Firewall Features

A stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature used to invoke fine-grained security policies. AZTCO-FW does this by default, and can be configured to block traffic based on policy matches. Alternatively, one can just inspect and not block traffic, by adding pass rules for all traffic on each interface from any/to any as desired.

IP/DNS-based filtering can block web traffic from entire countries, one mechanism for stopping cyber criminals from attacking your business. Network connections are blocked based on geographic location (information gathered from IP addresses) which can then be used to filter and prevent outgoing and incoming connections to and from your business.

AZTCO-FW by default implicitly blocks all unsolicited inbound traffic to the WAN interface.

Anti-spoofing detects packets carrying forged source addresses, which increases security.

A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources.

Time-based rules allow firewall rules to activate during specified days and/or time ranges. Time-based rules function the same as any other rule, except they are effectively not present in the ruleset outside of their scheduled times.

A firewall policy allows or denies traffic based on a matching tuple: source address, destination address, and service; and on connection count, which enables detection of anomalous connection requests.
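The three ideas above (a state table that admits replies to sessions the inside initiated, rules that are simply absent outside their schedule, and a tuple match on source, destination and service) can be seen together in a toy packet filter. This is an added example written for this page, not AZTCO-FW or pf code; the packet fields, the `Rule` attributes and the interface names `lan`/`wan` are assumptions made for the illustration.

```python
# Added example (not AZTCO-FW code): a toy stateful packet filter.
# It shows default-deny inbound, a state table that passes replies to
# sessions opened from the LAN, and a schedule that makes a rule
# "absent" outside its days/time window.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str  # assumed interface names: "lan" or "wan" (arrival interface)


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    iface: str
    src: str = "any"                         # exact host or "any" (toy matcher)
    dst: str = "any"
    dport: Optional[int] = None              # None = any service
    proto: str = "any"
    days: Optional[Set[int]] = None          # schedule: weekday numbers, Mon=0
    window: Optional[Tuple[time, time]] = None  # schedule: (start, end)

    def scheduled(self, now: datetime) -> bool:
        """Time-based rules are not present in the ruleset outside their schedule."""
        if self.days is not None and now.weekday() not in self.days:
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= now.time() <= end):
                return False
        return True

    def matches(self, p: Packet) -> bool:
        """Tuple match: interface, source, destination, service, protocol."""
        return (self.iface == p.iface
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport)
                and self.proto in ("any", p.proto))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # tracked sessions as 5-tuples

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet):
        # A reply to a tracked session has addresses and ports swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet, now: datetime) -> str:
        # 1. Existing state: replies are admitted without consulting the rules.
        if self._reply_key(p) in self.states or self._key(p) in self.states:
            return "pass (state)"
        # 2. First matching rule wins; rules outside their schedule are skipped.
        for r in self.rules:
            if r.scheduled(now) and r.matches(p):
                if r.action == "pass":
                    self.states.add(self._key(p))  # create state on pass
                return r.action
        # 3. Implicit default deny: this is what blocks unsolicited WAN traffic.
        return "block (default)"


def demo():
    # One rule: LAN hosts may open HTTPS, weekdays 09:00-17:00 only.
    rules = [Rule("pass", "lan", dport=443, proto="tcp",
                  days={0, 1, 2, 3, 4}, window=(time(9, 0), time(17, 0)))]
    fw = StatefulFirewall(rules)
    monday = datetime(2024, 1, 1, 10, 30)    # constructed timestamps
    saturday = datetime(2024, 1, 6, 10, 30)
    out = Packet("10.0.0.5", 50000, "203.0.113.10", 443, "tcp", "lan")
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 50000, "tcp", "wan")
    unsolicited = Packet("198.51.100.7", 4444, "10.0.0.5", 22, "tcp", "wan")
    return {
        "lan_out_in_hours": fw.filter(out, monday),
        "reply_via_state": fw.filter(reply, monday),
        "unsolicited_wan": fw.filter(unsolicited, monday),
        "lan_out_weekend": StatefulFirewall(rules).filter(out, saturday),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Note that the reply from the WAN side is passed purely on the state entry, with no WAN rule at all, while the same packet shape without a prior outbound session falls through to the default deny; and that the identical LAN packet on a Saturday is blocked because the scheduled rule is effectively not in the ruleset.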

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.
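As an added illustration of the address rewriting described above (this is example code written for this page, not AZTCO-FW's NAT implementation), a toy source-NAT table maps each private host's outbound flow to the router's public address and a fresh port, and reverse-maps replies. The public address `203.0.113.1` and the port range starting at 40000 are assumptions.

```python
# Added example (not AZTCO-FW code): source NAT with a translation table.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (priv_src, sport, dst, dport) -> public port
        self.inbound = {}   # (public port, dst, dport) -> (priv_src, sport)

    def translate_out(self, p: Pkt) -> Pkt:
        """Rewrite the IP header of an outbound packet to the public address."""
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.outbound.get(key)
        if port is None:
            # New flow: allocate the next free public port and remember both directions.
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def translate_in(self, p: Pkt) -> Optional[Pkt]:
        """Reverse-map a reply; packets with no mapping are dropped (None)."""
        entry = self.inbound.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or entry is None:
            return None
        priv_src, sport = entry
        return replace(p, dst=priv_src, dport=sport)


def demo():
    nat = SourceNat("203.0.113.1")
    # Two private hosts happen to use the same source port toward the same server.
    a = nat.translate_out(Pkt("192.168.1.10", 50000, "198.51.100.20", 443))
    b = nat.translate_out(Pkt("192.168.1.11", 50000, "198.51.100.20", 443))
    # The server's reply to host b comes back to the public IP and b's mapped port.
    reply_b = nat.translate_in(Pkt("198.51.100.20", 443, "203.0.113.1", b.sport))
    # A packet to a port with no mapping has nowhere to go.
    stray = nat.translate_in(Pkt("198.51.100.20", 443, "203.0.113.1", 45000))
    return a, b, reply_b, stray


if __name__ == "__main__":
    print(demo())
```

The collision on source port 50000 is the reason the translator owns the port allocation: without distinct public ports, the two replies would be indistinguishable.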

Dynamic DNS automatically updates a name server in the Domain Name System, often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information. The Dynamic DNS client built into AZTCO-FW registers the IP address of a WAN interface with a variety of dynamic DNS service providers. This is used to remotely access services on hosts that have WANs with dynamic IP addresses, most commonly VPNs, web servers, etc.

A DHCP Server is a network server that automatically provides and assigns IP addresses, default gateways and other network parameters to client devices. It relies on the standard protocol known as Dynamic Host Configuration Protocol (DHCP) to respond to broadcast queries by clients. The DHCP Server in pfSense Plus software provides addresses to DHCP clients, and automatically configures them for network access.

DNS forwarding determines how particular sets of DNS queries are handled by a designated server, rather than being handled by the initial server contacted by the client. AZTCO-FW is equipped with a DNS Forwarder that resolves DNS requests using hostnames obtained by the DHCP service, static DHCP mappings, or manually entered information.

Policy-based routing forwards and routes data packets based on specified policies or filters using parameters such as source and destination IP address, source or destination port, traffic type, protocols, access list, packet size, etc. to then route packets on user-defined routes.

IPv4 address space is rapidly being exhausted. IPv6 addresses are the future, but the two will need to coexist peacefully for years to come. Therefore NAT mapping for inbound and outbound traffic needs to support IPv4 and IPv6 concurrently, making it easier to configure static routes on the router.

Static routing occurs when a router uses a manually-configured routing entry, rather than information from dynamic routing traffic.

IPv6-to-IPv6 Network Prefix Translation (NPTv6 or NAT66) is a specification for IPv6 to achieve address-independence at the network edge, similar to network address translation (NAT) in Internet Protocol version 4.

IPv6 router advertisement is used for IPv6 auto-configuration and routing. When enabled, messages are sent by the router periodically and in response to solicitations. A host uses the information to learn the prefixes and parameters for the local network.

Multiple IP addresses per network interface allow many (non-aliased) host names to be mapped, each to its own IP address, on a single server, even though that server might have only one physical network interface.

Point-to-Point Protocol over Ethernet (PPPoE) is designed to manage how data is transmitted over Ethernet networks, allowing a single server connection to be divided between multiple clients, using Ethernet.

Most AZTCO-FW configuration is performed using its built-in web-based GUI. Some tasks may also be performed from the console, whether it be a monitor and keyboard, over a serial port, or via SSH.

The first time a user logs into the AZTCO-FW GUI, the firewall automatically presents a setup wizard, facilitating new users with a guided setup tour.

AZTCO-FW supports several ways to remotely administer a firewall running pfSense Plus software – with varying levels of recommendation based on client restrictions, corporate policies, etc.

The main GUI page of the AZTCO-FW is the dashboard. The dashboard page provides a wealth of information that can be seen at a glance, contained in configurable widgets.

AZTCO-FW has a complete Backup and Restore capability for the configuration file, accessible via the GUI Diagnostics menu option. Simply select your pfSense Plus software configuration backup XML file, click on the Restore configuration button, and your computer will upload the XML file and restore the AZTCO-FW configuration backup.

AZTCO-FW supports export/import of system configuration information in XML through the use of GUI Backup, where a web browser prompts the user to save the file somewhere on an external compute environment.

AZTCO-FW natively supports automatic encryption of backups for instant and secure offsite backups of a firewall with no user intervention.

AZTCO-FW supports groupings of user privileges so they do not need to be maintained individually on every user account. For example, a group can be used for IPsec xauth users, or a group that can access the firewall dashboard, a group of firewall administrators, or many other possible scenarios using any combination of privileges.

By default, update settings look for officially released versions of pfSense Plus software, but can also be set to track development snapshots.

Many configurations are forward-compatible, depending on the software version and its corresponding configuration revision numbers and whether the configuration backup is complete or partial.

Basic configuration and maintenance tasks can be performed from the AZTCO-FW console. The console is available using a keyboard and monitor, serial console, or by using SSH. Access methods vary depending on hardware.

Wake-on-LAN is an Ethernet or Token Ring networking standard that allows a computer to be turned on by a network message normally sent to the target computer by a program executed on a device connected to the same local area network, e.g., a smartphone. 

AZTCO-FW allows for a RADIUS or LDAP server to authenticate GUI users. Users and/or group memberships must be defined in the firewall in order to properly allocate permissions, as there is no method to obtain permissions dynamically from an authentication server.

GUI user privileges can be set and administered on an individual or group basis. Privileges including page access, password management, remote connection/authentication, firewall configuration changes, and root-level access are controllable.

AZTCO-FW supports the ability to set a date by which the firewall will automatically deactivate a user account.

AZTCO-FW can use RADIUS and LDAP servers to authenticate users from remote sources.

Attempting to login to the GUI or SSH and failing many times will cause the connecting IP address to be added to the lockout table.
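The lockout behaviour described above can be modelled as a small table fed by authentication log lines. This is an added example written for this page, not AZTCO-FW's own lockout mechanism: the log line format, the threshold of five failures, the five-minute window and the one-hour lockout are all assumptions, and the sample lines are constructed.

```python
# Added example (not AZTCO-FW code): building a lockout table from failed logins.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the format is an assumption, not AZTCO-FW's log format.
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd: Failed password for admin from 198.51.100.7
2024-01-01T10:00:03 sshd: Failed password for admin from 198.51.100.7
2024-01-01T10:00:04 webgui: Failed login for user 'root' from 198.51.100.7
2024-01-01T10:00:05 webgui: Successful login for user 'alice' from 10.0.0.5
2024-01-01T10:00:06 sshd: Failed password for admin from 198.51.100.7
2024-01-01T10:00:07 sshd: Failed password for admin from 198.51.100.7
2024-01-01T10:00:09 sshd: Failed password for alice from 10.0.0.5
2024-01-01T10:00:10 sshd: Accepted password for admin from 198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+) \S+ (Failed|Successful|Accepted) .* from (\S+)$")


class LockoutTable:
    def __init__(self, threshold=5, window=timedelta(minutes=5),
                 duration=timedelta(hours=1)):
        self.threshold = threshold
        self.window = window
        self.duration = duration
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked = {}                    # ip -> lockout expiry

    def is_locked(self, ip, now):
        exp = self.locked.get(ip)
        if exp is not None and now < exp:
            return True
        self.locked.pop(ip, None)  # expired entries are dropped lazily
        return False

    def record(self, ip, ok, now):
        if self.is_locked(ip, now):
            return "refused"       # a locked address is refused even on a correct password
        if ok:
            self.failures.pop(ip, None)
            return "allowed"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()            # only failures inside the window count
        if len(q) >= self.threshold:
            self.locked[ip] = now + self.duration
            q.clear()
            return "locked"
        return "failed"


def process(log_text, threshold=5):
    """Replay log lines through the table; returns per-line verdicts and locked IPs."""
    table = LockoutTable(threshold=threshold)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, verdict, ip = m.groups()
        now = datetime.fromisoformat(ts)
        results.append((ip, table.record(ip, verdict != "Failed", now)))
    return results, sorted(table.locked)


if __name__ == "__main__":
    verdicts, locked = process(SAMPLE_LOG)
    for ip, v in verdicts:
        print(f"{ip:15} {v}")
    print("locked:", locked)
```

Two details matter for a defender: failures from the GUI and from SSH are counted against the same address, and the final successful SSH login from the locked address is still refused, so an attacker who eventually guesses correctly gains nothing during the lockout.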

High-availability clusters are groups of firewalls or routers that can step in for one another – in the event of a failure – to minimize down-time. AZTCO-FW leverages the Common Address Redundancy Protocol (CARP) to provide failover redundancy for multiple firewalls / routers on the same local area network.

The multiple WAN (multi-WAN) capabilities in AZTCO-FW allow a firewall to utilize multiple Internet connections to achieve more reliable connectivity and greater throughput capacity.

A reverse proxy typically sits between remote clients and local servers, and allows for load balancing, failover, or other intelligent connection routing for public services such as web servers. AZTCO-FW uses HAProxy to address many types of proxy tasks, and has the benefit of scaling well for large deployments.

Multiple remote servers can be configured on OpenVPN clients. If the first server cannot be reached, the second will be used. This can be used in combination with a multi-WAN OpenVPN server deployment to provide automatic failover for clients.

Bandwidth throttling is the intentional slowing or speeding of an internet connection. It is used to regulate network traffic and minimize bandwidth congestion. AZTCO-FW supports bandwidth throttling through the use of traffic shaper queues. Each queue has settings specific to the scheduler and can be chosen through a traffic shaping wizard. 

The easiest way to get started with traffic shaping is by using the AZTCO-FW shaper wizard, which guides administrators through the shaper configuration process. Each step of the wizard sets up unique queues and rules that control what traffic is assigned into those queues.

Limiters are an alternate method of traffic shaping that do not rely on alternate queuing (ALTQ). Limiters are currently the only way to achieve per-IP address or per-network bandwidth rate limiting using AZTCO-FW, and are also used by Captive Portal for per-user bandwidth limits.

AZTCO-FW uses limiters to enforce a total cap on user traffic and to dynamically manage the connections based on real network conditions — allocating more bandwidth per device when the network is quiet and less bandwidth per device when many clients are chatting at the same time.
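The combination of a per-device ceiling with a shared total cap, where idle capacity is handed to the devices that want it, is max-min fair sharing. The following is an added example written for this page to make that allocation concrete; it is not AZTCO-FW's limiter or dummynet code, and the figures (100 Mbit/s total, 60 Mbit/s per IP, the demand values) are constructed.

```python
# Added example (not AZTCO-FW code): max-min fair allocation under a total cap
# and a per-IP limiter, the behaviour described for limiters above.
from typing import Dict


class FairShareLimiter:
    def __init__(self, total: float, per_ip_cap: float):
        self.total = total            # shared cap for all clients, Mbit/s (constructed unit)
        self.per_ip_cap = per_ip_cap  # limiter ceiling applied to each client

    def allocate(self, demand: Dict[str, float]) -> Dict[str, float]:
        """demand: ip -> bandwidth the client would use this interval.
        Returns ip -> bandwidth granted. Clients wanting less than an equal
        share get all of it; the leftover is re-split among the rest."""
        granted: Dict[str, float] = {}
        # The per-IP limiter caps what any single device can ask for.
        pending = {ip: min(d, self.per_ip_cap) for ip, d in demand.items()}
        remaining = self.total
        while pending:
            share = remaining / len(pending)
            small = {ip: d for ip, d in pending.items() if d <= share}
            if not small:
                # Everyone left wants at least an equal share: split evenly.
                for ip in pending:
                    granted[ip] = share
                break
            for ip, d in small.items():
                granted[ip] = d       # satisfied in full
                remaining -= d
                del pending[ip]
        return granted


def demo():
    lim = FairShareLimiter(total=100.0, per_ip_cap=60.0)
    quiet = lim.allocate({"10.0.0.5": 80.0})                      # one busy client
    busy = lim.allocate({"10.0.0.5": 80.0, "10.0.0.6": 80.0,      # three clients
                         "10.0.0.7": 10.0})
    return quiet, busy


if __name__ == "__main__":
    quiet, busy = demo()
    print("quiet network:", quiet)   # the lone client is held to the per-IP cap
    print("busy network: ", busy)    # the two heavy clients split what the light one leaves
```

On the quiet network the single client gets 60 rather than 80, because the per-IP limiter still applies even with capacity to spare; on the busy network the light client is satisfied at 10 and the two heavy clients share the remaining 90 equally, so the total never exceeds the cap.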

Using Captive Portal with AZTCO-FW allows administrators to not only restrict data rates on a per authenticated user basis, but also limit the total amount of bytes transferred in a given period of time. Traffic quotas are based on captive portal sessions, and can be set via the web interface or by retrieving traffic limits from RADIUS.

AZTCO-FW dashboard widgets provide an excellent bird’s eye view of system-level status, log and graph-based information. Over 20 widgets are available, each containing a specific set of data, type of information, graph, etc.

AZTCO-FW logs – useful for both troubleshooting and long-term monitoring – may be stored locally either in memory or written to disk.

AZTCO-FW supports a host of local monitoring graphs covering system performance, traffic, WAN interface quality, VPN usage and more.

AZTCO-FW is equipped with real-time traffic graphs which show interface traffic as it happens. Real-time graphs focus on what is happening “now”, as opposed to averaged data from RRD graphs – which are better suited for long-term traffic analysis.

Simple Network Management Protocol (SNMP) enables remote monitoring of numerous pfSense Plus software parameters including network traffic, network flows, pf queues, and general system information such as CPU, memory, and disk usage. Additionally, traps can be sent to an SNMP server for certain events.

AZTCO-FW can notify administrators of important events and errors via several mechanisms including GUI menu bar alerts, SMTP E-mail, Telegram API, Pushover API and Growl.

AZTCO-FW is equipped with a rich set of diagnostics for easily managing network administration tasks. 

IPsec is a group of protocols used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, where it both encrypts IP packets and authenticates the source from where the packets originated.

OpenVPN is a VPN solution that implements secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.

WireGuard is an open-source VPN software solution designed with the intent of providing ease of use, high speed performance, and a low attack surface.

Site-to-site VPNs allow multiple users’ traffic to flow through each VPN tunnel. Remote-access VPNs only allow one user’s traffic to travel through each VPN tunnel. AZTCO-FW supports both site-to-site and remote-access VPN capabilities via IPsec or OpenVPN. 

OpenVPN supports clients on a wide range of operating systems including all the BSDs, Linux, Android, Mac OS X, iOS, Solaris, Windows 2000 and newer, and even some VoIP handsets.

AZTCO-FW supports remote access VPN for a variety of Android and iOS devices. Other clients may work as well.

OpenVPN can connect a site-to-site tunnel to either an IPv4 address or an IPv6 address, and both IPv4 and IPv6 traffic may be passed inside of an OpenVPN tunnel at the same time. IPv6 is supported both in site-to-site and mobile clients, and it can be used to deliver IPv6 to a site that only has IPv4 connectivity.

IPsec is capable of connecting to a tunnel over IPv4 or IPv6 phase 1 peer addresses, but with some traffic limitations.

Split tunneling allows a user to access dissimilar security domains, e.g., a public network and a local LAN or WAN at the same time, using the same or different network connections.

AZTCO-FW supports the ability to establish multiple VPN tunnels over a single physical interface – useful, for example when securely connecting a number of office locations to one another.

AZTCO-FW supports both OpenVPN and IPsec tunnel failover.

OpenVPN and IPsec tunnels can be configured using either auto-generated or custom-designed routes.

AZTCO-FW allows for user authentication to be managed either by local user authentication, or by RADIUS/LDAP as an authentication source for a VPN.

Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) analyze packets as well, but can also stop the packet from being delivered, helping to halt the attack.

Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.

Layer 7, the OSI (Open System Interconnection) Model application layer, supports application and end-user processes, such as HTTP and SMTP. Attacks at this layer present a security challenge as malicious code can masquerade as valid client requests and normal application data.

Depending on choices around performance, security risk tolerance, and actual business applications in use, there are many ways to configure an IDS/IPS. AZTCO-FW supports the use of multiple sources of rules for both Snort and Suricata. Additionally, each of those packages has multiple categories for rules as well, including floating rules, interface group rules, and interface rules.

An IDS/IPS solution can be configured to simply log detected network events, or both log and block them. This is performed through the use of detection signatures, called rules. Rules can be custom created by the user, or any of several pre-packaged rule sets can be enabled and downloaded. Pre-packaged rulesets offer added detection / protection against emerging threats in the wild.
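The IDS-versus-IPS distinction and the "rules are detection signatures" idea from the two passages above are small enough to show in one toy engine. This is an added example written for this page; it is not Snort or Suricata rule syntax and not AZTCO-FW code. The signature IDs, messages, patterns and the constructed packets are all assumptions made for the illustration.

```python
# Added example (not Snort/Suricata/AZTCO-FW code): a toy signature engine
# that runs either in IDS mode (log only) or IPS mode (log and drop).
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Sig:
    sid: int           # constructed signature id
    msg: str
    dport: Optional[int]   # None = any port
    pattern: bytes         # regular expression over the payload


# Constructed rules: content patterns a defender would alert on in HTTP requests.
SIGS: List[Sig] = [
    Sig(9000001, "Directory traversal sequence in request path", 80, rb"\.\./\.\./"),
    Sig(9000002, "Oversized request header", 80, rb"(?m)^[A-Za-z-]+: .{512,}$"),
]


class Engine:
    def __init__(self, sigs: List[Sig], mode: str = "ids"):
        assert mode in ("ids", "ips")
        self.sigs = sigs
        self.mode = mode
        self.alerts: List[Tuple[int, str, str]] = []  # (sid, msg, src)

    def inspect(self, p: Pkt) -> str:
        """Return 'pass', 'alert' (IDS: logged, delivered) or 'drop' (IPS: logged, blocked)."""
        for s in self.sigs:
            if (s.dport is None or s.dport == p.dport) and re.search(s.pattern, p.payload):
                self.alerts.append((s.sid, s.msg, p.src))
                return "drop" if self.mode == "ips" else "alert"
        return "pass"


# Constructed traffic: one benign request, one traversal attempt, one oversized header.
TRAFFIC = [
    Pkt("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Pkt("198.51.100.7", 80, b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Pkt("198.51.100.9", 80, b"GET / HTTP/1.1\r\nX-Pad: " + b"A" * 600 + b"\r\n\r\n"),
]


def run(mode: str):
    """Inspect the constructed traffic in the given mode; returns verdicts and alert sids."""
    eng = Engine(SIGS, mode)
    verdicts = [eng.inspect(p) for p in TRAFFIC]
    return verdicts, [sid for sid, _, _ in eng.alerts]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode))
```

Both modes produce the same alert log; only the verdict differs, which is why switching a deployment from log-only to blocking is purely an operational decision about false-positive tolerance rather than a change in detection.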

IP blacklisting filters out illegitimate or malicious IP addresses from accessing your networks. pfBlocker is an AZTCO-FW package that allows you to add IP block lists and country block lists.

AZTCO-FW is equipped with a number of automatically added firewall rules. Examples include anti-lockout, anti-spoofing, block private networks, block Bogon networks, IPsec protocol use and port access, default deny rule, etc.

AZTCO-FW allows each LAN or WAN interface to be independently configured with firewall rules and other per-interface functionality.

Each IDS/IPS security admin must ultimately decide their own alert volume tolerance, as only you know the type of traffic that is normal on your network. AZTCO-FW enables you to select specific ruleset and alerting policies on a per interface basis, as well as offering detailed guidance about how to eliminate noisy false positives.

Deep Packet Inspection (DPI) enables security analysts to capture and evaluate full packet header and payload information to identify protocol compliance, spam, virus, intrusion, and other anomalous or malicious traffic. Snort, Suricata, and NTOPNG packages each support DPI capabilities.

AZTCO-FW leverages Snort and OpenAppID to detect, monitor and manage application usage on your network.

AZTCO-FW enables web (HTTP and HTTPS) proxy functions via Squid (for caching web pages and related tasks), SquidGuard (for filtering and controlling access to web content) and Lightsquid (for reporting user activity based on the Squid access logs) packages.

AZTCO-FW supports both non-transparent and transparent caching proxy via Squid.

AZTCO-FW uses the MESD list and the Shalla list to control access to predefined lists of sites in specific categories such as social, adult, music, and sports sites. Additional domains and/or specific URLs that are intended to be blocked may also be added, e.g., facebook.com, google.com, microsoft.com, etc.

AZTCO-FW can be configured to function as an anti-virus proxy using the HAVP package. Antivirus proxies act like traditional web proxies, except they scan all content passing through the proxy for virus or malware signatures. If the proxy identifies the content as malicious, the download will be blocked and the client computer will be redirected to an error page.

AZTCO-FW uses the SquidGuard package to protect customers from unwanted search results. This is supported for Google, Yandex, Yahoo, MSN and Live Search.

AZTCO-FW uses the SquidGuard package as a web filter to block access to unwanted or illegal (in some countries, a web filter for schools is even required by law) content from the Internet.

AZTCO-FW leverages LightSquid, a Squid log analyzer, to parse through proxy access logs and produce web-based reports that detail the URLs accessed by each user on the network.

AZTCO-FW uses LightSquid to monitor internet usage on your network. By parsing through proxy access logs, web-based reports that detail URLs accessed by date and time by each user on the network, bandwidth usage, and top site reports can be produced – unbeknownst to network users.