NG Firewall Installation: Difference between revisions

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
Line 58: Line 58:
== Common Post-Setup-Wizard Configuration ==
== Common Post-Setup-Wizard Configuration ==


At this point Untangle has the basic configuration that will work for most networks. However, some network require some more configuration.
At this point Untangle has the basic configuration that will work for most networks. However, some networks require some more configuration.


=== Account Registration ===
=== Account Registration ===

Revision as of 00:46, 14 May 2019

Hello and thanks for your interest in Untangle!

This guide will be a quick primer on getting your Untangle installed, up and running. Hopefully it will also answer some common configuration questions without causing too much confusion. If you already have Untangle in your network you can skip to any relevant section and read from there. If you're new to Untangle, we recommend reading this section in its entirety to help familiarize yourself with the software and how it works - it will probably save you a headache or two later on.


What is Untangle?

Untangle is NGFW/UTM software, bringing together everything your network needs to stay healthy on one box: web content and spam filtering, virus scanning, VPN connectivity, multi-WAN failover capability and much more. We strive to make deployment and administration easy, with a friendly web-based GUI to help you monitor and filter traffic on your network. Untangle provides a suite of applications free of charge with the option of subscribing to additional applications as best suits your organization - our website has a full list of features. If you have additional questions the wiki and forums are always open, plus support is just a ticket away. Current pricing for paid applications, packages and appliances can be found in the store.


Perhaps we should also mention what Untangle is not:

Untangle is not a proxy. Whether in router mode or bridge mode, Untangle acts as a transparent filter for traffic, so you do not "point" browsers at it to filter traffic as you would with a proxy. Computers on your network will either use Untangle as their gateway or your network will force their traffic to flow through it, being filtered in the process. More information on deployment can be found below.


You can also take peek at Limitations of Untangle to see if Untangle is right for you.

Installing Untangle

If you have ordered a hardware appliance with Untangle pre-installed, refer to the hardware setup guides.

Untangle installs to the hard drive of a PC, erasing all data on that drive in the process. Please be aware of this before starting the installation. Also note that Untangle requires at least two NICs to be installed before you start the installation.

You can read about Untangle's hardware requirements and guidance in the Hardware Requirements documentation.

You have a few methods to install Untangle on a new server:

  • ISO: Download the ISO from Untangle or Sourceforge, burn it to a disc and boot - the Installation Wizard will guide you through the install and network configuration process.
We also have a QuickStart Guide available.
  • USB: Write an image to a bootable USB stick - instructions are available here.
  • OVA: Download the OVA from Untangle. This can be deployed in VMware and other virtualization software. When deploying in a virtual environment, be sure to read through the Cardinal Rules. Additional details are available here.
  • AWS: You can launch and run Untangle on Amazon Web Services. See AWS Install instructions here

Most users install Untangle on the server before the server is placed in-line on their network. To do this plug one interface of your Untangle into your network as you would any other computer, then start the installer. This ensures that Untangle will have access to the internet during installation.

Power down the server, insert the ISO or USB installer, and power on the server. Make sure the boot options are set to boot from the inserted CD or USB media. Once the Untangle installation has started, follow the directions on the screen to complete the installation process.

For those wishing for custom partitioning or special storage considerations, read the Expert Mode Installation

After the installation is complete the server will reboot and the Setup Wizard will appear to walk you through the next phase of installation.

If you encounter issues while installing Untangle onto your server, read the Troubleshooting Server Installation.


Setup Wizard

The Setup Wizard will open automatically when NG Firewall first boots. If you do not have a keyboard/mouse/video connected to the NG Firewall server, the Setup Wizard can be reached by plugging into a DHCP-configured laptop into the internal interface opening a browser to http://192.168.2.1/.

Once installed, the setup wizard can be repeated at any time and can be found in the NG Firewall GUI at Config > System > Support > Setup Wizard.

Welcome Page

For versions 16.3 and newer the Setup Wizard begins with a welcome page. Choose to either create an ETM Dashboard account or login with an existing account to get started. Your ETM Dashboard account is free and is necessary to activate a trial or complete license on the device. Your account is also linked to ETM Dashboard, enabling you to remotely manage your Arista Edge Threat Management appliances.

By logging in or creating your ETM Dashboard account, the Add Appliance wizard opens automatically and includes the UID of your appliance. The Add Appliance wizard guides you through the remainder of the setup steps for your new NG Firewall appliance. See Adding Appliances to ETM Dashboard for more details.

If your NG Firewall device is not connected to the Internet or requires specific configuration to connect, the wizard allows you to Configure the Internet Connection. If you are unable to connect to the Internet, you can continue with the local setup wizard by following these instructions: Offline Setup Wizard

The next steps include installing the desired apps and possibly tuning the configuration of your NG Firewall.


Common Post-Setup-Wizard Configuration

At this point Untangle has the basic configuration that will work for most networks. However, some networks require some more configuration.

Account Registration

Untangle will prompt you to sign in or register a new account with untangle.com. Registration is required to install any applications and takes only a second.

Registration has the following benefits:

  • Install free or paid applications on your Untangle NGFW.
  • Manage your licenses, renewals, servers and contact info all from one dashboard.
  • Easily transfer licenses between servers.

If you signed in with an existing account, the system will check for any unused subscriptions in your account and ask if you would like to apply them to this system.

Once you have completed the process, continue with the steps below. Your account can always be accessed by visiting http://untangle.com or clicking My Account.

Install Applications

Installing applications is covered in the User Guide. It is recommended to finish reading this section and get everything working before configuring/tuning the application settings.

Configure Other Subnets

Untangle will route all traffic according to its routing table, even in when installed as a Transparent Bridge. This means Untangle must have the proper routing table for all subnets on your network.

If you have other subnets on the network aside from those configured in the Setup Wizard you will need to configure Untangle to know about these networks. For example, if you are running as a bridge with Untangle having an address 192.168.1.2 with a netmask 255.255.255.0 but you also have a 192.168.20.* network and also a 10.0.*.* network you will need to tell Untangle where to reach these hosts.

There are several ways to do this:

  • Add a route in Config > Network > Routes telling Untangle how to reach those subnets. If 10.0.*.* is local on Internal then you simple need to create a 10.0.0.0/16 route to "Local on Internal." If 10.0.*.* lives behind another router on your network like 192.168.1.100 then you will need to add a route to send all 10.0.0.0/16 traffic to 192.168.1.100.
  • Add an alias on the appropriate interface. In Config > Network > Interface click edit on the appropriate interface and add an alias IP. This effectively tells Untangle that this IP range is local and can be reached locally on that interface. It also provides Untangle a local address on those subnets should any of those clients need to reach Untangle using a local IP.

Each subnet on your network will need to be configured so Untangle knows how to reach them. The "Ping Test" in Config > Network > Troubleshooting can be used to verify that Untangle can reach the configured subnets.

More in depth information about how Untangle network is configured is found in Network Configuration.

Configure Other Interfaces

In the setup wizard you configured both the Internal and External interfaces. If you have more than 2 interfaces, the 3rd and beyond are Disabled by default.

If you plan to use them, they must be configured and it is suggested to choose a name reflecting its use.

Common uses include:

Additional WAN interfaces (if you have multiple internet connections) for failover/balancing
To do this just configure it as a WAN interface with the ISP's provided values. Read more about WAN Failover and WAN Balancer for more information about failover/balancing.
Other internal networks
To do this just configure it as a non-WAN interface with a static internal IP. For example if you used 192.168.1.1/24 on your internal, you could use 192.168.2.1/24 on your 3rd interface. This is useful on larger networks, for guest networks, for wireless networks etc.
Public segment for public servers (DMZ)
If you have servers with public address you can stick them on the additional interface(s) and bridge those interfaces to your WAN. Then configure them with IPs on the same subnet as the WAN interface.
Additional NICs for existing networks
If you want additional NICs for you Internal (for example) you can bridge the 3rd interface to your Internal and plug in additional internal machines to that NIC. This behaves similar to a switch, but traffic going through the untangle to reach other internal hosts is scanned by the apps.

More in depth information about how Untangle network is configured is found in Network Configuration.

Email

Some Untangle applications and functions rely on sending email like reports and spam quarantine digests. Email sending is configured in Config > Email. By default email will be sent directly using DNS MX records like a mail server. However, some ISPs and networks block port 25 to prevent spam and in this case you must configure a SMTP relay (and the appropriate authorization credentials if required).

Hostname

You can configure the hostname (and domain) for the Untangle server in Config > Network > Hostname.

Port Forward Rules

If Untangle is installed as a router and have internal servers with services that need to be publicly accessible you need to configure port forward rules to forward that traffic to the appropriate server. You can configure port forward rules in Config > Network > Port Forward Rules.

Bypass Rules

Unlike many next-generation firewalls, Untangle scans All TCP and UDP traffic on all ports at the application layer by default, except for VoIP traffic. This is ideal for most deployments but if you are running a very large (1000s of users) network it probably makes sense to bypass traffic that you are not interested in scanning. Traffic can be bypassed in Config > Network > Bypass Rules. More is described in the Network documentation.

Public Address

If you use OpenVPN or quarantine or other publicly accessible services on Untangle, you may wish to configure the "public address" of Untangle so that it sends the appropriate URL to remote users. Public Address can be configured in Config > Administration > Public Address.

External Administration

If you'd like to be able to administer Untangle via HTTPS remotely you will need to enable HTTPS access on WAN interfaces in the Access Rules.

Installing Untangle on the Network

At this point Untangle should be ready to drop into the network if it is not already in place.

If Untangle is configured in bridge mode an easy way to test Untangle is to install it with only one or a few computers behind it - plug the External interface into your network then plug a switch with a few computers into the Internal interface so they must go through Untangle. Only those computers will be filtered, allowing you to test without disturbing there rest of your network.

If you are running as a Transparent Bridge verify that Untangle is not plugged in backwards by unplugging the network cables one at a time and looking at the green lights in Config > Network > Interfaces. If Untangle is configured as a bridge and plugged in backwards it will pass traffic but some functionality will not work correctly. Untangle also provides Administrative Alerts which will bring this to your attention so you can fix it.

  • Untangle is designed to drop in to your network with minimum disruption. When testing we recommend putting the system in place, keeping most defaults unless you're having problems. This way you can get a feel for how Untangle works before making possibly major changes that may affect system operation.

Using Untangle

The next step is installing the applications and configuring Untangle to meet your needs. The User Guide provides in depth documentation of the various functions of Untangle and the applications.

Welcome to Untangle! ʘ‿ʘ