility can be used to change the mapping between physical devices and the corresponding interface configurations. This is useful if you want to use certain physical devices for certain purposes. For example, the gigabit cards for internal and external networks and the 100Mbit card for wireless because it's only wireless.<br />
* Refresh Device Status<br />
** This refreshes the "Connected" column in the interfaces grid. To verify your interface mapping plug/unplug one network card at a time and hit ''Refresh Device Status'' to verify that the expected interface changes the Connected status.<br />
* Add VLAN Tagged Interface<br />
** This allows for the addition of 802.1q VLAN tagged interfaces. For more information read [[Network Configuration#VLANs]].<br />
* Test Connectivity<br />
** This button launches the connectivity test to verify the server is online.<br />
* Ping Test <br />
** This button launches the ping test for troubleshooting configuration.<br />
<br />
<br />
== Interface Configuration ==<br />
<br />
Clicking the edit button on an interface will open the interface configuration settings for that interface.<br />
<br />
An interface can be configured in many ways. Some settings and configuration options are only relevant and/or available in certain configurations. As such, based on an interface's configuration certain options may appear and disappear. For example, when checking 'is WAN' the options available to WAN interfaces will appear. After unchecking 'is WAN' the WAN options will disappear and the options for non-WAN interfaces will appear. Because of this it is suggested to configure your interface from the top of the page downward.<br />
<br />
The table below shows the various configuration options and their meanings.<br />
<br />
<br />
'''Interface Options'''<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Option !! Description <br />
<br />
|- <br />
| style="width: 20%;" | Interface Name<br />
| This is a name/description of the interface. It is recommended to choose names representative of their purpose.<br />
<br />
|-<br />
| is VLAN (802.1q) Interface<br />
| This is true if this is a tagged VLAN interface. Otherwise this is not shown.<br />
<br />
|-<br />
| Parent Interface<br />
| This is the parent interface for this tagged VLAN interface. This is only shown for VLAN interfaces.<br />
<br />
|-<br />
| 802.1q Tag<br />
| This is the VLAN tag for this interface. This is only shown for VLAN interfaces.<br />
<br />
|-<br />
| Is Wireless Interface<br />
| This is available if the interface is detected as a wireless (wlan) interface. Otherwise this is not shown.<br />
<br />
|-<br />
| Config Type<br />
| This is the basic configuration type of this interface. ''Addressed'' means this interface has its own address and configuration. ''Bridged'' means this interface is bridged to another interface. ''Disabled'' means this interface is entirely disabled.<br />
<br />
|-<br />
| is WAN Interface<br />
| This should be checked if this is a WAN (Wide Area Network) interface. This means it is connected to your ISP or an internet connection. This should be unchecked if this interface is connected to a private/local network. <br />
<br />
|}<br />
<br />
<br />
'''Wireless Configuration''' - This section configures the wireless settings for wireless interfaces. This is only shown for wireless interfaces.<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Option !! Description <br />
|-<br />
| SSID<br />
| The broadcasted [https://en.wikipedia.org/wiki/Service_set_(802.11_network) Service Set Identifier (SSID)] for the wireless network. <br />
<br />
|- <br />
| Mode<br />
| '''AP''' (Access Point) or '''Client'''.<br />
<br />
|- <br />
| Encryption<br />
| Encryption method used for the wireless signal. WPA2 is recommended.<br />
<br />
|-<br />
| Password<br />
| When encryption is enabled, a password will be required to access the network. <br />
<br />
|-<br />
| Channel<br />
| Choose from the available channels and the 2.4GHz or 5GHz frequencies. The options available here are dependent on your wireless card. '''WARNING:''' Many chips/drivers do not correctly implement "Automatic" (ACS or Automatic Channel Survey) so it may not work depending on your card. '''NOTICE:''' Automatic channel selection has been removed from modern builds due to lack of support and usability issues.<br />
<br />
|}<br />
<br />
<br />
'''IPv4 Options''' - This section configures the IPv4 (Internet Protocol v4) settings of this interface.<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Option !! Description <br />
<br />
|- <br />
| style="width: 20%;" | Config Type<br />
| This is the IPv4 configuration type. ''Static'' means this interface has a static IPv4 address. ''Auto (DHCP)'' means this interface will use DHCP to automatically acquire an address. ''PPPoE'' means this interface will use PPPoE to acquire an address. This option is only available for WAN interfaces because non-WANs can only be statically configured.<br />
<br />
|-<br />
| Address<br />
| This is the IPv4 static address. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Netmask<br />
| This is the IPv4 static netmask. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Gateway<br />
| This is the IPv4 static gateway. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Primary DNS<br />
| This is the primary DNS used for DNS resolution. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Secondary DNS<br />
| This is the secondary DNS used for DNS resolution. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Address Override<br />
| If set, this address will be used instead of the one in the offered DHCP lease. It is only shown if Config Type is ''Auto (DHCP)''<br />
<br />
|-<br />
| Netmask Override<br />
| If set, this netmask will be used instead of the one in the offered DHCP lease. It is only shown if Config Type is ''Auto (DHCP)''<br />
<br />
|-<br />
| Gateway Override<br />
| If set, this gateway will be used instead of the one in the offered DHCP lease. It is only shown if Config Type is ''Auto (DHCP)''<br />
<br />
|-<br />
| Primary DNS Override<br />
| If set, this will be used instead of the one in the offered DHCP lease. It is only shown if Config Type is ''Auto (DHCP)''<br />
<br />
|-<br />
| Secondary DNS Override<br />
| If set, this will be used instead of the one in the offered DHCP lease. It is only shown if Config Type is ''Auto (DHCP)''<br />
<br />
|- <br />
| Username<br />
| This is the PPPoE username. It is only shown in Config Type ''PPPoE''<br />
<br />
|- <br />
| Password<br />
| This is the PPPoE password. It is only shown in Config Type ''PPPoE''<br />
<br />
|- <br />
| Use Peer DNS<br />
| If checked the server will use the DNS provided by the PPPoE server for DNS resolution. It is only shown in Config Type ''PPPoE''<br />
<br />
|-<br />
| Primary DNS<br />
| The primary DNS to be used for DNS resolution. It is only shown in Config Type ''PPPoE'' and ''Use Peer DNS'' is unchecked.<br />
<br />
|-<br />
| Secondary DNS<br />
| The secondary DNS to be used for DNS resolution. It is only shown in Config Type ''PPPoE'' and ''Use Peer DNS'' is unchecked.<br />
<br />
|-<br />
| IPv4 Aliases<br />
| This is a list of ''alias'' addresses. This is an additional list of addresses that this interface will have along with their associated netmasks. <br />
<br />
|-<br />
| IPv4 Options - NAT traffic exiting this interface (and bridged peers)<br />
| This option is only available on WAN Interfaces and defaults to checked. If checked all traffic exiting this interface and interfaces bridged to it will be NATd, and all incoming sessions from this interface will be blocked unless they are forwarded via a [[Port Forward Rules|port forward]] or destined to the local server. <br />
<br />
|-<br />
| IPv4 Options - NAT traffic coming from this interface (and bridged peers)<br />
| This option is only available on non-WAN Interfaces and defaults to unchecked. If checked all traffic coming from this interface and interfaces bridged to it will be NATd, and all incoming sessions to this interface will be blocked unless they are forwarded via a [[Port Forward Rules|port forward]]. <br />
<br />
|}<br />
<br />
<br />
'''IPv6 Options''' - This section configures the IPv6 (Internet Protocol v6) settings of this interface.<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Option !! Description <br />
<br />
|- <br />
| style="width: 20%;" | Config Type<br />
| This is the IPv6 configuration type. ''Disabled'' means the interface has no IPv6 configuration. ''Static'' means this interface has a static IPv6 address. ''Auto (SLAAC/RA)'' means this interface will use SLAAC to automatically acquire an address. This option is only available for WAN interfaces because non-WANs can only be statically configured.<br />
<br />
|-<br />
| Address<br />
| This is the IPv6 static address. Blank is allowed and means no IPv6 address will be given. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Prefix<br />
| This is the IPv6 static prefix. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Gateway<br />
| This is the IPv6 static gateway. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Primary DNS<br />
| This is the primary DNS used for DNS resolution. It is only shown if Config Type is ''Static''<br />
<br />
|-<br />
| Secondary DNS<br />
| This is the secondary DNS used for DNS resolution. It is only shown if Config Type is ''Static''<br />
|-<br />
<br />
|-<br />
| IPv6 Aliases<br />
| This is a list of ''alias'' addresses. This is an additional list of addresses that this interface will have along with their associated netmasks. This is only available on non-WAN interfaces.<br />
<br />
|-<br />
| IPv6 Options - Send Router Advertisements<br />
| If checked, router advertisements are sent on this interface. This is only available on non-WAN interfaces.<br />
<br />
|}<br />
<br />
<br />
'''DHCP Configuration''' - This configures the DHCP serving options on this interface. DHCP Serving is only available on ''Addressed'' non-WAN interfaces.<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Option !! Description <br />
<br />
|-<br />
| style="width: 20%;" | Enable DHCP Serving<br />
| If checked, DHCP will be served to this interface so that machines can automatically acquire addresses.<br />
<br />
|-<br />
| Range Start<br />
| The start of the DHCP range. If blank and DHCP Serving is enabled a start range will automatically be chosen.<br />
<br />
|-<br />
| Range end<br />
| The end of the DHCP range. If blank and DHCP Serving is enabled a start range will automatically be chosen.<br />
<br />
|-<br />
| Lease duration<br />
| The duration of the provided DHCP leases in seconds.<br />
<br />
|-<br />
| Gateway Override<br />
| If set, this value will be provided as the gateway in the DHCP leases. If unset, the static IPv4 address of this interface will be provided as the gateway.<br />
<br />
|-<br />
| Netmask Override<br />
| If set, this value will be provided as the netmask in the DHCP leases. If unset, the static IPv4 netmask of this interface will be provided as the netmask.<br />
<br />
|-<br />
| DNS Override<br />
| If set, this value will be provided as the DNS in the DHCP leases. If unset, the static IPv4 address of this interface will be provided as the DNS. A single IPv4 address or a comma-separated list of IPv4 addresses is accepted.<br />
<br />
|- <br />
| DHCP Options<br />
| This is a list of DHCP options for dnsmasq. '''WARNING:''' this option is for advanced users. The specified [http://www.networksorcery.com/enp/protocol/bootp/options.htm DHCP options] will be used on this interface. For example, to specify an NTP server use enabled = true, description = "time server", and value = "42,192.168.1.2". For multiple DNS override servers specify enabled = true, description = "DNS", and value = "6,192.168.1.1,192.168.1.2". The value must be specified in a valid dnsmasq format as described in the [http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html dnsmasq documentation]<br />
<br />
|}<br />
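The DHCP serving fields above can be sanity-checked before they are saved. The following is an added example, not code from the Untangle project: the function names, argument names and the (enabled, description, value) tuple layout are hypothetical, and only the numeric "code,value" option form shown in the table is handled. It does not assume which setting wins when DNS or the gateway is set in two places; it only flags the overlap for review.

```python
import ipaddress

# DHCP option codes whose payload is a list of IPv4 addresses (RFC 2132).
ADDRESS_OPTIONS = {3: "router", 6: "DNS server", 42: "NTP server"}


def parse_dhcp_option(value):
    """Parse a numeric entry such as "6,192.168.1.1,192.168.1.2".

    Returns (code, args); raises ValueError on malformed input.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) < 2 or "" in parts:
        raise ValueError("expected 'code,value[,value...]': %r" % value)
    if not (parts[0].isascii() and parts[0].isdigit()):
        raise ValueError("option code is not a number: %r" % parts[0])
    code = int(parts[0])
    if not 1 <= code <= 254:
        raise ValueError("option code out of range 1-254: %d" % code)
    args = parts[1:]
    if code in ADDRESS_OPTIONS:
        # AddressValueError subclasses ValueError, so callers catch one type.
        args = [ipaddress.IPv4Address(a) for a in args]
    return code, args


def lint_dhcp_serving(interface, range_start, range_end, options=(),
                      gateway_override=None, dns_override=None):
    """Return a list of findings for one interface's DHCP serving settings.

    interface is the static address with prefix, e.g. "192.168.1.1/24".
    options is a list of (enabled, description, value) tuples.
    """
    findings = []
    iface = ipaddress.IPv4Interface(interface)
    net = iface.network
    start = ipaddress.IPv4Address(range_start)
    end = ipaddress.IPv4Address(range_end)

    if start > end:
        findings.append("range start %s is above range end %s" % (start, end))
    for label, addr in (("range start", start), ("range end", end)):
        if addr not in net:
            findings.append("%s %s is outside %s" % (label, addr, net))
        elif addr in (net.network_address, net.broadcast_address):
            findings.append("%s %s is the network or broadcast address"
                            % (label, addr))
    if start <= iface.ip <= end:
        findings.append("range includes the interface address %s" % iface.ip)
    if gateway_override is not None:
        gateway = ipaddress.IPv4Address(gateway_override)
        if gateway not in net:
            findings.append("gateway override %s is outside %s" % (gateway, net))

    seen = {}  # option code -> description of the first enabled entry
    for enabled, description, value in options:
        if not enabled:
            continue
        try:
            code, args = parse_dhcp_option(value)
        except ValueError as exc:
            findings.append("option %r: %s" % (description, exc))
            continue
        if code in seen:
            findings.append("option %r repeats code %d already set by %r"
                            % (description, code, seen[code]))
        seen.setdefault(code, description)
        if code == 3:
            # Clients cannot use a default router that is off their subnet.
            for addr in args:
                if addr not in net:
                    findings.append("option %r: router %s is outside %s"
                                    % (description, addr, net))
    if 6 in seen and dns_override:
        findings.append("DNS is set in DNS Override and in option %r; "
                        "confirm which servers clients receive" % seen[6])
    if 3 in seen and gateway_override:
        findings.append("gateway is set in Gateway Override and in option %r; "
                        "confirm which router clients receive" % seen[3])
    return findings


# Constructed sample settings; the first two values are the table's examples.
SAMPLE_OPTIONS = [
    (True, "time server", "42,192.168.1.2"),
    (True, "DNS", "6,192.168.1.1,192.168.1.2"),
    (True, "bad router", "3,192.168.2.1"),
    (True, "typo", "42,192.168.1.300"),
    (False, "disabled junk", "not-an-option"),
]

if __name__ == "__main__":
    for finding in lint_dhcp_serving("192.168.1.1/24", "192.168.1.100",
                                     "192.168.1.200", SAMPLE_OPTIONS,
                                     dns_override="192.168.1.1"):
        print(finding)
```

Because the DNS servers handed out in leases decide where every client on the interface sends its lookups, the overlap and format findings are worth reviewing whenever these settings change.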
<br />
<br />
'''Redundancy (VRRP) Configuration''' - This configures the VRRP redundancy options for this interface. VRRP is only available on statically assigned interfaces. VRRP documentation is [[Network_Configuration#VRRP|here]].<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Option !! Description <br />
<br />
|-<br />
| style="width: 20%;" | Enable VRRP<br />
| If checked, VRRP is enabled on this interface.<br />
<br />
|-<br />
| VRRP ID<br />
| The VRRP (group) ID of this server. Must match the VRRP ID of peers, but must be unique on the server. <br />
<br />
|-<br />
| VRRP Priority<br />
| The VRRP Priority of this server. Higher value is a higher priority. (1-255)<br />
<br />
|-<br />
| VRRP Aliases<br />
| The list of VRRP Virtual Addresses. This list should be the same on all VRRP peers.<br />
<br />
|}<br />
<br />
== Interface Status ==<br />
<br />
The ''status'' button on the interface brings up a window showing some of the statistics about the interface. This includes statistics, the ARP table, and the connected clients if it's a wireless interface.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Certificates&diff=24875Certificates2018-11-09T01:32:48Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource administration_certificates">Certificates</span><br />
<br />
= Certificates =<br />
<br />
{{TriScreenshot|config|administration|certificates}}<br />
<br />
==About Digital Certificates==<br />
<br />
The Untangle Server uses<br />
[http://en.wikipedia.org/wiki/Digital_Certificate digital certificates]<br />
when serving web content via<br />
[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL].<br />
The server certificate is mainly used to provide secure access to the Administrative Console, as well as<br />
the Email Quarantine features. The server also needs to generate imitation certificates on the fly when<br />
using the [[SSL Inspector]] application. There are two different ways to configure the certificate used by<br />
your server, depending on your specific requirements:<br />
<br />
# Create and use a server certificate signed by the internal certificate authority<br />
# Create a Certificate Signing Request [http://en.wikipedia.org/wiki/Certificate_signing_request (CSR)] which you can have signed by a third party certificate authority.<br />
<br />
If you plan on using the HTTPS Inspector application, option #1 is likely a good choice. Since you'll need to<br />
install the root certificate on all client computers and devices to use HTTPS Inspector effectively, it makes<br />
sense to also sign the certificate used by the Untangle server with this same CA.<br />
<br />
If you aren't going to use the HTTPS Inspector, or have some other reason to prefer a third party<br />
certificate, then option #2 may be a better choice. This will allow you to obtain and use a server<br />
certificate signed by a third party authority. The benefit here, assuming you use one of the<br />
standard and well known providers, is that their root certificate will already be included in<br />
the list of trusted CAs on client computers and devices, so you won't have to distribute and install<br />
a new root certificate.<br />
<br />
==Certificate Authority==<br />
During the initial server installation, a default Certificate Authority<br />
[http://en.wikipedia.org/wiki/Certificate_Authority (CA)]<br />
was created automatically. This CA is used to create and sign imitation certificates that are generated on<br />
the fly by the HTTPS Inspector application. It was also used to sign the default server certificate used<br />
by the server itself. You can use the default CA as is, or you can generate a new CA if you want to<br />
customize the information contained in the root certificate.<br />
<br />
===Generate Certificate Authority===<br />
When you click this button to generate a new CA, you will be presented with a popup form where you can<br />
enter the details to be included in the Subject DN of the new root certificate. Since this operation is creating a root certificate and not a<br />
server certificate, the CN field can contain most anything you like. Once the form is complete and you click<br />
the Generate button, the new CA will be created and the Certificate Authority information fields will be<br />
updated to display the contents of the new certificate.<br />
<br />
===Download Root Certificate===<br />
Click this button to download the root_authority.crt certificate file of the Certificate Authority on<br />
the Untangle server. If you are using HTTPS Inspector, or if you have configured your Untangle server<br />
to use a server certificate signed by the internal Certificate Authority, you will need to download<br />
and install this certificate on all client computers and devices to eliminate certificate warning messages<br />
when browsing or accessing secure content.<br />
<br />
===Download Root Certificate Installer===<br />
This button downloads a Windows installer that will automatically deploy the root certificate to Windows devices. This will allow for more efficient deployment of the root certificate above. Once installed, this will eliminate certificate warning messages when browsing or accessing secure content, or when using the HTTPS captive portal.<br />
<br />
==Server Certificate==<br />
The Server Certificate is used to secure all HTTPS connections with the Untangle server. This mainly<br />
applies to the Administrative Console and the Email Quarantine pages.<br />
<br />
During the initial server installation, a default certificate is created and signed using the<br />
default Certificate Authority that was also created during installation. You can use the default<br />
root certificate as is, or you can generate a new server certificate if you want to customize the<br />
information contained in the server certificate.<br />
<br />
===Generate Server Certificate===<br />
When you click this button to generate a new server certificate, you will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the server certificate. All fields<br />
are optional except for the Common Name (CN) field, which should contain the hostname that will be used<br />
to access the server.<br />
<br />
<b>Example:</b> hostname.domain.com<br />
<br />
Once the form is complete and you click the Generate button, the new server certificate will be<br />
created and the Untangle server will start using it immediately. The Server Certificate information<br />
fields will also be updated to display the contents of the new certificate.<br />
<br />
==Third Party Certificate==<br />
Instead of using a certificate signed by the local CA, you may instead prefer to have the Untangle server<br />
use a certificate signed by a well-known CA such as VeriSign or Thawte. The advantage to using this type<br />
of certificate is client computers and devices will need no additional configuration, since most browsers<br />
are already configured to trust certificates issued by these authorities.<br />
<br />
===Upload Server Certificate===<br />
Click the ''Upload Server Certificate'' button to upload an official signed certificate provided by a CA, or a certificate that you generated yourself.<br />
<br />
Certificates from CAs are provided in many different formats. The ''Import a certificate or key file'' button can be used to upload the certificates and keys. First, press ''Import a certificate or key file'' and select the certificate. Second, press the ''Import a certificate or key file'' and select the private key file. Repeat this process for any additional separate intermediate certificates (not commonly required). When finished, the "Server Certificate" field should contain the server cert, and the "Certificate Key" field should contain the private key. Additionally the "Optional Intermediate Certificates" field may be populated if the CA provided an intermediate certificate. At this point click ''Upload Certificate'' to upload the certificate. Don't forget to adjust how the new certificate will be used (HTTPS, IPSEC, etc) in the ''Server Certificates'' table!<br />
<br />
Alternatively, instead of importing files you can copy & paste the certificate, key, and intermediate certificates provided by the CA into the fields.<br />
<br />
===Create Signature Signing Request===<br />
Click the ''Create Signature Signing Request'' button to generate a signature signing request. You will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the CSR. Once the form is complete and<br />
you click Generate, a server_certificate.csr file will be downloaded to your computer. The certificate<br />
authority you choose will require this file, and possibly additional information to verify that you are<br />
the "owner" of the website for which you are requesting the certificate. When they receive all the<br />
required information, and any associated fee, they will issue you a new certificate file which you<br />
can upload to the Untangle server.<br />
<br />
===Import Signing Request Certificate===<br />
When you receive your signed certificate, click the ''Import Signing Server Certificate'' button to upload the certificate to the Untangle server. Certificates are provided in many different formats. <br />
<br />
You can select ''Import a certificate file'' to upload a certificate file provided by the signer. This will parse the file and put the result in the displayed ''Server Certificate'' field and any other optional "Intermediate Certificates" in the ''Optional Intermediate Certificates'' field. To finish the upload, click the ''Upload Certificate'' button.<br />
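<br />
A pre-upload check for the two flows described above (certificate plus key, and certificate returned for a CSR), as an added example that is not part of the Untangle documentation or product. It uses the OpenSSL command line to confirm that the key or CSR carries the same public key as the certificate, that the CN is the expected hostname, and that the certificate has not expired; the function names and file arguments are hypothetical, and PEM input with an unencrypted key is assumed.<br />

```sh
#!/bin/sh
# Pre-upload sanity checks for a CA-issued server certificate (added example).
# Assumes PEM files and an unencrypted private key; all names are placeholders.

# Print the SHA-256 of the DER-encoded public key found in a certificate,
# private key or CSR. Returns non-zero with no output when the file cannot be
# parsed, so two unreadable files can never "match" each other.
pubkey_hash() {   # $1 = cert|key|csr   $2 = PEM file
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the private key belongs to the certificate.
key_matches_cert() {   # $1 = certificate   $2 = private key
    c=$(pubkey_hash cert "$1") && k=$(pubkey_hash key "$2") && [ "$c" = "$k" ]
}

# Succeeds only if the certificate was issued for the CSR that was submitted.
cert_matches_csr() {   # $1 = certificate   $2 = CSR
    c=$(pubkey_hash cert "$1") && r=$(pubkey_hash csr "$2") && [ "$c" = "$r" ]
}

# Print the Common Name from the certificate's Subject DN.
cert_cn() {   # $1 = certificate
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Run every check and report each result; non-zero if any check fails.
# The CN comparison is an exact string match (no wildcard handling).
check_upload() {   # $1 = certificate   $2 = private key   $3 = expected hostname
    fails=0
    if key_matches_cert "$1" "$2"; then
        echo "PASS private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; fails=$((fails + 1))
    fi
    cn=$(cert_cn "$1")
    if [ "$cn" = "$3" ]; then
        echo "PASS CN is $3"
    else
        echo "FAIL CN is '$cn', expected '$3'"; fails=$((fails + 1))
    fi
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "PASS certificate has not expired"
    else
        echo "FAIL certificate is expired or unreadable"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Run as: sh precheck.sh server.crt server.key hostname.domain.com
if [ "$#" -eq 3 ]; then check_upload "$@"; fi
```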
<br />
Alternatively, you can copy and paste the certificate (text) provided by the signer into the fields and click ''Upload Certificate''.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Certificates&diff=24874Certificates2018-11-09T01:32:33Z<p>Dmorris: </p>
<hr />
<div><span style="display:none" class="helpSource administration_certificates">Certificates</span><br />
<br />
= Certificates =<br />
<br />
{{TriScreenshot|config|administration|certificates}}<br />
<br />
==About Digital Certificates==<br />
<br />
The Untangle Server uses<br />
[http://en.wikipedia.org/wiki/Digital_Certificate digital certificates]<br />
when serving web content via<br />
[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL].<br />
The server certificate is mainly used to provide secure access to the Administrative Console, as well as<br />
the Email Quarantine features. The server also needs to generate imitation certificates on the fly when<br />
using the [[SSL Inspector]] application. There are two different ways to configure the certificate used by<br />
your server, depending on your specific requirements:<br />
<br />
# Create and use a server certificate signed by the internal certificate authority<br />
# Create a Certificate Signing Request [http://en.wikipedia.org/wiki/Certificate_signing_request (CSR)] which you can have signed by a third party certificate authority.<br />
<br />
If you plan on using the HTTPS Inspector application, option #1 is likely a good choice. Since you'll need to<br />
install the root certificate on all client computers and devices to use HTTPS Inspector effectively, it makes<br />
sense to also sign the certificate used by the Untangle server with this same CA.<br />
<br />
If you aren't going to use the HTTPS Inspector, or have some other reason to prefer a third party<br />
certificate, then option #2 may be a better choice. This will allow you to obtain and use a server<br />
certificate signed by a third party authority. The benefit here, assuming you use one of the<br />
standard and well-known providers, is that their root certificate will already be included in<br />
the list of trusted CAs on client computers and devices, so you won't have to distribute and install<br />
a new root certificate.<br />
<br />
==Certificate Authority==<br />
During the initial server installation, a default Certificate Authority<br />
[http://en.wikipedia.org/wiki/Certificate_Authority (CA)]<br />
was created automatically. This CA is used to create and sign imitation certificates that are generated on<br />
the fly by the HTTPS Inspector application. It was also used to sign the default server certificate used<br />
by the server itself. You can use the default CA as is, or you can generate a new CA if you want to<br />
customize the information contained in the root certificate.<br />
<br />
===Generate Certificate Authority===<br />
When you click this button to generate a new CA, you will be presented with a popup form where you can<br />
enter the details to be included in the Subject DN of the new root certificate. Since this operation is creating a root certificate and not a<br />
server certificate, the CN field can contain almost anything you like. Once the form is complete and you click<br />
the Generate button, the new CA will be created and the Certificate Authority information fields will be<br />
updated to display the contents of the new certificate.<br />
<br />
===Download Root Certificate===<br />
Click this button to download the root_authority.crt certificate file of the Certificate Authority on<br />
the Untangle server. If you are using HTTPS Inspector, or if you have configured your Untangle server<br />
to use a server certificate signed by the internal Certificate Authority, you will need to download<br />
and install this certificate on all client computers and devices to eliminate certificate warning messages<br />
when browsing or accessing secure content.<br />
<br />
===Download Root Certificate Installer===<br />
This button downloads a Windows installer that will automatically deploy the root certificate to Windows devices. This will allow for more efficient deployment of the root certificate above. Once installed, this will eliminate certificate warning messages when browsing or accessing secure content, or when using the HTTPS captive portal.<br />
<br />
==Server Certificate==<br />
The Server Certificate is used to secure all HTTPS connections with the Untangle server. This mainly<br />
applies to the Administrative Console and the Email Quarantine pages.<br />
<br />
During the initial server installation, a default certificate is created and signed using the<br />
default Certificate Authority that was also created during installation. You can use the default<br />
root certificate as is, or you can generate a new server certificate if you want to customize the<br />
information contained in the server certificate.<br />
<br />
===Generate Server Certificate===<br />
When you click this button to generate a new server certificate, you will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the server certificate. All fields<br />
are optional except for the Common Name (CN) field, which should contain the hostname that will be used<br />
to access the server.<br />
<br />
<b>Example:</b> hostname.domain.com<br />
<br />
Once the form is complete and you click the Generate button, the new server certificate will be<br />
created and the Untangle server will start using it immediately. The Server Certificate information<br />
fields will also be updated to display the contents of the new certificate.<br />
<br />
==Third Party Certificate==<br />
Instead of using a certificate signed by the local CA, you may prefer to have the Untangle server<br />
use a certificate signed by a well-known CA such as VeriSign or Thawte. The advantage of using this type<br />
of certificate is that client computers and devices will need no additional configuration, since most browsers<br />
are already configured to trust certificates issued by these authorities.<br />
<br />
===Upload Server Certificate===<br />
Click the ''Upload Server Certificate'' button to upload an official signed certificate provided by a CA, or a certificate that you generated yourself.<br />
<br />
Certificates from CAs are provided in many different formats. The ''Import a certificate or key file'' button can be used to upload the certificates and keys. First, press ''Import a certificate or key file'' and select the certificate. Second, press ''Import a certificate or key file'' again and select the private key file. Repeat this process for any additional separate intermediate certificates (not commonly required). When finished, the "Server Certificate" field should contain the server cert, and the "Certificate Key" field should contain the private key. Additionally, the "Optional Intermediate Certificates" field may be populated if the CA provided an intermediate certificate. At this point, click ''Upload Certificate'' to upload the certificate. Don't forget to adjust how the new certificate will be used (HTTPS, IPSEC, etc.) in the ''Server Certificates'' table!<br />
<br />
Alternatively, instead of importing files you can copy & paste the certificate, key, and intermediate certificates provided by the CA into the fields.<br />
<br />
<br />
===Create Signature Signing Request===<br />
Click the ''Create Signature Signing Request'' button to generate a certificate signing request (CSR). You will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the CSR. Once the form is complete and<br />
you click Generate, a server_certificate.csr file will be downloaded to your computer. The certificate<br />
authority you choose will require this file, and possibly additional information to verify that you are<br />
the "owner" of the website for which you are requesting the certificate. When they receive all the<br />
required information, and any associated fee, they will issue you a new certificate file which you<br />
can upload to the Untangle server.<br />
<br />
===Import Signing Request Certificate===<br />
When you receive your signed certificate, click the ''Import Signing Server Certificate'' button to upload the certificate to the Untangle server. Certificates are provided in many different formats. <br />
<br />
You can select ''Import a certificate file'' to upload a certificate file provided by the signer. This will parse the file and put the result in the displayed ''Server Certificate'' field and any other optional "Intermediate Certificates" in the ''Optional Intermediate Certificates'' field. To finish the upload, click the ''Upload Certificate'' button.<br />
<br />
Alternatively, you can copy and paste the certificate (text) provided by the signer into the fields and click ''Upload Certificate''.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=Certificates&diff=24873Certificates2018-11-09T01:23:24Z<p>Dmorris: /* Import Signed Server Certificate */</p>
<hr />
<div><span style="display:none" class="helpSource administration_certificates">Certificates</span><br />
<br />
= Certificates =<br />
<br />
{{TriScreenshot|config|administration|certificates}}<br />
<br />
==About Digital Certificates==<br />
<br />
The Untangle Server uses<br />
[http://en.wikipedia.org/wiki/Digital_Certificate digital certificates]<br />
when serving web content via<br />
[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL].<br />
The server certificate is mainly used to provide secure access to the Administrative Console, as well as<br />
the Email Quarantine features. The server also needs to generate imitation certificates on the fly when<br />
using the [[SSL Inspector]] application. There are two different ways to configure the certificate used by<br />
your server, depending on your specific requirements:<br />
<br />
# Create and use a server certificate signed by the internal certificate authority<br />
# Create a Certificate Signing Request [http://en.wikipedia.org/wiki/Certificate_signing_request (CSR)] which you can have signed by a third party certificate authority.<br />
<br />
If you plan on using the HTTPS Inspector application, option #1 is likely a good choice. Since you'll need to<br />
install the root certificate on all client computers and devices to use HTTPS Inspector effectively, it makes<br />
sense to also sign the certificate used by the Untangle server with this same CA.<br />
<br />
If you aren't going to use the HTTPS Inspector, or have some other reason to prefer a third party<br />
certificate, then option #2 may be a better choice. This will allow you to obtain and use a server<br />
certificate signed by a third party authority. The benefit here, assuming you use one of the<br />
standard and well-known providers, is that their root certificate will already be included in<br />
the list of trusted CAs on client computers and devices, so you won't have to distribute and install<br />
a new root certificate.<br />
<br />
==Certificate Authority==<br />
During the initial server installation, a default Certificate Authority<br />
[http://en.wikipedia.org/wiki/Certificate_Authority (CA)]<br />
was created automatically. This CA is used to create and sign imitation certificates that are generated on<br />
the fly by the HTTPS Inspector application. It was also used to sign the default server certificate used<br />
by the server itself. You can use the default CA as is, or you can generate a new CA if you want to<br />
customize the information contained in the root certificate.<br />
<br />
===Generate Certificate Authority===<br />
When you click this button to generate a new CA, you will be presented with a popup form where you can<br />
enter the details to be included in the Subject DN of the new root certificate. Since this operation is creating a root certificate and not a<br />
server certificate, the CN field can contain almost anything you like. Once the form is complete and you click<br />
the Generate button, the new CA will be created and the Certificate Authority information fields will be<br />
updated to display the contents of the new certificate.<br />
<br />
===Download Root Certificate===<br />
Click this button to download the root_authority.crt certificate file of the Certificate Authority on<br />
the Untangle server. If you are using HTTPS Inspector, or if you have configured your Untangle server<br />
to use a server certificate signed by the internal Certificate Authority, you will need to download<br />
and install this certificate on all client computers and devices to eliminate certificate warning messages<br />
when browsing or accessing secure content.<br />
<br />
===Download Root Certificate Installer===<br />
This button downloads a Windows installer that will automatically deploy the root certificate to Windows devices. This will allow for more efficient deployment of the root certificate above. Once installed, this will eliminate certificate warning messages when browsing or accessing secure content, or when using the HTTPS captive portal.<br />
<br />
==Server Certificate==<br />
The Server Certificate is used to secure all HTTPS connections with the Untangle server. This mainly<br />
applies to the Administrative Console and the Email Quarantine pages.<br />
<br />
During the initial server installation, a default certificate is created and signed using the<br />
default Certificate Authority that was also created during installation. You can use the default<br />
root certificate as is, or you can generate a new server certificate if you want to customize the<br />
information contained in the server certificate.<br />
<br />
===Generate Server Certificate===<br />
When you click this button to generate a new server certificate, you will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the server certificate. All fields<br />
are optional except for the Common Name (CN) field, which should contain the hostname that will be used<br />
to access the server.<br />
<br />
<b>Example:</b> hostname.domain.com<br />
<br />
Once the form is complete and you click the Generate button, the new server certificate will be<br />
created and the Untangle server will start using it immediately. The Server Certificate information<br />
fields will also be updated to display the contents of the new certificate.<br />
<br />
==Third Party Certificate==<br />
Instead of using a certificate signed by the local CA, you may prefer to have the Untangle server<br />
use a certificate signed by a well-known CA such as VeriSign or Thawte. The advantage of using this type<br />
of certificate is that client computers and devices will need no additional configuration, since most browsers<br />
are already configured to trust certificates issued by these authorities.<br />
<br />
===Create Signature Signing Request===<br />
When you click this button to generate a certificate signing request (CSR), you will be presented with a popup form<br />
where you can enter the details to be included in the Subject DN of the CSR. Once the form is complete and<br />
you click Generate, a server_certificate.csr file will be downloaded to your computer. The certificate<br />
authority you choose will require this file, and possibly additional information to verify that you are<br />
the "owner" of the website for which you are requesting the certificate. When they receive all the<br />
required information, and any associated fee, they will issue you a new certificate file which you<br />
can upload to the Untangle server.<br />
<br />
===Import Signing Request Certificate===<br />
When you receive your signed certificate, click the ''Import Signing Server Certificate'' button to upload the certificate to the Untangle server. Certificates are provided in many different formats. <br />
<br />
You can select ''Import a certificate file'' to upload a certificate file provided by the signer. This will parse the file and put the result in the displayed ''Server Certificate'' field and any other optional "Intermediate Certificates" in the ''Optional Intermediate Certificates'' field. To finish the upload, click the ''Upload Certificate'' button.<br />
<br />
Alternatively, you can copy and paste the certificate (text) provided by the signer into the fields and click ''Upload Certificate''.</div>Dmorrishttps://wiki.edge.arista.com/index.php?title=NG_Firewall_Performance_Guide&diff=24860NG Firewall Performance Guide2018-10-16T17:27:40Z<p>Dmorris: /* Performance Numbers */</p>
<hr />
<div>= Untangle Performance Tuning =<br />
<br />
This guide describes what factors determine the performance of your Untangle server and configuration and how you can tune your Untangle for optimal performance.<br />
<br />
Usually on modern hardware "tuning" really isn't necessary for the huge majority of sites. However, if you are running on a tiny server or running a large site with thousands of users doing more than 100Mbit 24/7, then this guide may help you tune your Untangle to get the best performance out of it.<br />
<br />
== Performance Factors ==<br />
<br />
There are several main components that determine the performance of your Untangle setup.<br />
<br />
* Server Hardware<br />
* Configuration<br />
* Traffic Profile<br />
<br />
Of course, all three of these are closely interrelated. Let's analyze each one so that you can find a working configuration.<br />
<br />
=== Hardware ===<br />
<br />
If you are choosing what hardware to run or evaluating hardware, this section can help make sure you have the optimal setup. If you already have hardware it still may be useful to understand in case you need to add more memory or just monitor resource consumption.<br />
<br />
Server performance is extremely complex and there are many different kinds of resources. The most important resources that can be limiting factors are memory, CPU, and disk I/O (input/output).<br />
<br />
When people think of server performance they usually think of CPU speed. While CPU clock speed and processing power are important, they are the least important resource of these three for Untangle’s work load. More cores and faster cores help, but you can actually run a large site on a fairly underpowered CPU if you have plenty of memory and disk I/O.<br />
<br />
Memory is extremely important up to a point. You need enough memory to store Untangle’s working set with some left over to serve as disk cache. If you have a major shortage of memory, you’ll see consistent swapping, performance will be sluggish, and large pauses will occur. Once you have enough memory, you may want to add more for better disk cache, but you won’t see massive gains from doubling memory if you already have enough.<br />
<br />
For large sites an important resource for Untangle is disk speed or disk I/O throughput. Unfortunately, when evaluating servers it is often overlooked and the hardest to quantify. Unlike a typical firewall which has flat log files, Reports runs a database and each application logs information to the database through the reporting system. For large sites this can be many millions of events every hour. Systems experiencing disk I/O saturation can experience long pauses and major sluggishness.<br />
<br />
Generally, I would just plan on having plenty of all three types of resources for your setup with some overhead available, just in case. It is absolutely essential to have at least enough memory and disk I/O. You can have a 16-core machine with 16 gigs of RAM, but if your disk is slow, that will ultimately be your limiting factor.<br />
<br />
NICs (network cards) also matter. It's hard to quantify which network cards are good. Generally speaking, Intel NICs are the best supported, as they are common and the drivers are current and very good.<br />
<br />
Virtualization can be a source of additional performance woes. The same principles apply. If Untangle is given sufficient (virtual) resources it will run great. However, if other VMs running on the same virtualization platform manage to saturate the disk I/O, Untangle performance will suffer.<br />
<br />
=== Configuration ===<br />
<br />
Configuration obviously has a huge effect on the performance of your setup. Which apps are installed and their configuration have a huge impact on the amount of work the Untangle system has to do to process the network traffic.<br />
<br />
Many new users expect Untangle performance to be comparable to other software firewall solutions available with similar hardware requirements. This is usually true if you install just the Firewall application and maybe some lighter apps. Untangle will have slightly higher latency than your typical layer-3 firewall at these tasks because Untangle (by default) processes all sessions at layer 7, which means it reconstructs the stream for processing before deconstructing it again on the other side. <br />
<br />
Where Untangle starts to diverge from traditional router software is when you start installing the apps, which can have a huge impact on the resource requirements. For example, Virus Blocker Lite requires a large amount of memory all by itself because it uses ClamAV, which uses a lot of memory. Web Filter requires much less, since it does its categorization through a cloud service with a local cache. Reports, on the other hand, requires almost no additional memory, but requires a large amount of disk I/O to process and store events. The following chart provides a high-level guide to which resources and how much of each resource each app requires.<br />
<br />
{| border="1" cellpadding="2"<br />
|+<br />
! Component/App !! Memory !! CPU !! Disk I/O <br />
|-<br />
|Platform <br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FFBC00">medium</span> <br />
|<span style="color:#FFBC00">medium</span><br />
|-<br />
|Web Filter <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Web Monitor <br />
|<span style="color:#00CC00">low</span> <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Virus Blocker <br />
|<span style="color:#FFBC00">medium</span> <br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FFBC00">medium</span><br />
|-<br />
|Virus Blocker Lite <br />
|<span style="color:#FF0000">very high</span> <br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FFBC00">medium</span><br />
|-<br />
|Spam Blocker <br />
|<span style="color:#FF0000">high</span><br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FFBC00">medium</span><br />
|-<br />
|Spam Blocker Lite <br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FFBC00">medium</span><br />
|-<br />
|Phish Blocker <br />
|<span style="color:#FF0000">very high</span><br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FFBC00">medium</span><br />
|-<br />
|Web Cache <br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#FF0000">high</span><br />
|-<br />
|Bandwidth Control <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|SSL Inspector <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Application Control <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Application Control Lite <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Firewall <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Ad Blocker <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Reports <br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#FF0000">high</span><br />
|-<br />
|Policy Manager <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Directory Connector <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|WAN Failover <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|WAN Balancer<br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Captive Portal <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|IPsec VPN <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|OpenVPN <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Intrusion Prevention <br />
|<span style="color:#FF0000">very high</span> <br />
|<span style="color:#FFBC00">medium</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Configuration Backup <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Branding Manager <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|-<br />
|Live Support <br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|<span style="color:#00CC00">low</span><br />
|}<br />
<br />
Note: these are just estimates. The configuration of the app itself can matter a great deal. Virus Blocker can require very little, but if configured to scan every .png downloaded over HTTP, it will be significantly more costly. Intrusion Prevention memory usage is directly related to its configuration. If configured with a huge ruleset it will use a huge amount of memory.<br />
<br />
As mentioned earlier, none of the apps require an intense amount of CPU power; therefore, it is less important. Disk I/O and memory are very important. If you are short on Disk I/O, try disabling Reports, which will lessen the disk I/O requirements a significant amount. Likewise, if you are short on memory, try removing Intrusion Prevention or Spam Blocker and possibly Virus Blocker Lite and Phish Blocker.<br />
<br />
The other important aspect of configuration is bypass rules. By default, Untangle processes all ports of TCP and UDP at layer 7. For many sites, this is overkill, and significant gains can be had by just adjusting the bypass rules to bypass traffic that doesn’t require scanning. <br />
<br />
=== Network ===<br />
<br />
The type and amount of traffic on your network plays an important part in your Untangle performance. Unfortunately, it isn’t always a variable you can tune as the traffic on your network is the traffic on your network. <br />
<br />
However, at some sites it is appropriate to restrict certain behavior that is not considered an appropriate use of network resources. Often schools may block or shape bittorrent, or use quotas to enforce reasonable bandwidth usage, or outright block content from inappropriate sites. <br />
Other tips below suggest ways to tune your configuration to optimize it for your network traffic profile.<br />
<br />
=== Summary ===<br />
<br />
Hopefully this article helps illuminate some of Untangle’s inner workings and its performance characteristics. Users often ask “How big of a server do I need on a site with X thousand users?” or “Is this server big enough for this site?” Unfortunately these questions are impossible to answer as the difference from one site to the next site and one configuration to the next configuration can be drastic.<br />
<br />
As general guidance, a server with good hardware, several cores, a few gigs of memory, and a good disk setup can handle huge sites if configured correctly. If you aren’t sure how to configure it correctly, call Untangle support. If you aren’t sure what server to get, remember disk I/O is what matters. If you just want one that will ''just work'', check out our appliances as we have tested those extensively.<br />
<br />
== Checking your Performance ==<br />
<br />
How can you tell if the Untangle server is running optimally?<br />
<br />
The most important thing is to check how the network is running. Is the network fast? Are web pages loading quickly? There should be absolutely zero noticeable delay in internet traffic. There should be no noticeable latency nor throughput degradation.<br />
<br />
''Note:'' If you run a download test and are getting less throughput than you expect, this is rarely related to server CPU/RAM/Disk. Usually this is related to configuration like [[QoS]] settings, NIC issues, Duplex issues, MTU issues, or something else.<br />
<br />
In addition to checking real-world network traffic performance you likely want to look and see how stressed the Untangle server is in [[Reports]] > [[Server]] while handling the network traffic.<br />
<br />
If you look at the ''CPU Load'' graph and see any large spikes where the load is higher than the number of CPU cores of the server, this is suspect. If it's a very large number (30+), then you probably have an issue. When these spikes occur, traffic will be very sluggish, and it's likely due to a disk I/O shortage or a memory shortage (or a memory shortage that causes swapping, which causes a disk I/O shortage).<br />
<br />
If you look at ''Memory Usage'' and you see it hitting 85% plus frequently, you may want to consider more RAM. However, it's not necessarily an issue if Swap is not being used excessively. If you look at the ''Swap Usage'' and see it using a significant portion of swap and wild swings, it is probably an indication that your working memory set is larger than the amount of memory in the server. This is bad.<br />
<br />
This server has less memory than it probably should. It works but is not performing optimally for its configuration.<br />
<br />
{| border="1" cellpadding="2"<br />
|-<br />
| [[Image:Memory_Usage_Marginal.png|350px|left|Non-ideal memory usage]]<br />
| [[Image:Swap_Usage_Marginal.png|350px|right|Non-ideal swap usage]]<br />
|-<br />
| Memory usage frequently bumps up near 90% with wild swings. This server is running all apps on only 768 megs of RAM.<br />
| Swap usage has a significant portion of swap with big swings. <br />
|}<br />
<br />
The below server has way more memory than is necessary for its configuration and network load.<br />
<br />
{| border="1" cellpadding="2"<br />
|-<br />
| [[Image:Memory_Usage_Plenty.png|350px|left|ideal memory usage]]<br />
| [[Image:Swap_Usage_Plenty.png|350px|right|ideal swap usage]]<br />
|-<br />
| This server has WAY more memory than it needs, as it's only using <15%. Leftover memory will be used as disk cache so it won't completely go to waste.<br />
| Swap is untouched. In some cases there will be plenty of memory available but swap will still be used to store memory that is not referenced often. <br />
|} <br />
<br />
The key when looking at server performance is to see if it is within the 'normal' operating zone all the time. If there are spikes, or times when it's running very low on memory or doing large amounts of swapping, performance may suffer during these times.<br />
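<br />
The checks described above can also be applied to a single sample of /proc/loadavg and /proc/meminfo on a Linux host. This is an added example, not Untangle's code and not how Reports computes its graphs; the function names, the use of MemAvailable for memory usage, and the 25% swap cut-off are assumptions, and the sample values are constructed.<br />

```python
# Thresholds from this page; SWAP_SIGNIFICANT_PCT is an assumed cut-off,
# because the page only says "a significant portion" of swap.
LOAD_SEVERE, MEM_HIGH_PCT, SWAP_SIGNIFICANT_PCT = 30.0, 85.0, 25.0

def parse_meminfo(text):
    """Return {field: kB} parsed from /proc/meminfo-style text."""
    fields = {}
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        parts = rest.split()
        if parts and parts[0].isdigit():
            fields[name.strip()] = int(parts[0])
    return fields

def assess(loadavg_text, meminfo_text, cores):
    """Check one sample against the page's rules; returns (metrics, findings)."""
    load1 = float(loadavg_text.split()[0])
    mem = parse_meminfo(meminfo_text)
    total = mem["MemTotal"]
    # MemAvailable already excludes reclaimable disk cache; older kernels lack it.
    avail = mem.get("MemAvailable", mem.get("MemFree", 0) + mem.get("Cached", 0))
    mem_pct = 100.0 * (total - avail) / total
    swap_total = mem.get("SwapTotal", 0)
    swap_used = swap_total - mem.get("SwapFree", 0)
    swap_pct = 100.0 * swap_used / swap_total if swap_total else 0.0
    findings = []
    if load1 > cores:
        findings.append("load-severe" if load1 >= LOAD_SEVERE else "load-above-cores")
    swapping = swap_pct >= SWAP_SIGNIFICANT_PCT
    if swapping:
        findings.append("swap-significant")
    if mem_pct >= MEM_HIGH_PCT:
        # High memory alone is not necessarily an issue unless swap is in use.
        findings.append("memory-high-with-swap" if swapping else "memory-high-no-swap")
    metrics = {"load1": load1, "mem_pct": round(mem_pct, 1), "swap_pct": round(swap_pct, 1)}
    return metrics, findings

# Constructed sample: a 2-core server with 768 MB of RAM and half its swap in use.
SAMPLE_LOADAVG = "3.40 2.10 1.50 2/345 12345"
SAMPLE_MEMINFO = """MemTotal:         786432 kB
MemAvailable:      78643 kB
SwapTotal:        524288 kB
SwapFree:         262144 kB
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LOADAVG, SAMPLE_MEMINFO, cores=2))
```

A single sample only shows the current state; the spikes and swings described above only show up when the check is repeated over time.<br />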
<br />
Below are some techniques available to tune the performance of your server.<br />
<br />
== Tuning Tips ==<br />
<br />
Here are some common tests and changes you can do to analyze and optimize your performance.<br />
<br />
=== Disable logging of bypassed traffic ===<br />
<br />
Do you care about logging/reporting of traffic that is bypassed (not scanned by the apps)? <br />
<br />
This includes:<br />
* Traffic that is explicitly bypassed with bypass rules (that would have otherwise been scanned)<br />
* Traffic from the Untangle server itself (DNS lookups, cloud lookups, signature updates, etc)<br />
* Traffic to the Untangle server itself (DNS lookups, Administration, etc)<br />
<br />
Most users do not need this information.<br />
The best performance can be had by unchecking the following in [[Config]] > [[Network]] > [[Advanced]] > [[Options]]:<br />
* ''Log bypassed sessions''<br />
* ''Log outbound local sessions''<br />
* ''Log inbound local sessions''<br />
* ''Log blocked sessions''<br />
<br />
With this configuration only scanned traffic is logged. This is fine in most cases, except where you need to be able to audit all network traffic that has occurred or all traffic needs to be logged for bandwidth accounting.<br />
<br />
=== Bypass unimportant traffic ===<br />
<br />
Look in [[Reports]] > [[Network]] > Top Ports by Session and [[Reports]] > [[Network]] > Top Ports by Bytes. Do you see any uncommon ports that comprise a significant amount of your traffic? If so, consider bypassing them.<br />
<br />
For example, sometimes we’ll look at a site and see millions of sessions to port 514. It's doubtful that a site like this really needs to spend the server resources on scanning its internal syslog traffic (port 514). This traffic can safely be bypassed.<br />
<br />
A more normal traffic profile will show the more common ports (80 for HTTP, 443 for HTTPS, 53 for DNS, etc.) as the top ports.<br />
<br />
{| border="0" cellpadding="2"<br />
|-<br />
| [[Image:Top_Server_Ports_514_Example.png|350px|left|A suspect traffic profile]]<br />
| [[Image:Top_Server_Ports_Normal_Example.png|350px|right|A more normal traffic profile]]<br />
|-<br />
| A suspect traffic profile<br />
| A normal traffic profile<br />
|} <br />
<br />
If you see something non-standard as the top port, you may want to investigate what it is and consider bypassing it.<br />
<br />
=== Bypass DNS ===<br />
<br />
If Untangle itself is the DNS server, then DNS is automatically bypassed. However, if DNS is going ''through'' Untangle, it is scanned/categorized/scrubbed just like normal traffic.<br />
<br />
In some cases this is desirable if you want to use Captive Portal, or Firewall and/or policies to control internet access. However, in some cases users may not care about DNS, or it can be managed solely with filter rules (at layer 3) even when bypassed, which is much faster. In these cases you can bypass all UDP port 53 and save a lot of server processing power.<br />
<br />
=== Bypass UDP ===<br />
<br />
Similarly to bypassing DNS, depending on the use case many sites can actually bypass all UDP.<br />
If you are trying to control applications, shape bandwidth, or run captive portal, this won't work because a significant amount of internet traffic is UDP based. However, if the goal is simply to filter web traffic, then scanning UDP is not necessary and bypassing it can save a lot of server processing power.<br />
<br />
=== Shape bandwidth ===<br />
<br />
Do you have bandwidth hogs or certain applications that are hogging network resources?<br />
A quick look at [[Reports]] > [[Bandwidth Control]] > Top Clients (by total bytes) will show if you have any clients on the network that are significantly different than other clients.<br />
[[Reports]] > [[Bandwidth Control]] > Top Application (by total bytes) will show if you have any applications on the network that are using more resources than they should.<br />
<br />
In some cases, you can actually change the network profile. For example, schools often struggle with P2P and bittorrent saturating the bandwidth and causing performance bottlenecks at the WAN. Application Control and Bandwidth Control can provide essential tools for blocking or slowing unimportant traffic to limit both the bandwidth requirements and server resource requirements.<br />
<br />
Quotas in [[Bandwidth Control]] can provide a useful low-maintenance tool to automatically slow clients when they are using more data than you think is reasonable.<br />
<br />
=== Remove unnecessary apps ===<br />
<br />
Performance tuning may require being pragmatic about which applications you install and run. Untangle makes it VERY easy to install and enable apps, but that doesn't mean it's always a good idea.<br />
<br />
[[Web Cache]] requires lots of server resources and likely provides very little value. Often this results in a net-negative ROI. It is suggested not to run it except in very special circumstances.<br />
<br />
[[Intrusion Prevention]] requires a lot of memory and CPU resources but provides little measurable security benefit. If you are low on memory, then it's certainly better to leave this disabled. The more rules you have enabled, the more memory is required.<br />
<br />
=== Tune SSL Inspector ===<br />
<br />
SSL Inspector, if enabled, can consume a lot of CPU processing power to handle all of the certificate generation, decryption and re-encryption.<br />
<br />
If running SSL Inspector, it is worth looking very carefully at the "Top Inspected Sites" to verify that CPU is being invested into traffic that you actually want inspected. If running inspection on most or all of HTTPS traffic, a good deal of extra processing power is useful.<br />
<br />
=== Look for misbehaving hosts ===<br />
<br />
Misbehaving hosts can often suck network and server resources by flooding the network, sending spam, scanning the internet for vulnerable hosts, and other crazy activities. It's not always an infected host - in some cases applications that are explicitly blocked retry the connection with no delay, and this can lead to accidental floods of connections.<br />
<br />
Check the reports to look for suspicious activity. [[Reports]] > [[Shield]] > Top Blocked Clients might reveal if there are any hosts that may be behaving suspiciously. It's normal to see some blocked clients; however, if you see millions of sessions being blocked, that host may be doing something suspect and it warrants investigation.<br />
<br />
[[Image:Top_Blocked_Clients_Suspect_Example.png|350px|center|A suspect profile]]<br />
<br />
Finding and investigating these hosts and their activity can help you keep your network and configuration of Untangle in the optimal state.<br />
<br />
=== Check your settings ===<br />
<br />
Some settings are very expensive. <br />
<br />
* Did you enable syslog reporting in Reports? Syslog reporting of '''every single event''' is expensive. If you are not doing anything with that information, disable it.<br />
<br />
* Is Virus Blocker or Virus Blocker Lite scanning a huge number of files? Sometimes web apps download thousands of files as part of regular usage. (Office can download hundreds of .cab files from office.net.) You can disable scanning of that file type or add a common site to the pass list to skip scanning those files.<br />
<br />
<br />
== Performance Numbers ==<br />
<br />
Users often request performance metrics be published by vendors. Untangle doesn’t do this. Here's why:<br />
<br />
Traditionally, network devices quantify network performance in throughput. Untangle doesn’t publish throughput numbers because it is obviously hardware-dependent, but, more importantly, because it’s just irrelevant. Modern bare minimum hardware doesn’t have a tough time supporting 1Gbit, which is usually more than most users running minimal hardware have at the gateway. It doesn’t require a lot of hardware to support gigabit or 10 gigabit or more levels of throughput.<br />
<br />
What matters a great deal is the type of traffic. For example, 100Mbit of continuous tiny HTTP fetches and tiny HTTP downloads requires significantly more work to process than one big HTTP download taking 100Mbit which takes almost no resources. However, at the packet level, both are just 100Mbit/sec of packets.<br />
<br />
Another common metric is maximum number of sessions. Untangle does not publish these numbers because they are similarly misleading. Vendors publish these numbers for their servers when they are “optimally” configured, which is a code word for configured for maximal performance and minimum utility. Publishing the performance of Untangle with traffic bypassed and no apps installed is not useful because no one runs it like that since it provides no utility in that configuration.<br />
<br />
We did some internal testing of common appliances currently available. None of them even supported 10% of the advertised maximum number of sessions with a “reasonable” configuration. <br />
<br />
After reading this, if you’re still worried about the typical performance metrics, then rest assured that it's fairly easy to configure your Untangle server to support 256k concurrent sessions and more than gigabit throughput even on small servers.</div>Dmorris