SecPoint Protector UTM Appliance Questions FAQ

Here you can get the answer to the most common questions for the Protector UTM Appliance.

If you do not see your question, please mail us.

You can see the questions in the right side menu.

The FAQ (frequently asked questions) covers both technical and non-technical questions.

You can also click our live chat and chat with a representative to get a fast reply to your questions.

Below are some of the questions you can find answered.

Protector not starting up anymore
This morning I started a firmware update from the console. After 4 hours it was still telling me that it was running, but nothing happened. On the web interface a message was displayed that the system stopped updating at 59%. I chose the option to resume the update, but nothing happened. At 13h00 I decided to restart the system. Now the system hangs at "Starting up X11 session manager". I have no more access to the system. What do you suggest I do?

Reply

Type "console" to force the firmware update from the console.

Constant Red Light on SFF Unit

Yes, the red indicator is the HDD light; it means the hard drive is working properly.

Meanwhile the firmware update was successful.
We also ran the kernel update successfully.
So now the status is entirely green again.
Thanks for the support! Keep up the good work.

We have problems that the intermediate certificates are not returned by the Protector.

It seems that the bundle contains 3 parts for the chain, 1 for the cert itself and 1 for the private key.

I added one extra to the chain (2 -> 3) and it works now for protector2.spam.exchange.

So no bug, but a missing cert in the chain.

Reply:

The chain certificate can be uploaded, but it's not mandatory.

They can get and upload a chain or intermediate certificate, so that those websites will not complain any more.

How does the Protector work on the network compared to a traditional router?

Yes, but this can be used when you want to put the Protector on your LAN without touching anything in the LAN. It cannot do web filtering based on client IP, but all the rest works.
Then, if you already have a firewall, an IPS etc., OK, but the Protector can do it better, and it has the email filtering that a normal router doesn't have.

In this diagram you can put the Protector on your LAN without touching anything in the LAN configuration.
This scenario will give the benefits of Firewall, VPN, IPS, 640 Million IP Block List, Email Filtering/Archive, Anti Virus & Application Blocking.

Can we block any unusual SSH and RDP connections with SecPoint Protector?

For Protector UTM Firewall:

RDP to any IP on the default port can be blocked through 1-click app block or through the firewall.
RDP to specific IPs or through ports other than the default must be blocked through the firewall.
SSH must be blocked through the firewall, with the choice to select all IPs or specific IPs and the default port or a specific port.

It prevents others from abusing your domain for spam sending.

SPF, DKIM and a policy.

Can I get a daily or weekly report?

Can I get a daily or weekly report sent to multiple persons about the overall performance of each of the modules on the firewall?

Reply

Yes. Alert Center > Notification Emails takes you to this page:

/spprotector/admin/alertmail.php

You can add multiple email addresses there.
At the moment only your email address is added:

Error connecting to VPN from Android

How can I connect from an Android device?

On Android:
VPN type: PPTP
Checkbox PPP Cryptography (MPPE): checked
That's it.

How can I turn on the Firewall?

The firewall can be turned on or off.

When you enable the firewall module, you must first check that the ports you need are allowed.
The main benefit of enabling the firewall here is that it will block all ports except those that are allowed.
You can do this from here: /spprotector/fwrules.php

How can I change the MX record for my domain?

I need to change the MX record for my domain to point to the Protector Firewall for anti spam scanning.

Please go to https://dnschecker.org/mx-lookup.php and type your domain there.

Then it will show your existing MX record.

The next step is to contact your domain provider, or log in to their interface, and change it to the new DNS hostname or IP address.

After the change is made, go in the Protector to the Email Setup > Mail Servers tab, put in your domain name and the mail server IP address where clean mails are sent to.

Should I use Grey listing?

There is a smart function for anti spam called grey listing.
The customer can enable or disable it easily.

Grey listing uses a small trick: it blocks ALL mails for 10 minutes the first time.
So if a valid user sends a mail, the Protector puts in a 10-minute delay.

And because it is a real mail, the real mail server will retry sending the mail to the Protector.
When the Protector sees it resent, it knows it is a real mail server and whitelists the user.
The downside is that the first time they mail it can cause a 10-minute delay, but only one time, until they are whitelisted.

Most spam computers are hacked botnets / Windows computers and they cannot resend mails,
so enabling grey listing alone will remove about 70-80% of spam.

It is off now and the customer can enable it if they get more spam, just so they are aware there can be a small delay in the start.
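The delay-and-retry logic described above, as an added example that is not part of the original FAQ or the Protector's own code: it temp-fails the first delivery attempt, accepts a retry after the 10-minute window, and then remembers the sender so later mail is not delayed. The (client IP, sender, recipient) triplet key and all addresses are assumptions.

```python
"""Greylisting model: the first attempt is temporarily rejected, a retry after
the delay is accepted and the sender is whitelisted. Constructed example."""
from dataclasses import dataclass, field

TEN_MINUTES = 10 * 60  # the delay described in the FAQ, in seconds


@dataclass
class Greylister:
    """Tracks (client IP, envelope sender, recipient) triplets, the key most
    greylisting implementations use (assumption: the page does not say what
    the Protector keys on)."""
    delay: int = TEN_MINUTES
    pending: dict = field(default_factory=dict)    # triplet -> first-seen time
    whitelist: set = field(default_factory=set)    # triplets that retried properly

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Return 'accept' or 'tempfail' (an SMTP 4xx, i.e. 'try again later')."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.whitelist:
            return "accept"                       # known-good sender: no delay
        first_seen = self.pending.get(triplet)
        if first_seen is None:
            self.pending[triplet] = now           # never seen: greylist it
            return "tempfail"
        if now - first_seen >= self.delay:
            self.whitelist.add(triplet)           # a real MTA retried: whitelist
            del self.pending[triplet]
            return "accept"
        return "tempfail"                         # retried too early: keep waiting


def simulate() -> dict:
    """Replay two senders against the greylister and return what happened."""
    gl = Greylister()
    log = {}
    # A real mail server (constructed addresses) retries about 15 minutes later.
    legit = ("203.0.113.10", "alice@example.com", "bob@customer.example")
    log["legit_first"] = gl.decide(*legit, now=0)
    log["legit_retry_early"] = gl.decide(*legit, now=5 * 60)     # too early: still 4xx
    log["legit_retry"] = gl.decide(*legit, now=15 * 60)          # accepted, whitelisted
    log["legit_next_mail"] = gl.decide(*legit, now=60 * 60)      # no delay any more
    # A spam bot fires once and never retries, so nothing is ever accepted.
    bot = ("198.51.100.77", "promo@spam.example", "bob@customer.example")
    log["bot_first"] = gl.decide(*bot, now=0)
    log["bot_delivered"] = bot in gl.whitelist
    return log


if __name__ == "__main__":
    for step, outcome in simulate().items():
        print(f"{step:18s} {outcome}")
```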

Should any settings be changed in Outlook?

Should the IP address of the Protector be placed in the area where the server is? Please advise, as they are getting an error when using the Outlook application. Is there a special configuration that has to be set for Outlook?

They must not change the Outlook settings. The Protector is not an SMTP server; it captures and checks mail that is sent from a client to the SMTP server.

Adding 16 GB RAM to Virtual Image: How to disable Swap?

Only do this if you have any stability issues.

Sometimes adding 16 GB RAM to the virtual edition can cause problems and require swap to be turned off.

The Linux OS inside the VM will have 16 GB.

This can be done from the console menu, but only do it if any issues are experienced.

How can I block IP ranges that are hammering our Mail Server?

If someone is hammering your Protector mail server, simply click Anti Spam Listings and then Hard Block Listing & TLD.

There you can add their entire IP CIDR range to block them off.

I get an error loading the G4L Ghost 4 Linux Image

The issue was that I made the disk 250GB, but the size after partitioning was about 232GB.

I made it 300GB, ran it again and it worked.

Firewall configuration rule

When I try to configure any rule, the validation always shows the following message:

Reply

The Destination zone: if you enter an IP address, you must also click "Only hosts...".

Outgoing reports quarantined

I have configured the Protector to send Webfilter reports on a daily basis. The reports get into the spam. When I want to release the report, it ends up again in the list of quarantined e-mails.
I whitelisted the localhost but the problem still persists.

The row is green, which means that the email is whitelisted. All the emails processed by the Protector are visible in the quarantine, not only spam.

Carbonite backup blocked

It has the same pattern as P2P.

So to allow it, make sure to disable Anti P2P Blocking in the Content Filter.

640 Million IP Block question

After enabling the 640 Million IP block in the Firewall I can't receive specific mails.

We have trouble receiving some specific mails when the 640 Million IP blocking is enabled.

If it worked after unblocking the 640 million, it means that the sender's IP address is in the list. So, they can leave it disabled.

The error "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" is not related to the 640 million block.

How to get online with a Modem?

I received the Protector P9 device today and started immediately with the install.
The Protector is connected to the internet modem. I have no fixed public IP address for my internet connection. Attached is the config of the Internet access on the device I am replacing, which is working fine.
With the same settings (Gateway and DNS), the Protector is unable to connect to the internet.
What is going wrong?

Reply

OK, you put the Modem in port A so it has internet.
Then you set the Protector with a local IP, for example 192.168.1.2.

So you have:
Modem (WAN) -> Protector -> LAN

Via VPN problem connecting to a local resource

While connected to the VPN I can access the network via the IP address and not the hostname.

If I type 192.168.0.4 (file://192.168.0.4) I get through; if I type mainsrv (file://mainsrv) I don't get through.

Reply

It most probably depends on the DNS. Which DNS server is configured on the client? The client should use a DNS server that can resolve these names.

AWL Score Question

I noticed that some messages are being blocked because the AWL score is high.

In this case the AWL gives 4.21 points, which makes the spam filter block the message.

Any idea why? In my opinion, when an address is whitelisted it should give a lower score?

This question came out of a few messages that are being blocked.

I saw the AWL giving the mail a higher score.

The issue is that some messages are being blocked that we don't want to be blocked.

Those are mostly messages from services such as Sendgrid.

I have added the IP address in the whitelist as XXX.XX. but still the messages are being blocked.

I have three Message IDs; is it possible to take a look and explain why those are blocked?

Reply

Message has received a score of 5.99 from AWL, which would be enough to trigger the SPAM flag. However, it has also been caught by 4 RBLs, with an extra score of 18, which means that the sender is blacklisted in public registers.
Message is almost the same.

Message has received a negative score from AWL (non-spam), but has been caught by 3 RBLs, which have added a score of 13.50. So, this one has not been blocked by AWL.
We may create an AWL config interface in the Protector to alter the behavior of the AWL filter, but the main issue here seems to be the RBL.

Reply

But doesn't it help that we've whitelisted the IP range to avoid the blacklist?

Reply

The IP address added to the white/black list is checked against the sender's IP address, but there's no check for partial IPs. I have removed the "XXX.XX." from the white list and added 4 complete IPs. So, the answer to this issue is that the IP address must be complete.

As an improvement, we may look at a more recent version of the check function that also checks for partial IP addresses, or another version that allows white/blacklisting per TLD.

However, this improvement should also be done with the AWL management, so that the user is able to watch the content of the AWL and remove email addresses from it.

Reply

Ok perfect. I'll keep an eye on it to see how it goes now.
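The exact-match behaviour the reply above describes (a partial entry such as "XXX.XX." never equals a full sender IP) beside a CIDR-aware check and a converter for such dotted prefixes, as an added example; it is not the Protector's code, and the addresses are constructed documentation ranges.

```python
"""Sender-IP white/blacklist matching: the exact check the reply describes,
a CIDR-aware alternative, and a converter for partial "198.51." style entries.
Constructed example, not the Protector's code."""
import ipaddress
from typing import List, Optional


def exact_match(entries: List[str], sender_ip: str) -> bool:
    """Current behaviour: an entry matches only if it equals the whole sender IP.
    A partial entry such as "198.51.100." therefore never matches anything."""
    return sender_ip.strip() in {e.strip() for e in entries}


def partial_to_cidr(entry: str) -> Optional[str]:
    """Turn a dotted prefix ("198.51." or "198.51.100.") into the CIDR block it
    implies ("198.51.0.0/16", "198.51.100.0/24"). Returns None for anything else."""
    entry = entry.strip()
    if not entry.endswith("."):
        return None
    octets = entry[:-1].split(".")
    if not 1 <= len(octets) <= 3:
        return None
    if not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ".".join(padded) + f"/{8 * len(octets)}"


def cidr_match(entries: List[str], sender_ip: str) -> bool:
    """Proposed improvement: entries may be single IPs, CIDR blocks or dotted
    prefixes. Anything that still cannot be parsed is skipped, never treated
    as a wildcard."""
    ip = ipaddress.ip_address(sender_ip.strip())
    for entry in entries:
        candidate = partial_to_cidr(entry) or entry.strip()
        try:
            network = ipaddress.ip_network(candidate, strict=False)
        except ValueError:
            continue                               # malformed entry: ignore it
        if ip in network:
            return True
    return False


if __name__ == "__main__":
    sender = "198.51.100.7"                        # constructed sender address
    print("exact, partial entry :", exact_match(["198.51.100."], sender))
    print("exact, full entry    :", exact_match(["198.51.100.7"], sender))
    print("cidr, partial entry  :", cidr_match(["198.51.100."], sender))
```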

Daily Report Question

Perhaps you can check why it is not possible to receive the daily spam report?

When I try to send it, nothing happens. I do not see it in the outgoing e-mail and I do not receive it.
For the daily webfilter report this is working fine.

Reply

You must click to enable it.

Gmail to handle all e-mails for that domain

I am preparing the configuration of the e-mail for a domain that makes use of Gmail to handle all e-mails for that domain. At this moment the MX records of the domain refer to the Google aspmx.l.google.com URL.
I can modify the MX records to refer to the Protector public IP, but how do I configure the Protector to send e-mail to the Google SMTP servers? I cannot find any guide on the SecPoint website explaining this.

Reply

Yes. In theory, on the Protector you must simply configure as mail server the current MX record, then point the MX record to the Protector.

Is the Protector configured with aspmx.l.google.com as mail server?

Yes, aspmx.l.google.com is configured as mail server in the Protector.

Problem is solved.
The user email needed to be added to the e-mail users.

Question on TLS

Normally the ISP supports TLS and credentials need to be used. Any idea why this is not working? As you may understand, I prefer encrypted e-mail.

TLS means encrypted email, so there's no problem.
Credentials only need to be used when a client (the email owner, through Outlook etc.) connects to the mail server to download email from a mailbox, or when it wants to send an email outside.
When a mail transfer agent (the postman) connects to a mail server to deliver a mail to a mailbox, it doesn't need to enter credentials (unless specially protected mail servers ask to do so).

Question on mail setup

I am trying to set up the e-mail on the Protector. As a trial, I am setting up the e-mail for the domain ; for which e-mail addresses have not been made public up to now. This way I can do the setup without interrupting my business. The mail server is at my ISP hosting the domain. The public IP address of the server is IP.

I have added the mail server in the e-mail setup. Printscreens are attached.
I also added the involved IP address in the Servers Authorized to Relay tab. Printscreen attached.
I also added the user to the E-mail authorized users.
I configured the MX record as follows: domain - TTL300 - IN - MX - filter.domain (I cannot enter IP addresses for MX records)
I created filter.domain - TTL300 - IN - A - IP (my public IP)

So the idea is that the domain, hosted on IP, based on the MX settings, will transfer e-mails to the Protector on IP. The Protector is configured to send out e-mails that have been validated again to IP, which also hosts the webmail app.

When sending an e-mail, it times out. So it seems that the Protector does not receive the e-mail.
In order to solve this I thought a rule on the Cisco to forward incoming traffic on port 993 (the IMAP port supported by the ISP) to the Protector on 192.168.1.2 would solve the issue. But no change.

Can you please help with this?

Reply

The MX record is correctly set to filter.domain – OK

filter.domain points to IP, the Protector public IP – OK

As a consequence, the email for the domain will be sent to IP, and here, from the public IP, it must be sent to the Protector's local IP. The protocol is not IMAP, because the Protector acts as an MTA (mail transfer agent), using ports 25 or 465, depending on the settings. So, the rule to create on the Cisco is to forward ports 25 and/or 465.
Another problem could be the username/password configured to forward mail to the mail server IP. The username/password are required by the mail server when we try to relay (send an email to another server through IP). For incoming mail it should not be necessary.
Then, at least for testing, I would remove the restriction on Authorized Users. When the whole mail management works, for incoming and outgoing mail, it can be restored.

Email works, after enabling incoming mail on port 25.

Problem connecting VPN

Attached is the error that I now receive.

Reply

A VPN connection from Windows 10 connects.

Can't connect Keyboard to unit

No connection with USB keyboard.
OK, thanks. Switching to a QWERTY keyboard enabled me to get to the SecPoint login screen. Now I tried to log in with the admin credentials that were provided.

Protector Config with Cisco Device

Indeed, I replaced the AZERTY keyboard with QWERTY.

OK, I now succeeded in logging in as su.

ifconfig shows me the IP address that I entered: 10.10.0.2

Firefox now starts and I am able to get to the GUI when using my credentials received in the box and pointing to the IP address 10.10.0.2.

I have removed the eth3 adapter via the GUI. I then rebooted the system.

So far all good.

My network config:
The Internet modem will be connected to eth1 of the Protector with IP 10.10.0.2, eth2 will be connected to my Cisco RV325 router with IP 10.10.0.1. The PC is connected to the Cisco router and for the moment has fixed IP 10.10.0.5.

This is what I did yesterday and what should work to my understanding.

But the Protector gives an error that internet is not available. Network settings on the Protector are:
IP 10.10.0.2
Subnet 255.255.255.0
Gateway 10.10.0.1
DNS1:
DNS2:
Both DNS settings are from the ISP.

What is wrong in my configuration?

Reply

Please set DNS to 1.1.1.1 and 1.0.0.1.

To do a test, disconnect the Cisco router from the Protector.

The Protector uses eth0 and eth1 in bridge. Eth0 (not eth1) must be connected to the Internet modem. If the public IP of the Internet modem is IP, probably the Protector cannot reach it. In the Protector shell, try to ping or telnet IP, and see if it can be reached. If not, configure the Protector network settings with gateway = the local IP address of the Internet router.

Alternatively, temporarily bypass the Protector by connecting the Cisco router to the Internet router. Then, on the PC 10.10.0.5, open a DOS command prompt as administrator, type ipconfig /all and see what the default gateway is. Put the same gateway in the Protector.

The idea of giving the Protector an IP in the network of IP was because I saw in a picture that the Cisco was configured with a similar IP.
Question: where is the DHCP server? I guess the PC is configured with automatic IP, and if the Cisco is configured as gateway, the only possible DHCP server is the Modem, right?
In this case, what is the IP range configured for DHCP in the modem?
Is it possible to connect a PC to the modem (Protector and Cisco disconnected) and see what IP address it receives?

The Cisco is set as a switch, so it must be behind the Protector. Can we test with a PC connected straight into the Internet modem? I wanted to know what IP the PC receives, as this would tell us what network is behind the modem, and especially if it has a DHCP server or not.

This could be the problem. It means that the Internet modem behaves like a network switch, without a DHCP server, and the whole ISP network is like a big LAN. So, I guess that the Cisco is normally configured to get the IP through DHCP.
Then, the Cisco is normally configured as a router, so it has a DHCP server inside that provides addresses in the LAN behind it in the subnet 10.10.0.x.

Unfortunately the Protector can only work with a static IP, and this IP cannot be in the subnet 10.10.0.x, because this is a subnet created by the Cisco when it's configured as router. And the Cisco today is behind the Protector, not on top of it.

Solutions:
1-

Modem (variable IP) --> (WAN Port) Cisco RV325 IP 10.10.0.1 (LAN Port) --> (Eth0 Port) Protector IP 10.10.0.2 (Eth1 Port) --> Another network switch --> LAN (PC IP 10.10.0.106 etc.)
The Cisco is used as a DHCP server (configured like a router), and not used like a switch. Only 1 LAN port will be used on the Cisco, and it is for the Protector. The Protector must be connected to the Cisco, not to the modem, and can have IP 10.0.0.2. In this configuration, the Protector should be able to access the Internet. Then, the LAN must be connected to the Eth1 port of the Protector through another network switch.

2-

Modem (variable IP) --> A new Router (192.168.0.1) --> (Eth0 Port) Protector IP 192.168.0.2 (Eth1 Port) --> (WAN Port) Cisco RV325 IP 10.10.0.1 (LAN Port) --> LAN (PC IP 10.10.0.106 etc.)
A new router must be placed behind the modem. It will receive an IP address (like the Cisco does today) in the subnet of the ISP (84.192...). It has a DHCP server that will create a new subnet, for example 192.168.0.x. The Protector is connected to the new router and has a static IP in the subnet 192.168.0.x. The Cisco is connected to Eth1 of the Protector and is configured as today (router), so it will receive an IP through DHCP in the subnet 192.168.0.x and will provide addresses to the LAN behind it, like today.

3-
Get a static IP address from the ISP and configure the Protector with it.
 

At the moment the Protector is working as a transparent bridge. With the ISP restrictions in place on IP and MAC address, the solution to adopt is #1.


How to see IPS blocked statistics

In any case the stamparm (Drupalgeddon) rules are already there, in the Web specific rules; it's enough to activate them.

I can't ping the Protector

So pinging it is disabled. When I disable the checkbox and restart the firewall, I can ping the Protector from the LAN.
On the other hand, outgoing ping requests to the LAN should work.

Double domain as reply

The To address is info@domain, but after a reply it goes to [email protected]

The last part is somehow added by the Protector in the reply and of course the reply then bounces.

Any idea what is going wrong with the reply on this received mail?

Reply

The reason is that the domain "domain" is not correctly configured in DNS. A DNS query fails, and a ping replies with the same IP as domain, and with host name "domain.domain".

In fact, if the result is different depending on the DNS server you are querying, there must be something wrong, unless you have configured a private DNS server to do so.
The primary DNS server configured on filter.spamcheck.eu is 1.1.1.1, and on this DNS, domain does not exist. The default behavior in these cases is to consider the target domain part of the local domain. Therefore, it becomes "domain.domain".

How to setup the MX Record of a Domain to Point to the Protector?

You type in your domain name.

Then it will show the MX record, typically pointing to the IP address of the current Mail Server.

Then you need to find your Protector's public IP and make sure incoming TCP port 25 goes to the Protector IP.

Now you change the MX record at your domain hosting provider to the public IP address of the Protector UTM Firewall.

In the Protector, go to Menu Email > Setup.

Firewall how to block ICMP?

Please click the firewall ICMP blocking menu.

Firewall how to block Ports incoming / outgoing

You can easily configure port blocking from the new Firewall menu point

I am suddenly getting more spam, how can I block it?

They all have the SPF_PASS SpamAssassin rule, which removes 10 points from the spam score, so they must have found a way to send spam with a valid SPF record. At this point you may use the newest feature of firmware 48 and decrease SPF_PASS from -10 to maybe -1.

Hard Block Addresses

You already have implemented a hard block sender list... but:

It would be nice to implement a hard block *recipient* list so that the mail archiver log would be cleaner for non-existent e-mail addresses or unwanted or terminated mail addresses.

Another solution would be to block sender (to:) addresses from the mail archiver itself.

Reply

Please try this way.

It's possible to blacklist a recipient, but the only way to do it is this:
Go to the advanced white/blacklisting page https:///spprotector/spamstatistics.php?query=lists
and add a new entry like in this picture, and then restart the Anti Spam engine on the home page.

When you want to white/blacklist a sender it's different, because you can leave the to: field empty, so this made me think it was not possible to do the same for recipients. But forcing the text "default" works.

How can I use VPN from a hotel?

1: The PPTP client in Windows/Android must be able to reach TCP 1723 on your Protector.

2: SSL VPN to the Protector IP.

NAT redirecting Question

How is the NAT performed in the UTM, or the redirecting of traffic from the Internet to an internal IP address with specific ports, such as the following:

Public IP XX.XX.XX.XX:16001 redirected to 192.168.X.X:16001

The traffic enters through the same public IP on different ports to internal IPs with those same ports.

At this moment it is being done through a router, but it is required to do it through the UTM Firewall.

Reply:

The request is to forward a port of the public IP, so it can't be done with static routing. The only way that the Protector allows to NAT the public IP is through the DMZ. If this unit has the DMZ card eth2, it can be done through menu Network setup > Dmz nat setup, and in that page choose option 2, forward Protector's network card.

How to upgrade the kernel?

How can I easily apply new kernel and CPU vulnerability patches (Spectre, Meltdown etc.)?

It is very easy and safe to apply the latest patches for the kernel and Intel/AMD CPUs.

Simply log in to the Protector or Penetrator and open the console menu.

As seen in the screenshot below, point 17 will install the new kernel and test for the vulnerabilities.

A reboot is required afterwards.

Customer adding domains to whitelist

A customer adds domains to the whitelist; those entries are added to his "own" part of the spam filter I assume, not to the default list.

When he adds a domain, the filter keeps blocking them; the domains are whitelisted when I add them as Admin.

I've had this issue with the domain ; after I added the domain, the issue was solved.
Now the customer added the domain ; the next day a mail was still blocked.

Reply:

The whitelist entry has been added by the user, which is a domain administrator. Automatically, all the whitelist entries are from the chosen domain/domain to the domain managed by the user. In this case the Protector doesn't know which domain is managed by this user, because the account name is not in the form of an email address, so it doesn't contain a domain name.
My suggestion is to rename this user to and from this moment on, all the white/blacklist entries will be created "to somedomain". At the same time it's necessary to change all the current whitelist entries of this account in lists.php.

G4L Preload Question

I have a problem preloading the G4L Linux image over the network.

I have trouble getting the FTP preloading to work; how can I solve it?

Please do a local installation without using FTP.

Name Server DNS Question

Any idea why "Name server: remote.example.com.: host name lookup failure" is presented?

Can you please set DNS to:
1.1.1.1
1.0.0.1

The Protector seems configured correctly, and the domain name can be found using the 2 Google DNS servers, so there is no apparent reason for this failure. The only issue I can see from the log file is that the lookup is being done on "remote.example.com.", with a final dot, that shouldn't be there.

Storage on NAS?

We are currently evaluating the SecPoint Protector and we previously asked a question regarding mail archiving and where the archived email is being stored.

Your answer was: on the SecPoint server itself.

Our question is: is there a way to redirect it to a different location, like a NAS?

Should you need any further information, please do not hesitate to contact us.

Reply

If the NAS has a Linux file system, it can be mounted on the mail scanning directory and the messages would then automatically be stored on the NAS. The index would remain on the local database. However, the index doesn't contain the message text.

Grey Listing question

I need help with clients not getting emails that we are sending out. I think it may be how SecPoint is set up.

In the Anti Spam menu,
sub menu Grey Black White Listing.

Social Media Blocking Howto?

Please click the application blocking menu.

Outgoing mail stuck in queue

I have some emails to specific domains, but they keep staying in the Protector queue and never get delivered.

All is OK, but the problem is that the MX record does not exist.

If you go on mxtoolbox.com and search for the MX record of domain.xyz and anotherdomain.one, you cannot find it.

Outgoing Mail Server Question

How can we set the outgoing ISP mail server for sending outgoing mail from the Protector?

The ISP forces us to send all outgoing mail via their SMTP server.

How can we make the Protector relay everything via the ISP SMTP server?

Configure the mail client to use the Protector as SMTP server and configure the ISP relay server in the Protector.

Setup user to relay question

How do I set up a user to relay on the Protector? We have an internal mail host, the MX record points to the Protector... Outlook is unable to connect to send.

You can add the IP address on https://YOURIP/spprotector/mailsetup.php

What about mobile users?

For mobile users it should not be different than for wired users. They must have a mail client on their mobile and that mail client must be configured with an SMTP server for outgoing mail. Mobile users should point to the internal mail host for outgoing mail.
If the problem is that the mail host does not have a public IP and mobile users are not connected through the corporate LAN, it can only be fixed if the MX record points to a public IP and the mail host is on that IP.

How to setup correct DNS records for a RBL server?

In this case we look at rbl.secpoint.com.

First you must set an A record that points to the IP address.

After that you must set rbl.secpoint.net with an NS record and point it to rbl.secpoint.net.

We get T_SPF_PERMERROR with SPF

In the Protector we get a T_SPF_PERMERROR for the from @ourdomain.

Checking in mxtoolbox we see no problems.

v=spf1 mx a a:exchange.ourdomain include:_spf.ourdomain include:_spf.ourdomain include:_spf.afas.online.nl -all

In the Protector we get a T_SPF_PERMERROR for the from domain.

We have found the problem: one of our hosted cloud services has changed the include:_spf.afas.domain (this didn't exist anymore).

We changed it to include:spf.domain, which is the new correct SPF record.
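Why the record quoted above gives a permerror, as an added offline checker that is not SecPoint's or SpamAssassin's code: it walks the record's terms with a constructed table in place of real DNS TXT lookups, counts the DNS-querying terms against the RFC 7208 limit of 10, and flags an include whose target has no SPF record. The _spf.ourdomain and spf.domain records, and that the afas include is the one replaced, are assumptions.

```python
"""Offline SPF structure checker: a missing include target (and, in the test,
too many DNS lookups) yields a permerror. Constructed example following
RFC 7208, not SecPoint's or SpamAssassin's code."""
from typing import Dict, Tuple

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}   # each costs a DNS lookup
PLAIN_MECHANISMS = {"all", "ip4", "ip6"}                       # no DNS lookup
MAX_LOOKUPS = 10                                               # RFC 7208 section 4.6.4

# Constructed stand-in for DNS TXT lookups: domain -> SPF record (absent = no record).
# The "ourdomain" record is the one quoted in the question above.
BROKEN_DNS: Dict[str, str] = {
    "ourdomain": "v=spf1 mx a a:exchange.ourdomain include:_spf.ourdomain "
                 "include:_spf.ourdomain include:_spf.afas.online.nl -all",
    "_spf.ourdomain": "v=spf1 ip4:203.0.113.0/24 -all",        # assumed content
    # "_spf.afas.online.nl" is absent: the hosted service removed it
}
FIXED_DNS: Dict[str, str] = dict(BROKEN_DNS)
FIXED_DNS["ourdomain"] = BROKEN_DNS["ourdomain"].replace(
    "include:_spf.afas.online.nl", "include:spf.domain")
FIXED_DNS["spf.domain"] = "v=spf1 ip4:198.51.100.0/24 -all"   # assumed replacement record


def check_spf(domain: str, dns_txt: Dict[str, str], lookups: int = 0) -> Tuple[str, int]:
    """Evaluate the structure of domain's SPF record.
    Returns ('ok' | 'none' | 'permerror', DNS lookups consumed so far)."""
    record = dns_txt.get(domain)
    if record is None:
        return "none", lookups
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror", lookups                  # not an SPF record
    for term in terms[1:]:
        body = term.lstrip("+-~?")                    # drop the qualifier
        head, _, arg = body.partition(":")
        if "=" in head:                               # modifier: redirect= or exp=
            name, arg = head.split("=", 1)
            name = name.lower()
            if name != "redirect":
                continue                              # unknown modifiers are ignored
        else:
            name = head.split("/")[0].lower()         # strip a CIDR suffix such as a/24
        if name in LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror", lookups           # too many DNS lookups
        if name in ("include", "redirect"):
            sub, lookups = check_spf(arg, dns_txt, lookups)
            if sub != "ok":
                # RFC 7208 section 5.2: an include of a domain without an SPF
                # record is a permerror, as is a permerror further down
                return "permerror", lookups
        elif name not in LOOKUP_MECHANISMS | PLAIN_MECHANISMS:
            return "permerror", lookups               # unknown mechanism
    return "ok", lookups


def diagnose() -> Dict[str, Tuple[str, int]]:
    """Check the record as it was (broken) and as it was corrected."""
    return {"before": check_spf("ourdomain", BROKEN_DNS),
            "after": check_spf("ourdomain", FIXED_DNS)}


if __name__ == "__main__":
    for label, (result, used) in diagnose().items():
        print(f"{label}: {result} after {used} DNS lookups")
```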

 

Anti Spam File names being blocked

Why are the 2 filenames blocked?

The real file names of these 2 files are:
"xx-xx-xxxx_xxxx_xxxx xxx _week_1.pdf"
"xx-xx-xxxx_xxxx_xxxx xxx _week_2.chr"

and they match the rule "White Spaces".

IP Address to blacklist question

How to easily add a spam sender's IP address to the blacklist?

It can be done easily by clicking as shown in the image.

Anti Spam IP Address Black List

Anti Spam Firewall Question

Do you support the following:

Active communication equipment type FIREWALL/UTM

  1. interfaces WAN 1x GE RJ45 (Gigabit Ethernet)

  2. interfaces DMZ 1x GE RJ45

  3. interfaces LAN 1x GE RJ45

TECHNIQUE

  1. Firewall Policies > 5,000
  2. (packets of 512 bytes with encryption AES256-SHA256)
  3. Gateway-to-Gateway IPsec VPN Tunnels 200
  4. Client-to-Gateway IPsec VPN Tunnels 500
  5. SSL-VPN Throughput = 150 Mbps
  6. Concurrent SSL-VPN Users (Tunnel Mode) = 100
  7. SSL Inspection Throughput (IPS, HTTP) = 170 Mbps. SSL encryption performance is measured under TLS v1.2 with AES128-SHA256
  8. High availability configurations
  9. Application Control Throughput (HTTP 64K) > 650 Mbps
  10. Threat Protection Throughput > 200 Mbps
  11. IPS Throughput > 400 Mbps
  12. CAPWAP Throughput (HTTP 64K) > 890 Mbps

CAPABILITIES

1. UTM characteristics (Unified Threat Management). Yes. Included.
2. Antivirus. Yes. Traffic scanning. With license included.
3. Yes. Traffic scanning. With license included.
4. IP, TCP/UDP ports, applications. Yes. With license included.
5. Web filtering. Yes. With license included.
6. Vulnerability scanning. Yes. With license included.
7. Email scanning. Yes. With license included.
8. DHCP server. Yes. With advanced facilities: IP reservation, allocation pool addresses at the interface level.
9. Advanced monitoring facilities. Yes. Reporting and journaling.
10. Possibility to realize VPN IPsec and SSL.

POWER SUPPLY CHARACTERISTICS

1. Power supply 100-240V AC, 50-60 Hz
2. Power supply source included. Yes.
3. Redundant power supply. Yes.
4. Power supply cables for powering directly from the electrical outlet, but also from UPS.

ENVIRONMENTAL CHARACTERISTICS

1. Operation in the temperature range 0°C - 50°C
2. Humidity 10-90%

CERTIFICATIONS AND COMPATIBILITIES

1. Certifications and compatibilities: FCC, CE, UL, CB, RoHS2
2. Antivirus, IPS & Application Control, Vulnerability Scan, etc. Yes.

WARRANTY

3 years warranty of Next Business Day type, on site, offered by the vendor

LICENSING: Minimum 2 years

1. Antivirus. Yes.
2. IDS/IPS & application control. Yes.
3. Web filtering. Yes.
4. Vulnerability scanning. Yes.
5. Email scanning. Yes.

Anti Spam list selector

To add an anti spam advanced setup I need to give the rule name (exact), and drop or create the rule. It would be better to have an icon, get the whole list of rules, select and then give a custom score and add it to this list.

Second point is that if we want to change the custom score, we need to remove the rule and recreate it instead of making this changeable.

This is an advanced page, and requires an advanced user to know the rule names. The rules already in the list can be managed through an advanced page, click on "Click for more details" to know how.

The whole set of rules and default scores is a long list and there is not a unique score for most of them. Then, keeping the list up to date can be a hard task.
This is an advanced settings page. If a user knows what a rule means, we prefer let them write the rule name rather than choosing from a very long list

Anti Spam Advanced Rules

To be some more in control we would like a feature to bypass the default behavior on spam detection and set this up per rule. Not only the score but also what to do, like a firewall rule. This way we think it could be possible that on certain extensions we can mail "this extension is not allowed, please use xyz" or forward the message on softw failure instead of the 2 options now (it is spam or it is not spam).

It requires a post processor that takes decisions ("what to do") on incoming mail based on some rules

SecPoint Protector Alert Meters Question

We would like to see an option to set up how the alert meters should work. Now it is pretty straightforward, but if we are scared about high numbers or red meters, most of the time it is not, but is giving a high value from the past. The feature we are looking for is to set up how each meter is working: highest number, only on the past 10 minutes, or whatever is possible.

The alerts can be fine tuned in /spprotector/admin/alertthresholds.php. If an alert triggers too much for no reason, it means that the trigger level is too low.
You can also set the notifications for each event/level at /spprotector/admin/alertnotify.php

In the GUI, at menu Alert Center > Customize Thresholds and at Alert Center > Customize Notifications

 

Anti Spam Grey List question

We now have 2 options for spam: non-spam, send e-mail to user; spam, block as spam. Is it possible to add a third option to set between these, or with rules change to comply: this could be spam, send the user a part of the message and make it possible to self-support so they can release the whole mail or make it HTML, sort of an advanced learning mechanism.

This is out of the scope of the anti spam filter. There should be a mail processor post-filter to analyze mail and take decision based on some user rules.

How often do HA get synced?

Using 50.1 firmware in a 64 bit HA environment we have an issue with the spam mails.

They are listed on both units, but if we click the mails they are only available on the first unit; the other unit seems to be missing the mail itself.

The mail content is copied to the client unit with the synchronization, which occurs every 2 hours. The mail headers are copied in real time.
For this reason it appears that the content is empty. It only happens for the mail that came into the master unit after the most recent synchronization.

Whitelist rule Question

There was a whitelist rule from domain.com to anotherdomain.com but we removed that immediately, does it take sometime before that takes effect?

On the other hand, the message details said that the message was MCP whitelisted.

The anti spam engine must be restarted for the changes to take effect. This may not happen automatically when the changes are done in the advanced settings pages (in the mail archive).

DNSWL_BLOCKED Questions

In the Anti Spam > Setup they can alter this score or disable this check

Any idea why the score in my case was 5.0 for both?

The option to change these scores was added in the latest firmware. Before, when bounce was enabled, it added the score 5 for both and it could not be changed. In the latest firmware the scores can be changed, but we didn't touch those already in place.

DNS connection problem

I've seen that the firewall was active but the dns could not be contacted. So, I've found out that it was because the chosen firewall profile was Protector Services, and this profile in some cases may inhibit the connection to the DNS. Now I've restored the default firewall profile and it seems all fine.

 

How to disable old cipher suites

Please upgrade to 50.1 which has support for it.

Error importing certificate

Invalid certificate or key error  is what i got. Nothing in the logging.

It is not possible to import a certificate that contains a password. We removed the password and now the import worked.

 

How to add correct regex for file attachment blocking

The correct way is:

\.doc$ instead of .doc$
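To see why the backslash matters, here is an added example (not code from the page or from SecPoint) that runs both patterns over a few constructed attachment names. An unescaped dot matches any single character, so `.doc$` also blocks names that merely end in the three letters "doc"; `\.doc$` only matches the literal ".doc" extension. The case-insensitive flag is an assumption, since the page does not state the appliance's matching options.

```python
import re

# Constructed sample attachment names (not taken from the page).
SAMPLE_NAMES = [
    "report.doc",        # the file type the rule is meant to block
    "readme_doc",        # no extension at all, the name just ends in "doc"
    "notes.adoc",        # AsciiDoc source, a different extension
    "INVOICE.DOC",       # same type, upper case
    "invoice.doc.exe",   # double extension: ".doc" is not at the end
]

def blocked_by(pattern, name):
    """True if the attachment-blocking regex matches the file name.
    Matching is done case-insensitively (assumption: the page does not
    state the appliance's exact matching flags)."""
    return re.search(pattern, name, re.IGNORECASE) is not None

def blocked_names(pattern, names=SAMPLE_NAMES):
    """Return the subset of names the pattern would block."""
    return [n for n in names if blocked_by(pattern, n)]

if __name__ == "__main__":
    print("unescaped .doc$ blocks:", blocked_names(r".doc$"))
    print("escaped   \\.doc$ blocks:", blocked_names(r"\.doc$"))
```

Note that neither pattern catches `invoice.doc.exe`, because `$` anchors at the end of the name; double extensions are a separate rule (see the "Another strange example of blocked file" entry further down).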

Long file name being blocked in email 

Sending a file name like:
 
xxxx-xx-xx xxxx xxxxx; xxxxxxxxxxxxxxx, xxxxxxxxxx, montage enz.pdf
Is getting blocked.
 
 
This is the rule that matches. The file name is too long

Does HA work between a 32 bit protector and a 64 bit unit?

It is only supported by 64 bit to 64 bit unit.

Mail Attachment being blocked

Allow the filename TEST.RPT.pdf match

Unchecking this rule, the mail is not blocked.

Firewall is not active

I've seen that the firewall was active but the DNS could not be contacted. So, I've found out that it was because the chosen firewall profile was Protector Services, and this profile in some cases may inhibit the connection to the DNS. Now I've restored the default firewall profile and it seems all fine.

Spam Score Question

The spam score of DNSWL_BLOCKED is 5, how can I reduce this value.

You can change the spam scores in the anti spam menu from extreme to medium or low

Protector Next Generation Firewall

What exactly makes the Protector as “Next Gen Firewall’? Please advise.

The Next Gen is given by the capability to use macros to block specific protocols/applications

Office 365 integration Question

How to ingrate the Protector UTM Firewall with Office 365?

Setup DNS in Office 365

You must configure DNS in Office 365.

1. Click the the Manage domains page.

2. Click Add domain and it will start the setup wizard.

3. Put in your domain name.

4. Add your DNS records click the Okay added the record.

5. Change the MX record you have set from Office 365 to the Protector.

6. The Protector must receive all mail coming to your domain to scan it and forward the clean mails to Office 365 afterwards.

7. In the Protector setup your domain with the IP address of your Office 365.

Question about mail delivery

Mail delivery problem to server error 530 5.7.1 client was not authenticated

This is the message the sender of the mail receives:
Client not authenticated, why? not activated yet.

The error 530 5.7.1 client was not authenticated is issued by the Exchange server when the client trying to connect is not authenticated. So it seems that the Exchange server is not configured to accept connections from the Protector. Here follows the test conducted on the mail.example domain that demonstrates it. The IP 192.168.100.5 is the IP address of the mail server.


To fix it, it should be enough to follow these steps:
    Login to Exchange server.
    Go under your Exchange Organization-->Server configuration-->
    Click on Hub transport and Select the server default receive connector.
    Right click and select properties
    Click on last tab “permission Groups”
    Place check mark into “Anonymous users”
    Click Apply and OK

When an email is identified as being quarantined what happens?

When an email is identified as being quarantined what happens? Does it still go to the user's mailbox and is flagged as a quarantined email, giving the user the option to release or delete the email, or does it have to be done by the administrator via the Protector?

The user will get a daily report of quarantined mails.
Then the user can log in at /antispam/ and manage their own specific email account mail.

For example, they can easily release mails from quarantine or mark as spam a spam that got through.

Everything can also be done by the main administrator of the system.
Anyway the customer prefers it.

In the System Logs menu
they can choose for how long they want to keep the mails or other data.

Error connecting to VPN from Windows

The network connection between your computer and the VPN server was interrupted.
This can be caused by a problem in the VPN transmission and is commonly the result of internet latency or simply that your
VPN server has reached capacity. Please try to reconnect to the VPN server. If this problem persists, contact the VPN administrator
and analyze quality of network connectivity.

I have just created a new connection on Windows 10 with the default parameters and it works. I have received an IP in the subnet and I could connect to the Protector on 192.168.0.3

Error connecting to VPN from Linux

If you run Linux you must enable Use Point to Point MPPE for it to work.

If it was unchecked, you have to check it.

 

Which Port must I open to allow client to lan VPN connection?

TCP Port 1723 must be open and forwarded to Protector IP.

VPN remote connection unable connect local services

What I am saying is: from a remote location, when I connect to the VPN, I am unable to reach the local network and the server. I am also unable to connect using terminal services.

When the client is connected to VPN, the client routing must be configured to send to the VPN channel the traffic for the VPN only, not all the traffic. This is probably why there is no access to the internet.

In the picture the IP range is 192.168.1.201-255, but the IP address he would like to ping is 192.168.0.5. It seems that the IP is in another subnet as the Protector.

The VPN settings must match the same local network.

Reply:

After I changed the ip address I was successfully able to log in. So this case can be closed

Problem connecting to VPN LDAP Active Directory Server


I would like to set up for the client to connect to the vpn from outside. I have tried by connection to active directory but I keep on getting an error "CANNOT COMPLETE"


Reply:

it looks like the password is not correct for AD server

Please click Local Database instead of Active Directory you can see it works.
Then users can be added manually.

Testing with the local database is just to isolate the error.

If it gives an error with the AD but the VPN works with the local database, it's an AD connection error.

They can also test the connection with the AD server with the web filter setup. Another way to test the AD parameters is to use a PC program, an LDAP browser, that can be used independently of the Protector.
 

Reply:

I was able to get the vpn to work.
 

How to change hostname on Protector UTM Firewall? 

In the Network Setup it is possible to change the hostname

Report notifications

How can I set Reporting of incidents from firewall to go to my email

Please click

Alert Center ->Notification emails

What is the size difference between 1U appliance and SFF unit?

Please see the images

https://support.secpoint.com/hc/en-us/articles/360011059120-What-is-the-size-difference-between-1U-appliance-and-SFF-unit-

How to add custom RBL list in Protector UTM Firewall

Yes, go to Anti Spam > Listings - Tab Reputation Block Lists, then click Advanced Settings.

There click Create new and enter info as in picture. In Root zone, don't forget the final dot. The score can be anything above zero.

A diagram for install

How we can setup install in this network diagram:

Ok, it seems they need to make a static routing on 2 subnets. This is ok, they can even do it with DMZ, or with any protector adapter, with firmware 52.

 

How to configure the Web Filter on VMware

You must create a link between the Protector virtual network card and the physical network card connected to the Internet on the host computer. Then also create a second link, between the Protector second virtual network card and the physical network card of the host computer connected to the LAN.

To do this, please use a program that is part of the Vmware suite, called vmnetcfg.exe. In the picture below, the virtual cards VMnet0 and VMnet2 are bridged to the 2 physical network cards of the host computer. If I remember well, the protector uses VMnet1 and VMnet8, so he must bridge those 2

Can I add Barracuda RBL?

Yes, go to Anti Spam > Listings - Tab Reputation Block Lists, then click Advanced Settings.

There click Create new and enter info as in picture. In Root zone, don't forget the final dot. The score can be anything above zero.

 

Two different interfaces on Protector

I was wondering, is it possible to have two different interfaces in the software, like for example one network card has the WAN (public) IP address and the other has the LAN IP address (192.168.1.2)? I just realized, when trying to set up the Protector on my network, that when changing the IP address of the Protector to the WAN (public) IP address, because it states it is offline, that then prohibits me from accessing it, and then I have to start all over from scratch because I cannot access the Protector web interface anymore.

Is this doable? Or am I not seeing where the parts are at, that indicate in VMware ESXI how to setup the WAN & Lan IP Addresses and Network Interfaces to work.

As I checked for the VMware ESXI server Install Guide PDF, it says 404 on your website so there is that as well.

Reply:

This can be done with the DMZ (eth2) network card. That card can be configured with a local IP address and a different subnet. Then, to access the web interface, it can be done from a computer in the DMZ subnet. Pay attention: there is no dhcp, so all the devices in the DMZ subnet must have a static IP, otherwise it's necessary to install a dhcp server in the subnet.

The same will be possible using network cards from eth3 upwards as soon as firmware 52 is released.

How to Reset Network Interfaces

My Protector Appliance can not recognize the netcards how can I reset it?

Please go in terminal type console and reset netcards.

Whitelist question CIDR

We would like to whitelist the following IP subnet.
xxx.xx.0.0/17

I've added the entry into the whitelist, but mails from an IP within this subnet are still being blocked.
Am I doing something wrong in here? See attached printscreen.

Thanks in advance,

The mail doesn't accept CIDR notation, but it accepts partial IP addresses to whitelist a network. So, the range below should be replaced by xxx.xx. with final dot.
It will whitelist more than the /17 CIDR, but if it works as expected, it can be refined later.
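As an added example (not code from the page or from SecPoint), the following Python turns a CIDR block into the partial-IP prefix the whitelist accepts and shows how much wider that prefix is than the original block. It assumes a partial-IP entry is matched as a plain string prefix of the connecting address, which is how the reply above describes the entry `xxx.xx.` working; the addresses are constructed documentation ranges standing in for the masked `xxx.xx.0.0/17` on the page.

```python
import ipaddress

def prefix_for_cidr(cidr):
    """Turn a CIDR block into the partial-IP prefix (trailing dot included)
    that the whitelist accepts, plus the network that prefix really covers.
    A dotted prefix can only stop on an octet boundary, so any block that is
    narrower than the boundary is widened to the enclosing /8, /16 or /24."""
    net = ipaddress.ip_network(cidr, strict=False)
    whole_octets = net.prefixlen // 8
    if whole_octets == 0:
        raise ValueError("a partial-IP prefix needs at least a /8")
    if whole_octets == 4:
        # A /32 is a single host: use the full address, no trailing dot.
        return str(net.network_address), net
    octets = str(net.network_address).split(".")
    prefix = ".".join(octets[:whole_octets]) + "."
    covered = net.supernet(new_prefix=whole_octets * 8)
    return prefix, covered

def matches_prefix(ip, prefix):
    """Model of partial-IP matching as a plain string prefix test
    (assumption about how the whitelist entry is applied)."""
    return ip.startswith(prefix)

def overmatch(cidr):
    """How many addresses the prefix whitelists beyond the requested block."""
    net = ipaddress.ip_network(cidr, strict=False)
    _, covered = prefix_for_cidr(cidr)
    return covered.num_addresses - net.num_addresses

if __name__ == "__main__":
    # Constructed example: a /17 becomes a /16 prefix, doubling the range.
    prefix, covered = prefix_for_cidr("198.51.0.0/17")
    print(prefix, "covers", covered, "->", overmatch("198.51.0.0/17"), "extra addresses")
    # 198.51.200.5 lies outside the /17 (third octet > 127) but inside the prefix.
    print(matches_prefix("198.51.200.5", prefix))
```

The trailing dot is what keeps `198.51.` from also matching `198.510.x.x`-style strings or, more realistically, `10.1.` from matching `10.10.5.1`; that is the same reason the RBL entries elsewhere on this page insist on the final dot in the root zone.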

How can we block Skype and Teamviewer?

The Skype rules in Anti-Chat and Teamviewer rules in Policy under Content Filter menu.
And, it's possible to add the skype and teamviewer domains to the webfilter blacklist.
The protector will find and block all the IPs of the blacklisted domains. For example, skype uses 16 DNS entries from dsn0.d.skype.net to dsn16.dsn.skype.net.


Please click menu Web filter - setup, then click on Black list for the default filter. There they can add domains. There are 2 videos in the page.

 

Office 365 and mobile users

How can we use Office 365 with mobile users must we add their IPs to the Protector?

There is no issue with office365, but the way they use it must be the opposite: they don't have to add O365 as relay server in the Protector, but they must configure O365 to use the Protector as MX server. And they must use the Protector as relay server. This is why it must have a public IP.

 

How many watts does the appliance draw?

My engineer wants to know for battery backup planning reason.

The P9/S9 appliances draw between 150W and 250W.

 

Is the HA High Availability takeover automatic?

The takeover of the second HA unit is automatic, please see this: https://player.vimeo.com/video/121443753

 

How to block Ransomware?

Ransomware falls in the category of trojans, so it is there that you can find it. Menu IPS - Anti Malware

How do Firewall Bridge mode work?

We can deliver an appliance with 2 SFP ports where the customer can put the SFP adapters and cables locally.

For the firewall only mode it will run in Bridge mode support at the moment since it is tuned for UTM usage.

While the bridge is running, you cannot create zones on each network card, because what crosses the bridge may come from outside or inside.
So you can't create rules on a network card, and this is a restriction that you have to take into account.
Only 2 netports can be used for incoming and outgoing, and a third port is for DMZ.
We need to make sure this meets their requirements.

So they can start by using the normal netports that are 1 gig and upgrade to the SFP later on when their load increases.

Please confirm the requirements of the firewall they need so that the Protector fits it 100%.

The protector runs in bridge mode where they put the router in port A and the local lan in port B.

They can also configure a DMZ zone in port C.

In the firewall menu it is possible to set profiles.

Here we have a guide that explains more.
https://www.secpoint.com/manual/SecPoint-Protector-Firewall-Setup-Guide.pdf

 

Do the Protector UTM Firewall support SFP ports?

Yes this way it is possible to gain high speed 10 GB

Small Form-Factor Pluggable Gigabit Interface Converter,

SFP

 

How to hide clean mails in Protector?

When using the Protector to investigate spam mails all engineers directly see the content of each message. Based upon the AVG law in Europe this could be a risk. Also dirty content such as sex(y) images and language we do not want to see is displayed directly. If there is HTML content it is also shown and therefore noted to the sender.

If we invest we would like to see the message details directly instead of the content.

I only can see Hide Clean and Whitelisted messages for all users in the Mail Archiver

This is not hiding content for other messages and showing details at first.

Please go to Anti Spam > Setup, and at the bottom of the page he will find the option.

After Firmware 51.0.1 it is fully possible.

Office 365 Relay Question

How do I setup a user to relay on Protector? We have an internal mail host, MX record points to protector ...outlook unable to connect to send.?

For mobile users it should not be different than for wired users. They must have a mail client on their mobile and that mail client must be configured with a smtp server for outgoing mail. Mobile users should point to the internal mail host for outgoing mail.
If the problem is that the mail host does not have a public ip and mobile users are not connected through the corporate lan, it can only be fixed if the mx record points to a public ip and the mail host is on that ip.

There is no issue with office365, but the way they use it must be the opposite: they don't have to add O365 as relay server in the protector, but they must configure O365 to use the protector as MX server. And they must use the protector as relay server. This is why it must have a public IP.

 

inittab missing action field

I’m testing SecPoint Protector (secpoint-protector-HyperV-July2019.rar), using our older Hyper-V 2012 environment as a testing ground.

I get stuck on a inittab missing action field. 

I suggest using a newer Hyper-V environment and seeing if anything changes.

Problem to activate ESET which ports must be open?

It says it only needs to communicate with remote servers on port 443 and 80, which should be for the normal operations.
They say that for activation it needs to open port 2222, but on another site they talk about port 2221.

 

Which Anti Virus engines to use?

Protector UTM Appliance can run 3 Anti Virus engines, but by default only ClamAV is enabled.

Do we need to buy a separate license from Eset or Kaspersky in order to enable the Eset/Kaspersky antivirus?

 

AI Machine Learning

Do the Protector support Advanced AI and Machine Learning?

It uses Advanced AI and ML in different areas including:

Anti Spam & Anti Virus.

System Status, where it can predict and prevent future system problems based on data.

IPS Intrusion Prevention System, to block attacks more effectively.

 

Mail takes several hours to get delivered

It is due to the Grey list running.
You can disable it in this page on your IP:
https://protector.secpoint.com/spprotector/setuplists.php

 

How to enable the firewall module?

I have simply applied one of the default firewall profiles. Then, I have restarted the basic protection modules (anti spam, anti virus, IPS etc.).

 

How to set Static routing?

If the Protector receives a public IP and needs to be configured with that IP, that is different from the LAN IP range, it's possible to add a static routing in menu Network > Static routing and enter the values like this.

 

Zip file block

Currently when a message has been blocked because of its content (zip file) I or the customer needs to log in to the spam filter and download the file. Then send it to the person that it was sent to.

Is it possible to release the zip file with the button "Release message"? The message is now being re-sent, however, the zip file isn't being sent.

This is the current behavior, and has been designed like this to avoid the spread of bad attachments. In this picture the message type makes the difference: it's only possible to release rfc822 types.

In a future firmware we may plan to release the whole message, including the attachments, but it won't be in firmware 48.

Hyper-V Lost IP Address

Our spamfilter doesn't work.
Won't retrieve an IP-address. I checked our DHCP server and it does work.
I don't know how to reproduce, sending the login details won't help because the filter is offline.
 

In the terminal I typed "Console", setup the IP again and worked.

 

CPU is busy 96%


Tell me please why the CPU of my P800 is 96% all the time since we have new firmware v47?


It can be a process being stuck; a reboot will solve the problem.
 

 

I get empty quarantine report with 0 emails

I only want to get quarantine reports if there is something in them.

I thought that an empty quarantine report (with 0 e-mails) was no longer sent from version 47.

Is there an option that I must set to enable this? Where can I find this option?


Reply

It's not automatic, it must be disabled. The option is in Anti Spam - Daily Report

 

Firmware Update

How can I Enable or Disable Automatic Firmware Update on the Protector?

Please visit the Update menu and Setup page

 

How can I change ET POLICY RDP or ET POLICY MS?

I can find ET TROJAN etc

The configuration of Policy rules is in the Content Filter page. Click Content Filter on the menu, then click Configure next to Policy

 

Log of Traffic

Log of traffic for a specific IP address, both of what the UTM blocks, as well as traffic to the Internet, something like a sniffer, the previous thing to be able to verify which page or url or port is blocking, every time I have inconveniences with pages that appear blocked but I do not know why they are blocked.

· How to make a static route to change the address of the UTM, try it but I can lose management on it.

· How to access via the web from anywhere to the UTM through a vpn.

 Reply:

If the https filter is active and the https page doesn't load, it means that the domain is blocked because of the https block. If it's a http page, the browser should show an error page with the reason why the page was blocked: a bad category (e.g. sex), or a blacklisted page etc. The full log of http access can be seen at menu Stats & Logs > Web Filter Logs > Full Visit Log. The Summary or User Usage summary in the same menu will show a statistics for the whole filter or for a single user.
To change the IP address of the UTM it's not necessary to create a static routing. The static routing can be used to forward traffic to port B (the LAN behind the UTM). By default all the traffic that reaches the UTM and is going to an IP in the same network is already routed to port B, so it's not necessary to create a static routing for that.
If you change the IP address of the UTM, you may lose the connection. So it's better to connect to the UTM through port B with a pc that is in the same LAN segment, and from there change the IP.
To connect to the UTM from the internet, it's not necessary to set up a VPN, it's enough to edit the settings in your master router, the one that you use as gateway to the internet. There, you must route all the traffic that reaches port 443 of your public IP to port 443 of the IP address of the UTM, and do the same with port 80. If those ports are already routed to another IP on your router, you may choose another port number. So, for example if you route port 8443 of your public IP to port 443 of the UTM, then you can login from the internet with https://:8443

In any case, if you want to set up a VPN, the IP address of the UTM must be visible from the Internet, so the steps above must be done.

Some spam is being sent to a non existing email address

I can see those messages in the reports. Can I filter them out to keep the report a bit more clean?

The email has been accepted because one of the recipient domains is managed by the protector:

To reject email messages addressed to a valid domain, it's necessary to add all the valid email addresses in the "Domain User Management"

An option to reduce this type of spam is activate the grey listing or add the sender domains to the Hard Block List.
When a message that has passed the grey listing and the hard block filters is caught as spam, it will be necessarily added to the spam report

Problems bridging in my Protector VMware

I migrated last night from one VMware to another VMware.
On the new VMware I defined the 2 network cards:
1 on the internet side
1 for behind the Protector
I cannot reach the server from the internet.
From the server I cannot reach the internet.

Solution:

First thing is to change the network card from e1000 in the VM to vmxnet3 by removing the old cards and making 2 new cards:

Then change the security settings on port A and B in the networking part of the VM networking

Auto White List Question


Why is mail which is in the auto white list receiving 10 points so it is considered as spam?

Reply:

AWL doesn't necessarily mean that the sender is whitelisted. The AWL check tracks scores from messages previously received and adjusts the message score, either by boosting messages from senders who send ham or penalizing senders who have sent spam previously. This not only treats some senders as if they were whitelisted but also treats spammers as if they were blacklisted. Each message from a particular sender adjusts the historical total score which can change them from a spammer if they send non-spam messages. Senders who are considered non-spammers can become treated as spammers if they send messages which appear to be spam.  More details here: https://wiki.apache.org/spamassassin/AwlWrongWay

In this particular case I think the best thing to do is whitelist the sender's email address
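To make the reply above concrete, here is an added Python model of the AWL score correction (a hypothetical reimplementation of the formula SpamAssassin documents, not the appliance's or SpamAssassin's own code): each message is pulled toward the sender's historical mean score by a factor, 0.5 by default in SpamAssassin. The appliance's factor and spam threshold are not stated on the page, so both are assumptions, and the sender addresses and scores are constructed. It shows how a clean-looking message from a sender with a spammy history still ends up over the threshold, which is the behaviour the question describes.

```python
from collections import defaultdict

class AutoWhitelist:
    """Model of SpamAssassin's AWL score correction (hypothetical
    reimplementation, not the appliance's code): each message is pulled
    toward the sender's historical mean score by a fixed factor."""

    def __init__(self, factor=0.5):
        # 0.5 is SpamAssassin's documented default auto_whitelist_factor;
        # the appliance's setting is not stated on the page (assumption).
        self.factor = factor
        self.total = defaultdict(float)
        self.count = defaultdict(int)

    def adjust(self, sender, score):
        """Return (awl_delta, adjusted_score) for one message and record
        the message's ORIGINAL score in the sender's history."""
        if self.count[sender]:
            mean = self.total[sender] / self.count[sender]
            delta = (mean - score) * self.factor
        else:
            delta = 0.0  # first message from this sender: no history yet
        self.total[sender] += score
        self.count[sender] += 1
        return round(delta, 2), round(score + delta, 2)

def is_spam(adjusted_score, threshold=5.0):
    """Constructed threshold for the demo; the appliance's is configurable."""
    return adjusted_score >= threshold

def demo():
    awl = AutoWhitelist()
    # A sender whose earlier mail scored 14, 16 and 15: the next message is
    # clean on its own (2.0) but the AWL pulls it back up over the threshold.
    for s in (14.0, 16.0, 15.0):
        awl.adjust("bulk@example.net", s)
    pulled_up = awl.adjust("bulk@example.net", 2.0)          # (6.5, 8.5)
    # A sender with a clean history (0, -1, 1) sending a message that looks
    # spammy (12.0): the AWL pulls it down, but not below the threshold.
    for s in (0.0, -1.0, 1.0):
        awl.adjust("colleague@example.org", s)
    pulled_down = awl.adjust("colleague@example.org", 12.0)  # (-6.0, 6.0)
    return pulled_up, pulled_down

if __name__ == "__main__":
    up, down = demo()
    print("spammy history, clean mail:", up, "spam" if is_spam(up[1]) else "ham")
    print("clean history, spammy mail:", down, "spam" if is_spam(down[1]) else "ham")
```

Because the history stores the pre-AWL score, a sender only "recovers" by sending enough genuinely low-scoring mail to move the mean; an explicit whitelist entry for the address, as the reply suggests, bypasses that history entirely.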

NFR Multi boot for partners

Our Box/Unit is a NFR Penetrator, however, the software inside the box is a Protector UTM firewall.

The system is Multi boot NFR.
It means for partners only it is possible to get a box that has BOTH systems

NFR Multiboot Protector Penetrator

I don't see a WAN port for the ISP just like any other firewall?

WAN port is the first port.
It has 4 ports.
The second port is LAN and third port is DMZ.

How does the Web Filter work?

The four combinations of the "HTTPS block" and "Blanket block" switches (BL = black list, WL = white list):

                    | HTTPS block OFF              | HTTPS block ON
--------------------+------------------------------+----------------------------------------------------
Blanket block OFF   | (1)                          | (2)
                    | http:  blocks categories     | http:  blocks categories
                    |        blocks BL             |        blocks BL
                    |        passes WL             |        passes WL
                    | https: not blocked           | https: if proxy is not set on browsers:
                    |                              |          - blocks BL (by extended IP address list)
                    |                              |          - passes WL (by domain's IP address)
                    |                              |        if proxy is set on browsers:
                    |                              |          - blocks all domains except WL
--------------------+------------------------------+----------------------------------------------------
Blanket block ON    | (3)                          | (4)
                    | http:  blocks all except WL  | http:  blocks all except WL
                    | https: not blocked           | https: if proxy is not set on browsers:
                    |                              |          - blocks BL (by extended IP address list)
                    |                              |          - passes WL (by domain's IP address)
                    |                              |        if proxy is set on browsers:
                    |                              |          - blocks all domains except WL
--------------------+------------------------------+----------------------------------------------------

 

How to whitelist Virtru.com?

Virtru.com is blocked because it's included in the list of IP addresses blocked with youtube.com. To enable it, a new feature allows to whitelist the IP addresses associated with the domains in the white list. To enable virtru.com, it's also necessary to whitelist the following domains in the web filter:

maps.googleapis.com
fonts.googleapis.com
virtru.com
google-analytics.com
fonts.gstatic.com
googletagmanager.com
googleadservices.com

How can I turn off Invalid SPF check rule?

By clicking:

Anti spam - Setup

Here you can easily turn it off.

Invalid SPF Record

 

Blacklisting relay servers

In some cases it’s not enough to blacklist a sender, because spam is usually sent by random accounts on random domains. In such cases it’s more efficient to blacklist the sender’s relay server, as it may manage the sending of spam for multiple spammers’ domains.  To do this, click on Blacklist sender's relay server in the Message Viewer page. The Protector will add to the list of blacklisted domains the first relay server in the list of servers through which the email passed.
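The "list of servers through which the email passed" is the chain of Received headers. As an added example (not the appliance's code), the Python below parses that chain from a constructed message and lists the relays in delivery order; which hop the Protector's button picks is as described above, the example only shows where the hosts come from. The message, hostnames and addresses are constructed. It also marks the one hop a defender can actually trust: the relay that connected to your own MTA, since every Received header below that one was written by other parties and can be forged.

```python
import re
from email import message_from_string

# Constructed sample message (not from the page). Each MTA prepends its own
# Received header, so the newest hop is at the top and the oldest at the bottom.
RAW_MESSAGE = """Received: from mx.protector.example (mx.protector.example [192.0.2.10])
\tby mail.internal.example with ESMTP id A1; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.7])
\tby mx.protector.example with ESMTP id B2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from webmail.random-domain.example (unknown [203.0.113.5])
\tby relay.bulk-sender.example with ESMTP id C3; Mon, 1 Jan 2024 10:00:01 +0000
From: someone@random-domain.example
Subject: test

body
"""

# "from <host> ... by <host>" is the fixed part of a Received header (RFC 5321).
HOP_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)

def relay_chain(raw):
    """Return the hops as dicts in delivery order (originating side first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())   # unfold the header
        m = HOP_RE.match(flat)
        if m:
            hops.append({"from": m.group(1), "by": m.group(2)})
    hops.reverse()
    return hops

def relay_servers(raw):
    """Just the relay hostnames, oldest hop first."""
    return [h["from"] for h in relay_chain(raw)]

def last_verifiable_relay(raw, own_host):
    """The relay that handed the message to our own MTA. Only the Received
    header written by own_host is under our control; earlier hops can be
    forged by the sender, so this is the host worth blacklisting with confidence."""
    for hop in relay_chain(raw):
        if hop["by"].lower() == own_host.lower():
            return hop["from"]
    return None

if __name__ == "__main__":
    print(relay_servers(RAW_MESSAGE))
    print(last_verifiable_relay(RAW_MESSAGE, "mx.protector.example"))
```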

 

How can I customize Alert Notifications

By clicking

Alert Center -> Customize Alert Notifications

 

Mail not delivered DNSSEC

We have mail (password reset) which is received by the Protector but it is not delivered to our mail server.

If we change the MX record, which has exactly the same routing for delivery, then everything works.

In the mail log we see strange things happening, but cannot explain it.

Below the example of the mail with id which is received with the protector but is NOT received by exchange.

We expect the following problem:

dsn=4.0.0, stat=Deferred: Name server: exchange.example.com.: host name lookup failure

But only mail coming from …@gaia-hosted.bounces.google.com gives this error.

The destination is [email protected]

Can you see or explain what is going wrong?

Why is all other mail to example@example working and delivered?

MX record change and bypassing the protector works, mail is delivered.

Sending the same password reset to a mail adres not handled by the protector also works.
 

If the protector is handling the incoming mail for topicus.nl then everything works, EXCEPT the mail coming from gaia-hosted.bounces.google.com

The mail is not marked as spam and is not delivered.

Even if I release the clean mail again then it not delivered.
 

In the log we see: Name server: example.com.:host name lookup failure

But we cannot explain why exchange.topicus.nl is used as a DNS server ? the setting is 8.8.8.8 en 8.8.4.4


We have found the problem. Dnssec for example.com was invalid and the protector used 8.8.8.8 and 8.8.4.4 which doesn’t resolve if the dnssec is invalid.
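An added diagnostic for the symptom in this thread (example code written for this FAQ, not part of the Protector). A validating resolver such as 8.8.8.8 answers SERVFAIL for a zone whose DNSSEC chain is broken, and sendmail-style logs then report it as a plain "host name lookup failure". Repeating the same query with the CD (checking disabled) bit set tells the two apart, because the resolver then returns the unvalidated data. The script assumes the dig binary is installed and takes the domain to test from the command line; the resolver and record type are defaults you can change.

```python
"""Added example for this FAQ (not Protector code): distinguish a DNSSEC
validation failure from an ordinary DNS failure using two dig queries."""
import subprocess
import sys


def classify(status_validating: str, status_cd: str) -> str:
    """Interpret the RCODEs of two queries for the same name.

    status_validating: answer from a validating resolver (normal query)
    status_cd:         same query with +cd (checking disabled), which makes
                       the resolver hand back data it could not validate
    """
    if status_validating == "NOERROR":
        return "ok"
    if status_validating == "SERVFAIL" and status_cd == "NOERROR":
        return "dnssec-bogus"      # records exist, but the signature chain is broken
    if status_cd == "NXDOMAIN":
        return "nxdomain"          # the name really does not exist
    return "lookup-failure"        # server unreachable, lame delegation, etc.


def dig_status(name: str, rtype: str = "MX", resolver: str = "8.8.8.8",
               cd: bool = False, timeout: int = 10) -> str:
    """Run dig and return the RCODE from its 'status:' header line."""
    cmd = ["dig", f"@{resolver}", name, rtype]
    if cd:
        cmd.append("+cd")
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "NO-RESPONSE"
    for line in out.splitlines():
        # ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'
        if "status:" in line:
            return line.split("status:", 1)[1].split(",", 1)[0].strip()
    return "NO-RESPONSE"


def diagnose(name: str, rtype: str = "MX", resolver: str = "8.8.8.8") -> str:
    """Two queries, one verdict: ok / dnssec-bogus / nxdomain / lookup-failure."""
    return classify(dig_status(name, rtype, resolver),
                    dig_status(name, rtype, resolver, cd=True))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(target, diagnose(target))
```

A "dnssec-bogus" verdict means the fix belongs in the zone (expired signatures or a stale DS record at the registrar), not in the Protector: switching the appliance to a non-validating resolver would make the mail flow again, but it would also drop the validation for every other domain.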

Potentially dangerous content in the messages 

I can change the language, but where can I change the text of the warning for dangerous content.

We only want to add the expanded complete URL within brackets (without the screaming Protector message).


Something like this:

Please click here link for our website

Or

 
Login to site for access to your account.

 

I think this is not yet possible at the moment.
 

Are we talking about the mail signature? It is in menu Anti Spam > Signature

already set ON by default

It is in the Anti Spam > Setup menu

Another strange example of blocked file

How can I prevent these false positives?

The customer receives a lot of mails with false-positive blocked files which I cannot explain. Also allowing the file extension does not help. Or must I add a new regular expression, and how?

The attachment with a double extension matches this rule. If you disable it, the attachment will be accepted.

 

We make use of subdomains for mail

Is a wildcard *.domain.tld supported with the SMTP server, so that it can handle for example:

@server1.example.com

@server2.example.com

@server3.example.com

The correct way to enter the domain is example.com, without any *

Grey listing problem with hosted gmail/office365 services

Fixed in V47 and newer.

The automatic option is the nicest implementation:


(v) Option to Bypass Greylisting on SPF Pass


If the Protector receives an email from a domain which has published SPF records, and the IP address connecting to the Protector is authorized to send from this domain, and this option is enabled, the Protector will not perform greylisting.

 

(v) Option to Bypass Greylisting when message arrives from A or MX record.

Prior to running greylisting, the Protector will do a DNS A and DNS MX lookup. If the connecting address is found in one of the records, greylisting will be skipped if this option is enabled.

Otherwise, manual SPF entries for the common hosted services will also do. Each line below is the record (include mechanism) the provider publishes:

outlook (see https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx):
v=spf1 include:spf.protection.outlook.com -all

google:
v=spf1 include:_spf.google.com

zendesk:
v=spf1 include:mail.zendesk.com

freshdesk:
v=spf1 include:email.freshdesk.com

mandrillapp:
v=spf1 include:spf.mandrillapp.com

mailchimp:
v=spf1 include:servers.mcsv.net

salesforce:
v=spf1 exists:%{i}._spf.mta.salesforce.com
   

 

How to easily block youtube, facebook etc

Please do it with the application filter menu.

No internet on port B

There was no internet on port B after I did a factory reset.

It had deleted the /etc/udev/rules.d file and the LAN ports on the back side changed. So now port B is no longer port 1, but port 2.

Now I plugged the LAN cord into port 2 and it worked.

If this happens please contact support.

 

Daily report on for quarantine reports

Available in firmware 46, and it's already set ON by default

It is in the Anti Spam > Setup menu

Daily AntiSpam Quarantine Report

Can I import an interface backup into another Protector?

Yes, make sure all Protector versions are at least v47.

Then you can import an exported configuration from any system, even from 32 bit to 64 bit.

 

Is there a limit in Active Directory Connection Parameters

1000 items in the active directory is a default in the AD parameters.

I am getting Memory Errors in the ESXi Virtual Protector

I run ESXi and I get errors such as:

kernel: [496212.442892] Out of memory: Kill process 3399

The system runs too low on ram and must be increased to

 

Can I restore a Protector configuration backup on multiple units?

I need to deploy 10 Protector units.

And I am making 1 master configuration can I easily load that on multiple units?

You can restore the same backup file on multiple units, there's no restriction on that.

The systems IP address remains the same, it's not affected by the database restore.

 

Can the Protector UTM Firewall block SCADA attacks?

The Protector UTM Firewall IPS (Intrusion Prevention System) can block SCADA attacks.

 

If I whitelist an email or domain will RBL still block it?

No, RBL won't touch it.

If the email address of the user or the entire domain is in the whitelist, it won't get triggered by RBL.

Is there a limit to VPN tunnels/connections? 

There are no fixed limits at the software level.

The only limitation is the natural limits of the hardware, including RAM / CPU throughput.

How can I block Netflix?

It is possible to block it in the web filter.

The web filter will take care of blocking all the IP addresses that refer to Netflix

 

I did not receive an email warning about low disk space

My unit went low on disk space and I was not notified.

 

To get notifications please visit the Alert Center page where you can put in your email address.

Here you can verify your email address is in all 3 fields to receive full notifications.

SecPoint Protector Alert Center

 

How to see free space in the terminal?

In the terminal please type:

df -h to see available disk space

It is also possible to see directory sizes, for example

I am getting spam from my own domain

I am getting spam that looks as if it is coming from my own domain:


Example:

In this case, if the domain is secpoint.com,

the spam would appear as if it comes from [email protected]

To solve this you need to make sure your own domain is not in the whitelist.

For example, if you navigate to

https://YOURIP/spprotector/setuplists.php

then make sure your domain is not listed there.

 

System Logs Eventlog

Should I worry, is something going wrong?
System Logs
Eventlog
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
06:29:54 PM CET Dec 23 2017 Check User Logins
 
 
It adds an entry to this log every time it shows a user in the User Logins page (/spprotector/admin/user_logins.php). Since that page shows 20 user logins per page, it will add 20 log entries each time.
In any case, there’s nothing to be worried about

 

DKIM support outgoing/incoming

Two questions:

1.      Is there already DKIM support for outgoing mail? If not, will this be implemented in the near future?

2.      Is incoming mail checked by the Protector against DKIM?

The DKIM support is available with the default settings. If the antispam filter is also enabled on outgoing mail, DKIM is active in both directions, otherwise it's active for incoming mail only.

 

How to find unknown users in quarantine?

You can do this with the Domain User Management function in menu E-mail > SMTP > Advanced configuration

It also allows you to get the list from an LDAP server

 

Where to raise Anti Spam Value

Where can I raise the value of T_SPF_HELO_TEMPERROR from 0.01 to 0.5

It's not possible to tune each and every parameter. In this particular case, the general policy is not to give any score to any temporary error

Spam coming in with SPF

All these mails have a valid SPF record, so they got a -10 score for SPF_PASS. I have disabled it now on your unit.

Spammers get smarter and smarter. However, there is a warning about this in the Protector. If you turn it on, it warns you about possible spam not being filtered.

It's disabled by default. This is the best choice, because it uses the default SA (SpamAssassin) value, which is 0.

 

999 Anti Spam Score

Spam is not recognized anymore, threshold score is 999?

Where can I set the threshold back to 4.3?

I've just restarted the antispam service.

See screenshot, spam catching is working again now.

I'm a bit worried why the spam filtering stopped working suddenly, not recognizing any spam.


The 999 is a false problem, because it's designed to work like this. This is how the whole thing works:
Based on the address the message is going to, a function must choose the correct spam score.
If the actual "To:" user is not found, then use the domain defaults as supplied by the domain administrator. If there is no domain default, then fall back to the system default as defined in the "admin" user. If the user has not supplied a value, the domain administrator has not supplied a value and the system administrator has not supplied a value, then return 999, which will effectively let everything through and nothing will be considered spam.

So, if all the scores have not been supplied (all 0), then the anti spam filter will be ineffective.


Now I understand. The antispam user admin is used to set the default values.

I did reset the values of admin because all the other users had "0" configured for spam score and I thought that the admin had wrong scores and didn't inherit.

It would be clearer for all users to put the default spam score and high spam score as two fields in:
Antispam > Setup >
[4.3] Global spam score threshold.
[30] Global high spam score threshold.


That menu is only available to administration users who can log in to the web panel, not to antispam users. In this firmware we have made a point of keeping these two functions separate, and now he cannot ask us to let antispam users go into the Antispam > Setup page and change things. Also because that page allows a setup for the system, not for a user.
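The threshold lookup described in this thread, as an added example written for this FAQ (not Protector code). It resolves the spam and high-spam thresholds for one recipient through the user, domain and admin levels, treats 0 as "not supplied" and falls through to 999, which is why a restored or freshly reset unit can silently stop catching spam. The settings tables are constructed; the 4.3 and 30 defaults are the values quoted above.

```python
"""Added example for this FAQ (not Protector code): the threshold lookup
described above, with 0 meaning 'not supplied' and 999 as the final fallback."""

UNSET = 0        # a stored score of 0 is read as 'not supplied'
NO_FILTER = 999  # fallback when nobody supplied a value: nothing scores as spam

# Constructed settings, modelled on the three levels in the explanation above.
ADMIN_DEFAULTS = {"spam": 4.3, "high_spam": 30}
DOMAIN_DEFAULTS = {"example.com": {"spam": 6.0}}                  # domain admin set one value
USER_SETTINGS = {"bob@example.com": {"spam": 0, "high_spam": 0}}  # user left both at 0


def effective_thresholds(recipient, user_settings=USER_SETTINGS,
                         domain_defaults=DOMAIN_DEFAULTS, admin_defaults=ADMIN_DEFAULTS):
    """Resolve (spam, high_spam) for one recipient: user -> domain -> admin -> 999."""
    recipient = recipient.lower()
    domain = recipient.rsplit("@", 1)[-1]
    levels = (user_settings.get(recipient, {}),
              domain_defaults.get(domain, {}),
              admin_defaults)
    resolved = []
    for key in ("spam", "high_spam"):
        # first level that actually supplied a value wins; otherwise 999
        value = next((lvl[key] for lvl in levels if lvl.get(key, UNSET) != UNSET), NO_FILTER)
        resolved.append(value)
    return tuple(resolved)


def classify(score, thresholds):
    """Apply the two thresholds to a SpamAssassin-style message score."""
    spam, high = thresholds
    if score >= high:
        return "high-spam"
    if score >= spam:
        return "spam"
    return "clean"


def audit(admin_defaults=ADMIN_DEFAULTS):
    """Check worth running after a restore or upgrade: any admin default left at 0
    means every recipient without own values falls through to 999."""
    return [k for k in ("spam", "high_spam") if admin_defaults.get(k, UNSET) == UNSET]
```

A user whose own scores are 0 inherits the domain value where one exists and the admin value otherwise, so resetting the admin user's scores to 0, as happened here, is what produces the 999 threshold for everyone.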
 

 

Getting Stuck booting g4l

I boot G4L from a USB disk I made with Rufus

But I get the error

SYSLINUX 6.03 EDD 2014-10-06 Copyright (C) 1994-2014 H. Peter Anvin et al

You need to open syslinux.conf on the drive

and replace all APPEND lines with:

APPEND initrd=ramdisk.lzma live-getty console=telnetd=yes run="agetty -L 115200 ttyS0 &" ramdisk_size=65536 root=/dev/ram0

How can I add an antispam user?

The users themselves are not allowed to add users, only the admin.

User creation and password reset are available in the antispam login page.

The user creation is also available through the administration panel in menu Anti Spam > Advanced Configuration > User Management

 

Why does this message get marked as spam? What does the AWL mean?

What is the AWL?

Reply:

AWL means Auto whitelist, that doesn't necessarily mean that the sender is whitelisted. The AWL check tracks scores from messages previously received and adjusts the message score, either by boosting messages from senders who send ham or penalizing senders who have sent spam previously. This not only treats some senders as if they were whitelisted but also treats spammers as if they were blacklisted. Each message from a particular sender adjusts the historical total score which can change them from a spammer if they send non-spam messages. Senders who are considered non-spammers can become treated as spammers if they send messages which appear to be spam.  More details here: https://wiki.apache.org/spamassassin/AwlWrongWay
In this particular case I think the best thing to do is whitelist the sender's email address

Does Protector support DDNS?

Can the Protector be set up to support Dynamic DNS? If so, which services are supported?
 
It is not supported at the moment.
Stay tuned for a future firmware update to include support.

VMware Player / Workstation DHCP conflict

When I start up the clean virtual machine I can't connect a laptop to the network to get a DHCP IP address.

The issue is that DHCP stops working on the entire network.

So every time I connect on the WiFi I need to manually give the laptop a normal IP like 192.168.1.77, 255.255.255.0, 192.168.1.1

VMware has its own DHCP server, have you tried to stop that service? You should set it to disabled.

In any case, this problem usually happens when the VMware DHCP server assigns addresses that are not on the same segment as your LAN. So it's possible that when you connect to the WiFi, the DHCP server assigns you an IP on another segment (192.168.x.y).

There may also be an IP conflict, if there is another computer on the LAN with the same IP as the VM.

 

Whitelist not working for all computers within the same group

The issue  is that 2 computers in the same webfilter group have different behavior when browsing websites.
What's the group and what features have been set for it?
Can we have an example of unexpected behavior?
At present time the behavior of the webfilter is supposed to be as this scheme:

  HTTPS |                             |
  block |                             |
        |                             |    
        |           OFF               |                   ON
        |                             |
        |                             |
        |                             |
Blanket |                             |
block   |                             |
---------------------------------------|---------------------------------------------
         | http: blocks categories     | http: blocks categories
         |       blocks BL             |       blocks BL 
         |       passes WL             |       passes WL
         |                             |
         | https not blocked           | https: - --if proxy is not set on browsers
   OFF   |                             |         |  blocks BL
         |                             |         |
         |                             |         --if proxy is set on browsers
         |                             |            blocks all domains except WL
         |                             |
         | (1)                         | (2)
---------------------------------------|---------------------------------------------
         | http: blocks all except WL  | http: blocks all except WL
         |                             |
   ON    | https not blocked           | https: not blocked, regardless of 
         |                             |        proxy settings on browsers
         | (3)                         | (4)
---------------------------------------|---------------------------------------------

SecPoint Webfilter Config

How can i disable the Mail Archiver?

To enable or disable mail logging to the hard drive please visit

this page:

Anti Spam > Advanced Configuration > Email Processing

 

Grey Listing outlook/hotmail broken

PROBLEM:

We are testing greylisting (default on with the Protector) and see that mail from hotmail.com will never be delivered. So the greylisting is useless at the moment.


Tested:

Grey Listing Delay (1 minute)

Grey Listing Autowhitelist (90 days)


The problem is that the retry is coming from a new IP address (not in the database, of course).


Workaround 1:

Use the known SPF records to make an exception for Hotmail servers (probably more are needed, gmail?).

To do this you have to create 39 objects for network ranges. I made mine in 4 network groups named after the SPF records for future maintenance:


spf-a.hotmail.com

spf-b.hotmail.com

spf-c.hotmail.com

spf-d.hotmail.com


Once that's made, add an exception to skip greylisting for those objects and mail will flow nice and fast if it is legitimate Hotmail mail.


SOLUTION:

This is a problem that we faced 2 years ago. On big mail services like gmail, hotmail etc. it's normal that every message, even from the same sender, comes from a different SMTP server, therefore a different IP address.

For this reason, we have created a new option that allows you to whitelist sender domains, IP addresses, or CIDRs in the greylist filter. In this case it could be enough to whitelist hotmail.com in the senders list of the greylist filter.
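Both the automatic bypass options in the greylisting answer further up (skip greylisting on SPF pass, or when the connecting IP is found in the sender domain's A or MX records) and the Hotmail workaround of turning the spf-a/spf-b/... records into network objects come down to the same SPF evaluation. The following is an added example written for this FAQ, not Protector code: it expands an SPF record (following include: mechanisms) into the networks it authorises, using a constructed DNS table so it runs offline, and then makes the bypass decision. All domain names and addresses in it are invented; the exists: macro term used by some providers is not evaluated.

```python
"""Added example for this FAQ (not Protector code): the two greylisting bypass
checks (SPF pass, and connecting IP found in the sender domain's A/MX records),
plus the SPF include: expansion that the Hotmail network-object workaround does
by hand. DNS is replaced by a constructed table so it runs offline."""
import ipaddress

# Constructed records (documentation ranges, not any real provider's data).
FAKE_DNS = {
    ("bigmail.test", "TXT"): ["v=spf1 include:spf-a.bigmail.test include:spf-b.bigmail.test mx a -all"],
    ("spf-a.bigmail.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("spf-b.bigmail.test", "TXT"): ["v=spf1 ip4:198.51.100.0/25 ip4:198.51.100.200 -all"],
    ("bigmail.test", "A"): ["192.0.2.10"],
    ("bigmail.test", "MX"): ["mx1.bigmail.test"],
    ("mx1.bigmail.test", "A"): ["192.0.2.25"],
    ("nospf.test", "A"): ["192.0.2.77"],
}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns a copy so callers cannot mutate the table."""
    return list(FAKE_DNS.get((name, rtype), []))


def spf_networks(domain, _seen=None):
    """Expand a domain's SPF record into the networks it authorises, following
    include: recursively. These are the 'network objects' of the workaround."""
    _seen = set() if _seen is None else _seen
    if domain in _seen or len(_seen) > 10:   # include loop / runaway guard
        return []
    _seen.add(domain)
    nets = []
    for txt in lookup(domain, "TXT"):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            mech = term.lstrip("+-~?")
            if qualifier != "+":                 # only 'pass' mechanisms authorise
                continue
            if mech.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith("include:"):
                nets.extend(spf_networks(mech[8:], _seen))
            elif mech == "a":
                nets.extend(ipaddress.ip_network(a) for a in lookup(domain, "A"))
            elif mech == "mx":
                for mx in lookup(domain, "MX"):
                    nets.extend(ipaddress.ip_network(a) for a in lookup(mx, "A"))
    return nets


def spf_pass(ip, domain):
    """True when the connecting IP is authorised by the sender domain's SPF."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_networks(domain))


def matches_a_or_mx(ip, domain):
    """True when the connecting IP is one of the domain's A or MX hosts."""
    hosts = lookup(domain, "A")
    for mx in lookup(domain, "MX"):
        hosts += lookup(mx, "A")
    return ip in hosts


def bypass_greylisting(ip, sender_domain, on_spf_pass=True, on_a_or_mx=True):
    """Decision taken before greylisting, mirroring the two setup options."""
    if on_spf_pass and spf_pass(ip, sender_domain):
        return "bypass: SPF pass"
    if on_a_or_mx and matches_a_or_mx(ip, sender_domain):
        return "bypass: A/MX match"
    return "greylist"
```

The CIDRs that spf_networks returns are what you would enter as greylist exceptions if you follow the manual workaround; with the option enabled, the appliance does the same evaluation per connection. One caveat: bypassing on SPF pass trusts whatever the sender domain publishes, so a spammer with a correct SPF record for a throwaway domain skips greylisting too, the same trade-off discussed under "Spam coming in with SPF".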

Do you support Fiber ports? 

For a UTM Firewall we need to run four ports, UTM only; are fiber ports and 10G Ethernet ports available?

In the standard appliances the ports on board are 1G, thus 10/100/1000.

NIP-52041 PCIe Gen2

PCIe x4 - 4x Fiber - Intel I350-AM4 - AI3-3454

Transceivers 1000Base-SX and 10/100/1000Base-T can come from multiple vendors, but all should work with our card.

We recommend Finisar transceivers, but Cisco, HP, Dell and others should work fine as well.

 

End customers usually select the transceivers, because they know what kind of switches are installed.

 

For fiber or high speed we support:

 

    1x 10G copper with 2 ports that must use a Cat 6, Cat 6a, or Cat 7 cable.  (spec suggesting to use CAT6a)
 


    1x 10G fiber with 4 cages
Intel® Ethernet Controller XL710 based Fiber Network Interface Card with 4x SFP Ports and PCIe 3.0 x8 Interface

 

    Intel® Ethernet Controller XL710
    4x fiber SFP ports
    Support PCIe Gen3 x8

    For fiber card cable and transceiver are not included

SecPoint Fiber

 

I need this feature : Intrusion Prevention System


    Intruder Detection (LAN)/Network Intrusion Detection System -
    Blocking Intruder Attack
    Signature Detection
    Anomaly Activity Detection
    Traffic Sniffer
    Honeypots : Recording Intruder Activity and Trap Intruder Activity

Reply:

Well, yes, it's a traffic sniffer, with the purpose of detecting and blocking the "malicious" traffic.

But it's not something like Wireshark or tcpdump, I mean it doesn't have the purpose of showing you the traffic. Its purpose is to analyze it.

    Intruder Detection (LAN)/Network Intrusion Detection System  YES
    Blocking Intruder Attack  YES
    Signature Detection  YES
    Anomaly Activity Detection  YES
    Traffic Sniffer  YES
    Honeypots : Recording Intruder Activity and Trap Intruder Activity  YES, it will block them.

SPF Check Question

I enabled the SPF check a while ago.
Since then I have had the idea that some messages, when the SPF check fails, are being forwarded to the customer.

Today I received a spam mail from EMAIL, only containing a .doc file.
The mail has been sent from Vietnam, the IP isn't listed in our SPF record.
Yet the mail was delivered without warning or block.
MessageID: vA3DJAN6003865

The SPF check is intended to increase trust in mail messages with a valid SPF record, without affecting the score of messages without one. So, if a message does not have a valid SPF record, it's not treated as spam.
If you look, the message score isn't altered by the SPF score, because it doesn't have the SPF.

The behavior seems to be as expected. The message, tested on the command line, fires the rule T_SPF_TEMPERROR, which has a score of 0, so it doesn't cause any change in the overall message score, and this is coherent with the behavior of the SPF filter in the Protector: increase trust in mail messages with a valid SPF record. On the other side, when a message has a valid SPF record, like in , it receives a "bonus" score of -10 thanks to the rule SPF_HELO_PASS.
What could be done in the next firmware is add more options to the SPF filter, in order to:
- decrease the score for every valid match: SPF_PASS, SPF_HELO_PASS
- increase the score for every invalid match:
T_SPF_PERMERROR,
T_SPF_TEMPERROR,
T_SPF_HELO_PERMERROR
T_SPF_HELO_TEMPERROR
SPF_FAIL
SPF_HELO_FAIL
SPF_HELO_SOFTFAIL
SPF_SOFTFAIL

 

Failover & Redundancy

We need more information about failover & redundancy for SecPoint UTM protector products . Please explain & share any datasheets can help below inquiry from our partner . 

Please see:
https://vimeo.com/121443753
And
https://www.secpoint.com/protectorreleasenotes/Protector-UTM-32-0-release-notes.pdf

HA sync has stopped working, how do I fix it?

Both units are up, without firewall function. I have disabled and enabled the service on both units but it still is not working.

From the client Protector, the Master shows ports 8898 and 5432 as filtered instead of open, and a telnet session could not be established. This is probably the reason why it doesn't work.

It is recommended to set the filter option so that these ports are open to the Protectors only.
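A quick check for the situation above, as an added example written for this FAQ (not Protector code): probe the two HA sync ports on the master from the client's side and distinguish "filtered" (a firewall silently dropping the connection, the state reported above) from "closed" (the service itself is not listening). Run it from the client Protector, or from any host on the same segment, against the master's address; the port numbers are the two named in the answer.

```python
"""Added example for this FAQ (not Protector code): check the HA sync ports of
the master from the client Protector's side, and tell 'filtered' from 'closed'."""
import socket

HA_PORTS = (8898, 5432)   # the two ports the answer above names on the master


def probe(host, port, timeout=2.0):
    """TCP connect probe. A timeout means something drops the SYN ('filtered');
    an immediate refusal means nothing is listening there ('closed')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"
    finally:
        s.close()


def check_ha_ports(master, ports=HA_PORTS, timeout=2.0):
    """State of each sync port on the master, keyed by port number."""
    return {port: probe(master, port, timeout) for port in ports}


def ha_ready(results):
    """True only when every sync port is reachable."""
    return all(state == "open" for state in results.values())


if __name__ == "__main__":
    import sys
    states = check_ha_ports(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(states, "HA sync possible" if ha_ready(states) else "fix the filter first")
```

"filtered" on both ports points at the firewall rule between the two units: the rule should allow 8898 and 5432 from the peer Protector's address only, rather than leaving them open to the whole network or closed to everyone.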

 

How to block Browsec VPN ?

The simplest way to block the Browsec VPN is block the other endpoint of the tunnel, that is "postis.com".

 

Block non admin users from adding domains to blacklist?

I’m currently looking for the option to block non admin users from adding domains to the blacklist.

Can you tell me where to find it?

The block is automatic, and the new behavior is as follows:
User: can white/black list an email address or a domain, but only for messages with the user itself as recipient (email-address to User, domain to User). So, all the other users are not affected.
Admin: can white/black list an email address or a domain for all the users in the system (email-address to All, domain to All).
The only warning is that all non-privileged users should be created as User, not Admin.

 

When I release a Spam from Quarantine it gets scanned again

The message I release from quarantine keeps getting rescanned and categorized as spam again how can I solve it?


It is probably because you have this option enabled. Please disable it and release the mail.

Anti Spam Release Mail

How to configure Protector to forward Identity of SMTP incoming mail

Hi Just a quick question: I need to configure the Secpoint to forward the Identity of the SMTP incoming mail.
Right now the Mail Server behind the firewall receives the Mail with the IP of the Firewall, so it does not recognise the sender SMTP server.
Can you help me?
Thank you in advance

Reply
From what I can see, the Protector is configured to receive and filter the mail for a number of domains, and it's configured as the MX record of those domains:


For this reason, the Protector is acting as a mail transfer agent (MTA), and, after the anti spam / anti virus check, it will forward the mail to the mail server in the LAN, which will see the mail coming from the Protector.
However, if you go to /rep_message_listing.php and click inside [ ] to see the mail details, you will see the originating SMTP server.

 

SMTP Question 

Let me explain: we have the Protector in front of a Mail Server.
Each SMTP message is being delivered to the Mail Server with the IP of the Protector.
This does not allow the server to recognize the IP and leverage its own blacklists instead of the Protector's.
The customer has their own AntiSpam and they don't want to use the Protector for this.
But it cannot be done if the mail server does not see the originating IP.
Look:


Current log with 10.0.1.8 as Protector local address on the subnet of the Mail Server:
[0EE0:0030-0358] 02/10/2017 16:43:19   SMTP Server: mail.xxx.xxx(10.0.1.8) connected
[0EE0:0030-0C18] 02/10/2017 16:43:19   SMTP Server: Message xxxx(MessageID: [email protected]>) received
[0E90:0020-0908] 02/10/2017 16:43:19   Router: Agent printing: SJ-EXEMPTED! [email protected], ID: stero/it
[0EE0:0030-0C18] 02/10/2017 16:43:19   SMTP Server: mail.xxxx.xxxx(10.0.1.8) disconnected. 1 message[s] received
[0EE0:0030-20D0] 02/10/2017 16:43:30   SMTP Server: mail.xxxx.xxxx(10.0.1.8) connected
[0E90:0017-0C8C] 02/10/2017 16:43:37   Router: Agent printing: SJ-EXEMPTED! [email protected], ID:

With other customer where we have a front firewall in a similar configuration this happens:

02/10/2017 16.18.38   SMTP Server: Message xxxx (MessageID: ) received
02/10/2017 16.18.38   SMTP Server: xxxx.xxxx.xxxx(xxxxx) disconnected. 1 message[s] received
02/10/2017 16.18.53   SMTP Server: Remote host xxxx() found in blacklist at sbl-xbl.spamhaus.org
02/10/2017 16.18.53   SMTP Server: xxxxconnected
02/1

 

Reply:

In this case it means not using the Protector as a mail proxy, but letting the mail pass untouched through it and reach the destination IP address instead.

So, since the MX records of all the domains already point to the public IP xxxx, which is the same IP address as the Protector, it should be enough to turn off the mail proxy in the Protector and route port 25 to the correct destination IP in the LAN.

Most customers use the Protector for the spam & anti virus scanning so they remove the load from their mail server and also protect the mail server from compromise.
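When the Protector relays, the mail server behind it only ever sees the Protector's address at the socket, but the path is still recorded in the Received: headers the Protector shows in the message details (and which the "Blacklist sender's relay server" function further up reads). The following is an added example written for this FAQ, not Protector code: it parses those headers from a constructed three-hop message, returns the hop list, picks out the relay that connected to the Protector, and builds the reverse-octet name that an RBL lookup such as the sbl-xbl.spamhaus.org check in the log above resolves. Reading "the first relay server" as the host that connected to the Protector is an assumption of this example.

```python
"""Added example for this FAQ (not Protector code): recover the relay chain from
Received: headers, derive the relay that connected to the Protector and the
DNSBL query name a downstream mail server would have used for it."""
import email
import re

# Constructed message: laptop -> internal relay -> sender's outbound MTA -> Protector.
SAMPLE = """\
Received: from mail-out.sender.test (mail-out.sender.test [203.0.113.5])
        by protector.example.com (Protector) with ESMTP id abc123
        for <user@example.com>; Wed, 10 Feb 2017 16:43:19 +0100
Received: from smtp-int.sender.test ([10.20.30.40])
        by mail-out.sender.test with ESMTP id xyz789;
        Wed, 10 Feb 2017 16:43:10 +0100
Received: from laptop (unknown [192.168.4.9])
        by smtp-int.sender.test with ESMTPSA;
        Wed, 10 Feb 2017 16:43:05 +0100
From: sender@sender.test
To: user@example.com
Subject: test

body
"""

# 'from <helo> (<reverse-dns> [<ip>]) by <host> ...'; the parenthesised part is optional.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def received_hops(raw):
    """Hops oldest-first as (helo_name, ip, receiving_host). MTAs prepend
    Received: headers, so the first header in the message is the newest hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        ipm = IP_RE.search(m.group("paren") or "")
        hops.append((m.group("helo"), ipm.group("ip") if ipm else None, m.group("by")))
    hops.reverse()
    return hops


def connecting_relay(raw):
    """The host that handed the message to the last receiver (the Protector here).
    Its IP is the only one verified by a socket rather than copied from an
    untrusted header, so it is the one an RBL/DNSBL check should use."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def dnsbl_query_name(ip, zone="sbl-xbl.spamhaus.org"):
    """Reverse-octet name that an RBL lookup resolves, e.g. 5.113.0.203.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

The inner hops (10.20.30.40, 192.168.4.9) come from headers the sender's own systems wrote and can be forged; only the outermost hop was observed by the Protector itself, which is why a blacklist decision should be based on that one.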

IPS DB Update

How often is the IPS Intrusion Prevention Databases updated?

The IPS block and the Web filter work independently. So, a worm will be blocked even if there is nobody surfing the web.

One type of protection can be obtained with IPS, another type with the web filter.

Block Zero Day attacks

How does the Protector block from Malware or Zero day attacks?

The web filter is only needed to block surfing, and is ineffective if you don't use a browser.

The IPS Intrusion Prevention System is actively working to protect against intrusions etc.

So, it's not necessary to activate the web filter to stay protected.

Office 365 Question

Email is Hosted on Office 365.

They would like to make use of IPS scanning, Web Filtering, VPN and Firewall capabilities of the UTM.  If there is a way of routing Office 365 mail though the UTM to provide Antispam, then this as well.

If they are using Office 365, to do so they most probably had to point the MX record of their domain(s) to Office 365.

Even when using Office 365, it's also possible to route mail to a proprietary server (the Protector) for processing mail BEFORE it's routed to Office 365 (read here https://technet.microsoft.com/en-us/library/jj937232(v=exchg.150).aspx ). In this case, the MX record should point to the Protector, then in the Protector the mail server must be set up to point to Office 365.

 

LDAP Microsoft Active Directory 999 lines limit

The problem is with LDAP, the selection is incomplete.
When I do the same with the Softerra LDAP browser (same criteria) they are in the list.

I have looked at two different customers and both have more than 999 lines in the selection.

The problem is the [count] => 1000

This means that ONLY 1000 lines from the Active Directory are read and then it stops! This number should be much bigger or endless.


Solution:

The limit of 1000 items is a page size set by the LDAP server, but it can be changed with these commands on the LDAP server:
C:> ntdsutil
ntdsutil: ldap policies
ldap policy: connections
server connections: connect to server x.x.x.x
server connections: q
ldap policy: show values (here we will see all the values including MaxPageSize which is 1000 currently)
ldap policy: set maxpagesize to 5000
ldap policy: commit changes
ldap policy: q
ntdsutil: q

Today the Active Directory has been modified and you're right, it now does about 1200 lines, the scope is set to 5000.
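The [count] => 1000 above is Active Directory's MaxPageSize policy: a search without the simple paged results control (RFC 2696) gets at most one page and a sizeLimitExceeded result code that many clients ignore. Raising MaxPageSize with ntdsutil works, but it is a server-wide change that stops working again at the next limit. The client-side fix is to page. The following is an added example written for this FAQ, not Protector or Microsoft code: a constructed in-memory directory of 1200 entries, a stand-in server that enforces the 1000 cap, and the paging loop that reads all 1200 without touching the server policy.

```python
"""Added example for this FAQ (not Protector or Microsoft code): why a client
sees exactly 1000 entries from Active Directory, and the client-side fix,
RFC 2696 simple paged results. The server is emulated in memory so it runs offline."""

MAX_PAGE_SIZE = 1000   # AD's default LDAP policy value, as shown by ntdsutil above
# Constructed directory of 1200 users, the situation described above.
DIRECTORY = [f"CN=user{i:04d},OU=Users,DC=example,DC=com" for i in range(1200)]


def ldap_search(page_size=None, cookie=0):
    """Emulated AD search.
    Without the paged-results control: at most MAX_PAGE_SIZE entries and the
    result code sizeLimitExceeded (4), which many clients ignore; that is the
    '[count] => 1000' symptom.
    With the control: one page of min(page_size, MAX_PAGE_SIZE) entries plus a
    cookie for the next page, or None when the result set is exhausted."""
    if page_size is None:
        if len(DIRECTORY) > MAX_PAGE_SIZE:
            return DIRECTORY[:MAX_PAGE_SIZE], "sizeLimitExceeded"
        return list(DIRECTORY), "success"
    n = min(page_size, MAX_PAGE_SIZE)
    page = DIRECTORY[cookie:cookie + n]
    next_cookie = cookie + n if cookie + n < len(DIRECTORY) else None
    return page, next_cookie


def search_unpaged():
    """What a client gets when it does not page: a silently truncated list."""
    entries, status = ldap_search()
    return entries, status


def search_paged(page_size=500):
    """Keep asking for the next page until the server returns an empty cookie."""
    entries, cookie = [], 0
    while cookie is not None:
        page, cookie = ldap_search(page_size, cookie)
        entries.extend(page)
    return entries
```

With a real LDAP client the loop is the same, only the cookie travels inside the paged results control; in Python's ldap3, for instance, Connection.extend.standard.paged_search() does it for you. Checking the result code on an unpaged search (sizeLimitExceeded rather than success) is the cheapest way to notice that a directory has outgrown the page size.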

 

Whitelist question

I have a question/issue.

When I add a domain/sender as whitelisted as Admin, this entry is added to "default". Basically this means that the domain/sender is whitelisted server-wide.
Now, the issue is that when a user adds a whitelist entry, the entry is being added to "default" also.
Currently we have the issue that one of our customers is adding gmail and hotmail as whitelisted. That the customer wants this is fine by me, but I don't want those domains to be whitelisted for everyone.

How should this work normally?

Reply:

When anyone adds an email address or domain to the whitelist, it's whitelisted for all the domains hosted by that Protector. So, if you are hosting two domains (domain1.com and domain2.com) and you whitelist gmail.com, gmail will be whitelisted for domain1.com and domain2.com. This is the way it works.
If you want to whitelist from gmail to domain1 and NOT from gmail to domain2, you should create the whitelisting rule in the advanced page.

Here, enter both domains, From and To, select Whitelist, then Add

 

SecPoint Protector White Listing


 

How can the Protector UTM Firewall block Wannacry?

I cant find the Wannacry blocking in the Protector when I look in IPS configuration?

Wannacry is not in the IPS configuration, it's in the Anti Malware setup page, in the Trojan page

SecPoint Protector Malware Block

Do the Protector UTM Firewall have Failover Mail Server capability?

Failover Relay Server

When you have your own mail server provided with a double network connection, or a backup mail server in a failover location, you may configure the SMTP failover option of the Protector. This feature allows it to automatically switch to the alternate server (failover) if the connection to the main server should fail.

The function is available through menu SMTP > SMTP Configuration. Here you can define any number of servers to send clean mail to. If you want to create a failover connection for a mail server, create a new entry for an existing domain and leave the Master check box unchecked.

The new SMTP connection will become the secondary (failover) connection for that domain, whilst the existing one will become the master. To switch roles, edit one SMTP and click on Master to reverse its status. On the list, the Master connection is marked with the symbol , and the secondary (failover) connection with .

When the Protector is using a failover connection, it will revert to the master connection as soon as it becomes active again. The Protector can handle an unlimited number of failover connections for the same domain. Each connection must use a different IP address.

Two mails one is spam

Two almost identical e-mail messages, one is classified as spam

Can you tell me what goes wrong? I have two almost identical e-mail messages, one is classified as spam with a ANY_BOUNCE_MESSAGE and a BOUNCE_MESSAGE score of 10. The other message is not classified as spam.

Both e-mails are sent from the same server. I have attached the headers and spam scores to this ticket.

Thanks in advance,
 

Reply:

The two messages are almost identical, as you said, but they are not the same, and this makes the difference. The difference is in the message size, and above a certain size messages are not scanned. You can change this in the Anti Spam - Setup, in the Basic section.

 

Hardware Certificates

SecPoint Penetrator and Protector Hardware Appliance Certificates

LANNER appliances

https://www.secpoint.com/certificates/lanner/1608002 CER CE.pdf

https://www.secpoint.com/certificates/lanner/1608002 CER FCC.pdf

https://www.secpoint.com/certificates/lanner/ISO-9001 2008 Certificate.pdf

https://www.secpoint.com/certificates/lanner/RoHS_NCA-4210A.pdf


Alfa WiFi Adapter
https://www.secpoint.com/certificates/alfa/AWUS036AC CE certificate.pdf

https://www.secpoint.com/certificates/alfa/AWUS052NH Conformity.pdf
 

JETWAY

https://www.secpoint.com/certificates/jetway/557 CASE CE CERTIFICATE-REPORT (1).pdf

https://www.secpoint.com/certificates/jetway/NC9K CE Test Report-1.pdf

https://www.secpoint.com/certificates/jetway/NC9K CE Test Report.pdf


NEXCOM

https://www.secpoint.com/certificates/nexcom/ISO_9001(Ver_2000).pdf

Receiving signed mails (S/MIME) 

When receiving mails from customers that are signing their e-mail with a certificate we are getting the following error.
"Error: It is possible that the content of the message is changed"
We never had this issue before we changed our spamfilter. When this customer sends an e-mail to our Gmail address there is nothing wrong with the certificate.
My idea is that the spamfilter is adding a signature in their message (I already emptied the message, however, I cannot remove the last space) because of that the message has been changed. Therefore it seems a legit error.

This can be fixed by removing the mail signature.

File Extension Block

How do I make a file extension rule based on From (email or domain) to Email/domain?

The option From/To Email/Domain is in the advanced settings of the File Extension page. Click on "Switch to Advanced"

Mail Certificate Error

When receiving mails from customers that are signing their e-mail with a certificate we are getting the following error.

"Error: It is possible that the content of the message is changed"
We never had this issue before we changed our spamfilter. When this customer sends an e-mail to our Gmail address there is nothing wrong with the certificate.
My idea is that the spamfilter is adding a signature in their message (I already emptied the message, however, I cannot remove the last space) because of that the message has been changed. Therefore it seems a legit error. 

You can clean all mail signatures in Anti Spam > Email Signature.
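The two entries above ("Receiving signed mails (S/MIME)" and "Mail Certificate Error") describe the same failure: a gateway that appends a signature or disclaimer to every message modifies the signed body, so the recipient's S/MIME check reports that the content may have been changed. The block below is an added example, not SecPoint code: it shows a gateway-side rule that exempts S/MIME signed mail from footer insertion, and demonstrates why the rule is needed by digesting the signed body part before and after a footer is appended. The messages are constructed for the example, and the SHA-256 digest over the first MIME part stands in for the real PKCS#7 signature verification (real S/MIME canonicalises line endings and signs the whole part, but the effect of appending text is the same).

```python
"""Added example (not SecPoint code): exempt S/MIME signed mail from gateway
footer insertion, and show why appending a footer breaks the signature."""
import hashlib
from email import message_from_string
from email.policy import default

# Content types that carry an S/MIME signature or envelope; rewriting their
# body invalidates the signature (or is impossible for an encrypted envelope).
SIGNED_TYPES = {"multipart/signed", "application/pkcs7-mime",
                "application/x-pkcs7-mime"}


def is_smime_signed(raw):
    """True when the top-level content type is an S/MIME signed/enveloped type."""
    msg = message_from_string(raw, policy=default)
    return msg.get_content_type() in SIGNED_TYPES


def may_append_footer(raw):
    """Gateway rule: never rewrite the body of a signed message."""
    return not is_smime_signed(raw)


def signed_part_digest(raw):
    """Digest of the first MIME part of a multipart/signed message, i.e. the
    bytes the sender's signature covers (simplified stand-in for PKCS#7)."""
    msg = message_from_string(raw, policy=default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    body_part = msg.get_payload(0)
    return hashlib.sha256(body_part.as_bytes()).hexdigest()


def append_footer(raw, footer):
    """What a naive filter does: append text to the first body part."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_payload(0) if msg.is_multipart() else msg
    part.set_content(part.get_content() + "\n" + footer)
    return msg.as_string()


# Constructed sample: a signed message (the signature blob is a dummy).
SIGNED_MAIL = """\
From: customer@example.com
To: sales@example.org
Subject: Signed order
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain; charset="us-ascii"

Please ship order 1234.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIBAAAA
--sig--
"""

# Constructed sample: an ordinary unsigned message.
PLAIN_MAIL = """\
From: customer@example.com
To: sales@example.org
Subject: Hello
Content-Type: text/plain; charset="us-ascii"

Just a plain message.
"""

if __name__ == "__main__":
    print("footer allowed on signed mail:", may_append_footer(SIGNED_MAIL))
    print("footer allowed on plain mail: ", may_append_footer(PLAIN_MAIL))
    before = signed_part_digest(SIGNED_MAIL)
    after = signed_part_digest(append_footer(SIGNED_MAIL, "Scanned by gateway"))
    print("signed part unchanged after footer:", before == after)
```

The exemption keyed on the top-level content type is the same idea as the page's advice to clear the mail signature: if the gateway must stamp outbound or inbound mail, it has to leave signed messages untouched, otherwise every S/MIME recipient sees a tamper warning that is, as the reporter noted, technically correct.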

 

How to block file extensions in the Anti Spam Module?

To block by regex you have to click the other radio button, not "file extension".
The regular expression must have a single backslash, not a double one.

Please see the screenshot:

SecPoint Regex Blocking

 

Release message, blocked other

I have some emails that are blocked under other, when I release them
they are blocked again

It may be because the Rescan option is enabled in Antispam-Setup

 

How can I improve Bandwidth on the Protector Firewall?

I run the 32 Bit version of the Protector UTM Firewall and I need to improve the throughput speed.

Please upgrade to the 64 Bit version with the 64 Bit traffic engine and 8 GB RAM for maximum performance.

Database Management System = NO

I get the Database Management System to red in the system status indicator.

How can I fix it? 

It means there is an inconsistency in the SQL database. Please create a support ticket for an engineer to investigate.

What additional features does the UTM provide?

State-of-the-art 64 Bit Platform
Best Anti Virus with up to 4 supported engines: Kaspersky, ESET, ClamAV
Next Generation Firewall with easy country blocking
SSL VPN, IPsec
Web Filtering: easily block social media, set up group policy, time based policy.
Content Filter: easily block P2P and other network services.
Vulnerability Scanning / Vulnerability Assessment
IPS Intrusion Prevention to block specific attacks.

 

Proxy Question for Protector

Transparent web proxy to manage different vlan users Internet usage and provide details reporting and management reporting

My client's requirement is to have a transparent web proxy to manage different VLAN users' Internet usage
and provide detailed reporting and management reporting.

At the same time they prefer using transparent proxy because they don't need to add changes to users
workstation and this will be great if this solutions can link back with their AD.

Answer:
Yes
Both detailed reporting and management reporting are available. The first one is the full visit log,
and is available on screen. The management report is available on screen and can be sent automatically
via email every day in html format.

How to block Proxies

Can you block anonymous proxies? Now there are Chrome and Firefox plugins for VPN to unblock sites, for example browsec.com.

The browsec plugin creates a tunnel between the browser and a website, that seems to be example.com. Therefore it should be enough to block that website to block the plugin

 

I am getting false positives for Spam with FH_DATE_PAST_20XX code

It means your database is out of date.

To solve it please run a database or firmware update.

PCI Compliance Question

We are getting PCI compliance but need to upload an SSL certificate. How can we do it?

You can upload a trusted certificate in menu System > SSL Certificates.

VPN Protector Question

Please see the modules we need to consider that are available on a single appliance/box: For Firewall VPN

Can the Protector do the Following?

  1. Network Capabilities - Routing
  2. VPN – IPsec, L2TP, PPTP and SSL VPN
  3. Web and content filtering – Must have website categories such as Streaming, P2P sites, etc.
  4. Application filtering – Must have categories such as mobile application, Instant messenger, etc.
  5. Built in reporting – must have internal storage
  6. Log viewer – Live traffic
  7. Tool such as packet capture and system graphs
  8. User Identity security – layer 8 security (Captive Portal, Single Sign on, etc.)
  9. Gateway Antivirus and Anti Spam
  10. IPS/IDS
  11. Firewall

Please see answer below:

1 Yes (static routing also available)
2 IPSec, PPTP, SSL
3 Yes
4 Content filtering is not application-based. Application-based blocking will be available as a Firewall option in the next firmware.
5 Reporting is available. Internal storage is available on screen
6 Web traffic log is available. Network traffic chart is available
7 Please explain more
8 Captive portal / SSO not available
9 Yes
10 Yes
11 Yes

 

Web Filter Block Groups

I am considering this also, but can we block a group of users via username? Via IP address and via MAC addresses?

Users can be blocked by IP in the Web Filter.

 

How can I run VMware tools?

Please upgrade to firmware 38.5.x or later; it will then run automatically.

 

How to create Anti Spam Quarantine Users on the Protector?

Please log in to the Protector web interface (not the Anti-spam login) and go to Anti Spam > Advanced Configuration > User Management.
There it is possible to create new users.

 

Will the Protector block attacks or just list them?

The advanced high speed 64 Bit Intrusion Prevention System IPS Engine can block attacks in real time.

It is updated on a daily basis for the latest attack forms.

 

Can the Protector only block Spyware?

The Protector will block:

Malware, Mobile Malware, Trojans, Worms and Spyware.

 

Network Interface Ports

What are the Network interfaces on the Protector UTM Firewall?

You can use the following:

br0 is the bridge between eth0 and eth1, and eth2 is the DMZ zone.

 

Time of Day Firmware Updates

What time of day will the automatic Firmware get installed on the Protector UTM Firewall?

The automatic firmware update will happen some minutes after midnight to minimize system interruption.

Reboot is not required after firmware is installed.

 

Protector Database Updates

How often are Database updates carried out on the Protector UTM Firewall?

The default for database update is once a day. You can customize it in great detail.

Please see the screenshot (SecPoint Protector Daily Update) of the Update -> Setup menu.

 

Normal mails as spam

It means the Anti Spam database is out of date.

To fix it, simply run a database update or force a Firmware Update.

 
How does the Smart Host Relay Check work?
 
The check for smart host relay works like this:
- the check is performed every 30 seconds on the whole set of relay servers defined
- when one or more servers are unresponsive, a counter starts
- when the number of bad checks reaches 5 (2 minutes after the first bad check), the Not Good flag is raised
- when all the relay servers give a positive reply, the counter is reset.

The reason for the counter is that one or more mail servers may appear down temporarily (slow internet, server slow to reply etc.), so a server is only considered bad after 5 attempts.
However, as soon as all the relay servers are found online, the Status is restored to Perfect.

The reason for a possible delay is: When the bad server is deleted from the list, the check process is at the beginning of the 30 seconds sleep, so it won't start checking the remaining servers before that time.
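The check described above is a small state machine: a probe of every relay every 30 seconds, a counter of consecutive failed cycles, a "Not Good" flag raised on the fifth failure, and a reset to "Perfect" as soon as every relay answers. The block below is an added example, not SecPoint code, that models it so the timings can be checked: with a 30 s interval the fifth failed cycle lands 120 s (2 minutes) after the first one, exactly as stated, and removing a bad relay does not clear the flag until the next cycle runs. Time is simulated as whole cycles; `probe(host)` is a caller-supplied function returning True when the relay replied.

```python
"""Added example (not SecPoint code): simulation of the smart host relay
health check. 30 s cycles, 5 consecutive bad cycles raise "Not Good",
a cycle in which every relay answers resets the counter to "Perfect"."""

CHECK_INTERVAL_S = 30
BAD_CHECKS_BEFORE_NOT_GOOD = 5


class RelayHealth:
    def __init__(self, relays):
        self.relays = list(relays)
        self.bad_checks = 0            # consecutive cycles with a non-reply
        self.first_bad_at = None       # simulated time of the first bad cycle
        self.elapsed_s = 0             # simulated clock, advances per cycle
        self.status = "Perfect"

    def run_check(self, probe):
        """One check cycle over the whole relay set; returns the new status."""
        self.elapsed_s += CHECK_INTERVAL_S
        replies = {host: bool(probe(host)) for host in self.relays}
        if all(replies.values()):
            # every relay answered: counter reset, status restored at once
            self.bad_checks = 0
            self.first_bad_at = None
            self.status = "Perfect"
        else:
            self.bad_checks += 1
            if self.first_bad_at is None:
                self.first_bad_at = self.elapsed_s
            if self.bad_checks >= BAD_CHECKS_BEFORE_NOT_GOOD:
                self.status = "Not Good"
        return self.status

    def remove_relay(self, host):
        """Delete a relay from the set; takes effect at the next cycle only."""
        self.relays.remove(host)


def simulate(relays, down, cycles):
    """Status after each cycle while the hosts in `down` never answer."""
    health = RelayHealth(relays)
    return [health.run_check(lambda h: h not in down) for _ in range(cycles)]


def recovery_after_removal(relays, bad_host):
    """Drive the set to "Not Good", delete the bad relay, and report the
    status right after deletion and after the next 30 s cycle."""
    health = RelayHealth(relays)
    while health.status != "Not Good":
        health.run_check(lambda h: h != bad_host)
    health.remove_relay(bad_host)
    after_removal = health.status          # still "Not Good": checker asleep
    after_next_cycle = health.run_check(lambda h: h != bad_host)
    return after_removal, after_next_cycle


if __name__ == "__main__":
    print(simulate(["relay1.example", "relay2.example"], {"relay2.example"}, 6))
    print(recovery_after_removal(["relay1.example", "relay2.example"],
                                 "relay2.example"))
```

Note that the page's rule resets only when all relays answer in the same cycle, so a set with one flapping relay that never coincides with the others' replies stays "Not Good" indefinitely; the model reproduces that, which is why the support answer recommends deleting a permanently dead relay rather than waiting.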
 
Grey List Question
How to easily whitelist Microsoft Cloud or Google in Grey List?
Yes, here you can whitelist the IP addresses of Microsoft 365 or Google etc., and mail using their SMTP services won't be blocked any more.
 
What time does the Firmware update automatically?

The automatic firmware update is launched a few minutes after midnight.

 
Spam via Firewall

We are experiencing an increased amount of spam going through the Firewall.

Some of these are NDR spam, however I have set the Firewall to block NDR spam.

I have found that for the domain example.nl all bounce mails are blocked. So when I send to a non existent recipient I will not receive a NDR report.

How come, since this domain example.nl is in the smtp list?

In fact the relay server that has been whitelisted (Smtp.isp.nl) corresponds to a very large number of IP addresses, and it's not possible to whitelist all of them. The mail of the last test, for example, has used IP xxx.xx.xx.xxx, which is in the range of IPs of Smtp.isp.nl.

A deeper look at the email message shows that the email has crossed this relay server before being returned back:

MS.example.local

So, instead of whitelisting the server Smtp.example.nl, I have whitelisted MS.example.local, and the result has been that the mail has been recognized as valid and not as spam.

Now, please try to send the same test mail again; if the server MS.example.local is in the path to the destination server, it should return back and be recognized as non-spam.
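The fix the engineer describes above turns on where the bounce travelled, not where it appears to come from: a whitelist keyed on the ISP's smarthost fails because that name resolves to many IPs, whereas the internal relay MS.example.local is a single host that every legitimate bounce for the domain passes through. The block below is an added example, not SecPoint code, that reproduces the decision: it walks the Received: chain of a message, detects whether the message is a delivery status notification, and accepts the bounce only if a whitelisted relay appears in its path. Hostnames, IPs and messages are constructed for the example; matching is on the "from" hostname each hop recorded, which simplifies the appliance's IP-based whitelist.

```python
"""Added example (not SecPoint code): accept NDR/bounce mail only when it
crossed a whitelisted relay, judged from the Received: header chain."""
import re
from email import message_from_string
from email.policy import default

# "Received: from <host> (<rdns> [<ip>]) by <host> ..." : capture the host
# after "from"; a '(' or ';' ends the token if the hop omitted the space.
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)


def relay_path(raw):
    """Relay hostnames taken from the Received: headers, oldest hop first."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.match(str(hdr))
        if m:
            hops.append(m.group(1).lower())
    hops.reverse()      # each hop prepends its header, so the top is newest
    return hops


def is_bounce(raw):
    """Delivery status notification: multipart/report with
    report-type=delivery-status, or sent by the mailer daemon / postmaster."""
    msg = message_from_string(raw, policy=default)
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        return True
    sender = str(msg.get("From", "")).lower()
    return sender.startswith(("mailer-daemon", "postmaster"))


def classify(raw, trusted_relays):
    """'accept' for a bounce that crossed a whitelisted relay, 'block' for
    any other bounce, 'not-bounce' for ordinary mail."""
    if not is_bounce(raw):
        return "not-bounce"
    trusted = {h.lower() for h in trusted_relays}
    if any(hop in trusted for hop in relay_path(raw)):
        return "accept"
    return "block"


# Constructed: a bounce for a test mail that went out via the internal relay
# and came back through it, as in the case discussed above.
BOUNCE_VIA_INTERNAL = """\
Received: from MS.example.local (ms.example.local [192.0.2.10])
    by protector.example.nl with ESMTP; Mon, 5 Mar 2018 10:00:02 +0100
Received: from smtp.isp.nl (smtp.isp.nl [198.51.100.7])
    by MS.example.local with ESMTP; Mon, 5 Mar 2018 10:00:01 +0100
From: MAILER-DAEMON@isp.nl
To: user@example.nl
Subject: Undeliverable: test
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="r"

--r
Content-Type: text/plain

The recipient does not exist.
--r--
"""

# Constructed: a bounce delivered straight from one of the ISP's many
# smarthost addresses; nothing in its path is on the whitelist.
BOUNCE_DIRECT = """\
Received: from smtp.isp.nl (smtp.isp.nl [198.51.100.23])
    by protector.example.nl with ESMTP; Mon, 5 Mar 2018 10:05:00 +0100
From: MAILER-DAEMON@isp.nl
To: user@example.nl
Subject: Undeliverable: test
Content-Type: text/plain

The recipient does not exist.
"""

# Constructed: ordinary mail, not a bounce at all.
NORMAL_MAIL = """\
Received: from MS.example.local (ms.example.local [192.0.2.10])
    by protector.example.nl with ESMTP; Mon, 5 Mar 2018 10:06:00 +0100
From: colleague@example.nl
To: user@example.nl
Subject: Lunch
Content-Type: text/plain

12:30?
"""

if __name__ == "__main__":
    whitelist = {"MS.example.local"}
    for name, raw in [("via internal", BOUNCE_VIA_INTERNAL),
                      ("direct", BOUNCE_DIRECT), ("normal", NORMAL_MAIL)]:
        print(f"{name:12s} path={relay_path(raw)} -> {classify(raw, whitelist)}")
```

One caveat when applying this in production: only the Received: lines written by hosts you operate are trustworthy. Everything below them is the sender's claim, so a spammer can insert a forged "Received: from MS.example.local" line. Check the hop your own server recorded (the topmost line, with the connecting IP in brackets) rather than any line in the chain, which is effectively what the appliance's IP whitelist does.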

 

Protector Firmware Changelog

Where can I find the latest Protector Firmware Change Log?

To view the latest Protector Firmware Changelog, Release Videos, Release notes.

 

Change Email Address of Sender

How can I change the sender address of the Protector UTM Firewall?

It is in menu Anti Spam > Quarantine Sender

 

Set Automatic Firmware Update

How can I set the Protector UTM Firewall to get new firmware update automatically?

Yes.

Go to Update -> Setup and switch automatic update on.

SecPoint Protector Auto Firmware

 

 

Web Filter Proxy Traffic Question

How can I block incoming traffic from the Internet to the Web filter Proxy?

Set the firewall default policy Any->fwall to DROP for more safety and restart the firewall. Then activate the web filter.

On this unit, the new rules are in place, but the firewall is still running with the old ones. So it should be restarted after validating the new rules.

The new firewall rules have been released for this exact reason: to avoid having a Protector acting as a public proxy.

 

Can the Protector sync with Microsoft Active Directory?

Yes.

The Protector fully synchronizes with Microsoft Active Directory for Anti Spam Quarantine users, Web Filter users and groups, and VPN users.

If you are not using Microsoft you can sync with LDAP on Linux or other platforms as well.

 

Can you set a time based Web Filter blocking policy? 

Yes.

You can easily set up Web filter groups to block things such as social media or other categories in specific time zones.

It could be in a work environment where certain things are allowed outside of business hours or during lunch.

Then in specific times as specified the web filter will activate again.

You can also set up group policies so each group has a different policy altogether.

Example a sales department group has a specific policy on.

And a support team group has another policy.

 

Hyper-V Support for Protector Firewall

Our customer is using a Hyper-V virtualized environment. Do you support that?

Yes. You can download for Microsoft Hyper-V, VMware ESXi or a raw Linux ISO.

Download is available in VIP Lounge.

 

How can the VPN Authenticate?

The SSL VPN has a local database for authentication. The IPsec VPN is server-to-server and only requires the 2 endpoints to recognize each other, so the authentication credentials have to be configured in the 2 Protectors.

The Client-to-LAN (PPTP) VPN has both LDAP and local authentication.

 

How can I protect my network from hacker Intrusion ?

I think the main thing I am looking at is if someone is trying to get into my network does the Protector UTM Firewall have detection notification?
 
Yes.
The 64 Bit high performance Protector UTM Firewall has a strong Intrusion Prevention System engine that analyzes traffic in real time and blocks specific attacks.

You will see statistics of any attacks in the interface, together with the evidence of the attack.
It will store the attack, its timestamp and the source IP.

 

How can I block all traffic from a specific country?

I want to block traffic from countries we are not dealing with, such as North Korea, Nigeria, Russia, China.

Do you have an easy solution for that? 

Yes, in the Protector UTM Firewall you can, with just a few clicks, block all traffic from countries that are known for hacker and malware attacks and by this greatly reduce the attacks coming to your network.

 

How can I block Dangerous Macros?

How can we block the dangerous macro files?

You can easily add file extensions in the Anti Spam > File Extension blocking menu.

Please see more information at:

https://www.file-extensions.org/filetype/extension/name/microsoft-office-files

dotm: Microsoft Word Open XML macro-enabled document template
ppsm: Microsoft PowerPoint macro-enabled Open XML complete slide show
pptm: Microsoft PowerPoint macro-enabled Open XML presentation
xlsm: Microsoft Excel Open XML macro-enabled workbook
docm: Microsoft Word Open XML macro-enabled document
xlam: Microsoft Excel Open XML macro-enabled add-in file
xlm: Microsoft Excel macro
xltm: Microsoft Excel Open XML macro-enabled workbook template
ppam: Microsoft PowerPoint macro-enabled Open XML add-in
potm: Microsoft PowerPoint 2007/2010 macro-enabled Open XML template file
mam: Microsoft Access macro shortcut file
sldm: Microsoft PowerPoint 2007/2010 macro-enabled Open XML slide file

It is recommended to block extensions such as:

DOCM, XLSM, PPTM

This can help block specific malware as well.

See more here:

https://blogs.technet.microsoft.com/mmpc/2016/02/24/locky-malware-lucky-to-avoid-it/


https://isc.sans.edu/forums/diary/Locky JavaScript Deobfuscation/20749/

It is also recommended to block JavaScript attachments (.js).
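Two entries above bear on the same check: "How to block file extensions in the Anti Spam Module?" (the regex must use a single backslash) and the macro extension list just given. The block below is an added example, not SecPoint code, that applies both: it builds one anchored, case-insensitive rule from the page's macro extensions plus .js, extracts attachment filenames from a raw message, and shows side by side why the doubled-backslash form never matches. The extension list is the page's; the regex, the helper names and the sample message are constructed for the example.

```python
"""Added example (not SecPoint code): extension-based attachment blocking
with a regex written with a single escaped dot, applied to the attachment
filenames of a raw RFC 5322 message."""
import re
from email import message_from_string
from email.policy import default

# Macro-enabled Office formats from the list above, plus JavaScript.
MACRO_EXTENSIONS = ["dotm", "ppsm", "pptm", "xlsm", "docm", "xlam", "xlm",
                    "xltm", "ppam", "potm", "mam", "sldm"]
SCRIPT_EXTENSIONS = ["js"]
ALL_BLOCKED = MACRO_EXTENSIONS + SCRIPT_EXTENSIONS

# Correct form: ONE backslash escapes the dot, the alternation is anchored at
# the end of the name, and matching is case-insensitive ("Invoice.DOCM").
BLOCK_RE = re.compile(r"\.(" + "|".join(ALL_BLOCKED) + r")$", re.IGNORECASE)

# The same rule typed with a doubled backslash. In regex syntax "\\" is a
# literal backslash and "." is any character, so this only matches names
# like "x\qdocm" and silently lets "invoice.docm" through.
WRONG_RE = re.compile(r"\\.(" + "|".join(ALL_BLOCKED) + r")$", re.IGNORECASE)


def is_blocked(filename, pattern=BLOCK_RE):
    """True when the filename ends in one of the blocked extensions."""
    return pattern.search(filename) is not None


def attachment_names(raw):
    """Filenames of all attachments of a raw message (body parts skipped)."""
    msg = message_from_string(raw, policy=default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def blocked_attachments(raw):
    """Attachment names in the message that the rule would block."""
    return [name for name in attachment_names(raw) if is_blocked(name)]


# Constructed sample: text body, a macro-enabled Word file, a PDF and an
# upper-case .JS script (the payloads are placeholders, not real files).
SAMPLE_MAIL = """\
From: accounts@example.com
To: user@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--XX
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XX
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XX
Content-Type: application/javascript; name="Setup.JS"
Content-Disposition: attachment; filename="Setup.JS"

alert(1);
--XX--
"""

if __name__ == "__main__":
    print("rule:", BLOCK_RE.pattern)
    print("attachments:", attachment_names(SAMPLE_MAIL))
    print("blocked:", blocked_attachments(SAMPLE_MAIL))
    print("doubled backslash blocks invoice.docm:",
          is_blocked("invoice.docm", WRONG_RE))
```

Anchoring on the end of the name also catches double extensions such as "invoice.pdf.docm". Two things the rule does not cover, which is why it belongs alongside the antivirus engines rather than replacing them: a macro document renamed to a neutral extension, and macro files inside a .zip or other archive, neither of which a filename regex can see.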

 

Web Filter Question

What happens to the Web Proxy when you Disable the Web Filter?

The web filter and the web proxy are different modules that can be enabled independently, with the following restrictions:

Web filter requires Web proxy, therefore:

- the Web Proxy is automatically turned on (if not already on) when the Web filter is turned on

- the Web Filter is automatically turned off (if not already off) when the Web proxy is turned off

The Web proxy can be used independently of the Web filter when the computers in the LAN are behind a firewall that blocks direct access to the internet unless they use the Web proxy.

 

Protector Office 365 Question

I want to control internet access for production clients to only allow access to Office 365 URLs, especially to use Exchange Online with the Outlook client (HTTPS). No other internet access should be allowed.

Yes. In the web filter, the Blanket Block function allows you to completely block web surfing except for those domains/URLs added to the White List.


Is it possible to import the Web URL list into your Protector which I want to whitelist for O365 usage? Microsoft has a complete URL list in XML format. Please see the following link.

It's a matter of whitelisting in the web filter; it's possible to upload a list in CSV format.

To block everything the easiest thing is to use the blanket block.
Then the Office 365 IPs must be added to the white list.

 

Where to download the Protector UTM Firewall Install Guides?

To download all support documents please log in to your VIP Lounge account here.

 

Social Media Blocking

How can I easily block Social media and popular shopping sites on the Protector UTM Firewall?

How can I block sites such as Facebook, Amazon, Youtube in the Protector UTM Firewall?

In this case it should be enough to add facebook, amazon or youtube to the web filter's blacklist.

 

 

The Protector UTM VPN Firewall Supports Client to LAN VPN

Create secure encrypted VPN tunnels network-to-network, user-to-network, or via the SSL VPN that is controlled from the browser.

For the full list of UTM Firewall VPN Questions please see the links in the right side menu.