Dashboard
System overview
0 Online
0 Offline
0 Orphan
Auto-refresh: 30s
Devices
—
Online Devices
—
Agents
—
Threats (24h)
—
Blocked IPs
—
Rule Hits
—
SIEM Alerts
—
Events (24h)
—
TI Entries
—
Active Feeds
—
Threat Activity (Last 24h)
Recent Threats
| Time | Agent | Source IP | Threat | Action | Reasoning |
|---|---|---|---|---|---|
System
Resources
Connection
Client Info
Threat Summary
Bandwidth
No bandwidth data yet
Bridges
Interfaces
IP Set Assignments
Geo CIDR Lists
Firewall Hardening
Enable automatic blocking of invalid or malicious traffic patterns. Changes apply on next device sync.
• Block INVALID state: DROP packets with INVALID conntrack state
• Block XMAS scan: DROP packets with all TCP flags set (FIN+URG+PSH)
• Block NULL scan: DROP packets with no TCP flags set
• Block Bogon IPs: DROP bogon/martian source IPs (0/8, 127/8, 224/4, etc.)
• Block Fragments: DROP fragmented IP packets
• Block Port Scan: Rate-limit new connections to detect port scanning
• Block SYN Flood: Rate-limit SYN packets to prevent SYN flood attacks
• Log Drops: LOG before DROP for hardening rules (GLACEWALL_HARDEN prefix)
Log Sources
| Time | Source | Dest | Proto | Threat | Action | Reasoning |
|---|---|---|---|---|---|---|
Orphan Devices
Unassigned devices awaiting adoption
| ID | Hostname | OS | MACs | Status | Registered | Actions |
|---|---|---|---|---|---|---|
Investigate
Analyze and act on log entries
Critical (8-10)
—
Warning (5-7)
—
Low (0-4)
—
Total
—
Filters
Results
| Time | Source | Server | Src IP | Method | URI | Status | Message |
|---|---|---|---|---|---|---|---|
Agents
Firewalls, defenders, and collectors
Install Agent
Install Glacewall agent on any Linux server. Auto-detects services, prompts for defender or collector mode:
curl -fsSL https://master.glacewall.fi/install.sh | bash
| ID | Hostname | Type | Sources / IP Sets | Status | Last Seen |
|---|---|---|---|---|---|
Orphan Devices
| ID | Hostname | Type | Fingerprint |
|---|---|---|---|
Log Feed
Real-time SIEM events & log history
Disconnected
Live Feed 0 events
Waiting for events...
| Time | Agent | Source | Dest | Proto | Threat | Action | Reasoning |
|---|---|---|---|---|---|---|---|
IP Lists
IP sets & entries
Search IP
Clients
Multi-tenant management
| ID | Name |
|---|---|
Users
| ID | Username | Role | Client | Created |
|---|---|---|---|---|
My Profile
Account settings and password
Account
Change Password
Configuration
System settings
Telegram Bot
Send a message to the bot first, then click Refresh to discover available chats.
Threat Settings
System Logs
Master server events and errors
Application Log
Auto Rules
Automatically add IPs to IP sets when log entries match patterns
Auto Rules match single log entries using regex patterns and exact filters.
When a log matches, the source IP is instantly added to the selected IP set:
• "URI matches /wp-login + status 4xx → add to blocklist"
• "Log source sshd + message matches Failed password → add to ssh-blocklist"
For multi-event attack detection, use Correlation Rules.
Hostile URI Scanner — auto-blocks IPs probing known malicious paths (4xx/5xx)
Friendly URI Whitelist — never flagged as hostile
New Rule
LOG SOURCE
HTTP FILTERS
AUTH / IDENTITY FILTERS
LOG MESSAGE FILTER
Shortcuts:
{ip4}
{ip6}
{ip}
{port}
{user}
{path}
{num}
{any}
THRESHOLD (optional — for brute force detection)
Leave empty for instant trigger on first match. Set both to require X hits from same IP within Y seconds before blocking.
Matching log entries grouped by IP
| Name | Patterns | IP Set | Hits | Last Hit | Status |
|---|---|---|---|---|---|
Geo CIDR Lists
Country-based IP blocking using CIDR ranges
Sync Countries
Stored CIDR Lists
| Country | IP Version | CIDRs | Direction | Enabled | Last Updated |
|---|---|---|---|---|---|
SIEM Dashboard
Security event overview
Events (24h)
—
Unresolved Alerts
—
Threat Intel Hits
—
Active Feeds
—
Recent Alerts
| Severity | Rule | Source IP | Events | Action | Time |
|---|---|---|---|---|---|
Top Source IPs
| IP | Events | Threat Intel |
|---|---|---|
Event Categories
SIEM Alerts
Correlation alert management
Filters
Alerts
| Severity | Rule | Source IP | Events | Action | Time | Status |
|---|---|---|---|---|---|---|
Threat Intelligence
Manage threat feeds and check IPs
IP Threat Check
Add Threat Feed
Threat Feeds
| Name | URL | Type | Entries | Last Sync | Status | Actions |
|---|---|---|---|---|---|---|
Audit Log
Immutable audit trail
Filters
Audit Entries
| Time | Action | Detail | By | IP |
|---|---|---|---|---|
Correlation Rules
SIEM event correlation and automated response
Correlation Rules detect complex attack patterns by chaining multiple events together over time.
Unlike Auto Rules (single log entry → action), these analyze patterns across many events:
• Threshold — "50 login failures from same IP in 60 seconds → block + alert"
• Sequence — "N login failures followed by 1 success from same IP → brute force detected"
The correlation engine runs every 30s, checking these rules against normalized events.
New Correlation Rule
| Name | Type | Severity | Action | Window | Threshold | Hits | Status |
|---|---|---|---|---|---|---|---|