Jump to:navigation, search
Wiki

SSL-VPN Site-to-Site

From Securepoint Wiki

































































}}











































































De.png
En.png
Fr.png









Configuration of SSL-VPN site-to-site connections

Last adaptation to the version: 14.0.3

New:
notempty
This article refers to a Resellerpreview
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 VPN SSL-VPN


Introduction

SSL-VPN can also be used to establish site-to-site connections. Since this requires the corresponding instance of the service to run explicitly in client or server mode, it is possible to create multiple instances of the SSL-VPN service.

Site-to-Site Server

Site-to-Site Server
S2S Server
This method is used when the remote terminal is the initiator of the connection. For this, the service must explicitly start in server mode.

Site-to-Site Client

Site-to-Site Client
S2S Client
This method is used when the UTM itself is the initiator of the connection. For this, the service must explicitly start in client mode.


Site-to-Site Server Configuration

notempty
For the S2S server setup, a CA, a server certificate and a client certificate are required.


SSL-VPN Connection

Set up the connection under VPN SSL-VPN  Button + Add SSL-VPN connection menu.


Installation wizard

Step 1
Step 1 S2S Server

Add SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN UTM v12.6 SSL-VPN hinzufügen S1-en.png Installation step 1

In installation step 1 the connection type is selected, the following connections are available:

  • Roadwarrior Server
  • Site-to-Site Server
  • Site-to-Site Client

For the configuration of the Site-to-Site server this is selected.



Step 2
Step 2 S2S Server
UTM v12.6 SSL-VPN hinzufügen S2-en.png
Installation step 2

If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be enabled Yes.



Step 3
Step 3 S2S Server

Local settings for the site-to-site server

Caption Value Description UTM v12.6 SSL-VPN hinzufügen S3-en.png
Installation step 3
Name: S2S-server Unique name
Protocol: UDP Choose desired protocol
Port: 1194Link= Default port for the first SSL VPN connection. May not be used for any other purpose. For further connections, the next free port is selected.
Server certificate:
Only certificates with a private key can be selected
cs-ttt-point Selection of the certificate with which the server authenticates itself
If a server certificate does not yet exist, it can be created (and if necessary also a CA) in the certificate management. Open with
  • Create a CA in the CA section using the + Add CA button
  • Create a server certificate in the Certificates section using the + Add certificate button.
    Please note: Server certificate: enable
  • Create the client certificate with the + Add certificate button

Both certificates must be created with the same CA! The Client certificate and the associated CA are also needed to configure the remote terminal (client). They must be exported with the button. For use with a UTM as client, the PEM-format is required.
Further notes in the Wiki article on the use of certificates.

Share server networks: » 192.168.175.0/24 Network located at this appliance (VPN server) that is to be accessible via SSL-VPN.


Step 4
Step 4 S2S Server

In installation step 4, the transfer network for the site-to-site server is entered.

Caption Value Description UTM v12.6 SSL-VPN hinzufügen S4-en.png
Installation step 4
Transfer network: 192.168.190.0/24 A network address must be specified that is not used in any network of the involved appliances.
  • The last IP before the broadcast address cannot be used as a client's IP address because it is reserved by the virtual DHCP server.
    • Server tunnel address: 192.168.190.1/32 The server and client tunnel address is determined automatically.
    IPv4 client tunnel address: 192.168.190.2/24


    Step 5
    Step 5 S2S Server
    Caption Value Description UTM v12.6 SSL-VPN hinzufügen S5-en.png
    Installation step 5
    Name: S2S-client Is automatically generated from the name defined in step 3
    Client certificate: .ttt-point.de Certificate of the client network
    Share client networks: »192.168.174.0/24 Networks of the remote terminal that are to be released. (Input by clicking in the click box and then using the keyboard).
    notempty
    The selected certificate should not be used with any other client / network.


    Section General General S2S Server

    Already created SSL VPN connections can be edited under VPN SSL-VPN  Button .

    Caption Value Description Edit SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN UTM v14.0.3 SSL-VPN S2S Server Allgemein-en.pngSection General
    Name: S2S-Server Name of the SSL connection
    Interface: tun0 Used interface
    Modus: SERVER Depending on connection type
    Protocol: UDP (Default)
    TCP    		 Select preferred protocol (UDP and TCP can each be limited to IPv4 or IPv6).
    Port: 1194Link= Default port for the first SSL VPN connection. May not be used for any other purpose. For further connections, the next free port is selected.
    Authentication: NONE (Default)
    LOCAL
    RADIUS    		 Select the appropriate authentication method
    Certificate: cs-ttt-point The certificate used can be changed here
    Static SSL-VPN key type: Off tls-authtls-crypt
    • Activation of tls-auth causes additional authentication of the control channel
    • tls-crypt causes additional authentication and encryption of the control channel
    Static SSL-VPN key: notempty
    New as of v12.6.1
    		 SSL-VPN S2S Key for securing the connection
  • The key must be of type OVPN_STATIC_KEY
    • notempty
    The remote terminal must use the same key!
    The key is created on one side and then must be copied to the other side
    Open key management Opens the key management interface to create a key
    Data Connection Cipher: AES-256-GCM Standardmäßig wird AES-256-GCM verwendet notempty
    Seit v14.0.3
    . Die Option Default entspricht den Default-Einstellungen von OpenSSL.
    notempty
    Die Gegenstelle muss denselben Cipher nutzen!
    BF-CBC DES-EDE-CBC DES-EDE3-CBC CAST5-CBC AES-128-CBC AES-192-CBC AES-256-CBC AES-128-GCM AES-192-GCM AES-256-GCM
    Data Connection Hash: Default Default settings of OpenSSL are used.
    notempty
    The remote terminal must use the same hash!
    SHA1 SHA224 SHA256 SHA384 SHA512 whirlpool
    Allowed ciphers for auto-negotiation (NCP):     Individual ciphers can be selected from a list
    IPv4 Transfer network: 192.168.190.0/24 Enter pool address
    IPv6 Transfer network:       /64 Enter pool address
    Share server networks globally:     Network IP for networks behind the UTM that are supposed to be accessible via the SSL VPN connection can be edited.
    Search Domain:    
  • It only makes sense to specify a search domain for a Roadwarrior connection!
    Alternatives:

    1. Always write out the domain in full
    2. Enter the domain in the DHCP server so that it can be assigned
    3. Use an Active Directory

    • Renegotiation: never
    1 hour
    (Default)
    2 hours
    4 Stunden
    8 Stunden
    12 Stunden    		 Period of time from which the connection is rebrokered


    Section Advanced
    Advanced S2S Server
    Caption Value Description Edit SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN UTM v12.6 SSL-VPN S2S Server Erweitert-en.pngSection Advanced
    MTU: 1500Link= Maximum transmission unit of the largest packet (byte)
    Max Clients: 1024 Maximum number of clients.
    If no value is set, the default value of 1024 applies.
    Push DNS: No Allows DNS transmission
    The DNS and WINS can be transmitted automatically. This setting can be enabled in the menu VPN Global VPN Settings
    Push WINS: No Allows WINS transmission
    The DNS and WINS can be transmitted automatically. This setting can be enabled in the menu VPN Global VPN Settings
    Multihome: On Allows the use of multiple default routes

    Allow configured certificates only:    		 On Only allocated certificates can still be accepted
    LZO: Off LZO compression
    After changing this option, the corresponding client counterparts must adjust their configuration!
    Disabled: No
    Pass TOS: Off Allows forwarding of TOS packets
    Ping interval: 10Link= seconds Interval of ping requests
    Ping timeout: 120Link= seconds Timeout of ping requests
    Outgoing buffer size: 65536Link= Bytes Controls the size of the buffer for the socket
  • The larger, the more can be stored between. However, this can also increase the latency.
    • Incoming buffer size: 65536Link= Bytes as above
    Replay window sequence size: 64Link= Number of packages within which even older sequence numbers are accepted.
    Replay window waiting time: 15Link= seconds Time window in which the sequence size is applied at maximum


    Other client remote terminals
    Other client remote terminals S2S Server

    SSL-VPN UTMuser@firewall.name.fqdnVPN SSL-VPN Log Restart UTM v12.6 SSL-VPN Übersicht mit Gegenstelle-en.png Overview of SSL-VPN connections

    Additional remote sites that are to be connected via this site-to-site server can be added via the button.
    Display of remote sites by clicking on the folder icon .


    SSL-VPN Server-Gegenstelle hinzufügen UTMuser@firewall.name.fqdnVPNSSL-VPN UTM v12.6 VPN SSL-VPN client2-en.pngOther remote terminals of the S2S-SSL-.VPNs


    Rulebook

    Implied rules
    Implied rules
    S2S Server

    Implied rules UTMuser@firewall.name.fqdnFirewall UTM v12.6 Firewall Implizite Regeln SSL VPN UDP-en.pngImplied rules

    Under Firewall Implied Rules section VPN the protocol used for the connection can be enabled. Here On SSL-VPN UDP. This implicit rule frees the ports used for SSL-VPN connections on the WAN interface.



    Network objects
    Network objects
    S2S Server

    A TUN interface was created when the connection was set up. It automatically receives the first IP from the transfer network configured in the connection and a zone "vpn-ssl-<servername>".
    To be able to reach the client network of the remote terminal, a network object must be created under Firewall Network Objects  Button + Add Object.
    The TUN interface of the site-to-site client also receives an IP from this network. This serves as a gateway to the subnet of the site-to-site client. The subnet of the client must be created as a network object and is located in the zone on the associated TUN interface.


    Caption Value Description Add Network Object UTMuser@firewall.name.fqdnFirewallNetwork objects UTM v12.6 SSL VPN S2S Server Netzwerkobjekt hinzufügen-en.pngNetwork object for the tunnel network
    Name: sslvpn-S2S-Client-Network Unique name
    Type: VPN-Netzwerk If only a single host is to be shared in the client network, VPN host can also be selected here.
    Address: 192.168.174.0/24 The network address that was shared as the client network in step 5
    If multiple client networks have been shared, a separate network object must be created for each of these networks. Subsequently, the network objects can then be combined into a group.
    Zone: vpn-ssl-S2S-Server The zone on the S2S server through which the S2S client network is accessed.
    Group:     Optional


    Packetfilter rules
    Packetfilter rules
    S2S Server

    Packetfilter UTMuser@firewall.name.fqdnFirewall Regeln aktualisieren UTM v12.6 Firewall Paketfilter Regel hinzufügen S2S Client Network-en.pngPacketfilter rules

    Menu Firewall Packetfilter Button + Add Rule
    Two rules allow access to or from the S2S client network:


    # Source Destination Service NAT Action Activ
    Access from the client to the (internal) server network (remote station initiates the connection) Dragndrop.png 9 Vpn-network.svg sslvpn-S2S-client-network Network.svg internal-network Service-group.svg default-internet Accept On
    Access to the client network (local UTM initiates the connection) Dragndrop.png 10 Network.svg internal-network Vpn-network.svg sslvpn-S2S-client-network Service-group.svg default-internet Accept On


    Routen
    Routen
    S2S Server

    The routes are set automatically.
    However, when using VoIP through the tunnel, routes should be set to ensure that the phones connect correctly to the PBX.
    Menu Network Network configuration  Area Routing Button + Add route.
    A route should be set so that the network of the remote terminal can be found reliably.

    Caption Value Description Add Route UTMuser@firewall.name.fqdn UTM v12.6 SSL VPN S2S Server Route hinzufügen-en.pngRoute for remote terminal
    Gateway interface: tun2 A TUN interface was created when the connection was set up and must be specified here.
    Target network: 192.168.174.0/24 The network of the remote terminal (S2S Client)



































    Ausgangslage

    Es kann gewünscht sein, die Routen für VPN-Verbindungen Nur für interne Prüfzwecke erst dann zu setzen, wenn die Verbindung wirklich steht.

    1. Dadurch wird verhindert das Pakete in das Internet geroutet und vom Conntrack gespeichert werden und so einen korrekten Aufbau der Verbindung verhindern.
    2. Dies kann von Vorteil sein wenn zum Beispiel VoIP durch den Tunnel gehen soll.
    3. Load Balancing über eine zweite Firewall wird deutlich vereinfacht, wenn nur die UTM eine Route bekommt, bei der der Tunnel auch tatsächlich aufgebaut wird.

    CLI-Befehl

    Verbindung per SSH oder über Menü Extras CLI : route set id <ID> flags BLACKHOLE_IF_OFFLINE

    Z.B.: route set id "2" flags BLACKHOLE_IF_OFFLINE
    Dieser Befehl verwirft Pakete zu diesem Ziel wenn die Route nicht vorhanden ist.
    Bei SSL-VPN oder bei Wireguard zum Beispiel wenn der Tunnel nicht steht.
    Zuvor kann mit route get die korrekte Verbindungs-ID ermittelt werden


    Site-to-site client configuration

    SSL-VPN Connection

    Installation wizard
    notempty
    For the S2S server setup, a CA, a server certificate and a client certificate are required.


    Step 1
    Step 1 S2S Client

    Add SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN UTM v12.6 SSL-VPN S2S Client S1-en.pngInstallation step 1

    In installation step 1 the connection type is selected, the following connections are available:

    • Roadwarrior Server
    • Site-to-Site Server
    • Site-to-Site Client

    For the configuration of the Site-to-Site Client this is selected.



    Step 2
    Step 2 S2S Client
    UTM v12.6 SSL-VPN S2S Client S2-en.png
    Installation step 2

    If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be enabled Yes.



    Step 3
    Step 3 S2S Client

    Local settings for the Site-to-Site Client can be made in step 3. Here you can enter a name for the connection, select protocol, choose a server certificate - by clicking the button with the window you can import a CA and a certificate.

    Caption Value Description UTM v12.6 SSL-VPN S2S Client S3-en.png
    Installation step 3
    Name: S2S-client Unique name
    Protocol: UDP Choose desired protocol
  • It is necessary to select the same protocol as for the site-to-site server.
    • Client certificate: CC-S2S-Client-Network1 Selection of the certificate with which the client authenticates itself.
    The same certificate must be used here that was selected as the certificate of the remote terminal (client) for the site-to-site server in step 5.

    Open with

    • Section CA Button Import CA Import CA from
      S2S server
    • Section Certificates Button Import certificate Import the client certificate created on the
      S2S server
      .


    Step 4
    Step 4 S2S Client

    This installation step is omitted for the site-to-site client.


    Step 5
    Step 5 S2S Client
    UTM v12.6 SSL-VPN S2S Client S5-en.png
    Installation step 5
    In step 5, the public remote gateway IP address or SPDyn address of the site-to-site server is entered as the remote site.
    notempty
    The port address must be set with a colon after the IP address.

    If port 1194 is used, this specification can be omitted.


    Section General General S2S Client

    Already created SSL VPN connections can be edited under VPN SSL-VPN  Button .

    Caption Value Description Edit SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN UTM v14.0.3 SSL-VPN S2S Client Allgemein-en.pngSection General
    Name: S2S-client Name of the SSL connection
    Interface: tun4 Used interface
    Modus: CLIENT
    Protocol: UDP (Default)
    TCP    		 Choose desired protocol
    Certificate: CC-S2S-Client-Network1 The certificate used can be changed here
    Static SSL-VPN key type: notempty
    New as of v12.6.1
    		 Off tls-authtls-crypt
    • Activation of tls-auth causes additional authentication of the control channel
    • tls-crypt causes additional authentication and encryption of the control channel
    Static SSL-VPN key: notempty
    New as of v12.6.1
    		 SSL-VPN S2S Key for securing the connection
  • The key must be of type OVPN_STATIC_KEY
    • Data Connection Cipher: AES-256-GCM Standardmäßig wird AES-256-GCM verwendet notempty
    Seit v14.0.3
    . Die Option Default entspricht den Default-Einstellungen von OpenSSL.
    notempty
    Die Gegenstelle muss denselben Cipher nutzen!
    BF-CBC DES-EDE-CBC DES-EDE3-CBC CAST5-CBC AES-128-CBC AES-192-CBC AES-256-CBC AES-128-GCM AES-192-GCM AES-256-GCM
    Data Connection Hash: Default Default settings of OpenSSL are used.
    notempty
    The remote terminal must use the same hash!
    SHA1 SHA224 SHA256 SHA384 SHA512 whirlpool
    Allowed ciphers for auto-negotiation (NCP):     Individual ciphers can be selected from a list
    Renegotiation: never
    1 hour
    (Default)
    2 hours
    4 hours
    8 hours
    12 hours    		 Period of time from which the connection is rebrokered


    Section Advanced
    Advanced S2S Client
    Caption Value Description Edit SSL-VPN Connection UTMuser@firewall.name.fqdnVPNSSL-VPN UTM v12.6 SSL-VPN S2S Client Reiter Erweitert-en.pngSection Advanced
    MTU: 1500Link= Maximum transmission unit of the largest packet (byte)
    LZO: Off LZO compression
    After changing this option, the corresponding client counterparts must adjust their configuration!
    Disabled: No
    Pass TOS: Off Allows forwarding of TOS packets
    Ping interval: 10Link= seconds Interval of ping requests
    Ping timeout: 120Link= seconds Timeout of ping requests
    Outgoing buffer size: 65536Link= Bytes
    Incoming buffer size: 65536Link= Bytes
    Replay window sequence size: 64Link=
    Replay window waiting time: 15Link= seconds


    S2S Client Rulebook

    S2S Client Implied rules

    Since the site-to-site client establishes the connection to the S2S server and outgoing connections from the firewall itself are always allowed by default, no implicit rules are necessary.

    S2S Client Network objects

    A new network object can be created under Firewall Network Object  Button + Add Object.

    Caption Value Description Add Network Objects UTMuser@firewall.name.fqdnFirewallNetwork objects UTM v12.6 Firewall Netzwerkobjekt hinzufügen S2S Client-en.pngNetwork object for the tunnel network
    Name: sslvpn-S2S-Server-Network Unique name
    Type: VPN network If only a single host is to be shared in the server network, VPN host can also be selected here.
    Address: 192.168.175.0/24
    If several server networks have been shared, a separate network object must be created for each of these networks. The network objects can then be combined into a group.
    Zone: vpn-ssl-S2S-client the zone on the S2S client through which the S2S server network is accessed.
    Group:     Optional


    S2S Client Packetfilter rules
    S2S Client Packetfilter rules
    S2S Client

    Packetfilter UTMuser@firewall.name.fqdnFirewall Regeln aktualisieren UTM v12.6 Firewall Paketfilter Regeln S2S Client-en.pngPacketfilter rules in the

    Menu Firewall Packtfilter  Button + Add rule.
    Two rules allow access to or from the S2S server network or from the network:

    # Source Destination Service NAT Action Activ
    Dragndrop.png 5 Network.svg internal-network Vpn-network.svg sslvpn-S2S-server-network Service-group.svg default-internet Accept On
    Dragndrop.png 4 Vpn-network.svg sslvpn-S2S-server-network Network.svg internal-network Service-group.svg default-internet Accept On


    S2S Client Routen
    S2S Client Routen
    S2S Client

    The routes are set automatically.
    However, when using VoIP through the tunnel, routes should be set to ensure that the phones connect correctly to the PBX.
    Menu Network Network configuration  Area Routing Button + Add route.
    A route should be set so that the network of the remote terminal can be found reliably.

    Caption Value Description Add Route UTMuser@firewall.name.fqdn UTM v12.6 Netzwerkkonfiguration Route S2S Client-en.pngRoute for remote terminal
    Gateway interface: tun4 A TUN interface was created when the connection was set up and must be specified here.
    Target network: 192.168.175.0/24 The network of the remote terminal (S2S Server)



































    Ausgangslage

    Es kann gewünscht sein, die Routen für VPN-Verbindungen Nur für interne Prüfzwecke erst dann zu setzen, wenn die Verbindung wirklich steht.

    1. Dadurch wird verhindert das Pakete in das Internet geroutet und vom Conntrack gespeichert werden und so einen korrekten Aufbau der Verbindung verhindern.
    2. Dies kann von Vorteil sein wenn zum Beispiel VoIP durch den Tunnel gehen soll.
    3. Load Balancing über eine zweite Firewall wird deutlich vereinfacht, wenn nur die UTM eine Route bekommt, bei der der Tunnel auch tatsächlich aufgebaut wird.

    CLI-Befehl

    Verbindung per SSH oder über Menü Extras CLI : route set id <ID> flags BLACKHOLE_IF_OFFLINE

    Z.B.: route set id "2" flags BLACKHOLE_IF_OFFLINE
    Dieser Befehl verwirft Pakete zu diesem Ziel wenn die Route nicht vorhanden ist.
    Bei SSL-VPN oder bei Wireguard zum Beispiel wenn der Tunnel nicht steht.
    Zuvor kann mit route get die korrekte Verbindungs-ID ermittelt werden

    notempty
    New as of 12.6.2


    Note

    Multipath

    Multipath
    S2S Client

    For multipath on the client side, the VPN connection in the client must be bound to an interface.
    To bind a client connection to an interface, the CLI command must be used openvpn get to locate the ID of the connection.
    The command openvpn set id $ID_DES_TUNNELS local_addr $IP_DES_INTERFACES can then be used to set the outgoing IP.
    In addition, a rule route via the corresponding tunX interface is required in the outgoing rule (internal-network → VPN network → $DIENST).


    The transparent HTTP proxy

    When accessing a server behind the site-to-site connection from the internal network via HTTP, the transparent HTTP proxy may filter the packets. This can lead to errors in the accesses to the target.
    To prevent this from happening a rule must be added in the Applications HTTP Proxy  Area Transparent Mode Button + Add transparent rule menu:

    Add Transparent Rule UTMuser@firewall.name.fqdnApplicationHTTP-Proxy

    Protocol: HTTP
    Type: Exclude
    Source: internal-network
    Destination: name-vpn-netzwerk-objekt
  • If SSL interception is used, this should be done additionally for the HTTPS protocol.

















































    • Connection Rate Limit

    Throttling of access from certain source IPs to recurring ports

    notempty

    The function is still in the testing phase and will be further expanded.
    The function can initially only be configured via the CLI

    The function aims to protect against attacks.
    SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

    Connection Rate Limit.png
    Connection Rate Limit Access.png

    From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
    The following conditions apply:

    • Only incoming connections for which a default route exists are monitored
    • The connections from an IP address to a port of the UTM are counted within one minute
    • When activated, 5 connections / connection attempts per minute are permitted.
      The connections are then limited:
      • The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
      • With a CONNECTION_RATE_LIMIT value of 20, an additional connection is added every 3 seconds.
      • 10 seconds after the first login, 3 further connections could be established (each from the same IP address to the same destination port)
    • Blocking an IP address only affects access to the port that has been used too often.


    Other ports can still be accessed.

    • The function is activated by default for new installations on 20 UDP connections / minute on all ports
    • For Updates the function must be manually activated
    extc-Variable Default Description
    CONNECTION_RATE_LIMIT_TCP 0 Number of permitted TCP connections of an IP address per port
    0 = Function deactivated, no blocking is performed
    CONNECTION_RATE_LIMIT_TCP_PORTS Ports to be monitored. Empty by default=all ports would be monitored (if activated).
    Individual ports are separated by spaces: [ 1194 1195 ]
    CONNECTION_RATE_LIMIT_UDP 20 / 0
    Default setting for new installations from v12.6.2: 20
    For update installations the value is 0, so the function is deactivated.
    		Number of permitted UDP connections of an IP address per port
    CONNECTION_RATE_LIMIT_UDP_PORTS Ports to be monitored. Empty by default=all ports are monitored (only for new installations!).
    Individual ports are separated by spaces: [ 1194 1195 ]

    Configuration with CLI commands

    CLI command Function
    extc value get application securepoint_firewall
    Alternatively as root user:
    spcli extc value get application securepoint_firewall | grep RATE     		Lists all variables of the securepoint_firewall application.
    The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit.

    application |variable |value --------------------+-------------------------------+----- securepoint_firewall |… |… |CONNECTION_RATE_LIMIT_TCP |0 |CONNECTION_RATE_LIMIT_TCP_PORTS| |CONNECTION_RATE_LIMIT_UDP |20 |CONNECTION_RATE_LIMIT_UDP_PORTS|

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    system update rule    		 Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute
  • A change is made directly by a rule update.
    The value must not be set to 0 first!
    • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
    system update rule    		 Deactivates the monitoring of TCP connections
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    system update rule     		Restricts the monitoring of TCP connections to ports 443 and 11115
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
    system update rule    		 There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    system update rule    		 Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute
    Default setting for new installations from v12.6.2: 20
    For update installations the value is 0, so the function is deactivated.
  • A change is made directly by a rule update.
    The value must not be set to 0 first!
    • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
    system update rule    		 Deactivates the monitoring of UDP connections
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
    system update rule     		Restricts the monitoring of UDP connections to ports 1194 and 1195.
    (Example for 2 created SSL-VPN tunnels).
    There must be spaces before and after the square brackets [ ]!
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule    		 There must be spaces before and after the square brackets [ ]!

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

    notempty

    Finally, the CLI command system update rule must be entered so that the values in the rules are applied.

    		For example, to allow a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections.
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/VPN/SSL_VPN-S2S&oldid=95241"