Access Control

On the Access Control page, you make the settings that control access to the firewall administration web interface.

Select one or two configuration IP addresses for the firewall. The configuration address is the IP address to which you direct your web browser to access the web interface of the firewall.

For each network interface, you also specify whether or not the firewall can be configured via this network interface.

You also select what kind of authentication will be performed for the users trying to access the web interface.

To further increase security, the firewall can be restricted so that it is configurable only from one or a few computers reached via one of these interfaces. Enter the IP address or addresses that are allowed to configure the firewall. The IP addresses can belong to one or more computers.

Configuration transport

Select one or two firewall IP addresses. The firewall web server will listen for web traffic on the selected IP addresses and ports.

This is the IP address and port which should be entered in your web browser to connect to the firewall.

Configuration via HTTP

Select which IP address and port the firewall administrator should direct her web browser to when HTTP is used for firewall configuration. You can select from the firewall IP addresses configured on the Interface pages under Network.

You can use different IP addresses for HTTP and HTTPS configuration.

Configuration via HTTPS

Select which IP address and port the firewall administrator should direct her web browser to when HTTPS is used for firewall configuration. You can select from the firewall IP addresses configured on the Interface pages under Network.

You can use different IP addresses for HTTP and HTTPS configuration.

You also need to select a TLS certificate, which works as an ID card, identifying the firewall to your web browser. This ensures that you are really communicating with your firewall and not somebody else's computer. TLS uses public-key cryptography with two keys, one secret and one public. The secret key is kept in the firewall and the public key is embedded in the certificate. If either key is changed, the TLS connection won't work.

The certificate is created on the Certificates page.

User authentication

Select the mode of administrator authentication: a Local password (administrator username and password), via a RADIUS server, or a choice between the two alternatives at login (Local or RADIUS).

Local administrator users and their passwords are defined on the User Administration page under Administration. If authentication is to be performed by a RADIUS server, you must enter one on the RADIUS page.

Configuration allowed via interface

Specify whether or not this interface can be used to configure the firewall. The choices are On and Off. This configuration is a complement to the Configuration computers setting below.

Configuration computers

Enter the IP address or addresses that can configure the firewall. The IP addresses can belong to one or more computers.

Note that you must also allow configuration via the firewall interface that the computers are connected to. See Configuration allowed via interface above.

DNS name or network address

Enter the DNS name or IP address of the computer or network from which the firewall can be configured. Avoid allowing configuration from a network or computer on the Internet or other insecure networks, or use HTTPS or VPN to connect to the firewall from these insecure networks.

Network address

Shows the IP address of the DNS name or network address you entered in the previous field.

Netmask/bits

Netmask/bits is the mask that, together with the network address, specifies the configuration computers. See chapter 4, Configuring Ingate Firewall, for instructions on writing the netmask. To limit access so that only one computer can configure the firewall, use the netmask 255.255.255.255. You can also specify the netmask as a number of bits, which in this case would be 32. To allow configuration from an entire network, enter the network address under Network address and a netmask that covers that network (a lower number of bits) here. To allow configuration from several computers or networks, create one line for each of them.

Range

The Range shows all IP addresses from which the firewall can be configured. The range is calculated from the configuration under DNS name or network address and Netmask/bits. Check that the correct information was entered in the DNS name or network address and Netmask/bits fields.

Via IPsec peer

Here, you can select an IPsec peer from which this connection must be made. If an IPsec peer is selected, you will only be able to configure the firewall from this IP address through an IPsec tunnel.

Log class

Here, you enter what log class the firewall should use to log the configuration traffic to the firewall's web server. Log classes are defined on the Log Classes page under Logging. See also chapter 13, Logging.

Log rule no.

The Log rule no. field determines the order of the lines. The order is important in deciding what is logged and what generates alarms. The firewall uses the first line that matches the configuration traffic.

Perhaps you want to configure the firewall so that configuration traffic from one specific computer is simply logged while traffic from the rest of that computer's network is both logged and generates alarms.

The rules are used in the order in which they are listed. If the network is listed first, all configuration traffic from that network is both logged and generates alarms, including the traffic from that individual computer. But if the individual computer is listed on a separate line before the network, that line is considered first: configuration traffic from that computer is only logged, while traffic from the rest of the computer's network is both logged and generates alarms.
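The example below, added here and not part of the Ingate documentation or product, models the two behaviours described above: how a Network address plus Netmask/bits yields the Range, and how first-match evaluation in Log rule no. order decides which line (and therefore which log class) applies to a configuration computer. The addresses and the log class names "log-only" and "log-and-alarm" are constructed placeholders.

```python
import ipaddress

# Constructed table rows in Log rule no. order:
# (log rule no., network address, netmask/bits, log class).
# Rule 1 is the single admin workstation, rule 2 the rest of its network.
RULES = [
    (1, "192.0.2.10", "255.255.255.255", "log-only"),
    (2, "192.0.2.0", "24", "log-and-alarm"),
]

# The same two rows with the network listed first, as in the counter-example.
RULES_NETWORK_FIRST = [
    (1, "192.0.2.0", "24", "log-and-alarm"),
    (2, "192.0.2.10", "255.255.255.255", "log-only"),
]


def allowed_range(address: str, mask: str) -> ipaddress.IPv4Network:
    """Compute the Range shown for one row from its Network address and
    Netmask/bits. Accepts a dotted netmask (255.255.255.0) or a bit count (24).
    strict=False lets a host address with a /32 mask through unchanged."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def matching_rule(source: str, rules):
    """Return the first row, in Log rule no. order, whose Range contains the
    source address, or None if no row allows it (configuration is refused)."""
    src = ipaddress.ip_address(source)
    for rule in sorted(rules, key=lambda r: r[0]):
        _, address, mask, _ = rule
        if src in allowed_range(address, mask):
            return rule
    return None


def log_class_for(source: str, rules):
    """Log class applied to configuration traffic from source, or None."""
    rule = matching_rule(source, rules)
    return rule[3] if rule else None


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.77", "198.51.100.5"):
        print(src, log_class_for(src, RULES), log_class_for(src, RULES_NETWORK_FIRST))
```

With the workstation listed first, its traffic is only logged while the rest of 192.0.2.0/24 alarms; with the network listed first, the workstation's /32 row is never reached.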

Delete row

If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.

Add new rows

Enter the number of new rows you want to add to the table, and then click on Add new rows.

Save

Saves the Access Control configuration to the preliminary configuration.

Undo

Reverts all the above fields to their previous configuration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.