ENA NetShield UTM

User Access

User access should be granted during turn up. If team members need access to UTM, please contact ENA CTAC or your Account Services Manager to ensure access is granted. Any member of your team may be given access to ENA NetShield UTM. Currently, ENA does not have varied levels of user rights: everyone has read/write permissions once granted access to ENA NetShield UTM.

Getting Started

Logging In

  1. Point your browser to my.ena.com.
  2. Enter your my.ena.com credentials.
  3. Select ENA NetShield UTM.

Lock/Unlock ENA NetShield UTM

This is accomplished with the Lock function in the top right of your UTM portal. Upon logging in, you will be authenticated, but the workspace is unlocked. When working in an unlocked workspace, you will have read-only access to the UTM portal. You will not be able to create or edit objects or policies. You will be able to run reports, view logs, and view policies.

Note: When locked, the workspace will indicate which user has control in the top right-hand side of the screen. If you need help unlocking a workspace, contact ENA CTAC to force unlock another user.

Save & Install

Note: Until you have clicked Save, all changes made will be lost if you are logged out.

Note: Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

ENA NetShield UTM allows any user to build changes without actually committing them immediately to the firewall to take effect. When building changes, Create merely means that you’ve drafted new objects or policies. Save means that those drafts are saved to your workspace and will be there even if you get logged out. Install means the changes are actually pushed to the firewall and will take effect.

Remember that you may have other team members managing your firewall, or ENA may be helping on unrelated projects and changes with your firewall. If you leave saved but uninstalled changes pending in your workspace, when anyone clicks Install, all changes will be pushed – whether you meant them to be or not.

If undesired changes are pushed, those can be deleted or deactivated (depending on the type of change) from the firewall or you can call ENA CTAC to return to a previous state version.

Your Dashboard

In the top left, you see Device Name and one or more names listed. The name should be familiar – referencing your organization or a specific site. Most customers will have one Device listed. The reason for a second device will most commonly be a customer with dual egress and therefore two firewall instances (whether physical or hosted).

If your organization does have two devices, most policy creation will be able to be applied across both firewalls simultaneously. Take care when building NAT – if you have questions about NAT for dual egress, please contact ENA CTAC.

In the top right are controls to lock your workspace. You have read-only access to ENA NetShield UTM until you’ve locked the workspace. Only one user may lock the workspace at any given time. If the workspace is locked by someone else, you should be able to see the user currently holding the controls.

If you need to be able to manage your ENA NetShield UTM but cannot unlock the workspace, contact ENA CTAC for help forcing an unlock.

All graphs provided on your dashboard may be viewed in chart or table format, with the addition of map format for the Countries data. All charts/tables are exportable in PNG, PDF, SVG, and CSV formats.

Reports and Monitoring

Overview

The Reports & Monitoring section provides granular detail on both real-time and historical network activity. There are several sections to this part of your ENA NetShield UTM. For any questions, requests for custom reporting, or other logging and reporting needs, please contact ENA CTAC.

Available reports include:

  • Reports: Templated reports you may run at any time. All generated reports will be stored and can be exported.
  • Traffic: Pre-filtered view of logs for easy searching
  • Site to Site VPN: Monitoring of any Site to Site VPNs that have been established by ENA engineers.
  • Remote Access VPN: Monitoring of any active Remote Access VPNs created through ENA NetShield UTM.
  • Log History: Log data reaching back approximately two weeks. Data can be filtered and exported as needed.
  • Live Logs: Real-time log flow for the last 5 minutes. Flow can be paused to help with problem solving.

Log Views & Troubleshooting

If you’re looking for specific log activity in the last two weeks, the best place to begin is the Log History tab within the Reports & Monitoring section. Here you can search for a log by keyword, by device, by event or traffic type, or by narrowing down the time of an event.

Note: Your log history on myENA will only return log traffic up to 14 days old. If you need logs from further back in history, please contact ENA CTAC so that a report can be run. ENA does not hold logs indefinitely and will only be able to provide data reaching back 30-60 days beforehand, depending on the volume of logs generated per day by your network.

If your organization has a different requirement for log access, please bring this request to your Account Services Manager.

Live logs in the Reports & Monitoring section will be useful when you’re trying to validate a rule is filtering traffic the way you want it to, or to look for logs related to an event happening in real-time. This page is continuously updated and you’ll see the logs moving over time. The last five minutes of all logs are listed in this page.

Note: The Pause button in the top right allows you to pause the logs from flowing in so that you can investigate an event, have a conversation with team members, or work elsewhere without losing that specific information. When you hit Resume this page will update to current time.

Custom Report Requests

If you need data reaching further back than currently available in your portal, please contact ENA CTAC. ENA does not store data indefinitely, but will consider each request and may be able to provide additional log data depending on storage processes.

If you would like different reporting, dashboards, or information to be presented in the reports you are running, please contact ENA CTAC. We will continue to update the available reports in ENA NetShield UTM and will consider each request and may be able to provide the desired reporting.

Certificates

Why is it important to install the ENA certificate on all of my user devices?

ENA NetShield UTM is able to provide robust security services including Intrusion Prevention (IPS), application layer control, antivirus and malware protection. Those services, however, rely on the ability to inspect all traffic crossing your network. Today over 70% of internet traffic is HTTPS or encrypted. Without an SSL Certificate to inspect that encrypted traffic, that traffic would go unmonitored by those advanced ENA NetShield UTM security features. Therefore, while ENA NetShield UTM can continue to work without installing the ENA certificate on your user devices, these features will be severely degraded.

What is a Certificate?

A security certificate is a small text file that is part of a third-party generated public key infrastructure (PKI) to help guarantee the identity of both the user logging in and the web site they are logging into.

A certificate includes identifying information such as the company and location information for the web site, as well as the third-party company name, the expiry date of the certificate, and the public key.

ENA NetShield UTM uses X.509 certificates to authenticate single sign-on (SSO) for users. The X.509 standard has been in use since before 2000, and allows only a trusted authority to sign the certificate.

How do I Install a Certificate?

The ENA certificate will be provided during installation and can be requested from ENA at any time. Unfortunately, ENA cannot install the certificate on your machines. To do this, take advantage of an MDM or other automated process wherever possible.

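Before an MDM pushes the ENA CA certificate to every device, it is worth checking the exact file that will be distributed: the fingerprint should match a value obtained from ENA through a separate channel, and the file must carry only the certificate, never a private key. The following is an added example of such a check, not ENA's tooling; the PEM sample inside it is a constructed stand-in that decodes to the bytes "abc" rather than a real certificate.

```python
"""Pre-distribution check for a CA certificate file before an MDM pushes it
to devices (added example, not ENA's tooling). Assumes the expected SHA-256
fingerprint has been obtained from ENA out of band."""
import base64
import hashlib
import re
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block in the file."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form shown by browsers and openssl."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _norm(fp: str) -> str:
    """Strip colons/spaces so fingerprints in either notation compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def check_ca_file(text: str, expected_fp: str) -> Dict[str, object]:
    """Accept the file only if it holds exactly one certificate, no private key,
    and that certificate's fingerprint equals the value ENA provided."""
    problems = []
    blocks = pem_blocks(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("file contains private key material; distribute only the certificate")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    fp = fingerprint(certs[0]) if len(certs) == 1 else None
    if fp is not None and _norm(fp) != _norm(expected_fp):
        problems.append("fingerprint does not match the value ENA provided; do not install")
    return {"fingerprint": fp, "ok": not problems, "problems": problems}


# Constructed stand-in: this block decodes to the bytes b"abc", not a real
# certificate, so the expected fingerprint below is simply SHA-256("abc").
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
EXPECTED_FP = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
               "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")
# Constructed mistake: a file that also carries a private key block.
SAMPLE_WITH_KEY = SAMPLE_PEM + "-----BEGIN PRIVATE KEY-----\nYWJj\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_ca_file(SAMPLE_PEM, EXPECTED_FP))       # ok: True
    print(check_ca_file(SAMPLE_WITH_KEY, EXPECTED_FP))  # ok: False, private key present
```

Run the check against the exact file the MDM will distribute; the fingerprint it is compared with should come from ENA separately from the file itself.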

CA Certificates

What is a CA Certificate?

A certificate authority (CA) is a trusted entity that issues digital certificates, which are data files used to cryptographically link an entity with a public key. CAs issue the SSL certificates that web browsers use to authenticate content sent from web servers.

Importing a CA Certificate (Certificate Authority)

  1. Select CA certificates from Certificates drop-down.
  2. Click Import certificate.
  3. Enter a certificate Name.
  4. Upload certificate file or Paste the certificate text.
  5. Click Create.

Server Certificates

What is a Server Certificate?

After a certificate is successfully installed on a server, it ensures a secure connection between the server and its client by activating the HTTPS protocol and the padlock. The certificate ensures the encryption and decryption of transmitted data. This certificate will be different from the certificate used for identity management and user device authentication. An example use case is SSL VPN.

Importing a Server Certificate

  1. Select Server certificates from Certificates drop-down.
  2. Click Import certificate.
  3. Enter a certificate Name.
  4. In Description, enter the name of the site or server (optional).
  5. Upload certificate file or Paste the certificate text.
  6. Upload or paste Private key.
  7. Click Create.

Mapped Server Certificates

Importing a Mapped Server Certificate

  1. Select Mapped server certificates from Certificates drop-down.
  2. Click New mapped server certificate.
  3. Enter a certificate Name.
  4. In Description, enter the name of the site or server (optional).
  5. Select devices and certificates to map.
  6. Click Create.

Firewall Objects

Note: Objects are not policies. They are used to create policies. Be sure to name each object so your team will know what it is in your absence, and you will know what it is a year from now.

Note: If you have worked with ENA’s Network Engineers to implement IPv6 policy management on your ENA NetShield UTM, all notes below apply to IPv6 address objects as well.

Addresses

In this section you see both addresses and address groups. An address group can only be created after at least one address object is created and mapped to that group. If an address group or address object is edited, note that this will impact any policies currently installed on your firewall that reference those components.

Three Address types are available to you: Geography, IP/Netmask, and IP Range.

Create an address

  1. Select Addresses under Firewall objects.
  2. Expand Available IPv4 Addresses.
  3. Search for address before creating anything new. You will not be able to create duplicate addresses (same name).
  4. If the address doesn’t already exist, select New IPv4 Address.
  5. Enter address Name.

    Name is the title for the object. Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  6. Enter address Description.

    The Description is the intended purpose of the address object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  7. Select Type.
    • Geography: Select Country (only one country per address).
    • IP/Netmask: Enter your netmask.
    • IP Range: Enter your IP range.
  8. Add to a group (optional).
  9. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Services

Create a Service

  1. Select Services under Firewall objects.
  2. Expand Available services.
  3. Search for service and port before creating anything new. You will not be able to create duplicate services (same name).
  4. If the service doesn’t already exist, select New custom service.
  5. Enter service Name.

    Name is the title for the service object. Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall (e.g., Remote Access).

  6. Enter service Description.

    Description is the intended purpose of the service object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  7. Select Protocol type.
  8. You can create up to 16 port identifiers at once. These are like object groups on some other firewall platforms. If you require more than 16 port identifiers, you’ll need to create multiple services with up to 16 identifiers each and then add each of those services to a Service group.

    • Protocol: Protocol(s) requested
    • Source port: 1-65535. This will be the inside port from which traffic is coming.
    • Destination Port: This will be the outside port from which traffic is coming.
  9. Helper (optional). Typically, this should be set to auto.
  10. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Virtual IPs

Create Virtual IP

  1. Select Virtual IPs under Firewall objects.
  2. Search for your Virtual IP before creating anything new. You will not be able to create duplicate Virtual IPs (same name).
  3. If the Virtual IP doesn’t already exist, select New Virtual IP.
  4. Enter Virtual IP Name.

    Name is commonly related to how it will be used, and should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  5. Enter Description (optional).

    The Description is the intended purpose of the object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  6. Select Interface from available list.
  7. Select Source interface exclusion from available list (optional).
  8. Enter External IP address.
  9. Enter Mapped IP address.
  10. Enter Source addresses. (optional)
  11. Set Port forwarding. (optional)

    Default setting is OFF. Click button to activate. Available options are TCP, UDP, and ICMP.

  12. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

IPv4 Pools

Create IPv4 Pools

  1. Select IPv4 Pools under Firewall objects.
  2. Search for your IPv4 Pool before creating anything new. You will not be able to create duplicate IPv4 Pools (same name).
  3. If the IPv4 Pool doesn’t already exist, select New IPv4 Pool.
  4. Enter IPv4 Pool Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  5. Enter Description (optional).

    The Description is the intended purpose of the object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  6. Select Protocol type. (optional)
    • Overload: This will be the most commonly used type. Sometimes referred to as "Dynamic" on other platforms.
    • One-to-One
    • Fixed Port Range
    • Port Block Allocation
  7. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Security Profiles

Antivirus

Antivirus policies are read-only in your ENA NetShield UTM. These policies can have significant impact on your UTM’s performance. When making IPv4 Policies, once you enable the Security Profiles function, you have the ability to turn these antivirus policies on or off to apply to your specific policy.

To change or configure antivirus policies, please contact ENA CTAC so an engineer can work with you directly.

Intrusion Prevention (IPS)

IPS policies are read-only in your ENA NetShield UTM. These policies can have significant impact on your UTM’s performance. When making IPv4 Policies, once you enable the Security Profiles function, you have the ability to turn these IPS policies on or off to apply to your specific policy.

To change or configure IPS policies, please contact ENA CTAC so an engineer can work with you directly.

Application Control

Note: ENA NetShield UTM is dynamically updated with new applications found online, but no service is perfect. In order to most effectively filter traffic by application, you must have installed the ENA NetShield UTM certificate on your end user devices. Without the cert, ENA NetShield UTM will not be able to properly inspect and identify traffic for a specific application.

Note: Application Control Profiles behave similarly to Firewall Objects. They do not impact your traffic until they are referenced in a policy and that policy is installed to take effect on your network.

Create Application profile

  1. Select Application control under Security profiles.
  2. Click New profile.
  3. Enter application profile Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  4. Enter Description (optional).

    The Description is the intended purpose of the object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  5. Select the action you’d like to take for Categories.

    If you have no specific need to Block or Shape an entire category, the recommendation is to use Monitor. ENA will set all categories to default to Monitor unless directed otherwise by you. The exception to this is Botnets, which will default to Block.

  6. Set Application exceptions.

    This section allows you to say that you have one or multiple exceptions to the action you wish to take on a whole category. For example, you may want to block Social Media, but allow Facebook and Twitter which are sanctioned by your organization.

  7. Search for items you’d like to exempt in the Filter Signatures section at the top left. You can search in any number of ways, shown in the drop-down menu. This can be as simple as choosing Vendor or Name and searching for a known product (such as Facebook).

    You’ll find that many major applications have multiple components that you can act on as a group or individually. For instance, Facebook has 18 components ranging from Like Button to Chat to VideoTransfer within FacebookMessenger.

    Once found, click Add Signature(s) for the items you want to except from the action you chose in the Categories section.

    They will now appear in the next container on the page. You can change the action listed for each of these signatures. Monitor is the best option if you are going to allow the traffic, because it ensures logs will be generated.

  8. Filter Overrides

    There may be other ways you want to ensure certain types of traffic are excepted from allow/block rules. This section allows you to filter items based on behavior, protocol, risk, technology, and vendor. This is not required to create an Application control profile.

  9. Click Create.

Now that you’ve created your profile, you can reference it in an IPv4 Policy. When creating a new IPv4 Policy, if you choose to Accept traffic as your performed action, you’ll see that the option to use Security Profiles appears.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

SSL (Secure Sockets Layer)/SSH (Secure Shell) Inspection

Individual deep inspection security profiles can be created depending on the requirements of your policy. These specific security profiles can be used to decrypt SSL and the typical use case is to protect specific servers. To apply this level of deep packet inspection, you must first create an SSL/SSH profile and then apply it to an IPv4 Policy.

Create your SSL/SSH Profile

  1. Select SSL/SSH inspection under Security Profiles.
  2. Click New profile.
  3. Name your profile.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  4. Enter Description (optional).

    The Description is the intended purpose of the object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  5. Select the Protecting SSL Server certificate.

To apply SSL/SSH scanning to a policy

  1. Create new IPv4 policy or open edit tool for an existing IPv4 policy.
  2. Action must be Accept or IPSEC.
  3. Turn Security Profiles ON.
  4. Choose a profile from the SSL/SSH Inspection drop-down.

    Note: You may also create a profile from here by clicking to the right of the SSL/SSH Inspection drop-down.

  5. Click Save.

Policies

IPv4

Note: IPv4 Policies are sometimes referred to as "Access Lists" on other platforms.

Note: If you have worked with ENA engineers to activate IPv6, these instructions will apply to that section as well.

To make a new IPv4 Policy in ENA NetShield UTM, a few steps are required. Completing the steps below will enable you to create a policy that will filter traffic.

  1. Create Source or Destination IP
  2. Create Services
  3. Create your IPv4 Policy

Note: Remember, before you can create anything, you must lock your workspace.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Create Source or Destination IP

  1. Select Addresses under Firewall objects.
  2. Expand Available IPv4 addresses.
  3. Search for IP/Network before creating anything new. You will not be able to create duplicate addresses (same name).
  4. If the address doesn’t already exist, select New IPv4 address.
  5. Enter Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

    Alert: Do not name your Address object the IP address only. Use identifiers like “host,” “network,” “service,” etc. to ensure the object is used correctly in the future.

  6. Enter address Description (optional).

    The Description is the intended purpose of the object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall (e.g., Remote access).

  7. Select IP/Netmask from Type.
  8. Enter IP/Netmask. Use host's IP if there is no network.
  9. Leave Add to groups blank.
  10. Click Create.

Note: You must create one IP/Network for each direction.

Example: External / Public IP Address

Example: Internal / Private IP Network

Create Services

  1. Select Services under Firewall objects.
  2. Expand Available services.
  3. Search for service and port before creating anything new. You will not be able to create duplicate services (same name).
  4. If the service doesn’t already exist, select New custom service.
  5. Enter service Name.

    Name is the title for the service object. Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall (e.g., Remote Access).

  6. Enter service Description.

    The Description is the intended purpose of the service object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  7. Select Protocol type (the protocol requested).
  8. You can create up to 16 port identifiers at once (these are like object groups in ASAs). If you require more than 16 port identifiers, you’ll need to create multiple services with up to 16 identifiers each and then add each of those services to a Service group.

    • Protocol: Protocol(s) requested
    • Source port: 1-65535. This will be the inside port from which traffic is coming.
    • Destination Port: This will be the outside port from which traffic will be coming.
  9. Helper (optional). Set to auto.
  10. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Create your IPv4 Policy

  1. Select IPv4 under Policies.
  2. Review existing policies to confirm there will be no duplications. You will not be able to create duplicate policies (same name).
  3. If the policy doesn’t already exist, click New Policy.
  4. Enter policy Name.

    Name is the title for the rule. Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall (e.g., Remote Access).

  5. Enter policy Description.

    The Description is the intended purpose of the policy. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  6. Input Incoming interface (from).
  7. Input Outgoing interface (to).
  8. Select Source address object previously created.

    Note: If you also want to associate Source users or a Source user group, be aware that these are "AND" statements and increase the specificity of your policy.

  9. Select Destination address object previously created.
  10. Select the Service object previously created.
  11. Select Deny or Accept as Performed action.
  12. If you choose Accept as the Performed action:
    • Select if/how you would like to Log traffic.
    • Note: If in doubt, choose Log security events under Log violation traffic. If logging is not enabled, troubleshooting a policy or validating its effectiveness will be much more difficult.

    • Enable or disable NAT.
    • Note: Always enable NAT unless you are absolutely sure you don't want NAT on.

    • Turn Security profiles ON or OFF (optional).

      Turning on one or more security profiles will apply additional inspection to the traffic impacted by this policy.

    • Apply Shaper. (optional).

      The traffic impacted by this policy will be limited to the bandwidth per the parameters set in the shaper object.

  13. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Reorder the sequence of policies

  1. Select IPv4 under Policies.
  2. Click and drag.
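The sections above describe how address objects and service objects are assembled into an ordered list of IPv4 policies, and that the list can be reordered by click-and-drag. The following is an added example (not ENA's code) that models that behaviour in Python: policies are evaluated top-down with first match winning, a flow matching nothing is implicitly denied, and a service object refuses more than the 16 port identifiers the guide allows. It also shows why order matters: a geography deny placed below a broad allow never runs until it is dragged above it. Interface names, address ranges and the IP-to-country table are constructed.

```python
"""Constructed model of how ENA NetShield UTM address objects, service objects and
ordered IPv4 policies combine (added example, not ENA's own code)."""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

MAX_PORT_IDENTIFIERS = 16  # per-service limit stated in the guide
# Constructed IP-to-country table standing in for the UTM's Geography lookup.
GEO_TABLE = {"198.51.100.0/24": "US", "203.0.113.0/24": "ZZ"}
# The fields of one connection that an IPv4 policy is matched against.
Flow = namedtuple("Flow", "in_iface out_iface src_ip dst_ip protocol dst_port")


@dataclass
class Address:
    """One address object; kind is 'netmask', 'range' or 'geography'."""
    name: str
    kind: str
    value: str  # e.g. "10.1.0.0/16", "10.1.5.10-10.1.5.20" or "US"

    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        if self.kind == "netmask":
            return addr in ip_network(self.value, strict=False)
        if self.kind == "range":
            lo, hi = (ip_address(p.strip()) for p in self.value.split("-"))
            return lo <= addr <= hi
        if self.kind == "geography":
            return any(addr in ip_network(n) and c == self.value for n, c in GEO_TABLE.items())
        raise ValueError(f"{self.name}: unknown address type {self.kind!r}")


@dataclass
class Service:
    """One custom service: a protocol and up to 16 destination ports (empty list = all ports)."""
    name: str
    protocol: str  # "tcp", "udp", "icmp" or "any"
    dst_ports: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        if len(self.dst_ports) > MAX_PORT_IDENTIFIERS:
            raise ValueError(f"{self.name}: {len(self.dst_ports)} port identifiers; "
                             "split into several services and add them to a Service group")

    def matches(self, protocol: str, dst_port: int) -> bool:
        return (self.protocol in ("any", protocol)
                and (not self.dst_ports or dst_port in self.dst_ports))


@dataclass
class Policy:
    name: str
    in_iface: str
    out_iface: str
    sources: List[Address]
    destinations: List[Address]
    services: List[Service]
    action: str  # "accept" or "deny"

    def matches(self, f: Flow) -> bool:
        # Every clause must hold: interface pair, source, destination and service are ANDed.
        return (f.in_iface == self.in_iface and f.out_iface == self.out_iface
                and any(a.contains(f.src_ip) for a in self.sources)
                and any(a.contains(f.dst_ip) for a in self.destinations)
                and any(s.matches(f.protocol, f.dst_port) for s in self.services))


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, str]:
    """Top-down, first match wins; a flow that matches nothing is implicitly denied."""
    for p in policies:
        if p.matches(flow):
            return p.action, p.name
    return "deny", "implicit deny"


def reorder(policies: List[Policy], name: str, new_index: int) -> List[Policy]:
    """Equivalent of click-and-drag in the IPv4 policy list; returns a new list."""
    target = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    rest.insert(new_index, target)
    return rest


# Constructed objects; names say what the object is, as the guide advises.
STAFF_NET = Address("net-staff-lan", "netmask", "10.1.0.0/16")
ANY_ADDR = Address("all", "netmask", "0.0.0.0/0")
COUNTRY_ZZ = Address("geo-country-ZZ", "geography", "ZZ")
HTTPS = Service("svc-https", "tcp", [443])
ALL_SVC = Service("ALL", "any")

# Order as first built: the broad allow sits above the geography deny.
POLICIES = [
    Policy("Allow-Staff-Web", "lan", "wan", [STAFF_NET], [ANY_ADDR], [HTTPS], "accept"),
    Policy("Deny-Staff-to-ZZ", "lan", "wan", [STAFF_NET], [COUNTRY_ZZ], [ALL_SVC], "deny"),
]
STAFF_TO_ZZ = Flow("lan", "wan", "10.1.4.20", "203.0.113.7", "tcp", 443)
GUEST_TO_WEB = Flow("lan", "wan", "10.9.0.5", "198.51.100.10", "tcp", 443)

if __name__ == "__main__":
    print(evaluate(POLICIES, STAFF_TO_ZZ))  # ('accept', 'Allow-Staff-Web'): the deny never ran
    print(evaluate(reorder(POLICIES, "Deny-Staff-to-ZZ", 0), STAFF_TO_ZZ))  # ('deny', ...)
    print(evaluate(POLICIES, GUEST_TO_WEB))  # ('deny', 'implicit deny')
```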

Source NAT

Note: Source NATs are based on the Source IP Address. They are sometimes called “Dynamic NATs” on other platforms.

Note: Public and Private IP address objects will each need to be created separately and linked together in a final policy. They are not automatically created as symmetrical.

Create private IP address object

  1. Select Addresses under Firewall objects.
  2. Expand Available IPv4 addresses.
  3. Search for existing IP/Network before creating anything new. You will not be able to create duplicate addresses (same name).
  4. If the address doesn’t already exist, select New IPv4 address.
  5. Enter address Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

    Alert: DO NOT name your Address object the IP address only. Use identifiers like “host,” “network,” “service,” etc. to ensure the object is used correctly in the future.

  6. Enter address Description.

    Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall (e.g., Smith Elementary).

  7. Under Type, select IP/Netmask.
  8. Enter IP/Netmask.
  9. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Destination NAT

Note: Destination NATs are sometimes called “Static NATs” on other platforms. Destination NATs will translate traffic from a specific internal host to the internet and allow traffic from specified points of the internet to access that host.

To create a Source NAT Policy, you will need both a Private IP and a Public IP. These will be created as separate objects and then linked together in a policy. Any host-based Source NAT will be able to reach out to the internet, but the internet will not be able to reach that host.

Create Private IP Address Object:

  1. Click Addresses in the Firewall objects drop-down.
  2. Expand Available IPv4 addresses.
  3. Search for address before creating anything new. You will not be able to create duplicate addresses (same name).
  4. If the address doesn't already exist, click New IPv4 address.
  5. Enter Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

    Alert: DO NOT name your Address object the IP address only. Use identifiers like “host,” “network,” “service,” etc. to ensure the object is used correctly in the future.

  6. Enter address Description.

    The Description is the intended purpose of the object. Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall (e.g., Smith Elementary School).

  7. Select IP/Netmask from Type.
  8. Enter IP/Netmask. Use host's IP if there is no network.
  9. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Create Public IP Address Object (IPv4 Pool):

  1. Click IPv4 Pools in the Firewall objects drop-down.
  2. Expand the list of available IPv4 pools.
  3. Search for the pool before creating anything new. You will not be able to create duplicate pools (same name).
  4. If the pool doesn't already exist, click New IPv4 pool.
  5. Enter Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

    Alert: DO NOT name the object the IP address only. Use identifiers like “host,” “network,” “service,” etc. to ensure the object is used correctly in the future.

  6. Enter address Description (optional).

    Description should include reason for creating, who is creating, and/or ENA ticket number.

  7. For Protocol Type, choose Overload for Dynamic NATs and One-to-One for Static NATs.
  8. Enter Public IP/IP range/Network in External IP range.
  9. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Traffic Shaping

There are two ways to enable traffic shaping on your network – through a traffic shaping policy or by applying traffic shapers to an IPv4 policy. To accomplish either, you’ll need to create your traffic shaper(s) first.

Creating traffic shaper objects

When creating a new shaper you’ll need to choose shared shaper or per-IP shaper.

Per-IP shapers limit traffic for each individual IP hitting the policy with the shaper applied.

Shared shapers apply to all users hitting a policy, and a traffic limit can be applied in one of two ways:

  • Limit traffic to each policy using the shaper
  • Limit total traffic affected by the shaper (regardless of how many policies use it)

Creating a shared shaper

  1. Select Traffic Shapers under Firewall objects.
  2. Expand Available shared traffic shapers.
  3. Search for the shaper you want before creating anything new. You will not be able to create duplicate shapers (same name).
  4. If the shaper doesn’t already exist, select New shared traffic shaper.
  5. Enter shaper Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall (e.g., Staff 10Mbps).

  6. Select whether the shaping will be Per policy or shared across all policies using this shaper.

    Example: If you create a 100 Mbps shaper and select Per policy, 100 Mbps would be granted to Netflix and Facebook each. If you create a 100 Mbps shaper and select All policies using this shaper, 100 Mbps total will be shared between Netflix and Facebook.

  7. Select Bandwidth unit.
  8. Set the Guaranteed and/or Maximum Bandwidth for this policy. Be sure to correctly set the units you want.
  9. Click Create.

The shaper in the example below limits traffic the same way for each policy using this shaper. Traffic will be limited to a maximum of 10 Mbps but guaranteed at least 5 Mbps. Therefore, if the shaper is applied to both Facebook and Twitter, each application will be guaranteed at least 5 Mbps.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Creating a per-IP shaper

  1. Select Traffic Shapers under Firewall objects.
  2. Expand Available per-IP traffic shapers.
  3. Search for the shaper you want before creating anything new. You will not be able to create duplicate shapers (same name).
  4. If the shaper doesn’t already exist, select New per-IP traffic shaper.
  5. Enter shaper Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall (e.g., 15Mbps Max).

  6. Specify Maximum bandwidth and set bandwidth unit. (optional)
  7. Specify Maximum Concurrent Connections. This caps the number of simultaneous connections from a single IP (roughly, how many tabs a user can have open at once). (optional)
  8. Click Create.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.
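The difference between the three shaping modes described above (a shared shaper set to Per policy, a shared shaper set to All policies using this shaper, and a per-IP shaper) is easiest to see with numbers. The model below is an added example written for this guide, not code from the product; the `SharedShaper` and `PerIpShaper` classes are the example's own, and the assumption that a shared budget is split equally between policies that all want more than the total is the model's, since the guide only says the total is shared.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SharedShaper:
    """A shared traffic shaper as created under Firewall objects > Traffic Shapers (example class)."""
    name: str
    guaranteed_mbps: float
    maximum_mbps: float
    per_policy: bool  # True = "Per policy"; False = "All policies using this shaper"


@dataclass(frozen=True)
class PerIpShaper:
    """A per-IP shaper: the cap applies separately to every client IP hitting the policy (example class)."""
    name: str
    maximum_mbps: Optional[float] = None  # None = no bandwidth cap, only other limits apply


def fair_share(total: float, demands: Dict[str, float]) -> Dict[str, float]:
    """Split `total` across the keys of `demands` by water-filling: nobody gets more than
    they asked for, and whatever a small consumer leaves unused is spread over the rest.
    Equal splitting is this model's assumption; the real scheduler may weigh flows differently."""
    alloc = {k: 0.0 for k in demands}
    active = {k: d for k, d in demands.items() if d > 0}
    remaining = float(total)
    while active and remaining > 0:
        share = remaining / len(active)
        small = {k: d for k, d in active.items() if d <= share}
        if not small:
            # Everyone still active wants at least the fair share: split what is left evenly.
            for k in active:
                alloc[k] = share
            break
        for k, d in small.items():
            alloc[k] = d
            remaining -= d
            del active[k]
    return alloc


def apply_shared_shaper(shaper: SharedShaper, demands: Dict[str, float]) -> Dict[str, float]:
    """Bandwidth (Mbps) each policy ends up with when every policy in `demands` uses `shaper`.
    `demands` maps policy name -> Mbps the traffic matching that policy is trying to use."""
    if shaper.per_policy:
        # Per policy: each policy gets its own copy of the maximum.
        return {p: min(d, shaper.maximum_mbps) for p, d in demands.items()}
    # All policies: the maximum is one budget shared by every policy using the shaper.
    return fair_share(shaper.maximum_mbps, demands)


def guaranteed_total(shaper: SharedShaper, policy_count: int) -> float:
    """Bandwidth the link must be able to supply for the guarantee to hold for all policies at once."""
    return shaper.guaranteed_mbps * (policy_count if shaper.per_policy else 1)


def apply_per_ip_shaper(shaper: PerIpShaper, per_ip_demands: Dict[str, float]) -> Dict[str, float]:
    """Per-IP shaping: each client IP is capped independently; clients never share a budget."""
    cap = shaper.maximum_mbps
    return {ip: (d if cap is None else min(d, cap)) for ip, d in per_ip_demands.items()}


if __name__ == "__main__":
    # Constructed demands: both policies would happily use 100 Mbps each.
    per_policy = SharedShaper("Staff 100Mbps", 0, 100, per_policy=True)
    all_policies = SharedShaper("Staff 100Mbps", 0, 100, per_policy=False)
    print(apply_shared_shaper(per_policy, {"Netflix": 100, "Facebook": 100}))   # 100 each
    print(apply_shared_shaper(all_policies, {"Netflix": 100, "Facebook": 100})) # 50 each
    print(apply_per_ip_shaper(PerIpShaper("15Mbps Max", 15), {"10.1.1.5": 40, "10.1.1.6": 8}))
```

The `guaranteed_total` check is the one to run before adding a shaper to many policies: the 10 Mbps / 5 Mbps shaper from the shared-shaper example guarantees 5 Mbps to each policy, so ten policies using it in Per policy mode commit 50 Mbps of the uplink.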

Referencing shaper policies

Once created, you’ll need to build a policy that references this shaper. Typically, this will be done while creating an IPv4 Policy. To reference a shaper policy:

  1. Select IPv4 under Policies.
  2. Click Edit for an existing IPv4 Policy or click Create new.
  3. Scroll to the bottom of the policy and select the shaper.
    • Shared shaper applies the shared shaper to outbound traffic (e.g., traffic going to Netflix).
    • Reverse shaper applies the shared shaper to inbound traffic (e.g., traffic coming from Netflix).

      Note: Reverse Traffic Shaping applies your policy to traffic coming into your network. You’ll want to use this if trying to limit certain applications at schools, such as video streaming.

    • Per-IP shaper applies the per-IP shaper to any traffic hitting that policy.
  4. Click Save.

Note: You may also create a profile from here by clicking to the right of the SSL/SSH Inspection drop-down.

Geo-Blocking

Creating policies to allow/deny traffic based on the country of origin is easy with ENA NetShield UTM. Before making these policies, consider a few key items:

  • While there are countries about which you can fairly confidently make assumptions (the countries in which major corporations avoid building data centers and hosting services for political reasons), many others will surprise you. Microsoft or Amazon may have data centers in unexpected places, and these major companies move their traffic around all the time for load balancing and other reasons. If you over-block traffic from around the world, you may see unexpected impacts on your network when that traffic moves.

Create geo-blocking policy


  1. Select Addresses under Firewall objects.
  2. Expand Available IPv4 addresses.
  3. Search for an existing IP/Network before creating anything new. You will not be able to create duplicate addresses (same name).
  4. If the address doesn’t already exist, select New IPv4 address.
  5. Enter address Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  6. Enter address Description.

    Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  7. Under Type, select Geography.
  8. Select the country you would like to include in this object.

    You can only choose one country at a time.

    To block multiple countries, create an Address Group with a name like “Geo-block” or “Blocked Countries.” Then each time you create an Address Object for a country, you can add it to your group immediately. Now, when you build your policy that references those objects, you can simply select the group, instead of each individual object.

  9. Click Create.
  10. Next, navigate to IPv4 Policies in the Policies section.
  11. Create a new IPv4 Policy that references your country-based objects as you would like. Here is an example.

    Make sure to choose your source and destination interfaces carefully. Select Enable under Log Violation Traffic, so that any time traffic related to that country does occur on your network, your logs will give you the information you need to address that activity.

Note: A policy will not be applied to your firewall until you’ve both Saved and Installed it. Be sure to save and install as you work.
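Enabling Log Violation Traffic on the geo-blocking policy only helps if someone reads the logs. The script below is an added example for this guide, not an ENA tool: it parses key=value traffic log lines, counts what the geo-block policy denied per country and destination port, and flags accepted traffic that involves a blocked country, which is the symptom of the policy being placed on the wrong interfaces or below a broader allow rule. The sample log lines are constructed, and the field names (`srccountry`, `dstcountry`, `action`, `policyid`) are assumptions about the log format rather than taken from the product.

```python
import re
from collections import Counter, defaultdict

# Matches key=value pairs; values may be double-quoted so country names can contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def review_geo_policy(lines, blocked_countries, geo_policy_ids):
    """Summarise what a geo-blocking policy is doing, from firewall traffic logs.

    blocked_countries: country names in your "Blocked Countries" address group.
    geo_policy_ids:    policy IDs of the geo-block policies, as strings as they appear in the log.
    Returns denies per country, denied destination ports per country, and "leaked" records:
    traffic involving a blocked country that was accepted, meaning the geo-block policy
    did not match it (wrong source/destination interfaces, or an allow policy above it).
    """
    blocked = {c.casefold() for c in blocked_countries}
    denied_by_country = Counter()
    denied_ports = defaultdict(Counter)
    leaked = []
    for line in lines:
        rec = parse_kv_line(line)
        if rec.get("type") != "traffic":
            continue  # event/system lines carry no country fields
        countries = {rec.get("srccountry", ""), rec.get("dstcountry", "")}
        hit = {c for c in countries if c.casefold() in blocked}
        if not hit:
            continue
        if rec.get("action") == "deny" and rec.get("policyid") in geo_policy_ids:
            for c in hit:
                denied_by_country[c] += 1
                denied_ports[c][rec.get("dstport", "?")] += 1
        elif rec.get("action") == "accept":
            leaked.append((rec.get("policyid"), rec.get("srcip"), rec.get("dstip"), sorted(hit)))
    return {"denied_by_country": denied_by_country, "denied_ports": denied_ports, "leaked": leaked}


# Constructed sample log lines (not real logs). Addresses are documentation ranges and
# the country names are placeholders; the field names are assumptions about the format.
SAMPLE_LOGS = [
    'date=2024-03-01 time=08:12:01 type=traffic action=deny policyid=12 srcip=203.0.113.7 srccountry="CountryA" dstip=192.0.2.10 dstcountry="United States" dstport=443 proto=6',
    'date=2024-03-01 time=08:12:05 type=traffic action=deny policyid=12 srcip=203.0.113.9 srccountry="CountryA" dstip=192.0.2.10 dstcountry="United States" dstport=22 proto=6',
    'date=2024-03-01 time=08:13:40 type=traffic action=deny policyid=12 srcip=198.51.100.4 srccountry="CountryB" dstip=192.0.2.25 dstcountry="United States" dstport=443 proto=6',
    'date=2024-03-01 time=08:14:02 type=traffic action=accept policyid=3 srcip=192.0.2.40 srccountry="United States" dstip=198.51.100.80 dstcountry="CountryB" dstport=443 proto=6',
    'date=2024-03-01 time=08:15:11 type=traffic action=accept policyid=3 srcip=192.0.2.41 srccountry="United States" dstip=192.0.2.200 dstcountry="United States" dstport=80 proto=6',
    'date=2024-03-01 time=08:15:30 type=event msg="configuration installed"',
]


if __name__ == "__main__":
    report = review_geo_policy(SAMPLE_LOGS, ["CountryA", "CountryB"], {"12"})
    print("denied by country:", dict(report["denied_by_country"]))
    print("denied ports:", {c: dict(p) for c, p in report["denied_ports"].items()})
    for policy_id, src, dst, countries in report["leaked"]:
        print(f"accepted by policy {policy_id}: {src} -> {dst} involves blocked {countries}")
```

In the constructed sample, the fourth line is outbound traffic to CountryB accepted by policy 3; that is exactly the case the guide's advice about choosing source and destination interfaces carefully is meant to prevent, and it shows up here without anyone having to scroll the log viewer.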

Block VPN

Note: ENA NetShield UTM is dynamically updated with new applications found online, but no service is perfect. In order to most effectively block VPNs, you must have installed the ENA NetShield UTM certificate on your end user devices. Without the cert, ENA NetShield UTM will not be able to properly inspect and identify traffic as a VPN.

Application control profiles behave similarly to Firewall objects. They must be referenced by a policy to impact traffic. To create an application control profile:

  1. Select Application control under Security profiles.
  2. Search for an existing application control profile before creating anything new. You will not be able to create duplicate profiles (same name).
  3. If the profile doesn’t already exist, select New profile.
  4. Enter application control profile Name.

    Name should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  5. Enter application control profile Description.

    Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  6. Click Categories.
  7. Click the Remote Access category and choose the desired action (most likely, block).

  8. Click Done.
  9. Click Application exceptions.

    You will see all the applications within the Remote Access category. If you have no intended exceptions to this rule, you’re finished and can hit Create at the bottom of the page.

  10. If you have any VPN products that should be approved, find their signatures so they can be excepted from being blocked.

    You can search for VPN products using Filter signatures. Select a filter from the first drop-down. Use the secondary filter that appears if you need to further refine your search.

  11. Once found, click Add signature for the items you want to except from being blocked.
  12. The item appears in a new container. You can change the action listed for each of these signatures.
  13. Click Done.
  14. Move to Filter Overrides and create a filter with the Behavior of Tunneling. Add these signatures to create an additional filter.

Now that you’ve created your profile, you can reference it in an IPv4 Policy. When creating a new IPv4 Policy, if you choose Accept traffic as your performed action, you will see the option to use security profiles.

You’ll be able to apply your application control profile once this is turned ON.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

Block Social Media Application(s)

Note: ENA NetShield UTM is dynamically updated with new applications found online, but no service is perfect. In order to most effectively filter traffic by application, you must have installed the ENA NetShield UTM certificate on your end user devices. Without the cert, ENA NetShield UTM will not be able to properly inspect and identify traffic as belonging to a specific application.

Application control profiles behave similarly to Firewall objects. They must be referenced by a policy to impact traffic.

Create application control profile

  1. Select Application control under Security profiles.
  2. Search for an existing application control profile before creating anything new. You will not be able to create duplicate profiles (same name).
  3. If the profile doesn’t already exist, select New profile.
  4. Enter application control profile Name that will make sense to others managing your firewall.
  5. Enter application control profile Description.

    Description should be something another member of your team or someone at ENA can understand in the future when they work on your firewall.

  6. Click Categories.
  7. Click the Social Media category and choose the desired action (most likely, block).
  8. Click Done.
  9. Click Application exceptions.

    You will see all the applications within the Social Media category. If you have no intended exceptions to this rule, you’re finished and can hit Create at the bottom of the page.

  10. If you have any applications that should be approved, find their signatures so they can be excepted from being blocked.

    You can search for applications using Filter signatures. Select a filter from the first drop-down. Use the secondary filter that appears if you need to further refine your search.

    You’ll find that many major applications have multiple components that you can act on as a group or individually. For instance, Facebook has 18 components ranging from Like Button to Chat to VideoTransfer within FacebookMessenger.

  11. Once found, click Add signature for the items you want to except from being blocked.
  12. The item appears in a new container. You can change the action listed for each of these signatures.
  13. Click Filter Overrides. (optional)

    There may be other ways you want to override your core rule. This section allows you to filter items based on behavior, protocol, risk, technology, and vendor. This is not required to create an Application control profile.

  14. Click Done.

Reference application control profile

Now that you’ve created your profile, you can reference it in an IPv4 Policy. When creating a new IPv4 Policy, if you choose to Accept traffic as your performed action, you’ll see that the option to use Security Profiles appears.

You’ll be able to apply your Application control profile once this is turned ON.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.

VPN

Site to Site VPN

This section allows you to check the status of any existing Site-to-Site VPN tunnels. You’ll be able to see tunnel status, incoming data, uptime, and other details. ENA NetShield UTM customers do not have the ability to create, delete, or change Site-to-Site VPN tunnels. To do so, please contact ENA CTAC.

Remote Access VPN

Remote access VPN is an included feature of ENA NetShield UTM. This VPN supports all major operating systems. If you experience issues with the client or connection, please contact ENA CTAC. To create a remote access VPN in your ENA NetShield UTM portal, complete the following:

  • Create a portal profile
  • Create a remote access VPN
  • Create a policy rule

Create portal profile

  1. Select Addresses from Firewall objects drop-down.
  2. Open Available IPv4 addresses and click New IPv4 address.
  3. For Type, select IP range to identify which IP addresses should be assigned to the client's machine when on the VPN.
  4. Enter IP range.

  5. Create one or more Address objects of Type IP/Netmask to identify which networks should be routed over the VPN (Split Tunneling).
  6. If more than one address object is needed for routing over the VPN, create an address group to group the subnets together.
  7. If not already present, add a CA (or identity) certificate for the VPN to use for remote access VPN.

    To upload a CA certificate into ENA NetShield UTM, select Import under the CA Certificates section of your workspace.

  8. Select Remote access VPN from Firewall objects drop-down.
  9. Click New portal profile.

  10. Name your portal and set Tunnel Mode to Enable.
  11. For Source IP Pools choose the address object you made earlier that is a range of IP addresses to assign to the client device.
  12. Set Enable split tunneling to Enable and choose the address object or address group that you made earlier to identify subnets that should be routed over the tunnel.
  13. Click Create.

Create new remote access VPN

  1. Click New remote access VPN.

    Note: Only one Remote Access VPN is permitted per device. If you have dual egress, you may have two devices from which to choose.

  2. Choose the Device to be configured.
  3. Select Listen on interface(s); usually this will be Any.
  4. Select Listen on port; for best performance, 443 should be selected.
  5. Select whether you want to Restrict access to specific hosts.
  6. Choose the desired Server certificate.
  7. In Address Range, choose Automatically assign addresses to use what is defined in the portal profile, or Specify custom IP range to assign everyone that connects to a specific IP range.
  8. Set the DNS server to your domain controller or internal DNS servers.
  9. Under Authentication/Portal Mapping assign a portal profile to the user group you created earlier.
  10. Click Create.

Create policy to allow access

  1. Select IPv4 policy from Policies drop-down.
  2. Create an IPv4 policy to allow access from the client VPN IP space to the target devices you want to allow the VPN to talk to. Usually these are the subnets you added for split tunneling, but could be more specific.

Note: Be sure to save and install as you work. Until you have clicked Save, all changes made will be lost if you are logged out. Until you have clicked Install, no changes to your firewall will be in effect, only saved in your workspace and pending install.
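The remote access VPN procedure above creates three things that have to agree with each other: the IP range object handed to clients, the IP/Netmask objects (or address group) routed over the tunnel for split tunneling, and the IPv4 policy that allows the client IP space to reach those subnets. The lint below is an added example for this guide, not an ENA tool; the function name `lint_remote_access_vpn` and the finding messages are the example's own, and it takes the objects as plain strings so you can paste in what you entered in the portal.

```python
import ipaddress


def parse_ip_range(text: str):
    """'10.200.0.1-10.200.0.100' -> list of networks covering exactly that range."""
    start_s, end_s = (p.strip() for p in text.split("-", 1))
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    if start.version != end.version:
        raise ValueError("range start and end are different IP versions")
    if start > end:
        raise ValueError(f"range start {start} is after end {end}")
    return list(ipaddress.summarize_address_range(start, end))


def lint_remote_access_vpn(client_pool: str, split_tunnel_subnets, policy_sources, policy_destinations):
    """Cross-check the objects the guide has you create for remote access VPN.

    client_pool:          the IP range object used as Source IP Pools in the portal profile
    split_tunnel_subnets: the IP/Netmask objects (or address group members) routed over the tunnel
    policy_sources:       what the allow policy references as source
    policy_destinations:  what the allow policy references as destination
    Returns a list of findings; an empty list means the pieces are consistent.
    """
    findings = []
    pool_nets = parse_ip_range(client_pool)
    subnets = [ipaddress.ip_network(s, strict=False) for s in split_tunnel_subnets]
    srcs = [ipaddress.ip_network(s, strict=False) for s in policy_sources]
    dsts = [ipaddress.ip_network(d, strict=False) for d in policy_destinations]

    # 1. The client pool must not overlap the networks routed over the tunnel; otherwise a
    #    client's own address is also "behind the tunnel" and its routing becomes ambiguous.
    for p in pool_nets:
        for s in subnets:
            if p.version == s.version and p.overlaps(s):
                findings.append(f"client pool {p} overlaps split-tunnel subnet {s}")

    # 2. The allow policy's source must cover the whole client pool, or some clients get no access.
    for p in pool_nets:
        if not any(p.subnet_of(src) for src in srcs if src.version == p.version):
            findings.append(f"policy source does not cover client addresses {p}")

    # 3. A destination the policy allows but that is not routed over the tunnel is unreachable:
    #    with split tunneling the client never sends that traffic into the VPN.
    for d in dsts:
        if not any(d.subnet_of(s) for s in subnets if s.version == d.version):
            findings.append(f"policy destination {d} is not within the split-tunnel subnets")

    # 4. A routed subnet with no allowing destination is reachable by routing but dropped by the
    #    firewall. The guide says the policy may be narrower than the routed subnets, so this is
    #    informational rather than an error.
    for s in subnets:
        if not any(d.overlaps(s) for d in dsts if d.version == s.version):
            findings.append(f"info: split-tunnel subnet {s} is routed over the VPN but no policy destination allows it")
    return findings


if __name__ == "__main__":
    # Constructed example values, not taken from any real deployment.
    print(lint_remote_access_vpn("10.200.0.1-10.200.0.100",
                                 ["10.10.0.0/16", "10.20.5.0/24"],
                                 ["10.200.0.0/24"],
                                 ["10.10.0.0/16", "10.20.5.0/24"]))   # []
    print(lint_remote_access_vpn("10.10.0.1-10.10.0.50",
                                 ["10.10.0.0/16"], ["10.10.0.0/24"], ["10.10.0.0/16"]))
```

The second call shows the mistake the lint is mainly for: a client pool carved out of the same /16 that is being routed over the tunnel.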