5.1. Zone Configuration

A zone in UserGate is a logical aggregation of network interfaces. UserGate security policies refer to interface zones rather than to individual interfaces. This gives the policies the needed flexibility and significantly eases the management of an HA cluster. Zones are identical on all cluster nodes, i.e., this is a global setting for the entire cluster.

It is recommended to aggregate interfaces into a zone based on their intended use, e.g., a LAN interface zone, Internet interface zone, partner-connected interface zone, etc.

By default, UserGate is supplied with the following zones:

  • Management: used to connect trusted networks from which UserGate management is allowed.

  • Trusted: used to connect trusted networks, such as LANs.

  • Untrusted: used for interfaces connected to untrusted networks, such as the Internet.

  • DMZ: used for interfaces connected to the DMZ network.

  • Cluster: used for interfaces that support the operation of a cluster.

  • VPN for Site-to-Site: used for all Office-to-Office clients that connect to UserGate using a VPN.

  • VPN for remote access: used for all mobile users who connect to UserGate using a VPN.

  • Tunnel inspection zone: used for tunnel inspection. All source and destination addresses of packets encapsulated in a tunnel will belong to this zone.

UserGate administrators can edit the settings for the default zones and create additional zones.

Note

A maximum of 255 zones can be created.

To create a zone, follow these steps:


Step 1. Create a new zone.

Click Add and provide a name for the new zone.

Step 2. (Optional) Configure the DoS protection settings for the zone.

Configure the network flood protection settings for TCP (SYN-flood), UDP, and ICMP protocols in the zone:

  • Aggregate: if set, all incoming packets to the zone's interfaces are included in the count. If not set, packets are counted separately for each IP address.

  • Alert threshold: when the number of requests exceeds this threshold, the event is recorded in the system log.

  • Drop threshold: when the number of requests exceeds this threshold, UserGate starts dropping the packets and records the event in the system log.

The recommended values are 300 requests per second for the alert threshold and 600 requests per second for the drop threshold. It is recommended to enable flood protection on all interfaces except those in the Cluster zone.

The UDP drop threshold should be increased if the zone's interfaces carry traffic for services such as VoIP or L2TP VPN.

DoS protection exclusions: here you can list the server IP addresses that need to be excluded from the protection. This can be useful, e.g., for the VoIP service as it sends large numbers of UDP packets.

Important! UserGate allows more granular DoS protection. For more details, see the section DoS Protection.
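The following is an added example, not UserGate code, that models how the Aggregate flag and the two thresholds from Step 2 interact on constructed traffic. It assumes that requests are counted per one-second window and that addresses listed under DoS protection exclusions are simply not counted; the threshold values are the recommended ones from the text. The point it makes that the text does not spell out: a distributed flood of many low-rate sources is only seen when Aggregate is set, while a single heavy source trips the zone-wide counter for everyone in that mode.

```python
"""Model of the per-zone flood-protection thresholds described in Step 2.

Constructed example: it is not UserGate code and it assumes that requests are
counted per one-second window and that excluded addresses are simply not
counted. The threshold values are the ones recommended on the page.
"""
from collections import Counter

ALERT_THRESHOLD = 300   # requests per second: event is logged
DROP_THRESHOLD = 600    # requests per second: packets are dropped and logged


def classify(rate, alert=ALERT_THRESHOLD, drop=DROP_THRESHOLD):
    """Map a per-window request count onto the zone's protection action."""
    if rate > drop:
        return "drop"
    if rate > alert:
        return "alert"
    return "ok"


def evaluate_flood(packets, aggregate, exclusions=(), alert=ALERT_THRESHOLD,
                   drop=DROP_THRESHOLD):
    """Count packets of one protocol (e.g. UDP) arriving on a zone's interfaces.

    packets:    iterable of (second, source_ip) pairs
    aggregate:  True  -> a single counter per second for the whole zone
                False -> one counter per source IP per second
    exclusions: source IPs listed under "DoS protection exclusions"
    Returns {(second, key): (action, count)} where key is "*" when
    aggregating and the source IP otherwise.
    """
    counts = Counter()
    for second, src in packets:
        if src in exclusions:
            continue                     # excluded server: never counted
        key = "*" if aggregate else src
        counts[(second, key)] += 1
    return {k: (classify(n, alert, drop), n) for k, n in counts.items()}


def _burst(second, src, n):
    """n packets from src within the given one-second window."""
    return [(second, src)] * n


# Constructed traffic sample (documentation addresses, not real hosts):
#   second 0: four sources, 100 packets each (distributed, low per-source rate)
#   second 1: one source, 700 packets
#   second 2: the VoIP server, 1000 packets (legitimately chatty)
SAMPLE_PACKETS = (
    _burst(0, "192.0.2.1", 100) + _burst(0, "192.0.2.2", 100)
    + _burst(0, "192.0.2.3", 100) + _burst(0, "192.0.2.4", 100)
    + _burst(1, "198.51.100.9", 700)
    + _burst(2, "10.0.0.5", 1000)
)
VOIP_EXCLUSIONS = {"10.0.0.5"}   # constructed VoIP server address


if __name__ == "__main__":
    for mode in (True, False):
        print("aggregate" if mode else "per-source")
        result = evaluate_flood(SAMPLE_PACKETS, mode, VOIP_EXCLUSIONS)
        for (second, key), (action, n) in sorted(result.items()):
            print(f"  t={second}s {key:>14}: {n:5d} req/s -> {action}")
```

Running it shows second 0 producing an alert only in aggregate mode (400 req/s zone-wide, but 100 req/s per source), second 1 dropping in both modes, and the VoIP server disappearing from the count once it is excluded. Whichever mode is chosen, the exclusion list is what keeps a legitimately chatty service from raising the UDP drop threshold for the whole zone.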

Step 3. (Optional) Configure the access control settings for the zone.

Specify the UserGate-provided services that will be available to clients connected to this zone. It is recommended to disable all services for zones connected to uncontrolled networks, such as the Internet.

The following services exist:

  • Ping: enables pinging of UserGate.

  • SNMP: provides SNMP access to UserGate (UDP 161).

  • Captive portal and block pages: required for displaying the captive portal's auth page and block page (TCP 80, 443, 8002).

  • Control XML-RPC: enables API control of the product (TCP 4040).

  • Cluster: required for combining several UserGate nodes into a cluster (TCP 4369, TCP 9000-9100).

  • VRRP: required for combining several UserGate nodes into an HA cluster (IP protocol 112).

  • Administrative console: provides access to the administrative web console (TCP 8001).

  • DNS: provides access to the DNS proxy service (TCP 53, UDP 53).

  • HTTP(S) proxy: provides access to the HTTP(S) proxy service (TCP 8090).

  • Authorization agent: provides server access required by Windows authorization agents and terminal servers (UDP 1813).

  • SMTP(S) proxy: spam filtering for SMTP traffic. Required only when publishing a mail server to the Internet. For more details, see the section Mail Security.

  • POP3(S) proxy: spam filtering for POP3 traffic. Required only when publishing a mail server to the Internet. For more details, see the section Mail Security.

  • CLI over SSH: provides server access for management using the CLI (command line interface) (TCP 2200).

  • VPN: provides server access for connecting L2TP VPN clients (UDP 500, 4500).

  • SCADA: SCADA traffic filtering. Required only for SCADA traffic control.

  • Reverse proxy: required for publishing internal resources using a reverse proxy. For more details, see the section HTTP/HTTPS Resource Publishing Using Reverse Proxy.

  • Web portal: required for publishing internal resources using an SSL VPN. For more details, see the section Web Portal.

  • Log Analyzer: provides connection to Log Analyzer (TCP 2023, 9713).

  • OSPF: OSPF dynamic routing service. For more details, see the section OSPF.

  • BGP: BGP dynamic routing service. For more details, see the section BGP.

  • NTP service: enables access to a time server running on the UserGate server.

For more on network availability requirements, see Appendix 1. Network environment requirements.
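The following is an added example, not UserGate code, that turns the service list from Step 3 into an exposure audit: given the services enabled on a zone, it lists the endpoints the zone's interfaces will answer on and raises review findings. The service-to-port mapping is copied from the list above; services whose ports this section does not state are kept with an empty tuple rather than dropped. The two review rules are the example's own reading of the page: every service enabled on a zone attached to an uncontrolled network is a finding (the text recommends disabling them all), and a management service enabled outside the Management zone is a finding (that zone is described as the one from which management is allowed). The zone configuration being audited is constructed.

```python
"""Audit of the per-zone service exposure from Step 3.

Constructed example, not UserGate code. The service-to-port mapping is taken
from the list on this page; services whose ports the page does not state are
kept with an empty tuple so they are not silently dropped. The two review
rules are this example's own reading of the page's recommendations.
"""

# Endpoint strings: "<proto>/<port>" or "<proto>/<first>-<last>"
SERVICE_PORTS = {
    "Ping": ("icmp",),
    "SNMP": ("udp/161",),
    "Captive portal and block pages": ("tcp/80", "tcp/443", "tcp/8002"),
    "Control XML-RPC": ("tcp/4040",),
    "Cluster": ("tcp/4369", "tcp/9000-9100"),
    "VRRP": ("ip-proto/112",),
    "Administrative console": ("tcp/8001",),
    "DNS": ("tcp/53", "udp/53"),
    "HTTP(S) proxy": ("tcp/8090",),
    "Authorization agent": ("udp/1813",),
    "SMTP(S) proxy": (),        # ports not stated in this section
    "POP3(S) proxy": (),
    "CLI over SSH": ("tcp/2200",),
    "VPN": ("udp/500", "udp/4500"),
    "SCADA": (),
    "Reverse proxy": (),
    "Web portal": (),
    "Log Analyzer": ("tcp/2023", "tcp/9713"),
    "OSPF": (),
    "BGP": (),
    "NTP service": (),
}

# Services that give control of the appliance itself (example's own grouping).
MANAGEMENT_SERVICES = {"Administrative console", "CLI over SSH",
                       "Control XML-RPC", "SNMP"}


def exposed_endpoints(enabled_services):
    """Sorted list of endpoints a zone's interfaces listen on.

    Raises KeyError for a service name not in the page's list, so a typo in a
    configuration export is noticed rather than ignored.
    """
    endpoints = set()
    for service in enabled_services:
        endpoints.update(SERVICE_PORTS[service])
    return sorted(endpoints)


def audit_zone(zone_name, enabled_services, uncontrolled):
    """Return review findings for one zone's access-control settings.

    uncontrolled: True for zones attached to networks the administrator does
    not control (the page's example is the Internet).
    """
    findings = []
    for service in sorted(enabled_services):
        if uncontrolled:
            findings.append(
                f"{zone_name}: '{service}' is enabled on an uncontrolled zone; "
                "the page recommends disabling all services there")
        elif service in MANAGEMENT_SERVICES and zone_name != "Management":
            findings.append(
                f"{zone_name}: management service '{service}' is reachable "
                "outside the Management zone")
    return findings


# Constructed zone configuration to audit.
ZONES = {
    "Management": {"services": {"Administrative console", "CLI over SSH", "Ping"},
                   "uncontrolled": False},
    "Trusted": {"services": {"DNS", "HTTP(S) proxy", "Administrative console",
                             "Captive portal and block pages", "Ping"},
                "uncontrolled": False},
    "Untrusted": {"services": {"VPN", "Ping"}, "uncontrolled": True},
}


def audit_all(zones=ZONES):
    """Findings for every zone, keyed by zone name."""
    return {name: audit_zone(name, z["services"], z["uncontrolled"])
            for name, z in zones.items()}


if __name__ == "__main__":
    for name, zone in ZONES.items():
        print(f"{name}: listening on {exposed_endpoints(zone['services'])}")
    for name, findings in audit_all().items():
        for line in findings:
            print("  review:", line)
```

A finding is a review item, not an automatic error: a VPN for remote access zone facing the Internet will legitimately need the VPN service, and the audit simply makes every such exception visible so it is a deliberate decision rather than a default.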

Step 4. (Optional) Configure the IP spoofing protection settings.

In an IP spoofing attack, a malicious actor sends a packet from an external network, such as Untrusted, into an internal one, such as Trusted, after replacing its source IP address with an address belonging to the internal network. Replies to such a packet are then sent to that internal address.

To protect against this kind of attack, the administrator can specify the source IP address ranges allowed in the selected zone. Network packets with source IP addresses other than those specified will be discarded.

Using the Negate checkbox, the administrator can instead specify the source IP addresses from which packets must not be received on this zone's interfaces: packets whose source IP address falls within those ranges are rejected. For example, for the Untrusted zone, specify the "gray" (private) ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 and turn on Negate, since a packet arriving from the Internet should never carry a private source address.
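The following is an added example, not UserGate code, that implements the source-address check from Step 4 in both modes: without Negate only the listed ranges are accepted, with Negate the listed ranges are rejected. It uses the page's Untrusted-zone configuration (the three private ranges with Negate on) plus a constructed Trusted-zone filter, and runs a constructed set of inbound packets through each. The one assumption beyond the text is that a zone with no ranges configured has the protection switched off and accepts every source.

```python
"""Source-address (anti-spoofing) filter for a zone, as described in Step 4.

Constructed example, not UserGate code. It assumes that a zone with no
ranges configured has the protection switched off (every source accepted);
everything else follows the page: without Negate only listed sources pass,
with Negate the listed sources are rejected.
"""
from ipaddress import ip_address, ip_network


class ZoneSourceFilter:
    def __init__(self, ranges, negate=False):
        self.networks = [ip_network(r, strict=False) for r in ranges]
        self.negate = negate

    def _listed(self, src):
        addr = ip_address(src)
        # an IPv6 address never matches an IPv4 network and vice versa
        return any(addr in net for net in self.networks)

    def accept(self, src):
        """True if a packet with this source IP may enter the zone."""
        if not self.networks:
            return True                  # assumption: no ranges = protection off
        listed = self._listed(src)
        return not listed if self.negate else listed


def filter_packets(zone_filter, packets):
    """Split (src, dst) pairs into those accepted and those discarded."""
    accepted, discarded = [], []
    for src, dst in packets:
        (accepted if zone_filter.accept(src) else discarded).append((src, dst))
    return accepted, discarded


# The page's example for the Untrusted zone: "gray" ranges with Negate on.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
UNTRUSTED = ZoneSourceFilter(PRIVATE_RANGES, negate=True)

# A Trusted zone that should only ever see its own LAN as source (constructed).
TRUSTED = ZoneSourceFilter(("192.168.10.0/24",))

# Constructed packets arriving on the Untrusted interface (documentation ranges).
INBOUND = [
    ("203.0.113.7", "192.168.10.20"),    # genuine Internet source
    ("10.1.2.3", "192.168.10.20"),       # spoofed: private source from outside
    ("172.31.255.1", "192.168.10.20"),   # spoofed: still inside 172.16.0.0/12
    ("172.32.0.1", "192.168.10.20"),     # just past 172.16.0.0/12: accepted
    ("2001:db8::1", "192.168.10.20"),    # IPv6: matches no IPv4 range, accepted
]


if __name__ == "__main__":
    ok, dropped = filter_packets(UNTRUSTED, INBOUND)
    print("accepted:", [p[0] for p in ok])
    print("discarded:", [p[0] for p in dropped])
```

The 172.31.255.1 / 172.32.0.1 pair is there to check the /12 boundary, a common place for hand-written range lists to go wrong. The IPv6 line shows that a list built only from IPv4 ranges says nothing about IPv6 sources; if a zone carries IPv6, its ranges have to be listed as well.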