12.5.3. Configuring device management

12.5.3.1. Configuring radmin emergency

To enable or disable remote access to the server for technical support in case the UserGate server hangs, use the following command:

Admin@UGOS# set settings device-mgmt diagnostic radmin-emergency <on | off>

Parameters:

Parameter          Description
interface          The interface name.
ip-addr            Interface IP address and mask.
gateway-address    Gateway IP address.

In case of problems with the UserGate kernel, you may be unable to authenticate using the CLI. To activate the remote assistant in such cases, administrators can log in to the CLI using the root administrator account created when UserGate was initialized. Usually this is the Admin account, but not always. To log in, specify the name as Admin@emergency, and use the root administrator password as the password.

12.5.3.2. Configuring diagnostics

The server diagnostics settings required for the technical support team to solve problems are set at the device-mgmt diagnostic level. To view the current settings, use the following command:

Admin@UGOS# show settings device-mgmt diagnostic

At the settings device-mgmt diagnostic radmin level you can enable or disable remote access to the server for UserGate technical support (Radmin). To enable/disable Radmin, use the following command:

Admin@UGOS# set settings device-mgmt diagnostic radmin <on | off>

To view the Radmin state, use the following command:

Admin@UGOS# show settings device-mgmt diagnostic radmin

At the settings device-mgmt diagnostic details level you can use the following command to set the level of diagnostic details (disabled; errors only; errors and warnings; errors, warnings, and additional information; maximum level of detail):

Admin@UGOS# set settings device-mgmt diagnostic details <off | error | warning | info | debug>

To view the status of the diagnostics detail level, use the following command:

Admin@UGOS# show settings device-mgmt diagnostic details

12.5.3.3. Configuring server operations

To set an update channel, use the following command:

Admin@UGOS# set settings device-mgmt updates-channel <stable | beta>

To view any updates and the selected update channel, use the following command:

Admin@UGOS# show settings device-mgmt updates-channel

12.5.3.4. Export settings

You create and configure export settings rules at the settings device-mgmt settings-export level.

To create an export settings rule, use the following command:

Admin@UGOS# create settings device-mgmt settings-export

Available parameters:

Parameter      Description
enabled        Enable/disable an export settings rule for the UserGate server.
name           Export rule name.
description    Export rule description.
type           Remote server type for exporting settings: ssh or ftp.
address        Remote server IP address.
port           Server port.
login          Remote server login name.
password       Password for the login name.
path           Directory path to upload the settings to.
schedule       Schedule for settings export.

Time is set in crontab format: (minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6; 0 is Sunday). You can set each field as follows:

  • An asterisk (*): denotes the entire range (from the first number to the last).

  • A dash (-): denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • Steps: a slash after an asterisk or a range sets the increment between values. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".
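
The field rules above can be checked before a schedule is saved, so that a typo does not leave configuration exports running at an unintended time or not at all. The following Python is an added example, not UserGate code or part of the original documentation; the function names expand_field and expand_schedule are hypothetical, and rejecting an increment on a single number is an assumption drawn from the wording above, since the device's own parser may behave differently.

```python
# Added example: field order and ranges follow the schedule description above.
FIELDS = [
    ("minutes", 0, 59),
    ("hours", 0, 23),
    ("days of the month", 1, 31),
    ("month", 1, 12),
    ("days of the week", 0, 6),  # 0 is Sunday
]


def expand_field(text, low, high):
    """Return the sorted values one schedule field selects, or raise ValueError."""
    values = set()
    for item in text.split(","):              # lists: "1,5,10,11" or "1-11,19-23"
        base, slash, step_text = item.partition("/")
        if slash and not step_text.isdigit():
            raise ValueError(f"bad increment in {item!r}")
        step = int(step_text) if slash else 1
        if step < 1:
            raise ValueError(f"increment must be at least 1 in {item!r}")
        if base == "*":                       # asterisk: the entire range
            first, last = low, high
        else:
            start, dash, end = base.partition("-")
            if not start.isdigit() or (dash and not end.isdigit()):
                raise ValueError(f"bad number or range in {item!r}")
            first, last = int(start), int(end) if dash else int(start)
            if slash and not dash:            # assumption: increments need "*" or a range
                raise ValueError(f"increment needs '*' or a range in {item!r}")
        if not low <= first <= last <= high:
            raise ValueError(f"{item!r} is reversed or outside {low}-{high}")
        values.update(range(first, last + 1, step))
    return sorted(values)


def expand_schedule(schedule):
    """Validate a five-field schedule; return {field name: selected values}."""
    parts = schedule.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: expand_field(part, low, high)
            for part, (name, low, high) in zip(parts, FIELDS)}


if __name__ == "__main__":
    # Constructed sample: 02:30 every Sunday.
    for name, selected in expand_schedule("30 2 * * 0").items():
        print(f"{name}: {selected}")
```
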

To update an existing rule to export UserGate server settings, use the following command:

Admin@UGOS# set settings device-mgmt settings-export <rule-name>

You can use the same set of parameters as when creating rules.

To delete a rule to export settings, use the following command:

Admin@UGOS# delete settings device-mgmt settings-export <rule-name>

To display a rule to export settings, use the following command:

Admin@UGOS# show settings device-mgmt settings-export <rule-name>

For update, delete or display rule commands, you can set <filter> not only to the rule name, but also to the parameters specified in an existing rule (this may be helpful if there is more than one rule with the same name). Parameters used to identify an export rule are similar to those of the set command.

12.5.3.5. Settings for protecting configuration data from changes

To configure settings for protecting product configuration data (settings) from being changed, use the following command:

Admin@UGOS# set settings change-control config <off | log | block>

Configuration data integrity is checked every few minutes after UserGate boots.

  • log: enable tracking of changes in the configuration data. If any changes are detected, UserGate records this information in the event log. A password is required which will be used to change the tracking mode.

  • off: disable tracking of changes in the configuration data. Requires the password that was set when enabling the configuration change tracking.

  • block: enable tracking of changes in the configuration data. A password is required which will be used to change the tracking mode. If any changes are detected, UserGate records this information in the event log and creates a firewall blocking rule that denies any transit traffic through UserGate.

Before enabling configuration data protection, the administrator configures the product according to the organization's requirements and then "freezes" the settings (log or block mode). Any setting change through the web interface, CLI, or other means will result in logging and/or blocking of transit traffic, depending on the selected mode.

To view the current configuration data protection mode, use the following command:

Admin@UGOS# show settings change-control config

12.5.3.6. Protect executable files from changes

To configure settings to protect product executable code from potential unauthorized modification, use the following command:

Admin@UGOS# set settings change-control code <off | log | block>

Executable code integrity is checked every few minutes after UserGate boots.

  • log: enable tracking of unauthorized changes in the executable code. If any changes are detected, UserGate records this information in the event log. A password is required which will be used to change the tracking mode.

  • off: disable tracking of unauthorized changes in the executable code. Requires the password that was set when enabling the executable code change tracking.

  • block: enable tracking of unauthorized changes in the executable code. A password is required which will be used to change the tracking mode. If any changes are detected, UserGate records this information in the event log and creates a firewall blocking rule that denies any transit traffic through UserGate. To disable the resulting firewall rule, you need to disable tracking of unauthorized changes.

To view the current executable file protection mode, use the following command:

Admin@UGOS# show settings change-control code