Using firewall rules, the administrator can allow or deny any type of transit network traffic that passes through UserGate. Source/destination zones or IP addresses, users, groups, services, and applications can all be used as conditions for the rules.
Firewall rule trigger events are displayed in the traffic log (Logs and reports --> Traffic) when Logging is enabled in the rule settings.
Note
The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.
Note
The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).
Note
If there are no rules created, all transit traffic via UserGate is blocked.
To create a firewall rule, go to the Network policies --> Firewall section, click Add, and provide the desired settings.
For a rule to be triggered, all conditions specified in the rule's settings must match.
| Name | Description |
|---|---|
| Enabled | Enables or disables the rule. |
| Name | The name of the rule. |
| Description | A description of the rule. |
| Action | Deny: blocks the traffic. Allow: allows the traffic. |
| Reject with | This parameter is available in rules that block traffic (with the Deny action selected). It can take one of the following values: |
| Scenario | The scenario that must be active for the rule to be triggered. For more details on how scenarios work, see the section Scenarios. Important! A scenario is an additional condition. If the scenario was not triggered (one or more scenario triggers did not occur), the rule will not be triggered. |
| Logging | Logs traffic information when the rule is triggered. The available options are: |
| Source | The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source. The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing is performed with the following statements: |
| Users | The list of users or groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. For more details on user identification, see the chapter Users and Devices. |
| Destination | The zone, IP address lists, GeoIP address lists, or URL lists of the traffic destination. The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing is performed with the following statements: |
| Service | The service type, such as HTTP or HTTPS. |
| Applications | List of applications to which this rule applies. The application is determined after a client-to-server connection has been established and traffic has been sent in both directions. The maximum amount of such traffic is 1KB. Therefore, a rule that allows an application will be applied to any traffic matching the rest of the rule's conditions until the application is determined. Similarly, a blocking rule (session termination) that has an application specified as one of the conditions will be triggered only after the application is determined. |
| Time | The time periods when the rule is active. |
| Usage | The rule triggering statistics: the total number of triggers, the time of the first and last triggers, and also the rule triggering table by application. To reset statistics, select rules in the list and click Reset hit counts. |
| History | The time when the rule was created and last modified, as well as the event log entries related to this rule: adding or updating the rule, changing the position of the rule in the list, etc. |