7.1. Firewall

Based on various firewall rules, network administrators can allow or prohibit any type of transit network traffic passing through UserGate. You can use zones, source/destination IP addresses, users, groups, services and applications as the matching criteria.

Important! Rules are applied from top to bottom in the same order as they are displayed in the console. The system always applies only the first rule for which all criteria are met. This means that the most specific rules must be in the upper part of the list, while the broader rules must be at the bottom. If you want to change the order of rules, use the Up/Down buttons.

Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).

Important! When no rules are defined, the transit traffic cannot pass through UserGate.
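The three notes above define the matching semantics: first match wins, top to bottom, every criterion must hold, Negate inverts one criterion, and no match means the transit traffic is dropped. The following Python model is an added illustration of those semantics, not UserGate code; the zone names, addresses and rule names are constructed, and the criteria set is reduced to source zone, destination network and service.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the rule semantics described above (not UserGate code):
# first match wins, all criteria must hold, Negate inverts a single criterion,
# and a packet that matches no rule is dropped.

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src_zone: str | None = None          # None means "any"
    dst_net: str | None = None           # None means "any"
    service: str | None = None           # None means "any"
    negate: set[str] = field(default_factory=set)  # criteria with Negate checked

    def matches(self, pkt: dict) -> bool:
        checks = {
            "src_zone": self.src_zone is None or pkt["src_zone"] == self.src_zone,
            "dst_net": self.dst_net is None
                       or ip_address(pkt["dst_ip"]) in ip_network(self.dst_net),
            "service": self.service is None or pkt["service"] == self.service,
        }
        # Negate is applied per condition; the rule fires only if all conditions hold
        return all((not ok) if key in self.negate else ok for key, ok in checks.items())

def evaluate(rules: list[Rule], pkt: dict) -> tuple[str, str | None]:
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", None  # no rule matched: transit traffic does not pass

# Constructed sample rules and packets
LAN_TO_ANY = Rule("LAN to Internet", "allow", src_zone="Trusted")
BLOCK_MGMT = Rule("Block LAN to mgmt net", "deny", src_zone="Trusted", dst_net="10.0.0.0/24")
NOT_HTTPS = Rule("Drop non-HTTPS to DMZ", "deny", dst_net="192.0.2.0/24",
                 service="HTTPS", negate={"service"})
PKT_MGMT = {"src_zone": "Trusted", "dst_ip": "10.0.0.5", "service": "SSH"}
PKT_DMZ_HTTP = {"src_zone": "Untrusted", "dst_ip": "192.0.2.10", "service": "HTTP"}

if __name__ == "__main__":
    # Specific rule placed below the broad one is never reached
    print(evaluate([LAN_TO_ANY, BLOCK_MGMT], PKT_MGMT))  # ('allow', 'LAN to Internet')
    # Same rules after moving the specific one up with the Up button
    print(evaluate([BLOCK_MGMT, LAN_TO_ANY], PKT_MGMT))  # ('deny', 'Block LAN to mgmt net')
    print(evaluate([NOT_HTTPS], PKT_DMZ_HTTP))           # ('deny', 'Drop non-HTTPS to DMZ')
    print(evaluate([], PKT_MGMT))                        # ('deny', None)
```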

To create a new firewall rule, click Add in the Network policies --> Firewall section and specify the following parameters:

Enabled

Enables or disables a rule

Name

Rule name

Description

Description of a rule

Action

Deny - blocks the traffic

Allow - allows the traffic

Scenarios

It indicates a scenario that must be active for applying the rule. For more details on scenarios, please refer to Scenarios.

Important! A scenario represents an additional condition. If the scenario is not activated (i.e. one or more of its triggers have not fired), the rule will not be applied.

Enable logging

Logs information about traffic when the rule is triggered. The following modes can be used:

  • Log session start. Only the first packet of every session is logged. This is the recommended setting.

  • Log all packets. Every network packet is logged. Enable a logging limit to avoid high system utilization in this mode.

Apply rule to

  • Any packets

  • Only fragmented packets - only packets with the fragmentation bit set

  • Not fragmented packets - only packets with the fragmentation bit not set

Source

Zone(s) and IP addresses of the traffic source

Users

List of users and groups of users to which this rule will be applied. You can add users of the Any, Unknown, or Known type. To apply rules to individual users or to users of the Known type, make sure authentication is set up properly. For more details on user identification, please refer to Users and devices.

Destination

A destination zone and/or a list of destination IP addresses for the traffic.

Service

Service type, e.g. HTTP or HTTPS

Application

List of applications to which this rule will be applied.

Time

Time ranges during which the rule is active.