UserGate NGFW Console Access Management

Access to the UserGate NGFW web console is controlled by creating additional administrator accounts, assigning them access profiles, defining an administrator password management policy, and configuring web console access at the network zone level in terms of allowing the service in the zone properties. As an additional security measure for console access, you can turn on certificate-based authorization for administrators.

Note: A local superuser named Admin is created during the initial setup of NGFW.

To create additional device administrator accounts, follow these steps:


Step 1. Create an administrator access profile.

In the Administrators ➜ Administrator profiles section, click Add and enter the desired settings.

Step 2. Create an administrator account and assign it one of the administrator profiles created earlier.

In the Administrators section, click Add and select the desired option.

  • Add local administrator: create a local user, set a password for the user, and assign them one of the access profiles created earlier.

  • Add LDAP user: add a user from an existing domain. This requires a correctly configured LDAP connector in the Authorization servers section. When logging in to the administrative console, the username must be specified in the user@domain format. Assign this user a profile created earlier.

  • Add LDAP group: add a user group from an existing domain. This requires a correctly configured LDAP connector in the Authorization servers section. When logging in to the administrative console, members of the group must specify their username in the user@domain format. Assign this group a profile created earlier.

  • Add administrator with authorization profile: create a user and assign them an administrator profile created earlier and an authorization profile (this requires correctly configured authorization servers).

When creating an administrator access profile, specify the following parameters:


Name

Profile name.

Description

Profile description.

API permissions

The list of objects available for access delegation when using the Application Programming Interface (API). The objects are described in the API documentation. The following access options are available:

  • No access

  • Read only

  • Read and write

Web console permissions

The list of web console tree objects available for delegation. The following access options are available:

  • No access

  • Read only

  • Read and write

CLI permissions

CLI access can be enabled here. The following access options are available:

  • No access

  • Read only

  • Read and write

An NGFW administrator can configure additional administrator account protection settings, such as password complexity requirements and temporary account lockout once the maximum number of failed authentication attempts is exceeded.

To configure the above settings, follow these steps:


Step 1. Configure the password policy.

In the Administrators ➜ Administrators section, click Configure.

Step 2. Fill in the relevant fields.

Provide values for these fields:

  • Strong password: enables the additional password complexity settings presented below, such as Minimum length, Minimum uppercase letters, Minimum lowercase letters, Minimum digit letters, Minimum special characters, and Maximum characters repetition block.

  • Number of invalid auth attempts: the number of failed attempts to authenticate as an administrator after which the account is blocked for Block time.

  • Block time: the time for which the account is blocked.

The administrator can define the zones from which access to the web console service will be allowed (TCP port 8001).

Note: Web console access should not be allowed for zones connected to uncontrolled networks (e.g. the Internet).

To allow the web console service for a specific zone, go to the zone properties and allow access to the Administrative console service in the Access control section. For more details on configuring zone access control, see the section Zone Configuration.

As an additional security measure for console access, you can turn on certificate-based authorization for administrators.

To turn on this mode, follow these steps (this example uses the openssl utility):


Step 1. Create additional administrator accounts.

Configure the settings as described earlier in this chapter; for example, create an administrator account named Administrator54.

Step 2. Create or import an existing CA (Certification Authority) type certificate for web console authorization.

Create or import an existing CA certificate (the public part will suffice; the CA private key is not imported) as described in chapter Certificate Management.

Important! The CA certificate to import is the one that directly signed the administrator certificates (the issuing CA), not the root certificate.

For example, to create a CA using openssl, invoke these commands:

# Self-signed CA certificate (ca.pem) and its private key (ca-key.pem).
# Without -days the certificate would be valid for only 30 days; the value here is an example.
openssl req -x509 -subj '/C=RU/ST=Moscow/O=MyCompany/CN=ca.mycompany.com' -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes -days 3650
# Re-export the private key unencrypted (it is already unencrypted because of -nodes, so this step is optional).
openssl rsa -in ca-key.pem -out ca-key.pem

The file ca-key.pem will store the private key of the CA and the ca.pem file will store the CA certificate (the public part). Import ca.pem into NGFW; keep ca-key.pem private, since anyone holding it can issue administrator certificates.

Step 3. Create certificates for the administrator accounts.

Create certificates for each of the administrators using third-party utilities, such as openssl. The Common name field in the certificate must match exactly the administrator account name as created in NGFW.

For openssl and the Administrator54 user, the commands will be as follows:

# Private key (admin-key.pem) and certificate signing request (admin.csr); the CN is the NGFW account name.
openssl req -subj '/C=SG/ST=Singapore/O=MyCompany/CN=Administrator54' -out admin.csr -newkey rsa:2048 -keyout admin-key.pem -nodes

Step 4. Sign the administrator certificates created at Step 3 with the CA certificate.

Sign the administrator certificates with the web console CA certificate using third-party utilities, such as openssl.

For openssl, the commands will be as follows:

# Sign the request with the CA. The serial number must be unique for every certificate issued by this CA,
# so use a different -set_serial value for each administrator.
openssl x509 -req -days 9999 -CA ca.pem -CAkey ca-key.pem -set_serial 1 -in admin.csr -out admin.pem
# Bundle the certificate and its private key into a PKCS#12 file; openssl prompts for an export password.
openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -out admin.p12 -name 'Administrator54 client certificate'

The admin.p12 file contains the signed administrator certificate together with its private key.
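The following script is an added example and is not part of the UserGate documentation. It carries Steps 2 to 4 through with openssl for any number of administrator accounts and then checks the two properties that certificate-based console authorization depends on: the certificate chains to the CA whose certificate was imported into NGFW, and its Common name equals the administrator account name. File names (one set per account rather than admin.csr/admin.pem), subject fields, validity periods and the PKCS#12 export password are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the UserGate documentation): scripted version of Steps 2-4.
# Assumptions: per-account file names, the subject fields below, and a placeholder
# export password for the PKCS#12 bundle.
set -e

# Work in a scratch directory so nothing collides with existing key material.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Step 2: the issuing CA. ca.pem (certificate) is what gets imported into NGFW;
# ca-key.pem must stay private. -days is given explicitly because the default is 30 days.
make_ca() {
    openssl req -x509 -subj '/C=RU/ST=Moscow/O=MyCompany/CN=ca.mycompany.com' \
        -newkey rsa:2048 -keyout ca-key.pem -out ca.pem -nodes -days 3650 2>/dev/null
}

# Steps 3-4: one certificate per administrator.
#   $1 = NGFW administrator account name; it becomes the CN and must match exactly.
#   $2 = serial number; it must differ for every certificate signed by this CA.
make_admin_cert() {
    name="$1"; serial="$2"
    openssl req -subj "/C=SG/ST=Singapore/O=MyCompany/CN=$name" \
        -out "$name.csr" -newkey rsa:2048 -keyout "$name-key.pem" -nodes 2>/dev/null
    openssl x509 -req -days 365 -CA ca.pem -CAkey ca-key.pem -set_serial "$serial" \
        -in "$name.csr" -out "$name.pem" 2>/dev/null
    # PKCS#12 bundle for import into the administrator's OS or browser (Step 5).
    # 'changeit' is a placeholder export password for the example only.
    openssl pkcs12 -export -in "$name.pem" -inkey "$name-key.pem" -out "$name.p12" \
        -name "$name client certificate" -passout pass:changeit
}

# Pre-flight check before switching the console to X.509 mode (Step 6):
# returns 0 only if $1 verifies against ca.pem AND its CN is exactly $2.
check_admin_cert() {
    cert="$1"; expected="$2"
    openssl verify -CAfile ca.pem "$cert" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName=//p')
    [ "$cn" = "$expected" ]
}

# Usage: issue certificates for two accounts, then check them before enabling the mode.
make_ca
make_admin_cert Administrator54 1
make_admin_cert Administrator55 2
check_admin_cert Administrator54.pem Administrator54 && echo "Administrator54: OK"
check_admin_cert Administrator55.pem Administrator55 && echo "Administrator55: OK"
```

Running the check before switching the authentication mode is the point of the last function: if the CN does not match the account name or the certificate was signed by a different CA than the one imported, the console will refuse the login, and if that happens to every administrator the mode has to be switched back over the CLI.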

Step 5. Add the signed certificates to the OS from which the administrators will be authorized for web console access.

Add the signed administrator certificates (admin.p12 in our example) to the OS (or to the Firefox browser if it is used for console access) from which the administrators will be authorized for web console access. For more details, see the documentation for the relevant OS.

Step 6. Switch the web console to the X.509 certificate authorization mode.

In the General settings section, change the Web console authentication mode to X.509 certificate.

Note: The web console authentication mode can also be switched using CLI commands.

The Administrators ➜ Administrator sessions section displays all administrators who are logged in to the NGFW administrative web console. Any of the administrator sessions can be reset (closed) if necessary.