Commissioning
First steps for commissioning a Black Dwarf (G5)

New article: 06.2022

This article refers to a Beta version

Preparation

Careful preparation of even simple steps is a prerequisite for a successful installation.

Have login information ready

  • When operating on a modem or fiber optic connection:
    • Have the login information of the Internet service provider (ISP) ready
      • Who has the current login information of the ISP?
      • Is the login information available at the installation site?
      • Is the login information available at the time of installation?
      • If applicable: is the person who has the login information available at the time of installation?
  • When operating with a router:
    • What is the IP address of the router?
    • Can the UTM get a fixed IP?
    • For new installations, DHCP is activated on the external interface
  • Local network:
    • What is the network IP of the local network(s)?
    • Which IP addresses should the interfaces of the UTM receive in these networks?
      As a rule, this should always be a fixed IP address!

Prepare firmware update

Why should a firmware update be done?
  • If an existing configuration file is to be used, the installed firmware version must be identical or newer.
  • The latest features and patches are available immediately.
    Several firmware versions may have been released between manufacturing and delivery.
  • Damage due to manipulation of the firmware in transit (unlikely, but not impossible) can thus be excluded.
  • A USB stick with the UTM image is required.
    The Securepoint Imaging Tool can be used for this (Resellerportal → Menu Downloads → Tools).
  • Connect keyboard and monitor
  • For the monitor connection type, see the table below the figure


  • v12 is mandatory, as some of the hardware installed in the G5 units is not supported by v11
  • When installing/updating via USB stick, first use the image UTM v12.x - Interactive installation (UTM Software v12 - USB-Image),
    not Autoinstall or Autoupdate
    • The prepared USB stick must be connected to the UTM
    • Switch on the UTM
    • Under Save & Exit, execute Restore Defaults
      The USB stick should then be listed at the top of the boot menu of the device, preceded by the tag UEFI
    • Under Save & Exit, execute Save Changes and Reset
    • Perform the installation/update


    Installing the firmware

    The firmware is installed in just a few steps. The preselection options only need to be confirmed.


    • Display and confirmation of the license conditions
    • Decision as to whether an upgrade should be carried out
      Default: Upgrade
    • Selection of the hard disk on which the firmware is to be installed
    • Starting the installation
    • Request to remove the USB stick
    • Reboot
    • Display of the login console
    Figure: Black Dwarf (G5) connections

    Connector   Type   Use
    A0          RJ45   external
    A1          RJ45   internal
    HDMI               monitor
    USB                keyboard, USB stick with the image
    Integration into the local network

    Adjust IP addresses of the UTM via CLI

    If administration via the CLI poses no problem, the IP addresses can be set directly on the UTM via the CLI.
    In this case, the monitor and keyboard remain directly connected to the UTM.
    The login is done on the console.


    To administer the UTM, the admin interface is reached via the IP address of the UTM and the port of the admin interface, through the interface LAN2.
    In the factory settings, the UTM can be reached via https://192.168.175.1:11115.
    If this IP or the interface cannot be reached from the local network, the network configuration must be changed.

    1. Connect keyboard and monitor directly to the UTM
    2. Log in to the UTM: Username admin / Password: insecure
    3. The Command Line Interface appears.
    4. Change the network configuration:
      1. Determine the existing interfaces: interface get
      2. Determine the IDs of the IP addresses: interface address get
        LAN2 corresponds to the internal interface through which the admin interface can be reached.
        The ID is needed for changing the IP address in the next step.
      3. Change the interface IP: interface address set id 1 address 192.168.12.1/24
        (desired IP of the internal network with subnet mask), then apply with
        system update interface
      4. Activate an interface: interface address new device LAN1 address 192.168.x.y/24 (or device A0)
        system update interface
    5. Set up administration access:
      In the factory settings, access to the admin interface of the UTM is only possible via the internal interface LAN2. If the admin interface is to be accessible via another interface, the IP of the host (or a network IP with subnet mask) must be released:
      manager new hostlist 192.168.168.0/24
      system update rule
      Here: all hosts in the network 192.168.168.0 (no matter at which interface) can access the admin interface.
      Attention: if, for example, the IP 192.168.175.1 is on LAN1 or A0 and the admin interface is to be called from a computer in the network on LAN1, the network 192.168.175.x must nevertheless be released explicitly.
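    The access rule from step 5 can be modelled to check, before touching the CLI, whether a given workstation will be able to open the admin interface at all. The Python below is an added example, not code from the wiki or the UTM's own implementation. It assumes only what the text above states: the factory setting allows admin access through LAN2, further hosts or networks are released with manager new hostlist, and a released network applies regardless of the interface it arrives on. The interface names, addresses and the sample scenarios are constructed.

```python
import ipaddress

ADMIN_PORT = 11115             # port of the admin interface (from the wiki)
FACTORY_ADMIN_IFACE = "LAN2"   # factory default: admin access only via the internal interface LAN2


def released_networks(hostlist):
    """Turn 'manager new hostlist' entries (single IPs or CIDR networks) into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in hostlist]


def admin_access_allowed(src_ip, ingress_iface, hostlist):
    """Model of the rule: LAN2 is always allowed; any other interface needs a matching hostlist entry."""
    if ingress_iface == FACTORY_ADMIN_IFACE:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in released_networks(hostlist))


def same_subnet(host_cidr, utm_cidr):
    """True if the workstation and the UTM interface address lie in the same IP network."""
    return (ipaddress.ip_interface(host_cidr).network
            == ipaddress.ip_interface(utm_cidr).network)


def admin_url(utm_ip):
    """URL of the admin interface for the given UTM address."""
    return f"https://{utm_ip}:{ADMIN_PORT}"


def preflight(workstation_cidr, utm_cidr, ingress_iface, hostlist):
    """Combine both checks; returns the reasons why access would fail (empty list = OK)."""
    problems = []
    if not same_subnet(workstation_cidr, utm_cidr):
        problems.append("workstation is not in the network of the UTM interface")
    src_ip = str(ipaddress.ip_interface(workstation_cidr).ip)
    if not admin_access_allowed(src_ip, ingress_iface, hostlist):
        problems.append(f"{src_ip} via {ingress_iface} is not released for the admin interface")
    return problems


if __name__ == "__main__":
    # Constructed scenario from the 'Attention' note: the admin workstation sits on LAN1
    utm = "192.168.175.1/24"
    print(admin_url("192.168.175.1"))
    print(preflight("192.168.175.20/24", utm, "LAN1", ["192.168.168.0/24"]))                      # not released
    print(preflight("192.168.175.20/24", utm, "LAN1", ["192.168.168.0/24", "192.168.175.0/24"]))  # released
```

    Running the script reproduces the caveat: the first preflight fails although 192.168.168.0/24 is released, and only adding 192.168.175.0/24 to the hostlist clears it.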
    Adjust the IP address of your own computer

    The IP address of your own computer is temporarily adapted to the default network of the internal interface of the UTM.
    Then connect your own computer to interface A1 (the internal interface) of the UTM.
    The correct interface can be seen in the figure and table above.

    This is how it works

    Change IP address on Windows
    • Display the network connections:
      Windows key + R → ncpa.cpl
    • Show the status of the Ethernet connection with a double click
    • Show the properties of the interface
    • Show the properties of the TCP/IPv4 connection
    • Set the IP address:
      • IP address: 192.168.175.2
      • Subnet mask: 255.255.255.0
      • Default gateway: 192.168.175.1 (= default address of the internal interface of the UTM)

    Figures 1 to 3 (screenshots)
    Display of the network interface:
    • Access via the desktop:
      • Click on the network icon in the taskbar next to the clock
      • Click on Network and Internet settings
      • Click on Change adapter options
    • Access by command:
      • Windows key + R → ncpa.cpl
    • Double-click on the interface used to display the status of the Ethernet connection
    • In the status window, click on the button Properties
    • Select the entry Internet Protocol, Version 4 (TCP/IPv4) in the properties
    • Click the Properties button
    • Select the entry Use the following IP address:
    • Set the IP address:
      • IP address: 192.168.175.2
      • Subnet mask: 255.255.255.0
      • Default gateway: 192.168.175.1 (= default address of the internal interface of the UTM)
    Change IP address on Linux

    Please refer to the corresponding documentation of the distribution used.
    Example for Ubuntu:

    • Open the terminal
    • Identify the name of the interface: ip a
    • Change the IP address (in the example, enp0s3 is the interface used): sudo ip address add 192.168.175.2/24 dev enp0s3

    Change IP address on a Mac

    • Menu System settings / Network
    • Configure IPv4: select Manually in the dropdown menu
    • IP address: 192.168.175.2
    • Subnet mask: 255.255.255.0
    • Router: 192.168.175.1 (= default address of the internal interface of the UTM)
    • Button Apply

    After finishing the installation wizard and rebooting, the UTM is located in another network.
    For further configuration, the IP address of your own computer must then be changed again.

    Setting the original IP address:

    • Fixed IP Addresses: Enter as described above
    • Enable DHCP:
      • Windows: Properties of Internet Protocol Version 4 (TCP/IPv4) → select Obtain an IP address automatically
      • Linux: Example for Ubuntu: sudo ip address del 192.168.175.2/24 dev enp0s3
        sudo dhclient enp0s3

        If necessary, refer to the documentation of the distribution used.
      • MAC: coming soon...

    First access

    If not already done, the following connections must be made now physically:

    • Connect interface for the external interface (A0) towards the Internet (modem, router, etc.).
    • Connect the internal interface (A1)
      • with your own computer, if the IP address has been adjusted on it.
      • to the network from which the UTM is to be administered, if the IP address of the UTM has been adjusted.

  • The admin interface is available on port 11115. Access:
    https://192.168.175.1:11115 (default) or
    https://172.16.0.1:11115, if the IP address of the UTM was changed to 172.16.0.1
  • When the admin interface is called up for the first time, a certificate warning appears in the browser.
    Since the browser does not know the certificate of the UTM, a security warning is issued.
    This warning must be ignored to continue.
    Message in Firefox: Warning: Potential security risk ahead
    Button Advanced / Accept the risk and continue
    Message in Chrome / Chromium: This is not a secure connection. At the end, click on Continue to <IP address> (unsafe).
    Message in Edge: Your connection isn't private. At the end, click on Continue to <IP address> (unsafe).
    Message in Safari:
    Button Show details / link Open this website

    First registration

    UTM login (not yet licensed)
    User: admin. Login with the default login information of the factory settings: admin
    Password: insecure. Login with the default login information of the factory settings: insecure
    Button Login (admin)
    Agree to license agreement and privacy policy
    Accept: The license agreement and privacy policy must be accepted by clicking the button (dialogs Privacy Policy UTM and License agreement UTM, each with the buttons Decline / Accept).
    Basic configurations
    Firewall name: firewall.ttt-point.local. An individual firewall name must be assigned.
  • The name should correspond to an FQDN.
    The fields displayed may vary depending on what information is already available on the UTM.
    License key: Browse... Import a valid license.
  • Each license key may only be used once. The UTM is identified via it, and various services and configurations are assigned via the license key.
    System time: yyyy-mm-dd hh:mm:ss. The system time should be correct. It is compared with other servers, e.g. for user authentication (Kerberos, OTP, etc.). If the deviation is too large, login will not be possible, for example.
    Password / Confirm password: The default password insecure must be changed.
    Passwords must meet the following criteria:
    • at least 8 characters length
    • at least 3 of the following categories:
      • Upper case
      • Lower case
      • Special characters
      • Digits
    New in v14.0.7: a password change is required upon first login.
    Global email address (new as of v12.4.4): admin@ttt-point.de. Required information, e.g. for the mail connector and the proxy. Also serves as the postmaster address for the mail relay.
    Authentication method (new as of v12.5.1): PIN (recommended) or Login mask. Authentication method for web sessions via the USC.
    The web session PIN also secures the use of the following actions within the scope of the USC:
    • Reboot
    • Shutdown
    • Factory settings
    • Importing cloud backups

    If the PIN is not used, these actions cannot be called up from the Unified Security Portal.

    PIN: PIN as additional security for web sessions.
    No number sequences or duplications are allowed.
    Button: creates a secure PIN.
    License agreement: displays the license agreement.
    Privacy policy: displays the privacy policy.
    Log out: logs off again. No settings are saved!
    Complete: completes the login process and opens the Welcome window.
    Welcome
    Basic settings are completed with the welcome dialog.
    Installation wizard: starts the Installation Wizard.
    Start tour: starts a tour that explains the admin interface and menus in 15 steps.

    Configure interfaces

    New as of v12.7.0

    Do you want to configure the interfaces now? Yes / No. This message appears if not all existing interfaces are configured correctly. It is recommended to do this in order to prevent possible problems. The Yes button opens the network configuration directly.
    Do not ask again: Off. If this message is not desired, it can be set here so that it is not displayed again.

    Continue with the button Installation wizard
    → See the wiki article Installation wizard Black Dwarf (G5)


    Setup with the installation wizard


    Setting up a UTM with the installation wizard

    Last adaptation to the version: 14.0.1

    This article refers to a Beta version

    Access: Configuration → Area Installation wizard

    Prefaces

    • Usually, the installation wizard appears during the initial setup of the UTM.
      It checks whether a configuration already exists that is marked as the boot configuration (status icon).
      If this is not the case, the wizard opens automatically.
    • It is not advisable to start the installation wizard later, as other settings made in the meantime may be overwritten.


    Installation wizard

    Step 1 - General

    (screenshot: Installation wizard, Step 1)
    Firewall Name: firewall.ttt-point.local. This determines how the UTM responds to requests.
    For example, if the mail relay is to be used, it may be useful to enter the Fully Qualified Domain Name (FQDN) of the mail exchange (MX) here so that other mail servers can match it via the reverse resolution of the PTR resource record (PTR).
  • This setting is not about the name under which the UTM is listed in an Active Directory domain.
    That setting is made under Authentication → AD/LDAP Authentication → tab Settings, entry Appliance Account.
    Global contact person: Alina Admin. In this field, the name of the administrator or the organization is entered, which is later specified in UTM error messages as the contact for questions.
    Global email address: admin@ttt-point.de. Important system messages are sent to this email address.
    Language of reports: German / English. Language in which the reports and system messages are sent.

    Step 2 - Privacy

    Anonymize all applications: Yes. When activated (default), the appliance's applications are anonymized in accordance with the GDPR.
    Under Authentication → Information privacy, anonymization can also be activated individually for each application.
  • Should be disabled for debugging only.

    Step 3 - Internal

    Without WLAN module (screenshot: Step 3 without WLAN module)
    Internal firewall IP address: 192.168.175.1/24. The IP address of the internal interface (A1) as well as the subnet mask (in CIDR notation) for the internal network.
    Dynamically assign client IP addresses via DHCP: No. When enabled (Yes), the UTM works as a DHCP server: all clients in the internal network receive an IP address via DHCP. This sets the UTM as the default gateway and DNS server for the clients.
    Router Advertisement: Off. If the UTM has received an IPv6 prefix, it can advertise the subnet via router advertisement in the network segment behind the interface (see the article IPv6 Prefix Delegation).
    With WLAN module (screenshot: Step 3 with WLAN module)
    Internal firewall IP address: 192.168.175.1/24. The IP address of the internal interface (A1) as well as the subnet mask (in CIDR notation) for the internal network.
    Dynamically assign client IP addresses via DHCP: No. When enabled (Yes), the UTM works as a DHCP server: all clients in the internal network receive an IP address via DHCP. This sets the UTM as the default gateway and DNS server for the clients.
    Generate WLAN Bridge: No (default). Creates a bridge so that this network and the WLAN are on the same network.
    Generate portfilter rule (shown when Generate WLAN Bridge is enabled): No. When activated, a port filter rule is automatically generated.
    STP (shown when Generate WLAN Bridge is enabled): Off. When activated, STP (Spanning Tree Protocol) is used.
    STP Bridge Priority (shown when Generate WLAN Bridge is enabled): 32768 (default). Sets the priority of the STP bridge.

    Step 4 - Internet

    This is where the Internet connection is configured on the external interface (A0).
    The following variations are available:

    Connection type: PPPoE / VDSL
    With this type, an ADSL or SDSL modem is connected to the external interface (A0). The connection is initiated by the UTM.
  • A router can only be used with this connection type if it can be set to modem mode and it can be guaranteed that the UTM will initiate the connection.
    (screenshot: Step 4 with PPPoE / VDSL)
    Username: (provided by the ISP). The login information is provided by the ISP (Internet Service Provider).
    Password: (provided by the ISP)
    PPPoE for VDSL/fiber optics: Off. Check the box if PPPoE is connected via a VDSL modem or via fibre.
    VLAN ID (shown when PPPoE for VDSL/fiber optics is enabled): 7. The VLAN ID is usually specified by the network operator.
    IPv6 Prefix Delegation: Off. Allows an IPv6 network assigned by the Internet Service Provider to be split into /64 networks and assigned to individual interfaces via Router Advertisement.
    Example:
    Network assigned by ISP:
     2001:0db8:aaaa:bb::/56
    Networks distributed at internal interfaces via router advertisement:
     2001:0db8:aaaa:bb00::/64
     2001:0db8:aaaa:bb01::/64
    The option Use DNS server of the provider has been moved to step 5.

    Connection type: Ethernet with static IP
    With this connection type, a router is connected to the external interface (A0), which itself initiates the connection to the Internet. The login information of the provider is stored in the preceding router and not on the UTM.
  • This connection type cannot be used with a modem or router in modem mode.
    (screenshot: Step 4 with Ethernet with static IP)
    External IP address: 192.168.178.101/24. The IP address of the external interface (A0) and the IP address range for the external network (subnet mask in CIDR notation). The default is an already existing IP address, if applicable.
    The external interface receives an IP address via DHCP by default, provided a DHCP server is available in the external network.
    Default Gateway: 192.168.178.1/---. IP address of the default gateway for the UTM, so that it knows which is the closest router for all networks that are not on an internal interface; as a rule: the Internet.
    IPv6 Prefix Delegation: Off. Allows an IPv6 network assigned by the Internet Service Provider to be split into /64 networks and assigned to individual interfaces via Router Advertisement.
    Example:
    Network assigned by ISP:
     2001:0db8:aaaa:bb::/56
    Networks distributed at internal interfaces via router advertisement:
     2001:0db8:aaaa:bb00::/64
     2001:0db8:aaaa:bb01::/64

    Connection type: Cable modem with DHCP
    E.g.: DSL connection via telephone line with a Fritzbox or Speedport router.
    Originally mostly devices that cable providers provided to their customers.
    With this connection type too, a router is connected to the external interface (A0), which itself initiates the connection to the Internet. The login information of the provider is stored in the preceding router and not on the UTM.
  • This connection type cannot be used with a modem or router in modem mode.
    (screenshot: Step 4 with cable modem with DHCP)
    DHCP Client: IPv4 / IPv6 / IPv4 & IPv6. Selection of the protocol with which the interface receives IP addresses from the preceding router with DHCP server.
    Use the provider's DNS server: Off. When activated, the provider's DNS server is used.
    IPv6 Prefix Delegation: Off. Allows an IPv6 network assigned by the Internet Service Provider to be split into /64 networks and assigned to individual interfaces via Router Advertisement.
    Example:
    Network assigned by ISP:
     2001:0db8:aaaa:bb::/56
    Networks distributed at internal interfaces via router advertisement:
     2001:0db8:aaaa:bb00::/64
     2001:0db8:aaaa:bb01::/64
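    The /56-to-/64 split shown in the Prefix Delegation rows above (the same example accompanies all three connection types) can be reproduced with Python's standard ipaddress module. This is an added example, not code from the wiki or the UTM. It takes the delegated prefix written out in full as 2001:0db8:aaaa:bb00::/56, since the two /64 networks the page lists (bb00 and bb01) are the first two subnets of that prefix; A1 and wlan0 are the internal and WLAN interface names used elsewhere on this page, and the order in which they receive their /64 is an assumption.

```python
import ipaddress

# Constructed input: the delegated prefix from the wiki example, written out in full
DELEGATED_PREFIX = "2001:0db8:aaaa:bb00::/56"
# Interfaces that should each receive one /64 (assumption: internal first, then WLAN)
INTERFACES = ["A1", "wlan0"]


def parse_delegated_prefix(prefix):
    """Parse the prefix the ISP delegated; host bits set by a typo are masked off rather than rejected."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"{prefix} is smaller than a /64 and cannot be split for router advertisement")
    return net


def split_into_64s(prefix):
    """All /64 networks contained in the delegated prefix (256 of them for a /56)."""
    return list(parse_delegated_prefix(prefix).subnets(new_prefix=64))


def assign_prefixes(prefix, interfaces):
    """Map each interface to its /64 and the address the UTM would use on it (::1, assumption)."""
    subnets = split_into_64s(prefix)
    if len(interfaces) > len(subnets):
        raise ValueError("more interfaces than /64 networks available")
    return {iface: {"prefix": str(net), "utm_address": str(net[1])}
            for iface, net in zip(interfaces, subnets)}


if __name__ == "__main__":
    for iface, info in assign_prefixes(DELEGATED_PREFIX, INTERFACES).items():
        print(f"{iface}: advertise {info['prefix']}, UTM address {info['utm_address']}")
```

    Note that parse_delegated_prefix treats the page's shorthand 2001:0db8:aaaa:bb::/56 as 2001:db8:aaaa::/56, because the group bb falls outside the first 56 bits; writing the delegated prefix as bb00:: avoids that ambiguity.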
    Connection type: LTE / others
    LTE connections or other connections are configured after the installation wizard is completed.

    Step 5 - DNS Forwarding

    New step from v14.0.1
    The DNS forwarding of the name server can be configured here. The same options are available as under Applications → Nameserver → Area DNS Forwarding. For more detailed information, see the Nameserver article.

    Add DNS Forwarding (new in the installation wizard from v14.0.1)
    Button DNS / DoT: adds a DNS forwarding.
    It is possible to select classic DNS or DNS over TLS (DoT). Further information is in the article on DNS forwarding in the nameserver.

    (screenshot: Add DNS Forwarding, Step 5)
    Use the provider's DNS server: On. When activated, the provider's DNS server is used.

    Step 6 - DMZ

    The Black Dwarf (G5) only has 2 interfaces.
    A second (wired) internal network is thus not possible.
    The DMZ setup step is therefore skipped.

    DMZ IP address: 192.168.176.1/24. The IP address of the DMZ interface (none on the Black Dwarf G5) and the subnet mask (in CIDR notation) for the DMZ network.
    (screenshot: Step 6 without WLAN)
    Assign the IP addresses to the clients in this network via DHCP: No. When enabled (Yes), the UTM works as a DHCP server: all clients in the DMZ network receive an IP address via DHCP. This sets the UTM as the default gateway and DNS server for the clients.
    Autogenerated rules: No. Port filter rules can be automatically created for this network, allowing traffic to the Internet via the external interface (A0).
    Likewise, rules are created that also allow traffic from the internal network into the DMZ network.
  • These rules allow everything from this network to the Internet and to other internal networks.
    These "any" rules are intended for testing purposes and should be disabled and replaced with well-defined rules in production mode.
  • Router Advertisement: No. If the UTM has received an IPv6 prefix, it can advertise the subnet via router advertisement in the network segment behind the interface (see the article IPv6 Prefix Delegation).
    Generate WLAN Bridge (only if a WLAN module is present): No. Creates a bridge so that this network and the WLAN are on the same network.

    Step 7 - WLAN

    In the delivery configuration, a WLAN module is installed in the Black Dwarf (G5).
    If the module has been removed, this step is skipped.

  • A separate license is required for the permanent use of WLAN (>30 days) for devices up to G3/G4
  • For devices from G5 on, the use of WLAN is already included in the license
    WLAN IP address (not in bridge mode): 192.168.177.1/24. The IP address of the WLAN interface (wlan0) and the subnet mask (in CIDR notation) for the WLAN network.
    In bridge mode, the setting from the internal network in which bridge mode was activated is used here.
    (screenshots: Step 7, WLAN dialog without bridge configuration; Step 7, WLAN dialog when using a bridge)
    Country code: DE. The country code is used to determine which frequencies and which signal strengths may be used.
    The frequencies used and the transmission power can be found in a Wikipedia article.
    SSID: TTT-POINT. The Service Set Identifier (SSID) is the name under which the WLAN network is presented to the clients. This must be entered in any case.
    SSID Broadcast: On. This option defines whether the WLAN network can be seen by every client or whether the transmission of the SSID should be suppressed (Off).
    Security Mode:
    • WPA: considered unsafe and only exists for backwards compatibility (TKIP is used as the encryption method).
    • WPA2: standard with enhanced security; AES128 is used as the encryption method: https://en.wikipedia.org/wiki/WPA2
    • WPA3: standard with the highest available level of security; AES256 and SAE are used as encryption methods: https://en.wikipedia.org/wiki/WPA3
    Pre-Shared Key: Don'tcopythis:Ei)#W~X$… The base station and mobile device must have the same PSK (i.e. password). The security of the encryption depends directly on the length and complexity of the PSK!
  • Short or easily guessed PSKs compromise network security.
  • Button: automatically generates a very strong PSK.
    Assign the IP addresses to the clients in this network via DHCP (not in bridge mode): Off. When enabled, the UTM works as a DHCP server: all clients in the WLAN network receive an IP address via DHCP. This sets the UTM as the default gateway and DNS server for the clients.
    In bridge mode, the setting from the internal network in which bridge mode was activated is used here.
    Router Advertisement: No. If the UTM has received an IPv6 prefix, it can advertise the subnet via router advertisement in the network segment behind the interface (see the article IPv6 Prefix Delegation).
    Generate rules for Internet access (not in bridge mode): Off. Port filter rules can be automatically created for this network, allowing traffic to the Internet via the external interface (A0). Likewise, rules are created that also allow data traffic from the internal network into the WLAN network.
  • These rules allow everything from this network to the Internet and to other internal networks.
    These "any" rules are intended for testing purposes and should be disabled and replaced with well-defined rules in production mode.

  • In bridge mode, the setting from the internal network in which bridge mode was activated is used here.

    Step 8 - Certificate

    Generate CA and server certificate: Yes (default). If Yes is enabled, a CA and server certificate will be generated.
  • The boxes Country, Organization and Department are preset depending on the license entered, but can also be changed here.
    (screenshot: Step 8)
    Key length: 3072. Select the bit length of the key.
    Valid since: 2024/01/01 00:00:00
    Valid until: 2037/12/31 23:59:59
    Country: DE. The detailed information is used to identify who issued the certificate.
    State: Lower Saxony
    Organization: TTT Point
    Department: Support
    Email address: admin@ttt-point.de

    Step 9 - Administrator

    User: admin. The username admin cannot be changed at this point.
    (screenshot: Step 9)
    Password: ••••••••••••••

    Passwords must meet the following criteria:
    • at least 8 characters length
    • at least 3 of the following categories:
      • Upper case
      • Lower case
      • Special characters
      • Digits
    Confirm password: ••••••••••••••
    Done
    • The wizard is being completed
    • A new configuration is created with the name configuration-wizard-date-time
    • This configuration is set as the boot configuration
    • This configuration is set as the current configuration
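    Both password prompts on this page (the first login and Step 9 here) state the same criteria, and the first login additionally rules out number sequences and duplications in the web-session PIN. The Python below is an added example, not code from the Securepoint wiki or the UTM: it checks a candidate value against those rules before it is typed into the wizard and draws a PIN or password from the operating system's random source, in the spirit of the "creates a secure PIN" button. Counting every character that is neither a letter nor a digit as a special character, reading "duplications" as a digit immediately repeated and "number sequences" as three or more consecutive ascending or descending digits are assumptions; the page does not define these terms.

```python
import secrets
import string

MIN_LENGTH = 8                  # wiki: at least 8 characters
MIN_CATEGORIES = 3              # wiki: at least 3 of the 4 categories below
FACTORY_PASSWORD = "insecure"   # factory default from the wiki; must be changed


def character_categories(value):
    """Set of categories present: upper, lower, digit, special (assumption: 'special' = everything else)."""
    cats = set()
    for ch in value:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        else:
            cats.add("special")
    return cats


def check_password(password):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    found = len(character_categories(password))
    if found < MIN_CATEGORIES:
        problems.append(f"only {found} of {MIN_CATEGORIES} required character categories")
    if password == FACTORY_PASSWORD:
        problems.append("factory default password must be changed")
    return problems


def check_pin(pin):
    """Return the list of violated PIN rules (digits only, no duplications, no number sequences)."""
    if not pin or any(c not in string.digits for c in pin):
        return ["PIN must consist of digits only"]
    digits = [int(c) for c in pin]
    problems = []
    # duplication: the same digit twice in a row, e.g. 1122 (assumption)
    if any(a == b for a, b in zip(digits, digits[1:])):
        problems.append("repeated digit")
    # sequence: three consecutive digits stepping by +1 or -1, e.g. 123 or 987 (assumption)
    for i in range(len(digits) - 2):
        step1 = digits[i + 1] - digits[i]
        step2 = digits[i + 2] - digits[i + 1]
        if step1 == step2 and abs(step1) == 1:
            problems.append("number sequence")
            break
    return problems


def generate_pin(length=6):
    """Draw PINs from the OS CSPRNG until one passes check_pin."""
    while True:
        pin = "".join(secrets.choice(string.digits) for _ in range(length))
        if not check_pin(pin):
            return pin


def generate_password(length=16):
    """Random password drawn from all four categories; re-drawn until it satisfies check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print(check_password(FACTORY_PASSWORD))   # fails on categories and on being the default
    print(check_pin("1234"), check_pin("2580"))
    print(generate_pin(), generate_password())
```

    The checks report every violated rule rather than stopping at the first one, so a user sees at once why the wizard would reject a value; the generators simply re-draw until the checks pass, which terminates quickly because most random candidates already satisfy them.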

    Reboot

    Restart

    Do you want to reboot the system now? Yes. In order for the configuration changes to be applied, the respective services must be restarted in the correct order.
    This is achieved by a reboot of the device.
    If your own IP address was changed to reach the admin interface of the UTM and the default was changed in Step 3 - Internal, the internal interface of the UTM is now located in this network.
    For further configuration, the IP address of your own computer must then be changed again.
    See the section Adjust the IP address of your own computer above.

    Configure interfaces

    New as of v12.7.0

    Do you want to configure the interfaces now? Yes / No. This message appears if not all existing interfaces are configured correctly. It is recommended to do this in order to prevent possible problems. The Yes button opens the network configuration directly.
    Do not ask again: Off. If this message is not desired, it can be set here so that it is not displayed again the next time you log in.



    Server settings


    Global settings of the UTM

    Last adaptation to the version: 14.1.2

    This article refers to a Beta version

    Access: Network → Appliance Settings → Area Appliance Settings

  • Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.
  • Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2.
  • HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!
  • Insecure certificates should be replaced urgently!
    The BSI recommends (as of January 2025) key lengths of 3000 bits or more and SHA256:
    BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths, BSI TR-02102-1, chapter 2.3: RSA encryption

    The default setting of the UTM for new certificates is RSA encryption with 3072 bits and SHA256 as the hash algorithm.

    Places where certificates are configured:
  • OpenVPN
    • Server certificate when acting as a server (Roadwarrior or S2S)
    • Client certificate for S2S
    • If applicable, the certificate set as client certificate via a user attribute (Authentication → Users → Edit user)
  • Mail relay
    • Relaying "Certificate" (under TLS encryption as server)
  • Reverse proxy
    • Settings → SSL certificate
  • Webserver
    • Network → Appliance Settings → Webserver → Certificate
  • HTTP proxy
    • SSL interception → CA certificate


    Firewall

    Firewall
    Firewall Name: FQDN-compliant (Fully Qualified Domain Name) firewall name.
    Here you can define how the UTM responds to requests.
    If the mail relay is to be used, it may be useful to enter the FQDN of the mail exchange (MX) here so that other mail servers can match it using the reverse resolution of the PTR resource record (PTR).

    Read out:
    extc global get variable "GLOB_HOSTNAME"
    Set:
    extc global set variable "GLOB_HOSTNAME" value "utm.firma.local"

    Global contact person:     This field is used to enter the name of the administrator or organization that will later be specified in the UTM error messages for queries.
    Global email address:     An email address is entered here to which mails can be sent that otherwise cannot be delivered.
    Otherwise, undeliverable mails remain on the hard disk space, which can lead to the fact that the available space is no longer sufficient at some point and no more mails will be accepted.
    As of version v12.4.2 have an email address has to be stored here.
    Otherwise the mail connector and proxy will not start!
    A global email address will be requested when logging in.

    notemptyThe global email address is also the postmaster address for the mail relay.

    Read out:
    extc global get variable "GLOB_ADMIN_EMAIL"
    Set:
    extc global set variable "GLOB_ADMIN_EMAIL" value "utm-admin@ttt-point.de"

    Report language: German Language in which UTM reports are sent.
    Alternative: English

    DNS-Server

    Check Nameserver prior to local cache: Off (Default) By default the local cache of the UTM (127.0.0.1) answers DNS queries first, as the primary name server.
    When activated, the name servers entered here are queried before the local cache of the UTM.
    Primary Nameserver:
    Secondary Nameserver:
    The IP addresses of two external name servers to which the UTM should forward the DNS queries can be entered here.
  • DNS servers that can be reached via the external interface should be entered here.
  • Note: Do not enter a DNS server from your own internal network.

    Time Settings

    Current Date: 2020-20-32 25:00:20 The current time can also be entered manually. The adjacent button refreshes the display.
  • When servers, VPN connections and especially OTP authentication interact, it is important that all components are synchronized in time.
    NTP-Server: »ntp.securepoint.de The required NTP servers can be entered here. (Updated: multiple entries possible.)
  • Entering an IP address instead of a host name can avoid problems with DoT and DNSSEC, since time synchronization then does not depend on name resolution.
    Timezone: Europe/Berlin Correct time zone

    Webserver

  • If the port for the admin or the user interface is set to a well-known port (ports 0-1023), the browser may block access!
    Access may still be possible:
    • Google Chrome or Edge, for example, can be started with the start parameter --explicitly-allowed-ports=xyz.
    • For Firefox, a string variable with the value of the port to be released is created in the configuration (about:config in the address bar) under network.security.ports.banned.override.
    • It is possible to create a temporary policy for Chromium-based browsers to allow its use.
      This is strongly discouraged for security reasons!
  • Error message in Chrome / Edge: ERR_UNSAFE_PORT
  • Error message in Firefox: Error: Port blocked for security reasons
    Administration Webinterface Port: 11115 Port to reach the administration interface (which is used, for example, to display the web page shown in the image). In delivery state: 192.168.175.1:11115
    User Webinterface Port: 443 Port to reach the user interface. This is used, for example, to access filtered mails and VPN configurations.
    Note: The user interface port must be changed if port 443 (HTTPS) is used for the reverse proxy.
    Note: The user interface port must be changed if port 443 (HTTPS) is forwarded.
    Certificate:
  • Please note the minimum requirements for certificates from UTM version 14.2 onwards!
    • Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.
    • Support for certificates signed with SHA1 will also be removed starting with version 14.2.
    • HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!
    • Insecure certificates should be replaced urgently!
      The BSI recommends, as of January 2025, key lengths of 3000 bits or more and SHA256:
      BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths BSI TR-02102-1 | Chapter 2.3: RSA encryption

      The default setting of the UTM for new certificates is RSA encryption with 3072 bits and SHA256 as the hash algorithm.

    • Affected applications:
      • OpenVPN
        • Server certificate when acting as server (roadwarrior or S2S)
        • Client certificate for S2S
        • If applicable, a certificate assigned as client certificate via a user attribute (Authentication → Users → Edit user)
      • Mail relay
        • Relaying "Certificate" (under TLS encryption as server)
      • Reverse proxy
        • Settings → SSL certificate
      • Webserver
        • Network → Server settings → Webserver → Certificate
      • HTTP proxy
        • SSL interception → CA certificate
  • Without a dedicated certificate selected, the default certificate of the UTM is used, which was issued by the default CA: firewall.foo.local
    If the browser is to recognize the UTM with a valid certificate, proceed as follows:
    1. Create a CA (Authentication → Certificates → Area CA → button Add CA)
    2. Export the public part of the CA
    3. Create a certificate (Certificates → button Add Certificate)
      1. As CA, select the CA that was exported in step 2
      2. Alias DNS: FQDN name of the UTM, as entered in Network → Firewall → Area Server Settings → section Firewall → field Firewall name
        Multiple entries are possible!
      3. AliasIP: IP address under which the UTM can be reached.
        Several entries are possible here as well!
    4. Select the newly created certificate under Network → Server Settings → Area Server Settings → section Webserver → Certificate:
    5. Import the exported CA into the browser as a certificate authority
  • It is also possible to use ACME certificates.
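The same five steps carried out with the openssl command line, plus a check against the v14.2 minimum requirements listed above. This is an added example, not Securepoint code; it assumes the openssl binary is installed and uses the FQDN utm.firma.local, the delivery-state IP 192.168.175.1 and a CA name as example values.

```python
"""Added example (not Securepoint code): reproduce steps 1 to 5 above with the openssl
command line and check the result against the v14.2 minimum requirements from this page.

Assumptions: the openssl binary is installed; the CA name, the FQDN utm.firma.local and
the interface IP 192.168.175.1 are example values taken from this page."""
import re
import subprocess
import tempfile
from pathlib import Path
from typing import List


def _openssl(*args: str) -> str:
    """Run one openssl command and return its stdout; raises if openssl reports an error."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def create_ca(workdir: Path, name: str = "Example UTM CA", bits: int = 3072) -> Path:
    """Steps 1 and 2: self-signed CA with the UTM default (RSA 3072, SHA256); ca.crt is the public part to export."""
    _openssl("req", "-x509", "-newkey", f"rsa:{bits}", "-sha256", "-nodes", "-days", "3650",
             "-subj", f"/CN={name}", "-keyout", str(workdir / "ca.key"), "-out", str(workdir / "ca.crt"))
    return workdir / "ca.crt"


def create_utm_cert(workdir: Path, fqdn: str, ips: List[str], bits: int = 3072) -> Path:
    """Step 3: certificate signed by that CA; Alias DNS and AliasIP become subjectAltName entries."""
    san = ",".join([f"DNS:{fqdn}", *(f"IP:{ip}" for ip in ips)])
    (workdir / "san.ext").write_text(f"subjectAltName={san}\nextendedKeyUsage=serverAuth\n")
    _openssl("req", "-new", "-newkey", f"rsa:{bits}", "-sha256", "-nodes",
             "-subj", f"/CN={fqdn}", "-keyout", str(workdir / "utm.key"), "-out", str(workdir / "utm.csr"))
    _openssl("x509", "-req", "-in", str(workdir / "utm.csr"), "-CA", str(workdir / "ca.crt"),
             "-CAkey", str(workdir / "ca.key"), "-CAcreateserial", "-days", "825", "-sha256",
             "-extfile", str(workdir / "san.ext"), "-out", str(workdir / "utm.crt"))
    return workdir / "utm.crt"


def inspect_cert(cert: Path) -> dict:
    """Read key length, signature algorithm and SAN entries from `openssl x509 -text`."""
    text = _openssl("x509", "-in", str(cert), "-noout", "-text")
    bits = int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1))
    sig = re.search(r"Signature Algorithm: (\S+)", text).group(1)
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    sans = [s.strip() for s in san.group(1).split(",")] if san else []
    return {"bits": bits, "signature": sig, "sans": sans}


def meets_v14_2_minimum(cert: Path) -> bool:
    """False for what the page says v14.2 stops accepting: key length <= 1024 bits or a SHA1 signature."""
    info = inspect_cert(cert)
    return info["bits"] > 1024 and "sha1" not in info["signature"].lower()


def chain_is_valid(ca: Path, cert: Path) -> bool:
    """Step 5 from the UTM side: once ca.crt is imported, the browser accepts utm.crt only if this chain verifies."""
    result = subprocess.run(["openssl", "verify", "-CAfile", str(ca), str(cert)], capture_output=True, text=True)
    return result.returncode == 0


def build_and_check(fqdn: str, ips: List[str], bits: int = 3072) -> dict:
    """Run the whole procedure in a fresh temporary directory and report what the browser and v14.2 will see."""
    work = Path(tempfile.mkdtemp(prefix="utm-cert-"))
    ca = create_ca(work, bits=bits)
    crt = create_utm_cert(work, fqdn, ips, bits=bits)
    return {"ca": ca, "cert": crt, "info": inspect_cert(crt),
            "chain_ok": chain_is_valid(ca, crt), "meets_v14_2": meets_v14_2_minimum(crt)}


if __name__ == "__main__":
    print(build_and_check("utm.firma.local", ["192.168.175.1"]))
```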
  • Advanced Settings

    Maximum Active Connections: 32000 Maximum number of active connections to the UTM.
    This includes:
    • Web interface
    • SMTP
    • SSH
    Last-Rule-Logging: SHORT - Log three entries per minute The Last-Rule-Logging setting controls the number of messages that are written to the Syslog.
    • NONE - Do not log
    • SHORT - Log three entries per minute : Only the first three log messages per minute are displayed.
    • LONG - Log everything

    Note: We recommend leaving the setting at SHORT.



    Ethernet Configuration

    Creating and configuring an Ethernet interface

    Last adaptation to the version: 14.0.0

    New:

    Note: This article refers to a Beta version

    Access: Network → Network Configuration → Area Network interfaces → button

    Network interfaces General

    Button | Description   (Screenshot: Network → Network interfaces overview; the Reset button is shown only if "Show reset interface options" is On)
    Edit: Edits the respective interface
    Reset (new as of v14.0.0): Resets the interface options; this covers everything shown in the options column of the CLI command interface get (list here), as well as the hotwire configuration.
    Delete: Deletes the respective interface
    In the table settings, the display and content of the table can be configured (new as of v14.0.0).
    Show reset of interface options: Off When activated (On), the button for resetting a network interface is displayed
    Table settings
    Style: Default Customizes the style of this table individually (for details on the options, see Tools)
    Entries per page: Default Adjusts the entries per page for this table individually (for details on the options, see Tools)
    Max height: Default Adjusts the maximum display height of this table individually (for details on the options, see Tools)

    Creating an Ethernet interface

    The creation of an Ethernet interface is done with a wizard in the menu Network → Network configuration → Area Network interfaces → button Ethernet.
    Any number of interfaces can be created on UTMs with the naming scheme “eth”x.
    On UTMs with the naming scheme “LAN”x or “A”x, only interfaces that actually exist can be created.


    Caption | Value | Description   (Screenshot: Add interface wizard, Network → Network configuration)
    Name: LAN4 Name of the interface.
    If there is an existing unused interface, the next free LANx name is used by default.
    The name can also be entered manually.
    IP Address: 192.168.176.1/24 If the interface is to have a fixed IP, this is entered here.
    DHCP-Client: Off (alternatives: IPv4, IPv6, IPv4 & IPv6) Specifies whether, and if so for which IP protocol, the interface obtains its IP addresses from a DHCP server.
    Zones:     Previously created zones can be selected by clicking in the click box.
    Add new zone: No If activated, a new zone with a freely selectable name (here: dmz1) is created.
    Auto-generate rules: No If activated, rules are auto-generated that allow network traffic to all existing networks.
    Note: These rules serve exclusively to facilitate the commissioning of the interface.
    They cannot be edited and must be replaced by individual rules and subsequently deactivated or deleted!

    Update associated network objects: On (new as of v12.6.0) If an existing zone has been selected, all network objects that are already in this zone and have an interface as a target are moved to the new interface.

    Finish the wizard with the Finish button.


    Edit an Ethernet interface

    The configuration of an Ethernet interface is done in the menu Network → Network configuration → Area Network interfaces → button

    General

    Caption | Value | Description   (Screenshot: Edit interface, Network → Network configuration)
    Name: LAN1 The name of the interface cannot be changed afterwards.
    DHCP-Client: Off (alternatives: IPv4, IPv6, IPv4 & IPv6) Specifies whether, and if so for which IP protocol, the interface obtains its IP addresses from a DHCP server.
    Router Advertisement: Off If the UTM has received an IPv6 prefix (on an external interface), it can make the Default Gateway and the subnet known via router advertisement and at the same time distribute corresponding IPv6 addresses in the connected network. (See article IPv6 Prefix Delegation).
    Assign IPv6 addresses: On If it is not desired that the UTM distributes IPv6 addresses, but only the default gateway, then this option must be deactivated.
    IPv6 Prefix Delegation: Off Enables IPv6 prefix delegation so that IPv6 prefixes are allocated on this interface. (For external interfaces only.)

    Settings

    MTU: 1500 The Maximum Transmission Unit specifies the maximum packet size that can be transmitted without fragmentation.
    Depending on the type of network (cable, Ethernet, VPN use), other values can help with connection problems here.
    Autonegotiation: Default (new option) / On / Off  On allows and Off prohibits Ethernet network ports from independently negotiating and configuring the maximum possible transmission speed and duplex mode.
    Default does not perform an autonegotiation check and therefore does not generate an error if the option cannot be changed.

    Speed: 10 MBit/s / 100 MBit/s / 1000 MBit/s Speed of network communication (can be set even with autonegotiation activated)
    Duplex: full / half Duplex allows data packets to be sent and received simultaneously (can be set even with autonegotiation activated). Hubs usually only support half duplex.
    If autonegotiation is enabled at one end of the link and full duplex is forced at the other end, the autonegotiating side will treat the link as half duplex, resulting in a large number of transmission errors. →Wikipedia
    Route Hint IPv4: 192.0.2.192/---  Via the field "Route Hint" it is possible to define the gateway of the interface. This has the advantage, for example, that only the interface (e.g. LAN3) has to be specified in routing and not directly the gateway IP.
    Route Hint IPv6: 2001:DB8::123/---  Via the field "Route Hint" it is possible to define the gateway of the interface. This has the advantage, for example, that only the interface (e.g. LAN3) has to be specified in routing and not directly the gateway IP.
  • Flow control can also be configured via CLI.

    Enable autonegotiate: interface set name "LAN1" options [ pause_autoneg=1 ]
    activate RX (The interface can receive pause frames.) : interface set name "LAN1" options [ pause_rx=1 ]
    activate TX (The interface can send pause frames to other participants in the network.): interface set name "LAN1" options [ pause_tx=1 ]
    View configuration: interface get

    IP Addresses

    IP Addresses: »192.168.121.1/24 »fc80:1234::1/64 Under the menu item IP addresses, one or more addresses can be assigned to an interface.

    Zones

    Zones: »internal »firewall-internal »internal_v6 »firewall-internal_v6 Under the menu item Zones, the zones of the interface are defined.
  • Important: The zone internal should always be assigned to an interface.
    If the zone internal is not assigned to any interface and administration via the web interface is not explicitly enabled, the web interface can no longer be accessed!
    DynDNS

    Enabled: Yes Enables or disables (default) the DynDNS function
    DynDNS settings
    Hostname: hostname.spdns.de Desired host name
    User: hostname.spdns.de The corresponding user name must be entered here.
  • If linked to a reseller account, the corresponding host name must be entered here.
    Password:     The password must be entered here.
  • If linked to a reseller account, the update token must be entered here.
    Server: update.spdyn.de The Securepoint update server
    MX:
    Webresolver: On Must be activated if the UTM sits behind a NAT router (i.e. UTM → Fritzbox/Speedport → Internet), so that the public address is determined via a web resolver rather than taken from the interface.
    Protocol: The DynDNS update can be activated for IPv4 addresses only, IPv6 addresses only, or both IPv4 and IPv6.

    Fallback

    Fallback interface: wan3 Interface that stands in for the main interface in the case of a malfunction.
    The absence of malfunctions is verified by ping-checking an IP.
    Further notes on the configuration of a fallback can be found in a separate Wiki article.
    Fallback settings
    Ping-check IP: »203.0.2.203 »192.0.2.192 Host(s) to which the ping check is to be performed (the example IPs must be replaced).
    This may also be a host in the internal network if necessary.
    If a ping check host does not respond, the subsequent IP address is tried immediately. If none of the ping check hosts responds, this is considered a failed attempt and checked again after the ping check interval.
    Ping-check Interval: 5 Seconds Period between ping attempts
    Ping-check Threshold: 4 Attempts Number of failed ping attempts before switching to the fallback interface.
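A small model of the ping-check logic just described, as an added example (not Securepoint code), to see how host order, interval and threshold determine when the switch to the fallback interface happens. It assumes that checks run once per interval and that any answering host resets the failure counter, neither of which the table states; the hosts are the example IPs from the table.

```python
"""Added example (not Securepoint code): a small model of the ping check described in the
Fallback settings above, to reason about the effect of host order, interval and threshold.

Assumptions not stated on the page: checks run every interval_s seconds, and a round in which
any host answers resets the failure counter. The hosts are the constructed example IPs from the table."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FallbackCheck:
    ping_hosts: List[str]                 # Ping-check IP(s), tried in order; the next one immediately if one fails
    interval_s: int = 5                   # Ping-check Interval
    threshold: int = 4                    # Ping-check Threshold: failed attempts before switching
    failures: int = 0                     # consecutive failed attempts so far
    elapsed_s: int = 0                    # seconds since the first check of this run
    switched_at_s: Optional[int] = None   # time of the switch to the fallback interface
    log: List[str] = field(default_factory=list)

    @property
    def switched(self) -> bool:
        return self.switched_at_s is not None

    def run_round(self, reachable: Dict[str, bool]) -> bool:
        """One check round; `reachable` maps host -> bool and stands in for real ICMP replies.
        Returns True when some host answered."""
        now = self.elapsed_s
        self.elapsed_s += self.interval_s
        for host in self.ping_hosts:
            if reachable.get(host, False):
                self.failures = 0             # one answering host is enough: not a failed attempt
                self.log.append(f"t={now}s: {host} answered")
                return True
        self.failures += 1
        self.log.append(f"t={now}s: no host answered ({self.failures}/{self.threshold})")
        if self.failures >= self.threshold and not self.switched:
            self.switched_at_s = now
            self.log.append(f"t={now}s: switching to the fallback interface")
        return False


def simulate(hosts: List[str], rounds: List[Dict[str, bool]],
             interval_s: int = 5, threshold: int = 4) -> FallbackCheck:
    """Feed per-round reachability maps through the check and return its final state."""
    check = FallbackCheck(hosts, interval_s=interval_s, threshold=threshold)
    for reachable in rounds:
        check.run_round(reachable)
    return check


if __name__ == "__main__":
    # Constructed scenario: the first host is down but the second answers, then a total outage.
    outage = simulate(["203.0.2.203", "192.0.2.192"],
                      [{"203.0.2.203": False, "192.0.2.192": True}] + [{}] * 4)
    print("\n".join(outage.log))
```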

    Create default route

    A default route must be created for this connection:
    Network → Network Configuration → Area Routing → button Add Default Route

    Gateway Type Interface

    Gateway Type: Interface
    Caption | Value | Description   (Screenshot: Add Default-Route dialog, Network → Network configuration → Create default route)
    Gateway: wan0 Select the desired interface.
    Save and close the dialog.
    This creates the default route for IPv4.
    If necessary, another default route for IPv6 must be created.
    (Screenshot: Network → Routing with PPPoE)

    Gateway Type IP

    Gateway Type: IP
    Caption | Value | Description   (Screenshot: Add Default-Route dialog, Network → Network configuration → Create default route)
    Gateway: fe80:1234::1/--- IP address of the gateway.
    If a link-local IPv6 address is recognised, the "Interface" field is displayed and an interface must be selected.
    Interface: LAN1 (only for link-local IPv6) Interface via which the gateway address can be reached.
    Save and close the dialog.
    This creates the default route for IPv6.
    If necessary, another default route for IPv4 must be created.
    (Screenshot: Network → Routing with PPPoE)



    Mobile Settings

    Mobile Settings on the UTM

    Last adaptation to the version: 12.6.0

    New:
    • Updated to the redesign of the web interface
    Last updated: 06.2025
      • Incorrect 5G note removed

    Note: This article refers to a Beta version

    Access: Network → Network Configuration → Area Mobile

    Preliminary remark

    Under Network → Network configuration → Area Mobile, a UMTS or LTE interface can be configured.
    The mode used depends on the modem; the setup does not differ.

    • The upgrade kit for the UMTS or LTE function can be obtained later for the Black Dwarf, the RC100 and the RC200.
    • On request, the UMTS or LTE module can also be installed before delivery.
    • The devices or the upgrade kits are to be obtained exclusively from Securepoint or Wortmann AG.
      Foreign products are not supported.
    • Detailed instructions for retrofitting can be found here: Installation Upgradekit
    • Please note that after a crash of the modem, the device must be completely unpowered for several minutes so that it can successfully re-dial.


    Available modules

    Name | Manufacturer | Function
    MC7304 | Sierra Wireless Incorporated | LTE Modem
    EM770W | Huawei | UMTS Modem
     | Qualcomm | LTE Modem


    Add mobile interface

    The Mobile interface is configured under Network → Network Configuration → Area Mobile → button + Mobile.
    The setup wizard for the Mobile interface opens.
    (Screenshot: Add mobile interface, Network → Network configuration)

    Setup step 1

    (Screenshot: Add interface, Network → Network configuration)

    Setup step 2

    The module to be configured is selected.

    Setup step 3

    • The zones must be placed on the interface.
    • If the mobile interface should be used as an Internet connection, the zones external and firewall-external are required here.
    • New zones can also be created.
    • No zones are required for a fallback interface.

    Manage SIM

    Unlock SIM

    The SIM card can be activated by clicking on the lock icon and entering the PIN.

    (Screenshot: SIM card unlocking, Network → Network configuration)

    Remove SIM PIN

    The PIN of a SIM can only be removed via SSH and with a root user.

    • Display modem: mmcli -L
    • Display path to SIM: mmcli -m "MODEM-NUMBER"
    • Disable PIN query: mmcli -i "PATH-TO-SIM" --pin="PIN" --disable-pin

    Provider selection

    After the SIM has been unlocked, the connection can be edited and the provider selected. The carriers differ by the respective APN.
    An overview of the most commonly used providers can be found here: Mobile Provider

    (Screenshots: Network → Network configuration; Edit modem dialog)

    Add route

    A default route via the mobile interface (wwan0) is required so that a connection to the Internet can be established via the mobile interface.
    The configuration of a default route is described here: Configure default route.
    The setup of the Mobile connection is now complete.


    Signal quality

    The signal quality can be read out under Network → Network configuration → Area Mobile. The signal quality is specified as a percentage.

    (Screenshots: LTE signal with LTE modem; HSPA signal with UMTS modem)



    WLAN Configuration

    Wifi function of a UTM Black Dwarf, RC100 and RC200

    Last adaptation to the version: 12.6.0

    New:

    Note: This article refers to a Beta version

    Access: Network → Network Configuration → Area WLAN


    WLAN functionality

    • The Wi-Fi is available in the devices "Black Dwarf", "RC100" and "RC200" from the time of delivery or as a retrofit kit.
    • The devices/retrofit kits can only be obtained from Securepoint GmbH or Wortmann AG.
      Foreign products are not supported.
    • Detailed instructions for retrofitting can be found here.
    • Attention: This Wi-Fi setup guide is not a bridge configuration. The Wi-Fi IP range must be an independent subnet.
      As with any DMZ, rules and HideNATs may need to be created to allow access to the Internet/local network.
      If a bridge is to be set up in which the Wi-Fi and the internal network are in the same IP network, the corresponding Instructions for Bridging must be used.
    • A maximum of 28 clients can connect to the WLAN of the UTM.

    Call up the Wi-Fi configuration in the menu Network → Network configuration → Area WLAN.


    Setup
    Caption | Value | Description   (Screenshot: WLAN Setup, Network → Network configuration)
    Operation mode: 802.11g Sets the speed and, if necessary, the frequency of the transmission.
      802.11a: 54 MBit/s, 5 GHz
      802.11b: 11 MBit/s, 2.4 GHz
      802.11g: 54 MBit/s, 2.4 GHz
      802.11an: 802.11n with up to 300 MBit/s, 5 GHz (depending on the HT capabilities of the client)
      802.11gn: 802.11n with up to 300 MBit/s, 2.4 GHz (depending on the HT capabilities of the client)
    Country code: DE The country code determines which frequencies and which signal strength may be used.
    The frequencies used and the permitted transmission power can be found in a Wikipedia article.
    Channel: AUTO The channel can be set individually or selected automatically, depending on the mode.
    Beacon-Interval: 100 (default) Interval at which the base station transmits beacon frames (general information and management packets with identification data) to announce its presence.
    The value is not given in milliseconds but in kμs (kilomicroseconds); one kμs corresponds to 1.024 milliseconds or 0.001024 seconds, so the default of 100 is 102.4 ms.
    Save and close Saves the settings and closes the input dialogue.


    Print WLAN QR codes

    Print WLAN QR codes: Creates an HTML page with access codes in QR format for the WLANs and opens the print dialogue of the browser.


    WLAN Wizard

    Add WLAN: Opens the Wi-Fi wizard. Depending on the WLAN hardware available, up to 4 WLANs may be possible.

    Step 1 - IP address

    BSS: wlan0 Interface name; predefined and cannot be changed (BSS = Basic Service Set). (Screenshot: Add WLAN, Step 1 - IP address)
    IP address: 192.168.177.1/24 IP address of the Wi-Fi interface.
  • The address of the interface also automatically determines the network used for the WLAN.
  • The network selected for the WLAN (in this case 192.168.177.0/24) must under no circumstances overlap with any other network on the appliance!
    Step 2 - SSID

    Network Name (SSID): TTT-Point-WLAN The name of the network that other devices must specify for a connection
    SSID-Broadcast: On When activated, the WLAN is displayed for other devices.

    Step 3 - Authentication

    Security Mode: WPA Considered insecure and only present for backwards compatibility.
      WPA2 Standard with increased security
      WPA3 Standard with the highest available security.
    Management Mode: PSK Pre-Shared Key. The base station and mobile device must have the same PSK (≙ password). The security of the encryption depends directly on the length and complexity of the PSK! Short or easily guessed PSKs jeopardise network security.
    A secure PSK is automatically suggested and can be regenerated with the adjacent button.
      SAE Simultaneous Authentication of Equals (only with WPA3): Also uses a PSK, but with an improved method for the key exchange.
      A unique Pairwise Master Key (PMK) is derived from the password for each client; although the password is the same for all clients, each client receives its own PMK. Pairwise Transient Keys (PTK) are derived from the PMK by means of a four-way handshake between the Wi-Fi client and the authentication server.
      EAP Extensible Authentication Protocol / WPA Enterprise: Authentication via a RADIUS server (set under Authentication → Radius Authentication).
      OWE Opportunistic Wireless Encryption: Encrypted connections without a password. Can be used for the Captive Portal, for example.

    Step 4 - Zones

    New Zone: On Creates a new zone for the Wi-Fi.
  • Each Wi-Fi needs its own zone.
  • A separate zone (with its own port filter rules) can be created for each WLAN.
    Auto-generate rules: On Creates a port filter rule set for this interface (to any).
  • These rules are only meant to put the network into operation temporarily and must be replaced by dedicated port filter rules! (Menu → Firewall → Portfilter)
  • If the transparent mode of the HTTP proxy is to be used, this must also be configured: Applications → HTTP Proxy → Tab Transparent Mode → Button Add Transparent Rule
    Generate DHCP Pool: On Creates a DHCP pool with the selected network and the interface IP as router address. Edit in the DHCP Pools section.
    Finish: Completes the wizard and saves the settings

    Edit WLAN settings

    Area General
    BSS: Anyideas Interface name; predefined and cannot be changed (BSS = Basic Service Set). (Screenshot: Network → Network configuration, list of configured WLANs (max. 2))
    Depending on the WLAN hardware available, up to 4 WLANs may be possible.
    Network Name (SSID): TTT-Point-WLAN The name of the network that other devices must specify for a connection
    SSID-Broadcast: On When activated, the WLAN is displayed for other devices.

    Area Authentication
    Settings as in wizard step 3.
    Additionally for WPA or WPA2:
    Encryption: CCMP Encryption protocol based on the Advanced Encryption Standard (AES). A 128-bit key with a 48-bit initialisation vector is used.
      TKIP Uses an older, weaker encryption scheme. Use is strongly discouraged!
    Not available when using WPA3.

    Area Options   (Screenshot: Edit WLAN, Network → Network configuration)
    AP Isolate: On End devices in the WLAN can only reach the firewall; clients in the same WLAN cannot reach each other.
    WLAN connection settings
    Wi-Fi Multimedia (WMM): On End devices can tag their frames, which affects their priority.
    Management Frame Protection (MFP): Disabled / Optional / Required Enables protection of the management frames used for the establishment and operation of the data connection according to IEEE 802.11w. Increases network security and prevents e.g. man-in-the-middle attacks. Requires WPA2 or WPA3.
    WPA Group Rekeying: 600 (default) Time interval in seconds after which the group encryption key is renegotiated.



    DHCP-Server IPv4

    Setting up the DHCP server for an IPv4 network

    Last adaptation to the version: 14.1.1

    New:
    • The dialog design has been revised
    Last updated:

    Note: This article refers to a Beta version

    Access: Network → Network Configuration


    Prepare IP address ranges

    (Screenshot: Network → Network configuration → Network interfaces)

    For the firewall to act as a DHCP server in a network, a fixed IP from that network's range must be configured on the corresponding interface. In this example, IP addresses are assigned in the network 192.168.222.0/24, so an IP from this network is added to the interface: LAN3 → IP addresses → in the selection box, enter or select the IP address from the desired network with the desired subnet mask, here 192.168.222.1/24.




    Set up DHCP server

    DHCP

    General

    Caption | Value | Description   (Screenshot: Network → Network configuration → DHCP-Pools)
    Enable detailed logging: Off (new) When activated, all DHCP requests are recorded in the syslog

    DHCP-Pools

    • Multiple DHCP pools can be added
    • Only the first pool per subnet is available for dynamic leases.
      Further pools can only be used for static leases.
      Example:
      Pool_1: 192.168.14.20 - 192.168.14.50
      Pool_2: 192.168.14.100 - 192.168.14.150
      • Once 31 leases have been assigned via DHCP, no further dynamic leases are assigned.
      • The 32nd client no longer receives a dynamically assigned IP address and therefore has no network communication.
      • If a static lease with the address 192.168.14.101 is assigned to a client via its MAC address, this address is assigned to it.
    • After clicking Add Pool, the setup wizard opens and the DHCP parameters can be specified
    Ignore other DHCP servers: Off When activated, other DHCP servers (new: IPv4 and IPv6) are ignored

    If more than 1000 IP addresses (across all pools together) are required via DHCP, the number of possible leases must be increased.

    This is done in the menu Extras Advanced Settings  Area Extc Variables with the variable MAXLEASES.

    The value 0 corresponds to the default value of the service: 1000 leases.

    If more leases are required, the actual value must be entered here.

    Add pool   (Screenshot: Add pool wizard, Network → Network configuration)
    Step 1: Name and IP range
    Step 1 requires the name for the pool and the valid IP range for DHCP.
    In the example, the following IP addresses are assigned:
    Pool start address: 192.168.222.150/---
    Pool end address: 192.168.222.170/---
    Step 2: Nameserver
    In step 2, the DNS server for the DHCP clients can be specified.
    Either the IP of a public DNS server or the IP of the firewall itself can be entered here. In this example, the clients use the firewall itself as DNS.
    Note: In order for the UTM to also answer the DNS queries from the internal network, a corresponding rule is required.
    Step 3: Router + Options
    In step 3 of the wizard, the default gateway of the DHCP clients is specified.
    Caution: Normally, the IP of the firewall is always entered here.
    Note: An incorrect entry in this field may prevent access to the Internet!

    Edit pool

    After the pool has been created correctly, the pool start and end address can be changed and other parameters of the DHCP pool can be set up to be passed to the DHCP client.


    General

    (Screenshot: Edit pool, General area)

    The pool range start and pool range end can be changed here.



    Options - DHCP options
    Option | Option number | Value | Description   (Screenshot: Edit pool, Options area)
    Router: 3 »192.168.222.1 Router configured as in step 3
    Domain name: 15 securepoint.local Name of the domain in which the DHCP leases are assigned
    Domain name server: 5 »192.168.222.1 Name server as configured in step 2
    Netbios name server: 44     NetBIOS over TCP/IP Name Server Option
    SMTP-Server: 69     Simple Mail Transport Protocol (SMTP) Server Option
    NTP Server: 41     Servers should be listed in order of preference.
    Vendor Encapsulated Options: 43     Values must be given coded.
    TFTP Server Name: 66 profile.gigaset.net The IPv4 address, or the hostname of the TFTP server
    option tftp-server-name text;
    Bootfile Name: 67 The name of the bootfile file
    option bootfile-name text;
    Default URL: 114 https://teamwork.gigaset.com/gigawiki/display/GPPPO/DHCP+option+114 Default URL
    option default-url string;
    VLAN ID: 132     The ID of the VLAN used
    option vlan-id code 132 = text;
    option vlan-id "128";
    Next Server:     The IPv4 address of the Next server
  • If the value is missing, TFTP may not work.
  • Default Lease Time: 51 600 Seconds Default validity period of the IP address if the client has not requested an explicit duration.
    Maximal Lease Time: 7200 Seconds Maximum validity period of the IP address in seconds that the client may receive when explicitly requested.
    Reject unknown clients: No If activated Yes, an IP address is only assigned if there is a entry at Static DHCP tab for the MAC address of the client. notemptyChanged standard behaviourab v12.7: The static lease entry for the DHCP must be in the same pool to be considered known.
    The static lease entry for the DHCP must be in the same pool to be considered known.
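    The option table above lists values of different wire types (IP lists, text, a 32-bit lease time, and option 43, which must be supplied already coded). The following added example, which is not part of the UTM or of the dhcpd configuration language shown in the table, encodes a pool's options into the RFC 2132 type-length-value format a DHCP server sends and decodes them again, so the difference between the value types becomes visible. The pool values mirror the example on this page; the option 43 sub-option content is constructed.

```python
"""Encode and decode DHCP options in RFC 2132 TLV format (added example)."""
import ipaddress
import struct

# Wire types of the options from the table above (RFC 2132 / dhcpd declarations).
# Option 43 carries encapsulated sub-options and must be given pre-coded.
OPTION_TYPES = {
    3: "ip-list",    # Router
    15: "text",      # Domain name
    43: "raw",       # Vendor encapsulated options (already coded bytes)
    51: "uint32",    # Default lease time in seconds
    66: "text",      # TFTP server name
    67: "text",      # Bootfile name
    114: "text",     # Default URL
    132: "text",     # VLAN ID, declared as "code 132 = text" in the table
}


def encode_option(code, value):
    """One option: code byte, length byte, body (body must be 1..255 bytes)."""
    kind = OPTION_TYPES[code]
    if kind == "ip-list":
        body = b"".join(ipaddress.IPv4Address(ip).packed for ip in value)
    elif kind == "text":
        body = str(value).encode("ascii")
    elif kind == "uint32":
        body = struct.pack("!I", int(value))
    elif kind == "raw":
        body = bytes(value)
    else:
        raise ValueError(kind)
    if not 0 < len(body) <= 255:
        raise ValueError(f"option {code}: length {len(body)} not encodable")
    return bytes([code, len(body)]) + body


def encode_vendor_suboptions(subs):
    """Option 43 payload: a nested TLV list of sub-options (the 'coded' value)."""
    return b"".join(bytes([c, len(v)]) + v for c, v in subs.items())


def encode_options(options):
    """Concatenate all options and terminate the list with END (255)."""
    return b"".join(encode_option(c, v) for c, v in options.items()) + b"\xff"


def decode_options(blob):
    """Parse a TLV option list; options of unknown type are returned as raw bytes."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:          # END marker
            break
        if code == 0:            # PAD byte, no length field
            i += 1
            continue
        length = blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated option")
        kind = OPTION_TYPES.get(code, "raw")
        if kind == "ip-list":
            out[code] = [str(ipaddress.IPv4Address(body[j:j + 4])) for j in range(0, length, 4)]
        elif kind == "text":
            out[code] = body.decode("ascii")
        elif kind == "uint32":
            out[code] = struct.unpack("!I", body)[0]
        else:
            out[code] = body
        i += 2 + length
    return out


# Constructed sample matching the pool example on this page.
POOL_OPTIONS = {
    3: ["192.168.222.1"],
    15: "securepoint.local",
    51: 600,
    66: "profile.gigaset.net",
    132: "128",
    43: encode_vendor_suboptions({1: b"example"}),  # sub-option 1 is constructed
}

if __name__ == "__main__":
    wire = encode_options(POOL_OPTIONS)
    print(wire.hex())
    print(decode_options(wire))
```

    The length check matters in practice: a text value longer than 255 bytes cannot be carried in a single option, and a malformed length in a received option list is rejected instead of being read past the end of the buffer.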
    Advanced settings
    Note: New as of 14.1.1
    If further DHCP settings are to be made, the Add option button opens a dialog in which one of all 256 possible options can be selected and its value entered.
    (Figure: Pool: Add option, Network → Network configuration → Edit pool)
    Caption: Value  Description
    (Figure: Edit pool, Advanced settings with one configured DHCP option)
    ID: 5  The ID of the DHCP option.
        In the dialog, hovering over the icon displays the RFC number of the option.
    Name: Name Servers  The name of the DHCP option
    Value: 192.168.222.1  The value of the DHCP option.

    Depending on the selected DHCP option, a different value type may be required.



    Static DHCP


    If hosts are to be assigned predefined IP addresses (fixed IPs bound to the MAC address, but assigned by the UTM), these IPs can be reserved with static leases:
    Configuration under Network → Network configuration, area Static DHCP, button Add lease

    (Figure: Add lease dialogue, Network → Network configuration)
    Host: MaxMustermann-Laptop  Meaningful host name
    Ethernet: 12:34:56:78:90:AB  MAC address of the host
    IP: 192.168.222.111  IP address to be reserved exclusively for this host
    Save and close  Saves and accepts the lease and closes the creation dialogue.

    Important: Leases must be in an existing DHCP pool!

    (Figure: Network → Network configuration, Static DHCP)

    Note: Joint use of static and dynamic IP addresses within a pool is possible.


    Static leases outside a pool

    Existing static leases that are not within a DHCP pool must be changed!
    If such leases are detected after an update, a message is displayed prompting to adjust the DHCP settings.
    It is now possible that either
    • the leases are adapted and relocated in existing pools,
      or
    • additional DHCP pools are created that contain the static leases,
      or
    • existing DHCP pools are extended so that they include the static leases.
    (Figure: Warning at login)
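    The two rules stated above, that a static lease must lie inside an existing pool and that (as of v12.7) "reject unknown clients" only treats a client as known when its static lease is in the same pool, can be checked before an update produces the warning. The following is an added example and not UTM code; the pool range is the one from this page, the lease entries are constructed.

```python
"""Check static DHCP leases against the configured pools (added example)."""
import ipaddress

# pool name -> (first address, last address, reject unknown clients)
POOLS = {
    "lan-pool": ("192.168.222.150", "192.168.222.170", True),
}

# (host, MAC, IP) as entered in the Add lease dialogue; constructed sample data
LEASES = [
    ("MaxMustermann-Laptop", "12:34:56:78:90:AB", "192.168.222.160"),
    ("printer", "AA:BB:CC:DD:EE:01", "192.168.222.111"),   # outside every pool
]


def pool_for(ip, pools=POOLS):
    """Name of the pool whose start..end range contains ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for name, (start, end, _reject) in pools.items():
        if ipaddress.IPv4Address(start) <= addr <= ipaddress.IPv4Address(end):
            return name
    return None


def leases_outside_pools(leases=LEASES, pools=POOLS):
    """Hosts whose lease the update warning would ask to relocate."""
    return [host for host, _mac, ip in leases if pool_for(ip, pools) is None]


def is_known_client(mac, pool, leases=LEASES, pools=POOLS):
    """v12.7 semantics: a client is known to a pool only if its static lease
    entry lies inside that same pool (MAC comparison is case-insensitive)."""
    return any(m.lower() == mac.lower() and pool_for(ip, pools) == pool
               for _host, m, ip in leases)


def would_get_address(mac, pool, leases=LEASES, pools=POOLS):
    """With 'reject unknown clients' enabled, only known clients get a lease."""
    reject_unknown = pools[pool][2]
    return (not reject_unknown) or is_known_client(mac, pool, leases, pools)


if __name__ == "__main__":
    print("leases to relocate:", leases_outside_pools())
    print("laptop known in lan-pool:", is_known_client("12:34:56:78:90:ab", "lan-pool"))
    print("printer gets an address:", would_get_address("AA:BB:CC:DD:EE:01", "lan-pool"))
```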


    Configuration of DHCP-Relay

    With the DHCP relay, devices can receive their network configuration dynamically via the network, even if the DHCP server is located in another subnet.

    (Figure: DHCP relay overview, Network → Network configuration)
    Caption: Value  Description
    Activate debug mode: Off  Log messages are only written when activated (On)
        Note: New as of v12.7.1

    DHCP Relay IPv4

    DHCP server IP addresses: 192.168.178.1  IP addresses of the DHCP server(s); multiple entries possible (updated)
        The network(s) in which the servers are located must be known to the UTM.
    DHCP-Relay Client Side Interfaces: LAN2  Interfaces for which the DHCP server is to be responsible.

    DHCP Relay IPv6

    DHCP-Relay Server Side Interfaces: LAN1  Interface behind which a DHCPv6 server is located.
    DHCP-Relay Client Side Interfaces: LAN2  Interfaces for which a DHCPv6 server is to be responsible.



    Widget

    In the administrator interface of the UTM, there is a DHCP widget that provides an overview of the existing DHCP connections.
    Further information can be found in the Wiki article UTM Widgets.





    Zone settings

    Zone settings on the UTM

    Last adaptation to the version: 12.6.0

    New:
    • Updated to the redesign of the web interface

    Note: This article refers to a Beta version

    Access: Network → Zone configuration


    Introduction

    The zone concept defines through which interface an object (host or network) reaches the NextGen UTM.
    To achieve this, it is bound to an interface in the network configuration, and in the rule set to a network object.



    The zone concept

    Create a new zone

    (Figure: Add zone, Network → Zone configuration)

    A new zone is created under Network → Zone configuration by clicking the Add zone button.
    A zone can be created either without an interface or with an interface that already exists.



    The zones

    (Figure: The zone concept)

    We distinguish between network, interface and VPN zones:

    • Network zones distinguish the network segments, each of which is located behind an interface of the firewall.
    • Interface zones distinguish the interfaces via which the different network zones are connected.
    • VPN zones distinguish different networks that are connected via VPN connections.


    The type of a zone is controlled by flags, which are defined when the zone is created. The distinction for the user is simplified by naming conventions (interfaces: prefix "firewall-", VPN: prefix "vpn-").
    By linking an object in the rule set to the interface via the zone, it is possible to ensure that a port filter rule only takes effect if not only the source, destination and service match the rule, but the connection is also made via the correct interfaces. This prevents all attacks that involve IP spoofing. The assignment of an object to an interface is done by binding the zone to the interface on the one hand and the assignment of the network object to a zone on the other hand.
    Examples:
    • Internal network: internal
    • Internal interface: firewall-internal
    • External interface: firewall-external
    • Internet: external
    • Mail server: internal
    • Web server in the 1st DMZ: DMZ1
    • Remote IPSec subnet: vpn-ipsec

    Why is it necessary to distinguish between these different zones?
    Here is an example of a port filter rule:

    # Source Destination Service NAT Action Active
    4 internal-network internet HTTP Accept On

    This enables connections with the HTTP protocol from the internal network to the Internet. The source is located in the "Internal" network zone, the destination in the "External" network zone.

    The source and destination are therefore in different zones because they are reached via different interfaces of the firewall.

    If, for example, "www.ttt-point.de" is now entered into the browser, name resolution takes place before this connection is established.
    If the firewall is the DNS server on the network, the workstation sends the DNS request to the firewall's internal interface.
    This request must be allowed with a port filter rule:

    # Source Destination Service NAT Action Active
    4 internal-network internal-interface DNS Accept On

    This rule differs from the previous one in one detail: the source and destination of the permitted connection are not behind different interfaces. Rather, the interface as destination is in the same network segment as the source and thus actually in the same zone! Internally, rules for connections via the firewall are processed in a different table of the port filter than those that have the firewall itself as their destination. Therefore, interfaces are located in their own interface zone, so that here the source is in the network zone "Internal" and the destination, the interface of the firewall, is in the zone "firewall-internal".

    From this it follows that for a connection permitted in the port filter rule set, the destination is always located in a different zone than the source: either in a different network zone, and thus behind a different interface, or in the interface zone of the interface behind which the network segment of the source is located.
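    The two rules above differ only in the zone of their destination, and that zone decides both the processing path (through the firewall versus to the firewall itself) and the interface a packet must arrive on. The following added example models that; it is not Securepoint code. Zone and object names are the page's; the device names eth0/eth1, the address ranges and the service-to-port table are assumptions, and the rule strings are iptables-style matches for illustration only.

```python
"""Zone-bound rule compilation and the interface check it implies (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    interface: str       # interface the zone is bound to
    flag: str = ""       # "", "Interface", "Policy_IPSec" or "PPP_VPN"


@dataclass(frozen=True)
class NetObject:
    name: str
    address: str         # CIDR; a /32 for an interface object
    zone: Zone


SERVICES = {"HTTP": ("tcp", 80), "DNS": ("udp", 53)}   # assumed port mapping

internal = Zone("internal", "eth1")
fw_internal = Zone("firewall-internal", "eth1", "Interface")
external = Zone("external", "eth0")

internal_network = NetObject("internal-network", "192.168.222.0/24", internal)
internet = NetObject("internet", "0.0.0.0/0", external)
internal_interface = NetObject("internal-interface", "192.168.222.1/32", fw_internal)


def chain_for(dst):
    """Destination in an Interface zone: the firewall itself is the target
    (INPUT path). Any other destination: the packet passes through (FORWARD)."""
    return "INPUT" if dst.zone.flag == "Interface" else "FORWARD"


def compile_rule(src, dst, service, action):
    """Render the rule together with the interface matches the zones imply."""
    chain = chain_for(dst)
    proto, port = SERVICES[service]
    parts = [chain, f"-i {src.zone.interface}", f"-s {src.address}"]
    if chain == "FORWARD":
        parts.append(f"-o {dst.zone.interface}")   # only forwarded packets leave on an interface
    parts += [f"-d {dst.address}", f"-p {proto} --dport {port}", f"-j {action.upper()}"]
    return " ".join(parts)


def rule_matches(src, dst, packet):
    """A packet matches only if it arrived on the interface the source zone is
    bound to: an internal source address seen on eth0 does not match."""
    in_src = ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(src.address)
    in_dst = ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(dst.address)
    return in_src and in_dst and packet["iif"] == src.zone.interface


if __name__ == "__main__":
    print(compile_rule(internal_network, internet, "HTTP", "accept"))
    print(compile_rule(internal_network, internal_interface, "DNS", "accept"))
    spoofed = {"src": "192.168.222.5", "dst": "203.0.113.7", "iif": "eth0"}
    print(rule_matches(internal_network, internet, spoofed))
```

    Both generated rules carry `-i eth1` because the source object lives in a zone bound to eth1; that interface condition, not the address alone, is what ties a rule to the path a packet actually took.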


    Flags

    (Figure: Zone configuration, Network → Zone settings)
    Flag  Meaning
    No flag  It is the zone of a network.
    Interface  This is the zone of a UTM interface. It is usually used to make the services offered by the UTM (name server, proxy) accessible.
    Policy_IPSec  This is the zone of an IPSec VPN network.
    PPP_VPN  This is the zone where PPTP or L2TP VPN clients are located.


    IPv6

  • As of version 12.4, extra zones are no longer needed for IPv6. These are obsolete, since the IP version of the packet determines whether the rule is written for iptables or ip6tables.

    For new installations, IPv6 zones are no longer added. Existing zones also remain when upgrading firmware or importing a configuration.




    Network tools

    Network tools for system analysis in the UTM

    Last adaptation to the version: 14.1.1

    Note: This article refers to a Beta version

    Access: Tool bar → Network tools

    Introduction

    Toolbar under the side menu on the left

    Note: New placement of the menu in the toolbar as of v14.1.0
    To check the network connections, various functions are provided on the web interface of the UTM via the toolbar under Network tools.

    To close the dialog, either click again or use the button as an alternative.


    (Figure: Dialog with drop-down button)
    New as of v14.1.0: The network tools are also displayed as a modal dialog at the bottom of the screen and can be displayed alongside other menus.
    With a screen width of more than 1580 pixels, the dialog can also be displayed on the right-hand side of the screen.


    Route

    By pressing the Submit button, the main routing table of the UTM is displayed.
    This corresponds to the command ip route show table main executed as root on the UTM.

    By default, the main routing table for IPv4 is displayed.
    With the switch IPv6: On, the routing table for IPv6 can be displayed instead.

    (Figure: Network tools - Route)

    Ping

    The Ping can be used to check whether a certain host can be reached in an internal or external network.

    No port filter rule is needed for this on the UTM from this point, but it is needed if pinging is to be done from a network device.

    Note: Not every destination allows icmp-echo-request!

    Ping for IPv4

    (Figure: IPv4 Ping-Test)
    Options:
    IPv6: Off  Remains deactivated during an IPv4 ping
    Source: 192.168.175.1  Selection of the IPv4 address to ping with
    Destination: k.root-servers.net  Destination name or IP address
    Submit  Starts the ping test
    Response  The root server k.dns-zone.net of the Ripe NCC

    Ping for IPv6

    (Figure: IPv6 Ping-Test)
    Options (Caption: Value  Description):
    IPv6: On  Enable for IPv6 to be used at all
    Source: 2001:db08:aaaa:bbb00::1  Selection of the IPv6 address to be pinged with
    Destination: k.root-servers.net  Destination name or IP address
    Submit  Starts the ping test
    Response  The root server k.root-servers.net of the Ripe NCC should respond as shown in the picture

    Host

    (Figure: Network tools - Host)
    Options:
    Query type: Any  All listed types are queried
        A  The A record specifies the IPv4 address for the specified host
        AAAA  The AAAA record specifies the IPv6 address for the specified host
        PTR  Unlike forward DNS resolution (A and AAAA records), the PTR record is used to find domain names based on an IP address
        MX  The MX record specifies a mail exchange server for a domain. The information is used by the Simple Mail Transfer Protocol (SMTP) to forward e-mails to the correct hosts.
        TXT  The TXT record can contain any unformatted text strings. This is used by the Sender Policy Framework (SPF) to prevent forged emails from being sent.
        SOA  The SOA record specifies core information about a DNS zone, including the primary name server, the domain administrator's email, the domain serial number and several timers related to updating the zone
        NS  The NS record specifies an authoritative name server for a particular host
    Hostname: securepoint.de  Host that is to be queried
    Nameserver: 127.0.0.1  Name server to be used. Here it is the UTM itself.
    Response:
        Using domain server:
        Name: 127.0.0.1
        Address: 127.0.0.1#53
        Aliases:
        securepoint.de has address 51.89.43.189

    Traceroute

    With this tool, the hops of a connection to the host can be made visible.

    If, for example, a destination is not reachable, the last reachable IP address on the way can be determined.

    (Figure: Network tools - Traceroute)
    Options:
    IPv6: Off  Set whether to use IPv6
    Source: LAN1  Source from which the traceroute originates (new as of v14.0.0)
    Destination: k.root-servers.net  Specification of the destination to be traced with Traceroute
    Response  Result of the Traceroute function

    Categorize URL

    The URL filter categorises web pages and filters according to the specifications (content filter).

    Here you can check how certain pages are categorised.

    (Figure: Network tools - Categorize URL)
    Options:
    URL: securepoint.de  Website whose categorisation is to be queried
    Response: Allow  Categorisation by the content filter of the UTM

  • If there is any doubt about the categorisation of a URL, or if a change seems necessary, this can be reported at cf-support.securepoint.de.
  • An overview of the available categories can be found in our Wiki here.
    Similarity detection

    Note: New as of v14.1.1, experimental

  • This feature is experimental and should therefore be used with care!
    Domains: securepoint.de, google.de, hansestadt-lueneburg.de, goooogle.de, lueneburger-heide.de  Several domains can be checked at the same time.

    The result here:

    Not trustworthy:
    The domain "gooooogle.de" resembles the domain "google.de".

    Trustworthy domains:
    The domain "securepoint.de" is a trustworthy domain.
    The domain "google.de" is a trustworthy domain.
    The domain "hansestadt-lueneburg.de" is a trustworthy domain.
    The domain "lueneburger-heide.de" is a trustworthy domain.

    (Figure: Test of several domains)
    Test  Starts the similarity detection for domain names
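    The page does not describe how the UTM decides that "gooooogle.de" resembles "google.de". The following added example shows one simple way such a check can be built, as a defender's aid for spotting look-alike domains in logs or filter lists: each candidate is compared with a trusted list using the edit distance of its second-level label. This is illustration code, not the UTM's algorithm; the trusted list and the distance threshold are assumptions.

```python
"""Flag domain names that resemble a trusted domain (added example)."""

TRUSTED = ["securepoint.de", "google.de", "hansestadt-lueneburg.de", "lueneburger-heide.de"]


def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def label(domain):
    """Second-level label that look-alikes usually vary: 'gooooogle.de' -> 'gooooogle'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]


def check_domains(candidates, trusted=TRUSTED, max_distance=3):
    """Classify each candidate as trusted, a look-alike of a trusted domain, or
    unknown (too far from every trusted name for this check to say anything)."""
    trusted_set = {t.lower() for t in trusted}
    verdict = {"trusted": [], "lookalike": {}, "unknown": []}
    for d in candidates:
        d = d.lower()
        if d in trusted_set:
            verdict["trusted"].append(d)
            continue
        best = min(trusted_set, key=lambda t: edit_distance(label(d), label(t)))
        if edit_distance(label(d), label(best)) <= max_distance:
            verdict["lookalike"][d] = best
        else:
            verdict["unknown"].append(d)
    return verdict


if __name__ == "__main__":
    result = check_domains(["securepoint.de", "google.de", "gooooogle.de", "example.net"])
    for kind, entries in result.items():
        print(kind, entries)
```

    The threshold is the tuning knob: a distance of 3 catches the repeated-letter case from the page, while a larger value would start flagging unrelated short names, so in practice the candidate set should be narrowed (for example to domains seen in proxy logs) before the comparison is applied.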

    Routing table

    Displays all routes stored on the UTM (new as of v12.2.2)
    (Figure: Network tools - Routing table)



    Packet filter

    Creating and using packet filter rules, network objects, services and time profiles

    Last adaptation to the version: 14.1.0

    Note: This article refers to a Beta version

    Access: Firewall → Packet filter


  • The port filter was renamed the packet filter in version 12.6, which corresponds much better to its mode of operation.
    The function and arrangement in the menu have remained identical.

  • In version 12.7.1.1, iptables temporarily becomes the default rule engine again.
    For test purposes, iptables can be replaced by nftables.
    Nftables offers more flexibility and more up-to-date kernel support and was developed as a replacement for iptables.
    The rule engine is switched with:
        system rule_engine set value "nftables"
    or
        system rule_engine set value "iptables"

    Packet filter description

    (Figure: Firewall → Packet filter, with the buttons Log and Update rules)
    The packet filter controls the data traffic that passes through the UTM.

    • All network packets that pass through the UTM are filtered and only forwarded based on packet filter rules.
    • It is irrelevant whether the destination address and source address of the packet are in the same network, in different local networks, or in the Internet and a local network.
    • Based on the source IP, destination IP and service used, the rules are checked from top to bottom.
      The sequential number # before a rule indicates the order of rule creation and is permanently retained. It does not indicate the order in which the rule is processed!
    • A rule that has been created can subsequently be moved in the order by holding down the mouse button on its drag icon.
    • If an exception is to be created for a rule, the (more specific) exception must be defined first and only then the more general rule.
      If the exception rule applies to a packet, the specified action is carried out and packet filter processing ends.
      If the exception rule does not apply, the more general rule is checked next.
      If this rule then applies, the action specified there is executed.

    • If no applicable rule exists for a data packet, the packet is discarded (default: Drop).
    • A packet filter rule contains several elements:



    Packet filter rule

    • The basic structure of a rule is:
      Source → Destination → Service → Action
    • Rules can be copied with Copy rule. The Add rule dialogue opens with a copy of the respective rule.
    • Logging can be changed directly in the overview for individual rules or rule groups (see section Logging) and, new as of v14.0, with the button Packetfilter Log for the individual rules or with Packetfilter Log for all rules.
    • Logging is based on the log attribute and not on the ID, which is not guaranteed to be unique and may therefore result in incorrectly displayed logging entries.
    • Typical examples (columns: # Source Destination Service NAT Logging Action Cloud Active):
      The Internet should be accessible from the internal network:
        7  internal-network  internet  default-internet  HN  -  Accept  On
      The dmz1 network should be accessible for all services from the internal network:
        8  internal-network  dmz1-network  any  -  Accept  On
      A server in the internal network is to be accessible from outside via ssh:
        9  internet  internal-network  ssh  DN ➞  3/Min  Accept  On
      The Internet should be accessible from the internal network, but no ftp should be enabled:
        10  internal-network  internet  ftp  3/Min  Drop  On
        7  internal-network  internet  default-internet  HN  All  Accept  On
    • The packet filter is processed from top to bottom. If a rule applies, the check of the set of rules is terminated and the configured action is executed. Therefore, the prohibition of ftp must be placed before the general permission rule. A rule that has been created can be moved by drag and drop on its icon and placed specifically in the order.
    • If a rule was created via the VPN configuration, this is shown in the Cloud-managed column. These rules cannot be copied, edited or deleted.
        LG2-internal-networks  vpn-netzwerk  default-internet  -  ACCEPT  On
        vpn-netzwerk  LG2-internal-networks  LG2-any-service  -  ACCEPT  On
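    The examples above depend on two facts stated on this page: rules are evaluated top to bottom with the first match ending the check, and the # number records creation order rather than position. The following added example, which is not Securepoint code, evaluates packets against the page's typical rules in processing order and shows what happens when the ftp prohibition is dragged below the general permission. Network ranges and the service-to-port table are constructed (default-internet is assumed to include ftp, as the page's example implies).

```python
"""First-match, top-to-bottom packet filter evaluation (added example)."""
import ipaddress

NETWORKS = {                       # network object -> CIDR (constructed)
    "internal-network": "192.168.222.0/24",
    "dmz1-network": "192.168.100.0/24",
    "internet": "0.0.0.0/0",
}
SERVICES = {                       # service -> set of (proto, port); None = any
    "ssh": {("tcp", 22)},
    "ftp": {("tcp", 21)},
    "default-internet": {("tcp", 21), ("tcp", 80), ("tcp", 443), ("udp", 53)},
    "any": None,
}

# (#, source, destination, service, action) in processing order: the ftp
# prohibition (#10) sits above the general permission (#7).
RULES = [
    (8, "internal-network", "dmz1-network", "any", "Accept"),
    (9, "internet", "internal-network", "ssh", "Accept"),
    (10, "internal-network", "internet", "ftp", "Drop"),
    (7, "internal-network", "internet", "default-internet", "Accept"),
]


def in_object(ip, name):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(NETWORKS[name])


def service_matches(service, proto, port):
    allowed = SERVICES[service]
    return allowed is None or (proto, port) in allowed


def evaluate(packet, rules=RULES):
    """Walk the rules top to bottom; the first match decides and processing
    stops. Without a match the packet is dropped (default Drop)."""
    for num, src, dst, svc, action in rules:
        if (in_object(packet["src"], src) and in_object(packet["dst"], dst)
                and service_matches(svc, packet["proto"], packet["dport"])):
            return action, num
    return "Drop", None


def moved_below(rules, num):
    """Copy of the rule list with rule `num` dragged to the bottom; its # stays."""
    rule = next(r for r in rules if r[0] == num)
    return [r for r in rules if r[0] != num] + [rule]


if __name__ == "__main__":
    ftp = {"src": "192.168.222.10", "dst": "203.0.113.7", "proto": "tcp", "dport": 21}
    print(evaluate(ftp))                          # ('Drop', 10)
    print(evaluate(ftp, moved_below(RULES, 10)))  # ('Accept', 7): exception never reached
```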


    Autogenerated rules

    (Figure: autogenerated)
    The UTM has autogenerated rules ex works.
    These rules initially allow all data traffic into the existing networks and also release the proxy and DNS services of the respective interface for internal networks.
    Note: These rules serve exclusively to make the commissioning of the firewall possible.
    They must be adapted or replaced by individualised rules!

    Note: New as of v14.0.1: Autogenerated rules can be edited
    The visibility of the autogenerated rules can be controlled in the drop-down menu with this switch: Show auto-generated rules: On (default)


    Packet filter rule settings

    Note: After editing or adding a rule, the rule set must be updated.
    Only after that will the rules be applied!
    (Buttons: Add rule / Update rules)

    Note: Packet filter rules can also be created with the support of the rule wizard.

    Note: New as of v14.0: The layout of the table can be adjusted in the table menu. More information can be found here.
    General

    (Figure: Add rule, Firewall → Packet filter, rule wizard, General area)
    Caption: Value  Description
    Active: On  Only when activated is this rule checked
    Source: internal-network  Network object or user group that is permitted as the source of the data packet.
    Destination: internet  Network object or user group that is permitted as the destination of the data packet.
    Service: default-internet  Desired service with stored port (see tab Services)
    Add network object / Add service  Adds a network object or service
    Switch network object  Exchanges the network objects Source and Destination
    Action:
        ACCEPT  Forwards the packet
        DROP  The packet is dropped
        REJECT  An ICMP packet is sent to the sender indicating that the port is not available. In the LAN, reject rules can prevent clients from having to wait for a timeout.
        QOS  Allows you to specify a Quality of Service profile that limits the bandwidth for data packets to which this rule applies.
            Configuration of the QoS profiles in the Network → QoS, area Profile menu.
        STATELESS  Allows connections regardless of status
    QoS: (Option postponed)  Allows you to specify a Quality of Service profile that limits the bandwidth for data packets to which this rule applies.
        Configuration of the QoS profiles in the Network → QoS, area Profile menu.
        Only available when QOS is selected as Action.
    Group: default  Packet filter rules must be assigned to a group. This makes it easier to keep track when adding to the set of rules. In addition, rule groups can be activated or deactivated with a switch (new as of v12.7.0) and the logging settings of all rules contained can be adjusted centrally via a button.
    Log

    (Figure: Packet filter rule settings, Log)
    Logging:  Specifies how extensively the application of the rule is logged.
        Note: New as of v12.7.0: This setting is also available in the packet filter overview for individual filters as well as complete groups.
        None  No logging (default)
        Short  Logs the first three entries per minute
        Long  Logs all entries
    Log alias: default  (New as of v14.0) Short alias (at most 10 characters) for the packet filter rule, which is displayed in the log instead of the ID.
        The alias does not have to be unique for this rule.
    NAT

    Network Address Translation is the conversion of IP addresses used in a network to another IP address from another network. Typically, all internally used private IP addresses are mapped to one or more public IP addresses.
    Type:
        NONE  No NAT is performed
        FULLCONENAT  With Full Cone NAT, the same port is set for the sender as for the recipient. However, IPs other than the originally addressed IP are also permitted as senders. This can be helpful with VOIP.
            (Figure: Full Cone NAT)
        HIDENAT  Also called Source NAT. Hides the original IP address behind the IP address of the interface used.
            The standard case is data traffic from an internal network with private IP addresses to the Internet.
            The IP from the local network is masked with the IP of the interface that establishes access to the Internet.
            (Figure: HideNAT)
        HIDENAT_EXCLUDE  HideNAT Exclude is usually used in connection with IPSec VPN connections.
            This ensures that data packets for the VPN remote terminal are routed through the VPN tunnel with the private IP address.
            Otherwise, these would be masked with the public WAN IP address like all other packets in the direction of the Internet and, since they are sent with a private destination address, would be discarded at the next Internet router.
            See also the Wiki article HideNAT Exclude.
            The HideNAT Exclude rule must come before the HideNAT rule for the exception to apply.
            (Figure: HideNAT Exclude; HideNAT Exclude rule before HideNAT rule)
        DESTNAT  Destination NAT is usually used to offer several services on different servers under one public IP address.
            For example, if you want to access the SSH service (port 22) of the server (198.51.100.1/32) from the Internet via the public IP address of the eth0 interface with port 10000, the rule would have to be created as shown opposite.
            The associated network objects and the service on port 10000 must be created for this.
            (Figure: Destination NAT)
        NETMAP  NetMap is used to connect two identical subnets with each other.
            Using auxiliary networks (mapnet), which are not set up on either of the remote sites to be connected, these connections can be created collision-free without completely changing the subnet on either side. Instructions for connecting two networks can be found in a dedicated Wiki article NetMap.
            (Figure: NetMap)
    Network object: external-interface  The IP address of this network object is then used as the sender IP of the data packets in the target network.
        As a rule, this should be the interface whose IP address is known to the target network so that reply packets can also be correctly delivered.
    Service: ssh  Uses the selected service in the local destination network. This value is often (but by no means always) identical with the service above it in the data source packet for which the rule is checked.
        Only available when Type is selected as DESTNAT or NETMAP.
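    The NAT types above are easiest to understand by watching what each one does to a packet. The following added example (not Securepoint code) applies NAT rules in list order with the semantics described on this page: a HIDENAT_EXCLUDE rule placed before HIDENAT leaves VPN-bound traffic untranslated, HIDENAT masks the source with the interface address, and DEST NAT maps the public port 10000 to port 22 of 198.51.100.1 as in the page's example. Treating source and destination translation as one ordered list is a simplification of the real engine, which performs them at different stages. The WAN address, the VPN subnet and the client addresses are constructed.

```python
"""Effect of HIDENAT, HIDENAT_EXCLUDE and DESTNAT on a packet (added example)."""
import ipaddress

PUBLIC_IP = "203.0.113.10"        # constructed WAN address of the external interface (eth0)
VPN_REMOTE = "10.20.0.0/16"       # constructed IPSec remote subnet
INTERNAL = "192.168.222.0/24"

# (type, source net, destination net, destination port or None, parameters)
NAT_RULES = [
    ("HIDENAT_EXCLUDE", INTERNAL, VPN_REMOTE, None, {}),
    ("HIDENAT", INTERNAL, "0.0.0.0/0", None, {"snat_ip": PUBLIC_IP}),
    ("DESTNAT", "0.0.0.0/0", PUBLIC_IP + "/32", 10000,
     {"dnat_ip": "198.51.100.1", "dnat_port": 22}),
]


def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def apply_nat(packet, rules=NAT_RULES):
    """Return (translated packet, type of the rule that applied). The first
    matching rule wins; HIDENAT_EXCLUDE matches but translates nothing, which
    is exactly why it has to sit above the HIDENAT rule."""
    p = dict(packet)
    for kind, src, dst, port, params in rules:
        if not (_in(p["src"], src) and _in(p["dst"], dst)):
            continue
        if port is not None and p["dport"] != port:
            continue
        if kind == "HIDENAT":
            p["src"] = params["snat_ip"]
        elif kind == "DESTNAT":
            p["dst"], p["dport"] = params["dnat_ip"], params["dnat_port"]
        return p, kind                      # HIDENAT_EXCLUDE returns p unchanged
    return p, "NONE"


if __name__ == "__main__":
    vpn = {"src": "192.168.222.5", "dst": "10.20.1.1", "dport": 445}
    print(apply_nat(vpn))                   # untouched: the exclude rule matched first
    print(apply_nat(vpn, NAT_RULES[1:]))    # without the exclude rule the source is masked
```

    The second call drops the exclude rule from the list, which is the situation the page warns about: the VPN packet is then masked with the WAN address and is no longer delivered through the tunnel.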
    Extras

    Rule routing: wan0  In the Extras section, the Rule Routing field is used to specify, based on rules, which route IP packets should take.
        In the example opposite, all VOIP packets are routed via the wan0 interface.
        The drop-down field only provides wan interfaces for selection.
        If access to the Internet is via a router connected to an ethernet interface, this can be entered manually.
        (Figure: Packet filter rule with rule routing)
    Time profile:  Restricts the validity of the rule to a previously defined time profile.
        See section Time Profiles.
    Description: Show extended rule info: On  Alternative text that can be displayed instead of the rule details.
        The alternative texts are displayed with the corresponding button.
        (Figure: Firewall → Packet filter, rule description in plain text)

    Note: After editing or adding a rule, the rule set must be updated.
    Only after that will the rules be applied!
    (Buttons: Add rule / Update rules)


    Network objects

  • Menu under Firewall → Network objects
    (Figure: Firewall → Network objects, tab Network objects)
    Button  Description
    Edit  Opens the network group or network object for editing
    Delete  Deletes the network group or network object. The deletion must be confirmed once again.
        For GeoIP network objects, after confirmation, all GeoIP network objects with the same prefix are deleted.
    Add group  Creates a new network group to which network objects can be added immediately
    Show GeoIP objects: On  When disabled (Off), GeoIP objects are hidden to improve readability.

    Network objects consist of:
    • a name
    • an address (IP or network), a hostname or an interface
    • and a zone.

    Network objects are mainly needed to create packet filter rules, but they are also used in the HTTP proxy.

    The members of a network group are displayed as labels.
    Click on a label to display the details in the "Network objects" table.
    Note (v14.0): If there are network objects that were created via the USC, the Cloud-managed column shows whether these are such objects or locally created objects. Cloud-managed objects must be edited in the Cloud under Unified Network Console, Config.


    Edit / Add Network Groups

    Menu under Firewall → Network objects, button + Add group

    (Figure: Edit / create network group dialog, Firewall → Network objects)
    Caption: Value  Description
    Name: Geo-DACH  Freely selectable name for the network group
    Network objects: GEOIP: AT (Austria), GEOIP: CH (Switzerland), GEOIP: DE (Germany)  Existing network objects can be added in the click box
        Add button: Opens the dialog for adding another network object
        Remove button: Removes a network object from the network group

    Create / Add network objects

    (Figure: Add network objects, Firewall → Network objects)
    Caption: Value  Description
    Name: Host-Objekt  Freely selectable name for the network object.
        OK - not really free: Even if it should be technically possible, refrain from using cryptic special characters such as curly brackets, backslashes and similar. At the latest in an AD environment, such things may lead to problems.
    Type:  The type determines how the affiliation to this network object is determined.
        Host  A single host with an IP address, e.g. 192.0.2.192/32
        Network (address)  A complete network, e.g. 192.0.2.0/24
            A /24 network is entered as default. However, this can be changed as desired.
        Network (address with custom mask)  Network with any subnet mask. This is useful when the prefix may change. (Example: 192.0.2.0/0.255.255.0 or 2001:DB8::1234/::FFFF:FFFF)
        Network (interface)  A complete network behind an interface, e.g. eth0
            Attention: With HideNAT, only the first IP lying on this interface is used.
            When using with HideNAT, try to use a network address.
        VPN host  A single VPN host with an IP address, e.g. 192.0.2.192/32
            Only zones that have the flag Policy_IPSec or PPP_VPN in the zone management (Network → Zone settings, edit button) can be selected as zones for these network objects.
        VPN network  A complete VPN network, e.g. 192.0.2.0/24
            A /24 network is entered as default. However, this can be changed as desired.
        Static interface  A configured IP address of an interface can be selected from a drop-down menu, e.g. 192.0.2.1/24
        Dynamic interface  A dynamic assignment of the address of the interface based on the assigned zone, e.g. 0.0.0.0/. or eth0
        Hostname  A host name, e.g. my.host.local
        GeoIP  Creates a network object in the specified zone for each country.
            IP addresses are assigned to a country via the organizations and institutions to which the associated IP networks are assigned.
            The actual location of a host may differ from the assignment or may not be visible, e.g. due to a VPN tunnel!
            Adding a network object of type GeoIP creates approx. 250 new network objects!
  • Address: 192.0.2.192 Depending on the type selected. See above.
    Interface:
    For type only Network (interface) orDynamic interface
    LAN1 All hosts behind this interface belong to this network object
    IP address:
    For type only Static interface
    192.168.175.1 All hosts behind the interface with this IP address belong to this network object
    Hostname:
    For type only Hostname
    my.host.local Hostname of the network object
    Prefix:
    For type only GeoIP
    ext2_ Prefix placed in front of the network objects (for better identification)
    Example: prefix ext2_ → network object ext2_GEOIP:DE
    Zone: Zone Zone in which the network object is located.
    By linking an object in the set of rules with the interface via the zone, it is achieved that a packet filter rule only takes effect if not only the source, destination and service match the rule, but the connection is also made via the correct interfaces. This prevents all attacks that involve IP spoofing. The assignment of an object to an interface is done by binding the zone to the interface on the one hand and the assignment of the network object to a zone on the other.

  • Depending on the selected network type, a zone is already suggested or a restriction of the zone selection is made.
  • Groups: »internal-networks Network objects can be grouped together to assign packet filter rules to multiple objects.
    Note: Network objects can also belong to several groups.
    This can lead to contradictory rules for the same network object that are not immediately obvious.
    As with all rules, the first rule in the rule set whose network group contains the network object is the one that takes effect.
    Save Saves the network object, but leaves the dialogue open to be able to create further objects.
    Save and close Saves the network object and closes the dialogue
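As an added illustration (not part of this wiki page or Securepoint's code), the following Python toy packet filter shows why the zone binding described above defeats IP spoofing: zone names, interfaces, addresses and the single rule are constructed for the demo, and only the source object's zone is checked against the ingress interface.

```python
"""Toy packet filter illustrating zone-bound network objects (added example,
not Securepoint code). Zones, interfaces, addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone management binds each zone to one interface (constructed binding).
ZONE_INTERFACE = {"internal": "LAN2", "external": "LAN1"}


@dataclass(frozen=True)
class NetObject:
    name: str
    network: str    # CIDR notation
    zone: str


@dataclass(frozen=True)
class Rule:
    source: NetObject
    dest: NetObject
    service: tuple  # (protocol, destination port)
    action: str     # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    in_iface: str   # interface the packet arrived on


def source_matches(obj: NetObject, pkt: Packet, check_zone: bool) -> bool:
    """The source address must lie in the object's network; with zone checking
    the packet must also have arrived on the interface bound to the object's zone."""
    if ip_address(pkt.src_ip) not in ip_network(obj.network):
        return False
    return (not check_zone) or ZONE_INTERFACE[obj.zone] == pkt.in_iface


def evaluate(rules, pkt: Packet, check_zone: bool = True) -> str:
    """First matching rule wins; no match means the implicit default drop."""
    for rule in rules:
        if (source_matches(rule.source, pkt, check_zone)
                and ip_address(pkt.dst_ip) in ip_network(rule.dest.network)
                and rule.service == (pkt.proto, pkt.dport)):
            return rule.action
    return "drop"


INTERNAL = NetObject("internal-network", "192.168.175.0/24", "internal")
INTERNET = NetObject("internet", "0.0.0.0/0", "external")
RULES = [Rule(INTERNAL, INTERNET, ("tcp", 443), "accept")]

# A genuine client on LAN2, and a packet with a forged internal source address
# arriving on the external interface LAN1 (both constructed).
LEGIT = Packet("192.168.175.10", "198.51.100.5", "tcp", 443, "LAN2")
SPOOFED = Packet("192.168.175.10", "198.51.100.5", "tcp", 443, "LAN1")

if __name__ == "__main__":
    print("legit:", evaluate(RULES, LEGIT))                        # accept
    print("spoofed, zone bound:", evaluate(RULES, SPOOFED))        # drop
    print("spoofed, no zones:", evaluate(RULES, SPOOFED, False))   # accept
```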


    Services

  • Menu call: Firewall Services
  • New as of v12.7.2: All ICMP services are available for IPv4 and IPv6. The IPv6 services start with icmpv6- instead of icmp-.


    Add / edit services

    If a service does not exist, it can be created with Add object.
    Depending on the protocol used, further settings can be made:

    • Ports (TCP and UDP)
    • Packet types (ICMP)
    • Protocol type (gre)


    The name of the service and the protocol must be specified in each case.
    With the tcp and udp protocols, a service can be restricted to a single destination port or a port range. Source ports can be any (None), a single port or a port range.
    If an existing service is to run on a different port, the service can be edited and the port changed.



    Service groups

    Services can be grouped together in service groups. Here, too, there are already predefined groups that can be added to and changed. A detailed display is opened by clicking on the button next to the group.

    Updated to v12.7.2: The Windows domain service group has been expanded.
    Services:
      domain-tcp                    Destination ports: 53
      domain-udp                    Destination ports: 53
      ldap-tcp                      Destination ports: 389
      ldap-udp                      Destination ports: 389
      ldap-ssl                      Destination ports: 636
      ms-ds                         Destination ports: 445
      netbios-tcp                   Destination ports: 139
      netbios-udp                   Destination ports: 137:138
      netbios-rpc                   Destination ports: 135
      w32time                       Destination ports: 123
      kerberos-tcp                  Destination ports: 88
      kerberos-udp                  Destination ports: 88
      kerberos-password-change-tcp  Destination ports: 464
      kerberos-password-change-udp  Destination ports: 464
      ldap-gc                       Destination ports: 3268
      ldap-gc-ssl                   Destination ports: 3269
  • The changes only take effect with a new installation, current configurations are not changed.

  • New from v12.7.2: There is a service group called sp-backup that enables the use of Securepoint Unified Backups.
    Services:
      sp-backup-portal  Destination ports: 8086:8087
      sp-backup-vault   Destination ports: 2546


    Example: The group default-internet contains, among others, the services:

    Name           Protocol   Port / packet type
    domain-udp     udp        Port 53
    ftp            tcp (ftp)  Port 21
    http           tcp        Port 80
    https          tcp        Port 443
    icmp-echo-req  icmp       Packet type 8

    Add/remove service from a service group

    • Clicking the checkbox selects the desired service and adds it to the group.
    • Clicking the add button creates a new service and then adds it to the service group.
    • A service is removed from the service group by clicking on the corresponding remove button.


    Time profiles

    Time profiles are used to activate packet filter rules only at specified times. They can be configured under Firewall Time profiles.
    In the example shown, the profile applies daily between 3:00 am and 3:59:59 am and on weekdays from 7:00 am to 5:59:59 pm. This can be seen in the table in the Time window column. Under Used in packet filter rules, the IDs are listed together with the descriptions of the packet filter rules for which this time profile is set up. The packet filter rule can also be edited by clicking on the corresponding entry. The Name column shows an assigned name that should describe the time profile.



    Create time profiles


    • Create a time profile under Firewall Time profiles  button Add time profile.
    • Select times
      • Individual fields or time ranges can be selected by clicking the mouse
      • Several fields and time ranges can be selected by holding down the mouse button
    • Accept the time settings with the button Save and close


    Use time profiles

    Time profiles can be selected under the Extras section when creating or editing packet filter rules.



    Note: A description of the implied rules can be found here.




    Implied rules




    Implied rules of the UTM

    Last adaptation to the version: 14.0.8.2

    New:
    • Settings for GeoIP blocking moved to IDS/IPS

    This article refers to a Beta version

    Access: Firewall Implied Rules


    Implied rules

    Settings in menu Firewall Implied rules .
    Implied rules have been added for certain use cases. These rules can be easily activated or deactivated by the user as needed. Some of these rules are already active by default.
    Note: The access zones are not relevant for these rules.


    Columns of the table: Group / Rule, Description, Protocol, Port, Active (default). An asterisk (*) marks a port that can be changed in the menu named for the rule. Each group header activates or deactivates the entire group (All / Some / None).

    Group BlockChain
      FailToBan_ssh: Access via ssh. Monitoring with Fail2Ban rules. Configuration at Applications IDS / IPS (see the Wiki article). TCP 22, default On
      FailToBan_http_admin: Access via the Admin Interface. Monitoring with Fail2Ban rules. Configuration at Applications IDS / IPS (see the Wiki article). Port changes possible at Network Appliance Settings. TCP 11115*, default On
      FailToBan_http_user: Access via the User interface. Monitoring with Fail2Ban rules. Configuration at Applications IDS / IPS (see the Wiki article). Port changes possible at Network Appliance Settings. TCP 443*, default On
      FailToBan_smtp: Access via the Mailgateway. Monitoring with Fail2Ban rules. Configuration at Applications IDS / IPS (see the Wiki article). Port changes possible at Applications Mailrelay, Area Smarthost. TCP 25*, default On
    Group CaptivePortal (enable redirection of traffic to a landing page)
      CaptivePortalPage: Opens an incoming port on the corresponding interface of the firewall that is intended for the captive portal to display the landing page. Port changes possible at Applications Captive Portal, Area Advanced. TCP 8085*, default Off
      CaptivePortalRedirection: Redirection of traffic to the above mentioned port. Default Off
    Group IPComp
      IPComp: Accepts connections with the IPComp protocol (compression of data packets, IP protocol number 108). Protocol IPComp, default Off
    Group IpsecTraffic
      Accept: Accepts incoming and outgoing traffic of an IPSec connection. Default On
      No NAT for IPSec connections: Exempts all IPSec connections from NAT. Changed default setting for new installations as of v12.5. Default Off
    Group Silent Services Accept
      Bootp: Accepts requests for the bootstrap protocol Bootp to transmit an IP address and possibly further parameters, and requests for DHCP (extension of Bootp). UDP 67 and 68, default On
    Group Silent Services Drop
      NetBios Datagram: Discards these packets without log message. UDP 138, default On
      NetBios Nameservice: Discards these packets without log message. UDP 137, default On
      NetBios Session Service: Discards these packets without log message. UDP 139, default On
    Group VPN
      IPSec IKE: Accepts connections on port 500/UDP. UDP 500, default On
      IPSec ESP: Accepts connections with the ESP protocol (50). Protocol ESP, default On
      IPSec NAT Traversal: Accepts connections on port 4500/UDP. UDP 4500, default On
      SSL VPN UDP: Accepts connections on ports for which an SSL VPN instance has been configured with the UDP protocol. UDP 1194, default On
      SSL VPN TCP: Accepts connections on ports for which an SSL VPN instance has been configured with the TCP protocol. TCP 1194, default On
      User Interface Portal: Accepts connections on port 443/TCP. Required for the user interface. TCP 443, default On
      Wireguard: Enables connections with the WireGuard protocol. Port changes possible at VPN WireGuard, button edit connection. UDP 51280*, default On
    Group TI-Proxy (new as of v14.0.7.2)
      DESTNAT for TCP connections from the connector to the card terminals: Creates and allows a port forwarding (destnat) from the IP addresses and ports stored in the TI-Proxy, from the connector to the card terminals (default: 60000→4742). TCP 60000, default On



    HTTP Proxy




    Configuration of the HTTP proxy

    Last adaptation to the version: 14.1.2

    New:

    This article refers to a Beta version

    Access: Applications HTTP Proxy

    Introduction

    The proxy serves as an intermediary between the internet and the network to be protected.
    The clients send their request to the proxy and the proxy passes it on to the corresponding servers.
    The actual address of the client remains hidden from the server.
    In this way, it is possible to check the data traffic for viruses and unwanted content.

    New as of v14.1.1: If necessary, additional configuration profiles can be added alongside the standard profile.

  • Please note the minimum requirements for certificates from UTM version 14.2 onwards!
    • Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.
    • Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2.
    • HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!
    • Insecure certificates should be replaced urgently!
      The BSI recommends (as of January 2025) key lengths of 3000 bits or more and SHA256
      BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths BSI TR-02102-1 | Chapter 2.3: RSA encryption

      The default setting of the UTM for new certificates is RSA encryption with 3072 bits and SHA256 as the hash algorithm

    • Affected applications:
      • OpenVPN
        • Server certificate when acting as server (roadwarrior or S2S)
        • Client certificate for S2S
        • If applicable, a certificate set as client certificate via a user attribute (Authentication → Users → Edit user)
      • Mailrelay
        • Relaying "Certificate" (under TLS encryption as server)
      • Reverse proxy
        • Settings → SSL certificate
      • Web server
        • Network → Server settings → Web server → Certificate
      • HTTP proxy
        • SSL interception → CA certificate
    Global Profile

    Note: The global profile applies to all interfaces and the transparent proxy. Most settings are overridden by additionally created profiles.

    General

    Caption  Value  Description  (Edit global configuration profile, Area General)
    Proxy Port: 8080 Specifies on which port the proxy is to be addressed
    Outgoing Address:     The Outgoing Address is used for two scenarios:
    1. If the proxy is to be bound to an interface
    2. If a web server in the VPN network is to be reached via the proxy.
    In this example, the proxy is bound to the faster DSL line:
    • Initial situation:
      • LAN1: ppp0 with DSL 2000
      • LAN2: Internal network (Internal interface with the IP 192.168.175.1)
      • LAN3: ppp1 with DSL 16000
    • The IP of the Internal interface (here: LAN2) must be entered in the field for the outgoing address
    • Save settings
    • Under Network Network Settings  Area Routing a new route is created:
      • Source: IP of the internal interface
      • Router: ppp1
      • Target: 0.0.0.0/0
    • Saving the route
    Now the proxy is bound to the 2nd internet connection.
    Connection to a web server in the VPN network:
    • The IP of the internal interface must be entered in the field for the outgoing address.
    • Save the settings.
    Connections initiated by the firewall do not require extra rules
    Forward requests to system-wide parent proxy: No If another proxy is used upstream of the HTTP proxy, this function must be activated.
    The configuration takes place under Network Appliance-Settings, Area System-wide proxy

    Logging (Syslog local): Off Writes a general syslog for the HTTP proxy (open: Log, Area Log)
    Logging (Statistics): On Writes a statistical log (open: Log, Area HTTP proxy statistics)
    Only available if no anonymization for the HTTP proxy has been activated (settings at Authentication Privacy)
    Authentication method: The proxy offers various possibilities for authentication. The possibilities are:
    None The HTTP proxy processes all requests without authentication
    Basic With basic authentication, the users are queried against the stored users under Authentication User  Area User on the firewall
    NTLM / Kerberos Here the firewall must be made known to the server.
    This can be set up in the web interface under Authentication AD / LDAP Authentication
    Radius Here the firewall must be made known to the server.
    This can be set up in the web interface under Authentication Radius-Authentication
    Allow access only from local sources: Yes
    default
    Access to the HTTP proxy is now only possible from internal sources. These are:
    • local networks
    • routed networks ( Network Network configuration  Area Routing)
    • VPN networks
    Allow access to local destinations: Yes
    default
    All internal networks can also be reached via the HTTP proxy (the packetfilter has already been passed through to reach the HTTP proxy).
    Disabling it prevents this, and access to other internal networks must then be explicitly allowed via the packet filter without the HTTP proxy.
    Forward Microsoft connection-oriented authentication: No If it is enabled, login or authentication to websites is possible. For some websites this is not possible otherwise.
    With this option, NTLM, Negotiate and Kerberos authentications are forwarded
    Note: If SSL-Interception is active, this parameter must be enabled for HTTPS-based authentications, otherwise no authentication/login is possible on these websites.
    Authentication exceptions
    Enabled Off
    default
    Authentication exceptions are disabled by default.

    If enabled: URLs listed here are accessed without prior authentication.
    The default URLs are pages that are used for Securepoint Antivirus Pro.
    Further information can be found in the article HTTP proxy authentication exceptions

    Section authentication exceptions
    Exception (URL): \.ttt-point\.de If authentication exceptions are enabled, custom exceptions can be defined here

    Virusscan

    General

    The virus scanner in the HTTP proxy can check data traffic for viruses.

    New as of v14.1.0: With FastDiff, the virus patterns are updated in real time.
    The function can be deactivated or activated via the CLI.
    The function is activated by default.
    Deactivate FastDiff: extc value set { application ikarus variable ENABLE_FASTDIFF value 0 }
    Activate FastDiff: extc value set { application ikarus variable ENABLE_FASTDIFF value 1 }
    Query FastDiff status: extc value get { application ikarus variable ENABLE_FASTDIFF }
    application|variable       |value
    -----------+---------------+-----
    ikarus     |ENABLE_FASTDIFF|1

    New as of v14.1.0: In addition, the SigQA function submits new but unknown signatures to our AV laboratory.
    The function can be deactivated or activated via the CLI.
    The function is activated by default.
    Deactivate SigQA: extc value set { application ikarus variable ENABLE_SIGQA value 0 }
    Activate SigQA: extc value set { application ikarus variable ENABLE_SIGQA value 1 }
    Query SigQA status: extc value get { application ikarus variable ENABLE_SIGQA }
    application|variable    |value
    -----------+------------+-----
    ikarus     |ENABLE_SIGQA|1

    Virusscan: On The virus scanner is activated and the associated service is running
    (default setting)
    Area Virusscan
    Further states of the switch:
    • On, but service not running: The virus scanner service is deactivated. The HTTP proxy is not working correctly. The service can be started via the menu Applications Application status Virusscan
    • On, but service not running: The virus scanner service is deactivated. The HTTP proxy is not working correctly. Note: On devices with less than 3GB RAM, the service for the virus scanner cannot start. Please change to current hardware or allocate more RAM! Once this configuration is running in an environment with enough RAM, the service will be resumed.
    • Off: The virus scanner is deactivated.
    Maximum scan size limit: 2 Megabytes Sets the size of the files to be scanned by the virus scanner
    Trickle Time: 5 seconds Interval at which data is transferred from the proxy to the browser so that the browser does not stop loading during the virus check
    Allowlist ICY-Protokoll: Off A web radio protocol that can be excluded from testing
    Cache Updates (new as of v12.7.2): Off When activated (On), the virus database updates are distributed to the connected clients with Securepoint Antivirus Pro after the initial download.

    In this way, traffic is reduced and the updates are rolled out smoothly.

    Mime type blocklist application/x-shockwave-flash
    Example
    Mime types listed here are blocked in any case.
    The button opens a dialogue in which a mime type can be selected from a drop-down menu or an individual type can be entered.
  • This function is only active if the virus scanner is enabled!
  • The MIME type detection is performed on the first few bytes of the file. Normally this detection is accurate, and the blocklist is applied accordingly. Additionally, there is a rescan mechanism in place, which re-evaluates the MIME type specifically for Microsoft Compound Storage Format files. This rescan occurs once the full file is available or when the loaded portion of the file reaches the virus scanner size limit.
    Therefore, the detection may not always be 100% perfect but represents an optimal compromise between efficiency and accuracy.


    Allowlist
    Enabled On The allowlist for MIME types and websites is enabled by default
    Mime-Type Allowlist application/pkcs10
    Example
    Mime types listed here are not scanned.
    Standard defaults:
    • audio/*
    • image/*
    • video/*

    Exceptions

    ^[^:]*://download\.windowsupdate\.com/
    ^[^:]*://database\.clamav\.net/
    ^[^:]*://[^\.]*\.geo\.kaspersky\.com/
    ^[^:]*://officecdn\.microsoft\.com/
    ^[^:]*://[^\.]*\.ikarus\.at/
    ^[^:]*://[^\.]*\.mailsecurity\.at/
    ^[^:]*://officecdn\.microsoft\.com\.edgesuite\.net/

    Here it is possible to create your own filters based on Regular Expressions (Regex).
    notemptyViruses from these pages are not detected!
    Some update servers that cause problems when using a virus scanner are already preconfigured.
    Hint: Further exceptions are necessary so that iTunes can communicate correctly with the internet.

    Bandwidth

    Bandwidth limiting policy: None Default
    Area Bandwidth
    Limit total bandwidth In this case, the proxy only uses the specified maximum bandwidth and leaves the rest of the bandwidth untouched by your internet connection.
    (This bandwidth is shared by all hosts connected to the proxy.)
    Per host bandwidth Bandwidth for each host.
    The limited bandwidth for hosts cannot exceed the global bandwidth.
    Global bandwidth: 2,000,000 kbit/s Default value, if activated
    Per host bandwidth: 64,000 kbit/s Default value, if activated

    App Blocking

    The general app blocking with fixed ports has been removed.
    Individual apps, or the ports they use, can be blocked flexibly via the packet filter.

    SSL-Interception

    With the SSL interception feature, it is possible to recognise malicious code in SSL-encrypted data streams at the gateway. It interrupts the encrypted connections and makes the data packets visible to virus scanners and other filters. Data transmission to the client is then encrypted again. To do this, however, it is necessary to create a CA under Authentication Certificates and select this in the CA certificate field.

    Caption  Value  Description  (Edit global configuration profile, SSL Interception tab)
    Enabled Off The SSL-Interception is turned off
    Only webfilter based When enabled, only connections blocked by the web filter are intercepted.
    This avoids the problem that there are sites that do not tolerate an interruption of the encryption (e.g. banking software) without having to define an exception for it.
    Always Activates the SSL interception
    Validate SNI:
    Yes When activated, any SNI in the ClientHello of the TLS handshake is checked. The host name contained is resolved and the addresses in the result are compared with the target address of the intercepted request. If they do not match, the connection is closed.
    Without Server Name Indication validation, clients can manipulate SNI arbitrarily to bypass the web filter.
    This setting should only be considered as a last resort when it seems impossible to standardize the DNS settings between the HTTP proxy and the UTM clients.
    If the client and UTM use different DNS servers, this can lead to false positives.
    Allow non identified protocols: Yes If this switch is deactivated, unrecognized protocols are blocked.
    CA-Certificate: CA-SSL-Interception Here, a CA must be selected that can re-encrypt the connection after decryption (and scanning).
    The public key of the CA must be installed on all client computers that are to use SSL Interception. Download can be done here directly with Download public key.

    (The minimum requirements for certificates from UTM version 14.2 onwards, listed at the beginning of this article, apply to the CA certificate used here as well.)
    Download public key The public key should be installed on the clients that are going to use SSL interception to avoid certificate errors.
    Peer verification:
    not for Only webfilter based
    On This should definitely be enabled!
    With this, the HTTP proxy checks whether the certificate of the called page is trustworthy. Since the browser only sees the local certificate, a check by the browser is no longer possible.

    Exceptions for SSL-Interception

    Exceptions for SSL-Interception

    not for Only webfilter based
    Enabled Off It is possible to define exceptions in the format of Regular Expressions. However, since only https can arrive here, it is not filtered for protocols, unlike the virus scanner.
    New exceptions can be added directly in the input field.
    So an exception for www.securepoint.de would be: .*\.securepoint\.de
    Note: Regex exceptions do not apply to transparent mode!
    Compare exceptions with the SNI:
    Only available if Validate SNI is active.
    Off Applies Server Name Indication validation only to activated Exceptions of SSL-Interception.
    Exceptions: .*\.ttt-point\.de
    Predefined in the Global Configuration Profile:
    • .*\.ikarus\.at
    • .*\.mailsecurity\.at
    • .*91\.212\.136\..*
    Define exceptions here, e.g. for ttt-point.de

    Peer verification exceptions

    Peer verification exceptions

    only if peer verification is active
    Enabled Off Here exceptions for certificate verification in regex format can be added.


    Transparent Mode

    Transparent Mode On Due to the transparent mode, the proxy is not visible to the clients; the client sees its internet connection (HTTP) as if no proxy were connected in front of it. Nevertheless, the entire HTTP stream goes through the proxy, which means that no settings have to be made on the client. The same possibilities to analyze / block / filter / manipulate the data stream exist as if a fixed proxy were used.
    Each network object or group of network objects that are to use the transparent proxy must be stored here.
    Area Transparent Mode
    Add Transparent Rule
    Protocol: HTTP
    or
    HTTPS
    Protocol that is used
    Type: INCLUDE The transparent mode is applied
    EXCLUDE Transparent mode is not applied
    Source: internal-network Source network object created under Firewall Packetfilter  Area Network objects
    Destination: internet Destination network object

    Add Configuration Profile

    New as of v14.1.1: New configuration profiles adopt the settings of the global profile as default values.

    General

    Caption  Value  Description  (Add Configuration Profile, Area General of an additional configuration profile)
    Name: Configuration Profile 2 Specify the name for the configuration profile
    Interface LAN1 Assign this configuration profile to an interface, e.g., LAN1
    Outgoing Address:     Used to bind the proxy to an interface or to reach a web server in the VPN network; the procedure is identical to the Outgoing Address of the global configuration profile described above.
    Connections initiated by the firewall do not require extra rules
    Forward requests to system-wide parent proxy: No
    Is set in the global configuration profile
    Logging (Syslog local), Logging (Statistics), Authentication method, Allow access only from local sources, Allow access to local destinations, Forward Microsoft connection-oriented authentication and Authentication exceptions: values and descriptions are identical to those of the global configuration profile described above.

    Virusscan

    General

    The virus scanner, FastDiff and SigQA settings are described in the Virusscan section of the global configuration profile above.

    Virusscan: Off The virus scanner is deactivated, but the associated service is running (default setting)
    On The virus scanner is activated and the associated service is running
    On (service stopped) The virus scanner is activated, but its service is not running. The HTTP proxy is not working correctly.
    The service can be started via the menu Applications > Application status > Virusscan
    On (insufficient memory) The virus scanner is activated, but its service cannot run. The HTTP proxy is not working correctly.
    notempty On devices with less than 3 GB RAM, the service for the virus scanner cannot start.
    Please change to current hardware or allocate more RAM!
  • Once this configuration is run in an environment with enough RAM, the service will resume.
  • Off (service stopped) The virus scanner is deactivated and its service is not running.
    Maximum scan size limit: 2 Megabytes
    Is set in the global configuration profile
    Trickle Time: 5 seconds
    Is set in the global configuration profile
    Allowlist ICY protocol: Off A web radio protocol that can be excluded from scanning
    Allowlist
    Enabled: On The allowlist for MIME types and websites is enabled by default
    MIME type allowlist: application/pkcs10 (example)
    Is set in the global configuration profile

    Exceptions

    »^[^:]*://download\.windowsupdate\.com/
    »^[^:]*://database\.clamav\.net/
    »^[^:]*://[^\.]*\.geo\.kaspersky\.com/
    »^[^:]*://officecdn\.microsoft\.com/
    »^[^:]*://[^\.]*\.ikarus\.at/
    »^[^:]*://[^\.]*\.mailsecurity\.at/
    »^[^:]*://officecdn\.microsoft\.com\.edgesuite\.net/

    Here it is possible to create your own filters based on regular expressions (regex).
    notemptyViruses from these pages are not detected!
    Some update servers that cause problems when a virus scanner is used are already preconfigured.
    Hint: Further exceptions are necessary so that iTunes can communicate correctly with the internet.
    Cache Updates: Off notemptyNew as of v12.7.2
    Is set in the global configuration profile

    Bandwidth

    Bandwidth limiting policy: None (default)
    Area Bandwidth
    Limit total bandwidth The proxy uses at most the specified bandwidth and leaves the rest of the internet connection's bandwidth untouched.
    (This bandwidth is shared by all hosts connected to the proxy.)
    Per host bandwidth Bandwidth limit for each individual host.
    The per-host limit cannot exceed the global bandwidth.
    Global bandwidth: 2,000,000 kbit/s Default value, if activated
    Per host bandwidth: 64,000 kbit/s Default value, if activated

    App Blocking

    The general app blocking with fixed ports has been removed.
    Individual apps, or the ports they use, can be blocked flexibly via the packet filter.

    SSL-Interception

    With the SSL interception feature, malicious code in TLS-encrypted (HTTPS) data streams can be recognised at the gateway. The proxy terminates the encrypted connection so that the data becomes visible to the virus scanner and other filters, and re-encrypts it towards the client. This requires a CA created under Authentication > Certificates, which is then selected in the CA certificate field.

    Applications > HTTP-Proxy > SSL Interception tab (Add configuration profile)
    Enabled: Off The SSL interception is turned off
    Only webfilter based When enabled, only connections blocked by the web filter are intercepted.
    This avoids the problem that some sites (e.g. banking software) do not tolerate an interruption of the encryption, without having to define an exception for each of them.
    Always Activates the SSL interception for all connections
    Validate SNI: Yes
    Is set in the global configuration profile
    When activated, the SNI in the ClientHello of the TLS handshake is checked: the host name it contains is resolved and the resulting addresses are compared with the destination address of the intercepted request. If they do not match, the connection is closed.
    Without SNI validation, clients can set an arbitrary SNI to bypass the web filter.
    Disabling this check should only be considered as a last resort when it seems impossible to standardize the DNS settings between the HTTP proxy clients and the UTM.
    If the client and the UTM use different DNS servers, the check can produce false positives.
    Allow non identified protocols: Yes If this switch is deactivated, unrecognized protocols are blocked.
    CA-Certificate: CA-SSL-Interception A CA must be selected here with which the proxy issues the certificates presented to the client, so that the connection can be re-encrypted after decryption (and scanning).
    The CA certificate (public part) must be installed on all client computers that are to use SSL interception. It can be downloaded here directly with Download public key.
  • Please note the minimum requirements for certificates from UTM version 14.2 onwards!
    notempty
    • Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.
    • Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2.
    • HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!
    • Insecure certificates should be replaced urgently!
      The BSI recommends (as of January 2025) key lengths of 3000 bits or more and SHA256.
      BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths BSI TR-02102-1 | Chapter 2.3: RSA encryption

      The default setting of the UTM for new certificates is RSA with 3072 bits and SHA256 as the hash algorithm.

    • Affected applications:
      • OpenVPN
        • Server certificate when acting as server (roadwarrior or S2S)
        • Client certificate for S2S
        • If applicable, a certificate assigned as client certificate via user attribute (Authentication → Users → Edit user)
      • Mail relay
        • Relaying "Certificate" (under TLS encryption as server)
      • Reverse proxy
        • Settings → SSL certificate
      • Webserver
        • Network → Server settings → Webserver → Certificate
      • HTTP proxy
        • SSL interception → CA certificate
  • Download public key The CA certificate (public part) should be installed on the clients that are going to use SSL interception, to avoid certificate errors.
    Peer verification: On
    not for Only webfilter based
    Is set in the global configuration profile
    This should definitely be enabled!
    With this, the HTTP proxy checks whether the certificate of the requested site is trustworthy. Since the browser only sees the certificate issued by the local CA, the browser itself can no longer perform this check; with peer verification off, the proxy would accept any server certificate, including a forged one.

    Exceptions for SSL-Interception

    not for Only webfilter based
    Enabled: Off Exceptions can be defined here as regular expressions. Since only HTTPS arrives here, there is no filtering by protocol, unlike the virus scanner exceptions.
    New exceptions can be added directly in the input field.
    An exception for www.securepoint.de would be: .*\.securepoint\.de
  • Regex exceptions do not apply to transparent mode!
  • Compare exceptions with the SNI: Off
    Only available if Validate SNI is active.
    When enabled, SNI validation is applied only to the activated exceptions of SSL interception.
    Exceptions: .*\.ttt-point\.de Custom exceptions are defined here (example entry for ttt-point.de)
    Predefined in the global configuration profile:
    .*\.ikarus\.at
    .*\.mailsecurity\.at
    .*91\.212\.136\..*
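How the virus-scanner exceptions (the URL regexes listed under Virusscan > Exceptions above) and the SSL-interception exceptions (the host-name regexes in this section) behave against real and lookalike names, as an added Python example that is not part of the UTM or of this article. It assumes ordinary regex semantics; whether the UTM matches a host-name exception against the whole name or searches it as a substring is not stated on the page, so both variants are shown. The sample URLs and the hosts under .example are constructed.

```python
import re

# Virus-scanner exceptions as preconfigured in the global profile (Virusscan >
# Exceptions above). They are matched against the complete URL, protocol included.
VIRUSSCAN_EXCEPTIONS = [
    r"^[^:]*://download\.windowsupdate\.com/",
    r"^[^:]*://database\.clamav\.net/",
    r"^[^:]*://[^\.]*\.geo\.kaspersky\.com/",
    r"^[^:]*://officecdn\.microsoft\.com/",
    r"^[^:]*://[^\.]*\.ikarus\.at/",
    r"^[^:]*://[^\.]*\.mailsecurity\.at/",
    r"^[^:]*://officecdn\.microsoft\.com\.edgesuite\.net/",
]

# SSL-interception exceptions: the global-profile entries plus the page's example
# entry for securepoint.de. They are matched against the host name of the request.
SSL_EXCEPTIONS = [
    r".*\.ikarus\.at",
    r".*\.mailsecurity\.at",
    r".*91\.212\.136\..*",
    r".*\.securepoint\.de",
]


def first_match(patterns, text, whole):
    """Return the first pattern in `patterns` that matches `text`, or None.

    whole=True  -> the pattern must cover the entire text (re.fullmatch)
    whole=False -> a substring match is enough (re.search)
    Which of the two the UTM uses for host-name exceptions is an assumption of
    this example; the difference is exactly what makes lookalike hosts dangerous.
    """
    for pat in patterns:
        hit = re.fullmatch(pat, text) if whole else re.search(pat, text)
        if hit:
            return pat
    return None


def virusscan_skipped(url):
    """Pattern that exempts `url` from virus scanning, or None if it will be scanned."""
    # The preconfigured URL patterns carry their own ^ anchor, so a search is safe.
    return first_match(VIRUSSCAN_EXCEPTIONS, url, whole=False)


def ssl_interception_skipped(host, whole=True):
    """Pattern that exempts `host` from SSL interception, or None if it is intercepted."""
    return first_match(SSL_EXCEPTIONS, host, whole=whole)


def anchored(pattern):
    """End-anchor a host-name exception so that an appended 'evil.example' cannot match."""
    return pattern if pattern.endswith("$") else pattern + "$"


def hardened_skip(host):
    """Substring matching, but with every exception end-anchored."""
    return first_match([anchored(p) for p in SSL_EXCEPTIONS], host, whole=False)


if __name__ == "__main__":
    for url in ("http://download.windowsupdate.com/msdownload/update.cab",
                "http://download.windowsupdate.com.evil.example/update.cab",
                "https://updates.ikarus.at/sig.bin",
                "https://a.b.ikarus.at/sig.bin"):
        print(f"{url:60} scanned={virusscan_skipped(url) is None}")
    for host in ("www.securepoint.de", "securepoint.de", "www.securepoint.de.evil.example"):
        print(f"{host:35} whole={ssl_interception_skipped(host)!r:26} "
              f"substring={ssl_interception_skipped(host, whole=False)!r} "
              f"hardened={hardened_skip(host)!r}")
```

Two things the run makes visible: the preconfigured URL patterns only exempt a single label in front of ikarus.at or mailsecurity.at and require the "/" directly after the host, so a.b.ikarus.at and download.windowsupdate.com.evil.example are still scanned; and the page's example .*\.securepoint\.de does not cover the bare apex securepoint.de, while without an end anchor it would, under substring matching, also cover www.securepoint.de.evil.example. Ending host-name exceptions with $ is cheap and removes that ambiguity whatever the matcher does.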

    Peer verification exceptions

    only if peer verification is active
    Enabled: Off Exceptions for certificate verification can be added here in regex format.


    Captive Portal

    Since v12.1 the Captive Portal is configured in its own menu under Applications > Captive Portal. There is a separate wiki article for this.

    Transparent mode for the HTTP proxy of the UTM

    Last adaptation to the version: 12.6.0

    New:
    • Updated to the redesign of the web interface

    notemptyThis article refers to a Beta version

    Access: Applications > HTTP Proxy > Area Transparent mode


    Functionality of the transparent proxy

    The transparent proxy ensures that web page requests are routed through the HTTP proxy even without proxy settings in the browser, so that the virus scanner and web filter can be applied to these connections.

    In order to check TLS-encrypted connections for viruses and malware, the proxy must act as the client towards the web server on the Internet, so that the data can already be decrypted on the firewall.
    The data is then re-encrypted and passed on to the actual client in the internal network.
    The SSL interception feature is used for this.

  • The regex exceptions do not apply to transparent mode!


  • Configuration

    Certificate

  • A CA is required for SSL-encrypted transmission to the client.
  • SSL-Interception

    Configuration under Applications HTTP Proxy  Area SSL Interception
    Applications > HTTP-Proxy > SSL Interception tab (Configuration profile / Edit global configuration)
    Enabled: Off The SSL interception is turned off
    Only webfilter based When enabled, only connections blocked by the web filter are intercepted.
    This avoids the problem that some sites (e.g. banking software) do not tolerate an interruption of the encryption, without having to define an exception for each of them.
    Always Activates the SSL interception for all connections
    Validate SNI: Yes
    Only in the global configuration profile
    Is inherited by additional configuration profiles
    When activated, the SNI in the ClientHello of the TLS handshake is checked: the host name it contains is resolved and the resulting addresses are compared with the destination address of the intercepted request. If they do not match, the connection is closed.
    Without SNI validation, clients can set an arbitrary SNI to bypass the web filter.
    Disabling this check should only be considered as a last resort when it seems impossible to standardize the DNS settings between the HTTP proxy clients and the UTM.
    If the client and the UTM use different DNS servers, the check can produce false positives.
    Allow non identified protocols: Yes If this switch is deactivated, unrecognized protocols are blocked.
    CA-Certificate: CA-SSL-Interception A CA must be selected here with which the proxy issues the certificates presented to the client, so that the connection can be re-encrypted after decryption (and scanning).
    The CA certificate (public part) must be installed on all client computers that are to use SSL interception. It can be downloaded here directly with Download public key.
  • Please note the minimum requirements for certificates from UTM version 14.2 onwards!
    notempty
    • Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.
    • Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2.
    • HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!
    • Insecure certificates should be replaced urgently!
      The BSI recommends (as of January 2025) key lengths of 3000 bits or more and SHA256.
      BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths BSI TR-02102-1 | Chapter 2.3: RSA encryption

      The default setting of the UTM for new certificates is RSA with 3072 bits and SHA256 as the hash algorithm.

    • Affected applications:
      • OpenVPN
        • Server certificate when acting as server (roadwarrior or S2S)
        • Client certificate for S2S
        • If applicable, a certificate assigned as client certificate via user attribute (Authentication → Users → Edit user)
      • Mail relay
        • Relaying "Certificate" (under TLS encryption as server)
      • Reverse proxy
        • Settings → SSL certificate
      • Webserver
        • Network → Server settings → Webserver → Certificate
      • HTTP proxy
        • SSL interception → CA certificate
  • Download public key The CA certificate (public part) should be installed on the clients that are going to use SSL interception, to avoid certificate errors.
    Peer verification: On
    not for Only webfilter based
    Only in the global configuration profile
    Is inherited by additional configuration profiles
    This should definitely be enabled!
    With this, the HTTP proxy checks whether the certificate of the requested site is trustworthy. Since the browser only sees the certificate issued by the local CA, the browser itself can no longer perform this check; with peer verification off, the proxy would accept any server certificate, including a forged one.

    Exceptions for SSL-Interception

    not for Only webfilter based
    Enabled: Off Exceptions can be defined here as regular expressions. Since only HTTPS arrives here, there is no filtering by protocol, unlike the virus scanner exceptions.
    New exceptions can be added directly in the input field.
    An exception for www.securepoint.de would be: .*\.securepoint\.de
  • Regex exceptions do not apply to transparent mode!
  • Compare exceptions with the SNI: Off
    Only available if Validate SNI is active.
    When enabled, SNI validation is applied only to the activated exceptions of SSL interception.
    Exceptions: .*\.ttt-point\.de Custom exceptions are defined here (example entry for ttt-point.de)
    Predefined in the global configuration profile:
    .*\.ikarus\.at
    .*\.mailsecurity\.at
    .*91\.212\.136\..*

    Peer verification exceptions

    only if peer verification is active
    Enabled: Off Exceptions for certificate verification can be added here in regex format.

    Add certificate to the browser

    To do this, the public part of the CA is downloaded via the Download public key button.
    Either each client logs in to the UTM and downloads the CA itself, or it is downloaded once, stored on a USB stick or network storage and added to the browser from there.

    1. The certificate management is found in the browser's settings.
    2. In the certificate manager, the CA is imported under Certificate Authorities.
    3. The downloaded CA file is selected from the appropriate directory.
    4. When asked whether the CA should be trusted as a certification authority, "Trust this certificate to identify websites" is checked.
    5. Finally, click OK.


    Transparent mode

    Activate under Applications > HTTP Proxy > Area Transparent mode with Transparent mode: On



    Create HTTPS rule

    In the default setting, transparent mode is already enabled for the HTTP protocol on port 80.
    To set this up for HTTPS on port 443 as well, another rule is added by clicking the Add Transparent Rule button.

    Add transparent rule for HTTPS (Applications > HTTP-Proxy > Add transparent rule)
    Protocol: HTTPS Protocol that is to be scanned
    Type: Include / Exclude Determines whether transparent mode should be applied to the following network groups or not.
    If a specific network object or network group is to be excluded from transparent mode as a source or destination, an Exclude rule can define an exception before the general Include rule.
    Source: internal-network Source network object, created under Firewall > Network Objects
    The source must be the network from which the requests come, e.g. internal-network.
    Destination: internet Destination network object in which the web servers to be addressed are located, in this example internet.
    Clicking Save and close will save the new rule and close the dialog.
    Another click on Save in the HTTP proxy window will apply the rules.


    Packet filter rules

    Packet filter rule for access to DNS resolution

    #   Source            Destination         Service   NAT   Action   Active
    2   internal-network  internal-interface  proxy     -     Accept   On


    Examples of exceptions for Windows update server

    For more examples on how to set up SSL interception, authentication exceptions, virus scanners, and web filters regarding Windows updates, see the knowledge base article Windows Updates with HTTP Proxy and Web Filter



    Troubleshooting
    Situation

    • UTM with active transparent HTTP proxy for HTTP and HTTPS.
    • SSL interception running in "Web Filter Based" mode.


    Error message in the browser

    ERROR_SSL_PROTOCOL_ERROR or
    ssl_error_rx_record_too_long


    Log message in the UTM

    Log message of Squid (menu Log ) in the UTM:

    2021-09-15T16:50:20.003+02:00|squid|8933|1631717419.981 1 192.0.2.192 NONE/200 0 CONNECT 104.96.47.5:443 - HIER_NONE/- -
    2021-09-15T16:50:20.007+02:00|squid|8933|1631717420.007 27 192.0.2.192 NONE_ABORTED/409 12387 CONNECT loadbalancing.ttt-point.de:443 - HIER_NONE/- text/html
    2021-09-15T16:50:20.007+02:00|squid|8933|1631717420.007 27 192.0.2.192 NONE_ABORTED/409 12387 CONNECT loadbalancing.ttt-point.de:443 - HIER_NONE/- text/html
    2021-09-15T16:50:22.652+02:00|squid|8933|SECURITY ALERT: Host header forgery detected on local=192.0.2.22:443 remote=192.168.175.10:28144 FD 9 flags=33 (local IP does not match any domain IP)
    2021-09-15T16:50:22.654+02:00|squid|8933|SECURITY ALERT: on URL: loadbalancing.ttt-point.de:443
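To find these SNI mismatches in a larger log export instead of reading them line by line, the Squid messages can be parsed. The following Python is an added example, not a tool shipped with the UTM; it embeds the five log lines from the excerpt above as its sample input and assumes the line layout shown there (timestamp|squid|pid|message, with Squid's native access-log fields inside the message).

```python
import re
from collections import Counter

# The five lines from the log excerpt above, used as sample input.
SAMPLE_LOG = """\
2021-09-15T16:50:20.003+02:00|squid|8933|1631717419.981 1 192.0.2.192 NONE/200 0 CONNECT 104.96.47.5:443 - HIER_NONE/- -
2021-09-15T16:50:20.007+02:00|squid|8933|1631717420.007 27 192.0.2.192 NONE_ABORTED/409 12387 CONNECT loadbalancing.ttt-point.de:443 - HIER_NONE/- text/html
2021-09-15T16:50:20.007+02:00|squid|8933|1631717420.007 27 192.0.2.192 NONE_ABORTED/409 12387 CONNECT loadbalancing.ttt-point.de:443 - HIER_NONE/- text/html
2021-09-15T16:50:22.652+02:00|squid|8933|SECURITY ALERT: Host header forgery detected on local=192.0.2.22:443 remote=192.168.175.10:28144 FD 9 flags=33 (local IP does not match any domain IP)
2021-09-15T16:50:22.654+02:00|squid|8933|SECURITY ALERT: on URL: loadbalancing.ttt-point.de:443
"""

# Squid native access-log line: <epoch> <ms> <client> <code>/<status> <bytes> <method> <url> ...
ACCESS_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>\S+) remote=(?P<remote>\S+).*\((?P<reason>[^)]*)\)"
)
ALERT_URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")


def parse_sni_mismatches(log_text):
    """Return (mismatches, aborted).

    mismatches: one dict per 'Host header forgery' alert, joined with the 'on URL'
                line that Squid logs immediately afterwards.
    aborted:    Counter of (client, url) for CONNECT requests Squid aborted with 409,
                the status an intercepted client gets for a failed host check.
    """
    mismatches, aborted, pending = [], Counter(), None
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # not a UTM log line in the expected layout
        timestamp, _facility, _pid, msg = parts
        if (m := ACCESS_RE.match(msg)):
            if m["code"] == "NONE_ABORTED" and m["status"] == "409":
                aborted[(m["client"], m["url"])] += 1
        elif (m := ALERT_RE.search(msg)):
            # 'local' is the original destination the client connected to,
            # 'remote' is the client socket.
            pending = {"time": timestamp, "destination": m["local"],
                       "client": m["remote"], "reason": m["reason"]}
        elif (m := ALERT_URL_RE.search(msg)) and pending is not None:
            pending["sni_host"] = m["url"]
            mismatches.append(pending)
            pending = None
    return mismatches, aborted


def hosts_to_review(mismatches):
    """Distinct SNI host names (without port) that failed validation: each is either
    a DNS discrepancy to fix or a candidate for the SSL-interception exceptions."""
    return sorted({m["sni_host"].rsplit(":", 1)[0] for m in mismatches})


if __name__ == "__main__":
    found, aborted = parse_sni_mismatches(SAMPLE_LOG)
    for event in found:
        print(f"{event['time']} client={event['client']} dest={event['destination']} "
              f"sni={event['sni_host']} ({event['reason']})")
    print("aborted CONNECTs:", dict(aborted))
    print("hosts to review:", hosts_to_review(found))
```

Run against the excerpt it reports one mismatch (client 192.168.175.10 sent the SNI loadbalancing.ttt-point.de to 192.0.2.22) and two aborted CONNECTs for that host. A host that shows up repeatedly from many clients is usually the DNS divergence described below; a single client with many different destinations behind one SNI is worth a closer look, because that is what an SNI-forgery bypass attempt looks like.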



    Meaning

    • The client opens a TCP connection to an HTTPS server
    • The connection is intercepted by the UTM (transparent proxy)
    • The HTTP proxy (Squid) examines the connection and analyzes the TLS handshake
    • The information obtained, in particular the SNI host name, is resolved and the result is compared with the original destination IP address
    • In this case the original IP and the IP resolved for the SNI host name do not match, so the HTTP proxy closes the connection, which results in the error message above


    Cause

    This behavior can be observed for host names with intensive load balancing.
    If the provider gives different responses to DNS queries within a short period of time, the results of DNS resolution may differ between the client and the UTM.

    This behavior can be caused by:

    • Different DNS servers on client and UTM.
    • Host names with very short TTLs that, due to intensive load balancing, resolve differently on the UTM and on the client.
    • Use of DNS servers at different geographical locations.
      In this case, a different IP address can be returned via the remote location for the called host names than at the local location of the UTM. (Geographic DNS Routing)
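The check described under Meaning and Cause, reduced to its decision logic, as an added Python example (not Squid's or the UTM's code). A dictionary stands in for the UTM's DNS view so the example runs offline; the host names allowed.example and blocked.example, the web-filter block list and the addresses in 198.51.100.0/24 and 203.0.113.0/24 are constructed, only loadbalancing.ttt-point.de and 192.0.2.22 are taken from the log excerpt above. It shows the three cases that matter: a forged SNI that the validation stops, a legitimate request, and the false positive caused by divergent DNS answers.

```python
# Constructed UTM-side DNS view: host name -> addresses the UTM's resolver returns.
UTM_DNS = {
    "allowed.example": {"198.51.100.10"},
    "blocked.example": {"203.0.113.5"},
    # Load-balanced name with a very short TTL: the UTM currently gets this answer ...
    "loadbalancing.ttt-point.de": {"198.51.100.77"},
}
# ... while the client (other DNS server / other region) got 192.0.2.22, as in the log.

# Constructed web-filter decision: host names the web filter blocks.
WEBFILTER_BLOCKED = {"blocked.example"}


def handle_connect(sni, original_ip, validate_sni=True, dns=UTM_DNS):
    """Decide what the transparent proxy does with an intercepted TLS ClientHello.

    Returns one of:
      ("closed",  "sni-mismatch") - Validate SNI is on and original_ip is not an
                                    address the SNI host resolves to on the UTM
                                    (Squid logs this as 'Host header forgery detected')
      ("blocked", "webfilter")    - the web filter rejects the host
      ("allowed", "")             - the connection is passed on
    """
    if validate_sni:
        if original_ip not in dns.get(sni, set()):
            return ("closed", "sni-mismatch")
    if sni in WEBFILTER_BLOCKED:
        return ("blocked", "webfilter")
    return ("allowed", "")


def scenarios(validate_sni):
    """Run the three cases from the text and return {name: decision}."""
    return {
        # Attacker connects to blocked.example's address but sends the SNI of an allowed host.
        "forged_sni": handle_connect("allowed.example", "203.0.113.5", validate_sni),
        # Normal request: client and UTM resolved the name identically.
        "legitimate": handle_connect("allowed.example", "198.51.100.10", validate_sni),
        # Client's resolver answered 192.0.2.22, the UTM's answered 198.51.100.77.
        "dns_divergence": handle_connect("loadbalancing.ttt-point.de", "192.0.2.22", validate_sni),
    }


def with_shared_dns():
    """The workaround from the text: client and UTM use the same resolver, so the
    client connects to an address the UTM also knows for that name."""
    return handle_connect("loadbalancing.ttt-point.de", "198.51.100.77", validate_sni=True)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"Validate SNI = {flag}")
        for name, decision in scenarios(flag).items():
            print(f"  {name:15} -> {decision}")
    print("shared DNS      ->", with_shared_dns())
```

With validation on, the forged SNI and the divergent DNS answer are closed by the same test, which is why the error in the browser looks identical in both cases. With validation off, the false positive disappears, but the web filter now trusts whatever host name the client puts into the ClientHello and the forged request goes through. The example also makes clear why the best practice below works: a client that uses the UTM as an explicit proxy sends the host name in a CONNECT request, so there is no SNI-versus-IP comparison to fail.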


    Solution

    • Best practice:
      On the client, the UTM is entered as the global proxy server and, if necessary, as the proxy server in each application; the proxy then receives the host name directly instead of having to infer it from the SNI.
    • Workaround:
      The same DNS servers are configured on the client and on the UTM.
  • This procedure minimizes the error rate but cannot reliably prevent the problem, especially with servers that use load balancing with very short TTLs.
    In addition, it must be ensured that no DNS servers are used that are themselves reached via geographic DNS routing.
    The Google servers, for example, return different answers depending on the region from which they are queried, despite the identical IP address!
    • Simple but insecure:
      Under Applications > HTTP Proxy > Area SSL-Interception, disable the option Validate SNI: No.
      Without SNI validation, clients can manipulate the SNI arbitrarily to pass the web filter. This setting should only be considered as a last resort when it seems impossible to standardize the DNS settings between the HTTP proxy clients and the UTM.



    Captive Portal
    Configuration of the Captive Portal
    Last adaptation to the version: 12.2.0
    Updated in v12.2, documentation with v12.6.0
    New:
    • No changes to the Server Settings are required any more
    • ACME wildcard certificates can be used for the landing page
    Last updated:
      05.2024: Updated to the redesign of the web interface

    notemptyThis article refers to a Beta version


    Preliminary remark

    The captive portal redirects an HTTP client in a network to a special web page (the so-called landing page) before it can connect normally to the Internet. There, the terms of use must be accepted, and additional authentication can be configured.


  • As of version 12, the UTM can manage ACME certificates (Let's Encrypt).
    It is recommended to use either an ACME certificate or a purchased certificate from an official CA (or an already existing wildcard certificate) for the captive portal, to avoid browser certificate warnings later on.

  • Planning

    The following aspects should be considered before configuration:

    • For which networks should the captive portal be configured?
      Will all potential users be reached exclusively?
    • How and by whom will the terms of use be written?
    • Should authentication take place?
    • Which internal web servers are not allowed to be reached from the network behind the captive portal?




    Just a few preparations must be made to use the captive portal:

    1. A certificate must be available for the landing page
    2. Implicit and port filter rules must allow access

    Changing the firewall name is no longer necessary since v12.
    The host name of the portal page is configured under Applications Captive Portal  Area General.


    Provide certificate

    Create an ACME certificate

    To use ACME certificates (Let's Encrypt) the following steps are required:

    • Activate ACME service
    • Generate ACME Challenge Token on spDyn
    • Create certificate
    • Add SAN with spDyn hostname and token
    • Create certificate
  • Wildcard certificates are required for use with the Captive Portal!



  • Authentication Certificates  Area ACME

    Certificates (Authentication > Certificates > Area ACME)
    Activated: Yes Enables the use of ACME certificates.
    For more information see below, Activate ACME service.
    Use system-wide nameservers for ACME challenges: Yes If the servers needed for the ACME challenges cannot be resolved via the system-wide nameserver (e.g. because of configured relay or forward zones), alternative nameservers can be entered after setting this to No.
    Nameserver for ACME challenges: Used for the ACME challenges when the system-wide nameservers are disabled
    »85.209.185.50
    »85.209.185.51
    »2a09:9c40:1:53::1
    »2a09:9c40:1:53::2
    The nameservers for the ACME challenges are entered here.


    Activate ACME service

    To be able to use ACME certificates, this must be activated under Authentication > Certificates > Area ACME with Enabled: Yes.

    • As soon as the service has been activated and saved, the link to the terms of use is loaded and the settings can be called up.
    • With the button Activate: Yes and an email address for notifications by the ACME service provider (here: Let's Encrypt), the information can be saved.
    • A dialog will appear with a link to the terms of use, which must be accepted with Yes.

    Generate token

    To generate the certificates, the ACME token must first be generated in the spDYN portal.
    Within the spDYN portal, the corresponding host must be opened.

    • Call up the spDyn host
    • Select ACME Challenge Token from the Token drop-down menu.
    • Generate the token
      notempty The token is displayed only once during generation and cannot be displayed again.
      The token should be noted and stored safely.

    Renewal of ACME certificates

    The ACME/Let's Encrypt certificates are renewed via the nameservers configured under Authentication > Certificates > Area ACME (see above).


    ACME Certificates

    After completing the previous steps, the actual certificate can now be generated. A click on Add ACME certificate in the Certificates tab opens the corresponding dialog.

    Add ACME certificate (Authentication > Certificates > Area Certificates > button Add ACME certificate)
    Name: acme_ttt-Point Name to identify the certificate
    Key: EC-prime256v1 Key of the certificate. Possible values:
    • RSA-1024-bit
    • RSA-2048-bit
    • RSA-3072-bit (default)
    • RSA-4096-bit
    • EC-prime256v1 notemptyNew as of v14.1.0
    • EC-secp384r1 notemptyNew as of v14.1.0
    ACME Account: Let's Encrypt ACME account which should be used
    Subject Alternative Name configure with Add SAN

    Add Subject Alternative Name

    Subject Alternative Name: »ttt-point.spdns.org The Subject Alternative Name (SAN) is stored in the certificate and corresponds to the host name that will be called.
    »*.ttt-point.spdns.org
  • Wildcard SANs can also be used.
  • Wildcard certificates are strongly recommended for use with a captive portal.
    If a forward zone is required for the captive portal in the nameserver and an A record is then entered for it, this name is no longer resolved in the public DNS.
    Verification and renewal of an ACME certificate with this name will then fail.
  • Alias: ttt-point.spdns.org If the SAN is a spDYN host name, it is automatically adopted as alias.
    (Also for wildcard domains, without the *)
    Token: ••••••••••••• The token from the spDYN portal (see above) proves to the ACME service that you control the host name.
    The icon next to the field displays the token.
    When pasting the token from the clipboard, there may be blanks before or after the actual token. These must be removed.
    [-] Extras
    Alternative chain: notemptyNew as of v14.1.0 Can increase stability in rare cases
    This option can be used if there are problems with the provider's default certificate chain.
    In the past, for example, the presence of an expired root certificate in the chain used for cross-signing led to problems with some clients.

    Usually this setting does not need to be changed.

    • A positive natural number selects the entry at the corresponding position in the server's list of alternative chains
    • At least two colon-separated blocks of two hexadecimal digits each select the first alternative chain that contains a certificate whose SHA256 fingerprint starts with this prefix
    • If no alternative chain matching these criteria is found, the default is used
    • If no value is entered, this function is deactivated
    • Examples of valid entries:
      • 1
      • 2
      • 999
      • AF:FE
      • C0:FF:EE
  • Use recommended for experienced users only
  • Save and close
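The selection rules listed under Alternative chain, implemented as an added Python example (not the UTM's code) so that the effect of an entry can be checked before it is saved. The chains and their SHA256 fingerprints are constructed and belong to no real CA; the page does not say whether a position counts from 1 or 0, nor what happens with a malformed entry, so this example assumes 1-based positions (matching the examples 1, 2, 999) and rejects anything that is neither a position nor a fingerprint prefix with ValueError.

```python
import re

# At least two colon-separated pairs of hex digits, e.g. "AF:FE" or "C0:FF:EE".
FINGERPRINT_PREFIX_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+$")


def select_chain(entry, default_chain, alternative_chains):
    """Pick the chain an 'Alternative chain' entry refers to.

    entry               text from the Alternative chain field
    default_chain       the provider's default chain (list of certificate dicts)
    alternative_chains  the chains the ACME server offers as alternatives, in server order
    Each certificate is a dict with at least a 'sha256' fingerprint ("AA:BB:...").
    """
    entry = (entry or "").strip()
    if not entry:
        return default_chain                      # no value: function deactivated
    if entry.isdigit():
        position = int(entry)
        if position < 1:
            raise ValueError("position must be a positive natural number")
        if position <= len(alternative_chains):   # assumption: 1-based positions
            return alternative_chains[position - 1]
        return default_chain                      # e.g. 999 with fewer chains offered
    if FINGERPRINT_PREFIX_RE.match(entry):
        prefix = entry.upper()
        for chain in alternative_chains:
            if any(cert["sha256"].upper().startswith(prefix) for cert in chain):
                return chain
        return default_chain                      # no certificate with that prefix
    raise ValueError(f"not a position or a fingerprint prefix: {entry!r}")


def is_valid_entry(entry):
    """True if select_chain accepts the entry (regardless of which chain it yields)."""
    try:
        select_chain(entry, [], [])
    except ValueError:
        return False
    return True


def chain_names(chain):
    return [cert["subject"] for cert in chain]


# Constructed chains; the fingerprints are 32 hex pairs like a real SHA256
# fingerprint but are made up for this example.
_FP_LEAF = "5B:8C:" + ":".join(["1A"] * 30)
_FP_INTERMEDIATE_A = "7E:" + ":".join(["0A"] * 31)
_FP_EXPIRED_ROOT = "AF:FE:3C:" + ":".join(["02"] * 29)
_FP_INTERMEDIATE_B = "C1:44:90:" + ":".join(["03"] * 29)

DEFAULT_CHAIN = [
    {"subject": "leaf (constructed)", "sha256": _FP_LEAF},
    {"subject": "Intermediate A (constructed)", "sha256": _FP_INTERMEDIATE_A},
]
ALTERNATIVES = [
    [{"subject": "leaf (constructed)", "sha256": _FP_LEAF},
     {"subject": "Intermediate A (constructed)", "sha256": _FP_INTERMEDIATE_A},
     {"subject": "Expired Root (constructed)", "sha256": _FP_EXPIRED_ROOT}],
    [{"subject": "leaf (constructed)", "sha256": _FP_LEAF},
     {"subject": "Intermediate B (constructed)", "sha256": _FP_INTERMEDIATE_B}],
]

if __name__ == "__main__":
    for entry in ("", "1", "2", "999", "AF:FE", "C0:FF:EE"):
        print(f"{entry!r:12} -> {chain_names(select_chain(entry, DEFAULT_CHAIN, ALTERNATIVES))}")
```

Selecting by fingerprint prefix is the more robust of the two forms: a position changes silently when the provider reorders or removes alternatives, whereas a prefix keeps selecting the chain that contains the intended certificate and falls back to the default when that certificate is no longer offered.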

    Check configuration

    Status: Not yet checked Before the actual generation of the certificate, the configuration must first be checked by clicking the Check configuration button.
    Initializing The check can take several minutes. During this process, the dialog is updated regularly.
    Valid If the check is successful, the status Valid is displayed.
    DNS error Possible causes:
    • Wrong token
    • DNS resolution disturbed
    • Zone forwarding configured in DNS
    • Local DNS zone configured in DNS
    • If there is a zone in the nameserver of the UTM for a domain that also uses the ACME certificate, the DNS resolution fails. Solution: create a CNAME record for this domain.
      • Search for the zone under Menu/Applications/Nameserver/Zones
      • Click on Edit
      • Click on +Add Entry in the window
      • Enter a suitable name under Name:
      • Select CNAME under Type:
      • Enter the domain under Value:
    Configure a subject alternative name for an external DNS zone with Add SAN

    Add SAN for external DNS zone

    Subject Alternative Name: ttt-point.anyideas.org The Subject Alternative Name (SAN) from the external DNS zone.
    Alias: ttt-point.spdns.org The alias must also be the spDYN name for the external DNS.
    DNS provider At the DNS provider hosting the external zone (here: ttt-point.anyideas.org), an additional CNAME record named _acme-challenge followed by the host name must be created, pointing to _acme-challenge.ttt-point.spdns.org. (with the trailing "."!).
    An example excerpt from a zone file for the two host names mx.ttt-point.anyideas.org and exchange.ttt-point.anyideas.org looks like this:
    _acme-challenge.mx.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org.
    _acme-challenge.exchange.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org.
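The CNAME delegation above, generated rather than typed by hand, as an added Python example (not the UTM's code). It relies on the dns-01 convention that the validation record for a name is _acme-challenge. followed by the name with any leading *. removed, which is why a wildcard SAN and its base name share one record; the host names in the sample calls are those from this article, and the list of non-public suffixes is an assumption and not exhaustive.

```python
# Top-level labels ACME cannot validate; the page names .local and .lan, the rest
# is an assumed, non-exhaustive extension.
NON_PUBLIC_SUFFIXES = {"local", "lan", "localhost", "internal"}


def normalize(name):
    """Lower-case a host name and drop a trailing dot; a leading '*.' stays in place."""
    return name.strip().lower().rstrip(".")


def acme_challenge_name(san):
    """Owner name of the dns-01 record for `san`, as an absolute name (trailing dot).
    '*.example.org' and 'example.org' both map to '_acme-challenge.example.org.'."""
    host = normalize(san)
    if host.startswith("*."):
        host = host[2:]
    return f"_acme-challenge.{host}."


def is_publicly_resolvable(san):
    """False for names such as host.local or host.lan, which no public DNS resolves."""
    host = normalize(san)
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    return len(labels) >= 2 and labels[-1] not in NON_PUBLIC_SUFFIXES


def cname_records(sans, spdyn_alias):
    """Zone-file lines that delegate the dns-01 challenge of every SAN in an external
    zone to the spDYN host that holds the ACME challenge token."""
    target = acme_challenge_name(spdyn_alias)
    records, seen = [], set()
    for san in sans:
        if not is_publicly_resolvable(san):
            raise ValueError(f"{san}: not resolvable in public DNS, no ACME certificate possible")
        owner = acme_challenge_name(san)
        if owner in seen:  # a wildcard and its base name share one record
            continue
        seen.add(owner)
        records.append(f"{owner} IN CNAME {target}")
    return records


def clean_token(pasted):
    """Remove the blanks a clipboard paste may add around the spDYN token."""
    return pasted.strip()


if __name__ == "__main__":
    for line in cname_records(["mx.ttt-point.anyideas.org", "exchange.ttt-point.anyideas.org"],
                              "ttt-point.spdns.org"):
        print(line)
    print(cname_records(["ttt-point.anyideas.org", "*.ttt-point.anyideas.org"],
                        "ttt-point.spdns.org"))
```

Both the owner name and the target end in a dot: without the trailing dot on the target, many zone-file parsers append the zone origin and the CNAME silently points to a name under anyideas.org instead of under spdns.org, which is one of the causes behind the DNS error status listed above.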

  • The host name must be resolvable in the public DNS.
    Certificate creation for .local, .lan, etc. zones is not possible.
  • The UTM must be able to resolve the host name correctly via external nameservers.
    notempty If the internal and the external/public domain are identical, the zone must also be delegated to the internal DNS.
  • Check configuration Additional SANs can be added and checked as long as the Save button has not been pressed.
    Status: Valid Once all the required SANs have been successfully checked, the certificate can be saved.
    notemptyOnce the certificate has been saved, no more changes can be made. Only the alias and the token can be changed for existing SANs.
  • If additional or different SANs are required, a new certificate must be created and the existing one revoked.
  • Creation of the ACME certificate

    If the previous steps have been completed successfully, the actual process for validating and generating the certificate is triggered by clicking Save.
    This process may take some time. To update the status, the dialog must be reloaded manually.

    Status values

    The following status values can occur:
    Status            | Description                                              | Note
    Valid             | The ACME certificate is valid                            |
    Not yet verified  | The ACME certificate still needs to be verified          |
    Internal error    | An internal error has occurred                           | Possible causes: broken hardware, software error, configuration error
    Connection error  | No connection possible / present                         | Check the connection settings
    Invalid           | The ACME certificate is invalid and cannot be used       |
    DNS error         | A DNS error has occurred                                 | Possible causes: wrong token; DNS resolution disrupted; zone forwarding configured in DNS; local DNS zone configured in DNS; a zone in the UTM's nameserver for a domain that also uses the ACME certificate (solution: create a CNAME record for this domain, see Check configuration above)
    Banned            | The ACME certificate has been revoked                    | Either it was rev revoked manually, or it lost its validity, e.g. because it expired and was not renewed
    Initializing      | The verification of the ACME certificate is initiated    | This can take several minutes. The status is updated regularly
    Deferred          | The verification of the ACME certificate is postponed    | Refreshing the status will take some time, since the request limit has already been reached
    Initialized       | The ACME certificate is being verified                   |

    Purchased certificate

    Alternatively, a purchased certificate can also be imported.

    Basically, there are two options here:

    • A certificate for a FQDN
      • in this case the common name of the certificate would be portal.anyideas.de
    • A wildcard certificate
      • in this case the common name of the certificate would be *.anyideas.de


    1. In the first step, the CA provided together with the certificate must be imported into the UTM.
       Menu Authentication Certificates  Area CA  button Import CA

    2. In the second step, the certificate itself (together with its private key) is imported.
       Menu Authentication Certificates  Area Certificates  button Import certificate



    Import format

    Certificates and CAs to be imported into a UTM must be in the format .pem or .p12 (PKCS#12).

    Certificates can be converted with the tool openssl (available for all common platforms; included in Linux distributions and called from the console) using the following commands:

    Certificate    Command
    X509 to PEM    openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
    DER to PEM     openssl x509 -inform der -in certificate.cer -out certificate.pem
    P7B to PEM     openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

    Note: a .p7b file contains certificates only, never the private key; the key has to be supplied separately.


    Error message during import

    During import, the error message "The certificate format is not supported..." may appear.
    Password-protected certificates in PKCS#12 format (.p12, .pfx, .pkcs12) that were created with older ciphers (e.g. RC2-40, which OpenSSL 3 only provides through its legacy provider) can trigger this error.
    Import is usually possible if the option Support legacy cryptographic algorithms is set to On in the tab General. Note: Requires a reboot! This will interrupt all connections (incl. VPN connections) to the UTM!



    Options for importing certificates:

    • Convert the certificate to *.pem (preferred: nothing has to be changed on the UTM and the legacy algorithms stay disabled)
      Certificates can be converted with the tool openssl (available for all common platforms; included in Linux distributions and called from the console) using the following command:
      openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
      -nodes writes the private key unencrypted into certificate.pem; delete the file once the import is done.
      Alternatively with the help of an online service. Note: uploading a file that contains the private key to a third-party service discloses that key; this is not advisable for productive certificates.

    • CLI commands to allow certificate import with obsolete ciphers in the UTM:
      extc global set variable GLOB_ENABLE_SSL_LEGACY value 1
      appmgmt config application "securepoint_firewall"
      appmgmt config application "fwserver"
      system reboot
      Note: Requires a reboot! This will interrupt all connections (incl. VPN connections) to the UTM!

    cli> extc global get variable GLOB_ENABLE_SSL_LEGACY 
    variable              |value
    ----------------------+-----
    GLOB_ENABLE_SSL_LEGACY|0  
    
    cli> extc global set variable GLOB_ENABLE_SSL_LEGACY value 1
    OK
    
    cli> extc global get variable GLOB_ENABLE_SSL_LEGACY
    variable              |value
    ----------------------+-----
    GLOB_ENABLE_SSL_LEGACY|1
    
    cli> appmgmt config application "securepoint_firewall"
    cli> appmgmt config application "fwserver"
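
The following shell script is an added example and not Securepoint's code. It carries out the conversion described above on a workstation: it brings a purchased certificate into the .pem form the UTM imports, falls back to OpenSSL's legacy provider when a PKCS#12 file uses the old ciphers that trigger the import error, prints the subject CN so it can be compared with the Portalpage Hostname, and re-exports the file with AES-256/SHA-256 so that it imports without enabling Support legacy cryptographic algorithms on the firewall. File names, the password and the self-signed test certificate in the demonstration are assumptions.

```shell
#!/bin/sh
# Added example, not Securepoint code: prepare a purchased certificate for import
# into the UTM without touching GLOB_ENABLE_SSL_LEGACY. File names are assumptions.

# to_pem INPUT OUTPUT [PASSWORD] -> write certificate (and key, for PKCS#12) as PEM.
# Returns 0 on success, 1 if the file extension is not recognised.
to_pem() {
    in=$1; out=$2; pass=${3:-}
    case "$in" in
        *.pfx|*.p12|*.pkcs12)
            # -nodes: the private key is written UNENCRYPTED; delete $out after import.
            # OpenSSL 3 refuses RC2-40 (old Windows exports) without -legacy: fall back to it.
            openssl pkcs12 -in "$in" -out "$out" -nodes -passin "pass:$pass" 2>/dev/null \
            || openssl pkcs12 -legacy -in "$in" -out "$out" -nodes -passin "pass:$pass"
            ;;
        *.p7b|*.p7c)
            # PKCS#7 bundles carry certificates only (no private key); try DER, then PEM
            openssl pkcs7 -print_certs -inform DER -in "$in" -out "$out" 2>/dev/null \
            || openssl pkcs7 -print_certs -in "$in" -out "$out"
            ;;
        *.cer|*.crt|*.der)
            # .cer may be DER or PEM: try DER first, then PEM
            openssl x509 -inform DER -in "$in" -out "$out" 2>/dev/null \
            || openssl x509 -in "$in" -out "$out"
            ;;
        *)  echo "unknown extension: $in" >&2; return 1 ;;
    esac
}

# pem_cn PEMFILE -> print the subject CN of the first certificate in the file
# (must equal the Portalpage Hostname, or be a *.domain wildcard covering it)
pem_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
    | sed -n 's/^ *CN=//p'
}

# re_export_modern PEMFILE OUTPFX PASSWORD -> rebuild the PKCS#12 (key + cert from
# PEMFILE) with AES-256-CBC and a SHA-256 MAC, which the UTM accepts without
# "Support legacy cryptographic algorithms"
re_export_modern() {
    openssl pkcs12 -export -in "$1" -out "$2" -passout "pass:$3" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
}

# --- demonstration with a self-signed test certificate (constructed, not real) ---
W=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=portal.anyideas.de" \
    -keyout "$W/key.pem" -out "$W/cert.pem" 2>/dev/null
openssl pkcs12 -export -in "$W/cert.pem" -inkey "$W/key.pem" \
    -out "$W/bought.pfx" -passout pass:secret
to_pem "$W/bought.pfx" "$W/import.pem" secret \
    && echo "CN of the converted file: $(pem_cn "$W/import.pem")"
re_export_modern "$W/import.pem" "$W/modern.pfx" secret \
    && echo "re-exported with AES-256: $W/modern.pfx"
rm -rf "$W"   # import.pem contains the unencrypted private key
```

Whichever of the two outputs is imported, the .pem produced by `-nodes` holds the private key in clear text and must be wiped afterwards; the re-exported .pfx keeps the key encrypted and is the better file to archive.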
    

    Local certificate

    The UTM can also provide its own certificate.

    • At Authentication Certificates  Area CA, a CA must be created.
    • At Authentication Certificates  Area Certificates, a server certificate must be created.
      A separate certificate should be created for the captive portal so that it can be revoked if necessary without affecting other connections or applications.

    How to create a certificate on the UTM can be read here.

  • Since this certificate is issued by the UTM's own CA, a browser cannot verify it against a trusted root.
    The user receives a warning in which the trustworthiness must be confirmed once (unless the UTM's CA has been distributed to the clients as a trusted root beforehand).


    Captive Portal User
    Captive Portal users must authenticate themselves and agree to the terms of use when they connect to an appropriately configured network. Only then is network access released, according to the port filter rules.
    Note: Firewall users who are members of a group with the permission Userinterface Administrator On (Authentication User  Area Groups) can access the Captive Portal user management via the User Interface (on port 443 by default).


    Add user

    Captive Portal users can be managed by:

    • Administrators
    • Users who are members of a group with the permission Userinterface Administrator.
      They reach the user administration via the user interface.

    Caption          Value                  Description
    Login name:      user-DGS-6UM           Randomly generated login name. Once saved, login names cannot be changed.
    Password:        IH3-FF5-BSP-APZ-USC    Randomly generated password. Login name and password can be regenerated with the refresh button. Once saved, passwords cannot be displayed again.
    Expiry date:     yyyy-mm-dd hh:mm:ss    Limits the validity of the credentials. The - / + buttons shorten or extend the expiry date by 24 hours from the current time.
    Print and save                          Saves and closes the dialogue, creates an HTML page with the username and password and opens the print dialogue.
    Save                                    Saves the information and closes the dialogue. The password can then no longer be displayed; however, a new password can be generated at any time.
    Cancel                                  Closes the dialogue without saving changes.

    Implied rules

    Menu Firewall Implied rules  Group Captive Portal
    At the item Captive Portal in the menu Implied rules, make sure that both rules are activated:
    • The switch CaptivePortalPage opens an incoming port on the corresponding interface of the firewall, on which the Captive Portal serves its landing page.
    • The switch CaptivePortalRedirection is, as the name suggests, responsible for redirecting the clients' traffic to the port mentioned above.



    Packetfilter

    Menu Firewall Packetfilter  button Add rule
    A rule is required in the port filter to allow Captive Portal users to access the Internet.
    Alternatively, an autogenerated any rule can be created in the Captive Portal settings using the + button in the General tab.

    Rule 1
    Source: captive_portal
    Destination: internet
    Service: default-internet
    [–] NAT
    Type: HideNAT
    Network object: external-interface

    Save  Save and close

    Then use the Update Rules button to activate the rule.



    Settings in the Captive Portal

    Menu Applications Captive Portal

    General

    Caption                Value                      Description
    Captive Portal:        On                         This switch enables or disables the captive portal.
    Implied rules:         (indicator)                Green when the implied rules of the captive portal are activated; yellow if these rules are not in use.
    Port filter rule:      (indicator)                Green if port filter rules exist for the captive portal. With the + button an autogenerated any rule can be created. Better, but more elaborate, are rules that only release a selected network.
    Portalpage Hostname:   portal.anyideas.de         For a certificate issued for a FQDN, this must correspond to the Common Name of the certificate. For a wildcard certificate, the host name must correspond to the name the client receives in response to its DNS query.
    Certificate:           ttt-Point (ACME)           Select the certificate created or imported above.
    Nodes:                 wlan-0-network (wlan0)     Select the network objects representing the networks whose clients should be redirected to the landing page.

    Advanced

    Caption                               Value    Description
    Authentication:                       On       If desired, authentication can be enforced here.
    Portalpage Port:                      8085     A port must be defined for the captive portal; the default can be changed.
    Maximum connection time (seconds):    1800     The time frame in which a registration in the captive portal is valid. Once it has expired, web access to the Internet is blocked and the terms of use must be re-confirmed (and, if enabled, the user must authenticate again).
    Allow access to internal targets:     No       Access to internal networks via the captive portal's HTTP proxy is prevented.

    Designs

    • The captive portal can and must be customised.
    • In any case, the terms of use must be specified.
    • A design can be created for each language.
    • For additional designs it is sufficient to enter the details that differ from the fallback design.
    • The fallback design must contain all of the following information.
    • A design is opened with the edit button or created with Add design (tab Designs).

    Branding

    Edit design, tab Branding (the factory settings are preset).

    Terms of use

    Terms of use: Nutzungsbedingungen / Terms of Use. Your own terms of use have to be entered here.
    For liability reasons we cannot provide them. For the same reason we recommend consulting a lawyer.

    Translations

    Translations for the labels. If a translation is missing, the value of the default language is used.



    Nameserver

    Menu Applications Nameserver  Area Zones
    If the firewall name cannot be changed to a FQDN (for example because the UTM is used as an outgoing mail relay), the UTM's own name server must resolve the portal host name as well. This example assumes that the UTM is the DHCP server for the captive portal network and is handed out as its primary DNS server.

    Add Forward Zone

    Button Add Forward Zone

    The zone name to be assigned corresponds to the landing page of the captive portal, in the example portal.anyideas.de.
    localhost is used as the host name of the name server.
    The IP address field can be left empty.

    Step 1: Zone Name: portal.anyideas.de
    Step 2: Nameserver Hostname: localhost
    Step 3: IP Address: can be left empty



    Edit Forward Zone

    The following entry is added to the zone just created (button Add entry):

    Caption   Value                 Description
    Name:     portal.anyideas.de.   FQDN of the captive portal landing page (with a trailing dot!)
    Type:     A                     A record
    Value:    192.168.100.1         IP of the interface via which the captive portal is to be reached (here wlan0)



    Transparent mode

    Menu Applications HTTP Proxy  Area Transparent mode
    To access the Internet via the required HTTP proxy, at least one transparent rule is necessary (HTTP), better two (additionally HTTPS).

    Button Add transparent rule

    Caption       Value
    Protocol      HTTP
    Type          include
    Source        wlan-0-network
    Destination   internet

    To access https pages, SSL Interception must be set to On in the tab SSL Interception. This requires a CA certificate of the UTM, which must also be installed as trusted on the clients; otherwise every https page produces a certificate warning, because the proxy re-signs the server certificates with that CA.

    Caption       Value
    Protocol      HTTPS
    Type          include
    Source        wlan-0-network
    Destination   internet



    Webfilter

    Finally, the web filter should be configured: because captive portal clients surf through the HTTP proxy, they can reach e.g. internal web servers without any port filter rule permitting it, so such targets must be blocked in the web filter.

    with authentication

    1. Firewall Packet Filter  Area Network objects  button Add group
       Create a group (e.g. grp_CP_webfilter) that contains the network object wlan-0-network
    2. Applications Webfilter  button Add profile
    3. Network or user group: grp_CP_webfilter  Select the newly created group  Save
    4. Edit the newly generated rule record:
       1. webserver.anyideas.de  URL of the (internal) server to which access via the captive portal should be blocked  Add URL
       2. Leave the action on block

    without authentication

    1. Applications Webfilter  button Add profile
    2. Select the user group
    3. Edit the newly generated rule record:
       1. webserver.anyideas.de  URL of the (internal) server to which access via the captive portal should be blocked  Add URL
       2. Leave the action on block