Access to the UserGate NGFW web console is controlled by creating additional administrator accounts, assigning them access profiles, defining an administrator password management policy, and allowing the Administrative console service in the properties of the network zones from which the console may be reached. As an additional security measure for console access, you can turn on certificate-based authorization for administrators.
To create additional device administrator accounts, follow these steps:

| Name | Description |
|---|---|
| Step 1. Create an administrator access profile. | In the Administrators ➜ Administrator profiles section, click Add and enter the desired settings. |
| Step 2. Create an administrator account and assign it one of the administrator profiles created earlier. | In the Administrators section, click Add and select the desired option. |
When creating an administrator access profile, specify the following parameters:

| Name | Description |
|---|---|
| Name | Profile name. |
| Description | Profile description. |
| API permissions | The list of objects available for access delegation when using the Application Programming Interface (API). The objects are described in the API documentation. The following access options are available: |
| Web console permissions | The list of web console tree objects available for delegation. The following access options are available: |
| CLI permissions | CLI access can be enabled here. The following access options are available: |
An NGFW administrator can configure additional protection settings for administrator accounts, such as password complexity requirements and temporary blocking of an account once the maximum number of failed authentication attempts is exceeded.
To configure these settings, follow these steps:

| Name | Description |
|---|---|
| Step 1. Configure the password policy. | In the Administrators ➜ Administrators section, click Configure. |
| Step 2. Fill in the relevant fields. | Provide values for these fields: |
The administrator can define the zones from which access to the web console service will be allowed (TCP port 8001).
To allow the web console service for a specific zone, go to the zone properties and allow access to the Administrative console service in the Access control section. For more details on configuring zone access control, see the section Zone Configuration.
As an additional security measure for console access, you can turn on certificate-based authorization for administrators.
To turn on this mode, follow these steps (this example uses the openssl utility):

| Name | Description |
|---|---|
| Step 1. Create additional administrator accounts. | Configure the settings as described earlier in this chapter; for example, create an administrator account named Administrator54. |
| Step 2. Create or import an existing CA (Certification Authority) type certificate for web console authorization. | Create or import an existing CA certificate (the certificate itself, i.e. the public part, is sufficient; NGFW does not need the CA private key) as described in chapter Certificate Management. Important! The CA certificate to import is the one that directly signs the administrator certificates, not the root certificate above it. For example, to create a CA with openssl: `openssl req -x509 -subj '/C=RU/ST=Moscow/O=MyCompany/CN=ca.mycompany.com' -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes` followed by `openssl rsa -in ca-key.pem -out ca-key.pem`. The file ca-key.pem stores the CA private key and ca.pem stores the CA certificate. Import ca.pem into NGFW and keep ca-key.pem off the device. Note that `openssl req -x509` issues a certificate valid for only 30 days unless `-days` is specified. |
| Step 3. Create certificates for the administrator accounts. | Create a private key and a certificate signing request (CSR) for each administrator using third-party utilities such as openssl. The Common Name (CN) field of the certificate must exactly match the administrator account name as created in NGFW. For openssl and the Administrator54 account, the command is: `openssl req -subj '/C=SG/ST=Singapore/O=MyCompany/CN=Administrator54' -out admin.csr -newkey rsa:2048 -keyout admin-key.pem -nodes` |
| Step 4. Sign the administrator certificates created at Step 3 with the CA certificate. | Sign each administrator CSR with the web console CA using third-party utilities such as openssl: `openssl x509 -req -days 9999 -CA ca.pem -CAkey ca-key.pem -set_serial 1 -in admin.csr -out admin.pem` followed by `openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out admin.p12 -name 'Administrator54 client certificate'`. The admin.p12 file contains the signed administrator certificate together with its private key, so protect it with an export password and hand it only to that administrator. When issuing certificates for several administrators, give each one a different `-set_serial` value (or let openssl manage serials with `-CAserial` and `-CAcreateserial`): two certificates from the same CA must not share a serial number. Choose a validity period that matches your policy; 9999 days is used here only as an example. |
| Step 5. Add the signed certificates to the OS from which the administrators will be authorized for web console access. | Import the signed administrator certificates (admin.p12 in this example) into the certificate store of the OS (or of the Firefox browser, if it is used for console access, since Firefox keeps its own store) on the workstation from which the administrator connects. For details, see the documentation for the relevant OS. Test that the certificate is installed correctly before proceeding, so that the switch in the next step does not lock you out of the console. |
| Step 6. Switch the web console to the X.509 certificate authorization mode. | In the General settings section, change the Web console authentication mode to X.509 certificate. |
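Steps 2 to 4 above as a single script, added here as an example; it is not part of the UserGate documentation or product. It assumes openssl 1.1.1 or later on the issuing host, and the organisation name, CA name, validity periods, file layout and function names are placeholders chosen for this example. It goes beyond the page's commands in three ways: the CA certificate carries proper CA extensions, each administrator certificate gets its own serial number, and two pre-flight checks confirm what NGFW will see (the chain to ca.pem and the certificate CN) before the console is switched to X.509 mode.

```shell
#!/bin/sh
# Added example, not from the UserGate documentation: an openssl-based PKI for
# NGFW administrator client certificates (Steps 2-4), with the checks worth
# running before switching the console to X.509 mode.
# Assumptions (not from the page): openssl 1.1.1/3.x on PATH; ORG, CA_CN and
# the validity periods are placeholders.
set -eu

ORG="MyCompany"                  # placeholder, as in the page's example
CA_CN="ca.mycompany.com"         # placeholder CA name
CA_DAYS=3650                     # req -x509 would default to 30 days
ADMIN_DAYS=365                   # instead of the page's 9999 days

# Extension profiles: the CA profile makes ca.pem a real CA (CA:TRUE,
# keyCertSign); the admin profile marks admin certs as non-CA client certs.
write_ext_cnf() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_admin]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Create the signing CA. ca.pem is what gets imported into NGFW as a
# CA-type certificate; ca-key.pem stays on the issuing host only.
make_ca() {
  dir="$1"
  write_ext_cnf "$dir"
  openssl req -x509 -config "$dir/ext.cnf" -extensions v3_ca \
    -subj "/O=$ORG/CN=$CA_CN" -newkey rsa:2048 -nodes -days "$CA_DAYS" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  chmod 600 "$dir/ca-key.pem"
}

# Issue one administrator certificate. $2 must be the NGFW account name
# exactly, because NGFW matches it against the certificate CN. Produces
# $dir/<name>.p12 (certificate + key, export password $3) for the workstation.
issue_admin_cert() {
  dir="$1"; name="$2"; p12pass="$3"
  openssl req -new -config "$dir/ext.cnf" -subj "/O=$ORG/CN=$name" \
    -newkey rsa:2048 -nodes \
    -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
  # -CAserial/-CAcreateserial give every certificate a distinct serial,
  # unlike a fixed -set_serial value reused for each administrator.
  openssl x509 -req -days "$ADMIN_DAYS" -extfile "$dir/ext.cnf" -extensions v3_admin \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAserial "$dir/ca.srl" -CAcreateserial \
    -in "$dir/$name.csr" -out "$dir/$name.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/$name.pem" -inkey "$dir/$name-key.pem" \
    -name "$name client certificate" -passout "pass:$p12pass" \
    -out "$dir/$name.p12"
  rm -f "$dir/$name.csr" "$dir/$name-key.pem"   # the key now lives only in the .p12
}

# CN of a PEM certificate (the value NGFW compares with the account name).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN *= *//p'
}

# Hex serial of a certificate, to confirm two admin certs do not collide.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# CN of the certificate inside a .p12, i.e. what the workstation will present.
p12_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN *= *//p'
}

# Pre-flight check for one account: the certificate chains to ca.pem (the CA
# imported into NGFW) and its CN equals the account name.
verify_admin_cert() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/ca.pem" "$dir/$name.pem" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$dir/$name.pem")" = "$name" ]
}

# Usage: sh admin-certs.sh <dir> <NGFW account name> [p12 password]
if [ $# -ge 2 ]; then
  mkdir -p "$1"
  [ -f "$1/ca.pem" ] || make_ca "$1"
  issue_admin_cert "$1" "$2" "${3:-changeit}"
  verify_admin_cert "$1" "$2" && echo "OK: $1/$2.p12 issued for CN=$(cert_cn "$1/$2.pem")"
fi
```

Run it as `sh admin-certs.sh ./pki Administrator54 'export-password'`, then import ./pki/ca.pem into NGFW as the CA-type certificate and ./pki/Administrator54.p12 on that administrator's workstation. If an older OS refuses a .p12 produced by OpenSSL 3, re-export it with the `-legacy` option of `openssl pkcs12`.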
The Administrators ➜ Administrator sessions section displays all administrators who are logged in to the NGFW administrative web console. Any of the administrator sessions can be reset (closed) if necessary.