FAQ restores

Michał Gryczka · Michał Gryczka · commit 3685233c6799 · 2025-09-01T16:00:06.000+02:00
diff --git a/src/content/config.ts b/src/content/config.ts
@@ -24,6 +24,14 @@ const productFeatures = defineCollection({
   }),
 });
 
+const faqSchema = defineCollection({
+  type: "content",
+  schema: z.object({
+    title: z.string(),
+    order: z.number(),
+  }),
+});
+
 const pricingSchema = z.object({
   name: z.string(),
   order: z.number(),
@@ -67,6 +75,7 @@ const blog = defineCollection({
 export const collections = {
   "client-features": productFeatures,
   "core-features": productFeatures,
+  faq: faqSchema,
   pricing,
   roadmap,
   blog,
diff --git a/src/content/faq/audit-logging.mdx b/src/content/faq/audit-logging.mdx
@@ -0,0 +1,13 @@
+---
+title: What auditing features does Defguard offer and how can event logs be integrated with external systems?
+order: 12
+---
+
+Defguard supports a **full event log** for both administrators (informing about every business event of each user, with detailed indication of VPN location, module, IP addresses) and for each user (detailed tracking of their own system activities).
+
+The event log supports **streaming events to external SIEM systems**, such as:
+
+* **Vector:** A lightweight observability pipeline program, enabling data forwarding to monitoring systems (Datadog, New Relic, Grafana Loki, Prometheus, InfluxDB, ClickHouse), SIEM and logging systems (ElasticSearch, Splunk HEC, Graylog, Mezmo, Axiom), and cloud services (AWS CloudWatch, Kinesis, S3, SNS/SQS; Google Cloud Pub/Sub, Monitoring, Storage).
+* **Logstash:** Open-source server-side software that ingests, processes, and forwards data for logging and analysis purposes.
+
+[Audit log and SIEM integration guide](https://docs.defguard.net/about/features-overview)
diff --git a/src/content/faq/client-features.mdx b/src/content/faq/client-features.mdx
@@ -0,0 +1,16 @@
+---
+title: What are the key features of Defguard Desktop and Mobile clients?
+order: 9
+---
+
+Desktop and Mobile clients offer many features:
+
+* **Automatic configuration synchronization**.
+* Support for **multiple VPN locations** and the ability to connect to **multiple Defguard instances**.
+* The option to choose whether the VPN should route **only administrator-defined traffic (predefined traffic) or all device traffic (all traffic)**, with the ability to disable this feature in the admin panel.
+* The desktop client offers **Grid** views (displaying all VPN locations and their status/statistics) and **Detailed** views (details of the selected location/connection, statistics, activity history).
+* An **Enrollment process** for the desktop client, which, during the first configuration, not only automatically configures VPN locations but also allows the user to **securely remotely set the Defguard account password**, verify account data, and display the administrator's contact information.
+* Defguard allows each user to **configure their own Desktop & Mobile devices** in their profile, without needing to contact an administrator, with the ability to enable this functionality.
+* Support for managing network devices, where an administrator can configure device access to a selected VPN location using a server-side command-line client running as a system service (automatic synchronization) or manual WireGuard configuration (for older devices).
+
+[Details on client behavior customization](https://docs.defguard.net/features/wireguard/behavior-customization)
diff --git a/src/content/faq/defguard-wireguard.mdx b/src/content/faq/defguard-wireguard.mdx
@@ -1,19 +1,21 @@
 ---
-title: Difference between WireGuard® and defguard
+title: What VPN protocol does Defguard use and why is it preferred?
 order: 1
 ---
 
-WireGuard® is a VPN protocol with some low-level command-line tools.
-Defguard makes WireGuard® easy to deploy and use, adding additional features like
+Defguard uses the **WireGuard** protocol for VPN infrastructure access. It is **technologically and security-wise more modern and secure than SSL VPN and IPsec**. Examples of innovations not supported by IPsec/SSL VPN include:
 
-<a
-  href="https://docs.defguard.net/admin-and-features/wireguard/multi-factor-authentication-mfa-2fa"
-  target="_blank"
->
-  real 2FA/Multi-Factor Authentication
-</a>
-.
+* **Stateless:** No session renegotiation, full resilience to packet loss, which means faster connections, resilience to network disruptions and IP changes, and ideal for mobile users, VPN always-on, and roaming.
+* **High performance:** WireGuard operates in the system kernel (Linux kernel module), providing 2–5 times faster data transfer than OpenVPN and is significantly more CPU efficient than IPsec.
 
-Defguard has its own VPN <a href="/client/" target="_blank">desktop clients</a> (with mobile clients soon to be released) that include additional functionalities not available in standard WireGuard® clients.
+[Learn more about WireGuard and Zero-Trust VPN in the Defguard docs](https://docs.defguard.net/features/wireguard)
 
-Defguard also offers features outside of VPN, such as built-in OpenID Connect SSO, Yubico YubiKey provisioning, and more!
+---
+
+**What cryptographic algorithms does WireGuard use in Defguard?**
+
+WireGuard in Defguard uses modern and most secure algorithms, not supporting outdated or insecure algorithms like 3DES, Blowfish, or RSA. These are:
+
+* **ChaCha20** (encryption)
+* **Poly1305** (authentication)
+* **Curve25519** (key exchange)
diff --git a/src/content/faq/external-idp.mdx b/src/content/faq/external-idp.mdx
@@ -0,0 +1,15 @@
+---
+title: With which external identity providers does Defguard integrate for MFA and authorization?
+order: 6
+---
+
+Defguard is the only provider supporting multi-factor authentication using external identity providers and supports VPN authorization with them, such as:
+
+* **Google Workspace**
+* **Microsoft EntraID** (formerly Azure EntraID)
+* **Okta**
+* **JumpCloud**
+* **Zitadel**
+* Any other provider supporting the **OpenID Connect (OIDC)** protocol
+
+[See all supported external SSO providers](https://docs.defguard.net/about/features-overview)
diff --git a/src/content/faq/hardware-keys.mdx b/src/content/faq/hardware-keys.mdx
@@ -0,0 +1,8 @@
+---
+title: What is the purpose of the hardware key configuration module in Defguard?
+order: 13
+---
+
+Defguard offers a **hardware key configuration and initialization module (Workstation Provisioning)**, which enables simple and secure configuration of **YubiKey hardware keys** for users. These keys are used for authentication (SSH, GPG/FIDO2) as part of multi-factor authentication (MFA). After initialization, the user's profile displays key details such as the YubiKey serial number and associated public keys (SSH and GPG).
+
+[YubiKey provisioning documentation](https://docs.defguard.net/features/yubikey-provisioning)
diff --git a/src/content/faq/identity-provider.mdx b/src/content/faq/identity-provider.mdx
@@ -0,0 +1,12 @@
+---
+title: Does Defguard act as an Identity Provider (IdP)? What are its capabilities in this regard?
+order: 10
+---
+
+Yes, Defguard is an **Identity Provider (IdP) compliant with the OIDC (OpenID Connect) protocol**. This allows external applications to be configured to use Defguard as SSO, offering a "Log in with Defguard" option. It provides an easy GUI for application configuration and a list of authenticated applications in each user's profile, with the ability to easily revoke consent for access.
+
+As an IdP, Defguard supports multi-factor authentication using **TOTP, EMAIL one-time passwords, and hardware keys (e.g., YubiKey)** when logging into applications using Defguard-based SSO.
+
+Thanks to its built-in IdP, Defguard provides a single solution for **one login/password and MFA system for logging into business applications and remote access simultaneously**.
+
+[Identity management and SSO details](https://docs.defguard.net/about/features-overview)
diff --git a/src/content/faq/integration-methods.mdx b/src/content/faq/integration-methods.mdx
@@ -0,0 +1,11 @@
+---
+title: What integration methods does Defguard offer for other systems?
+order: 16
+---
+
+Defguard supports the following integration methods:
+
+* **Full REST API**
+* For selected events, **WebHooks configuration**
+
+[Integrations overview: REST API & Webhooks](https://docs.defguard.net/about/features-overview)
diff --git a/src/content/faq/mfa-architecture.mdx b/src/content/faq/mfa-architecture.mdx
@@ -0,0 +1,13 @@
+---
+title: How does Defguard implement Multi-Factor Authentication (MFA) for WireGuard?
+order: 3
+---
+
+Defguard is the **only solution that supports Multi-Factor Authentication (MFA) at the WireGuard protocol level**. This means that **every connection undergoes multi-factor authentication**, not just a 2FA process during application startup or configuration, making Defguard offer a **Zero-Trust VPN**. It has advanced MFA methods that support (beyond private and public keys):
+
+* **The first authentication step** (see question 4)
+* **The second authentication step** using WireGuard PSK (Pre-Shared Key) keys, which enhances encryption and **protects against post-quantum attacks**.
+* **The third level** is the exchange of WireGuard PSK session keys.
+* **The fourth level** is the physical configuration of the Gateway server after the entire multi-factor session, without which the VPN server has no configuration for a given client/device.
+
+[See MFA architecture in Defguard docs](https://docs.defguard.net/features/wireguard/multi-factor-authentication-mfa-2fa/architecture)
diff --git a/src/content/faq/mfa-methods.mdx b/src/content/faq/mfa-methods.mdx
@@ -0,0 +1,14 @@
+---
+title: What MFA methods are available in Defguard for the first authentication step?
+order: 4
+---
+
+For the first authentication step, Defguard supports:
+
+* **Time-Based One-Time Password (TOTP)**, e.g., Google Authenticator or other desktop/mobile applications.
+* **Time-based One-Time Password via EMAIL.**
+* On mobile devices: **Biometrics (Touch ID, Face ID).**
+* In case of integration with an **external identity provider (SSO)**, authentication occurs with that provider (e.g., Google, Microsoft, Okta, JumpCloud, OIDC) through a dedicated authentication session in the browser.
+* **Hardware keys** (e.g., YubiKey) are supported when Defguard acts as an embedded identity provider for applications using SSO.
+
+[Explore MFA setup and onboarding](https://docs.defguard.net/using-defguard-for-end-users/instance-configuration)
diff --git a/src/content/faq/platform-support.mdx b/src/content/faq/platform-support.mdx
@@ -0,0 +1,8 @@
+---
+title: What operating systems does Defguard support for WireGuard VPN?
+order: 8
+---
+
+Defguard supports WireGuard VPN on operating systems such as: **Linux, FreeBSD, OPNSense, NetBSD**
+
+[See platform support overview](https://docs.defguard.net/about/features-overview)
diff --git a/src/content/faq/post-quantum-protection.mdx b/src/content/faq/post-quantum-protection.mdx
@@ -0,0 +1,8 @@
+---
+title: How does multi-factor authentication in Defguard protect against post-quantum attacks?
+order: 5
+---
+
+Protection against post-quantum attacks is achieved through the **second authentication step using WireGuard PSK (Pre-Shared Key) keys**. This is a secret generated for each VPN session, optionally used alongside public/private keys, which enhances encryption.
+
+[Learn about PSK-based MFA in the docs](https://docs.defguard.net/features/wireguard/multi-factor-authentication-mfa-2fa/architecture)
diff --git a/src/content/faq/rust.mdx b/src/content/faq/rust.mdx
@@ -1,12 +1,11 @@
 ---
-title: Why Rust and not Go?
-order: 10
+title: What programming language is Defguard written in, and what security benefits does it offer?
+order: 15
 ---
 
-Rust is widely preferred over Go in cases of memory safety, performance and fine-grained control over system resources.
-It's ideal for security solutions, the biggest and best companies that value security and speed relay on rust, for example
+Defguard is written in **Rust**, which offers the following security benefits:
 
-<a href="https://blog.cloudflare.com/tag/rust/" target="_blank">
-  CloudFlare
-</a>
-.
+* **Prevents errors:** Rust prevents errors such as null pointer dereferences, buffer overflows, and use-after-free issues thanks to its ownership system, without the need for a garbage collector.
+* **Compile-time checks:** It enforces strict compile-time checks regarding lifetimes, mutability, and borrowing, detecting many errors before the code even runs.
+* **Safe concurrent programming:** Rust's type system prevents data races at compile time.
+* **Secure dependency ecosystem:** Cargo and crates.io support reproducible builds, cryptographic signatures, and dependency auditing.
diff --git a/src/content/faq/secure-configuration.mdx b/src/content/faq/secure-configuration.mdx
@@ -0,0 +1,13 @@
+---
+title: How does Defguard provide secure remote configuration for clients?
+order: 7
+---
+
+Defguard is the **only solution offering secure remote client configuration (Desktop & Mobile)** that **does not require critical components to be publicly exposed** (such as the user database or the main control plane integrated with an identity provider) on the internet. These components should only be accessible within the Intranet. Instead, Defguard handles configuration using a **secure, stateless proxy component**, which:
+
+* Can be safely exposed on the internet.
+* **Does not have access to the Intranet/corporate network**; it is the main **control plane (Defguard core) that connects to the proxy**, ensuring secure firewall rules.
+* Configuration occurs using **tokens unique to the user and device**, valid for 24 hours from issuance and 10 minutes from their use.
+* All business operations are performed in a secure segment inaccessible from the public network, and only the result of these operations is passed to the proxy.
+
+[More on remote enrollment and secure configuration](https://docs.defguard.net/about/features-overview)
diff --git a/src/content/faq/security-architecture.mdx b/src/content/faq/security-architecture.mdx
@@ -0,0 +1,12 @@
+---
+title: Describe the basic security principles of Defguard's architecture.
+order: 14
+---
+
+Defguard has a **secure architecture** that:
+
+* Allows the main control plane component (Core) to run **in an internal network inaccessible from the Internet**, protecting all system and user data.
+* All events requiring access from a public network (e.g., the Internet) are handled by a **stateless and secure Proxy component**.
+* The Core component connects to the Proxy and **performs all business operations in a secure segment inaccessible from the public network, passing only the result of these operations to the proxy component**.
+
+[Architecture and security concepts](https://docs.defguard.net/about/features-overview)
diff --git a/src/content/faq/user-sync.mdx b/src/content/faq/user-sync.mdx
@@ -0,0 +1,10 @@
+---
+title: How does Defguard handle user directory synchronization?
+order: 11
+---
+
+Defguard supports **two-way synchronization of user and group directories** using an **LDAP server and Microsoft Active Directory**. It also allows choosing whether Defguard or LDAP/Active Directory is the primary source of user data during synchronization.
+
+When Defguard is configured with an external identity provider, it supports synchronization of user and group directories with: **Google Workspace, Microsoft EntraID, and Okta**.
+
+[Learn about LDAP and external IdP sync](https://docs.defguard.net/about/features-overview)
diff --git a/src/data/nav.json b/src/data/nav.json
@@ -34,6 +34,12 @@
     "url": "/pricing/",
     "prefetch": true
   },
+  {
+    "display": "FAQ",
+    "url": "/faq/",
+    "prefetch": true,
+    "external": false
+  },
   {
     "display": "Documentation",
     "url": "https://docs.defguard.net/",
diff --git a/src/pages/faq.astro b/src/pages/faq.astro
