FAQ
Last adaption: 07.2022
General

  • Credentials

    The credentials to the UTM are no longer known. Can the password be reset?
  • Answer

    No. Passwords of users on the UTM cannot be reset without administrative access.

    Solution

    The UTM system must be reset to factory settings by reinstalling it.
    After restoring the configuration of the UTM, the password can be adjusted.
    A backup of the current configuration is required for this process.


  • Initial setup

    What is recommended before the initial setup?
  • Answer

    We recommend our recorded webinar Good network design and secure firewall configuration (in German language). We also have a UTM Firewall Basic Training (Silver Level), which takes place regularly. An overview with the next dates can be found at the Securepoint Academy.


  • CLI commands

    Is there any documentation of the CLI commands?
  • Answer

    Yes, the CLI commands are documented with examples in the Wiki.


  • Throughput rates

    Is there any information on the throughput rates of the different appliances?
  • Answer

    An overview can be found at securepoint.de.


  • Server settings are not saved

    Server settings cannot be saved due to missing SNMP entry.
  • Cause

    After an update from a version < 11.7.3, changes in the server settings may require an entry for "Allow SNMP packets from the following networks" under the SNMP settings.
    Solution

    If SNMP was not in use, SNMP v2c must be deactivated after an update to 11.7.3.


  • Deactivate SIM PIN request

    How can the SIM PIN query be deactivated?
  • Answer

    The PIN of a SIM can only be removed via SSH and with a root user.
    This is described here.


  • Install UTM Image

    How can the UTM image be installed on a UTM?
  • Answer

    This is described in a separate article: Installation / Update from USB stick


  • Convert certificates

    How can a certificate be converted?
  • Answer

    • Conversion DER (.crt .cer .der) to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem
    • Conversion PEM to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
    • Convert PKCS#12 (.pfx .p12) with private key and certificates to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
    • Convert PEM with private key to PKCS#12 (.pfx .p12): openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

    With -nocerts (openssl pkcs12) only the private key is output.

    With -nokeys (openssl pkcs12) only the certificate is output.
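As an added example (not from this wiki), the following script creates a throwaway self-signed certificate, runs the conversions listed above, and checks with SHA-256 fingerprints that DER, PEM and PKCS#12 all carry the same certificate and key. It assumes the openssl command-line tool is installed; the password "changeit" and the file names from_pfx.crt / from_pfx.key are its own choices, and the -certfile step is left out because a self-signed test certificate has no separate CA chain.

```shell
#!/bin/sh
# Added example: round-trip a certificate through the openssl conversions from
# the FAQ and confirm nothing was lost. Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed certificate and key (constructed test input,
# using the file names from the FAQ entries).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=utm-example.test" \
        -keyout "$WORK/privateKey.key" -out "$WORK/certificate.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate; $1 = file, $2 = pem or der.
fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# PEM -> DER -> PEM; prints "ok" if all three files carry the same certificate.
der_roundtrip() {
    openssl x509 -outform der -in "$WORK/certificate.crt" -out "$WORK/certificate.der"
    openssl x509 -inform der -in "$WORK/certificate.der" -out "$WORK/certificate.pem"
    [ "$(fingerprint "$WORK/certificate.crt" pem)" = "$(fingerprint "$WORK/certificate.der" der)" ] &&
    [ "$(fingerprint "$WORK/certificate.crt" pem)" = "$(fingerprint "$WORK/certificate.pem" pem)" ] &&
    echo ok
}

# PEM key + certificate -> PKCS#12, then split the bundle again with -nokeys
# and -nocerts; prints "ok" if certificate and key survive the round trip.
pkcs12_roundtrip() {
    openssl pkcs12 -export -passout pass:changeit \
        -out "$WORK/certificate.pfx" -inkey "$WORK/privateKey.key" -in "$WORK/certificate.crt"
    openssl pkcs12 -in "$WORK/certificate.pfx" -passin pass:changeit -nodes -nokeys \
        -out "$WORK/from_pfx.crt"
    openssl pkcs12 -in "$WORK/certificate.pfx" -passin pass:changeit -nodes -nocerts \
        -out "$WORK/from_pfx.key"
    # The extracted key must belong to the extracted certificate: compare public keys.
    [ "$(openssl x509 -in "$WORK/from_pfx.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/from_pfx.key" -pubout)" ] &&
    [ "$(fingerprint "$WORK/certificate.crt" pem)" = "$(fingerprint "$WORK/from_pfx.crt" pem)" ] &&
    echo ok
}

make_test_cert
der_roundtrip
pkcs12_roundtrip
```

Comparing fingerprints rather than file contents is deliberate: the PEM written by openssl pkcs12 carries extra "Bag Attributes" lines, so a byte comparison would fail even though the certificate is identical.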


  • Unwanted call of speedport.ip

    HTTP pages are redirected to speedport.ip
  • Initial situation

    An attempt is made to access a website, either by a user in the browser or by a service (e.g. Securepoint AV establishes an http/https connection to the licence servers) and it is redirected to "speedport.ip". However, this page only returns a DNS Resolve Error.
    Explanation

    Speedport routers transmit "important" messages, such as "volume used up" or "new update available", via an internal website to which all http/https traffic is redirected until the message has been confirmed.
    Cause

    If the Speedport is connected as a router in front of the Securepoint, a transfer network will normally be established between the Speedport and the Securepoint. If the Speedport now has a "message" and thus redirects all http/https traffic to its internal side, the clients from the internal network of the UTM will only receive a DNS resolve error during the redirection, since the internal network of the Securepoint cannot resolve the internal side of the Speedport.
    Solution

    There are two possible solutions to this problem:
    • The simplest would be to connect a client directly to the Speedport to confirm the message.
    • Since the problem comes from the fact that the internal network cannot resolve the IP of the Speedport, a forward zone is simply created. The following steps are necessary for this:
      • Under → Applications → Nameserver, tab Zones, button Add Forward Zone, a forward zone must be added with the following settings:
        • Zone Name: speedport.ip
        • Nameserver Hostname: ns
        • IP address: left empty, since we want to provide the nameserver ourselves.
      • The forward zone that has just been created must then be edited:
        • Under Entries you will now find an entry of type NS with the value "ns." (with a trailing dot). The dot after the ns must be removed.
      • Now two A records have to be created:
        • 1st A record: Add entry
          • Name: ns
          • Type: A
          • Value: IP of the internal interface
            This is needed for the internal network to resolve the speedport.ip page.
            This only works if the clients have entered the Securepoint UTM as DNS server.
        • 2nd A record: Add record
          • Name: speedport.ip.
          • Type: A
          • Value: IP of the Speedport router.
    Now the page of the Speedport can also be resolved from the internal network.


  • Switch PPPoE to Router Connection

    What should be considered when changing the Internet connection from a PPPoE connection to a router connection?
  • Answer

    There is a separate wiki article on converting the Internet connection from PPPoE to router access.


  • Read out PPPoE access data

    Can the PPPoE access data be read out?
  • Answer

    Yes, the access data can be read out with the CLI command interface get.


  • LOAD

    What exactly does the LOAD denote?
  • Answer

    • LOAD is the number of processes that are currently running or waiting to be processed (CPU or IO).
    • The number is always an integer, in contrast to the load average, which is the average value over the last 1, 5 or 15 minutes.
    • If the load average is higher than the number of processors (or threads across all processors) of a system over a longer period of time, the system is slowed down.
    • Short-term peaks are not uncommon.
    • The load average should not exceed 3/4 of the number of processors in the medium term.
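The rule of thumb above can be turned into a quick check. The following shell snippet is an added example, not Securepoint code: it takes a CPU count and a /proc/loadavg line, uses the 15-minute average as the "medium term" value, and reports OK, WARN (above 3/4 of the CPUs) or HIGH (above the CPU count). The sample loadavg line is constructed; on a UTM the values come from /proc/loadavg and nproc as root via SSH.

```shell
#!/bin/sh
# Added example: classify a /proc/loadavg line against the FAQ's rule of thumb
# (load average should stay below 3/4 of the CPU count in the medium term).
# Usage: load_check <cpu count> "<contents of /proc/loadavg>"
# Prints a line starting with OK, WARN (above 3/4 of the CPUs) or HIGH
# (above the CPU count), followed by the values the verdict is based on.
load_check() {
    ncpu=$1
    # /proc/loadavg fields: 1-, 5- and 15-minute average, running/total processes, last PID
    echo "$2" | awk -v ncpu="$ncpu" '{
        load15 = $3 + 0
        if (load15 > ncpu)             verdict = "HIGH"
        else if (load15 > 0.75 * ncpu) verdict = "WARN"
        else                           verdict = "OK"
        printf "%s load15=%.2f cpus=%d running/total=%s\n", verdict, load15, ncpu, $4
    }'
}

# On a live system the line comes from /proc/loadavg and the CPU count from
# nproc; a constructed sample is used as fallback so the script runs anywhere.
if [ -r /proc/loadavg ] && command -v nproc >/dev/null 2>&1; then
    load_check "$(nproc)" "$(cat /proc/loadavg)"
else
    load_check 4 "1.20 1.50 3.10 2/300 999"   # constructed sample: 4 CPUs, WARN
fi
```

The fourth field (running/total) is the instantaneous LOAD figure from the first bullet; it is printed alongside the verdict so a short peak can be told apart from a sustained high 15-minute average.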


Network

  • Evaluate network traffic

    How can the network traffic be evaluated?
  • Answer

    The network traffic can be evaluated via the web interface widgets, among other things.

    With an SSH programme and the user "root", the following options are still available:

    iftop -i $interface or vnstat


  • IPSec connection does not establish

    The IPSec connection does not establish
  • Answer

    1. Check whether the recommendations have been complied with → IPSec S2S Recommendations
    2. Check the log messages in the livelog → IPSec Troubleshooting
    3. Are there port forwarders that forward the packets to a device behind the UTM?
    4. With an SSH program and the user "root", you can use tcpdump to check whether the IPSec packets arrive on the WAN interface:
      tcpdump -i eth0 -nnp host <IP address of the remote gateway>
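To make sense of the tcpdump output from step 4, the following script is an added example (not from this wiki) that counts IKE (isakmp) and ESP packets in each direction, so it is obvious whether the remote gateway's packets arrive on the WAN interface at all and whether the UTM answers them. The capture lines are constructed in the format tcpdump -nn prints, using the documentation addresses 198.51.100.7 (remote gateway) and 203.0.113.5 (UTM WAN); on a real UTM, save the tcpdump output to a file and pipe it into ipsec_summary.

```shell
#!/bin/sh
# Added example: summarise a "tcpdump -nn" capture of the WAN interface into
# IKE/ESP packet counts per direction. Not Securepoint code.
# Usage: ipsec_summary <remote gateway IP> < capture.txt
ipsec_summary() {
    awk -v rem="$1" '
        {
            kind = ""
            if ($0 ~ /isakmp/)     kind = "ike"   # IKE on UDP 500, or NAT-T encapsulated on 4500
            else if ($0 ~ /ESP\(/) kind = "esp"   # encrypted payload packets
            if (kind == "") next                  # anything else (e.g. TCP) is ignored
            # $3 is the source as "IP" or "IP.port"; packets from the remote gateway count as "in"
            dir = ($3 == rem || index($3, rem ".") == 1) ? "in" : "out"
            n[kind "_" dir]++
        }
        END {
            printf "ike_in=%d ike_out=%d esp_in=%d esp_out=%d\n",
                   n["ike_in"], n["ike_out"], n["esp_in"], n["esp_out"]
        }'
}

# Constructed sample lines in the layout tcpdump -nn uses (not a real capture).
sample_capture() {
    cat <<'EOF'
10:00:01.000001 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: parent_sa ikev2_init[I]
10:00:01.000200 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: parent_sa ikev2_init[R]
10:00:01.000400 IP 198.51.100.7.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:00:02.000000 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
10:00:02.000100 IP 203.0.113.5 > 198.51.100.7: ESP(spi=0x11223344,seq=0x1), length 116
10:00:03.000000 IP 198.51.100.7.33000 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
EOF
}

# Live use on the UTM (root via SSH):
#   tcpdump -i eth0 -nnp host <remote gateway IP> > /tmp/ipsec.txt
#   ipsec_summary <remote gateway IP> < /tmp/ipsec.txt
sample_capture | ipsec_summary 198.51.100.7
```

Reading the counts: ike_in greater than zero with ike_out at zero means the peer's proposals reach the UTM but no answer leaves, which points at the port filter or a port forwarder (step 3); ike_in at zero means the packets never reach the WAN interface and the problem lies upstream; IKE in both directions but no ESP points at a failed negotiation, which the livelog from step 2 will show.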


  • No communication with a Site2Site connection

    The site-to-site connection is established, but communication does not work
  • Answer

    1. First, check whether port filter rules have been created for the networks.
      For IPSec connections, both options should be activated in the implicit rules.
    2. If packets with port 80 (HTTP) do not arrive, the transparent HTTP proxy can intercept the packets. An exclude must then be created for this.
    3. The target device may not be able to accept the packets because they come from another subnet. Either adjust the firewall of the target or create a port filter rule with a HideNat on the internal interface.

    To check the paths of the packets, Wireshark can be used, or alternatively tcpdump with an SSH program and the user "root".

    Example of a tcpdump on interface eth1, seeing the IP addresses and ports and filtering packets with protocol 1 (ICMP Echo Request): tcpdump -i eth1 -nnp proto 1


  • HTTPS web pages are not detected by the web filter

    HTTP web pages are filtered by the web filter, HTTPS are not
  • Cause

    The Transparent HTTP Proxy can only accept HTTP packets.
    Solution

    If HTTPS websites are also to be filtered by the web filter, the HTTP proxy must be stored in the browser settings / Internet options of the client. In addition, direct communication to the Internet should not be allowed so that the proxy cannot be deactivated. (Default rule internal-network -> Internet | ANY, HN)


  • Disconnections with Lancom routers

    Aborts with VPN connections with upstream Lancom router
  • Solution

    VPN connections (IPSec and SSL-VPN, Site-to-Site or Roadwarrior) may be interrupted if a Lancom router is doing VoIP. In this case, it can help if the value "no change" is entered for "Prefer outgoing packets" in Configuration → Voice Call Manager → Advanced on the Lancom.


  • Rename interface

    How can I rename an interface of the UTM?
  • Solution

    Renaming via CLI:

    1. Determine the ID of the interface:

    interface get
    id |name	|type	|flags	|qos	|zones	|options			|adi				|state
    156|A0.7	|VLAN	|	|	|	|vlan_id=7,vlan_parent=A0	|mac=00:01:02:03:04:05,mtu=1500	|UP
    

    2. ID can then be used to customize the name:

    interface rename id 156 name A99.7

    3. Testing

    interface get
    id |name	|type	|flags	|qos	|zones	|options			|adi				|state
    156|A99.7	|VLAN	|	|	|	|vlan_id=7,vlan_parent=A0	|mac=00:01:02:03:04:05,mtu=1500	|UP
    


  • Determine MAC address

    How can I find out the MAC address of an interface of the UTM?
  • Answer

    The MAC address can be displayed in two places:
    1. Hover over the interface of the appliance mapping in the dashboard (new from v12.2.2)
    2. Hover the mouse over an interface name in the → Network → Network Interfaces menu (new from v12.2.2)


  • Allow iTunes

    How can I ensure online access for iTunes?
  • Answer

    Configuration at → Applications → HTTP Proxy, tab Virus Scanner, section Web Page Allowlist

    The following entries are necessary in the virus scanner allowlist of the HTTP proxy to allow iTunes to communicate correctly with the internet in certain setups.

    ^[^:]*://[^\.]*\.service\.gracenote\.com/
    ^[^:]*://[^\.]*\.mgr-mid\.gcsp\.cddbp\.net/
    ^[^:]*://[^\.]*\.mgr\.gcsp\.cddbp\.net/
    ^[^:]*://[^\.]*\.gcsp\.cddbp\.net/
    ^[^:]*://[^\.]*\.cddbp\.net/
    ^[^:]*://updates-http\.cdn-apple\.com/ 
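Before putting patterns into the allowlist it is worth checking what they admit and what they reject. The following script is an added example, not from this wiki: it runs candidate URLs against the six patterns above with grep -E and prints "allowed" or "blocked". It assumes the proxy evaluates the entries as extended regular expressions in the same way grep -E does; the look-alike URLs with evil.example and evilservice are constructed test input.

```shell
#!/bin/sh
# Added example: exercise the iTunes allowlist patterns from the FAQ with
# grep -E to see which URLs they match. Not Securepoint code; assumes the
# proxy applies the entries as extended regular expressions like grep -E.
ALLOWLIST='^[^:]*://[^\.]*\.service\.gracenote\.com/
^[^:]*://[^\.]*\.mgr-mid\.gcsp\.cddbp\.net/
^[^:]*://[^\.]*\.mgr\.gcsp\.cddbp\.net/
^[^:]*://[^\.]*\.gcsp\.cddbp\.net/
^[^:]*://[^\.]*\.cddbp\.net/
^[^:]*://updates-http\.cdn-apple\.com/'

# grep -f wants the patterns in a file, one per line.
PATFILE=$(mktemp)
printf '%s\n' "$ALLOWLIST" > "$PATFILE"
trap 'rm -f "$PATFILE"' EXIT

# Prints "allowed" if any pattern matches the URL, otherwise "blocked".
url_allowed() {
    if printf '%s\n' "$1" | grep -E -q -f "$PATFILE"; then
        echo allowed
    else
        echo blocked
    fi
}

# Constructed test URLs: two legitimate hosts and two look-alikes.
for u in 'https://c.service.gracenote.com/webapi' \
         'https://www.gcsp.cddbp.net/' \
         'https://c.service.gracenote.com.evil.example/' \
         'http://evilservice.gracenote.com/'; do
    printf '%-48s %s\n' "$u" "$(url_allowed "$u")"
done
```

The "/" anchored directly after the host name is what stops c.service.gracenote.com.evil.example from matching, and the single [^\.]* label before \.service keeps evilservice.gracenote.com out; both checks are worth repeating whenever an entry is edited.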
    


Firewall

  • Unload SIP Helper

    How can the SIP Helpers be unloaded?
  • Answer

    Unloading is only possible via the CLI. The following commands are to be executed for this:

    debug kmod unload module nf_nat_sip
    debug kmod unload module nf_nat_h323
    debug kmod unload module nf_conntrack_sip
    debug kmod unload module nf_conntrack_h323

    The modules can be loaded again with:

    debug kmod load module nf_nat_sip
    debug kmod load module nf_nat_h323
    debug kmod load module nf_conntrack_sip
    debug kmod load module nf_conntrack_h323

    Then, as root user via SSH, run the command conntrack -F several times.

  • Loading the SIP helper via CLI should actually no longer be necessary.
    This happens automatically when the VoIP service group is used in the port filter.
    Further details under VoIP FAQ.

Authentication

  • SSL VPN with OTP

    If the OTP function is activated, the user must authenticate manually after one hour.
  • Cause

    By default, the encryption is renegotiated after one hour.
    The user is also re-authenticated at this time.
    If the OTP function is active, a current OTP must be transferred at this time.
    Solution

    If this is not desired, the time span until a new renegotiation can be increased:

    → VPN → SSL-VPN → Edit SSL VPN Instance → tab General, Renegotiation: 2/4/8 hours

  • Caution: If the renegotiation interval is increased, more data is encrypted with the same keys.

  • Error message with AD connection

    When integrating the UTM into a Microsoft Active Directory, the error message Failed to join domain: failed to set machine spn: Constraint violation is displayed.
  • Solution

    The computer account of the UTM must be deleted from the Active Directory.
    The UTM can then be integrated into the Active Directory again.


  • No email addresses via LDAP query

    Querying email addresses via LDAP does not work.
  • Solution

    Please contact our support for this.


Update

  • Online update only delayed

    Why does the UTM not receive the online update immediately after the update is released?
  • Answer

    The distribution of the UTM firmware updates takes place over a longer period of time. The exact period can be seen in the announcement in the support forum. This process is automated and cannot be influenced manually.
    Solution

    The UTM can be updated manually at any time via an update image from the reseller portal.