From Edge Threat Management Wiki - Arista
Jump to navigationJump to search


This section answers general questions about Arista Edge Threat Management NG Firewall and how it works.

What is NG Firewall?

ETM Next Generation (NG) Firewall is a platform for deploying network based applications. The platform unites these applications around a common GUI, database and reporting. NG Firewall's applications inspect network traffic simultaneously, which greatly reduces the resource requirements of each individual application. The NG Firewall platform currently supports many open source applications and commercial add-ons.

Is NG Firewall hardware or software?

NG Firewall is software that can be installed on standard Intel-compatible hardware, or you can purchase a hardware appliance directly from Arista ETM with the software pre-installed. The minimum hardware requirements can be found here, and many Arista partners offer pre-built systems.

Where does NG Firewall sit on the network?

NG Firewall should sit at or directly behind the network gateway in between your network and the Internet. Please see our installation guide for examples of where NG Firewall should be placed in your network.

Does NG Firewall use open source software?

Yes, NG Firewall uses several open source projects. We seek to offer the best technology in each of our apps whether or not that requires writing proprietary code, working with existing open source projects to combine the best features from multiple projects, adding missing features or simply optimizing them for the NG Firewall platform. The NG Firewall platform itself is a proprietary technology that was developed internally.

Who owns my network data? Is it private?

You own 100% of your network data. Arista ETM does not have access to your NG Firewall or your network unless you explicitly authorize us by turning on remote support access in Config > System > Support. Your data is 100% private.


My separate internal networks can reach each other. Why?

By default, all NG Firewall interfaces can talk to each other. This is because, by default, NAT (Network Address Translation) is performed on traffic leaving the WANs only (not traffic between LANs). If you want them to be separate follow the documentation nat documentation.

How secure is NG Firewall by default?

NG Firewall has no open ports by default on WAN interfaces, and has HTTP and HTTPS open by default on non-WAN interfaces. If any ports are showing up as open from the outside, you've either set up a port forward for them or you've enabled HTTPS administration on WANs or NG Firewall is somehow misconfigured.

Does NG Firewall support VLANs?


NG Firewall support both tagged (802.1q) VLANs and untagged VLANs.

Untagged VLANs are just separate networks on the same interfaces and can be handled by

  • Adding an alias to the appropriate interfaces (ie to the Internal Aliases), effectively telling Untangle that this network range is local on this interface.
  • Adding a route so traffic for that subnet is routed appropriately (ie is routed to "local on Internal (eth1)"

Tagged VLANs are handled by creating a separate VLAN interface in Config > Network. All traffic received on the configured Parent interface with the configured VLAN tag will be perceived to come from the VLAN interface. All traffic sent to the configured VLAN interface will actually be sent on the Parent interface with the configured VLAN tag.

See Network_Configuration#VLANs for more information.

Can I put a WiFi card in my NG Firewall?

Currently some wireless cards are supported. Unlike regular NICs, wireless support is much more problematic and complicated. If wireless is a priority we suggest looking at one of our appliances that comes with wireless support. If you want to build your own wireless server, be prepared for some research and trial and error to find a working setup. There is more information here: 11.1_Changelog#Wireless_Support.

How can I add a guest or private WiFi/WAP network to my NG Firewall?

You will need to disable DHCP on the wireless Access Point, give it an IP in the subnet of NG Firewall's interface you're plugging it into, and use a LAN port rather than a WAN/Uplink port on the AP, or disable NAT.

To add WiFi to your existing network, just plug the AP into a switch somewhere on the network. Please note if you have a combination WiFi AP/modem that NG Firewall sits behind, wireless traffic may bypass the NG Firewall and not be filtered. WiFi APs must be downstream of NG Firewall.

If you're looking for a guest WiFi network walled off from your private network, the easiest way is to plug the wireless AP into its own interface.

Does NG Firewall have high availability options or support automatic hardware failover?

As of version 10.1 NG Firewall supports High Availability through the use of VRRP. More information on VRRP configuration can be found here: Network Configuration - VRRP

Licensing and Subscriptions

This section has answers to questions relating to purchasing, licensing and subscriptions.

How does NG Firewall licensing work?

NG Firewall licensing is done individually for each deployed NG Firewall server. One license cannot be shared across multiple NG Firewall servers. The pricing band is determined by the number of devices that are behind the NG Firewall server. Our current pricing model allows the purchase of a monthly, 1-year, or 3-year subscription.

How do I determine the correct pricing band?

NG Firewall products and services are priced by bands for different sized companies and networks. The appropriate band can be calculated by the number of active devices on all local networks and VPN interfaces.

Note: Bypassed devices are not counted. Bypass Rules can be added for devices that do not need NG Firewall scanning and services (VoIP devices, printers, and so forth) but still require internet access.

What happens if the number of devices on my network temporarily exceeds my licensed number of devices?

For any device over the upper limit of the license count, their traffic will not be scanned by the paid applications. They will still be online and have full connectivity but will not receive the benefits of the paid application.

Can I exclude devices from counting towards the license?

In some cases you may prefer to exclude devices such as printers or guest devices from consuming licensing of paid apps. The consequence is that bypassed devices can access the Internet but will not apply to the security layers provided by the paid apps. You can bypass devices based on IP address or you can bypass an entire network. For configuration details see Bypass Rules.

How can I see how many devices are currently on my network?

In Config > About, the Current active device count shows the number of active devices currently on the network. Highest active device count since reboot shows the highest number of licensed devices that have been on the network since reboot.

An Alert will be shown if the your license is currently being exceeded. Remember, bypassed devices are not counted so you can manage your device count with Bypass Rules.

At the top of the rack the number of currently knows hosts is shown above "Hosts." Clicking on this number or selecting "Show Hosts" in the drop down menu at the top of the rack will show the list of currently known devices. However, not all known devices are counted against licenses. If you use a drop down in one of the columns at the top and display the "Active" column you can see which hosts are counted as active. Only active hosts are the only hosts counted towards the license limit.

How do I purchase NG Firewall software?

Log into your ETM Dashboard account, click GET STARTED in the top right-hand corner, and select Buy.

You can also contact our Sales department directly by phone at (877) 754-2986, option 2 or by email at edge.sales@arista.com.

What happens if I stop paying for my subscription(s)?

If you stop paying for your subscriptions any paid applications will stop working when your subscription ends. You will see No License Found on the icon of any paid applications in the Apps page. It's very easy to get your account back working again by contacting our sales department to renew your subscription and all of your previous settings will return.

What's a UID?

Refer to the knowledge base https://support.untangle.com/hc/en-us/articles/201710527

What's a voucher and voucher key?

Refer to All about vouchers for more details on vouchers & how to use them.

Can I try NG Firewall or Applications before purchase?

Yes! All of our paid applications have a fully functional 30-day free trial available. During the trial period the icon of any trial mode applications will show xx Days Remaining, this will switch over to Free Trial Expired once the trial period has ended. If you want to purchase an expired application it will retain your settings as long as you don't remove it from the rack.

Do my other applications still work after my trials expire?

Yes. All free applications in the Lite Package will never expire.

I just purchased a product, however it is still reporting as a trial version?

If you have not yet assigned your subscription, do that first: How to assign a subscription to an appliance

If you have assigned your subscription, you can ignore the warning that your trial will expire in X days. Once the trial ends, the subscription assigned 'behind' it will take over automatically.

How do I renew my subscription(s)?

Refer to the knowledge base at https://support.untangle.com/hc/en-us/articles/115012351228-How-to-renew-a-subscription

How do I unsubscribe or cancel my subscription(s)?

You can turn off auto renewal by logging into your store account, clicking My Subscriptions, then modifying the Auto Renew field.

Why is my renewal date not changing after I renewed my subscription?

If your subscription is enabled for renewal but the renewal date still shows the same date as before, don't worry - because we don't charge your account for the subscription renewal until the renewal date, the renewal date will not change until that charge takes place. For example, say you enabled a subscription for renewal with a renewal date of November 11, 2010. On November 11 we will charge your account for the cost of the renewal and update your renewal date to November 11, 2011. If your subscription does not appear when you click Renewals in your store account it is already enabled for renewal.

I reinstalled my NG Firewall Server, why can't I reinstall my paid subscriptions?

Each NG Firewall has a UID, or Unique Identifier that is set during the install and never changed. If you reinstall your NG Firewall it will have a new UID and you'll need to transfer the subscription to the new UID to be able to download your subscription. Instructions on subscription transfer are below.

How can I transfer my subscription?

IMPORTANT: Before transferring the subscription, be sure to download any backups from your store account at Appliances > Backups - once the transfer has been made you will no longer be able to access the backups of the old UID.

Steps to transfer the license to the new server.
1. Login to the store with the store account.
2. On the top menu, click Subscriptions.

Remove Subscriptions
Remove Subscriptions

3. Click the Name/UID link for the subscription you want to transfer.
4. This will remove the subscription from the appliance. Click Remove to confirm. Once removed, the subscription becomes a voucher available for use on another NG Firewall UID.
5. To add the license to another NG Firewall UID, click the unassigned link on the Subscriptions tab.

Click Unassigned
Click Unassigned

6. Select a device from the list to transfer the subscriptions to and click Add.

Add Subscription
Add Subscription


This section has answers to common networking questions. You'll want to take a look at our User Guide and Network Configuration for more information on general network settings.

If I am using NAT, how can I provide access to a web server on the internal network?

  1. If the web server is using DHCP, it should be assigned a static address or a static DHCP lease.
  2. Create a port forward rule for all incoming traffic on port 80 to your web server as discussed in Port Forward Rules.

Why can only some of my subnets access the Internet?

NG Firewall needs to know about the other subnets in order to correctly route traffic to them; this can be done in several ways:

  • Give NG Firewall an alias on each subnet at Config > Networking for that interface. Make sure to use a reall, unused IP, not x.x.x.0.
  • Alternatively, if your subnets are close (e.g. 192.168.1.x, 192.168.2.x) you can expand NG Firewall's netmask on that interface.

If your other subnets are behind a different internal router, you'll probably need to add routes pointing the subnets to that router.

Read Network_Configuration and Installation for more information.

Does NG Firewall support dual WAN or WAN failover?

Yes! For information on Multi-WAN, see WAN Balancer for Load Balancing and WAN Failover for failover.

Can I use OpenDNS with NG Firewall?

We've seen a lot of confusion regarding OpenDNS - many of our customers want to use OpenDNS as a "second layer of protection." While this is all well and good, most of the time we see people putting OpenDNS's servers on NG Firewall's External interface, which isn't the right way of going about it. We always recommend using your ISP's DNS servers on any WAN interfaces of NG Firewall. We do not recommend using OpenDNS, public, or internal DNS servers as they can hamper the effectiveness of Spam Blocker and sometimes the performance of Web Filter.

If you want to use OpenDNS with NG Firewall, you should hand out OpenDNS as the DNS servers for the end users only. To do this, set the OpenDNS DNS server as the "DNS Override setting in your DHCP settings on your internal interface(s).

This way, NG Firewall will hand out OpenDNS to the clients it gives DHCP addresses. If you're running your own DHCP server, you'll need to figure out how to make the change for your particular server software.


These FAQs explain how updates are performed.

How do I check for updates? Is this automatic?

NG Firewall automatically performs and installs definition updates for all applications; you can modify the platform updates settings at Config > Updates > Update Settings. If you turn Automatic Updates off, you will still receive definition updates, however platform updates will not automatically be applied.

How do I know if updates are available for download?

The Config > Upgrades button will light up when upgrades are available, just click it and follow the prompts to upgrade.


These FAQs explain how NG Firewall handles VoIP traffic.

How does NG Firewall handle VoIP traffic?

Most VoIP traffic is automatically bypassed from scanning by default because it is sensitive to latency. It is recommended to manually add bypass rules for non-standard VoIP installations.

After installing NG Firewall, my VoIP doesn't work. Why?

Verify your VoIP devices are set to do NAT Traversal themselves - if they are not, you can try enabling the SIP Helper at Config > Networking > Advanced > General.