Zones

This section describes the network zone level of the CLI. To create a new zone, use the following command:

Admin@nodename# create network zone

Provide the following zone parameters:

Parameter

Description

name

Zone name.

description

Zone description.

dos-protection-syn

Protect the zone against network flooding for TCP protocol (SYN-flood):

  • enabled: enable/disable the protection.

    • on

    • off

  • aggregate:

    • on: count all packets incoming to the zone's interfaces

    • off: count packets for each IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops packets and records this event in the system log.

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

dos-protection-udp

Protect the zone against network flooding for UDP protocol:

  • enabled: enable/disable the protection.

    • on

    • off

  • aggregate:

    • on: count all packets incoming to the zone's interfaces

    • off: count packets for each IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops packets and records this event in the system log.

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

dos-protection-icmp

Protect the zone against network flooding for ICMP protocol:

  • enabled: enable/disable the protection.

    • on

    • off

  • aggregate:

    • on: count all packets incoming to the zone's interfaces

    • off: count packets for each IP address separately.

  • alert-threshold: alert threshold; if the number of requests exceeds this value, the event is recorded in the system log.

  • drop-threshold: packet drop threshold; if the number of requests exceeds this value, UserGate drops packets and records this event in the system log.

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

enabled-services

Zone access control settings:

  • "Any ICMP": allow use of the ping command to a UserGate address.

  • SNMP: provides SNMP access to UserGate (UDP 161).

  • response-pages: permission to display Captive portal auth and block pages (TCP 80, 443, 8002).

  • rpc (XML-RPC): enables API control of the product (TCP 4040).

  • ha: service required to combine multiple UserGate nodes into a cluster (TCP 4369, TCP 9000-9100).

  • VRRP: required for combining several UserGate nodes into a HA cluster (IP protocol 112).

  • "Admin Console": access to the management web console (TCP 8001).

  • DNS: provides access to the DNS proxy service (TCP 53, UDP 53).

  • "HTTP Proxy": access to the HTTP(S) proxy (TCP 8090).

  • "Authorization agent": server access required for Windows authorization agents and terminal servers (UDP 1813).

  • "SMTP Proxy": service to filter SMTP traffic for spam and viruses. Required only when publishing a mail server to the Internet.

  • "POP3 Proxy": service to filter POP3 traffic for spam and viruses. Required only when publishing a mail server to the Internet.

  • "CLI over SSH": access to server to manage it via CLI, port TCP 2200.

  • VPN: provides server access for connecting L2TP VPN clients (UDP 500, 4500).

  • SCADA: SCADA traffic filtering. Required only for SCADA traffic control.

  • "REVERSE PROXY": service required to publish internal resources using Reverse Proxy.

  • "PROXY PORTAL": service required to publish internal resources using an SSL VPN.

  • L7 DNS: DNS traffic detection at the application level.

  • L7 NTP: NTP traffic detection at the application level.

  • "SAML SERVER": select an SAML server in the list of zone services and general UserGate settings.

  • Log Analyzer: the Log Analyzer service. Enable this if you plan to use this UserGate server as a Log analyzer (TCP 2023 and 9713).

  • "Dynamic routing OSPF": OSPF dynamic routing service.

  • "Dynamic routing BGP": BGP dynamic routing service.

  • "SNMP Proxy": service used to build a distributed monitoring system (used to balance load and organize monitoring of a distributed network infrastructure).

  • "SSH Proxy": service used to initiate SSH traffic.

  • Multicast: multicast service.

  • NTP: access to the accurate time service running on the UserGate server.

  • "Dynamic routing RIP": RIP dynamic routing service.

  • UserID agent: transparent authentication service that uses Active Directory logs and Syslog as its authentication data source.

  • BFD: the Bidirectional Forwarding Detection service for quick network fault detection.

service-addresses

Allowed IP addresses for services:

  • service: the service(s) the restriction applies to (the list of values matches enabled-services).

  • allowed-addresses: the allowed IP addresses. The options are:

    • geoip: a GeoIP code

    • ip-list: an IP address list previously configured in the item library.

antispoof-enabled

Enable/disable IP spoofing protection:

  • on

  • off

antispoof-negate

Invert the meaning of the IP spoofing protection lists (geoip and ip-list):

  • on

  • off

With antispoof-negate on, the interfaces in the zone do not accept packets whose source address falls in the ip-spoofing-networks value (the addresses defined by geoip and ip-list); such packets are discarded. A common use on an Internet-facing zone is to list the private address ranges with negate on, so that packets arriving from outside with an internal source address are dropped.

sessions-limit-enabled

Enable the limit on the number of concurrent sessions from a single IP address:

  • on

  • off

sessions-limit-exclusions

Add a list of IP addresses to which the concurrent session limit will not apply.

sessions-limit-threshold

The maximum allowed number of sessions originating from a single IP address.

geoip

GeoIP codes that are used in IP spoofing protection.

ip-list

List of IP addresses that are used in IP spoofing protection.
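As an added example (not UserGate code), the following Python model shows how the zone parameters above interact: IP spoofing protection with antispoof-negate, the per-address session limit with its exclusions, and flood protection with aggregate on versus off. The constructed traffic makes the aggregate trade-off visible: three hosts sending 400 SYNs each stay under a per-address threshold of 500, while the same packets counted in one zone-wide bucket exceed both the alert and the drop threshold. All class and function names are the example's own; treating thresholds as packets per window is an assumption (the page gives no unit), and the behaviour of antispoof-negate off is inferred from the on case described above.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DosProtection:
    """Model of one dos-protection-syn / -udp / -icmp block."""
    enabled: bool = False
    aggregate: bool = False     # on: one counter for the whole zone; off: one counter per IP
    alert_threshold: int = 0    # 0 = never alert
    drop_threshold: int = 0     # 0 = never drop
    excluded_ips: tuple = ()    # hosts or CIDRs that are never counted


@dataclass
class Zone:
    name: str
    antispoof_enabled: bool = False
    antispoof_negate: bool = False
    ip_list: tuple = ()                       # networks used by IP spoofing protection
    sessions_limit_enabled: bool = False
    sessions_limit_threshold: int = 0
    sessions_limit_exclusions: tuple = ()
    dos: dict = field(default_factory=dict)   # "syn" / "udp" / "icmp" -> DosProtection


def in_any(ip: str, nets) -> bool:
    """True if ip falls in any of the given hosts/CIDRs."""
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in nets)


def antispoof_verdict(zone: Zone, src: str) -> str:
    """'accept' or 'drop' for a packet with source address src.
    negate on: sources in ip_list are dropped (the case the page states).
    negate off: only sources in ip_list are accepted (assumption; the page
    does not spell out this case)."""
    if not zone.antispoof_enabled:
        return "accept"
    listed = in_any(src, zone.ip_list)
    if zone.antispoof_negate:
        return "drop" if listed else "accept"
    return "accept" if listed else "drop"


def session_allowed(zone: Zone, src: str, open_sessions: Counter) -> bool:
    """May src open one more session, given its currently open sessions?"""
    if not zone.sessions_limit_enabled or in_any(src, zone.sessions_limit_exclusions):
        return True
    return open_sessions[src] < zone.sessions_limit_threshold


def flood_window(zone: Zone, proto: str, sources):
    """Run one window of packets (listed by source IP) through the flood
    protection for proto. Returns (alerted_keys, dropped_packets, counts).
    Thresholds are treated as packets per window (assumption)."""
    prot = zone.dos.get(proto)
    if prot is None or not prot.enabled:
        return [], 0, {}
    counts, dropped, alerted = Counter(), 0, set()
    for src in sources:
        if in_any(src, prot.excluded_ips):
            continue                                  # excluded servers are never counted
        key = zone.name if prot.aggregate else src    # one bucket, or one bucket per IP
        counts[key] += 1
        if prot.alert_threshold and counts[key] > prot.alert_threshold:
            alerted.add(key)                          # would be recorded in the system log
        if prot.drop_threshold and counts[key] > prot.drop_threshold:
            dropped += 1                              # recorded and dropped
    return sorted(alerted), dropped, dict(counts)


def demo() -> dict:
    """Constructed traffic (not a capture): three hosts send 400 SYNs each and an
    excluded monitoring host sends 900, all within one window."""
    syn = DosProtection(enabled=True, aggregate=False, alert_threshold=500,
                        drop_threshold=1000, excluded_ips=("198.51.100.250",))
    untrusted = Zone("Untrusted", antispoof_enabled=True, antispoof_negate=True,
                     ip_list=("10.0.0.0/8", "192.168.0.0/16"),
                     sessions_limit_enabled=True, sessions_limit_threshold=2,
                     sessions_limit_exclusions=("203.0.113.10",), dos={"syn": syn})
    window = ["203.0.113.1", "203.0.113.2", "203.0.113.3"] * 400 + ["198.51.100.250"] * 900
    per_ip = flood_window(untrusted, "syn", window)        # each source stays under 500
    syn.aggregate = True
    aggregated = flood_window(untrusted, "syn", window)    # 1200 in one bucket: alert + drops
    sessions = Counter({"203.0.113.7": 2, "203.0.113.10": 50})
    return {
        "per_ip": per_ip,
        "aggregated": aggregated,
        "private_src_on_untrusted": antispoof_verdict(untrusted, "10.1.2.3"),
        "public_src_on_untrusted": antispoof_verdict(untrusted, "198.51.100.4"),
        "session_at_limit": session_allowed(untrusted, "203.0.113.7", sessions),
        "session_excluded": session_allowed(untrusted, "203.0.113.10", sessions),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The per-address mode is the better default against a single noisy source, but a distributed flood whose sources each stay below the threshold is invisible to it; the aggregate mode catches that case at the cost of counting legitimate clients together, which is why the excluded-ips list matters for known high-volume servers.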

Example command to create a zone:

Admin@nodename# create network zone name Test_zone description "Test_zone description" antispoof-enabled on enabled-services [ "Any ICMP" DNS ] dos-protection-icmp enabled on

To edit zone parameters, use the following command:

Admin@nodename# set network zone <zone-name>

For example, to enable SYN flood protection for Test_zone:

Admin@nodename# set network zone Test_zone dos-protection-syn enabled on

To delete a zone or its parameters, use the following command:

Admin@nodename# delete network zone <zone-name>

You can delete the following parameters:

Parameter

Description

dos-protection-syn

Protect the zone against network flooding for TCP protocol (SYN-flood):

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

dos-protection-udp

Protect the zone against network flooding for UDP protocol:

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

dos-protection-icmp

Protect the zone against network flooding for ICMP protocol:

  • excluded-ips: list of IP addresses of servers that should be excluded from protection.

enabled-services

The previously configured zone access control settings

geoip

GeoIP codes that are used in IP spoofing protection.

ip-list

List of IP addresses that are used in IP spoofing protection.

To view zone settings, use the following command:

Admin@nodename# show network zone <zone-name>