8.1. Zone Configuration

A zone in UGMC is a logical grouping of network interfaces. UGMC security policies refer to zones rather than to individual interfaces.

It is recommended to aggregate interfaces into a zone based on their intended use, e.g., a LAN interface zone, Internet interface zone, management interface zone, etc.

UGMC is supplied with the following default zones:

  • Management: used to connect trusted networks from which UGMC management is allowed.

  • Trusted: used to connect the managed devices and obtain access to the Internet.

For UGMC to work, a single configured interface is sufficient. Using separate network interfaces for managing the UGMC device itself and for managing UserGate MD is recommended for security but not mandatory.

UGMC administrators can edit the settings for the default zones and create additional zones.

Note

A maximum of 255 zones can be created.

To create a zone, follow these steps:

Step 1. Create a new zone.

Click Add and provide a name for the new zone.

Step 2. (Optional) Configure the DoS protection settings for the zone.

Configure the network flood protection settings for TCP (SYN-flood), UDP, and ICMP protocols in the zone:

  • Alert threshold: when the number of requests from a single IP address exceeds this threshold, the event is recorded in the system log.

  • Drop threshold: when the number of requests from a single IP address exceeds this threshold, UGMC starts dropping the incoming packets from that address and records the event in the system log.

The recommended values are 300 requests per second for the alert threshold and 600 requests per second for the drop threshold.

DoS protection exclusions: a list of source IP addresses that are exempt from the thresholds above. This is useful, for example, for managed UserGate gateways that legitimately send large amounts of data to UGMC servers.
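The two-tier threshold behaviour described in Step 2 (log above the alert threshold, drop and log above the drop threshold, exclusions bypass both) is shown below as an added Python illustration. This is not UGMC's own code: the class and function names, the sliding one-second window, and the constructed traffic sample (addresses from the RFC 5737 documentation ranges) are assumptions made for the example; the 300/600 requests-per-second values are the recommended thresholds from the text above.

```python
from collections import defaultdict, deque

ALERT_THRESHOLD = 300   # recommended alert threshold, requests per second
DROP_THRESHOLD = 600    # recommended drop threshold, requests per second


class FloodGuard:
    """Per-source-IP request counter over a sliding one-second window.

    Hypothetical model of a zone's flood protection: a source above the
    alert threshold gets a log event, a source above the drop threshold has
    its packets dropped (also logged), excluded sources are never counted.
    """

    def __init__(self, alert=ALERT_THRESHOLD, drop=DROP_THRESHOLD,
                 exclusions=(), window=1.0):
        self.alert = alert
        self.drop = drop
        self.window = window
        self.exclusions = set(exclusions)       # DoS protection exclusions
        self.windows = defaultdict(deque)       # src_ip -> recent timestamps
        self.state = defaultdict(lambda: "normal")
        self.log = []                           # (ts, src_ip, level, rate)

    def handle(self, ts, src_ip):
        """Return 'accept' or 'drop' for one packet seen at time ts."""
        if src_ip in self.exclusions:
            return "accept"
        q = self.windows[src_ip]
        q.append(ts)
        # Forget timestamps that fell out of the one-second window.
        while ts - q[0] > self.window:
            q.popleft()
        rate = len(q)
        if rate > self.drop:
            level = "drop"
        elif rate > self.alert:
            level = "alert"
        else:
            level = "normal"
        # Log once per level change rather than once per packet.
        if level != "normal" and level != self.state[src_ip]:
            self.log.append((ts, src_ip, level, rate))
        self.state[src_ip] = level
        return "drop" if level == "drop" else "accept"


def simulate(packets, exclusions=()):
    """Run a (timestamp, src_ip) stream through FloodGuard; return verdict
    counts per source and the event log."""
    guard = FloodGuard(exclusions=exclusions)
    verdicts = defaultdict(lambda: {"accept": 0, "drop": 0})
    for ts, ip in packets:
        verdicts[ip][guard.handle(ts, ip)] += 1
    return dict(verdicts), guard.log


def constructed_traffic():
    """Constructed sample: 800 packets/s from a flooding host, 100 packets/s
    from a normal host, 700 packets/s from a managed gateway."""
    pkts = [(i / 800, "203.0.113.5") for i in range(800)]
    pkts += [(i / 100, "198.51.100.7") for i in range(100)]
    pkts += [(i / 700, "192.0.2.9") for i in range(700)]
    pkts.sort()
    return pkts


if __name__ == "__main__":
    # With the gateway excluded, only the flooding host is throttled.
    verdicts, log = simulate(constructed_traffic(), exclusions=("192.0.2.9",))
    for ip, v in sorted(verdicts.items()):
        print(ip, v)
    for ts, ip, level, rate in log:
        print(f"{ts:.3f}s {ip} {level} rate={rate}/s")
```

Running it with the gateway excluded shows the flooding host accepted for its first 600 packets and dropped for the remaining 200, with one alert event and one drop event logged; without the exclusion the gateway at 700 packets per second would also be throttled, which is exactly the case the exclusion list exists for.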

Step 3. (Optional) Configure the access control settings for the zone.

Specify the UGMC-provided services that will be available to clients connected to this zone. It is recommended to disable all services for zones connected to uncontrolled networks, such as the Internet.

The following services exist:

  • Ping: enables pinging of UGMC.

  • SNMP: provides SNMP access to UserGate (UDP 161).

  • Administrative console: provides access to the administrative web console (TCP 8010 and 8300).

  • Control XML-RPC: enables API control of the product (TCP 4040).

  • VRRP: service required for combining multiple UserGate devices into an HA cluster (IP protocol 112).

  • Cluster: service required for combining several UserGate devices into a cluster (TCP 4369, TCP 9000-9100).

  • CLI over SSH: provides server access for management using the CLI (command line interface) (TCP 2200).

  • UserGate Management Center service: used for connecting UserGate NGFWs and UserGate LogAn devices (TCP 2022, 9712).

For more on network availability requirements, see Appendix 1. Network Environment Requirements.

Step 4. (Optional) Configure the IP spoofing protection settings.

IP spoofing attacks allow a malicious actor to send a packet from one network, such as Trusted, into another, such as Management. To do that, the attacker replaces the packet's source IP address with an address that belongs to the target network. Responses to such a packet are then sent to that internal address rather than back to the attacker.

To protect against this kind of attack, the administrator can specify the source IP address ranges allowed in the selected zone. Network packets with source IP addresses other than those specified will be discarded.

Using the Negate checkbox, the administrator can instead specify the source IP address ranges from which packets must not be received on this zone's interfaces. In this case, packets with source IP addresses within those ranges are rejected and all others are accepted. As an example, you can specify the private ("gray") IP address ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 and enable the Negate option.
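The allowed-ranges check and its Negate variant from Step 4 are shown below as an added Python illustration, not as UGMC's own code. The class and function names are assumptions; the private ranges are the ones named in the text, and the sample source addresses are constructed from the RFC 5737 documentation ranges. The example also shows both zones from the default set side by side: an allowlist on Management and a negated private-range list on an Internet-facing Trusted zone.

```python
import ipaddress

# The private ("gray") ranges named in the text.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


class ZoneSourceFilter:
    """Hypothetical model of a zone's IP spoofing protection.

    negate=False: accept only packets whose source lies inside `ranges`.
    negate=True:  reject packets whose source lies inside `ranges`, accept
                  everything else.
    """

    def __init__(self, name, ranges, negate=False):
        self.name = name
        self.networks = [ipaddress.ip_network(r, strict=False) for r in ranges]
        self.negate = negate

    def in_ranges(self, src):
        addr = ipaddress.ip_address(src)
        # `in` is False for a mismatched IP version, so an IPv6 source never
        # matches an IPv4 range (and vice versa).
        return any(addr in net for net in self.networks)

    def accepts(self, src):
        matched = self.in_ranges(src)
        return not matched if self.negate else matched


def filter_sources(zone, sources):
    """Split a list of source addresses into those the zone would accept
    and those it would discard."""
    accepted, rejected = [], []
    for src in sources:
        (accepted if zone.accepts(src) else rejected).append(src)
    return accepted, rejected


# Constructed sample of source addresses seen on a zone's interfaces.
SAMPLE_SOURCES = [
    "192.168.1.10",   # management workstation (private)
    "10.0.0.5",       # other internal host (private)
    "172.20.3.4",     # private address arriving on an Internet interface
    "203.0.113.5",    # public address
    "198.51.100.7",   # public address
]

# Management zone: only the management LAN may talk to it.
MANAGEMENT = ZoneSourceFilter("Management", ["192.168.1.0/24"])
# Trusted zone facing the Internet: private sources cannot legitimately
# arrive here, so reject them with Negate enabled.
TRUSTED = ZoneSourceFilter("Trusted", PRIVATE_RANGES, negate=True)


if __name__ == "__main__":
    for zone in (MANAGEMENT, TRUSTED):
        ok, bad = filter_sources(zone, SAMPLE_SOURCES)
        print(f"{zone.name}: accepted={ok} rejected={bad}")
```

On the Management zone only 192.168.1.10 passes; on the Internet-facing Trusted zone with Negate enabled the three private sources are discarded while the two public ones pass, which is the spoofing case the setting is meant to stop.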