So we're going to talk today about Untangle firewall. A lot of people have asked me, because I've done so many firewall reviews, and, you know, I'm obviously a big advocate of pfSense because I really like open source firewalls. But there are times when you need something that does full web filtering, is turnkey, is easy to use, is a good solution. I've looked at a handful of them and I immediately got agitated with them, and then Untangle came up. I've talked to a handful of my tech friends who have deployed a lot of these. My one friend had commented he's deployed almost, I think he said, a thousand of them overall over the years. He's been using it for a long time. So I've got a lot of people, a lot of feedback from more than one of my well-respected tech friends who say yes, this is a very solid product. So we did some testing with it and I absolutely agree with them. This was a really good product.

Now first, because someone's always asked, well, what about, how does it compare to, and this is a little bit difficult. I wish I had all the time in the world to spend digging into every single firewall and do a head-to-head firewall video. If anyone wants to throw enough money at me, more than happy to do it, but obviously that takes a lot to really dive deep into a firewall. Now, the thing I will cover is first: it's not free. It's not an open source firewall solution, and we're gonna talk about pricing real quick, because that's where a lot of people may get turned off, that they're always looking for the ultimate free solution. Sorry, this isn't free.
Good web filtering takes a good security team, a good NOC team, to understand the threats on the web, to compile the resources together and to deliver that to a firewall as a feed, so your threat management stays up to date and relevant. This is why I'm reviewing this firewall, because it does that, and it does that at a reasonable price. And we're gonna talk about price real quick here, in a different way.

So right at the top of the Untangle website we have a buy button, and then we have pricing. This is amazing. If only other companies, like Fortinet with their FortiCare: contact support, call us. Sophos: get pricing, get a quote. Cisco Meraki: get a quote after you check some boxes and get an idea of their pricing, but they don't really tell you. Yeah, we're still back here where we don't know. All these companies think they're hiding pricing. I don't understand this. This is something that drives me nuts. Just tell me the price of the thing without having to talk to a person, fill out a form and get on your mailing list. Literally, I'm right here on Untangle's website and we can figure out our pricing model.

Now, I kind of like the pricing model, and this is an important distinction I want to get clear. They have a firewall that is free, but the add-on features cost money. You get a 14-day trial for full-blown all the features: the web filtering, the content filtering, the threat management and the feeds that come with it. But this is my favorite part: if you choose not to renew your license because you bought one previously, or you let your 14-day trial expire, the firewall doesn't turn off. It is not like Cisco Meraki, where it turns into a pumpkin at midnight when you didn't pay the license. It keeps functioning without those extra feeds. So you really do get a good firewall solution that, if you decide you don't need those extra features, you do not have to rip it out. You can keep it in place. This is just a better business model to me, going: hey, these things cost money.
These are things our team works on, keeping this firewall up to date. It's a lot of work for these threat management. So yes, that does cost money. Now what's even better is the bright fact that I don't have to talk to anyone to get pricing, and I can go here and choose how many licensed devices. Not users; I made the mistake of saying that when I did talk to the sales rep people, which are really nice. They're super easy people to talk to. They actually have a really, we're working on becoming a partner, because we want to start reselling these Untangles as some solutions to clients that need that extra layer of protection with the UTM. And we've seen them deployed before. We've seen them where clients have bought them themselves, and that's also another thing, where we usually work with a lot of other IT companies on special projects, and we've seen Untangle at the head end and they go, this thing works great. They really seem to like it as well.

Their device licensing, you figure out this: if you have some weird custom solution, you can talk to a sales rep and work things out with them through partner networks and distributor networks. But if you just want to buy it direct and you have a small office, or even a 1,000 person office, they have pricing out here that's pretty clear. The cool thing is, this is the NG Firewall Complete. I won't get into some of the other deals, but they do have a big discount for nonprofits and public sector. But the home one, for home users: this is really a great deal for home users who go, you know what?
I really want a turnkey, easy system to do some filtering and I don't want to have to pay a whole ton of money. Well, you know, 50 bucks a year is a great deal for home users who are looking for a firewall that's intuitive, easy to use, and will filter out things that you may not want your kids getting to. By the way, kids are really smart and they're gonna figure out ways around the firewall, but this is a layer, at least an extra barrier, where you put some effort into trying to stop them from getting online. It all depends how tech savvy your kids are and how tech savvy you are. So I just want to cover the pricing, get it out of the way, because a lot of people are gonna ask about this. It's nice and clear and online, unlike these other companies that call for quote, call for quote, call for quote. That drives me crazy.

So let's roll back all the way to: how do you download it? How do you get it? Well, pretty easy: ISO CD image download, VMware appliance. So they do support it running in a virtual machine. I have now run it at my house for a little while on a physical hardware box. I've run it on a virtual machine here as a test, and both of them work perfectly fine. I didn't run into any issues with doing the demos with this. I'm not gonna take you through the whole installer, but I'll tell you the installer is fairly straightforward and nothing exciting about it. It was actually really easy to install. It walks you through, and I've got this actually zoomed in too far. It walks you through like a standard install that you've seen for most Linux distributions. Next your way through it with a graphical installer. Lets you use a mouse. Made it easy to install. It actually won't let me rescale this down, but I can just press enter most of the time and it will just go through and set this firewall up. Requires a minimum of two network cards, does support more. But like I said, the installer, I had no problems installing it, both on hardware or in a virtual machine.
I didn't actually download their OVA file, but that would work fine as well, I'm sure. So I'm gonna close this and cancel it.

Now I'm bringing you here to my firewall demo of what it looks like installed, because normally the console is not interesting. Their console is very interesting. Yeah, move this over here for you. So if you plug in to the console itself, this is actually what you see in there: a firewall with a GUI. That's strange, though. Most firewalls are not managed with a GUI; they're managed with a web interface. Well, so is this one. You have recovery utilities, you have a few other options under, which I think is pretty cool. But it launches a web browser to manage the firewall inside the GUI, so you can actually plug in if you built this on commodity hardware, which of course commodity hardware is supported. And I didn't cover it in the beginning: yes, they have appliances they sell. So this is either you load it yourself or you can buy one of their pre-configured hardware appliances to run this on. So either way you want to run this is fine, but the fact that it has a graphical interface that lets you do this from the firewall is actually pretty neat. I've not seen that before, so I thought that was kind of novel. And maybe someone's gonna say, but Tom, haven't you seen so-and-so? Yeah, I'm sure there's other companies doing it, but this one's really nice.

So we can close the web browser. We can shut down, reboot. I have recovery utilities, get to the terminal, which I think prompts you with a warning: this is for advanced people who know how to terminal. Nice. Do you want to run the recovery? We're gonna say no, but it does have cool recovery, reboot services. But the web interface inside of here looks the same as it does when you log in. So let's start digging into the web interface a little bit, and we're gonna do it a little different here. So, Untangle being targeted at the commercial market.
We're gonna go ahead and sign in here. Now, I'm gonna block out some IP addresses on here for my office and things like that, but what you're seeing is the dashboard, so you can see all of your appliances in one dashboard. We have only two registered here because we just set this up. This dashboard comes with your account, and what this allows you to do, if you're an MSP like we are: you can deploy these and then have them all in one dashboard, so you can get an idea of what's going on with them, and then from here we can manage them.

Now, what happens is, when you're setting up Untangle it asks if you have a registered Untangle account. You can either create one or sign into yours. Each one of these that you sign into, this all can be blocked if you don't want any remote access to your Untangle via this dashboard. You can shut all this off really easily. You actually implicitly have to turn it on, because by signing into your account, if you don't sign into your account, yes, you can keep using Untangle, but you're not gonna be able to license it, because the licensing works through this. But you can still license it through this and still block access to the dashboard if you so wanted to. The nice thing is, this dashboard means I don't have to open up any ports for management. It keeps a secure proxy connection via the Untangle dashboard. So we've looked at this, how it works. It's really clever. It's a really nice system.
So let's actually get into managing Untangle. So I've zoomed in specifically to the one running at my house. It's got some appliance warnings because there's only two days left of my trial. We've been using this at home because I wanted to gather a lot of stats on it. It's too much work to switch our entire work environment over to this, so like I said, I just did some testing at home so I can kind of get an idea of what works, what blocks and things like that, which they have all these reporting and tools, and maybe one day I'll get more into the dashboard, depending on the interest level in this video. But I will show you now Untangle itself and how the reporting looks. So we click remote access, and remote access wants the firewall password, not my Untangle password, again. So I have admin and a password set, and now, via proxy magic from Untangle, I'm into that particular firewall, logged in directly to the one at my house right now. Maybe because proxy, it takes a second to load all the details and get the data pulled, and this is the dashboard for Untangle. And you can see we use the Chromecast a whole lot, which is not surprising for home. Games my kids play make up a big part of it. But one thing I'll say is, right off the rip, their reporting is nice. It's easy.
It makes chasing things down pretty simple. It also makes adding conditions easy, and what I mean by conditions are: you can filter this dashboard out to be down to any specific service or IP address, which makes it really easy when you're doing things like, okay, what's causing the problem, or what's using all this data? Do you want host name equals Chromecast? Say yes. It's gonna take a second, and now it starts filtering this. And what these are is adding conditions up here on the reporting menu. So this is kind of neat, the way it sees this.

Now, the real magic is in the apps. This is what you get to pay for, and once these expire I lose access, but the firewall is not going to, like I said, break at my house. Only I'll lose certain features. So the Application Control, SSL Inspector, Bandwidth Control, and Virus Blocker and Web Filter: those are the things that are paid for. Also WAN Failover, WAN Balancer, Directory Connector, because this does integrate with Active Directory, and Policy Manager, where you can write really specific policies on things. I'm not gonna get too much into that, but it's kind of neat. Branding is kind of cool, because you can do some custom logo and branding. I believe if you buy the home version, I don't know that that's a feature with the home version, but I don't think home users care.

And this is where we're gonna dig in a little bit more about the way this firewall works. So all these applications, you go here, you say install apps, and you just choose which things. If you want web caching, we just go click here. And we're gonna do it right now, on the spot, live here. And it's downloading and enabling the web caching feature at my house with that one click. It's now installed. Click on apps. Right, now that we have the web cache installed, let's go ahead and click on the web cache. Any app, they all have the same common interface. We can go ahead and click enable. I understand the risk. Clear the cache. It's got there.
So clear cache requires restarting the caching engine, what will be disrupted. But it's pretty cool. These apps all have these really simple interfaces to them. So actually I'll leave that on, why not. Let's look at the other one, like the Application Control. Same thing: slide button and enable. Here's the applications and some of the rules, and of course then the reports.

Now, web filtering versus application control: this is where the magic is. And what this allows you to do is you can flag, tarpit or block each of these applications. So we can go through here and go, all right, we want to get rid of or remove this, and take and apply a policy to someone and go, right, we want to block social media and block gaming. We just want to go no more 4chan at my house. So we just do this. You can either tarpit it or block, and the difference between tarpit and blocking is explained. By the way, their documentation at wiki.untangle.com is very thorough and nice. Generally you want tarpit applications that are hard to block may attempt to recommend blocking. Block will reset the TCP connection so the client knows immediately the session has been reset. Tarpit will acknowledge the receipt of data but not send the data, so it's silently dropped. For blocking web applications in a browser, block is usually better, as tarpit will cause a browser to hang as it waits for data, which can cause issues for the user. So when you block it, it just lets them know right away it's blocked. It drops the connection. It's using a TCP drop, so it's like immediate.
They go, well, that connection's broken, I can't get to whatever that person is not blocked from. Now this is just nice, and this is the thing that a lot of people are looking for with all the different free firewalls. That's really hard to do, because of these feeds. These feeds are constantly updated in order to assess this. This is the secret sauce, if you will. It's not really secret; it's a lot of hard work putting these together and understanding how you can turn it into one click. Because 4chan doesn't represent just a single website. There's a lot of pieces, there's a lot of components behind there. So blocking, it's not as simple as just we put in a DNS entry and it's blocked. You can do that, but then you always find people who are getting around it, and that's where the problems start to come in, as people get around you and you're like, well, why can't I do this? It's also a game, even with the folks at Untangle or any other web filtering company. It is a constant battle, a cat and mouse game, of people figuring out a way to get around your firewall. And this is just a layer of you're trying; at least you put the effort in. I'm not a big fan of web block, and we do no web filtering here at my office. But it's one of those things that a lot of people do look for, and generally speaking the average user is pretty well blocked by these things. The advanced user that figures out how to get around, VPNs, with different SSL tools, they're gonna still get around the blocking. By the way, just making sure: this is not the end-all solution that makes your web perfectly safe to use.

Now, the Web Filter works much the same way, but it's specifically just for the website. So it's more the blunt object, and it's got the site lookup, so you can see where it falls on the list. Block sites, pass sites, pass client rules, advanced. So it's the same thing, but a little bit more blunt. Application is at the application level, and it's using their heuristic system to understand what those applications
are, to categorize them. Web filtering is kind of like it sounds, just filtering general websites together. So it's cool; using them in combination and tandem, it works very well.

Now, a few other things that are in here that I like. This is part of the free version. The IPsec VPN is part of the paid version there, but the free version comes with OpenVPN and Tunnel VPN. And Tunnel VPN is something a lot of people have asked about, and they've made it really easy to do here inside of Untangle. Just like it says up top: Tunnel VPN provides connectivity through encrypted tunnels to remote VPN and services. So we're gonna go ahead and look at tunnels. We're gonna click add tunnel, select provider. Now, they support customization so you can use specific different companies, but they have built in NordVPN and ExpressVPN and Private Internet Access. So a couple of popular VPN providers. They just let you log in and then tunnel your entire network through this. That's pretty awesome, the fact that they built this in and made it very turnkey for a lot of people. I've done videos on this, of how to do this in other firewalls, and it's not a lot, but it's still some setup and steps and things you have to go through, and it's why my video is a little bit longer on it, because I get very detailed on how this works and I like doing it in a very controlled way. But it's nice that they have an automagic way that you just log in with your username and password for your OpenVPN or Private Internet Access file and away you go.

And then to go a step further, this is, sometimes people have a challenge with this: it's policy routing. And what policy routing does, and they have this built in, is you can take a condition and force it through either route normally or available only through the tunnel. So now you can start creating all the rules right in here to say, all right, I want, and they have a couple of example ones that maybe you want to do: route all tagged with BitTorrent usage over a tunnel, because you want
your BitTorrent usage to go through one of the VPN providers such as PIA, and then you want your other internet to just go through your normal, standard provider. Because, as some people have noted already who have done full tunneling of their entire network, you start having problems with a lot of sites like Netflix, and a lot of places block you from coming in from a VPN. So if they see that you're operating out of a VPN, they may block you, and some sites do that for reasons. And this way you can still have things like maybe your Chromecast connecting directly to Google and working the way you want, but then your BitTorrent usage going out over a VPN, or any other, maybe just a single computer. So you can create a policy to route just one computer on your network over the VPN and the rest there. This is, like I said, really nice that this is a turnkey feature.

And by the way, anytime you change something, it's really small down at the bottom, if you're looking for the save button. Which I did; that's the only, not complaint, but at least challenge I had when I first got the firewall going. It's asking me to save things but I can't figure out where to save them. It's down here in the bottom right hand corner, everywhere, and anything you change you want to save. So, unsaved changes will be lost, you want to continue? Let's go ahead. So yes, it takes us out of there.

For those of you looking for that more robust level of filtering, this does have an SSL Inspector, and if you're not familiar with the SSL Inspector, it means you have to add to the trust certificate in order to make this trust your computer. So I actually go over here, SSL Inspector. So they have a page that really talks about it in detail, of how to install the cert. You just go HTTP, the IP address of your Untangle internal firewall, slash cert, and then we're going to pull up what it looks like. So this is a Windows 10 virtual machine I have set up behind an Untangle VPN.
I'm starting the Untangle firewall in my virtual machine, the one I actually showed at the beginning here. Um, the thing about this is, running it like this with the SSL Inspector turned on didn't really impress me, because one of the problems you run into right away is, what browsers are going to use? Google Chrome. Well, Google Chrome has certificate pinning in it for the Google sites. So here we are at SSL Labs, and you can see that, hey, cool, I've got all these things installed and I can pass an SSL cert, and the SSL cert is fine here. I get a privacy error on Google. And I want to give a heads up on this: they're aware of the problem, and it's right here at the bottom. SSL Inspector does not seem to be working with Google Chrome. Why? New Chrome versions use the protocol QUIC to communicate with Google; adding a firewall rule, a filter rule, to block 443 QUIC forces Chrome to use HTTPS. Also the certificate error. So the two problems here are the QUIC protocol and that.

And, um, I don't know, this is actually, let's dig a little deeper, not to get too far off topic. Let's talk about this real quick: a quick guide to QUIC over on the Cisco blog. And I brought up Cisco because people know them as the big commercial firewall company with filtering. They have a problem with the QUIC protocol as well. And this QUIC protocol, I'll maybe do a video on it soon. They just got ratified. So the answer a lot of these companies have is to block it so you can filter better. But on the other side of it, it is becoming a standard, and all these companies that do any type of filtering are having a really hard time with it.
So it's not an Untangle-specific problem. It is a problem with this protocol, because it's harder to see into. The second part is the pinning part of the certificates. It's a Google thing, because, so, we can't open google.com here after installing the trusted cert because the SSL Inspector is intercepting it and Google doesn't like being intercepted. But when you use Microsoft Edge, oh, the horror of using Edge, you notice that Google has no problem with it, because Google specifically, because they write the Chrome browser, they have extra certificates in the Chrome browser that double check and don't like anything in between. There's some workarounds; I haven't dug into them a lot. But I just want to make sure people who may want to try this and want to go full-blown filtering, where they put a certificate on each device so that allows visibility into the encrypted tunnels, so Untangle can do a higher level of filtering and get really specific reports on this: that is going to be a problem for you if they're using the Chrome browser. I believe it works fine with Firefox, and it does work with Edge. So I just want to bring those up real quick. Close off. So outside of that, though, it works fine if you do turn on the SSL. I guess I wanted to make sure I tested it.

Now let's go back over to the demo we have. Oh, and kind of related, if you wonder why there's an OpenVPN here: the OpenVPN installer is the same as I've seen on some of the other firewalls. It's the standard OpenVPN GUI, so you can VPN in when you're setting up the VPN. So let's go back over and close this. And I don't have the SSL Inspector turned on at my house. That's why I showed you the demo that I have here, and the reason why is I'm not going to go put certificates on all the devices in my house. I don't like that. That's not something I recommend. It's something we do only as needed in business use cases. But certainly I don't recommend it for home, but you can do it.
It's an option. Now, quickly cover the OpenVPN setup. Once again, it's very turnkey. Everything so far about this firewall, it was very easy to do, no problem. Just enable it, go to the server, set your address space, add a user, add clients. It's got its own local directory of users, or this does support Active Directory integration. And it's nice having these things out of the box. So if you're deploying this in your office and you go, hey, I just have an Active Directory server and I want to apply it, Untangle's an easy solution because they have that integration on there. So I've tested the VPN. It works perfectly fine. No gotchas, no long config. Matter of fact, one of the easiest ones I've set up in quite a while. Just go here, and nothing special needed, and you download the OpenVPN client. And of course they've got reporting on the VPN. We'll get to reporting last.

Now, a few of these other things, and like I said, WAN Failover, WAN Balancer: you literally just go ahead and add a second WAN port and test it and it works. We did test this and we didn't have any problems with setting up failover. We demoed that. All these things we've tried so far with it were very easy, obvious, just to go into.

Now let's look at the config. The config is neat. Back to simplicity. Here's all the interfaces that are on the box we're using at my house: external, internal. Remap interfaces, so we can simply remap all of them. And you ask, well, how do you know if an interface is WAN or LAN? In other firewalls, you just have to choose whether or not it's a gateway, and in this one you just say, by address, check the box, is WAN. It's a static, a DHCP or a PPPoE. That's it. Done. Really, really straightforward. And if you want to rename these interfaces, uh, it just names them gamma, delta, epsilon, zeta. So let's go over here. Interface, and two. There we go. We've now changed your name. It's really, my overall, like, this was pretty easy to do, and I gotta admit, for doing all this in a web browser,
it's actually, uh, it's nice. And I'm gonna move my head out of the way here and move it over here, but you get interface statistics, drop errors for internal, externals. So some of these things are still easy enough to do. You can see different ARP entries and addresses of all the devices on my network. Host name can be changed here. Uh, services, port forwarding rules, which I forward my as a state server from home, works fine. NAT rules, bypass rules, all your standard things you need. They have a few troubleshooting tools in here as well: ping test, DNS test, connection test, traceroute, download and packet test. So if I want to see how fast I can download something, they have a couple of options here. So we're going to go a five meg test from CacheFly. Looks like my internet connection is working reasonably fast at home. These are, like I said, nice features you can jump into and, uh, take a look at. You can also go into some advanced, you know, enable the SIP NAT helper and a few other things on there. So if you're having some trouble figuring these things out, you can turn on things like NetFlow and dig into it a little bit further. I haven't played with all the different tools on there. And for those of you wondering, it does support by default a fair queuing, fq_codel, which is a pretty hands-off, easy to use QoS interface. And once again, it's got full traffic shaping abilities, and for the paid version, we'll go back over to apps, you do have the bandwidth management, so you can get more in depth and create priorities, which they have a wizard that makes this really easy to do. So you just run the bandwidth control wizard and away you go.

Um, administration, multiple users, uh, system information, auto upgrades. It asks you if you want to turn them on. Yes, you can. Uh, it'll just automatically update the firewall. Um,
I'm Automatic upgrade schedule you check when you want it to do and what time you want it to do if you want this Or don't upgrade automatically because you want to do it all manually if you have a busy corporate environment that's operating at 24 7 Maybe you don't want it to upgrade automatically Email and event options and an about page Now let's get into the reports because this is something I thought they did a nice job on so since today This week. So let's let's start digging into tom's reports. Where has tom's People been going so let's look at the web usage You can filter these like filtered it for this week. I can add a condition to only find my computer Um, but yeah, this is this is nice. They have just Reports stacked on reports stacked on reports. I don't have any block sites. I guess or nothing in there. So they find something else um device reports To device additions to the network. I added two chrome casts yesterday So I can right away find that I added those. This is what time I added them So kind of neat device updates So when devices were uh taken on an office from people coming over my house and connecting their phones to my network Uh, you can run failover reports. Nothing to report there Open vpn summary. I don't uh, so I have Yeah, I don't have any in the last week that I've done any testing with the vpn tunnel vpn everything is a Same commonality of how these reports on their application controls top applications by session. So we can dig into What was pulling data across uh top applications by size? Let's see SSL was 25 gigabytes and quick was 20 gigabytes So that protocol, which I don't have blocked is obviously a big part of the internet So here we see netflix was 1.5 gigabytes of the data I think netflix is probably filtered somewhere in here and maybe it can't see it This is again one of those tricky things Uh a bit to our stuff that's going on on my network. 
So that was when we say flagged applications. Ah, yeah, I do flag it in the options, and flagging it creates a report for us flagging it. So kind of neat. Uh, tom lords pc, that's my gaming computer. So we can see that, like I said, they've got a lot of details in here. Um, the Phish Blocker I wasn't using, and like I said, I didn't think I really filtered too many websites. So I can see who's pulling all the web data, uh, whoever .198 is. And there's ways you can go through and name, and DHCP server and all that. So I just want to give this overview of it as a firewall. Maybe I'll do some more in-depth videos on specific things. It's extensive, but the good news is their documentation is extensive. It's a commercial product, so you get commercial support with the paid licenses on it. Um, like I said, their sales staff, when I talked to them, are great.

My overall impressions of this after only using it for a couple of weeks was really positive. Like I said, we're going to become a reseller because we've seen these out in the field and they've always seemed to work really well. So this is going to be just another solution. We're not getting rid of every other firewall we've ever talked about. We're not a company that focuses on a single vertical, single product, we only deploy one thing for clients. We deploy things that fit solutions based on their use cases. So Untangle is just another tool in our toolkit of things we're going to be offering to our clients. And it seems to be a really solid product, and when I've compared it to some of the other ones out there, FortiGate, Meraki, Sophos, just the fact that I can't even get a price for some of those other companies without digging into it. I haven't had a lot of experience with Sophos.
I will say my experience of FortiGate for clients using it has been less than great. But my experience with Untangle, from using it and from talking to my tech friends, has been absolutely smooth and wonderful, and you can see almost how magical this whole system is and how it works pretty out of the box and turnkey. And I didn't need to reference even their support documentation much just to get it up and going and set up. So go ahead, 14 day free trial if you want to try it. Um, there's no offer codes. I have no affiliation with this company. We're offering it as a solution to our clients, so you may buy it as us installing a solution, but you can just go to Untangle's website and click buy and download it yourself. There's not any affiliate links with this. This is not sponsored by Untangle. This is just me sharing my enthusiasm for it. And thanks.

Thanks for watching. If you like this video, go ahead and click the thumbs up. Leave us some feedback below to let us know any details, what you like and didn't like as well, because we love hearing the feedback. Or if you just want to say thanks, leave a comment. If you want to be notified of new videos as they come out, go ahead and hit subscribe and the bell icon that lets YouTube know that you're interested in notifications. Hopefully they send them, as we've learned with YouTube. Anyways, if you want to contract us for consulting services, you go ahead and hit lawrencesystems.com and you can reach out to us for all the projects that we can do and help you. We work with a lot of small businesses, IT companies, even some large companies, and you can farm different work out to us, or just hire us as a consultant to help design your network. Also, if you want to help the channel in other ways, we have a Patreon. We have affiliate links.
You'll find them in the description. You'll also find recommendations to other affiliate links and things you can sign up for on lawrencesystems.com. Once again, thanks for watching and I'll see you in the next video.