Description
UserGate Next-Generation Firewall is available as a hardware and software system (HSC, appliance) or as a virtual machine image (virtual appliance) designed to be deployed in a virtual environment. As a virtual appliance, UserGate Next-Generation Firewall is supplied with ten Ethernet interfaces. In the form of an HSC, it can have 2 to 64 Ethernet ports.
Virtual Appliance Deployment
UserGate NGFW Virtual Appliance is a quick way to deploy a VM with pre-configured components. The VM image is supplied in the OVF (Open Virtualization Format) format, which is supported by vendors such as VMWare and Oracle VirtualBox, and in the Qcow2 format for QEMU-KVM virtualization systems. For Microsoft Hyper-V, a VM disk image is supplied.
To get started with the virtual appliance, follow these steps:
| Name | Description |
|---|---|
| Step 1. Download and unpack the VM image. | Download the latest version of the virtual appliance from the official website, https://www.usergate.com. |
| Step 2. Import the VM image into your virtualization system. | Instructions on how to import a VM image can be found on the VirtualBox and VMWare websites. For Microsoft Hyper-V, first create a VM, specify the downloaded VM image as its disk, and then disable Integration Services in the settings of the newly created VM. |
| Step 3. Configure the VM parameters. | Increase the RAM allocated to the VM. In the VM properties, set a minimum of 8GB and add 1GB for every 100 users. |
| Step 4. Important! Manually create an additional disk of the required size. | The default disk size is 100GB, which is usually not enough to store all logs and settings. In the VM properties, set a disk size of 200GB or more; 300GB or more is recommended. For QEMU-KVM, the default system partition size is 8GB. At the first boot, the system automatically detects the additional disk and expands its system partitions onto it. This command adds a 100GB disk to a QEMU-KVM system: `qemu-img create -f qcow2 -o preallocation=metadata,refcount_bits=16,lazy_refcounts=on,cluster_size=4K your-disk-name.qcow2 100G` |
| Step 5. Configure virtual networks. | UserGate is supplied with four interfaces, each assigned to a zone. |
| Step 6. Perform a factory reset. | Start the UserGate VM. During loading, select Support Menu and then Factory reset. This is a critical step: UserGate uses it to configure the network adapters and to grow the disk partition to the full size specified at Step 4. |
Automate UserGate NGFW Deployment Using Cloud-init
Cloud-init is an industry standard for cross-platform VM instance initialization in clouds of different providers. UserGate Next-Generation Firewall supports initial configuration using the cloud-init mechanism. The firewall setup is done using two modules:
- Setup using the CLI (a file with a `#utm-config` header). All CLI commands can be used for full instance setup.
- License activation (a file with a `#utm-license` header).
No other cloud-init modules are supported.
Example configuration file with CLI commands (user-data):
```
#utm-config
#set password for initial Administrator (Admin). Obligatory command.
password 123
#Set addresses and settings for network interfaces:
set network interface adapter port1 \
    ip-addresses [ 172.16.6.9/24 ] \
    enabled on \
    zone "Trusted"
set network interface adapter port2 \
    ip-addresses [ 172.16.8.9/24 ] \
    enabled on \
    zone "Untrusted"
set network interface adapter port3 \
    ip-addresses [ 172.16.7.9/24 ] \
    enabled on \
    zone "DMZ"
#Create network gateway to Internet:
create network gateway \
    ip 172.16.8.2 \
    default on \
    interface port2 \
    virtual-router default \
    enabled on
#Create firewall rule to allow traffic from Trusted to untrusted security zones:
create network-policy firewall \
    position 1 upl-rule ALLOW \
    src.zone = Trusted \
    dst.zone = Untrusted \
    enabled(true) \
    name("Cloud-Init: Allow from Trusted to Untrusted")
```
All CLI commands available to the administrator can be used in this file. For more details on CLI commands, see the Command Line Interface (CLI) chapter.
# marks the beginning of a comment, and a backslash (\) denotes a wrap to the next line.
If you need to activate the instance being created, you can do so by specifying the licensing parameters in a separate file. Note that activation is only possible if the instance has Internet access. Example license activation file (vendor-data):
```
#utm-license
pin_code: UGN4-XXXX-YYYY-ZZZZ-AAAA
reg_name: UG-test
email: email@company.com
user_name: John
last_name: Doe
company: UserGate
country: UAE
region: Dubai
```
The two files can be merged into one using the multipart format:
```
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/utm-config; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="config.txt"

#utm-config
password 123
set network interface adapter port1 \
    ip-addresses [ 172.16.6.9/24 ] \
    enabled on \
    zone "Trusted"
set network interface adapter port2 \
    ip-addresses [ 172.16.8.9/24 ] \
    enabled on \
    zone "Untrusted"
set network interface adapter port3 \
    ip-addresses [ 172.16.7.9/24 ] \
    enabled on \
    zone "DMZ"
create network gateway \
    ip 172.16.8.2 \
    default on \
    interface port2 \
    virtual-router default \
    enabled on
create network-policy firewall \
    position 1 upl-rule ALLOW \
    src.zone = Trusted \
    dst.zone = Untrusted \
    enabled(true) \
    name("Cloud-Init: Allow from Trusted to Untrusted")
--//
Content-Type: text/utm-license; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license.txt"

#utm-license
pin_code: UGN4-XXXX-YYYY-ZZZZ-AAAA
reg_name: UG-test
email: email@company.com
user_name: John
last_name: Doe
company: UserGate
country: UAE
region: Dubai
--//
```
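As an added example (not part of the UserGate documentation or its tooling), the script below assembles the multipart bundle described above from separate config and license texts, rejects any part whose first line is not one of the two supported headers, and parses the result back with Python's standard MIME parser to confirm both modules are present. The sample file contents are constructed and shortened, and the password line is a placeholder; since the administrator password travels in plain text inside user-data, the bundle has to be protected like any other credential.

```python
"""Bundle UserGate cloud-init files into one multipart user-data document (added example)."""
import email
from email import policy

# Constructed sample inputs, shortened from the two files shown above. The first line
# is the header UserGate keys on; "CHANGE-ME" is a placeholder for the real password.
CONFIG = """#utm-config
password CHANGE-ME
set network interface adapter port1 \\
    ip-addresses [ 172.16.6.9/24 ] enabled on zone "Trusted"
"""
LICENSE = """#utm-license
pin_code: UGN4-XXXX-YYYY-ZZZZ-AAAA
reg_name: UG-test
"""
# The two supported modules and the MIME subtype each part carries in the bundle.
HEADERS = {"#utm-config": "text/utm-config", "#utm-license": "text/utm-license"}

def part_type(body: str) -> str:
    """Return the MIME type for a file from its mandatory first-line header."""
    lines = body.strip().splitlines()
    first = lines[0].strip() if lines else ""
    if first not in HEADERS:  # e.g. "#cloud-config": not a module UserGate processes
        raise ValueError(f"unsupported cloud-init header: {first!r}")
    return HEADERS[first]

def build_multipart(parts: dict[str, str], boundary: str = "//") -> str:
    """Assemble multipart/mixed user-data in the layout UserGate documents."""
    out = [f'Content-Type: multipart/mixed; boundary="{boundary}"', "MIME-Version: 1.0", ""]
    for filename, body in parts.items():
        out += [f"--{boundary}",
                f'Content-Type: {part_type(body)}; charset="utf-8"',
                "MIME-Version: 1.0",
                "Content-Transfer-Encoding: 7bit",
                f'Content-Disposition: attachment; filename="{filename}"',
                "",
                body.rstrip("\n")]
    out.append(f"--{boundary}--")  # RFC 2046 closing delimiter
    return "\n".join(out) + "\n"

def list_modules(user_data: str) -> list[tuple[str, str]]:
    """Parse a bundle with the stdlib MIME parser; return (content type, header line) per part."""
    msg = email.message_from_string(user_data, policy=policy.default)
    return [(p.get_content_type(), p.get_content().splitlines()[0])
            for p in msg.walk() if not p.is_multipart()]

if __name__ == "__main__":
    bundle = build_multipart({"config.txt": CONFIG, "license.txt": LICENSE})
    print(bundle)
    print(list_modules(bundle))  # [('text/utm-config', '#utm-config'), ('text/utm-license', '#utm-license')]
```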
Settings can be transferred to NGFW:
- Using the methods implemented by the cloud provider --- e.g., when creating a VM (droplet) on Digital Ocean, the settings should be added to the optional User data field (Select additional options ➜ User data). Other cloud service providers support similar methods of settings transfer.
- Using a mounted .iso image. The image must contain files named meta-data, user-data, and vendor-data with the following contents:

meta-data:

```
instance-id: vm1
```

user-data --- with CLI instance setup commands:

```
#utm-config
#set password for initial Administrator (Admin). Obligatory command.
password 123
#Set addresses and settings for network interfaces:
set network interface adapter port1 \
    ip-addresses [ 172.16.6.9/24 ] \
    enabled on \
    zone "Trusted"
...
```

vendor-data --- with license activation parameters:

```
#utm-license
pin_code: UGN4-XXXX-YYYY-ZZZZ-AAAA
reg_name: UG-test
email: email@company.com
...
```
To create an .iso image in Linux, you can use the mkisofs utility as follows:
```
mkisofs -joliet -rock -volid "cidata" -output nocloud.iso meta-data user-data vendor-data
```
Mount the resulting .iso image on the UserGate VM. After the first successful boot, the VM will receive all settings specified for it in the created files.
Network Environment Requirements
For the correct operation of the firewall, UserGate must have access to the following Internet servers:
- Registration server --- reg2.usergate.com (TCP ports 80, 443).
- UserGate list and software update servers --- updates.usergate.com (TCP ports 80, 443).
When creating a configuration cluster, the following protocols must be allowed between the nodes:
- Settings replication support --- TCP ports 4369, 9000-9100.
- Web console service --- TCP port 8001.
For more on network availability requirements, see the appendix Network Environment Requirements.
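The following added example (not UserGate's own tooling) encodes the server and port list above and checks, from the host it runs on, whether a TCP handshake completes to each of them; passing a peer node's address on the command line checks the cluster ports as well. Hostnames and ports are the ones listed in this section; the two-second timeout is an assumption.

```python
"""Pre-deployment reachability check for the UserGate NGFW network requirements (added example)."""
import socket

# Requirements as listed in this chapter; "a-b" denotes an inclusive TCP port range.
INTERNET_SERVERS = {
    "reg2.usergate.com": ["80", "443"],      # registration server
    "updates.usergate.com": ["80", "443"],   # list and software update servers
}
CLUSTER_PORTS = ["4369", "9000-9100", "8001"]  # settings replication + web console, node to node

def expand_ports(specs: list[str]) -> list[int]:
    """Turn ["80", "9000-9100"] into a sorted list of individual port numbers."""
    ports: set[int] = set()
    for spec in specs:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout (assumed 2 s default)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False

def missing_paths(targets: dict[str, list[str]], timeout: float = 2.0) -> list[tuple[str, int]]:
    """Return every (host, port) from targets that could not be reached."""
    return [(host, port) for host, specs in targets.items()
            for port in expand_ports(specs) if not tcp_open(host, port, timeout)]

if __name__ == "__main__":
    import sys
    # Egress from the NGFW to the UserGate servers.
    failed = missing_paths(INTERNET_SERVERS)
    # Node-to-node paths: python3 check.py <peer-node-address> [<peer-node-address> ...]
    for peer in sys.argv[1:]:
        failed += missing_paths({peer: CLUSTER_PORTS})
    for host, port in failed:
        print(f"BLOCKED  {host}:{port}/tcp")
    print("all required paths reachable" if not failed else f"{len(failed)} path(s) blocked")
```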
Connecting to UserGate NGFW
The port0 interface is configured to receive an IP address automatically from a DHCP server and is assigned to the Management zone. The initial configuration is performed through the administrator's web console, connected via the port0 interface.
If it is not possible to assign an IP address to the Management interface automatically using DHCP, it can be set explicitly from the CLI (Command Line Interface). For more details on using the CLI, see the chapter Command Line Interface (CLI).
Other network interfaces are disabled and require further configuration.
To perform the initial configuration, follow these steps:
| Name | Description |
|---|---|
| Step 1. Connect to the management interface. | When a DHCP server is used: Connect the port0 interface to the corporate network with a working DHCP server. Start NGFW. After booting, NGFW displays the IP address to connect to for subsequent product activation. Static IP address: Start NGFW. Use the CLI to assign the desired IP address to the port0 interface. Perform the initial setup via the CLI or connect to the NGFW web console at that IP address. The address string should look similar to this: https://NGFW_IP_address:8001. For more details on using the CLI, see the chapter Command Line Interface (CLI). |
| Step 2. Select a language. | Select the language that will be used for the rest of the initial configuration. |
| Step 3. Set a password. | Set a login name and a password to log in to the web management interface. |
| Step 4. Configure zones, set IP addresses of the network interfaces, and connect UserGate to the corporate network. | In the Interfaces section, enable the desired network interfaces, assign valid IP addresses that correspond to your networks, and bind the interfaces to the respective zones. For more details on network interface management, see the chapter Network Interface Configuration. The system is supplied with a number of predefined zones. |
| Step 5. Configure the Internet gateway. | In the Gateways section, specify the IP address of the Internet gateway on an Internet-connected network interface in the Untrusted zone. For more details on configuring Internet gateways, see the Gateway Configuration chapter. |
| Step 6. Specify the system DNS servers. | In the DNS section, specify the IP addresses of your provider's or corporate DNS servers. For more details on DNS management, see the DNS Configuration chapter. |
| Step 7. Set the server time. | In the UserGate ➜ General settings ➜ Server time settings section, configure time synchronization with NTP servers. |
| Step 8. Register NGFW. | Enter the PIN code and complete the form to register the product. To activate the system, NGFW must have Internet access. For more details on product licensing, see the Licensing chapter. |
| Step 9. Create NAT rules. | In the NAT and Routing section, create the desired NAT rules. A NAT rule providing Internet access for Trusted network users has already been created: NAT from Trusted to Untrusted. For more details on NAT rules, see the NAT and Routing chapter. |
| Step 10. Create firewall rules. | In the Firewall section, create the desired firewall rules. There is a predefined firewall rule Allow trusted to untrusted that allows unrestricted Internet access for the users in the Trusted network --- it only needs to be enabled. For more details on firewall rules, see the Firewall chapter. |
| Step 11. (Optional) Create additional administrators. | In the UserGate Administrators section, create additional system administrators and grant them the necessary rights (roles). |
| Step 12. (Optional) Configure user authorization. | In the Users and devices section, create the required user authorization methods. The simplest option is to create local NGFW users with explicitly set IP addresses, or to use the system without user authentication (specify the user Any in all rules). For other user authorization options, see the Users and Devices chapter. |
| Step 13. (Optional) Create content filtering rules. | In the Content filtering section, create HTTP(S) filtering rules. For more details on filtering content, see the Content filtering chapter. |
| Step 14. (Optional) Create safe browsing rules. | In the Safe browsing section, create additional safe browsing rules. For more details on safe browsing, see the Safe Browsing chapter. |
| Step 15. (Optional) Create SSL inspection rules. | In the SSL inspection section, create rules for intercepting and decrypting HTTPS traffic. For more details on HTTPS decryption, see the SSL Inspection chapter. |
When the above steps are completed, NGFW is ready for use. For more detailed configuration, see the relevant chapters of this Guide.