Device Management

The Device management section includes the following NGFW settings:

  • Clustering
  • Diagnostics settings
  • Server operations
  • Backup
  • Settings export and import

Diagnostics

This section contains the server diagnostics settings that UserGate technical support will need to resolve any problems that arise.

Name

Description

Diagnostic details

  • Off: diagnostics logs are disabled

  • Error: log only server errors

  • Warning: log only errors and warnings

  • Info: log only errors, warnings, and additional information

  • Debug: provide as much detail as possible

It is recommended to set Diagnostic details to Error (errors only) or Off (disabled), unless UserGate technical support asks you to set different values. Any values other than Error (errors only) or Off (disabled) will affect NGFW performance negatively.

Diagnostics logs

  • Download logs: download the diagnostic logs for sending to UserGate support. Frontend and/or system logs are available for download. To download logs, select the desired ones and click or tap Start archiving logs. When archiving is completed, the logs will be available for download using the Download button.

  • Clear logs: purge logs of content.

Remote assistance

  • On/Off: enable/disable the remote assistance mode. Remote assistance allows a UserGate support engineer to connect securely to a UserGate server for troubleshooting and problem solving using the known values of the Remote assistance ID and token. For a successful activation of remote assistance, NGFW must have SSH access to the remote assistance server.

  • Remote assistance ID: a randomly generated value that is unique for each remote assistance session.

  • Remote assistance token: a randomly generated token value that is unique for each remote assistance session.

Server operations

In this section, you can perform the following server maintenance actions:

Name

Description

Server operations

  • Reboot: reboot NGFW

  • Shutdown: shut down NGFW

Updates channel

Here you can select the update channel for UserGate software:

  • Stable: check for stable software updates and download them (if any)

  • Beta: check for experimental updates and download them (if any)

Server updates

Displays available NGFW updates.

Starts the server update process and allows you to create a restore point.

View a changelog for the update.

Offline updates

Download a file for offline updates.

Upstream proxy settings to check licenses and updates

Configure the upstream HTTP(S) proxy server settings for license and software updates for NGFW.

Specify the IP address and port of the upstream proxy server. If necessary, specify login and password for authentication on the upstream proxy server.

The UserGate team is continuously working to improve its software and provides UserGate product updates as part of a Security Update license module subscription (for more details on licensing, see the chapter Licensing). If there are any updates available, a notification to that effect will display in the Device management ➜ Server Operations section. As a product update can take quite a while, it is recommended to account for the potential NGFW downtime when planning update installation.

To install updates, follow these steps:

Name

Description

Step 1. Create a backup file.

Create a backup of NGFW state as described in the System Utilities section. This step is always recommended before applying updates because it will allow you to restore the previous state of the device, should any problems arise during the update process.

Step 2. Install the updates.

In the Device management section, if the New updates available notification is present, click Install now. The system will install the downloaded updates, and when the installation completes, NGFW will reboot.

System backup management

This section allows you to manage NGFW backups, i.e. to set backup export rules, to create a backup, and to restore NGFW.

To create a backup, follow these steps:

Name

Description

Step 1. Create a backup

Under Device management ➜ System backup management, click Create backup. The system will save the current server settings in a file named:

backup_PRODUCT_NODE-NAME_DATE.gpg, where:

PRODUCT is the product type: NGFW, LogAn, or MC;

NODE-NAME is the UserGate node name;

DATE is the date and time when the backup was created as YYYY-MM-DD-HH-MM. The time is in UTC time zone.

To interrupt the backup process, press the Stop button. The backup record will be displayed in the device event log.

To restore the device status, follow these steps:

Name

Description

Step 1. Restore the device state

Under Device management ➜ System backup management, click Restore from backup and specify the path to the previously created settings file to upload it to the server. Restore will be suggested in the tty console when the device reboots.

In addition, the administrator can configure a scheduled file upload to external servers (FTP, SSH). To create a schedule for uploading settings, follow these steps:

Name

Description

Step 1. Create a backup export rule

Under Device management ➜ System backup management, click Add and enter a name and description for the rule.

Step 2. Specify the remote server parameters

In the Remote server tab of the rule, specify the parameters for the remote server:

  • Server type: FTP or SSH

  • Address: the server's IP address

  • Port: the server's port

  • Login name: the user account on the remote server

  • Password/Repeat password: the password for the user account

  • Directory path: the path on the server where the settings will be uploaded

If using an SSH server, you can use key authorization. To import or generate a key, select SSH key setup and specify Generate key or Import key.

Important! If you re-create a key, the existing SSH key will be deleted. The public key must reside on the SSH server in the user keys directory /home/user/.ssh/ in the authorized_keys file.

When initially configuring the SSH backup export rule, connection verification is mandatory (Check connection button). When the connection is verified, the fingerprint is placed in known_hosts. The files are not sent without verification.

Important! If you change the SSH server or reinstall it, the backup files will be unavailable, because the fingerprint has changed. This protects you from spoofing.

Step 3. Select the upload schedule

In the Schedule tab of the rule, specify when the settings should be uploaded. If specifying the time in the crontab format, enter it as follows:

(minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday)

Each of the first five fields can be defined using:

  • An asterisk (*) denotes the entire range (from the first number to the last).

  • A dash (-) denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • The asterisk and dash are also used for spacing out values in ranges. The increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".

Exporting and importing settings

The administrator can save the current NGFW settings in a file and later restore them on the same or another NGFW. This is different from a backup in that importing/exporting the settings does not preserve the current state of all system components: only the current settings are saved.

Note Export/import of settings does not restore the cluster state and license information. During configuration import, you will be prompted to select the desired cluster node for restore.
Note Settings export is a cluster function, i.e. After completing the import, you will need to re-register NGFW using the existing PIN code and, if necessary, re-create the cluster.
Note If TOTP-based multifactor authentication is used, TOTP keys are not stored; re-authentication will be required.

You can export either all settings (except those listed above) or export network settings only. When only the network settings are exported, the following information is preserved:

  • DNS settings

  • DHCP Configuration

  • The settings for all interfaces, including tunnels

  • Gateway settings

  • Virtual router (VRF) settings

  • WCCP Configuration

  • Zone settings.

To export the settings, follow these steps:

Name

Description

Step 1. Export the settings.

Under Device management ➜ Settings export and import, click Export ➜ Export all settings or Export network settings. The system will save the current server settings in a file named

utm-utmcore@nodename_version-YYYYMMDD_HHMMSS.bin, where:

nodename is the NGFW node name

version is the UGOS version, and

YYYYMMDD_HHMMSS is the settings export time in the UTC timezone, for example:

utm-utmcore@heashostatot_6.1.1.10462R-1_20210511_095942
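Added example (not UserGate code): a Python check that parses the backup and settings-export file names described above and reports nodes whose newest file on the remote server is older than a threshold. The file listing, node names and one-day threshold are constructed assumptions; the export pattern also accepts the `_` separator and missing extension seen in the sample name above, and assumes node names in export files contain no underscore.

```python
import re
from datetime import datetime, timedelta, timezone

# backup_PRODUCT_NODE-NAME_DATE.gpg, DATE = YYYY-MM-DD-HH-MM in UTC
BACKUP_RE = re.compile(
    r"^backup_(?P<product>NGFW|LogAn|MC)_(?P<node>.+)_"
    r"(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}-\d{2})\.gpg$")
# utm-utmcore@nodename_version-YYYYMMDD_HHMMSS.bin; the sample name on the page
# uses "_" before the date and has no extension, so both variants are accepted.
EXPORT_RE = re.compile(
    r"^utm-utmcore@(?P<node>[^_]+)_(?P<version>.+?)[-_]"
    r"(?P<ts>\d{8}_\d{6})(?:\.bin)?$")

def parse_name(name):
    """Return (kind, node, created_utc), or None if the name fits neither pattern."""
    for kind, rx, fmt in (("backup", BACKUP_RE, "%Y-%m-%d-%H-%M"),
                          ("export", EXPORT_RE, "%Y%m%d_%H%M%S")):
        m = rx.match(name)
        if m:
            try:
                ts = datetime.strptime(m["ts"], fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                return None  # right shape, but not a real date/time
            return kind, m["node"], ts
    return None

def stale_nodes(names, now, max_age=timedelta(days=1)):
    """(kind, node) pairs whose newest file in `names` is older than max_age."""
    newest = {}
    for name in names:
        parsed = parse_name(name)
        if parsed:
            key = parsed[:2]
            newest[key] = max(newest.get(key, parsed[2]), parsed[2])
    return sorted(key for key, ts in newest.items() if now - ts > max_age)

# Constructed directory listing from the upload server (not real data).
SAMPLE_LISTING = [
    "backup_NGFW_fw-edge-1_2024-03-01-02-00.gpg",
    "backup_NGFW_fw-edge-1_2024-03-02-02-00.gpg",
    "backup_NGFW_fw-core_2024-02-20-02-00.gpg",
    "utm-utmcore@heashostatot_6.1.1.10462R-1_20210511_095942",
    "notes.txt",
]

if __name__ == "__main__":
    now = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)
    for kind, node in stale_nodes(SAMPLE_LISTING, now):
        print(f"stale {kind} for node {node}")
```
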

To apply the exported settings, follow these steps:

Name

Description

Step 1. Import the settings.

In the Device management ➜ Settings export section, click Import, and browse to the path of the settings file created earlier. The settings will be applied to the server, after which the server will reboot.

Note To correctly import the rules that use updatable UserGate lists (applications, URL categories, etc.), you need to have licenses for the SU and ATP modules as well as pre-downloaded UserGate lists.

In addition, the administrator can configure a scheduled settings upload to external servers (FTP, SSH). To create a schedule for uploading settings, follow these steps:

Name

Description

Step 1. Create an export rule.

Under Device management ➜ Settings export and import, click Add and enter a name and description for the rule.

Step 2. Specify the remote server parameters.

In the Remote server tab of the rule, specify the parameters for the remote server:

  • Server type: FTP or SSH

  • Address: the server's IP address

  • Port: the server's port

  • Login name: the user account on the remote server

  • Password/Confirm password: the password for the user account

  • Directory path: the path on the server where the settings will be uploaded

Step 3. Select the upload schedule.

In the Schedule tab of the rule, specify when the settings should be uploaded. If specifying the time in the CRONTAB format, enter it as follows:

(minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday)

Each of the first five fields can be defined using:

  • An asterisk (*) denotes the entire range (from the first number to the last).

  • A dash (-) denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • The asterisk and dash are also used for spacing out values in ranges. The increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".
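Added example (not UserGate code): a Python validator for the five-field schedule syntax described in the Schedule tab of both the backup export rule and the settings export rule. It expands each field into its concrete values and shows the common mistake of leaving `*` in the minutes field; the function names and sample schedules are constructed for illustration.

```python
# Field names and ranges exactly as listed in the schedule format above.
FIELDS = (("minutes", 0, 59), ("hours", 0, 23), ("days of the month", 1, 31),
          ("month", 1, 12), ("days of the week", 0, 6))

def expand_field(expr, lo, hi):
    """Expand one field ('*', 'a-b', lists, '/step') into a sorted list of ints."""
    values = set()
    for part in expr.split(","):
        rng, sep, step = part.partition("/")
        if sep and not step.isdigit():
            raise ValueError(f"bad increment in {part!r}")
        step = int(step) if sep else 1
        if step < 1:
            raise ValueError(f"increment must be >= 1 in {part!r}")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = int(a), int(b)   # int() raises ValueError on junk
        else:
            start = end = int(rng)
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)

def expand_schedule(line):
    """Validate a full schedule line and return {field name: [values]}."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected exactly five fields")
    return {name: expand_field(p, lo, hi)
            for p, (name, lo, hi) in zip(parts, FIELDS)}

def uploads_per_matching_day(line):
    """How many uploads fire on each day the schedule matches."""
    sched = expand_schedule(line)
    return len(sched["minutes"]) * len(sched["hours"])

if __name__ == "__main__":
    # Constructed schedules: nightly at 02:00 vs. every minute of the 02:00 hour.
    for line in ("0 2 * * *", "* 2 * * *", "30 */2 * * 1-5"):
        print(line, "->", uploads_per_matching_day(line), "uploads per day")
```
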