Chapter 4. POLICY

Policies are the core of the NG-UTM system. They govern every inbound and outbound packet, including those carried over encrypted channels such as IPSec VPN tunnels, IP tunnels, PPTP and SSL VPN; the only exception is traffic on physical ports managed by the SDN controller.
Each packet entering or leaving an interface is compared against the policies in sequence. When the packet matches the basic settings of a rule, it is allowed or dropped according to that rule, and no later rule is consulted.
A packet that matches no policy after all rules have been tried is denied.
Because matching starts at the first rule and proceeds in order, rule order determines behaviour: a broad rule placed above a more specific one makes the specific rule unreachable.
Administrators must make sure that the traffic they intend to control actually falls within the corresponding policy. NG-UTM provides per-rule packet records and statistics for this purpose.
The packet records let administrators verify that packets enter or exit as the policy intends. Clicking the statistics of a rule opens a new window listing all inbound and outbound packets that matched that rule.
Each policy comprises three parts: “basic settings,” “advanced settings,” and “protection settings,” explained in simpler terms as follows:
  • Basic settings: Who, where from, and which path.

  • Advanced settings: Inspection of carried content.

  • Protection settings: Whether to provide protection.

For IPSec VPN tunnels, typically employed in Site-to-Site VPN scenarios, policies are relatively straightforward, containing only “basic settings” and “advanced settings”.

4-1. Security Policy

Upon entering the policies section, NG-UTM lists the existing policies for every interface.
Each page shows 16 rules, and administrators can narrow the view to the policies of one interface.
There are four policy tabs, Outgoing, Incoming, Advance and SYN Protection:
  • Outgoing: Rules for traffic from the internal network to the external network. For IP address translation only Routing and NAT are available; Routing is typically used between zones, NAT for internet access.

  • Incoming: Rules for traffic from the external network to the internal network. For IP address translation the options are IP mapping, port mapping and server mapping, which redirect packets to hosts on the internal network.

  • Advance: Policies that are not split by direction; the administrator chooses both the ingress and the egress side of the packet. Every translation mode (Routing, NAT, IP mapping, port mapping and server mapping) is available.

  • SYN Protection: Protects against SYN flood attacks by verifying that a connection is genuine before handing it to the backend server. Because this happens before the connection is established, SYN Protection has the highest priority. For IP address translation only IP mapping, port mapping and server mapping are available; the tab exists mainly to block abnormal connections from the external network to internal servers.

Where rules in different tabs conflict, the tab listed later in the following ordering takes precedence:
Outgoing: Outgoing < Advance
Incoming: Incoming < Advance < SYN Protection
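To make the evaluation order concrete, the following Python model is an added illustration (not NG-UTM's own code) of the matching described above for the inbound tabs: rules are tried from the highest-priority tab downwards and in ascending number within a tab, the first match decides, and an unmatched packet is denied. It also includes a shadowing check that reports rules no packet can ever reach, which is the usual consequence of a broad rule placed above a specific one. The numeric tab weights, the rule set and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Inbound tab precedence as the manual states it (Incoming < Advance < SYN);
# the numeric weights are an assumption of this example.
TAB_PRIORITY = {"SYN": 3, "Advance": 2, "Incoming": 1}


@dataclass(frozen=True)
class Rule:
    no: int          # position inside its tab; smaller is evaluated first
    tab: str         # "Incoming", "Advance" or "SYN"
    proto: str       # "Any", "TCP", "UDP" or "ICMP"
    src: str         # source network in CIDR form, or "Any"
    dst: str         # destination network in CIDR form, or "Any"
    dport: tuple     # (low, high) inclusive; (1, 65535) means all ports
    action: str      # "Allow" or "Deny"
    name: str = ""


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address of `inner` lies inside `outer` ("Any" covers everything)."""
    if outer == "Any":
        return True
    if inner == "Any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def _matches(rule: Rule, pkt: dict) -> bool:
    """Basic-settings match on protocol, source, destination and destination port."""
    if rule.proto != "Any" and rule.proto != pkt["proto"]:
        return False
    if rule.src != "Any" and ip_address(pkt["src"]) not in ip_network(rule.src):
        return False
    if rule.dst != "Any" and ip_address(pkt["dst"]) not in ip_network(rule.dst):
        return False
    if pkt["proto"] in ("TCP", "UDP"):   # ICMP carries no port
        return rule.dport[0] <= pkt["dport"] <= rule.dport[1]
    return True


def ordered(rules):
    """Evaluation order: higher-priority tab first, then ascending rule number."""
    return sorted(rules, key=lambda r: (-TAB_PRIORITY[r.tab], r.no))


def evaluate(rules, pkt):
    """First match wins; a packet that matches no rule is denied."""
    for r in ordered(rules):
        if _matches(r, pkt):
            return r.action, r.tab, r.no
    return "Deny", None, None


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b would already have matched a."""
    return ((a.proto == "Any" or a.proto == b.proto)
            and _net_covers(a.src, b.src)
            and _net_covers(a.dst, b.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def shadowed(rules):
    """(later_tab, later_no, earlier_tab, earlier_no) for every rule that can never fire."""
    seq = ordered(rules)
    found = []
    for i, later in enumerate(seq):
        for earlier in seq[:i]:
            if _covers(earlier, later):
                found.append((later.tab, later.no, earlier.tab, earlier.no))
                break
    return found


# Constructed rule set: the Deny in Incoming rule 2 is shadowed by the broader
# Allow in Incoming rule 1, and the Advance rule overrides Incoming for one network.
RULES = [
    Rule(1, "Incoming", "TCP", "Any", "192.168.1.200/32", (80, 80), "Allow", "ERP web"),
    Rule(2, "Incoming", "TCP", "203.0.113.0/24", "192.168.1.200/32", (80, 80), "Deny", "block partner"),
    Rule(1, "Advance", "Any", "198.51.100.0/24", "Any", (1, 65535), "Deny", "blocklist"),
]

if __name__ == "__main__":
    pkt = {"proto": "TCP", "src": "203.0.113.5", "dst": "192.168.1.200", "dport": 80}
    print(evaluate(RULES, pkt))   # ('Allow', 'Incoming', 1): rule 2 never fires
    print(shadowed(RULES))        # [('Incoming', 2, 'Incoming', 1)]
```

The shadowing check is the one worth running after every policy change: a Deny that sits below an Allow covering the same traffic is not a misconfiguration the statistics column will flag, its counter simply stays at zero.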

Tip

Video references: ShareTech NU Series Tutorial- Incoming and Outgoing Regulation Introduction and Examples

• Icon Explanation:
In the rule list, icons show which functions each rule applies, so administrators can identify them at a glance. The icons are:

Name: Description
Bandwidth Management: Bandwidth management is enabled for this rule.
Time Schedule: A schedule is active; the rule only applies within the set time range.
URL Control: URL control is enabled.
Application Control: Controls which applications (web, FTP, Skype, etc.) are allowed.
Virus Scan Control: Web and FTP virus scanning.
Authentication: Users must log in before they can reach the internet.
IPS: Intrusion detection and prevention.
Logging Control: Logging of HTTP and email.
Bulletin Board: Users must read the bulletin board content.
Gateway Specification: Selects which gateway to use.
Protection: Firewall protection is enabled.
Any Protocol: Any protocol, including TCP, UDP and ICMP.
TCP: TCP.
UDP: UDP.
ICMP: ICMP.
NAT: NAT operating mode.
Permit: Packets matching the policy are allowed through.
Deny: Packets matching the policy are dropped.
Pause: The policy is paused.
Activate: The policy is active.
Modify: Edit the policy.
Delete: Delete the policy.

• Instructions for the policy display page
When opening “Policy”, NG-UTM lists all policies, with IPv4 and IPv6 policies kept separate; IPv4 is shown by default.
To switch to IPv6 policies, click “IPv6” in the main menu; the entire policy view then switches to IPv6 mode.
For both IPv4 and IPv6, the items on this page are:

Figure 4-1 Policy Control List

【No】: Rules are evaluated in order starting from number 1, so the sequence decides which rule a packet hits. A smaller number means higher priority.
【On/Off】: Toggles the policy between paused and enabled.
【NAT】: IP address translation mode. Blank means Routing, DST means port mapping and SRC means IP mapping.
【Advanced Settings】: Advanced control items applied by the policy.
【Edit/Delete】: Modify or delete this policy.
【Statistics】: Number of packets and traffic volume that entered and left through each policy. Pausing and re-enabling a policy resets the counters to zero. Clicking the number opens a detailed record of every packet that matched the rule.
When troubleshooting, or when checking that the intended traffic really hits a policy, administrators can use this real-time packet record: clicking the number in the “Statistics” column starts a capture and opens it in a new window (Figure 4-2).
【Update】: Refresh the policy list immediately.
【Delete All Rules】: Delete all policies and return NG-UTM to its initial state. Since traffic that matches no policy is denied, this stops all traffic through the device until new rules are created.
【Zero Counter】: Reset all numbers in the “Statistics” column and start counting again.
【Display Search Interface】: Select which interface's policies to view. Interfaces include physical interfaces (ZONE 0, 1, …), PPPoE, IP Tunnel, PPTP and SSL VPN. All interfaces are shown by default.
• Packet Communication Records of Policies

Figure 4-2 Packet Communication Records of Policies

【Auto Update】: NG-UTM refreshes the packet record automatically at a selectable interval of 3 to 30 seconds.
【Clear】: Clears the record and restarts the display.
【Time】: Time at which the packet passed.
【Source IP/Port】: Source IP address and port of the packet.
【Destination IP/Port】: Destination IP address and port of the packet.
【Protocol】: Protocol of the packet: TCP, UDP or ICMP.
【Packet Size】: Size of the packet in bytes.
【Outgoing Line】: The line through which the packet left from inside to outside. A “-” indicates a reply packet returned by the remote TCP peer.
• Combination of Policies
Each policy consists of three parts: basic settings, advanced settings and protection settings. The basic settings are mandatory; the other two are configured at the administrator's discretion.

4-1-1. Outgoing

All traffic from the internal network to the external network is controlled here; ZONE-to-ZONE traffic inside the internal network is configured in the Advance tab.
Clicking the edit icon of a policy opens the configuration screen, where the basic, advanced and protection settings can be modified.

Outgoing Basic Settings

The source and destination of each policy are defined in the basic settings. For convenience and readability, address tables, service tables and applications can be defined in advance under “Object” and then selected here.
Apart from the network interfaces, which must be planned beforehand, every field also accepts direct input, such as IP addresses and ports.

Figure 4-3 Basic Settings of Policy

【Policy Name】: Name by which administrators recognise the policy. Any language may be used, for example “Block Internet Access”.
【Source Interface】: NG-UTM is managed per ZONE, and every packet entering or leaving a ZONE can be controlled. Since this is Outgoing control, the selectable ZONEs are those that lead from the internal network: internal ZONEs and PPTP, L2TP and SSL VPN clients.
Network interfaces are either physical or virtual. Interfaces, PPTP, L2TP and SSL VPN added under “Network > Network Interfaces” automatically appear among the source interface options.
【Outgoing Line / IP Address Translation】: See the section Outgoing Basic Settings > Assign Gateway and Network Address Translation below.
【Protocol】: Four options: All, TCP, UDP and ICMP. Select the protocol this policy should govern; the default is All.
【Source】: Source IP address the policy matches. For a ZONE interface this is the internal address leaving through NG-UTM. Two modes are available, Option mode and Custom mode; the default is Option mode.
· Option mode: The system offers the following source addresses for selection:
A. Internal ZONEs defined under “Network > Network Interface”.
B. Address tables or groups created under “Object > IP Address”.
C. Addresses assigned to remote users by the various VPNs: PPTP server, SSL VPN and L2TP.
· Custom mode: Administrators enter source IP addresses or MAC addresses directly.
【Destination Network】: Destination IP address. For Outgoing policies this is an address on the external network. Two modes are available, Option mode and Custom mode; the default is Option mode.
· Option mode: The system offers the address tables or groups already created under “Object > IP Address”.
· Custom mode: Administrators enter destination IP addresses or MAC addresses directly.

Note

NG-UTM does not control traffic between source and destination addresses within the same interface (ZONE). It behaves like a switch's bridging function: policies apply only to packets entering or leaving an interface (ZONE).

【Source Port Group】: Restricts the source port. Three options: a default service table, a custom service group, or directly entered port numbers. NG-UTM lists common services such as HTTP and FTP. To keep the number of policies small, several services can be combined into one service group defined under “Object > Service”; defined objects appear as options. Selecting “User Defined” allows ports to be typed into the field below.

note

Caution!
In IPv4 environments PAT is widely used, so the source port of a connection is normally not fixed and can be any value from 1 to 65535. Take care before restricting source ports: a source-port restriction rarely identifies a service and may block legitimate clients. When no group is specified, the default is all ports.
【Destination Port Group】: Restricts the destination port. Three options: a default service table, a custom service group, or directly entered port numbers. NG-UTM lists common services such as HTTP and FTP. To keep the number of policies small, several services can be combined into one service group defined under “Object > Service”; defined objects appear as options. Selecting “User Defined” allows ports to be typed into the field below.

note

Caution!
In IPv4 and IPv6 environments the destination port identifies the service being controlled; for example, to allow only HTTP, enter HTTP here. When no group is specified, the default is all ports.
【Action】: How packets matching the above criteria are handled: Allow lets the packet through, Deny discards it.

note

Caution!
Advanced-settings functions such as IPS and URL control only apply when the Action is Allow; with Deny the packet is discarded first and never reaches the advanced settings.

Outgoing Basic Settings > Assign Gateway and Network Address Translation

2. NAT
Which IP address outgoing packets are translated to. This uses PAT (Port Address Translation), so many internal hosts share one translated address and are distinguished by port.
· When the outbound interface is “Default”, the system chooses the translated address itself when performing PAT and lists all translated addresses. To specify the translated address, do not use “Default”.
· When the outbound interface is a specific gateway, the administrator can choose which address is used as the source for PAT/NAT.
For example, if the interface address under “Network > Network Interface Setting > Interface Address” is 192.168.100.0/24, any usable host address in that range, 192.168.100.1 to 192.168.100.254, can be set here.
· When the outbound interface is an outbound interface group, the administrator can specify the PAT/NAT source address separately for each outbound interface.

Figure 4-4 PAT/NAT settings for multiple outbound interfaces

Outgoing Advanced Settings

For packets that match the basic settings and whose action is Allow, NG-UTM can apply further actions such as scheduling, IPS and virus scanning. Each item must be configured in the corresponding object beforehand for the whole policy to take effect.

Figure 4-5 Advanced settings for Policy

Tip

Each item has an Add option. When the required entry does not exist yet, clicking Add opens a new page where the administrator can create it without leaving the policy.
For example, if the required address table is not among the options, clicking Add opens a window for creating it without switching to “Object > IP Address”.
Time Schedule: Click Add in the options or go to “Object > Schedule”.
The whole rule is effective only within the schedule and inactive outside it.
Bandwidth Management: Click Add in the options or go to “Object > QoS”.
Limits the traffic per second used by the whole rule.
Application Control: Click Add in the options or go to “Object > Application Control”.
The configured applications are blocked or have their bandwidth limited.
Maximum Number of Connections per Source IP: Default 0 means no limit. Otherwise each source IP address matching this policy is limited to that number of concurrent connections.
Internet Authentication: Click Add in the options or go to “Object > Internet Authentication” to create an authentication group.
Once applied, an authentication window appears for traffic between the source and destination addresses, and users must log in.
Portal: Click Add in the options or go to “Object > Application Control” to set user groups.
Once applied, a captive-portal message is shown to users when they access the interface.
URL Filtering: Click Add in the options or go to “Object > URL Filtering” to define blacklists and whitelists.
URLs on the blacklist are blocked; those on the whitelist are allowed.
IPS: Click Add in the options or go to “IPS” to create groups.
Packets matching this rule are passed to the IPS engine; whether a hit is logged or blocked is decided by the IPS settings.
DNS Filter: Click Add in the options or go to “Object > DNS Filter”.
DNS Filter sources include Sandstorm and custom lists, used to block domains associated with malware and trojans.
Max Quota (per Source IP): Upload and download allowance per source IP address for this rule; default 0 means no limit.
When the quota is exceeded, the action set under After Quota Exhausted Action is taken.
Action after running out of the quota: Subsequent packets are either dropped or handed to the next rule.
- DROP: Packets over the quota are discarded and the user's browser shows the text set in Web Block Message.
- Continue to run next policy: Packets over the quota are processed by the next rule.
Web Block Message: Text shown in the user's browser explaining why access was denied after the quota was exhausted.
WEB(S): Two options, Virus Scan and Logging.
Virus Scan scans all passing HTTP/HTTPS traffic for viruses; Logging records HTTP/HTTPS browsing history.
The built-in ClamAV engine is enabled by default; the Kaspersky engine requires an authorization code to be uploaded first.
WEB Logging needs no prior configuration and takes effect as soon as it is enabled, recording every URI passing through NG-UTM, whether HTTP or HTTPS.
Recording HTTPS URIs has a prerequisite: NG-UTM's SSL certificate must be imported on every client to be logged, because the full URI of an HTTPS request is only visible once NG-UTM terminates and re-signs the TLS session.
The certificate is available at https://NG-UTM Management IP/myca.crt. IE and Chrome use the operating system's certificate store, so the certificate is trusted once installed there; Firefox keeps its own store, so it must be imported there separately with all three trust options ticked. Because this certificate lets NG-UTM decrypt HTTPS, distribute it only to devices under the organisation's management.
See 6-7. WEB Service.
SMTP LOG: Under “Mail Security > 10-1-1. Email Filtering and Logging”, configure the actions to perform: virus scanning, email audit, spam filtering and email backup. Each can be enabled individually or all at once.
Virus scanning, email audit and spam filtering must additionally be configured under Mail Security > Anti-Virus, Spam Filtering and Email Auditing respectively.

Outgoing Protection Settings

Determines whether firewall protection is applied to packets on the incoming interface.
Each policy can enable firewall protection, but NG-UTM has a single, global protection configuration, set under “Object > Firewall Protection”.

Figure 4-6 Protection of Policy

4-1-2. Incoming

All control of traffic entering an internal ZONE is set here, for example when an internal ERP server must be reachable by external users.
Click the edit icon of a policy to open the configuration screen and modify the basic, advanced and protection settings.

Incoming Basic Settings

There are three IP address translation modes: IP mapping, port mapping and server load balancing, each with a different purpose.
In short, IP mapping is a one-to-one mapping between an external and an internal address; port mapping and server load balancing are one-to-many.
Policy Name: Name by which administrators recognise the policy; any Chinese or English text, for example “ERP server”.
Source Interface: NG-UTM is managed per ZONE, and every packet entering or leaving a ZONE can be controlled.
Since this is Incoming control, the selectable ZONE is the external interface on which traffic arrives; the system lists all external interfaces.
IP Address Translation: See Incoming Basic Settings > Network Address Translation below.
Protocol: Four options: Any, TCP, UDP and ICMP. Select the protocol this policy should govern; the default is Any.
Source: Source IP address the policy matches. For the interface (ZONE) this is the external address from which the packet enters NG-UTM.
Two modes are available, Option mode and Custom mode; the default is Option mode.
  • Option mode: The system offers the address tables or groups already created under “Object > IP Address”.

  • Custom mode: Administrators enter source IP addresses or MAC addresses directly.

Destination: For Incoming policies, the internal address to be reached. Two modes are available, Option mode and Custom mode; the default is Option mode.
  • Option mode: The system offers the following destination addresses for selection:

A. Internal ZONEs defined under “Network > Network Interfaces”.
B. Address tables or groups created under “Object > IP Address”.
  • Custom mode: Administrators enter destination IP addresses or MAC addresses directly.

Source Port Group: Restricts the source port. Three options: a default service table, a custom service group, or directly entered port numbers.
NG-UTM lists common services such as HTTP and FTP. To keep the number of policies small, several services can be combined into one service group,
defined under “Object > Service”; defined objects appear as options. Selecting “User Defined” allows ports to be typed into the field.

note

Caution!
In IPv4 environments PAT is widely used, so the source port is normally not fixed and can be any value from 1 to 65535;
consider carefully whether a source-port restriction is needed at all. When no group is specified, the default is all ports.
Destination Port Group: Restricts the destination port. Three options: a default service table, a custom service group, or directly entered port numbers.
NG-UTM lists common services such as HTTP and FTP. To keep the number of policies small, several services can be combined into one service group,
defined under “Object > Service”; defined objects appear as options. Selecting “User Defined” allows ports to be typed into the field.

note

Caution!
In IPv4 and IPv6 environments the destination port identifies the service being controlled; for example, to allow only HTTP in, enter HTTP here.
When no group is specified, the default is all ports.
NAT: When checked, the source IP address of packets matched by this policy is rewritten to an internal address, normally the address bound to the internal interface.
Scenario: An internal server restricts access by source address and accepts only internal clients. To let external users in without changing the server's own access policy, check NAT in the rule. Note that the server then sees NG-UTM's internal address instead of the real client address, so its own logs and per-client controls no longer identify external users; rely on NG-UTM's policy records for attribution in that case.
Action: How packets matching the above criteria are handled: permit lets the packet through, deny discards it.

note

Caution!
Advanced-settings functions such as IPS and URL control only apply when the Action is allow; with deny the packet is discarded first and the advanced settings are never reached.

Incoming Basic Settings > Network Address Translation

1. Mapped IP
An address set under “Network > Network Interfaces > External Network ZONE > Interface Address” is translated one-to-one to the internal address that provides the service.
For example, if the address set under “External Network ZONE > Interface Address” is 192.168.1.200 and it should correspond to the internal address 10.10.1.200,
every packet sent from outside to 192.168.1.200 is translated to 10.10.1.200.
To configure IP mapping for this example:
1. Under the policy's “Basic Setting > IP Address Translation”, select “IP Mapping” and enter the internal address 10.10.1.200.
2. Choose ANY for “Source Network”. To restrict the source network, select an IP set already defined in the address table, or click “Switch to Custom” and enter the permitted source addresses.
3. For “Destination Network”, choose the address 192.168.1.200 already set under “Network Settings > Network Interfaces > External Network ZONE > Interface Address”, or click “Switch to Custom” and enter the external address directly.
4. Check “Source Interface” and select the correct external interface; without it, external connections are not admitted.
2. Mapped Port
Port mapping is one-to-many NAT: a single external address is redirected to different internal hosts depending on the destination service port. Map only the ports that are actually needed, since every mapped port is a service exposed to the external network.
As with IP mapping, the source interface must be selected; if it is not set, access is denied.
In theory one public address can front up to 65,535 internal services, one per port.
After selecting “Port Mapping” and clicking the modify button, a new window opens in which the internal IP address and port for each service are entered.

Figure 4-7 Port Mapping Settings

For example, under “External Network ZONE > Interface Address” an external address 192.168.1.200 is defined.
Externally, 192.168.1.200 offers three services, WEB, FTP and DNS,
which are served by three different internal hosts: 10.10.1.200, 10.10.1.100 and 10.10.1.50 respectively.
In the port mapping table, enter the following under “Translated IP Address”:
A. 10.10.1.200 / Destination Port: 80
B. 10.10.1.100 / Destination Port: 21
C. 10.10.1.50 / Destination Port: 53
The “Destination Port” usually equals the “Original Destination Port” but may differ; if so, the port seen externally and the port the internal host listens on are not the same.
In the basic settings, additionally:
1. Check “Source Interface” and select the correct external interface so that external connections are admitted.
2. Choose ANY for “Source Network”. To restrict the source network, select an IP set already defined in the address table, or click “Switch to Custom” and enter the permitted source addresses.
3. For “Destination Network”, choose the IP address; in this example 192.168.1.200.
The system lists the addresses already defined in the “Address Table”; alternatively click “Switch to Custom” and enter the external address directly.
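The IP-mapping and port-mapping procedures above, modelled in Python as an added example that is not NG-UTM's code. It implements the two lookups as a small destination-NAT table and, because the server's reply has to leave with the external address again, keeps the per-connection state needed to reverse the translation. The address 192.168.1.201 used for the port-mapping rows (a second external address, assumed so that both modes can coexist in one table), the internal DNS port 5353 and the client addresses are constructed for the example; checking the port-mapping table before the IP-mapping table is a choice made here, not a documented precedence.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IpMap:
    """IP Mapping: one-to-one, every port of external_ip goes to internal_ip unchanged."""
    external_ip: str
    internal_ip: str


@dataclass(frozen=True)
class PortMap:
    """Port Mapping row: (external_ip, proto, original_port) -> (internal_ip, internal_port)."""
    external_ip: str
    proto: str
    original_port: int
    internal_ip: str
    internal_port: int


class Dnat:
    """Destination NAT for inbound policies plus the reverse rewrite of server replies."""

    def __init__(self, ip_maps, port_maps):
        self.ip_maps = {m.external_ip: m.internal_ip for m in ip_maps}
        self.port_maps = {(m.external_ip, m.proto, m.original_port): m for m in port_maps}
        # (internal_ip, internal_port, client_ip, client_port, proto) -> (external_ip, original_port)
        self.conntrack = {}

    def inbound(self, pkt):
        """Rewrite the destination of a packet arriving on the external interface.

        Returns the rewritten packet, or None when no mapping exists (the packet
        then falls through to the implicit deny)."""
        row = self.port_maps.get((pkt["dst"], pkt["proto"], pkt["dport"]))
        if row is not None:
            new_dst, new_port = row.internal_ip, row.internal_port
        elif pkt["dst"] in self.ip_maps:
            new_dst, new_port = self.ip_maps[pkt["dst"]], pkt["dport"]
        else:
            return None
        key = (new_dst, new_port, pkt["src"], pkt["sport"], pkt["proto"])
        self.conntrack[key] = (pkt["dst"], pkt["dport"])
        return dict(pkt, dst=new_dst, dport=new_port)

    def reply(self, pkt):
        """Reverse translation for the server's reply: restore the external address and
        original port as source so the client sees the address it connected to."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if key not in self.conntrack:
            return None   # no matching inbound connection: treat as unsolicited
        ext_ip, ext_port = self.conntrack[key]
        return dict(pkt, src=ext_ip, sport=ext_port)


def example_table():
    """Constructed tables following the manual's examples: 192.168.1.200 is IP-mapped
    to 10.10.1.200; 192.168.1.201 (assumed second external address) is port-mapped
    to three internal hosts, the DNS row using a different internal port."""
    return Dnat(
        ip_maps=[IpMap("192.168.1.200", "10.10.1.200")],
        port_maps=[
            PortMap("192.168.1.201", "TCP", 80, "10.10.1.200", 80),
            PortMap("192.168.1.201", "TCP", 21, "10.10.1.100", 21),
            PortMap("192.168.1.201", "UDP", 53, "10.10.1.50", 5353),
        ],
    )


if __name__ == "__main__":
    d = example_table()
    q = {"proto": "UDP", "src": "203.0.113.5", "sport": 51000, "dst": "192.168.1.201", "dport": 53}
    print(d.inbound(q))   # dst 10.10.1.50, dport 5353
```

The contrast worth noticing is in `inbound`: the IP-mapped address forwards any port the policy's destination port group lets through, whereas a port-mapped address forwards nothing that has no row, which is why port mapping is the tighter choice for a host that publishes only a few services.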

Note

For web servers, NG-UTM provides WAF protection. For details see Chapter 9. WAF.

3. Server Load Balance
NG-UTM can balance server load: one service is distributed across two or more internal servers according to the configured weights and allocation mode, so different servers carry different shares.
As with IP mapping, a source interface must be selected before configuring server load balancing; only traffic from the selected interfaces is admitted.
Selecting Server Load Balancing and clicking the modify button opens a window in which the addresses and services to balance are configured.
In the example below, the WEB service of 192.168.1.200 is distributed across two internal servers, 10.10.1.100 and 10.10.1.200, according to their weights.

Figure 4-8 Server Load Balancing

1. First set the Original Destination Port, chosen from the service table or entered manually as a TCP port.
Load is distributed per service, so each port needs its own entry.
2. Two allocation modes are available, Sequential Round Robin and By Source IP, and both use weights to divide the load among the translated addresses.
· Sequential Round Robin: Connections are handed to the backend addresses in turn, in proportion to their weights.
For example, with 10.10.1.200 at weight 1 and 10.10.1.201 at weight 2, the first connection goes to 10.10.1.200, the second and third to 10.10.1.201, the fourth to 10.10.1.200, and so on.
· By Source IP: Backends are assigned per source IP address, so all connections from one client go to the same backend.
For example, the first source address is assigned to 10.10.1.200, the second and third distinct source addresses to 10.10.1.201, and so on.
In the basic settings, additionally:
1. Check Source Interface and select the correct external interface so that external connections are admitted.
2. Choose ANY for Source Network. To restrict the source network, select an IP set already defined in the address table, or click Switch to Custom and enter the permitted source addresses.
3. For Destination Network, choose the IP address; in this example 192.168.1.200.
The system lists the addresses already defined in the Address Table; alternatively click Switch to Custom and enter the external address directly.
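The two allocation modes described above, implemented in Python as an added example (not NG-UTM's own code). It reproduces the weighted sequence from the manual's 1:2 example and keeps one balancer per original destination port, matching the requirement that each port has its own entry. The pool, the mode names `round_robin` and `by_source_ip`, and the client addresses are constructed for the example; the per-source affinity in By Source IP mode is modelled as first-seen assignment over the weighted cycle, which follows the ordering the manual gives.

```python
class ServerLoad:
    """Server Load Balance for one original destination port, in the two allocation
    modes described above: Sequential Round Robin and By Source IP."""

    def __init__(self, backends, mode):
        # backends: [(internal_ip, weight), ...]; the weighted cycle repeats each
        # backend `weight` times, so weights 1:2 yield A, B, B, A, B, B, ...
        if mode not in ("round_robin", "by_source_ip"):
            raise ValueError("unknown mode: %s" % mode)
        self.cycle = [ip for ip, weight in backends for _ in range(weight)]
        self.mode = mode
        self._next = 0
        self._sticky = {}   # source IP -> backend, used in by_source_ip mode

    def pick(self, src_ip):
        """Backend for a new connection from src_ip."""
        if self.mode == "round_robin":
            ip = self.cycle[self._next % len(self.cycle)]
            self._next += 1
            return ip
        # By Source IP: the first connection from a new source takes the next slot
        # of the weighted cycle; later connections from that source stay there.
        if src_ip not in self._sticky:
            self._sticky[src_ip] = self.cycle[len(self._sticky) % len(self.cycle)]
        return self._sticky[src_ip]


class LoadBalancer:
    """One external address with a separate ServerLoad per original port."""

    def __init__(self, external_ip, pools):
        # pools: {original_port: ([(internal_ip, weight), ...], mode)}
        self.external_ip = external_ip
        self.pools = {port: ServerLoad(backends, mode)
                      for port, (backends, mode) in pools.items()}

    def pick(self, dst_ip, dport, src_ip):
        """Translated backend for a connection, or None if the service is not balanced."""
        if dst_ip != self.external_ip or dport not in self.pools:
            return None
        return self.pools[dport].pick(src_ip)


def manual_example(mode):
    """Constructed pool following the manual's example: WEB on 192.168.1.200 spread
    over 10.10.1.200 (weight 1) and 10.10.1.201 (weight 2)."""
    return LoadBalancer("192.168.1.200",
                        {80: ([("10.10.1.200", 1), ("10.10.1.201", 2)], mode)})


if __name__ == "__main__":
    lb = manual_example("round_robin")
    print([lb.pick("192.168.1.200", 80, "203.0.113.%d" % i) for i in range(6)])
```

Two properties of the model are worth keeping in mind when choosing a mode: By Source IP gives session affinity, but many clients behind one upstream NAT share a source address and therefore all land on one backend; and neither mode here checks backend health, so a server that is down still receives its share until it is removed from the pool.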

Advanced Settings

For packets that match the basic settings and whose action is allow, NG-UTM can apply the following advanced actions, including time schedules, IPS and SMTP logging.
Each item must be configured in the corresponding object beforehand for the whole policy to take effect.

tip

Each item has an option to Add. When the desired content is not available in the options, clicking Add will automatically open a new page for administrators to quickly add management items.
For example: If the desired address table is not available in the options, clicking Add will open a new window for administrators to add an address table without switching to Management Object > Address Table settings.
Time Schedule: You can directly click Add in the options or go to Management Object > Time Schedule to set up.
Create a time schedule for policies to be effective only within the specified time range; otherwise, they are ineffective.
Bandwidth Management: You can directly click Add in the options or go to Management Object > Bandwidth Management to set up.
Establish bandwidth control for the entire rule, limiting the traffic used per second.
Application Control: You can directly click Add in the options or go to Management Object > Application Control to set up.
Create application policies to block or limit the usage bandwidth of specified applications after application control is applied.
Maximum Connections per Source IP: Default is 0, indicating no control. After setting the maximum number of connections, each source IP address that matches this policy will be limited to the maximum number of connections.
IPS: You can directly click Add in the options or create a group in IPS > IPS Settings.
When applied, packets of this rule will be compared in IPS feature set, and the packets matching IPS settings will be either logged or blocked.
WEB Logging does not require prior configuration and takes effect immediately. It logs all URIs in WEB protocols passing through NG-UTM, whether it’s HTTP or HTTPS.
To enable NG-UTM to log HTTPS URIs, a prerequisite action is required, which is to import NG-UTM’s SSL certificate for every user to be logged.
The certificate can be downloaded from https://<NG-UTM management IP>/myca.crt. Opening that URL in IE or Chrome starts the import into the system certificate store automatically, whereas Firefox manages its own certificate store. When using Firefox, the certificate therefore has to be imported again there, and all three options need to be enabled.
Refer to 6-7, WEB Services.
SMTP Logging: In Mail Security > Mail Filtering and Logging, configure the items to be executed, including virus scanning, email auditing, spam filtering, email backup, and other functions, each of which can be enabled individually or all at once.
When enabling virus scanning, email auditing, and spam filtering, separate settings are also required in Mail Security > Anti-Virus, Spam Filtering, and Email Auditing respectively.
WAF: Refer to Chapter 9, WAF.

note

SMTP Logging and WAF apply the same rules to the entire NG-UTM and cannot be customized per interface.
Therefore, administrators can only choose to enable or disable them. Once enabled, the same mechanism applies to every rule on the device.

Incoming Protection Settings

For packets entering the interface, whether to provide firewall protection.
Each policy can be configured with firewall protection, but the entire NG-UTM has only one configuration for firewall protection capabilities, which is set in Object > Firewall Protection.

4-1-3. Advance

Clicking on the edit icon of a policy will take you to the configuration screen where you can modify Basic Settings, Advanced Settings, and Protection Settings.
Advance is an advanced version of policies, encompassing both Outgoing and Incoming functionalities.
In Basic Settings, selecting the corresponding IP Address Translation will switch the source interface to either Outgoing or Incoming settings.
The application scenarios for these five IP Address Translation options are explained as follows:
1. Routing: Typically used for control between internal zones.
2. NAT: Commonly applied for control when internal zones need to access external resources.
3. IP Mapping: Maps external IP addresses to specific internal IP addresses, with all ports being translated together.
4. Port Mapping: Maps specific ports of external IP addresses to specific ports of internal IP addresses.
5. Server Load Balancing: Maps specific ports of external IP addresses to specific ports of two or more different internal IP addresses, where these two different internal IP addresses are performing the same function, such as a WEB server.
For IP Mapping, Port Mapping, and Server Load Balancing, please refer to Incoming Basic Settings > Network Address Translation.

Note

The priority of Advance is higher than Outgoing and Incoming. If the same policy is set separately in Outgoing, Incoming, and Advance, Advance will take precedence.

4-1-4. SYN Protection

Clicking on the edit icon of a policy will lead you to the configuration screen where you can modify Basic Settings, Advanced Settings, and Protection Settings.
Hackers commonly use SYN attacks to cripple servers. NG-UTM provides SYN protection mechanisms to safeguard backend servers from many abnormal SYN attacks, ensuring normal service operation.
Because it protects backend servers, its settings are the same as Incoming rules, providing IP Mapping, Port Mapping, and Server Load Balancing as the three IP address translation methods.
• Operation of SYN Protection
The three-way handshake of TCP occurs when a client wants to establish a TCP connection with a server. In sequential order, the client and server exchange information as follows:
A. The client sends a SYN packet to the server to request a connection.
B. The server responds to the client with a SYN-ACK to acknowledge the request.
C. The client responds with an ACK, and the TCP connection is established. During a SYN attack, the client does not respond with an ACK.
Because hackers send many SYN requests to the server, occupying server resources and causing normal TCP connection requests to be unusable, the server’s services may be paralyzed.
NG-UTM’s protection mechanism takes over steps A to C itself, confirming that the connection is genuine before passing it to the backend server. The device absorbing the attack is therefore the NG-UTM, not the backend server.
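A simplified model of the handshake mediation described in steps A to C, added here as an example and not NG-UTM's own code: the proxy answers each SYN itself, hands a session to the backend only after the client's ACK arrives, and drops further SYNs from a source that already has too many unanswered ones (the limit is a constructed parameter standing in for Maximum Connections per Source IP). The backend address 172.16.5.200 comes from the worked example later in this chapter; the client addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str      # client IP
    sport: int    # client port
    flags: str    # "SYN", "ACK" or "RST", as sent by the client


class SynProtectionProxy:
    """Stand-in for the SYN protection front end. It performs steps A to C with
    the client and only hands a session to the backend once the client's ACK
    proves the handshake is genuine, so half-open state lives on the proxy and
    never on the backend server."""

    def __init__(self, backend_ip: str, max_half_open_per_source: int = 0):
        self.backend_ip = backend_ip
        self.max_half_open = max_half_open_per_source           # 0 = no limit
        self.half_open: Dict[Tuple[str, int], bool] = {}       # SYN seen, no ACK yet
        self.backend_sessions: List[Tuple[str, int]] = []      # handed to the server
        self.dropped = 0

    def half_open_from(self, src: str) -> int:
        return sum(1 for s, _ in self.half_open if s == src)

    def receive(self, seg: Segment) -> str:
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            # Step A: refuse once a source has too many unanswered SYNs.
            if self.max_half_open and self.half_open_from(seg.src) >= self.max_half_open:
                self.dropped += 1
                return "DROP"
            self.half_open[key] = True
            return "SYN-ACK"            # step B, answered by the proxy, not the server
        if seg.flags == "ACK" and key in self.half_open:
            del self.half_open[key]    # step C completed: the connection is genuine
            self.backend_sessions.append(key)
            return f"FORWARD to {self.backend_ip}"
        if seg.flags == "RST" and key in self.half_open:
            del self.half_open[key]
            return "CLOSE"
        return "IGNORE"                 # e.g. an ACK with no matching SYN


def run_trace(segments: List[Segment], max_half_open: int = 3) -> Tuple[int, int, int]:
    """Feed a trace through a fresh proxy.
    Returns (sessions the backend saw, half-open entries left, SYNs dropped)."""
    proxy = SynProtectionProxy("172.16.5.200", max_half_open)
    for seg in segments:
        proxy.receive(seg)
    return len(proxy.backend_sessions), len(proxy.half_open), proxy.dropped


# Constructed trace: one client completes its handshake; a second source sends
# five SYNs and never answers the SYN-ACK (the abnormal case from step C).
SAMPLE_TRACE = [
    Segment("198.51.100.5", 40001, "SYN"),
    Segment("198.51.100.5", 40001, "ACK"),
] + [Segment("203.0.113.9", 50000 + i, "SYN") for i in range(5)]

if __name__ == "__main__":
    print(run_trace(SAMPLE_TRACE))   # -> (1, 3, 2): backend saw one genuine session
```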
In Basic Settings, selecting different IP Address Translation options will switch the interface to the corresponding setting.
SYN protection has three rules, and their application scenarios are explained as follows:
1. Mapped IP: Maps external IP addresses to specific internal IP addresses, with all ports being translated together.
2. Mapped Port: Maps specific ports of external IP addresses to specific ports of internal IP addresses.
3. Server Load Balance: Maps specific ports of external IP addresses to specific ports of two or more different internal IP addresses, where these two different internal IP addresses are performing the same function, such as a WEB server.
For explanations of these three options, please refer to Incoming Basic Settings > Network Address Translation.
Advanced settings for SYN protection only include Time Schedule, Bandwidth Management, Application Control, and Maximum Connections per Source IP.

4-2. IPSec Policy

IPSec policies are configured similarly to other policies, with fewer options and no need to select a source interface.
• Explanation of IPSec Control Display Page
When accessing IPSec control, NG-UTM will list all policies sequentially. IPv4 and IPv6 policies are displayed separately, with IPv4 rules being the default.
To switch to IPv6 policies, click on IPv6 at the top of the main menu, and the entire set of policies will switch to IPv6 mode.
Regardless of IPv4 or IPv6, the following items can be adjusted on this page:

Figure 4-9 IPSec Policy Control

No.: NG-UTM executes IPSec policies starting from the first rule, so the order of precedence significantly affects whether network packets pass through. Smaller numbers indicate higher priority.
Enable/Disable: Buttons to pause or enable policies. Clicking on this icon can pause previously enabled policies or enable previously paused ones.
Edit/Delete: Modify or delete this IPSec policy.
Statistics: Number of packets and traffic in and out for each policy. Pausing and re-enabling will reset the values to zero. Clicking on the number will display detailed in/out records of all network packets that match this rule.
When administrators are troubleshooting network issues or verifying if the targets of their settings are included in policies, they can utilize NG-UTM’s real-time packet communication feature by clicking on the number in the Statistics column of the IPSec policy, which captures and opens a new window for administrators to observe the inbound and outbound network packets.

Figure 4-10 IPSec Control Packet Record

Auto-Refresh: NG-UTM automatically updates packet communication records every 3 to 30 seconds, facilitating observation for administrators.
Clear: Clears all communication record data for re-recording and display.
Time: Time when IPSec network packets pass through.
Source IP/Port: Source IP address and port of this IPSec policy.
Destination IP/Port: Destination IP address and port of this IPSec policy.
Protocol: Protocol of this IPSec policy, including TCP/UDP/ICMP.
Packet Size: Size of packets for this connection, measured in bytes.
Outgoing Line: Outgoing line through which this packet passes from inside to outside. If displayed as “-”, the packet is a return packet from the remote TCP peer.

IPSec Policy > Basic Settings

The source and destination of each IPSec policy are set in Basic Settings.
Since it’s exclusive to IPSec VPN channel control mechanisms, one end of the source or destination is the IPSec channel.

Figure 4-11 Basic Settings of IPSec Policy

Name: Name of the IPSec policy for easy identification by administrators, allowing any characters in both Chinese and English, for example, Block Internet Access.
Protocol: Three options for protocols: Any, TCP, and UDP.
Choose the type of protocol that this IPSec policy wants to control, with the default being Any.
Direction: Two direction options for simple differentiation:
· To IPSec: From inside through the IPSec VPN channel to the remote.
· IPSec To: From the IPSec VPN channel into the inside.
Source Network: Depending on the selected Direction, the source network will vary.
If Direction is To IPSec, the source network is the IP address of the internal ZONE; if Direction is IPSec To, then the source network is the IP address at the other end of the IPSec VPN channel.
· Option Mode: System lists the address tables or groups already created in “Management Target > Address Table”.
· Define Mode: Enter the source IP address or MAC address directly.
Destination Network: Depending on the selected Direction, the destination network will vary.
If Direction is To IPSec, the destination network is the IP address at the other end of the IPSec VPN channel; if Direction is IPSec To, then the destination network is the IP address of the internal ZONE.
· Option Mode: System lists the address tables or groups already created in “Management Target > Address Table”.
· Define Mode: Enter the destination IP address directly.
Port or Group: Limit the communication ports passing through the IPSec VPN channel, with three types to choose from: Default service table, Custom service group, and User-defined.
NG-UTM lists commonly used service tables, such as HTTP and FTP. To reduce the number of policies, multiple services can be combined into one service group, which must be defined in advance in “Management Target > Service Table”; defined objects then appear in the options. If User-defined is selected, fill in the port in the blank space that follows.

note

Usage Note!
In the IPv4/IPv6 environment, if no group is specified, it represents all communication ports.
Action: Specify how packets matching the above criteria should be handled, with options to allow or deny.
Allow means letting the packet pass through and then further processing in advanced settings such as scheduling or bandwidth management, while Deny means discarding the packet.

IPSec Policy > Advanced Settings

For network packets that meet the criteria set in Basic Settings and have their Action set to allow, NG-UTM can perform the following advanced actions, including scheduling, bandwidth management, and NAT (limited to the direction of IPSec To cases).

Figure 4-12 IPSec Policy Advanced Settings

Schedule: Create a schedule to control the time in “Object > Schedule”. The entire IPSec rule will only be effective within the specified schedule and will be ineffective outside the schedule.
QoS: Create bandwidth restrictions in “Object > Bandwidth Management”. The traffic usage per second for the entire rule will be limited. If not configured, it will utilize the maximum bandwidth provided by the line.
Maximum Concurrent Sessions for Each Source IP Address: Default is 0, indicating no restriction. When setting the maximum number of connections, each source IP address that meets this policy will be limited to the specified maximum number of connections.
NAT: Perform NAT action for packets entering the network interface from the IPSec VPN channel.
When it is checked, the source IP address of this rule will be replaced with the internal IP address, usually the IP address bound to this internal interface.
Usage: Internal servers restrict source IP addresses, only open to internal use. When it is necessary to allow external users to access, besides modifying the internal server’s policies, another method is to check NAT in the rule.

4-3. SD-WAN Policy

NG-UTM has the functionality of SD-WAN, which integrates various types of circuits including MPLS, IP Tunnel, or IPSec VPN, and allocates or manages the communication protocols or bandwidth used for each circuit.
Before performing the control, it is necessary to go to “VPN > SD-WAN” to define each type of channel used.
A simple application diagram is as follows: Between two points, MPLS dedicated lines are used, and an additional backup line is established using IPSec VPN over the Internet. At this point, the administrator can allocate the load distribution mechanism between the two points, for example: using MPLS for MAIL and IPSec VPN for ERP. When any line fails, the other line takes over immediately.

Figure 4-13 SD-WAN Diagram

In addition to redundancy for MPLS circuits, multiple IPSec VPN or IP Tunnel VPN channels can also be established, and the required load for communication on both sides can be allocated to suitable channels.

Figure 4-14 Multiple SD-WAN Diagram

• Explanation of SD-WAN Control Display Page
When entering SD-WAN control, NG-UTM will list all policies sequentially. Policies for IPV4 and IPV6 are listed separately, with NG-UTM defaulting to display IPV4 policies.
To switch to IPV6 policies, click IPV6 above the main menu, and the entire set of policies will switch to IPV6 mode.
Regardless of IPV4 or IPV6, the items that can be adjusted by administrators on this page are as follows:

Figure 4-15 SD-WAN Policy Control

【Priority】: NG-UTM executes policies starting from the first SD-WAN policy, so the matching order is crucial for whether network packets pass through or not. A smaller number indicates higher priority.
【Enable】: Button to pause or enable SD-WAN policies. Clicking here can pause the originally enabled SD-WAN policy or enable the originally paused one.
【Edit/Delete】: Modify or delete this SD-WAN policy.
【Statistics】: The number and traffic of packets entering and leaving each policy. Pausing and re-enabling will reset the values to zero. Clicking the number will display detailed records of all network packets that match this rule entering and leaving.
When administrators are troubleshooting network issues or want to confirm whether the target setting has entered the policies, they can use the real-time communication function provided by NG-UTM.
Click the number in the “Statistics” field of the SD-WAN policy, and NG-UTM will extract and open a new window for administrators to observe the incoming and outgoing network packets.

Figure 4-16 SD-WAN Control Packet Records

【Auto Update】: NG-UTM automatically updates packet communication records every 3-30 seconds, making it convenient for administrators to observe.
【Clear】: Clears all communication record data and re-records and displays.
【Time】: Time when SD-WAN network packets pass through.
【Source IP/Port】: Source IP address and PORT of this SD-WAN policy.
【Destination IP/Port】: Destination IP address and PORT of this SD-WAN policy.
【Protocol】: Communication protocol of this SD-WAN policy, including TCP/UDP/ICMP.
【Packet Size】: Packet size for this connection, measured in Bytes.
【Exit Circuit】: The circuit exit route for this packet from inside to outside. If it is “-”, it indicates a packet returned by the other party via TCP or a UDP packet.

SD-WAN Policy > Basic Setting

The source and destination of each SD-WAN policy are set in the basic settings. Since these policies are exclusive to the SD-WAN channel control mechanism, one end of the source or destination is always the SD-WAN channel.

Figure 4-17 Basic Settings of IPSec Policies

【Policy Name】: The name of the SD-WAN policy for easy identification by administrators. Any text in Chinese or English can be entered, for example: “Block Internet Access”.
【Protocol】: There are three options for protocols: All, TCP, and UDP.
Choose which type of protocol the SD-WAN policy wants to control. The default is All.
【Path】: There are two direction options, simply distinguished as follows:
· To SD-WAN: Establishing a connection from the local end to the other end of the SD-WAN channel.
· SD-WAN To: Establishing a connection from the SD-WAN channel to the local end.
Source: Depending on the selected Direction, the source network will vary.
If the Direction is To SD-WAN, then the source network is the IP address of the internal ZONE; if the Direction is SD-WAN To, then the source network is the IP address of the other end of the SD-WAN channel.
Option Mode: Select an address table or group already established in “Object > Address Table”.
Define Mode: Directly input the source IP address or MAC address.
Destination: Depending on the selected 【Direction】, the destination network will vary.
If the 【Direction】 is To SD-WAN, then the destination network is the IP address of the other end of the SD-WAN channel; if the 【Direction】 is SD-WAN To, then the destination network is the IP address of the internal ZONE.
· Option Mode: Select an address table or group already established in “Object > Address Table”.
· Custom Mode: Administrators directly input the destination IP address.
【Port or Group】: Restrict the communication ports passing through the IPSec VPN channel. There are three categories to choose from: Default Service Table, Custom Service Group, and User Defined.
NG-UTM lists commonly used service tables, such as HTTP, FTP, etc. To simplify the number of policies, multiple services can be integrated into one service group. These need to be defined in “Object > Service Table” beforehand. Defined targets will appear in the options. If 【User Defined】 is selected, the port can be manually entered in the space provided.

note

Note!
In IPV4/IPV6 environments, if no group is specified, it means all communication ports.
【Action】: How packets that match the above criteria should be handled. You can choose to allow or deny;
Allow means letting packets through and then performing advanced settings such as time schedules or bandwidth management. Deny means discarding packets.

SD-WAN Policy > Advanced Settings

For network packets that meet the criteria of the 【Basic Settings】 rule and have the action set to allow, NG-UTM can perform the following advanced actions.

Figure 4-18 SD-WAN Policy Advanced Settings

【Time Schedule】: Choose the time schedule to be controlled (established in “Object > Time Schedule”). The entire SD-WAN rule is only effective within the time schedule and ineffective outside of it.
【Bandwidth Management】: Set the bandwidth to be controlled (established in “Object > Bandwidth Management”). The traffic used per second by the entire rule will be limited.
【Max. Concurrent Sessions for Each Source IP Address】: Set the maximum number of concurrent sessions each source IP address may have.
【SD-WAN】: Displayed when the control direction is To SD-WAN.
For packets that match the basic settings and have the action set to allow, select which lines they should go through. SD-WAN can consist of multiple IPSec VPN channels or MPLS lines.
These combinations need to be set up in “VPN > SD-WAN” beforehand. After selecting the channel name, the system will automatically list all SD-WAN line names for that channel.
【NAT】: Displayed when the control direction is SD-WAN To.
For packets entering the network interface from the IPSec VPN channel, perform NAT action.
When checked, the source IP address of this rule will be replaced with an internal IP address, usually the IP address bound to the internal interface.
Usage: Internal servers control source IP addresses, only open to internal use. When it is necessary for external users to use it, besides changing the policies of the internal server, another way is to check 【NAT】 in the rule.

4-4. Example of Policy Application

This section uses practical examples and configuration steps to illustrate how NG-UTM policies can be used to manage all network behaviour.
A certain company uses NG-UTM as the first-line firewall and core switch and divides the internal network into four major areas based on the actual network security architecture: Wired Zone, Wireless Network Zone, External Service Zone, and Internal Server Zone. All external lines are integrated into one area, and the control requirements for each area are different.
The overall network architecture is as follows:

Figure 4-19 Example Network Architecture for Control

Example of Control Requirements:

Example | Network Interface              | Management Requirements
--------|--------------------------------|-------------------------------------------------------------------------------------------------------------
1       | Wired Zone (Zone 1)            | Cannot access blacklisted URLs and record browsing websites.
2       | Wireless Zone (Zone 2)         | Must authenticate when accessing the Internet and view bulletin boards; Internet access is prohibited after work hours.
3       | Internal Server Zone (Zone 3)  | Prohibit Internet access; only specific internal IP addresses are allowed to enter.
4       | External Service Zone (Zone 4) | Only web services are allowed in and out, and IPS and firewall protection are enabled.
5       | External Service Zone (Zone 4) | Only mail services are allowed in and out, and spam and virus email filtering are enabled.

Common Settings
This example uses NG-UTM with 14 Giga Ports configured. The device has a total of 14 physical ports, denoted as Eth0 to Eth13.
Zone0 (Eth0) is the system’s default zone, kept as the management port. Therefore, there are 13 ports available for allocation.
Administrators plan all physical ports and network IP addresses according to the table below:

Network Interface              | Quantity, Physical Port | IPV4 Address   | Description
-------------------------------|-------------------------|----------------|---------------------------------------------------
Wired Zone (Zone 1)            | 2, Eth1, Eth2           | 192.168.2.0/24 | Connected to L2 switch downstream
Wireless Zone (Zone 2)         | 1, Eth3                 | 192.168.5.0/24 | Connected to wireless AP
Internal Server Zone (Zone 3)  | 3, Eth4~Eth6            | 172.16.1.0/24  | Mail and web servers, no need for external switch
External Service Zone (Zone 4) | 5, Eth7~Eth11           | 172.16.5.0/24  | ERP and Data servers, no need for external switch
External Line (Zone 5)         | 2, Eth12, Eth13         | 61.22.23.24/32 | Only one external line connected

In the “Internal Server Zone (Zone 3)” and “External Service Zone (Zone 4)”, because there are few servers to be connected, they can be directly connected to the NG-UTM’s network ports, saving the use of switches.
In addition to easier management, the network path is simpler, with no intermediate switch to add interference.
A. Allocate Physical Ports
In “Network Settings > Area Settings”, allocate physical ports and zones according to the requirements.

Figure 4-20 Define each network interface and physical port

B. Set IP Addresses for Each Interface
1. Set the IP address and segment for each interface in “Network Settings > Network Interface”.
2. Newly added zones appear in the tabs above.
3. Newly added zones are initially set to OFF and need to be set to STATIC and saved.
4. Add the planned IP addresses and segments to the interface. Except for WAN-type interfaces, which require a default gateway, the default gateway field can be left blank when adding a new interface, because the configured IP address is itself the gateway address for users in that ZONE.
5. Decide whether to enable access control and firewall protection settings.
6. For external line zones, there is an option to “Define External Network”. When checked, this interface automatically becomes the interface for the system’s default gateway.

Figure 4-21 Configure network interfaces

C. Set Gateways
1. Set external lines in “Network Settings > Routing Management > Outbound Lines”.
2. If there are more than 2 lines, a line load balancing mechanism can be established in “Outbound Line Groups”.

Figure 4-22 Configure gateways

➤ Up to this point, the network configuration of the entire NG-UTM has been completed. Next, settings will be made for each requirement.

4-4-1. Example: Internet Access Control

Wired Zone (Zone 1) cannot access blacklisted URLs and record browsing websites.

1. Define the source of blacklisted URLs.
In “Object > URL Management > Blacklist Settings”, add a source for blacklisted URLs.

Figure 4-23 Create a URL blacklist source

Choose a blacklist database or define custom blacklisted URLs. Custom blacklists for HTTP and HTTPS are set separately.

Figure 4-24 Select URL and custom blacklist

2. Set the message displayed when blocking blacklisted websites.
In “Object > URL Management > Other Settings”, set the message to be displayed to users. The window on the right side of the figure shows the page displayed to users when blocked.

Figure 4-25 Blacklist blocking page

3. Create the blacklist.
In “Object > URL Management > URL Settings”, add a blacklist name, and select the newly created block blacklist.

Figure 4-26 Create a blacklist name

4. Configure WEB/HTTPS connections.
In “Network Services > WEB Service > WEB”, review various settings, including antivirus engine, page display when infected, maximum connections, and encryption certificates.
5. Apply policies.
Add a policy where the 【Source Interface】 is Zone 1 Wired Zone, the 【Action】 is allow, and the designated gateway is the external line. Since it is a virtual IP segment, NAT is required for Internet access, so select source address translation.

Figure 4-27 Basic settings of policies

In 【URL Control】, select the blocked blacklist created earlier, and enable 【WEB Virus Scanning and Recording】.
To enable SSL virus scanning and recording, each user must install the root certificate issued by NG-UTM on their personal computer.

Figure 4-28 Items to enable

Completed policy.

Figure 4-29 Completed policy

4-4-2. Example: Control IP Access

Internal Server Zone (Zone3) prohibits Internet access and only specific internal IP addresses are allowed to enter.

When creating policies, NG-UTM only offers a 【Source Interface】 option and has no 【Destination Interface】 option.
Therefore, to restrict which specific source IP addresses may enter the internal server zone, the destination IP addresses and segments must be defined in advance in addition to the source IP addresses.
1. Create source address tables and groups.
In “Object > Address Tables > Address Tables”, create computer names and IP addresses that can enter the ERP and database, for easy selection in policies.
Alternatively, you can skip this step and directly enter IP addresses in the policies.
When creating address tables, you can use a single IP address, IP+MAC address, MAC address, a network segment, or a domain.

Figure 4-40 Create source address tables

In “Object > Address Tables > Address Table Groups”, group different source IP addresses or segments together.

Figure 4-41 Create source address groups

2. Create destination IP address tables or segments for Zone 3 server zone.
In “Object > Address Tables > Address Tables”, create a new server IP segment.

Figure 4-42 Create destination addresses

3. Create policies.
In this case, the source interface is Zone 1 (Wired Zone), and only its specific source IP addresses may reach the specific destination IP addresses in the internal server zone.
The basic settings are as follows, allowing network packets that meet the conditions to enter the destination segment.

Figure 4-43 Completed policies

4. Prohibit Internet access for Zone3’s network.

Figure 4-44 Prohibit Internet access for Zone 3

5. Completed policies.

Figure 4-45 Completed policies

4-4-3. Example: Web Server

The External Service Zone (Zone 4) only allows Web services to enter and exit, and IPS and firewall protections are enabled.

The external IP address is defined on Zone 5, while the actual external service is on Zone 4, with different IP addresses for the two. Therefore, administrators need to plan which legitimate IPV4 IP addresses should map to which internal IP addresses.
1. Establish which Zone 5 IP addresses are to be mapped to Zone 4.
In “Object > IP Address > IP Address,” create a new external service IP address table. The purpose of creating the address table in advance is to facilitate selection and application in control rules. If the address table is not created, the IP addresses can also be entered directly in the control rules.

Figure 4-46 Create IP Address Table

At the same time, create 2 external service IP addresses on Zone 5.

Figure 4-47 Completed IP Address Table

2. Create a service table for services available to users.
In “Object > Services > Service Group,” create services available externally. One server is a Web Server, and the other is a Mail Server. The Web Server also provides DNS Server queries. The example of the service table for the Web Server is as follows:

Figure 4-48 Custom Services

3. Establish IPS protection.
In “IPS > IPS Setting,” create an IPS rule to block high-risk threats, and log other risk levels.

Figure 4-49 Select IPS Mode and Block

4. Create control rules for the Web Server.
When establishing the external-to-internal mapping mechanism, there are several points that need special attention:

Figure 4-50 Control Rules and IP Mapping

(1) Source Interface: Which source interfaces are allowed to access the external service server zone? In addition to computers on the Internet in Zone 5, administrators can also select additional interfaces. For example, if you want both wired and wireless internal zones to access your company’s website, these source interfaces need to be selected; otherwise, even internal users will not be able to view the website content. Generally, without any control rules, communication between zones is completely blocked.
(2) Destination Network: The legitimate IP address for external access. When packets from the Internet are destined for the destination IP address, NG-UTM will handle this packet. The example is 61.22.23.20.
(3) Destination Port Group: Choose the established Web service group. If the destination address translation mechanism is Port Mapping or Server Load Balancing, the corresponding Port will be set separately. This example uses IP Mapping, so you need to select which services are to be routed to the external server.
(4) Gateway: External gateway.
(5) IP Mapping: There are 3 modes, here using IP Mapping, which is 1-to-1 NAT, where the actual external service Web Server IP address is 172.16.5.200.
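To make points (1) to (5) concrete, here is a small policy evaluator written for this section as an added example (not NG-UTM's own code). It applies the chapter's matching rules, first match wins and a packet matching nothing is denied, to the Web Server IP Mapping rule above (61.22.23.20 mapped 1-to-1 to 172.16.5.200, on the Web and DNS service group) together with the Zone 3 rules from 4-4-2. The permitted Zone 1 host 192.168.2.10 and the Internet client addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    in_interface: str   # zone the packet arrived on
    src: str
    dst: str
    protocol: str       # "TCP", "UDP" or "ICMP"
    dport: int = 0


@dataclass
class Policy:
    name: str
    source_interfaces: Set[str]
    source_network: str               # "ANY" or a CIDR / host
    destination_network: str          # "ANY" or a CIDR / host
    protocol: str = "ANY"             # "ANY", "TCP" or "UDP"
    ports: Set[int] = field(default_factory=set)   # empty = all ports
    action: str = "allow"             # "allow" or "deny"
    ip_mapping: Optional[str] = None  # internal IP for 1-to-1 IP Mapping
    hits: int = 0                     # the rule's Statistics counter

    @staticmethod
    def _in_net(spec: str, ip: str) -> bool:
        if spec == "ANY":
            return True
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        if pkt.in_interface not in self.source_interfaces:     # point (1)
            return False
        if self.protocol != "ANY" and self.protocol != pkt.protocol:
            return False
        if self.ports and pkt.dport not in self.ports:         # point (3)
            return False
        return (self._in_net(self.source_network, pkt.src)
                and self._in_net(self.destination_network, pkt.dst))   # point (2)


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """Compare the packet against the rules in order: the first match decides
    and no later rule is consulted. Returns (action, destination after NAT);
    a packet that matches no rule is denied."""
    for rule in policies:
        if rule.matches(pkt):
            rule.hits += 1
            if rule.action == "allow" and rule.ip_mapping:    # point (5), 1-to-1 NAT
                return "allow", rule.ip_mapping
            return rule.action, pkt.dst
    return "deny", pkt.dst


def example_policies() -> List[Policy]:
    """Fresh copy of the rules reconstructed from the worked example."""
    return [
        # 4-4-3: Internet, wired and wireless zones may reach the public Web Server
        # address on the Web service group (HTTP, HTTPS and DNS queries).
        Policy("Web Server", {"Zone5", "Zone1", "Zone2"}, "ANY", "61.22.23.20/32",
               "ANY", {80, 443, 53}, "allow", ip_mapping="172.16.5.200"),
        # 4-4-2: only a specific Zone 1 host (constructed) may enter the server zone.
        Policy("Server zone access", {"Zone1"}, "192.168.2.10/32", "172.16.1.0/24"),
        # 4-4-2: Zone 3 is prohibited from reaching anything else.
        Policy("Zone3 no Internet", {"Zone3"}, "ANY", "ANY", action="deny"),
    ]


if __name__ == "__main__":
    rules = example_policies()
    for pkt in [Packet("Zone5", "203.0.113.7", "61.22.23.20", "TCP", 443),
                Packet("Zone5", "203.0.113.7", "61.22.23.20", "TCP", 22),
                Packet("Zone1", "192.168.2.10", "172.16.1.5", "TCP", 3306),
                Packet("Zone3", "172.16.1.5", "198.51.100.1", "TCP", 443)]:
        print(pkt.in_interface, pkt.src, "->", pkt.dst, pkt.dport, evaluate(rules, pkt))
    print({r.name: r.hits for r in rules})
```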
5. Apply IPS protection and firewall protection.

Figure 4-51 Apply IPS and Firewall Protection

6. Completed Control Rules.

Figure 4-52 Completed Control Rules