W4 or Z4 have remote management?

  • W4 or Z4 have remote management?

    Do the small Untangle appliances have a remote management interface, like an IPMI remote console, etc.?

    I don't see it in the feature list so I'm assuming not but I wanted to double-check.

  • #2
    This is what ETM is. Your account on ETM allows for remote access and configuration.

    ETM Dashboard makes it easy to manage your NG Firewall or Micro Edge appliances remotely.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email [email protected]



    • #3
      I'm talking about out-of-band management, for cases when the firewall has crashed, is off, down, unbootable, etc. If the firewall is booted up and functioning enough that ETM would work, I don't need it.



      • #4
        Originally posted by johnsonx42
        I'm talking about out-of-band management, for cases when the firewall has crashed, is off, down, unbootable, etc.
        There's a recovery console if the unit can boot far enough to get past the BIOS/UEFI. Other than that, no: if the NG Firewall software can't start, it's not possible to manage it in any capacity.
        Græme Ravenscroft • Technical Marketing Engineer
        ('gram', like the unit of measurement)
        he/him
        How can we make Arista ETM products better?



        • #5
          They do not have out of band management of any sort. They do have remote admin capacity either via configured access rule directly, or the Command Center.

          And you shouldn't need out of band management by the way, if you do you need to be onsite because you're going to be rewiring things. If you need an emergency option in this space, that's what VRRP and a warm spare appliance is for.
          Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
          NexgenAppliances.com
          Phone: 866-794-8879 x201
          Email: [email protected]



          • #6
            well I had a good example just this morning of a case where lights-out management would've been very helpful on a Z4. the customer's internet access was down... I couldn't connect to OpenVPN or access their firewall in any way. I really couldn't figure out what all was wrong, the combination of symptoms didn't seem to add up to any single thing; I did what I could over the phone, but decided to stop guessing and get in the car. On arrival I immediately discovered the Z4 was off; the lights the customer reported as being lit were just the ethernet port lights. I connected a keyboard/monitor/mouse to the Z4 and got into the setup - the factory had set the BIOS "Power state after power failure" setting to "Stay OFF". Rather ridiculous that a firewall device would ship set to remain off after a power failure.
            Obviously with remote management I would have easily discovered the unit was off, and could've pushed the button remotely.



            • #7
              Originally posted by johnsonx42
              well I had a good example just this morning of a case where lights-out management would've been very helpful on a Z4. the customer's internet access was down... I couldn't connect to OpenVPN or access their firewall in any way. I really couldn't figure out what all was wrong, the combination of symptoms didn't seem to add up to any single thing; I did what I could over the phone, but decided to stop guessing and get in the car. On arrival I immediately discovered the Z4 was off; the lights the customer reported as being lit were just the ethernet port lights. I connected a keyboard/monitor/mouse to the Z4 and got into the setup - the factory had set the BIOS "Power state after power failure" setting to "Stay OFF". Rather ridiculous that a firewall device would ship set to remain off after a power failure.
              Obviously with remote management I would have easily discovered the unit was off, and could've pushed the button remotely.
              This is exactly why I used to use Supermicro units. They all have IPMI built in and license free!



              • #8
                Originally posted by dashpuppy

                This is exactly why I used to use Supermicro units. They all have IPMI built in and license free!
                Yep, the reason I asked the question originally is I have a very distant site (like airfare & hotel distant) that is sometimes lights-out/doors-locked for a week or more at a time, and I had a Supermicro Atom D525-based Untangle in there for about 10 years; it just failed so I need to replace it (as a temporary solution I built a new Untangle on their VMware server). A Z4 seemed like a simple and cheap answer, until I realized it doesn't have remote management, and having that remote management on the Supermicro has saved the day more than once over the last 10 years.



                • #9
                  Originally posted by johnsonx42
                  well I had a good example just this morning of a case where lights-out management would've been very helpful on a Z4. the customer's internet access was down... I couldn't connect to OpenVPN or access their firewall in any way. I really couldn't figure out what all was wrong, the combination of symptoms didn't seem to add up to any single thing; I did what I could over the phone, but decided to stop guessing and get in the car. On arrival I immediately discovered the Z4 was off; the lights the customer reported as being lit were just the ethernet port lights. I connected a keyboard/monitor/mouse to the Z4 and got into the setup - the factory had set the BIOS "Power state after power failure" setting to "Stay OFF". Rather ridiculous that a firewall device would ship set to remain off after a power failure.
                  Obviously with remote management I would have easily discovered the unit was off, and could've pushed the button remotely.
                  Untangle is a database server, you do not want a database server bouncing. If you enable the power on after power fault setting in the BIOS you're setting yourself up for a reinstall instead of a push button. Train the locals better. Again unless you want to watch Postgres splatter all over the pavement, leave the power on after failure feature of the BIOS disabled!

                  Also, since Untangle is the router itself, if it's down your lights out should be down too... that is unless you're maintaining an entirely separate infrastructure to do that. And if you're going that far, spending on an IPKVM to handle that load is trivial. And if you have your out of band directly connected to the internet someplace when it can control your network security device... You have no security. Don't look at me like that, I've seen it... and it makes me cry!
                  Last edited by sky-knight; 11-09-2022, 08:32 AM.
                  Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                  NexgenAppliances.com
                  Phone: 866-794-8879 x201
                  Email: [email protected]



                  • #10
                    Originally posted by sky-knight

                    Untangle is a database server, you do not want a database server bouncing. !
                    That said, why has Untangle never supported UPSes?



                    • #11
                      Originally posted by donhwyo

                      That said, why has Untangle never supported UPSes?
                      Because it can be properly shutdown via a script from a properly managed UPS? They don't have to do everything for you, and backup is built into the subscription. Besides, do you really want the ability to power down your router via USB device? That's another slew of issues! (apcupsd isn't a panacea)

                      But I suppose setting up certificate based authentication on the root account, properly and securely configuring the access rules to enable SSH from the trusted location, and making use of a plink single command script via the above to actually cleanly shutdown the OS remotely from within Powerchute is just too hard for some folks.

                      Some folks I'll just flat out say right here right now, don't deserve to call themselves IT professionals. This is 101 level stuff, and no one should have to do it for you. Network equipment needs management in a power down scenario, ALL OF IT. Untangle is no exception, Unifi is no exception, Aruba, Threatwall, Watchguard, WHATEVER doesn't matter! How an engineer integrates all that is hard, and it matters. But this is also why everyone else took all real functionality off the box and put it in the cloud. But even still with simpler systems like USG and Sonicwall you wind up with power related issues from time to time.

                      I live in a place with constant power faults. I put Untangle on a good surge strip, with offsite backups built in, and local users trained to push a power button when they come in the morning after a storm. I have very little down time, it's only the larger environments that want to invest in the top part of this post. So you don't even have to go as hard as what I just indicated to be successful, most of my installs don't!

                      I just don't want to see people enabling machines to autopower up after a fault. That usually results in corrupted databases and a mandated format and restore. That's even more time than driving over there to push a power button until someone local with access gets it.

                      Disaster Recovery doesn't mean a tech solution, sometimes the best solution is a human brain with a solid plan on paper. Indeed, I prefer the latter it's far more flexible!
                      Last edited by sky-knight; 11-10-2022, 05:43 AM.
                      Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                      NexgenAppliances.com
                      Phone: 866-794-8879 x201
                      Email: [email protected]
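
An added sketch of the key restriction the post above describes (not code from the thread, from Untangle or from Arista): a forced-command `authorized_keys` entry so the UPS host's key can only trigger a clean shutdown, plus a check that flags root keys lacking such limits. The address 192.0.2.10, the key blobs and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example; addresses and key blobs are constructed placeholders.
# Assumes OpenSSH sshd on the firewall and a UPS host at 192.0.2.10.

# Build an authorized_keys line pinning a key to one source and one command.
# "restrict" disables PTY and all forwarding; with command= set, sshd runs
# that command no matter what the client (e.g. plink -batch -i key.ppk) asks.
restricted_entry() {  # $1 source address, $2 forced command, $3 public key
    printf 'restrict,from="%s",command="%s" %s\n' "$1" "$2" "$3"
}

# Constructed sample file: one pinned key, one bare key, one half-limited key.
sample_keys() {
    restricted_entry 192.0.2.10 '/sbin/shutdown -h now' \
        'ssh-ed25519 AAAAC3NzaCONSTRUCTED1 ups@mgmt'
    printf '%s\n' '# bare key: full root shell from any address' \
        'ssh-rsa AAAAB3NzaCONSTRUCTED2 admin@laptop' \
        'from="192.0.2.10" ssh-ed25519 AAAAC3NzaCONSTRUCTED3 nocmd@mgmt'
}

# List keys lacking a from= or command= limit; exit status 1 if any exist.
audit_keys() {
    awk '
    # Return the first whitespace-delimited field, honouring quoted strings.
    function first_field(line,   i, c, q) {
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\\") { i++; continue }      # skip escaped character
            if (c == "\"") q = !q
            else if (!q && (c == " " || c == "\t")) break
        }
        return substr(line, 1, i - 1)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    {
        sub(/^[ \t]+/, "")
        f = first_field($0)
        # A line that starts with the key type carries no options at all.
        opts = (f ~ /^(ssh-|ecdsa-|sk-)/) ? "" : ("," tolower(f))
        if (opts !~ /,from="/ || opts !~ /,command="/) {
            print "UNRESTRICTED line " NR
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}
```

On the firewall, `audit_keys /root/.ssh/authorized_keys` (the default OpenSSH location for root, assumed here) reports any key that would still grant an unrestricted root session.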



                      • #12
                        Originally posted by sky-knight

                        Because it can be properly shutdown via a script from a properly managed UPS? They don't have to do everything for you, and backup is built into the subscription. Besides, do you really want the ability to power down your router via USB device? That's another slew of issues! (apcupsd isn't a panacea)

                        But I suppose setting up certificate based authentication on the root account, properly and securely configuring the access rules to enable SSH from the trusted location, and making use of a plink single command script via the above to actually cleanly shutdown the OS remotely from within Powerchute is just too hard for some folks.

                        Some folks I'll just flat out say right here right now, don't deserve to call themselves IT professionals. This is 101 level stuff, and no one should have to do it for you. Network equipment needs management in a power down scenario, ALL OF IT. Untangle is no exception, Unifi is no exception, Aruba, Threatwall, Watchguard, WHATEVER doesn't matter! How an engineer integrates all that is hard, and it matters. But this is also why everyone else took all real functionality off the box and put it in the cloud. But even still with simpler systems like USG and Sonicwall you wind up with power related issues from time to time.

                        I live in a place with constant power faults. I put Untangle on a good surge strip, with offsite backups built in, and local users trained to push a power button when they come in the morning after a storm. I have very little down time, it's only the larger environments that want to invest in the top part of this post. So you don't even have to go as hard as what I just indicated to be successful, most of my installs don't!

                        I just don't want to see people enabling machines to autopower up after a fault. That usually results in corrupted databases and a mandated format and restore. That's even more time than driving over there to push a power button until someone local with access gets it.

                        Disaster Recovery doesn't mean a tech solution, sometimes the best solution is a human brain with a solid plan on paper. Indeed, I prefer the latter it's far more flexible!
                        All that is good but the target of Untangle is small office, home office, etc. Proxmox can work with a UPS. Just steal that code and charge for it. LOL



                        • #13
                          Originally posted by donhwyo

                          All that is good but the target of Untangle is small office, home office, etc. Proxmox can work with a UPS. Just steal that code and charge for it. LOL
                          I've seen that process brick VMs... and it only works with specific APC branded UPSs none of which are the new Lithium units. If a Hypervisor is involved in the APC reality the only safe way forward is either the really expensive UPSs that have their own management that can issue commands, or the less expensive units slaved to Powerchute that issues commands instead.

                          The latter I've had great success with. But, even that is irrelevant because SMBs don't have servers on premise anymore. So you slap APCUPSd on a rpi and have that issuing commands.

                          Because again, you don't need to properly shutdown just Untangle, you need to properly shutdown the entire network stack. Saving Untangle does you no good if you've confused the cable modem and primary switch flanking it!

                          And even that honestly... I'm not sure is needed anymore. If I disable automatic restart in the BIOS and run NGFW on a quality SSD I've lost exactly zero machines to power failure. Push the button, and they simply reboot. What kills the database isn't the dirty down, it's the dirty down after the dirty down. Which again is why you don't allow the system to restart while the power is yoyo'ing. If you have a decent UPS on Untangle, it can be configured to not provide power to the equipment until it has a configured charge level in reserve. If you enable that feature, and set it to whatever charge level can hold the equipment up for at least 10min after reboot... you could safely enable the automatic restart in NGFW's supporting BIOS.

                          All you have to do is engineer to avoid the bounce, the down is fine, the down after the down is the problem. The UPS is required for this, integration with it is not.
                          Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                          NexgenAppliances.com
                          Phone: 866-794-8879 x201
                          Email: [email protected]



                          • #14
                            Originally posted by sky-knight

                            If you have a decent UPS on Untangle, it can be configured to not provide power to the equipment until it has a configured charge level in reserve.
                            Thanks. I have not looked at UPSes for a long time and didn't know that was an option. I was about to order a new battery but will look for a new UPS instead. Is there a search term for that feature?



                            • #15
                              It's a standard feature of the SmartUPS line, I'm pretty sure Symmetra does it too... but that's out of the SMB wheelhouse. You need a SmartUPS with either Powerchute on a Windows machine to configure it or an APC unit that has its own internal NIC with configuration options. None of this is "cheap" of course.
                              Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                              NexgenAppliances.com
                              Phone: 866-794-8879 x201
                              Email: [email protected]

