Configuration of SSL-VPN site-to-site connections

Last adaptation to the version: 14.0.3
This article refers to a Beta version.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: VPN / SSL-VPN


Introduction

SSL-VPN can also be used to establish site-to-site connections. Since this requires the corresponding instance of the service to run explicitly in client or server mode, it is possible to create multiple instances of the SSL-VPN service.

Site-to-Site Server (S2S Server)

This method is used when the remote terminal is the initiator of the connection. For this, the service must explicitly start in server mode.

Site-to-Site Client (S2S Client)

This method is used when the UTM itself is the initiator of the connection. For this, the service must explicitly start in client mode.


Site-to-Site Server Configuration

For the S2S server setup, a CA, a server certificate and a client certificate are required.

Minimum requirements for certificates from UTM version 14.2 onwards:
  • Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.
  • Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2.
  • HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!
  • Insecure certificates should be replaced urgently!
    The BSI recommends (as of January 2025) key lengths of 3000 bits or more and SHA256.
    BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths, BSI TR-02102-1, Chapter 2.3: RSA encryption
    The default setting of the UTM for new certificates is RSA encryption with 3072 bits and SHA256 as the hash algorithm.
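To check an exported certificate against these requirements before the 14.2 update, the following added example (not code from the Securepoint wiki or the UTM) parses the text that `openssl x509 -noout -text` prints for a PEM file and reports whether the certificate will be rejected from v14.2 or merely falls short of the BSI recommendation. It assumes the usual OpenSSL text layout ("Signature Algorithm:", "Public Key Algorithm:", "Public-Key: (n bit)"); the two embedded dumps are constructed and abbreviated, not real certificates.

```python
"""Added example (not from the Securepoint wiki): classify an exported PEM
certificate against the UTM 14.2 minimum requirements (no RSA keys of 1024
bits or less, no SHA1 signatures) and the BSI TR-02102-1 recommendation
(>= 3000 bits, SHA256) quoted above.

The check works on the text that `openssl x509 -noout -text` prints:
check_pem_file() runs openssl on a file, check_openssl_text() takes the dump.
"""
import re
import subprocess
from dataclasses import dataclass

# Thresholds taken from the wiki note above.
UTM_142_MIN_RSA_BITS = 1025      # keys of 1024 bits or less are rejected from v14.2
BSI_RECOMMENDED_RSA_BITS = 3000  # BSI TR-02102-1 recommendation (January 2025)
WEAK_HASHES = ("sha1", "md5", "md2")

_SIG_ALG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
_KEY_ALG_RE = re.compile(r"Public Key Algorithm:\s*(\S+)")
_KEY_BITS_RE = re.compile(r"Public-Key:\s*\((\d+) bit\)")  # also matches "RSA Public-Key:" of older OpenSSL


@dataclass
class CertCheck:
    signature_algorithm: str
    key_algorithm: str
    key_bits: int
    problems: list   # violations of the v14.2 minimum requirements
    warnings: list   # accepted, but below the BSI recommendation or not assessed

    @property
    def blocked_from_14_2(self) -> bool:
        return bool(self.problems)


def check_openssl_text(text: str) -> CertCheck:
    """Evaluate the `openssl x509 -noout -text` dump of one certificate."""
    sig = _SIG_ALG_RE.search(text)
    key = _KEY_ALG_RE.search(text)
    bits = _KEY_BITS_RE.search(text)
    if not (sig and key and bits):
        raise ValueError("not an openssl x509 -text dump (signature/key fields missing)")

    sig_alg, key_alg, key_bits = sig.group(1), key.group(1), int(bits.group(1))
    problems, warnings = [], []

    # Rule 1: SHA1 (or weaker) as signing algorithm is dropped in 14.2.
    if any(weak in sig_alg.lower() for weak in WEAK_HASHES):
        problems.append(f"signature algorithm {sig_alg} is no longer supported from v14.2")

    # Rule 2: RSA keys of 1024 bits or less are dropped in 14.2; BSI recommends >= 3000 bits.
    if key_alg == "rsaEncryption":
        if key_bits < UTM_142_MIN_RSA_BITS:
            problems.append(f"RSA key of {key_bits} bits is no longer supported from v14.2")
        elif key_bits < BSI_RECOMMENDED_RSA_BITS:
            warnings.append(f"RSA key of {key_bits} bits is below the BSI recommendation "
                            f"of {BSI_RECOMMENDED_RSA_BITS} bits")
    else:
        # The wiki note gives RSA figures only; other key types are reported, not judged.
        warnings.append(f"key algorithm {key_alg} ({key_bits} bits) is not covered by this check")

    return CertCheck(sig_alg, key_alg, key_bits, problems, warnings)


def check_pem_file(path: str) -> CertCheck:
    """Run openssl on a PEM file, e.g. the client certificate exported from the UTM."""
    dump = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    return check_openssl_text(dump)


# Constructed, abbreviated dumps (not real certificates) for a self-test.
OLD_CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = old-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""
NEW_CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = cs-ttt-point-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
"""

if __name__ == "__main__":
    for label, dump in (("old", OLD_CERT_TEXT), ("new", NEW_CERT_TEXT)):
        r = check_openssl_text(dump)
        print(label, "blocked from 14.2:", r.blocked_from_14_2, r.problems, r.warnings)
```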


SSL-VPN Connection

Set up the connection under VPN / SSL-VPN with the + Add SSL-VPN connection button.

Installation wizard

Step 1 (S2S Server)

In installation step 1 the connection type is selected. The following connections are available:

  • Roadwarrior Server
  • Site-to-Site Server
  • Site-to-Site Client

For the configuration of the Site-to-Site server, Site-to-Site Server is selected.



Step 2 (S2S Server)

If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be set to Yes.



Step 3 (S2S Server)

Local settings for the site-to-site server:

Name: S2S-server
  Unique name.
Protocol: UDP
  Choose the desired protocol.
Port: 1194
  Default port for the first SSL VPN connection. It may not be used for any other purpose. For further connections, the next free port is selected.
Server certificate: cs-ttt-point
  Selection of the certificate with which the server authenticates itself. Only certificates with a private key can be selected.
  If a server certificate does not yet exist, it can be created (and if necessary also a CA) in the certificate management, which is opened with the adjacent button:
  • Create a CA in the CA section using the + Add CA button.
  • Create a server certificate in the Certificates section using the + Add certificate button.
    Please note: Server certificate: must be enabled.
  • Create the client certificate with the + Add certificate button.
  Both certificates must be created with the same CA!
  The client certificate and the associated CA are also needed to configure the remote terminal (client). They must be exported with the export button. For use with a UTM as client, the PEM format is required.
  Further notes can be found in the Wiki article on the use of certificates.
  Please note the minimum requirements for certificates from UTM version 14.2 onwards (see the note above)!
Share server networks: » 192.168.175.0/24
  Network located at this appliance (VPN server) that is to be accessible via SSL-VPN.


Step 4 (S2S Server)

In installation step 4, the transfer network for the site-to-site server is entered.

Transfer network: 192.168.190.0/24
  A network address must be specified that is not used in any network of the involved appliances.
  The last IP before the broadcast address cannot be used as a client's IP address because it is reserved by the virtual DHCP server.
Server tunnel address: 192.168.190.1/32
  The server and client tunnel addresses are determined automatically.
IPv4 client tunnel address: 192.168.190.2/24


Step 5 (S2S Server)

Name: S2S-client
  Automatically generated from the name defined in step 3.
Client certificate: .ttt-point.de
  Certificate of the client network.
Share client networks: » 192.168.174.0/24
  Networks of the remote terminal that are to be released (enter by clicking in the click box and then typing).
  The selected certificate should not be used with any other client / network.


Section General (S2S Server)

Already created SSL VPN connections can be edited under VPN / SSL-VPN with the edit button.

Name: S2S-Server
  Name of the SSL connection.
Interface: tun0
  Interface used.
Mode: SERVER
  Depends on the connection type.
Protocol: UDP (Default) / TCP
  Select the preferred protocol (UDP and TCP can each be limited to IPv4 or IPv6).
Port: 1194
  Default port for the first SSL VPN connection. It may not be used for any other purpose. For further connections, the next free port is selected.
Authentication: NONE (Default) / LOCAL / RADIUS
  Select the appropriate authentication method.
Certificate: cs-ttt-point
  The certificate used can be changed here.
  Please note the minimum requirements for certificates from UTM version 14.2 onwards (see the note above)!
Static SSL-VPN key type: Off / tls-auth / tls-crypt
  • Activation of tls-auth causes additional authentication of the control channel.
  • tls-crypt causes additional authentication and encryption of the control channel.
Static SSL-VPN key: (new as of v12.6.1)
  SSL-VPN S2S key for securing the connection.
  • The key must be of type OVPN_STATIC_KEY.
  • The remote terminal must use the same key! The key is created on one side and then must be copied to the other side.
  Open key management: opens the key management interface to create a key.
Data Connection Cipher: AES-256-GCM (since v14.0.3)
  AES-256-GCM is used by default. The option Default corresponds to the default settings of OpenSSL.
  The remote peer must use the same cipher!
  Available: BF-CBC, DES-EDE-CBC, DES-EDE3-CBC, CAST5-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-GCM, AES-192-GCM, AES-256-GCM
Data Connection Hash: Default
  The default settings of OpenSSL are used.
  The remote terminal must use the same hash!
  Available: SHA1, SHA224, SHA256, SHA384, SHA512, whirlpool
Allowed ciphers for auto-negotiation (NCP):
  Individual ciphers can be selected from a list.
IPv4 Transfer network: 192.168.190.0/24
  Enter the pool address.
IPv6 Transfer network: /64
  Enter the pool address.
Share server networks globally:
  Network IP for networks behind the UTM that are supposed to be accessible via the SSL VPN connection can be edited.
Search Domain:
  It only makes sense to specify a search domain for a Roadwarrior connection!
  Alternatives:
  1. Always write out the domain in full
  2. Enter the domain in the DHCP server so that it can be assigned
  3. Use an Active Directory
Renegotiation: never / 1 hour (Default) / 2 hours / 4 hours / 8 hours / 12 hours
  Period of time after which the connection is renegotiated.


Section Advanced (S2S Server)

MTU: 1500
  Maximum transmission unit, the size of the largest packet (bytes).
Max Clients: 1024
  Maximum number of clients. If no value is set, the default value of 1024 applies.
Push DNS: No
  Allows DNS transmission. The DNS and WINS servers can be transmitted automatically; this setting can be enabled in the menu VPN / Global VPN Settings.
Push WINS: No
  Allows WINS transmission. The DNS and WINS servers can be transmitted automatically; this setting can be enabled in the menu VPN / Global VPN Settings.
Multihome: On
  Allows the use of multiple default routes.
Allow configured certificates only: On
  Only assigned certificates are accepted.
LZO: Off
  LZO compression. After changing this option, the corresponding client counterparts must adjust their configuration!
Disabled: No
Pass TOS: Off
  Passes the TOS field of the packets through.
Ping interval: 10 seconds
  Interval of ping requests.
Ping timeout: 120 seconds
  Timeout of ping requests.
Outgoing buffer size: 65536 Bytes
  Controls the size of the socket buffer. The larger the buffer, the more can be stored in between; however, this can also increase the latency.
Incoming buffer size: 65536 Bytes
  As above.
Replay window sequence size: 64
  Number of packets within which even older sequence numbers are accepted.
Replay window waiting time: 15 seconds
  Time window in which the sequence size is applied at maximum.


Other client remote terminals (S2S Server)

Additional remote sites that are to be connected via this site-to-site server can be added in the overview of SSL-VPN connections (VPN / SSL-VPN) via the add button.
The remote sites are displayed by clicking on the folder icon.



Rulebook

Implied rules (S2S Server)

Under Firewall / Implied Rules, section VPN, the protocol used for the connection can be enabled; here SSL-VPN UDP is set to On. This implicit rule opens the ports used for SSL-VPN connections on the WAN interface.



Network objects (S2S Server)

A TUN interface was created when the connection was set up. It automatically receives the first IP from the transfer network configured in the connection and a zone "vpn-ssl-<servername>".
To be able to reach the client network of the remote terminal, a network object must be created under Firewall / Network Objects with the + Add Object button.
The TUN interface of the site-to-site client also receives an IP from this network. This serves as a gateway to the subnet of the site-to-site client. The subnet of the client must be created as a network object and is located in the zone of the associated TUN interface.

Network object for the tunnel network:

Name: sslvpn-S2S-Client-Network
  Unique name.
Type: VPN network
  If only a single host is to be shared in the client network, VPN host can also be selected here.
Address: 192.168.174.0/24
  The network address that was shared as the client network in step 5.
  If multiple client networks have been shared, a separate network object must be created for each of these networks. Subsequently, the network objects can be combined into a group.
Zone: vpn-ssl-S2S-Server
  The zone on the S2S server through which the S2S client network is accessed.
Group:
  Optional.


Packetfilter rules (S2S Server)

Menu Firewall / Packetfilter, button + Add Rule.
Two rules allow access to or from the S2S client network:

#  | Source                    | Destination               | Service          | NAT | Action | Active
9  | sslvpn-S2S-client-network | internal-network          | default-internet | -   | Accept | On
     Access from the client to the (internal) server network (remote station initiates the connection)
10 | internal-network          | sslvpn-S2S-client-network | default-internet | -   | Accept | On
     Access to the client network (local UTM initiates the connection)


Routes (S2S Server)

The routes are set automatically.
However, when using VoIP through the tunnel, routes should be set to ensure that the phones connect correctly to the PBX.
Menu Network / Network configuration, area Routing, button + Add route.
A route should be set so that the network of the remote terminal can be reached reliably.

Route for the remote terminal:

Gateway interface: tun2
  The TUN interface that was created when the connection was set up must be specified here.
Target network: 192.168.174.0/24
  The network of the remote terminal (S2S Client).

Initial situation

It may be desirable to set the routes for VPN connections only when the connection is actually established.

  • This prevents packets from being routed to the Internet and stored by Conntrack, which would prevent the connection from being established correctly.
  • This can be advantageous, for example, if VoIP is to go through the tunnel.
  • Load balancing via a second firewall is significantly simplified if only the UTM on which the tunnel is actually established receives a route.

CLI command

Connect via SSH or via the menu Extras / CLI:

    route get
      determines the correct connection ID
    route set id <ID> flags BLACKHOLE_IF_OFFLINE
      e.g.: route set id "2" flags BLACKHOLE_IF_OFFLINE

This command discards packets to this destination if the route does not exist, for example with SSL VPN or WireGuard if the tunnel is not available.



Site-to-site client configuration

SSL-VPN Connection

Installation wizard

For the S2S server setup, a CA, a server certificate and a client certificate are required.
Please note the minimum requirements for certificates from UTM version 14.2 onwards (see the note in the S2S server configuration)!


Step 1 (S2S Client)

In installation step 1 the connection type is selected. The following connections are available:

  • Roadwarrior Server
  • Site-to-Site Server
  • Site-to-Site Client

For the configuration of the Site-to-Site client, Site-to-Site Client is selected.



Step 2 (S2S Client)

If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be set to Yes.



Step 3 (S2S Client)

Local settings for the Site-to-Site Client are made in step 3. Here you can enter a name for the connection, select the protocol and choose the certificate; by clicking the button with the window icon you can import a CA and a certificate.

Name: S2S-client
  Unique name.
Protocol: UDP
  Choose the desired protocol. It is necessary to select the same protocol as for the site-to-site server.
Client certificate: CC-S2S-Client-Network1
  Selection of the certificate with which the client authenticates itself.
  The same certificate must be used here that was selected as the certificate of the remote terminal (client) for the site-to-site server in step 5.
  Open the certificate management with the adjacent button:
  • Section CA, button Import CA: import the CA from the S2S server.
  • Section Certificates, button Import certificate: import the client certificate created on the S2S server.


Step 4 (S2S Client)

This installation step is omitted for the site-to-site client.

Step 5 (S2S Client)

In step 5, the public remote gateway IP address or SPDyn address of the site-to-site server is entered as the remote site.
The port must be appended to the IP address, separated by a colon.
If port 1194 is used, this specification can be omitted.



Section General (S2S Client)

Already created SSL VPN connections can be edited under VPN / SSL-VPN with the edit button.

Name: S2S-client
  Name of the SSL connection.
Interface: tun4
  Interface used.
Mode: CLIENT
Protocol: UDP (Default) / TCP
  Choose the desired protocol.
Certificate: CC-S2S-Client-Network1
  The certificate used can be changed here.
  Please note the minimum requirements for certificates from UTM version 14.2 onwards (see the note in the S2S server configuration)!
Static SSL-VPN key type: Off / tls-auth / tls-crypt (new as of v12.6.1)
  • Activation of tls-auth causes additional authentication of the control channel.
  • tls-crypt causes additional authentication and encryption of the control channel.
Static SSL-VPN key: (new as of v12.6.1)
  SSL-VPN S2S key for securing the connection.
  • The key must be of type OVPN_STATIC_KEY.
Data Connection Cipher: AES-256-GCM (since v14.0.3)
  AES-256-GCM is used by default. The option Default corresponds to the default settings of OpenSSL.
  The remote peer must use the same cipher!
  Available: BF-CBC, DES-EDE-CBC, DES-EDE3-CBC, CAST5-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-GCM, AES-192-GCM, AES-256-GCM
Data Connection Hash: Default
  The default settings of OpenSSL are used.
  The remote terminal must use the same hash!
  Available: SHA1, SHA224, SHA256, SHA384, SHA512, whirlpool
Allowed ciphers for auto-negotiation (NCP):
  Individual ciphers can be selected from a list.
Renegotiation: never / 1 hour (Default) / 2 hours / 4 hours / 8 hours / 12 hours
  Period of time after which the connection is renegotiated.


Section Advanced (S2S Client)

MTU: 1500
  Maximum transmission unit, the size of the largest packet (bytes).
LZO: Off
  LZO compression. After changing this option, the corresponding client counterparts must adjust their configuration!
Disabled: No
Pass TOS: Off
  Passes the TOS field of the packets through.
Ping interval: 10 seconds
  Interval of ping requests.
Ping timeout: 120 seconds
  Timeout of ping requests.
Outgoing buffer size: 65536 Bytes
Incoming buffer size: 65536 Bytes
Replay window sequence size: 64
Replay window waiting time: 15 seconds


Rulebook (S2S Client)

Implied rules (S2S Client)

Since the site-to-site client establishes the connection to the S2S server and outgoing connections from the firewall itself are always allowed by default, no implicit rules are necessary.

Network objects (S2S Client)

A new network object can be created under Firewall / Network Objects with the + Add Object button.

Network object for the tunnel network:

Name: sslvpn-S2S-Server-Network
  Unique name.
Type: VPN network
  If only a single host is to be shared in the server network, VPN host can also be selected here.
Address: 192.168.175.0/24
  If several server networks have been shared, a separate network object must be created for each of these networks. The network objects can then be combined into a group.
Zone: vpn-ssl-S2S-client
  The zone on the S2S client through which the S2S server network is accessed.
Group:
  Optional.


Packetfilter rules (S2S Client)

Menu Firewall / Packetfilter, button + Add rule.
Two rules allow access to or from the S2S server network:

#  | Source                    | Destination               | Service          | NAT | Action | Active
5  | internal-network          | sslvpn-S2S-server-network | default-internet | -   | Accept | On
4  | sslvpn-S2S-server-network | internal-network          | default-internet | -   | Accept | On


Routes (S2S Client)

The routes are set automatically.
However, when using VoIP through the tunnel, routes should be set to ensure that the phones connect correctly to the PBX.
Menu Network / Network configuration, area Routing, button + Add route.
A route should be set so that the network of the remote terminal can be reached reliably.

Route for the remote terminal:

Gateway interface: tun4
  The TUN interface that was created when the connection was set up must be specified here.
Target network: 192.168.175.0/24
  The network of the remote terminal (S2S Server).

Initial situation

As for the S2S server, it may be desirable to set the routes for VPN connections only when the connection is actually established. The same CLI commands apply as described in the S2S server routes section above: route get to determine the connection ID, then route set id <ID> flags BLACKHOLE_IF_OFFLINE so that packets to this destination are discarded while the tunnel is not available.

New as of 12.6.2
Note

Multipath (S2S Client)

For multipath on the client side, the VPN connection in the client must be bound to an interface.
To bind a client connection to an interface, use the CLI command openvpn get to locate the ID of the connection.
The command openvpn set id <tunnel ID> local_addr <interface IP> can then be used to set the outgoing IP.
In addition, a rule route via the corresponding tunX interface is required in the outgoing rule (internal-network → VPN network → <service>).


The transparent HTTP proxy

When accessing a server behind the site-to-site connection from the internal network via HTTP, the transparent HTTP proxy may filter the packets. This can lead to errors when accessing the target.
To prevent this, a rule must be added under Applications / HTTP Proxy, area Transparent Mode, with the + Add transparent rule button:

Protocol: HTTP
Type: Exclude
Source: internal-network
Destination: <name of the VPN network object>

If SSL interception is used, this should be done additionally for the HTTPS protocol.

Connection Rate Limit

Throttling of access from certain source IPs to recurring ports.

The function is still in the testing phase and will be further expanded.
The function can initially only be configured via the CLI.

The function aims to protect against attacks. SSL-VPN accesses can be protected against aggressive scans or login attempts, for example.

From v12.6.2, the UTM can limit the number of TCP and/or UDP connections from an external IP address to one port.
The following conditions apply:

  • Only incoming connections for which a default route exists are monitored.
  • The connections from an IP address to a port of the UTM are counted within one minute.
  • When activated, 5 connections / connection attempts per minute are permitted. Further connections are then limited:
    • The additionally permitted connections are distributed evenly within 60 seconds of the first connection.
    • With a CONNECTION_RATE_LIMIT value of 20, an additional connection is permitted every 3 seconds.
    • 10 seconds after the first connection, 3 further connections could therefore be established (each from the same IP address to the same destination port).
  • Blocking an IP address only affects access to the port that has been used too often. Other ports can still be accessed.
  • The function is activated by default for new installations with 20 UDP connections / minute on all ports.
  • For updates the function must be activated manually.
extc variable | Default | Description
CONNECTION_RATE_LIMIT_TCP | 0 | Number of permitted TCP connections of an IP address per port. 0 = function deactivated, no blocking is performed.
CONNECTION_RATE_LIMIT_TCP_PORTS | (empty) | Ports to be monitored. Empty by default = all ports would be monitored (if activated). Individual ports are separated by spaces: [ 1194 1195 ]
CONNECTION_RATE_LIMIT_UDP | 20 / 0 | Number of permitted UDP connections of an IP address per port. Default setting for new installations from v12.6.2: 20. For update installations the value is 0, so the function is deactivated.
CONNECTION_RATE_LIMIT_UDP_PORTS | (empty) | Ports to be monitored. Empty by default = all ports are monitored (only for new installations!). Individual ports are separated by spaces: [ 1194 1195 ]
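To see what a given CONNECTION_RATE_LIMIT_* value lets through before rolling it out, the following added example (not code from the Securepoint wiki or the UTM) models the conditions listed above per source IP and destination port: 5 connections immediately, then one further connection every 60/limit seconds, never more than the limit per minute, with other ports unaffected. The model and the attempt log are constructed from the page's description and are an assumption about the UTM's behaviour, not its implementation.

```python
"""Added example (not from the Securepoint wiki): a model of the connection
rate limit described above, per (source IP, destination port).

Assumed model, taken from the conditions on the page: a counting window starts
with the first connection; BURST connections are permitted immediately,
afterwards one further connection is released every 60/limit seconds, and the
window never permits more than the configured limit. Other ports of the same
IP have their own window. limit 0 means the function is deactivated.
"""
from dataclasses import dataclass, field

BURST = 5            # connections permitted immediately at window start (page: "5 connections / minute")
WINDOW_SECONDS = 60  # counting window per IP and port


@dataclass
class RateLimiter:
    limit: int                      # CONNECTION_RATE_LIMIT_TCP / _UDP; 0 = deactivated
    ports: frozenset = frozenset()  # CONNECTION_RATE_LIMIT_*_PORTS; empty = all ports
    _windows: dict = field(default_factory=dict)  # (ip, port) -> [window_start, count]

    def _monitored(self, port: int) -> bool:
        return not self.ports or port in self.ports

    def permitted_so_far(self, elapsed: float) -> int:
        """How many connections the window allows `elapsed` seconds after its first connection."""
        released = BURST + int(elapsed // (WINDOW_SECONDS / self.limit))
        return min(self.limit, released)

    def allow(self, src_ip: str, dst_port: int, t: float) -> bool:
        """Decide one connection attempt at time t (seconds). Returns True if it is permitted."""
        if self.limit == 0 or not self._monitored(dst_port):
            return True
        key = (src_ip, dst_port)
        start, count = self._windows.get(key, (None, 0))
        if start is None or t - start >= WINDOW_SECONDS:
            start, count = t, 0  # new minute: counting starts again
        if count < self.permitted_so_far(t - start):
            self._windows[key] = [start, count + 1]
            return True
        self._windows[key] = [start, count]  # keep the window, reject this attempt
        return False


def replay(limiter: RateLimiter, attempts):
    """Run a list of (t, src_ip, dst_port) through the limiter; returns the decisions in order."""
    return [limiter.allow(ip, port, t) for t, ip, port in attempts]


# Constructed attempt log: one source hammering the SSL-VPN port 1194, plus one other port.
SAMPLE_ATTEMPTS = (
    [(0.0, "203.0.113.10", 1194)] * 6      # six attempts at once: 5 pass, the 6th is dropped
    + [(10.0, "203.0.113.10", 1194)] * 4   # 10 s later: 3 more released (limit 20 -> one per 3 s)
    + [(10.0, "203.0.113.10", 11115)]      # other port of the same IP: its own window
    + [(61.0, "203.0.113.10", 1194)]       # new minute: permitted again
)


def sample_decisions(limit: int = 20):
    """Decisions for the constructed log with CONNECTION_RATE_LIMIT_UDP = limit, all ports monitored."""
    return replay(RateLimiter(limit=limit), SAMPLE_ATTEMPTS)


if __name__ == "__main__":
    for (t, ip, port), ok in zip(SAMPLE_ATTEMPTS, sample_decisions()):
        print(f"t={t:5.1f}s {ip} -> :{port}  {'accept' if ok else 'DROP'}")
```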

Configuration with CLI commands

CLI command / Function:

extc value get application securepoint_firewall
  Alternatively as root user: spcli extc value get application securepoint_firewall | grep RATE
  Lists all variables of the securepoint_firewall application. The variables beginning with CONNECTION_RATE_LIMIT_ are responsible for the connection limit.

    application          |variable                       |value
    ---------------------+-------------------------------+-----
    securepoint_firewall |…                              |…
                         |CONNECTION_RATE_LIMIT_TCP      |0
                         |CONNECTION_RATE_LIMIT_TCP_PORTS|
                         |CONNECTION_RATE_LIMIT_UDP      |20
                         |CONNECTION_RATE_LIMIT_UDP_PORTS|

extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
system update rule
  Limits the allowed number of TCP connections from a single IP address to a specific port to 20 per minute.
  A change is applied directly by a rule update. The value must not be set to 0 first!

extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
system update rule
  Deactivates the monitoring of TCP connections.

extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
system update rule
  Restricts the monitoring of TCP connections to ports 443 and 11115.
  There must be spaces before and after the square brackets [ ]!

extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
system update rule
  Empties the port list; with an empty list all ports are monitored (see the variable table above).
  There must be spaces before and after the square brackets [ ]!

extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
system update rule
  Limits the allowed number of UDP connections from a single IP address to a specific port to 20 per minute.
  Default setting for new installations from v12.6.2: 20. For update installations the value is 0, so the function is deactivated.
  A change is applied directly by a rule update. The value must not be set to 0 first!

extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
system update rule
  Deactivates the monitoring of UDP connections.

extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
system update rule
  Restricts the monitoring of UDP connections to ports 1194 and 1195 (example for 2 created SSL-VPN tunnels).
  There must be spaces before and after the square brackets [ ]!

extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
system update rule
  Empties the port list; with an empty list all ports are monitored (see the variable table above).
  There must be spaces before and after the square brackets [ ]!

Complete example:

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

Finally, the CLI command system update rule must be entered so that the values in the rules are applied.

This example allows a maximum of 20 connections per minute per IP address and port. For TCP, monitoring is restricted to ports 443 and 11115. All ports are monitored for UDP connections.