DefGuard
diff --git a/‎.gitbook/assets/Screenshot 2025-08-01 at 13.38.44.png‎
462 KB b/‎.gitbook/assets/Screenshot 2025-08-01 at 13.38.44.png‎
462 KB
diff --git a/‎SUMMARY.md‎
Lines changed: 7 additions & 10 deletions b/‎SUMMARY.md‎
Lines changed: 7 additions & 10 deletions
diff --git a/‎about/features-overview.md‎
Lines changed: 12 additions & 12 deletions b/‎about/features-overview.md‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎activity-log/README.md‎
Lines changed: 4 additions & 4 deletions b/‎activity-log/README.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎activity-log/activity-log-streaming/activity-log-integrations/logstash-integration-guide.md‎
Lines changed: 1 addition & 1 deletion b/‎activity-log/activity-log-streaming/activity-log-integrations/logstash-integration-guide.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎activity-log/activity-log-streaming/activity-log-integrations/vector-integration-guide.md‎
Lines changed: 3 additions & 3 deletions b/‎activity-log/activity-log-streaming/activity-log-integrations/vector-integration-guide.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎admin-and-features/access-control-list/README.md‎
Lines changed: 25 additions & 25 deletions b/‎admin-and-features/access-control-list/README.md‎
Lines changed: 25 additions & 25 deletions
@@ -16,14 +16,14 @@
 
 * [Overview](admin-and-features/overview.md)
 * [Zero-Trust VPN with 2FA/MFA](admin-and-features/wireguard/README.md)
-  * [Create/manage VPN Location](admin-and-features/wireguard/create-your-vpn-network.md)
+  * [Create/Manage VPN Location](admin-and-features/wireguard/create-your-vpn-network.md)
   * [Network overview](admin-and-features/wireguard/network-overview.md)
   * [Executing custom gateway commands](admin-and-features/wireguard/executing-custom-gateway-commands.md)
   * [Multi-Factor Authentication (MFA/2FA)](admin-and-features/wireguard/multi-factor-authentication-mfa-2fa/README.md)
     * [MFA Architecture](admin-and-features/wireguard/multi-factor-authentication-mfa-2fa/architecture.md)
   * [Remote desktop client configuration](admin-and-features/wireguard/remote-desktop-activation.md)
   * [DNS and domains](admin-and-features/wireguard/dns-and-domains.md)
-  * [VPN & Client behavior customization](admin-and-features/wireguard/behavior-customization.md)
+  * [VPN & Client behaviour customization](admin-and-features/wireguard/behavior-customization.md)
 * [Remote user enrollment](admin-and-features/remote-user-enrollment/README.md)
   * [User onboarding after enrollment](admin-and-features/remote-user-enrollment/user-onboarding-after-enrollment.md)
   * [Automatic (real time) desktop client configuration & sync](admin-and-features/remote-user-enrollment/automatic-real-time-desktop-client-configuration.md)
@@ -100,19 +100,16 @@
 ## Using Defguard (for end users) <a href="#help" id="help"></a>
 
 * [Overview](help/overwiew.md)
-* [Desktop Client](help/desktop-client/README.md)
-  * [Instance configuration](help/desktop-client/instance-configuration.md)
-  * [Using Multi-Factor Authentication (MFA)](help/desktop-client/using-multi-factor-authentication-mfa.md)
 * [Mobile Client](help/mobile-client/README.md)
   * [Adding new Instance](help/mobile-client/instance-adding.md)
   * [Connecting to Instance](help/mobile-client/instance-connect.md)
   * [Managing your Instance](help/mobile-client/instance-manage.md)
+* [Desktop Client](help/desktop-client/README.md)
+  * [Instance configuration](help/desktop-client/instance-configuration.md)
+  * [Using Multi-Factor Authentication (MFA)](help/desktop-client/using-multi-factor-authentication-mfa.md)
 * [CLI Client](help/cli-client.md)
-* [Configuring VPN](help/configuring-vpn/README.md)
-  * [Defguard Desktop Client](help/configuring-vpn/add-new-instance/README.md)
-    * [Update instance](help/configuring-vpn/add-new-instance/update-instance.md)
-  * [Other WireGuard® Clients](help/configuring-vpn/adding-wireguard-devices/README.md)
-    * [Configuring a device for new VPN Location manually](help/configuring-vpn/adding-wireguard-devices/configuring-a-device-for-a-new-vpn-location.md)
+* [Other WireGuard® Clients](help/adding-wireguard-devices/README.md)
+  * [Configuring a device for new VPN Location manually](help/adding-wireguard-devices/configuring-a-device-for-a-new-vpn-location.md)
 * [Password change / Reset](help/changing-your-password.md)
 * [Enrollment & Onboarding](help/enrollment/README.md)
   * [With internal Defguard SSO](help/enrollment/with-internal-defguard-sso.md)
 
@@ -3,23 +3,23 @@
 ### Remote Access with WireGuard® VPN 2FA/MFA:
 
 * [**Multi-Factor Authentication**](../admin-and-features/wireguard/multi-factor-authentication-mfa-2fa/) using our [desktop client](https://defguard.net/client)
-* **multiple VPN Locations** (networks/sites) - with defined access (all users or only Admin group)
-* multiple [Gateways](https://github.com/DefGuard/gateway) for each VPN Location ([**high availability/failove**](../deployment-strategies/high-availability-and-failover.md)**r**) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense
-* import your current WireGuard server configuration (with a wizard!)
-* _easy_ device setup by users themselves (self-service)
-* automatic IP allocation
-* kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard support
-* dashboard and statistics overview of connected users/devices for admins
+* **Multiple VPN Locations** (networks/sites) - with defined access (all users or only Admin group)
+* Multiple [Gateways](https://github.com/DefGuard/gateway) for each VPN Location ([**high availability/failove**](../deployment-strategies/high-availability-and-failover.md)**r**) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense
+* Import your current WireGuard server configuration (with a wizard!)
+* _Easy_ device setup by users themselves (self-service)
+* Automatic IP allocation
+* Kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard support
+* [Dashboard and statistics overview](../admin-and-features/wireguard/network-overview.md) of connected users/devices for admins
 
-_defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld._
+_Defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld._
 
 ### Identity Management:
 
 * #### [OpenID Connect](https://openid.net/developers/how-connect-works/) based SSO
 * External [OpenID providers for login/account creation (Google/Microsoft/Custom)](../admin-and-features/external-openid-providers/)
 * LDAP (tested on [OpenLDAP](https://www.openldap.org/)) synchronization
-* nice UI to manage users
-* Users **self-service** (besides typical data management, users can revoke access to granted apps, MFA, Wireguard, etc.)
+* Nice UI to manage users
+* Users **self-service** (besides typical data management, users can revoke access to granted apps, MFA, WireGuard, etc.)
 
 #### [Multi-Factor/2FA](https://en.wikipedia.org/wiki/Multi-factor_authentication) Authentication
 
@@ -33,9 +33,9 @@ _defguard is not an official WireGuard project, and WireGuard is a registered tr
 * User [onboarding after enrollment](https://defguard.gitbook.io/defguard/help/remote-user-enrollment/user-onboarding-after-enrollment)
 * Self-service for password reset
 
-### Yubikey Provisioning
+### YubiKey Provisioning
 
-[Yubikey hardware keys](https://www.yubico.com/) provisioning for users with _one click_
+[YubiKey hardware keys](https://www.yubico.com/) provisioning for users with _one click_
 
 ### Integrations
 
 
@@ -4,19 +4,19 @@
 This feature is available starting from version 1.4
 {% endhint %}
 
-The Activity Log provides a comprehensive view of user interactions within your Defguard instance. This allows you to monitor user behavior, troubleshoot issues, and maintain an audit trail of important activities.
+The Activity Log provides a comprehensive view of user interactions within your Defguard instance. This allows you to monitor user behaviour, troubleshoot issues, and maintain an audit trail of important activities.
 
 ## Viewing Activity log events
 
 Activity log is available as a dedicated page in Defguard core Web UI that's used to manage your instance.
 
-To access it click the `Activity log` button in the navbar.
+To access it, click the `Activity log` button in the navbar.
 
 <figure><img src="../.gitbook/assets/image.png" alt=""><figcaption><p>Activity log page</p></figcaption></figure>
 
 ### Overview
 
-Activity log page displays a chronological list of user-initiated events. By default most recent events are on top.
+Activity log page displays a chronological list of user-initiated events. By default, most recent events are on top.
 
 Each entry in the list contains following fields:
 
@@ -31,7 +31,7 @@ Each entry in the list contains following fields:
 
 Events are grouped into modules based on the part of the system they are related to.
 
-Currently there are four modules:
+Currently, there are four modules:
 
 * **Defguard** - operations performed in the core Web UI (e.g. adding users, modifying devices, managing groups etc.)
 * **Client** - actions performed by desktop client applications
 
@@ -10,7 +10,7 @@ This guide demonstrates how to configure a Logstash service running in Docker us
 
 ### Setup Logstash
 
-Save the following config to `logstash.conf` . This will setup http input for Logstash on port 8002 and output the incoming data into stdout.
+Save the following config to `logstash.conf` . This will set up http input for Logstash on port 8002 and output the incoming data into stdout.
 
 ```
 input {
 
@@ -11,7 +11,7 @@ The goal is to connect Defguard as [HTTP Source](https://vector.dev/docs/referen
 
 ### Setup Vector
 
-For the sake of this example we will follow simple Docker deployment of Vector via Docker Compose but you most likely want to follow Vector's guide to [deploy ](https://vector.dev/docs/setup/deployment/)it in your infrastructure.
+For the sake of this example we will follow simple Docker deployment of Vector via Docker Compose, but you most likely want to follow Vector's guide to [deploy ](https://vector.dev/docs/setup/deployment/)it in your infrastructure.
 
 ### Vector configuration
 
@@ -37,7 +37,7 @@ sinks:
 
 This basic configuration adds an HTTP source named `defguard` and a console sink, which forwards all logs received from `defguard` to standard output.
 
-Next add vector service to your **docker-compose.yaml** file.
+Next, add vector service to your **docker-compose.yaml** file.
 
 ```yaml
   vector:
@@ -50,7 +50,7 @@ Next add vector service to your **docker-compose.yaml** file.
       - "8001:8001"
 ```
 
-Make sure that new `vector` service is up and it loaded the configuration, it should print it in stdout:
+Make sure that new `vector` service is up, and it loaded the configuration, it should print it in stdout:
 
 ```
 INFO vector::app: Loading configs. paths=["/etc/vector/vector.toml"]
 
@@ -5,7 +5,7 @@ This is an enterprise feature. To use it, purchase our [enterprise license](../.
 {% endhint %}
 
 {% hint style="warning" %}
-Access Control List feature is available in Defguard Core v1.3.0 and Defgaurd Gateway v1.3.0.
+Access Control List feature is available in Defguard Core v1.3.0 and Defguard Gateway v1.3.0.
 
 Defguard Gateway v1.3.0 supports Linux machines with [NFTables](https://nftables.org/).\
 Defguard Gateway v1.4.0 supports FreeBSD, NetBSD, and macOS machines with Packet Filter (PF).
@@ -18,7 +18,7 @@ The ACL (Access Control List) functionality in Defguard allows administrators to
 Access Control can be enabled for each location individually. To enable it:
 
 1. Navigate to **VPN Overview** > **Edit Location settings**
-2. In **Location configuration** section select **Enable ACL for this location**.
+2. In **Location configuration** section, select **Enable ACL for this location**.
 3. Click on **Save changes**.
 
 <figure><img src="../../.gitbook/assets/image (17).png" alt=""><figcaption></figcaption></figure>
@@ -27,7 +27,7 @@ Access Control can be enabled for each location individually. To enable it:
 
 ## Default Access Control List Policy
 
-Default policy defines how to treat network traffic (with regarding to resources) that was not explicitly specified in ACL rules:
+Default policy defines how to treat network traffic (with regard to resources) that was not explicitly specified in ACL rules:
 
 * **Allow** - users and devices connected to a location will be able to access all resources within the network, if the resource access is not modified by one of ACL rules.
 * **Deny** - all traffic to network resources that is not regulated by one of the ACL rules will be blocked.
@@ -37,7 +37,7 @@ Default policy defines how to treat network traffic (with regarding to resources
 Make sure ACL has been enabled (see above), otherwise the policy setting will not be inactive.
 
 1. Navigate to **VPN Overview** > **Edit Location settings**
-2. In **Location configuration** choose the desired option under **Default ACL Policy**.
+2. In **Location configuration,** choose the desired option under **Default ACL Policy**.
 3. Click on **Save changes**.
 
 <figure><img src="../../.gitbook/assets/image (17).png" alt=""><figcaption></figcaption></figure>
@@ -68,7 +68,7 @@ Use the **Deploy pending changes** button to apply all the rules from **Pending
 Defguard’s ACL functionality is designed to allow users to apply access control rules in batches. This approach minimizes the risk of transient network issues that could occur when deploying rules individually. By grouping changes and deploying them together, the system reduces the likelihood of connectivity hiccups or firewall disruptions.
 {% endhint %}
 
-The ACL list view also allows rule filtering by name, locations and other attributes
+The ACL list view also allows rule filtering by name, locations, and other attributes
 
 <figure><img src="../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
@@ -120,24 +120,24 @@ In Defguard, sources can be defined as one of three object types:
 Each ACL rule in Defguard is intended to fully define access to a specific resource, you must therefore always include at least one allowed source.
 
 {% hint style="warning" %}
-This setting is independent from the default location-level [**Allowed groups**](../wireguard/create-your-vpn-network.md#allowed-groups) configuration.
+This setting is independent of the default location-level [**Allowed groups**](../wireguard/create-your-vpn-network.md#allowed-groups) configuration.
 
 If you give a user access to some resource through an ACL rule, but they do not have access to a given location, they still won't be able to access it, because they'll be unable to establish a VPN connection with the gateway.
 {% endhint %}
 
 ### How to define your ACL ruleset
 
-Access Control List (ACL) rules in Defguard are used to manage **who can access specific resources** across your network. Think of each rule as a clear instruction that says: _These users or devices are allowed to reach this resource – and optionally, these others are not._
+Access Control List (ACL) rules in Defguard are used to manage **who can access specific resources** across your network. Think of each rule as a clear instruction that says: _These users or devices are allowed to reach this resource – and, optionally, these others are not._
 
 #### Key Concepts:
 
 * Each rule connects **who** (users, groups, or devices) to **what** (a resource address).
 * At least one "allowed" source must always be specified - this defines who gets access.
 * Optionally, you can **exclude** specific users, groups, or devices using the "denied" section.
 * You can use this combination to create flexible rules, such as:\
-  \&#xNAN;_Allow everyone in the “Remote Workers” group except a few individuals access specific office network._
+  \&#xNAN;_Allow everyone in the “Remote Workers” group except a few individuals to access a specific office network._
 
-This setup helps controlling access clearly and safely without worrying about lower-level network and firewall behavior.
+This setup helps control access clearly and safely without worrying about lower-level network and firewall behaviour.
 
 #### Details
 
@@ -153,51 +153,51 @@ This setup helps controlling access clearly and safely without worrying about lo
 
 #### Allowing access for specific users
 
-In this scenario we will allow specific users to access the 10.1.1.0/24 network, assuming the users connect through _Office-Berlin_ location.
+In this scenario, we will allow specific users to access the 10.1.1.0/24 network, assuming the users connect through _Office-Berlin_ location.
 
 To do this, the following new rules have to be added:
 
 * Navigate to **Access Control**.
 * Click on **Add new** button.
-* Name the rule under **Rule Name**: _Staff access Berlin_.
+* Name the rule under **Rule Name**: _Staff access, Berlin_.
 * Select _Office-Berlin_ in the **Locations** input.
-* Under **Manual Input** > **IPv4/v6 CIDR range or adderess**, enter: _10.1.1.0/24_.
+* Under **Manual Input** > **IPv4/v6 CIDR range or address**, enter: _10.1.1.0/24_.
 * Add desired users in the **"Allowed Users/Groups/Devices** > **Users**.
 * Click on the **Submit** button.
 
 <figure><img src="../../.gitbook/assets/image (71).png" alt=""><figcaption></figcaption></figure>
 
-You will be redirected back to the [ACL List View](./#list-of-acl-rules) and the new rule should now be in the **Pending Changes** section.
+You will be redirected back to the [ACL List View,](./#list-of-acl-rules) and the new rule should now be in the **Pending Changes** section.
 
 <figure><img src="../../.gitbook/assets/image (73).png" alt=""><figcaption></figcaption></figure>
 
 Now, click on **Deploy pending changes (1)** button. After that, the rule should be applied on the _Office-Berlin_ location.
 
 <figure><img src="../../.gitbook/assets/image (75).png" alt=""><figcaption></figcaption></figure>
 
-(See [Implementation Details](../../enterprise/all-enteprise-features/access-control-list/firewall-internals.md) documentation to understand integrationn with system packet filtering.)
+(See [Implementation Details](../../enterprise/all-enteprise-features/access-control-list/firewall-internals.md) documentation to understand integration with system packet filtering.)
 
 #### Adding access exceptions for specific users
 
-Let's build on the last example. The example defined a single rule that grants network access for two users. In this example we will block access for one specific user. But first let's rethink our approach.
+Let's build on the last example. The example defined a single rule that grants network access for two users. In this example, we will block access for one specific user. But first, let's rethink our approach.
 
-It may be tempting to specify the access for each user individually, like we did while constructing the first rule. This may work at first or if your users don't change too often. But what if you have a constant influx of new users? This might get tedious pretty fast.
+It may be tempting to specify the access for each user individually, like we did while constructing the first rule. This may work at first, or if your users don't change too often. But what if you have a constant influx of new users? This might get tedious pretty fast.
 
 So what we will do is:
 
-* we will define two groups:
+* Define two groups:
   * _Staff-Berlin_
   * _Externals_
-* we will add all the users that work in our _Berlin_ office to _Staff-Berlin_ group
-* we will add all users we collaborate with in _Berlin_, but are not our direct employees, to the _Externals_ group
-* we will allow all users in _Staff-Berlin_ group access to the network
-* we will add an exception for the users in _Externals_ group so that they are not allowed to access the network
+* Add all the users that work in our _Berlin_ office to _Staff-Berlin_ group
+* Add all users we collaborate with in _Berlin_, but are not our direct employees, to the _Externals_ group
+* Allow all users in _Staff-Berlin_ group access to the network
+* Add an exception for the users in _Externals_ group so that they are not allowed to access the network
 
 Once you have created appropriate groups and assigned the users, let's update the ACL rule. The rule should now:
 
-* still be assigned to the _Office-Berlin_ location
-* still define the destination resource address as `10.1.1.0/24`
-* instead of specific users in the **Allowed Users** input, we now select the _Staff-Berlin_ group in the **Allowed Groups** input
-* in **Denied Groups** input we should now select the _Externals_ group
+* Still be assigned to the _Office-Berlin_ location
+* Still define the destination resource address as `10.1.1.0/24`
+* Instead of specific users in the **Allowed Users** input, we now select the _Staff-Berlin_ group in the **Allowed Groups** input
+* In **Denied Groups** input we should now select the _Externals_ group
 
 <figure><img src="../../.gitbook/assets/image (80).png" alt=""><figcaption></figcaption></figure>