Appliance Settings

Global settings of the UTM

Last adaptation to the version: 14.1.2 (02.2026)

New:

BetaFor participants on the Beta Channel only:

Several NTP server can be stored (v14.1.0)

notemptyThis article refers to a Beta version

14.0 12.6 12.2 11.6.12 11.7

notempty

Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.

Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2.

HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!

Insecure certificates should be replaced urgently!
The BSI recommends—as of January 2025—key lengths of 3000 bits or more and SHA256
BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths BSI TR-02102-1 | Chapter 2.3: RSA encryption

The default setting of the UTM for new certificates is RSA encryption with 3072 bits and SHA256 as the hash algorithm

OpenVPN

Mailrelay

Reverse-Proxy

Webserver

HTTP-Proxy

Caption	Value	Description	Appliance Settings UTMuser@firewall.name.fqdnNetwork Appliance Settings
Firewall Firewall
Firewall Name:		Full Qualified Domain Name-Compliant firewall name. Here you can define how the UTM responds to requests. If the mail relay is to be used, it may be useful to enter the FQDN of the mail exchange (MX) here so that other mail servers can match it using the reverse resolution of the PTR resource record (PTR). Read out: `extc global get variable "GLOB_HOSTNAME"` Set: `extc global set variable "GLOB_HOSTNAME" value "utm.firma.local"`
Global contact person:		This field is used to enter the name of the administrator or organization that will later be specified in the UTM error messages for queries.
Global email address:		An email address is entered here to which mails can be sent that otherwise cannot be delivered. Otherwise, undeliverable mails remain on the hard disk space, which can lead to the fact that the available space is no longer sufficient at some point and no more mails will be accepted. As of version v12.4.2 have an email address has to be stored here. Otherwise the mail connector and proxy will not start! A global email address will be requested when logging in. notemptyThe global email address is also the postmaster address for the mail relay. Read out: `extc global get variable "GLOB_ADMIN_EMAIL"` Set: `extc global set variable "GLOB_ADMIN_EMAIL" value "utm-admin@ttt-point.de"`
Report language:	German	Language in which UTM reports are sent. Alternatively to choose: English
DNS-Server DNS-Server
Check Nameserver prior to local cache:	Off (Default)	The local cache of the UTM initially answers the DNS queries (corresponds to 127.0.0.1) as the primary name server. On activation, the name servers entered here will check the name resolution before the local cache of the UTM.
Primary Nameserver: Secondary Nameserver:		The IP addresses of two external name servers to which the UTM should forward the DNS queries can be entered here. DNS servers that can be reached via the external interface should be entered here. notempty Please do not enter a DNS server from your own internal network.
Time Settings Time Settings
Current Date:	2020-20-32 25:00:20	The current time can also be entered manually. Refreshes the display. In the interaction of servers, VPN connections and especially with OTP authentication, it is important that all components are synchronized in time.
NTP-Server: notemptyupdated: Multiple entries possible	»ntp.securepoint.de	The required NTP servers can be entered here. Entering an IP address can avoid problems with DoT and DNSSEC.
Timezone:	Europe/Berlin	Correct time zone
Webserver Webserver
If the port for the admin or the user interface is set to a well known port (ports 0-1023), access by the browser can be blocked! Access may still be possible: The start of e.g. Google Chrome or Edge is done with the start parameter --explicitly-allowed-ports=xyz. For Firefox, a string variable with the value of the port to be released is created in the configuration (about:config in the address bar) under network.security.ports.banned.override. It is possible to create a temporary policy for chromium-based browsers to allow its use. This is strongly discouraged for safety reasons! Error message in Chome / Edge: ERR_UNSAFE_PORT Error message in Firefox: Error: Port blocked for security reasons
Administration Webinterface Port:	11115	Port to reach the administration interface (which is used e.g. to display the web page shown in the image. In delivery state: 192.168.175.1:11115
User Webinterface Port:	443	Port to reach the user interface. This is used for example to access filtered mails and VPN configurations. notempty The user interface port must be changed if port 443 (HTTPS) is used for the reverse proxy. notempty The user interface port must be changed if port 443 (HTTPS) is forwarded.
Certificate:		Please note the minimum requirements for certificates from UTM version 14.2 onwards! notempty Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2. Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2. HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2! Insecure certificates should be replaced urgently! The BSI recommends—as of January 2025—key lengths of 3000 bits or more and SHA256 BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths BSI TR-02102-1 \| Chapter 2.3: RSA encryption The default setting of the UTM for new certificates is RSA encryption with 3072 bits and SHA256 as the hash algorithm OpenVPN Mailrelay Reverse-Proxy Webserver HTTP-Proxy Without a dedicated selected certificate, the default certificate of the UTM is used, which was issued by the default CA: firewall.foo.local If the UTM should be recognized by the browser with a valid certificate, proceed as follows: Create a CA ( Authentication Certificates Area CA button Add CA) Export the public part of the CA Create Certificate (Certificates Button Add Certificate Select the CA that was exported in step 2 as the CA Alias DNS FQDN - Name of the UTM , as in Network Firewall Area Server Settings section Firewall field firewall name: entered Multiple entries are possible! AliasIP IP Address IP address under which UTM can be reached. Several entries are possible in each case! Select the just created certificate under Network Server Settings Area Server Settings Section Webserver Certificate: Import the exported CA in the browser as a certificate authority It is also possible to use ACME certificates.
Advanced Settings Advanced Settings
Maximum Active Connections:	32000	Maximum number of active connections to the UTM. This includes: Web interface SMTP SSH
Last-Rule-Logging:	SHORT - Log three entries per minute	The Last-Rule-Logging setting controls the number of messages that are written to the Syslog. NONE - Do not log SHORT - Log three entries per minute : Only the first three log messages per minute are displayed. LONG - Log everything notempty We recommend to leave the setting at short.

Firewall

DNS-Server

Time Settings

Webserver

Advanced Settings