4 more months with NGFW Usergate C150

In the previous article, we got acquainted with the out-of-the-box test firmware of the NGFW Usergate C150, finished a monitoring template, and ran into a memory leak; or rather, we froze in anticipation of a fix for that leak.

We continue to monitor the development of import-substituted NGFW and see what has changed in 4 months.

Memory leak – fixed

Let's start with the improvements. Firmware 7.1.2, more precisely build 7.1.2.33025R of 08/27/2024, fixed the memory leak that, over 10 days without load, grew the Usergate C150's RAM usage from 30% to 60%. However, the firmware had to be installed from scratch again: an in-place upgrade over the old version went against support's recommendations.

While reinstalling the firmware from scratch, we noticed that the device boots through the GRUB bootloader. The English version of the vendor's website states:

Our developers have devoted a great deal of attention to creating our own proprietary platform rather than using open source code and third-party modules.

The Russian version reads:

The developers paid a lot of attention to creating own platform, not based on the use of someone else's source code and third-party modules.

Vendor presentations likewise list, among the advantages of UGOS and of the Usergate C150 appliance (PAK) in particular, a refusal to use open-source solutions in favor of developing everything from scratch, a kind of NIH (not invented here). And yet something non-proprietary is used under the hood: GRUB is free software, not the vendor's own code.

Let's take a closer look at UGOS 7.1.2

Since the memory no longer leaks, the C150 can finally be configured for its intended place on the border between the local network and the Internet. All actions below were performed after installing the firmware from scratch.

Default settings with dependencies

After flashing the firmware from scratch, the device carries various presets: example firewall rules, NAT, captive portal, VPN, and so on. There is no option to reset to factory defaults without also applying this default configuration, so we tried to remove the presets manually.

Compared to 7.1.1, in 7.1.2 deleting a default entity that another entity depends on produces an error message listing the dependents. But if you unintentionally delete something's dependency and do not wait for the interface to reload (which sometimes takes 15-20 seconds), the dependency disappears from the list while the entity that used it can no longer be deleted. The only way out was a reset to factory settings.

In addition, there was an episode where a web interface tab was left idle for 10 minutes, after which the interface stopped responding and the C150 stopped answering pings. A reboot helped.

Backup in a binary file

According to the documentation, there are two types of backup: export/import of settings and backup:

The administrator has the ability to save the current NGFW settings to a file and subsequently restore these settings on the same or another NGFW. Unlike backup, export/import of settings does not save the current state of all components of the complex; only the current settings are saved.

In both cases the output is an opaque binary file; for a full backup it is 10+ GB. There is no way to export the settings as a text file, so it is unclear how to track and version configuration changes beyond the built-in change log: binary blobs can be hashed and dated, but not diffed.

NTP client is working*

We configured ntp1.vniiftri.ru and ntp2.vniiftri.ru as the NTP servers; they are disciplined by the timescale of the State primary time and frequency standard.

  • Via the GUI, ntp1.vniiftri.ru could not be set, for no discernible reason. At the same time, pool.ntp.org servers were accepted without problems.

  • ntp1.vniiftri.ru was set via the CLI, but the command set settings general server-time ntp-servers [ server1 server2 ] given in the web version of the documentation is out of date. Following the console's prompts, the correct command turned out to be set settings general server-time primary-ntp-server ntp1.vniiftri.ru second-ntp-server ntp2.vniiftri.ru

Later, in the course of communicating with support, we learned that the most current version of the documentation is the PDF available on https://docs.usergate.com in the Downloads section. At the time of writing this is the file https://docs.usergate.com/pdf_manuals/ngfw/ngfw-7.1.x-manual.pdf and yes, the command syntax there is correct.
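When the GUI rejects a server name, it helps to separate "the firewall will not accept it" from "the server is not reachable from here". The following SNTP (RFC 4330) client is an added example, not code from the original article or from UserGate: run it from a host on the same segment as the C150 and point it at the same servers. The sample reply embedded in the block is constructed for the offline check and was not captured from ntp1.vniiftri.ru; the 2024-08-27 timestamp in it is just a convenient date.

```python
# Added example (not from the original article and not UserGate code): a minimal
# SNTP (RFC 4330) client for checking an NTP server from a host next to the firewall.
# SAMPLE_REPLY is constructed here, not captured from ntp1.vniiftri.ru.
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01


def build_request() -> bytes:
    """48-byte client packet: LI=0, VN=4, Mode=3; all other fields zero."""
    return bytes([0x23]) + bytes(47)


def parse_response(pkt: bytes) -> dict:
    """Decode a server reply; raise ValueError for anything that is not a usable answer."""
    if len(pkt) < 48:
        raise ValueError(f"short NTP packet ({len(pkt)} bytes)")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    leap, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0:
        # Kiss-o'-Death: the reference identifier carries an ASCII code such as RATE or DENY
        raise ValueError(f"kiss-o'-death from server: {pkt[12:16]!r}")
    if leap == 3:
        raise ValueError("server clock not synchronized (LI=3)")
    tx_sec, tx_frac = struct.unpack("!II", pkt[40:48])
    return {
        "version": version,
        "stratum": stratum,
        "ref_id": pkt[12:16],
        "poll": poll,
        "precision": precision,
        "tx_unix": tx_sec - NTP_UNIX_OFFSET + tx_frac / 2**32,
    }


def query(server: str, timeout: float = 3.0) -> dict:
    """Send one request over UDP/123 and return the parsed reply plus the clock offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.time()
        s.sendto(build_request(), (server, NTP_PORT))
        data, _ = s.recvfrom(512)
        t1 = time.time()
    reply = parse_response(data)
    # Simplified offset: server transmit time against the midpoint of our round trip
    reply["offset_s"] = reply["tx_unix"] - (t0 + t1) / 2
    reply["rtt_s"] = t1 - t0
    return reply


# Constructed stratum-1 reply: transmit timestamp 2024-08-27 00:00:00.5 UTC
SAMPLE_REPLY = (struct.pack("!BBbb", 0x24, 1, 6, -20)     # LI=0 VN=4 Mode=4, stratum 1
                + struct.pack("!II", 0, 0)                 # root delay / root dispersion
                + b"GPS\x00"                               # reference identifier
                + bytes(24)                                # reference/origin/receive timestamps
                + struct.pack("!II", 1724716800 + NTP_UNIX_OFFSET, 0x80000000))

if __name__ == "__main__":
    for server in sys.argv[1:] or ["ntp1.vniiftri.ru", "ntp2.vniiftri.ru"]:
        try:
            r = query(server)
            print(f"{server}: stratum {r['stratum']} offset {r['offset_s']:+.3f}s rtt {r['rtt_s']:.3f}s")
        except (OSError, ValueError) as e:
            print(f"{server}: FAILED: {e}")
```

If the script gets a stratum-1 or stratum-2 reply from ntp1.vniiftri.ru while the GUI still refuses the name, the problem is input validation in the web interface rather than reachability, which is exactly what the CLI workaround above suggests.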

DHCP server is working

To set up a test DMZ zone, we configured a DHCP server. Among the shortcomings we noted:

  • The lease time cannot be set below 300 seconds. That is fine for a test bench, but not for a production cutover, when the lease time needs to be set to the minimum for the switch-over window to reduce downtime.

  • A domain name is mandatory: you cannot create a DHCP server without specifying one.

Meanwhile, the Huawei NGFW that the Usergate C150 was being prepared to replace allows a lease time of 1 minute and leaves the domain name optional.

L2 bridge is working

According to the documentation, “through the bridge, you can configure filtering of transmitted content at the L2 level without making changes to the company’s network infrastructure.”

Okay, let's try this mode on the test bench. The connection diagram is simple: test PC ↔ Usergate C150 ↔ router with a DHCP server. We powered it on, and the PC ended up with a 169.254.x.x address, that is, it did not receive a lease.

Support told us that an allow rule with the required zones and services has to be added to the firewall. We added it, and it worked. In fairness, and perhaps obviously, the documentation describes this mode as follows:

When Layer 2 mode is selected, the bridge being created does not need to be assigned an IP address, and no routes or gateways need to be configured for it to work correctly. In this mode the bridge operates at the MAC-address level, passing packets from one segment to another. ICS and Mail security rules cannot be used in this mode. Content filtering works in this mode.

The "content filtering" in the last sentence only vaguely hints at firewall rules, without saying so explicitly. There is a course, "UGOS7.1 Administration of UserGate 7.1 firewalls" (40 academic hours, 95,000 ₽ at an authorized training center), that possibly covers all these details; we did not take it.

L3 bridge does not work

Let's look at the L3 bridge. We set it up according to the documentation: created a bridge interface, assigned it an IP address, and added two ports to it. The bench layout is the same as before, and the allow rule in the firewall is still in place.

We powered on the PC, and again the address is 169.254.x.x. We sent the exported settings to support and received the answer: "The L3 bridge does not pass broadcast traffic; there are no such problems with L2; the task has been handed to the developers." And if the problem is critical for us, we can escalate the process through the UserGate manager. By "process" they presumably mean fixing the bug and fitting the fix into the next development sprint.
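A PC stuck on 169.254.x.x says only that no lease arrived; it does not say whether the client's broadcast DHCPDISCOVER was dropped by the bridge or the server's DHCPOFFER never came back, and once a lease does arrive it is worth checking what the server actually handed out (the 300-second minimum and the mandatory domain name from the DHCP section above). The following parser is an added example, not code from the original article or from UserGate: it decodes DHCP frames captured on both sides of the bridge (for instance with tcpdump on the PC and on the router's LAN port) and lists broadcast DHCP messages that were seen on one side but never appeared on the other. The two frames embedded in the block are constructed; the MAC addresses, the 192.168.10.0/24 addresses, the transaction id and the domain name lab.example are made up for the illustration.

```python
# Added example (not from the original article and not UserGate code): a small DHCP
# frame parser for captures taken on both sides of a bridge.  The frames below are
# constructed inline; MACs, IPs, xid and domain name are made up for the lab.
import struct
from typing import Optional

BROADCAST_MAC = b"\xff" * 6
BROADCAST_IP = b"\xff" * 4
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
PC_MAC, ROUTER_MAC = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")


def parse_options(data: bytes) -> dict:
    """DHCP option TLVs -> {code: raw value}; stops at END (255), skips PAD (0)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp_frame(frame: bytes) -> Optional[dict]:
    """Ethernet/IPv4/UDP/BOOTP decode; returns None for anything that is not DHCP."""
    if len(frame) < 14 + 20 + 8 + 240:
        return None
    dst_mac, ethertype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                       # IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                       # UDP only
        return None
    dst_ip = frame[14 + 16:14 + 20]
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport} != {67, 68}:
        return None
    bootp = frame[udp + 8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return None
    xid, = struct.unpack("!I", bootp[4:8])
    flags, = struct.unpack("!H", bootp[10:12])
    opts = parse_options(bootp[240:])
    return {
        "xid": xid,
        "msg_type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "?"),
        "broadcast": dst_mac == BROADCAST_MAC and dst_ip == BROADCAST_IP,
        "broadcast_flag": bool(flags & 0x8000),   # client asked for a broadcast reply
        "yiaddr": ".".join(str(b) for b in bootp[16:20]),
        "lease_s": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
        "domain": opts[15].decode("ascii", "replace") if 15 in opts else None,
    }


def unforwarded(side_a, side_b) -> list:
    """Broadcast DHCP messages captured on side A that never appeared on side B."""
    seen_b = {(p["xid"], p["msg_type"]) for f in side_b if (p := parse_dhcp_frame(f))}
    return [p for f in side_a
            if (p := parse_dhcp_frame(f)) and p["broadcast"]
            and (p["xid"], p["msg_type"]) not in seen_b]


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, op, xid, yiaddr, options):
    """Constructed test frame (IP/UDP checksums left zero; the parser does not verify them)."""
    flags = 0x8000 if dst_mac == BROADCAST_MAC else 0
    bootp = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, flags,
                        bytes(4), yiaddr, bytes(4), bytes(4))
    bootp += PC_MAC + bytes(10) + bytes(192) + MAGIC_COOKIE + options + b"\xff"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


XID = 0x3903F326
DISCOVER = build_frame(BROADCAST_MAC, PC_MAC, bytes(4), BROADCAST_IP, 68, 67, 1, XID,
                       bytes(4), b"\x35\x01\x01")
OFFER = build_frame(BROADCAST_MAC, ROUTER_MAC, bytes([192, 168, 10, 1]), BROADCAST_IP,
                    67, 68, 2, XID, bytes([192, 168, 10, 50]),
                    b"\x35\x01\x02" + b"\x33\x04" + struct.pack("!I", 300)
                    + b"\x0f\x0b" + b"lab.example")

if __name__ == "__main__":
    # L3-bridge symptom: the PC side sees its own DISCOVER, the router side sees nothing.
    for p in unforwarded([DISCOVER], []):
        print(f"not forwarded: {p['msg_type']} xid={p['xid']:#x}")
    # Working bridge: the OFFER comes back; check what the lease looks like.
    o = parse_dhcp_frame(OFFER)
    print(f"OFFER {o['yiaddr']} lease={o['lease_s']}s domain={o['domain']}")
```

Feed the function raw frames from both captures (any pcap library that hands back Ethernet frames as bytes will do); a DISCOVER present on the PC side and absent on the router side is the dropped-broadcast case support described, whereas a DISCOVER on both sides with no OFFER anywhere points at the DHCP server or the firewall rule rather than at the bridge.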

Instead of Conclusions

Another 4 months of the NGFW Usergate C150 rollout have passed. Some oddities and peculiarities turned up in the operation of basic functionality. During this time we waited for the memory leak to be fixed; now we are waiting for the L3 bridge to be fixed.

Judging by the comments on the previous article, the older D200 models also have problems, and communication with vendor support is also difficult. On the sidelines of conferences, colleagues mention that access rights cannot be delineated finely enough to give the information security department just the access it needs. Comments on the K2Tech publication likewise describe various problems in deploying and operating Usergate solutions.

The patch for the memory leak came out in about 3 months; we will see when the L3 bridge starts working.
