12.6.1. Zones

This section describes the commands available at the network zone level. To create a new zone, use the following command:

Admin@UGOS# create network zone

Provide the following zone parameters:

name

Zone name.

description

Zone description.

dos-protection-syn

Protect the zone against network flooding for the TCP protocol (SYN flood):

  • enabled: on or off; enables or disables the protection.

  • aggregate:

    • on: count all packets incoming to this zone's interfaces as a single total.

    • off: count packets for each source IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops the packets and records the event in the system log.

  • excluded-ips: list of IP addresses of servers to exclude from the protection.

dos-protection-udp

Protect the zone against network flooding for the UDP protocol:

  • enabled: on or off; enables or disables the protection.

  • aggregate:

    • on: count all packets incoming to this zone's interfaces as a single total.

    • off: count packets for each source IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops the packets and records the event in the system log.

  • excluded-ips: list of IP addresses of servers to exclude from the protection.

dos-protection-icmp

Protect the zone against network flooding for the ICMP protocol:

  • enabled: on or off; enables or disables the protection.

  • aggregate:

    • on: count all packets incoming to this zone's interfaces as a single total.

    • off: count packets for each source IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops the packets and records the event in the system log.

  • excluded-ips: list of IP addresses of servers to exclude from the protection.
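As an added illustration (not UserGate code), the following Python models the documented counting semantics of one dos-protection-* block: enabled, aggregate, alert-threshold, drop-threshold and excluded-ips. The class name, the measurement window, the thresholds (300 and 600) and the traffic sample are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
import ipaddress


@dataclass
class DosProtection:
    """Hypothetical model of one dos-protection-* block; not UserGate's own code."""
    enabled: bool = True
    aggregate: bool = False        # off: one counter per source IP; on: one counter for the zone
    alert_threshold: int = 300     # requests per window above which an alert is logged
    drop_threshold: int = 600      # requests per window above which packets are dropped
    excluded_ips: list = field(default_factory=list)   # servers that are never counted

    def evaluate(self, sources):
        """Count one window of packets, given as their source IPs.

        Returns the per-key counts, how many packets would be dropped and the
        log events the two thresholds would produce."""
        if not self.enabled:
            return {"counted": {}, "dropped": 0, "events": []}
        excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded_ips]
        counts, dropped, events = Counter(), 0, []
        for src in sources:
            addr = ipaddress.ip_address(src)
            if any(addr in net for net in excluded):
                continue                            # excluded-ips: not counted at all
            key = "zone" if self.aggregate else str(addr)
            counts[key] += 1
            if counts[key] == self.alert_threshold + 1:     # "exceeds": strictly greater
                events.append(f"alert: {key} exceeded alert-threshold {self.alert_threshold}")
            if counts[key] > self.drop_threshold:
                dropped += 1                        # packets past the drop threshold are lost
                if counts[key] == self.drop_threshold + 1:
                    events.append(f"drop: {key} exceeded drop-threshold {self.drop_threshold}")
        return {"counted": dict(counts), "dropped": dropped, "events": events}


def demo():
    """Constructed one-window sample: a flooding host, a normal host and a
    monitoring server (192.0.2.10) that is listed in excluded-ips."""
    sources = ["10.0.0.5"] * 700 + ["10.0.0.6"] * 200 + ["192.0.2.10"] * 1000
    excluded = ["192.0.2.10/32"]
    return {
        "per_ip": DosProtection(aggregate=False, excluded_ips=excluded).evaluate(sources),
        "aggregate": DosProtection(aggregate=True, excluded_ips=excluded).evaluate(sources),
    }
```

With aggregate on the counter is shared by the whole zone, so the well-behaved 10.0.0.6 host loses packets alongside the flooding host; aggregate off isolates the offender at the cost of one counter per source address.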

enabled-services

Zone access control settings, i.e. the UserGate services that can be reached from this zone:

  • "Any ICMP": allows the ping command to reach a UserGate address.

  • SNMP: provides SNMP access to UserGate (UDP 161).

  • response-pages: permission to display the Captive portal authentication and block pages (TCP 80, 443, 8002).

  • rpc: XML-RPC control; enables API control of the product (TCP 4040).

  • ha: service required to combine multiple UserGate nodes into a cluster (TCP 4369, TCP 9000-9100).

  • VRRP: required to combine several UserGate nodes into an HA cluster (IP protocol 112).

  • "Admin Console": access to the management web console (TCP 8001).

  • DNS: provides access to the DNS proxy service (TCP 53, UDP 53).

  • "HTTP Proxy": access to the HTTP(S) proxy (TCP 8090).

  • "Authorization agent": server access required by Windows authentication agents and terminal servers (UDP 1813).

  • "SMTP Proxy": service that filters SMTP traffic for spam and viruses. Required only when publishing a mail server to the Internet.

  • "POP3 Proxy": service that filters POP3 traffic for spam and viruses. Required only when publishing a mail server to the Internet.

  • "CLI over SSH": access to the server for management via the CLI (TCP 2200).

  • VPN: provides server access for connecting L2TP VPN clients (UDP 500, 4500).

  • SCADA: SCADA traffic filtering. Required only for SCADA traffic control.

  • "REVERSE PROXY": service required to publish internal resources using the Reverse Proxy.

  • "PROXY PORTAL": service required to publish internal resources using an SSL VPN.

  • "SAML SERVER": select a SAML server in the list of zone services and in the general UserGate settings.

  • "Log Analyzer": the Log Analyzer service. Enable this if you plan to use this UserGate server as a Log Analyzer (TCP 2023 and 9713).

  • "Dynamic routing OSPF": OSPF dynamic routing service.

  • "Dynamic routing BGP": BGP dynamic routing service.

  • "SNMP Proxy": service used to build a distributed monitoring system (load balancing and monitoring of a distributed network infrastructure).

  • "SSH Proxy": service used to initiate SSH traffic.

  • Multicast: multicast service.

  • NTP: access to the time service running on the UserGate server.

  • "Dynamic routing RIP": RIP dynamic routing service.

service-addresses

Allowed IP addresses for services:

  • service: select services (the list corresponds to enabled-services).

  • allowed-addresses: allowed IP addresses (in IP/mask format).

antispoof-enabled

Enable or disable IP spoofing protection:

  • on.

  • off.

ip-spoofing-networks

Specify the source IP addresses allowed in the zone, in <ip> or <ip/mask> format. Network packets with source IP addresses other than those specified will be discarded.

antispoof-negate

Enumerated options:

  • on.

  • off.

If antispoof-negate is set to on, the interfaces in that zone will not accept packets from the source addresses specified in ip-spoofing-networks: the listed addresses are treated as forbidden rather than allowed, and packets with those source IP addresses are discarded.
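The following Python is an added example, not UserGate code, that models how antispoof-enabled, ip-spoofing-networks and antispoof-negate together decide whether a packet's source address is accepted on a zone's interfaces. The zone names, the prefixes and the sample packet batch are constructed assumptions.

```python
import ipaddress


def antispoof_filter(enabled, networks, negate=False):
    """Hypothetical model of a zone's antispoof-enabled, ip-spoofing-networks
    and antispoof-negate settings (not UserGate's own code).

    Returns a predicate: source IP string -> True if the zone accepts the packet."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]

    def accept(src):
        if not enabled:
            return True                      # antispoof-enabled off: no source check
        addr = ipaddress.ip_address(src)
        listed = any(addr in net for net in nets)
        # negate off: only listed sources pass; negate on: listed sources are discarded
        return not listed if negate else listed

    return accept


def classify(accept, sources):
    """Split a batch of source IPs into (accepted, discarded) lists."""
    accepted = [s for s in sources if accept(s)]
    discarded = [s for s in sources if not accept(s)]
    return accepted, discarded


# Constructed zone definitions for the demo (names and prefixes are assumptions).
# Trusted: packets may only carry source addresses from the LAN prefix behind it.
TRUSTED = antispoof_filter(True, ["10.10.0.0/16"])
# Untrusted: private prefixes must never appear as sources on the Internet side,
# so the same kind of list is used with antispoof-negate on.
UNTRUSTED = antispoof_filter(
    True, ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], negate=True
)

# Constructed sample batch: one LAN host, one other private host, one public host.
SAMPLE = ["10.10.4.7", "10.200.1.1", "192.168.1.20", "203.0.113.9"]
```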

To update zone parameters, use the following command:

Admin@UGOS# set network zone <zone-name>

To add new services to the allowed service list, use the following command:

Admin@UGOS# set network zone <zone-name> ... enabled-services + [ <service-name> ... ] ...

To delete a zone or its parameters, use the following command:

Admin@UGOS# delete network zone <zone-name>

You can delete the following parameters:

dos-protection-syn

Protect the zone against network flooding for the TCP protocol (SYN flood):

  • excluded-ips: list of IP addresses of servers to exclude from the protection.

dos-protection-udp

Protect the zone against network flooding for the UDP protocol:

  • excluded-ips: list of IP addresses of servers to exclude from the protection.

dos-protection-icmp

Protect the zone against network flooding for the ICMP protocol:

  • excluded-ips: list of IP addresses of servers to exclude from the protection.

enabled-services

Zone access control settings, i.e. the UserGate services that can be reached from this zone:

  • "Any ICMP": allows the ping command to reach a UserGate address.

  • SNMP: provides SNMP access to UserGate (UDP 161).

  • response-pages: permission to display the Captive portal authentication and block pages (TCP 80, 443, 8002).

  • rpc: XML-RPC control; enables API control of the product (TCP 4040).

  • ha: service required to combine multiple UserGate nodes into a cluster (TCP 4369, TCP 9000-9100).

  • VRRP: required to combine several UserGate nodes into an HA cluster (IP protocol 112).

  • "Admin Console": access to the management web console (TCP 8001).

  • DNS: provides access to the DNS proxy service (TCP 53, UDP 53).

  • "HTTP Proxy": access to the HTTP(S) proxy (TCP 8090).

  • "Authorization agent": server access required by Windows authentication agents and terminal servers (UDP 1813).

  • "SMTP Proxy": service that filters SMTP traffic for spam and viruses. Required only when publishing a mail server to the Internet.

  • "POP3 Proxy": service that filters POP3 traffic for spam and viruses. Required only when publishing a mail server to the Internet.

  • "CLI over SSH": access to the server for management via the CLI (TCP 2200).

  • VPN: provides server access for connecting L2TP VPN clients (UDP 500, 4500).

  • SCADA: SCADA traffic filtering. Required only for SCADA traffic control.

  • "REVERSE PROXY": service required to publish internal resources using the Reverse Proxy.

  • "PROXY PORTAL": service required to publish internal resources using an SSL VPN.

  • "SAML SERVER": select a SAML server in the list of zone services and in the general UserGate settings.

  • "Log Analyzer": the Log Analyzer service. Enable this if you plan to use this UserGate server as a Log Analyzer (TCP 2023 and 9713).

  • "Dynamic routing OSPF": OSPF dynamic routing service.

  • "Dynamic routing BGP": BGP dynamic routing service.

  • "SNMP Proxy": service used to build a distributed monitoring system (load balancing and monitoring of a distributed network infrastructure).

  • "SSH Proxy": service used to initiate SSH traffic.

  • Multicast: multicast service.

  • NTP: access to the time service running on the UserGate server.

  • "Dynamic routing RIP": RIP dynamic routing service.

service-addresses

Allowed IP addresses for services:

  • service: select services (the list corresponds to enabled-services).

  • allowed-addresses: allowed IP addresses (in IP/mask format).

ip-spoofing-networks

When IP spoofing protection is enabled, the administrator can specify the source IP addresses allowed in the zone, in <ip> or <ip/mask> format. Network packets with source IP addresses other than those specified will be discarded.

To view the settings of a zone, use the following command:

Admin@UGOS# show network zone <zone-name>