From UTM version 12.6.2, the option Apply USC profiles (under USC, Unified Security Console) must be set to Yes so that USC profiles can be applied to UTMs.
Profiles allow specific events to be assigned to several UTMs. Initially, there is the option to perform an automatic update when a new version is available on the UTM.
Profiles
Add profile
Creates a new profile. Existing profiles can be edited by clicking on the profile tile.
General
General - Local profiles
Local profiles
Caption
Value
Description
Profile details
Name
Update weekdays 5 am
Meaningful name displayed on the profile tile
Priority
5 (Default)
The higher the number, the higher the priority. This is only used if a device is assigned to multiple profiles.
Cross-tenant profile
Remains disabled for local profiles
UTMs
TTT-Point AG I, TTT-Point AG II
Available UTMs can be selected in the clickbox
When a primary cluster UTM is assigned (possible from portal version 2.1), the other cluster UTM must be synchronized manually to avoid inconsistencies. Only the primary UTM of a cluster should be assigned here.
Tags
The profile is assigned to all UTMs that have at least one of these tags
Comment
Comment field for additional descriptions
Cross-tenant profiles
General - Cross-tenant profiles
Cross-tenant profiles are marked as such in the overview. In the tenants themselves, a copy of these profiles is displayed with the feature Generated. The copy cannot be edited. Editing is only possible in the profile in which it was created.
Caption
Value
Description
Cross-tenant profile
Name
Update weekdays 5 am
Meaningful name displayed on the profile tile
Priority
5
The higher the number, the higher the priority. This is only used if a device is assigned to multiple profiles.
Cross-tenant profile
This profile affects the active tenant (reseller or parent company) and all subsequently selected clients
Tenants
TTT-Point AG, Westernhagen GmbH
Tenants to which the profile is to be applied in addition to the own tenant
Select all
Adds all tenants
Tags
utms
The profile is applied to all UTMs with this tag across all tenants.
By default, all UTMs have the tag utms
Comment
Comment field for additional descriptions
Cloud-Backup
Manage Cloud-Backup
When activated, allows the Cloud-Backup settings to be configured
Caption
Value
Description
Activate Cloud-Backup on the UTM
If activated, a time frame can be specified in which the boot configuration of the UTM is saved on a Securepoint cloud server.
These settings can only be applied to UTMs from version 12.6.2.
Daily from: xx o'clock
00:00
Setting the time at which the cloud backup starts.
Password
Password
Password required to restore the backup
Server settings
These settings can only be applied to UTMs from version 12.6.2.
Firewall
Manage firewall
When activated, allows the firewall settings to be configured
Caption
Value
Description
Global contact person
The name of the administrator or organization entered in this field is later given in UTM error messages as the contact for queries.
Global email address
Important system messages are sent to this email address. The email address entered must be correct.
Language of the reports
German
The important system messages are sent in this language. Alternatively, English can also be selected.
DNS-Server
Manage DNS server
When activated, allows the DNS server settings to be configured
Caption
Value
Description
Check nameserver before local cache
The local cache of the UTM answers DNS queries first (corresponds to 127.0.0.1 as the primary name server). When activated, the name servers entered here are used for name resolution before the local cache of the UTM.
Primary nameserver
The IP addresses of two external nameservers to which the UTM should forward the DNS queries can be entered here.
DNS servers that can be reached via the external interface should be entered here.
Please do not enter a DNS server from your own internal network.
Secondary nameserver
The IP addresses of two external nameservers to which the UTM should forward the DNS queries can be entered here.
DNS servers that can be reached via the external interface should be entered here.
Please do not enter a DNS server from your own internal network.
Time settings
Manage time
When activated, allows the time settings to be configured
Caption
Value
Description
NTP-Server
The desired NTP servers can be entered here.
Entering an IP address can avoid problems with DNS over TLS and DNSSEC.
Time zone
Europe/Berlin
The time zone in which the UTM is located.
Administration
Manage administration
When activated, allows the administration settings to be configured
Caption
Value
Description
Enable administrative access for:
Host names, IP addresses and networks can be enabled for administration. The network with the "internal" zone is always enabled.
Global GeoIP
Manage GeoIP
When activated, allows the GeoIP settings to be configured
These settings can only be applied to UTMs from version 12.6.2.
Activate source GeoIP blocking
Activates the rejection of IP addresses as sources
Sources
System-wide rejected sources
IP addresses can be assigned to a country via the associated IP networks and the organizations and institutions to which these are allocated. Countries stored here are active for source GeoIP blocking.
Exceptions
IPs stored here are excluded from source GeoIP blocking.
Activate destination GeoIP blocking
Activates the GeoIP settings for rejected destinations
Destinations
System-wide rejected destinations
IP addresses can be assigned to a country via the associated IP networks and the organizations and institutions to which these are allocated. Countries stored here are active for destination GeoIP blocking.
Exceptions
IPs stored here are excluded from the destination GeoIP blocking.
Global VPN-Settings
Manage global VPN
When activated, allows the global VPN settings to be configured
These settings can only be applied to UTMs from version 12.6.2.
Primary nameserver
Primary nameserver which is used for the VPN tunnel clients.
Secondary nameserver
Secondary nameserver which is used for the VPN tunnel clients.
Firmware-Updates
Firmware update settings
If activated, the firmware update settings can be defined.
Tab "Automatic updates"
Enable automatic updates on the UTM
Upon activation, a time frame can be specified in which updates are performed automatically.
The UTM searches for updates on its own and downloads them if available
Updates are typically distributed over a period of 1-2 weeks. It is possible that one UTM may already have an update while another UTM in the same network has not yet received one.
Updates are not activated automatically in general. The function in the USC portal creates a job in the portal that triggers a time-controlled update.
The update job performs the following steps:
system upgrade dryrun
system upgrade confirm privacy
system upgrade confirm eula
system upgrade finalize
During the update process, the UTM will be restarted. All connections to the UTM (e.g. VPN, SSH) will be interrupted.
The update will remain even after a later restart.
Period
Mon Tue Wed Thu Fri Sat Sun
Selection of the weekdays on which an update can be performed
The option 1x per month is not available on the UTM and is therefore no longer displayed here. If the option was previously used, it will continue to be used until a change is made in the firmware update area in the portal or on the UTM from v12.6.2.
from 00:00 (UTC)
Time period within which an update should be performed, if applicable
The update is triggered by the portal. For better load balancing, only one time period can be selected within which the process is started.
The time is given in UTC. UTC does not use daylight saving time!
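Because the window is entered in UTC while the UTM's time zone (Europe/Berlin in the example value above) observes daylight saving time, the local start of the window shifts twice a year. The following is an added example, not part of the portal or of the Securepoint documentation; the function name and the sample year 2025 are assumptions. It lists the dates on which the local start time of a UTC window changes.

```python
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo  # needs the system tz database (or the tzdata package)


def local_start_changes(utc_start: time, year: int, tz_name: str = "Europe/Berlin"):
    """Return [(first_day, local_start)] for every change of the local start
    time of a window that begins at `utc_start` (UTC) on each day of `year`."""
    tz = ZoneInfo(tz_name)
    changes = []
    day = date(year, 1, 1)
    while day.year == year:
        start_utc = datetime.combine(day, utc_start, tzinfo=timezone.utc)
        local = start_utc.astimezone(tz).time()
        # Record a new entry only when the local wall-clock start differs
        # from the previous day's.
        if not changes or changes[-1][1] != local:
            changes.append((day, local))
        day += timedelta(days=1)
    return changes


if __name__ == "__main__":
    # 00:00 UTC is the value shown in the profile; 2025 is a constructed sample year.
    for first_day, local in local_start_changes(time(0, 0), 2025):
        print(f"from {first_day} (UTC date): window opens at {local:%H:%M} local time")
```

For a 00:00 UTC start the shift only becomes visible the day after each clock change, because the European switch happens at 01:00 UTC.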
Additional audit endpoint
These settings can only be applied to UTMs from version 12.6.2.
URL
URL
Before a dry run is started and also after an update has been installed and started (but before the update is finalized), the appliance will test whether the Securepoint update server can be reached. Another endpoint (host name or IP address and port) can be specified here, the accessibility of which is also tested.
A TCP handshake to a service on the specified server is checked.
If a test fails, no firmware update is carried out (if necessary by rolling back to the previous version).
Port
443
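Since a failed reachability test prevents the firmware update, it is worth confirming that the additional endpoint accepts TCP connections before entering it in a profile. The following is an added example, not Securepoint code: it performs the same kind of test the page describes (a plain TCP handshake, no TLS or HTTP request). The function names are hypothetical, the local listener is a constructed stand-in for a real endpoint, and the check only reflects the UTM's view if it is run from a host with a comparable network path.

```python
import socket


def tcp_handshake(host: str, port: int, timeout: float = 5.0):
    """Return (ok, detail). ok is True once a TCP three-way handshake to
    host:port completes on any address the name resolves to."""
    try:
        candidates = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"name resolution failed: {exc}"
    detail = "no usable address"
    for family, socktype, proto, _canon, addr in candidates:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(addr)  # returns only after SYN / SYN-ACK / ACK
                return True, f"handshake completed with {addr[0]} port {addr[1]}"
        except OSError as exc:  # refused, timed out, unreachable, filtered
            detail = f"{addr[0]} port {addr[1]}: {exc}"
    return False, detail


def unreachable(endpoints, timeout: float = 5.0):
    """Map "host:port" -> failure detail for every endpoint that fails the check."""
    failed = {}
    for host, port in endpoints:
        ok, detail = tcp_handshake(host, port, timeout)
        if not ok:
            failed[f"{host}:{port}"] = detail
    return failed


if __name__ == "__main__":
    # Constructed stand-in for an audit endpoint: a local listener on a free port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    print(tcp_handshake("127.0.0.1", port))    # listener up: check passes
    listener.close()
    print(unreachable([("127.0.0.1", port)]))  # listener gone: check fails
```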
Cyber Defense Cloud
These settings can only be applied to UTMs from version 14.0 - Luna.
Threat Intelligence Filter
When activated, allows the Threat Intelligence Filter settings to be configured
Log connection
When activated, the connection is logged in the syslog but allowed
Log and block connection
When activated, the connection is logged in the syslog and blocked
Privacy
These settings can only be applied to UTMs from version 14.0 - Luna.
Manage privacy settings
When activated, allows the privacy settings to be configured
Activate for all applications
Activates log anonymization for all applications on the UTM
Log anonymization can be activated individually for each application.
Possible applications:
Web interface authentication
Clientless VPN
DHCP server & relay
HTTP proxy
IPS blocks
IPSEC
L2TP VPN
Mail filter
Mail relay
Packet filter
Reverse proxy
SSH server
SSL-VPN
Securepoint UTM maintenance console
WLAN server
Fail2Ban
These settings can only be applied to UTMs from version 14.0 - Luna.
Manage Fail2Ban settings
When activated, allows the Fail2Ban settings to be configured.
Fail2Ban protection means that IP addresses are temporarily blocked when a certain number of failed login attempts has been exceeded. The number can be configured on the UTM under Applications IDS/IPS.
SMTP
When activated, protection against brute-force attacks is enabled for the SMTP service
Tab Fail2Ban
SSH
When activated, protection against brute-force attacks is enabled for the SSH service
Admin interface
When activated, protection against brute-force attacks is enabled for the administration web interface
User interface
When activated, protection against brute-force attacks is enabled for the user web interface
Cloud Scheduler Log
The Cloud Scheduler Log tab is only displayed for existing profiles
Once a UTM has downloaded an automatic update, it reports this to the portal
The portal creates a job that starts the update at the specified time
Tab Jobs
Executed job with log
Publish-State
The Publication status tab is only displayed for existing profiles.
Log of the publication status of the profile on the assigned UTMs.
Time
Shows the date and time at which the profile is published
Type
Indicates the type that is being executed
UTM
Displays the UTM where the profile is applied
Direction
Indicates the direction of communication
in: Message from the device to the server
out: Message from the server to the device
Status
Displays the status of the executed job
Sent: the transmitted job was sent to the device or the transmitted UTM profile was sent
Received: the device has received the transmitted job without errors
Confirmed: the submitted job or the submitted UTM profile has been applied