6.1. Zone Configuration

A zone in UserGate LogAn is a logical aggregation of network interfaces. UserGate LogAn security policies use interface zones instead of interfaces as such.

It is recommended to aggregate interfaces into a zone based on their intended use, e.g., a LAN interface zone, Internet interface zone, management interface zone, etc.

By default, UserGate LogAn is supplied with the following zones:




Used to connect trusted networks from which UserGate LogAn management is allowed.


Used to connect trusted networks, such as LANs. It is assumed that the Trusted zone will connect LogAn to the network that will be used by UserGate gateways to send logs to it and by LogAn to access the Internet.

For UserGate LogAn to work, one configured interface is sufficient. Having separate network interfaces for device management and data collection is recommended for security but not mandatory.

UserGate LogAn administrators can edit the settings for the default zones and create additional zones.


A maximum of 255 zones can be created.

To create a zone, follow these steps:



Step 1. Create a new zone.

Click Add and provide a name for the new zone.

Step 2. (Optional) Configure the DoS protection settings for the zone.

Configure the network flood protection settings for TCP (SYN-flood), UDP, and ICMP protocols in the zone:

  • Alert threshold: when the number of requests from a single IP address exceeds this threshold, the event is recorded in the system log.

  • Drop threshold: when the number of requests from a single IP address exceeds this threshold, UserGate LogAn starts dropping the packets from that address and records the event in the system log.

The recommended values are 300 requests per second for the alert threshold and 600 requests per second for the drop threshold.

DoS protection exclusions: here you can list the server IP addresses that need to be excluded from the protection. This can be useful, e.g., for UserGate gateways that can send large amounts of data to LogAn servers.

Step 3. (Optional) Configure the access control settings for the zone.

Specify the services provided by UserGate LogAn that will be available to clients connected to this zone. It is recommended to disable all services for zones connected to uncontrolled networks, such as the Internet.

The following services exist:

  • Ping: enables pinging of UserGate LogAn.

  • SNMP: provides SNMP access (UDP 161) to UserGate LogAn.

  • Control XML-RPC: enables API control of the product (TCP 4040).

  • Administrative console: provides access to the administrative web console (TCP 8010).

  • CLI over SSH: provides server access for management using CLI (command line interface) (TCP port 2200).

  • Log Analyzer: the Log Analyzer service. Needs to be allowed in zones from which LogAn will receive the data sent by UserGate servers (TCP 22699 for UserGate v6.1.х servers; TCP 22711 for UserGate v7.0.х servers that use SSL for data transmission).

  • Log collector: a service that enables information collection from remote devices using the Syslog protocol (the default port number is 514).

For more on network availability requirements, see Appendix 1. Network Environment Requirements.

Step 4. (Optional) Configure the IP spoofing protection settings.

IP spoofing attacks allow a malicious actor to transmit a packet from one network, such as Trusted, to another, such as Management. To do that, the attacker substitutes the source IP address with an assumed address of the relevant network. In this case, responses to this packet will be sent to the internal address.

To protect against this kind of attack, the administrator can specify the source IP address ranges allowed in the selected zone. Network packets with source IP addresses other than those specified will be discarded.

Using the Negate checkbox, the administrator can specify the source IP addresses from which packets may not be received on this zone's interfaces. In this case, packets with source IP addresses within those ranges will be rejected. As an example, you can specify "gray" IP address ranges as,, and enable the Negate option.