- Updated for the redesign of the web interface
Redundant warning
Unfortunately, experience teaches us time and again that the backup password is not handled carefully enough, and a restore then fails.
The employees in support are aware of the problem but cannot solve it: there is no backdoor in our system.
Introduction
In addition to a local backup of the configuration (or a backup via the Unified Security Console), the UTM can store a backup of the boot configuration on our cloud servers. The backup is encrypted with a password chosen by the administrator.
Without this password the backup is unusable.
Securepoint has no possibilities to decrypt the backup.
Requirements
- Installed and licensed UTM
- Internet access
Message after update
Figure: Configuration management
Without knowing the password, decrypting the cloud backup is not possible!
The backup password must meet the following requirements:
- at least 8 characters
- at least 3 of the following 4 categories:
  - upper case letters
  - lower case letters
  - special characters
  - digits
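The password rules above as a small checker, added here as an example (not Securepoint code). It applies exactly the two rules the page states, at least 8 characters and at least 3 of the 4 character categories; the only assumption is that every character that is neither a letter nor a digit (spaces included) counts as a special character. The sample passwords at the bottom are constructed.

```python
"""Check a cloud backup password against the policy above.

Added example, not Securepoint code. Rules taken from the page: at least
8 characters and at least 3 of the 4 categories (upper case, lower case,
special characters, digits). Assumption: any character that is neither a
letter nor a digit counts as a special character.
"""


def password_categories(password: str) -> dict:
    """Report which of the four character categories the password uses."""
    return {
        "upper case": any(c.isupper() for c in password),
        "lower case": any(c.islower() for c in password),
        "digits": any(c.isdigit() for c in password),
        "special characters": any(not c.isalnum() for c in password),
    }


def check_backup_password(password: str) -> list:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append(f"only {len(password)} characters, at least 8 are required")
    categories = password_categories(password)
    used = sum(categories.values())
    if used < 3:
        missing = ", ".join(name for name, present in categories.items() if not present)
        problems.append(
            f"only {used} of 4 character categories used (missing: {missing}), "
            "at least 3 are required"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not values from the page.
    for candidate in ("Backup-2024", "backup2024", "Ab1!"):
        result = check_backup_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Because support cannot recover the password and Securepoint cannot decrypt the backup, a password that passes this check still has to be stored where the administrator can find it again, for example in a password manager; the check only covers the format the UTM accepts.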
- Log in to the administration interface of the firewall (in the delivery state: https://192.168.175.1:11115).
  - If the installation wizard has already been run, the IP address set there must be used.
  - The port of the administration interface is 11115 in the default state.
- Configure the cloud backup in the menu Cloud Backup Area.
Cloud Backup Configuration
View in Reseller Portal
In the Securepoint Reseller Portal it is possible to view a list of the available backups for a specific license. The information can be found on the detail page of the license (column "Licensee", if you are on the profile page).
However, a download of the configuration is only possible from an appliance with the corresponding licence key.
In the Unified Security Console (USC), the license(s) in question can be found in the "Serial numbers" column (see figure opposite).
Restore after factory settings with cloud backup
To import the configuration of a cloud backup after a reset to factory settings, the following steps are necessary. A previous download of the configuration file is not required, but the UTM needs Internet access to reach the cloud backups.
- Log in to the admin interface of the UTM (IP address of the UTM with port specification, usually 11115; example: https://192.168.175.1:11115)
- Update the firewall name
- Import a license file
- Set up an Internet connection
- The cloud backups are assigned via the license. Once the UTM has been able to connect to the Securepoint license server, existing backups can be imported to the UTM in the menu.
  - One option sets the restored version as the future startup version.
  - The other loads the configuration as the currently used version.
Restore to new hardware with cloud backup
- Make the UTM accessible in the network, open the admin interface and run the basic setup.
Integration into the local network
Adjust IP addresses of the UTM via CLI
If administration via the CLI is not a problem, the IP addresses can be set directly on the UTM via the CLI. For this, a monitor and keyboard are connected directly to the UTM, and the login is done on the console.
To administer the UTM, the admin interface must be reached via the IP address of the UTM and the port of the admin interface, through the internal interface LAN2. In the factory settings, the UTM can be reached via https://192.168.175.1:11115. If this IP or this interface cannot be reached from the local network, the configuration must be changed:
- Connect keyboard and monitor directly to the UTM.
- Log in to the UTM: Username Admin / Password: insecure. The Command Line Interface appears.
- Change the network configuration:
  - Determine the existing interfaces: `interface get`
  - Determine the ID of the IP addresses: `interface address get`
    LAN2 corresponds to the internal interface through which the admin interface can be reached. The ID is needed for changing the IP address in the next step.
  - Change the interface IP (desired IP of the internal network with subnet mask): `interface address set id 1 address 192.168.12.1/24`, followed by `system update interface`
  - Activate an interface: `interface address new device LAN1 address 192.168.x.y/24` (on appliances whose interfaces are named A0, A1, ... use A0 instead of LAN1), followed by `system update interface`
- Set up administration access:
  In the factory settings, access to the admin interface of the UTM is only possible via the internal interface LAN2. If the admin interface is to be accessible via another interface, the IP of the host (or a network IP with subnet mask) must be released:
  `manager new hostlist 192.168.168.0/24`, followed by `system update rule`
  Here, all hosts in the network 192.168.168.0/24 (regardless of the interface they are connected to) can access the admin interface. Releasing only the IP of the management host instead of a whole network keeps the admin interface reachable from as few hosts as possible.
  Attention: If, for example, the IP 192.168.175.1 is configured on LAN1 or A0 and the admin interface is to be called from a computer in the network on LAN1, the IP 192.168.175.x must nevertheless be released separately.
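To make the effect of the host list tangible, the following added example (not Securepoint code, and it does not talk to a UTM) models the networks released with `manager new hostlist` as `ipaddress` objects and checks which management hosts can reach the admin interface, regardless of the interface they sit behind, exactly the situation the "Attention" note describes. All addresses are constructed samples; the function names are the example's own.

```python
"""Model the admin-interface host list set with 'manager new hostlist'.

Added example, not Securepoint code. It models released networks as
ipaddress objects and shows which management hosts can reach the admin
interface after the CLI steps above, regardless of the interface the
host sits behind. All addresses are constructed samples.
"""
import ipaddress


def parse_hostlist(entries):
    """Turn entries such as '192.168.168.0/24' or '10.0.0.5' into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def admin_access_allowed(client_ip, hostlist):
    """True if the client address lies in at least one released network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in network for network in hostlist)


def missing_releases(clients, hostlist):
    """Return single-host entries for the management hosts not yet released."""
    result = []
    for client in clients:
        ip = ipaddress.ip_address(client)
        if not admin_access_allowed(client, hostlist):
            # Single-host entry (/32 for IPv4, /128 for IPv6) rather than a whole network.
            result.append(f"{ip}/{ip.max_prefixlen}")
    return result


if __name__ == "__main__":
    # The network released in the CLI example above.
    released = parse_hostlist(["192.168.168.0/24"])
    # Constructed management hosts: one inside the released network, one on the
    # 192.168.175.x network from the 'Attention' note.
    hosts = ["192.168.168.20", "192.168.175.5"]
    for host in hosts:
        print(host, "allowed" if admin_access_allowed(host, released) else "blocked")
    print("still to release:", missing_releases(hosts, released))
```

`missing_releases` deliberately proposes single-host entries: the host list is the only thing between the admin interface and every host on a released interface, so the narrower the entries, the smaller the set of machines that can even attempt a login.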
Adjust the IP address of your own computer
Next, connect your own computer to interface A1 (the internal interface) of the UTM.
This is how it works
Change IP address on Windows
- Open the network connections: press Windows key + R, enter ncpa.cpl and confirm with Enter
- Double-click the Ethernet connection to show its status
- Show the properties of the interface
- Show the properties of the TCP/IPv4 connection
- Set the IP address:
  - IP address: 192.168.175.2
  - Subnet mask: 255.255.255.0
  - Default gateway: 192.168.175.1 (= default address of the internal interface of the UTM)
Change IP address on Linux
Example for Ubuntu:
- Open the terminal
- Identify the name of the interface: `ip a`
- Change the IP address (in the example, enp0s3 is the interface used): `sudo ip address add 192.168.175.2/24 dev enp0s3`
Change IP address on a Mac
- Menu System Settings / Network
- Configure IPv4: select Manually in the dropdown menu
- IP address: 192.168.175.2
- Subnet mask: 255.255.255.0
- Router: 192.168.175.1 (= default address of the internal interface of the UTM)
- Confirm with the button
For further configuration, the IP address of your own computer must then be changed back.
Setting the original IP address:
- Fixed IP addresses: enter as described above
- Enable DHCP:
  - Windows: Properties of Internet Protocol Version 4 (TCP/IPv4) → select Obtain an IP address automatically
  - Linux (example for Ubuntu): `sudo ip address del 192.168.175.2/24 dev enp0s3`, then `sudo dhclient enp0s3`. If necessary, refer to the documentation of the distribution used.
  - Mac: coming soon...
First access
If not already done, the following connections must now be made physically:
- Connect the external interface (A0) towards the Internet (modem, router, etc.).
- Connect the internal interface (A1)
  - to your own computer, if the IP address has been adjusted on the computer, or
  - to the network from which the UTM is to be administered, if the IP address of the UTM has been adjusted.
Then call the admin interface in the browser:
https://192.168.175.1:11115 (default) or
https://172.16.0.1:11115, if the IP address of the UTM was changed to 172.16.0.1
When the admin interface is called up for the first time, a certificate warning appears in the browser: since the browser does not know the certificate of the UTM, a security warning is issued. This warning must be ignored (the exception confirmed) to proceed.
First registration

Caption | Value | Description
---|---|---
User | admin | Login with the default login information of the factory settings: admin
Password | insecure | Login with the default login information of the factory settings: insecure
Login (Admin) | | Logs in with the entered credentials
Agree to license agreement and privacy policy | | The license agreement and privacy policy must be accepted by clicking the button.

Basic configurations
Figure: Basic configurations

Caption | Value | Description
---|---|---
Firewall name | firewall.ttt-point.local | An individual firewall name must be assigned.
System time | yyyy-mm-dd hh:mm:ss | The system time should be correct. It is compared with other servers, e.g. for user authentication (Kerberos, OTP, etc.). If the deviation is too large, login will not be possible, for example.
License key | | Import a valid license.
Global email address (must not be empty; new as of v12.4.4) | admin@ttt-point.de | Required information, e.g. for the mail connector and the proxy. Also serves as postmaster address for the mail relay.
Authentication method (must not be empty; new as of v12.5.1) | | Authentication method for web sessions via USC. The web session PIN also secures the use of the following actions within the USC: If the PIN is not used, these actions cannot be called from the Unified Security Portal.
PIN (must not be empty; new as of v12.5.1) | | PIN as additional security for web sessions. No number sequences or duplications are allowed.
(Button) | | Creates a secure PIN
(Button) | | Displays the license agreement
(Button) | | Displays the privacy policy
(Button) | | Logs off again. No settings are saved!
Complete | | Completes the login process and opens the Welcome window.

Welcome

Caption | Value | Description
---|---|---
Welcome | | Basic settings are completed with the welcome dialog.
(Button) | | Starts the Installation Wizard.
(Button) | | Starts a tour that explains the admin interface and menus in 15 steps.
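The PIN rule in the table above ("no number sequences or duplications") as a validator plus a generator of the kind a "create secure PIN" button would use, added here as an example and not Securepoint code. The page does not define the two terms or the PIN length, so the interpretation is an assumption: a sequence is a run of three or more digits that rise or fall by one (123, 654), a duplication is the same digit twice in a row (11), and the PIN has 6 digits; the sample PINs are constructed.

```python
"""Validate and generate a web session PIN following the rules above.

Added example, not Securepoint code. Assumed interpretation of the rules:
a 'number sequence' is a run of three or more digits rising or falling by
one (123, 654); a 'duplication' is the same digit twice in a row (11).
The PIN length is not given on the page; 6 digits is assumed.
"""
import secrets

DIGITS = "0123456789"


def has_sequence(pin: str, run: int = 3) -> bool:
    """True if any window of `run` digits is strictly ascending or descending by 1."""
    values = [int(c) for c in pin]
    for start in range(len(values) - run + 1):
        window = values[start:start + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_duplication(pin: str) -> bool:
    """True if the same digit appears twice in a row."""
    return any(a == b for a, b in zip(pin, pin[1:]))


def check_pin(pin: str) -> list:
    """Return the rule violations; an empty list means the PIN is acceptable."""
    if not pin or any(c not in DIGITS for c in pin):
        return ["PIN must consist of digits only"]
    problems = []
    if has_sequence(pin):
        problems.append("contains a number sequence")
    if has_duplication(pin):
        problems.append("contains a duplicated digit")
    return problems


def generate_pin(length: int = 6) -> str:
    """Draw PINs from the OS CSPRNG (secrets) until one passes check_pin."""
    while True:
        candidate = "".join(secrets.choice(DIGITS) for _ in range(length))
        if not check_pin(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("123456", "112233", "274951"):  # constructed samples
        print(sample, check_pin(sample) or "OK")
    print("generated:", generate_pin())
```

The generator uses `secrets` rather than `random` because the PIN is a credential; rejection sampling keeps the draw uniform over the PINs that pass the rules. Wrap-around runs such as 901 are not treated as sequences under this interpretation.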
- Close the welcome dialog with the close button in the title bar, without starting the tour or the installation wizard.
- New firmware versions may have been released between the production of a UTM and its deployment. It is possible that a cloud backup was created with a newer version than the one installed on the newly deployed hardware. It is therefore advisable to check for a firmware update in the corresponding menu before applying a cloud backup to new hardware.
- Then proceed as for a Restore after factory settings.