General Explanations
======================

Introduction
*******************

VT AIR Next Gen Firewall is a Linux based firewall system that delivers high firewall throughput while providing a large number of features to manage your network. VT AIR is equipped with a modern management WebGUI, a REST API and a command line.

VT AIR Architecture
*********************

VT AIR runs on the Debian Linux operating system and uses a custom Linux kernel for maximum hardware compatibility and network speed.

Technology Stack
*********************

VT AIR is designed and built using open source software projects including:

- Debian as the base operating system
- SNMPD for SNMP
- FRR for routing protocols
- Kea for DHCP services
- Unbound for DNS
- the ntp.org daemon for NTP
- keepalived for VRRP and HA failover
- Docker for app containers
- Suricata for intrusion detection and application control
- Squid as web filter
- Coraza as web application firewall
- HAProxy as reverse proxy and load balancer
- Apache Guacamole as WebVPN
- OpenVPN
- strongSwan for IPsec key management
- WireGuard

Default login
*******************

The login data for the WebGUI has to be set the first time you log on: the WebGUI forces you to set a password for the default user **admin**. For SSH or the console the user is **root**. The **root** and **admin** users share the same password, so SSH login is only possible after the **admin** password has been set in the WebGUI.

.. note:: :ref:`VT AIR Amazon AWS` and :ref:`VT AIR Azure` have a different login mechanism.

Default Firewall User
**************************

The following users are active on the firewall by default:

+---------+--------------------------------+------------------------------------------+
| Name    | Function                       | Description                              |
+=========+================================+==========================================+
| admin   | Web GUI Administrator          | Web interface admin                      |
+---------+--------------------------------+------------------------------------------+
| hasync  | Web GUI High Availability User | HA config sync user with random password |
+---------+--------------------------------+------------------------------------------+
| root    | SSH only user                  | Password is synced with the admin user   |
+---------+--------------------------------+------------------------------------------+

Breadcrumb
*************

Each page has a navigational breadcrumb showing the current page. Depending on the page there are additional shortcuts in the upper right corner. Shortcuts include:

* Link to the service overview page
* Link to the service specific diagnostic page
* Link to the logfile

Search
*************

The search box in the upper navigation bar searches the menu and returns matching pages. It **does not** search through **any saved data**. It is a good tool for finding a menu entry quickly.

Supported Browser
**************************

VT AIR supports Chrome, Edge, Firefox and Safari. Internet Explorer is not a supported browser and may fail to display GUI features correctly.

Current VT AIR Appliances
****************************

**Desktop**

* :ref:`VT AIR 100`
* :ref:`VT AIR 500`

**Rack**

* :ref:`VT AIR 1200`
* :ref:`VT AIR 1500`

**Industrial**

* :ref:`VT AIR 300`
* :ref:`VT AIR 310`

Release Schedule
****************************

VT AIR is released quarterly and the version number reflects the month and year of the release. For example, release 2021.07.1 was released in July 2021. Releases are in January, April, July and October and are numbered as follows, with YYYY replaced by the year of the release:

* YYYY.01
* YYYY.04
* YYYY.07
* YYYY.10

The kernel is updated in the 04 (April) and 10 (October) releases. There are exceptions, such as critical security vulnerabilities or other major reasons, where we are forced to release a kernel update outside of the release schedule.

Default Firewall Rules
****************************

Only the **LAN interface** has default firewall rules enabled:

+----------+-------------+-------------+----------------------+------------------+---------------------------------+
| Protocol | Source IP   | Source Port | Destination IP       | Destination Port | Description                     |
+==========+=============+=============+======================+==================+=================================+
| TCP      | Any         | Any         | LAN Address          | 22, 80, 443      | Anti lockout rule               |
+----------+-------------+-------------+----------------------+------------------+---------------------------------+
| TCP/UDP  | LAN Network | Any         | LAN Address          | 53, 853          | DNS server                      |
+----------+-------------+-------------+----------------------+------------------+---------------------------------+
| ICMP     | LAN Network | \-          | LAN Address          | \-               | ICMP to VT AIR                  |
+----------+-------------+-------------+----------------------+------------------+---------------------------------+
| Any      | Any         | Any         | Private Networks     | Any              | Access to private IPs v4 and v6 |
+----------+-------------+-------------+----------------------+------------------+---------------------------------+
| Any      | Any         | Any         | NOT Private Networks | Any              | Access to public IPs v4 and v6  |
+----------+-------------+-------------+----------------------+------------------+---------------------------------+

The **WAN interface** has no allow rules, so all inbound traffic is blocked, and it carries an explicit extra firewall rule that blocks private IP ranges. The only exceptions on all interfaces, WAN included, are the ICMP and ICMPv6 types listed below.

Default Services
**************************

The following table shows the services and their open ports that are enabled in the factory default settings of the VT AIR:

+---------+------+-------------+----------------------------------------+-----------------+
| Service | Port | Protocol    | Default Firewall Rule                  | Description     |
+=========+======+=============+========================================+=================+
| DNS     | 53   | TCP and UDP | Yes on LAN interface                   | DNS server      |
+---------+------+-------------+----------------------------------------+-----------------+
| DNS     | 853  | TCP and UDP | Yes on LAN interface                   | DNS server TLS  |
+---------+------+-------------+----------------------------------------+-----------------+
| HTTP    | 80   | TCP         | Yes on LAN interface                   | Web server      |
+---------+------+-------------+----------------------------------------+-----------------+
| HTTPS   | 443  | TCP         | Yes on LAN interface                   | Web server      |
+---------+------+-------------+----------------------------------------+-----------------+
| DHCP    | 67   | UDP         | Yes on LAN interface                   | DHCP server     |
+---------+------+-------------+----------------------------------------+-----------------+
| SSH     | 22   | TCP         | Yes on LAN interface                   | SSH server      |
+---------+------+-------------+----------------------------------------+-----------------+
| NTP     | 123  | UDP         | No (blocked)                           | NTP server      |
+---------+------+-------------+----------------------------------------+-----------------+
| ICMP    |      | ICMP        | Yes on LAN interface, see table below  | ICMP messages   |
+---------+------+-------------+----------------------------------------+-----------------+
| ICMPv6  |      | ICMPv6      | See table below                        | ICMPv6 messages |
+---------+------+-------------+----------------------------------------+-----------------+

Note that the NTP daemon listens on UDP port 123, but no default firewall rule allows it, so NTP requests to the firewall are blocked on every interface until you add a rule.

Open ICMP types to the VT AIR firewall:

+-----------------------------+-----------------+---------------------------------+
| ICMP Type                   | Input Interface | Description                     |
+=============================+=================+=================================+
| All                         | LAN             | LAN ICMP to VT AIR              |
+-----------------------------+-----------------+---------------------------------+
| Destination unreachable (3) | ALL             | Destination Unreachable Message |
+-----------------------------+-----------------+---------------------------------+
| Time exceeded (11)          | ALL             | Time Exceeded Message           |
+-----------------------------+-----------------+---------------------------------+
| Parameter problem (12)      | ALL             | Parameter Problem               |
+-----------------------------+-----------------+---------------------------------+

Open ICMPv6 types to the VT AIR firewall:

+--------------------------------------+-----------------------------------------------------+---------------------------------+
| ICMPv6 Type                          | Input Interface                                     | Description                     |
+======================================+=====================================================+=================================+
| Destination unreachable (1)          | ALL                                                 | Destination Unreachable Message |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Packet Too Big (2)                   | ALL                                                 | Packet Too Big                  |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Time exceeded (3)                    | ALL                                                 | Time Exceeded Message           |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Parameter problem (4)                | ALL                                                 | Parameter Problem               |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Neighbor Solicitation (135)          | ALL                                                 | Neighbor Solicitation           |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Neighbor Advertisement (136)         | ALL                                                 | Neighbor Advertisement          |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Multicast Listener Query (130)       | ALL                                                 | Multicast Listener Query        |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Multicast Listener Report (131)      | ALL                                                 | Multicast Listener Report       |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Multicast Listener Done (132)        | ALL                                                 | Multicast Listener Done         |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Multicast Listener Report v2 (143)   | ALL                                                 | Multicast Listener Report v2    |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Multicast Router Advertisement (151) | ALL                                                 | Multicast Router Advertisement  |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Multicast Router Solicitation (152)  | ALL                                                 | Multicast Router Solicitation   |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Multicast Router Termination (153)   | ALL                                                 | Multicast Router Termination    |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Echo Reply (129)                     | ALL (fe80::/10, ff02::/16 <-> fe80::/10, ff02::/16) | Link Local Only                 |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Router Solicitation (133)            | ALL (fe80::/10, ff02::/16 <-> fe80::/10, ff02::/16) | Link Local Only                 |
+--------------------------------------+-----------------------------------------------------+---------------------------------+
| Router Advertisement (134)           | ALL (fe80::/10, ff02::/16 <-> fe80::/10, ff02::/16) | Link Local Only                 |
+--------------------------------------+-----------------------------------------------------+---------------------------------+

Echo Reply, Router Solicitation and Router Advertisement are accepted only between link-local (fe80::/10) and link-scope multicast (ff02::/16) addresses. For Router Advertisements this matches RFC 4861, which requires their source address to be link-local, so a Router Advertisement that reaches the firewall with a global source address is not accepted.
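The Default Services table above documents which sockets a factory-default VT AIR exposes. The following script, an added example that is not part of the VT AIR documentation or product, turns that table into a drift check: it parses the output of ``ss -lntu`` (iproute2) and reports listeners that the table does not document, as well as documented defaults that are not listening. The sample ``ss`` output embedded below is constructed for illustration (the ``127.0.0.1:8080`` listener is invented to trigger a finding), not captured from a real appliance.

```python
"""Compare the listening sockets of a VT AIR with the factory-default
service table in the documentation.

Added example, not VT AIR code. Parses ``ss -lntu`` output; the sample
output below is constructed, not a real capture.
"""
import subprocess

# Factory-default services from the documentation table: (protocol, port).
DOCUMENTED_DEFAULTS = {
    ("tcp", 53), ("udp", 53),    # DNS
    ("tcp", 853), ("udp", 853),  # DNS over TLS
    ("tcp", 80), ("tcp", 443),   # WebGUI / REST API
    ("udp", 67),                 # DHCP server
    ("tcp", 22),                 # SSH
    ("udp", 123),                # NTP (listens, but no default firewall rule)
}

# Constructed sample of ``ss -lntu`` output (not a real capture). The
# 127.0.0.1:8080 listener is invented so that the audit has something to flag.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:67         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511                *:443              *:*
tcp   LISTEN 0      511                *:80               *:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      128          0.0.0.0:853        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:8080       0.0.0.0:*
"""


def parse_ss(output: str) -> set:
    """Return the set of (protocol, port) pairs that are listening.

    Handles IPv4 (``0.0.0.0:22``), wildcard (``*:443``) and IPv6
    (``[::]:22``) local addresses: the port is whatever follows the
    last colon of the Local Address:Port field.
    """
    listeners = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":  # skip blanks and header
            continue
        proto, local = fields[0], fields[4]
        port = local.rsplit(":", 1)[1]
        if port.isdigit():
            listeners.add((proto, int(port)))
    return listeners


def audit(listeners: set, documented: set = DOCUMENTED_DEFAULTS):
    """Return (unexpected listeners, documented defaults that are missing)."""
    unexpected = sorted(listeners - documented)
    missing = sorted(documented - listeners)
    return unexpected, missing


def audit_live():
    """Run the audit against the local system (needs iproute2's ``ss``)."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True,
                         text=True, check=True).stdout
    return audit(parse_ss(out))


if __name__ == "__main__":
    unexpected, missing = audit(parse_ss(SAMPLE_SS_OUTPUT))
    for proto, port in unexpected:
        print(f"UNEXPECTED listener: {proto}/{port}")
    for proto, port in missing:
        print(f"documented default not listening: {proto}/{port}")
```

Run ``audit_live()`` from an SSH session on the appliance to compare the real socket table with the documented defaults. Apps started via Docker, VPN services and the reverse proxy legitimately add listeners, so the value of the check is the diff against a known baseline, not an empty result; a new listener that nobody enabled is what deserves a closer look.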
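The ICMPv6 table above is easiest to reason about as a small decision procedure. The following model is an added example, not VT AIR code: it encodes the table as written (types accepted from any source on every interface, and the three types restricted to link-local and link-scope multicast addresses) so the link-local-only condition can be exercised on constructed packets. ``Packet``, ``accepted`` and the sample messages are this example's own; the addresses come from the RFC 3849 documentation prefix and are not captured traffic.

```python
"""Classify ICMPv6 messages addressed to the firewall against the default
ICMPv6 table in the documentation.

Added example, not VT AIR code; it models the table, not the firewall's
actual rule engine.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Rows marked "ALL": accepted from any source address on every interface.
OPEN_ON_ALL = {1, 2, 3, 4, 130, 131, 132, 135, 136, 143, 151, 152, 153}

# Rows marked "Link Local Only": Echo Reply, Router Solicitation,
# Router Advertisement.
LINK_LOCAL_ONLY = {129, 133, 134}

# For the link-local-only rows, both source and destination must fall
# inside one of these ranges.
LINK_SCOPE = (IPv6Network("fe80::/10"), IPv6Network("ff02::/16"))


@dataclass(frozen=True)
class Packet:
    """Minimal view of an ICMPv6 message (constructed for this example)."""
    icmp_type: int
    src: str
    dst: str


def is_link_scope(addr: str) -> bool:
    ip = IPv6Address(addr)
    return any(ip in net for net in LINK_SCOPE)


def accepted(p: Packet) -> bool:
    """True if the documented default input policy admits the message."""
    if p.icmp_type in OPEN_ON_ALL:
        return True
    if p.icmp_type in LINK_LOCAL_ONLY:
        return is_link_scope(p.src) and is_link_scope(p.dst)
    return False  # not in the table, e.g. Echo Request (128) arriving on WAN


# Constructed sample traffic (2001:db8::/32 is the RFC 3849 documentation prefix).
SAMPLES = [
    Packet(134, "fe80::1", "ff02::1"),           # RA from a link-local router
    Packet(134, "2001:db8::1", "ff02::1"),       # RA with a global source: dropped
    Packet(2, "2001:db8::2", "2001:db8::ff"),    # Packet Too Big, needed for PMTUD
    Packet(128, "2001:db8::3", "2001:db8::ff"),  # Echo Request: not in the table
]


def classify(packets=SAMPLES):
    """Return (type, source, accepted) for each packet."""
    return [(p.icmp_type, p.src, accepted(p)) for p in packets]


if __name__ == "__main__":
    for icmp_type, src, ok in classify():
        print(f"type {icmp_type:3d} from {src:12} -> {'accept' if ok else 'drop'}")
```

The second sample is the case that matters for security: a Router Advertisement with a global source address is exactly what a rogue-router attempt from outside the link looks like, and the table rejects it. One edge worth knowing when reading the table literally: a Router Solicitation sent from the unspecified address ``::``, which RFC 4861 permits for a host that has no address yet, matches neither fe80::/10 nor ff02::/16, so this model drops it.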