Hello, this is the second article about the NGFW solution from the company UserGate… The purpose of this article is to show how to install a UserGate firewall in a virtual environment (I will use VMware Workstation) and perform its initial configuration, that is, allow access from the local network through UserGate to the Internet.
To begin with, I will describe the ways this gateway can be deployed in a network. Note that, depending on the chosen connection option, some gateway functionality may be unavailable. UserGate supports the following connection modes:
L2 transparent bridge
L3 transparent bridge
Virtual inline, using the WCCP protocol
Virtual inline, using Policy-Based Routing
Router on a Stick
Explicitly specified web proxy
UserGate as the default gateway
Mirror port (monitoring)
UserGate supports two types of clusters:
Configuration cluster. The nodes of a configuration cluster maintain identical settings across the cluster.
Failover cluster. Up to four nodes of a configuration cluster can be combined into a failover cluster operating in Active-Active or Active-Passive mode. Several failover clusters can be built.
As mentioned in the previous article, UserGate is delivered either as a hardware and software appliance or as an image deployed in a virtual environment. From your personal account on the UserGate website, download the image in OVF (Open Virtualization Format); this format is suitable for VMware and Oracle VirtualBox. For Microsoft Hyper-V and KVM, virtual machine disk images are supplied instead.
According to the UserGate website, at least 8 GB of RAM and a 2-core virtual processor are recommended for the virtual machine to work correctly. The hypervisor must support 64-bit guest operating systems.
Installation begins by importing the image into the selected hypervisor (VirtualBox or VMware). In the case of Microsoft Hyper-V and KVM, you need to create a virtual machine, attach the downloaded image as its disk, and then disable integration services in the settings of the created virtual machine.
By default, after import, the virtual machine is created in VMware with the following settings:
As noted above, RAM should be at least 8 GB, plus 1 GB for every 100 users. The default hard disk size is 100 GB, which is usually not enough to store all logs and settings; the recommended size is 300 GB or more. Therefore, in the virtual machine properties, change the disk size to the desired value. Out of the box, the virtual UserGate UTM comes with four interfaces assigned to zones:
Management – the first interface of the virtual machine, a zone for connecting trusted networks from which UserGate management is allowed.
Trusted – the second interface of the virtual machine, a zone for connecting trusted networks, for example, LAN networks.
Untrusted – the third interface of the virtual machine, a zone for interfaces connected to untrusted networks, such as the Internet.
DMZ – the fourth interface of the virtual machine, a zone for interfaces connected to the DMZ network.
Next, start the virtual machine. The manual says to select Support Tools and perform Factory reset UTM, but as you can see there is only one choice (UTM First Boot). During this step, the UTM configures the network adapters and expands the partition on the hard drive to the full size of the disk:
The UserGate web interface is reached through the Management zone, which is served by the eth0 interface; by default it obtains an IP address automatically (DHCP). If an address cannot be assigned to the Management interface via DHCP, it can be set explicitly from the CLI (Command Line Interface). To do this, log into the CLI with the username and password of a user with full administrator rights (by default Admin, with a capital letter). If the UserGate device has not yet been initialized, log into the CLI with the username Admin and the password utm. Then run a command of the form iface config --name eth0 --ipv4 192.168.1.254/24 --enable true --mode static. Afterwards, open the UserGate web console at the address you specified; the URL has the form https://UserGateIPaddress:8001 and the console looks like this:
In the web console, we continue the installation: select the interface language (currently Russian or English) and the time zone, then read and accept the license agreement, and set the login and password for the web management interface.
After installation, the web management interface looks like this:
Then you need to configure the network interfaces. To do this, in the “Interfaces” section, enable them, set the correct IP addresses and assign the appropriate zones.
The “Interfaces” section displays all physical and virtual interfaces available in the system, allows you to change their settings and add VLAN interfaces. It also shows the interfaces of every node in the cluster. Interface settings are specific to each node, that is, they are not global.
In the interface properties you can:
Enable or disable the interface
Specify the interface type – Layer 3 or Mirror
Assign a zone to the interface
Assign a Netflow profile to send statistics to a Netflow collector
Change the physical parameters of the interface – MAC address and MTU size
Select the type of IP address assignment – no address, static IP address, or an address obtained via DHCP
Configure DHCP relay on the selected interface
The Add button allows you to add the following types of logical interfaces:
In addition to the zones listed above that the UserGate image ships with, there are three more predefined zones:
Cluster – a zone for interfaces used for cluster operation
VPN for Site-to-Site – a zone containing all Office-to-Office clients connected to UserGate via VPN
VPN for remote access – a zone containing all mobile users connected to UserGate via VPN
UserGate administrators can change the settings of the default zones and create additional ones, but, as stated in the manual for version 5, no more than 15 zones can be created. Zones are changed or created in the “Zones” section. For each zone, you can set flood-protection thresholds above which packets are dropped (SYN, UDP and ICMP are supported), configure which UserGate services may be accessed from the zone, and enable IP spoofing protection. In particular, access to the management console should remain permitted only from zones where management is expected, such as Management, and not from Untrusted.
After configuring the interfaces, you need to configure the default route in the “Gateways” section, i.e. to connect UserGate to the Internet you must specify the IP address of one or several gateways. If several providers are used to connect to the Internet, several gateways must be specified. The gateway configuration is unique to each node in the cluster. If two or more gateways are specified, two options are possible:
Balancing traffic between gateways.
Main gateway with failover to a backup gateway.
The state of a gateway (available – green, unavailable – red) is determined as follows:
Network check disabled – the gateway is considered available if UserGate can obtain its MAC address with an ARP request. Internet access through this gateway is not checked. If the gateway's MAC address cannot be determined, the gateway is considered unavailable.
Network check enabled – the gateway is considered available if:
UserGate can obtain its MAC address with an ARP request.
The Internet access check through this gateway completes successfully.
Otherwise, the gateway is considered unavailable. Note that with the network check disabled a gateway whose own uplink is down is still reported as available, since only its MAC address is verified; for a main/backup setup the network check should therefore be enabled.
In the “DNS” section, add the DNS servers that UserGate itself will use; these are specified in the System DNS Servers area. Below it are the settings for handling DNS requests from users: UserGate can act as a DNS proxy. The DNS proxy service intercepts DNS requests from users and modifies them according to the administrator's needs. DNS proxy rules can specify the DNS servers to which requests for particular domains are forwarded. In addition, static host records (A records) can be defined in the DNS proxy.
In the “NAT and Routing” section, create the necessary NAT rules. For Internet users of the Trusted network, the NAT rule “Trusted -> Untrusted” has already been created; it only remains to enable it. Rules are applied from top to bottom in the order they appear in the console, and only the first rule whose conditions are met is executed. For a rule to match, all conditions specified in its parameters must be met. UserGate recommends creating general NAT rules, for example a NAT rule from the local network (usually the Trusted zone) to the Internet (usually the Untrusted zone), and differentiating access by users, services and applications using firewall rules.
It is also possible to create DNAT rules, port forwarding, policy-based routing and network mapping.
After that, in the “Firewall” section, create firewall rules. For unrestricted Internet access for users of the Trusted network, the firewall rule “Internet for Trusted” has also already been created and must be enabled. Using firewall rules, the administrator can allow or deny any type of transit network traffic passing through UserGate. Zones and source/destination IP addresses, users and groups, services and applications can be used as rule conditions. Rules are applied in the same way as in the “NAT and Routing” section, i.e. top-down, first match. Because evaluation stops at the first match, any more specific deny rule (for example, blocking a particular service for a group of users) has to be placed above the broad “Internet for Trusted” allow rule, otherwise it will never be reached. If no rules have been created, all transit traffic through UserGate is prohibited.
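The ordering semantics that the “NAT and Routing” and “Firewall” sections share (top-down evaluation, all conditions ANDed, first match wins, implicit deny for transit traffic with no match) are easy to get wrong in practice, so here is a small model of them in Python. This is an added example written for this article, not UserGate code: the Rule and Packet fields are simplified assumptions, the “Block telnet” rule is hypothetical, and the sample traffic is constructed. It shows that the shipped allow rule does nothing until it is enabled, that a narrower deny placed below it is shadowed and never fires, and how to audit a rule set for rules that never decide anything.

```python
"""First-match evaluation of zone-based NAT and firewall rules.

Added example (not UserGate code): it models the ordering semantics described
in the article - rules are evaluated top-down, every populated condition must
hold, the first matching rule wins and transit traffic with no match is denied.
Rule and packet fields are simplified assumptions for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" / "deny" for firewall, "nat" for NAT
    enabled: bool = True
    # Empty condition sets mean "any"; populated ones are ANDed together.
    src_zones: FrozenSet[str] = frozenset()
    dst_zones: FrozenSet[str] = frozenset()
    src_nets: Tuple[str, ...] = ()
    dst_nets: Tuple[str, ...] = ()
    services: FrozenSet[Tuple[str, Optional[int]]] = frozenset()

    def matches(self, p: Packet) -> bool:
        """A disabled rule never matches; otherwise all set conditions must hold."""
        if not self.enabled:
            return False
        if self.src_zones and p.src_zone not in self.src_zones:
            return False
        if self.dst_zones and p.dst_zone not in self.dst_zones:
            return False
        if self.src_nets and not any(ip_address(p.src_ip) in ip_network(n) for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(p.dst_ip) in ip_network(n) for n in self.dst_nets):
            return False
        if self.services and (p.proto, p.dport) not in self.services:
            return False
        return True


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """Top-down evaluation: the first rule whose conditions all hold decides."""
    for rule in rules:
        if rule.matches(p):
            return rule
    return None


def firewall_decision(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """Transit traffic that matches no firewall rule is denied by default."""
    rule = first_match(rules, p)
    return (rule.action, rule.name) if rule else ("deny", None)


def never_fired(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Audit helper: names of rules that decide none of the sample packets.

    A rule that never fires is either unused or shadowed by a broader rule above it.
    """
    hits = set()
    for p in packets:
        rule = first_match(rules, p)
        if rule is not None:
            hits.add(rule.name)
    return [r.name for r in rules if r.name not in hits]


# Constructed sample rules modelled on the shipped "Internet for Trusted" rule
# (which ships disabled) plus a hypothetical narrower deny rule.
INTERNET_FOR_TRUSTED = Rule("Internet for Trusted", "allow", enabled=False,
                            src_zones=frozenset({"Trusted"}),
                            dst_zones=frozenset({"Untrusted"}))
BLOCK_TELNET = Rule("Block telnet", "deny",
                    src_zones=frozenset({"Trusted"}),
                    dst_zones=frozenset({"Untrusted"}),
                    services=frozenset({("tcp", 23)}))

# Constructed sample traffic from the Trusted LAN towards the Internet.
WEB = Packet("Trusted", "Untrusted", "192.168.1.10", "203.0.113.5", "tcp", 443)
TELNET = Packet("Trusted", "Untrusted", "192.168.1.10", "203.0.113.5", "tcp", 23)
PACKETS = [WEB, TELNET]

# Three rule sets showing the effect of enabling and ordering.
SHIPPED = [INTERNET_FOR_TRUSTED]                               # still disabled
ALLOW_ABOVE_DENY = [replace(INTERNET_FOR_TRUSTED, enabled=True), BLOCK_TELNET]
DENY_ABOVE_ALLOW = [BLOCK_TELNET, replace(INTERNET_FOR_TRUSTED, enabled=True)]

if __name__ == "__main__":
    for label, rules in (("shipped", SHIPPED), ("allow above deny", ALLOW_ABOVE_DENY),
                         ("deny above allow", DENY_ABOVE_ALLOW)):
        print(label, [firewall_decision(rules, p) for p in PACKETS],
              "never fired:", never_fired(rules, PACKETS))
```

Running the script prints the decision for both sample packets under each rule set: with the shipped rule still disabled everything is denied, with the allow rule above the deny rule the Telnet packet is allowed and “Block telnet” is reported as never firing, and with the deny rule moved above the allow rule both rules take effect. The same first_match function models the NAT table, where the action is the NAT operation rather than allow/deny.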
This concludes the article. We installed a UserGate firewall on a virtual machine and made the minimum settings necessary for Internet access from the Trusted network. Further configuration will be covered in the next articles.