Chapter 6 Service

NG-UTM provides the following network service functionalities:
1. DHCP
When the DHCP function is enabled, internal PCs can obtain IP addresses, DNS servers, and other information through the interface of NG-UTM.
2. DDNS
DDNS stands for Dynamic DNS, a service usually provided by a third party for hosts whose WAN IP address is not fixed. The domain name stays constant while the IP address behind it may change at any time.
Hosts with non-fixed IPs (PPPoE ADSL, DHCP cable, dial-up users) that want to run Web, Mail or FTP servers, or that simply need a stable network identity (a domain name), therefore require dynamic DNS.
3. SNMP
SNMP is a protocol specifically used for managing network nodes (servers, workstations, routers, switches, etc.).
Network administrators can use SNMP to receive messages, promptly identify and resolve network issues, or assist in planning the utilization of network resources.
4. DNS Server
DNS, the Domain Name System, is the service that lets computers on a network translate domain names into IP addresses (and back).
5. Anti-Virus Engine
Provides the ClamAV and Kaspersky anti-virus engine settings.
6. Sandstorm
NG-UTM provides WEB virus scanning, including scanning of image files, the number of scanning connections, the maximum file size scanned, and the certificate used for HTTPS inspection.
7. High Availability
NG-UTM’s hardware redundancy mechanism uses a Master/Backup mode. In normal operation, network traffic passes through the designated MASTER unit.
A BACKUP unit continuously mirrors the MASTER’s data. When the active MASTER fails, the BACKUP immediately takes over as MASTER so that internal and external connectivity is not interrupted.

6-1. DHCP

To connect a computer to the network, you must first configure its IP address, subnet mask, route, DNS, etc.
An enterprise may have hundreds of computers, and ordinary users are rarely familiar with network settings, so network administrators end up allocating and configuring them by hand.
A DHCP server removes this workload: computers on the network only need to be set to obtain an address automatically, and they receive their network settings when they boot.
When configuring a DHCP server, we set the IP address range, route, and DNS for users to obtain automatically. After the DHCP server is enabled, this information will be stored in memory.
When a computer using DHCP to automatically obtain an IP address connects to the network, it will broadcast to ask if there is a DHCP server on the network.
The DHCP server will respond and send the network configuration data to the client. After receiving this information, the client will set it as its IP address, DNS, etc.
Simply put, the scenario of DHCP allocating an IP address can be viewed as DHCP “leasing” IP addresses to clients.
DHCP leases have a time limit. When it expires, the client must obtain an address again; it may ask to keep the same IP, and the server normally renews it.
The maximum lease time caps how long a client can keep renewing the same address before a fresh lease is required, so that addresses held by machines that have left the network are eventually returned to the pool.
In addition to dynamic assignment, DHCP can also hand out fixed addresses. Every network card has a fixed hardware address (MAC, Physical Address).
You can view the MAC address with the ifconfig command on FreeBSD (ip link on Linux) or ipconfig /all on Windows. Below is a FreeBSD example:
# ifconfig
fxp0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet6 fe80::202:b3ff:fe48:7c74%fxp0 prefixlen 64 scopeid 0x1
inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
ether 00:08:c3:96:8c:22
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
The ether line, 00:08:c3:96:8c:22, is the network card address. A MAC address can be bound to a fixed IP address so that whenever this machine requests an address through DHCP, the server always returns the same one.
Note that a MAC address is trivial to spoof, so a DHCP reservation is a convenience for addressing, not an authentication or access control.
NG-UTM is designed as a UTM with ZONE interfaces, so every interface, including 802.1Q VLANs, can run its own independent DHCP server.
Basically, the settings for physical Port DHCP servers are the same, while VLAN settings may be slightly different.

6-1-1. DHCP User List

List users who have used DHCP services based on the selected interface.
The list shows each user’s hostname, lease time, and status (online or disconnected). Click the blacklist icon next to an entry to add that user’s MAC address to the DHCP blacklist (6-1-4).

6-1-2. DHCP Server

Interface: Select the interface to be configured, which can be a physical interface ZONE or a virtual VLAN interface.
If you select a virtual VLAN interface (802.1Q), a field will be added to list the current virtual Port interfaces for the administrator to choose from.
• IP Address of Physical ZONE: Select the interface address already set in “Network > 3-2. Interface > IP Address”.
• IP Address of Virtual VLAN: Select the IP address already set in “Network > 3-4. VLAN(802.1Q) > IP Address”.
DHCP Activation: Whether to enable this DHCP server.

Figure 6-1 DHCP Server

• DHCP Server Setting
Physical Interface: Automatically populated based on the selected interface.
IP Address: The IP address of this physical interface or the IP address of the virtual VLAN.
MAC Address: The MAC address of this physical interface.
Broadcast Address: The broadcast address related to the subnet, which is the last IP of the network segment. For example, the broadcast address of IP address 192.168.1.1/24 is 192.168.1.255.
IP Range 1 Start and End Addresses: Enter the start and end IP addresses for the DHCP server. For example: 192.168.1.20, 192.168.1.30, representing 11 IP addresses in this range.
IP Range 2 Start and End Addresses: Enter the start and end IP addresses for the DHCP server. For example, 192.168.1.200, 192.168.1.230, representing 31 IP addresses in this range.
Primary/Secondary DNS: The DNS servers handed to DHCP clients.
Primary/Secondary WINS: Optional. WINS provides NetBIOS name resolution within Windows LANs; set it only if clients still rely on it.
Lease Time: How long each address issued by the DHCP server stays valid before the client must renew it; default 720 minutes (12 hours).
Max Lease Time (minute): The upper bound on the lease time a client may request; default 720 minutes (12 hours).
Default Gateway: The gateway IP address handed to DHCP clients.
Custom: Define the gateway address yourself instead of deriving it from the interface; it is then unaffected by later changes to the network segment.
Domain Name: Optional. The DNS domain name (search suffix) handed to DHCP clients.
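
The broadcast-address and range-size arithmetic in the fields above, plus the consistency checks a practitioner wants before saving a pool, as an added example in Python (this is not NG-UTM code; the rule that a static lease should sit outside the dynamic ranges is general DHCP practice assumed here, and the interface, ranges and the MAC from the ifconfig output are the manual’s own example values):

```python
import ipaddress

def broadcast_address(interface_cidr):
    """Broadcast address for an interface given as address/prefix, e.g. 192.168.1.1/24."""
    return str(ipaddress.ip_interface(interface_cidr).network.broadcast_address)

def range_size(start, end):
    """Number of addresses in an inclusive DHCP range."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if b < a:
        raise ValueError(f"range end {end} precedes start {start}")
    return int(b) - int(a) + 1

def check_dhcp_pool(interface_cidr, ranges, gateway, static_leases):
    """Return a list of configuration problems (an empty list means the pool is consistent).

    ranges        : list of (start, end) dynamic ranges (IP Range 1, IP Range 2, ...)
    gateway       : default gateway handed to clients
    static_leases : list of (mac, ip) fixed assignments (DHCP Static IP)
    """
    problems = []
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    # Addresses that must never be leased dynamically.
    reserved = {iface.ip, net.network_address, net.broadcast_address, ipaddress.ip_address(gateway)}
    pools = []
    for start, end in ranges:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s not in net or e not in net:
            problems.append(f"range {start}-{end} is outside {net}")
            continue
        if e < s:
            problems.append(f"range {start}-{end}: end precedes start")
            continue
        for r in reserved:
            if s <= r <= e:
                problems.append(f"range {start}-{end} contains reserved address {r}")
        pools.append((s, e))
    for i in range(len(pools)):
        for j in range(i + 1, len(pools)):
            if pools[i][0] <= pools[j][1] and pools[j][0] <= pools[i][1]:
                problems.append(f"ranges {pools[i][0]}-{pools[i][1]} and {pools[j][0]}-{pools[j][1]} overlap")
    seen = {}
    for mac, ip in static_leases:
        mac = mac.lower()
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"static lease {mac} -> {ip} is outside {net}")
        if any(s <= addr <= e for s, e in pools):
            problems.append(f"static lease {mac} -> {ip} lies inside a dynamic range")
        if mac in seen:
            problems.append(f"MAC {mac} has two static leases ({seen[mac]} and {ip})")
        seen[mac] = ip
    return problems

# Constructed example matching the manual's values: interface 192.168.1.1/24,
# two dynamic ranges, one fixed lease for the NIC shown in the ifconfig output above.
EXAMPLE_RANGES = [("192.168.1.20", "192.168.1.30"), ("192.168.1.200", "192.168.1.230")]
EXAMPLE_STATIC = [("00:08:c3:96:8c:22", "192.168.1.50")]

if __name__ == "__main__":
    print(broadcast_address("192.168.1.1/24"))                  # 192.168.1.255
    print([range_size(s, e) for s, e in EXAMPLE_RANGES])        # [11, 31]
    print(check_dhcp_pool("192.168.1.1/24", EXAMPLE_RANGES, "192.168.1.1", EXAMPLE_STATIC))
```

Run it before committing a pool change: an empty list means the ranges are inside the subnet, do not overlap each other, do not swallow the interface, gateway, network or broadcast address, and no reservation collides with the dynamic ranges.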

6-1-3. DHCP Static IP

When defining the interface’s IP address list (5-1-1. IP Address List), select “IP and MAC addresses” as the Configuration Method and tick the “Get static IP address from DHCP Server” option. The computer with that MAC address will then receive the same fixed IP address from the DHCP server every time.

Figure 6-2 IP Address > DHCP Static IP Address Setting Window

The fixed IP addresses assigned by DHCP are listed in the table below.

Figure 6-3 DHCP Static IP Address List

6-1-4. DHCP Blacklist MAC

MAC addresses on the blacklist are refused DHCP service.
DHCP Flood Attack Protection: When enabled, NG-UTM detects an abnormally high rate of DHCP requests, blocks them, and automatically adds the sending MAC addresses to the blacklist. Note that a pool-exhaustion (starvation) attack uses a different spoofed MAC for every request, so a per-MAC blacklist alone does not stop it; watch the rate of new clients per interface as well, and enable DHCP snooping on the access switches where available.
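
What the flood detection above has to do, as an added example in Python (this is not NG-UTM’s implementation; the log lines are constructed in ISC dhcpd syslog format because the manual does not show NG-UTM’s own log format, and the thresholds are arbitrary assumptions). It applies two sliding-window checks to DHCPDISCOVER messages: one client sending far too often, which the blacklist handles, and a burst of never-seen MAC addresses on one interface, which is the starvation case the blacklist cannot handle:

```python
import re
from collections import defaultdict, deque

# ISC-dhcpd style syslog line (constructed; NG-UTM's own log format is not shown in the manual).
DISCOVER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)",
    re.IGNORECASE,
)

def syslog_seconds(ts):
    """'Jan 10 12:00:01' -> seconds within the month; enough to compare events a few seconds apart."""
    _, day, hms = ts.split()
    h, m, s = (int(x) for x in hms.split(":"))
    return int(day) * 86400 + h * 3600 + m * 60 + s

def parse_discover(line):
    m = DISCOVER_RE.match(line)
    if not m:
        return None
    return syslog_seconds(m["ts"]), m["mac"].lower(), m["iface"]

class DhcpFloodDetector:
    """per_mac_limit : one client retransmitting faster than any sane stack (blacklist the MAC)
    new_mac_limit   : many never-seen MACs on one interface (starvation attack; every request
                      carries a fresh MAC, so a per-MAC blacklist never fires)"""

    def __init__(self, window=10, per_mac_limit=5, new_mac_limit=20):
        self.window = window
        self.per_mac_limit = per_mac_limit
        self.new_mac_limit = new_mac_limit
        self.per_mac = defaultdict(deque)     # mac -> timestamps of recent DISCOVERs
        self.new_macs = defaultdict(deque)    # iface -> timestamps of first-seen MACs
        self.seen = set()
        self.blacklist = set()

    @staticmethod
    def _trim(q, now, window):
        while q and now - q[0] > window:
            q.popleft()

    def feed(self, line):
        """Process one log line; return the alerts it triggered (possibly none)."""
        parsed = parse_discover(line)
        if parsed is None:
            return []
        now, mac, iface = parsed
        if mac in self.blacklist:
            return []
        alerts = []
        q = self.per_mac[mac]
        q.append(now)
        self._trim(q, now, self.window)
        if len(q) > self.per_mac_limit:
            self.blacklist.add(mac)
            alerts.append(f"blacklist {mac}: {len(q)} DISCOVERs in {self.window}s via {iface}")
        if mac not in self.seen:
            self.seen.add(mac)
            nq = self.new_macs[iface]
            nq.append(now)
            self._trim(nq, now, self.window)
            if len(nq) > self.new_mac_limit:
                alerts.append(f"starvation suspected via {iface}: {len(nq)} new MACs in {self.window}s")
        return alerts

def run_sample():
    """Feed constructed traffic: one chattering client, some unrelated noise, then a burst of spoofed MACs."""
    chatter = [f"Jan 10 12:00:0{i} utm dhcpd: DHCPDISCOVER from 00:08:c3:96:8c:22 via eth1" for i in range(7)]
    noise = ["Jan 10 12:00:03 utm dhcpd: DHCPOFFER on 192.168.1.21 to 00:08:c3:96:8c:22 via eth1"]
    spoofed = [f"Jan 10 12:00:{10 + i // 5:02d} utm dhcpd: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth1"
               for i in range(25)]
    det = DhcpFloodDetector()
    alerts = []
    for line in chatter + noise + spoofed:
        alerts.extend(det.feed(line))
    return det.blacklist, alerts

if __name__ == "__main__":
    for alert in run_sample()[1]:
        print(alert)
```

The second check only produces an alert, not a blacklist entry, because blacklisting 25 random MACs achieves nothing; the response to starvation is rate-limiting or port security on the switch, not more blacklist rows.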

6-2. DDNS

In a network environment with dynamic IP addresses, DDNS lets internet users reach your server by domain name rather than by IP address, solving the problem of the changing address. NG-UTM pushes the interface’s current IP address to the DDNS provider at the configured interval, so administrators only need to remember the domain name issued by the provider to connect back to their server.
To make DDNS work, complete the following steps in advance:
1. Select a provider from the “Registered DDNS Services” drop-down menu and register with it.
2. After registering, follow the provider’s instructions to apply for a domain name.
3. Enter the DDNS information on the NG-UTM DDNS page.
4. NG-UTM then sends the current interface IP address to the DDNS server automatically.
• DDNS Server Configuration
Click the add icon below the DDNS list to open the Add Host page:

Figure 6-4 DDNS Settings

[Service]: Select the provider that offers DDNS services.
[Hostname]: Enter the DDNS host name you applied for in the first field, for example homelan.
The second field is the provider’s domain, for example 3322.org, so the complete domain name is homelan.3322.org.
[Interface]: Specify which interface’s IP address to use and update the DDNS server data.
[Account]: Enter the account name of the DDNS service you applied for.
[Password]: Enter the password of the DDNS service you applied for.
[Comment]: Any text describing this DDNS domain name.
[Enable]: Whether to activate this DDNS domain name.
• DDNS List
NG-UTM lists each DDNS domain name and its status.

Figure 6-5 DDNS Status

The status icon indicates either a normal update or a service failure.
The log icon displays the communication between the system and the DDNS server.
The update icon makes NG-UTM perform the DDNS update immediately.
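
The update step 4 performs, and the replies behind the normal/failure status icons, as an added example in Python (not NG-UTM’s client): it follows the widely implemented dyndns2-style update exchange, a GET to /nic/update with HTTP Basic authentication and a one-word reply. The endpoint URL is a placeholder assumption (check your provider’s documentation), and the hostname homelan.3322.org is the manual’s example.

```python
import base64
import urllib.parse
import urllib.request

# Placeholder endpoint (assumption): dyndns2-compatible providers expose a /nic/update URL.
UPDATE_URL = "https://members.ddns-provider.example/nic/update"

def build_update_request(hostname, ip, account, password, url=UPDATE_URL):
    """Build the GET request a dyndns2-compatible provider expects; nothing is sent here."""
    if urllib.parse.urlsplit(url).scheme != "https":
        # The account credentials travel as HTTP Basic auth, so refuse to send them in clear.
        raise ValueError("DDNS update endpoint must use https")
    query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
    req = urllib.request.Request(f"{url}?{query}", method="GET")
    token = base64.b64encode(f"{account}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("User-Agent", "ng-utm-ddns-example/1.0 admin@def.com")  # providers reject empty agents
    return req

def classify_response(body):
    """Map the provider's one-line reply to (state, detail).

    'ok'      -> record is correct (good = updated, nochg = already current)
    'stop'    -> configuration error; retrying only gets the account blocked ('abuse')
    'retry'   -> transient provider problem; try again at the normal interval
    'unknown' -> unrecognised reply; treat as failure and inspect the raw text
    """
    code, _, detail = body.strip().partition(" ")
    code = code.lower()
    if code in ("good", "nochg"):
        return "ok", detail
    if code in ("badauth", "notfqdn", "nohost", "abuse", "badagent"):
        return "stop", code
    if code in ("911", "dnserr"):
        return "retry", code
    return "unknown", body.strip()

def should_update(current_ip, last_sent_ip, seconds_since_last, min_interval=300):
    """Send when the address changed, or as a daily keep-alive; never faster than min_interval,
    because hammering the provider with unchanged updates is what earns an 'abuse' reply."""
    if seconds_since_last < min_interval:
        return False
    return current_ip != last_sent_ip or seconds_since_last >= 86400

if __name__ == "__main__":
    req = build_update_request("homelan.3322.org", "203.0.113.7", "user", "secret")
    print(req.full_url)
    print(classify_response("good 203.0.113.7"), classify_response("badauth"))
```

Sending the request would be `urllib.request.urlopen(req).read().decode()`; it is omitted so the example runs offline. The point of `should_update` is the one the status page cannot show you: most "service failure" states at DDNS providers are self-inflicted lockouts from updating too often.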

6-3. SNMP

SNMP is a protocol designed for managing network nodes (servers, workstations, routers, switches, etc.).
Network administrators use SNMP to collect status and receive notifications, so that they can identify and resolve network problems promptly and plan the use of network resources.
• Introduction to SNMP
SNMP manages networks through three main elements: managed devices, agents, and Network Management Systems (NMSs).
SNMP currently has three versions:
1. SNMPv1: Has no encryption and no real authentication. The community string, which acts as the password, is transmitted in plain text, so anyone who can capture the traffic can read and reuse it. Its security is therefore weak.
2. SNMPv2: Added a security model (party-based SNMPv2), but it was complex, incompatible with v1, and never widely adopted. The variant that survived, SNMPv2c, keeps v1’s plaintext community strings and only adds bulk retrieval (GetBulk) and 64-bit counters, so it is no more secure than v1.
3. SNMPv3: Addresses these problems. Each message can be authenticated with a keyed hash (HMAC-MD5 or HMAC-SHA), the payload can be encrypted (DES or AES), timeliness fields protect against replay, and a view-based access control model (VACM) restricts what each user may read or write. Only the authPriv level actually encrypts; noAuthNoPriv gives no more protection than v2c.
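
Why the version matters, as an added example in Python (not NG-UTM code): a minimal BER decoder that shows what a passive observer learns from one captured SNMP message. For v1/v2c it extracts the community string in clear; for v3 it reads the msgFlags to report the security level, and no credential is visible. The packets are constructed in the code (a v2c GetRequest for sysName.0 with community public, and a v3 message header with empty security parameters and scoped PDU, which is enough for header inspection but would not be accepted by a real agent).

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    parts = [raw[0] // 40, raw[0] % 40]     # first byte packs the first two arcs
    val = 0
    for b in raw[1:]:                       # remaining arcs are base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_snmp(msg):
    """Return what a passive observer learns from one SNMP message on the wire."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    info = {"version": VERSIONS.get(version, str(version))}
    if version in (0, 1):                   # v1 / v2c: community string in clear text
        _, community, pos = read_tlv(body, pos)
        info["community"] = community.decode("ascii", "replace")
        pdu_tag, pdu, _ = read_tlv(body, pos)
        info["pdu"] = PDU_TYPES.get(pdu_tag, hex(pdu_tag))
        p = 0
        for _ in range(3):                  # request-id, error-status, error-index
            _, _, p = read_tlv(pdu, p)
        _, varbinds, _ = read_tlv(pdu, p)
        oids, p = [], 0
        while p < len(varbinds):
            _, vb, p = read_tlv(varbinds, p)
            _, oid_raw, _ = read_tlv(vb, 0)
            oids.append(decode_oid(oid_raw))
        info["oids"] = oids
    elif version == 3:                      # v3: msgGlobalData carries the security flags
        _, global_data, _ = read_tlv(body, pos)
        p = 0
        _, _, p = read_tlv(global_data, p)  # msgID
        _, _, p = read_tlv(global_data, p)  # msgMaxSize
        _, flags, _ = read_tlv(global_data, p)
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
        info["security_level"] = {(False, False): "noAuthNoPriv", (True, False): "authNoPriv",
                                  (True, True): "authPriv"}.get((auth, priv), "invalid")
        info["community"] = None            # nothing to steal from the header
    return info

# Constructed v2c GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0), community "public".
V2C_GET = bytes.fromhex(
    "30 26 02 01 01 04 06 70 75 62 6c 69 63 a0 19 02 01 2a 02 01 00 02 01 00 "
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 05 00 05 00")

def v3_header(flags):
    """Constructed SNMPv3 message with the given msgFlags (bit0 auth, bit1 priv, bit2 reportable);
    security parameters and the scoped PDU are empty because only the header is inspected."""
    return (bytes.fromhex("30 17 02 01 03 30 0e 02 01 01 02 03 00 ff e3 04 01") + bytes([flags])
            + bytes.fromhex("02 01 03 04 00 30 00"))

if __name__ == "__main__":
    print(parse_snmp(V2C_GET))
    print(parse_snmp(v3_header(0x04)), parse_snmp(v3_header(0x07)))
```

Run it over a real capture (strip the UDP payload from port 161 traffic) and any v2c device will hand you its community string; that is the whole argument for SNMPv3 authPriv plus a source-IP restriction.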
• Enabling SNMP Service

Figure 6-6 SNMP Settings

[Auto-start at Boot]: Specify whether the SNMP service should automatically start after booting.
[Device Name]: Enter the display name for SNMP, for example: Office UTM.
[Device Location]: Default is Taipei, Taiwan, and it can be any English text.
[Login Name]: The SNMP community string, default public, with read-only permission; administrators can change it. Change it from the default: under SNMPv1/v2c this string is the only credential and is sent in plain text.
[Contact]: Email address of the contact person, default is help@common.com.
[Comment]: Description text can be entered, default is Firewall.
[SNMPv3]: SNMPv3 is the secure version of SNMP. Tick it to enable SNMPv3 with the security settings below. If unticked, SNMPv2c is used with the community string set in [Login Name].
[Security Level]: AuthPriv (authentication and encryption) / AuthNoPriv (authentication but no encryption) / NoAuthNoPriv (neither authentication nor encryption). Use AuthPriv; the other two levels leave the management data readable on the wire.
[Username]: The SNMPv3 user name.
[Authentication Protocol]: MD5 or SHA (HMAC-based); SHA is the stronger choice.
[Authentication Password]: The authentication pass phrase.
[Privacy Protocol]: DES or AES; AES is the stronger choice, as DES’s 56-bit key is no longer adequate.
[Privacy Password]: The privacy (encryption) pass phrase.
[Restrict Source IP Access]: Restricts SNMP access to the listed IP addresses; unticked means no restriction. Enable it and list only the management stations: an SNMP service reachable from anywhere hands out interface, routing and host details to whoever guesses the community string.

6-4. DNS Server

The internet consists of countless interconnected computers. So that data reaches the right place, each computer has a fixed, unique address.
An IPv4 address is four decimal numbers from 0 to 255 separated by dots; an IPv6 address is eight groups of four hexadecimal digits (0000 to FFFF) separated by colons.
As the number of connected hosts grows, relying on IP addresses alone for memory and management becomes impractical.
Everyone has an identity number, but a long string of digits is hard to remember, so names are used instead.
A fully qualified domain name consists of a hostname and a domain name. For example, the name www.ShareTech.com.tw is resolved through DNS to the host with IP address 211.22.160.28.
Instead of memorizing that string of digits, you only enter the domain name; the correspondence between www.ShareTech.com.tw and 211.22.160.28 is maintained by a DNS server.
In other words, the internet uses IP addresses for routing. To reach hosts by easy-to-remember domain names, the name-to-IP mapping must first be recorded on a DNS server that others can query.
To achieve this functionality, different “records” must be set in DNS. The commonly used records include A, MX, CNAME, NS, etc., which will be explained separately below.
NG-UTM also supports the Inbound Load balance mechanism, which utilizes DNS query mechanism.
When the first query for www.abc.com is made, it responds with the WAN-1 line address. When the second query is made, it responds with the WAN-2 line address, distributing the service evenly across different lines to achieve load balancing.
To achieve Inbound Load balance, the domain name resolution authority must be on NG-UTM.
• DNS Name Explanation:
1. A Record
IPV4 address, the correspondence between the hostname and its IPV4 address. For example, the IPV4 address corresponding to www.ShareTech.com.tw is 211.22.160.28.
When we enter www.ShareTech.com.tw in the browser, DNS resolution returns the IPv4 address 211.22.160.28. Entering 211.22.160.28 directly in the address bar also reaches the host, provided the web server answers requests for that address without a matching Host header.
There is no limit to the number of A records. Different A records can point to the same IPV4 address.
For example, another A record www2.ShareTech.com.tw can be created to point to the IPV4 address 211.22.160.28 of the website mentioned above.
2. AAAA Record
There’s a correspondence between the hostname and its IPV6 address. For example, the IPV6 address corresponding to www.ShareTech.com.tw is 2001:288:502b::1.
When we enter www.ShareTech.com.tw in the browser, DNS resolution returns the IPv6 address 2001:288:502b::1. Entering http://[2001:288:502b::1] directly (IPv6 literals go in square brackets) also reaches the host under the same condition.
There is no limit to the number of AAAA records. Different AAAA records can point to the same IPV6 address.
For example, another AAAA record www2.ShareTech.com.tw can be created to point to the IP address 2001:288:502b::1.
3. MX Record
MX records tell sending mail servers which host receives mail for a domain, so that email is delivered correctly.
There is often more than one receiving server, so each MX record carries a priority that orders them.
The advantage of MX records is that when your mail server changes you only modify DNS; senders do not need to know which machine handles your mail.
[Host]: Refers to the domain or hostname, which is the part after the @ symbol in the email address. Emails sent to this name will be sent to the mail server specified in the host field.
[Priority]: MX records associated with a particular host or domain may not be just one, so the priority order of Mail Servers needs to be set.
For example, when sending an email to jean@ShareTech.com.tw, it will first be sent to the host ms1.ShareTech.com.tw, but if there is no response, it will be sent to the next server, ms2.ShareTech.com.tw.
[Mail Server]: Usually refers to the hostname. If you set up a Mail Server, your hostname is usually mail.ShareTech.com.tw.
After setting up MX records, make sure that the corresponding A or AAAA records are also set.
4. CNAME Record
Also known as an alias. A CNAME maps one name onto another (canonical) name, so that an existing A/AAAA record can be reached under one or more additional names.
[Nickname]: The alias for this hostname. The alias can be any valid hostname.
[Host]: The canonical hostname. This must be a real hostname with its own records, not another alias.
For example, entering either www.ShareTech.com.tw or web.ShareTech.com.tw in the address bar reaches the same website (211.22.160.28).
A CNAME does not copy the A record; it points at the canonical name, and the resolver then looks up that name’s A/AAAA record.
5. NS Record
Tells other DNS servers which servers are authoritative for a domain or subdomain, so that they know where to send queries for it.

6-4-1. Domain

In DNS server configuration, the most used records are A, MX, CNAME, NS, and others.
To set up a DNS server, the following steps need to be completed in advance, in the following order:
1. In [Domain Settings], enter the DNS domain and the main server IP address.
2. Create commonly used records such as A, AAAA, MX, CNAME, NS, etc.
3. Set which IP addresses may send recursive (proxy) queries (see 6-4-3. Interface).

Add DNS Domain

When a domain is registered, the registrar (the upper-level DNS provider) asks for the fixed IPv4/IPv6 address of the domain’s name server, referred to here as the domain address.
Queries from other DNS servers for the administrator’s domain are delegated to this IP address,
and the DNS server configured here then answers with the A, AAAA, MX, CNAME, NS and other records belonging to the domain.
Click image20 to create a DNS server domain:

Figure 6-7 Create DNS Domain

[Domain Name]: The applied domain name, such as def.com.
[Domain Address]: Firstly, decide which interface will respond to external DNS server queries. This IP address must be a fixed IPV4 (required)/IPV6 (optional) address that can be accessed on the Internet,
and this IP address is usually the one filled in by the administrator when applying for the domain from the upper-level DNS server. For example, managed by ZONE 1 with 12.13.14.15 responsible for responding to external DNS query requests.
[Main Server Name]: The main DNS name of the applied domain such as dns.def.com. The system will automatically add two records, one is the SOA record, and the other is the A record.
[Main Server Address]: The IP address of the main DNS name of the applied domain. This address will be automatically added to the A record.
For example, enter 12.13.14.15, then the A record will have a default entry with the A record IP address of dns.def.com as 12.13.14.15.
[Administrator Email Address]: Enter the email address of the domain administrator.
[Refresh]: How often, in seconds, secondary servers check this server for zone changes; default 10800.
[Retry]: How long a secondary waits before retrying after a failed refresh; default 3600.
[Expire]: How long a secondary keeps answering for the zone after it last reached this server; once exceeded it stops serving the zone; default 604800.
[Minimum]: The negative-caching TTL, i.e. how long resolvers may cache a “no such record” answer; default 38400.
[Create Reverse DNS Domain]: If enabled, enter the network for which reverse (PTR) lookups will be answered.
This is only useful when the administrator holds an entire class C network (/24, 256 fixed IP addresses); smaller allocations normally have their reverse resolution handled by the ISP.

Create DNS Server Records

After the basic DNS server configuration is complete, NG-UTM automatically creates a DNS server entry (master domain) in the domain list.
Click the edit icon in the status column to add, delete and modify the A, AAAA, MX, CNAME and other records.
Once the domain settings are saved, the system automatically creates the matching A and NS records for the name server, using the name and IP address entered in the domain settings.

Figure 6-8 Default Records After Domain Settings

• Add A Record
In Add Resource Record, click the add icon to add an A record for this domain.

Figure 6-9 Create an A Record

[Name]: Create a new A record, you can enter a combination of letters and numbers, for example: mail.def.com.
[Time to Live]: The validity period of this A record.
[Address]: The first field selects the View (6-4-2). ANY means every querier receives the IP address entered in the following fields.
The remaining fields select the interface and IP address. If this DNS server answers external queries, choose a valid external interface and public address.
If this A record is only for internal use, choose an interface and address that are reachable only internally.
[DNS Backup]: When two different IP addresses are set for the same A record, the backup address is returned if the primary one cannot be served; this is normally used with line load balancing or server load balancing.
• Add AAAA Record
AAAA records are the IPv6 equivalent of A records. In [Add Resource Record], click the add icon to add an AAAA record for this domain.
[Name]: Create a new AAAA record, you can enter a combination of letters and numbers, for example: mail.def.com.
[Time to Live]: The validity period of this AAAA record.
[Address]: The first field is ANY, which means anyone querying this AAAA record will respond with the IP address entered in the subsequent fields.
The fields after the second one are for selecting the interface and IP address. If the DNS is providing services to external queries, this interface needs to be a valid external interface and IP address.
If this AAAA record is only for internal use, select the interface and address that can only be accessed internally.
[DNS Backup]: When setting 2 different IP addresses for the same AAAA record, if the AAAA record cannot be queried, it will respond with the backup AAAA record IP address,
usually used in Load Balance or Server Load Balance.
• Add MX Record
In [Add Resource Record], click the add icon to add an MX record for this domain.
MX records carry a priority (preference) value; lower numbers are preferred. When a domain has more than one MX record, sending servers try the host with the lowest value first and fall back to the next one if it does not respond.
Define the A/AAAA record of the mail host first, then the MX record that points to it.

Figure 6-10 MX Record

[Domain Name]: The domain name used for mail servers.
[Time to Live]: The validity period of this MX record.
[Mail Server]: The A/AAAA record name of the mail server, for example mail.def.com. This name must resolve to an address, and must not be a CNAME (RFC 2181), otherwise mail cannot be delivered reliably.
[Priority]: Enter a number greater than 1. The lower the number, the higher the priority.
For example, set the priority of mail1.def.com to 5 and mail2.def.com to 10. When an external server sends mail to def.com,
it first tries mail1.def.com; only if mail1.def.com does not respond is the mail handed to mail2.def.com.
MX records must have matching A/AAAA records, otherwise sending servers cannot find the address of the mail server.

Figure 6-11 MX Record and A/AAAA Record

• Add NS Record
When creating a new domain, the system will automatically create an NS and A record for NS use, and the administrator can also add other NS records.
In [Add Resource Record], click the add icon to add an NS record for this domain.
Define the A/AAAA record of the name server first, then the NS record that points to it.

Figure 6-12 NS Record

[Domain Name]: The domain (or subdomain) for which the name server is authoritative.
[Time to Live]: The validity period of this NS record.
[Name Server]: The A/AAAA record name of the name server, for example dns2.def.com. This name must resolve to an address (and must not be a CNAME), otherwise queries through this server will fail.
NS records must have matching A/AAAA records.

Figure 6-13 NS and A/AAAA Records

• Add CNAME Record
In [Add Resource Record], click the add icon to add a CNAME record for this domain. Define the A/AAAA record of the target first, then the CNAME that points to it.
[Name]: The alias, for example mail2.def.com. A name that carries a CNAME may not carry any other record type.
[Time to Live]: The validity period of this CNAME record.
[Actual Name]: The canonical name whose A/AAAA record is returned when the alias is queried.
For example mail.def.com. This A/AAAA record must resolve, otherwise queries for the alias will fail.
Using the above example:
When an external client queries mail2.def.com, the answer points to mail.def.com, and mail.def.com performs the actual work.
Note that a CNAME does not conceal the canonical name; it appears in the DNS answer. Its benefit is that several aliases can point at one host, and the host can be moved by changing a single A/AAAA record.
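
The dependency rules stated for MX, NS and CNAME records above (targets need A/AAAA records, MX and NS targets must not be aliases, an alias owns no other records) as a checker you can run over a zone before publishing it, as an added example in Python (not NG-UTM code). The record set is constructed in the manual’s def.com style with two deliberate mistakes; the record tuple format is an assumption of this example:

```python
from collections import defaultdict

def index_records(records):
    """Group (name, type, value) triples by owner name and record type."""
    idx = defaultdict(lambda: defaultdict(list))
    for name, rtype, value in records:
        idx[name.lower().rstrip(".")][rtype.upper()].append(value)
    return idx

def check_zone(zone, records):
    """Return a list of findings; an empty list means the records are mutually consistent."""
    zone = zone.lower().rstrip(".")
    idx = index_records(records)
    findings = []

    def in_zone(name):
        return name == zone or name.endswith("." + zone)

    def has_address(name):
        return bool(idx[name]["A"] or idx[name]["AAAA"])

    if not idx[zone]["SOA"]:
        findings.append(f"{zone}: no SOA record at the apex")
    if not idx[zone]["NS"]:
        findings.append(f"{zone}: no NS record at the apex")

    for name, types in list(idx.items()):          # snapshot: lookups below may add empty keys
        if types["CNAME"]:
            others = [t for t in types if t != "CNAME" and types[t]]
            if others:                              # RFC 1034: an alias owns nothing else
                findings.append(f"{name}: CNAME cannot coexist with {', '.join(sorted(others))}")
            if len(types["CNAME"]) > 1:
                findings.append(f"{name}: more than one CNAME")
            target = types["CNAME"][0].lower().rstrip(".")
            if idx[target]["CNAME"]:
                findings.append(f"{name}: CNAME target {target} is itself an alias (chain)")
            elif in_zone(target) and not has_address(target):
                findings.append(f"{name}: CNAME target {target} has no A/AAAA record")
        for rtype in ("MX", "NS"):
            for value in types[rtype]:
                target = value.split()[-1].lower().rstrip(".")   # MX values look like "5 mail.def.com"
                if idx[target]["CNAME"]:                          # RFC 2181 section 10.3
                    findings.append(f"{name}: {rtype} target {target} must not be a CNAME")
                elif in_zone(target) and not has_address(target):
                    findings.append(f"{name}: {rtype} target {target} has no A/AAAA record")
    return findings

# Constructed zone for def.com in the manual's style, with two deliberate mistakes.
EXAMPLE_ZONE = "def.com"
EXAMPLE_RECORDS = [
    ("def.com",       "SOA",   "dns.def.com admin.def.com 2024010101 10800 3600 604800 38400"),
    ("def.com",       "NS",    "dns.def.com"),
    ("dns.def.com",   "A",     "12.13.14.15"),
    ("mail.def.com",  "A",     "12.13.14.16"),
    ("def.com",       "MX",    "5 mail.def.com"),
    ("def.com",       "MX",    "10 mail2.def.com"),     # mistake 1: mail2 is an alias
    ("mail2.def.com", "CNAME", "mail.def.com"),
    ("www.def.com",   "CNAME", "web.def.com"),          # mistake 2: web has no address
    ("def.com",       "TXT",   "v=spf1 ip4:12.13.14.16 ~all"),
]

if __name__ == "__main__":
    for finding in check_zone(EXAMPLE_ZONE, EXAMPLE_RECORDS):
        print(finding)
```

Targets outside the zone are skipped rather than flagged, because their addresses live in someone else’s zone; a real pre-publish check would resolve those with a live query.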
• Add TXT Record
In [Add Resource Record], click the add icon to add a TXT record for this domain.
The TXT record is a type of DNS record that provides textual information for sources outside your domain and can be used for various purposes, such as domain ownership verification and email security measures implementation.
Supports SPF, DKIM, DMARC records.
[Domain Name]: Enter the domain name to adopt the TXT record, for example: def.com.
[Time to Live]: The validity period of this TXT record.
[TXT Data]: Enter specific values according to the purpose of the TXT record, for example: “v=spf1 ip4:12.34.56.78 ~all”.
This example declares that the only address authorized to send mail from @def.com is 12.34.56.78; mail from any other address is a soft fail (~all), which receivers usually mark as suspicious rather than reject outright (-all would request rejection).
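
How a receiving server interprets the SPF example above, as an added example in Python (not NG-UTM code): a minimal evaluator for the lookup-free SPF mechanisms (ip4, ip6, all) with their qualifiers. Mechanisms that need DNS lookups (include, a, mx, exists) are reported as unsupported rather than guessed, and the record strings and sender addresses are constructed for the example.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(txt_record, sender_ip):
    """Evaluate an SPF TXT record for one connecting IP.

    Supports the mechanisms that need no DNS lookups (ip4, ip6, all); include/a/mx/ptr/exists
    and modifiers such as redirect= would require live queries and return 'unsupported'.
    Results use the RFC 7208 names: pass, fail, softfail, neutral, none, permerror.
    """
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                                   # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                                 # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]                # 'all' always matches; it ends evaluation
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare address means /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                                    # no match: try the next term
        if "=" in mech or mech in ("include", "a", "mx", "ptr", "exists"):
            return "unsupported"
        return "permerror"                              # unknown mechanism
    return "neutral"                                    # ran off the end without 'all'

if __name__ == "__main__":
    record = "v=spf1 ip4:12.34.56.78 ~all"              # the manual's example record
    for sender in ("12.34.56.78", "12.34.56.79"):
        print(sender, evaluate_spf(record, sender))
```

The ~all/-all distinction is where most SPF deployments go wrong: ~all is appropriate while you are still discovering which hosts send mail for the domain; once the list is complete, switch to -all, otherwise spoofed mail is only marked, not rejected.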
• Add SRV Record
In [Add Resource Record], click the add icon to add an SRV record for this domain.
[Name]: The name of this SRV record.
[Time to Live]: The validity period of this SRV record.
[Priority]: When there are multiple records, distinguish the preferred hosts to use. The lower the priority number, the higher the priority.
[Weight]: When multiple priority numbers are the same, use different weights for load balancing.
Using an example to explain priority and weight:

Service              Priority  Weight  Host Name
_smtp.example.com    10        60      mail1.example.com
_smtp.example.com    10        40      mail2.example.com
_smtp.example.com    20        60      backup.example.com

(The standard owner name of an SRV record is _service._proto.name, for example _smtp._tcp.example.com; the table keeps the shortened form used in this manual.)
With these three SRV records, clients first use the hosts with priority 10 for the smtp service.
The weights of the priority-10 records add up to 100, so mail1 is chosen about 60% of the time and mail2 about 40%: hosts within one priority are picked at random in proportion to their weight, not strictly in weight order.
Only if both priority-10 hosts are unavailable does the client move on to the next priority, backup.example.com.
[Port]: The port used by the service.
[Host Name]: The hostname providing the service.

Load Balance

When the same A/AAAA record has 2 different IP addresses, it means that Inbound Load balancing mechanism is enabled.
Select the A/AAAA record and click the add icon to enter the second A/AAAA record.
Because this is line load balancing, the second IP address naturally belongs to a different line.
After two or more IP addresses are set for the same A/AAAA record, a settings icon appears in the View and Response Address areas below,
where the administrator sets the share each line takes. Two modes are available: priority mode and proportion mode.

Figure 6-14 Line Load Balancing Setting

[Priority Mode]: The administrator assigns line load balancing to appropriate lines through priority and weight allocation.
For example: Line 1 (100M), Line 2 (200M);
If you want to use Line 2 more when accessing externally, you can set the priority of Line 2 to 1 and the weight to 5. This way, most of the usage will be on Line 2.
[Proportion Mode]: The administrator simply assigns line load balancing to appropriate lines through weight allocation.
For example: Line 1 (100M), Line 2 (200M);
If you want to use Line 1 more when accessing externally, you can set the weight of Line 1 to 10 and the weight of Line 2 to 1. This way, most of the usage will be on Line 1.

Note

There is no limit on the number of A/AAAA records for line load balancing, as long as there are different lines and IP addresses, they can be set and enabled.
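
The selection rule behind the SRV priority/weight example and behind the two line load-balancing modes above (priority mode is priority then weight; proportion mode is the special case where every line has the same priority), as an added example in Python. This is the RFC 2782 algorithm, not NG-UTM’s own implementation, which may differ in detail; the host names and weights are taken from the SRV table and the proportion-mode example, and the liveness set is an assumption standing in for NG-UTM’s line status.

```python
import random
from collections import Counter

# (priority, weight, host): the SRV table above, and the proportion-mode lines (same priority).
SRV_EXAMPLE = [(10, 60, "mail1.example.com"), (10, 40, "mail2.example.com"), (20, 60, "backup.example.com")]
PROPORTION_EXAMPLE = [(1, 10, "line1"), (1, 1, "line2")]

def select_target(records, alive, rng=random):
    """RFC 2782-style choice: lowest priority among live hosts, then weighted random within it."""
    candidates = [r for r in records if r[2] in alive]
    if not candidates:
        return None
    best = min(p for p, _, _ in candidates)
    group = [r for r in candidates if r[0] == best]
    total = sum(w for _, w, _ in group)
    if total == 0:                           # all weights zero: plain uniform choice
        return rng.choice(group)[2]
    point = rng.uniform(0, total)            # walk the cumulative weights until the point falls inside
    acc = 0
    for _, w, host in group:
        acc += w
        if point < acc:
            return host
    return group[-1][2]

def distribution(records, alive, draws=20000, seed=1):
    """Fraction of draws landing on each host, with a fixed seed so the result is repeatable."""
    rng = random.Random(seed)
    counts = Counter(select_target(records, alive, rng) for _ in range(draws))
    return {host: n / draws for host, n in counts.items()}

if __name__ == "__main__":
    all_up = {"mail1.example.com", "mail2.example.com", "backup.example.com"}
    print(distribution(SRV_EXAMPLE, all_up))                    # ~0.60 mail1, ~0.40 mail2, no backup
    print(distribution(SRV_EXAMPLE, {"backup.example.com"}))    # backup only
    print(distribution(PROPORTION_EXAMPLE, {"line1", "line2"})) # ~0.91 line1, ~0.09 line2
```

The worked numbers match the text: mail1 receives roughly 60% and mail2 40% while both are up, backup receives nothing until both priority-10 hosts are down, and in proportion mode weights 10 and 1 give Line 1 about ten elevenths of the traffic.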

6-4-2. View

Set which IP address can query the built-in DNS server.
The default is ANY, which means that the DNS server will respond to queries from any source IPv4/IPv6 IP.
If you only want specific source IP addresses from certain network segments to be able to query certain A/AAAA records, you can create these source IP addresses here and apply them to the DNS records.
Click the add icon:

Figure 6-15 DNS View

[View Name]: The name of the view.
[Source IP Address]: The IP addresses that can query the service, supporting IPv4/IPv6 addresses, and multiple data can be entered with line breaks.
➤ After the configuration is completed, in Create DNS Server Records, when adding A/AAAA records, you can select this data. In this example, it means that only source IP addresses belonging to the Allow group can query.

Figure 6-16 DNS View Response

6-4-3. Interface

Besides serving as the authoritative server for its own domain, the DNS service on NG-UTM can perform functions common to public DNS servers: proxy (recursive) querying and zone transfer, which this interface labels domain rewriting:
Proxy querying means that when the local DNS server has no information for the domain a user asks about, it queries external DNS servers itself and returns the result to the user;
Zone transfer (domain rewriting) is copying this server’s zone data to other (secondary) DNS servers.

Figure 6-17 DNS Interface Configuration

[Allow Query from]: The interfaces from which DNS queries are accepted; queries arriving on other interfaces are rejected.
[Allow Recursive Queries from]: The IP addresses allowed to use the proxy (recursive) query service; IPv4 and IPv6, multiple entries allowed. Restrict this to internal networks: a resolver that recurses for anyone on the internet (an open resolver) gets abused for DNS amplification attacks and exposes its cache to poisoning.
[Accept Zone Transfer from]: The IP addresses allowed to request a zone transfer (AXFR); IPv4 and IPv6, multiple entries allowed. List only your own secondary name servers: a zone transfer hands the requester every record in the domain, including internal host names.

6-5. Virus Engine

NG-UTM provides 2 virus scanning engines: one is the free ClamAV and the other is the paid Kaspersky.
By default, the ClamAV virus scanning engine is enabled, so the virus scanning mechanism applied in the management interface is provided by ClamAV. After uploading the license for Kaspersky, the main virus scanning engine will switch to Kaspersky.
[Virus Engine Configuration]: Enables or disables the virus scanning engines ClamAV and Kaspersky.

6-5-1. ClamAV Anti-Virus Engine

ClamAV, short for Clam Antivirus, is open-source, freely licensed software in the same spirit as Linux. Its virus database is updated and maintained around the clock, and anyone who finds a suspicious sample can submit it so that the signatures are updated promptly.
[ClamAV Status]: By default, it is always enabled, with no option to disable.
[Version]: The current version of the virus scanning engine in use, for example: ClamAV 0.98.4.
[Update Log]: Each update of the virus scanning engine is logged here.
[Clear Log]: Clear all update logs.
[Automatic Virus Signature Update Time]: The time interval for updating the virus database, default is every 6 hours, with a setting range of 1 to 24 hours.
[ClamAV Database Mirrors]: Selects the server for updating the virus database.
[Update Now]: Immediately updates the virus database.

6-5-2. Kaspersky Virus Scanning Engine

The Kaspersky virus scanning engine requires an authorization code to be effective.
[Current Status of Kaspersky Virus Scanning Engine]: By default, it is disabled and requires uploading the authorization document to enable.
[Version]: The current version of the virus scanning engine in use.
[Pattern Number]: Displays the latest number of virus signatures.
[Update Log]: Each update of the virus scanning engine is logged here.
[Automatic Virus Signature Update Time]: The time interval for updating the virus database, default is every 6 hours, with a setting range of 1 to 24 hours.
[Clear Log]: Clears all update logs.
[Update Now]: Immediately updates the virus database.
[Licenses]: Uploads the authorization document for the virus scanning engine.

6-6. Sandstorm

Phishing emails and malicious URLs are rampant, and users often open or click malicious links by mistake. Signature-based antivirus alone does not reliably stop this malware or these URLs. The firewall is the first line of defense for traffic coming in and the last for traffic going out, so NG-UTM adds an extra protection mechanism at this point.

6-6-1. Sandstorm

Whether a user clicks a malicious URL or an email carries an attachment with a malicious program, Sandstorm automatically checks the URL, domain, or file hash against its cloud blacklist. When a match is found, NG-UTM blocks it, and Sandstorm's blacklist data is updated automatically so that NG-UTM keeps blocking new threats.
• Sandstorm
Sandstorm Settings

Figure 6-18 Sandstorm Settings

Enable Function: Sandstorm can check two kinds of Trojan indicators, malicious files (matched by hash) and malicious URLs. Both can arrive over WEB or email, so administrators decide whether both kinds are needed or only one.
Because files and URLs occur in both web traffic and email, the corresponding checks are enabled in different places; the hyperlinks here jump directly to those settings.
Last Update Time: Sandstorm periodically pulls the latest data from the cloud database. Clicking Refresh updates the blacklist immediately.
Cloud Test: Opens a separate page where administrators select the type to check, upload a file or enter a URL, and receive an answer from the database on whether it is blacklisted. This is a quick way to check a suspicious attachment or link without waiting for a user to hit it.
Sandstorm Cloud Test

Figure 6-19 Sandstorm Cloud Test

After enabling Sandstorm’s feature, detailed settings for this item will be expanded:
• FILE Hash
Version: The current version of the file-hash database; the number in parentheses is the number of malicious file hashes it contains.
Risk Level: Each entry is rated high, medium, or low risk, and administrators choose which levels to block. If blocking low-risk entries interferes with legitimate file transfers, blocking can be turned off for that level only.
WEB/Email Service: File-hash checking must also be enabled in the WEB Service and Email management pages; clicking the link opens the relevant page.
• Web URL
Version: The current version of the URL database; the number in parentheses is the number of malicious URLs it contains.
Risk Level: Each entry is rated high, medium, or low risk, and administrators choose which levels to block. If false positives are a concern, blocking can be turned off for low-risk entries only.
WEB Service/Email Management: URL checking must also be enabled in the WEB Service and Email management pages; clicking the link opens the relevant page.
URL Test: Opens a separate page; enter a URL and the database answers whether it is blacklisted.
• Domain
Version: The current version of the domain database; the number in parentheses is the number of blocked domains it contains.
Risk Level: Each entry is rated high, medium, or low risk, and administrators choose which levels to block. If false positives are a concern, blocking can be turned off for low-risk entries only.
DNS: Domain blocking is enforced through DNS Filter, which must also be configured; clicking the link opens the DNS Filter management page directly.
Domain Test: Opens a separate page; enter a domain name and the database answers whether it is blacklisted.

6-6-2. Sandstorm Record

Administrators can search by date, function, service type, risk level, or IP address, and the system counts the hits for each matched entry. An example search result looks like this:
Sandstorm Records

Figure 6-20 Sandstorm Records

Function: Which of Sandstorm's 3 blocking categories the record belongs to: File Hash, Web URL, or Domain.
Malware Type: The classification of the entry, for example Trojan or phishing.
Count: The number of times the same entry was hit during the statistics period.
If a Sandstorm entry is found to be blocking legitimate user activity, it can be disabled in the Enable column of the record; the complete list of disabled entries is shown in the Sandstorm Disable List. Disabling an entry lifts that block for everyone behind NG-UTM, so confirm it really is a false positive before doing so.
➤ Clicking the detail icon shows details for each hit, such as which IP address clicked the Trojan or requested the blocked domain.
Sandstorm Detailed Records

Figure 6-21 Sandstorm Detailed Records

6-6-3. Sandstorm Disable List

File hashes, URLs, and domains that an administrator has disabled from the Sandstorm Record page are listed here. A disabled entry is no longer blocked, so review this list periodically and re-enable entries whose exception is no longer needed.

6-7. WEB Service

NG-UTM can scan HTTP and HTTPS traffic and check whether the transferred content contains viruses. Besides inspecting the packets of these two protocols, it can record the URLs users browse, for later inquiry and management by administrators. HTTP/HTTPS scanning and recording run in Transparent Proxy mode, so users need no browser configuration.
For HTTPS, inspection requires NG-UTM to terminate the TLS connection and present each site's certificate re-signed by its own root certificate, so administrators must first generate an SSL root certificate in NG-UTM and then install it as a trusted root on every user's computer. Because this root can sign a certificate for any website, its private key must stay on NG-UTM: anyone who obtains it can impersonate every HTTPS site to every user who trusts the root. Restrict management access to NG-UTM accordingly, and regenerate the root if a compromise is suspected.
Operating systems differ in how root certificates are trusted. Computers and phones from Apple generally do not accept such a locally added root for their system services and many applications, so the WEB service function does not work for Apple devices (see Exclude Apple Devices below). Windows and Firefox also keep their trusted roots in different stores: installing the root in the Windows store does not make Firefox trust it, so check where each browser reads its trusted roots.

6-7-1. WEB Service

• WEB Anti-Virus Setting
Configure the antivirus engine used for HTTP scanning. Administrators can adjust the specifications according to the actual network conditions to ensure the normal operation of WEB services.
WEB Configuration and Infected Web Page Warning Preview

Figure 6-22 WEB Configuration and Infected Web Page Warning Preview

Maximum Scan File Size (KB): Files transferred over the WEB that exceed this value are not virus scanned. The default is 1024 KB. This limit fails open: anything larger passes through unscanned, so raise it as far as the hardware allows and remember that a download just above the limit bypasses the engine entirely.
Listen Port: Specify which port to redirect to HTTP PROXY. The default is 80, but administrators can input multiple ports, e.g., 80, 81, 88, indicating that these ports will all be redirected to HTTP inspection.
Virus Engine: Offer a choice between ClamAV and Kaspersky. The default is ClamAV. If the Kaspersky engine is not enabled in 6-5. Virus Engine, only ClamAV is available here.
Warning Setting: Configures the warning message displayed to users when a virus is detected. Clicking Preview allows administrators to check if the entered subject and content text match expectations.
Subject: Enter the subject text to be displayed.
Content to Display: Enter the content to be displayed on the blocked webpage.
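To confirm that the engine selected above actually sees web downloads, and to see the effect of the Maximum Scan File Size, the standard check is to fetch the EICAR test file through NG-UTM. The following added example (not NG-UTM code) builds that file, verifies it against its published SHA-256, and also builds an archive padded past the scan limit. Host both files on a web server outside NG-UTM and download them from a client behind it, over http:// and then https://. The bare file should produce the warning page; if the padded archive downloads unblocked, the size limit, not the engine, let it through.

```python
"""Generate an EICAR test download to exercise NG-UTM's web virus scanning
and its Maximum Scan File Size limit. Added example, not NG-UTM code.
EICAR is the harmless industry test string every engine (ClamAV included)
flags; it is assembled from two halves here so this page does not itself
carry the signature. EICAR_SHA256 is the published hash of that file."""
import hashlib
import io
import os
import zipfile

EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes():
    """The 68-byte EICAR test string (assembled from two halves)."""
    head = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    tail = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    return head + tail


def eicar_is_intact(data):
    """True if the bytes are exactly the published test file."""
    return hashlib.sha256(data).hexdigest() == EICAR_SHA256


def will_be_scanned(size_bytes, max_scan_kb=1024):
    """The manual says files larger than the limit are not scanned;
    the limit is given in KB and defaults to 1024."""
    return size_bytes <= max_scan_kb * 1024


def oversized_archive(max_scan_kb=1024):
    """A zip holding eicar.com plus an incompressible pad entry, so the
    whole download is larger than the scan limit. Stored, not deflated,
    so the resulting size is predictable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("eicar.com", eicar_bytes())
        zf.writestr("pad.bin", os.urandom(max_scan_kb * 1024 + 4096))
    return buf.getvalue()


def write_test_files(directory, max_scan_kb=1024):
    """Write eicar.com and eicar-oversized.zip into `directory`, to be
    served from a web server *outside* NG-UTM and fetched from a client
    behind it. Returns the paths written."""
    paths = {}
    files = (("eicar.com", eicar_bytes()),
             ("eicar-oversized.zip", oversized_archive(max_scan_kb)))
    for name, data in files:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[name] = path
    return paths


if __name__ == "__main__":
    data = eicar_bytes()
    print("eicar.com intact:", eicar_is_intact(data), "size:", len(data))
    big = oversized_archive()
    print("oversized zip scanned at default limit:", will_be_scanned(len(big)))
```

Use the same limit value in oversized_archive() that is configured in Maximum Scan File Size; the archive is then a few KB above it. Repeat the HTTPS fetch only after the root certificate from Encryption Connect Setting is installed on the test client, otherwise the HTTPS proxy cannot inspect the download at all.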
• Encryption Connect Setting
In addition to HTTP, NG-UTM can perform virus scanning and website management for HTTPS. Before managing HTTPS, an SSL root certificate must be generated and imported into each user's computer. HTTPS inspection also uses Transparent Proxy technology, so users need no browser configuration once the certificate is imported. To confirm that inspection is active for a client, connect from it to any HTTPS site (for example with openssl s_client -connect host:443 -servername host) and look at the issuer of the certificate it receives: it should be the NG-UTM root rather than the site's public certificate authority.
HTTPS Configuration

Figure 6-23 HTTPS Configuration

SSL Listen Port: Specify which ports to redirect to HTTPS PROXY. The default is 443, but administrators can input multiple ports. For example, 443, 8443, 888, meaning these 3 ports will all be redirected to HTTPS inspection.
Certificate Time: Display the current local root certificate generation time.
Download SSL Certificate: Lets administrators download the NG-UTM local root certificate, which can then be distributed to users. If the SSL root certificate is changed, it must be regenerated and downloaded again. Clicking Re-generate Certificate opens a dialogue box.
Regenerate Certificate: Sets the validity period of the regenerated certificate: 1 month, 2 months, 3 months, 6 months, 1 year, 5 years, or 10 years. Regenerating produces a new root, so every previously installed copy stops matching and the new root must be redistributed to all users; a shorter validity limits the exposure if the key is ever leaked, at the cost of redistributing more often.
Re-generate Certificate

Figure 6-24 Re-generate Certificate

Certificate Download Link: Administrators can also give each user a URL from which to fetch the certificate and install it themselves. The link has three parts:
1. The network interface IP address or domain name, e.g. 192.168.1.254 if that is the ZONE 1 interface address.
2. The port set in "Network Interface and Routing > Network Interface > HTTPS Port". The default is 443.
3. myca.crt, the file name of the root certificate.
In this example the download URL is https://192.168.1.254:443/myca.crt. Opening this link downloads the certificate; the user then imports it into the operating system's trusted root store (on Windows, opening the downloaded .crt file starts the certificate import wizard) and, for Firefox, into the browser's own certificate store.
Certificate Installer Download Link: To simplify the process, ShareTech provides an installation program for Windows systems, allowing users to install root certificates trusted by the three major browsers, IE, Chrome, and Firefox, with a single installation.
Administrators provide each user with a URL to download the installer, consisting of three parts:
1. Network interface IP address or domain, e.g., if ZONE 1 interface IP address is 192.168.1.254.
2. The PORT set in “Network Interface and Routing > Network Interface > HTTPS Port.” The default is 443.
3. download_certinstaller.php is the page for the installer.
In this example, the downloaded URL is https://192.168.1.254:443/download_certinstaller.php. Clicking this link will automatically download the installer. After running the installer, the required root certificates will be installed.
Exclude Apple Devices: Keeps Apple devices out of the HTTPS proxy, since they do not trust the NG-UTM root and inspected connections would simply fail for them.
Exclude Source MAC Address: Excludes connections from the specified MAC addresses from HTTP/HTTPS filtering. A MAC address is easily changed on the client, so treat this as a convenience for known devices rather than an access control.
Black SRC IP Define: Excludes connections from the specified source IP addresses from HTTP/HTTPS filtering.
Black Domain Define: Excludes connections to the specified domains from HTTP/HTTPS filtering. This is the place for services that break under inspection, such as certificate-pinned applications and update services; keep the list short and reviewed, because every entry is traffic that is neither scanned nor logged.
Black Destination IP Define: Excludes connections to the specified destination IP addresses from HTTP/HTTPS filtering.
• Certification Installer Setting
To make it easy for users to obtain the SSL certificate, NG-UTM redirects the browser of any source IP address that has not yet fetched the certificate (tracked per IP, see Browsed IPs below) to the certificate download page.
SSL Certificate Download Redirection

Figure 6-25 SSL Certificate Download Redirection

Redirection Port: The port number used for the redirection; it must not be in use by anything else.
Connection Protocol: Whether HTTP or HTTPS is used for the redirection.
Source IP Address: The source IP addresses eligible for this service; addresses outside this range are not redirected.
Browsed IPs: Lists the IP addresses that have already visited the download page.
When the specified source IP has not installed an SSL certificate, the webpage they browse will be automatically redirected to the following webpage, which contains the Web certificate installer and installation instructions:
Redirection Page and Installation Instructions

Figure 6-26 Redirection Page and Installation Instructions

• SSL Certificate Message
Display the SSL certificate information currently used by NG-UTM. Related certificate settings can be found in “System Settings > 2-11. SSL Certificate.” If the SSL certificate is modified, the root certificate for each user needs to be reinstalled and trusted.
• Import SSL Certificate
Imports an SSL certificate, either pasted in manually or obtained from a certificate authority.

6-7-2. HTTPS Log

Choose whether to enable HTTPS connection log. Default is off.
If enabled, all records of connections through HTTPS proxy will be stored here, searchable by criteria.
HTTPS Connection Log

Figure 6-27 HTTPS Connection Log

6-7-3. Whitelist Certification

Some websites or applications fail certificate validation when their traffic passes through NG-UTM, typically because the client pins the server's certificate or carries its own trust store and rejects the re-signed certificate NG-UTM presents, so the service stops working.
In that case administrators can add the failed certificates to the whitelist; NG-UTM then passes connections presenting a whitelisted certificate through without replacing it. Whitelisted traffic is therefore not inspected either, so check that a certificate in the failure records really belongs to the expected service before whitelisting it.
• Certificate Failure Records
Click the [Search] button, NG-UTM will search for failed certificates based on the criteria and open a new window to display the certificate failure records.
Select the certificates and click [Add to Whitelist Certificates] button to add them to the whitelist.
Certifications Failed

Figure 6-28 Certifications Failed

• Whitelist Certificates List
Newly added whitelist certificates will be listed as follows.
Whitelist Certificates List

Figure 6-29 Whitelist Certificates List

6-8. High Availability

NG-UTM provides High Availability (HA) functionality, using 2 identical NG-UTM devices, one serving as the Master and the other as Backup.
In the event of a failure of the Master host, the Backup device immediately takes over to prevent network packet disconnection, ensuring business continuity.
Administrators also receive immediate notifications of high availability switches to perform maintenance on the failed host promptly, restoring its operation as soon as possible.
The HA architecture of NG-UTM operates in Active-Backup mode, which means only one device is active while the other remains in standby.
When the active device fails, the Backup host immediately takes over all network traffic.
Before enabling high availability, you must first specify which port is the HA Port in “Network Settings > 3-1. Zone Setting”.
• High Availability - Master
Master Host

Figure 6-31 Master Host

Enable: Enable HA functionality.
Mode: Role of this device is Master.
Local Host IP: An unused IP address in the same subnet as the HA interface's own address. It becomes the virtual IP address shared by the two hosts and can be used to manage whichever device is currently active.
If the local host IP address is not in the same subnet as the original interface IP address, access will be blocked.
For example, if the original interface IP address is 192.168.1.1/24, the local host IP address can be set to 192.168.1.5.
Remote Host IP: When operating in Master mode, this IP address is the actual IP address of the Backup host.
Detection Frequency: Set the detection frequency in seconds.
Auxiliary Detection Interface: Select an auxiliary detection interface, only switching service when both interfaces fail to detect.
Pause Switching and Data Synchronization: When it’s enabled, service switch and data synchronization will be paused.
Current Detection Status: Display whether the HA interface and auxiliary detection interface detect each other.
Recent Data Synchronization Time: Record data synchronization from Master to Backup.
• High Availability - Backup
Backup Host

Figure 6-32 Backup Host

Enable: Enable HA functionality.
Mode: Role of this device is Backup.
Local Host IP: After HA is enabled, the 2 devices share a single virtual IP address.
This virtual IP address can be used to manage the device, in addition to the device's own interface IP address.
It must be in the same subnet as the original interface IP address, or access will be blocked.
For example, if the original interface IP address is 192.168.1.1/24, the local host IP address can be set to 192.168.1.5.
Remote Host IP: When operating in Backup mode, this IP address is the actual IP address of the Master host.
Detection Frequency: Set the detection frequency in seconds.
Auxiliary Detection Interface: Select an auxiliary detection interface, only switching service when both interfaces fail to detect.
Pause Switching and Data Synchronization: When enabled, service switch and data synchronization will be paused.
Current Detection Status: Displays whether the HA interface and auxiliary detection interface detect each other.
Recent Data Synchronization Time: Records data synchronization from Master to Backup.
When 2 hosts enable HA, the interface IP addresses must be different IP addresses within the same subnet, or IP address conflicts will occur.
In the example provided, when the local device is set as Master and the remote host address is set as 192.168.10.2, then 192.168.10.2 is the Backup host.
NG-UTM will check the model group and version with the remote host 192.168.10.2, and only synchronize data when the check is successful.
The Backup host displays the recent data synchronization time. Every 5 minutes, NG-UTM HA Backup host requests data synchronization from Master, and administrators can also manually synchronize.

note

Note 1. After HA switches to the Backup, any configuration changes made on the Backup host are not synchronized back to the Master when it recovers.
If the Backup's data must be carried back to the Master, swap the roles of the two hosts (Master to Backup and Backup to Master) so that synchronization proceeds from the original Backup's configuration.
Note 2. Data that is not synchronized includes content records, system operation logs, system/network status graphs, the computer member list, and traffic analysis data.
Note 3. If the Backup host must be reachable from the external network, set up port mapping to the Backup host's HA interface IP. Prefer reaching it through a VPN rather than exposing the management interface to the Internet directly.
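The takeover rule described above (switch only when both the HA interface and the auxiliary detection interface lose the Master) is what keeps a single cut cable from producing two Masters on the shared virtual IP. The following added example (not NG-UTM code) models that decision over a sequence of detection rounds. The number of consecutive missed rounds required before takeover is an assumption for illustration, since the manual specifies only the detection frequency.

```python
"""Model NG-UTM's HA takeover rule: the Backup becomes Master only when
both the HA interface and the auxiliary detection interface stop seeing
the Master. Added example, not NG-UTM code. `misses_needed` (how many
consecutive failed rounds trigger a switch) is an assumption; the manual
only documents the detection frequency in seconds."""
from dataclasses import dataclass


@dataclass
class BackupState:
    misses_needed: int = 3      # assumption: consecutive failed rounds before takeover
    consecutive_misses: int = 0
    role: str = "backup"
    paused: bool = False        # "Pause Switching and Data Synchronization"

    def observe(self, ha_link_ok, aux_link_ok):
        """Feed one detection round; returns the role after that round."""
        if self.paused or self.role == "master":
            return self.role
        # A lost HA link alone does not mean a dead Master: the Master may
        # still be serving traffic, and promoting here would put two hosts
        # on the shared virtual IP (the conflict the manual warns about).
        if ha_link_ok or aux_link_ok:
            self.consecutive_misses = 0
            return self.role
        self.consecutive_misses += 1
        if self.consecutive_misses >= self.misses_needed:
            self.role = "master"
        return self.role


def run_rounds(rounds, misses_needed=3, paused=False):
    """rounds: iterable of (ha_ok, aux_ok) tuples, one per detection period.
    Returns the Backup's role after the last round."""
    state = BackupState(misses_needed=misses_needed, paused=paused)
    for ha_ok, aux_ok in rounds:
        state.observe(ha_ok, aux_ok)
    return state.role


if __name__ == "__main__":
    # Constructed probe sequences for the three cases that matter.
    ha_cable_cut = [(False, True)] * 10                   # only the HA link is down
    master_dead = [(False, False)] * 3                    # both paths dead
    flapping = [(False, False), (False, False), (True, True), (False, False)]
    print("HA cable cut:", run_rounds(ha_cable_cut))      # stays backup
    print("Master dead :", run_rounds(master_dead))       # becomes master
    print("Flapping    :", run_rounds(flapping))          # stays backup
```

The auxiliary interface should therefore be a path that does not share cabling or a switch with the HA port; if both run through the same switch, a single switch failure looks like a dead Master and defeats the rule.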

6-9. Remote Syslog

• Remote Connect Setup
NG-UTM can send packet communication records to an external Syslog server using Syslog format, allowing the Syslog Server to save or further analyze this information.
Remote Connect Setup

Figure 6-33 Remote Connection Setup

Enable: Enable Syslog functionality.
Server IP: IP address of the remote Syslog server, e.g., 192.168.1.100.
Server Port: The port the remote syslog server listens on. The default is UDP 514. UDP syslog is neither acknowledged nor encrypted, so messages can be lost under load and forged by anyone who can reach the server; keep the syslog server on a management network that untrusted hosts cannot reach.
Device Host Name: The configured name will be displayed in the syslog server to distinguish logs from different devices.
• Log Setting
NG-UTM can send logs in 2 formats, standard syslog and CEF; choose the one the receiving syslog server or SIEM expects.
• Log Item
Currently, 8 categories of logs can be sent to the syslog server, each with several sub-items that the administrator selects:
1. Management Targets: ★Application Control Logs ★IPS Logs ★Firewall Protection Logs ★URL Management Logs ★Web Authentication Logs ★DNS Filter Control Logs
2. Advanced Protection: ★Abnormal IP Analysis Logs ★Intranet Protection Logs
3. WAF: ★WAF Logs
4. Email Management: ★Email Logs
5. Content Records: ★Web Logs ★Web Virus Logs
6. VPN: ★PPTP Logs ★L2TP Logs ★SSLVPN Logs ★IPsec Tunnel Logs
7. Logs: ★Operation Logs
8. System Status: ★Flow Analysis
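Whichever format is selected, the receiving side has to decode it. The following added example (not NG-UTM code; the sample lines are constructed to the two formats, and the field names in them are not NG-UTM's documented field names) parses the syslog envelope and, when the message is CEF, the seven pipe-delimited header fields and the key=value extension, including the CEF escape sequences that a naive split on "|" or "=" gets wrong.

```python
"""Parse the two formats NG-UTM can emit to a remote syslog server: a plain
syslog line (RFC 3164 shape) and a CEF message carried inside one.
Added example, not NG-UTM code; SAMPLES are constructed and their field
names are illustrative, not NG-UTM's documented ones."""
import re

# <PRI>Mmm dd hh:mm:ss HOST MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# A CEF extension key starts at the beginning or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m["ts"], "host": m["host"], "msg": m["msg"]}


def _split_cef_header(body):
    """Split the 7 pipe-delimited header fields, honouring the CEF escapes
    \\| and \\\\ in header values; whatever follows is the extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, body[i:]


def _parse_cef_extension(ext):
    """key=value pairs; values may contain spaces, so a value runs until
    the next ' key=' token. \\= and \\\\ inside values are unescaped."""
    out = {}
    keys = [(m.start(1), m.end(), m.group(1)) for m in _KEY_RE.finditer(ext)]
    for idx, (kstart, vstart, key) in enumerate(keys):
        vend = keys[idx + 1][0] if idx + 1 < len(keys) else len(ext)
        raw = ext[vstart:vend].rstrip()
        out[key] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(msg):
    if not msg.startswith("CEF:"):
        raise ValueError("not a CEF message")
    header, ext = _split_cef_header(msg[len("CEF:"):])
    version, vendor, product, dev_version, sig_id, name, severity = header
    return {"cef_version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": int(severity) if severity.isdigit() else severity,
            "extension": _parse_cef_extension(ext)}


def parse_line(line):
    """Decode the syslog envelope; if the message is CEF, decode that too."""
    rec = parse_syslog(line)
    if rec["msg"].startswith("CEF:"):
        rec["cef"] = parse_cef(rec["msg"])
    return rec


# Constructed sample lines in the two formats NG-UTM can send.
SAMPLES = [
    "<134>Jan  5 10:21:07 ng-utm-hq CEF:0|ShareTech|NG-UTM|1.0|IPS-1001|"
    "IPS alert|7|src=192.168.1.23 dst=203.0.113.9 dpt=443 msg=Exploit attempt\\=blocked",
    "<134>Jan  5 10:21:08 ng-utm-hq kernel: URL blocked src=192.168.1.23 url=http://example.test/",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_line(line))
```

The Device Host Name configured above arrives as the HOST field of the envelope, so give each NG-UTM a distinct name before pointing several of them at the same server; and because the facility and severity travel only in the PRI value, filter on them rather than on free text in the message.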